GAO: Federal Agencies are Falling Short in Overseeing IT Contractors

GAO set out to assess how well certain agencies oversee the security and privacy controls for systems that are operated by contractors and how well the agencies with government-wide security and privacy guidance and oversight responsibilities were doing in helping them. In their audit, GAO reviewed the implementation of security and privacy controls for selected contractor-operated systems across six federal agencies, based on their reported number of contractor-operated systems. These were the Departments of Energy (DOE), Homeland Security (DHS), State, and Transportation (DOT), the Environmental Protection Agency (EPA) and the Office of Personnel Management (OPM). 

GAO found that the agencies generally had established security and privacy requirements for contractors to follow and prepared for assessments to determine the effectiveness of contractor implementation of controls. However, all but DHS were inconsistent in overseeing the execution and review of those assessments. One frequent area of inconsistency was in executing test plans that would identify potential security and privacy risks. In one example, GAO found that the DOT officials did not have evidence that 44 of 133 contractor employees operating one particular system had undergone a current background investigation.

A contributing reason for shortfalls that GAO identified in agency oversight of contractors was that agencies had not effectively documented procedures to direct officials in performing such oversight activities. None of the agencies had procedures in place to direct officials in how to conduct such oversight and that led to inconsistencies.

Another area mentioned by GAO is inconsistently-applied or unclear guidance. OMB FISMA reporting instructions to agencies state that systems operated by contractors are to be reported as part of the agency’s system inventory. But GAO found that agencies are interpreting and applying the guidance differently because the guidance for categorizing and reporting contractor-operated systems does not clearly define what constitutes a contractor-operated system. The difference in application causes many systems that are contractor-operated to not be classified as such.  This has resulted in incomplete information on the number of contractor-operated systems within the government.

Potential Cost Implications

Given the areas of shortfall within agencies it is possible that renewed efforts could have cost and administrative implications in several areas:

• Personnel Security – Scrutiny of contractor background investigations is at an all-time high and inconsistencies discovered by GAO may result in direct costs and/or delays to companies and agencies while sufficient background investigations are completed. Similar implications may result if required agency-specific training in security or contingency planning has not been consistently administered.
• Compliance Efforts – Given GAO’s spotlight on inconsistencies in how systems are evaluated, assessments of systems and personnel for compliance with agency requirements will likely increase, adding short-term burden until processes are in place and efforts are routine.
• FISMA Assessment – Increased clarity or education from OMB on applying their FISMA reporting standards for contractor-operated systems could increase scrutiny on some systems – both government-owned, contractor-operated and contractor-owned, contractor-operated.  Many of these systems may have been previously overlooked or mis-categorized, which could spur deeper scrutiny and increased costs.

Potential Contractor Opportunities

As agencies strive to improve they may look to industry experts for assistance in the following areas:

• Procedure Development – Agencies will need to document the procedures for their officials to follow in order to perform effective oversight of contractors. While these efforts may be considered inherently governmental in nature, some agencies may seek the help of contracted experts to aid in solidifying such procedures. Expect agencies to maintain directive control over this process.
• Independent Assessments – GAO found that five of the six agencies they studied used independent assessors for system reviews, as required by NIST, and this included contracting for these assessment services. There may be continued opportunities for contractors to find work in this area. Expect agency officials to verify that the selected assessor is independent.
• Test Plan Development and Execution – While most agencies that GAO audited had developed test plans, almost none of them had effectively executed test plans. Here is another area where independent contracted services may be in demand.

Considering GAO’s recommendations focus on both procedures and policies – that agencies develop procedures for contractor oversight and that OMB clarify reporting instructions to agencies – it will take some time for agencies to fully address the concerns raised in the report.