The Federal Communications Commission (FCC) has yet to fully address cyber-security risks in its systems, a newly published report from the United States Government Accountability Office (GAO) reveals.
In September 2019, GAO issued a report on the FCC’s cyber-security stance, making a total of 136 recommendations for improvements to be made to various systems. As of November 2019, the Commission had implemented 63% of these.
However, 7% of the recommendations were only partially implemented and 30% were not implemented at all as of November 2019, although the FCC is planning on fully implementing all recommendations by April 2021.
“Until FCC fully implements these recommendations and resolves the associated deficiencies, its information systems and information will remain at increased risk of misuse, improper disclosure or modification, and loss,” GAO notes in the newly published report (PDF).
GAO started looking into the FCC’s security posture after a surge of more than 22 million comments on net neutrality disrupted the Commission’s Electronic Comment Filing System (ECFS) in 2017, and discovered numerous deficiencies in core security functions.
The 136 recommendations were made to address issues related to “identifying risks, protecting systems from threats and vulnerabilities, detecting and responding to cyber security events, and recovering system operations.”
These deficiencies, GAO says, increased the risk of unauthorized disclosure or modification of sensitive information, and could also make such information unavailable when needed.
GAO reviewed three of the FCC’s systems and issued recommendations on addressing the discovered issues. As of November 2019, the FCC implemented 85 of the recommendations and partially implemented 10 of them, but had not started implementing 41 of the recommendations.
Analysis of the FCC’s systems revealed that the organization failed to consistently implement security controls and appropriate information safeguards, did not effectively implement controls to identify incidents and vulnerabilities, did not fully implement incident response controls, and did not develop restoration procedures.
The FCC has yet to take key actions on resolving known vulnerabilities, documenting operational procedures, applying security patches and software updates, and improving network monitoring capabilities.
“Fully implementing the remaining recommendations is essential to ensuring that the commission’s systems and sensitive information are adequately protected from cyber threats,” GAO says.
Related: GAO Criticizes Pentagon Over Cyber Hygiene Efforts
Related: Facilities That Lost Data Center Status at Increased Risk of Cyberattacks: GAO
Related: GAO Says Electric Grid Cybersecurity Risks Only Partially Assessed