Compliance With Training Requirements of the Computer Security Act of 1987
IMTEC-89-16BR: Published: Feb 22, 1989. Publicly Released: Feb 22, 1989.
Pursuant to a congressional request, GAO assessed federal agencies' compliance with the Computer Security Act's requirement that agencies with computer systems containing sensitive information initiate training programs within 60 days after the Office of Personnel Management (OPM) issued a computer security training regulation.
GAO found that: (1) OPM issued an interim training regulation in July 1988; (2) 81 of 85 agencies responded to GAO's September 1988 questionnaire about computer security training programs; (3) 45 agencies implemented programs, offering a total of 190 training courses and 114 computer security training activities; (4) 19 agencies had not implemented programs, but reported plans to start them between November 1988 and April 1989; (5) two agencies without programs did not report their program implementation dates; (6) 15 agencies reported that they did not have any sensitive computer systems; (7) most of the agencies reported that their training programs followed the National Institute of Standards and Technology's (NIST) draft training regulations and the OPM training regulation, with the remaining agencies reporting that the agency head had approved their alternative programs; (8) most agencies were satisfied with both NIST draft training guidelines and the OPM training regulation; and (9) some of the programs lacked courses covering computer security life-cycle management or targeting senior management.