Page images
PDF
EPUB

Appendix I

Number of Sensitive Systems Reported and
Approaches Used by the Ten Agencies to
Identify the Systems

Department of
Agriculture

Response to Committees' Request of November 29, 1988

Response to Committees'
Request of March 7, 1989

Before the Committees' November 1988 request, the Department of Agriculture sent a letter to its components requesting that they identify computer systems containing sensitive information. The Department attached to its letter a copy of the Computer Security Act of 1987, and Agriculture's definition of sensitive information. This was done as part of Agriculture's effort to comply with the Computer Security Act.

In its response to the Committees' request, Agriculture reported nine sensitive computer systems operated by contractors and no systems operated by states or other organizations. In preparing its response, Agriculture sent a letter asking its components to submit lists of sensitive systems that are operated on the Department's behalf by contractors, states or other organizations. According to Agriculture's Automatic Data Processing (ADP) Security Officer, Agriculture performed no verification of the lists submitted by its components. The Department compiled a list of all sensitive systems identified by its components.

We contacted one Agriculture component, the Forest Service, to determine how it identified its sensitive systems. Forest Service's ADP Security Officer said the Service received the Department's letter asking each component to identify its sensitive computer systems, a copy of the act, and a definition of sensitive information. The ADP Security Officer stated that Forest Service's headquarters identified all sensitive computer systems from its central inventory of automated systems. The official said the Forest Service identified and reported to Agriculture three contractor-operated sensitive systems.

Agriculture reported that it reviewed its first response to the Committees and reaffirmed that its response was accurate. The ADP Security Officer stated that, based on Agriculture's review of components' computer security plans, there were no additional systems to report.

Number of Sensitive Systems Reported and
Approaches Used by the Ten Agencies to
Identify the Systems

Department of
Defense

Response to Committees' Request of November 29, 1988

The Department of Defense reported to the Committees 35 sensitive
computer systems that are operated by contractors and no systems that
are operated by states or other organizations. Defense said these sys-
tems were identified by all of its components except the major ser-
vices-Air Force, Army, and Navy-which would be reported to the
Committees as soon as Defense received the information from the major
services.

The Information Systems Manager, Office of the Assistant Secretary of Defense, said Defense sent to its components a letter that requested lists of their sensitive systems that are operated by contractors, states, or other organizations. Defense attached to its letter a copy of the Committees' letter requesting this information.

We contacted one Defense component, the Department of the Navy, to
determine how it identified its sensitive systems. According to the Com-
puter Security Coordinator, the Navy received Defense's letter and sent
a copy of it to the Navy's components, including the U.S. Marine Corps.
A Marine Corps headquarters computer security analyst stated that the
Marine Corps sent to its components a letter requesting a list of sensitive
systems along with copies of the Department of Defense's letter, the
Committees' request letter, and definitions of a sensitive system and
other terms. The analyst said two Marine Corps components identified
sensitive systems operated by contractors. One of these components, the
Manpower Department, identified from its inventory sensitive man-
power systems that are operated by contractors. The analyst said
Marine Corps headquarters checked the components' responses with its
inventory of sensitive systems to ensure that they were accurate and
complete. According to the Computer Security Coordinator, instead of
holding the Marine Corps' response until the Navy completed its identifi-
cation of sensitive systems, the Marine Corps' response was forwarded
to Defense.

The Information Systems Manager said Defense compared components' responses with its list of computer security plans to ensure that the responses were accurate and complete.

Number of Sensitive Systems Reported and
Approaches Used by the Ten Agencies to
Identify the Systems

Response to Committees'
Request of March 7, 1989

Department of Energy

Response to Committees' Request of November 29, 1988

Defense reported 180 additional contractor-operated sensitive systems that were identified by the Army and Air Force. Defense indicated that information on the Navy's sensitive computer systems would be forwarded to the Committees along with any additional Service inputs after they are received by Defense.

In response to the Committees' request, the Department of Energy reported that it does not keep a central inventory of sensitive systems. However, Energy said it requested its components to certify that all sensitive systems operated by contractors, states, or other organizations had been identified.

