Contractors struggle with federal security demands

Government IT administrators sweat over FISMA compliance, but pity the poor private-sector security officers who find they must meet the same systems security requirements.

As the Federal Information Security Management Act is pushed out to government contractors, standards for compliance are a mystery to many, said Todd Fitzgerald, systems security officer for United Government Services LLC of Milwaukee. He should know: His company has had to figure out standards to meet security requirements for its work processing medical claims.

'The thing to do is focus on policy,' he advised. 'Do you have a management process in place to move to the controls you need?' Fitzgerald spoke today at the Computer Security Institute's annual conference in Washington.

UGS is a major processor of Part A Medicare and Medicaid claims, handling more than 30 million hospital claims a year. The Medicare Act mandates information security standards for contractors of the Center for Medicare and Medicaid Services.

'This ties us into having to comply with FISMA requirements,' Fitzgerald said.

But companies do not work directly with the Office of Management and Budget or with inspectors general, who determine FISMA compliance for agencies.

'There is a lot of good documentation available, and it is free,' Fitzgerald said.

Under FISMA, the National Institute of Standards and Technology is mandated to develop guidelines and standards for compliance with the law. This material is available in NIST publications, he noted.

Contractors rely on auditors, either in-house or outside, to gauge compliance with federal requirements. Fitzgerald emphasized the value of using audit results as a guide for improving compliance, and the need to document practices and procedures.

'If it's not written down, you're not doing it,' he said.

About the Author

William Jackson is a Maryland-based freelance writer.
