GAO Cyber Study Shows Contractors Operate Vital Systems at Key Civilian Agencies

Recently, I looked at how GAO’s cybersecurity review shows growing reliance on contractors for important IT operations. OMB had agencies report the number of agency and contractor systems by “impact levels” – low, medium or high – as defined by the National Institute of Standards and Technology (NIST) in their 2004 Federal Information Processing Standards (FIPS) Publication 199. (For a link to both the GAO report and the FIPS 199 documentation, see my previous entry. Here, I thought I would dig a bit deeper at the agency level to see what we could glean from the available data.

FY 2014 Data Points to Select Civilian Agencies

In an appendix to their study, GAO provided some agency-specific data for fiscal year (FY) 2014 where agencies reported the number of agency and contractor-operated systems by impact level defined in FIPS 199. Rather than simply restate the data below I thought I would look at some of the relative proportions among the two main categories of agency-operated and contractor-operated to see what tendencies might emerge. (See table below.)

Observations

• Agencies that have >50% of their systems as contractor-operated are Education, Energy, GSA, and USAID.
• DHS has 16% of its systems as contractor-operated. Of these systems, 94% are identified as High (15%) or Moderate (78%) impact level. Among the 84% of systems that are agency-operated, 96% of these systems are identified as High (23%) or Moderate (73%) impact level.
• Energy did not categorize nearly half (46%) of its contractor-operated systems, which account for 73% of their 588 systems.  This percentage of non-categorized systems makes DoE stand out among all of the reporting agencies.
• The DoD and civilian agencies split the percentage of the total number of systems almost down the middle. DoD reported 4,673 systems, which accounts for 47% of the total 9,906 reported systems. The civilian agencies reported 5,233 systems, which accounts for 53% of the total. DoD reports only 2% of their systems being contractor-operated and none of those systems fall within the High impact level area.
• The agencies reporting the largest number of systems are DHS (583), DoD (4,673), Energy (588), HHS (611), NASA (473), Transportation (459), and Treasury (357). These seven agencies account for 7,744 (78%) of the total reported systems. Yet, these same agencies report a total of 1,072 systems as contractor-operated, which is about 14% of their combined total systems. Factoring out DoD from this, these top civilian agencies account for 3,071 total systems, of which 975 are contractor-operated, or about 32%.
• Justice’s 214 systems are 93% agency-operated and have the highest percentage of High impact level systems at 30% among the larger agencies.
• OPM’s 44 total systems mostly agency-operated, but the 44% of systems that are contractor-operated have a high percentage (90%) of systems with a High (30%) or Medium (60%) impact level.

While the focus might naturally center on the number of systems that fall in the high impact level area for both categories, the sheer volume of systems in the moderate classification should draw some attention. Under the moderate impact level the loss of confidentiality, integrity, or availability could be expected to have “a serious adverse effect” on organizational operations, organizational assets, or individuals per FIPS 199.

Across both operational categories, 5,766 of the total 9,906 systems – nearly 60% of the systems – were designated at moderate impact level, compared to 10% and 8% of systems labeled high impact for agency-operated and contractor-operated respectively. This means that agencies and contractors alike must ensure that they are giving as much cybersecurity attention to these systems as they are to the high impact systems to protect against operational disruptions.