Office of the Secretary: Information Security in Information Technology Service Contracts Is Improving, But Additional Efforts are Needed. Final Inspection Report No. OSE-16513

摘要

To assess the Department's progress in fiscal year 2003, we reviewed its new security policy and a sample of IT service contract actions issued as of October 1, 2002. The findings from this review were summarized in our September 2003 FISMA report. We found that the Department's newly issued information security policy contains appropriate requirements for contractors and other government agencies that support Commerce. The Department also drafted standard contract provisions for safeguarding the security of sensitive but unclassified systems and information, which require, among other things, a certification and accreditation package for contracted IT resources/services that involve connection to Commerce networks or storage of Commerce data on contractor-owned systems. However, while most of the contract actions we reviewed contained some security coverage, adequate provisions for controlling access to departmental systems and networks were still missing. We also found little coordination among the contracting, technical, and security staff responsible for developing contract-specific security requirements and minimal oversight of individual contractor compliance with security requirements.