GAO: Software policies unheeded

Related Links

"Security Guidance"

Agencies fail to follow proper procedures to ensure that rewritten and upgraded

software does not introduce security holes that hackers could use to steal

sensitive government information, according to the General Accounting Office.

Half of the 16 agencies that GAO recently surveyed did not follow formal

policies when making changes to the software in agency systems. And the

policies that are in place at the remaining agencies do not meet federal

standards spelled out in several information technology laws and guidance

established by the Office of Management and Budget and the National Institute

of Standards and Technology.

GAO also found that agencies did not sufficiently supervise contractors

hired to work on software and that agencies did not conduct proper background

screening of the programmers hired to write software code.

"Overall, we concluded that controls over changes to software for federal

information systems as described in agency policies and procedures were

inadequate," wrote David McClure, associate director of Governmentwide and

Defense Information Systems at GAO, in a letter to Rep. Stephen Horn (R-Calif.).

Agencies must follow several laws and rules when rewriting code (see

box).

In November, Horn, chairman of the House Subcommittee on Government

Management, Information and Technology, asked GAO to study how agencies

manage contractors working on writing software for systems. He said he was

concerned that contractors hired to rewrite code to fix the Year 2000 problem

may have introduced security holes, either deliberately or by mistake.

GAO confirmed that "controls over access to and modification of software

are essential in providing reasonable assurance that system-based security

controls are not compromised," McClure wrote. But controls that meet federal

standards, for the most part, do not exist.

Agencies that have controls in place still need to tighten them, said

Jean Boltz, assistant director to McClure at GAO. "A lot of them did have

policies and procedures in place. There were just some deficiencies in them,"

Boltz said.

Agencies have begun to take steps to control how they manage software

changes. "The agencies are almost always working on improvements," Boltz

said. "But the Year 2000 really emphasizes for them the importance of this

issue."

OMB also has begun to make changes to Circular A-130, the central rule

for federal information system management. OMB has proposed one set of revisions,

which included guidance on how agencies should provide access to information

and to push agencies to exercise better oversight of information technology

investments [FCW, April 24, 2000].

OMB is also working on revisions to the circular's Appendix III, the

section dealing with federal information security. Those revisions "do not

include any additions or modifications to agency guidance regarding software

change controls or related controls pertaining to personnel and contract

oversight practices," according to McClure's letter.

GAO will turn over a copy of its report to OMB and recommend OMB clarify

its guidance. "We are going to encourage them to emphasize this area," Boltz

said.

Featured

  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.