DEPARTMENT OF AGRICULTURE PROPOSED COMPUTER ACQUISITION

lease 2002/11/15 : CIA-RDP84-00933R000300270001-1 Senate Hearings .before the Committee on appropriations Department of Agriculture Proposed Computer Acquisition Fiscal Year 916 94 th CONGRESS, FIRST SESSION SPECIAL HEARING Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approi)cf r**T+R(N/T/10:FIA Mi2UV lJ lf ff 0001-1 PROPOSED COMPUTER ACQUISITION HEARING BEFORE A SUBCOMMITTEE OF THE COMMITTEE ON APPROPRIATIONS UNITED STATES SENATE Special Hearing 0 U.S. GOVERNMENT PRINTING OFFICE 60-209 0 WASHINGTON : 1976 Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1 SUBCOMMITTEE OF THE COMMITTEE ON APPROPRIATIONS GALE W. McGEE, Wyoming, Chairman JOHN C. STENNIS, Mississippi WILLIAM PROXMIRE, Wisconsin ROBERT C. BYRD, West Virginia DANIEL K. INOUYE, Hawaii BIRCH BAYII, Indiana THOMAS F. EAGLETON, Missouri LAWTON CHILES, Florida JOHN L. McCLELLAN, Arkansas, C.), ol/icio HIRAM L. FONG, Hawaii ROMAN L. HRUSKA, Nebraska MILTON R. YOUNG, North Dakota MARK O. HATFIELD, Oregon HENRY BELLMON, Oklahoma E% OFFICIO MEMBERS FROM THE COMMITTEE ON AGRICULTURE HERMAN E. TALMADGE, Georgia ROBERT DOLE, Kansas TAMES O. EASTLAND, Mississippi Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1 CONTENTS Statement of J. P. Bolduc, Deputy Assistant Secretary for Administration, Department of Agriculture ________________________ ______________ 1 Letter from Elmer B. Staats, Comptroller General of the United States _ _ _ _ _ _ _ _ 3 General Accounting Office report, "Improved Planning------------------------ 4 Agency ADP financial plan (USDA) (table) ------------------------------------ 61 Statement of James R. Pompa, vice president, Honeywell Information Systems - _ 99 Letter from D. E. Stromback, vice president and group executive, Federal and Special Systems Group_________________________________________________ 104 Letter from C. A. Christopher, Univac Division, Sperry Rand Corp ------------ 105 Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1 DEPARTMENT OF AGRICULTURE AND RELATED AGENCIES APPROPRIATIONS FOR FISCAL YEAR 1976 WEDNESDAY, JUNE 18, 1975 U.S. SENATE, SUBCOMMITTEE OF THE COMMITTEE ON APPROPRIATIONS, Washington, D.C. The subcommittee met at 10:05 a.m., in room 1224, Everett McKin- ley Dirksen Office Building, Hon. Gale W. McGee (chairman) presid- ing. Present: Senators McGee, Fong, Young and Bellmon. DEPARTMENT OF AGRICULTURE AUTOMATED DATA PROCESSING AND COMPUTER EQUIPMENT STATEMENT OF J. P. BOLDUC, DEPUTY ASSISTANT SECRETARY FOR ADMINISTRATION ACCOMPANIED BY: FRANK B. ELLIOTT, ADMINISTRATOR, FARMERS HOME AD- MINISTRATION, USDA H. W. MEETZE, DIRECTOR, OFFICE OF AUTOMATED DATA SYSTEMS, USDA OPENING REMARKS BY CHAIRMAN Senator McGEE. This hearing will come to order. We are here to investigate Department of Agriculture plans to acquire substantial aiLl unts of automatic data processing equipment. The proposa as been under active investigation by the General Ac- counting Office for the past several mohs. GAO REPORT CRITICAL OF WDA On June 3, GAO issued its report entitled, "Improved Planning." This report stressed that improved planning is a must before a Depart- ment-wide automatic data processing system is acquired. The report was severely critical of the Department. It alleges that sufficient efforts weren't made to survey and examine the scope of Department ADP and computer needsbeoreiss~ un a request for the proposal. In the opinion of the GAO, the Department went forward without knowing its specific needs and without adequateFy""considering the communicAtion`s problenfiii 1ved in such acquisition. Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15: CIA-RDP84-00933R000300270001-1 2 Thus, based on the indepth findings of the GAO, the suggestion was simple, but to the point. That is, GAO says procurement should be cancelled forthwith, pending corrections, adjustments, or filling in what was not adequately prepared. The Department, in responding to the GAO, agrees with many of the findings. But it takes exception to the conclusion, for obvious reasons, since they already had reached their own conclusion. The Department apparently feels that the procurements should be allowed to proceed and adjustments could be made as they go along. The General Services in.istration, which, in effect, is operating as a confr:act ? agency for the Department in the acquisition of this equipment, generally--agrees that the procurement should be kept alive, pending a resolution of the needs. But that is about as far as the agreement seems to go. It has become the business of this subcommittee, because the costs an- ticipated are substantial ones. This money will have to come from you-know-where. That is the reason for our hearings this morning. Estimates of the cost of this 400 million mark, total for the next 7 prro8osal arr. " run Compl'ic around "afio the e s owing foift that "expenditure add to the problem. The matter also is not without its importance to the private sector. Private industry has already expended considerable amounts of time and money in responding to the request for bids. If the procurement is cancelled, as recommended by the GAO, bidders would stand to lose considerable amounts of money already committed. This adds a complicated dimension to the question that this commit- tee must consider. I am presuming at the outset of these hearings