The Federal Election Commission (FEC) is missing effective IT governance and struggles with internal cyber vulnerabilities, according to an FEC Office of Inspector General (OIG) report released on Nov. 19.
“The FEC has struggled to implement an IT governance approach that establishes effective oversight to meet security standards in efforts to prevent external and internal threats into FEC systems,” the OIG report states.
While FEC is legally exempt from the Federal Information Systems Management Act (FISMA), the agency failed to implement an alternative IT framework. OIG recommended in the past that the agency adopt the National Institute of Standards and Technology’s (NIST) standards for Federal information systems, but FEC has not complied. In its latest report, OIG asks FEC to develop a “sufficiently mature” information security program.
OIG also reported user threats to the FEC network. “FEC is at risk of an internal user visiting a malicious website or clicking on a link in a phishing attack that would allow an external attacker to gain access to the FEC internal network,” the report states.
For instance, FEC recently fired an employee for downloading prohibited software that elevated risk for malware on an agency-issued laptop. When the FEC partnered with the Cybersecurity and Infrastructure Security Agency (CISA) to evaluate consequences of the misconduct, CISA recommended that the agency implement strict network access control policies and review its trusted internet connection architecture. OIG requests FEC focus more attention on this recommendation.
Additionally, the OIG report challenges the FEC’s CIO leadership structure. Alec Palmer is both the staff director and CIO of the organization, and the OIG report states that the dual-hat structure has led to “several reported control weaknesses within the FEC’s information security program.” IT is ever-evolving, the report states, and a fully dedicated CIO is necessary to manage resources and protocol.
OIG commended FEC's recent strides to improve information security, including efforts to address control-weakness procedures, reduce vulnerabilities, and assess the operations of major agency systems.