GAO-05-362, Information Security: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk


This is the accessible text file for GAO report number GAO-05-362 
entitled 'Information Security: Improving Oversight of Access to 
Federal Systems and Data by Contractors Can Reduce Risk' which was 
released on May 23, 2005. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

April 2005: 

Information Security: 

Improving Oversight of Access to Federal Systems and Data by 
Contractors Can Reduce Risk: 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-05-362]: 

GAO Highlights: 

Highlights of GAO-05-362, a report to congressional requesters: 

Why GAO Did This Study: 

The federal government relies extensively on information technology 
services and systems provided by contractors. The Federal Information 
Security Management Act of 2002 (FISMA) requires agencies to establish 
information security programs that extend to contractors and other 
users of federal data and systems, such as grantees, state and local 
governments, and research and educational institutions. 

GAO was asked to (1) describe the information security risks associated 
with contractors and users with privileged access to federal data and 
systems; (2) identify methods federal agencies use to ensure security 
of information and systems provided or used by contractors and other 
users with privileged access to federal data; and (3) determine what 
steps the administration is taking to ensure implementation and 
oversight of security of federal information and systems provided or 
used by contractors and other users with privileged access. 

What GAO Found: 

Contractors and users with privileged access to federal data and 
systems provide valuable services that contribute to the efficient 
functioning of the government, but they present a range of related 
risks that must be managed effectively. Most agencies recognize risks 
to the confidentiality, integrity, and availability of their 
information and systems associated with the use of contractors and 
other users with privileged access to federal data and systems. In 
addition, agencies reported specific risks when contractors develop 
software or perform work at off-site facilities. 

Agencies use contracts, policies, and self-assessments as methods to 
ensure information security oversight of contractors; however, each 
method has limitations and needs further strengthening. For example, 
most agencies have not incorporated FISMA requirements, such as annual 
testing of controls, into their contract language. Additionally, most 
of the 24 major agencies reported having policies for contractors and 
users with privileged access to federal data and systems; however, 
GAO’s analysis of submitted agency policies found that only 5 agencies 
had established specific information security oversight policies (see 
figure). Finally, while the majority of agencies reported using a 
National Institute of Standards and Technology self-assessment tool to 
review contractor security capabilities, only 10 agencies reported 
using the tool to assess users with privileged access to federal data 
and systems, which may expose federal data to increased risk. 

The administration continues in its efforts to improve information 
security oversight of contractors, but challenges remain. For example, 
efforts to update the Federal Acquisition Regulation to address 
information security have been under way since 2002, but are not 
complete. OMB continues to gather data about the number of agency 
systems, including those that are operated by contractors and how many 
have been reviewed. However, the submitted data showed that several 
agencies disagreed internally on the number of contractor or agency 
systems. Finally, federal agencies could benefit from unified guidance 
for overseeing information security of contractors and privileged users 
of federal data and systems. 

Major Agencies with Security Policies for Contractors, Privileged Users 
of Federal Data and Systems, and Contractor Security Oversight: 

[See PDF for image]

[End of figure]

What GAO Recommends: 

GAO recommends that the Office of Management and Budget (OMB) ensure 
that the Federal Acquisition Regulation aligns with FISMA and that 
agencies develop contractor oversight policies We also recommend that 
the Commerce develop unified guidance. OMB and Commerce generally 
agreed with the results of this report. 

www.gao.gov/cgi-bin/getrpt?GAO-05-362. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Gregory C. Wilshusen 
(202) 512-3317 or wilshuseng@gao.gov. 

[End of section]

Contents: 

Letter: 

Results in Brief: 

Background: 

Federal Agencies Face a Range of Risks from Contractors and Other Users 
of Federal Data and Systems: 

Agencies Use Various Methods for Overseeing Contractor Security: 

Administration Efforts to Improve Information Security of Contractors 
Continue, but Challenges Remain: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments on Our Evaluation: 

Appendixes: 

Appendix I: Objectives, Scope, and Methodology: 

Appendix II: Comments from the Department of Commerce: 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Staff Acknowledgments: 

Tables: 

Table 1: Examples of Agency-Identified Risks to Federal Systems and 
Data Resulting from Reliance on Contractors: 

Table 2: The FAR Privacy or Security Safeguards Contract Language: 

Table 3: Number of Contractor Facilities and Operations Reported in 
Fiscal Year 2004: 

Figures: 

Figure 1: Federal Sources for Addressing Information Security Oversight 
of Contractor-Delivered IT Systems and Services: 

Figure 2: Major Agencies with Security Policies for Contractors, 
Privileged Users of Federal Data and Systems, and Contractor Security 
Oversight: 

Figure 3: Total Contractor Facilities and Number of Facilities Reviewed 
for 23 Federal Agencies in Fiscal Years 2002-2004: 

Abbreviations: 

CFO: chief financial officer: 

DOD: Department of Defense: 

FAR: Federal Acquisition Regulation: 

FISMA: Federal Information Security Management Act of 2002: 

GSA: General Services Administration: 

IT: information technology: 

NIST: National Institute of Standards and Technology: 

OMB: Office of Management and Budget: 

Letter April 22, 2005: 

The Honorable Tom Davis: 
Chairman, Committee on Government Reform: 
House of Representatives: 

The Honorable Adam Putnam: 
House of Representatives: 

The federal government increasingly relies on information technology 
(IT) systems to provide essential services affecting the health, 
economy, and defense of the nation. To assist in providing these 
important services, the federal government relies extensively on 
contractors to provide IT services and systems. In addition to 
contractors that provide systems and services to the federal 
government, other organizations possess or use federal information or 
have access to federal information systems. These other organizations 
with privileged access to federal data and systems can include 
grantees, state and local governments, and research and educational 
institutions. 

The Office of Management and Budget (OMB) cited contractor security as 
a governmentwide challenge in a 2001 information security report to 
Congress. Recognizing the need for agencies to have effective 
information security programs, Congress passed the Federal Information 
Security Management Act of 2002 (FISMA), which provides the overall 
framework for ensuring the effectiveness of information security 
controls that support federal operations and assets. FISMA requirements 
apply to all federal contractors and organizations or sources that 
possess or use federal information or that operate, use, or have access 
to federal information systems on behalf of an agency. 

Our objectives were to (1) describe the information security risks 
associated with the federal government's reliance on contractor- 
provided IT systems and services and other users with privileged access 
to federal data and systems; (2) identify methods used by federal 
agencies to ensure security of information and information systems that 
are operated, used, or accessed by contractors and other users with 
privileged access to federal data; and (3) discuss steps the 
administration is taking to ensure implementation and oversight of 
security of information and information systems that are operated, 
used, or accessed by contractors and other users with privileged access 
to federal data and systems. 

