
GAO discussed federal agencies' compliance with the Computer Security Act of 1987. GAO found that: (1) 45 agencies had training programs for their employees, 19 planned to develop training programs, 2 were unsure of when they would start training, 15 agencies had no computer systems with sensitive information, 3 agencies responded late to a GAO questionnaire, and 1 agency did not respond; (2) 31 of 45 agencies with training programs had 190 classroom courses or modules, while 35 had nonclassroom training activities; (3) most of the agencies were satisfied with the National Institute of Standards and Technology's (NIST) guidelines and the Office of Personnel Management's (OPM) training regulations; (4) 42 agencies timely submitted their security plans to NIST, 14 did not meet the deadline but planned to comply with the act's requirements, and 12 agencies indicated that they did not have sensitive systems; and (5) 48 agencies submitted 1,172 security plans for 2,245 systems, 11 agencies submitted plans for systems operated by other agencies, 16 agencies developed 184 plans for 228 systems operated by contractors, and 1 agency reported a plan for a state and local government system. GAO also: (1) developed security plans within the required time frame; (2) submitted five plans for its systems, four plans for systems operated by other agencies, and two plans for contractor-operated systems; and (3) was satisfied with Office of Management and Budget guidance on security plan development.
