The Center for Public Integrity did obtain through its Freedom of Information Act request 18 emails that together indicate top FEC staffers have for months considered this study — and the safety issues it addresses — a top priority.
FEC Chairwoman Ann Ravel, a Democrat, said Thursday that the FEC is not releasing the study because “the concern is that it contains information that details potential vulnerabilities.” She added that she believes, “without question, that the agency will be more secure” when it fixes problems pointed out by the study’s findings.
Ravel declined to discuss commissioners’ deliberations on the security study. Vice Chairman Matthew Petersen, a Republican, did not return a request for comment, nor did Commissioner Lee Goodman, a Republican who served as FEC chairman when the agency commissioned the study.
But Ravel confirmed that commissioners in July reviewed the study, which had been overseen by FEC Staff Director and Chief Information Officer Alec Palmer and conducted by Luray, Virginia-based consulting firm SD Solutions LLC.
An FEC employee familiar with the matter said commissioners in July conducted a closed-door meeting and approved hiring an outside firm to implement the study’s various recommendations. In a separate July meeting, the commission’s finance committee approved spending about $400,000 to pay for security improvements. Hiring a contractor remains a work in progress, the source said.
The security study itself wasn’t cheap: The FEC on Aug. 15, 2014, paid SD Solutions LLC $199,500 for what’s described in federal contract records as an “information technology gap analysis.”
A “gap analysis,” in government parlance, compares some aspect of a federal agency’s actual performance with what an agency would consider ideal performance.
Less comprehensive reports on the FEC’s security systems, including a broad annual survey of agency operations by contractor Leon Snead & Co., have highlighted notable flaws in the FEC’s computer and information technology systems.
“Without adopting and implementing National Institute of Science and Technology minimum security controls, the FEC’s computer network, data and information is at an increased risk of loss, theft, manipulation, [and] interruption of operations,” Leon Snead & Co.’s 2012 report stated.
FEC officials bristled at such assertions, saying the agency’s “systems are secure.”
Revelations in December 2013 about the Chinese hacking incident, which crippled the agency’s computer systems, changed that attitude.
Ravel acknowledged that “there was a lot of internal discussion” by FEC officials about security, and by early 2014, Goodman and Ravel — often at odds with one another politically and ideologically — said they were united in improving the FEC’s computer systems.
From there, the agency made steady progress toward improving its computer security.
It quickly began hiring new IT staffers.
In March 2014, the FEC requested Congress allocate it $1.51 million to address its obsolete computer systems.
And come the summer of 2014, the agency was seeking a contractor to comprehensively review those systems. It hired SD Solutions LLC to do the work.
In an email on Aug. 21, 2014, Palmer, the FEC’s staff director and chief information officer, told Goodman and Ravel that his staff was preparing for the study by “working on the timeline of all security related improvements and activities over the past 9 months and timeline related to the NIST study.”
On Oct. 31, Palmer thanked Deborah Tibbs, his special assistant, for attending a training course that would aid her in helping manage the study’s contract.
“We all know how critical this is in improving our security posture here at the FEC,” Palmer wrote Tibbs.
Contractor SD Solutions LLC appears to have completed its work this spring. On June 10, Palmer asked FEC Chief Information Security Officer Esteve Mede for an update on the study’s status.
“[W]e need to get the recommendations into the hands of the commissioners by the end of this month including all the cost related issues benefits risks etc. so they can make a decision and then we can set up a contract for execution before the end of the fiscal year,” Palmer wrote.