Report 9-07 - System Access by Contractors without Security Clearances

This report supplements our evaluation of the Federal Information SecurityManagement Act (FISMA) implementation for Fiscal Year 2008. The Office of Inspector General (OIG) is required to annually assess SBA’s compliance with FISMA in accordance with specific reporting instructions issued by the Office of Management and Budget (OMB). During the course of our FY 2008 FISMA review, we determined that SBA did not consistently ensure that contractors were properly vetted prior to granting them access to sensitive SBA systems and data. This vulnerability was not consistently reported and tracked in SBA’s Plan of Action and Milestones (POA&M).

In order to assess security controls over contractor access, we reviewed SBA access requirements outlined in Standard Operating Procedure (SOP) 90 47 2. We also requested the names of contractors with access to all hosted application on the following 10 systems:

[FOIA ex. 2]

We compared contractor names to Agency and OIG records and interviewed the appropriate Agency representatives to determine whether background investigations and clearances had been completed for contractor staff. To determine whether SBA appropriately identified and corrected vulnerabilities involving unauthorized contractor access, we reviewed OMB Memorandum M-04-25 requirements and the Agency’s POA&M quarterly reports for FY 2008. Our review was conducted in accordance with the Government Auditing Standards as prescribed by the Comptroller General of the United States.