FCC IT Spending Raises Some Questions
With FCC cybersecurity and IT the topic of criticism, spending in recent years doesn’t seem outside what would be expected, IT experts told us. The commission's Office of Inspector General told Congress the agency was "not effective" in seven of eight Federal Information Security Modernization Act metrics -- rating it "effective" only in the Security and Privacy training domain. OIG said the information security program "was not in compliance" with FISMA legislation, Office of Management and Budget guidance and National Institute of Standards and Technology special publications.
We received 32 documents in response to a Freedom of Information request for all contracts with outside providers of IT, cybersecurity and electronic comment filing system-related services signed between 2012 and earlier this year. They cover an array of service providers, dollar amounts and contracted services, including $85,353 to NCI for "continuation of ECFS support" for the Electronic Comment Filing System, $470,701 to Carahsoft Technology for a two-year contract for CyberArk software licenses and maintenance through Aug. 31, 2018, $76,500 to Cyber Ninjas for cybersecurity, analytics and penetration testing to be done through the end of this year, and blanket purchase agreements to NCI and Computech against which individual orders would be placed. Combined, the contracts for which there was a specific value represented roughly $4.7 million, the single largest being nearly $3.7 million to Summit Technologies.
Nothing about those contract details raises red flags, but it's impossible to say without knowing more about what was being done under these various contracts, said Jonathan Katz, director of the University of Maryland’s Maryland Cybersecurity Center. George Mason University public policy assistant research professor Christine Pommerening agreed the individual amounts, overall size and partners seem in line with IT expenditures necessary for a large agency. Some details were redacted.
The FCC appears to spend more of its IT budget on security-related contracts -- roughly 13 percent -- than other agencies that have to comply with the Chief Financial Officer Act, said Min-Seok Pang, assistant professor at Temple University's Fox School of Business. About 8.8 percent of the commission's IT budgets went to security spending since 2012, he said.
There are questions about whether the agency's security-related spending is well made, Pang said. An OMB FY 2016 FISMA compliance report released in March said the agency is "committed to remediating information technology ... control deficiencies" and to improving its information security. According to OIG recommendations in that report, agency management should particularly prioritize information security continuous monitoring programs, identity and access management, risk management and contractor systems. The FCC received criticism (see 1707100041) and congressional inquiries (see 1707070039) after ECFS was hit in May by what the agency says was a distributed denial-of-service attack (see 1705080042). ECFS has had other problems (see 1707240070).
“The electronic comment filing system has been functioning well since the release of the Restoring Internet Freedom NPRM," the FCC said. "It is facilitating widespread public participation in the proceeding, and we are continuing to monitor its performance.” The commission received a record millions of net neutrality comments, some of which were related to ECFS problems.
The agency is modernizing its IT systems, moving primarily to a cloud-based system from its legacy one, said its 2018 budget summary. It said it cut such legacy spending by 35 percent, and since 2013 achieved two major milestones that let it cut operations and maintenance spending from 85 percent to less than 50 percent of its IT budget: migrating legacy systems to software-as-a-service and platform-as-a-service cloud solutions, and going to a commercial cloud provider -- a step that it said also improved its information security. With FY 2018 bringing “the half-way point on its modernization journey,” the agency said, its focuses now are on moving licensing systems to the cloud, supporting the Mobility Fund II and Connect America Phase II efforts, modernizing the equipment authorization system and wrapping up the broadcast incentive auction.