Information Security
Software Change Controls at the National Aeronautics and Space Administration
GAO ID: AIMD-00-196R
June 30, 2000

Pursuant to a congressional request, GAO reviewed the National Aeronautics and Space Administration's (NASA) software change controls, focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.
GAO noted that: (1) NASA does not have a formally documented agency-level software change control policy; (2) development and implementation of software change policies and procedures are the responsibility of each component; (3) according to the NASA official, the components used their routine software change control processes for year 2000 remediation; (4) however, GAO was not provided copies of these component policies to make comparisons to federal guidance; (5) instead, the agency official provided GAO with a written explanation of software change practices at NASA components; (6) based on GAO's interview, the agency official was not familiar with contractor practices for software management; (7) this is of potential concern because contractors performed remediation of all 156 mission-critical systems; (8) for example, one contract was with a foreign-owned company that also hired foreign nationals; (9) in addition, source code for two systems was transmitted to contractor facilities, one of which was a foreign-owned facility that received source code for administrative systems; and (10) the NASA official provided no details regarding protective controls over the source code when the code was out of the agency's direct control.