"This letter summarizes the results of our recent review of software change controls at the Department of State. Controls over access to and modification of software are essential in providing reasonable assurance that system-based security controls are not compromised. […] [W]e suggest that you review State's software change control policies and procedures and consider adopting industry best practices such as the Carnegie Mellon University Software Engineering Institute's Capability Maturity Model for Software. In addition, we suggest that you review related contract oversight and personnel policies and practices and implement any changes that you deem necessary. Because we also identified software control weaknesses at other agencies covered by our review, we have recommended that OMB clarify its guidance to agencies regarding software change controls as part of broader revisions that OMB is currently developing to Circular A-130, Management of Federal Information Resources."
Government Accountability Office (GAO): http://www.gao.gov/