Information Security:

Federal Communications Commission Needs to Strengthen Controls over Enhanced Secured Network Project

GAO-13-155: Published: Jan 25, 2013. Publicly Released: Feb 1, 2013.

Contact:

Gregory C. Wilshusen
(202) 512-6244
WilshusenG@gao.gov

Valerie C. Melvin
(202) 512-6304
MelvinV@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Federal Communications Commission (FCC) did not effectively implement appropriate information security controls in the initial components of the Enhanced Secured Network (ESN) project. Although FCC took steps to enhance its ability to control and monitor its network for security threats, weaknesses identified in the commission's deployment of components of the ESN project as of August 2012 resulted in unnecessary risk that sensitive information could be disclosed, modified, or obtained without authorization. This occurred, in part, because FCC did not fully implement key information security activities during the development and deployment of the initial components of the project. While FCC policy is to integrate security risk management into system life-cycle management activities, the commission instead deployed the initial components of the ESN project without, among other things, first selecting and documenting the security controls, assessing the controls, or authorizing the system to operate. As a result of these deficiencies, FCC's information remained at unnecessary risk of inadvertent or deliberate misuse, improper disclosure, or destruction. Further, addressing these deficiencies could require costly and time-consuming rework.

FCC's efforts to effectively manage the ESN project were hindered by its inconsistent implementation of procedures for estimating costs, developing and maintaining an integrated schedule, managing project risks, and conducting oversight. If not addressed, these weaknesses could pose challenges for the commission to achieve the project's goal of improved security. Specifically, FCC

  • had not developed a reliable life cycle cost estimate for ESN that includes all implementation costs;
  • did not, in its project schedule, adequately identify the sequence in which activities must occur, ensure that detailed activities were traceable to higher-level activities, or establish a baseline schedule;
  • documented and managed some risks to project success, but its prime contractor did not identify any project risks until after the deployment of the initial components of the ESN project had begun; and
  • had not included the ESN project in its processes for conducting regular oversight of information technology projects.

According to FCC officials, a key reason that they had not fully applied their policies or widely accepted best practices for security risk management and project management is because the ESN project was an emergency project and, therefore, needed to be initiated quickly. However, while GAO agrees that the security threat makes implementation urgent, it does not negate the need to perform key security risk management activities. Unless FCC more effectively implements its IT security policies and improves its project management practices and effectively applies them to the ESN project, unnecessary risk exists that the project may not succeed in its purpose of effectively protecting the commission's systems and information.

Why GAO Did This Study

In September 2011, FCC discovered that it had experienced a security breach on its computer network, which potentially allowed sensitive information to be compromised. The commission initiated the ESN project to implement enhanced security controls and an improved network architecture to defend against cyber attacks and reduce the risk of a successful future attack. GAO was asked to assess the extent to which FCC has (1) effectively implemented appropriate information security controls for the initial components of the ESN project, and (2) implemented appropriate procedures to manage and oversee its ESN project. To do so, GAO determined the effectiveness of ESN security controls by evaluating control configurations and identifying management controls; and determined how FCC applied them to the ESN project by analyzing documentation and interviewing commission officials.

What GAO Recommends

GAO is making seven recommendations to the FCC to implement management controls to help ensure that ESN meets its objective of securing FCC's systems and information. In commenting on a draft of this report, FCC concurred with the recommendations. In a separate report with limited distribution, GAO is also making 26 recommendations to resolve technical information security weaknesses related to access controls and configuration management of the ESN.

For more information, contact Gregory Wilshusen at (202) 512-6244 or wilshuseng@gao.gov, Valerie Melvin at (202) 512-6304 or melvinv@gao.gov, and Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov.

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: To help strengthen Information Technology (IT) and project management controls over the ESN project, the Chairman of the FCC should perform key security risk management activities for the ESN project including selecting and documenting the security controls, assessing the implementation of the controls, and authorizing the system to operate.

    Agency Affected: Federal Communications Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help strengthen IT and project management controls over the ESN project, the Chairman of the FCC should conduct appropriate gate reviews, such as the Requirements Approval, at major transition points in the project.

    Agency Affected: Federal Communications Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help strengthen IT and project management controls over the ESN project, the Chairman of the FCC should develop a life-cycle cost estimate for the ESN project that reflects current project status.

    Agency Affected: Federal Communications Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help strengthen IT and project management controls over the ESN project, the Chairman of the FCC should establish an integrated and reliable master schedule for the ESN project.

    Agency Affected: Federal Communications Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help strengthen IT and project management controls over the ESN project, the Chairman of the FCC should document, evaluate, and manage all identified project risks in a risk management process, and document mitigation strategies for all risks.

    Agency Affected: Federal Communications Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help strengthen IT and project management controls over the ESN project, the Chairman of the FCC should commit to a time frame for establishing commission guidance on project management, including cost estimating, scheduling, and risk management.

    Agency Affected: Federal Communications Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

    Recommendation: To help strengthen IT and project management controls over the ESN project, the Chairman of the FCC should monitor and oversee the ESN project on a regular basis and ensure that project data used for this purpose are current and valid.

    Agency Affected: Federal Communications Commission

    Status: Open

    Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
