Highlights

Pursuant to a congressional request, GAO reviewed Federal Information Resources Management Regulation (FIRMR) Bulletin C-22, which provides guidance to federal agencies on the security and privacy protection of federal computer resources. GAO noted that the guidance: (1) is intended for general use by federal agencies; (2) does not address the various types of sensitive information disclosure; and (3) does not address all the methods available for removing highly sensitive information from computers.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Commerce
Recommendation: 1. The Administrator of General Services and the Secretary of Commerce should revise Bulletin C-22 by: (1) incorporating into it information already published in National Institute of Standards and Technology advisory material concerning the sensitivity of information and various appropriate methods of disposition; and (2) clearly stating that National Security Agency guidance on the secure handling of sensitive or classified information provides disposition alternatives that may be appropriate depending on the sensitivity of the data involved.
Status: Closed - Implemented
The report was just released to the agency on 8/17/93. It has not had time to fully respond to the recommendations. GSA has issued revised FIRMR Bulletin C-22, Supplement 1, dated July 8, 1994, that references NIST and NSA guidance concerning disposition alternatives for sensitive and classified information.

Agency Affected: General Services Administration
Recommendation: 2. The Administrator of General Services and the Secretary of Commerce should revise Bulletin C-22 by: (1) incorporating into it information already published in National Institute of Standards and Technology advisory material concerning the sensitivity of information and various appropriate methods of disposition; and (2) clearly stating that National Security Agency guidance on the secure handling of sensitive or classified information provides disposition alternatives that may be appropriate depending on the sensitivity of the data involved.
Status: Closed - Implemented
The report was released to the agency on August 17, 1993. It has not had time to fully respond to the recommendations. GSA has issued revised FIRMR Bulletin C-22, Supplement 1, dated July 8, 1994, that references NIST and NSA guidance concerning disposition alternatives for sensitive and classified information.
