The Federal Communications Commission failed to implement appropriate information security controls in the initial components of the Enhanced Secured Network project, the Government Accountability Office said in a new report.
“Although FCC took steps to enhance its ability to control and monitor its network for security threats, weaknesses identified in the commission’s deployment of components of the ESN project as of August 2012 resulted in unnecessary risk that sensitive information could be disclosed, modified, or obtained without authorization,” GAO said.
GAO said FCC’s efforts to effectively manage the ESN project were hindered by its inconsistent implementation of procedures for estimating costs, developing and maintaining an integrated schedule, managing project risks and conducting oversight.
If not addressed, these weaknesses could pose challenges for the commission to achieve the project’s goal of improved security GAO said.
Specifically, GAO said FCC:
- had not developed a reliable life cycle cost estimate for ESN that includes all implementation costs;
- did not, in its project schedule, adequately identify the sequence in which activities must occur, ensure that detailed activities were traceable to higher- level activities, or establish a baseline schedule;
- documented and managed some risks to project success, but its prime contractor did not identify any project risks until after the deployment of the initial components of the ESN project had begun; and
- had not included the ESN project in its processes for conducting regular oversight of information technology projects.