Information Security: Software Change Controls at the Department of Energy

AIMD-00-189R June 30, 2000
Full Report (PDF, 6 pages)

Summary

Pursuant to a congressional request, GAO reviewed software change controls at the Department of Energy (DOE), focusing on: (1) whether the key controls described in agency policies and procedures for software change authorization, testing, and approval complied with federal guidance; and (2) the extent to which DOE components contracted out year 2000 remediation of mission-critical systems and involved foreign nationals in these efforts.

GAO noted that:

(1) 3 of the 20 components--Nevada Operations Office, Ohio Field Office, and Western Area Power Administration (WAPA)--had no formally documented process for routine software change control;

(2) departmentwide guidance and formal procedures at 17 of the 20 components included in GAO's review were inadequate;

(3) of these 17 components, only headquarters offices had formally adopted the department-level guidance in documented procedures;

(4) DOE had established department-level guidance for software engineering that adopted the Carnegie Mellon University Software Engineering Institute's Capability Maturity Model for Software;

(5) however, the guidance was not mandatory, was adopted only by headquarters offices, and did not address key controls;

(6) based on GAO's interviews, DOE officials were not familiar with contractor practices for software management;

(7) this is of potential concern because 324 of the 352 DOE mission-critical systems covered by GAO's study involved the use of contractors for year 2000 remediation;

(8) officials at 9 DOE components were unfamiliar with daily contractor practices and either directed GAO to interview contractor staff to obtain this information or relied on contractor personnel during GAO's interview;

(9) based on GAO's interviews and review of documented security policies and procedures, background screening of personnel involved in the software change process was not a routine security control at all components;

(10) for example, officials at Ames Laboratory, the Office of Civilian Radioactive Waste Management, and WAPA told GAO that four contracts for remediation services did not include provisions for background checks of contractor staff;

(11) agency officials at Ames, headquarters, and the National Renewable Energy Laboratory told GAO that foreign nationals were employed on three contracts for remediation services;

(12) officials at Ames, headquarters, and WAPA did not require routine background screening of foreign national personnel involved in making changes to software; and

(13) at Ames and headquarters, complete data on the involvement of foreign nationals in software change process activities were not readily available.