Skip to main content

Information Security: Agencies Need to Improve Oversight of Contractor Controls

GAO-14-612 Published: Aug 08, 2014. Publicly Released: Sep 08, 2014.
Jump To:
Skip to Highlights

Highlights

What GAO Found

Although the six federal agencies that GAO reviewed (the Departments of Energy (DOE), Homeland Security (DHS), State, and Transportation (DOT), the Environmental Protection Agency (EPA) and the Office of Personnel Management (OPM)) generally established security and privacy requirements and planned for assessments to determine the effectiveness of contractor implementation of controls, five of the six agencies were inconsistent in overseeing the execution and review of those assessments, resulting in security lapses. For example, in one agency, testing did not discover that background checks of contractor employees were not conducted. The following table shows the degree of implementation of oversight activities at selected agencies.

GAO Evaluation of Agency Oversight of Selected Contractor-Operated Systems

 

Establish requirements

Plan assessment

Execute assessment

Review assessment

DOE

DHS

State

DOT

EPA

OPM

Source: GAO analysis of agency data. | GAO 14 612

                                    ● Fully Implemented                     ◐ Partially Implemented                       ○ Not Implemented

A contributing reason for these shortfalls is that agencies had not documented procedures for officials to follow in order to effectively oversee contractor performance. Until these agencies develop, document, and implement specific procedures for overseeing contractors, they will have reduced assurance that the contractors are adequately securing and protecting agency information.

The Office of Management and Budget (OMB), the National Institute of Standards and Technology, and the General Services Administration have developed guidance to assist agencies in ensuring the implementation of security and privacy controls by their contractors. However, OMB guidance to agencies for categorizing and reporting on contractor-operated systems is not clear on when an agency should identify a system as contractor-operated and therefore agencies are interpreting the guidance differently. In fiscal year 2012, inspectors general from 9 of the 24 major agencies found data reliability issues with agencies' categorization of contractor-operated systems. Without accurate information on the number of contractor-operated systems, OMB assistance to agencies to help improve their cybersecurity posture will be limited and OMB's report to Congress on the implementation of the Federal Information Security Management Act (FISMA) is not complete.

Why GAO Did This Study

Federal agencies often rely on contractors to operate computer systems and process information on their behalf. Federal law and policy require that agencies ensure that contractors adequately protect these systems and information.

GAO was asked to evaluate how well agencies oversee contractor-operated systems. The objectives of this report were to assess the extent to which (1) selected agencies oversee the security and privacy controls for systems that are operated by contractors on their behalf and (2) executive branch agencies with government-wide guidance and oversight responsibilities have taken steps to assist agencies in ensuring implementation of information security and privacy controls by such contractors. To do this, GAO selected six agencies based on their reported number of contractor-operated systems and two systems at each agency using a non-generalizable random sample for review, analyzed agency policies and procedures, and examined security and privacy-related artifacts for selected systems. GAO also interviewed agency officials, and reviewed federal guidance and evaluated agency FISMA submissions.

Recommendations

GAO is recommending that five of the six selected agencies develop procedures for the oversight of contractors and that OMB clarify reporting instructions to agencies. The five agencies generally agreed with the recommendations and OMB did not provide any comments.