To accomplish our review, we surveyed the 24 Chief Financial Officers 
Act (CFO) agencies[Footnote 1] regarding their policies and procedures 
for overseeing contractor security. We analyzed documentation submitted 
by the federal agencies and interviewed relevant officials in OMB, the 
General Services Administration (GSA), the Federal Acquisition 
Regulation Council, the National Institute of Standards and Technology 
(NIST), and private sector officials in the banking and finance 
industries. We conducted our work between August 2004 and March 2005 in 
accordance with generally accepted government auditing standards. 
Details of our objectives, scope, and methodology are included in 
appendix I. 

Results in Brief: 

Contractors and users with privileged access to federal data and 
systems provide valuable services that contribute to the efficient 
functioning of the government, but a range of risks (including 
operational, strategic, and legal) must be managed effectively. Most 
agencies recognize risks to the confidentiality, integrity, and 
availability of their information and systems associated with the use 
of contractors and other users with privileged access to federal data 
and systems. For example, malicious code can be inserted into agency 
software and systems. In addition, agencies also reported specific 
risks when contractors develop software or perform work at off-site 
facilities. Federal agencies reported additional risks to their 
operations posed by other users with privileged access to federal data 
and systems, such as lack of controlled network connections, poor 
access controls, and the introduction of viruses and worms.[Footnote 2]

Agencies use contracts, policies, and self-assessments for ensuring 
information security oversight of contractors; however, each of these 
methods has limitations and needs further strengthening. Most agencies 
reported using contract language to establish information security 
requirements for contractors. However, agency-provided contract 
language generally did not address key elements of FISMA, such as 
annual testing of controls. In addition, the majority of agencies 
reported having information security policies for contractors and 
almost two-thirds of the agencies reported having such policies for 
other users with privileged access to federal data. Yet our analysis of 
agency-provided policies found that only 5 agencies had established 
policies that specifically addressed information security oversight of 
contractor-provided systems. Finally, the majority of agencies reported 
using the NIST self-assessment tool to assess contractor security 
capabilities. However, only 10 reported using the tool to assess the 
security implemented by other users with privileged access to federal 
data. 

The administration continues in its efforts to improve information 
security oversight of contractors, but challenges remain. For example, 
efforts to update the Federal Acquisition Regulation (FAR) to include 
the information security requirements of FISMA (which would be 
reflected in all relevant government contracts) have been under way 
since 2002, but are not yet complete. OMB continues to gather data 
about the number of agency systems, including those that are operated 
by contractors, and how many have been reviewed using a self-assessment 
tool. However, the data submitted showed that several agencies' chief 
information officers and inspectors general disagreed on the number of 
contractor or agency systems by as many as 100 systems or more. In 
addition, the data collected by OMB does not address other users with 
privileged access to federal data or the quality of the self 
assessments. Finally, NIST has developed guidance, parts of which are 
relevant to contractor security oversight. However, unified 
governmentwide guidance for overseeing information security of 
contractors and other users with privileged access to federal data and 
systems has not been issued. 

We are making recommendations to the Director of OMB to ensure that (1) 
the FAR update efforts complement agency security management efforts 
required by FISMA; (2) federal agencies develop policies for 
information security oversight of contractors and other users with 
privileged access to federal data; and (3) agencies review the security 
of other users with privileged access to federal data and systems. 
Additionally, we are making recommendations to the Secretary of 
Commerce to develop a unified set of guidance to assist agencies in 
developing appropriate information security policies for managing risks 
related to contractors and other users with privileged access to 
federal data and systems. 

In commenting on a draft of this report, OMB officials provided oral 
comments that generally agreed with the results of this report. 
Additionally, the Deputy Secretary of Commerce provided written 
comments that agreed with our findings and stated that the department 
is planning to develop a consolidated framework for contractor-related 
guidelines. 

Background: 

The U.S. government is one of the largest users and acquirers of data, 
information, and supporting technology systems in the world, and plans 
to invest approximately $65 billion annually on IT. These investments 
include the acquisition of IT services and systems from thousands of 
contractors.[Footnote 3] The ability to contract for technology 
services can allow an agency to obtain or offer enhanced services 
without the cost of owning the required technology or maintaining the 
human capital required to deploy and operate it. The systems and 
services provided by contractors include computer and telecommunication 
systems and services, as well as the testing, quality control, 
installation, and operation of computer equipment. Additionally, 
contractors provide services and systems to agencies by: 

* providing IT services and systems at agency facilities;

* providing IT services and systems on behalf of the agency at 
contractor facilities;

* providing IT services and systems to an agency via remote access; 
and: 

* developing or maintaining IT systems or software. 

In its fiscal year 2001 report to Congress on federal government 
information security reform, OMB identified poor security oversight of 
contractor-provided IT systems and services as a common governmentwide 
challenge. In that report, OMB stated that IT contracts should include 
adequate security requirements, but that many agencies had reported no 
security controls in contracts or no verification that contractors 
fulfill any requirements that are in place. 

Federal Law and Policy Address Planning and Oversight for Information 
Security: 

Information security is an essential component of the acquisition, 
development, management, and oversight of IT systems and services 
delivered by contractors. When relying on contractors, a federal agency 
transfers operational responsibilities for performing one or more IT 
service(s) to one or more external providers. However, the overall 
responsibility and accountability for securing the information and 
systems remains with the federal agency (see fig. 1). 

Figure 1: Federal Sources for Addressing Information Security Oversight 
of Contractor-Delivered IT Systems and Services: 

[See PDF for image] 

[End of figure] 

As depicted in figure 1, federal sources for addressing information 
security oversight of contractor-delivered IT systems and services are 
as follows: 

* FAR: emphasizes basic planning for the acquisition process;[Footnote 
4]

* FISMA: requires an agencywide information security program that 
extends to contractors and other users with privileged access to 
federal data and systems;[Footnote 5] and: 

* NIST standards and guidance and OMB guidance: assist agencies in 
establishing necessary security programs. 

The FAR Emphasizes Planning and Includes Certain Information Security 
Requirements: 

The FAR emphasizes planning and includes certain specific information 
security requirements and provides the primary regulation for federal 
executive agencies in their acquisition of IT supplies and services 
with appropriated funds. 

Additionally, in implementing federal privacy requirements, agencies 
are to ensure that contracts for the design, development, or operation 
of records systems using commercial IT services or support services 
include the following: 

* agency rules of conduct that the contractor and the contractor's 
employees shall be required to follow;

* a list of the anticipated threats and hazards that the contractor 
must guard against;

* a description of the safeguards that the contractor must specifically 
provide; and: 

* requirements for a program of government inspection during 
performance of the contract that will ensure the continued efficacy and 
efficiency of safeguards and the discovery and countering of new 
threats and hazards. 

