Summary: Pursuant to a congressional request, GAO reviewed software change controls at the Department of Justice (DOJ), focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.
GAO noted that: (1) based on GAO's interviews and review of documented security policies and procedures, background screenings of personnel involved in the software change process were a routine security control at DOJ; (2) officials told GAO that all 37 contracts for remediation services of 137 mission-critical systems included provisions for background checks of contractor staff; (3) this is important because GAO found that although foreign nationals were involved in one Drug Enforcement Administration (DEA) contract, officials told GAO that adequate personnel security controls were practiced; (4) however, GAO identified several weaknesses related to formal policies and procedures for software change control and contract oversight; (5) formally documented component-level policies and procedures at DEA, the Immigration and Naturalization Service (INS), and the Antitrust Division (ATR) did not meet federal criteria; (6) specifically, the documented procedures at these components did not address the following key software change controls: (a) ATR procedures did not address testing of changes, protection of application software libraries, and restricting and monitoring of access to operating system software; (b) DEA procedures did not adequately address restricting access to program code in and monitoring access to operating system software; and (c) INS procedures did not adequately address control of application software libraries; (7) based on GAO's interviews, DEA and the Federal Bureau of Investigation (FBI) officials were not familiar with contractor practices for software management when source code was out of the agency's direct control; and (8) specifically, FBI and DEA electronically transmitted code for six mission-critical systems to contractor facilities for remediation, and agency officials could not readily determine how the code was protected during and after transit to the contractor facilities.