A new report from the Government Accountability Office called out civilian agencies for not adequately overseeing the contractors who run their computer systems.
The office reviewed the practices of six agencies, and found that most of them did not do a good job of assessing whether the contractor employees working for them implemented the agency’s security and privacy requirements. For example, the Transportation Department was unaware that some of its contractor employees did not even have the required background checks for their security clearances.
All the agencies were competent at establishing security and privacy requirements, but five out of six agencies were “inconsistent” about testing whether contractors met those requirements, the GAO said. The exception was the Department of Homeland Security.
In light of the growing number of cyberattacks targeted at the government and contractors, the report said federal agencies needed to do a better job of ensuring that contractors adhere to security protocols.
The six agencies GAO reviewed were the Office of Personnel Management, the Environmental Protection Agency, DHS, and the Energy, State and Transportation departments.
How can government agencies use new technology to become efficient while trying to balance the security concerns that arise from their adoption? And what guidelines will be set for contractors who work with them?
Those were some of the questions tackled at media company NextGov’s Prime 2014 conference last week.
“Move to the cloud if you haven’t already, don’t try to fight it,” Mark Pietrasanta, chief technology officer at Aquilent, a services contractor, urged a crowd of government and industry officials during a panel discussion titled “Clearing the Hurdles to Agency Innovation.”
At another session titled “Evolutions in Cyber-Security & Stopping Next-Generation Insider Threats,” panelists reminded the audience that breaches have become the norm rather than the exception. By the year 2020, attacks will be so common that private companies will purchase “cybersecurity insurance” to protect themselves, said Ari Schwartz, a member of the White House’s National Security Council.
The threat of attack shouldn’t be a roadblock to government’s adoption of technology, others said, but a consideration while building and implementing new systems.
“You’ve either been breached or you’re about to be breached,” said Steve Cooper, the Commerce Department’s chief information officer.
The two-day conference was held at the Ronald Reagan Building and International Trade Center in Washington.