REVIEW OF GENERAL CONTROLS IN FEDERAL COMPUTER SYSTEMS CONDUCTED BY THE PRESIDENT'S COUNCIL ON INTEGRITY AND EFFICIENCY (PCIE)
Document Type:
Collection:
Document Number (FOIA) /ESDN (CREST):
CIA-RDP90M01364R000800370002-8
Release Decision:
RIFPUB
Original Classification:
K
Document Page Count:
53
Document Creation Date:
December 23, 2016
Document Release Date:
January 17, 2013
Sequence Number:
2
Case Number:
Publication Date:
November 29, 1988
Content Type:
MEMO
File:
Attachment | Size |
---|---|
CIA-RDP90M01364R000800370002-8.pdf | 2.72 MB |
Body:
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Executive Re 'shy
M-89-06
EXECUTIVE OFFICE OF THE PRESIDENT
OFFICE OF MANAGEMENT AND BUDGET
WASHINGTON, D.C. 20503
November 29, 1988
MEMORANDUM FOR HEADS OF EXECUTIVE
FROM: Joseph R. Wrigh
Director
SUBJECT:
TMENTS AND AGENCIES
?
Review of Gene 1 Controls in Federal
Computer Syst us Conducted by the
President's Council on Integrity and
Efficiency (PCIE)
The attached report is the second in a series of products of the
President's Council on Integrity and Efficiency (PCIE) Computer
Systems Integrity Project. In a review of ten major Federal
computer centers, the PCIE study team found serious control
deficiencies in system software, as well as opportunities to
recover inefficiently used disk storage.
The findings in the report are both alarming and important. They
suggest actions that agencies should take immediately, such as
developing effective policies and procedures for operating system
security for their computer centers and making greater use of
commercially available diagnostic tools to guide operating system
maintenance. I urge you to examine the report carefully and take
immediate action to address the deficiencies identified both in
the specific systems reviewed in the report as well as in other
systems in your agency with similar system software. In
particular:
o If your agency is one of the agencies identified in the
report, I ask that you determine which of the weaknesses
reported for your agency are material, as described in our
August 15, 1988 guidance (M-88-29), and report them in
this year's annual report to the President under the
Office of Management and Budget's (OMB) Circular No.
A-123.
o In accordance with the Computer Security Act of 1987
(Public Law 100-235), your agency is developing computer
security plans for each of its computer systems that
contain sensitive information. Control of system software
is to be included as part of those plans (see OMB Bulletin
88-16). Given the potential risk represented by the
weakness found, I ask that you make sure that where
security plans concern systems-that utilize the system
software discussed in this report, extra attention be paid
to that portion of the security plan.
1 &gZiaLi1111'
[LT n PL1-115)W
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
-2-
I am also asking the Directors of the National Institute of
Standards and Technology and the National Security Agency and the
Administrator of the General Services Administration to act on
the recommendations addressed to those agencies.
Reports of this sort, which identify potential vulnerabilities
and offer constructive advice for addressing them, are critical
to our continuing efforts to improve the integrity of Federal
systems consistent with the Computer Security Act of 1987, the
Federal Manager's Financial Integrity Act of 1982 (Public Law
97-255), and just plain good management practice. I commend the
PCIE for its efforts.
Attachment
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Aooroved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
i
A4ii4-1 I
PRESIDENT'S COUNCIL
ON INTEGRITY AND
EFFICIENCY
REVIEW
of
GENERAL CONTROLS
in -
FEDERAL COMPUTER
? SYSTEMS
-
OCTOBER 1988
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
PRESIDENT'S COUNCIL on INTEGRITY & EFFICIENCY
October 12, 1988
MEMORANDUM FOR: The Honorable Joseph R. Wright, Jr.
Chairman, President's Council on
Integrity and Efficiency
FROM:
Members, President's Council on
Integrity and Efficiency
Project Co-Leaders
PCIE Computer Committee
Computer Systems Integrity Project
SUBJECT: Review of General Controls in
Federal Computer Systems
The enclosed final audit report presents the consolidated results of Task
2A of the President's Council on Integrity and Efficiency (PCIE) sponsored
Computer Systems Integrity Project. Task 2A covered the Review of General
Controls in Federal Computer Systems. The report's Executive Summary
succinctly describes the overall condition identified by the Inspectors
General, including (1) the existence of serious operating system and
security software control deficiencies at all agency computer centers
reviewed and (2) opportunities to recover an estimated $17 million in
inefficiently used disk storage at these centers.
The report makes several Governmentwide recommendations for strengthening
information systems management of operating system and security software,
and disk and tape storage at Federal computer centers. Implementing these
recommendations will require actions by the Office of Management and
Budget, the National Institute of Standards and Technology, the National
Security Agency, and the General Services Administration. We provided
copies of the draft version of this report to all four organizations for
comment. We obtained informal comments from Office of Management and
Budget officials after receiving formal written comments from the other
three organizations (included in their entirety in Appendix F). These
comments indicate general agreement with the report and its recommenda-
tions, and have been incorporated as appropriate into this final version of
the report.
(Uz I 112Li-
Bill D. Colvin
Inspector General
National Aeronautics and
Space Administration
Enclosure
n W. Melchner
spector General
epartment of Transportation
npriassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
THE PRESIDENT'S COUNCIL ON
INTEGRITY AND EFFICIENCY'S REVIEW OF
GENERAL CONTROLS IN FEDERAL COMPUTER SYSTEMS
EXECUTIVE SUMMARY
In September 1986, the President's Council on Integrity and Efficiency
(PCIE) initiated the Computer Systems Integrity Project. The project is a
multi-task effort focusing on controls, security, and other integrity
issues related to the entire data processing systems life cycle. The
objectives of the overall project are to assess the integrity of Federal
computer systems and develop recommendations for Governmentwide
improvements in standards, procedures, documentation, and operations
affecting computer systems integrity.
The first task, Survey of Agency Implementation of Computer Systems
Integrity Requirements, focused on the compliance of eight agencies with
mandated policies and other requirements for computer security and
controls. It assessed the general level of implementation of those
requirements for Federal agency computer systems unrelated to national
security. It resulted in a separate product by each of the eight
participating Offices of Inspectors General discussing survey results at
their particular agency. In addition, a consolidated report by the PCIE
which summarized overall survey results was issued on June 2, 1988. The
report identified five common obstacles which limited the effectiveness of
agency compliance activities, and made recommendations to the Office of
Management and - Budget (OMB) for overcoming those obstacles and
strengthening agencies' compliance capabilities Governmentwide.
This second task, General Controls Review, is one of two project tasks
aimed at reviewing operational systems. Initiated in July 1987, the task
was aimed at assessing management controls over system software--i.e.,
operating system software and access (security) software--at 10 Federal
computer centers. In addition, disk and tape storage management were
analyzed as a byproduct of using the computer assisted audit techniques
employed to assess system software controls. The Inspectors General
offices at the ten Federal agencies shown in Appendix A participated in
this task. They used a 'combination of both automated and manual audit
techniques as described in Appendices B and C. Of the 10 major
mission-support/administrative computer centers reviewed (Appendix A also
profiles each center), 6 disburse an estimated $273 billion to American
citizens and businesses annually, and 8 support large-scale financial
systems that controlled funds which totalled over $1.4 trillion for FY
1987. Each participating Inspector General issued one or more reports
describing the system software internal control weaknesses and disk and
tape storage management deficiencies found at each of their respective
agencies. These reports are listed in Appendix D.
We concluded that all of the agency computer systems reviewed had serious
operating system and security software control deficiencies (see Appendix
E). The operating system integrity exposures would allow a knowledgeable
perpetrator to access, modify, and/or destroy an agency's computer data,
programs, and other resour:es without leaving an audit trail. These
exposures resulted from (a) inadequate controls over enhancements to
operating systems, (b) inadequate administration of the authorized program
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
facility (an important system protection mechanism), (c) improper
maintenance of operating system software, and (d) a lack of policies
standards, and procedures pertaining to system software management. In
addition, improper technical implementation of security software features
and inadequate administrative controls over security software further
increased the risks to operational continuity and integrity of critical
applications which support agency missions.
Using terminals just like those used by regular users to access the
systems, we demonstrated to agency information systems managers the
seriousness of these collective internal control weaknesses. For example,
in the presence of agency information systems managers, we disabled
security checking for file accesses and converted our "standard" terminal
into the functional equivalent of a "master operator's console." This gave
us the capability to take total control over the agency's computer system
and access, modify, and/or destroy sensitive data and disrupt the
continuity of information processing activities. We convinced agency
managers that we, or any knowledgeable user, could have performed any of
these adverse acts without being detected. In general, agency information
systems managers were not fully equipped to deal with the technically
complex interrelationships between system software controls and computer
systems integrity. We believe that additional guidance for agency
information systems managers is needed to better focus attention on, and to
strengthen, operating system and security software controls. Part II of
the report discusses these issues in more depth, and includes comprehensive
Governmentwide recommendations.
Our computerized analyses of combined disk storage resources showed that
significant opportunities existed to improve disk storage management at
all ten agency computer centers reviewed. In total, an estimated $17
million in inefficiently used disk storage could be recovered and made
available for reuse through the application of generally accepted disk
storage management techniques--thereby reducing the need for future
additional disk storage procurements. Similarly, our computerized analyses
of magnetic tape storage showed that tape processing efficiency could also
be significantly improved. Additional guidance on the use of generally
accepted disk and tape storage management techniques is needed for agency
information systems managers to better focus attention on, and to
strengthen controls over, disk and tape storage resources. Part III of the
report discusses this issue in more depth, and contains pertinent
Governmentwide recommendations.
Comments of organizations affected by the Governmentwide recommendations
have been incorporated into the report as appropriate, and their formal
replies are contained in their entirety in Appendix F. OMB staff generally
agreed with the recommendations presented in this report for strengthening
information systems management of operating system and security software,
and disk and tape storage at Federal computer centers. The actions
prescribed for the responsible oversight agencies, together with the
agency-specific actions recommended by the respective Inspectors General,
should substantially strengthen computer systems integrity Governmentwide.
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
TABLE OF CONTENTS
Page
EXECUTIVE SUMMARY
I. INTRODUCTION 1
Background 1
Overview of Governmentwide Requirements 3
Scope of Evaluation 4
II. STRENGTHENING CONTROLS OVER OPERATING SYSTEM AND ENVIRONMENTAL
SECURITY SOFTWARE 6
Need to Strengthen Operating System Software Controls 6
Operating System Extension 7
Operating System Protection 7
Operating System Maintenance 8
Operating System Software Management Policies,
Standards, and Procedures 12
Need to Strengthen Security Software Controls 12
Technical Security Software Controls 13
Administrative Security Controls 14
Recommendations 15
III. IMPROVING MANAGEMENT OF DISK AND MAGNETIC TAPE
STORAGE RESOURCES 16
Need to Strengthen Disk Storage Management 16
Need to Improve Tape Storage Management 17
Recommendations 18
IV. APPENDICES
Appendix A. Profile of Agency Missions, Computer
Centers Reviewed, and Potential
Adverse Impact on Missions 19
Appendix B. Audit Methodology and Guidelines 26
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
TABLE OF CONTENTS (Continued)
Page
Appendix C. Definition of System Software Problem Analysis
Management Areas and Severity Levels 32
Appendix D. Individual Agency Reports Issued under Task 2A. . 36
Appendix E. Assessment of System Software Controls
at 10 Federal Computer Centers 38
Appendix F. Comments of Organizations Affected
by Governmentwide Recommendations 39
Appendix G. List of Acronyms 45
iv
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
I. INTRODUCTION
Background
Federal agencies have significant information technology inventories,
and the trend is toward the use of more information technology,
especially in the hands of end users. For example, agencies currently
have about 18,000 large- and medium-scale computers and, according to
estimates by the General Services Administration (GSA), have almost
one-half million microcomputers costing about $1.7 billion in use.
