Don't blame contractors solely for poor security

Several reports this year highlighted that agencies are doing a poor job with securing their contractor-managed IT systems, but one expert warns against putting the blame entirely on contractors.

For the past couple of years, several audits found that many agencies had not properly addressed IT security issues required by the Federal Information Security Management Act. Many agencies were also found to lack oversight of how contractors operated on their behalf. For example, a 2009 FISMA audit noted that the Agriculture Department failed to include several systems in the inventory of contractor systems.

Another IG report found that the Education Department's information systems security program had persistent vulnerabilities in areas including networks, security patch management and remote access software. For Education, a contractor had been tasked with the management of the IT systems. In 2007, Perot Systems, later acquired by Dell, won a contract to manage and provide all IT infrastructure services to the department under the Education Department Utility for Communications, Applications, and Technology Environment system. It was this program the IG found had operational, managerial, and technical security control weaknesses.

“If a contractor is building a system for you, especially if it’s a large system, it’s very hard, sometimes impossible to test it thoroughly,” said Shari Pfleeger, director of research for the Institute for Information Infrastructure Protection at Dartmouth College. Agencies therefore often have to rely on contractors’ reputation, but as far as their products go, once the shrink wrap is off, it’s often buyer beware, she said.

Almost all of the critical military data that has been lost was lost from contractor sites, not from the military itself, said Alan Paller, director of research at the SANS Institute. Part of the reason is that most data is held at contractor sites and attackers naturally target those locations, he said.

“But the fact that so much data has been taken from those sites makes it hard to trust that when [contractors] tell the government they are going to protect information, that it’s true,” Paller said.

The essential problem is one of manpower, he said, and specialized IT security professionals are few and far between.

“What you got is not very many people with technical skills to do security and instead you got a lot of soft-skilled people,” Paller said. “That creates a situation where the contractors are not doing what the agencies want them to do in terms of security.”

But Pfleeger warned against placing the entire blame on contractors. “I don’t want to make it sound like everything is the contractor’s fault; sometimes, it has to do with differing expectations of the government agency and the contractor,” she said. “Sometimes, the people at the agency don’t even know the right questions to ask because they have underlying assumptions.”

One problem can be illustrated by the following example: An agency might ask a contractor whether all the data is encrypted, and the contractor says yes. But there is a difference between data at rest and data in motion; the data might be encrypted while stored in a database, yet in motion, between transfer points, it might no longer be encrypted, Pfleeger said.

“That’s when you have mismatched assumptions,” she said.
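An added illustration of the mismatched-assumptions problem Pfleeger describes (example code written for this article, not from any agency or contractor named in it). It models a constructed data path with hypothetical segment names and shows how the narrow question "is the stored data encrypted?" and the broader question "is the data encrypted everywhere it sits or travels?" give different answers for the same system.

```python
from dataclasses import dataclass

# Constructed model of one data path through a system: each segment is a
# place the data sits (at rest) or a hop it travels (in motion), with a flag
# for whether that segment protects it. Segment names are hypothetical.
@dataclass(frozen=True)
class Segment:
    name: str
    kind: str          # "at_rest" or "in_motion"
    encrypted: bool

# Constructed sample path: storage is encrypted, the transfers are not.
SAMPLE_PATH = [
    Segment("primary database", "at_rest", True),
    Segment("database -> application server", "in_motion", False),
    Segment("application server -> reporting export", "in_motion", False),
    Segment("reporting file share", "at_rest", True),
]

def contractor_answer(path):
    """Narrow reading of 'is all the data encrypted?': checks storage only."""
    return all(s.encrypted for s in path if s.kind == "at_rest")

def agency_expectation(path):
    """Broad reading: every segment, at rest and in motion, must be encrypted."""
    return all(s.encrypted for s in path)

def plaintext_segments(path):
    """Name each segment where data is exposed, so the gap is explicit."""
    return [s.name for s in path if not s.encrypted]

def audit_questions(path):
    """Turn the path into the specific questions an agency should ask,
    one per segment, instead of a single yes/no about 'the data'."""
    return [f"Is data encrypted {'while stored in' if s.kind == 'at_rest' else 'while moving over'} "
            f"{s.name}?" for s in path]

if __name__ == "__main__":
    print("contractor says all encrypted:", contractor_answer(SAMPLE_PATH))
    print("agency expectation met:", agency_expectation(SAMPLE_PATH))
    for name in plaintext_segments(SAMPLE_PATH):
        print("plaintext segment:", name)
    for q in audit_questions(SAMPLE_PATH):
        print("ask:", q)
```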

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.
