National Agency Check Inquiries (NACI) are required for all               employees but have not been completed for everyone having               access to sensitive information.  Expected operational date -               October 1989.               DEVELOPMENT CONTROLS                                                            In Place                                     In Place    Planned    & Planned   N/A                                     --------    -------    ---------   ---               Security               Specifications            [X]         [ ]         [ ]      [ ]               Design Review               & Testing                 [ ]         [ ]         [ ]      [X]               Certification/               Accreditation             [ ]         [X]         [ ]      [ ]               (Note:  No information is given for certification/               accreditation.  OMB Bulletin 88-16 states that a general               description of the planned measures and expected operational               dates should be provided.)                                         18                 APPENDIX III                                    APPENDIX III               OPERATIONAL CONTROLS                                                             In Place                                      In Place    Planned    & Planned   N/A                                      --------    -------    ---------   ---               Production, I/O Controls  [X]         [ ]         [ ]      [ ]               Contingency Planning      [ ]         [X]         [ ]      [ ]               A contingency plan is being developed in compliance with               requirements established by the agency's security program.               Completion date - November 1990.               Audit and Variance               Detection                 [ ]         [ ]         [X]      [ ]               Day-to-day procedures are being developed for variance               detection.  Audit reviews are also being developed and will be               conducted on a monthly basis.  Completion date - June 1989.               Software Maintenance               Controls                  [X]         [ ]         [ ]      [ ]               Documentation             [X]         [ ]         [ ]      [ ]               SECURITY AWARENESS AND TRAINING                                                              In Place                                       In Place    Planned    & Planned   N/A                                       --------    -------    ---------   ---               Security Awareness and               Training Measures         [ ]         [ ]         [X]      [ ]               Training for management and users in information and               application security will be strengthened, and security               awareness training provided for all new employees beginning in               June 1989.                                         19                 APPENDIX III                                    APPENDIX III               TECHNICAL CONTROLS                                                              In Place                                       In Place    Planned    & Planned   N/A                                       --------    -------    ---------   ---               User Identification and               Authentication            [X]         [ ]         [ ]      [ ]               Authorization/Access               Controls                  [X]         [ ]         [ ]      [ ]               Data Integrity &               Validation Controls       [X]         [ ]         [ ]      [ ]               Audit Trails & Journaling [X]         [ ]         [ ]      [ ]               SUPPORT SYSTEM SECURITY MEASURES                                                              In Place                                       In Place    Planned    & Planned   N/A                                       --------    -------    ---------   ---               Security Measures for               Support Systems           [X]         [ ]         [ ]      [ ]          4.   NEEDS AND ADDITIONAL COMMENTS               (Note:  This section was left blank in most plans.  OMB               Bulletin 88-16 stated that the purpose of this section was to               give agency planners the opportunity to include comments               concerning needs for additional guidance, standards, or other               tools to improve system protection.)                                         20          APPENDIX IV                                             APPENDIX IV                     NIST/NSA FEEDBACK ON COMPUTER SECURITY PLANS                     --------------------------------------------          The following example shows typical NIST/NSA comments and          recommendations.          COMPUTER SECURITY PLAN REVIEW PROJECT COMMENTS AND RECOMMENDATIONS                                     REF. NO. 0001          AGENCY NAME:  Department of X                        Subagency Y          SYSTEM NAME:  Automated Report Management System          The brevity of information in the information sensitivity, general          system description, and the system environment sections made it          difficult to understand the security needs of the system.          Information on the physical, operational, and technical environment          and the nature of the sensitivity is essential to understanding the          security needs of the system.          For some controls, such as security training and awareness,          expected operational dates are not indicated as required by OMB          Bulletin 88-16.          The plan refers to the development control, design review and          testing, as not applicable.  Even in an operational system,          development controls should be addressed as historical security          measures and as ongoing measures for changing hardware and          software.          The plan notes that a more formal risk assessment is being planned.          This effort should help your organization more effectively manage          risks and security resources.  National Institute of Standards and          Technology Federal Information Processing Standards Publication 65,          "Guideline for Automatic Data Processing Risk Analysis," and 73,          "Guideline for the Security of Computer Applications" may be of          help in this area.                                         21          APPENDIX V                                               APPENDIX V                      STATUS OF SECURITY CONTROLS IN 1,542 PLANS                      ------------------------------------------                                                          Planned &                                 Plan         In place    in place    Planned                                 ----         --------    ---------   -------    Security controls            responses#a  (percent)   (percent)   (percent)    Management controls    Assignment of security    responsibility               1,448        91           5          4    Personnel selection and    screening                    1,268        84          11          5    Risk analysis and    sensitivity assessment       1,321        71          13         17    Development controls    Design review and testing      728        82          10          8    Certification and    accreditation                  948        66          10         24    Security and acquisition    specifications               1,093        83          10          7    Operational controls    Audit and variance    detection                    1,177        81           7         12    Documentation                1,375        83          10          8    Emergency, backup, and    contingency planning         1,381        69          14         17    Physical and environmental    protection                     450        87          10          4    Production and input/    output controls              1,290        87           7          7    Software maintenance    controls                     1,327        87           7          7    Security training and    awareness measures           1,408        58          27         15                                         22          APPENDIX V                                               APPENDIX V    Technical controls    Authorization/access    controls                     1,389        87           6          7    Confidentiality controls       357        84           7          9    Audit trail mechanisms       1,194        83           8          9    Integrity controls           1,220        85           8          7    User identification    and authentication           1,370        87           7          6    Weighted average               --         81          10         10    Note:  The status of security controls is based on information reported    in 1,542 civilian plans in early 1989 and contained in the NIST/NSA data    base.  Missing and not applicable answers were not included in the    percentages.  Some percentages do not add up to 100 due to rounding.   a"Plan responses" is the number of plans, out of 1,542, that addressed    each control.                                         23    APPENDIX VI                                                   APPENDIX VI                        MAJOR CONTRIBUTORS TO THIS REPORT                        ---------------------------------    INFORMATION MANAGEMENT AND TECHNOLOGY DIVISION, WASHINGTON, D.C.    ----------------------------------------------------------------    Linda D. Koontz, Assistant Director    Jerilynn B. Hoy, Assignment Manager    Beverly A. Peterson, Evaluator-in-Charge    Barbarol J. James, Evaluator    (510465)                                         24                              RELATED GAO PRODUCTS                              --------------------    Computer Security:  Identification of Sensitive Systems Operated on    Behalf of Ten Agencies (GAO/IMTEC-89-70, Sept. 27, 1989).    Computer Security:  Compliance With Security Plan Requirements of the    Computer Security Act (GAO/IMTEC-89-55, June 21, 1989).    Computer Security:  Compliance With Training Requirements of the    Computer Security Act of 1987 (GAO/IMTEC-89-16BR, Feb. 22, 1989).    Computer Security:  Status of Compliance With the Computer Security Act    of 1987 (GAO/IMTEC-88-61BR, Sept. 22, 1988).                                         25