Contractors Must Meet Standards for IT Security Service contractors must maintain the same information security standards as the agencies they work for, according to new guidelines from the Office of Management and Budget. The guidelines, issued June 13, tell agencies how to comply with the Federal Information Security Management Act, known as FISMA. “Agencies are fully responsible and accountable for ensuring all FISMA and related policy requirements are implemented and reviewed [by contractors] and such must be included in the terms of the contract,” the guidelines state. “Agencies must ensure identical, not ‘equivalent,’ security procedures.” Annual reviews, risk assessments, security plans, control testing, contingency planning and certification and accreditation of service providers “must, at a minimum, explicitly meet guidance” issued by the National Institute of Standards and Technology. Agency inspectors general must examine some contractor systems in their annual FISMA compliance reviews. The rules apply no matter whether contractor support occurs on- or off-site. FISMA covers government information held by contractors as well as information systems. For the first time, OMB directed agencies to provide a detailed report on their privacy programs as part of the annual FISMA report they submit in October. This month the Government Accountability Office recommended, and OMB agreed, that agencies’ information security programs should address emerging cybersecurity threats such as spam, phishing and spyware, and that OMB and the Homeland Security Department should develop guidelines for reporting such incidents to a central clearinghouse. The OMB guidelines are available at www.whitehouse.gov/omb/memoranda/fy2005/m05-15.html.