IG: GSA contractors get system access before background checks

General Services Administration officials compromised confidential information when they failed to perform background checks on contractors before giving them access to the agency’s information systems, according to GSA’s inspector general.The IG found that agency officials granted 25 contractors access to one system without performing background investigations, even though the contract for the work required them. In addition, two other contractor-run systems allowed temporary access but didn’t request checks on the workers, according to a Sept. 17 IG report recently posted online.“Background investigations remain an oversight challenge,” the report states.Casey Coleman, the agency’s chief information officer, said GSA signed an agreement with the Homeland Security Department to speed the process of conducting background checks on contractors.However, the IG said GSA has no procedures in place to ensure that managers complete the background investigations.In its audit, the IG said current safeguards do not guarantee that officials will complete investigations before granting access to agencies’ information systems. Even security measures mandated by Homeland Security Presidential Directive 12, which requires credentials for all federal employees and government contractors after they have undergone a background check, does not offer that protection.“The lack of background investigations being completed for contractors is also a recurring weakness,” the report states.The IG recommends that GSA officials find ways to measure whether managers are conducting the background checks that the task orders require.GSA officials missed other flaws in the agency’s information systems, the report adds. The IG found unsecured Web applications, databases and operating systems and said the gaps have compromised confidential information.Coleman said GSA continues to focus on securing its systems. She said the agency completed its latest round of checks on more than 2,100 servers in September and found that 97.5 percent had no high-risk vulnerabilities. Moreover, GSA earned an A on the Federal Information Security Management Act score card for 2006. Dave Marin, staff director for the Republicans on the House Oversight and Government Reform Committee, said all agencies face similar challenges in guarding their systems against intrusions.