GAO: Feds need to keep closer eye on IT contractors
- By Florence Olsen
- May 23, 2005
GAO on Information Security: Improving Oversight of Access to Federal Systems and Data
A recent internal audit found federal agencies lax in holding contractors responsible for computer systems and network security.
Government Accountability Office auditors found that only five of 24 executive branch agencies had developed policies for ensuring that federal contractors protect government information on computer networks, according to a report that GAO released today.
Federal agencies have few resources at their disposal for holding contractors accountable for the security of government information on systems and networks that contractors control, the auditors found. Three tools that agency officials use to oversee contractors — contracts, oversight policies and self-assessments — have been relatively ineffective at preventing the risks posed by contractor operations, the report states.
Those risks include unnecessary exposure to worms and viruses, weak system access controls and unauthorized release or use of government information.
Auditors found that efforts to update language in the Federal Acquisition Regulation to include information security requirements that became law in 2002 are still unfinished. They recommended that the Office of Management and Budget director ensure that the FAR is updated to incorporate the 2002 Federal Information Security Management Act’s provisions.
Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, released a statement on the GAO report that said his committee will examine OMB’s efforts to update the FAR to include stricter information security requirements in government contracts. “OMB needs to complete this important step to secure the government's systems,” he said.
In other recommendations, GAO auditors proposed that the National Institute of Standards and Technology develop a governmentwide guidance document to help agencies oversee contractors’ information security policies, procedures and practices. NIST officials have agreed to develop the guidelines.
Davis and former House Government Reform Committee member Adam Putnam (R-Fla.) requested the GAO study.
A Federal Computer Week investigation of federal agencies and vendors last year found wireless vulnerabilities among contractors.