Information Security

Pursuant to a congressional request, GAO reviewed software change controls at the Department of Health and Human Services (HHS), focusing on: (1) weaknesses regarding formal policies and procedures; (2) contract oversight; and (3) background screening of personnel.

GAO noted that: (1) formally documented departmentwide change control policies and procedures did not exist at HHS; (2) formally documented component-level policies and procedures at the Administration for Children and Families (ACF), Administration on Aging (AoA), and Indian Health Service (IHS), did not meet federal criteria; (3) ACF's formally documented Change Management Procedure did not address application software libraries, and operating system software access and monitoring; (4) AoA had a formally documented change control procedure, but it was not in place during year 2000 remediation--it was effective March 2000--and it did not address operating system software access and monitoring; (5) IHS had a formally documented change control process; (6) however, the process did not require documentation of software changes and it did not address access to application program libraries and operating system software, and operating system software monitoring and change control; (7) agency officials were not familiar with contractor practices for software management; (8) this is of potential concern because 233 (82 percent) of HHS' 284 mission-critical federal systems covered by GAO's study involved the use of contractors for year 2000 remediation; (9) for example, the Health Care Financing Administration (HCFA), IHS, the Office of Inspector General, and Program Support Center sent code for 52 mission-critical systems to contractor facilities, including code for 15 systems transmitted by HCFA to a foreign-owned contractor facility; (10) agency officials could not readily determine how the code and data were protected during and after transit to the contractor facility, when the code was out of the agency's direct control; (11) ACF, AoA, HCFA, the National Institutes of Health (NIH), and PSC did not include background screening provisions in contracts, and ACF, AoA, and NIH did not require routine background screenings of federal or contract staff performing software change functions; (12) this is of potential concern because three ACF contracts and four NIH contracts involved foreign nationals; (13) for example, three ACF contracts had foreign nationals on staff from India, Pakistan, Singapore, Russia, Ukraine, Taiwan, China, and Guatemala, yet ACF did not include background screening provisions in their contracts; and (14) although IHS required routine screening of all staff, the background screening of a British foreign national was not completed prior to the individual's work on year 2000 remediation.