Information Security:

Software Change Controls at the Department of Veterans Affairs

AIMD-00-201R: Published: Jun 30, 2000. Publicly Released: Jun 30, 2000.

Additional Materials:


Joel C. Willemssen
(202) 512-6253


Office of Public Affairs
(202) 512-4800

Pursuant to a congressional request, GAO reviewed the Department of Veteran Affairs' (VA) software change controls, focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.

GAO noted that: (1) the component-level policies and procedures used by VA components were adequate except the Veterans Benefits Administration did not address controlling installation of operating system software; (2) however, departmental guidance for software change control was limited to restricting access to operating system software and investigating unusual change activity; (3) the department-level policies did not address the following key controls: (a) documenting, approving, and testing software changes; (b) controlling application software libraries; and (c) monitoring changes, access to, and use of operating system software; (4) based on GAO's interviews, agency officials were not familiar with contractor practices for software management; (5) this is of some concern because VA used contract services for 40 (13 percent) of VA's 305 mission-critical systems included in GAO's review; (6) however, VA did not describe the protective controls in place to prevent unauthorized disclosure of code or unauthorized access to code; (7) therefore, GAO cannot evaluate the adequacy of these controls; (8) according to VA's comments, VA did not use the renovated code for these two mission-critical systems because the contractors had not completed the task; (9) nevertheless, as a general practice, controls over code are important during the transmission of code to a contractor facility and while at the contractor facility to prevent disclosure of code for intelligence gathering by malicious individuals; (10) VA officials told GAO that the nine contracts for year 2000 remediation services did not include provisions for background screening of personnel; (11) this is a potential concern because one contract for remediation of source code for a Veterans Health Administration project management system involved a foreign national; and (12) also, Office of Management and Budget and National Institute of Standards and Technology criteria require background screening of key staff involved with automated systems.

Jul 31, 2018

Jul 24, 2018

Jul 19, 2018

Jun 26, 2018

Jun 21, 2018

Jun 4, 2018

May 7, 2018

Apr 19, 2018

Apr 12, 2018

Looking for more? Browse all our products here