How Many Contractors Run Fed IT? Agency Oversight of Vendors Makes Answering that Query Hard
The federal government does not know how many IT systems are run by contractors. That's a takeaway from a study titled Agencies Need to Improve Oversight of Contractor Controls issued Sept. 8 by the Government Accountability Office.
The study contends that federal agencies are inconsistent in following Office of Management and Budget guidance regarding the oversight of contractors in implementing federal information systems' security controls.
The GAO report reveals that federal agencies fail to report all of their contractor-operated IT systems in their annual submissions to OMB as required by the Federal Information Security Management Act, the law that governs federal government IT. "The information is not complete enough to provide OMB with an accurate representation of the number of contractor-operated systems within the government," says Gregory Wilshusen, GAO director of information security issues, in the report.
And that makes OMB's report to Congress on the implementation of FISMA incomplete. "Without complete information about contractor-operated systems, OMB and DHS may limit their ability to assist agencies in improving their cybersecurity postures and Congress will not have complete information on the implementation of FISMA," Wilshusen says.
OMB has ceded some of its IT security authority over civilian federal agencies to the Department of Homeland Security.
Taking OMB to Task
The report also took OMB to task, contending the White House office could be more thorough when providing guidance to agencies on how to categorize and report contract-operated IT systems. Wilshusen says OMB guidelines fail to clearly define a contractor-operated system, which results in agencies interpreting the guidance differently.
For instance, the State Department only reported systems as being contractor operated if the systems were owned and operated by the contractor. Homeland Security, however, reported government-owned systems operated by contractors as being contractor-operated systems and placed systems owned and operated solely by contractors into a third category known as external information systems. The Department of Transportation's inspector general reported that contractors owned and operated 24 of 60 of its information systems but categorized only four as being contractor-operated.
The GAO audit wasn't conducted to determine the number of contractor-operated and/or owned systems but, rather, to evaluate how effective agencies were in ensuring contractors implemented security controls in the systems they ran. Five of six key federal government agencies reviewed by government auditors were deemed inconsistent in making sure contractors employed proper security controls, the exception being DHS.
Besides DHS, GAO examiners scrutinized the Environmental Protection Agency, Office of Personnel Management and the departments of Energy, State and Transportation.
GAO contends the agencies failed to document procedures for officials to follow to effectively oversee contractor performance. "Until these agencies develop, document, and implement specific procedures for overseeing contractors, they will have reduced assurance that the contractors are adequately securing and protecting agency information," Wilshusen says.
Citing an OMB estimate, GAO says contractors represented one-third of IT security personnel in the government's two dozen largest agencies in fiscal year 2012.
As with government employees, contractors who operate systems and provide services to federal agencies provide significant benefits, Wilshusen says, but they also can introduce risks to agency information and systems, such as the unauthorized access, use, disclosure and modification of federal data. "Contractor employees who have access to agency data and technology can introduce risks that can degrade or diminish the confidentiality, integrity, and availability of agency systems or data," he says.
According to the report, agencies generally had not documented procedures to direct officials in effectively performing such oversight activities. For instance, in one of the Transportation Department systems audited, GAO says officials accepted assessment results for 25 controls from the wrong system; the department didn't have procedures in place to direct officials on how to effectively review such test results.
Lack of Procedures
GAO's interviews with personnel working in the agencies' CIO offices revealed that they generally had no procedures in place to direct officials in how to conduct contractor oversight of security controls. Such inconsistencies might have been mitigated if procedures had been created, documented and implemented, the report says.
GAO is recommending that five of the six selected agencies develop procedures for the oversight of contractors and that OMB clarify reporting instructions to agencies. The five agencies generally agreed with the recommendations. OMB did not provide any comments.
But Jim Crumpacker, DHS GAO-OIG liaison officer, says the DHS will work with OMB to update guidance regarding the reporting of the number of contractor-operated systems for fiscal year 2015, which begins Oct. 1.