Risk
9/13/2010
12:10 PM

GAO Finds Agencies Lax On Data Protection

Departments that deal with highly sensitive information need better safeguards to secure it against contract workers, finds the Government Accountability Office.

Some federal agencies that deal with highly sensitive data are not adequately protecting it from contract workers, a new Government Accountability Office (GAO) report found.

The Departments of Defense (DoD), Homeland Security (DHS), and Health and Human Services (HHS) have some guidance and contract provisions in place governing what data contractors can access while working for the federal government. However, they have not established appropriate safeguards to keep contract workers away from information they should not have access to, such as employees' personal information, proprietary business information, and agency-sensitive information, according to the report, released Friday.

The agencies also don't specify contractor responsibilities for prompt notification to the agency if unauthorized disclosure of information or misuse occurs, according to the report.

The Federal Acquisition Regulation (FAR) provides rules for how the government acquires goods and services -- including contract employees -- but it is lacking in these particular areas of data access, according to the report.

While the DoD, DHS, and HHS -- agencies that very often deal with classified and highly sensitive information -- have supplemented FAR with their own rules and regulations for contractors, they have not gone far enough to protect data, the GAO found.

Insider access to sensitive data on federal computer networks is a chief security concern of federal agencies, as data breaches often occur when someone with access to the network steals or misuses data, or loses a computer on which sensitive data is stored.

According to the report, there are currently pending regulatory changes to FAR to develop a standard approach to protect sensitive information from contractors.

However, FAR still does not cover two critical data-protection scenarios -- the use of nondisclosure agreements to protect sensitive data that contract workers access and the establishment of requirements for contractors to let agencies know when they've accessed such information.

The GAO is recommending that the Office of Federal Procurement Policy administrator work with the FAR Council to oversee changes in the guidelines to address this lack of safeguards.

Agency acquisition policy, IT security, and privacy officials; CIOs; and other affected parties also should be part of the process that adds regulations to FAR, according to the report.