Information generated from these systems has become critical to
managers for long-range planning as well as day-to-day operations. The
increased dependence on computer systems to carry out departments' and
agencies' missions requires that the integrity of computer systems is
maintained. This involves assuring that cost-effective internal
controls are in place to manage and secure the processing of sensitive
automated information critical to Government operations.
The information technology explosion has greatly increased
Opportunities for fraud, waste, and abuse in Federal programs, making
effective computer security more important than ever before. The
Computer Committee of the PCIE has issued three reports since June 1983
addressing computer-related fraud issues. The first report, entitled
"Computer-Related Fraud and Abuse in Government Agencies" (June 1983),
discussed 172 computer-related fraud cases and provided data on
perpetrator characteristics, losses, methods of perpetration,
detection, and controls. The second report, entitled "Computer-Related
Fraud in 'Government Agencies: Perpetrator Interviews" (May 1985),
discussed the results of interviews conducted with 46 perpetrators of
computer-related fraud involving seven Federal agencies. It provided
insight into how, why, and by whom computer crimes are committed, and
addressed generic weaknesses in Government computer systems. The third
report, entitled "Computers: Crimes, Clues and Controls" (March 1986),
discussed the prevention of unauthorized access, disclosure, delay,
alteration, destruction, and other misuse of unclassified but sensitive
automated data. In response to the growing threat of computer crime,
Congress passed the Computer Fraud and Abuse Act of 1986, which made it
easier for agencies to prosecute fraudulent and other illegal acts
involving Federal computer systems.
From this perspective, in September 1986, the PCIE Computer Committee
initiated the Computer Systems Integrity Project. The project is a
multi-task effort focusing on controls, security, and other integrity
issues related to the entire data processing systems' life cycle. The
objectives of the overall project are to assess the integrity of
Federal computer systems and develop recommendations for Governmentwide
improvements in standards, procedures, documentation, and operations
affecting computer systems integrity. Portions of the project are
being performed in conjunction with the President's Council on
Management Improvement.
1
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
The first task, Survey of Agency Implementation of Computer Systems
Integrity Requirements, was aimed at providing an overview of the
implementation of policies and other requirements pertaining to the
establishment of general controls, generic application controls, and
other integrity issues for Federal agency computer systems unrelated to
national security. The work focused on the compliance of eight
agencies with mandated requirements for computer security and controls
in order to assess the general level of implementation of those
requirements within the agencies. It resulted in nine products--a
separate product by each of the eight participating Offices of
Inspectors General (issued between April 1987 and May 1988) discussing
survey results at their particular agency, and a June 2, 1988
consolidated report by the PCIE summarizing overall survey results.
In general, the survey found that by issuing policies and procedures,
assigning responsibilities, putting monitoring activities in place, and
conducting some training, Federal agencies complied with many of the
computer systems integrity requirements stipulated in OMB Circulars
A-123 "Internal Control Systems", A-127 "Financial Management Systems",
and A-130 "Management of Federal Information Resources". However,
agencies varied widely in the emphasis they placed on implementing each
set of requirements, and the specificity of requirements within the
circulars appeared to determine which functions were most actively
being addressed within the agencies. The PCIE summary report
identified five common obstacles which limited the effectiveness of
agency implementation activities. The report made recommendations to
OMB for overcoming those obstacles and strengthening agencies'
implementation capabilities Governmentwide. Officials from OMB, GSA,
the Office of Personnel Management (OPM), and the Department of
Commerce's National Institute of Standards and Technology (HIST)
generally concurred with the report findings and recommendations.
This second task, General Controls Review, is one of two project tasks
aimed at reviewing operational systems. It was initiated in July 1987
to assess management controls over system software at selected Federal
computer centers. (System software refers to the computer programs
that manage the processing workload and control user access to the
various resources of-the computer system.) Work on this task focused
on two key system software controls subareas: (a) operating system
software controls and (b) access (security) software controls. In
addition, disk and tape storage management were analyzed as a byproduct
of using the computer assisted audit techniques employed to assess
system software controls.
System software controls is one of six types of general information
system controls (the other five are organization controls; system
design, development, and modification controls; data center operations
controls; data center protection controls; and hardware controls). We
concentrated our general controls review on this. area because the
Inspector General community has traditionally given little or no
attention to system software controls--even though the degree of their
effectiveness has a major impact on overall computer systems integrity.
2
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
Overview of Governmentwide Requirements'
Governmentwide policies and requirements for system software controls
and disk and tape storage management have been prescribed in general
terms by a variety of Federal sources, including OMB and the Congress.
Although system software controls are not specifically mentioned,
Circulars A-123 and A-130, in conjunction with the Computer Security
Act of 1987, contain the requirements for agencies to establish and
implement computer security and control activities. Similarly, OMB
Circular A-130, in conjunction with the Paperwork Reduction
Reauthorization Act of 1986, requires agencies to establish and
implement information resources management controls to ensure the
efficient, effective, and economical use of information resources such
as disk and tape storage resources. These requirements and their
sources are further discussed below.
In providing for implementation of the Federal Managers' Financial
Integrity Act of 1982, OMB Circular A-123 requires agencies to
establish and maintain cost-effective systems of internal controls to
provide management with reasonable assurance that assets are
safeguarded against waste, loss, and unauthorized use. Included in its
provisions are requirements that agencies (a) conduct risk assessments
to identify potential risks in their operations, (b) make internal
control evaluations to determine whether their internal control systems
are effective, and (c) report annually to the President and Congress on
the state of their internal control systems.
OMB Circular A-130 provides for implementing the Paperwork Reduction
Act of 1980 and other public laws and Executive orders. The 1980 Act
established a broad mandate for agencies to perform their information
activities in an efficient, effective, and economical manner. It
specifically provided authority to OMB to develop and implement uniform
and consistent information resources management policies; oversee the
development and use of information management principles, standards,
and guidelines; evaluate agency information management practices; and
determine compliance of such practices with established policies,
principles, and guidelines. In response to its provisions, GSA issued
regulations requiring all executive agencies to review their
Information Resources Management policies and activities on a triennial
cycle. OMB Circular A-130 establishes requirements for general
information policy, records management, privacy, and Federal Automatic
Data Processing (ADP) and telecommunications. In addition, Appendix
III of the circular (entitled "Security of Federal Automated
Information Systems") requires agencies to ensure an adequate level of
security for all automated information systems so that they operate
effectively and accurately, contain appropriate safeguards, and
continuously operate in support of critical agency functions.
In 1986, the Congress enacted the Paperwork Reduction Reauthorization
Act, which amended the 1980 Paperwork Reduction Act. The 1986 Act
prescribed two requirements which further addressed computer systems
integrity. The 1986 Act first made agencies responsible for
implementing applicable Governmentwide and agency information policies,
principles, standards, and guidelines; and second, tasked them with
periodically evaluating and improving, as needed, the accuracy,
3
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
completeness, and reliability of data and records contained in Federal
information systems. (OMB has not yet incorporated these new
requirements into Circular A-130.) In addition, the 1986 Act addressed
information resources management by requiring that the Federal
Government ensure that ADP, telecommunications, and other information
technologies are acquired and used in an economical, efficient, and
effective manner.
The January 8, 1988 enactment of the Computer Security Act of 1987
(P.L. 100-235) recognized the need for improving the security and
privacy of sensitive information in Federal computer systems and
created the means for establishing minimum acceptable security
practices for such systems. In particular, it assigned NIST
responsibility for developing standards and guidelines for the
cost-effective security and privacy of information in Federal computer
systems, required the establishment of security plans by all operators
of Federal computer systems, and required mandatory periodic training
for all persons involved in Federal computer systems.
Scope of Evaluation
Ten Inspectors General Offices participated in this task (Departments
of Agriculture, Energy, Health and Human Services, Housing and Urban
Development, Transportation, Treasury; Government Printing Office;
National Aeronautics and Space Administration (NASA); OPM; and Veterans
Administration). The Inspectors General reviewed system software
controls and disk and tape storage resource utilization at a major
mission-support/administrative computer center within each of their
agencies. These agencies use automated systems to track their
operating budget outlays, which are estimated to total about $746
billion for FY 1988. Of the 10 computer centers reviewed, 6 disburse
an estimated $273 billion to American citizens and businesses annually.
Further, eight of the computer centers support large-scale financial
systems that controlled FY 1987 funds totaling over $1.4 trillion.
All but one of the computer centers reviewed operated large-scale
International Business Machines (IBM) Corporation computer systems (or
compatible brands) using IBM's Multiple Virtual Storage (MVS) operating
system. (The review work performed at the one non-MVS equipped
computer center did not include an assessment of operating system
software controls.) As shown by this task, MVS is the dominant
operating system supporting the Federal Government's entitlement,
payroll, financial management, accounting, grants management, and
general administrative applications. A majority of the centers also
used one of several commercially available environmental security
software packages. A profile of the missions of each agency and
computer center reviewed during this task is included in Appendix A.
The Appendix also highlights the mission impairments that can result
from inadequately controlled system software.
4
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
The Department of Transportation (DOT) and NASA Inspectors General
Offices had overall responsibility for coordinating this task. A
detailed Task Audit Guide and customized audit software were developed
by DDT's Inspector General staff and used by the participants in
performing this audit work. In addition, DDT's Inspector General staff
provided extensive technical assistance to the participants, primarily
in the area of operating system software controls. In performing this
task, the participants used industry guidelines on system software
management and security software implementation to supplement the
Federal computer systems integrity and information resources management
requirements. A combination of automated and manual audit techniques
described in Appendices B and C was used to review each agency's
computer systems. The reviews, which were conducted in accordance with
the U.S. General Accounting Office's "Standards for Audit of
Governmental Organizations, Programs, Activities, and Functions," were
designed to answer the following three questions:
-- Were operating system features which control the ability to
perform sensitive tasks, such as bypassing system security,
properly administered and controlled?
-- Were environmental security software mechanisms which control
user access to information and other computer resources
properly administered and controlled?
-- Were disk, and magnetic tape storage resources economically,
efficiently, and effectively used?
Where available, the participants used past reports and ongoing audits
to fulfill specific task requirements. The field work was conducted
between August 1987 and March 1988. Based on the information
developed, individual agency reports were prepared and issued (see
Appendix 0). This report consolidates the findings of the individual
agency assessments and presents recommendations addressing
Governmentwide issues.
5
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
II. STRENGTHENING CONTROLS OVER OPERATING SYSTEM AND ENVIRONMENTAL
SECURITY SOFTWARE
All of the agency computer systems reviewed had significant operating
system and security software control deficiencies (See Appendix E).
The operating system integrity exposures would allow a knowledgeable
perpetrator to access, modify, and/or destroy an agency's computer
data, programs, and other resources?without leaving an audit trail.
The security software control deficiencies further increased the risks
to the operational continuity and integrity of critical applications
supporting the missions of the agencies. Using terminals just like
those used by regular users to access the systems, we demonstrated to
agency information systems managers the seriousness of these
collective internal control weaknesses. For example, 'we disabled
security checking for file accesses and converted our "standard"
terminal into the functional equivalent of a "master operator's
console." This gave us the capability to take total control over the
agency's computer system and access, modify, and/or destroy sensitive
data and disrupt the Continuity of information processing activities.