Recommendations for Executive Action

Agency Affected Recommendation Status
Department of Energy To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test plan is developed.
Closed – Implemented
In fiscal year 2018, we verified that the Department of Energy (DOE), in response to our recommendation developed, documented, and implemented a system test plan as evidenced by the scope, breadth, and depth of its documented assessment of the National Institute of Standards and Technology (NIST) 800-53 security controls.
Department of Energy To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.
Closed – Implemented
In fiscal year 2018, we verified that the Department of Energy (DOE), in response to our recommendation, developed, documented, implemented oversight procedures and executed its system test plan as evidenced by the scope, breadth, and depth of its documented assessment of the National Institute of Standards and Technology (NIST) 800-53 security controls.
Department of Energy To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.
Closed – Implemented
In fiscal year 2018, we verified that the Department of the Energy (DOE), in response to our recommendation, developed, documented, implemented oversight procedures and reviewed the test results.
Department of State To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.
Closed – Implemented
In fiscal year 2018, we verified that State, in response to our recommendation, communicated security and privacy requirements to contractors in its task orders for the contractor-run systems.
Department of State To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, an independent assessor is selected to assess the system.
Closed – Implemented
In fiscal year 2018, we verified that the Department of State (State), in response to our recommendation, developed, documented, and implemented oversight procedures for ensuring that an independent assessor performed a security assessment for both of its contractor-operated systems.
Department of State To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.
Closed – Implemented
In fiscal year 2018, we verified that the Department of State (State), in response to our recommendation, has fully executed its test plans as evidenced by the existence of plans of actions and milestones which documented the nature of findings based on weaknesses found during the assessment and authorization phase of the system.
Department of State To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.
Closed – Implemented
In fiscal year 2018, we verified that the Department of State (State), in response to our recommendation, has instituted procedures in its "Information Systems Security Requirements Instructions" for completing annual control test assessments of contractor-operated systems. Additionally, State officials have reviewed assessment test results of its contractor-operated systems.
Department of State To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.
Closed – Implemented
In fiscal year 2018, we verified that the Department of State (State), in response to our recommendation, maintained plans of action and milestones that identified estimated completion dates and the resources assigned for implementing the corrective actions.
Department of Transportation To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.
Closed – Implemented
In fiscal year 2018, we verified the Department of Transportation (DOT), in response to our recommendation, communicated security and privacy requirements through the issuance of the Transportation Acquisition Manual and implemented the requirements in its acquisition of the Crash Data Acquisition Network, Cloud-provider contracting, and FedRamp initiative.
Department of Transportation To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.
Closed – Implemented
In fiscal year 2018, we verified that the Department of Transportation (DOT), in response to our recommendation, has fully executed testing plans for its contractor-operated systems as evidenced by its thorough assessment of the security controls identified in National Institute of Standards and Technology (NIST) Special Publication 800-53.
Department of Transportation To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.
Closed – Implemented
In fiscal year 2018, we verified that Department of Transportation (DOT) officials, in response to our recommendation, have reviewed the test results of its contractor-operated system assessments.
Department of Transportation To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned to resolution are maintained.
Closed – Implemented
In fiscal year 2018, we verified that the Department of Transportation (DOT), in response to our recommendation, maintained plans of action and milestones that identified estimated completion dates and the resources assigned to implement the corrective actions.
Environmental Protection Agency To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.
Closed – Implemented
In fiscal year 2018, we verified that the Environmental Protection Agency, in response to our recommendation, has fully executed testing plans for its contractor-operated systems as evidenced by its thorough assessment of the security controls identified in NIST Special Publication 800-53.
Environmental Protection Agency To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.
Closed – Implemented
In fiscal year 2018, we verified that the Environmental Protection Agency (EPA), in response to our recommendation, maintained plans of action and milestones that identified estimated completion dates and the resources assigned to implement the corrective actions.
Office of Personnel Management
Priority Rec.
To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Director of the Office of Personnel Management should develop, document, and implement oversight procedures for ensuring that a system test is fully executed for each contractor-operated system.
Closed – Implemented
The Office of Personnel Management (OPM) concurred with our recommendation. In fiscal year 2018, we verified that OPM issued a post-inspection report template for documenting its security and privacy controls assessments of contractors' information technology sites. The template lists the applicable contract clauses, and the procedures for assessing controls. The agency also updated training on security assessment standards. These actions increase assurance that the agency will be able to provide its officials with accurate assessments of contractors' security and privacy controls.
Office of Management and Budget To be able to effectively assist agencies with their contractor oversight programs, the Director of the Office of Management and Budget, in collaboration with the Secretary of Homeland Security, should develop and clarify reporting guidance to agencies for annually reporting the number of contractor-operated systems.
Closed – Implemented
In fiscal year 2018, we verified that the Office of Management and Budget (OMB) and Department of Homeland Security (DHS), in response to our recommendation, have developed and clarified reporting guidance to agencies for annually reporting contractor-operated systems by providing a definition for "contractor-operated systems" in its fiscal year 2018 Chief Information Officer Federal Information Security Modernization Act metrics.

Full Report

GAO Contacts

Gregory C. Wilshusen
Director
Information Technology and Cybersecurity

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Agency evaluationComputer securityConfidential communicationsContract performanceContractor personnelCyber securityFederal procurementGovernment informationInformation securityInformation systemsInformation technologyInternal controlsPrivacy policiesRegulatory agenciesReporting requirementsRequirements definitionStrategic information systems planningGovernment agency oversight