Insecurity alert

GAO recommends better oversight of companies' information security practices

Information Security: Improving Oversight of Access to Federal Systems and Data by Contractors Can R

Contractors may have to take more responsibility for ensuring the security of the computer systems and networks they use in the course of performing contracted work, which could increase their costs.

Internal auditors have shone new light on a gap in federal contracting law that, if it were closed, might add such costs to federal information technology contracts. But no one can yet say who would pay those costs — contractors or the federal agencies that hire them.

The Government Accountability Office's recommendations for additional security oversight could make managing federal IT contracts a more expensive proposition for businesses, experts say.

GAO's auditors found that federal agencies are often lax in holding contractors responsible for the security of the computer systems and networks that they own or manage, and they blamed the problem partly on a lack of relevant contracting language in the Federal Acquisition Regulation. Efforts to update the FAR to include information security requirements that became law in 2002 have never been completed.

The GAO auditors recommended that the Office of Management and Budget's director focus on updating the FAR to incorporate provisions of the 2002 Federal Information Security Management Act (FISMA). Rep. Tom Davis (R-Va.), who requested the GAO study, went further and chided OMB in a statement.

Davis, chairman of the House Government Reform Committee, said his committee will review OMB's efforts to update the FAR. "OMB needs to complete this important step to secure the government's systems," he said.

Davis referred to contractor systems as "potential Trojan horses for cyberattacks unless more is done."

FISMA applies to federal agencies and their contractors, but not all contractors are aware of that, said Jody Westby, managing director at PricewaterhouseCoopers. FISMA requires re-evaluating and testing information security policies, procedures and practices at least once a year, a process that must include every major information system's management, operational and technical controls.

The law also requires federal contractors to set up procedures for detecting, reporting and responding to information security incidents and to have plans and procedures to operate after a major disruption or disaster that might destroy an agency's or contractor's primary information systems.

Renny DiPentima, president and chief executive officer of SRA International, said the solutions company began preparing to comply with FISMA almost immediately after it was enacted. As a result, any additional security language in the FAR would have little effect on how SRA employees do their work under federal contracts, he said.

But, he added, for those companies that have not focused on FISMA compliance internally, the certification requirements and oversight probably would add costs to federal contracting.

Pat Schambach, senior vice president and general manager of e-government and infrastructure solutions at PEC Solutions, said he is concerned that a stronger contractual emphasis on security controls could inadvertently shut out some contractors and prevent them from doing business with the federal government.

"I hope the GAO report and resulting OMB actions produce the right outcomes," he said.

"The answer is to put the correct controls in place to manage the risk, not unlike what agencies do to manage the risks of their own employees having access to sensitive information," Schambach said.

Others say that updating the FAR would improve security and help protect government information.

GAO prescribes more contractor oversight

Federal agencies have few resources at their disposal for holding contractors accountable for the security of information on systems and networks that contractors control, according to a report the Government Accountability Office released last month.

To help agencies improve their oversight of contractors, GAO recommended:

  • Updating the Federal Acquisition Regulation to ensure that contractors are complying with the Federal Information Security Management Act's requirements.
  • Developing additional oversight policies on an agency-by-agency basis for protecting information to which contractors have access.
  • Having the National Institute of Standards and Technology develop guidelines to help agencies improve their oversight of contractors' information security policies, procedures and practices.

Source: Government Accountability Office