The FAR requires agencies to ensure that IT contracts address privacy 
protections in accordance with the Privacy Act.[Footnote 6]

FISMA Implementation Extends to Federal Contractors and Others: 

FISMA requires each agency to develop, document, and implement an 
agencywide information security program to protect information and 
information systems, including those provided or managed by another 
agency, contractor, or accessed by other users with privileged access 
to federal data. Specifically, this information security program is to 
include the following: 

* periodic assessments of the risk and magnitude of harm that could 
result from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of information or information systems;

* risk-based policies and procedures that cost-effectively reduce 
information security risks to an acceptable level and ensure that 
information security is addressed throughout the life cycle of each 
information system;

* subordinate plans for providing adequate information security for 
networks, facilities, and systems or groups of information systems;

* security awareness training for agency personnel, including 
contractors and other users of information systems that support the 
operations and assets of the agency;

* periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices, performed with a 
frequency depending on risk, but no less than annually, and that 
includes testing of management, operational, and technical controls for 
every system identified in the agency's required inventory of major 
information systems;

* a process for planning, implementing, evaluating, and documenting 
remedial action to address any deficiencies in the information security 
policies, procedures, and practices of the agency;

* procedures for detecting, reporting, and responding to security 
incidents; and: 

* plans and procedures to ensure continuity of operations for 
information systems that support the operations and assets of the 
agency. 

Federal agencies' implementation of FISMA requirements extends to 
contractors that are delivering IT systems and services and to other 
users of federal data and systems.[Footnote 7] In addition to these 
requirements, FISMA requires each agency to develop, maintain, and 
annually update an inventory of major information systems operated by 
the agency or that are under its control. This inventory is to include 
an identification of the interfaces between each system and all other 
systems or networks, including those operated by or under the control 
of contractors or other users with privileged access to federal data. 

FISMA also requires each agency to have an annual independent 
evaluation of its information security program and practices, including 
control testing and compliance assessment. Evaluations of nonnational 
security systems are to be performed by the agency inspector general or 
by an independent external auditor. Furthermore, for nonnational 
security systems, FISMA requires NIST to develop (1) standards to be 
used by all agencies to categorize all of their information and 
information systems based on the objectives of providing appropriate 
levels of information security according to a range of risk levels; (2) 
guidelines recommending the types of information and information 
systems to be included in each category; and (3) minimum information 
security requirements for information and information systems in each 
category. 

NIST Standards and Guidance and OMB Guidance Support FISMA 
Implementation: 

NIST standards and guidance and OMB guidance both support agency 
efforts to implement FISMA. NIST has issued a number of information 
security standards and guidance that is intended to promote the 
security of federal IT systems and services, such as its guidance on 
conducting risk assessments and on the format and content of security 
plans.[Footnote 8] In addition, as part of its statutory 
responsibilities under FISMA, NIST has issued standards and guidance 
that include consideration of security oversight of contractor-provided 
IT systems and services and other users with privileged access to 
federal data and systems. 

In its fiscal year 2004 FISMA reporting guidance,[Footnote 9] OMB 
required federal agencies to use NIST SP 800-26 or an equivalent 
assessment tool for agency annual information security 
reviews.[Footnote 10] The self assessments were also to be used to 
evaluate the security of contractor-provided IT systems and services. 
The self assessments provide a method for agency officials to determine 
the current status of their information security programs and, where 
necessary, to establish a target for improvement. 

Federal Agencies Face a Range of Risks from Contractors and Other Users 
of Federal Data and Systems: 

Federal agencies face a range of risks from contractors and other users 
with privileged access to federal data and systems. Contractors that 
provide systems and services or other users with privileged access to 
federal data and systems can introduce risks to agency information and 
systems. Most agencies recognize the contractor-related risks, 
including those associated with contractor software development and off-
site operations. Further, agencies view users with privileged access to 
federal systems and data as potential sources of risk. 

Contractors and Other Users of Federal Data and Systems Introduce Risks 
to Agencies: 

Contractors and other users with privileged access to federal data and 
systems can introduce information security risks to federal information 
and information systems that are sometimes difficult to quantify. 
Examples of these risks are as follows. 

Strategic. Two basic strategic risks include management inexperience in 
overseeing contractor/other organization operations and the potential 
for inaccurate contractor/other organization information to negatively 
impact agency decisions. For example, inadequate management experience 
and expertise can impede an agency's ability to understand and control 
key risks. Additionally, inaccurate information from a contractor/other 
organization may prevent the leadership of an organization from having 
the necessary data to make well-informed strategic decisions. 

Reputation. Errors, delays, system failures, or unauthorized disclosure 
of information may negatively impact how citizens, state and local 
governments, and other federal agencies view an agency and its services 
or mission. 

Legal/Compliance. Federal agencies are required to ensure that their 
information security programs are being applied to systems and services 
that are being provided by contractors/other organizations and ensure 
compliance with laws such as privacy protections. 

Implementation. Initiating a contractor relationship may require a 
complex transition of people, processes, hardware, software, and other 
assets from the agency to the provider or from one provider to another, 
all of which may introduce new risks. 

Ownership/Dependence. An agency may ignore certain security issues due 
to "out of sight, out of mind" thinking, having delegated this concern 
to the provider. An agency may also become dependent on a particular 
contractor. 

Operational. In addition to fraud or error, contractor or privileged 
access information security weaknesses could negatively impact agency 
operations, including delivering products; managing information; 
maintaining operations and transaction processing; customer service; 
systems development and support; and internal control processes. 

Shared Environment. Contractors may use one system to service multiple 
clients and, as a result, this system-sharing may pose more risks than 
an in-house environment. For example, sharing a common network or a 
processing environment, such as a general purpose server, across 
multiple clients can increase the likelihood of one organization having 
access to the sensitive information of another. 

The risks identified can present complex challenges to federal 
agencies. Many of the complexities stem from risks related to people, 
processes, or technologies that, if not properly overseen or managed, 
can potentially harm an agency's operations, information, or systems. 

Most Agencies Recognize Contractor-Related Risks to Information: 

Most agencies (17 of 24) reported that they recognize contractor risks 
to their information and information systems. These people, process, 
and technology risks can degrade or diminish the confidentiality, 
integrity, and availability of agency information systems or data. 
Examples of agency-identified risks are summarized in table 1. 

Table 1: Examples of Agency-Identified Risks to Federal Systems and 
Data Resulting from Reliance on Contractors: 

Category: People; 
Risk description: Unauthorized personnel having physical access to 
agency IT resources (including systems, facilities, and data). 

Category: People; 
Risk description: Unauthorized personnel having electronic access to 
agency IT resources (including systems and data). 

Category: People; 
Risk description: Increased use of foreign nationals. 

Category: People; 
Risk description: Contractor or privileged users of federal data and 
systems who may not receive appropriate, periodic background 
investigations. 

Category: People; 
Risk description: Inadequate segregation of duties (e.g., software 
developer is the same individual who puts the software into 
production). 

Category: Processes; 
Risk description: Failure by contractor or privileged users of federal 
data and systems to follow agency IT security requirements. 

Category: Processes; 
Risk description: Possible disclosure of agency-sensitive information 
to unauthorized individuals or entities. 

