Computer Security: Compliance With Security Plan Requirements of the Computer Security Act

IMTEC-89-55 June 21, 1989
Full Report (PDF, 26 pages)

Summary

Pursuant to a congressional request, GAO determined federal agencies' compliance with a legislative requirement to submit security plans for their computers containing sensitive information to the National Institute of Standards and Technology and the National Security Agency.

GAO found that: (1) the Computer Security Act of 1987 required agencies to establish and submit their computer security plans by January 8, 1989; (2) 50 of 85 surveyed agencies submitted all of their security plans, and 11 agencies submitted some of their security plans by the deadline; (3) 17 agencies reported that they had no computer systems that processed sensitive information; (4) five agencies did not submit security plans, with one citing its exemption from the act, three stating that they would submit plans later in 1989, and one not projecting when it would submit plans; (5) the agencies submitted a total of 1,592 plans; (6) most of the agencies submitting plans involved senior information resource managers, other senior managers, and system users in preparing and reviewing plans; (7) the submitted computer security plans generally were consistent with agency procedures and directives; and (8) agencies submitting plans typically used criteria based on Office of Management and Budget computer security plan guidance, as well as other criteria, to assess risks and develop protection requirements.