OMB: Team effort needed on FISMA

Contractors that supply agencies with outsourced services must work with those agencies to meet FISMA requirements, OMB said this week.

Government contractors that supply federal agencies with outsourced services must collaborate with those agencies to develop suitable arrangements for meeting requirements under the Federal Information Security Management Act, the Office of Management and Budget said this week.

In a July 14 memorandum, OMB Deputy Director for Management Clay Johnson called on contractors that provide outsourced network operations, telecommunications services and managed services to work closely with their customer agencies on both general and agency-specific requirements.

In addition, the memo charges agencies with ensuring that all FISMA requirements are set forth in contracts for outsourced work, general contractor support, and laboratory and research work. In the case of general contractor support, agencies are also responsible for ensuring that contractor employees receive training in agency security policy and procedures.

The memo also stipulates that agencies must ensure identical, not merely equivalent, security procedures. Moreover, security activities such as annual reviews, risk assessments, security plans, control testing, contingency planning, and certification and accreditation must be consistent with guidance from the National Institute of Standards and Technology.

Johnson wrote that agencies and inspectors general should consult with other agencies using the same service provider and share the results of completed security reviews to avoid unnecessarily burdening the service provider with duplicative reviews.

The 40-page memo, addressed to executive departments and agency directors, was presented in a FAQ format. The material pertaining to security was set forth in Question 37, in which Johnson gave examples of agency security requirements for contractors.

The memo divided contractors into five primary categories related to securing systems and information. Those categories were service providers; contractor support; government-owned, contractor-operated facilities; laboratories and research centers; and management and operating contracts.