Agencies are responsible for mitigating risks that arise from the use of contractor-operated systems but some agencies have not developed procedures for overseeing the privacy and security of federal information on those systems, GAO has said.
Agencies had not documented procedures to direct officials in performing oversight activities for contractor systems effectively, according to GAO-14-612.
It warned that agency officials have less assurance that oversight activities are being performed consistently and effectively over all of their contractor-operated systems and weaknesses may go undetected and unresolved, such as having contractor employees operate a system without undergoing a background investigation.
The Departments of Energy, State, Transportation, Homeland Security, the EPA and OPM agreed to develop procedures for the oversight of contractors. GAO recommended the same for OMB but it did not comment.
