Information Security:

Controls Over Software Changes at Federal Agencies

AIMD-00-151R: Published: May 4, 2000. Publicly Released: May 4, 2000.

Contact:

Jack L. Brock, Jr
(202) 512-4841
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO provided information on software change controls at federal agencies, focusing on: (1) whether key controls as described in documented policies and procedures regarding software change authorization, testing, and approval comply with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and the extent to which foreign nationals were involved in these efforts.

GAO noted that: (1) controls over changes to software for federal information systems as described in agency policies and procedures were inadequate; (2) specifically, GAO identified deficiencies in three control areas: (a) formal policies and procedures; (b) contract oversight; and (c) background screening of personnel; (3) formally documented policies and procedures did not exist or did not meet the requirements of federal criteria; (4) for example, 8 of 16 agencies had not established formal, agencywide policies for software change management, and 50 of 128 agency components had not established formal procedures or adopted agency-level guidance; (5) based on GAO's interviews at the 16 agencies and the 128 components, oversight of contractors was inadequate, especially when software change functions were completely contracted out; (6) this is of potential concern because 1,980 (41 percent) of 4,785 mission-critical federal systems covered by GAO's study involved the use of contractors for year 2000 remediation; (7) of particular concern, code or data associated with 319 of these systems were sent to contractor facilities, but agency officials could not readily determine how such code and data were protected during and after transit; (8) based on GAO's interviews with agency officials and review of documented security policies and procedures, background screenings of personnel involved in the software change process were not a routine security control; (9) of the 128 components GAO reviewed, 42 did not require routine background screening of foreign national personnel involved in making changes to software; (10) further, agency officials told GAO that 24 of 579 contracts for remediation services did not include provisions for background checks of contractor staff; and (11) complete data on use of foreign nationals in the software change process were not readily available.

Apr 17, 2014

Apr 2, 2014

Jan 28, 2014

Jan 8, 2014

Sep 26, 2013

Feb 20, 2013

Feb 1, 2013

Sep 27, 2012

Sep 18, 2012

Jul 17, 2012

Looking for more? Browse all our products here