By Patrick Marshall

Blog archive
Auditor works on checklist while man puts out fire in background

FCC vs. GAO: Haste = waste, or he who hesitates is lost?

The Federal Communications Commission was dinged in a recent audit for cutting corners while upgrading network security in response to a breach.

The Government Accountability Office said that the security of the commission’s Enhanced Secured Network was compromised because the FCC did not implement appropriate security controls and follow proper procedures in project development and deployment.

But FCC countered that the ESN was an emergency response, “designed to avoid an increase in security risks posed by delays in implementation,” and that even with cutting corners, “the FCC’s network is stronger, better, and more secure than it was before the commission started these upgrade efforts.”

The case is a good example of the conflict between the requirements of auditors who evaluate regulatory compliance and the demands on frontline administrators who must deal with real-world threats while keeping systems running. The conflict is an old one and has implications for IT security. Auditors evaluate how something is done rather than what is accomplished. They focus on process and documentation. Process and documentation are important because they help ensure repeatability of results and keep everyone on the same page while doing a job. Results often are hard to quantify and measure, so adherence to process can the best way to tell if requirements have been met.

But the guys on the front lines spend a lot of time putting out fires and patching things, with little time for paperwork. Duct tape isn’t pretty, but admins do what they have to do to keep things running. Maybe they can go back and fix it properly later — after putting out the next fire. Auditors hate this. Administrators aren’t crazy about it either and would gladly change things if they had the budget, time and resources they need.

The FCC situation began with the 2011 discovery of a breach during an upgrade of the commission’s security and monitoring systems. The ESN project was the response and it was brought in under budget and on schedule. But GAO found that impact assessments had not been done to ensure that the proper security controls were being used and that the system had not been formally reauthorized for operation as required by the Federal Information Security Management Act.

FCC acknowledged these lapses but said they were necessary at the time and that it had gone back to cover these bases after ESN was up and running.

Both sides have their points. The key to the dispute lies in a single word in GAO’s conclusion:  “As a result of these and other deficiencies, FCC faces an unnecessary risk that individuals could gain unauthorized access to its sensitive systems and information.” The key word is “unnecessary.”

Did FCC create an unnecessary risk? Or did the commission accept a necessary amount of risk to get a necessary fix in place as quickly as possible?

It is impossible to say without knowing the details of the breach and the fixes, which haven’t been released. But it would be wrong to conclude that a risk is unnecessary just because it could be prevented under ideal conditions. Most people go to work each day and do the best they can with the conditions at hand, which seldom are ideal.

Posted by William Jackson on Feb 11, 2013 at 9:39 AM


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.