Although we did not further exercise any of these powerful security
and control privileges to perform any adverse acts, we convinced
agency managers that we, or any knowledgeable user, could have
performed any of the adverse acts noted above without being detected.
While operating system and security software functions are, in many
respects, separate, computer systems integrity cannot be accomplished
without having effective internal controls in place simultaneously
over both. For example, when operating system integrity has been
compromised, even a sophisticated and properly implemented security
software package cannot be relied upon to prevent unauthorized
access, modification, or destruction of sensitive information or other
computer resources. Similarly, weak security software controls
threaten operating system integrity by not sufficiently restricting
user access to sensitive operating system resources and not ensuring
separation of duties within sensitive information systems functional
areas. Agency information systems managers were not adequately
familiar with the technically complex interrelationships between
system software controls and computer systems integrity. Additional
guidance for agency information systems management is needed to better
focus attention on, and to strengthen, operating system and security
software controls.
Need to Strengthen Operating System Software Controls
An operating system provides a collection of service routines (i.e.,
special programs) to supervise the sequence and processing of
applications by a computer. The operating system also plays a key
role in assuring computer systems integrity by isolating and
protecting.all individual tasks (i.e., applications) from one another
in the system. As discussed below, the operating system integrity
exposures and vulnerabilities identified by our work resulted from (a)
inadequate controls over operating system extension, (b) inadequate
administration of an important system protection mechanism, (c)
improper maintenance of operating system software, and (d) a lack of
policies, standards, and procedures pertaining to system software
management.
6
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Operating System Extension
The standard functional capabilities of the MVS operating system can
be extended through the addition of one or more special Supervisor
Calls (SVC). SVCs are special machine instructions within an
operating system which programs use to communicate with the operating
system. For example, a "calling" program uses the SVC mechanism to
request that the operating system perform a desired system service
routine, such as opening a data file for modification. The vendor
provides a standard set of SVCs when a computer center acquires the
MVS operating system. In addition, other SVCs can be obtained from
system software vendors and public domain software exchange services,
and may even be developed inhouse by a computer center's own systems
programming staff. Installing such additional SVCs has been a common
practice at MVS computer centers.
Proper SVC design and implementation is a key element of operating
system integrity and security. SVCs employ specialized and powerful
processing capabilities to perform sensitive but crucial processing
functions. The MVS vendor has developed rigorous integrity standards
for its SVCs to ensure that their use can be highly controlled. SVCs
from other sources, however, may not be subjected to similar integrity
standards. According to computer security experts, installing such
non-MVS vendor tested SVCs creates one of the greatest vulnerabilities
for operating systems.
All nine MVS computer centers reviewed had installed non-MVS vendor
tested SVCs which compromised system integrity. To demonstrate the
seriousness of this type of integrity exposure, our audit tests
successfully exploited vulnerable installation-added SVCs at eight of
the nine computer centers. In doing so, we were able to bypass
security software controls and take full control of the agency
computer systems. These tests showed that the added SVCs provided the
opportunity for any knowledgeable perpetrator to bypass critical
operating system controls and then bypass normal security software
controls. Furthermore, all three SVC sources--commercial system
software vendors, public domain software exchange services, and local
systems programming staff--contributed exposures at the computer
centers reviewed. Before any SVC is installed, information systems
management should thoroughly review its characteristics to guard
against compromising operating system integrity and exposing an
agency's computer system to potential penetration by unauthorized
individuals.
Operating System Protection
A key MVS operating system protection mechanism under the administra-
tive control of computer center management is the authorized program
facility (APF). Programs which have been placed in specially
designated APF libraries become, in effect, part of the operating
system and can generally gain the ability to circumvent or disable any
security mechanism, alter any audit trail, and/or modify any
application's data in the computer, regardless of the presence of
access control software. Noncompliance with the MVS vendor's
guidelines for APF administration can introduce integrity exposures to
7
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
the operating system environment and, at a minimum, seriously
jeopardizes information systems management control over system
software. For example, one IBM guideline cautions computer center
management to avoid assigning the same name to more than one active
APF-authorized program because the existence of duplicate names could
result in a mixup of program flow and possibly introduce anintegrity
exposure.
By performing a computer-assisted analysis of the APF libraries at
each of the nine MVS computer centers, we determined that all but one
had significant numbers of duplicate-named programs. The eight
centers averaged over 2,500 sets of duplicate-named programs (out of
an average of 15,900 programs per center), and the center with the
most duplicates had about 5,900 sets out of a total of about 51,000
programs. Information systems management should ensure that APF
libraries and their contents are strictly controlled in accordance
with MVS vendor guidelines to protect the operating system, as well as
all applications, from accidental and/or deliberate acts to access,
modify, or destroy information, programs, or other sensitive computer
resources.
Operating System Maintenance
In sophisticated and complex operating system environments such as
MVS, proper performance of routine and Special maintenance tasks--a
crucial area of system software management--is essential. Improperly
applied changes can result in system modifications where the audit
trail is insufficient to verify what changes were actually made.
Industry experts strongly recommend that all maintenance to MVS be
performed under the control of the vendor's System Modification
Program (SMP). SMP provides facilities to manage a computer
installation's software inventory by providing extensive records of
additions and modifications in a historical control file. For all
nine computer centers reviewed, modifications were made to operating
system components outside the controls of SMP. Information systems
management needs to adequately control operating system software
maintenance--using recommended SMP facilities exclusively--to avoid
unintentionally compromising the integrity of the system.
Because managing MVS operating system maintenance is complex,
information systems management should also consider using commercially
available diagnostic software tools as a preventive maintenance,
catalyst to supplement the traditional system software management
process. We used such a commercially available diagnostic software
package to analyze a key MVS maintenance dimension--unresolved
problems--for the MVS computer systems reviewed. This package, which
uses the SMP historical control file and a vendor-developed data base
of MVS problems, compares the current MVS Operating system software
environment with this data base and provides comprehensive information
on unresolved problems by severity level in various functional
management areas. The summary tables and charts that follow show the
range of significant, unresolved problems across the nine MVS computer
systems analyzed--indicating that preventive maintenance should be a
major concern at these Federal agencies.
Our diagnostic software package identified 4,915 instances of
unresolved operating system problems at the nine MVS computer centers
reviewed. Appendix C contains a description of each management area.
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
NUMBER OF PROBLEM INSTANCES BY SYSTEMS MANAGEMENT AREA
MANAGEMENT AREA
1
2
MVS COMPUTER CENTER
8
9
TOTAL
3
4
5
6
7
Performance
and capacity
183
129
85
81
90
65
61
56..
30
780
B
Security
56
22
6
26
16
17
17
8
.10
178
C
Measurement
,and accounting
67
35
22
32
27
10
12
9
10
224
0
Workload control
5
2
0
2
8
2
2
2
2
25
E
Operation
and execution
132
124
91
50
57
45
43
36
39
617
F
Internal
reliability
446
318
298
144
160
130
101
114
76
1787
G
External
reliability
209
135
63
124
92
61
66
66
42
858
H
Unassigned
74
95
18
71
43
31
45
41
28
446
Total
1172
860
583
530
493
361
347
332
237
4915
====
====
====
====
====
====
====
====
====
= = = =
The package's vendor identified three severity levels-for problems.
The "critical" level is the most serious and can cause the entire
computer system to fail (or some similarly catastrophic condition to
occur); the "impacting" level is less serious than "critical" but
includes integrity problems; and the "limited" level is the least
serious but by no means trivial. (Appendix C expands on the vendor's
criteria for categorizing problem severity.) Of the 4,915 problem
instances identified, 340 were categorized as critical; 1,848 as
impacting; and 2,727 as limited.
NUMBER OF PROBLEM INSTANCES BY SEVERITY LEVEL
MVS COMPUTER CENTER
1 2 3 4 5 6 7 8
SEVERITY LEVEL
TOTAL
Critical
80
65
32
37
31
26
26
18
25
340
Impacting
485
347
257
158
172
127
111
119
72
1848
Limited
607
448
294
335
290
208
210
195
140,
2727
Total
1172
860
583
530
493
361
347
332
237
4915
= = = =
Graphic summaries of the above tables follow.
9
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
81
30
183
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
SUMMARY OF PROBLEMS BY SYSTEMS MANAGEMENT AREA
ACROSS MVS COMPUTER SYSTEMS REVIEWED
56
67
17 II 9 22 I
1111
1m h
oei
1 m h
oei
2 8
mon
1 m h 1
oei o
ci
50
1132
144
m h lm
el oe
F?B--I [?c--I F?D?I F?E--I
A PERFORMANCE/CAPACITY
8 SECURITY
C MEASUREMENT/ACCOUNTING
D WORKLOAD/CONTROL
446
209
95
E OPERATION/EXECUTION
F INTERNAL RELIABILITY
G EXTERNAL RELIABILITY
H UNASSIGNED
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
h 1 m h
1 oei
ci
HHH
18
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
31
SUMMARY OF PROBLEMS BY SEVERITY LEVEL
ACROSS MVS COMPUTER SYSTEMS REVIEWED
80
72
158
485
140
290
807
lowest median highest lowest median highest lowest median highest
rn,T,0.,I L IPIAMAPITTL10.0 I Ia M. I ? .111. !P.M
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Some of the unresolved problems had the potential to adversely affect
computer systems integrity. For example, one critical problem
identified by the diagnostic software pertained to specialized system
software for disk storage management. The problem description
provided by the package stated "if an audit, list, or report command
uses the ODS parameter specifying a name which is a catalog alias, the
catalog will be destroyed." (A catalog is a critical ,systemwide data
control file; an alias refers to an alternate name.) Since data files
and program libraries are normally located by using a catalog, a
destroyed catalog can have catastrophic effects on an agency's
critical applications. Similarly, the computer-generated description
for another critical problem we encountered stated "VTOC index space
map can become corrupted for a 3350 or 3380 model E." (A VTOC, or
volume table of contents, index space map is a critical data control
file for disk storage devices, such as disk device models 3350 and
3380.) A corrupted VTOC can render the data on the entire device
essentially unusable and can have severely disrupting effects on an
agency's critical applications. Clearly, unresolved problem's like
these are a serious concern because they threaten the integrity of
agency computer systems. Information systems management should take
advantage of commercially available diagnostic software tools to guide
preventive maintenance activities, thereby strengthening the overall
system software management process.
Operating System Software Management Policies, Standards, and
Procedures
Despite the importance and technical complexity of system software
management, none of the nine MVS computer centers reviewed had
adequate written policies, standards, or procedures pertaining to this
crucial topic. Without such guidance, information systems management
cannot be assured that operating system software (which controls
agency computer systems) will be installed and maintained in a
cost-effective manner that avoids introducing computer systems
integrity exposures and vulnerabilities. In our opinion, had proper
written guidance pertaining to operating system controls been issued
and followed at the computer centers reviewed, many of the problems
found--particularly the integrity exposures--probably would not have
occurred. By providing quality, documented management guidance,
agencies can minimize or even eliminate integrity exposures resulting
from errors, omissions, or lack of adequate controls over operating
system software.
Need to Strengthen Security Software Controls
Effective security requires the segregation of user duties so that no
single user can circumvent the computer system's internal controls
over the management and use of computer resources. An environmental
security software package (in conjunction with an operating system
that has its integrity intact) can achieve such segregation of duties
by providing reasonable assurance that a computer system's hardware
and software resources are being protected from accidental or
deliberate modification or unauthorized use. In addition, security
software provides the means to restrict and contain accidental or
deliberate actions which could otherwise disrupt computer operations
or cause errors and improper modification of valid information.
