Contractors struggle with federal security demands

Find opportunities — and win them.

As the Federal Information Security Management Act is pushed out to government contractors, standards for compliance are a mystery to many, said Todd Fitzgerald, systems security officer for United Government Services LLC of Milwaukee.

Government IT administrators sweat over FISMA compliance, but pity the poor private-sector security officers who find they must meet the same systems security requirements.

As the Federal Information Security Management Act is pushed out to government contractors, standards for compliance are a mystery to many, said Todd Fitzgerald, systems security officer for United Government Services LLC of Milwaukee. He should know: His company has had to figure out standards to meet security requirements for its work processing medical claims.

"The thing to do is focus on policy," he advised "Do you have a management process in place to move to the controls you need?" Fitzgerald spoke today at the Computer Security Institute's annual conference in Washington.

UGS is a major processor of Part A Medicare and Medicaid claims, handling more than 30 million hospital claims a year. The Medicare Act mandates information security standards for contractors of the Center for Medicare and Medicaid Services.

"This ties us into having to comply with FISMA requirements," Fitzgerald said.

But companies do not work directly with the Office of Management and Budget or with inspectors general, who determine FISMA compliance for agencies.

"There is a lot of good documentation available, and it is free," Fitzgerald said.

Under FISMA, the National Institute of Standards and Technology is mandated to develop guidelines and standards for compliance with the law. This material is available in NIST publications, he noted.

Contractors rely on auditors, either in-house or outside, to gauge compliance with federal requirements. Fitzgerald emphasized the value of using audit results as a guide for improving compliance, and the need to document practices and procedures.

"If it's not written down, you're not doing it," he said.