Information Security: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk

GAO-05-362 Published: Apr 22, 2005. Publicly Released: May 23, 2005.

Highlights

The federal government increasingly relies on information technology (IT) systems to provide essential services affecting the health, economy, and defense of the nation. To assist in providing these important services, the federal government relies extensively on contractors to provide IT services and systems. In addition to contractors that provide systems and services to the federal government, other organizations possess or use federal information or have access to federal information systems. These other organizations with privileged access to federal data and systems can include grantees, state and local governments, and research and educational institutions. The Office of Management and Budget (OMB) cited contractor security as a governmentwide challenge in a 2001 information security report to Congress. Recognizing the need for agencies to have effective information security programs, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which provides the overall framework for ensuring the effectiveness of information security controls that support federal operations and assets. FISMA requirements apply to all federal contractors and organizations or sources that possess or use federal information or that operate, use, or have access to federal information systems on behalf of an agency. 
Our objectives were to (1) describe the information security risks associated with the federal government's reliance on contractor-provided IT systems and services and other users with privileged access to federal data and systems; (2) identify methods used by federal agencies to ensure security of information and information systems that are operated, used, or accessed by contractors and other users with privileged access to federal data; and (3) discuss steps the administration is taking to ensure implementation and oversight of security of information and information systems that are operated, used, or accessed by contractors and other users with privileged access to federal data and systems.

Recommendations

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: To ensure that agencies are developing the appropriate information security oversight capabilities for contractors and other users with privileged access to federal data and systems, in accordance with FISMA, the Director of OMB should ensure that efforts to update the FAR are completed expeditiously and that such efforts require the agency security management activities mandated by FISMA, including (1) periodic testing and evaluation of management, operational, and technical controls; (2) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in information security policies and procedures; (3) procedures for detecting, reporting, and responding to security incidents; and (4) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.
Status: Closed – Implemented
Comments: The Federal Acquisition Regulation (FAR) has been updated to include the agency information security management activities required by FISMA. The FAR (FAC 2005-06, September 30, 2005) now includes the following language in Subpart 7.1, "Acquisition Plans," Section 7.103, "Agency Head Responsibilities": the agency head or a designee shall prescribe procedures for ensuring that agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB's implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from the Department of Commerce's National Institute of Standards and Technology. Those FISMA requirements include (1) periodic testing and evaluation of the effectiveness of management, operational, and technical controls of every information system identified in the inventory required under section 3505(c); (2) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency; (3) procedures for detecting, reporting, and responding to security incidents; and (4) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

Agency Affected: Office of Management and Budget
Recommendation: To ensure that agencies are developing the appropriate information security oversight capabilities for contractors and other users with privileged access to federal data and systems, in accordance with FISMA, the Director of OMB should ensure that federal agencies develop policies for ensuring the information security of contractors and other users with privileged access to federal data, including (1) establishing procedures for contractor information security oversight; (2) assigning roles and responsibilities; (3) creating specific audit plans for systems and facilities; (4) describing interconnection security agreements; (5) creating requirements for agency information that will be secured at contractor facilities, including storing, processing, and transmitting it on contractor systems, background checks, and facility security; and (6) requiring agency officials to conduct reviews to ensure that IT security requirements are being enforced.
Status: Closed – Implemented
Comments: The Office of Management and Budget (OMB) modified its "FY 2005 Instructions for Preparing the Federal Information Security Management Act Report" to better ensure that federal agencies develop policies for the information security of contractors. The instructions also ask agency Inspectors General to evaluate the agency's oversight of contractor systems as part of the annual FISMA reporting process.

Topics

Computer security, Contract oversight, Contractors, Security policies, Federal agencies, Information resources management, Information security, Information security management, Information systems, Information technology, Malicious code, Risk management, Strategic planning, Policies and procedures