United States General Accounting Office          ___________________________________________________________________          GAO                         Report to the Chairman, Committee on                                      Science, Space, and Technology,                                      House of Representatives          ___________________________________________________________________          May 1990                    COMPUTER SECURITY                                      Governmentwide Planning Process                                      Had Limited Impact          ___________________________________________________________________          GAO/IMTEC-90-48         This U.S. General Accounting Office (GAO) report is 1 of 7         available over the Internet as part of a test to determine         whether there is sufficient interest within this community to         warrant making all GAO reports available over the Internet.         The file REPORTS at NIH lists the 7 reports.         So that we can keep a count of report recipients, and your         reaction, please send an E-Mail message to KH3@CU.NIH.GOV and         include, along with your E-Mail address, the following         information:              1)   Your organization.              2)   Your position/title and name (optional).              3)   The title/report number of the above reports you have                   retrieved electronically or ordered by mail or phone.              4)   Whether you have ever obtained a GAO report before.              5)   Whether you have copied a report onto another bulletin                   board--if so, which report and bulletin board.              6)   Other GAO report subjects you would be interested in.                   GAO's reports cover a broad range of subjects such as                   major weapons systems, energy, financial institutions,                   and pollution control.              7)   Any additional comments or suggestions.         Thank you for your time.         Sincerely,         Jack L. Brock, Jr.         Director,         Government Information and Financial         Management Issues         Information Management and Technology Division                 B-238954                 May 10, 1990                 The Honorable Robert A. Roe                 Chairman, Committee on Science,                   Space, and Technology                 House of Representatives                 Dear Mr. Chairman:                 This report responds to your June 5, 1989, request and                 subsequent agreements with your office that we review the                 governmentwide computer security planning and review process                 required by the Computer Security Act of 1987.  The act                 required federal agencies to identify systems that contain                 sensitive information and to develop plans to safeguard                 them.  As agreed, we assessed the (1) planning process in 10                 civilian agencies as well as the extent to which they                 implemented planned controls described in 22 selected plans                 and (2) National Institute of Standards and Technology                 (NIST)/National Security Agency (NSA) review of the plans.                 This is the fifth in a series of reports on implementation                 of the Computer Security Act that GAO has prepared for your                 committee.  Appendix I details the review's objectives,                 scope, and methodology.  Appendix II describes the systems                 covered by the 22 plans we reviewed.                 RESULTS IN BRIEF                 ----------------                 The planning and review process implemented under the                 Computer Security Act did little to strengthen computer                 security governmentwide.  Although agency officials believe                 that the process heightened awareness of computer security,                 they typically described the plans as merely "reporting                 requirements" and of limited use in addressing agency-                 specific problems.                 Officials cited three problems relating to the design and                 implementation of the planning process:  (1) the plans                 lacked adequate information to serve as management tools and                 some agencies already had planning processes in place, (2)                 managers had little time to prepare the plans, and (3) the                 Office of Management and Budget (OMB) planning guidance was                 sometimes unclear and misinterpreted by agency officials.                                          1                 B-238954                 Although a year has passed since the initial computer                 security plans were completed, agencies have made little                 progress in implementing planned controls.  Agency officials                 said that budget constraints and inadequate top management                 support--in terms of resources and commitment--were key                 reasons why controls had not been implemented.                 Based on the results of the planning and review process,                 OMB--in conjunction with NIST and NSA--issued draft security                 planning guidance in January 1990.  The draft guidance                 focuses on agency security programs and calls for NIST, NSA,                 and OMB to visit agencies to discuss their security programs                 and problems, and provide advice and technical assistance.                 We believe that efforts directed toward assisting agencies                 in solving specific problems and drawing top management                 attention to computer security issues have greater potential                 for improving computer security governmentwide.                 BACKGROUND                 ----------                 The Computer Security Act of 1987 (P.L. 100-235) was passed                 in response to concerns that the security of sensitive                 information was not being adequately addressed in the                 federal government.1  The act's intent was to improve the                 security and privacy of sensitive information in federal                 computer systems by establishing minimum security practices.                 The act required agencies to (1) identify all developmental                 and operational systems with sensitive information, (2)                 develop and submit to NIST and NSA for advice and comment a                 security and privacy plan for each system identified, and                 (3) establish computer security training programs.                 OMB Bulletin 88-16, developed with NIST and NSA assistance,                 provides guidance on the computer security plans required by                 the act.  To be in compliance, approximately 60 civilian                 agencies submitted almost 1,600 computer security plans to a                 NIST/NSA review team in early 1989.  Nearly all of these                 plans followed, to some degree, the format and content                 requested by the bulletin.  