Information Security

Pursuant to a congressional request, GAO reviewed software change controls at the Department of Commerce, focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.

GAO noted that: (1) departmentwide guidance and formally documented component procedures were inadequate, and not all components had formally documented controls; (2) although Commerce had established department-level guidance for software management, implementation was delegated to Commerce components, which did not consistently apply or adopt the requirements; (3) specific key controls not addressed by the department-level guidance and the component procedures were: (a) operating system software changes, monitoring, and access; and (b) controls over application software libraries including access to code, movement of software programs, and inventories of software; (4) based on GAO's interviews, agency officials were not familiar with contractor practices for software management; (5) this is of potential concern because 89 of 470 Commerce mission-critical federal systems covered by GAO's study involved the use of contractors for year 2000 remediation; (6) at the Minority Business Development Agency (MBDA), Commerce officials directed GAO to interview contractor staff; (7) in addition, Commerce officials at the seven components could not readily provide information on software control requirements included in contracts or on related contractor practices; (8) based on GAO's interviews and review of documented security policies and procedures, background screenings of personnel involved in the software change process were not a routine security control; (9) of the 12 Commerce components GAO reviewed, Economics and Statistics Administration (ESA) and the National Technical Information Service did not require routine background screening of personnel involved in making changes to software or include security provisions in contracts; (10) according to agency officials, foreign nationals were involved in remediation activities on 10 contracts at Bureau of the Census, Economic Development Administration, MBDA, National Telecommunications and Information Administration, and Patent and Trademark Office (PTO); and (11) at headquarters, Census, the Economic Development Administration, ESA, Office of the Secretary and PTO, complete data on the involvement of foreign nationals in software change process activities were not readily available.