Just weeks after the US Department of Energy was shown to have disregarded proper cybersecurity measures, the Federal Election Commission (FEC) is facing what an independent auditor calls “significant deficiencies” in its cybersecurity posture. The FEC in fact remained at “high risk for future network intrusions”. However, the electoral watchdog said that it has little interest in implementing even minimum IT security controls. The audit firm, Leon Snead & Co., said in the audit that the FEC’s IT security program does not meet government-wide best practice minimum requirements in many areas. That includes carrying out due diligence as part of an organization-wide risk management program, using risk management tools and techniques to implement and maintain modern safeguards and countermeasures, and ensuring the resilience needed to support ongoing federal responsibilities, critical infrastructure applications and continuity of government in the event of an attack.
The firm also found that no risk analysis was completed before the FEC rejected even minimum IT security controls. And the agency has a history of this: independent evaluations performed since fiscal year 2004 have continually reported significant weaknesses and noncompliance with IT best practice standards in the areas of the FEC’s IT security program that were reviewed.
The main issue is that the FEC is exempt from the Federal Information Security Management Act (FISMA), which requires certain cybersecurity measures. But unlike other FISMA-exempt agencies, the FEC has refused to adopt as its IT security standard the IT security controls and techniques released by the National Institute of Standards and Technology (NIST).
FEC officials have said that the agency follows NIST best practices “where applicable to their operations.” However, a security control assessment report issued to FEC by an independent contractor in December 2008 found that 40% of the IT security controls applicable to FEC’s IT environment had been only partially implemented, or not implemented at all.