Category: Processes; 
Risk description: Lack of effective compliance monitoring of 
contractors performing work off-site or privileged users of federal 
data and systems. 

Category: Processes; 
Risk description: Contractor or privileged users of federal data and 
systems may have ineffective patch management processes. 

Category: Technology; 
Risk description: Incorporation of unauthorized features in customized 
application software. For example, a third-party software developer has 
the potential to incorporate "back doors," spyware, or malicious code 
into customized application software that could expose agency IT 
resources to unauthorized loss, damage, modification, or disclosure of 
data. 

Category: Technology; 
Risk description: Encryption technology may not meet federal standards. 

Category: Technology; 
Risk description: Intentional or unintentional introduction of viruses 
and worms. 

Source: GAO analysis of federal agencies' survey response data. 

Note: The various risks identified in table 1 could represent multiple 
risks (i.e. risks in one or more of the identified categories of 
people, processes and technology). 

[End of table]

In addition to the risks identified in the table, agencies identified 
specific risks from contractor software development activities and off- 
site operations. These risks include the following: 

* a poor patch management process could impact federal operations, such 
as agency Web sites;

* the hosting infrastructure may not separate customer and company 
data; and: 

* the need for oversight at an off-site facility. 

Without proper controls, the risks associated with software development 
and work performed off site could be very damaging to federal 
information and systems. For example, loss of confidentiality, 
integrity, or availability of data can disrupt federal operations and 
services and may impede the ability to ensure the performance of 
mission-critical functions. 

Agencies Assess Users with Privileged Access to Federal Data and 
Systems as Potential Risks: 

Many agencies reported their risks from other users with privileged 
access to federal data and systems. Seventeen agencies indicated that 
they assess the risks posed by other users with privileged access to 
federal data and systems. Agency-identified risks included: 

* lack of controls on network connections;

* unauthorized use or release of information, such as grantee 
information being revealed to another grantee;

* malicious activity that introduces viruses and worms; and: 

* poor electronic access controls that could permit customer passwords 
to be compromised and exploited by identity theft. 

Of the remaining 7 agencies, 5 indicated that other users do not 
possess or use their data and systems; 1 indicated that it had not 
assessed risks of other users with privileged access; and the other 
agency did not respond regarding whether they had assessed risks of 
other users with privileged access to federal data and systems. 

Agencies Use Various Methods for Overseeing Contractor Security: 

Federal agencies report using three primary methods for overseeing the 
information security of contractors: 

* using contract language to establish information security 
requirements for contractors;

* having information security policies for contractors and other users 
with privileged access to federal data; and: 

* using NIST self-assessment tools to assess contractor security 
capabilities and assess the security implemented by other users with 
privileged access to federal data. 

These methods can be leveraged for effective agency oversight of 
contractors and privileged users for federal systems and data. However 
when not properly implemented, each of these methods has limitations. 

Agencies Use Contract Language to Establish Information Security 
Requirements: 

Most agencies report using contract language to establish information 
security requirements for contractors. The FAR requires that agencies 
use specific contract language related to privacy or security 
safeguards. Table 2 contains an example of FAR-provided language for 
agencies to include in their IT contracts. 

Table 2: The FAR Privacy or Security Safeguards Contract Language: 

(a) The Contractor shall not publish or disclose in any manner, without 
the Contracting Officer's written consent, the details of any 
safeguards either designed or developed by the Contractor under this 
contract or otherwise provided by the Government. 

(b) To the extent required to carry out a program of inspection to 
safeguard against threats and hazards to the security, integrity, and 
confidentiality of Government data, the Contractor shall afford the 
Government access to the Contractor's facilities, installations, 
technical capabilities, operations, documentation, records, and 
databases. 

(c) If new or unanticipated threats or hazards are discovered by either 
the Government or the Contractor, or if existing safeguards have ceased 
to function, the discoverer shall immediately bring the situation to 
the attention of the other party. 

Source: Federal Acquisition Regulation 52.239-1. 

[End of table]

This FAR language helps ensure that federal agencies can maintain 
access to contractor facilities in order to perform security oversight 
functions. However, this language does not address all aspects of 
security. For example, the clause in table 2 does not apply to 
subcontractors. By not including subcontractors within specific 
information security requirements, agencies can be introducing 
significant risks without a contractual tool with which to manage them. 

More importantly, the FAR has not been amended to reflect the 
requirements of the FISMA. As a result, the language in the FAR does 
not reflect key FISMA requirements, including: 

* periodic testing and evaluation of the effectiveness of information 
security policies, procedures, and practices performed with a frequency 
depending on risk, but not less than annually, and including testing of 
management, operational, and technical controls for every system 
identified in the agency's required inventory of major information 
systems;

* a process for planning, implementing, evaluating, and documenting 
remedial action to address any deficiencies in the information security 
policies, procedures, and practices of the agency;

* procedures for detecting, reporting, and responding to security 
incidents; and: 

* plans and procedures to ensure continuity of operations for 
information systems that support the operations and assets of the 
agency. 

The FAR provides, however, that this contract language only needs to be 
"substantially the same" as standard FAR clauses and agencies, 
therefore, have the flexibility to modify it to address FISMA 
requirements. Additionally, agencies are authorized to include in their 
agency FAR supplements, regulations, and clauses that supplement FAR 
policies and procedures or satisfy specific needs of the 
agency.[Footnote 11] Agency FAR supplements, accordingly, could include 
additional language to address the requirements of FISMA. 

However, although some agency FAR supplements include requirements 
related to IT security that are not in the FAR, no agency has made a 
comprehensive effort to revise its FAR supplement to reflect FISMA. 

The 2003 NIST SP 800-35[Footnote 12] stresses the importance of 
establishing security requirements with external parties in formal 
contracts. However, by not establishing clear security requirements in 
contracts, agencies may not be able to ensure that their agency 
information is secured in accordance with FISMA. 

Most Agencies Have Information Security Policies for Contractors, but 
Few Policies Provide for Oversight Capabilities: 

Although most agencies reported having written policies that addressed 
information security for contractor-provided IT services and systems 
and for other users with privileged access to federal data and systems, 
few established specific policies for overseeing the information 
security practices of contractors to ensure compliance with contract 
requirements and agency information security policies. As figure 2 
illustrates, 22 of the surveyed agencies reported having information 
security policies for contractors, and 15 reported having policies for 
other users with privileged access to federal data and systems. 
However, the majority of agencies addressed contractors and other users 
with privileged access to federal information and systems within the 
general scope of their agency policy, and did not define information 
security oversight requirements. For example, agency policies did not 
describe oversight methods; the frequency of reviews or assessments; 
key management controls to mitigate unauthorized disclosure of 
information; physical/logical access controls; or the introduction of 
unauthorized features. Further, most of the agencies did not have 
policies or provide guidance on key areas, including control of agency 
data in an off-site facility or requirements for interconnection 
security agreements.[Footnote 13]

Figure 2: Major Agencies with Security Policies for Contractors, 
Privileged Users of Federal Data and Systems, and Contractor Security 
Oversight: 

[See PDF for image] 

[End of figure] 

However, we identified only 5 agencies that had established specific 
policies addressing contractor information security oversight. While 
the five agency policies reflected a broad range of maturity levels, 
they included many of the following elements: 

* establishing procedures for contractor information security oversight;

* assigning roles and responsibilities;

* creating specific audit plans for systems and facilities;

* describing interconnection security agreements;

* creating requirements for agency information that will be secured at 
contractor facilities--including storing, processing, and transmitting 
on contractor systems, background checks, and facility security; and: 

* requiring agency officials to conduct reviews to ensure that IT 
security requirements were being enforced. 

