GAO: FCC Enhanced Secured Network at risk from security weaknesses


The Federal Communications Commission did not effectively implement appropriate information security controls in the initial components of its Enhanced Secured Network project, according to a Jan. 25 Government Accountability Office report (.pdf). Part of the problem, say auditors, is that ESN was an emergency project hastily initiated by the FCC to improve its computer security by implementing enhanced security controls to defend against cyber attacks.

ESN was a direct response to a September 2011 cybersecurity incident in which the FCC took swift action to identify and remove infected workstations and identify significant factors that increased risk to its network. While the GAO agrees that the security threat required quick action, the report says it does not negate the need to perform key security risk management activities.

"Although FCC took steps to enhance its ability to control and monitor its network for security threats, weaknesses identified in the commission's deployment of components of the ESN project as of August 2012 resulted in unnecessary risk that sensitive information could be disclosed, modified, or obtained without authorization," states the report. "This occurred, in part, because FCC did not fully implement key information security activities during the development and deployment of the initial components of the project."

GAO's performance audit, conducted from May 2012 to January 2013, found that the FCC deployed initial components of the ESN project without, among other things, first selecting and documenting the security controls, assessing the controls, or authorizing the system to operate. As a result of these and other deficiencies, report states that FCC faces an unnecessary risk that individuals could gain unauthorized access to its sensitive systems and information. 

In addition, the audit identifies other security weaknesses in controls related to boundary protection, identification and authentication, authorization, cryptography, audit and monitoring, and configuration management that limit the effectiveness of the security enhancements and unnecessarily place sensitive information at risk. 

"Unless FCC more effectively implements its IT security policies and improves its project management practices and effectively applies them to the ESN project, unnecessary risk exists that the project may not succeed in its purpose of effectively protecting the commission's systems and information," the report concludes. Moreover, addressing these deficiencies could require costly and time-consuming rework, GAO says.

The FCC concurred with seven recommendations made by the GAO, which also included 26 recommendations in a separate report to resolve technical information security weaknesses related to access controls and ESN configuration management. 

For more:
-read report, GAO-13-155 (.pdf)

Related Articles:
Senate Democrats propose tentative cybersecurity bill
Cybersecurity issues remain unresolved at Commerce agencies, say auditors
IG: DOE lacks integrated enterprisewide cybersecurity strategy