Title Full
IPA Performance Audit Report of FEC's Patches and Vulnerabilities Management Programs
Date Issued
Submitting OIG
Federal Election Commission OIG
Agencies Reviewed/Investigated
Federal Election Commission
Report Number
Con25OCIO0006
Report Description

This report presents the results of our Independent Auditors’ Performance Audit Report on the Federal Election Commission’s (FEC) Security Patches and Vulnerabilities Management Programs for the Fiscal Year Ending September 30, 2024.

Report Type
Audit
Agency Wide
Yes
Number of Recommendations
10
Questioned Costs
$0
Funds for Better Use
$0
Report updated under NDAA 5274
No

Open Recommendations

This report has 10 open recommendations.
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
| --- | --- | --- | --- | --- |
| 1 | No | $0 | $0 | We recommend that the FEC OCIO update the agency’s SSPP documents and establish a privacy program plan that aligns with NIST SP 800-53, Rev. 5.1.1 requirements as required by OMB. |
| 2 | No | $0 | $0 | We recommend that the FEC OCIO develop and implement a SCRM strategy, policies, and procedures that align with NIST and as OMB requires. |
| 3 | Yes | $0 | $0 | We recommend the FEC OCIO secure (redacted) by monitoring configuration settings to ensure compliance with STIG security configuration settings as required by the agency’s SSP. |
| 4 | No | $0 | $0 | We recommend the FEC OCIO review and monitor STIG security configuration settings for its Server 2 as required by the FECLAN SSP. |
| 5 | Yes | $0 | $0 | We recommend that the FEC OCIO implement STIG security configuration settings for Server 1 in accordance with the agency’s FECLAN SSP. If the agency cannot utilize its directory GPOs, we recommend that the agency use alternative methods. |
| 6 | Yes | $0 | $0 | We recommend that the FEC OCIO conduct regular security scans of Server 1 to verify compliance with STIG security configuration settings in accordance with the agency’s FECLAN SSP. |
| 7 | No | $0 | $0 | We recommend that the FEC OCIO reassess and reprioritize resources to identify opportunities to accelerate the remediation of urgent, critical, and high vulnerabilities. |
| 8 | No | $0 | $0 | We recommend that the FEC OCIO regularly conduct risk assessments in accordance with OMB Circular A-130, Managing Information as a Strategic Resource, to help identify other corrective actions to improve the timeliness of vulnerability remediation. |
| 9 | No | $0 | $0 | We recommend that the FEC develop and implement SLA policy and procedures and define KPMs for managing the performance of third-party service contracts. |
| 10 | No | $0 | $0 | We recommend that the FEC OCIO ensure (redacted) logs are forwarded to and actively monitored by the agency’s centralized SIEM system, in accordance with the agency’s system security plan. |
