Status of Compliance With the Computer Security Act of 1987

In response to a congressional request, GAO discussed federal agencies' compliance with Computer Security Act of 1987 requirements to: (1) establish training programs; and (2) identify computer systems that contain sensitive information. GAO found that: (1) 74 of the 89 agencies identified all of their sensitive systems; (2) six agencies had not yet identified all of their sensitive systems; and (3) four agencies did not respond because they were not sure whether they were subject to the act. GAO also found that: (1) the Navy reported 27,000 sensitive systems, which was about half of the total systems reported; (2) the Army reported 12,000 sensitive systems; (3) the Air Force reported 10,000 sensitive systems; (4) other Department of Defense components reported 3,000 sensitive systems; (5) all other civilian agencies reported about 1,400 sensitive systems; and (6) the Office of Personnel Management's training regulation became effective 5 days after the act's deadline.