that all of the interested and concerned parties are at least familiar with the GAO report. That is where we are going to start. We are starting with the assumption that this hasn't just been discovered. To assist in the consideration of this matter, the GAO report will be entered in the record at this point. [The report follows:] Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 CIA-RDP84-00933R000300270001-1 COMPTROLLER GENERAL. OF THE. UNITED STATES WASHINGTON. O.C_ =D!16 . To the President of the Senate and the Sneaker of the House of Representatives This report gives our reasons for recommending cancellation of a planned procurement of automatic data processing e3Lipment for the Department of Agriculture. We made our review pursuant to the Budget and Accountinq Act, 1921 (31 U.S.C. 53), and the Accounting and Auditinq Act of 1950 (31 U.S.C. 67). We are sendino copies of this report to the Secretary of Agriculture and to the AdministCafor of Genc:xal Slices. Comptroller General of the United States Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1 4 COMPTROLLER GENERAL'S REPORT 10 THE CONGRESS IMPROVED PLANNING--A MUST BEFORE A DEPARTMENT-WIDE. AUTOMATIC DATA PROCESS NG SYSTEM IS ACQUIRED FOR THE DEPARTMENT OF AGRICULTURE D I G E S T WHY THE REVIEW igAS MADE Congressman John E. Moss and former Senator Sar J. Ervin, Jr., requested that GAO review all circumstanc'?s surrounding a proposed com- puter network, known as FEDNET, with emphasis on potential invasion of privacy. FINDINGS AND CONCLUSIONS In February 1974 the General Services Admin- istration released a req uest-'tor proposals to industry to provide (1) automatic data proc- essing equipment for use at one General Serv- ices center and at four Department of Agri- culture centers and (2) a data communications network that eventually would have linked the computers with several thousand terminals throughout the countT -" When the Congress learned of the project, there was widespread concern because the Congress had not .)een fully informed of plans for a project of its size and because it could pose a serious threat to the privacy.of individuals, particular "nce 'gip""'sice such a net- wor k might be expanded to link all Government computers. As a result, the request for proposals was revised to eliminate the data communications network and t r~"'eautomatic data processing "" equipm n for the General Services' center. The revised request provides for equipment for four Agricult,wre centers, with equipment for a fifth center optional. For the four Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 5CIA-RDP84-00933R000300270001-1 centers, the total cost of the project., in- cluding $106 million for-equipment and soft- ware and- operating costs over an 8-year period, is estimated at $358 milli.or ee pp. 2 and 18.) System la n studies needed Inipecember 1970 the Secretary of Agriculture app T"'CRe lowing concepts to achieve effective use of automatic data processing resources. --Management of all Agriculture's data proc- ess7tfij resources by a central office.----* --Development of an overall automatic data processing plan, --Large-scale, regional computer centers with maximum use of terminals for remote use of computers. (See p. 4.) I&A r it 1971] task force recommended con- solia`?t`Yrt "`automatic data processing re- sources and identified actions needed to de- velop the overall automatic data processing plan. (See p. 4.) In ehruary 1974)when General Services re- leas M7-1'eauest, for proposals cover ing both Agriculture's and General Services' equipment requirements, Agriculture had no developed the e etu res that should have preceded procure- ment. (See p. 6.) Determine user requirements before star tiny: procurement Agriculture had not determined the data proc- essing and communications requirements for all of its agencies. The data processing re- quirements used to justify the February 1974 request for proposals were not representative of Department-wide needs because they were developed primarily from the workload analy- sis of only one Agr iculture agency--one of the largest of 29 agencies and users. Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 :6CIA-RDP84-OO933ROOO3OO27OOO1-1 There was no basis for designing an optimum communications network because agency users' locations and communications needs had not .been identified. A complete accumulation and analysis of user requirements before procure- ment is imperative in view of the size, corn- plexity, and eventual cost of the project. (See pp. 7 and 10.) Consider data .securit re uirements Agriculture had not adequately considered security requirements that would reasonably protect personal or other sensitive informa- tion from unauthorized access. Agriculture could not develop realistic security specifi- cations for the request for propose.'