An independent evaluation of the Election Assistance Commission found that it continues for a second year to fall short of some requirements in the Federal Information Security Management Act. Many of the problems identified are tied to a lack of resources and to the commission’s reliance on the General Services Administration as a provider of IT services.
FISMA establishes broad requirements for IT security in executive branch agencies, including maintaining an inventory of information systems, certification and accreditation of those systems, and comprehensive risk-based security plans. It requires an annual evaluation of compliance, which the EAC inspector general this year turned over to the CPA firm Clifton Gunderson LLP for the evaluation.
“The U.S. Election Assistance Commission has made progress in educating users through security and privacy awareness training, and has initiated discussions to develop EAC specific policies related to information system security and privacy,” the IG said in the transmittal letter with the report. “However, additional improvements are needed. The evaluation found that the EAC has not established an information security program and has not been proactive in reviewing security controls and identifying areas to strengthen this program. In addition, the evaluation found that the EAC was not fully compliant with several provisions of the Privacy Act.”
The problems illustrate the challenges faced by small agencies with limited resources, which often rely on other agencies and outside third parties to provide IT services. In the case of EAC, GSA provides network services and applications supporting the commission’s operations. Its Web site is supported by Humanitas Inc. of Silver Spring, Md.
The Election Assistance Commission was established in 2002 by the Help America Vote Act to serve as a national clearinghouse and resource for election administrators. Its mission includes providing technology guidance and voluntary voting system guidelines, managing a voting system testing and certification program, and administering grants and payments to states to help them meet HAVA requirements.
EAC said in its response to the findings that it relies heavily on GSA’s security plans and controls for its IT security and continuity of operations, but is developing its own programs and capabilities.
“Though EAC’s process is informal considering the lack of documentation and procedural guides, a contingency plan exists for GSA systems which include EAC,” the agency wrote. “As a result, EAC would be effectively operational in the event of a minor or major disaster. EAC currently has a draft of recommendations for a COOP plan which will be addressed during the agency’s efforts to be in compliance.”
EAC also has hired a consultant to help it meet FISMA requirements, including, “completion of a certification and accreditation of support systems, system security plans and practices and procedural guides and documentation that will address the following issues:
- Periodic assessments of risks.
- Policies and procedures that are based on risk assessments.
- Periodic testing and evaluation of the effectiveness of information security policies, procedures, practices and security controls.
- A process for planning, implementing, evaluating and documenting remedial actions to address any deficiencies in the information security policies, procedures and practices of the agency.
- Procedures for detecting, reporting and responding to security incidents.
- Plans and procedures to ensure continuity of operations.
- Subordinate plans for providing adequate information security for support systems.
This year’s FISMA evaluation identified three deficiencies that carried over from last year, as well as six new ones. Carryovers from last year were:
- Lack of an inventory of systems and applications used by GSA to support EAC.
- Lack of policies and procedures for information security or privacy management.
- Inadequate personnel security practices at GSA, which is EAC’s service provider. GSA’s inspector general has reported some non-compliance with background checks for contractors.
New problems for this year are:
- Lack of an agencywide information security program.
- Failure to implement a security management structure with written authorities.
- Failure to complete certification and accreditation, formal risk assessment, security plan or security test and evaluation of LAN and Web site general support systems.
- Privacy Act non-compliance: No chief privacy officer, has not identified systems with personally identifiable information or done privacy impact assessments, no formal policies addressing info protection needs associated with PII accessed remotely or removed from offices.
- Failure to establish formal incident response capability.
- Failure to complete a continuity-of-operations plan, disaster recovery plan or business impact assessment.
EAC is looking to its contractor to help address most of these issues, and in the meantime, “EAC operates within GSA’s security controls,” it said.
EAC’s human resources director currently is acting as privacy officer and the commission still is facing difficulties in identifying a permanent official.
“EAC is currently researching this issue,” it wrote in response to the evaluation. “Due to the fact that the EAC is a small agency with limited human resources and capital, EAC needs to verify that the currently Acting Privacy Officer can formally be appointed Chief Privacy Officer due to the multiple roles and assignments that the person formally has.”