The bulletin requested that the                 following information be included in each plan:                1The act defines sensitive information as any unclassified                 information that in the event of loss, misuse, or                 unauthorized access or modification, could adversely affect                 the national interest, conduct of a federal program, or the                 privacy individuals are entitled to under the Privacy Act of                 1974 (5 U.S.C. 552a).                                          2                 B-238954                 -- Basic system identification:  agency, system name and                    type, whether the plan combines systems, operational                    status, system purpose, system environment, and point of                    contact.                 -- Information sensitivity:  laws and regulations affecting                    the system, protection requirements, and description of                    sensitivity.                 -- Security control status:  reported as "in place,"                    "planned," "in place and planned" (i.e., some aspects of                    the control are operational and others are planned), or                    "not applicable," and a brief description of and expected                    operational dates for controls that are reported as                    planned.2  (Appendix V lists the controls.)                 Appendix III presents a composite security plan that we                 developed for this report as an example of the civilian                 plans we reviewed.  It is representative of the content,                 format, and common omissions of the plans.                 PLANS HAD LIMITED IMPACT ON                 ---------------------------                 AGENCY COMPUTER SECURITY PROGRAMS                 ---------------------------------                 The goals of the planning process were commendable--to                 strengthen computer security by helping agencies identify                 and evaluate their security needs and controls for sensitive                 systems.  According to agency officials, the process yielded                 some benefits, the one most frequently cited being increased                 management awareness of computer security.  Further, some                 officials noted that the planning process provided a                 framework for reviewing their systems' security controls.                 However, problems relating to the design and implementation                 of the planning process limited its impact on agency                 security programs.  Specifically, (1) the plans lacked                 adequate information to serve as effective management tools,                 (2) managers had little time to prepare the plans, and (3)                 the OMB guidance was sometimes unclear and misinterpreted by                 the agencies.  Consequently, most agency officials viewed                 the plans as reporting requirements, rather than as                 management tools.                2In this report, we are using the term "planned controls" to                 include controls that agencies listed as "planned" or "in                 place and planned" in their January 1989 plans.  Both                 categories indicated that the controls were not fully in                 place.                                          3                 B-238954                 Plans Lacked Adequate Information to                 ------------------------------------                 Serve as Effective Management Tools                 -----------------------------------                 Although agency officials said that security planning is                 essential to the effective management of sensitive systems,                 the plans lacked important information that managers need in                 order to plan, and to monitor and implement plans.  The                 plans did not include this information, in part, because                 they were designed not only to help agencies plan, but also                 to facilitate NIST/NSA's review of the plans and to minimize                 the risks of unauthorized disclosure of vulnerabilities.                 For example:                 -- Many plans provided minimal descriptions (a sentence or                    nothing at all) of system sensitivity and planned                    security controls.  Detailed descriptions would have                    made the plans more useful in setting priorities for                    implementing planned controls.                 -- The plans did not assign responsibility for each planned                    control.  It was not clear, therefore, who was                    accountable for implementing the control (e.g., who would                    be performing a risk assessment).                 -- The plans did not include resource estimates needed to                    budget for planned actions.                 -- The plans generally did not refer to computer security-                    related internal control weaknesses, although such                    information can be important in developing plans.                 Finally, officials from about one-third of the agencies said                 that they already had more comprehensive planning processes                 to help them identify and evaluate their security needs.  As                 a result, the governmentwide process was largely superfluous                 for these agencies.  Officials at such agencies said that                 their plans, which included information such as detailed                 descriptions of security controls, already met the                 objectives of the governmentwide planning process.  Many                 officials said that what they needed was assistance in areas                 such as network security.                 Managers Had Little                 -------------------                 Time to Prepare the Plans                 -------------------------                 Officials had little time to adequately consider their                 security needs and prepare plans, further limiting the                 usefulness of the plans.  OMB Bulletin 88-16 was issued July                 6, 1988, 27 weeks before the plans were due to the NIST/NSA                                          4                 B-238954                 review team, as required by the Computer Security Act.                 However, less than 14 weeks was left after most agencies                 issued guidance on responding to the OMB request.  Within                 the remaining time, instructions were sent to the component                 agencies and from there to the managers responsible for                 preparing the plans, meetings were held to discuss the                 plans, managers prepared the plans, and the plans were                 reviewed by component agencies and returned to the agencies                 for review.  As a result, some managers had only a few days                 to prepare plans.                 Guidance Was Sometimes Unclear                 ------------------------------                 and Misinterpreted by Agencies                 ------------------------------                 Many agency officials misinterpreted or found the guidance                 unclear as to how systems were to be combined in the plans,                 the definition of some key terms (e.g., "in place"), the                 level of expected detail, and the need to address                 telecommunications.  For example, some plans combined many