A new report from the State Department’s Office of Inspector General (OIG) says that the agency made some headway on addressing IT problems in Fiscal Year 2019, but not enough to quell the internal watchdog’s concerns that lingering issues are leaving the agency exposed to major cybersecurity vulnerabilities.
For its part, the State Department responded that it is working on a list of management fixes to those problems that it hopes to see results from in 2020.
“The Department acknowledges that its information systems and networks are subject to serious threats that can exploit and compromise sensitive information, and it has taken some steps to address these concerns,” the agency Inspector General said. “However, notwithstanding the expenditure of substantial resources by the Department, OIG continues to identify significant issues that put its information at risk.”
“Although the Department has taken steps to improve its information security program, as in prior years, OIG’s annual assessment of the Department’s information security program identified numerous control weaknesses that affected program effectiveness and increased the Department’s vulnerability to cyberattacks and threats,” the report says.
“The lack of fully-implemented risk management strategy and dispersed authority contribute to many of OIG’s concerns regarding IT security and management at the Department,” it says.
Among the issues flagged by the OIG in its FY2019 review:
- The State Department’s CIO continues to be “not well placed in the organization to be fully accountable for information security program issues”; and
- OIG has concerns “with the CIO’s ability to track and control IT investments, which affects the Department’s ability to obtain a clear picture of total IT spending.”
On the latter issue, OIG said the State Department has taken “some steps to strengthen the delegation of authority to the CIO,” and said it will continue to assess whether the agency’s IT security program has “noticeably improved” as a result.
The OIG also flagged “lapses” in the performance of Information Systems Security Officers deployed by the State Department in its extensive worldwide operations. The watchdog brought up the issue in FY2019, but said that since then “our overseas inspections work continued to find numerous posts where unclassified and classified ISSOs did not perform all information system security duties as required.”
“As a result, OIG found information security issues that could have been prevented with regular performance of these mandated duties,” the report says. “Moreover, without a systematic approach to monitoring networks and recording findings, Department networks could be breached, and information security compromised.”
OIG also found “deficiencies related to developing, testing, and training employees on IT contingency planning on overseas posts,” adding, “Incomplete and untested IT contingency plans increase the risk of ineffective responses to or loss of critical communication during an emergency.”
In a response to the OIG report, the State Department said that addressing IT issues and improving agency cybersecurity are included in management’s top five priorities for fixes. And it said it has made progress addressing the CIO role by delegating to the CIO authority over all IT investments including those related to cybersecurity.
“The CIO currently is evaluating the effectiveness of the Chief Information Security Officer and Diplomatic Security (DS) partnership to manage cybersecurity risk and threat,” the State Department said.
The agency also said it has launched a new cyber pay initiative that is “re-evaluating positions and responsibilities and creating positions that have cybersecurity as a primary function of their job. This program is scheduled for implementation in 2020.”
Release of the OIG report follows a query from Sen. Mark Warner, D-Va., earlier this month pressing Secretary of State Mike Pompeo for details on any cybersecurity improvements at the agency. He asked for an answer by Jan. 31.