The FEC in fact remained at “high risk for future network intrusions”. However, the electoral watchdog said that it has little interest in implementing even minimum IT security controls.
The audit firm, Leon Snead & Co., said in the audit that the FEC’s IT security program does not meet government-wide best practice minimum requirements in many areas. That includes carrying out due diligence information as part of an organization-wide risk management program, using the risk management tools and techniques to implement and maintain modern safeguards and countermeasures, and ensuring the necessary resilience to support ongoing federal responsibilities, critical infrastructure applications and continuity of government in the event of an attack.
The firm also found that risk analysis was not completed before the FEC rejected even minimum IT security controls. And, the agency has a history of this: independent evaluations performed since fiscal year 2004 have continually reported significant weaknesses and noncompliance with IT best practice standards within FEC’s IT security program areas reviewed.
At main issue is the fact that the FEC is exempt from the Federal Information Security Management Act (FISMA), which requires certain cybersecurity measures. But unlike other FISMA-exempt agencies, FEC has refused to adopt as the agency’s IT security standard the IT security controls and techniques released by the National Institute of Standards and Technology (NIST).
FEC officials have said that the agency follows NIST best practices “where applicable to their operations.” However, a security control assessment report issued to FEC by an independent contractor in December 2008 found that 40% of the IT security controls applicable to FEC’s IT environment had been only partially implemented, or not implemented at all.
The decision to eschew the cybersecurity practices employed in other areas of government is one that has already had significant ramifications. FEC has experienced several serious data intrusions and information breaches in the last few years. Leon Snead obtained information on two intrusions and information data breaches, which, if FEC had implemented government-wide minimum best practice IT security controls, may have prevented and/or detected them in a more timely manner.
In May 2012, the FEC was a victim of a network intrusion by an advanced persistent threat (APT) that compromised several FEC systems and a commissioner’s user account. For approximately eight months, the Commissioner’s computer contained malware with the potential for a computer hacker to access and obtain copies of matters under review by the agency, including reports and briefs, and subpoenas, along with specific details on the agency review processes and other sensitive FEC documentation and sensitive personal identifiable information.
The agency hired a contractor to analyze this serious intrusion on FEC’s IT systems, and to provide recommended solutions to eliminate any threat. The contractor completed the analysis, and provided a report to FEC on October 5, 2012. However, almost one year after the report was issued, Leon Snead was advised by FEC officials that the agency had not yet implemented any significant portion of the contractor’s recommendations. It said that it is now working on them.
A second intrusion occurred in August 2013, targeting the FEC’s website (FEC.gov). The FEC had to disable use of certain features of the website to conduct an analysis of the intrusion. But as FEC was working on remediating the August 2013 intrusion, another intrusion was detected on the agency’s website in early fiscal year 2014. The investigations continue.
“FEC will remain at high risk for intrusions and data breaches unless it fundamentally changes its governance and management approach, and adopts a risk-based IT security program that is based upon the federal government’s IT security control standard – NIST best practices,” the auditors said.
It added, “Without a risk-based analysis and supporting evidence, FEC’s critical IT security decisions are based upon whether the agency is exempt from the legislative requirement, rather than assessing if the control would provide an effective reduction of risks to the FEC’s information and information systems.”
The firm made a number of recommendations, including formally adopting the NIST IT security controls, and other applicable guidance that provides best practice IT security control requirements. OCIO officials advised that its IT security officer will review those for possible implementation in fiscal year 2014. But, FEC said that it “does not agree to formally adopt NIST guidelines.”
“While OCIO officials have advised that they will ‘review’ the NIST minimum control requirements, they have again stated that they will not adopt the federal government’s minimum IT security controls best practices,” the firm said. “Until FEC adopts these minimum controls, as other federal agencies have done that are also exempt, FEC will remain at high risk.”