-- r. ecause it had not made an analysis of all us-s' sensitive and txrsonal data. Such an analy- sis is a prerequisite to any determinations of cost-effective methods of providing ac- ceptable levels of security. (See p. 13.) Although Agriculture is now making a survey of its agency requirements for data process- ing and communications, its survey questions are not aimed at producing the types of in- formation needed to reasonably protect per- sonal and sensitive data. (See p. 15.) Compare costs for pro 2sed and existing ssystems and or al ter r.at ive designs Agriculture did not make the economic studies required by Government regulations as a basis for evaluating a proposed project's benefits or the cost implications of alternative de- signs. (See p. 17.) Agriculture officials told GAO that.the proj- ect had been economically justified on the basis that the estimated overall cost for acquiring, preparing, and operating the pro- posed consolidation of installations and in- tegration of data systems was less than what the overall cost would have been if each Agriculture agency had been permitted to ac- quire arid operate its own system. GAO be- lieves that this jus.:ification is not valid, Approved For Release 2002/11/15 : CIA-RDP84-00933ROO0300270001-1  Approved For Release 2002/11/15 :CIA-RDP84-00933R000300270001-1 mainly because it did not compare costs for existing and proposed systems and for alter- native system designs. (See p. 17.) In January 1973 Agriculture decided on the locations for four departmental centers. Three centers already existed and the fourth was in the planning stage. There were no sys- tems or economic studies made for considering alternative numbers of centers or locations. .Consequently there was no consideration of the potential savings if only one, two, or three centers were established or of optimum locations for the centers. ( See P. 18.) Conclusions GAO recognizes that Agriculture could expect economies aril efficiencies to result from ( 1) consolidating and integrating data processing services Department-wide and (2) replacing a collection of heterooeneous. second- and third-generation equipment. At this time, however , the t enuest for proposals is not based on the required studies and analyses. As a result there ale unanswered questions concerning trlt' number and location of sites, the data processing equipment configurations, interfaces with communications equipment, and the privacy and security considerations. (See p. 19.) RECOMMENDATIONS The Secretary of Agriculture should: --Advise General Set vices to cancel the planned procurement of c.utomatic data processing equipment. --Prepare a consolidation and integration plan for the proposed system. --Complete the studies of Agriculture data processing and communication requirements, network and configuration analysis, secu- rity and privacy requirements, and economic factors. Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1 8 --After completion and comoatative analysis of the plan and studies, select, if war:- ranted, the best alternative and prepare a new request for proposals based on estab- lished requirements. AGENCY ACTIONS A;J RES.OLVED ISSUES Agriculture acknowledged that data processing and communications requirements of all users had not been determined when the request for proposals was released in February 1974; how- ever, it thought that the pending procurement of equipment should not be canceled until a survey of such requirements, begun in October 1974, is completed in May 1975. Agriculture says that if the survey results indicate that the procurement is not justified, it will be canceled. (See p. 20.) Agriculture's comments indicate that it is either abandoning or deferring its stated ob- jectives--consolidating computer activity at some 47 locations into 4 centers, integrating data systems, and maximizing use of terminals for remote computer use. If such is the case, GAO still believes that the procurement should be canceled because, according to Ag.- riculture's consulting firm, existiMng equip- ment at thr ee depar tmental . center s that the -firm v?isitea was adequate, whereas equipment f et1n9 the -requirements of the request for 'p'roposals would provide. considerably more computer power than Agriculture needs. (See p. 21.) If Agriculture is merely deferring its stated objectives to the near future, a complete communications study, including. network anal- ysis and confi,uration, has to be made before any data processing equipment is procured, to insure its effective use. Since the purpose of such a study, which would involve a con- siderable amount of time, is to tailor the communications system to users' needs, it could not be made until after all user re- quiremercts have been der t.mined. GAO be- lieves that all required studies should be made. (See p. 22.) Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/159 CIA-RDP84-00933R000300270001-1 General Services agrees that no contract award should be made until Agriculture has. completed all the studies GAO noted. and has taken the requisite actions, including ob- taining General Services' approval of Agri- culture's communications plans. Although General Services feels that industry should be advised of the possible cancellation, it believes that the procurement should not be canceler at this time because of the large investment by industry and the Government. (See p. 22.) General Service's suggestion that Agriculture not award a'contract until General Services has approved the communications plans empha-. sizes the importance of completing studies to determine the least costly alternatives be- fore starting procurement.. In GAO's opinion, Agriculture's noncompliance with the regu.la- tions on matters that could have a gr,__' im- pact on a system's requirements is jus- tification for General Services' cancv,` s.,.g the prom... ement. (See p. 23.) MATTERS FOR CONSIDERATION BY THE CONGRESS The House Committee on Appropriations directed Agriculture to keep the Committee fully informed of the progress and proposals for the propo.sed computer system and to obtain the Committee's approval before obligating any additional funds for this system. The information in this re- port should also be useful to other committees and Members of Congress concerned with individ- ual privacy safeguards and efficient and eco- nomical automatic data processing operations. Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1 10 CHAPTER 1 INTRODUCTION In response to requests on May 15, 1974, from Congressman John E. Moss and on May 22, 1974, from former Senator Sam J. Ervin, Jr., then the Chairman of the Subcommittee on Constitutional Rights, Senate Committee on the Judiciary, GAO has been reviewing circumstances s%irrounding a joint General Services Administration (GSA) and U.S. Department of Agriculture (USDA) computer acquisition project, referred to to as the Federal Information Network (FEDNET). l/ In 1965 Public Law 89-306 made GSA responsible for the economic and efficient acquisition, utilization, and main- tenance of the Government's general-purpose-automatic data processing (ADP) equipment. The law reiterated the existing responsibility of the Office of Management and Budget. (OMB) for fiscal and policy control over all aspects of ADP man- agement. OMB had previously issued policies. and guidelines, in the form of circulars and bulletins, on acquiring and using ADP equipment and services. The law also provided for the National Bureau of Standards, Department of Commerce, to retain responsibility for developing technical standards and coordinating the Government's ADP research efforts. In May 1973 Executive Order 11717 transferred policy responsi- bilities to GSA, leaving OMB responsible for fiscal control and general oversight. One of the law's objectives was for GSA to be the sole purchaser of the Government's general-purpose ADP equipment, to enable it to obtain quantity discounts; however, pending attaining that objective, GSA was authorized to delegate procurement authority tG other Federal agencies. GSA issued Federal Property-Management Regulations on the administra- tive and procurement procedures for agencies to follow. When GSA receives an agency request for equipment procurement, it can elect to (1) delegate the procurement authority, (2) participate with the agency in the procure- ment, or (3) procure the equipment for the agency. The law prohibits GSA from interfering with agency determina- tions of ADP equipment requirements, including developing specifications and selecting the types and configurations of equipment needed. In April 197733 SDA requested authority to nroc-ure ADP equinmet ar four centers (with. the motion to eduiF a fifth. center). At that time GSA was planninc to acquire a l.arcoe- scale computer cyst-^ for ,one of its Feder.,' 11-ti Processinq Centers s o that onerations at its centers ?.-1 :k-- consot i- dated. rfA's planned procurement involved' to comm.unica- tions network for remote tct?'iirial use, hut the proposed USDA procurement did not. 1/An acronym first used by GSA in 1973 for a proposed natioew4de computer netwq;k for all Federal agencies,. Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15i1CIA-RDP84-00933R000300270001-1 Because of the similSri?v in the procurement oh'octic?s of the two aoenci-s and heed::se of th,e not entr it .sav;ngls through au antity discounts, USDA proposed a joint. procurement Durin_1 neact iat ions, GSr, to us,? USDA:. for prn- posals (RFP) tor ADP cq:riomant, incl.idinq the ',er;chn~-irk, 1: and USDA agreed to use GSA's RFP for the data ,ncies' inform'.ation system; by r-,aulatinn the aae'ciesI collection, atntesance, use, a- ,d dissemination of informat ion. The l +w er t ,t,I ist,es requirements as to the types of information that Federal agencies can maintain, the rights of the individuals who are the subject of such information, how such information can be used and disclosed, the accounting for disclosures, and safeguards to insure information security and confi- dentiality. USDA's information systems include personal information on its'employees as well as on farmers' incomes and financial positions. Because of the impending procurement for USDA and because the proposed procurement for GSA has been. withdrawn, our initial effort was directed primarily to the need and determination of requirements for USDA's part of the proj- We are continuinu our review, and in a later report ect . we plan to provide information on. actions that Federal agen- cies should take to protect personal and other sensitive data while fostering the proper use of data processing networks to achieve economic benefits and operational ef- ficiency. 1/The vendor's live test rat ion that his e,ruiamont car. meet performance soeclficat ions. Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 : CIA-RDP84-00933ROO0300270001-1 12 CHAPTER 2 SYSTEM PLANS AND STUDIES NEEDED BEFORE CONSOLIDATING ADP INSTALLATIONS AND INTEGRATING EXISTING SYSTEMS In implementing its objective to co.nsolidate ADP instal- lations and to into-,.