Report: Agencies Aren’t Properly Vetting All Cyber Contractors
Most departments failed to assess whether IT vendors took security precautions.

Vendors operating systems that handle government data are required to take security precautions, but most agencies are not making sure they do so.

That is the finding of the latest federal audit of agency cybersecurity. The deficiency is significant because contract employees make up a third of the total federal cyber workforce, according to the Government Accountability Office.

More than 75 percent of the Transportation Department's information security workforce are contractors -- and some of them had not gone through background checks, GAO said in a new report.

But department officials responsible for testing compliance "had not evaluated whether the seven contractor employees working on [a] system had the required background investigation," the report stated.

After auditors informed the department of the slip-up, Transportation officials found that three of them had not been investigated. Officials consequently blocked those personnel from accessing the system until their background checks were completed.

A similar situation occurred at the State Department, where almost all of the agency's cyber staff is outsourced.

Officials there felt it was unnecessary to verify background investigations had taken place on one particular system, according to GAO.

Agencies Don't Always Know if Contractors Should be Trusted

"By not testing that all contractor employees operating a system have had an appropriate background investigation completed, agency officials lack assurance that contractor employees can be trusted with access to government information and systems," the report stated.

On another Transportation project GAO studied, there was no proof that a total of 44 people – a third of the contractors working on the system evaluated – had undergone investigations.

The agencies evaluated -- State, Transportation, the Office of Personnel Management, the Environmental Protection Agency, and the departments of Energy and Homeland Security -- were specifically chosen because their contractor-to-civil servant ratio varied.

Governmentwide, agencies are mandated to see to it that contractors prevent leaks of sensitive data, bar unauthorized individuals from accessing systems and don’t install malicious code, among other things. 

But five of the six agencies scrutinized did not supervise the execution of those protections or review whether they were performed appropriately -- "resulting in security lapses," the report stated.  

“Oversight of the execution and review of assessments of contractor-operated systems was not consistent,” according to the report. Until agencies write down specific steps on how to supervise contractors, “they will have reduced assurance that the contractors are adequately securing and protecting agency information, including the extent to which contractors have undergone background investigations.”

DHS was the exception. Homeland Security effectively tested the safeguards for systems reviewed, auditors found. "For areas such as background investigation and contingency plan training evidence was provided showing that all of the contractors operating the system had received an investigation or training," the report stated.

How Are Agencies Responding?

In letters responding to a draft report, most of the departments consented to recommendations to address the issues GAO identified. 

State Acting Comptroller Christopher H. Flaggs said his department "agrees with GAO and is planning to develop, document and implement oversight procedures" for each "contractor-operated, contractor-owned system."

Transportation, however, sent an email to GAO stating only that the department would "consider" the recommendations. 

Transportation officials were not immediately able to respond to a request for comment from Nextgov.

A separate security audit of contract employees with physical access to sensitive information published last month found that IRS contractors hired for courier, printing, document recovery, and sign language and interpreter services didn't undergo background checks.

In one instance, a courier who delivered IRS documents to post offices and other locations had previously served 21 years in prison for arson, retaliation and attempted escape.