12
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
However, state-of-the-art security software packages are only as
effective as the quality of their implementation and administration.
From this perspective, Federal agencies have been unsuccessful in
achieving computer systems integrity--as evidenced by the fact that
all agency computer centers we reviewed had significant control
deficiencies in security software implementation and administration.
As shown below, these deficiencies included (a) improper technical
implementation of security software features and (b) inadequate
administrative controls. As a result, computer center operations are
exposed to significant security risks which threaten the overall
missions and goals of the Federal agencies.
PROFILE OF SECURITY SOFTWARE CONTROLS
AT AGENCY COMPUTER CENTERS REVIEWED
CONTROLS IMPLEMENTED?
(NUMBER OF CENTERS)
YES NO UNK*
TECHNICAL SECURITY SOFTWARE CONTROLS
Operational parameters/options:
Critical system files adequately protected
2
6
2
Sensitive utility programs adequately controlled
0
7
3
Tape bypass label processing adequately restricted
2
6
2
Special security exposure interfaces installed
1
5
4
"Super users" adequately restricted
1
9
0
ADMINISTRATIVE SECURITY CONTROLS
Security administered by independent staff
1
8
1
Adequate policies, standards, and procedures
0
8
2
Security violation reports effectively reviewed
1
8
1
*UNK Unknown. In certain cases, the control dimension either could not
be assessed or the results of the assessment did not fall clearly into
either the "yes" or "no" category.
Technical Security Software Controls
The deficiencies we identified in the various agencies'_ compliance
with generally accepted security practices when implementing security
software centered around the (a) selection of parameters and other
security-related options, and (b) assignment of user privileges. Only
two centers had adequately protected all critical system files (e.g.,
APF libraries) from. unauthorized access. In addition, none of the
centers used security software to control sensitive system utility
programs (e.g., "superzap," which can copy, modify, and destroy user
and critical system data), users generally were not restricted from
bypassing label security checks (referred to as bypass label
processing) when accessing data residing on magnetic tapes, and
special security exposure interfaces (required by certain powerful
13
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
software packages to bring them under the control of security software)
generally were not installed. Further, the number of users assigned
powerful security privileges (i.e., "super users") exceeded generally
recommended limits. Collectively, these deficiencies made it virtually
impossible for security software to enforce separation of duties
between the various users of the computer systems reviewed. To ensure
adequate protection of critical agency applications and other computer
resources through software-enforced separation of duties, information
systems management needs to improve its selection of operational
parameters and assignment of user privileges when implementing
environmental security software.
Administrative Security Controls
Eight of the ten agency computer centers did not have an independent
group assigned to administer security software. In general, technical
administration of computer security had been assigned to systems
programmers, who also had numerous other important system
software-related technical responsibilities (e.g., system software
maintenance, computer performance monitoring and tuning, etc.). This
arrangement violates the generally accepted data processing control
practice of not assigning systems programmers to administer a computer
center's security function. Because systems programmers at the
majority of centers we visited controlled both security software and
the operating system software supporting that security software,
organizational separation of duties--where the activities of one
employee act as a check on those of another--was not achieved. As a
result, the controls provided by security software could not be fully
relied upon. Information systems management must ensure independent
system security administration and control by assigning this important
function to a separate group.
Of the ten agency computer centers reviewed, eight lacked adequate
computer security policies, standards, and procedures pertaining to the
crucial area of security software use, and/or were not following such
guidance. (Reviewing this topic at the other two agencies was
impractical because of unique conditions affecting their security
environments.) Without such guidance, information systems management
cannot be assured that security software protecting agency computer
systems will be implemented and administered in a cost-effective manner
that minimizes security exposures and vulnerabilities. In our opinion,
had proper written guidance pertaining to security software controls
been issued and followed at the computer centers reviewed, many of the
problems -found probably would not have occurred. For example, at the
eight agency computer centers where this issue was reviewed, no one was
effectively reviewing security violation _ reports--a routine
administrative task normally required by formal security policies,
standards, and procedures. By providing quality, documented management
guidance, agencies can minimize or even eliminate security software
control weaknesses resulting from errors, omissions, or lack of
adequate controls over security software.
14
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Recommendations
We recommend that:
OMB encourage Federal agencies to:
o develop effective policies, standards, and procedures for
operating system software management and security software use;
o take advantage of commercially available diagnostic software
tools to guide operating system preventive maintenance;
o carefully evaluate, and where, appropriate adhere to, vendor
guidelines in the management and use of operating system and
security software; and
use the reporting provisions of OMB Circular A-123 to identify
operating system and/or security software weaknesses, where
appropriate, as material internal control weaknesses.
NIST, with technical advice and assistance from National Security
Agency (NSA), develop and issue information systems management
guidelines which cover both operating system and security software
controls, specifically addressing operating system extension,
protection, and maintenance and security software implementation
and administration.
NIST appropriately emphasize operating system and security software
controls improvements in the computer security plans that are now
being prepared in accordance with the Computer Security Act of
1987.
NIST, with technical advice and assistance from NSA and GSA,
develop training guidelines to ensure that Federal information
systems managers are aware of the integrity and security risks
posed by system software, such as certain commercially available
products and public domain programs.
GSA specify system software management as a Governmentwide priority
area for review by Federal agencies under the Information Resources
Management review process mandated by the Paperwork Reduction Act
of 1980.
15
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
III. IMPROVING MANAGEMENT OF DISK AND MAGNETIC TAPE STORAGE RESOURCES
OMB Circular A-130 and the Paperwork Reduction Reauthorization Act of
1986 require Federal agencies to use their information resources
(which include disk and magnetic tape storage resources) in an
efficient, effective, and economical manner. However, as shown by
our computerized analyses of combined disk storage resources
(methodology described in Appendix B) valued in excess of $83.8
million, significant opportunities existed to improve disk storage
management at all agency computer centers reviewed. In total, an
estimated $17 million in inefficiently used disk storage ($16 million
at the nine centers with IBM equipment, and $1 million at the one
center without IBM equipment) could be recovered and made available
for reuse through the application of generally accepted disk storage
management techniques--thereby reducing the need for future
additional disk storage procurements. Similarly, as shown by our
computerized analyses of magnetic tape storage (methodology described
in Appendix B) at seven of the nine centers equipped with IBM
computers, tape processing efficiency could also be significantly
improved. In our opinion, the lack of formal storage management
plans ( addressing both disk and tape use) at 7 of the 10 agency
computer centers contributed to the widespread inefficient use of
disk and tape storage resources. Additional guidance is needed for
agency information systems management to better focus attention on,
and to strengthen controls over, disk and tape storage resources.
Need to Strengthen Disk Storage Management
Al though the unit cost of disk storage technology has fallen
dramatically since the 1970' s , agencies continue to experience
storage shortages and must endure lengthy procurement processes to
acquire additional storage. Information systems managers have a
vested interest in developing storage management plans and
implementing generally accepted disk storage management techniques so
that their agencies can achieve the best possible utilization of this
resource. These techniques involve migrating ( i .e., moving) inactive
files from costly online disk storage devices to substantially
cheaper offline magnetic tape storage, recovering unused disk space
that has been allocated in excess of actual needs, and ensuring that
disk space allocation is maximized according .to the type qf disk
device in use. For example, $17 million worth of disk storage could
be recovered for reallocation at the 10 computer centers we visited
if agency information systems management (a) migrated to tape those
disk files which have been inactive for 30 or more days, (b) released
1
Because of the various ways (e.g., lease, rental, purchase, etc.) in
which the nine agencies with IBM (or compatible) equipment procured their
disk storage and the different points in time when it was acquired, we
computed a standard cost for assigning a value to their combined disk
storage resources. This standard cost was based on, GSA schedule prices for
purchasing IBM disk devicfs and associated control units, plus 5 years of
maintenance. It excluded other significant cost components, such as floor
space, electricity, and cooling costs, because figures for these items were
not readily available.
16
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17 CIA-RDP90M01364R000800370002-8
unused space which has been overallocated, and (c) reorganized files
to use at least 90 percent of disk device track capacity. Each of
these techniques is easily accomplished using commercially available
disk storage management software.
Need to Improve Tape Storage Management
Agencies can similarly save computer resources when processing
magnetic tape files by ensuring that the files are created using
efficient blocking techniques. (Blocking refers to the process of
grouping logical records together and then writing them onto tape as
one physical record, or block.) Performance studies have
consistently shown that computer processing efficiency improves
significantly when large blocks of data (referred to as large
blocking factors) are specified for sequential files such as magnetic
tape files. However, over three-fourths of the more than 730,000
magnetic tape files we analyzed at seven of the nine IBM computer
centers were blocked for less than maximum efficiency (i.e.; using a
blocking factor less than, 90 percent of the largest blocking factor
possible) . Agency information systems management should encourage
more efficient blocking of tape files to economically utilize
computer processing resources.
17
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Recommendations
We recommend that:
OMB encourage Federal agencies, in carrying out their information
resources management responsibilities, to develop and implement
formal storage management plans that:
o provide for the use of generally accepted disk and tape storage
management techniques such as those discussed in this report,
and
o ensure the validity of disk storage requirements prior to
procuring additional disk storage resources.
NIST and GSA develop and issue information systems management
guidelines for the efficient, effective, and economical use of disk
and magnetic tape storage resources.
GSA specify disk and magnetic tape storage management as a
Governmentwide priority area for review by Federal agencies under
the Information Resources Management review process mandated by the
Paperwork Reduction Act of 1980.
18
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX A
(7 Pages)
PROFILE OF AGENCY MISSIONS, COMPUTER CENTERS
REVIEWED, AND POTENTIAL ADVERSE IMPACT ON MISSIONS
Operating system exposures and security software control weaknesses like
those discussed in this report pose significant risks to Federal agency
information systems, thereby threatening agency missions. These weaknesses
can be exploited by a knowledgeable perpetrator to gain unauthorized access
to agency computer systems and misuse or destroy mission-critical
information resources. When such a perpetrator takes advantage of system
software vulnerabilities, the opportunity exists for a damaging event to
result that may cause significant harm--such as monetary loss to the
Government, reduced services to the public, financial hargship on
recipients of Federal entitlement programs, adverse economic impact on the
Nation, or unauthorized disclosure of sensitive information. Unless proper
controls over system software are implemented, information systems managers
are not sufficiently protected against such damaging events. In addition
to providing a profile of agency missions and computer centers reviewed,
this appendix describes the potential harm to agency missions (and to
American taxpayers) from inadequate controls over operating system and
security software at the centers we reviewed.
1. Department of Agriculture (USDA)
The USDA was established in 1862 to improve and maintain the
agricultural environment and U.S. agricultural production capacity.
Further, USDA helps to curb hunger and malnutrition, and ensures
standards of quality in the daily food supply through inspection and
grading services. In addition, the Department's research findings
benefit all Americans either directly or indirectly. Its estimated
budget outlay for FY 1988 is $50.7 billion.
The USDA computer center reviewed is the Department's largest, and it
supports critical data processing applications for all USDA agencies.
These applications support USDA missions related to agricultural price
support, loan, and crop insurance programs. The center's primary
workload is supporting financial accounting systems which track over
$100 billion of obligations and expenditures. In addition, the center
annually creates loan and direct payment authorization records totaling
over $10 billion. The center's two large-scale IBM computer systems
both use the MVS operating system and CA-ACF2 environmental security
software. Over 4,500 registered users access the facility through a
nationwide telecommunications network, which includes both dedicated
high-speed communications lines and public telephone system dialup
support. The center, a Government-owned and Government-operated (GOGO)
facility, has an operating budget of about $41 million for FY 1988.
