Contractor networks create security risk, Defense official says

Information technology contractors pose a major security risk by not locking down their networks properly, according to the Defense Department's top IT official. That threat, along with the risks associated with offshoring and with acquisitions of American IT firms by foreign companies, is driving defense and intelligence agency initiatives to develop stricter information security standards.

Contractors managed 1,353 systems on behalf of federal agencies in fiscal 2007, according to an Office of Management and Budget fiscal 2007 report on the implementation of the 2002 Federal Information Security Management Act, submitted to Congress in late February. Less than half of 25 major agencies said they "almost always" ensured that information systems used or operated by a contractor met the requirements of FISMA, OMB policy, and guidelines set by the National Institute of Science and Technology.

Lack of oversight, combined with contractors' failure to secure their networks, put sensitive government information at risk, said John Grimes, Defense chief information officer and assistant secretary for networks and information integration, during a panel discussion Tuesday at the Information Processing Interagency Conference in Orlando, Fla.

"We have a propensity to talk about the infrastructure, but we have to remember why we're here -- to protect the data," he said. "There's 'exfiltration' of sensitive data from contractors, [which is] a big issue for national security."

Smaller companies often present bigger risk because they are less accustomed to dealing with sensitive or classified information flowing through their networks than large systems integrators.

"And remember, primes are responsible for what comes up from subcontractors," Grimes said, citing an incident in which a subcontractor assigned a foreign national without proper clearance to write code for a sensitive defense program. "[The company] meant well, but there was ignorance of what could be done," Grimes said.

Defense is working to educate large contractors and develop standards to ensure that proper security protocols are followed, and the department plans to do the same with network and IP providers. Grimes said that globalization, driven by the Internet, makes intellectual property far more difficult to protect. The trend also creates concerns about mergers and acquisitions of IT firms by foreign companies, he said, and the offshoring of sensitive processes.

"Do you know what's coming back? Have you challenged your contractors [to find out]? These are the challenges we as a community -- as CIOs -- need to think about under this umbrella of cybersecurity."

COMMENTS

  • This concern is way overdue. Vendors with federal contracts should be held to the federal IT security standards (which are thick in volume). That these vendors routinely access federal systems and data via their non-federal networks is a huge backdoor vulnerability. See, security measures (protecting the taxpayer's data) are not always profitable...and ALL vendors are endeavoring to turn a profit. I'm not faulting the vendors for that, but it should be understood that profit will always come before security for these entities, thus they should not be allowed to police themselves in this area. Feds charged with this responsibility must be allowed to exercise control over it.
  • Unfortunately, since contracting out a number of positions formerly held by the Government workforce, this continues to be a problem. The only way to ensure contractors abide by the policies and procedures is to ensure the proper penalties are defined in contracts and if after three offenses, contractors should be T4C (Terminated for Convenience) or T4D (Terminated for Default) and if occurrence is prior to contract completion further penalized for re-advertising and hiring a more competent company. If these infractions were committed by a Government worker, they would be penalized either in the form of counseling and/or administrative action. I cannot fathom why the same cannot be applied and/or enforced for contractors. It behooves the Government to ensure the proper procedural guidance is in place to detract those shirking their responsibility and/or companies hiring foreign nationals not in possession of the required clearances working with sensitive data. All too often prime contractors are focused on their bottom line and not the end product or acceptance of responsibility for their complacency. My concern is the passage of sensitive data through a breach or flaw in the system and the disclosure of information without authorization or official sanction. It's past time for imposition of penalties to preclude data getting into the wrong hands.