Inspector General Issues Harsh Report on FEC Computer Security

A federal Inspector General has released a harsh assessment of an agency that has repeatedly failed to improve computer security even after suffering a hacking attack.

The Inspector General of the Federal Election Commission has issued an independent audit report on the agency's Fiscal Year 2013 Fiscal Statements. The audit identified a significant deficiency in internal controls related to Information Technology security. The audit disclosed one instance of noncompliance with The Homeland Security Presidential Directive 23, and National Security Presidential Directive 54, Cyber Security and Monitoring, establishing the Comprehensive National Cyber Security Initiative, and relating to Initiative No. 1, Manage the Federal Enterprise Network as a Single Enterprise with a Trusted Internet Connection (TIC).

Major findings included (1) Failure to develop a strong IT security program places FEC at high risk of continued network intrusions, and (2) Oversight and monitoring of IT Corrective Actions are ineffective.

Other intrusions identified happened in August 2013, and again in early FY 2014 (i.e., after October 1, 2013).

Although the IG report indicated the new independent auditor report contains recommendations to address deficiencies found by the auditors, the FEC management generally occurred with only "some of the findings and recommendations." The FEC is to prepare a corrective action plan.

The report stops short of placing primary blame for the security lapses on the staff, the Commissioners, or both. But the report is clear that the problems still exist.