GAO discussed federal civilian agencies' practices in identifying and incorporating security controls in automated information systems. GAO believes that: (1) there is no comprehensive guidance that addresses how civilian agencies should incorporate security considerations into the system development process; (2) current agency practices do not ensure the security of mission-critical, sensitive systems; (3) many agencies have made system architecture decisions without considering security needs; and (4) agencies could not demonstrate how their systems were vulnerable, but nonetheless identified areas where they believed that security controls were necessary.