Summary

Pursuant to a congressional request, GAO provided information on 10 federal agencies' identification of sensitive computer systems operated by contractors, states, and other organizations.

GAO found that: (1) 9 agencies reported in November 1988 a total of 812 sensitive computer systems operated by contractors or other organizations and none operated by states; (2) the Environmental Protection Agency (EPA) reported that it operated all of its sensitive computer systems; (3) the Departments of Agriculture (USDA), Interior, Justice (DOJ), Labor (DOL), and the Treasury sent their components definitions of sensitive computer systems and then consolidated component-supplied information to determine their total numbers of sensitive systems; (4) DOJ, DOL, Treasury, and the Department of Defense (DOD) used computer security plans, inventories, or other documentation to ensure that their reported lists were complete; and (5) in response to a March 1989 request that they revise their lists, which did not appear to include all sensitive systems operated by contractors, states, or other organizations, DOD, Interior, DOL, Treasury, and the Department of Health and Human Services reported a total of 220 additional systems, while other agencies reviewed their original responses and verified their accuracy.