-ate its agencies' data systems, USDA started procuring equipment before developing the system plans or making the analytical studies Government policies and regu- lations required. Such plans and studies are needed to insure that ADP equipment acquired meets the needs of all users in the most efficient and economical manner possible. USDA administrative regulations, issued in April. 1971, recognize the provisions of OMP Circular A-54 (superseded by Federal Management Circular 74-5, July 30, 1974) and Bulletin 60-6 concerning the planning and studies that should precede selecting and acquiring equipment. The regulations identify the essential elements of a systems study and require that the study be documented to (1) insure that a proper study has been made, (2) afford an opportunity for reviewing levels to eval- uate the recommendations and resulting decisions, and (3) pro- vide a basis for the future evaluation of the system in terms of original expectations. In December 1970 a USDA staff study concluded that USDA's ADP resources were not being used effectively. The study identified 43 USDA computer systems in 26 cities and 67 new computers planned for installation by 1975. The staff recom- mended that the Secretary of Agriculture approve the following concepts, to avoid duplication and waste of resources. 1. Management of all of USDA's data pr, yessing resources by a central office. 2. Development of an overall ADP plan. 3. Large-scale, rectional co:router centers with maximum use of terminals for remote use of the computers. The Secretary accepted the concepts and formed a task force to develop implementation policies and objectives. The task force report, issued in Aoril 1971, recommended consolidating ADP resources and identified the actions needed to develop the overall ADP plan. Some of the actions recom- mended were: --Analyze USDA's data processing needs after establishing a catalog of data systems.,.. existing and potential com- putinq and data communications needs, and management information requirements. --Identify agencies' use of common '.-- and applications and conceptually design an.integratrx? information sys- tem and computer network. Approved For Release 2002/11/15 : CIA-RDP84-00933ROO0300270001-1  Approved For Release 2002/11/15 : Cll X-RDP84-00933R000300270001-1 The task force recommended that, to insure that departmental control of ADP resources would meet individual aqency needs, the central office acquire detailed knowledge of all of USDA agencies' missions, plans, and applications. After the Secretary approved the April report, the As- sistant Secretary for Administration formed new task forces, in July 1971, to assist in developinq the overall ADP plan and accomplishing other actions recommended in the report. A systems study task force was to systematically assess each agency's data processing program--the information re- ceived, the source and method of collecting the information, the type of processing, the output of results from processing, who got the results, and how the results were used. USDA of- ficials were unable to provide documentation of such assess- ment. The Secretary established the Office of Information Sys- tems in March 1972 (changed to Office of Automated Data Sys- tems (ADS) in January 1974) and made it responsible for man- aging all ADP resources and for developing the integrated, USDA-wide information system. Although ADS gradually assumed management control of the departmental computer centers, it did not analyze USDA agencies' data processing requirements or carry out the other actions previously identified as pre- requisit.es to an overall ADP plan. In November 1973 USDA released an RFP for a study to evaluate (1) the crganiiation and management of ADP functions, (2) existing ADP operations in the light of user requirements, and (3) plans for consolidating ADP resources, including com- munication requirements. A contract was awarded to American Management Sys'-ems, Inc., (AMS) on January 8, 1974. AMS later issued four interim reports covering its re- view of (1) the proposed ADP equipment RFP, (2) budgeting and control procedures within ADS and USDA, (3) the ADS.organiza- tiorial structure, and (4) USDA agency ADP requirements. AMS issued its final report on May 30, 1974. The reports listed several areas of concern involving: 1. Adequacy of USDA's planning and resources for conver- sion to the new equipment. 2. Accuracy of USDA's costing and sizing estimate.:. 3. Procuring too much computer power. 4. Lack of specific computer center plans. 5. Lack of detailed data on agency ADP workloads. 6. Capability of ADS to support the procurement from the viewpoint of organizational structure, technical ex- pertise, planning, and staffing. Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 : CIA-RDP84-00933ROO0300270001-1 14 In its first interim report, AMS noted that it was as- sisting ADS in developing a single, comprehensive ADP plan because none had been prepared. On June 26, 1974, the AMS contract was amended to include assisting USDA in planning, systems analysis, and general management of ADI' operations. One of A.MS's new tasks was to define requirements and to develoo specifications for the communications sytems. it should be noted that this action was taken 4 months after the equipment REP was released to industry. The concepts the Secretary approved in 1970 and the plan- ning actions recommended in the 1971 report provided, in our opinion, a sound basis for the efficient and economical Pro- curement and use of ADP and