From the U.S. Government Accountability Office, www.gao.gov

Transcript for: Federal Oversight of Contractor Information Security Controls

Description: Audio interview by GAO staff with Greg Wilshusen, Director, Information Technology

Related GAO Work: GAO-14-612: Information Security: Agencies Need to Improve Oversight of Contractor Controls

Released: September 2014

[ Background Music ]

[ Narrator: ] Welcome to GAO's Watchdog Report; your source for news and information from the U.S. Government Accountability Office. It's September 2014. Federal agencies often rely on contractors to operate computer systems and process information on their behalf. Federal law and policy require that agencies ensure that contractors adequately protect these systems and information. A team led by Greg Wilshusen, a director in GAO's Information Technology team, recently reviewed how well agencies oversee contractor-operated systems. GAO's Sarah Kaczmarek sat down with Greg to talk about what they found.

[ Sarah Kaczmarek: ] Your team looked at six federal agencies for this report. How good of a job are they doing overseeing security and privacy controls for systems that contractors use?

[ Greg Wilshusen: ] Well, first let me provide a little context. Contractors own and operate many IT systems on behalf of federal agencies. And these systems, like all federal systems, are required to follow prescribed security policies and privacy protections. And as a result, these systems require oversight by the federal agencies to make sure that their contractors are adequately ensuring that these particular requirements are being met. Our audit found that agencies' oversight of contractor-operated systems was not being consistently implemented. For example, the six agencies we reviewed generally established security and privacy requirements for those systems and prepared for assessments in order to determine whether or not the contractors were adequately implementing those requirements.

However, 5 out of the 6 agencies were inconsistent in overseeing the execution of those assessments and reviewing them to make sure that they were appropriately completed. For example, our review found that 2 of the agencies did not adequately determine whether or not the contractor personnel had received background investigations, which is a requirement for operating these types of systems. In addition, 5 of the agencies did not assure that contractor personnel received the appropriate and required security training for their positions. And finally, we also determined that officials at 3 agencies did not adequately review the assessment results and also did not assure that the plans of action and milestones were being developed, implemented, and updated for identified vulnerabilities.

[ Sarah Kaczmarek: ] Your report's raising a lot of issues here. Why are these shortfalls happening?

[ Greg Wilshusen: ] Well, a primary reason for these shortfalls is that the agencies had not developed and documented procedures for their officials to actually oversee, and what processes they should go through to ensure that, the contractors are implementing these security controls. So, first and foremost, that is just making sure that they document these procedures for agencies to follow. You know, as a result, agencies had less assurance that their oversight of the contractors was effective and consistent to assure that their information and systems were being adequately protected.

[ Sarah Kaczmarek: ] And what's the federal government doing to address these issues?

[ Greg Wilshusen: ] Well, the Office of Management and Budget, OMB, has developed guidance over the years to help and guide agencies in overseeing the performance of their contractors. And the National Institute of Standards and Technology and GSA have also provided assistance in the form of guidance and requirements to agencies to assure that contractors perform these types of activities.

[ Sarah Kaczmarek: ] Let me ask you, what recommendations is your team making in this report?

[ Greg Wilshusen: ] Well, we're recommending that the agencies in our review develop, document, and implement, fully implement, procedures for overseeing the implementation of security and privacy requirements and protections for the information and information systems that they operate.

[ Sarah Kaczmarek: ] Finally, what do you see as the bottom line of this report?

[ Greg Wilshusen: ] Well, I think the bottom line is that the 6 agencies we reviewed made efforts to assess the implementation of security and privacy controls for the selected contractor systems we reviewed. However, until those agencies develop, document, and fully implement specific procedures for overseeing contractors, they will have reduced assurance that their contractors are adequately securing and protecting their information.

[ Background Music ]

[ Narrator: ] To learn more, visit GAO.gov and be sure to tune in to the next episode of GAO's Watchdog Report for more from the congressional watchdog, the U.S. Government Accountability Office.