Information Security: Software Change Controls at the Office of Personnel Management

AIMD-00-197R June 30, 2000
Full Report (PDF, 6 pages)

Summary

Pursuant to a congressional request, GAO reviewed the Office of Personnel Management's (OPM) software change controls, focusing on: (1) whether key controls as described in agency policies and procedures regarding software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which agencies contracted for year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.

GAO noted that: (1) office-level guidance for routine software change control did not exist, and formally documented component procedures for year 2000 software changes were inadequate; (2) procedures developed by both OPM components for year 2000 remediation of software did not adequately address key controls for operating system software access and monitoring; (3) based on GAO's interviews, agency officials were not familiar with contractor practices for software management; (4) this is of potential concern because 65 (61 percent) of OPM's 107 mission-critical federal systems involved the use of contractors for year 2000 remediation; (5) also of concern is that Retirement and Insurance Service Systems (RISS) sent code associated with 7 mission-critical systems to a contractor facility for remediation, and agency officials could not readily determine how the code was protected after transit to the contractor facility, when the code was out of the agency's direct control; (6) OPM officials did not have complete data on the involvement of foreign nationals in software change process activities; and (7) however, officials told GAO that one of two contracts issued by RISS for remediation of 57 mission-critical systems involved foreign nationals.