Information Security:

Software Change Controls at the Department of Housing and Urban Development

AIMD-00-195R: Published: Jun 30, 2000. Publicly Released: Jun 30, 2000.

Additional Materials:

Contact:

Joel C. Willemssen
(202) 512-6253
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Pursuant to a congressional request, GAO reviewed the software change controls at the Department of Housing and Urban Development (HUD), focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.

GAO noted that: (1) HUD had established formal departmentwide policies and procedures that adequately addressed major aspects of their centralized software change control function; (2) the formally documented policy established a goal for the department to maintain a level 2, or repeatable, process maturity based on the Carnegie Mellon University Software Engineering Institute's Capability Maturity Model for Software; (3) however, GAO identified concerns in two related areas--contract oversight and background checks of personnel involved in software change activities; (4) agency officials were not familiar with contractor practices for software management; (5) for example, contract information on procurement method, inclusion of contract provisions for background checks of employees, and protection of code transmissions and code located at contractor facilities was not readily available; (6) this is of potential concern because all 57 of HUD's mission-critical federal systems involved the use of contractors for year 2000 remediation; (7) HUD officials told GAO that all 10 contracts for remediation services employed foreign nationals; (8) further, HUD sent code associated with one mission-critical system to a contractor facility, but agency officials could not readily determine how the code was protected during and after transit to the contractor facility, when the code was out of the agency's direct control; (9) although HUD officials told GAO that all contracts for remediation services included provisions for background checks of contractor staff, background screenings were not a routine security control at HUD for noncontract personnel involved in making changes to software; and (10) this is of concern because the Office of Management and Budget and the National Institute of Standards and Technology criteria require background screening of key staff involved with automated systems.

Sep 13, 2017

Aug 1, 2017

Mar 1, 2017

  • housing icon, source: Comstock

    Low-Income Housing Tax Credit:

    The Role of Syndicators
    GAO-17-285R: Published: Feb 16, 2017. Publicly Released: Mar 1, 2017.

Jan 9, 2017

Nov 17, 2016

Oct 31, 2016

Oct 3, 2016

Jul 13, 2016

Jun 8, 2016

May 31, 2016

Looking for more? Browse all our products here