« PreviousContinue »
This report responds to your November 29, 1988, request for information on the identification of sensitive computer systems by 10 federal agencies. In discussions with your offices, we agreed to obtain the agencies' lists of sensitive computer systems operated by contractors, states, or other organizations and descriptions of the approaches they used to respond to your November 29, 1988, and March 7, 1989, requests. As you know, federal agencies were to identify these systems and prepare security plans for them in accordance with the Computer Security Act of 1987. This letter summarizes the requested information. Appendix I provides more details on the number of sensitive systems the agencies identified and the approaches they used to identify the systems.
Number of Sensitive
Nine of the 10 agencies identified a total of 1,032 sensitive systems operated by contractors or other organizations and none operated by state governments. One agency, the Environmental Protection Agency, reported that it operates all of its own sensitive computer systems. Table 1 shows the total number of sensitive computer systems operated by contractors or other organizations on behalf of the agencies.
Approaches Used to
On November 29, 1988, the Chairmen of the House Committees on Government Operations and Science, Space, and Technology, jointly requested that 10 agencies provide lists of sensitive computer systems that are operated on the agencies' behalf by contractors, states, or other organizations. Generally, in responding to the Committees' request, the 10 agencies asked their main organizational components to identify sensitive computer systems that are operated by contractors, states, or other organizations. Five agencies—the Departments of Agriculture, Interior, Justice, Labor, and Treasury-sent to their components a copy of the Computer Security Act or agencies' definitions of terms, such as sensitive information, along with their reporting instructions. The agencies' headquarters consolidated the information they received and prepared an agency response.
In preparing their responses to the November 1988 request, four agencies—the Departments of Justice, Defense, Labor, and Treasury—told us they used computer security plans, inventories, or other documentation as a check to ensure that the lists submitted to the Committees were complete.
The Committees sent a second letter, dated March 7, 1989, to the 10 agencies noting that their original responses did not appear to include all systems operated by contractors, states, or other organizations. Therefore, the Committees requested that the agencies provide revised lists of