OMB modifies security reporting

The Office of Management and Budget has issued new security reporting guidelines that emphasize contractor oversight and data privacy protections.

The Office of Management and Budget has issued new security reporting guidelines that emphasize contractor oversight and data privacy protections. OMB officials, however, have not released the scoring templates used to determine agencies’ grades for compliance with the Federal Information Security Management Act.

Under the 2005 FISMA reporting guidelines issued June 13, agencies will have to answer new questions about data privacy and contractor oversight in reports they must submit to OMB by Oct. 7. When OMB officials added the new questions, they also dropped some old ones. Agencies, for example, will no longer have to report how many times they were victims of a malicious code attack because someone in the agency had not installed a necessary security patch.

The new guidelines emphasize that agencies are responsible for ensuring that federal contractors maintain appropriate security controls on equipment used to deliver network or other managed services. The security controls also apply to contractor support staff, government-owned and contractor-operated equipment and contractor-owned equipment in which any federal data is processed or stored.

“Agencies must ensure identical, not equivalent security procedures,” according to the guidelines. That means agencies must make certain that federal contractors conduct risk assessments, develop contingency plans, certify and accredit their systems and everything else that federal agencies must do to comply with FISMA.

The guidelines further state that those federal and contractor responsibilities must be spelled out in any contracts that agencies award.

The guidelines’ focus on contractor systems answers some criticisms that congressional auditors made in a recent report. The Government Accountability Office faulted OMB in May for not incorporating FISMA requirements into the Federal Acquisition Regulation, which governs federal contracting.

Federal contractors have expressed mixed reactions to the heightened attention that GAO and OMB officials are giving to information systems security. Harold Gracey, executive consultant at Topside Consulting Group, said federal contractors already do a good job of protecting government information. But “it is worthwhile to follow up and make sure what people are saying they’re doing is actually happening,” he added.

Others say the new scrutiny is justified. Federal contracts should be written as outsourcing contracts because that is what they are, said Jody Westby, managing director at PricewaterhouseCoopers. Most federal contracts lack adequate oversight provisions and requirements for contractor systems, she said.

Such provisions are found in most master service agreements in the private sector because corporate managers treat all such agreements as outsourcing contracts, Westby said.

Uniform federal contractual language covering not only information security but also workforce and physical security relative to IT systems would help ensure that contractors are maintaining proper security, she said.

If OMB developed standard contractual clauses for security consistent with FISMA, everyone could benefit, Westby said. “FISMA is an enterprise security program,” she said, and the related policy and technical guidance developed by the National Institute of Standards and Technology is “world class -- it’s excellent.”

“Anybody who is handling data for the federal government should be able to comply with those standards,” Westby said.

But whether the contractor or the agency pays for the additional security oversight is something that would have to be worked out on a case-by-case basis if it is not included in standard contracting language, Westby said. “The cost of who pays for it is a discussion that needs to be had.”