The Federal Communications Commission still has data flowing through its network without proper encryption, according to an April 24 report from the Government Accountability Office.
The GAO report looked at the implementation status of 136 information security recommendations from a September 2019 evaluation by the watchdog agency. As of November 2019, it found that the FCC has fully implemented 85 of the recommendations, with 10 partially implemented and another 41 not addressed.
Key steps that the FCC must take, the GAO wrote, include resolving known vulnerabilities, applying security patches and improving network-monitoring capabilities.
The FCC is in the process of correcting basic cybersecurity shortfalls, like properly protecting data, giving IT systems proper authorization to operate and speeding up incident response. According to the GAO, the FCC has created action plans to address the remaining recommendations by April 2021.
In seven instances, the GAO found, the commission didn’t properly secure data with strong encryption or establish a secure communications path between a user and an information system.
“These deficiencies existed primarily because commission personnel did not adequately monitor configuration settings,” the GAO wrote. “By not consistently deploying strong encryption capabilities, FCC limits its ability to protect the confidentiality and integrity of its sensitive information.”
As of November 2019, the commission was still working to implement proper encryption capabilities, according to the GAO.
The GAO also found that the FCC was using two systems whose authorization to operate, or ATO, had expired. The FCC granted a full ATO to one of the systems after September last year, but the other system won’t receive its full ATO until “later in 2020,” the GAO wrote.
“By not regularly updating the risk assessment of one system and continuing to operate another system without a current authorization to operate, FCC unnecessarily exposed the information on these systems to increased risks of unauthorized changes and access to information,” the GAO wrote.
The GAO also said that the FCC didn’t specify several cybersecurity control requirements to its cloud service provider, such as retaining audit records, meeting incident reporting time frames and protecting system boundaries as mandated by the Federal Risk and Authorization Management Program. The FCC plans to solve this issue by May this year.
“By not specifying its specific control requirements when procuring services from its cloud provider, FCC increased the risk that its data and sensitive regulatory information will not be adequately protected in the event that its cloud service provider experiences a security breach,” the GAO wrote.
The report said the FCC had developed a plan of action and milestones for the remaining open recommendations.
By May 1, the FCC aims to reduce the number of open recommendations to 23. By April 30, 2021, the commission wants all problems resolved.
“Until FCC fully implements these recommendations and resolves the associated deficiencies, its information systems and information will remain at increased risk of misuse, improper disclosure or modification, and loss,” GAO officials wrote.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.