Summary: Pursuant to a congressional request, GAO reviewed the Department of Veterans Affairs' (VA) software change controls, focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.
GAO noted that: (1) the component-level policies and procedures used by VA components were adequate, except that the Veterans Benefits Administration did not address controlling installation of operating system software; (2) however, departmental guidance for software change control was limited to restricting access to operating system software and investigating unusual change activity; (3) the department-level policies did not address the following key controls: (a) documenting, approving, and testing software changes; (b) controlling application software libraries; and (c) monitoring changes to, access to, and use of operating system software; (4) based on GAO's interviews, agency officials were not familiar with contractor practices for software management; (5) this is of some concern because VA used contract services for 40 (13 percent) of VA's 305 mission-critical systems included in GAO's review; (6) however, VA did not describe the protective controls in place to prevent unauthorized disclosure of code or unauthorized access to code; (7) therefore, GAO cannot evaluate the adequacy of these controls; (8) according to VA's comments, VA did not use the renovated code for these two mission-critical systems because the contractors had not completed the task; (9) nevertheless, as a general practice, controls over code are important during the transmission of code to a contractor facility and while at the contractor facility to prevent disclosure of code for intelligence gathering by malicious individuals; (10) VA officials told GAO that the nine contracts for year 2000 remediation services did not include provisions for background screening of personnel; (11) this is a potential concern because one contract for remediation of source code for a Veterans Health Administration project management system involved a foreign national; and (12) also, Office of Management and Budget and National Institute of Standards and Technology criteria require background screening of key staff involved with automated systems.