communications equipment. But these goals have not been accomplished because the recommended actions were not taken. USDA did not develop the detailed plans or make the studies that should have preceded procurement action. ADS, the central office for the USDA-wide information system, did not gather the information about management information re- quirements and agencies' computing and data communication neeha. CHAPTER 3 DETERMINATION OE DATA PROCES5IN'_AND:'OM,~1UNICATIONS REQUIREME:N'I'S NE.EL)E:D DDEFORE; FQUIPMI,N'I' IS ACQUIRED USDA initiated action to acquire equipment for four d?n:~rtrental computer centers even though it had not deter- -rined the data processing and communications requirements for all 01 its a.acncies. A complete accumulation and analysis of user recuiremento-hefore procurement is imrerative in vjew of the sire, complexity, and eventual cost. of the pr:cje ct . Accordinq to the 1971 task force report, one prerequisite of the overall ADP elan was determining data processing requirements. The report also cited the need for special emphasis on data communications because such communications were essential for --providinq access to computer facilities from remote locations, --providing access to data files, --balancing computer load, --providing computer power to dispersed activities, --acouirinq data, and Approved For Release 2002/11/15 : CIA-RDP84-00933ROO0300270001-1  Approved For Release 2002/11/15 : C!~-RDP84-00933ROO0300270001-1 --contributing to information exchange by people and computers. DATA PROCESSING REQUIREMENTS Data processing requirements used to justify the RFP released to industry in February 1974 are not representative of total USDA needs because they were developed primarily from the workload analysis prepared by only one USDA agency--the Agricultural Stabilization and Conservation Service (ASCS), one of the largest of the. 29 user groups at USDA. This occurred even though the central office, accord- ing to the mandate of the approved 1971 task force report (see p. 4), was to acquire detailed knowledge of all USDA agencies' data processing applications and conceptually design an integrated departmental information system. Following are some of the items identified in USDA's administrative regulations, which implement OMB's policies and guidelines, for inclusion in the systems study. --Description of the end products to be produced by the system and the value of their intent'." use. --Description of the data sources and major data files used in the system. --Frequency and need for updating the major data files or producing end products. --Volumes of data involved. --Implementation schedule. --ADP equipment specifications, if any, such as required delivery dates, need for compatibility, and performance standards. The following procurement-oriented actions, instead of the actions recommended in the 1971 task force report and USDA administrative requlations, were taken. In addition to establishing the systems study task force to assess each agency's program (see p. 5), the Assistant Secretary for Administration established a pro- curement task force in July 1971 to gather data on interim agency requirements and to write the necessary procurement documents for acquiring departmental computer equipment for use until the overall ADP plan was completed. The task force was given 5 months to complete its study. In August 1971 the task force reported that it had identified five possible approaches for determining agency requirements and specifications and requested that one ap- proach be selected so that the task force could continue its work. Each approach--ranging from a 100-percent survey of agency requirements (highest degree of reliability) to a 10-percent sample--was listed and compared for such factors Approved For Release 2002/11/15 : CIA-RDP84-00933ROO0300270001-1  Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1 16 as the risk in obtaining reliable requirements data, time and costs, and probability of GSA's approval. During the review process, the Actinq Director of ADS suggested a sixth approach--brand name or equal--because future workload requirements were vague or unknown. The brand-name-or-equal approach was considered (1) easier for specifyinq known computer characteristics in an RFP and (2) the most expeditious--requiring 4 to 6 months for developing an RFP. . Although the Assistant Secretary approved using the brand-name-or-equal approach, he suggested that the manu- facturer's name and model number be omitted and that ecuip- ment performance characteristics (such as core size and processing speeds) be used to insure getting the specific equipment desired without mentioning the maunfacturer's name. In February 1973 USDA informally asked GSA's opinion and reaction on a proposal to acquire, on a sole-source basis, IBM 370-168 systems for four departmental centers. In March 1973 GSA informally told USDA that the sole-source proposal was unjustified and suggested that USDA prepare an RFP for a competitive proct- tent. On April 1, 1973, 18 employees from ASCS's ADP Division, including the project manager, were transferred to ADS to assist in developing the RFP which was to be finished in draft form 1 month later. We were told that, in view of the short time allowed for the work and the absence of require- ments for all agencies, ADS used ASCS's November 