                                     United States General Accounting Office
          ___________________________________________________________________
          GAO                         Report to the Chairman, Committee on
                                      Science, Space, and Technology,
                                      House of Representatives

          ___________________________________________________________________
          May 1990                    COMPUTER SECURITY

                                      Governmentwide Planning Process
                                      Had Limited Impact




          ___________________________________________________________________
          GAO/IMTEC-90-48













         This U.S. General Accounting Office (GAO) report is 1 of 7
         available over the Internet as part of a test to determine
         whether there is sufficient interest within this community to
         warrant making all GAO reports available over the Internet.
         The file REPORTS at NIH lists the 7 reports.

         So that we can keep a count of report recipients, and your
         reaction, please send an E-Mail message to KH3@CU.NIH.GOV and
         include, along with your E-Mail address, the following
         information:

              1)   Your organization.

              2)   Your position/title and name (optional).

              3)   The title/report number of the above reports you have
                   retrieved electronically or ordered by mail or phone.

              4)   Whether you have ever obtained a GAO report before.

              5)   Whether you have copied a report onto another bulletin
                   board--if so, which report and bulletin board.

              6)   Other GAO report subjects you would be interested in.
                   GAO's reports cover a broad range of subjects such as
                   major weapons systems, energy, financial institutions,
                   and pollution control.

              7)   Any additional comments or suggestions.

         Thank you for your time.


         Sincerely,

         Jack L. Brock, Jr.
         Director,
         Government Information and Financial
         Management Issues
         Information Management and Technology Division










                 B-238954


                 May 10, 1990


                 The Honorable Robert A. Roe
                 Chairman, Committee on Science,
                   Space, and Technology
                 House of Representatives

                 Dear Mr. Chairman:

                 This report responds to your June 5, 1989, request and
                 subsequent agreements with your office that we review the
                 governmentwide computer security planning and review process
                 required by the Computer Security Act of 1987.  The act
                 required federal agencies to identify systems that contain
                 sensitive information and to develop plans to safeguard
                 them.  As agreed, we assessed the (1) planning process in 10
                 civilian agencies as well as the extent to which they
                 implemented planned controls described in 22 selected plans
                 and (2) National Institute of Standards and Technology
                 (NIST)/National Security Agency (NSA) review of the plans.

                 This is the fifth in a series of reports on implementation
                 of the Computer Security Act that GAO has prepared for your
                 committee.  Appendix I details the review's objectives,
                 scope, and methodology.  Appendix II describes the systems
                 covered by the 22 plans we reviewed.

                 RESULTS IN BRIEF
                 ----------------
                 The planning and review process implemented under the
                 Computer Security Act did little to strengthen computer
                 security governmentwide.  Although agency officials believe
                 that the process heightened awareness of computer security,
                 they typically described the plans as merely "reporting
                 requirements" and of limited use in addressing agency-
                 specific problems.

                 Officials cited three problems relating to the design and
                 implementation of the planning process:  (1) the plans
                 lacked adequate information to serve as management tools and
                 some agencies already had planning processes in place, (2)
                 managers had little time to prepare the plans, and (3) the
                 Office of Management and Budget (OMB) planning guidance was
                 sometimes unclear and misinterpreted by agency officials.




                 Although a year has passed since the initial computer
                 security plans were completed, agencies have made little
                 progress in implementing planned controls.  Agency officials
                 said that budget constraints and inadequate top management
                 support--in terms of resources and commitment--were key
                 reasons why controls had not been implemented.

                 Based on the results of the planning and review process,
                 OMB--in conjunction with NIST and NSA--issued draft security
                 planning guidance in January 1990.  The draft guidance
                 focuses on agency security programs and calls for NIST, NSA,
                 and OMB to visit agencies to discuss their security programs
                 and problems, and provide advice and technical assistance.
                 We believe that efforts directed toward assisting agencies
                 in solving specific problems and drawing top management
                 attention to computer security issues have greater potential
                 for improving computer security governmentwide.

                 BACKGROUND
                 ----------
                 The Computer Security Act of 1987 (P.L. 100-235) was passed
                 in response to concerns that the security of sensitive
                 information was not being adequately addressed in the
                 federal government.[1]  The act's intent was to improve the
                 security and privacy of sensitive information in federal
                 computer systems by establishing minimum security practices.
                 The act required agencies to (1) identify all developmental
                 and operational systems with sensitive information, (2)
                 develop and submit to NIST and NSA for advice and comment a
                 security and privacy plan for each system identified, and
                 (3) establish computer security training programs.

                 OMB Bulletin 88-16, developed with NIST and NSA assistance,
                 provides guidance on the computer security plans required by
                 the act.  To be in compliance, approximately 60 civilian
                 agencies submitted almost 1,600 computer security plans to a
                 NIST/NSA review team in early 1989.  Nearly all of these
                 plans followed, to some degree, the format and content
                 requested by the bulletin.  The bulletin requested that the
                 following information be included in each plan:


                 [1] The act defines sensitive information as any unclassified
                 information that in the event of loss, misuse, or
                 unauthorized access or modification, could adversely affect
                 the national interest, conduct of a federal program, or the
                 privacy individuals are entitled to under the Privacy Act of
                 1974 (5 U.S.C. 552a).


                 -- Basic system identification:  agency, system name and
                    type, whether the plan combines systems, operational
                    status, system purpose, system environment, and point of
                    contact.

                 -- Information sensitivity:  laws and regulations affecting
                    the system, protection requirements, and description of
                    sensitivity.

                 -- Security control status:  reported as "in place,"
                    "planned," "in place and planned" (i.e., some aspects of
                    the control are operational and others are planned), or
                    "not applicable," and a brief description of and expected
                    operational dates for controls that are reported as
                    planned.[2]  (Appendix V lists the controls.)

                 Appendix III presents a composite security plan that we
                 developed for this report as an example of the civilian
                 plans we reviewed.  It is representative of the content,
                 format, and common omissions of the plans.

                 PLANS HAD LIMITED IMPACT ON
                 ---------------------------
                 AGENCY COMPUTER SECURITY PROGRAMS
                 ---------------------------------
                 The goals of the planning process were commendable--to
                 strengthen computer security by helping agencies identify
                 and evaluate their security needs and controls for sensitive
                 systems.  According to agency officials, the process yielded
                 some benefits, the one most frequently cited being increased
                 management awareness of computer security.  Further, some
                 officials noted that the planning process provided a
          ...