Home Front: WoT
State Department agency deemed 'critical' to information security is a mess
2013-07-20
An obscure little State Department agency whose work is called "critical to the Department's information security posture" has been in a shambles for years, and is still in chaos, according to an audit report by the department's inspector general released yesterday.

As one result of all the bumbling and inaction, the security checks that the agency is supposed to perform, and the subsequent approvals for use that it is supposed to bestow every three years, have lapsed entirely on 36 State Department systems, meaning that those systems are operating, in effect, illegally.
Some of the lapses have gone on for two years; in at least a couple of cases involving information systems that the audit calls "primary general support systems," the lapses have gone on since 2007.

One of the systems that is operating without a current license, known as iPost, was given an award two years ago for "significantly improving the effectiveness of the nation's cyber security." According to the inspector general's report, auditors couldn't find any documentation to back up how the award-winning system was created or maintained, nor any source code for the information it was supposed to track.
Fred and Badanov, we got a job opening for you guys!
There is more -- much more -- concerning the 22-person agency, known as the Office of Information Assurance of the State Department's Bureau of Information Resource Management (IRM/IA), which among other things certifies the security status of more than 170 information systems in the State Department. The report comes at a time of heightened concern about both cyber-security and torrents of information leaks in the U.S. government.

According to the audit report, the agency has statutory responsibility as State's "lead office for information assurance and security." Its top official, currently William Lay, is known as State's Chief Information Security Officer (CISO), who reports up to State's Chief Information Officer, currently Steven C. Taylor.

Despite the agency's august legal status, IRM/IA's staff apparently has no sense of what security functions their unit is actually required to perform, has failed for years to update information security manuals used by thousands of other State Department personnel, and has often left important details about the vulnerability of State's information systems where they can be accessed by people with lower-level security clearances.

The State Department said in a statement that it was taking the report's findings seriously.
"How seriously?"
"Umm, ask Mr. Carney. He'll tell you."
Much of the agency's certification work has apparently been done by outside contractors, often unsupervised, and often performing duties that are supposed to be done only by government employees.
"Who is working on this?"
"Top people."
"Who?"
"Top. People."
Neither contractors nor staffers apparently maintain much documentation about their work, or even about how the contractors are being paid under a $19 million contract that could swell to $60 million in outlying years. As the report puts it tersely, "Management is unable to verify the accuracy of reported costs."

Even the presence of inspectors didn't seem to stir much concern. Though the unnamed CISO said he would reassign responsibilities to fix some of the oversight problems, "no corrective action was taken during the course of the inspection," which lasted for six weeks earlier this year.

In effect, IRM/IA seems to be something of a zombie agency. IRM/IA staffers, according to the inspector general's report, don't show up for inter-departmental meetings, don't participate in their Bureau's strategic planning exercises, don't keep track of important documentation in the security certification process, and can't find a major portion of their budget receipts.

Even the relatively good news that many of the agency's functions have migrated to other parts of the larger Bureau comes with the fact that in some important cases, this occurred because IRM/IA personnel didn't show up for meetings where they shared joint responsibility.

Nor does the agency's management seem to have cared much for a long time about where it is going or what it needs to do to get there. According to the report, the agency "has no mission statement and is not engaged in strategic planning."
In other words, it's much like the rest of our government. We're in the best of hands...
Posted by: Skidmark

#5  State's IT Motto: "Yesterday's Technology - Tomorrow."

This doesn't surprise me at all. When you scratch the surface on many things at State, you'll find incompetence, corruption, and general laziness. I've been inside the Matrix and it is not a pretty picture.
Posted by: Bangkok Billy   2013-07-20 19:37  

#4  Credit where due, getting this report out seems to be the only thing Secretary of State Kerry has accomplished thus far. As it may be his only accomplishment before turning his responsibilities over to a Republican appointee, it ought to be celebrated.
Posted by: trailing wife   2013-07-20 17:37  

#3  Don't worry - the staff will be transferred to the IRS to manage ObumbleCare....

Snark of the day
Posted by: CrazyFool   2013-07-20 15:45  

#2  since 2007? Blame Boooooosh!
Posted by: Frank G   2013-07-20 15:27  

#1  Close the agency, and fire ALL employees. They aren't doing the job, so get rid of them. We won't miss them.

And SHOULD we miss them, re-hire NEW employees; currently employed need not apply. (If you re-apply, the application goes straight to the trash.)

If anybody sneaks in, POLICE.
WE MEAN NOBODY.
Posted by: Redneck Jim   2013-07-20 14:23  
