GAO: Software policies unheeded

Agencies fail to follow proper procedures to ensure that rewritten and upgraded

software does not introduce security holes that hackers could use to steal

sensitive government information, according to the General Accounting Office.

Half of the 16 agencies that GAO recently surveyed did not follow formal

policies when making changes to the software in agency systems. And the

policies that are in place at the remaining agencies do not meet federal

standards spelled out in several information technology laws and guidance

established by the Office of Management and Budget and the National Institute

of Standards and Technology.

GAO also found that agencies did not sufficiently supervise contractors

hired to work on software and that agencies did not conduct proper background

screening of the programmers hired to write software code.

"Overall, we concluded that controls over changes to software for federal

information systems as described in agency policies and procedures were

inadequate," wrote David McClure, associate director of Governmentwide and

Defense Information Systems at GAO, in a letter to Rep. Stephen Horn (R-Calif.).

Agencies must follow several laws and rules when rewriting code (see

box).

In November, Horn, chairman of the House Subcommittee on Government

Management, Information and Technology, asked GAO to study how agencies

manage contractors working on writing software for systems. He said he was

concerned that contractors hired to rewrite code to fix the Year 2000 problem

may have introduced security holes, either deliberately or by mistake.

GAO confirmed that "controls over access to and modification of software

are essential in providing reasonable assurance that system-based security

controls are not compromised," McClure wrote. But controls that meet federal

standards, for the most part, do not exist.

Agencies that have controls in place still need to tighten them, said

Jean Boltz, assistant director to McClure at GAO. "A lot of them did have

policies and procedures in place. There were just some deficiencies in them,"

Boltz said.

Agencies have begun to take steps to control how they manage software

changes. "The agencies are almost always working on improvements," Boltz

said. "But the Year 2000 really emphasizes for them the importance of this

issue."

OMB also has begun to make changes to Circular A-130, the central rule

for federal information system management. OMB has proposed one set of revisions,

which included guidance on how agencies should provide access to information

and to push agencies to exercise better oversight of information technology

investments [FCW, April 24, 2000].

OMB is also working on revisions to the circular's Appendix III, the

section dealing with federal information security. Those revisions "do not

include any additions or modifications to agency guidance regarding software

change controls or related controls pertaining to personnel and contract

oversight practices," according to McClure's letter.

GAO will turn over a copy of its report to OMB and recommend OMB clarify

its guidance. "We are going to encourage them to emphasize this area," Boltz

said.