While most of the 24 agencies surveyed use contract language to establish infosec requirements for contractors, the language generally did not address key components of FISMA (Federal Information Security Management Act), such as annual testing of controls, auditors reported.
Only five agencies had established policies that specifically addressed infosec oversight of contractor-provided systems, and only 10 used a tool to assess the security of other users with privileged access to federal data.
In addition, several agencies' CIOs and inspectors general disagreed on the number of contractor or agency systems by as many as 100 systems or more, auditors said.
In response to the GAO report, Rep. Tom Davis (R-Va.), chairman of the House Committee on Government Reform, noted that FISMA requires agencies to develop and implement policies and procedures for overseeing contractor-provided systems.
"Despite these safeguards, contractor access to federal data systems presents a broad range of security risks that the government must confront," he said in a statement.
Davis said the committee will look at a number of ways to improve the situation, including examining the Office of Management and Budget's efforts to update the Federal Acquisition Regulation to include stricter infosec requirements.
The committee also would support NIST developing a comprehensive guide to help agencies develop infosec policies for contractors.
Another GAO report found that the Federal Deposit Insurance Corporation (FDIC) still needs to shore up its sensitive computer systems, despite making significant improvements to its infosec efforts.