
Reducing Risk Associated With Contractors

IT Audit

Contractors and other users with privileged access to federal information pose a range of risks — operational, strategic, and legal — that must be managed effectively.

The U.S. federal government relies extensively on IT services and systems provided by outside contractors. Although such contractors help the federal government run more effectively, they can also introduce security risks. In a recent report, Information Security: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk, the U.S. Government Accountability Office (GAO) warned that agencies need to increase safeguards against cyberattacks by contractors and other users who have privileged access to federal data and systems.

The U.S. government is one of the largest users and acquirers of data, information, and supporting technology systems in the world, and plans to invest approximately $65 billion annually on IT — with services and systems coming from thousands of contractors, according to the GAO report. Contracting IT services can allow an agency to obtain or offer enhanced services without the cost of ownership and operation. Contractors provide IT services in several ways: at agency facilities, on behalf of the agency at contractor facilities, or to an agency via remote access. They also develop or maintain IT systems or software.

In accordance with the Federal Information Security Management Act of 2002 (FISMA), agencies are required to implement policies and procedures for overseeing their contractor-provided systems, such as annual testing of controls. Most agencies have not yet incorporated the federal requirements into their contracts, policies, and self-assessments, according to the GAO report.

The Office of Management and Budget (OMB) in a 2001 information security report to the U.S. Congress cited "contractor security" as a governmentwide challenge. As a result, Congress passed FISMA, which includes a framework for providing information security controls that support federal operations. To review the current state of such controls, the GAO analyzed documentation from 24 federal agencies and interviewed officials about their policies and procedures for overseeing contractor security.

The GAO's review of agency policies found that only five agencies had established specific information security oversight policies. The report also found that only 10 reported using a tool provided by the National Institute of Standards and Technology (NIST) to assess users who have privileged access to federal data and systems.

As outlined in the GAO report, agencies should recognize that contractors and other users with privileged access to federal data and systems, including grantees, state and local governments, and research and educational institutions, can introduce risks related to various aspects of an organization, such as:

  • Strategy. Management inexperience in overseeing contractor operations can lead to inaccurate contractor information that negatively impacts agency decisions. For example, deceptive information from a contractor may prevent management from having the necessary data to make a well-informed strategic decision.
  • Reputation. Errors, delays, system failures, or unauthorized disclosure of information may negatively impact how an agency is viewed by the public, state and local governments, and other federal agencies.
  • Implementation. Initiating a contractor relationship may require a complex transition of people, processes, hardware, software, and other assets from the agency to the provider or from one provider to another, all of which can introduce new risks.
  • Operations. In addition to fraud or error, contractor information security weaknesses can negatively impact the delivery of products, maintenance of operations, transactions, customer service, and internal control processes.
  • Shared environments. Contractors may use one system to service multiple clients. For example, sharing a common network across multiple clients can expose an organization's sensitive information to outside parties.

To ensure that agencies are implementing appropriate measures, the GAO recommended, in accordance with FISMA, that the OMB help speed up the process of updating the Federal Acquisition Regulation (FAR) to include the FISMA information security requirements. FAR was established to codify uniform policies for acquisition of supplies and services by executive agencies.

Updates to FISMA requirements have been under way since 2002. The rules specify that agencies must periodically test and evaluate management, operational, and technical controls; create a process to plan, implement, evaluate, and document remedial action to address any deficiencies in information security policies; and implement procedures to detect, report, and respond to security incidents.

The GAO also recommended that federal agencies develop policies, such as:

  • Establishing procedures for contractor information security oversight.
  • Assigning roles and responsibilities.
  • Creating specific audit plans for systems and facilities.
  • Describing interconnection security agreements.
  • Creating requirements for agency information that will be secured at contractor facilities, which include storing, processing, transmitting on contractor systems, and checking background and facility security.
  • Requiring agency officials to conduct reviews to ensure that IT security requirements are enforced.

To assist agencies in managing the risks related to contractors and other users with privileged access to federal data and systems, the GAO also recommended that the Secretary of Commerce create a unified set of guidance for developing appropriate information security policies.

Information Security: Improving Oversight of Access to Federal Systems and Data by Contractors Can Reduce Risk can be downloaded from the GAO Web site, www.gao.gov/cgi-bin/getrpt?GAO-05-362.