Summary: Under the Computer Security Act of 1987, federal agencies must identify computer systems containing sensitive information and come up with plans to safeguard them. Most federal agencies have security controls in place for sensitive computer systems. Over the last two years, the percentage of implemented controls has risen from 78 percent to 92 percent. In addition, agencies have instituted 88 percent of applicable controls for nine new systems GAO reviewed. Agency officials have said that some new controls have yet to be implemented because (1) the systems are undergoing changes that may affect existing security controls, (2) the agencies are improving security controls, and (3) one new system is in the early stages of development. Most agencies continue to believe that security planning increases management awareness of computer security. They also believe that visits by the Office of Management and Budget and others, in which technical advice and other assistance may be offered, strengthen management commitment to computer security.