GAO Faults FCC on Breach ResponseCommission Failed to Implement Effectively Security Controls
After discovering a breach in September 2011 while upgrading its IT security systems, the Federal Communications Commission developed an emergency response plan it called the Enhanced Secured Network, or ESN.
The FCC designed ESN, a $10 million program to run parallel with other security initiatives, to avoid any increased security risks posed by delays in implementing the upgrades while keeping the agency fully operational and maintaining for its stakeholders their ability to interact with the commission.
Sixteen months later, in an audit dated Jan. 25 and made public six days later, the Government Accountability Office said the FCC failed to implement effectively appropriate information security controls in the initial components of ESN.
GAO says weaknesses identified in the FCC's deployment of components of ESN as of last August resulted in unnecessary risk that sensitive information could be disclosed, modified or obtained without authorization. This occurred, in part, because the commission did not fully implement key information security activities during the development and deployment of the initial components of the project.
"While FCC policy is to integrate security risk management into system life-cycle management activities, the commission instead deployed the initial components of the ESN project without, among other things, first selecting and documenting the security controls, assessing the controls or authorizing the system to operate," GAO says in a letter sent to the leaders of the House and Senate Appropriations Subcommittees on Financial Services and General Government. "As a result of these deficiencies, FCC's information remained at unnecessary risk of inadvertent or deliberate misuse, improper disclosure or destruction. Further, addressing these deficiencies could require costly and time-consuming rework."
Inconsistent Implementation of Procedures
How did this happen? GAO contends inconsistent implementation of procedures for estimating costs, developing and maintaining an integrated schedule, managing project risks and conducting oversight hindered FCC's efforts to manage effectively ESN. If not addressed, the congressional auditors say, these weaknesses could pose challenges for the commission to achieve the project's goal of improved security.
Specifically, GAO says, FCC:
- Failed to develop a reliable life cycle cost estimate for ESN that includes all implementation costs;
- Did not, in its project schedule, adequately identify the sequence in which activities must occur, ensure that detailed activities were traceable to higher-level activities or establish a baseline schedule;
- Documented and managed some risks to project success, but its prime contractor did not identify any project risks until after the deployment of the initial components of ESN had begun;
- Had not included ESN in its processes for conducting regular oversight of information technology projects.
FCC Managing Director David Robbins, in a written response to the audit, doesn't dispute GAO's findings, although he says a main reason the FCC hadn't fully applied policies or widely accepted best practices for security risk management and project management was because ESN was an emergency project and, therefore, needed to be initiated quickly.
GAO didn't completely buy the FCC argument. Urgency, the auditors write, doesn't negate the need to perform key security risk management activities. "Unless FCC more effectively implements its IT security policies and improves its project management practices and effectively applies them to the ESN project," the GAO report says, "unnecessary risk exists that the project may not succeed in its purpose of effectively protecting the commission's systems and information."
Robbins responds that ESN will be completed within budget, adding: "The FCC's overall network security is in a better place now as a result of the ESN project."
Still, he says the FCC will heed the GAO's seven recommendations to implement management controls to help ensure that ESN meets its objective of securing FCC's systems and information.
Robbins says the FCC staff is well aware that the job of protecting its system is never done and promises continued vigilance.