Agencies fail to protect software, report says

By Frank Micciche

July 12, 2000

fmicciche@govexec.com

In letters sent to chief information officers at 16 federal agencies, the General Accounting Office has detailed widespread non-compliance with policies in place to protect the government's software code.

The findings first surfaced in a spring briefing conducted for Rep. Stephen Horn, R-Calif., chairman of the Government Reform Subcommittee on Government Management, Information and Technology. Horn had requested the investigation last November, when agencies were in the midst of addressing potential Y2K problems.

"Overall, we concluded that controls over changes to software for federal information systems were inadequate," wrote David McClure, GAO's associate director of governmentwide and defense information systems.

GAO found that half of the agencies had yet to adopt formal agencywide policies for software change management, exposing their systems to carelessness and inconsistency at best and to the introduction of malicious code at worst. To address this gap, the office is recommending that the Office of Management and Budget clarify official guidance on such matters in a reworked version of Circular A-130, "Management of Federal Information Resources."

The letters also highlighted problems with oversight of federal IT systems by agencies that employed contractors to surmount potential Y2K hurdles last year. More than 30 percent of the agency components studied allowed non-U.S. contractors to make changes and remediations to software programs without any formalized clearance.

Most startling was the discovery that not one of the 15 agencies that utilized private contractors in its software change or Y2K remediation efforts, including the Defense and State departments, could account for the security of information transmitted to contractors. Any breach could have threatened hundreds of mission-critical systems across the federal spectrum, the report said.

Below are GAO's general ratings of each of the 16 agencies.

For each agency, GAO's rating is given in three areas: policies and procedures, contract oversight, and background checks on contractors.

State
  Policies and procedures: Existing policy does not adequately address key SCCs*.
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Satisfactory (Bureau of Diplomatic Security issued report on foreign contractor involvement).

Commerce
  Policies and procedures: Departmentwide guidance inadequate.
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Background checks not routine for contractors involved in software change/handling code.

Treasury
  Policies and procedures: Existing policy does not adequately, or at all, address key SCCs.
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Satisfactory.

Veterans Affairs
  Policies and procedures: All but one component's SCC policy adequate.
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Background checks not routine for contractors involved in software change/Y2K remediation.

Transportation
  Policies and procedures: 9 of 12 components have no formal procedures for SCCs.
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Background checks for those involved in software change, but not for Y2K remediation contractors.

Energy
  Policies and procedures: Departmentwide guidance and formal procedures at 17 of 20 components studied inadequate.
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Background checks not routine for contractors involved in software changes or Y2K remediation.

Interior
  Policies and procedures: No departmentwide SCC policy. Spotty component SCC/Y2K remediation policies.
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Background checks not routine for contractors involved in software changes or Y2K remediation.

Justice
  Policies and procedures: No departmentwide SCC policy. No component SCC policy at FBI, INTERPOL, Justice Management Division, U.S. Marshals. Inadequate component SCC policy at others.
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Satisfactory.

Labor
  Policies and procedures: No departmentwide SCC policy. Spotty component SCC/Y2K remediation policies.
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Satisfactory.

NASA
  Policies and procedures: No departmentwide SCC policy. Component policies not provided to GAO.
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Satisfactory.

Office of Personnel Management
  Policies and procedures: No office-level guidance for SCCs. (Issued moratorium on changes from 11/99 to 3/00.)
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Satisfactory.

Social Security Administration
  Policies and procedures: Improvements in place as result of IG report on weaknesses in policy.
  Contract oversight: Satisfactory.
  Background checks on contractors: Satisfactory.

Defense
  Policies and procedures: No departmentwide SCC policy. Spotty component SCC policies.
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Satisfactory.

Agriculture
  Policies and procedures: No departmentwide SCC policy. Component policies inadequate.
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Background checks not routine for contractors involved in software changes or Y2K remediation.

Health and Human Services
  Policies and procedures: No departmentwide SCC policy. Spotty component SCC/Y2K remediation policies.
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Inconsistent policy on background checks for contractors involved in software changes or Y2K remediation.

Housing and Urban Development
  Policies and procedures: Policies and procedures
  Contract oversight: Could not account for security of code once transmitted to contractors.
  Background checks on contractors: Background checks for contractors, but not for certain key staff involved in software change.

*SCCs = software change controls


http://www.govexec.com/technology/2000/07/agencies-fail-to-protect-software-report-says/6803/