Computer Security:

Compliance With Security Plan Requirements of the Computer Security Act

IMTEC-89-55: Published: Jun 21, 1989. Publicly Released: Jun 21, 1989.

Additional Materials:


Office of Public Affairs
(202) 512-4800

Pursuant to a congressional request, GAO determined federal agencies' compliance with a legislative requirement to submit security plans for their computers containing sensitive information to the National Institute of Standards and Technology and the National Security Agency.

GAO found that: (1) the Computer Security Act of 1987 required agencies to establish and submit their computer security plans by January 8, 1989; (2) 50 of 85 surveyed agencies submitted all of their security plans, and 11 agencies submitted some of their security plans by the deadline; (3) 17 agencies reported that they had no computer systems that processed sensitive information; (4) five agencies did not submit security plans, with one citing its exemption from the act, three stating that they would submit plans later in 1989, and one not projecting when it would submit plans; (5) the agencies submitted a total of 1,592 plans; (6) most of the agencies submitting plans involved senior information resource managers, other senior managers, and system users in preparing and reviewing plans; (7) the submitted computer security plans generally were consistent with agency procedures and directives; and (8) agencies submitting plans typically used criteria based on Office of Management and Budget computer security plan guidance, as well as other criteria, to assess risks and develop protection requirements.

Oct 9, 2020

Sep 22, 2020

Sep 21, 2020

Sep 17, 2020

Sep 16, 2020

Aug 18, 2020

May 27, 2020

May 13, 2020

Apr 24, 2020

Apr 13, 2020

Looking for more? Browse all our products here