Appendix I Number of Sensitive Systems Reported and Department of Response to Committees' Request of November 29, 1988 Response to Committees' Before the Committees' November 1988 request, the Department of Agriculture sent a letter to its components requesting that they identify computer systems containing sensitive information. The Department attached to its letter a copy of the Computer Security Act of 1987, and Agriculture's definition of sensitive information. This was done as part of Agriculture's effort to comply with the Computer Security Act. In its response to the Committees' request, Agriculture reported nine sensitive computer systems operated by contractors and no systems operated by states or other organizations. In preparing its response, Agriculture sent a letter asking its components to submit lists of sensitive systems that are operated on the Department's behalf by contractors, states or other organizations. According to Agriculture's Automatic Data Processing (ADP) Security Officer, Agriculture performed no verification of the lists submitted by its components. The Department compiled a list of all sensitive systems identified by its components. We contacted one Agriculture component, the Forest Service, to determine how it identified its sensitive systems. Forest Service's ADP Security Officer said the Service received the Department's letter asking each component to identify its sensitive computer systems, a copy of the act, and a definition of sensitive information. The ADP Security Officer stated that Forest Service's headquarters identified all sensitive computer systems from its central inventory of automated systems. The official said the Forest Service identified and reported to Agriculture three contractor-operated sensitive systems. Agriculture reported that it reviewed its first response to the Committees and reaffirmed that its response was accurate. The ADP Security Officer stated that, based on Agriculture's review of components' computer security plans, there were no additional systems to report. Number of Sensitive Systems Reported and Department of Response to Committees' Request of November 29, 1988 The Department of Defense reported to the Committees 35 sensitive The Information Systems Manager, Office of the Assistant Secretary of Defense, said Defense sent to its components a letter that requested lists of their sensitive systems that are operated by contractors, states, or other organizations. Defense attached to its letter a copy of the Committees' letter requesting this information. We contacted one Defense component, the Department of the Navy, to The Information Systems Manager said Defense compared components' responses with its list of computer security plans to ensure that the responses were accurate and complete. Number of Sensitive Systems Reported and Response to Committees' Defense reported 180 additional contractor-operated sensitive systems that were identified by the Army and Air Force. Defense indicated that information on the Navy's sensitive computer systems would be forwarded to the Committees along with any additional Service inputs after they are received by Defense. Department of Energy Response to Committees' Request of November 29, 1988 Response to Committees' In response to the Committees' request, the Department of Energy reported that it does not keep a central inventory of sensitive systems. However, Energy said it requested its components to certify that all sensitive systems operated by contractors, states, or other organizations had been identified. Energy's Acting Director of ADP Management stated that after responding to the Committees, the Department requested its components to submit lists of the sensitive systems they previously identified. Energy compiled the components' lists and submitted, as an additional response to the Committees, a list of 691 sensitive systems operated by contractors and no systems operated by states or other organizations. We contacted one Energy component, the Morgantown Energy Technology Center, to determine how it identified its sensitive computer systems. A program analyst said the Center received four memorandums from the Department regarding the identification of sensitive computer systems. The analyst stated that the Center reviewed its inventory of computer systems and determined that none of its sensitive systems are operated by contractors, states, or other organizations. The analyst said the Center's field unit has no computer systems. The Center sent a letter to Energy headquarters certifying that the Center had identified all of its sensitive systems. Energy reported that the information requested was provided in the additional response to the Committees listing 691 sensitive systems operated by contractors. Number of Sensitive Systems Reported and Department of Health and Human Services Response to Committees' Request of November 29, 1988 Response to Committees' The Department of Health and Human Services (HHS) reported 31 sensitive computer systems that are operated by contractors or other organizations and no systems operated by states. In preparing HHS's response, the Senior Information Resources Manager stated that the Department sent a letter to its five components requesting that they submit lists of sensitive systems operated by contractors, states, or other organizations. This official said HHS verified the accuracy and completeness of the lists with the Information Systems Security Officers of each component. We contacted one HHS component, the Social Security Administration HHS reported to the Committees 26 additional sensitive systems operated by contractors or other organizations and no systems operated by states. In preparing its response, the Senior Information Resources Manager said HHS instructed all program offices, in conjunction with their attorneys, to reexamine the computer systems that the program offices had originally identified as not processing sensitive information. As a result of the reexamination, HHS determined that 26 of the systems are sensitive computer systems that are operated by contractors or other organizations. Department of the Number of Sensitive Systems Reported and Response to Committees' Request of November 29, 1988 Before the Committees' November 1988 request, the Department of the Interior sent to its components a letter requesting lists of sensitive computer systems and providing instructions on the identification of such systems. This was done as part of Interior's effort to comply with the Computer Security Act of 1987. Response to Committees' In its response to the Committees' request, Interior reported three sensitive computer systems operated by contractors or other organizations and no systems operated by states. Interior's Information Resources Security Administrator said Interior compiled its list from the components' lists of sensitive computer systems. The Administrator also said he verified the accuracy of the components' lists with their Information Resources Management Officers. The Administrator said that after reviewing components' computer security plans, Interior realized that it had omitted one system from its response. The official told us that a corrected response would be sent to the Committees. We contacted one Interior component, the U.S. Geological Survey, to Interior reported to the Committees a total of 12 sensitive computer systems operated by contractors or other organizations. According to the Department's Information Systems Security Administrator, the Committees' March request prompted a reexamination of the computer security |