GAO: Feds need to keep closer eye on IT contractors

GAO on Information Security: Improving Oversight of Access to Federal Systems and Data

A recent internal audit found federal agencies lax in holding contractors responsible for computer systems and network security.

Government Accountability Office auditors found that only five of 24 executive branch agencies had developed policies for ensuring that federal contractors protect government information on computer networks, according to a report that GAO released today.

Federal agencies have few resources at their disposal for holding contractors accountable for the security of government information on systems and networks that contractors control, the auditors found. Three tools that agency officials use to oversee contractors — contracts, oversight policies and self-assessments — have been relatively ineffective at preventing the risks posed by contractor operations, the report states.

Those risks include unnecessary exposure to worms and viruses, weak system access controls and unauthorized release or use of government information.

Auditors found that efforts to update language in the Federal Acquisition Regulation to include information security requirements that became law in 2002 are still unfinished. They recommended that the Office of Management and Budget director ensure that the FAR is updated to incorporate the 2002 Federal Information Security Management Act’s provisions.

Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee, released a statement on the GAO report that said his committee will examine OMB’s efforts to update the FAR to include stricter information security requirements in government contracts. “OMB needs to complete this important step to secure the government's systems,” he said.

In other recommendations, GAO auditors proposed that the National Institute of Standards and Technology develop a governmentwide guidance document to help agencies oversee contractors’ information security policies, procedures and practices. NIST officials have agreed to develop the guidelines.

Davis and former House Government Reform Committee member Adam Putnam (R-Fla.) requested the GAO study.

A Federal Computer Week investigation of federal agencies and vendors last year found wireless vulnerabilities among contractors.
