A new report published by the U.S. Government Accountability Office (GAO) says that a number of government agencies aren’t properly supervising the contractors who make up at least a third of the federal cyber-workforce.
Six federal agencies were audited by the GAO, including the Departments of Energy (DOE), Homeland Security (DHS), State, and Transportation (DOT), the Environmental Protection Agency (EPA), and the Office of Personnel Management (OPM). They were chosen based on their reported number of contractor-operated systems.
The 43-page report, titled “Agencies Need To Improve Oversight Of Contractor Controls,” was generated during a 17-month review that ended in July.
Federal law and policy charge agencies government-wide with preventing leaks of sensitive data by government contractors and with protecting information and systems from threats to national security, economic well-being, and public health and safety. However, all of the agencies except DHS were “inconsistent in overseeing the execution and review” of privacy requirements and contractor implementation controls, according to the GAO.
A contributing factor in the oversight shortfalls, the report concluded, was that the agencies had “no documented procedures for officials to follow in order to effectively oversee contractor performance.”
Among other deficiencies, the GAO found that in certain instances, the Departments of State and Transportation hadn’t notified contractors of essential requirements for working with agency systems. Because the language was not included in their contracts (officials at both agencies were unable to explain why), the outsourced employees could not legally be held to the agencies’ security and privacy requirements. Oversight procedures, such as independent assessments of the contractor-operated systems, were also found to be flawed at both of these agencies.
“For the two State systems we reviewed,” the GAO reported, “department officials responsible for these systems stated that they did not believe that it was necessary for them to check whether contractor employees had undergone a background investigation. However, the system security plans for both State systems had documented the selection of background investigations as applicable security controls, therefore calling for them to be included in the scope of testing.”
Required background checks on government contractors were also an issue at the DOT. For one system evaluated by the GAO, officials had not checked whether seven contractor employees had undergone an investigation. “When they did so in response to our audit, they found that three of them did not,” the auditors said. Additionally, the report found that agency officials couldn’t produce evidence that 44 of 133 contractor employees had undergone a current background check.
One of the chief problems appears to be that government agencies aren’t sure which systems are “contractor-operated” and which aren’t, which leads to deficiencies in how security and privacy protocols are implemented. The report found that executive guidance from the Office of Management and Budget had failed to offer clear definitions. Consequently, agencies are interpreting their responsibilities for protecting the nation’s data in different ways.
Included with the GAO’s report were letters from officials at five of the six agencies evaluated, which detailed how they intended to independently address the security flaws in their departments. State, for instance, agreed with the assessment and said it intends to develop and implement new oversight procedures. An official at DOT, which has a 75 percent contracted workforce, responded to the audit only by email, saying the agency would consider the GAO’s recommendations.
Photo via Leonardo Rizzi/Flickr (CC BY 2.0)