By Patrick Marshall


FCC vs. GAO: Haste = waste, or he who hesitates is lost?

The Federal Communications Commission was dinged in a recent audit for cutting corners while upgrading network security in response to a breach.

The Government Accountability Office said that the security of the commission’s Enhanced Secured Network was compromised because the FCC did not implement appropriate security controls and follow proper procedures in project development and deployment.

But FCC countered that the ESN was an emergency response, “designed to avoid an increase in security risks posed by delays in implementation,” and that even with cutting corners, “the FCC’s network is stronger, better, and more secure than it was before the commission started these upgrade efforts.”

The case is a good example of the conflict between the requirements of auditors who evaluate regulatory compliance and the demands on frontline administrators who must deal with real-world threats while keeping systems running. The conflict is an old one and has implications for IT security. Auditors evaluate how something is done rather than what is accomplished. They focus on process and documentation. Process and documentation are important because they help ensure repeatability of results and keep everyone on the same page while doing a job. Results often are hard to quantify and measure, so adherence to process can be the best way to tell if requirements have been met.

But the guys on the front lines spend a lot of time putting out fires and patching things, with little time for paperwork. Duct tape isn’t pretty, but admins do what they have to do to keep things running. Maybe they can go back and fix it properly later — after putting out the next fire. Auditors hate this. Administrators aren’t crazy about it either and would gladly change things if they had the budget, time and resources they need.

The FCC situation began with the 2011 discovery of a breach during an upgrade of the commission’s security and monitoring systems. The ESN project was the response and it was brought in under budget and on schedule. But GAO found that impact assessments had not been done to ensure that the proper security controls were being used and that the system had not been formally reauthorized for operation as required by the Federal Information Security Management Act.

FCC acknowledged these lapses but said they were necessary at the time and that it had gone back to cover these bases after ESN was up and running.

Both sides have their points. The key to the dispute lies in a single word in GAO’s conclusion: “As a result of these and other deficiencies, FCC faces an unnecessary risk that individuals could gain unauthorized access to its sensitive systems and information.” The key word is “unnecessary.”

Did FCC create an unnecessary risk? Or did the commission accept a necessary amount of risk to get a necessary fix in place as quickly as possible?

It is impossible to say without knowing the details of the breach and the fixes, which haven’t been released. But it would be wrong to conclude that a risk is unnecessary just because it could be prevented under ideal conditions. Most people go to work each day and do the best they can with the conditions at hand, which seldom are ideal.

Posted by William Jackson on Feb 11, 2013 at 9:39 AM
