Information Security:

Software Change Controls at the Department of Agriculture

AIMD-00-186R: Published: Jun 30, 2000. Publicly Released: Jun 30, 2000.


Joel C. Willemssen
(202) 512-6253



Pursuant to a congressional request, GAO reviewed software change controls at the Department of Agriculture (USDA), focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.

GAO noted that: (1) departmentwide guidance did not exist and formally documented component procedures were inadequate; (2) although several components had informal controls in place, most were not documented; (3) the Animal and Plant Health Inspection Service and the Farm Service Agency did not have formally documented processes for software change control; (4) in addition, the procedures for the remaining four components covered by GAO's review did not adequately address key controls, including operating system software changes, monitoring, and access--nor controls over application software libraries including access to code, movement of software programs, and inventories of software; (5) agency officials were not familiar with contractor practices for software management; (6) this is of potential concern because 74 (32 percent) of USDA's 229 mission-critical federal systems covered by GAO's study involved the use of contractors for year 2000 remediation; (7) for example, five components (all except for the Natural Resources Conservation Service) sent code associated with 69 mission-critical systems to contractor facilities, including non-U.S. contractor facilities; (8) agency officials could not readily determine how the code was protected during and after transit to the contractor facility, when the code was out of the agency's direct control; (9) background screenings of personnel involved in the software change process were not a routine security control; (10) of 43 contracts issued for remediation services by the six components, 14 contracts (all issued by the Forest Service) did not include contract provisions for background checks of contractor staff; (11) in addition, five components (all except Rural Development) did not require routine background screening of foreign national personnel involved in making changes to software; (12) complete data on the involvement of foreign nationals in software change process activities were not readily available from agency officials interviewed; and (13) officials told GAO that all six components included in the study involved foreign nationals on 11 contracts for remediation services.