Inadequate controls over system software can result in unauthorized
and/or inaccurate disbursements of the more than $10 billion paid
annually to 1.5 million participants under the Agricultural Price
Support Program, Agriculture Loan Program, and Federal Crop Insurance
19
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
APPENDIX A
Program. Further, accidental or intentional modifications of data made
possible by such internal control weaknesses can lead to erroneous
management decisions which in turn could adversely impact Federal
agricultural programs in such areas as agricultural product pricing and
production capacity.
2. Department of Energy (DOE)
The establishment of DOE in 1977 consolidated major Federal energy
functions under one Cabinet-level Department. DOE serves as the
framework for a comprehensive and balanced national energy plan through
the coordination and administration of the Federal Government's energy
functions. With an estimated budget outlay of $10.5 billion for FY
1988, the Department is responsible for energy technology research and
development; the marketing of Federal power; energy conservation; the
nuclear weapons program; energy regulatory programs; and a. central
energy data collection and analysis program.
The DOE computer center reviewed provides sensitive data processing
support for critical DOE programs. These critical programs include
materials production, defense waste management, and naval nuclear
propulsion. With an operating budget of about $10 million for FY 1988,
the center operates three large-scale IBM computer systems. One system
is dedicated to classified data processing while the other two support
unclassified data processing. All three systems use IBM's MVS
operating system and security software developed inhouse. Further, one
system uses the IBM Virtual Machine operating system in addition to
MVS. Over 3,900 registered users access the facility through a local
area network. The center, a Government-owned and Contractor-operated
(GOCO) facility, has a small staff of Federal employees who provide
general operational oversight on a day-to-day basis.
Inadequate controls over system software can adversely impact the
Department's efforts to effectively and efficiently produce defense
materials, control nuclear waste, and conduct research and development
in energy technology. If critical mission-related data is accidentally
or intentionally modified, DOE could experience erroneous management
decisions, disruption to operations, compromise of proprietary data,
and/or excessive program costs.
3. Department of Health and Human Services (HHS)
HHS is the largest Federal civilian agency. With an estimated budget
outlay of $375.1 billion for FY 1988, the Department administers such
programs as retirement income and health insurance, research and
treatment of disease, and regulation of the purity of foods and drugs
sold in America. The Department's recordkeeping activities cover
everyone issued a social security number as well as the thousands of
employers who report the earnings of these individuals. It is also the
oversight agency for the following five major operating
administrations: Health Care Financing Administration, Social Security
Administration, the Public Health Service, Family Support
Administration, and Office of Human Development Services.
20
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX A
The HHS computer center reviewed processes retirement income and health
insurance program-related applications affecting most American
citizens, currently paying out over $200 billion in benefits annually
to 40 million people. The computer center operates 14 large-scale
computer systems, including Amdahl, NAS, IBM, and UNISYS computer
systems. All systems except one, the UNISYS system, use IBM's MVS
operating system, in conjunction with CA-TOP SECRET environmental
security software. Over 44,100 registered users access the facility
through a nationwide network of dedicated lines. The center is a GOGO
facility.
The Nation's retirement income and health insurance programs, which
disburse more than $200 billion in annual benefit payments, affect
almost every American citizen. Inadequate controls over system
software can lead to unauthorized, inaccurate, and/or misdirected
disbursements which could result in fraud or financial hardship to
millions of program recipients. Further, accidental or intentional
modifications of data made possible by such internal control weaknesses
could reduce the level of quality of services to the public.
4. Department of Housing and Urban Development (HUD)
HUD, established in 1965, administers programs for mortgage insurance,
rental subsidy, fair housing, construction and rehabilitation of rental
units, and community and neighborhood development and preservation.
Its budget outlay for FY 1988 is estimated at $18.6 billion.
The HUD computer center reviewed supports the Department's critical
housing-related grants and subsidy applications and application
development requirements. With an operating budget of over $1 million
for FY 1988, the center operates three large-scale UNISYS computer
systems. The center also uses Honeywell minicomputers for front-end
processing. The Honeywell MENU System software provides security and
allows over,7,000 registered users to perform data entry and/or remote
batch or interactive processing with a choice of application systems
and functions. Users access the facility from various sites through a
nationwide telecommunications network, which includes both dedicated
high-speed communications lines and public telephone system dialup
support. The center, a GOCO facility, has a small staff of Federal
employees who provide general operational oversight.
Strong system software controls are essential for'HUD to efficiently
and effectively meet its mission responsibilities related to fair
housing and rental subsidy. Accidental or intentional modification of
data, made possible by system software control weaknesses, can lead to
the compromise of proprietary data and erroneous payments resulting in
financial hardship to housing recipients and loss of Government funds.
During FY 1987, the Department disbursed over $13 billion for
housing-related grants and subsidies.
5. Department of Transportation (DOT)
The founding of DOT in 1967 brought together some 30 Federal
transportation bureaus and offices. The mission of DOT is to better
foster and promote the various modes of transportation and to regulate
21
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
De
APPENDIX A
them for the public's safety. With an estimated FY 1988 budget outlay
of $26.3 billion, the Department administers various transportation
programs related to highways (Federal Highway Administration, National
Highway Traffic Safety Administration); air traffic (Federal Aviation
Administration); maritime (U.S. Coast Guard, Maritime Administration,
and St. Lawrence Seaway Development Corporation); railroads (Federal
Railroad Administration); and mass transit (Urban Mass Transportation
Administration).
The DOT computer center reviewed is a major supplier of timesharing
services to over 3,000 registered users. This center' supports the
processing of sensitive automated applications that are critical to the
mission of the Department, involving transportation grants management,
highway trust fund control, coastal search and rescue operations, and
military payroll. The center operates a large-scale Amdahl .computer
system using IBM's MVS operating system and CA-ACF2 environmental
security software. Users access the facility through a nationwide
telecommunications network, which includes both dedicated high-speed
communications lines and public telephone system dialup support. The
center, a GOCO facility, has a small staff of Federal employees who
provide general operational oversight. Its operating budget for FY
1988 is about $20 million.
Strong system software controls are vital to protecting the integrity
of DOT's mission-essential applications. With estimated disbursements
totaling $19 billion during FY 1987, inaccurate automated information
could result in erroneous payments to vendors, grantees, and employees,
and/or misuse of Federal funds. In addition, accidental or intentional
modifications of data, made possible by system software control
weaknesses, can undermine efforts to foster and promote the various
modes of transportation and regulate public transportation
safety?thereby resulting in reduced program effectiveness and/or
excessive program costs. Further, the compromise of critical mission
applications could indirectly lead to accidents involving loss of life,
personal injury, and/or property damage.
6. Department of the Treasury
The Department of Treasury was created in 1789 as the official fiscal
agency of the Government. The Department had an estimated budget
outlay of $198.9 billion for FY 1988. In addition to tracking the
Federal Government's annual budget deficits and total debt, the
Department's functions include collection and protection of revenues,
administration of import duties and regulations, printing of currency
and coins, accounting for public debt securities, and collection of
income and other taxes. Among the operating administrations performing
these functions are the Financial Management Service, Internal Revenue
Service, U.S. Mint, Bureau of Engraving and Printing, Bureau of the
Public Debt, U.S. Customs Service, and the U.S. Secret Service.
The Treasury computer center reviewed operates one medium-scale and one
large-scale IBM computer system, both running IBM's MVS operating
system in conjunction with the CA-TOP SECRET environmental security
package. This center supports 16 mission-critical financial
22
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX A
applications of which the Check Payment and Reconciliation System was
the major application during FY 1987--processing transactions
representing aggregate payments exceeding $1 trillion. Over 1,800
registered users access the facility through a nationwide
telecommunications network. The center, a GOGO facility, has an
operating budget of about $10.2 million for FY 1988.
The data processing support provided by the computer center reviewed is
vital to Treasury's mission responsibilities for tracking the Federal
Government's annual budget deficits and protecting the Government's
revenues. System software control weaknesses could thus undermine
agency efforts to track and reconcile Government funds in excess of $1
trillion. Further, such weaknesses can disrupt or obstruct check
reclamation efforts, which in turn can result in financial losses to
the Government due to duplicate, fraudulent, and/or erroneous payments.
7. Government Printing Office (GPO)
The GPO was established in 1860 to fill printing and binding orders
placed by Congress and the various Federal agencies. GPO prepares
catalogs and distributes and sells Government publications. It also
furnishes blank paper, inks, and similar supplies on order. GPO's FY
1988 budget outlay is estimated at $940 million.
The computer center operates two large-scale IBM computer systems using
the MVS operating system and CA-TOP SECRET environmental security
software. The center's 1,200 registered users access the facility
through a telecommunications network which includes both dedicated
communications lines and dialup telephone lines. The center, a GOGO
facility, has an FY 1988 operating budget of about $14 million.
Strong system software controls are essential for GPO to efficiently
and effectively fill the printing and binding orders placed by the
Congress and Federal agencies. For example, billing information is
crucial to sustaining printing operations and the continued production
of related goods and services. Inadequate system software controls
could lead to erroneous or inaccurate tracking of billing and other
automated financial information--which in turn could result in
significant loss to the Government's printing operations and its
customers.
8. National Aeronautics and Space Administration (NASA)
NASA was established in 1958 to plan, direct, and conduct aeronautical
and space activities for peaceful purposes for the benefit of all
mankind. With an estimated budget outlay of $9.1 billion for FY 1988,
NASA administers programs of a research and development nature that are
designed to contribute to a number of national goals, including the
preeminence of the nation in the science and technology of aeronautics
and space.
23
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX A
The NASA computer center reviewed is the major supplier of computer
services to agency headquarters and supports sensitive data processing
applications that are critical to NASA's mission. Such sensitive
applications include financial management, procurement administration,
reimbursable costs management, equipment and inventory control, payroll
and personnel, and resources management. The center operates two
medium-scale IBM computer systems, both running IBM's MVS operating
system in conjunction with CA-ACF2 environmental security software.
About 850 registered users access the facility through a local area
network and remote access dedicated high-speed communications lines.
The center, a GOCO facility, has a small staff of federal employees who
provide general operational oversight. Its operating budget for FY
1988 is over $3 million.
System software control weaknesses at the NASA computer center reviewed
could lead to unauthorized or inaccurate payments to employees and
vendors, resulting in loss of Government funds and interruption of
mission-related activities. Moreover, such integrity exposures
undermine NASA's efforts to efficiently and effectively plan, direct,
and conduct its aeronautical and space activities.
9. Office of Personnel Management (OPM)
OPM, established in 1978 to replace the Civil Service Commission, is
tasked with ensuring that the Federal Government provides essential
personnel services to applicants and employees. With an estimated
budget outlay of $28.5 billion for FY 1988, the Office administers a
merit system for Federal employment which calls for recruiting,
examining, training, and promoting people only on the basis of their
knowledge, skills, and abilities, regardless of their race, religion,
sex, or other nonmerit factors. OPM is also charged with administering
benefit programs for Federal employees. In that regard, OPM
administers the Civil Service Retirement System (CSRS), a large,
automated application which provides monthly pension benefits to
Federal Government retirees. This mission-critical application
disburses annuities totaling about $21.6 billion annually to 1.9
million annuitants. In addition to monthly check issuance, OPM
oversees all CSRS processing associated with adjudication of new
retirement cases and adjustment of existing accounts.
The OPM computer center reviewed provides data processing support for
CSRS. With an FY 1988 operating budget of about $6 million, the center
operates one large-scale and one medium-scale IBM computer system.
