GAO: Software policies unheeded
- By Diane Frank
- May 15, 2000
Agencies fail to follow proper procedures to ensure that rewritten and upgraded
software does not introduce security holes that hackers could use to steal
sensitive government information, according to the General Accounting Office.
Half of the 16 agencies that GAO recently surveyed did not follow formal
policies when making changes to the software in agency systems. And the
policies that are in place at the remaining agencies do not meet federal
standards spelled out in several information technology laws and guidance
established by the Office of Management and Budget and the National Institute
of Standards and Technology.
GAO also found that agencies did not sufficiently supervise contractors
hired to work on software and that agencies did not conduct proper background
screening of the programmers hired to write software code.
"Overall, we concluded that controls over changes to software for federal
information systems as described in agency policies and procedures were
inadequate," wrote David McClure, associate director of Governmentwide and
Defense Information Systems at GAO, in a letter to Rep. Stephen Horn (R-Calif.).
Agencies must follow several laws and rules when rewriting code (see
box).
In November, Horn, chairman of the House Subcommittee on Government
Management, Information and Technology, asked GAO to study how agencies
manage contractors working on writing software for systems. He said he was
concerned that contractors hired to rewrite code to fix the Year 2000 problem
may have introduced security holes, either deliberately or by mistake.
GAO confirmed that "controls over access to and modification of software
are essential in providing reasonable assurance that system-based security
controls are not compromised," McClure wrote. But controls that meet federal
standards, for the most part, do not exist.
Agencies that have controls in place still need to tighten them, said
Jean Boltz, assistant director to McClure at GAO. "A lot of them did have
policies and procedures in place. There were just some deficiencies in them,"
Boltz said.
Agencies have begun to take steps to control how they manage software
changes. "The agencies are almost always working on improvements," Boltz
said. "But the Year 2000 really emphasizes for them the importance of this
issue."
OMB also has begun to make changes to Circular A-130, the central rule
for federal information system management. OMB has proposed one set of revisions,
which included guidance on how agencies should provide access to information
and to push agencies to exercise better oversight of information technology
investments [FCW, April 24, 2000].
OMB is also working on revisions to the circular's Appendix III, the
section dealing with federal information security. Those revisions "do not
include any additions or modifications to agency guidance regarding software
change controls or related controls pertaining to personnel and contract
oversight practices," according to McClure's letter.
GAO will turn over a copy of its report to OMB and recommend OMB clarify
its guidance. "We are going to encourage them to emphasize this area," Boltz
said.