By establishing oversight policies that address these elements, 
agencies can more consistently oversee contractor security and ensure 
that contractors and other users with privileged access to federal 
systems and data comply with agency security requirements. However, 
without such policies, oversight efforts can be impeded. 

In fiscal years 2003 and 2004, many agency inspectors general cited the 
lack of agency policies and guidance regarding how agency program 
managers or organizational components should conduct oversight of 
contractor operations as problematic. Three different agency inspectors 
general reported the following: 

* Agency policies and procedures did not provide organizational 
components with guidance on conducting reviews of their contractor- 
provided services. Further, there was little evidence that components 
are ensuring that contractor-provided services are secure and comply 
with agency security policy. 

* Agency program officials had not ensured that (1) adequate security 
of contractor-provided services, including not identifying the full 
range of services provided and that (2) oversight processes and 
procedures for ensuring secure operations had not been defined or 
implemented. 

* Agency officials were not using adequate methods to ensure that 
contractor security met the requirements of FISMA, OMB, and NIST 
guidelines after reviewing the access controls, security clearances, 
and security awareness training for contractors that provide network 
administration, systems development, and systems administration. 

Without appropriate policies and guidance, agencies may not be able to 
effectively and efficiently assess the security of contractor 
operations or that of other users with privileged access to federal 
data and systems. For example, without specific oversight policies 
establishing when and how agencies will review contractor-operated 
systems, officials responsible for the systems may not be taking 
sufficient action to ensure that security requirements are being met. 
Further, information system controls needed to ensure secure operations 
may not be tested on regular intervals. As a result, agencies may not 
be able to protect federal information in accordance with FISMA. 

Agencies Use Self-Assessment Tool to Review Contractor Security, but 
Its Oversight Value May Be Limited: 

The majority of agencies reported using a self-assessment tool to 
review contractor information security, but the oversight value may be 
limited. NIST's self-assessment guide states that self-assessments 
provide a method for agency officials to determine the current status 
of their information security programs and, where necessary, to 
establish a target for improvement. NIST SP 800-26 structures the 
questionnaire by management, operational, and technical controls. The 
section on technical controls does not require testing of those 
controls as part of the self-assessment, but instead relies on 
documentation. In response to our survey, 22 agencies reported using 
NIST SP 800-26 to assess contractors providing IT services and systems 
and 2 agencies reported not using this assessment tool. 

While most agencies reported using NIST SP 800-26, the self-assessment 
tool may have limited value in overseeing contractor information 
security. For example, by relying on a contractor's self assessment, an 
agency official may not obtain a clear understanding of the 
effectiveness of security controls or be assured of the validity of the 
responses without independent testing. Further, the agency chief 
information officer or inspector general may have trouble conducting an 
analysis or review of the self assessment if there is not sufficient 
documentation. 

As an example of the self-assessment challenges, one agency inspector 
general found significant problems with the agency's self assessment. 
The inspector general noted that, after reviewing a sample of the 
agency's NIST SP 800-26 self assessments, (1) security weaknesses had 
not been properly defined, (2) variations existed between inspector 
general and agency scoring on the NIST SP 800-26 reviews, and (3) the 
agency did not verify the results of self assessments. 

Further, the lack of information security requirements established in 
contracts and the absence of agency oversight policies may diminish the 
efforts of reviewers using NIST SP 800-26 because they may not be able 
to refer to clear criteria with which to assess systems' security. As a 
result, agencies may not obtain an accurate status of the security of 
contractor-provided systems and services. 

Many Agencies Do Not Review Other Users with Privileged Access to 
Federal Data and Systems: 

In August 2004, OMB mandated the use of NIST SP 800-26 for agency 
annual system reviews. However, in response to our survey, only 10 
agencies reported using NIST SP 800-26 to assess other users with 
privileged access to federal data and systems that have connectivity to 
agency networks. By not assessing and testing the security controls of 
other users with privileged access to federal data, agencies reported 
that they are at increased risk of losing control of network 
connections, experiencing unauthorized use of information, such as 
grantee information being revealed to another grantee, and malicious 
activity that introduces viruses and worms. 

Administration Efforts to Improve Information Security of Contractors 
Continue, but Challenges Remain: 

The administration is making efforts to improve information security 
over contractors, but challenges remain. For example, the information 
security requirements in FAR are being revised and OMB continues to 
gather data from the agencies about the number of contractor facilities 
reviewed by agencies. Additionally, NIST has issued guidance, parts of 
which address some contractor security issues. 

Federal Acquisition Regulation Is Being Updated to Modernize IT 
Requirements: 

In response to the administration's plans to update FAR, officials at 
the FAR Council stated that the acquisition regulation was being 
updated to address information security requirements of contractor- 
provided systems and services. Officials further explained that the 
administration had been working on updating the FAR language since 2002 
when FISMA was enacted. According to the FAR Council officials, the 
council had completed the majority of its work in December 2004. As of 
March 2005, the FAR amendments were undergoing legal review. 

OMB Collects Data on Agency Information Security Oversight of 
Contractors, but Effectiveness of Agency Efforts Is Unclear: 

Through its FISMA reporting requirements, OMB continues to gather 
information about agency oversight of contractors, but understanding 
the effectiveness of agency efforts based on the collected data is 
unclear. On an annual basis, OMB collects information from the agencies 
about: 

* the total number of agency systems, including whether the chief 
information officer and the inspectors general agree on the number of 
systems identified and: 

* the number of contractor facilities and operations identified and 
reviewed using NIST SP 800-26 or an equivalent methodology. 

The fiscal year 2004 FISMA submissions revealed significant 
discrepancies in the responses from the agency and the inspector 
general. For example, as shown in table 3, the number of systems 
reported as being agency systems or contractor systems varied 
significantly among the chief information officers and the inspectors 
general at four agencies. Without a clear understanding of who has 
operational control of a system, agencies cannot ensure that the 
appropriate oversight and security controls are being implemented in 
accordance with agency policy. 

Table 3: Number of Contractor Facilities and Operations Reported in 
Fiscal Year 2004: 

Agency: Agency A; 
Agency/chief information officers total: 61; 
Inspectors general total: 13. 

Agency: Agency B; 
Agency/chief information officers total: 11; 
Inspectors general total: 65. 

