“The majority of functions are performed by other offices. IRM/IA is not doing enough and is potentially leaving department systems vulnerable. IRM/IA has conceded that other department elements have a greater role in information security, diminishing the relevance of IRM/IA,” the report said.
The office, established in 2004, is responsible for State’s cybersecurity program and information assurance policies.
The report made 32 recommendations, including performing an organizational assessment and developing a mission statement with both short- and long-term goals. The report stated that the office had neither a mission statement nor formal goals at the time of the investigation.
Though the arrival of a new chief information security officer, William Lay, has improved the office atmosphere, the IRM/IA office does not have the workload to justify its organizational structure, auditors found.
“In light of the lack of active involvement in many of its stated responsibilities, the proposed IRM/IA office realignment for an additional deputy position and one more division, as well as the need for some of the current divisions, are not justified by the current level of work being performed. The possibility of duplicative functions occurring between IRM/IA and other department elements is likely,” the report stated.
The office has inconsistencies in both its policies and its practices, according to the report, which has left some of the certification and assurance (C&A) processes it manages ineffective. Many of the department's systems are running on authorizations to operate that have already expired.
Even though IRM/IA is the lead office for C&A, it is only responsible for 56 percent of the department’s programs. In many cases, the report said, some of these programs are operating under authorizations that have been expired for two years or more.
“When questioned, IRM/IA management stated that the responsibility for completing system authorizations is with system owners. System owners have a responsibility to complete the necessary documentation and assessments, but ultimately it is the CISO’s responsibility to verify that systems authorizations have been performed on all Department systems in accordance with Title III of the E-Government Act of 2002,” the report stated.
Additionally, the office performed poorly in contract management, the report stated. The former Policy, Liaison and Reporting division chief, who recently departed, left large gaps in documentation for the staff member who took over his position, causing deficiencies in the office's contracting program, according to the report.
The report also said that the existing contract documentation was incomplete; one contract with a ceiling of $2 million, for example, contained major inconsistencies. In addition, the office made payments without sufficient oversight, and no personnel were regularly reviewing them, which the report said led to overpayments to some contractors.
The office said in a statement it will respond to the IG’s recommendations.
“The U.S. Department of State takes the OIG feedback seriously and will respond appropriately. Mr. William G. Lay was appointed to the position of Deputy Chief Information Officer for Information Assurance and Chief Information Security Officer for the U.S. Department of State in late 2012,” the statement said.
IRM/IA staff includes 22 full-time employees and 36 contract employees, and funding is $5.9 million per year, the report stated.
Cogan Schneier is an intern for Federal News Radio.