Don't blame contractors solely for poor security

Several reports this year highlighted that agencies are doing a poor job with securing their contractor-managed IT systems, but one expert warns against putting the blame entirely on contractors.

For the past couple of years, several audits found that many agencies had not properly addressed IT security issues required by the Federal Information Security Management Act. Many agencies were also found to lack oversight of how contractors operated on their behalf. For example, a 2009 FISMA audit noted that the Agriculture Department failed to include several systems in the inventory of contractor systems.

Another IG report found that the Education Department's information systems security program had persistent vulnerabilities in areas including networks, security patch management and remote access software. For Education, a contractor had been tasked with the management of the IT systems. In 2007, Perot Systems, later acquired by Dell, won a contract to manage and provide all IT infrastructure services to the department under the Education Department Utility for Communications, Applications, and Technology Environment system. It was this program the IG found had operational, managerial, and technical security control weaknesses.

“If a contractor is building a system for you, especially if it’s a large system, it’s very hard, sometimes impossible to test it thoroughly,” said Shari Pfleeger, director of research for the Institute for Information Infrastructure Protection at Dartmouth College. Agencies therefore often have to rely on contractors’ reputation, but as far as their products go, once the shrink wrap is off, it’s often buyer beware, she said.

Almost all of the critical military data that has been lost was lost from contractor sites, not from the military itself, said Alan Paller, director of research at the SANS Institute. Part of the reason is that most data is held at contractor sites and attackers naturally target those locations, he said.

“But the fact that so much data has been taken from those sites makes it hard to trust that when [contractors] tell the government they are going to protect information, that it’s true,” Paller said.

The essential problem is one of manpower, he said, and specialized IT professionals come few and far between.

“What you got is not very many people with technical skills to do security and instead you got a lot of soft-skilled people,” Paller said. “That creates a situation where the contractors are not doing what the agencies want them to do in terms of security.”

But Pfleeger warned against placing the entire blame on contractors. “I don’t want to make it sound like everything is the contractor’s fault; sometimes, it has to do with differing expectations of the government agency and the contractor,” she said. “Sometimes, the people at the agency don’t even know the right questions to ask because they have underlying assumptions.”

One problem can be illustrated by the following example: An agency might ask a contractor if all the data is encrypted, and the contractor says yes. But there is a difference between data at rest and data in motion; data might be encrypted while stored in a database, but in motion, between transfer points, the data might no longer be encrypted, Pfleeger said.

“That’s when you have mismatched assumptions,” she said.
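The mismatch Pfleeger describes is easy to make concrete. What follows is an added example, not code from the article or from any agency or contractor it mentions: a small Python audit that takes a constructed list of the hops a record travels through and reports each one whose transport is not known to be encrypted, so "is the data encrypted?" gets answered per hop rather than with a single yes. The hop names, hostnames and URLs are assumptions made up for the illustration; only the PostgreSQL `sslmode` values are real libpq settings.

```python
# Added example (not from the article): audit each hop of a data flow for
# transport encryption. A "yes, it's encrypted" answer that covers the
# database volume says nothing about the network hops around it.
from urllib.parse import urlparse, parse_qs

# Schemes that carry data in the clear, and their TLS/SSH-protected counterparts.
CLEARTEXT_SCHEMES = {"http", "ftp", "ldap", "smtp", "imap", "telnet"}
ENCRYPTED_SCHEMES = {"https", "ftps", "ldaps", "smtps", "imaps", "sftp", "ssh"}

# For PostgreSQL the scheme alone says nothing; libpq's sslmode parameter
# decides. "prefer"/"allow" may fall back to cleartext, so they are not accepted.
# Only verify-ca / verify-full also authenticate the server certificate.
POSTGRES_SSLMODES_ENCRYPTED = {"require", "verify-ca", "verify-full"}


def hop_is_encrypted(url: str) -> bool:
    """Return True only when the URL's transport is known to be encrypted.

    Unknown schemes and databases without an explicit TLS setting are
    reported as unencrypted: the auditor should have to prove protection,
    not assume it.
    """
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    if scheme in ENCRYPTED_SCHEMES:
        return True
    if scheme in CLEARTEXT_SCHEMES:
        return False
    if scheme in ("postgresql", "postgres"):
        modes = parse_qs(parsed.query).get("sslmode", [])
        return bool(modes) and modes[-1].lower() in POSTGRES_SSLMODES_ENCRYPTED
    return False


def audit_flow(flow):
    """flow: list of (hop_name, url). Returns the names of hops sent in the clear."""
    return [name for name, url in flow if not hop_is_encrypted(url)]


# Constructed inventory (hypothetical hostnames): the database volume may well be
# encrypted at rest, but the record still crosses several network hops on its
# way to the analyst, and two of them are in the clear.
SAMPLE_FLOW = [
    ("ingest portal -> app server", "https://portal.agency.example/upload"),
    ("app server -> database", "postgresql://db.agency.example/records"),
    ("database -> reporting job",
     "postgresql://db.agency.example/records?sslmode=verify-full"),
    ("reporting job -> file share", "ftp://share.agency.example/reports/"),
    ("file share -> analyst workstation", "sftp://share.agency.example/reports/"),
]

if __name__ == "__main__":
    for hop in audit_flow(SAMPLE_FLOW):
        print("data in motion unencrypted:", hop)
```

Run against the constructed inventory, the audit names the app-to-database connection (no `sslmode`) and the FTP transfer to the file share; the TLS and SFTP hops pass. The useful habit is the shape of the question: not "is the data encrypted?" but "on which hops, and how do we know?"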

About the Author

Camille Tuutti is a former FCW staff writer who covered federal oversight and the workforce.