1972 RFP as the basis for the departmental RFP. According to the project records and our discussions with USDA officials, ASCS was the only USDA agency that had completed a thorough systems study. ASCS's RFP--which USDA did not approve--had called for a large-scale regional com- puter and a nationwide telecommunications network,, similar to the 1970 concept the Secretary approved. (See p. 4.) ADS increased the number of computer centers in ASCS's RFP from one to four and expanded the workload requirements stated by ASCS so that the four centers would service all USDA users. There was no documentation showing ADS's rationale. or methods for the modifications to the ASCS RFP. On April 12, 1973, USDA formally requested that GSA authorize USDA to procure computer systems for the four departmental centers. The request pointed out that USDA was then operating 76 computers at 47 locations and that an objective of the proposed procurement was to reduce the number of data processing installations. USDA also advised GSA that the Air Force's Automatic Data. Processing Equip- ment Selection Office was helping to write specifications and prepare recommendations to the final source' selection authority. . Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 : C1-RDP84-00933RO00300270001-1 Following submission of the request, uccortliny to the fotmer director of ADS, USDA proposed a joint procurement with GSA because GSA was olannir.q to consolidate: its 12 Fed- oral Data Proceu my Centers by up:jradin-J equitrrr.nt at one Center. GSA's plans included acquisitton o f a data co ,nmuni- ca?:ic,ns network and comrrii t?rr equipment, whc.rr-, as the U5[1A RFP was for only computer esttipTi'"nt, includirtu o-'riph?'Cal Bout:rent used for hookup tc] coramunat ions facilities. During negotiations USDA's RFP was ;-iditled to ac'comr,od.]te GSA's req. it ,, nts. Conv?-rsei'. data communications RFP was modified to .;,,,>m ,late US l:A' ro.r - mnusteations roost re:cents. The RF'P ru;-rt tr.'s ;,:'l c aulpment and the data `o!.1:uni,-ationz; network r_ t'_ase t to in- duetry on February 2r3, 1974. GSA later deleted fro:n, the PUP the data ec:m^;unicati:ins network and equipment for a Gr'1 center as a result of con- gressional concern ov,r (1) how GSA had h.ind1'd tf:.' orojoct-- not fully intctmirq the Consrr,?t,,. ano s1vins ina&?ate att( n- tion to the ootential for invasion of Iricac~--ant (2) tt:n-- c,ussi:)ility that the data cor:runicatic>ns network could even- tually he exro;nded to establish a national data c- ntEer l rn.c - inq all Federal agaencies. dSA is still handlir?.q the orocurs:oent for USDA. Pro.osaIs wtte due' from vendors by Nnv- rhe'r 29, 1974. We were informed tr.,;t tr:ree? r;roposals w.-r, The target date for contract award CQM CNICATIONS RE0U?RF:ME*:TS is mid-June 1975. USDA has no basis for determinins the apti!r:u, id)P s?:stem desi:)n and location--to insure offi:ie:lt use st the nrw ouip:rent--because it did not a com:carnica~ tons study to id-,ntify the t, and volu:,? of data, location of aoencv users, and estimated costs. Subpart 101-32.11 of the Federal Prorne.rry Mir;auirment Requi:,t ions states that a data cor:nunicati_n, etu,1v should tom- mad= before a decision on the' ii--d at . t,J .,DP ens ii,- sent Ire acouir?d is reached, if the Proposed AM, si'stem includes any of the following. --A real-time or an on-line co.mr;uter system. --A time-sharing system. --Remote locations that srovi(le input and Obtain out out in a time frame that cannot be satisfied by nonalr?c- tronic comsuni cations means. Approved For Release 2002/11/15 : CIA-RDP84-00933ROO0300270001-1  Approved For Release 2002/11/1$ CIA-RDP84-00933R000300270001-1 .--Current and usable information that must he accessed with a high degree of immediacy by many users. --Two or more computers, not located at the same site, with a requirement for backup, load balancing, or data transfer between them. All of these conditions apply to the oropo:. u departmental ADP system. Specifically, the proposed corr;r,liuation project is to have four computer installations with (1) several thousand remote terminals, nationwide, to service users in 29 USDA, agencies and (2) integrated data systems on line with ismediate access by users. Subpart 101-32.11 states also that a data communications study should include a detailed analysis indicating (1) the additional equipment required, (2) the type and number of communications lines, (3) the impact on the format of the data and data banks, codes to be used. and programing re- quired, and (4) the important elements of cost. It is USDA's plan, however, to first acquire the large-scale ADP equipment and then--sometime in the future-- gather user requirements, design a network, and integrate it with the ADP equipment. This approach is not consistent with the regulations which require that ADP and communica- tions systems be planned in a coordinated and integrated process. Apparently USDA has not recognized that efficient and economical acquisition and use of an ADP network is directly dependent on how the communications system is tailored to meet agency needs. (This point is discussed further in app. IV.) CURRENT ANALYSIS OF REQUIREMENTS In one of its interim reports to USDA, AMS.concluded that it could not verify that the agencies' requirements would be satisfied by the RFP specifications. Consequently, in