sensitive systems. In responding to the Committees' request, 5 of the 10 agencies-the Departments of Defense, Health and Human Services, Interior, Labor, and Treasury-reported 220 additional systems operated by contractors or other organizations and none by states. Four agencies-the Departments of Interior, Justice, Labor, and Treasurysaid they reviewed computer security plans and verified the accuracy of their original responses. Appendix I describes the approaches used by the agencies to identify their sensitive systems operated by contractors or other organizations. Objectives, Scope, and Methodology As agreed with the Committees' offices, our objectives were (1) to obtain the agencies' lists of sensitive systems that were provided in response to the Committees' request of November 29, 1988, and descriptions of the approaches used to identify the systems, and (2) review the 10 agencies' responses to the Committees' follow-up request of March 7, 1989, for any revisions to the original lists and obtain descriptions of how the agencies identified systems included in the revisions. To accomplish these objectives, we obtained copies of the lists of sensitive computer systems that were submitted to the Committees. We interviewed officials of each of the 10 agencies to ascertain how they identified their sensitive systems operated by contractors, states, or other organizations and whether any additional approaches were used to revise the lists initially sent to the Committees. We performed our work between January and July 1989 in the Washing- In accordance with the Committees' wishes, we did not obtain agencies' comments on a draft of this report. This report was prepared under the direction of JayEtta Z. Hecker, Director, Resources, Community, and Economic Development Information Systems, (202) 275-9675. Other major contributors are listed in appendix II. Ralph V. Cartone Ralph V. Carlone Assistant Comptroller General |