IG: State Department Security Program Weak
Department Fails to Address Recurring InfoSec Weaknesses
The integrity of the State Department's information security program is at significant risk because of recurring weaknesses the agency has failed to address, the department's inspector general says in a just-published audit.
In the partly redacted report, published Jan. 16, Inspector General Steve Linick took the department to task for not addressing deficiencies found in previous years' audits required under the Federal Information Security Management Act, the law that governs federal government IT security.
Linick says it's crucial for the department to address the weaknesses in its information security program.
"The Department of State is entrusted to safeguard sensitive information, which is often the target of terrorists and criminal organizations," he says. "Cyber-attacks against government organizations appear to be on the rise, including state-sponsored efforts to exploit U.S. government information security vulnerabilities. ... To protect this information, the department must ensure that its information system security program and management control structure are operationally effective."
Top Security Concerns
Among the concerns the IG points out in its report are weaknesses in cybersecurity management.
The department employs nearly 6,400 systems administrators who are given networkwide permission to manage and troubleshoot problems collaboratively. Linick doesn't think that's a good idea, saying such an arrangement increases risk. "The recent, highly publicized breach of information pertaining to national security matters by Edward Snowden, a contract systems administrator, starkly illustrates the issue," he says.
Other continuing deficiencies the IG identifies include the department's failure to complete risk management and continuous monitoring strategies and implement an enterprisewide continuity of operation plan.
"Although the chief information officer has verbally articulated his ideas for risk management and continuous monitoring, no documented strategy for either exists," Linick says. "The absence of such formal documentation, and its concomitant acceptance by department management, can heighten the department's vulnerability to internal and external information security threats."
Because recurring weaknesses continue to put at significant risk the integrity of the department's overall information security program, the inspector general designates the collective weaknesses as a "significant deficiency," as defined by the Office of Management and Budget.
In OMB parlance, "significant deficiency" means that IT systems significantly restrict the ability of the agency to carry out its mission or compromise the security of its information assets, personnel and operations.
State Department Comptroller James Millette, who chairs the State Department's management control steering committee, says the department's security officials "respectfully disagree" on the level of severity the IG maintains these weaknesses collectively represent, but they, nevertheless, commit to addressing the problems the audit points out.
"Let me assure you that the committee takes the reported weaknesses very seriously," Millette says. "The committee believes that our efforts over the coming year will advance the department's information security posture and address OIG concerns."
Explanations of significant and recurring weaknesses for many operations and systems were redacted in the report.
Role of NSA
The IG recommends that the department employ the services of the National Security Agency to conduct independent penetration testing to further evaluate its IT security program and outline a range of technical and procedural countermeasures to reduce risks.
Millette, however, says he's hesitant to use the NSA services, saying the department's law enforcement agency, the Diplomatic Security Service, could conduct the penetration tests. "However," he says, "we fully understand the issue of perception of independence." Millette suggests the department work with a third party.
But Millette did not explain why he doesn't want the NSA to conduct the test. The State Department did not immediately reply to a request from Information Security Media Group for an explanation.
The IG, in a written response to Millette, reiterates that testing by the Diplomatic Security Service is unacceptable. "Because [Diplomatic Services] is actively involved in the department's information system security program, it cannot be considered an independent, impartial assessor," Linick says. "The penetration testing must be performed by the National Security Agency or an equally qualified organization independent of the department and approved by the OIG."