October 1974 ADS began an ADP systems inventory by send- ing four one-page survey forms to 'JSDA agencies. The forms, to be returned by February 17, April 15, and September 15, 1975, inquire about existing and proposed systems and appli- cations, operating environment, frequency of. use, file activity, and conversion requirements. One survey form asks agencies to identify the computer center where their jobs are being processed and -to indicate their preference for future Processing from the four locations selected for the new equipment. It should. be noted that gathering user requirements is the preliminary step in the system analysis and design process. After the forms are returned, analyses and further studies will be required. Such studies should, in our opinion., include a communications. .study and network analysis to determine the optimum network size and design. Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1 19 It should also be noted that vendors' equipment proposals have been received, that benchmark tests have been completed, and that contract award is planned for mid-June 1975. It seems to us, therefore, that the survey and analy- ses initiated in October 1974 can have only a limited impact upon the already established specifications of the current procurement action. CHAPTER 4 PRIVACY AND SECURITY REQUIREMENTS NEED ATTENTION USDA has not adequately considered security requirements necessary to reasonably protect personal or other sensitive information from unauthorized access. Although such inade- quate consideration may not have been uncommon in federal agencies at the time the equipment RFP was released in Feb- urary 1974, later expressions of congressional concern for the protection of personal privacy emphasized the need for greater consideration. Nevertheless., USDA's requests for its agencies' requirements in October 1974 shunted that Privacy and security requirements were still not being adequately considered. Although the RFP specifies certain security features, USDA did not make the studies and analyses necessary to determine its security requirements. Such studies would have provided such information as --user data to be placed on the system, --data confidentiality and sensitivity, --the most likely sources of threat to the data, --safeguards available and their corresponding cost, --the most cost-effective mix of security safeguards which would satisfy user needs. A system's hardware and software provide the technical features necessary to achieve the level of security estab- lished by an analysis of users' security requirements. Since USDA did not make the studies necessary to develop the security requirements, it could not have an adequate basis for developing realistic security specifications for the RFP. The security specifications in the RFP merely recite the security features whose presence in a system is no as- surance that the system is or can be made suitable for Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/255 : CIA-RDP84-00933R000300270001-1 processing sensitive or personal data. 1/ On the contrary, a number of the specifications describe operating controls that support a particular concept and type of operation that has hen repeatedly shown, on contemporary systems, to in- adeouately protect data from unauthorized access by a deter- rrinod u ser. The term "determined user" ref. to an individ- ual who has programing knowledge and who is willing to spend time and monry to compromise, change, or dcsttov the data. The state of. the art in computer security is such that absolute security has not been achieved in a multiuser time- sharing environment. In fact, security against a determined perr-tratot cannot he absolutely insured in any environment without complete physical isolation. Decisions must tnere- f:tt- ho, made on the degree of security which would be ade- cu..te in relation to the value of personal and sensitive intonation to potential perpetrators, to data subjects, and to the agencies holding the information. There are a number of methods that could be employed, dep.-ndinq on the degree of sensitivity of the data that re- quiires protection. Which method or combination of methods wouli b?? appropriate cannot be determined until the sensi- tive or personal data requiring processing is identified. Once this is done, the most cost-effective method of pro- vidinq an acceptable level of security to that data can be determined. 1/ Tne RFP specified such security features as: a. User and file passwar-3. An identification technique which twrmits the system to recognize an authorized user be- fore giving access to tha svstems or restricted data. b. Pr leaed instructions. Those instructions that can cxactted only by computer programs that have such con- trollfunctions as scheduling and allocating the system's re- sources (the ooeratinq system) and not by unprivileged users. c. Hardware memory read/write protection. A feature to prevent inadvertent data or program erasure and to oro- te t data integrity. d. Audit trail. A record ~n sufficient detail to determine the cause or originator of all unauthorized attempts to look at or change the data base. Approved For Release 2002/11/15 : CIA-RDP84-00933R000300270001-1  Approved For Release 2002/11/15 : CIA-RDP84-00933ROO0300270001-1 21 To proviie the degree of protection considered ar.?lr~r,ri