Computer Security: Governmentwide Planning Process Had Limited Impact

Published by the Government Accountability Office on 1990-05-10.

Below is a raw (and likely hideous) rendition of the original report. (PDF)

May 1990

COMPUTER SECURITY
Governmentwide Planning Process Had Limited Impact



United States General Accounting Office
Washington, D.C. 20548

Information Management and Technology Division


May 10, 1990

The Honorable Robert A. Roe
Chairman, Committee on Science, Space, and Technology
House of Representatives

Dear Mr. Chairman:

This report responds to your June 5, 1989, request and subsequent agreements with your office that we review the governmentwide computer security planning and review process required by the Computer Security Act of 1987. The act required federal agencies to identify systems that contain sensitive information and to develop plans to safeguard them. As agreed, we assessed the (1) planning process in 10 civilian agencies as well as the extent to which they implemented planned controls described in 22 selected plans and (2) National Institute of Standards and Technology (NIST)/National Security Agency (NSA) review of the plans.

This is the fifth in a series of reports on implementation of the Computer Security Act that GAO has prepared for your committee. Appendix I details the review's objectives, scope, and methodology. Appendix II describes the systems covered by the 22 plans we reviewed.

Results in Brief

The planning and review process implemented under the Computer Security Act did little to strengthen computer security governmentwide. Although agency officials believe that the process heightened awareness of computer security, they typically described the plans as merely "reporting requirements" and of limited use in addressing agency-specific problems.

Officials cited three problems relating to the design and implementation of the planning process: (1) the plans lacked adequate information to serve as management tools and some agencies already had planning processes in place, (2) managers had little time to prepare the plans, and (3) the Office of Management and Budget (OMB) planning guidance was sometimes unclear and misinterpreted by agency officials.

Although a year has passed since the initial computer security plans were completed, agencies have made little progress in implementing planned controls. Agency officials said that budget constraints and inadequate top management support, in terms of resources and commitment, were key reasons why controls had not been implemented.

Page 1   GAO/IMTEC-90-48 Governmentwide Computer Security Planning
B-238064

Based on the results of the planning and review process, OMB, in conjunction with NIST and NSA, issued draft security planning guidance in January 1990. The draft guidance focuses on agency security programs and calls for NIST, NSA, and OMB to visit agencies to discuss their security programs and problems, and provide advice and technical assistance. We believe that efforts directed toward assisting agencies in solving specific problems and drawing top management attention to computer security issues have greater potential for improving computer security.

Background

The Computer Security Act of 1987 (P.L. 100-235) was passed in response to concerns that the security of sensitive information was not being adequately addressed in the federal government.1 The act's intent was to improve the security and privacy of sensitive information in federal computer systems by establishing minimum security practices. The act required agencies to (1) identify all developmental and operational systems with sensitive information, (2) develop and submit to NIST and NSA for advice and comment a security and privacy plan for each system identified, and (3) establish computer security training programs.

OMB Bulletin 88-16, developed with NIST and NSA assistance, provides guidance on the computer security plans required by the act. To be in compliance, approximately 60 civilian agencies submitted almost 1,600 computer security plans to a NIST/NSA review team in early 1989. Nearly all of these plans followed, to some degree, the format and content requested by the bulletin. The bulletin requested that the following information be included in each plan:

• Basic system identification: agency, system name and type, whether the plan combines systems, operational status, system purpose, system environment, and point of contact.
• Information sensitivity: laws and regulations affecting the system, protection requirements, and description of sensitivity.
• Security control status: reported as "in place," "planned," "in place and planned" (i.e., some aspects of the control are operational and others are planned), or "not applicable," and a brief description of and expected operational dates for controls that are reported as planned.2 (Appendix V lists the controls.)

1 The act defines sensitive information as any unclassified information that, in the event of loss, misuse, or unauthorized access or modification, could adversely affect the national interest, the conduct of a federal program, or the privacy individuals are entitled to under the Privacy Act of 1974 (5 U.S.C.

Appendix III presents a composite security plan that we developed for this report as an example of the civilian plans we reviewed. It is representative of the content, format, and common omissions of the plans.

Plans Had Limited Impact on Agency Computer Security Programs

The goals of the planning process were commendable: to strengthen computer security by helping agencies identify and evaluate their security needs and controls for sensitive systems. According to agency officials, the process yielded some benefits, the one most frequently cited being increased management awareness of computer security. Further, some officials noted that the planning process provided a framework for reviewing their systems' security controls.

However, problems relating to the design and implementation of the planning process limited its impact on agency security programs. Specifically, (1) the plans lacked adequate information to serve as effective management tools, (2) managers had little time to prepare the plans, and (3) the OMB guidance was sometimes unclear and misinterpreted by the agencies. Consequently, most agency officials viewed the plans as reporting requirements, rather than as management tools.

Plans Lacked Adequate Information to Serve as Effective Management Tools

Although agency officials said that security planning is essential to the effective management of sensitive systems, the plans lacked important information that managers need in order to plan, and to monitor and implement plans. The plans did not include this information, in part, because they were designed not only to help agencies plan, but also to facilitate NIST/NSA's review of the plans and to minimize the risks of unauthorized disclosure of vulnerabilities. For example:

• Many plans provided minimal descriptions (a sentence or nothing at all) of system sensitivity and planned security controls. Detailed descriptions would have made the plans more useful in setting priorities for implementing planned controls.
• The plans did not assign responsibility for each planned control. It was not clear, therefore, who was accountable for implementing the control (e.g., who would be performing a risk assessment).
• The plans did not include resource estimates needed to budget for planned actions.
• The plans generally did not refer to computer security-related internal control weaknesses, although such information can be important in developing plans.

2 In this report, we are using the term "planned controls" to include controls that agencies listed as "planned" or "in place and planned" in their January 1989 plans. Both categories indicated that the controls were not fully in place.

Finally, officials from about one-third of the agencies said that they already had more comprehensive planning processes to help them identify and evaluate their security needs. As a result, the governmentwide process was largely superfluous for these agencies. Officials at such agencies said that their plans, which included information such as detailed descriptions of security controls, already met the objectives of the governmentwide planning process. Many officials said that what they needed was assistance in areas such as network security.

Managers Had Little Time to Prepare the Plans

Officials had little time to adequately consider their security needs and prepare plans, further limiting the usefulness of the plans. OMB Bulletin 88-16 was issued July 6, 1988, 27 weeks before the plans were due to the NIST/NSA review team, as required by the Computer Security Act. However, less than 14 weeks was left after most agencies issued guidance on responding to the OMB request. Within the remaining time, instructions were sent to the component agencies and from there to the managers responsible for preparing the plans, meetings were held to discuss the plans, managers prepared the plans, and the plans were reviewed by component agencies and returned to the agencies for review. As a result, some managers had only a few days to prepare

Guidance Was Sometimes Unclear and Misinterpreted by Agencies

Many agency officials misinterpreted or found the guidance unclear as to how systems were to be combined in the plans, the definition of some key terms (e.g., "in place"), the level of expected detail, and the need to address telecommunications. For example, some plans combined many different types of systems, such as microcomputers and mainframes, having diverse functions and security needs, although the guidance specified that only similar systems could be combined. When dissimilar systems were combined, the plan's usefulness as a management tool was

Further, for plans that combined systems, some agencies reported that a security control was in place for the entire plan, although it was actually in place for only a few systems. Agency officials stated that they combined systems in accordance with their understanding of the OMB guidance and NIST/NSA verbal instructions.
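The over-reporting described above, where a control counted as "in place" for a whole plan although only some of the combined systems had it, is easy to reproduce and equally easy to guard against when plan-level status is rolled up from per-system records. The Python below is an added illustration written for this page; it is not part of the GAO report, OMB Bulletin 88-16, or any agency's plan. The plan, the three system names and their statuses are constructed, and the roll-up rules (plan-level "in place" only when every applicable system has the control, otherwise "in place and planned") are this example's own reading of the bulletin's four categories, not text from the bulletin.

```python
"""Roll up per-system security control status into a plan-level status.

OMB Bulletin 88-16 reported each control as "in place", "planned",
"in place and planned" (some aspects operational, others still planned)
or "not applicable".  When one plan covers several systems, the optimistic
reading "in place if any covered system has it" overstates coverage; a
plan-level "in place" should require every applicable system to have it.
The plan, system names and statuses below are constructed for this example
and are not taken from any agency submission or from the GAO report.
"""

IN_PLACE = "in place"
PLANNED = "planned"
BOTH = "in place and planned"
NA = "not applicable"
VALID_STATUSES = frozenset({IN_PLACE, PLANNED, BOTH, NA})


def invalid_statuses(statuses):
    """Return the status strings that are not one of the four bulletin categories."""
    return sorted({s for s in statuses.values() if s not in VALID_STATUSES})


def rollup_control(statuses):
    """Strict plan-level status for one control from its per-system statuses.

    statuses maps system name -> one of the four categories.
      all systems "not applicable"               -> "not applicable"
      every applicable system "in place"         -> "in place"
      no applicable system has any part in place -> "planned"
      anything else                              -> "in place and planned"
    Unrecognised strings raise so that a typo can never count as "in place".
    """
    bad = invalid_statuses(statuses)
    if bad:
        raise ValueError(f"unrecognised control status(es): {bad}")
    applicable = [s for s in statuses.values() if s != NA]
    if not applicable:
        return NA
    if all(s == IN_PLACE for s in applicable):
        return IN_PLACE
    if all(s == PLANNED for s in applicable):
        return PLANNED
    return BOTH


def naive_rollup_control(statuses):
    """The overstating reading: "in place" as soon as any one system reports it."""
    return IN_PLACE if IN_PLACE in statuses.values() else PLANNED


def systems_lacking(statuses):
    """Systems where the control is not fully operational (who still owes work)."""
    return sorted(name for name, s in statuses.items() if s in (PLANNED, BOTH))


def overstated_controls(plan):
    """Controls the naive roll-up reports "in place" but the strict one does not."""
    return sorted(
        control for control, statuses in plan.items()
        if naive_rollup_control(statuses) == IN_PLACE
        and rollup_control(statuses) != IN_PLACE
    )


# Constructed example: one plan combining a mainframe with two office
# microcomputer systems, the kind of dissimilar grouping GAO criticised.
SAMPLE_PLAN = {
    "Contingency plans": {
        "mainframe": IN_PLACE, "micro-A": PLANNED, "micro-B": PLANNED},
    "User identification and authentication": {
        "mainframe": IN_PLACE, "micro-A": IN_PLACE, "micro-B": IN_PLACE},
    "Audit trails and maintaining journals": {
        "mainframe": BOTH, "micro-A": PLANNED, "micro-B": NA},
    "Risk/sensitivity assessment": {
        "mainframe": PLANNED, "micro-A": PLANNED, "micro-B": PLANNED},
    "Security measures for support systems": {
        "mainframe": NA, "micro-A": NA, "micro-B": NA},
}


def report(plan):
    """Print strict vs naive status per control and the systems still lacking it."""
    for control, statuses in plan.items():
        print(f"{control}: strict={rollup_control(statuses)!r} "
              f"naive={naive_rollup_control(statuses)!r} "
              f"lacking={systems_lacking(statuses)}")
    print("overstated by naive roll-up:", overstated_controls(plan))


if __name__ == "__main__":
    report(SAMPLE_PLAN)
```

Run as a script, the report shows "Contingency plans" as "in place" under the naive reading and "in place and planned" under the strict one, with the two microcomputer systems listed as still lacking the control; that per-system gap list is exactly the information (who owes which control) that GAO found missing from the plans.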

In addition, officials were confused about how much detail to include in the plans and whether to address telecommunications issues (e.g., network security). For example, they said that although the guidance asked for brief descriptions of systems and information sensitivity, NIST/NSA reviewers frequently commented that plans lacked adequate descriptions. NIST officials said they expected that the plans would be more detailed and discuss the vulnerabilities inherent in networks. They said, in retrospect, that it would have been helpful if the guidance had provided examples and clarified the level of expected detail.

Agencies Have Not Implemented Most Planned Security Controls

Although a year has passed since the initial computer security plans were completed, agencies have made little progress in implementing planned controls.3 The 22 plans we reviewed contained 145 planned security controls. According to agency officials, as of January 1990, only 38 percent of the 145 planned controls had been implemented. Table 1 shows the number and percentage of planned security controls that had been implemented as of January 1990.

3 Only 4 percent of the security controls had implementation dates beyond January 1990.

Table 1: Implementation of Security Controls in 22 Plans

Security control                              Planned   Implemented   Percent implemented
Assignment of security responsibility               7             7                   100
Audit and variance detection                        7             7                   100
Confidentiality controls                            3             3                   100
User identification and authentication              2             2                   100
Personnel selection and screening                   7             6                    86
Security awareness and training measures           20            12                    60
Security measures for support systems               9             5                    56
Authorization/access controls                       4             2                    50
Contingency plans                                  11             5                    45
Data integrity and validation controls              8             2                    25
Audit trails and maintaining journals              12             2                    17
Production, input/output controls                   8             1                    13
Risk/sensitivity assessment                        11             1                     9
Security specifications                            10             0                     0
Design review and testing                          11             0                     0
Certification/accreditation                        14             0                     0
Software controls                                   1             0                     0
Total                                             145            55                    38

According to many agency officials, budget constraints and lack of adequate top management support, in terms of resources and commitment, were key reasons why security controls had not yet been

Although some officials stated that the planning process has raised management awareness of computer security issues, this awareness has, for the most part, apparently not yet resulted in increased resources for computer security programs. A number of officials said that security has been traditionally viewed as overhead and as a target for budget cuts. Some officials noted that requests for funding of contingency planning, full-time security officers, and training for security personnel and managers have a low approval rate.



NIST/NSA Review Feedback Was General and of Limited Use to Agencies

Agency officials said that the NIST/NSA review comments and recommendations on their plans were general and of limited use in addressing specific problems. However, because the plans were designed to be brief and minimize the risks of unauthorized disclosure, they had little detailed information for NIST and NSA to review. Thus, the NIST/NSA review team focused their comments on (1) the plans' conformity with the OMB planning guidance and (2) governmentwide guidance (e.g., NIST Federal Information Processing Standards publications) relating to planned security controls. (Appendix IV provides an example of typical NIST/NSA review comments and recommendations.)

Despite the limited agency use of the feedback, NIST officials said that the information in the plans will be useful to NIST in identifying broad security weaknesses and needs. During the review process, the NIST/NSA review team developed a data base that included the status of security controls for almost 1,600 civilian plans. NIST intends to use statistics from the data base to support an upcoming report on observations and lessons learned from the planning and review process. Noting that the data have limitations (for example, varying agency interpretations of "in place"), NIST officials said that areas showing the greatest percentage of planned controls indicated areas where more governmentwide guidance might be needed. Appendix V shows the status of security controls in the civilian plans, according to our analysis of the NIST/NSA data

Revised Guidance Provides for Agency Assistance

The 1990 draft OMB security planning guidance calls for NIST, NSA, and OMB to provide advice and technical assistance on computer security issues to federal agencies as needed. Under the guidance, NIST, NSA, and OMB would visit agencies and discuss (1) their computer security programs, (2) the extent to which the agencies have identified their sensitive computer systems, (3) the quality of their security plans, and (4) their unresolved internal control weaknesses. NIST officials said that the number of agencies visited in fiscal year 1991 will depend on that year's funding for NIST's Computer Security Division, which will lead NIST's effort, and the number of staff provided by NSA.

In addition, under the 1990 draft guidance, agencies would develop plans for sensitive systems that are new or significantly changed, did not have a plan for 1989, or had 1989 plans for which NIST and NSA could not provide comments because of insufficient information. Agencies would be required to review their component agency plans and provide independent advice and comment.

4 NIST and NSA deleted agency and system names from the data base provided to us.

Conclusions

The government faces new levels of risk in information security because of increased use of networks and computer literacy and greater dependence on information technology overall. As a result, effective computer security programs are more critical than ever in safeguarding the systems that provide essential government services.

The planning and feedback process was an effort to strengthen computer security by helping agencies identify and assess their sensitive system security needs, plans, and controls. However, the plans created under the process were viewed primarily as reporting requirements, and although the process may have elevated management awareness of computer security, as yet it has done little to strengthen agency computer security programs.

OMB's draft security planning guidance creates the potential for more meaningful improvements by going beyond planning and attempting to address broader agency-specific security problems. However, although NIST, NSA, and OMB assistance can provide an impetus for change, their efforts must be matched by agency management commitment and actions to make needed improvements. Ultimately, it is the agencies' responsibility to ensure that the information they use and maintain is adequately safeguarded and that appropriate security measures are in place and tested. Agency management of security is an issue we plan to address in our ongoing review of this important area.

As requested, we did not obtain written agency comments on this report. We did, however, discuss its contents with NIST, OMB, and NSA officials and have included their comments where appropriate. We conducted our review between July 1989 and March 1990, in accordance with generally accepted government auditing standards.

As arranged with your office, unless you publicly release the contents of this report earlier, we plan no further distribution until 30 days after the date of this letter. At that time we will send copies to the appropriate House and Senate committees, major federal agencies, OMB, NIST, NSA, and other interested parties. We will also make copies available to others on request.



This report was prepared under the direction of Jack L. Brock, Jr., Director, Government Information and Financial Management, who can be reached at (202) 275-3195. Other major contributors are listed in appendix VI.

Sincerely yours,

Ralph V. Carlone
Assistant Comptroller General

Contents

Appendix I     Objectives, Scope, and Methodology
Appendix II    Description of Systems in Plans GAO Reviewed
Appendix III   Computer Security and Privacy Plan
Appendix IV    NIST/NSA Feedback on Computer Security
Appendix V     Status of Security Controls in 1,542
Appendix VI    Major Contributors to This Report
Related GAO Products

Table          Table 1: Implementation of Security Controls in 22 Plans


Abbreviations

GAO     General Accounting Office
IMTEC   Information Management and Technology Division
NIST    National Institute of Standards and Technology
NSA     National Security Agency
OMB     Office of Management and Budget
Appendix I

Objectives, Scope, and Methodology

In response to a June 6, 1989, request of the Chairman, House Committee on Science, Space, and Technology, and subsequent agreements with his office, we assessed the impact of the computer security planning and review process required by the Computer Security Act of 1987.

As agreed, we limited our review primarily to 10 civilian agencies in the Washington, D.C. area: the Departments of Agriculture, Commerce, Energy, Health and Human Services, the Interior, Labor, Transportation, the Treasury, and Veterans Affairs and the General Services Administration. As agreed, the Department of Defense was excluded from our review because the plans it submitted differed substantially in format and content from the civilian plans.

Specifically, we

• assessed the computer security planning process and NIST/NSA review comments on the security plans developed as a result of the process,
• determined the extent to which the 10 agencies implemented planned control measures reported in 22 selected plans, and
• developed summary statistics using a NIST/NSA data base covering over 1,500 civilian computer security plans.

To assess the impact of the planning and review process on agencies' security programs, we interviewed information resource management, computer security, and other officials from the 10 agencies listed above. In addition, we interviewed officials from NIST, NSA, and OMB who were involved in the planning process, to gain their perspectives on the benefits and problems associated with the process.

We analyzed 22 computer security plans developed by the 10 agencies and the NIST/NSA review feedback relating to the plans. Most plans addressed groups of systems. (See app. II for a description of the systems.) We selected the systems primarily on the basis of their sensitivity, significance, and prior GAO, President's Council on Integrity and Efficiency, and OMB reviews. We also reviewed federal computer security planning and review guidance, department requests for agency component plans, and department and agency computer security policies.

To determine the extent to which planned computer security controls have been implemented, we reviewed the 22 plans and discussed with agency officials the status of these controls. To develop security plan statistics, we used the NIST/NSA data base, which contains data on the status of controls for over 1,500 plans. We did not verify the status of the planned controls as reported to us by agency officials, the accuracy of the plans, or the data in the NIST/NSA data base.
Appendix II

Description of Systems in Plam GAO Reviewed #_

Organization / Plan / System description

Farmers Home Administration
  Automated Field Management System: Provides automated local office tools to support 2,300 offices servicing agricultural and rural development loans.
  Accounting Systems: Provides automated accounting and reporting for agricultural and rural development insured and guaranteed loans; processed 11.2 million payments and produced more than 600 financial and 500 management reports in FY 88.

Patent and Trademark Office
  Patent and Trademark Automation Systems: Provides support for the management, administration, and evaluation of information related to patent and trademark application processing. Systems include Patent Application Locating and Monitoring; Trademark Receipts/Deposit Accounts; Automated Patent System; Administrative Support; and Office Automation.

Social Security Administration
  Benefit Payment System: Provides claims processing for retirement, survivors, disability, and supplemental security income payments through 1,350 field offices and 61 service centers.
  Social Security Number Assignment System: Assigns social security numbers through the field office network, central processing facility, and data communications of the Benefit Payment System.
  Earnings Maintenance System: Maintains an earnings history for each social security number holder. Information is sent by employers to three data operation centers and forwarded to the National Computer Center.
  Access Control Event Processor System: Controls employee movement through turnstiles, people traps, and secure areas. It also monitors fire alarm control panels and activates the fire and evacuation systems in an emergency.

Bureau of Labor Statistics
  Economic Statistics System: Provides statistics on employment and unemployment, prices and living conditions, compensation and working conditions, productivity, economic growth and employment projections, and occupational safety and health.

Employment Standards Administration
  Federal Employees' Compensation System: Provides for tracking and recording case status information in district offices. It allows medical and rehabilitation bill and compensation payment information to be transferred to their central facility for editing and calculation, voucher and report creation.

US Geological Survey
  National Digital Cartographic Data Base: Stores digitized map information for geological purposes to facilitate organizational requirements at the bureau, division, office, and other
  National Earthquake Information Service: Provides earthquake information to the academic community, the private sector, and government agencies.

Federal Aviation Administration
  En Route and Terminal Air Traffic Control System: Provides control to all en route aircraft in the U.S. that are operating under instrument flight rules and are not under the control of military or other
  Maintenance and Operations Support Systems: Provides maintenance monitoring and facility and equipment support through the Remote Maintenance Monitoring System, Research and Development Computer Complex, and System Support Computer Complex.
  Interfacility Communications: Provides ground-to-air electronic interfaces to aircraft.
  Ground-to-Air Systems: Provides aircraft position information, allows for discrete identification of aircraft, and provides the framework for data link services in U.S. airspace.
  Weather and Flight Services Systems: Used to predict, process, and disseminate weather information that will provide the aviation community with near real-time data derived from a variety of weather sensors.

Internal Revenue Service
  Compliance Processing: A series of programs used to ensure the highest level of voluntary taxpayer compliance with tax laws, based on research, examination of tax returns, and collection of tax deficiencies.
  Tax Processing System: Provides automated support for the business areas of input processing, investigation identification, and customer service.

Customs Service
  Automated Commercial System: Provides an on-line accounting and collection system for tracking and processing data and records pertaining to all cargo and merchandise imported into the United States.

Veterans Affairs Austin Data Center
  Mainframe Equipment Configuration: Provides programmatic data processing support. Processes approximately 70 separate applications and serves about 30,000 on-line users.

General Services Administration
  Federal Supply Management System: Federal Supply Management System for procuring and distributing supplies and equipment.

Department of Energy Strategic Petroleum Reserve Project Management Office
  Mainframe Computer and PC Sensitive Systems: Provides programmatic information required to manage, operate, and maintain the Strategic Petroleum Reserve during leach/fill operations, operational standby, and drawdown and distribution operations.
Appendix III

Computer Security and Privacy Plan

               We developed this composite security plan to show what most civilian
               plans contained, their format, and some common omissions. Notes in
               parentheses show common deviations from the OMB guidance.

               Computer Security and Privacy Plan


Reporting Department or Agency - Department of X

Organizational Subcomponent - Subagency Y

Operating Organization - Organization Z

System Name/Title - Automated Report Management System (ARMS)

               System Category
               [X] Major Application
               [ ] General-Purpose ADP Support System

               Level of Aggregation
               [X] Single Identifiable System
               [ ] Group of Similar Systems

               Operational Status
               [X] Operational
               [ ] Under Development

General Description/Purpose - The primary purpose of ARMS is to retrieve, create, process, store, and distribute data. (Note: The description and purpose are incomplete. OMB Bulletin 88-16 required a one or two paragraph description of the function and purpose of the system.)

System Environment and Special Considerations - System is controlled by an ABC series computer which is stored in the computer room. (Note: The environment is not adequately described. OMB Bulletin 88-16 requested a description of system location, types of computer hardware and software involved, types of users served, and other special considerations.)

Information Contact - Security Officer, J. Doe, 202/275-xxxx


General Description of Information Sensitivity

The data ARMS maintains and uses are those required to provide a total management information function. (Note: This description is inadequate. OMB Bulletin 88-16 requested that the plans describe, in general terms, the nature of the system and the need for protective measures.)

Applicable Laws or Regulations Affecting the System
5 U.S.C. 552a, "Privacy Act of 1974."

System Protection Requirements
The Protection Requirement is:

                          Primary     Secondary     Minimal/NA
[X] Confidentiality         [X]          [ ]            [ ]
[X] Integrity               [X]          [ ]            [ ]
[X] Availability            [ ]          [X]            [ ]

Risk Assessment - There currently exists no formal large-scale risk assessment covering ARMS. We are scheduling a formal risk analysis.

Applicable Guidance - FIPS PUB No. 41, Computer Security Guidelines for Implementing the Privacy Act of 1974; FIPS PUB No. 83, Guideline on User Authentication Techniques for Computer Network Access Control.


                                            In place    Planned    In place & planned    N/A
Assignment of Security Responsibility         [X]         [ ]             [ ]            [ ]
Assessment                                    [ ]         [ ]             [X]            [ ]

A formal risk analysis program will be used to update the current assessment. (Note: An expected operational date is not included. OMB Bulletin 88-16 states that there should be expected operational dates for controls that are planned or in place and planned.)

Personnel Selection/Screening                 [ ]         [ ]             [X]            [ ]

National Agency Check Inquiries (NACI) are required for all employees but have not been completed for everyone having access to sensitive information. Expected operational date - October 1989.

Security Specifications                       [X]         [ ]             [ ]            [ ]
Design Review & Testing                       [ ]         [ ]             [ ]            [X]
Accreditation                                 [ ]         [X]             [ ]            [ ]

(Note: No information is given for certification/accreditation. OMB Bulletin 88-16 states that a general description of the planned measures and expected operational dates should be provided.)

Production, I/O Controls                      [X]         [ ]             [ ]            [ ]
Contingency Planning                          [ ]         [X]             [ ]            [ ]

A contingency plan is being developed in compliance with requirements established by the agency's security program. Completion date - November 1990.

Audit and Variance Detection                  [ ]         [ ]             [X]            [ ]

Day-to-day procedures are being developed for variance detection. Audit reviews are also being developed and will be conducted on a monthly basis. Completion date - June 1989.

Software Maintenance Controls                 [X]         [ ]             [ ]            [ ]
Documentation                                 [X]         [ ]             [ ]            [ ]

Security Awareness and Training Measures      [ ]         [ ]             [X]            [ ]

Training for management and users in information and application security will be strengthened, and security awareness training provided for all new employees beginning in June 1989.

User Identification and Authentication        [X]         [ ]             [ ]            [ ]
Access Controls                               [X]         [ ]             [ ]            [ ]
Data Integrity & Validation Controls          [X]         [ ]             [ ]            [ ]
Audit Trails & Journaling                     [X]         [ ]             [ ]            [ ]

Security Measures for Support Systems         [X]         [ ]             [ ]            [ ]

(Note: This section was left blank in most plans. OMB Bulletin 88-16 stated that the purpose of this section was to give agency planners the opportunity to include comments concerning needs for additional guidance, standards, or other tools to improve system protection.)
Appendix IV

NIST/NSA Feedback on Computer Security Plans

The following example shows typical NIST/NSA comments and


              REF. NO. 0001

              AGENCY NAME: Department of X, Subagency Y

              SYSTEM NAME: Automated Report Management System

The brevity of information in the information sensitivity, general system description, and the system environment sections made it difficult to understand the security needs of the system. Information on the physical, operational, and technical environment and the nature of the sensitivity is essential to understanding the security needs of the system.
              For some controls, such as security training and awareness, expected
              operational dates are not indicated as required by OMB Bulletin 88-16.

              The plan refers to the development control, design review and testing,
              as not applicable. Even in an operational system, development controls
              should be addressed as historical security measures and as ongoing mea-
              sures for changing hardware and software.

              The plan notes that a more formal risk assessment is being planned. This
              effort should help your organization more effectively manage risks and
              security resources. National Institute of Standards and Technology Fed-
              eral Information Processing Standards Publication 65, “Guideline for
              Automatic Data Processing Risk Analysis,” and 73, “Guideline for the
              Security of Computer Applications” may be of help in this area.

Appendix V

Status of Security Controls in 1,542 Plans

Security controls                                   Plan           In place     Planned and     Planned
                                                    responses (a)  (percent)    in place        (percent)
                                                                                (percent)
Management controls
  Assignment of security responsibility             1,448             91             5               4
  Personnel selection and screening                 1,268             84            11               5
  Risk analysis and sensitivity assessment          1,321             71            13              17
Development controls
  Design review and testing                           728             82            10               8
  Certification and accreditation                     948             66            10              24
  Security and acquisition specifications           1,093             83            10               7
Operational controls
  Audit and variance detection                      1,177             81             7              12
  Documentation                                     1,375             83            10               8
  Emergency, backup, and contingency planning       1,381             69            14              17
  Physical and environmental protection               450             87            10               4
  Production and input/output controls              1,290             87             7               7
  Software maintenance controls                     1,327             87             7               7
  Security training and awareness measures          1,408             58            27              15
Technical controls
  Authorization/access controls                     1,389             87             6               7
  Confidentiality controls                            357             84             7               9
  Audit trail mechanisms                            1,194             83             8               9
  Integrity controls                                1,220             85             8               7
  User identification and authentication            1,370             87             7               6
Weighted average                                                      81            10              10

Note: The status of security controls is based on information reported in 1,542 civilian plans in early 1989 and contained in the NIST/NSA data base. Missing and not applicable answers were not included in the percentages. Some percentages do not add up to 100 due to rounding.
(a) "Plan responses" is the number of plans, out of 1,542, that addressed each control.
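As an added consistency check (this code is not part of the GAO report), the following Python recomputes the three weighted averages from the 18 rows of the table, weighting each row's percentages by its plan-response count. The data are transcribed from the table; the function and variable names are this example's own. It reproduces 81 and 10 for the first two columns. The third printed figure did not survive the conversion of the original; recomputed from the rows it is about 9.7, which rounds to 10 on its own, so the three averages sum to 101, the same rounding effect the report's note describes for individual rows (five of the 18 rows sum to 101).

```python
"""Recompute the weighted averages in the Appendix V table from its own rows.

Added worked example; the numbers are transcribed from the table above,
the code is not from the GAO report.
"""
from typing import Dict, List, Tuple

# (control, plan responses, in place %, planned and in place %, planned %)
# transcribed from the 18 control rows of the table.
CONTROLS: List[Tuple[str, int, int, int, int]] = [
    ("Assignment of security responsibility", 1448, 91, 5, 4),
    ("Personnel selection and screening", 1268, 84, 11, 5),
    ("Risk analysis and sensitivity assessment", 1321, 71, 13, 17),
    ("Design review and testing", 728, 82, 10, 8),
    ("Certification and accreditation", 948, 66, 10, 24),
    ("Security and acquisition specifications", 1093, 83, 10, 7),
    ("Audit and variance detection", 1177, 81, 7, 12),
    ("Documentation", 1375, 83, 10, 8),
    ("Emergency, backup, and contingency planning", 1381, 69, 14, 17),
    ("Physical and environmental protection", 450, 87, 10, 4),
    ("Production and input/output controls", 1290, 87, 7, 7),
    ("Software maintenance controls", 1327, 87, 7, 7),
    ("Security training and awareness measures", 1408, 58, 27, 15),
    ("Authorization/access controls", 1389, 87, 6, 7),
    ("Confidentiality controls", 357, 84, 7, 9),
    ("Audit trail mechanisms", 1194, 83, 8, 9),
    ("Integrity controls", 1220, 85, 8, 7),
    ("User identification and authentication", 1370, 87, 7, 6),
]

# Column names in the same order as the three percentage fields of each row.
STATUS_COLUMNS = ("in_place", "planned_and_in_place", "planned")


def total_responses(rows=CONTROLS) -> int:
    """Total number of control responses across all rows (the weights)."""
    return sum(r[1] for r in rows)


def weighted_averages(rows=CONTROLS) -> Dict[str, float]:
    """Response-weighted mean of each status column, unrounded.

    Each row's percentages are weighted by how many plans addressed that
    control, so a control addressed by 1,400 plans counts roughly three
    times as much as one addressed by 450 plans.
    """
    total = total_responses(rows)
    return {
        name: sum(r[1] * r[2 + i] for r in rows) / total
        for i, name in enumerate(STATUS_COLUMNS)
    }


def rounded_averages(rows=CONTROLS) -> Dict[str, int]:
    """The averages as they would be printed, each column rounded on its own."""
    return {k: int(round(v)) for k, v in weighted_averages(rows).items()}


def rows_not_summing_to_100(rows=CONTROLS) -> List[Tuple[str, int]]:
    """Rows whose three rounded percentages do not sum to 100 (rounding)."""
    return [(r[0], r[2] + r[3] + r[4]) for r in rows if r[2] + r[3] + r[4] != 100]


if __name__ == "__main__":
    print("total responses:", total_responses())
    for name, value in weighted_averages().items():
        print(f"{name:22s} {value:6.2f}")
    print("rounded:", rounded_averages())
    print("rows not summing to 100:", rows_not_summing_to_100())
```

Because the row percentages are themselves rounded, the recomputed averages can differ from ones computed on the raw counts by a few hundredths of a point; that is not enough to move any of the three rounded figures here.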
Major Contributors to This Report

Information Management and Technology Division, Washington, D.C.
  Linda D. Koontz, Assistant Director
  Jerilynn B. Hoy, Assignment Manager
  Beverly A. Peterson, Evaluator-in-Charge
  Barbara J. James, Evaluator
Related GAO Products

Computer Security: Identification of Sensitive Systems Operated on Behalf of Ten Agencies (GAO/IMTEC-89-70, Sept. 27, 1989).

Computer Security: Compliance With Security Plan Requirements of the Computer Security Act (GAO/IMTEC-89-55, June 21, 1989).

Computer Security: Compliance With Training Requirements of the Computer Security Act of 1987 (GAO/IMTEC-89-16BR, Feb. 22, 1989).

Computer Security: Status of Compliance With the Computer Security Act of 1987 (GAO/IMTEC-88-61BR, Sept. 22, 1988).