Energy's Acting Director of ADP Management stated that after responding to the Committees, the Department requested its components to submit lists of the sensitive systems they previously identified. Energy compiled the components' lists and submitted, as an additional response to the Committees, a list of 691 sensitive systems operated by contractors and no systems operated by states or other organizations.

We contacted one Energy component, the Morgantown Energy Technology Center, to determine how it identified its sensitive computer systems. A program analyst said the Center received four memorandums from the Department regarding the identification of sensitive computer systems. The analyst stated that the Center reviewed its inventory of computer systems and determined that none of its sensitive systems are operated by contractors, states, or other organizations. The analyst said the Center's field unit has no computer systems. The Center sent a letter to Energy headquarters certifying that the Center had identified all of its sensitive systems.

Response to Committees'
Request of March 7, 1989

Energy reported that the information requested was provided in the additional response to the Committees listing 691 sensitive systems operated by contractors.

Number of Sensitive Systems Reported and
Approaches Used by the Ten Agencies to
Identify the Systems

Department of Health and Human Services

Response to Committees' Request of November 29, 1988

Response to Committees'
Request of March 7, 1989

The Department of Health and Human Services (HHS) reported 31 sensitive computer systems that are operated by contractors or other organizations and no systems operated by states.

In preparing HHS's response, the Senior Information Resources Manager stated that the Department sent a letter to its five components requesting that they submit lists of sensitive systems operated by contractors, states, or other organizations. This official said HHS verified the accuracy and completeness of the lists with the Information Systems Security Officers of each component.

We contacted one HHS component, the Social Security Administration
(SSA), to determine how it identified its sensitive computer systems. SSA's
Senior Computer Security Officer said the agency received a letter from
the Department requesting that it identify its sensitive systems that are
operated by contractors, states, or other organizations. The Senior Com-
puter Security Officer stated that he developed SSA's response based on
his knowledge of all systems. SSA reported that none of its sensitive sys-
tems are operated by contractors, states, or other organizations.

HHS reported to the Committees 26 additional sensitive systems operated by contractors or other organizations and no systems operated by states.

In preparing its response, the Senior Information Resources Manager said HHS instructed all program offices, in conjunction with their attorneys, to reexamine the computer systems that the program offices had originally identified as not processing sensitive information. As a result of the reexamination, HHS determined that 26 of the systems are sensitive computer systems that are operated by contractors or other organizations.

Number of Sensitive Systems Reported and
Approaches Used by the Ten Agencies to
Identify the Systems

Department of the
Interior

Response to Committees' Request of November 29, 1988

Response to Committees'
Request of March 7, 1989

Before the Committees' November 1988 request, the Department of the Interior sent to its components a letter requesting lists of sensitive computer systems and providing instructions on the identification of such systems. This was done as part of Interior's effort to comply with the Computer Security Act of 1987.

In its response to the Committees' request, Interior reported three sensitive computer systems operated by contractors or other organizations and no systems operated by states. Interior's Information Resources Security Administrator said Interior compiled its list from the components' lists of sensitive computer systems. The Administrator also said he verified the accuracy of the components' lists with their Information Resources Management Officers. The Administrator said that after reviewing components' computer security plans, Interior realized that it had omitted one system from its response. The official told us that a corrected response would be sent to the Committees.

We contacted one Interior component, the U.S. Geological Survey, to
determine how it identified its sensitive computer systems. The Informa-
tion Resources Management Officer told us that the Geological Survey
received the Department's letter with instructions to identify its sensi-
tive computer systems. The officer stated that the Geological Survey
requested its divisions to update their inventories of sensitive computer
systems and sent to division representatives an information package
consisting of the Computer Security Act and other information to help
them update their lists. According to the officer, the division representa-
tives passed the information along to offices responsible for the systems
and requested that they update their inventories of sensitive systems.
The Geological Survey compiled the divisions' updated lists and
reported to Interior that none of its sensitive systems are operated by
contractors, states, or other organizations.

Interior reported to the Committees a total of 12 sensitive computer systems operated by contractors or other organizations. According to the Department's Information Systems Security Administrator, the Committees' March request prompted a reexamination of the computer security

« PreviousContinue »