Don't blame contractors solely for poor security

Several reports this year highlighted that agencies are doing a poor job with securing their contractor-managed IT systems, but one expert warns against putting the blame entirely on contractors.

For the past couple of years, several audits found that many agencies had not properly addressed IT security issues required by the Federal Information Security Management Act. Many agencies were also found to lack oversight of how contractors operated on their behalf. For example, a 2009 FISMA audit noted that the Agriculture Department failed to include several systems in the inventory of contractor systems.

Another IG report found that the Education Department's information systems security program had persistent vulnerabilities in areas including networks, security patch management and remote access software. For Education, a contractor had been tasked with the management of the IT systems. In 2007, Perot Systems, later acquired by Dell, won a contract to manage and provide all IT infrastructure services to the department under the Education Department Utility for Communications, Applications, and Technology Environment system. It was this program the IG found had operational, managerial, and technical security control weaknesses.

“If a contractor is building a system for you, especially if it’s a large system, it’s very hard, sometimes impossible, to test it thoroughly,” said Shari Pfleeger, director of research for the Institute for Information Infrastructure Protection at Dartmouth College. Agencies therefore often have to rely on contractors’ reputations, but as far as their products go, once the shrink wrap is off, it’s often buyer beware, she said.

Almost all of the critical military data that has been lost was lost from contractor sites, not from the military itself, said Alan Paller, director of research at the SANS Institute. Part of the reason is that most data is held at contractor sites and attackers naturally target those locations, he said.

“But the fact that so much data has been taken from those sites makes it hard to trust that when [contractors] tell the government they are going to protect information, that it’s true,” Paller said.

The essential problem is one of manpower, he said, and specialized IT security professionals are few and far between.

“What you got is not very many people with technical skills to do security and instead you got a lot of soft-skilled people,” Paller said. “That creates a situation where the contractors are not doing what the agencies want them to do in terms of security.”

But Pfleeger warned against placing the entire blame on contractors. “I don’t want to make it sound like everything is the contractor’s fault; sometimes, it has to do with differing expectations of the government agency and the contractor,” she said. “Sometimes, the people at the agency don’t even know the right questions to ask because they have underlying assumptions.”

One problem can be illustrated by the following example: An agency might ask a contractor whether all the data is encrypted, and the contractor says yes. But there is a difference between data at rest and data in motion: data might be encrypted while stored in a database, yet once it is read out and sent between transfer points, it might no longer be encrypted, Pfleeger said.

“That’s when you have mismatched assumptions,” she said.
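As an added illustration (not part of the article, and not code from any agency or contractor named in it), the Python script below models the mismatch Pfleeger describes: a record is encrypted before it is written to the database, so "encrypted at rest" is true, but the service that reads it decrypts it and writes it to a plain connection, so an observer on the network path sees the sensitive field. The audit function splits the single "is it encrypted?" question into the two questions it hides. Keys, the sample record and the HTTP framing are constructed for the example; the HMAC-based cipher is a standard-library stand-in for a real AEAD (AES-GCM) and for a TLS session, used only so the script runs offline.

```python
# Added example: at-rest vs in-motion encryption audit. Standard library only.
# The HMAC-SHA256 counter keystream plus HMAC tag is a toy stand-in for
# AES-GCM (at rest) and for a TLS session (in motion); use a real AEAD/TLS
# in practice. Keys and the record are constructed sample data.
import hashlib
import hmac
import json
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from one root key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (toy stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce(12) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(12)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raises ValueError on tampering."""
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def store_record(db_key: bytes, record: dict) -> bytes:
    """What lands in the database column: ciphertext, so 'encrypted at rest' holds."""
    return encrypt(db_key, json.dumps(record).encode())


def serve_plain(db_key: bytes, stored: bytes) -> bytes:
    """Service decrypts the row and writes it to a plain HTTP connection.
    Returns the bytes an observer on the network path would capture."""
    body = decrypt(db_key, stored)
    return b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n" + body


def serve_tunneled(db_key: bytes, session_key: bytes, stored: bytes) -> bytes:
    """Same service behind an encrypted transport (session_key stands in for TLS)."""
    return encrypt(session_key, serve_plain(db_key, stored))


def audit(sensitive: str, at_rest: bytes, on_wire: bytes) -> dict:
    """Answer both questions hidden behind 'is all the data encrypted?'."""
    needle = sensitive.encode()
    return {
        "encrypted_at_rest": needle not in at_rest,
        "encrypted_in_motion": needle not in on_wire,
    }


if __name__ == "__main__":
    db_key = secrets.token_bytes(32)
    session_key = secrets.token_bytes(32)
    record = {"name": "J. Doe", "ssn": "123-45-6789"}  # constructed sample record
    row = store_record(db_key, record)
    print(audit(record["ssn"], row, serve_plain(db_key, row)))
    # {'encrypted_at_rest': True, 'encrypted_in_motion': False}
    print(audit(record["ssn"], row, serve_tunneled(db_key, session_key, row)))
    # {'encrypted_at_rest': True, 'encrypted_in_motion': True}
```

The point of the script is the shape of the audit, not the toy cipher: a contractor answering "yes, encrypted" can be telling the truth about the database column while the same value crosses the network in the clear, so the agency's question has to name each state (at rest, in motion, and in use) separately and be verified against what is actually observable on disk and on the wire.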

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.


Reader comments

Wed, Jan 4, 2012

Taking the BLAME for anything that goes wrong is what contractors are hired for. The Feds that demand systems run in particular ways are never wrong, it is always the contractors that misunderstood what their Fed Boss thought he wanted.

Wed, Jan 4, 2012 OccupyIT

Happy New Year! Time to dole out the generalities and make policy decisions based on emotions - business as usual! Sometimes we [assume] that software built under contract, unlike all other products produced by mankind, carries with it an unlimited warranty against all possible future events that can scare us (likely: script kitties; and unlikely: nuclear attack). As a result I have seen many USG COs refuse to allow contractors to schedule security reviews, address identified vulnerabilities through software maintenance, or rework software when underlying libraries change. I have also seen awards to supposed software development contractors that were simply unqualified children with access to keyboards. Hire CMMI-3 firms with network and development staff with security certifications and budget for ongoing security reviews and updates - it isn't hard unless thinking is hard for you. Good luck buying silver bullets in the open market! They cost more (and work less) than talent...

Tue, Dec 27, 2011 The Free Market

"The essential problem is one of manpower, he said, and specialized IT professionals come few and far between." Unfortunately Congress does not seem to understand that the hiring of specialized talent is subject to the law of supply and demand. When the demand for a particular skill set is high and the supply is low, the cost to hire that skill set goes up. The price you have to pay is not something that Congress can mandate, nor is it something they can freeze. If Congress is unwilling to pay what the market demands for these people, then the Federal Government is just going to have to do without them. Of course what is more likely to happen is that the Government will have to contract out for these skills, probably at a much higher price tag than it would have cost to just hire them in as full time employees. This way Congress gets to say they've reduced the Federal workforce, while making sure they get to funnel plenty of taxpayer money to the contracting firms owned by their donors, buddies and relatives.

Fri, Dec 23, 2011

I believe that where the decision makers in the government are most to blame is in their discretion about which aspects of our country's infrastructure are doled out to contractors. Let's face it, if information security is one of the primary important factors in the foundation of our country's infrastructure today and we put it in the hands of a commercial company whose primary objectives and motivations are to make money, we've got a fundamental value conflict at hand with our country's security and safety at stake. Couple this with the present constant pressure on management in our governmental agencies to cut costs so that we look good right now for the bean counters who have no real forethought of the dynamic consequences to security and you've got a lethal combination for continual bad decision making.

My suggestion is to keep these aspects to our information security in-house. Train our own people whose values are the same at all levels if not for anything else but simply because these people want to keep their jobs with the government. They have more at stake if there are any security breaches. They're connected much more deeply than the contractor. It is worth the up-front costs for the long term returns on investment.
