State Department Agency Deemed 'Critical' to Information Security Is A Mess, Report Shows
Published July 20, 2013
An obscure little State Department agency whose work is called "critical to the Department's information security posture" has been in a shambles for years, and is still in chaos, according to an audit report by the department's inspector general released yesterday.
As one result of all the bumbling and inaction, the security checks that the agency is supposed to perform, and the subsequent approvals for use that it is supposed to bestow every three years, have lapsed entirely on 36 State Department systems, meaning that those systems are operating, in effect, illegally.
Some of the lapses have gone on for two years; in at least a couple of cases involving information systems that the audit calls "primary general support systems," the lapses have gone on since 2007.
One of the systems that is operating without a current license, known as iPost, was given an award two years ago for "significantly improving the effectiveness of the nation's cyber security." According to the inspector general's report, auditors couldn't find any documentation to back up how the award-winning system was created or maintained, nor any source code for the information it was supposed to track.
There is more -- much more -- concerning the 22-person agency, known as the Office of Information Assurance of the State Department's Bureau of Information Resource Management (IRM/IA), which among other things certifies the security status of more than 170 information systems in the State Department. The report comes at a time of heightened concern about both cyber-security and torrents of information leaks in the U.S. government.
According to the audit report, the agency has statutory responsibility as State's "lead office for information assurance and security." Its top official, currently William Lay, is known as State's Chief Information Security Officer (CISO), who reports up to State's Chief Information Officer, currently Steven C. Taylor.
Despite the agency's august legal status, IRM/IA's staff apparently has no sense of what security functions their unit is actually required to perform, has failed for years to update information security manuals used by thousands of other State Department personnel, and has often left important details about the vulnerability of State's information systems where they can be accessed by people with lower-level security classifications.
The State Department said in a statement that it was taking the report's findings seriously.
Much of the agency's certification work has apparently been done by outside contractors, often unsupervised, and often performing duties that are supposed to be done only by government employees.
Neither contractors nor staffers apparently maintain much documentation about their work, or even about how the contractors are being paid under a $19 million contract that could swell to $60 million in outlying years. As the report puts it tersely, "Management is unable to verify the accuracy of reported costs."
Even the presence of inspectors didn't seem to stir much concern. Though the unnamed CISO said he would reassign responsibilities to fix some of the oversight problems, "no corrective action was taken during the course of the inspection," which lasted for six weeks earlier this year.
In effect, IRM/IA seems to be something of a zombie agency. IRM/IA staffers, according to the inspector general's report, don't show up for inter-departmental meetings, don't participate in their Bureau's strategic planning exercises, don't keep track of important documentation in the security certification process, and can't find a major portion of their budget receipts.
Even the relatively good news that many of the agency's functions have migrated to other parts of the larger Bureau comes with the fact that in some important cases, this occurred because IRM/IA personnel didn't show up for meetings where they shared joint responsibility.
Nor does the agency's management seem to have cared much for a long time about where it is going or what it needs to do to get there. According to the report, the agency "has no mission statement and is not engaged in strategic planning."
"There is no evidence of IRM/IA management engaging in a comprehensive strategic review to assess its current capabilities and future needs," the report says. "The CISO and his division chiefs have not reviewed operations to determine what information assurance and security functions they are required to perform or are currently handling."
Or, to put it even more bluntly, the inspector general's auditing team "could not validate whether IRM/IA has not been able to meet priorities since the office has not defined any priorities."
In a bid to correct the fiasco, the inspectors have issued 32 recommendations, including the requirement that IRM/IA "participate regularly" in department-wide meetings and "share learned information from such meetings with its staff," along with a strong hint that other functions might be hived off to others -- who happen to be doing some of them anyway.
The State Department said in its statement, in response to the report: "The Department takes the OIG feedback seriously and is committed to addressing the recommendations and the concerns that led to the assessment. Mr. William G. Lay was appointed to the position of Deputy Chief Information Officer for Information Assurance and Chief Information Security Officer for the U.S. Department of State in late 2012."