Both computers use the MVS operating system and commercial security
software packages which protect only certain online environments.
About 350 registered users access the facility through a network of
local terminals. The center is a GOGO facility, but has an onsite
contractor providing software maintenance support.
24
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX A
Integrity weaknesses in the system software controlling the CSRS can
lead to unauthorized and/or inaccurate annuity payments (including the
theft of Government funds) and economic hardship for program
recipients. Further, accidental or intentional modifications of data
made possible by system software control weaknesses can lead to
excessive costs of Government operations.
10. Veterans Administration (VA)
The VA was established in 1930 to serve America's veterans and their
families by ensuring that they receive quality medical care,
appropriate levels of benefits, adequate compensation, decent working
conditions, necessary training and education, and equal employment
opportunity. It has an estimated FY 1988 budget outlay of $27.6
billion.
The VA computer center reviewed is a major supplier of timesharing
services to over 5,000 registered users. The center supports more than
76 mission-critical applications associated with every major VA
program. These critical applications include VA-owned home mortgage
loans; VA-owned facility construction, expansion, and upgrading
appropriations; civilian payroll and personnel; and financial
accounting systems. Collectively, these applications disbursed about
$9.7 billion during FY 1987 for goods, services, and personnel costs.
The center operates two large-scale Amdahl computer systems using IBM's
MVS operating system in conjunction with CA-TOP SECRET environmental
security software. Users access these systems through a nationwide
telecommunications network, which includes dedicated communications
lines and public telephone system dialup support. The center, a GOGO
facility, has an FY 1988 operating budget of about $50 million.
The majority of VA's programmatic and administrative applications
are supported by the computer center reviewed. System software control
weaknesses at that center could lead to accidental or deliberate
modification of application data--which in turn could cause financial
hardship to millions of American veterans and their families. In
addition, the disruption of these critical applications could
debilitate agency efforts to provide veterans with quality medical
care, decent working conditions, adequate training and education, and
equal employment opportunity.
a
25
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX B
(6 Pages)
AUDIT METHODOLOGY AND GUIDELINES
Overview of Audit Methodology
An operating system has integrity if it can (I) prevent one program from
interfering with or modifying another program's execution--unless
"authorized" to do so, and (2) protect itself against unauthorized access
by ensuring that integrity controls cannot be bypassed. This basic
definition--embodying the concepts "authorized program" and "authorized
user"--guided the formulation of our audit objectives and the development
of a methodology for meeting those objectives. MVS integrity controls can
ensure that only authorized programs (i.e., those meeting standard MVS
authorization conventions) can gain the sensitive powers needed to modify
another program's execution. These controls, however, are not intended to
ensure that only authorized users can execute sensitive authorized
programs. Control of authorized users is provided by environmental
security software, which is crucial but optional for MVS environments.
Thus, the primary objectives of our MVS system software controls audit were
to determine whether (1) operating system features which control the
ability to perform sensitive tasks (i.e., execute authorized programs) were
properly administered and controlled, and (2) environmental security
software mechanisms which control user access to computer resources were
properly administered and controlled. In addition, because the computer
assisted audit techniques we employed to assess system software controls
also provided the capabilities for assessing disk and tape storage
management, we performed such an analysis as a subordinate audit objective.
The remainder of this appendix provides brief descriptions of the computer
assisted audit techniques we used, the general methodology and audit steps
we employed to meet each audit objective, and audit references including
industry guidelines on system software management and security software
implementation which we used to supplement Federal computer systems
integrity and information resources management requirements.
Computer Assisted Audit Techniques Used
The automated tools and techniques used consisted of (1) DOT-developed
computer programs (collectively referred to as the "Scrubber" system), (2)
a public domain software analysis program (called an object code
"disassembler")' (3) specialized MVS utility programs (classified by IBM as
service aids), (4) IBM's Interactive Systems Productivity Facility (ISPF)
program product, (5) vendor-provided security package reporting programs,
and (6) a commercially available MVS-oriented system software diagnostic
package known as Problem Alert System (PAS) (described in Appendix C).
The Scrubber system is an integrated set of Basic Assembly Language
routines and Dylakor, Inc., (i.e., DYL-260 and DYL-280) data retrieval and
analysis software programs which analyzes MVS operating system software.
Certain Scrubber routines analyze large, complex sets of APF libraries and
critical operating syst(m control tables which are all key control points
regarding MVS integrity. Scrubber also analyzes certain aspects of disk
26
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX B
storage usage and, for installations using the CA-1 tape management system
package, tape processing efficiency. The public domain disassembler
program assists in analyzing certain critical operating system routines
(primarily SVCs) for integrity exposures. The IBM service aids, AMBLIST
and AMASPZAP, assist in reviewing system software program modifications and
control tables, respectively. ISPF was used as the primary timesharing
operating environment in which we conducted many of our technical review
activities, such as job processing, output retrieval, system software file
review, and miscellaneous data management. Finally, utility reporting
programs, which are standard components of commercially available
environmental security software packages like CA-ACF2 and CA-TOP SECRET,
provided critical information regarding an installation's selection of
parameters, security-related options, and assignment of security privileges
to system users.
Review of Operating System Software Controls
Operating systems, such as IBM's MVS, generally have very elaborate control
mechanisms designed specifically to ensure processing integrity. These
control mechanisms isolate and protect numerous simultaneously processing
tasks from one another. As indicated above, only authorized programs
should have the capability to perform sensitive tasks such as accessing and
modifying another program's execution or data areas. The key mechanism in
IBM's MVS operating system for controlling such capabilities is APF. That
is, MVS will allow programs to perform sensitive tasks only if they have
first been identified according to APF conventions. If a program can gain
the capability to perform such sensitive tasks outside of normal APF
conventions, then MVS' integrity has been compromised, and all applications
and data are at risk of unauthorized access, manipulation, destruction, or
disclosure. Audit experience has shown that poor APF administration and
the improper modification (i.e., corruption) of key operating system
components by an installation results in the compromise of system integrity
controls.
Documenting the System Software Environment
This set of audit steps involved developing a basic understanding of
the system software environment under review and making a preliminary
assessment of nontechnical controls. Organization and staffing of the
computer center's technical support function (i.e., primarily the
systems programming group) was reviewed to evaluate such control areas
as separation of duties, personnel qualifications, and documented
procedures for staff management. General management and specific
technical direction were also reviewed, addressing such critical
control areas as system software management policies, standards,
procedures, and change control. In addition, an inventory of computer
hardware and software was developed to validate the configuration under
review.
System Generation and Initialization
This set of audit steps ficused on two key technical control
areas--operating system extension, primarily involving locally added
SVCs, and human intervention in the system initialization process. As
27
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
APPENDIX B
discussed in the body of the report, controls over the addition of
non-MVS vendor tested SVCs is crucial to preserving MVS integrity.
Also highly desirable, is minimizing the role of the computer operator
during system startup (also referred to as initial program load (IPL))
to avoid accidental or intentional modifications to critical MVS
control parameters (as specified in the MVS library named
SYS1.PARMLIB). Initialization parameters for the Job Entry Subsystem
(JES), a critical MVS subsystem controlling the entry of work into the
system and disposition of job output, were reviewed for controls over
user submission of operator commands and JES processing integrity. The
Scrubber system, disassembler, and IBM's ISPF file management and
display functions were used in performing these audit steps.
APF Administration
This set of audit steps was included to determine whether 'computer
center management had promulgated integrity guidelines, as recommended
by the vendor, and was generally complying with the vendor's
recommendations for proper APF administration and control. APF works
on the assumption that if the first module in a program sequence is
authorized, then authorized individuals have determined the flow of
control to all subsequent modules in that sequence. MVS considers
these modules authorized to use sensitive system functions as long as
they come from authorized libraries. As a result, the installation
must follow certain critical guidelines when using APF. Specifically,
information systems management must:
Ensure that all programs that will run as authorized programs
adhere to the installation's integrity guidelines and to MVS system
integrity requirements.
Control which programs are stored in authorized libraries.
Protect authorized libraries through environmental security
software to ensure that only selected users can store or alter
programs in these libraries.
Ensure that no two load modules with the same name exist across the
set of authorized libraries. (Two modules with the same name could
lead to accidental or deliberate mixup in module flow, possibly
introducing an integrity exposure.)
Ensure that the SYS1.PARMLIB library does not contain the names and
volume serial numbers of data sets that no longer exist. (If it
does, a user could assign his/her own data sets with the same names
to those volumes and cause his/her own libraries to become
authorized.)
Ensure that volumes specified in SYS1.PARMLIB are mounted at IPL
and are permanently resident. (Otherwise, a user could introduce a
"counterfeit" APF library by supplying his own disk volume.)
The Scrubber system, IBM's AMASPZAP service aid, and IBM's ISPF file
management and display functions were used to review the APF library
environment.
28
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
APPENDIX B
System Software Maintenance
This set of audit steps addressed the computer center's system software
maintenance activities. MVS maintenance is an important control area
because of its impact on system integrity and security, the sheer
complexity and magnitude of fixes provided by the vendor to correct
operational problems, and its significant burden on the typically
severely strained technical support staff. The vendor ships
maintenance tapes to MVS customer sites about nine times a year, with
each tape containing about 1,500 to 2,000 fixes for the typical MVS
installation. Some of the corrections included with each maintenance
tape are basic system integrity fixes. MVS maintenance should be
performed under the absolute control of the vendor's SMP and software
corrections should be made in a preventive maintenance mode (i.e.,
compensating operational adjustments are made to temporarily circumvent
unresolved system software problems, and/or fixes are applied as soon
as practicable after they are made available by the vendor.) The
Scrubber system and IBM's AMBLIST service aid were used to identify
potential instances where maintenance was applied to system software
program libraries outside of the controls of SMP. The PAS package (see
Appendix C) was used to assess the status of vendor-supplied
maintenance actions.
Review of Security Software Controls
IBM's MVS operating system, through the APF mechanism, can control the
execution of sensitive tasks, but has no way of detecting and controlling
who is executing the sensitive tasks (i.e., determining whether an
authorized program was submitted by an authorized user). Effective control
of "authorized users" generally requires specialized environmental security
software, such as RACF, CA-ACF2, or CA-TOP SECRET. The following audit
steps were designed to evaluate both generic and product-specific security
software controls. Utility reporting programs, which are standard
components of commercially available environmental security software
packages, were used where appropriate to obtain critical security profile
information.
Documenting the General System Security Environment
This set of audit steps involved developing a basic understanding of
the computer center security environment under review. Organization
and staffing of the computer center's security function was reviewed to
evaluate such control areas as separation of duties, personnel
qualifications, and documented procedures for staff management.
General management and specific technical direction were also reviewed,
addressing such critical control areas as security software management
policies, standards, procedures, and user registration change control.
In addition, a technical security profile was developed to evaluate the
center's selection of parameters, implementation of security-related
options, and assignment of security privileges to system users.
Regardless of the type of security software used by the installation,
the following general areas of concern were reviewed:
-- The universe of "super users"--i.e., those with especially powerful
security privileges. :
29
4,1
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX B
Access profiles for sensitive system files affecting integrity,
security, and general operational control.
Controls over, sensitive system utility programs.
Security software parameters implemented, such as minimum password
length, number of access attempts allowed, etc., and the security
system's production mode of operation (e.g., abort, warn, etc.).
Disposition of security logging and reporting facilities.
Controls over tape bypass label processing.
System software program products requiring special interface with
the installation's security software.