Agency: Agency C; 
Agency/chief information officers total: 4; 
Inspectors general total: 111. 

Agency: Agency D; 
Agency/chief information officers total: 20; 
Inspectors general total: 5. 

Source: Fiscal year 2004 agency chief information officer and 
inspectors general FISMA submissions to OMB. 

[End of table]

Over the past 3 years, there has been a decline in both the number of 
contractor facilities identified by the agencies and the number of 
facilities reviewed by the agencies. Figure 3 depicts this trend in 23 
of the major agencies. 

Figure 3: Total Contractor Facilities and Number of Facilities Reviewed 
for 23 Federal Agencies in Fiscal Years 2002-2004: 

[See PDF for image] 

Note: The Department of Defense (DOD) contractor facilities and number 
of facilities reviewed are not reflected in the figure because this 
information was not available for 2002. However, in 2003, the DOD 
reported identifying 4,716 contractor facilities and reviewing 4,000 
facilities, while in 2004, the department inventoried 4,686 and 
reviewed 3,961 facilities. 

[End of figure] 

The disagreement between agency chief information officers and 
inspectors general about whether systems are deemed to be agency 
systems or contractor systems can impede effective and efficient 
information security oversight efforts. In some cases, it may even 
result in systems not being reviewed. By not performing reviews of 
contractor-operated facilities, agencies cannot ensure that their 
information is being protected in accordance with FISMA and, as a 
result, federal operations and data can be at risk. 

The data gathered from the agencies on the number of contractor systems 
identified and reviewed do not provide an accurate measure of the 
effectiveness of agency information security oversight of contractors. 
However, additional data about the contracts, policies, and self 
assessments could provide a better measure of effectiveness. For 
example, asking inspectors general to determine: 

* what portion of the contractor systems identified by the agencies 
have specific IT security language that addresses key FISMA elements;

* if the agency information security policies provide specific 
oversight policies for contractors and privileged users of federal 
systems and data; and: 

* whether the required NIST SP 800-26 assessments of contractor systems 
were completed by the agency, the contractor, or an independent entity. 

Finally, annual agency reports required by FISMA do not address 
security related to other users with privileged access to federal data. 
There is not a clear governmentwide understanding of how agencies are 
addressing the various challenges and identified risks related to other 
users with privileged access. As previously discussed, agencies have 
not developed policies or reviewed the controls necessary to ensure 
that these users of federal data do not place agencies' information and 
systems at risk of compromise. As a result, federal agencies that lack 
appropriate controls and oversight can be exposing their information 
and systems to additional risks from privileged users who might 
introduce malicious code, disclose unauthorized information, or lack 
controls to secure their network interfaces with the agency systems. 

Unified Federal Guidance Could Assist Agencies: 

No single federal guide exists for federal agencies to rely on when 
addressing information security over contractors. FISMA requirements 
apply to all federal contractors and organizations or sources that 
possess or use federal information or that operate, use, or have access 
to federal information systems on behalf of an agency. In support of 
FISMA implementation, NIST has issued a number of information security 
products intended to improve federal IT systems. 

However, in the absence of a single, comprehensive guide to assist in 
the development of policies, agencies must refer to portions of several 
different documents that address elements related to contractor 
information security oversight. For example, in 2005, NIST published 
Recommended Security Controls for Federal Information Systems,[Footnote 
14] which refers to portions of the following documents that can be 
used by agencies to address some of the challenges related to 
information security oversight of contractors: 

* SP 800-18 states that agencies may require compliance with the guide 
as part of contract requirements;

* SP 800-35 lists in its appendices sample acquisition language that is 
appropriate for inclusion into IT security service statements of work;

* SP 800-47 discusses, in brief, the development of non-disclosure 
agreements for contractors when determining interconnection 
requirements; and: 

* 800-64 gives examples of contract clauses that can be used to help 
establish clear lines of authority and responsibility. 

In February 2005, NIST released the Federal Information Processing 
Standard 201 entitled Personal Identity Verification of Federal 
Employees and Contractors. This standard was developed in response to 
Homeland Security Presidential Directive 12 and is intended to improve 
the identification and authentication of federal employees and 
contractors for access to federal facilities and information systems. 
This standard helps to address the risk of contractors gaining 
unauthorized physical or electronic access to federal information. 

Unified guidance on addressing the information security oversight of 
contractors and privileged users of federal systems and data could 
assist agencies in developing effective programs to ensure compliance 
with agency policy. However, without clear guidance on how to develop 
effective information security oversight of contractors and users with 
privileged access to federal systems and data, federal agencies may not 
develop sufficient policies to address the range of risks posed by 
contractors and key users. As a result, federal information and 
operations can be placed at undue risk. 

Conclusions: 

Contractors provide valuable services that contribute to the efficient 
functioning of the government, but a range of risks from contractors 
and other users with privileged access to federal data and systems must 
be managed effectively. Contracts, policies, and security self- 
assessments can be leveraged as valuable oversight tools for federal 
agencies in managing oversight of contractors and other users. However, 
when not properly implemented, each of these methods has limitations. 
For example, many agencies are not incorporating FISMA requirements 
into their contract language; accordingly, their strongest tool for 
establishing information security requirements is limited. 
Additionally, many agencies have not defined specific oversight 
policies for contractors and other users with privileged access to 
federal data. Without clearly defined information security oversight 
policies, agencies may be accepting significant risk to their 
information and systems from both contractors and other users with 
privileged access without having the appropriate controls to mitigate 
the risks. Finally, agency reliance on self-assessment tools may not 
provide them with the appropriate tools to ensure the security of their 
information. 

To address these complex challenges, a variety of administration 
efforts have been started to further enhance federal agencies' efforts 
to improve information security oversight of contractors, but 
challenges remain. For example, the effort to update FAR guidance has 
not been completed. In addition, continuing OMB FISMA oversight reveals 
challenges in contractor oversight. Finally, if agencies lack unified 
guidance to assist them in creating appropriate information security 
oversight policies for contractors and other users with privileged 
access to federal data and systems, federal agencies may not be able to 
effectively protect their information. 

Recommendations for Executive Action: 

To ensure that agencies are developing the appropriate information 
security oversight capabilities for contractors and other users with 
privileged access to federal data and systems, we recommend, in 
accordance with FISMA, that the Director of OMB ensure that the 
following two actions take place. 

* Efforts to update FAR are completed expeditiously and that such 
efforts require agency security management efforts required by FISMA, 
including: 

* periodic testing and evaluation of management, operational, and 
technical controls;

* a process for planning, implementing, evaluating, and documenting 
remedial action to address any deficiencies in the information security 
policies and procedures;

* procedures for detecting, reporting, and responding to security 
incidents; and: 

* plans and procedures to ensure continuity of operations for 
information systems that support the operations and assets of the 
agency. 

