Vulnerabilities seem to be running rampant in federal computer systems. Both the Department of Homeland Security Inspector General and the Government Accountability Office (GAO) have recently found significant flaws.

One tropical storm, Arlene, has already hit the United States this year, and DHS Inspector General Richard Skinner says the department is not adequately prepared to recover its IT systems in the event of a disaster.

Skinner's report found that 15 of the 19 IT facilities reviewed within the department either have no recovery site or have one that is not fully functional. This poses a significant danger to critical IT systems: without those systems functioning, DHS would be unable to perform processes such as airport and border screening and grant processing following a disaster.

The problems with disaster recovery are occurring in part because DHS has no program in place to provide an enterprise-wide disaster recovery solution, the report says. It recommends consolidating the department's data centers, which could then serve as the basis for an enterprise-wide disaster recovery capability.

“Even a minor disruption could become a major problem without adequate backup and recovery capability,” Skinner says in the report. “For example, a recent problem with a private sector company's database application, combined with a manual backup system, resulted in the cancellation of hundreds of flights.”

Meanwhile, the federal government as a whole fell under the microscope of the GAO in regard to IT services and systems provided to the government by contractors.

In relying on IT services and systems provided by contractors, federal agencies are not doing enough to secure their information and face a range of operational, strategic and legal risks, according to a recent GAO report.

The report notes that efforts to update the Federal Acquisition Regulation (FAR) to include information security requirements of the Federal Information Security Management Act (FISMA) of 2002 have been under way since 2002, but are still incomplete. FISMA established a framework for enhancing the effectiveness of information security controls that support federal operations and assets.

“Agencies are not doing enough,” says Rep. Tom Davis (R-Va.), chairman of the House Government Reform Committee. “While most agencies use contract language to outline security requirements for contractors, agencies do not reference critical FISMA requirements in the language. Most agencies have information security policies in place for contractors; however, only a fraction of them address oversight.”

Contractors and users with privileged access to federal data and systems provide valuable services that contribute to the efficient functioning of the government, but a range of risks (operational, strategic and legal) must be managed effectively. Most agencies recognize the risks to the confidentiality, integrity and availability of their information and systems that come with the use of contractors and other users with privileged access to federal data and systems. For example, malicious code can be inserted into agency software and systems. Agencies also reported specific risks when contractors develop software or perform work at off-site facilities.

Only a few agencies use a self-assessment tool established by the National Institute of Standards and Technology to measure the status of contractors that provide IT systems, Davis says.

The committee will examine the Office of Management and Budget's efforts to update the FAR to include stricter information security requirements.

“The federal government is dependent on information technology services and systems provided by outside contractors,” Davis says. “While these contractor systems undoubtedly contribute to the effectiveness of the federal government, they are potential Trojan horses for cyber-attacks unless more is done.”