Information Security:

Software Change Controls at the Department of Housing and Urban Development

AIMD-00-195R: Published: Jun 30, 2000. Publicly Released: Jun 30, 2000.

Additional Materials:

Contact:

Joel C. Willemssen
(202) 512-6253
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed the software change controls at the Department of Housing and Urban Development (HUD), focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.

GAO noted that: (1) HUD had established formal departmentwide policies and procedures that adequately addressed major aspects of their centralized software change control function; (2) the formally documented policy established a goal for the department to maintain a level 2, or repeatable, process maturity based on the Carnegie Mellon University Software Engineering Institute's Capability Maturity Model for Software; (3) however, GAO identified concerns in two related areas--contract oversight and background checks of personnel involved in software change activities; (4) agency officials were not familiar with contractor practices for software management; (5) for example, contract information on procurement method, inclusion of contract provisions for background checks of employees, and protection of code transmissions and code located at contractor facilities was not readily available; (6) this is of potential concern because all 57 of HUD's mission-critical federal systems involved the use of contractors for year 2000 remediation; (7) HUD officials told GAO that all 10 contracts for remediation services employed foreign nationals; (8) further, HUD sent code associated with one mission-critical system to a contractor facility, but agency officials could not readily determine how the code was protected during and after transit to the contractor facility, when the code was out of the agency's direct control; (9) although HUD officials told GAO that all contracts for remediation services included provisions for background checks of contractor staff, background screenings were not a routine security control at HUD for noncontract personnel involved in making changes to software; and (10) this is of concern because the Office of Management and Budget and the National Institute of Standards and Technology criteria require background screening of key staff involved with automated systems.

Jul 13, 2016

Jun 8, 2016

May 31, 2016

May 2, 2016

Jan 8, 2016

Sep 15, 2015

Jul 23, 2015

Jul 10, 2015

Jul 6, 2015

May 19, 2015

Looking for more? Browse all our products here