* Federal agencies develop policies for ensuring information security 
of contractors and other users with privileged access to federal data, 
including: 

* establishing procedures for contractor information security oversight;

* assigning roles and responsibilities;

* creating specific audit plans for systems and facilities;

* describing interconnection security agreements;

* creating requirements for agency information that will be secured at 
contractor facilities including storing, processing, transmitting on 
contractor systems, background checks, and facility security; and: 

* requiring agency officials to conduct reviews to ensure that IT 
security requirements are being enforced. 

To assist agencies in managing the risks related to contractors and 
other users with privileged access to federal data and systems, we 
recommend that the Secretary of Commerce develop a unified set of 
guidance for developing appropriate information security policies. 

Agency Comments on Our Evaluation: 

We provided a draft of this report to OMB and the Department of 
Commerce for their official review and comment. OMB General Counsel 
provided oral comments on the report, which have been incorporated as 
appropriate. OMB generally agreed with the report findings and 
conclusions. OMB officials told us that, as part of the capital asset 
plan and business case development process, agencies are required to 
answer several information security oversight questions related to 
contractor-provided IT systems and services. These questions provide 
OMB important information when assessing the business case for funding. 
Further, OMB stated that their efforts to enhance oversight of 
contractors includes requiring that the 25 E-Government initiatives be 
independently reviewed to determine compliance with IT security 
requirements. OMB did not disagree with the overall recommendations and 
recognized the need for further agency action to address contractor 
security oversight. 

In written comments, which are reprinted in appendix II, the Deputy 
Secretary of the Department of Commerce acknowledged the accuracy of 
the report. In regard to our recommendation, Commerce stated that NIST 
recognizes the importance of providing guidance to assist agencies in 
ensuring that security requirements are applied by contractors. 
Additionally, NIST has developed publications that can be used for 
contractors and are focused on acquisition, assessments, controls, and 
the system development life cycle. Commerce agreed that through NIST, 
it would develop a strategy to build a framework for a consolidated 
delivery of contractor related-guidelines. 

As agreed with your offices, unless you publicly announce the contents 
of this report earlier, we plan no further distribution until 30 days 
from the report date. At that time, we will send copies of this report 
to interested congressional committees; the Director, Office of 
Management and Budget; and the Secretary, Department of Commerce. We 
will also make copies available to others upon request. In addition, 
the report will be available at no charge on the GAO Web site at 
[Hyperlink, http://www.gao.gov]. 

If you or any of your staff have any questions concerning this report, 
please contact me at (202) 512-3317. I can also be reached by e-mail at 
[Hyperlink, wilshuseng@gao.gov]. Other contacts and key contributors to 
this report are listed in appendix III. 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

[End of section]

Appendixes: 

Appendix I: Objectives, Scope, and Methodology: 

The objectives of our review were to: 

* Describe the information security risks associated with the federal 
government's reliance on contractors providing information technology 
systems and services and other users with privileged access to federal 
data and systems federal information or access federal information 
systems. 

* Identify methods used by federal agencies to ensure security of 
information and information systems that are operated, used, or 
accessed by contractors and other users with privileged access to 
federal data. 

* Discuss what steps the administration is taking to ensure 
implementation and oversight of security of information and information 
systems that are operated, used, or accessed by contractors and other 
users with privileged access to federal data. 

To describe the information security risks associated with the federal 
government's reliance on contractors and other organizations, we 
analyzed existing federal regulations, laws, and guidelines such as the 
Federal Acquisition Regulation (FAR); Federal Information Security 
Management Act of 2002 (FISMA); and National Institute of Standards and 
Technology (NIST) guidance. In addition, we interviewed federal and 
private-sector officials regarding the policies and procedures for 
overseeing contractor security. We then developed a series of questions 
that were incorporated into a Web-based survey instrument. We pretested 
our survey instrument at one federal department and one federal 
independent agency. We also met with Office of Management and Budget 
(OMB) officials to discuss OMB's role in ensuring the security of 
contractor-provided systems and services. For each agency to be 
surveyed, we identified the office of the chief information officer, 
notified each office of our work, and, via e-mail, distributed a link 
to each office. All 24 agencies responded to our survey. We did not 
verify the accuracy of the agencies' responses; however, we reviewed 
supporting documentation that agencies provided to validate their 
responses. We contacted agency officials when necessary for follow-up. 

Although this was not a sample survey and, therefore, there were no 
sampling errors, conducting any survey may introduce errors, commonly 
referred to as nonsampling errors. For example, difficulties in how a 
particular question is interpreted, in the sources of information that 
are available to respondents, or in how the data are entered into a 
database or were analyzed can introduce unwanted variability into the 
survey results. We took steps in the development of the survey 
instrument, the data collection, and the data analysis to minimize 
these nonsampling errors. For example, a survey specialist designed the 
survey instrument in collaboration with GAO staff with subject-matter 
expertise. Then, as previously stated, it was pretested to ensure that 
the questions were relevant, clearly stated, and easy to comprehend. 
When the data were analyzed, a second, independent analyst checked all 
computer programs. Because this was a Web-based survey, respondents 
entered their answers directly into the electronic questionnaire. This 
eliminated the need to have the data keyed into a database, thus 
removing an additional potential source of error. 

To identify methods used by federal agencies to ensure security of 
contractor-provided systems and services, we interviewed the FAR 
Council, OMB, and NIST officials to discuss their guidelines and other 
tools available to agencies. In addition, questions regarding agency 
policy, agency use of oversight guidelines, acquisition process, and 
personnel/background checks, security requirements, and contract 
language were included in the survey we sent to the 24 Chief Financial 
Officer's Act agencies. We did not verify the accuracy of the agencies' 
responses; however, we reviewed supporting documentation that agencies 
provided to validate their responses. We contacted agency officials 
when necessary for follow-up. 

Finally, to determine what steps the administration is taking to ensure 
implementation and oversight of security of contractors and other users 
with privileged access that operate, use, or access federal information 
systems on behalf of an agency, we interviewed FAR Council, OMB, and 
NIST officials regarding the policies and procedures for overseeing 
contractor security. We also reviewed annual chief information officer 
and inspectors general FISMA reports to assess progress made in meeting 
FISMA requirements related to contractor security. 

We conducted our work in Washington, D.C., from August 2004 through 
March 2005 in accordance with generally accepted government auditing 
standards. 

[End of section]

Appendix II: Comments from the Department of Commerce: 

THE DEPUTY SECRETARY OF COMMERCE: 
Washington, D.C. 20230:

April 19, 2005:

Mr. Gregory Wilshusen:
Director, Information Security Issues:
United States Government Accountability Office:
Washington, DC 20548:

Dear Mr. Wilshusen:

I enclose the Department of Commerce's comments on Government 
Accountability Office (GAO) proposed report entitled Information 
Security: Improving Oversight of Access to Federal Systems and Data by 
Contractors Can Reduce Risk (GAO-05-362). Thank you for the opportunity 
to review the report. I commend the GAO for this study on the issue of 
improving information security oversight of contractors.

