GAO recommends better oversight of companies' information security practices
Information Security: Improving Oversight of Access to Federal Systems and Data by Contractors Can R
Contractors may have to take more responsibility ensuring the security of the computer systems and networks they use in the course of performing contracted work, which could increase their costs.
Internal auditors have shone new light on a gap in federal contracting law that, if it were closed, might add such costs to federal information technology contracts. But no one can yet say who would pay those costs contractors or the federal agencies that hire them.
The Government Accountability Office's recommendations for additional security oversight could make managing federal IT contracts a more expensive proposition for businesses, experts say.
GAO's auditors found that federal agencies are often lax in holding contractors responsible for the security of the computer systems and networks that they own or manage, and they blamed the problem partly on a lack of relevant contracting language in the Federal Acquisition Regulation. Efforts to update the FAR to include information security requirements that became law in 2002 have never been completed.
The GAO auditors recommended that the Office of Management and Budget's director focus on updating the FAR to incorporate provisions of the 2002 Federal Information Security Management Act (FISMA). Rep. Tom Davis (R-Va.), who requested the GAO study, went further and chided OMB in a statement.
Davis, chairman of the House Government Reform Committee, said his committee will review OMB's efforts to update the FAR. "OMB needs to complete this important step to secure the government's systems," he said.
Davis referred to contractor systems as "potential Trojan horses for cyberattacks unless more is done."
FISMA applies to federal agencies and their contractors, but not all contractors are aware of that, said Jody Westby, managing director at PricewaterhouseCoopers. FISMA requires re-evaluating and testing information security policies, procedures and practices at least once a year, a process that must include every major information system's management, operational and technical controls.
The law also requires federal contractors to set up procedures for detecting, reporting and responding to information security incidents and to have plans and procedures to operate after a major disruption or disaster that might destroy an agency's or contractor's primary information systems.
Renny DiPentima, president and chief executive officer of SRA International, said the solutions company began preparing to comply with FISMA almost immediately after it was enacted. As a result, any additional security language in the FAR would have little effect on how SRA employees do their work under federal contracts, he said.
But, he added, for those companies that have not focused on FISMA compliance internally, the certification requirements and oversight probably would add costs to federal contracting.
Pat Schambach, senior vice president and general manager of e-government and infrastructure solutions at PEC Solutions, said he is concerned that a stronger contractual emphasis on security controls could inadvertently shut out some contractors and prevent them from doing business with the federal government.
"I hope the GAO report and resulting OMB actions produce the right outcomes," he said.
"The answer is to put the correct controls in place to manage the risk, not unlike what agencies do to manage the risks of their own employees having access to sensitive information," Schambach said.
Others say that updating the FAR would improve security and help protect government information.