The U.S. government spent $214 billion on contract projects in 2013, including over $18.2 billion on information technology contracts. In light of recent cyber attacks on government contractors, politicians have grown concerned about how well government agencies monitor and manage government contractors’ access to sensitive government information.
A recent U.S. Government Accountability Office (GAO) report examined whether six government agencies had developed and carried out policies for overseeing contractor-operated networks and systems. The GAO inquiry had two major objectives: to assess how selected agencies oversaw security for contractor-operated systems and to assess how effectively the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), and the General Services Administration (GSA) assisted these agencies.
The GAO identified several key categories of agency action: establishing oversight requirements; planning control assessments; and conducting and reviewing these assessments.
The GAO found that the U.S. Department of Homeland Security (DHS), the U.S. Environmental Protection Agency (EPA), the Department of Energy (DOE), and the U.S. Office of Personnel Management all had fully implemented policies on contractor oversight. By contrast, the U.S. Department of State (DOS) and the U.S. Department of Transportation (DOT) had only partially implemented such policies. Of these six agencies, the GAO found that only DHS and the EPA had consistently planned and executed assessments of their policies and that only DHS had consistently reviewed its assessments.
The GAO also reviewed OMB’s guidance to agencies, concluding that some of OMB’s definitions are unclear. According to the GAO, different agencies have interpreted some of OMB’s guidance differently, leading to failures in overseeing all contractor-operated systems adequately and systematically.
The GAO report examined the guidance that NIST and the GSA provided to agencies on how to establish effective oversight of contractors, as required in the Federal Information Security Management Act. The report noted that NIST has established and revised guidelines regulating the security that contractors must provide for sensitive information and how agencies manage the risks associated with using contractors. The GSA provided contract templates and assistance for agencies to draft contracts.
The GAO report offered individual recommendations for each of the agencies except for DHS, for which the report offered no recommendations. These recommendations suggested how agencies should plan, execute, and review tests for each of their contractor-operated systems. The GAO also recommended that OMB work with DHS to provide clearer guidance to agencies.
Each of the agencies except for the DOT submitted letters responding to a draft of the GAO report. DHS, OPM, and DOS concurred with the GAO’s findings and recommendations, and the EPA concurred but added that they have already made progress in conducting tests on contractor systems. The DOE outlined the policies and past regulations that the agency has implemented to ensure contractor security.
The GAO selected these six agencies to represent a cross-section of agency oversight. In choosing these six agencies, the GAO divided agencies based on their number of contractor-operated systems, categorizing the eight agencies with the most of these systems as “high,” the following eight as “medium,” and the last eight as “low.” The GAO then selected the two highest ranked agencies from within each of these three categories. Finally, within each agency, the GAO randomly selected two systems to analyze.
The GAO is an independent congressional agency that audits government agencies and advises Congress on making government more efficient. According to the GAO, its actions result in measurable financial benefits of $51.5 billion compared to its budget of $507.2 million. The office previously has examined issues surrounding the use of government contractors, such as the effectiveness of Medicare contractors.