Information Security: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk

GAO-05-362 April 22, 2005

Summary

The federal government increasingly relies on information technology (IT) systems to provide essential services affecting the health, economy, and defense of the nation. To assist in providing these important services, the federal government relies extensively on contractors to provide IT services and systems. In addition to contractors that provide systems and services to the federal government, other organizations possess or use federal information or have access to federal information systems. These other organizations with privileged access to federal data and systems can include grantees, state and local governments, and research and educational institutions. The Office of Management and Budget (OMB) cited contractor security as a governmentwide challenge in a 2001 information security report to Congress. Recognizing the need for agencies to have effective information security programs, Congress passed the Federal Information Security Management Act of 2002 (FISMA), which provides the overall framework for ensuring the effectiveness of information security controls that support federal operations and assets. FISMA requirements apply to all federal contractors and organizations or sources that possess or use federal information or that operate, use, or have access to federal information systems on behalf of an agency. 
Our objectives were to (1) describe the information security risks associated with the federal government's reliance on contractor-provided IT systems and services and other users with privileged access to federal data and systems; (2) identify methods used by federal agencies to ensure security of information and information systems that are operated, used, or accessed by contractors and other users with privileged access to federal data; and (3) discuss steps the administration is taking to ensure implementation and oversight of security of information and information systems that are operated, used, or accessed by contractors and other users with privileged access to federal data and systems.

Contractors and users with privileged access to federal data and systems provide valuable services that contribute to the efficient functioning of the government, but a range of risks (including operational, strategic, and legal) must be managed effectively. Most agencies recognize risks to the confidentiality, integrity, and availability of their information and systems associated with the use of contractors and other users with privileged access to federal data and systems. For example, malicious code can be inserted into agency software and systems. In addition, agencies also reported specific risks when contractors develop software or perform work at off-site facilities. Federal agencies reported additional risks to their operations posed by other users with privileged access to federal data and systems, such as lack of controlled network connections, poor access controls, and the introduction of viruses and worms. Agencies use contracts, policies, and self-assessments for ensuring information security oversight of contractors; however, each of these methods has limitations and needs further strengthening. Most agencies reported using contract language to establish information security requirements for contractors. However, agency-provided contract language generally did not address key elements of FISMA, such as annual testing of controls. In addition, the majority of agencies reported having information security policies for contractors, and almost two-thirds of the agencies reported having such policies for other users with privileged access to federal data. Yet our analysis of agency-provided policies found that only 5 agencies had established policies that specifically addressed information security oversight of contractor-provided systems. Finally, the majority of agencies reported using the NIST self-assessment tool to assess contractor security capabilities. However, only 10 reported using the tool to assess the security implemented by other users with privileged access to federal data.

The administration continues in its efforts to improve information security oversight of contractors, but challenges remain. For example, efforts to update the Federal Acquisition Regulation (FAR) to include the information security requirements of FISMA (which would be reflected in all relevant government contracts) have been under way since 2002, but are not yet complete. OMB continues to gather data about the number of agency systems, including those that are operated by contractors, and how many have been reviewed using a self-assessment tool. However, the data submitted showed that several agencies' chief information officers and inspectors general disagreed on the number of contractor or agency systems by as many as 100 systems or more. In addition, the data collected by OMB does not address other users with privileged access to federal data or the quality of the self-assessments. Finally, NIST has developed guidance, parts of which are relevant to contractor security oversight. However, unified governmentwide guidance for overseeing information security of contractors and other users with privileged access to federal data and systems has not been issued.
Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: Gregory C. Wilshusen
Team: Government Accountability Office: Information Technology
Phone: (202) 512-6244


Recommendations for Executive Action


Recommendation: To ensure that agencies are developing the appropriate information security oversight capabilities for contractors and other users with privileged access to federal data and systems, in accordance with FISMA, the Director of OMB should ensure that efforts to update FAR are completed expeditiously and that such efforts require agency security management efforts required by FISMA, including (1) periodic testing and evaluation of management, operational, and technical controls; (2) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies and procedures; (3) procedures for detecting, reporting, and responding to security incidents; and (4) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: The Federal Acquisition Regulation (FAR) has been updated to include the agency information security management efforts required by FISMA. As a result of this recommendation, the FAR (FAC 2005-06, September 30, 2005) has been updated to include the following information in Subpart 7.1, titled "Acquisition Plans." Specifically, Section 7.103, titled "Agency Head Responsibilities," states that: "The agency head or a designee shall prescribe procedures for ensuring that agency planners on information technology acquisitions comply with the information technology security requirements in the Federal Information Security Management Act (44 U.S.C. 3544), OMB's implementing policies including Appendix III of OMB Circular A-130, and guidance and standards from the Department of Commerce's National Institute of Standards and Technology." Updates to the FAR require that agency planners on information technology acquisitions comply with the information security requirements of FISMA. These requirements include (1) periodic testing and evaluation of the effectiveness of management, operational, and technical controls of every information system identified in the inventory required under section 3505(c); (2) a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency; (3) procedures for detecting, reporting, and responding to security incidents; and (4) plans and procedures to ensure continuity of operations for information systems that support the operations and assets of the agency.

Recommendation: To ensure that agencies are developing the appropriate information security oversight capabilities for contractors and other users with privileged access to federal data and systems, in accordance with FISMA, the Director of OMB should ensure that federal agencies develop policies for ensuring information security of contractors and other users with privileged access to federal data, including (1) establishing procedures for contractor information security oversight; (2) assigning roles and responsibilities; (3) creating specific audit plans for systems and facilities; (4) describing interconnection security agreements; (5) creating requirements for agency information that will be secured at contractor facilities including storing, processing, transmitting on contractor systems, background checks, and facility security; and (6) requiring agency officials to conduct reviews to ensure that IT security requirements are being enforced.

Agency Affected: Executive Office of the President: Office of Management and Budget

Status: Implemented

Comments: The Office of Management and Budget (OMB) has modified its "FY 2005 Instructions for Preparing the Federal Information Security Management Act Report" to better ensure that federal agencies develop policies for ensuring the information security of contractors. It also requests agency IGs to evaluate the agency's oversight of contractor systems as part of the annual FISMA reporting process.