Federal agencies often rely on contractors to operate computer systems and process information on their behalf, but agencies must ensure that contractors adequately protect these systems and information.
A report released today by the Government Accountability Office details GAO’s review of agency oversight of contractor-operated systems for six federal agencies. GAO found the agencies generally established security and privacy requirements and planned for assessments to determine the effectiveness of contractor implementation of controls. However, GAO also found five of the agencies were inconsistent in overseeing the execution and review of those assessments, resulting in security lapses.
In one agency, testing did not discover that background checks of contractor employees were not conducted.
According to the report, a contributing reason for these shortfalls is that agencies had not documented procedures for officials to follow in order to effectively oversee contractor performance.
GAO recommended that five of the six selected agencies develop procedures for the oversight of contractors and that the Office of Management and Budget clarify reporting instructions to agencies.