Environmental Security Package Review
For those seven installations using a commercially available
environmental security software package, we applied the vendor's
audit-related guidance to the extent practicable. Examples of
vendor-provided guidance are the RACF Auditors Guide, CA-ACF2 Auditors
Guide, and CA-TOP SECRET Auditors Guide.
Review of Disk and Tape Storage Resources
The purpose of this set of audit steps was to assess whether disk and
magnetic tape storage resources were being economically, efficiently, and
effectively used. Using the Scrubber system, we developed a profile of the
disk environment by scanning the VTOCs of all online disk devices and
building a data base of all online disk data set names and attributes.
From the disk data base, we summarized utilization statistics by disk
device type (e.g., 3330, 3350, 3380) for data set activity, blocking
efficiency (based on a minimum track utilization of 90 percent), releasable
space, and presence of invalid data sets. We also calculated potential
storage savings under five alternative policies for migrating inactive disk
data sets to tape. These policy alternatives covered disk data sets which
have not been accessed for 180, 90, 60, 45, and 30 days, respectively. (By
calculating storage savings under alternative migration policies, computer
center managers can perform sensitivity analyses on the alternative
policies.) A similar analysis was performed, again using ?the Scrubber
system, on tape-based data sets. Through this analysis we identified those
data sets most likely to encounter permanent read errors due to media age,
and those having blocking factors not conducive to efficient processing.
Audit References
The following audit references include industry guidelines on system
software management and security software implementation which we used to
supplement Federal computer systems integrity and information resources
management-requirements.
1. "System Software Controls," Evaluating Internal Controls in
Computer-Based Systems, Audit Guide, Section V, Questionnaire 8,
Publication AFMD-81-76, U.S. General Accounting Office.
30
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX B
2. "Examine/MVS Concepts and Facilities and Usage Guides", Rosemont
Development and Support Center, Computer Associates International.
3. "MVS Security," GC28-1400-D, IBM.
4. "Problem Alert System (PAS) _User Guide," Morino Associates, Inc.
5. "PAS Systems Software Management Methodology," Morino Associates, Inc.
6. "OS/VS2 Conversion Notebook," GC28-0689-6, IBM.
7. "OS/VS2 MVS System Programming Library: Initialization and Tuning
Guide," GC28-1029-4, IBM.
8. "MVS/XA MVS System Programming Library: Initialization and Tuning
Guide," GC28-1149, IBM.
9. "Auditing the Technical Support Function," Chester M. Winters, EDPACS,
Volume XII, No. 8, February 1985, Automation Training Center.
10. "Auditing an MVS Operating System," Auerbach Information Management
Series, EDP Auditing, 75-04-30.
11. "ACF2 Auditor's Guide," Rosemont Development and Support Center,
Computer Associates International.
12. "RACF Auditor's Guide," SC28-1342-3, IRM.
13. "CA-TOP SECRET Auditor's Guide," Computer Associates International.
14. "ACF2 Other Products Manual," Publication No. ABP0011-01, Chicago
Development and Support Center, Uccel Corporation.
15. "DP Policies and Procedures," Robert E. Umbaugh, The AUERBACH Data
Processing Management Library, Volume 1: A Practical Guide to Data
Processing Management.
16. "The Auditor's Use and Control of Utility Programs," Michael I. Sobol,
The AUERBACH Data Processing Management Library, Volume 7: EDP
Auditing.
0
31
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX C
(4 Pages)
DEFINITION OF SYSTEM SOFTWARE PROBLEM ANALYSIS
MANAGEMENT AREAS AND SEVERITY LEVELS
This appendix defines the management areas and severity levels associated
with the system software problems reported by the MVS diagnostic software
package used during this task to review the status of system software
maintenance. This diagnostic software package--Morino Associates, Inc.'s
PAS--consists of a software maintenance analyzer, a data base describing
thousands of MVS-related system software problems, and.. a reporting
subsystem which produces summary and detail level reports. The purposeof
the package is to help MVS installations reduce security, and integrity
exposures, minimize the risk of disabling service disruptions, and decrease
vulnerability to data deletion and/or destruction.
The opportunity for unresolved system software problems exists in virtually
all MVS computer systems because of software complexity, interaction
between software packages, interaction between hardware and software, and
human resource limitations. Timely and thorough preventive maintenance is
the key to minimizing these problems and avoiding altogether the problems
which can produce catastrophic effects on Federal agency computer systems.
As described below, effective use of PAS can help managers of MVS systems
assess the adequacy of preventive system software maintenance at their
installation.
PAS Management Areas
To facilitate review and prioritization of problems applicable to an
installation, PAS classifies MVS system software problems by specific
management areas. These logical groupings can be related to specific
areas of interest or concern reflecting management objectives and
priorities. While not all problems fit exactly and consistently into
them, the following defined management areas are used to account for
the items in the PAS data base:
PERFORMANCE AND CAPACITY - Problems with critical system resources
e.g., central processing unit or CPU, real storage, virtual storage,
disk space, etc.) or functions (e.g., paging, swapping, processing
delay, etc.) which adversely affect the system's ability to satisfy
service level objectives and availability requirements. Examples
include (1) the performance of unnecessary CPU instruction processing
for a given function, (2) the need for excessive input/output
operations or device/controller/channel resources, and (3) unnecessary
delay in performing services for a program or function which is ready
to execute.
SECURITY - Problems involving system integrity and related functional
errors which adversely affect security. Examples include (1) MVS
system integrity corrections excluding data integrity problems, (2) an
erroneous or incomplete security-related function such as failure to
protect a data set or failure to update or delete a RACF security
a
32
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
APPENDIX C
profile, and (3) erroneous or incomplete security-related records or
messages on successful and unsuccessful resource access requests.
MEASUREMENT AND ACCOUNTING - Problems with the accuracy and complete-
ness of system resource measurement and task event data. Examples
include (1) erroneous or incomplete resource utilization or logging
data--principally System Management Facility (SMF) and Resource
Measurement Facility, (2) errors associated with SMF exits, and (3)
implementation errors which prevent performance of a required operation
or cause incorrect or incomplete results.
WORKLOAD CONTROL - Problems with the management, control, and prioriti-
zation of jobs which impair the system's ability to get work
accomplished. Examples include (1) problems with data management and
JES exits commonly used for workload management functions, (2)
implementation errors preventing the appropriate controls or Oiorities
from being used, and (3) failure to enforce installation
performance-related controls and service objectives.
OPERATION AND EXECUTION - Problems with operator console functions,
system services, and device support. Examples include (1) system
operator controls or facilities not performing as intended, (2) job
control language functions not performing as expected, and (3)
inadequate support for new devices or device features.
INTERNAL RELIABILITY - Problems that cause system abnormal ends
(ABEND), perpetual wait, and looping conditions. Examples include (1)
an unexpected program ABEND due to a programming error or invalid data,
(2) an unending wait state created by processing a program containing a
request for a resource which is permanently unavailable, and (3) a
programming error causing the same instruction or group of instructions
to be executed repeatedly (if CPU interrupts are disabled during this
loop, all applications may suffer loss of service, and a total system
restart may be required).
EXTERNAL RELIABILITY - Problems involving data damage, device error,
and incorrect, duplicate, or missing data. Examples include (1) the
damaging or destruction of external data (e.g., VTOC, catalog, system,
or user data set), (2) a programming error causing an external device
to terminate input/output with an ABEND, and (3) erroneous or
incomplete critical operating system error recording file information.
UNASSIGNED - Problems which denot fit any of the above classifi-
cations.
33
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX C
PAS Severity Levels
In assigning severity levels to MVS problems, PAS attempts to reflect
the impact a given system software error is likely to have on an
installation. The three possible problem severity levels and the
conditions they represent are:
CRITICAL - Generally results in substantial adverse impact on
perfonmance, security, user or system data sets, measurement data, or
system availability. One or more of the following conditions may be
present.
Failure of the entire system (resulting from a disabled loop or
hard wait state) or loss of a processor in an attached processor,
multiprocessor, or dyadic configuration.
Unrecoverable error and/or loss of a critical system component or
subsystem which either precludes continued system operation or
severely limits it.
Significant performance degradation to entire system (even if it
degrades gradually).
Total exhaustion of a resource, such as the common service area
(CSA) and system queue area (SQA) (critical pools of virtual
storage), which prevents introduction of new work.
Loss of an external resource or facility which is critical to
continued system operation, such as damaged page, swap, spool,
catalog, SMF, RACF, or other critical system data sets.
System or component errors or damage which cause loss of
significant system capability (such as initiator or timesharing
logon failures).
Problems in device error recovery procedures which lead to job
failure or incorrect data.
Errors that cause discontinuance of a significant logging,
auditing, or diagnostic capability (such as SMF or system error
recording) or the inability to produce a system or stand-alone
storage contents listing.
Errors involving failure to release enqueued resources or MVS
locks, which lead to eventual wait state in multiple address
spaces.
Any problems which result in overlay of common storage areas,
such as the nucleus, SQA, CSA, and link pack area. The actual
results may be unpredictable, depending on the system use of the
damaged area.
34
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX C
IMPACTING 7 Problem impact is less severe than critical or is limited
to certain users or 'applications. One or more of the following
conditions may be present.
- Moderate system performance degradation on a global basis, or
affecting all users of a common function or program, or
applicable to a single component or subsystem.
- Failures resulting from storage overlays or program errors which
terminate all user sessions within a restricted subset (such as
all ISPF users or all jobs using a particular access method).
- All MVS system integrity corrections.
- Security-related (RACF or password) errors which may impact all
users of a common system service such as disk allocetion or
scratch.
- Partial loss or waste of internal or external resources such as
global storage (CSA/SQA) or disk space.
- SMF and other recording data errors which result in significant
loss of valuable information or substantial distortion of
important values such as resource utilization counts or timings.
- Loss of a single user address space or initiator due to a wait
state or loop condition.
- Damage to a nonglobal resource or facility, such as a damaged
user volume, VTOC, user catalog, or user data set.
LIMITED - Problem is more limited and/or less severe than the higher
severity levels described above, but should not be considered
trivial. One or more of the following conditions may be present.
- Failure is limited to those jobs or sessions using an
infrequently used system function or optional subfunction.
- All SMF and recording data errors not classified as critical or
impacting.
- Moderate performance degradation for a single user, or for all
users of a limited-use function or program.
- User data damage resulting from situations with a low probability
of occurrence.
- Minor to moderate performance degradation of a facility or device
which is not significant to overall system performance.
- Security-related (RACF or password) errors confined to a single
user or data set.
- System or component failures which may be significant but which
have a low probability of occurrence.
