The Report on Gov't Cybersecurity Causing 'Major Concerns' That You Might Not Have Heard of Yet

A report released last week by the State Department's inspector general blasted its office tasked with cybersecurity as being mismanaged and not doing its primary functions, which at the time of the inspection were actually being performed by other offices within the department. But so far, it's garnered little attention.

State Department (Image: Wikimedia)

Titled Inspection of the Bureau of Information Resource Management, Office of Information Assurance, the little publicized report evaluates the office tasked with providing "information technology and services the Department needs to successfully carry out its foreign policy mission by applying modern IT tools, approaches, systems, and information products." As part of this, it also needs to address information security of the systems as directed by Title III of the E-Government Act of 2002.

What the inspector general found though was that IRM/IA "does not fulfill all those requirements" laid out in Title III. In fact, "the majority of the required functions are performed by Department of State (Department) offices other than IRM/IA," the report states.

All in all:

IRM/IA is not doing enough and is potentially leaving Department systems vulnerable. IRM/IA has conceded that other Department elements have a greater role in information security, diminishing the relevance of IRM/IA.

Currently, the bureau employs 22 federal employees and 36 contractors, receiving $5.9 million in funding per year from 2011 through 2013. The report states that its operating budget for 2013 though is $10 million. It meets the additional costs through "other funds coming from reimbursements and internal bureau transfers." Its Chief Information Officer requested $8 million more for FY 2014 to "support specific Department initiatives."

Some of the major problems outlined in the report also include:

• The current workload of IRM/IA does not justify its organizational structure, resources, or status as an IRM directorate.
• No single Department bureau has full responsibility for the information systems security officer (ISSO) program. Both IRM and the Bureau of Diplomatic Security (DS) directly or indirectly support the ISSO program, resulting in confusion among personnel on requirements and guidance. The involvement of both bureaus also wastes personnel resources.
• IRM/IA lacks adequate management controls and procedures to monitor its contracts, task orders, and blanket purchase agreements, which have an approximate value of $79 million.
• IRM/IA has no mission statement and is not engaged in strategic planning.

"This report reads like a what-not-to-do list from every policy, program, and contracting perspective," Scott Amey, the general counsel for the Project On Government Oversight, told Mother Jones. "With stories about foreign entities hacking US government systems and questions about non-authorized access to classified information, this latest IG report causes major concerns about the State Department’s ability to protect government systems.

The report also indicates that the office wanted to add more staff, but the IG didn't necessarily agree with its plan.

"In light of the lack of active involvement in many of its stated responsibilities, the proposed IRM/IA office realignment for an additional deputy position and one more division, as well as the need for some of the current divisions, are not justified by the current level of work being performed," the report stated.

The report recommends the Office of Resource Management and Organizational Analysis assess IRM/IA's organization, workload and functions in the context of what is already being done in other offices within the State Department. It also recommends, among dozens of other specific recommendations, that IRM/IA actually define its mission and goals and establish a strategy for achieving them.

In light of the recent leak of classified programs headed by the National Security Agency, and Bradley Manning leaking information from State Department itself to Wikileaks in 2010, information security is a hot topic for government agencies at this time.

Read more specifics of the Inspector General's report of this State Department bureau.

This report comes on the heels of a separate report critical of the State Department's expenditures on social media efforts.

(H/T: Gizmodo)

--

[related]