Following a May 2017 disruption in the Federal Communications Commission’s (FCC) Electronic Comment Filing System (ECFS), the Government Accountability Office (GAO) made numerous cybersecurity recommendations that the agency still has not implemented.
In the publicly released version of the September 2019 report documenting FCC's weaknesses, GAO reports that the agency has not started 41 of the 136 recommendations, or 30 percent. The May 2017 crash of ECFS began after a massive surge of public commenting on the platform, more than 22 million comments in total; the crash prompted an August 2018 Office of the Inspector General (OIG) audit. OIG "attributed the disruption in ECFS's service to a combination of system capacity and performance issues."
FCC received five key directives to reduce future disruptions, including conducting internal assessments, deploying additional virtual hardware, optimizing and acquiring system software, and updating incident response policy and procedures.
The September 2019 GAO report identified further deficiencies in FCC's "core security functions related to identifying risk, protecting systems from threats and vulnerabilities, detecting and responding to cyber security events, and recovering system operations." While FCC has completed 63 percent of the recommendations and plans to implement the rest by April 2021, GAO documented several critical concerns.
“Until FCC fully implements these recommendations and resolves the associated deficiencies,” the report states, “its information systems and information will remain at increased risk of misuse, improper disclosure or modification, and loss.”
GAO documented, for example, that FCC failed to specify security control requirements with its cloud service provider, which increased the risk that its sensitive information would not be protected in the event of a data breach. GAO also reported seven instances in which FCC did not implement sufficiently strong encryption to protect sensitive data or to establish secure communications.
FCC also failed to "consistently implement" the National Institute of Standards and Technology's Cybersecurity Framework to protect its systems and the information stored on them, GAO wrote. Deficiencies were noted in all five core functions: identifying risk, protecting systems from threats, detecting cybersecurity events, responding to cybersecurity events, and recovering system operations.
Among several other shortcomings, GAO said that FCC also failed to apply software patches on the prescribed schedule or to update software in a timely manner in three of the systems reviewed.
FCC noted in its response to GAO that since the release of the non-public version of the report, the agency has completed nine additional recommendations, which it is working with GAO to have marked as closed. The agency said that it is currently undertaking a "major, multi-year strategic effort to modernize our IT capabilities."