Information Security:

Agencies Need to Improve Oversight of Contractor Controls

GAO-14-612: Published: Aug 8, 2014. Publicly Released: Sep 8, 2014.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov


Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Although the six federal agencies that GAO reviewed (the Departments of Energy (DOE), Homeland Security (DHS), State, and Transportation (DOT); the Environmental Protection Agency (EPA); and the Office of Personnel Management (OPM)) generally established security and privacy requirements and planned assessments to determine how effectively contractors had implemented controls, five of the six agencies were inconsistent in overseeing the execution and review of those assessments, resulting in security lapses. For example, at one agency, testing did not discover that background checks of contractor employees had not been conducted. The following table shows the degree to which oversight activities were implemented at the selected agencies.

GAO Evaluation of Agency Oversight of Selected Contractor-Operated Systems

[Table. Oversight activities (columns): Establish requirements; Plan assessment; Execute assessment; Review assessment. Agencies (rows): DOE, DHS, State, DOT, EPA, OPM. The per-cell rating symbols are not reproduced here.]

Legend: ● Fully Implemented; ◐ Partially Implemented; ○ Not Implemented

Source: GAO analysis of agency data. | GAO-14-612

A contributing reason for these shortfalls is that the agencies had not documented procedures for officials to follow in overseeing contractor performance. Until these agencies develop, document, and implement specific procedures for overseeing contractors, they will have reduced assurance that contractors are adequately securing and protecting agency information.

The Office of Management and Budget (OMB), the National Institute of Standards and Technology, and the General Services Administration have developed guidance to assist agencies in ensuring that their contractors implement security and privacy controls. However, OMB guidance to agencies for categorizing and reporting on contractor-operated systems is not clear on when an agency should identify a system as contractor-operated, and agencies are therefore interpreting the guidance differently. In fiscal year 2012, inspectors general at 9 of the 24 major agencies found data reliability issues with their agencies' categorization of contractor-operated systems. Without accurate information on the number of contractor-operated systems, OMB's ability to help agencies improve their cybersecurity posture will be limited, and OMB's report to Congress on implementation of the Federal Information Security Management Act (FISMA) is incomplete.

Why GAO Did This Study

Federal agencies often rely on contractors to operate computer systems and process information on their behalf. Federal law and policy require that agencies ensure that contractors adequately protect these systems and information.

GAO was asked to evaluate how well agencies oversee contractor-operated systems. The objectives of this report were to assess the extent to which (1) selected agencies oversee the security and privacy controls for systems that contractors operate on their behalf and (2) executive branch agencies with government-wide guidance and oversight responsibilities have taken steps to assist agencies in ensuring that such contractors implement information security and privacy controls. To do this, GAO selected six agencies based on their reported number of contractor-operated systems and, using a non-generalizable random sample, two systems at each agency for review; analyzed agency policies and procedures; and examined security- and privacy-related artifacts for the selected systems. GAO also interviewed agency officials, reviewed federal guidance, and evaluated agency FISMA submissions.

What GAO Recommends

GAO is recommending that five of the six selected agencies develop procedures for the oversight of contractors and that OMB clarify its reporting instructions to agencies. The five agencies generally agreed with the recommendations; OMB did not provide comments.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that the Department of Energy (DOE), in response to our recommendation, developed, documented, and implemented a system test plan, as evidenced by the scope, breadth, and depth of its documented assessment of the National Institute of Standards and Technology (NIST) 800-53 security controls.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test plan is developed.

    Agency Affected: Department of Energy

  2. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that the Department of Energy (DOE), in response to our recommendation, developed, documented, and implemented oversight procedures and executed its system test plan, as evidenced by the scope, breadth, and depth of its documented assessment of the National Institute of Standards and Technology (NIST) 800-53 security controls.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency Affected: Department of Energy

  3. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that the Department of Energy (DOE), in response to our recommendation, developed, documented, and implemented oversight procedures and reviewed the test results.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Energy should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency Affected: Department of Energy

  4. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that State, in response to our recommendation, communicated security and privacy requirements to contractors in its task orders for the contractor-run systems.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency Affected: Department of State

  5. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that the Department of State (State), in response to our recommendation, developed, documented, and implemented oversight procedures for ensuring that an independent assessor performed a security assessment for both of its contractor-operated systems.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, an independent assessor is selected to assess the system.

