The Government Accountability Office has determined that the Federal Communications Commission failed to properly implement necessary security controls in the initial phases of its Enhanced Secured Networks project, and, as a result, FCC data remains vulnerable to “unnecessary risk of inadvertent or deliberate misuse, improper disclosure, or destruction.”
The GAO conducted the study [pdf] in response to a September 2011 compromise of FCC networks that prompted the commission to embark on the ESN project, for which the agency was granted $10 million. The study was designed as an analysis of the FCC’s implementation of immediately needed network security controls and as an assessment of the commission’s broader plan for the ESN project.
The study found that the FCC’s implementation of measures intended to increase their ability to monitor networks for security threats actually exposed information within those networks to unnecessary risk of disclosure, modification, and destruction. Despite their best intentions, the report claims, the FCC neglected key security controls in the initial phases of the ESN project. Unless the FCC can correct its errors, the GAO warns, the project is doomed to fail at its stated purpose of protecting FCC systems and data.
Broadly, the commission did not estimate lifecycle costs well, it did not schedule well, it did not assess potential risks well, and it did not oversee well, the report said.
Specifically, the commission failed to properly implement certain boundary protection controls, reliably and consistently encrypt stored passwords, and correctly install a preventative malware protection tool. The GAO identified further weaknesses in identity, authentication, authorization, cryptography, audit, monitoring, and configuration management.
The GAO recommends the Chairman of the FCC take the following actions: perform key security risk management activities for the ESN project including selecting and documenting the security controls, assessing the implementation of the controls, and authorizing the system to operate; conduct appropriate gate reviews, such as the Requirements Approval, at major transition points in the project; develop a life-cycle cost estimate for the ESN project that reflects current project status; establish an integrated and reliable master schedule for the ESN project; document, evaluate, and manage all identified project risks in a risk management process, and document mitigation strategies for all risks; commit to a time frame for establishing commission guidance on project management, including cost estimating, scheduling, and risk management; and monitor and oversee the ESN project on a regular basis and ensure that project data used for this purpose are current and valid.
In a separate, limited release report, the GAO made an additional 26 recommendations regarding nearly as many specific cybersecurity weaknesses within FCC networks.
The FCC attributed its failures to the nature of the ESN as an emergency project that required immediate action. The GAO agreed with the need for this sense of urgency in its report but is not accepting that as an excuse for shoddy security controls implementation.
For the most part, the FCC agreed with the GAO’s assessment. Moving forward, the FCC plans to, or in some cases, claims it already has taken action to address many of the government watchdogs’s concerns.
The National Institute of Standards and Technology provided guidance for the GAO’s study, which was conducted by assessing the state of FCC network infrastructure in August of last year and through conducting interviews with FCC officials.