GAO: Feds need to keep closer eye on IT contractors

GAO on Information Security: Improving Oversight of Access to Federal Systems and Data

A recent internal audit found federal agencies lax in holding contractors responsible for computer systems and network security.

Government Accountability Office auditors found that only five of 24 executive branch agencies had developed policies for ensuring that federal contractors protect government information on computer networks, according to a report that GAO released today.

Federal agencies have few resources at their disposal for holding contractors accountable for the security of government information on systems and networks that contractors control, the auditors found. Three tools that agency officials use to oversee contractors — contracts, oversight policies and self-assessments — have been relatively ineffective at preventing the risks posed by contractor operations, the report states.

Those risks include unnecessary exposure to worms and viruses, weak system access controls and unauthorized release or use of government information.

Auditors found that efforts to update language in the Federal Acquisition Regulation to include information security requirements that became law in 2002 are still unfinished. They recommended that the Office of Management and Budget director ensure that the FAR is updated to incorporate the 2002 Federal Information Security Management Act’s provisions.

Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, released a statement on the GAO report that said his committee will examine OMB’s efforts to update the FAR to include stricter information security requirements in government contracts. “OMB needs to complete this important step to secure the government's systems,” he said.

In other recommendations, GAO auditors proposed that the National Institute of Standards and Technology develop a governmentwide guidance document to help agencies oversee contractors’ information security policies, procedures and practices. NIST officials have agreed to develop the guidelines.

Davis and former House Government Reform Committee member Adam Putnam (R-Fla.) requested the GAO study.

A Federal Computer Week investigation of federal agencies and vendors last year found wireless vulnerabilities among contractors.
