Information Security
Software Change Controls at the Department of Agriculture
GAO ID: AIMD-00-186R
June 30, 2000

Pursuant to a congressional request, GAO reviewed software change controls at the Department of Agriculture (USDA), focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.
GAO noted that:
(1) departmentwide guidance did not exist and formally documented component procedures were inadequate;
(2) although several components had informal controls in place, most were not documented;
(3) the Animal and Plant Health Inspection Service and the Farm Service Agency did not have formally documented processes for software change control;
(4) in addition, the procedures for the remaining four components covered by GAO's review did not adequately address key controls, including operating system software changes, monitoring, and access--nor controls over application software libraries, including access to code, movement of software programs, and inventories of software;
(5) agency officials were not familiar with contractor practices for software management;
(6) this is of potential concern because 74 (32 percent) of USDA's 229 mission-critical federal systems covered by GAO's study involved the use of contractors for year 2000 remediation;
(7) for example, five components (all except for the Natural Resources Conservation Service) sent code associated with 69 mission-critical systems to contractor facilities, including non-U.S. contractor facilities;
(8) agency officials could not readily determine how the code was protected during and after transit to the contractor facility, when the code was out of the agency's direct control;
(9) background screenings of personnel involved in the software change process were not a routine security control;
(10) of 43 contracts issued for remediation services by the six components, 14 contracts (all issued by the Forest Service) did not include contract provisions for background checks of contractor staff;
(11) in addition, five components (all except Rural Development) did not require routine background screening of foreign national personnel involved in making changes to software;
(12) complete data on the involvement of foreign nationals in software change process activities were not readily available from the agency officials interviewed; and
(13) officials told GAO that all six components included in the study involved foreign nationals on 11 contracts for remediation services.