Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Disaster Recovery

FCC Only Partially Improved Its Cybersecurity Posture, GAO Says

The Federal Communications Commission (FCC) has yet to fully address cyber-security risks in its systems, a newly published report from the United States Government Accountability Office (GAO) reveals.

The Federal Communications Commission (FCC) has yet to fully address cyber-security risks in its systems, a newly published report from the United States Government Accountability Office (GAO) reveals.

In September 2019, GAO issued a report on the FCC’s cyber-security stance, making a total of 136 recommendations for improvements to be made to various systems. As of November 2019, the Commission had implemented 63% of these.

However, 7% of the recommendations were only partially implemented and 30% were not implemented at all as of November 2019, although the FCC is planning on fully implementing all recommendations by April 2021.

“Until FCC fully implements these recommendations and resolves the associated deficiencies, its information systems and information will remain at increased risk of misuse, improper disclosure or modification, and loss,” GAO notes in the newly published report (PDF).

GAO started looking into the FCC’s security posture after a surge of more than 22 million comments on net neutrality disrupted the Commission’s Electronic Comment Filing System (ECFS) in 2017, and discovered numerous deficiencies in core security functions.

The 136 recommendations were made to address issues related to “identifying risks, protecting systems from threats and vulnerabilities, detecting and responding to cyber security events, and recovering system operations.”

These deficiencies, GAO says, increased the risk of unauthorized disclosure or modification of sensitive information, and could also make such information unavailable when needed.

Advertisement. Scroll to continue reading.

GAO reviewed three of the FCC’s systems and issued recommendations on addressing the discovered issues. As of November 2019, the FCC implemented 85 of the recommendations and partially implemented 10 of them, but had not started implementing 41 of the recommendations.

Analysis of the FCC’s systems revealed that the organization failed to consistently implement security controls and appropriate information safeguards, did not effectively implement controls to identify incidents and vulnerabilities, did not fully implement incident response controls, and did not develop restoration procedures.

The FCC has yet to take key actions on resolving known vulnerabilities, documenting operational procedures, applying security patches and software updates, and improving network monitoring capabilities.

“Fully implementing the remaining recommendations is essential to ensuring that the commission’s systems and sensitive information are adequately protected from cyber threats,” GAO says.

Related: GAO Criticizes Pentagon Over Cyber Hygiene Efforts

Related: Facilities That Lost Data Center Status at Increased Risk of Cyberattacks: GAO

Related: GAO Says Electric Grid Cybersecurity Risks Only Partially Assessed

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.