United States General Accounting Office
___________________________________________________________________
GAO Report to the Chairman, Committee on Science, Space, and
Technology, House of Representatives
___________________________________________________________________
May 1990
COMPUTER SECURITY: Governmentwide Planning Process Had
Limited Impact
___________________________________________________________________
GAO/IMTEC-90-48
This U.S. General Accounting Office (GAO) report is 1 of 7
available over the Internet as part of a test to determine
whether there is sufficient interest within this community to
warrant making all GAO reports available over the Internet.
The file REPORTS at NIH lists the 7 reports.
So that we can keep a count of report recipients, and your
reaction, please send an E-Mail message to KH3@CU.NIH.GOV and
include, along with your E-Mail address, the following
information:
1) Your organization.
2) Your position/title and name (optional).
3) The title/report number of the above reports you have
retrieved electronically or ordered by mail or phone.
4) Whether you have ever obtained a GAO report before.
5) Whether you have copied a report onto another bulletin
board--if so, which report and bulletin board.
6) Other GAO report subjects you would be interested in.
GAO's reports cover a broad range of subjects such as
major weapons systems, energy, financial institutions,
and pollution control.
7) Any additional comments or suggestions.
Thank you for your time.
Sincerely,
Jack L. Brock, Jr.
Director,
Government Information and Financial
Management Issues
Information Management and Technology Division
B-238954
May 10, 1990
The Honorable Robert A. Roe
Chairman, Committee on Science,
Space, and Technology
House of Representatives
Dear Mr. Chairman:
This report responds to your June 5, 1989, request and
subsequent agreements with your office that we review the
governmentwide computer security planning and review process
required by the Computer Security Act of 1987. The act
required federal agencies to identify systems that contain
sensitive information and to develop plans to safeguard
them. As agreed, we assessed the (1) planning process in 10
civilian agencies as well as the extent to which they
implemented planned controls described in 22 selected plans
and (2) National Institute of Standards and Technology
(NIST)/National Security Agency (NSA) review of the plans.
This is the fifth in a series of reports on implementation
of the Computer Security Act that GAO has prepared for your
committee. Appendix I details the review's objectives,
scope, and methodology. Appendix II describes the systems
covered by the 22 plans we reviewed.
RESULTS IN BRIEF
----------------
The planning and review process implemented under the
Computer Security Act did little to strengthen computer
security governmentwide. Although agency officials believe
that the process heightened awareness of computer security,
they typically described the plans as merely "reporting
requirements" and of limited use in addressing agency-
specific problems.
Officials cited three problems relating to the design and
implementation of the planning process: (1) the plans
lacked adequate information to serve as management tools and
some agencies already had planning processes in place, (2)
managers had little time to prepare the plans, and (3) the
Office of Management and Budget (OMB) planning guidance was
sometimes unclear and misinterpreted by agency officials.
Although a year has passed since the initial computer
security plans were completed, agencies have made little
progress in implementing planned controls. Agency officials
said that budget constraints and inadequate top management
support--in terms of resources and commitment--were key
reasons why controls had not been implemented.
Based on the results of the planning and review process,
OMB--in conjunction with NIST and NSA--issued draft security
planning guidance in January 1990. The draft guidance
focuses on agency security programs and calls for NIST, NSA,
and OMB to visit agencies to discuss their security programs
and problems, and provide advice and technical assistance.
We believe that efforts directed toward assisting agencies
in solving specific problems and drawing top management
attention to computer security issues have greater potential
for improving computer security governmentwide.
BACKGROUND
----------
The Computer Security Act of 1987 (P.L. 100-235) was passed
in response to concerns that the security of sensitive
information was not being adequately addressed in the
federal government.[1] The act's intent was to improve the
security and privacy of sensitive information in federal
computer systems by establishing minimum security practices.
The act required agencies to (1) identify all developmental
and operational systems with sensitive information, (2)
develop and submit to NIST and NSA for advice and comment a
security and privacy plan for each system identified, and
(3) establish computer security training programs.
OMB Bulletin 88-16, developed with NIST and NSA assistance,
provides guidance on the computer security plans required by
the act. To be in compliance, approximately 60 civilian
agencies submitted almost 1,600 computer security plans to a
NIST/NSA review team in early 1989. Nearly all of these
plans followed, to some degree, the format and content
requested by the bulletin. The bulletin requested that the
following information be included in each plan:
-- Basic system identification: agency, system name and
type, whether the plan combines systems, operational
status, system purpose, system environment, and point of
contact.
-- Information sensitivity: laws and regulations affecting
the system, protection requirements, and description of
sensitivity.
-- Security control status: reported as "in place,"
"planned," "in place and planned" (i.e., some aspects of
the control are operational and others are planned), or
"not applicable," and a brief description of and expected
operational dates for controls that are reported as
planned.[2] (Appendix V lists the controls.)
Appendix III presents a composite security plan that we
developed for this report as an example of the civilian
plans we reviewed. It is representative of the content,
format, and common omissions of the plans.
[Footnote 1] The act defines sensitive information as any
unclassified information that in the event of loss, misuse,
or unauthorized access or modification, could adversely
affect the national interest, conduct of a federal program,
or the privacy individuals are entitled to under the Privacy
Act of 1974 (5 U.S.C. 552a).
PLANS HAD LIMITED IMPACT ON AGENCY COMPUTER SECURITY PROGRAMS
-------------------------------------------------------------
The goals of the planning process were commendable--to
strengthen computer security by helping agencies identify
and evaluate their security needs and controls for sensitive
systems. According to agency officials, the process yielded
some benefits, the one most frequently cited being increased
management awareness of computer security. Further, some
officials noted that the planning process provided a
framework for reviewing their systems' security controls.
However, problems relating to the design and implementation
of the planning process limited its impact on agency
security programs. Specifically, (1) the plans lacked
adequate information to serve as effective management tools,
(2) managers had little time to prepare the plans, and (3)
the OMB guidance was sometimes unclear and misinterpreted by
the agencies. Consequently, most agency officials viewed
the plans as reporting requirements, rather than as
management tools.
[Footnote 2] In this report, we are using the term "planned
controls" to include controls that agencies listed as
"planned" or "in place and planned" in their January 1989
plans. Both categories indicated that the controls were not
fully in place.
Plans Lacked Adequate Information to Serve as Effective
Management Tools
-------------------------------------------------------
Although agency officials said that security planning is
essential to the effective management of sensitive systems,
the plans lacked important information that managers need
in order to prepare plans and to monitor and implement them.
The plans did not include this information, in part, because
they were designed not only to help agencies plan, but also
to facilitate NIST/NSA's review of the plans and to minimize
the risks of unauthorized disclosure of vulnerabilities.
For example:
-- Many plans provided minimal descriptions (a sentence or
nothing at all) of system sensitivity and planned
security controls. Detailed descriptions would have
made the plans more useful in setting priorities for
implementing planned controls.
-- The plans did not assign responsibility for each planned
control. It was not clear, therefore, who was
accountable for implementing the control (e.g., who would
be performing a risk assessment).
-- The plans did not include resource estimates needed to
budget for planned actions.
-- The plans generally did not refer to computer security-
related internal control weaknesses, although such
information can be important in developing plans.
Finally, officials from about one-third of the agencies said
that they already had more comprehensive planning processes
to help them identify and evaluate their security needs. As
a result, the governmentwide process was largely superfluous
for these agencies. Officials at such agencies said that
their plans, which included information such as detailed
descriptions of security controls, already met the
objectives of the governmentwide planning process. Many
officials said that what they needed was assistance in areas
such as network security.
Managers Had Little Time to Prepare the Plans
---------------------------------------------
Officials had little time to adequately consider their
security needs and prepare plans, further limiting the
usefulness of the plans. OMB Bulletin 88-16 was issued July
6, 1988, 27 weeks before the plans were due to the NIST/NSA
review team, as required by the Computer Security Act.
However, fewer than 14 weeks were left after most agencies
issued guidance on responding to the OMB request. Within
the remaining time, instructions were sent to the component
agencies and from there to the managers responsible for
preparing the plans, meetings were held to discuss the
plans, managers prepared the plans, and the plans were
reviewed by component agencies and returned to the agencies
for review. As a result, some managers had only a few days
to prepare plans.
Guidance Was Sometimes Unclear and Misinterpreted by Agencies
-------------------------------------------------------------
Many agency officials misinterpreted or found the guidance
unclear as to how systems were to be combined in the plans,
the definition of some key terms (e.g., "in place"), the
level of expected detail, and the need to address
telecommunications. For example, some plans combined many
different types of systems--such as microcomputers and
mainframes--having diverse functions and security needs,
although the guidance specified that only similar systems
could be combined. When dissimilar systems were combined,
the plan's usefulness as a management tool was limited.
Further, for plans that combined systems, some agencies
reported that a security control was in place for the entire
plan, although it was actually in place for only a few
systems. Agency officials stated that they combined systems
in accordance with their understanding of the OMB guidance
and NIST/NSA verbal instructions.
In addition, officials were confused about how much detail
to include in the plans and whether to address
telecommunications issues (e.g., network security). For
example, they said that although the guidance asked for
brief descriptions of systems and information sensitivity,
NIST/NSA reviewers frequently commented that plans lacked
adequate descriptions. NIST officials said they expected
that the plans would be more detailed and discuss the
vulnerabilities inherent in networks. They said, in
retrospect, that it would have been helpful if the guidance
had provided examples and clarified the level of expected
detail.
AGENCIES HAVE NOT IMPLEMENTED MOST PLANNED SECURITY CONTROLS
------------------------------------------------------------
Although a year has passed since the initial computer
security plans were completed, agencies have made little
progress in implementing planned controls.[3] The 22 plans we
reviewed contained 145 planned security controls. According
to agency officials, as of January 1990, only 38 percent of
the 145 planned controls had been implemented.
Table 1 shows the number and percentage of planned security
controls that had been implemented as of January 1990.

Table 1: Implementation of Security Controls in 22 Plans

                                                              Percent
Security control                        Planned  Implemented  implemented
--------------------------------------  -------  -----------  -----------
Assignment of security responsibility         7            7          100
Audit and variance detection                  7            7          100
Confidentiality controls                      3            3          100
User identification and authentication        2            2          100
Personnel selection and screening             7            6           86
Security measures for support systems         9            5           56
Security awareness and training measures     20           12           60
Authorization/access controls                 4            2           50
Contingency plans                            11            5           45
Data integrity and validation controls        8            2           25
Audit trails and maintaining journals        12            2           17
Production, input/output controls             8            1           13
Risk/sensitivity assessment                  11            1            9
Security specifications                      10            0            0
Design review and testing                    11            0            0
Certification/accreditation                  14            0            0
Software controls                             1            0            0
--------------------------------------  -------  -----------  -----------
Total                                       145           55            -

[Footnote 3] Only 4 percent of the security controls had
implementation dates beyond January 1990.
According to many agency officials, budget constraints and
lack of adequate top management support--in terms of
resources and commitment--were key reasons why security
controls had not yet been implemented.
Although some officials stated that the planning process has
raised management awareness of computer security issues,
this awareness has, for the most part, apparently not yet
resulted in increased resources for computer security
programs. A number of officials said that security has been
traditionally viewed as overhead and as a target for budget
cuts. Some officials noted that requests for funding of
contingency planning, full-time security officers, and
training for security personnel and managers have a low
approval rate.
NIST/NSA REVIEW FEEDBACK WAS GENERAL AND OF LIMITED USE TO AGENCIES
-------------------------------------------------------------------
Agency officials said that the NIST/NSA review comments and
recommendations on their plans were general and of limited
use in addressing specific problems. However, because the
plans were designed to be brief and minimize the risks of
unauthorized disclosure, they had little detailed
information for NIST and NSA to review. Thus, the NIST/NSA
review team focused their comments on (1) the plans'
conformity with the OMB planning guidance and (2)
governmentwide guidance (e.g., NIST Federal Information
Processing Standards publications) relating to planned
security controls. (Appendix IV provides an example of
typical NIST/NSA review comments and recommendations.)
Despite the limited agency use of the feedback, NIST
officials said that the information in the plans will be
useful to NIST in identifying broad security weaknesses and
needs. During the review process, the NIST/NSA review team
developed a data base that included the status of security
controls for almost 1,600 civilian plans. NIST intends to
use statistics from the data base to support an upcoming
report on observations and lessons learned from the planning
and review process. Noting that the data have limitations--
for example, varying agency interpretations of "in place"--
NIST officials said that areas showing the greatest
percentage of planned controls indicated areas where more
governmentwide guidance might be needed. Appendix V shows
the status of security controls in the civilian plans,
according to our analysis of the NIST/NSA data base.[4]
REVISED GUIDANCE PROVIDES FOR AGENCY ASSISTANCE
-----------------------------------------------
The 1990 draft OMB security planning guidance calls for
NIST, NSA, and OMB to provide advice and technical
assistance on computer security issues to federal agencies
as needed. Under the guidance, NIST, NSA, and OMB would
visit agencies and discuss (1) their computer security
programs, (2) the extent to which the agencies have
identified their sensitive computer systems, (3) the quality
of their security plans, and (4) their unresolved internal
control weaknesses. NIST officials said that the number of
agencies visited in fiscal year 1991 will depend on that
year's funding for NIST's Computer Security Division, which
will lead NIST's effort, and the number of staff provided by
NSA.
In addition, under the 1990 draft guidance, agencies would
develop plans for sensitive systems that are new or
significantly changed, did not have a plan for 1989, or had
1989 plans for which NIST and NSA could not provide comments
because of insufficient information. Agencies would be
required to review their component agency plans and provide
independent advice and comment.
CONCLUSIONS
-----------
The government faces new levels of risk in information
security because of increased use of networks and computer
literacy and greater dependence on information technology
overall. As a result, effective computer security programs
are more critical than ever in safeguarding the systems that
provide essential government services.
[Footnote 4] NIST and NSA deleted agency and system names
from the data base provided to us.
The planning and feedback process was an effort to
strengthen computer security by helping agencies identify
and assess their sensitive system security needs, plans, and
controls. However, the plans created under the process were
viewed primarily as reporting requirements, and although the
process may have elevated management awareness of computer
security, as yet it has done little to strengthen agency
computer security programs.
OMB's draft planning security guidance creates the potential
for more meaningful improvements by going beyond planning
and attempting to address broader agency-specific security
problems. However, although NIST, NSA, and OMB assistance
can provide an impetus for change, their efforts must be
matched by agency management commitment and actions to make
needed improvements. Ultimately, it is the agencies'
responsibility to ensure that the information they use and
maintain is adequately safeguarded and that appropriate
security measures are in place and tested. Agency
management of security is an issue we plan to address in our
ongoing review of this important area.
--- --- ---
As requested, we did not obtain written agency comments on
this report. We did, however, discuss its contents with
NIST, OMB, and NSA officials and have included their
comments where appropriate. We conducted our review between
July 1989 and March 1990, in accordance with generally
accepted government auditing standards.
As arranged with your office, unless you publicly release
the contents of this report earlier, we plan no further
distribution until 30 days after the date of this letter.
At that time we will send copies to the appropriate House
and Senate committees, major federal agencies, OMB, NIST,
NSA, and other interested parties. We will also make copies
available to others on request.
This report was prepared under the direction of Jack L.
Brock, Jr., Director, Government Information and Financial
Management, who can be reached at (202) 275-3195. Other
major contributors are listed in appendix VI.
Sincerely yours,
Ralph V. Carlone
Assistant Comptroller General
CONTENTS                                                   Page
--------                                                   ----
LETTER                                                        1
APPENDIX
  I    Objectives, Scope, and Methodology                    12
  II   Plans GAO Reviewed                                    14
  III  Computer Security and Privacy Plan                    16
  IV   NIST/NSA Feedback on Computer Security Plans          21
  V    Status of Security Controls in 1,542 Plans            22
  VI   Major Contributors to This Report                     24
Related GAO Products                                         25
TABLE
  1    Implementation of Security Controls in 22 Plans        6
ABBREVIATIONS
-------------
GAO General Accounting Office
IMTEC Information Management and Technology Division
NIST National Institute of Standards and Technology
NSA National Security Agency
OMB Office of Management and Budget
APPENDIX I
OBJECTIVES, SCOPE, AND METHODOLOGY
----------------------------------
In response to a June 5, 1989, request of the Chairman,
House Committee on Science, Space, and Technology, and
subsequent agreements with his office, we assessed the
impact of the computer security planning and review process
required by the Computer Security Act of 1987.
As agreed, we limited our review primarily to 10 civilian
agencies in the Washington, D.C. area: the Departments of
Agriculture, Commerce, Energy, Health and Human Services,
the Interior, Labor, Transportation, the Treasury, and
Veterans Affairs and the General Services Administration.
As agreed, the Department of Defense was excluded from our
review because the plans it submitted differed
substantially in format and content from the civilian plans.
Specifically, we
-- assessed the computer security planning process and
NIST/NSA review comments on the security plans developed as
a result of the process,
-- determined the extent to which the 10 agencies implemented
planned control measures reported in 22 selected plans, and
-- developed summary statistics using a NIST/NSA data base
covering over 1,500 civilian computer security plans.
To assess the impact of the planning and review process on
agencies' security programs, we interviewed information
resource management, computer security, and other officials
from the 10 agencies listed above. In addition, we
interviewed officials from NIST, NSA, and OMB who were
involved in the planning process, to gain their perspectives
on the benefits and problems associated with the process.
We analyzed 22 computer security plans developed by the 10
agencies and the NIST/NSA review feedback relating to the
plans. Most plans addressed groups of systems. (See app.
II for a description of the systems.) We selected the
systems primarily on the basis of their sensitivity,
significance, and prior GAO, President's Council on
Integrity and Efficiency, and OMB reviews. We also reviewed
federal computer security planning and review guidance,
department requests for agency component plans, and
department and agency computer security policies.
To determine the extent to which planned computer security
controls have been implemented, we reviewed the 22 plans and
discussed with agency officials the status of these
controls. To develop security plan statistics, we used the
NIST/NSA data base, which contains data on the status of
controls for over 1,500 plans. We did not verify the status
of the planned controls as reported to us by agency
officials, the accuracy of the plans, or the data in the
NIST/NSA data base.
APPENDIX II
PLANS GAO REVIEWED
------------------
Organization                              Plan
------------                              ----
Farmers Home Administration               Automated Field Management System
                                          Accounting Systems
Patent and Trademark Office               Patent and Trademark Automation Systems
Social Security Administration            Benefit Payment System
                                          Social Security Number Assignment System
                                          Earnings Maintenance System
                                          Access Control Event Processor System
Bureau of Labor Statistics                Economic Statistics System
Employment Standards Administration       Federal Employees' Compensation System
                                          Level I
U.S. Geological Survey                    National Digital Cartographic Data Base
                                          National Earthquake Information Service
Federal Aviation Administration           En Route and Terminal Air Traffic
                                          Control System
                                          Maintenance and Operations Support Systems
                                          Interfacility Communications System
                                          Ground-to-Air Systems
                                          Weather and Flight Services Systems
Internal Revenue Service                  Compliance Processing System
                                          Tax Processing System
Customs Service                           Automated Commercial System
Veterans Affairs Austin Data              Mainframe Equipment Configuration
  Processing Center
General Services Administration           FSS-19 Federal Supply System
Department of Energy Strategic            Mainframe Computer and PC Sensitive
  Petroleum Reserve Project               Systems
  Management Office
Note: Summary information describing each of the above
systems has been omitted from this version of the report.
Call GAO report distribution at 202-275-6241 to obtain a
complete copy of this report.
APPENDIX III
COMPUTER SECURITY AND PRIVACY PLAN
----------------------------------
We developed this composite security plan to show what most
civilian plans contained, their format, and some common omissions.
Notes in parentheses show common deviations from the OMB guidance.
Computer Security and Privacy Plan
1. BASIC SYSTEM IDENTIFICATION
Reporting Department or Agency - Department of X
Organizational Subcomponent - Subagency Y
Operating Organization - Organization Z
System Name/Title - Automated Report Management System (ARMS)
System Category
[X] Major Application
[ ] General-Purpose ADP Support System
Level of Aggregation
[X] Single Identifiable System
[ ] Group of Similar Systems
Operational Status
[X] Operational
[ ] Under Development
General Description/Purpose - The primary purpose of ARMS is
to retrieve, create, process, store, and distribute data.
(Note: The description and purpose are incomplete. OMB
Bulletin 88-16 required a one- or two-paragraph description
of the function and purpose of the system.)
System Environment and Special Considerations - System is
controlled by an ABC series computer which is stored in the
computer room. (Note: The environment is not adequately
described. OMB Bulletin 88-16 requested a description of
system location, types of computer hardware and software
involved, types of users served, and other special
considerations.)
Information Contact - Security Officer, J. Doe, 202/275-xxxx
2. SENSITIVITY OF INFORMATION
General Description of Information Sensitivity
The data ARMS maintains and uses are those required to provide
a total management information function. (Note: This
description is inadequate. OMB Bulletin 88-16 requested that
the plans describe, in general terms, the nature of the system
and the need for protective measures.)
Applicable Laws or Regulations Affecting the System
5 U.S.C. 552a, "Privacy Act," c. 1974.
System Protection Requirements
The Protection Requirement is:
                         Primary   Secondary   Minimal/NA
[X] Confidentiality        [X]        [ ]         [ ]
[X] Integrity              [X]        [ ]         [ ]
[X] Availability           [ ]        [X]         [ ]
3. SYSTEM SECURITY MEASURES
Risk Assessment - There currently exists no formal large scale
risk assessment covering ARMS. We are scheduling a formal
risk analysis.
Applicable Guidance - FIPS PUB No. 41, Computer Security
Guidelines for Implementing the Privacy Act of 1974;
FIPS PUB No. 83, Guidelines on User Authentication Techniques
for Computer Network Access Control.
SECURITY MEASURES
-----------------
MANAGEMENT CONTROLS
                                        In Place  Planned  In Place & Planned  N/A
                                        --------  -------  ------------------  ---
Assignment of Security Responsibility     [X]       [ ]           [ ]          [ ]
Risk/Sensitivity Assessment               [ ]       [ ]           [X]          [ ]
  A formal risk analysis program will be used to update the
  current assessment. (Note: An expected operational date is
  not included. OMB Bulletin 88-16 states that there should be
  expected operational dates for controls that are planned or
  in place and planned.)
Personnel Selection and Screening         [ ]       [ ]           [X]          [ ]
  National Agency Check Inquiries (NACI) are required for all
  employees but have not been completed for everyone having
  access to sensitive information. Expected operational date -
  October 1989.
DEVELOPMENT CONTROLS
                                        In Place  Planned  In Place & Planned  N/A
                                        --------  -------  ------------------  ---
Security Specifications                   [X]       [ ]           [ ]          [ ]
Design Review & Testing                   [ ]       [ ]           [ ]          [X]
Certification/Accreditation               [ ]       [X]           [ ]          [ ]
  (Note: No information is given for certification/
  accreditation. OMB Bulletin 88-16 states that a general
  description of the planned measures and expected operational
  dates should be provided.)
OPERATIONAL CONTROLS
                                        In Place  Planned  In Place & Planned  N/A
                                        --------  -------  ------------------  ---
Production, I/O Controls                  [X]       [ ]           [ ]          [ ]
Contingency Planning                      [ ]       [X]           [ ]          [ ]
  A contingency plan is being developed in compliance with
  requirements established by the agency's security program.
  Completion date - November 1990.
Audit and Variance Detection              [ ]       [ ]           [X]          [ ]
  Day-to-day procedures are being developed for variance
  detection. Audit reviews are also being developed and will be
  conducted on a monthly basis. Completion date - June 1989.
Software Maintenance Controls             [X]       [ ]           [ ]          [ ]
Documentation                             [X]       [ ]           [ ]          [ ]
SECURITY AWARENESS AND TRAINING
                                        In Place  Planned  In Place & Planned  N/A
                                        --------  -------  ------------------  ---
Security Awareness and Training Measures  [ ]       [ ]           [X]          [ ]
  Training for management and users in information and
  application security will be strengthened, and security
  awareness training provided for all new employees beginning in
  June 1989.
TECHNICAL CONTROLS
                                        In Place  Planned  In Place & Planned  N/A
                                        --------  -------  ------------------  ---
User Identification and Authentication    [X]       [ ]           [ ]          [ ]
Authorization/Access Controls             [X]       [ ]           [ ]          [ ]
Data Integrity & Validation Controls      [X]       [ ]           [ ]          [ ]
Audit Trails & Journaling                 [X]       [ ]           [ ]          [ ]
SUPPORT SYSTEM SECURITY MEASURES
                                        In Place  Planned  In Place & Planned  N/A
                                        --------  -------  ------------------  ---
Security Measures for Support Systems     [X]       [ ]           [ ]          [ ]
4. NEEDS AND ADDITIONAL COMMENTS
(Note: This section was left blank in most plans. OMB
Bulletin 88-16 stated that the purpose of this section was to
give agency planners the opportunity to include comments
concerning needs for additional guidance, standards, or other
tools to improve system protection.)
APPENDIX IV
NIST/NSA FEEDBACK ON COMPUTER SECURITY PLANS
--------------------------------------------
The following example shows typical NIST/NSA comments and
recommendations.
COMPUTER SECURITY PLAN REVIEW PROJECT COMMENTS AND RECOMMENDATIONS
REF. NO. 0001
AGENCY NAME: Department of X
Subagency Y
SYSTEM NAME: Automated Report Management System
The brevity of information in the information sensitivity, general
system description, and the system environment sections made it
difficult to understand the security needs of the system.
Information on the physical, operational, and technical environment
and the nature of the sensitivity is essential to understanding the
security needs of the system.
For some controls, such as security training and awareness,
expected operational dates are not indicated as required by OMB
Bulletin 88-16.
The plan refers to the development control, design review and
testing, as not applicable. Even in an operational system,
development controls should be addressed as historical security
measures and as ongoing measures for changing hardware and
software.
The plan notes that a more formal risk assessment is being planned.
This effort should help your organization more effectively manage
risks and security resources. National Institute of Standards and
Technology Federal Information Processing Standards Publication 65,
"Guideline for Automatic Data Processing Risk Analysis," and 73,
"Guideline for the Security of Computer Applications" may be of
help in this area.
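The omissions flagged in the composite plan (Appendix III) and the points raised in the NIST/NSA comments above are mechanical enough to check automatically. The following is an added example, not code from GAO, OMB, NIST or NSA: it holds a plan in a small dataclass and applies the OMB Bulletin 88-16 expectations the report describes (narrative descriptions of adequate length, descriptions and expected operational dates for planned controls, only similar systems combined in one plan, development controls addressed even on operational systems, a filled-in needs section). The field names, the status vocabulary, the 30-word threshold and the ARMS sample plan are all constructed for this example.

```python
"""Completeness review of a Computer Security Act plan.

Added example, not GAO, OMB, NIST or NSA code.  It encodes the OMB
Bulletin 88-16 expectations noted in the composite plan (Appendix III)
and the NIST/NSA review comments (Appendix IV) as checks over a plan
held in a dataclass.  Field names, the word-count threshold and the
sample plan are constructed for this example.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Status vocabulary of the 1989 plans.  The report counts both
# "planned" and "in place and planned" as not fully in place.
IN_PLACE = "in place"
PLANNED = "planned"
IN_PLACE_AND_PLANNED = "in place and planned"
NOT_APPLICABLE = "not applicable"
NOT_FULLY_IN_PLACE = {PLANNED, IN_PLACE_AND_PLANNED}

# Appendix IV: development controls should be addressed even for an
# operational system, so "not applicable" there deserves a comment.
DEVELOPMENT_CONTROLS = {
    "security specifications",
    "design review and testing",
    "certification/accreditation",
}

# Assumed threshold for the "one or two paragraph" descriptions the
# bulletin asked for; one-sentence entries fall well below it.
MIN_WORDS = 30


@dataclass
class Control:
    name: str
    status: str
    description: str = ""
    expected_date: str = ""     # e.g. "October 1989"; empty when omitted


@dataclass
class Plan:
    system_name: str
    operational: bool
    system_types: list[str]     # assumed field: hardware classes covered
    description: str
    environment: str
    sensitivity: str
    controls: list[Control] = field(default_factory=list)
    needs_and_comments: str = ""


def review_plan(plan: Plan) -> list[str]:
    """Return the findings a reviewer applying Bulletin 88-16 would raise."""
    findings: list[str] = []

    # Brief narrative sections make the security needs hard to judge.
    for label, text in (
        ("general description/purpose", plan.description),
        ("system environment", plan.environment),
        ("information sensitivity", plan.sensitivity),
    ):
        words = len(text.split())
        if words < MIN_WORDS:
            findings.append(f"{label}: too brief ({words} words)")

    # The guidance allowed only similar systems to be combined.
    if len(set(plan.system_types)) > 1:
        findings.append("combined plan mixes dissimilar system types: "
                        + ", ".join(sorted(set(plan.system_types))))

    for c in plan.controls:
        if c.status in NOT_FULLY_IN_PLACE:
            if not c.description.strip():
                findings.append(f"{c.name}: planned control has no description")
            if not c.expected_date.strip():
                findings.append(f"{c.name}: planned control has no expected "
                                "operational date")
        if (plan.operational and c.status == NOT_APPLICABLE
                and c.name in DEVELOPMENT_CONTROLS):
            findings.append(f"{c.name}: marked not applicable on an "
                            "operational system")

    if not plan.needs_and_comments.strip():
        findings.append("needs and additional comments: section left blank")
    return findings


# Constructed sample mirroring the ARMS composite plan in Appendix III.
ARMS = Plan(
    system_name="Automated Report Management System (ARMS)",
    operational=True,
    system_types=["mainframe"],
    description="The primary purpose of ARMS is to retrieve, create, "
                "process, store, and distribute data.",
    environment="System is controlled by an ABC series computer which "
                "is stored in the computer room.",
    sensitivity="The data ARMS maintains and uses are those required to "
                "provide a total management information function.",
    controls=[
        Control("assignment of security responsibility", IN_PLACE),
        Control("risk/sensitivity assessment", IN_PLACE_AND_PLANNED,
                "A formal risk analysis program will update the assessment."),
        Control("personnel selection and screening", IN_PLACE_AND_PLANNED,
                "NACI checks not yet completed for all staff.", "October 1989"),
        Control("design review and testing", NOT_APPLICABLE),
        Control("certification/accreditation", PLANNED),
        Control("contingency planning", PLANNED,
                "A contingency plan is being developed.", "November 1990"),
    ],
)

if __name__ == "__main__":
    for finding in review_plan(ARMS):
        print("-", finding)
```

Run on the ARMS sample, the checker reproduces the Appendix III notes and the Appendix IV comments: three brief narrative sections, a planned risk assessment and a planned certification with no expected date, a certification with no description, design review marked not applicable on an operational system, and an empty needs section.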
21
APPENDIX V APPENDIX V
STATUS OF SECURITY CONTROLS IN 1,542 PLANS
------------------------------------------
                                             Plan        In place   Planned &   Planned
Security control                             responses   (percent)  in place    (percent)
                                             (a)                    (percent)
------------------------------------------   ---------   ---------  ----------  ---------
Management controls
  Assignment of security responsibility      1,448       91         5           4
  Personnel selection and screening          1,268       84         11          5
  Risk analysis and sensitivity assessment   1,321       71         13          17
Development controls
  Design review and testing                  728         82         10          8
  Certification and accreditation            948         66         10          24
  Security and acquisition specifications    1,093       83         10          7
Operational controls
  Audit and variance detection               1,177       81         7           12
  Documentation                              1,375       83         10          8
  Emergency, backup, and contingency
    planning                                 1,381       69         14          17
  Physical and environmental protection      450         87         10          4
  Production and input/output controls       1,290       87         7           7
  Software maintenance controls              1,327       87         7           7
  Security training and awareness measures   1,408       58         27          15
Technical controls
  Authorization/access controls              1,389       87         6           7
  Confidentiality controls                   357         84         7           9
  Audit trail mechanisms                     1,194       83         8           9
  Integrity controls                         1,220       85         8           7
  User identification and authentication     1,370       87         7           6
Weighted average                             --          81         10          10
Note: The status of security controls is based on information reported
in 1,542 civilian plans in early 1989 and contained in the NIST/NSA data
base. Missing and not applicable answers were not included in the
percentages. Some percentages do not add up to 100 due to rounding.
(a) "Plan responses" is the number of plans, out of 1,542, that addressed
each control.
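As an added example (not part of the GAO report), the following Python script parses the Appendix V table in the layout shown above, recomputes the report's response-weighted "Weighted average" row, and ranks controls by the share of plans that reported them not fully in place, using the letter's own definition of planned controls ("planned" plus "in place and planned"). The parser, the weighting and the ranking metric are this example's own; the figures are transcribed from the table.

```python
"""Response-weighted summary of the Appendix V control-status table.

Added example for this page; it is not part of the GAO report. The
figures in APPENDIX_V_TEXT are transcribed from Appendix V (status of
controls reported in 1,542 civilian plans, early 1989). The parser, the
weighting and the "not fully in place" metric are this example's own.
"""
import re
from dataclasses import dataclass

# Table text in the report's own layout (transcribed, not generated).
# The weighted-average line is left out so the code can recompute it.
APPENDIX_V_TEXT = """\
Management controls
  Assignment of security responsibility      1,448   91    5    4
  Personnel selection and screening          1,268   84   11    5
  Risk analysis and sensitivity assessment   1,321   71   13   17
Development controls
  Design review and testing                    728   82   10    8
  Certification and accreditation              948   66   10   24
  Security and acquisition specifications    1,093   83   10    7
Operational controls
  Audit and variance detection               1,177   81    7   12
  Documentation                              1,375   83   10    8
  Emergency, backup, and contingency
    planning                                 1,381   69   14   17
  Physical and environmental protection        450   87   10    4
  Production and input/output controls       1,290   87    7    7
  Software maintenance controls              1,327   87    7    7
  Security training and awareness measures   1,408   58   27   15
Technical controls
  Authorization/access controls              1,389   87    6    7
  Confidentiality controls                     357   84    7    9
  Audit trail mechanisms                     1,194   83    8    9
  Integrity controls                         1,220   85    8    7
  User identification and authentication     1,370   87    7    6
"""


@dataclass(frozen=True)
class ControlStatus:
    group: str
    control: str
    responses: int             # plans (of 1,542) that addressed the control
    in_place: int              # percent reported "in place"
    planned_and_in_place: int  # percent reported "in place and planned"
    planned: int               # percent reported "planned"

    @property
    def not_fully_in_place(self) -> int:
        # The report counts both "planned" and "in place and planned" as
        # planned controls, i.e. controls that were not fully in place.
        return self.planned + self.planned_and_in_place


# A data row: label text, then a plan count (with thousands comma), then
# three percentages. Group headings and wrapped label fragments carry no
# trailing numbers and fall through to the other branches.
ROW = re.compile(r"^(.*?)\s+([\d,]+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_table(text: str) -> list[ControlStatus]:
    rows: list[ControlStatus] = []
    group = ""
    pending: list[str] = []  # label fragments from a wrapped control name
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line)
        if m:
            label = " ".join(pending + [m.group(1).strip()])
            pending = []
            rows.append(ControlStatus(
                group, label, int(m.group(2).replace(",", "")),
                int(m.group(3)), int(m.group(4)), int(m.group(5))))
        elif line.startswith(" "):
            pending.append(line.strip())   # first part of a wrapped name
        else:
            group = line.strip()           # unindented: a group heading
    return rows


def weighted_average(rows: list[ControlStatus], field: str) -> int:
    """Percent averaged over plans, weighting each control by its responses."""
    total = sum(r.responses for r in rows)
    return round(sum(getattr(r, field) * r.responses for r in rows) / total)


def summary(rows: list[ControlStatus]) -> dict[str, int]:
    return {f: weighted_average(rows, f)
            for f in ("in_place", "planned_and_in_place", "planned")}


def least_implemented(rows: list[ControlStatus], top: int = 3) -> list[tuple[str, int]]:
    """Controls with the largest share of plans reporting them not fully in place."""
    ranked = sorted(rows, key=lambda r: r.not_fully_in_place, reverse=True)
    return [(r.control, r.not_fully_in_place) for r in ranked[:top]]


if __name__ == "__main__":
    rows = parse_table(APPENDIX_V_TEXT)
    print(len(rows), "controls;", sum(r.responses for r in rows), "plan responses")
    print("weighted average:", summary(rows))
    for control, pct in least_implemented(rows):
        print(f"{pct:3d}%  {control}")
```

Running the script reproduces the table's weighted-average row (81/10/10) from the 18 control rows and 20,744 plan responses. Weighting by responses matters because controls such as confidentiality (357 responses) and physical and environmental protection (450) were addressed in far fewer plans than the rest; the ranking puts security training and awareness, certification and accreditation, and contingency planning at the top of the not-fully-in-place list.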
APPENDIX VI APPENDIX VI
MAJOR CONTRIBUTORS TO THIS REPORT
---------------------------------
INFORMATION MANAGEMENT AND TECHNOLOGY DIVISION, WASHINGTON, D.C.
----------------------------------------------------------------
Linda D. Koontz, Assistant Director
Jerilynn B. Hoy, Assignment Manager
Beverly A. Peterson, Evaluator-in-Charge
Barbarol J. James, Evaluator
(510465)
RELATED GAO PRODUCTS
--------------------
Computer Security: Identification of Sensitive Systems Operated on
Behalf of Ten Agencies (GAO/IMTEC-89-70, Sept. 27, 1989).
Computer Security: Compliance With Security Plan Requirements of the
Computer Security Act (GAO/IMTEC-89-55, June 21, 1989).
Computer Security: Compliance With Training Requirements of the
Computer Security Act of 1987 (GAO/IMTEC-89-16BR, Feb. 22, 1989).
Computer Security: Status of Compliance With the Computer Security Act
of 1987 (GAO/IMTEC-88-61BR, Sept. 22, 1988).
25
___________________________________________________________________
GAO Report to the Chairman, Committee on
Science, Space, and Technology,
House of Representatives
___________________________________________________________________
May 1990 COMPUTER SECURITY
Governmentwide Planning Process
Had Limited Impact
___________________________________________________________________
GAO/IMTEC-90-48
This U.S. General Accounting Office (GAO) report is 1 of 7
available over the Internet as part of a test to determine
whether there is sufficient interest within this community to
warrant making all GAO reports available over the Internet.
The file REPORTS at NIH lists the 7 reports.
So that we can keep a count of report recipients, and your
reaction, please send an E-Mail message to KH3@CU.NIH.GOV and
include, along with your E-Mail address, the following
information:
1) Your organization.
2) Your position/title and name (optional).
3) The title/report number of the above reports you have
retrieved electronically or ordered by mail or phone.
4) Whether you have ever obtained a GAO report before.
5) Whether you have copied a report onto another bulletin
board--if so, which report and bulletin board.
6) Other GAO report subjects you would be interested in.
GAO's reports cover a broad range of subjects such as
major weapons systems, energy, financial institutions,
and pollution control.
7) Any additional comments or suggestions.
Thank you for your time.
Sincerely,
Jack L. Brock, Jr.
Director,
Government Information and Financial
Management Issues
Information Management and Technology Division
B-238954
May 10, 1990
The Honorable Robert A. Roe
Chairman, Committee on Science,
Space, and Technology
House of Representatives
Dear Mr. Chairman:
This report responds to your June 5, 1989, request and
subsequent agreements with your office that we review the
governmentwide computer security planning and review process
required by the Computer Security Act of 1987. The act
required federal agencies to identify systems that contain
sensitive information and to develop plans to safeguard
them. As agreed, we assessed the (1) planning process in 10
civilian agencies as well as the extent to which they
implemented planned controls described in 22 selected plans
and (2) National Institute of Standards and Technology
(NIST)/National Security Agency (NSA) review of the plans.
This is the fifth in a series of reports on implementation
of the Computer Security Act that GAO has prepared for your
committee. Appendix I details the review's objectives,
scope, and methodology. Appendix II describes the systems
covered by the 22 plans we reviewed.
RESULTS IN BRIEF
----------------
The planning and review process implemented under the
Computer Security Act did little to strengthen computer
security governmentwide. Although agency officials believe
that the process heightened awareness of computer security,
they typically described the plans as merely "reporting
requirements" and of limited use in addressing agency-
specific problems.
Officials cited three problems relating to the design and
implementation of the planning process: (1) the plans
lacked adequate information to serve as management tools and
some agencies already had planning processes in place, (2)
managers had little time to prepare the plans, and (3) the
Office of Management and Budget (OMB) planning guidance was
sometimes unclear and misinterpreted by agency officials.
1
B-238954
Although a year has passed since the initial computer
security plans were completed, agencies have made little
progress in implementing planned controls. Agency officials
said that budget constraints and inadequate top management
support--in terms of resources and commitment--were key
reasons why controls had not been implemented.
Based on the results of the planning and review process,
OMB--in conjunction with NIST and NSA--issued draft security
planning guidance in January 1990. The draft guidance
focuses on agency security programs and calls for NIST, NSA,
and OMB to visit agencies to discuss their security programs
and problems, and provide advice and technical assistance.
We believe that efforts directed toward assisting agencies
in solving specific problems and drawing top management
attention to computer security issues have greater potential
for improving computer security governmentwide.
BACKGROUND
----------
The Computer Security Act of 1987 (P.L. 100-235) was passed
in response to concerns that the security of sensitive
information was not being adequately addressed in the
federal government.1 The act's intent was to improve the
security and privacy of sensitive information in federal
computer systems by establishing minimum security practices.
The act required agencies to (1) identify all developmental
and operational systems with sensitive information, (2)
develop and submit to NIST and NSA for advice and comment a
security and privacy plan for each system identified, and
(3) establish computer security training programs.
OMB Bulletin 88-16, developed with NIST and NSA assistance,
provides guidance on the computer security plans required by
the act. To be in compliance, approximately 60 civilian
agencies submitted almost 1,600 computer security plans to a
NIST/NSA review team in early 1989. Nearly all of these
plans followed, to some degree, the format and content
requested by the bulletin. The bulletin requested that the
following information be included in each plan:
1The act defines sensitive information as any unclassified
information that in the event of loss, misuse, or
unauthorized access or modification, could adversely affect
the national interest, conduct of a federal program, or the
privacy individuals are entitled to under the Privacy Act of
1974 (5 U.S.C. 552a).
2
B-238954
-- Basic system identification: agency, system name and
type, whether the plan combines systems, operational
status, system purpose, system environment, and point of
contact.
-- Information sensitivity: laws and regulations affecting
the system, protection requirements, and description of
sensitivity.
-- Security control status: reported as "in place,"
"planned," "in place and planned" (i.e., some aspects of
the control are operational and others are planned), or
"not applicable," and a brief description of and expected
operational dates for controls that are reported as
planned.2 (Appendix V lists the controls.)
Appendix III presents a composite security plan that we
developed for this report as an example of the civilian
plans we reviewed. It is representative of the content,
format, and common omissions of the plans.
PLANS HAD LIMITED IMPACT ON
---------------------------
AGENCY COMPUTER SECURITY PROGRAMS
---------------------------------
The goals of the planning process were commendable--to
strengthen computer security by helping agencies identify
and evaluate their security needs and controls for sensitive
systems. According to agency officials, the process yielded
some benefits, the one most frequently cited being increased
management awareness of computer security. Further, some
officials noted that the planning process provided a
framework for reviewing their systems' security controls.
However, problems relating to the design and implementation
of the planning process limited its impact on agency
security programs. Specifically, (1) the plans lacked
adequate information to serve as effective management tools,
(2) managers had little time to prepare the plans, and (3)
the OMB guidance was sometimes unclear and misinterpreted by
the agencies. Consequently, most agency officials viewed
the plans as reporting requirements, rather than as
management tools.
2In this report, we are using the term "planned controls" to
include controls that agencies listed as "planned" or "in
place and planned" in their January 1989 plans. Both
categories indicated that the controls were not fully in
place.
3
B-238954
Plans Lacked Adequate Information to
------------------------------------
Serve as Effective Management Tools
-----------------------------------
Although agency officials said that security planning is
essential to the effective management of sensitive systems,
the plans lacked important information that managers need in
order to plan, and to monitor and implement plans. The
plans did not include this information, in part, because
they were designed not only to help agencies plan, but also
to facilitate NIST/NSA's review of the plans and to minimize
the risks of unauthorized disclosure of vulnerabilities.
For example:
-- Many plans provided minimal descriptions (a sentence or
nothing at all) of system sensitivity and planned
security controls. Detailed descriptions would have
made the plans more useful in setting priorities for
implementing planned controls.
-- The plans did not assign responsibility for each planned
control. It was not clear, therefore, who was
accountable for implementing the control (e.g., who would
be performing a risk assessment).
-- The plans did not include resource estimates needed to
budget for planned actions.
-- The plans generally did not refer to computer security-
related internal control weaknesses, although such
information can be important in developing plans.
Finally, officials from about one-third of the agencies said
that they already had more comprehensive planning processes
to help them identify and evaluate their security needs. As
a result, the governmentwide process was largely superfluous
for these agencies. Officials at such agencies said that
their plans, which included information such as detailed
descriptions of security controls, already met the
objectives of the governmentwide planning process. Many
officials said that what they needed was assistance in areas
such as network security.
Managers Had Little
-------------------
Time to Prepare the Plans
-------------------------
Officials had little time to adequately consider their
security needs and prepare plans, further limiting the
usefulness of the plans. OMB Bulletin 88-16 was issued July
6, 1988, 27 weeks before the plans were due to the NIST/NSA
4
B-238954
review team, as required by the Computer Security Act.
However, less than 14 weeks was left after most agencies
issued guidance on responding to the OMB request. Within
the remaining time, instructions were sent to the component
agencies and from there to the managers responsible for
preparing the plans, meetings were held to discuss the
plans, managers prepared the plans, and the plans were
reviewed by component agencies and returned to the agencies
for review. As a result, some managers had only a few days
to prepare plans.
Guidance Was Sometimes Unclear
------------------------------
and Misinterpreted by Agencies
------------------------------
Many agency officials misinterpreted or found the guidance
unclear as to how systems were to be combined in the plans,
the definition of some key terms (e.g., "in place"), the
level of expected detail, and the need to address
telecommunications. For example, some plans combined many
different types of systems--such as microcomputers and
mainframes--having diverse functions and security needs,
although the guidance specified that only similar systems
could be combined. When dissimilar systems were combined,
the plan's usefulness as a management tool was limited.
Further, for plans that combined systems, some agencies
reported that a security control was in place for the entire
plan, although it was actually in place for only a few
systems. Agency officials stated that they combined systems
in accordance with their understanding of the OMB guidance
and NIST/NSA verbal instructions.
In addition, officials were confused about how much detail
to include in the plans and whether to address
telecommunications issues (e.g., network security). For
example, they said that although the guidance asked for
brief descriptions of systems and information sensitivity,
NIST/NSA reviewers frequently commented that plans lacked
adequate descriptions. NIST officials said they expected
that the plans would be more detailed and discuss the
vulnerabilities inherent in networks. They said, in
retrospect, that it would have been helpful if the guidance
had provided examples and clarified the level of expected
detail.
AGENCIES HAVE NOT IMPLEMENTED
-----------------------------
MOST PLANNED SECURITY CONTROLS
------------------------------
Although a year has passed since the initial computer
security plans were completed, agencies have made little
5
B-238954
progress in implementing planned controls.3 The 22 plans we
reviewed contained 145 planned security controls. According
to agency officials, as of January 1990, only 38 percent of
the 145 planned controls had been implemented.
Table 1 shows the number and percentage of planned security
controls that had been implemented as of January 1990.
Table 1: Implementation of Security Controls in 22 Plans
Percent
Security control Planned Implemented implemented
---------------- ------- ----------- -----------
Assignment of security
responsibility 7 7 100
Audit and variance
detection 7 7 100
Confidentiality
controls 3 3 100
User identification
and authentication 2 2 100
Personnel selection
and screening 7 6 86
Security measures for
support systems 9 5 56
Security awareness and
training measures 20 12 60
Authorization/access
controls 4 2 50
Contingency plans 11 5 45
Data integrity and
validation controls 8 2 25
Audit trails and
maintaining
journals 12 2 17
3Only 4 percent of the security controls had implementation
dates beyond January 1990.
6
B-238954
Production, input/
output controls 8 1 13
Risk/sensitivity
assessment 11 1 9
Security specifications 10 0 0
Design review and
testing 11 0 0
Certification/
accreditation 14 0 0
Software controls 1 0 0
Total 145 55 -
According to many agency officials, budget constraints and
lack of adequate top management support--in terms of
resources and commitment--were key reasons why security
controls had not yet been implemented.
Although some officials stated that the planning process has
raised management awareness of computer security issues,
this awareness has, for the most part, apparently not yet
resulted in increased resources for computer security
programs. A number of officials said that security has been
traditionally viewed as overhead and as a target for budget
cuts. Some officials noted that requests for funding of
contingency planning, full-time security officers, and
training for security personnel and managers have a low
approval rate.
NIST/NSA REVIEW FEEDBACK WAS GENERAL
------------------------------------
AND OF LIMITED USE TO AGENCIES
------------------------------
Agency officials said that the NIST/NSA review comments and
recommendations on their plans were general and of limited
use in addressing specific problems. However, because the
plans were designed to be brief and minimize the risks of
unauthorized disclosure, they had little detailed
information for NIST and NSA to review. Thus, the NIST/NSA
review team focused their comments on (1) the plans'
conformity with the OMB planning guidance and (2)
governmentwide guidance (e.g., NIST Federal Information
Processing Standards publications) relating to planned
security controls. (Appendix IV provides an example of
typical NIST/NSA review comments and recommendations.)
7
B-238954
Despite the limited agency use of the feedback, NIST
officials said that the information in the plans will be
useful to NIST in identifying broad security weaknesses and
needs. During the review process, the NIST/NSA review team
developed a data base that included the status of security
controls for almost 1,600 civilian plans. NIST intends to
use statistics from the data base to support an upcoming
report on observations and lessons learned from the planning
and review process. Noting that the data have limitations--
for example, varying agency interpretations of "in place"--
NIST officials said that areas showing the greatest
percentage of planned controls indicated areas where more
governmentwide guidance might be needed. Appendix V shows
the status of security controls in the civilian plans,
according to our analysis of the NIST/NSA data base.4
REVISED GUIDANCE PROVIDES
-------------------------
FOR AGENCY ASSISTANCE
---------------------
The 1990 draft OMB security planning guidance calls for
NIST, NSA, and OMB to provide advice and technical
assistance on computer security issues to federal agencies
as needed. Under the guidance, NIST, NSA, and OMB would
visit agencies and discuss (1) their computer security
programs, (2) the extent to which the agencies have
identified their sensitive computer systems, (3) the quality
of their security plans, and (4) their unresolved internal
control weaknesses. NIST officials said that the number of
agencies visited in fiscal year 1991 will depend on that
year's funding for NIST's Computer Security Division, which
will lead NIST's effort, and the number of staff provided by
NSA.
In addition, under the 1990 draft guidance, agencies would
develop plans for sensitive systems that are new or
significantly changed, did not have a plan for 1989, or had
1989 plans for which NIST and NSA could not provide comments
because of insufficient information. Agencies would be
required to review their component agency plans and provide
independent advice and comment.
CONCLUSIONS
-----------
The government faces new levels of risk in information
security because of increased use of networks and computer
4NIST and NSA deleted agency and system names from the data
base provided to us.
8
B-238954
literacy and greater dependence on information technology
overall. As a result, effective computer security programs
are more critical than ever in safeguarding the systems that
provide essential government services.
The planning and feedback process was an effort to
strengthen computer security by helping agencies identify
and assess their sensitive system security needs, plans, and
controls. However, the plans created under the process were
viewed primarily as reporting requirements, and although the
process may have elevated management awareness of computer
security, as yet it has done little to strengthen agency
computer security programs.
OMB's draft planning security guidance creates the potential
for more meaningful improvements by going beyond planning
and attempting to address broader agency-specific security
problems. However, although NIST, NSA, and OMB assistance
can provide an impetus for change, their efforts must be
matched by agency management commitment and actions to make
needed improvements. Ultimately, it is the agencies'
responsibility to ensure that the information they use and
maintain is adequately safeguarded and that appropriate
security measures are in place and tested. Agency
management of security is an issue we plan to address in our
ongoing review of this important area.
--- --- ---
As requested, we did not obtain written agency comments on
this report. We did, however, discuss its contents with
NIST, OMB, and NSA officials and have included their
comments where appropriate. We conducted our review between
July 1989 and March 1990, in accordance with generally
accepted government auditing standards.
As arranged with your office, unless you publicly release
the contents of this report earlier, we plan no further
distribution until 30 days after the date of this letter.
At that time we will send copies to the appropriate House
and Senate committees, major federal agencies, OMB, NIST,
NSA, and other interested parties. We will also make copies
available to others on request.
This report was prepared under the direction of Jack L.
Brock, Jr., Director, Government Information and Financial
Management, who can be reached at (202) 275-3195. Other
major contributors are listed in appendix VI.
9
B-238954
Sincerely yours,
Ralph V. Carlone
Assistant Comptroller General
10
B-238954
CONTENTS Page
--------- ----
LETTER 1
APPENDIX
I Objectives, Scope, and Methodology 12
II Plans GAO Reviewed 14
III Computer Security and Privacy Plan 16
IV NIST/NSA Feedback on Computer Security Plans 21
V Status of Security Controls in 1,542 Plans 22
VI Major Contributors to This Report 24
Related GAO Products 25
TABLE
1 Implementation of Security Controls in 22 6
Plans
ABBREVIATIONS
-------------
GAO General Accounting Office
IMTEC Information Management and Technology Division
NIST National Institute of Standards and Technology
NSA National Security Agency
OMB Office of Management and Budget
11
APPENDIX I APPENDIX I
OBJECTIVES, SCOPE, AND METHODOLOGY
----------------------------------
In response to a June 5, 1989, request of the Chairman,
House Committee on Science, Space, and Technology, and
subsequent agreements with his office, we assessed the
impact of the computer security planning and review process
required by the Computer Security Act of 1987.
As agreed, we limited our review primarily to 10 civilian
agencies in the Washington, D.C. area: the Departments of
Agriculture, Commerce, Energy, Health and Human Services,
the Interior, Labor, Transportation, the Treasury, and
Veterans Affairs and the General Services Administration.
As agreed, the Department of Defense was excluded from our
review because the plans it submitted differed
substantially in format and content from the civilian plans.
Specifically, we
--assessed the computer security planning process and
NIST/NSA review comments on the security plans developed as
a result of the process,
--determined the extent to which the 10 agencies implemented
planned control measures reported in 22 selected plans, and
--developed summary statistics using a NIST/NSA data base
covering over 1,500 civilian computer security plans.
To assess the impact of the planning and review process on
agencies' security programs, we interviewed information
resource management, computer security, and other officials
from the 10 agencies listed above. In addition, we
interviewed officials from NIST, NSA, and OMB who were
involved in the planning process, to gain their perspectives
on the benefits and problems associated with the process.
We analyzed 22 computer security plans developed by the 10
agencies and the NIST/NSA review feedback relating to the
plans. Most plans addressed groups of systems. (See app.
II for a description of the systems.) We selected the
systems primarily on the basis of their sensitivity,
significance, and prior GAO, President's Council on
Integrity and Efficiency, and OMB reviews. We also reviewed
federal computer security planning and review guidance,
department requests for agency component plans, and
department and agency computer security policies.
12
APPENDIX I APPENDIX I
To determine the extent to which planned computer security
controls have been implemented, we reviewed the 22 plans and
discussed with agency officials the status of these
controls. To develop security plan statistics, we used the
NIST/NSA data base, which contains data on the status of
controls for over 1,500 plans. We did not verify the status
of the planned controls as reported to us by agency
officials, the accuracy of the plans, or the data in the
NIST/NSA data base.
13
APPENDIX II APPENDIX II
PLANS GAO REVIEWED
------------------
Organization Plan
------------ ----
Farmers Home Administration Automated Field Management
System
Accounting Systems
Patent and Trademark Office Patent and Trademark
Automation Systems
Social Security Administration Benefit Payment System
Social Security Number
Assignment System
Earnings Maintenance System
Access Control Event
Processor System
Bureau of Labor Statistics Economic Statistics System
Employment Standards Federal Employees'
Administration Compensation System
Level I
U.S. Geological Survey National Digital
Cartographic Data Base
National Earthquake
Information Service
Federal Aviation Administration En Route and Terminal Air
Traffic Control System
Maintenance and Operations
Support Systems
Interfacility
Communications System
Ground-to-Air Systems
Weather and Flight
Services Systems
14
APPENDIX II APPENDIX II
Organization Plan
------------ ----
Internal Revenue Service Compliance Processing
System
Tax Processing System
Customs Service Automated Commercial
System
Veterans Affairs Austin Data Mainframe Equipment
Processing Center Configuration
General Services Administration FSS-19 Federal Supply
System
Department of Energy Strategic Mainframe Computer and PC
Petroleum Reserve Project Sensitive Systems
Management Office
Note: Summary information describing each of the above
systems has been omitted from this version of the report.
Call GAO report distribution at 202-275-6241 to obtain a
complete copy of this report.
15
APPENDIX III APPENDIX III
COMPUTER SECURITY AND PRIVACY PLAN
----------------------------------
We developed this composite security plan to show what most
civilian plans contained, their format, and some common omissions.
Notes in parentheses show common deviations from the OMB guidance.
Computer Security and Privacy Plan
1. BASIC SYSTEM IDENTIFICATION
Reporting Department or Agency - Department of X
Organizational Subcomponent - Subagency Y
Operating Organization - Organization Z
System Name/Title - Automated Report Management System (ARMS)
System Category
[X] Major Application
[ ] General-Purpose ADP Support System
Level of Aggregation
[X] Single Identifiable System
[ ] Group of Similar Systems
Operational Status
[X] Operational
[ ] Under Development
General Description/Purpose - The primary purpose of ARMS is
to retrieve, create, process, store, and distribute data.
(Note: The description and purpose is incomplete. OMB
Bulletin 88-16 required a one or two paragraph description of
the function and purpose of the system.)
System Environment and Special Considerations - System is
controlled by a ABC series computer which is stored in the
computer room. (Note: The environment is not adequately
described. OMB Bulletin 88-16 requested a description of
system location, types of computer hardware and software
involved, types of users served, and other special
considerations.)
Information Contact - Security Officer, J. Doe, 202/275-xxxx
16
APPENDIX III APPENDIX III
2. SENSITIVITY OF INFORMATION
General Description of Information Sensitivity
The data ARMS maintains and uses are those required to provide
a total management information function. (Note: This
description is inadequate. OMB Bulletin 88-16 requested that
the plans describe, in general terms, the nature of the system
and the need for protective measures.)
Applicable Laws or Regulations Affecting the System
5 U.S.C. 552a, "Privacy Act," c. 1974.
System Protection Requirements
The Protection Requirement is:
Primary Secondary Minimal/NA
[X] Confidentiality [X] [ ] [ ]
[X] Integrity [X] [ ] [ ]
[X] Availability [ ] [X] [ ]
3. SYSTEM SECURITY MEASURES
Risk Assessment - There currently exists no formal large scale
risk assessment covering ARMS. We are scheduling a formal
risk analysis.
Applicable Guidance - FIPS PUBS No. 41, Computer Security
Guidelines for Implementing the Privacy Act of 1974;
FIPS PUB No. 83, Guidelines on User Authentication Techniques
for Computer Network Access Control.
17
APPENDIX III APPENDIX III
SECURITY MEASURES
-----------------
MANAGEMENT CONTROLS
In Place
In Place Planned & Planned N/A
-------- ------- --------- ---
Assignment of Security
Responsibility [X] [ ] [ ] [ ]
Risk/Sensitivity
Assessment [ ] [ ] [X] [ ]
A formal risk analysis program will be used to update the
current assessment. (Note: An expected operational date is
not included. OMB Bulletin 88-16 states that there should be
expected operational dates for controls that are planned or
in place and planned.)
Personnel Selection
Screening [ ] [ ] [X] [ ]
National Agency Check Inquiries (NACI) are required for all
employees but have not been completed for everyone having
access to sensitive information. Expected operational date -
October 1989.
DEVELOPMENT CONTROLS
In Place
In Place Planned & Planned N/A
-------- ------- --------- ---
Security
Specifications [X] [ ] [ ] [ ]
Design Review
& Testing [ ] [ ] [ ] [X]
Certification/
Accreditation [ ] [X] [ ] [ ]
(Note: No information is given for certification/
accreditation. OMB Bulletin 88-16 states that a general
description of the planned measures and expected operational
dates should be provided.)
18
APPENDIX III APPENDIX III
OPERATIONAL CONTROLS
In Place
In Place Planned & Planned N/A
-------- ------- --------- ---
Production, I/O Controls [X] [ ] [ ] [ ]
Contingency Planning [ ] [X] [ ] [ ]
A contingency plan is being developed in compliance with
requirements established by the agency's security program.
Completion date - November 1990.
Audit and Variance
Detection [ ] [ ] [X] [ ]
Day-to-day procedures are being developed for variance
detection. Audit reviews are also being developed and will be
conducted on a monthly basis. Completion date - June 1989.
Software Maintenance
Controls [X] [ ] [ ] [ ]
Documentation [X] [ ] [ ] [ ]
SECURITY AWARENESS AND TRAINING
In Place
In Place Planned & Planned N/A
-------- ------- --------- ---
Security Awareness and
Training Measures [ ] [ ] [X] [ ]
Training for management and users in information and
application security will be strengthened, and security
awareness training provided for all new employees beginning in
June 1989.
19
APPENDIX III APPENDIX III
TECHNICAL CONTROLS
                                                              In Place
                                           In Place  Planned  & Planned  N/A
                                           --------  -------  ---------  ---
User Identification and Authentication       [X]       [ ]       [ ]     [ ]
Authorization/Access Controls                [X]       [ ]       [ ]     [ ]
Data Integrity & Validation Controls         [X]       [ ]       [ ]     [ ]
Audit Trails & Journaling                    [X]       [ ]       [ ]     [ ]
SUPPORT SYSTEM SECURITY MEASURES
                                                              In Place
                                           In Place  Planned  & Planned  N/A
                                           --------  -------  ---------  ---
Security Measures for Support Systems        [X]       [ ]       [ ]     [ ]
4. NEEDS AND ADDITIONAL COMMENTS
(Note: This section was left blank in most plans. OMB
Bulletin 88-16 stated that the purpose of this section was to
give agency planners the opportunity to include comments
concerning needs for additional guidance, standards, or other
tools to improve system protection.)
APPENDIX IV APPENDIX IV
NIST/NSA FEEDBACK ON COMPUTER SECURITY PLANS
--------------------------------------------
The following example shows typical NIST/NSA comments and
recommendations.
COMPUTER SECURITY PLAN REVIEW PROJECT COMMENTS AND RECOMMENDATIONS
REF. NO. 0001
AGENCY NAME: Department of X
Subagency Y
SYSTEM NAME: Automated Report Management System
The brevity of information in the information sensitivity, general
system description, and the system environment sections made it
difficult to understand the security needs of the system.
Information on the physical, operational, and technical environment
and the nature of the sensitivity is essential to understanding the
security needs of the system.
For some controls, such as security training and awareness,
expected operational dates are not indicated as required by OMB
Bulletin 88-16.
The plan refers to the development control, design review and
testing, as not applicable. Even in an operational system,
development controls should be addressed as historical security
measures and as ongoing measures for changing hardware and
software.
The plan notes that a more formal risk assessment is being planned.
This effort should help your organization more effectively manage
risks and security resources. National Institute of Standards and
Technology Federal Information Processing Standards Publication 65,
"Guideline for Automatic Data Processing Risk Analysis," and 73,
"Guideline for the Security of Computer Applications" may be of
help in this area.
APPENDIX V APPENDIX V
STATUS OF SECURITY CONTROLS IN 1,542 PLANS
------------------------------------------
                                               Plan          In place   Planned &  Planned
Security controls                              responses(a)  (percent)  in place   (percent)
                                                                        (percent)
-----------------                              ------------  ---------  ---------  ---------
Management controls
  Assignment of security responsibility               1,448         91          5          4
  Personnel selection and screening                   1,268         84         11          5
  Risk analysis and sensitivity assessment            1,321         71         13         17
Development controls
  Design review and testing                             728         82         10          8
  Certification and accreditation                       948         66         10         24
  Security and acquisition specifications             1,093         83         10          7
Operational controls
  Audit and variance detection                        1,177         81          7         12
  Documentation                                       1,375         83         10          8
  Emergency, backup, and contingency planning         1,381         69         14         17
  Physical and environmental protection                 450         87         10          4
  Production and input/output controls                1,290         87          7          7
  Software maintenance controls                       1,327         87          7          7
  Security training and awareness measures            1,408         58         27         15
Technical controls
  Authorization/access controls                       1,389         87          6          7
  Confidentiality controls                              357         84          7          9
  Audit trail mechanisms                              1,194         83          8          9
  Integrity controls                                  1,220         85          8          7
  User identification and authentication              1,370         87          7          6
Weighted average                                         --         81         10         10
Note: The status of security controls is based on information reported
in 1,542 civilian plans in early 1989 and contained in the NIST/NSA data
base. Missing and not applicable answers were not included in the
percentages. Some percentages do not add up to 100 due to rounding.
(a) "Plan responses" is the number of plans, out of 1,542, that addressed
each control.
APPENDIX VI APPENDIX VI
MAJOR CONTRIBUTORS TO THIS REPORT
---------------------------------
INFORMATION MANAGEMENT AND TECHNOLOGY DIVISION, WASHINGTON, D.C.
----------------------------------------------------------------
Linda D. Koontz, Assistant Director
Jerilynn B. Hoy, Assignment Manager
Beverly A. Peterson, Evaluator-in-Charge
Barbarol J. James, Evaluator
(510465)
RELATED GAO PRODUCTS
--------------------
Computer Security: Identification of Sensitive Systems Operated on
Behalf of Ten Agencies (GAO/IMTEC-89-70, Sept. 27, 1989).
Computer Security: Compliance With Security Plan Requirements of the
Computer Security Act (GAO/IMTEC-89-55, June 21, 1989).
Computer Security: Compliance With Training Requirements of the
Computer Security Act of 1987 (GAO/IMTEC-89-16BR, Feb. 22, 1989).
Computer Security: Status of Compliance With the Computer Security Act
of 1987 (GAO/IMTEC-88-61BR, Sept. 22, 1988).