different types of systems--such as microcomputers and                 mainframes--having diverse functions and security needs,                 although the guidance specified that only similar systems                 could be combined.  When dissimilar systems were combined,                 the plan's usefulness as a management tool was limited.                 Further, for plans that combined systems, some agencies                 reported that a security control was in place for the entire                 plan, although it was actually in place for only a few                 systems.  Agency officials stated that they combined systems                 in accordance with their understanding of the OMB guidance                 and NIST/NSA verbal instructions.                 In addition, officials were confused about how much detail                 to include in the plans and whether to address                 telecommunications issues (e.g., network security).  For                 example, they said that although the guidance asked for                 brief descriptions of systems and information sensitivity,                 NIST/NSA reviewers frequently commented that plans lacked                 adequate descriptions.  NIST officials said they expected                 that the plans would be more detailed and discuss the                 vulnerabilities inherent in networks.  They said, in                 retrospect, that it would have been helpful if the guidance                 had provided examples and clarified the level of expected                 detail.                 AGENCIES HAVE NOT IMPLEMENTED                 -----------------------------                 MOST PLANNED SECURITY CONTROLS                 ------------------------------                 Although a year has passed since the initial computer                 security plans were completed, agencies have made little                                          5                 B-238954                 progress in implementing planned controls.3  The 22 plans we                 reviewed contained 145 planned security controls.  According                 to agency officials, as of January 1990, only 38 percent of                 the 145 planned controls had been implemented.                 Table 1 shows the number and percentage of planned security                 controls that had been implemented as of January 1990.          Table 1:  Implementation of Security Controls in 22 Plans                                                                    Percent          Security control           Planned        Implemented     implemented          ----------------           -------        -----------     -----------          Assignment of security          responsibility              7              7               100          Audit and variance          detection                   7              7               100          Confidentiality          controls                    3              3               100          User identification          and authentication          2              2               100          Personnel selection          and screening               7              6                86          Security measures for          support systems             9              5                56          Security awareness and          training measures          20             12                60          Authorization/access          controls                    4              2                50          Contingency plans          11              5                45          Data integrity and          validation controls         8              2                25          Audit trails and          maintaining          journals                   12              2                17                3Only 4 percent of the security controls had implementation                 dates beyond January 1990.                                          6                 B-238954          Production, input/          output controls             8              1                13          Risk/sensitivity          assessment                 11              1                 9          Security specifications    10              0                 0          Design review and          testing                    11              0                 0          Certification/          accreditation              14              0                 0          Software controls           1              0                 0          Total                     145             55                 -                 According to many agency officials, budget constraints and                 lack of adequate top management support--in terms of                 resources and commitment--were key reasons why security                 controls had not yet been implemented.                 Although some officials stated that the planning process has                 raised management awareness of computer security issues,                 this awareness has, for the most part, apparently not yet                 resulted in increased resources for computer security                 programs.  A number of officials said that security has been                 traditionally viewed as overhead and as a target for budget                 cuts.  Some officials noted that requests for funding of                 contingency planning, full-time security officers, and                 training for security personnel and managers have a low                 approval rate.                 NIST/NSA REVIEW FEEDBACK WAS GENERAL                 ------------------------------------                 AND OF LIMITED USE TO AGENCIES                 ------------------------------                 Agency officials said that the NIST/NSA review comments and                 recommendations on their plans were general and of limited                 use in addressing specific problems.  However, because the                 plans were designed to be brief and minimize the risks of                 unauthorized disclosure, they had little detailed                 information for NIST and NSA to review.  Thus, the NIST/NSA                 review team focused their comments on (1) the plans'                 conformity with the OMB planning guidance and (2)                 governmentwide guidance (e.g., NIST Federal Information                 Processing Standards publications) relating to planned                 security controls.  (Appendix IV provides an example of                 typical NIST/NSA review comments and recommendations.)                                          7                 B-238954                 Despite the limited agency use of the feedback, NIST                 officials said that the information in the plans will be                 useful to NIST in identifying broad security weaknesses and                 needs.  