    Agency Affected: Department of State

  6. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that the Department of State (State), in response to our recommendation, has fully executed its test plans, as evidenced by the existence of plans of action and milestones that documented the nature of findings based on weaknesses found during the assessment and authorization phase of the system.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency Affected: Department of State

  7. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that the Department of State (State), in response to our recommendation, has instituted procedures in its "Information Systems Security Requirements Instructions" for completing annual control test assessments of contractor-operated systems. Additionally, State officials have reviewed the assessment test results of the agency's contractor-operated systems.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency Affected: Department of State

  8. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that the Department of State (State), in response to our recommendation, maintained plans of action and milestones that identified estimated completion dates and the resources assigned for implementing the corrective actions.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of State should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency Affected: Department of State

  9. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that the Department of Transportation (DOT), in response to our recommendation, communicated security and privacy requirements through issuance of the Transportation Acquisition Manual and implemented the requirements in its acquisition of the Crash Data Acquisition Network, its cloud-provider contracting, and its FedRAMP initiative.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, security and privacy requirements are communicated to contractors.

    Agency Affected: Department of Transportation

  10. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that the Department of Transportation (DOT), in response to our recommendation, has fully executed testing plans for its contractor-operated systems, as evidenced by its thorough assessment of the security controls identified in National Institute of Standards and Technology (NIST) Special Publication 800-53.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency Affected: Department of Transportation

  11. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that Department of Transportation (DOT) officials, in response to our recommendation, have reviewed the test results of the agency's contractor-operated system assessments.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, test results are reviewed by agency officials.

    Agency Affected: Department of Transportation

  12. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that the Department of Transportation (DOT), in response to our recommendation, maintained plans of action and milestones that identified estimated completion dates and the resources assigned to implement the corrective actions.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Secretary of Transportation should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned to resolution are maintained.

    Agency Affected: Department of Transportation

  13. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that the Environmental Protection Agency (EPA), in response to our recommendation, has fully executed testing plans for its contractor-operated systems, as evidenced by its thorough assessment of the security controls identified in NIST Special Publication 800-53.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, a system test is fully executed.

    Agency Affected: Environmental Protection Agency

  14. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that the Environmental Protection Agency (EPA), in response to our recommendation, maintained plans of action and milestones that identified estimated completion dates and the resources assigned to implement the corrective actions.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Administrator of the Environmental Protection Agency should develop, document, and implement oversight procedures for ensuring that, for each contractor-operated system, plans of action and milestones with estimated completion dates and resources assigned for resolution are maintained.

    Agency Affected: Environmental Protection Agency

  15. Status: Closed - Implemented

    Priority recommendation

    Comments: The Office of Personnel Management (OPM) concurred with our recommendation. In fiscal year 2018, we verified that OPM issued a post-inspection report template for documenting its assessments of the security and privacy controls at contractors' information technology sites. The template lists the applicable contract clauses and the procedures for assessing controls. The agency also updated its training on security assessment standards. These actions increase assurance that the agency will be able to provide its officials with accurate assessments of contractors' security and privacy controls.

    Recommendation: To ensure that the privacy and security controls of contractor-operated systems are being properly overseen, the Director of the Office of Personnel Management should develop, document, and implement oversight procedures for ensuring that a system test is fully executed for each contractor-operated system.

    Agency Affected: Office of Personnel Management

  16. Status: Closed - Implemented

    Comments: In fiscal year 2018, we verified that the Office of Management and Budget (OMB) and the Department of Homeland Security (DHS), in response to our recommendation, developed and clarified reporting guidance to agencies for annually reporting contractor-operated systems by providing a definition of "contractor-operated systems" in the fiscal year 2018 Chief Information Officer Federal Information Security Modernization Act metrics.

    Recommendation: To be able to effectively assist agencies with their contractor oversight programs, the Director of the Office of Management and Budget, in collaboration with the Secretary of Homeland Security, should develop and clarify reporting guidance to agencies for annually reporting the number of contractor-operated systems.

    Agency Affected: Executive Office of the President: Office of Management and Budget
