Controls Over Software Changes at Federal Agencies
AIMD-00-151R: Published: May 4, 2000. Publicly Released: May 4, 2000.
Pursuant to a congressional request, GAO provided information on software change controls at federal agencies, focusing on: (1) whether key controls as described in documented policies and procedures regarding software change authorization, testing, and approval comply with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and the extent to which foreign nationals were involved in these efforts.
GAO noted that:

(1) controls over changes to software for federal information systems as described in agency policies and procedures were inadequate;

(2) specifically, GAO identified deficiencies in three control areas: (a) formal policies and procedures; (b) contract oversight; and (c) background screening of personnel;

(3) formally documented policies and procedures did not exist or did not meet the requirements of federal criteria;

(4) for example, 8 of 16 agencies had not established formal, agencywide policies for software change management, and 50 of 128 agency components had not established formal procedures or adopted agency-level guidance;

(5) based on GAO's interviews at the 16 agencies and the 128 components, oversight of contractors was inadequate, especially when software change functions were completely contracted out;

(6) this is of potential concern because 1,980 (41 percent) of 4,785 mission-critical federal systems covered by GAO's study involved the use of contractors for year 2000 remediation;

(7) of particular concern, code or data associated with 319 of these systems were sent to contractor facilities, but agency officials could not readily determine how such code and data were protected during and after transit;

(8) based on GAO's interviews with agency officials and review of documented security policies and procedures, background screenings of personnel involved in the software change process were not a routine security control;

(9) of the 128 components GAO reviewed, 42 did not require routine background screening of foreign national personnel involved in making changes to software;

(10) further, agency officials told GAO that 24 of 579 contracts for remediation services did not include provisions for background checks of contractor staff; and

(11) complete data on use of foreign nationals in the software change process were not readily available.