During the review process, the NIST/NSA review team                 developed a data base that included the status of security                 controls for almost 1,600 civilian plans.  NIST intends to                 use statistics from the data base to support an upcoming                 report on observations and lessons learned from the planning                 and review process.  Noting that the data have limitations--                 for example, varying agency interpretations of "in place"--                 NIST officials said that areas showing the greatest                 percentage of planned controls indicated areas where more                 governmentwide guidance might be needed.  Appendix V shows                 the status of security controls in the civilian plans,                 according to our analysis of the NIST/NSA data base.4                 REVISED GUIDANCE PROVIDES                 -------------------------                 FOR AGENCY ASSISTANCE                 ---------------------                 The 1990 draft OMB security planning guidance calls for                 NIST, NSA, and OMB to provide advice and technical                 assistance on computer security issues to federal agencies                 as needed.  Under the guidance, NIST, NSA, and OMB would                 visit agencies and discuss (1) their computer security                 programs, (2) the extent to which the agencies have                 identified their sensitive computer systems, (3) the quality                 of their security plans, and (4) their unresolved internal                 control weaknesses.  NIST officials said that the number of                 agencies visited in fiscal year 1991 will depend on that                 year's funding for NIST's Computer Security Division, which                 will lead NIST's effort, and the number of staff provided by                 NSA.                 In addition, under the 1990 draft guidance, agencies would                 develop plans for sensitive systems that are new or                 significantly changed, did not have a plan for 1989, or had                 1989 plans for which NIST and NSA could not provide comments                 because of insufficient information.  Agencies would be                 required to review their component agency plans and provide                 independent advice and comment.                 CONCLUSIONS                 -----------                 The government faces new levels of risk in information                 security because of increased use of networks and computer                4NIST and NSA deleted agency and system names from the data                 base provided to us.                                          8                 B-238954                 literacy and greater dependence on information technology                 overall.  As a result, effective computer security programs                 are more critical than ever in safeguarding the systems that                 provide essential government services.                 The planning and feedback process was an effort to                 strengthen computer security by helping agencies identify                 and assess their sensitive system security needs, plans, and                 controls.  However, the plans created under the process were                 viewed primarily as reporting requirements, and although the                 process may have elevated management awareness of computer                 security, as yet it has done little to strengthen agency                 computer security programs.                 OMB's draft planning security guidance creates the potential                 for more meaningful improvements by going beyond planning                 and attempting to address broader agency-specific security                 problems.  However, although NIST, NSA, and OMB assistance                 can provide an impetus for change, their efforts must be                 matched by agency management commitment and actions to make                 needed improvements.  Ultimately, it is the agencies'                 responsibility to ensure that the information they use and                 maintain is adequately safeguarded and that appropriate                 security measures are in place and tested.  Agency                 management of security is an issue we plan to address in our                 ongoing review of this important area.                                        ---  --- ---                 As requested, we did not obtain written agency comments on                 this report.  We did, however, discuss its contents with                 NIST, OMB, and NSA officials and have included their                 comments where appropriate.  We conducted our review between                 July 1989 and March 1990, in accordance with generally                 accepted government auditing standards.                 As arranged with your office, unless you publicly release                 the contents of this report earlier, we plan no further                 distribution until 30 days after the date of this letter.                 At that time we will send copies to the appropriate House                 and Senate committees, major federal agencies, OMB, NIST,                 NSA, and other interested parties.  We will also make copies                 available to others on request.                 This report was prepared under the direction of Jack L.                 Brock, Jr., Director, Government Information and Financial                 Management, who can be reached at (202) 275-3195.  Other                 major contributors are listed in appendix VI.                                          9                 B-238954                 Sincerely yours,                 Ralph V. Carlone                 Assistant Comptroller General                                         10                 B-238954                                          CONTENTS                     Page                                          ---------                    ----                 LETTER                                                  1                 APPENDIX                    I     Objectives, Scope, and Methodology             12                    II    Plans GAO Reviewed                             14                    III   Computer Security and Privacy Plan             16                    IV    NIST/NSA Feedback on Computer Security Plans   21                    V     Status of Security Controls in 1,542 Plans     22                    VI    Major Contributors to This Report              24                 Related GAO Products                                    25                 TABLE                    1     Implementation of Security Controls in 22       6                          Plans                                        ABBREVIATIONS                                        -------------