IG: State Dept. Security Office 'Irrelevant'
Other Department Units Fulfill Responsibilities of CISO-led Office
By conceding its IT security responsibilities to other U.S. State Department units, the Office of Information Assurance is diminishing its own relevance, a just-issued inspector general's report contends.
The IG report stops short of saying that the State Department avoids taking steps to address IT security. The report maintains, however, that the Office of Information Assurance's lack of leadership creates confusion among department personnel about the IT security requirements and guidance they must follow.
"[The office] is not doing enough and is potentially leaving department systems vulnerable," Harold Geisel, deputy inspector general, writes in the 35-page report. "[The office] has conceded that other department elements have a greater role in information security, diminishing the relevance of [the office]."
The IG report offers 36 recommendations, including a number aimed at better integrating the office into the State Department's cybersecurity planning and leadership.
The State Department did not respond to a request for comment on the IG report.
Born of the E-Government Act
Created in 2003 to comply with provisions of the E-Government Act of 2002, the Office of Information Assurance, within the Bureau of Information Resource Management at the State Department, is responsible for the department's cybersecurity program; information assurance policies, standards and guidelines; and compliance with national security directives. Key office programs include cybersecurity management, which comprises policy development, risk management, systems authorizations, performance measures and annual reporting for the Federal Information Security Management Act, the law that governs IT security in the federal government.
The office, headed by the department's chief information security officer, has 22 full-time employees and 36 contractors. Its operating budget for the current fiscal year is $10 million. The State Department's CIO proposes to increase the office's budget for fiscal year 2014, which begins Oct. 1, by $8 million to support certification and accreditation initiatives, continuous monitoring and controls needed for safeguarding classified information.
According to the audit:
- The current Office of Information Assurance workload does not justify its organizational structure, resources or status as an Information Resource Management directorate.
- The mishandling of the certification and accreditation process and contract by the office, including development of tools and guidance and reviews of C&A packages, has contributed to expired authorizations to operate 52 of the department's 309 systems.
- No single department bureau has full responsibility for the information systems security officer program. The office and the Bureau of Diplomatic Security directly or indirectly support the information systems security officer's program, resulting in confusion among personnel on requirements and guidance. The involvement of both bureaus also wastes personnel resources.
- The office lacks adequate management controls and procedures to monitor its contracts, task orders and blanket purchase agreements, which have an approximate value of $79 million.
- The office has no mission statement and is not engaged in strategic planning.
According to the IG, the information assurance office performs a limited number of assurance functions, yet doesn't have a lead role in most of the functions it performs. For the most part, it only compiles information generated by other units.
For example, the IG says, the information assurance office is charged with overseeing the information systems security officer program, but it is not the principal office from which ISSO personnel overseas seek information and guidance. Several information systems security officers surveyed by the IG said they were unaware of the information assurance office's involvement.
Lack of Leadership
In addition, the Office of Information Assurance is supposed to be the department's lead in certification and accreditation activities, yet many bureaus and offices complete the necessary C&A assessments and documents without any involvement by the information assurance office. "More significantly," Geisel says, "[the office] does not have the lead for the most important C&A effort in the department: the OpenNet network [that links domestic and overseas local area networks]. That task is handled by Information Resource Management's enterprise network management office."
The State Department has proposed a realignment of the information assurance office that would add another deputy and one more division, an idea the IG discounts because the office has failed to carry out the responsibilities it already has.
Meanwhile, the Office of Information Assurance is in the midst of a realignment assessment study, which should be completed by September, the IG says.