We recognize the need to develop cohesive government-wide guidance to 
assist agencies in developing appropriate information security policies 
for addressing contractors and other users with privileged access to 
federal data and systems. The National Institute of Standards and 
Technology (KIST) has developed a set of publications for acquisition, 
self-assessment, and controls that should be applied in developing 
information systems. In addition, NIST has recently developed a road 
map which maps NIST publications to the various phases of the system 
development life cycle. In support of the GAO proposed recommendation, 
NIST will extend its efforts to develop a strategy to build the 
necessary framework for a more consolidated delivery of the contractor 
related guidelines.

Again, thank you for the opportunity to comment on this draft report.

Sincerely,

Signed by: 

Theodore W. Kassinger:

Enclosure:

Comments on Government Accountability Office (GAO) Report entitled 
"Information Security: Improving Oversight of Access to Federal Systems 
and Data by Contractors Can Reduce Risk" made by the National Institute 
of Standards and Technology (KIST), Department of Commerce:

The GAO team should be commended for the study. The report provides a 
thorough assessment of the information security risks associated with 
the Federal Government's reliance on contractor-provided IT systems and 
services and other users with privileged access to federal data and 
systems. Furthermore, it identifies current methods employed by federal 
agencies to avoid these risks, and provides recommendations to improve 
information security oversight for contractors.

NIST has reviewed the report and has noted no major errors or 
omissions. The report identified one major recommendation --that the 
Secretary of Commerce develop a unified set of guidance for developing 
appropriate information security guidance related to contracting.

NIST recognizes the importance of providing guidance to assist agencies 
in ensuring that the appropriate security requirements are applied to 
contractors. We had previously developed a three-volume set of special 
publications (SP) specifically focused on acquisition (SP800-64, SP800- 
35, and SP800-36). In addition, SP 800-26, the NIST self-assessment 
tool, can be used for contractor assessments. Most recently, NIST 
published SP800-53 which defines in great detail the controls that 
should be applied in developing information systems. This document can 
be used to derive security requirements for systems being developed by 
contractors. (http://csrc.nist.gov/publications/nistpubs/index.html)

Further, recognizing the need to provide one consolidated road map to 
the numerous NIST publications, which can be applied throughout the 
system development life cycle (SDLC), we recently published a reference 
which maps all of the NIST guidance to the various phases of the SDLC. 
It can be used by contractors to identify the appropriate references 
based on scope and focus of specific contract tasking. 
(http://csrc.nist.gov/SDLCinfosec/SDLC_brochure_Aug04.pdf)

The above strategy has allowed NIST to develop information security 
publications in focused areas with the sufficient detail required to be 
useful.

To support the GAO proposed recommendation, NIST will extend its 
efforts to develop a strategy to build the necessary framework for a 
more consolidated delivery of the contractor-related guidelines. 

[End of section]

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

J. Paul Nicholas, Assistant Director, (202) 512-4457, [Hyperlink, 
nicholasj@gao.gov].  

Staff Acknowledgments: 

In addition to the individual named above, key contributors to this 
report included Neil Doherty, Nancy Glover, Stuart Kaufman, Anjalique 
Lawrence, Nnaemeka Okonkwo, and Kevin Secrest. 

(310544): 

FOOTNOTES

[1] These 24 CFO departments and agencies are the Departments of 
Agriculture, Commerce, Defense, Education, Energy, Health and Human 
Services, Homeland Security, Housing and Urban Development, Interior, 
Justice, Labor, State, Transportation, Treasury, Veterans Affairs, 
Environmental Protection Agency; General Services Administration; 
National Aeronautics and Space Administration; National Science 
Foundation; Nuclear Regulatory Commission; Office of Personnel 
Management; Small Business Administration; Social Security 
Administration; and U.S. Agency for International Development. 

[2] A virus is a program that "infects" computer files, usually 
executable programs, by inserting a copy of itself into the file. These 
copies are usually executed when the infected file is loaded into 
memory, allowing the virus to infect other files. A virus requires 
human involvement (usually unwittingly) to propagate. A worm is an 
independent computer program that reproduces by copying itself from one 
system to another across a network. Unlike computer viruses, worms do 
not require human involvement to propagate. 

[3] Contractors are generally considered to be the primary entity with 
which a department or agency enters into an agreement. In this report, 
we use the term "contactor" when referring to both contractors and 
subcontractors. We refer to other organizations that possess or use 
federal information or have access to federal information systems--such 
as grantees, state and local governments, and research and educational 
institutions--as other users with privileged access to federal data and 
systems. 

[4] 48 C.F.R. Chapter 1. 

[5] Federal Information Security Management Act of 2002, Title III, E- 
Government Act of 2002, Pub. L. No. 107-347 (Dec. 17, 2002). 

[6] Privacy Act of 1974, Pub. L. No. 93-579, 5 U.S.C. 552a; FAR Subpart 
24.1, 48 C.F.R. Subpart 24.1. 

[7] In 2003, the Medicare Prescription Drug, Improvement, and 
Modernization Act (Pub. L. No. 108-173) was enacted. Section 912 of the 
act includes a provision requiring Medicare administrative contractors 
to implement a contractorwide information security program to provide 
information security for the operation and assets of the contractor for 
Medicare functions. Additionally, the information security program is 
required to meet certain requirements for information security programs 
already imposed on agencies and their data contractors by FISMA. 
Medicare administrative contractors are also required to undergo an 
annual independent testing and evaluation of their information security 
programs. 

[8] NIST, Risk Management Guide for Information Technology Systems, 
Special Publication 800-30 (Gaithersburg, Md.: July 2002) and Guide for 
Developing Security Plans for Information Technology Systems, Special 
Publication 800-18 (Gaithersburg, Md.: December 1998). 

[9] OMB, Fiscal Year 2004 Reporting Instructions for the Federal 
Information Security Management Act, M-04-25(Washington, D.C.: Aug. 23, 
2004). 

[10] NIST, Security Self-Assessment Guide for Information Technology 
Systems, NIST Special Publication 800-26 (Gaithersburg, Md.: November 
2001). 

[11] FAR Subpart 1.3; 48 C.F.R. Subpart 1.3. 

[12] NIST, Guide to Information Technology Services, Special 
Publication 800-35 (Gaithersburg, Md.: October 2003). 

[13] An interconnection security agreement documents specific technical 
and security requirements for connecting IT systems from different 
organizations, such as between a federal agency and a contractor or 
between a federal agency and other users with privileged access to 
federal data and systems. 

[14] NIST, Recommended Security Controls for Federal Information 
Systems, Special Publication 800-53 (Gaithersburg, Md.: February 2005). 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office

441 G Street NW, Room LM

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: fraudnet@gao.gov

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director,

NelliganJ@gao.gov

(202) 512-4800

U.S. Government Accountability Office,

441 G Street NW, Room 7149

Washington, D.C. 20548: