The Social Security Administration’s Office of Inspector General, based on OMB guidance, informed the agency that they, not GSA, are responsible for ensuring contractor compliance with FISMA requirements for HSPD-12 credentials. The OIG statement was contained in an HSPD-12 Contrator Security Audit Report, attached below. The report stated:
Agencies are fully responsible and accountable for ensuring all FISMA and related policy requirements are implemented and reviewed with relation to contractor services.
The Audit Report also stated that:
Agency officials stated that GSA, as the executive agent appointed by OMB, provided a certified list of vendors that met all Federal requirements. SSA has accepted this certification and believes that the vendor has met all the needed FISMA requirements.
It was not apparent that the GSA certification also incorporated FISMA requirements. To that end, we asked GSA whether it had performed a C&A review on the contractor’s systems as well as requested any related C&A documentation. To date, GSA has not provided us any of the requested information.
The OIG recommended:
1. Ensure contractor personnel receive appropriate training on Agency’s policies and procedures for safeguarding PII.
2. Request documentation from GSA that the contractor’s information systems are certified and accredited as required by Federal requirements. However, if GSA did not perform a C&A review of the contractor’s information systems, SSA should seek guidance from OMB to determine which agency is responsible for conducting this review on the contractor’s information systems.
Leave a Reply