Information Security:
Software Change Controls at the Department of State
AIMD-00-199R: Published: Jun 30, 2000. Publicly Released: Jun 30, 2000.
Additional Materials:
- Full Report:
Contact:
(202) 512-6253
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
Pursuant to a congressional request, GAO reviewed the software change controls at the Department of State, focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.
GAO noted that: (1) according to State officials, background checks of personnel involved in the software change process were a routine security control for federal, contractor, and foreign national personnel involved in making changes to software; (2) also, officials told GAO that all 19 contracts included provisions for background checks of contractor staff; (3) this is important because 4 of these contracts for remediation services involved foreign nationals; (4) GAO identified weaknesses regarding formal policies and procedures and contract oversight; (5) all three State components told GAO that they followed State's departmentwide formally documented guidance for software change control, but GAO found that this guidance did not adequately address key software change controls; (6) specifically, the guidance did not address: (a) operating system software access and monitoring; and (b) application software library controls for labelling and taking inventory of software programs; (7) agency officials were not familiar with contractor practices for software management; (8) this is of potential concern because all 43 of State's mission-critical systems involved the use of contractors for year 2000 remediation; and (9) all three State components sent code associated with 18 mission-critical systems to contractor facilities for remediation, and agency officials could not readily determine how the code was protected during and after transit to the contractor facility, when the code was out of State's direct control.
Sep 17, 2018
Cybersecurity:
Office of Federal Student Aid Should Take Additional Steps to Oversee Non-School Partners' Protection of Borrower InformationGAO-18-518: Published: Sep 17, 2018. Publicly Released: Sep 17, 2018.
Sep 7, 2018
-
Data Protection:
Actions Taken by Equifax and Federal Agencies in Response to the 2017 BreachGAO-18-559: Published: Aug 30, 2018. Publicly Released: Sep 7, 2018.
Sep 6, 2018
-
High-Risk Series:
Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the NationGAO-18-622: Published: Sep 6, 2018. Publicly Released: Sep 6, 2018.
Jul 31, 2018
-
Information Security:
IRS Needs to Rectify Control Deficiencies That Limit Its Effectiveness in Protecting Sensitive Financial and Taxpayer DataGAO-18-391: Published: Jul 31, 2018. Publicly Released: Jul 31, 2018.
Jul 25, 2018
-
High-Risk Series:
Urgent Actions Are Needed to Address Cybersecurity Challenges Facing the NationGAO-18-645T: Published: Jul 25, 2018. Publicly Released: Jul 25, 2018.
Jul 12, 2018
-
Information Security:
Supply Chain Risks Affecting Federal AgenciesGAO-18-667T: Published: Jul 12, 2018. Publicly Released: Jul 12, 2018.
Jun 14, 2018
-
Cybersecurity Workforce:
Agencies Need to Improve Baseline Assessments and Procedures for Coding PositionsGAO-18-466: Published: Jun 14, 2018. Publicly Released: Jun 14, 2018.
May 14, 2018
-
Protecting Classified Information:
Defense Security Service Should Address Challenges as New Approach Is PilotedGAO-18-407: Published: May 14, 2018. Publicly Released: May 14, 2018.
Apr 24, 2018
-
Cybersecurity:
DHS Needs to Enhance Efforts to Improve and Promote the Security of Federal and Private-Sector NetworksGAO-18-520T: Published: Apr 24, 2018. Publicly Released: Apr 24, 2018.
Mar 7, 2018
-
Cybersecurity Workforce:
DHS Needs to Take Urgent Action to Identify Its Position and Critical Skill RequirementsGAO-18-430T: Published: Mar 7, 2018. Publicly Released: Mar 7, 2018.
Looking for more? Browse all our products here
Explore our Key Issues on Information Security
Explore our other Key Issues here