35
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX D
(2 Pages)
INDIVIDUAL AGENCY REPORTS
ISSUED UNDER TASK 2A
Type of Report
and Number
Agency and Product Title
Department of Agriculture
PCIE Computer Systems
Integrity Project
PCIE Computer Systems
Integrity Project
Office of Information Resources Management
PCIE Computer Systems Integrity Project
National Computer Center At Kansas City
Department of Energy
Audit of Central Computer Systems
Integrity at the Savannah River Plant
Department of Health and Human Services
Social Security Administration,
Systems Software Internal
Control Review
Department of Housing and Urban Development
General Controls Over
Computer Operations
Computer Access Controls
Department of Transportation
Report on Observations Regarding
System Software Control Weaknesses
at the Transportation Computer Center
Report on the Need for Stronger
Management Controls Over Disk Storage
at the Transportation Computer Center
Report on Internal Control Weaknesses
in Operating System Software and Major
Subsystems at the Transportation
Computer Center
Report on Control Weaknesses in the
Implementation and Administration
? of Access Control Software at the
Transportation Computer Center
* Contents Restricted
36
Date Issued
Interim Report
58099-10-FM 02-12-88
Interim Report
58099-10-FM 03-10-88
Final Report
58099-10-FM 09-30-88
Final Report
ER-0-88-06 07-29-88
Final Report
CIN-A13-88-00011 10-11-88
Final Report
85-AA-166-0004 07-25-85
Final Report
88-AA-166-0001 08-22-88
Interim Report *
AD-OT-5-004 02-28-85
Final Report
AD-OT-5-011 08-16-85
Final Report *
AD-OT-6-003 03-27-86
Final Report *
-AD-OT-7-004 06-02-87
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
APPENDIX D
INDIVIDUAL AGENCY REPORTS
ISSUED UNDER TASK 2A
Agency and Product Title
Department of the Treasury
Internal Audit Memorandum -
Unauthorized Access Exposure
Audit Memorandum -- Operating
Type of Report
and Number
Interim Report
No Number
Interim Report
System Software Maintenance A-FM-88-002
Computer System Integrity at the Final Report *
Financial Management Service OIG 88-078
Government Printing Office
Management of System Software,
Access Security, and Resource Final Report
Management Can Be Improved 88-36
National Aeronautics and Space Administration
Interim Report on the Computer
Systems Integrity Project
Date Issued
12-23-87
02-23-87
09-14-88
07-29-88
Interim Report
A-HQ-88-001 10-20-87
Final Report on The PCIE Computer
Integrity Task 2A Audit of the NASA Final Report
Headquarters Computer Center (NHCC) A-HQ-88-001
Office of Personnel Management
Possible Weakness for
Director's A-123 Report
Interim Report
88-21(M)
Final Report on PCIE Computer Final Report
Security Audit of the WOPC 88-37
Veterans Administration
Audit of Austin Data Processing
Center Program and Data Security
* Contents Restricted
37
07-22-88
12-09-87
06-03-88
Final Report *
8A0-007-121 09-30-88
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX E
ASSESSMENT OF SYSTEM SOFTWARE CONTROLS
AT 10 FEDERAL COMPUTER CENTERS
NUMBER OF CENTERS
CONTROL CATEGORY STRONG MARGINAL INADEQUATE UNKNOWN
Operating System Software Controls:
1
Extension (SVC) controls 0 1 8 0
Protection (APF) controls 0 1 8 0
Maintenance controls 1 1 7 0
Policies, standards, procedures 0 3 6 0
Security Software Controls:
Technical controls 0 0 7 3
Administrative separation of duties 1 1 8 0
Policies, standards, procedures 0 4 4 2
Security violation report review 1 0 8 1
Legend:
Strong
No significant control deficiencies found nor any major
integrity or security exposures identified (e.g., for the
security violation report review category, center security
staff were effectively reviewing and investigating
violations reported by security software).
Marginal One or more significant control deficiencies found but no
resulting major integrity or security exposures confirmed;
however, development of such exposures in the future was
highly likely (e.g., for the policies, standards, and
procedures control category, existing guidance either did
not sufficiently cover all system software management areas
or was only partially implemented).
Inadequate One or more significant control deficiencies found which
produced at least one major integrity or security exposure
(e.g., for the technical security software controls
category, all critical system software files were not
adequately protected from unauthorized access).
Unknown Not all elements of specified control category evaluated at
these centers. Thus, at best, only a partial assessment of
overall control effectiveness could be made--producing
results not comparable to those at centers where all
control elements were evaluated.
1The one non-MVS computer center was excluded from this portion of the
audit. Thus, evaluations were performed at 9 of the 10 centers reviewed.
38
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
AWWWWW.w
? Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
4-- lo rages)
I.
?
6ti
.,??
SEP 23 19813
John W. Melchner
Inspector General
Departnient of Transportation
Room 9210
400 Seventh Street, SW
Washington, DC 20590
Dear Mr. Melchner:
UNITED STATES DEPARTMENT OF COMMERCE
National Inetltute of Standards and Technology
(formerly National !Bureau of Standards]
Gs tele-sbut-g Mer-yienci 20899
OFFICE OF THE DIRECTOR
The National Institute of Standards and Technology (NIST) has received and
reviewed the draft Summary Report for Task 2A of the PCIE's Computer
Systems Integrity Project. We commend the PCIE and the project staff for
an outstanding job of assessing management controls over system software
and over disk and tape management. We support the conclusions of the
report regarding the vulnerabilities caused by inadequate system software
controls and the opportunities for improved efficiency in disk and tape
management in Federal computer systems.
We are in general agreement with the recommendations of the report and
believe that the NIST Computer Security program is already moving in the
directions indicated. NIST, as part of its ongoing Computer Security
Program and its activities under Public Law 100-235, expects to provide
additional guidance in several areas affecting improved privacy and
security of Federal computer systems -- including those areas addressed in
the report. It is expected that agencies will address systems software
controls as one of several areas of controls in their security plans for
sensitive systems as required under the law. NIST and others are working
to increase the security and integrity features of commercially-available
computer systems.
In addition, we believe that emphasis should be placed on the report's
recommendation that Federal agencies develop their own policies and
procedures for effective systems software mahagement controls, including
adherence to vendor guidance and recommendations. This is particularly
important, since each agency will have its own, vendor-specific, systems
environment for which government-wide guidance will simply be too broad
and general in scope. It would be impractical and inappropriate for NIST.
GSA, or any other agency to attempt writing guidance directed to specific
vendor systems, regardless of how extensive their use in the Federal
Government.
39
75 Years Stimulating America's Prove.. * 1913-1988
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364146-6016E&-6002-8
Again, we commend the Council and its project staff on a fine job in the
Task 2A report. If you have specific questions, please contact Dennis
Steinauer, Computer Security Management Group, at (301) 975-3359.
.'#
Ernest-Ambler
Director
a.)
ge
40
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
NATIONAL COMPUTER SECURITY CENTER
FORT GEORGE G. MEADE, MARYLAND 20755-6000
Serial: C-306-88
7 October 1988
John W. Melchner
Inspector General
Department of Transportation
400 7th Street SW
Washington, DC 20590
Dear Mr. Melchner:
?
1. We have reviewed the portions of the PCIE Draft Report
that are relevant to the National Computer Security Center's
(NCSC) mission. We agree with those comments and
recommendations.
2. We have two specific comments. First, we believe the
phrase "commercially available system software products meet
minimum computer system integrity requirements . . ." needs
clarification both in terms of what is meant by "integrity" and
what is meant by meeting "minimum requirements," i.e., whose
requirements? We have already relayed these two comments to
Mr. John Lainhart at the Department of Transportation.
Mr. Lainhart remarked that the report uses "integrity" in its
generic sense, not in the more technical and specific sense we
associate with it.
3. We would be pleased to support the recommendation that
OMB work with NSA and the National Institute of Standards and
Technology in areas that touch the civil and private sectors, as
long as it is within the pervue of PL 100-235, the Computer
Security Act of 1987.
4. The PCIE Draft Report again emphasizes the need for
better computer security measures to protect sensitive
unclassified data. The NCSC is prepared to assist OMB in any
way we can to overcome the current deficiencies in federal
computer systems.
Sincerely,
PATRICK R. AGE
Director
41
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17 : CIA-RDP90M01364R000800370002-8
LANIJ/A r
Copy Furnished:
June Gibbs Brown
Inspector General
Department of Defense
400 Maryland Avenue SW
Mail Code W
Washington, DC 20546
42
Serial: C-306-88
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
General Services Administration I \
Information Resources Management Service 1 i
Washington, DC 20405 N /
.441.,....,
SEP 1 9
MEMORANDUM FOR KAREN SHAFFER
OFFICE OF THE INSPECTOR GENERAL
FROM:
SUBJECT:
TOM HO
CHIEF, PRO AND MANAGEMENT
REVIEWS BRAN
Comments on PCIE "Draft Report for Computer
Systems Integrity Project, Task 2A: Review of
General Controls in Federal Computer Systems
The project team did an outstanding job in its review of
general controls. Although security and electronic media
storage been identified as important governmentwide priorities
by OMB and others, the PCIE team was able to document specific
deficiencies that highlight the urgent need for agencies to
address these functions immediately. We strongly agree with
the recommendations of the PCIE, particularly those that
pertain to our Governmentwide review function.
Regarding the recommendation that OMB work with GSA to specify
system software controls as a Governmentwide priority area for
review by Federal agencies under the Information Resources
Manaoement review process mandated by the Paperwork Reduction
Act of 1980 on page 15 of the draft report:
Each year, in our annual data call for plans and synopses of
agency-conducted IRM reviews, we encourage agency officials to
consider the most recent information technology priorities
addressed by OMB. In the past, OMB has communicated these
areas of emphasis through two publications: "A Five Year Plan
for Meeting the ADP and Telecommunications Needs of the Federal
Government" and, most recently, "Management of the United
States Government."
It should be noted, however, that OMB and GSA are relying upon
agency officials to focus review efforts upon those areas which
best meet individual agency needs. Establishment of system
software controls as a governmentwide priority will not
guaranies that agencies focus their efforts on this particular
area.
43
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX F
- 2 -
Security has been identified as a priority item ever since
passage of the Security Act of 1987 and publication of OMB
Circular A-130. However, since system software controls have
not been specifically addressed, and in light of the findings
of the Computer Systems Integrity Project, software controls
could be singled out for executive level attention in future
ONE planning documents.
Regarding the recommendation that OMB work with GSA to specify
disk and magnetic tape storage management as a Governmentwide
priority area for review by Federal agencies under the
Information Resources Management review Process mandated by the
paperwork Reduction Act of 180 on page 18 of the draft report:
Electronic recordkeeping has been and will continue to be a
goyernmentwide priority under the Federal IRM Review Program.
Since management of electronic storage media falls within the
category of electronic recordkeeping, we believe that OMB
should address the issue within the context of electronic
recordkeeping in its future planning documents. Perhaps the
PCIE should make it clear to OMB that efficient management of
electronic storage media deserves recognition as a separate
priority category.
We also support the establishment of governmentwide guidelines
and standards in both of these areas by OMB, NSA, NES and GSA.
44
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
4 4
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8
APPENDIX G
LIST OF ACRONYMS
ABEND Abnormal End
ADP Automatic Data Processing
APF Authorized Program Facility
CA-ACF2 Computer Associates' Access Control Facility 2
CPU Central Processing Unit
CSA Common Service Area
CSRS Civil Service Retirement System
DOE Department of Energy
DOL Department of Labor
DOT Department of Transportation
FY Fiscal Year
GOCO Government-owned and Contractor-operated
GOGO Government-owned and Government-operated
GPO Government Printing Office
GSA General Services Administration
HHS Department of Health and Human Services
HUD Department of Housing and Urban Development
IBM International Business Machines Corporation
IPL Initial Program Load
ISPF Interactive Systems Productivity Facility
JES Job Entry Subsystem
MVS Multiple Virtual Storage
NAS National Advanced Systems
NASA National Aeronautics and Space Administration
NIST National Institute of Standards and Technology
NSA National Security Agency
OMB Office of Management and Budget
OPM Office of Personnel Management
PAS Problem Alert System
PCIE President's Council on Integrity and Efficiency
RACF Resource Access Control Facility
SMF System Management Facility
SMP System Modification Program
SQA System Queue Area
SVC Supervisor Call
USDA Department of Agriculture
VA Veterans Administration
VTOC Vol ume Table of Contents
45
Declassified and Approved For Release 2013/01/17: CIA-RDP90M01364R000800370002-8