|| > We’re running our crowdfunding project from January 1 to February 15, 2014. If you want to keep us around, see Help Diplopundit Continue the Chase—Crowdfunding for 2014 via RocketHub <||
— By Domani Spero
In November 2013, Inspector General Steve Linick issued a management alert memo to the State Department’s Management Control Steering Committee concerning the “significant and recurring weaknesses” of its information system security program over the past three fiscal years (2011-2013).
The recurring weaknesses identified were in six areas: Authority to Operate (ATO), Baseline Controls, Scarming and Conﬁguration Management Controls, Access Controls, Cyber Security Management, and Risk Management and Continuous Monitoring Strategies.
A backgrounder from the OIG report:
The Department of State (Department) is entrusted to safeguard sensitive information, which is often the target of terrorist and criminal organizations. Cyber attacks against Government organizations appear to be on the rise,’ including state-sponsored efforts to exploit U.S. Government information security vulnerabilities. The Department is responsible for preserving and protecting classiﬁed information vital to the preservation of national security in high risk environments across the globe. The Department also undertakes signiﬁcant numbers of ﬁnancial and other transactions, including, for instance, the daily collection of millions of dollars in consular fees. In addition, the Department maintains records on approximately 192 million current passports,5 which contain such sensitive personally identiﬁable information (PII) as dates of birth and social security numbers. To protect this information, the Department must ensure that its Information System Security Program and management control structure are operationally effective.
Some of the examples of weaknesses cited include the following:
- In FY 2013, OIG found another instance of access control weakness. Speciﬁcally, OIG reported that 36 employees assigned to the [Redacted] (b) (5). Pursuant to 12 FAM 232, those systems can only be accessed by individuals possessing appropriate clearances. The 36 employees did not possess such clearances.
- On August 20, 2013, the Bureau of Information Resource Management (IRM) reported that the Department had a total of 6,369 system administrators. According to IRM ofﬁcials, system administrators are given network-wide permissions to allow them to collaboratively manage and troubleshoot issues.“ However, such broad access by large numbers of system administrators also subjects the system to risk. The recent, highly-publicized breach of information pertaining to national security matters by Edward Snowden, a contract systems administrator, starkly illustrates the issue.”
- The Bureau of Diplomatic Security did not have the administrative credentials needed for Demilitarized Zone servers to perform periodic scanning.
State/OIG made three recommendations including directing the Ofﬁce of the Chief Information Officer to employ the services of the National Security Agency (NSA) to conduct independent penetration testing to further evaluate the Information System Security Program and outline a range of technical and procedural countermeasures to reduce risks.
On December 13, 2013, James Millette, the chairman of the Steering Committee and the State Department’s Comptroller who also heads the State Department’s Bureau of the Comptroller and Global Financial Services (CGFS) sent the OIG a written response which says that they “respectfully disagree on the level of severity these weaknesses collectively represent.” Part of the response also includes the following:
Your memo recommended that the MCSC direct IRM to employ the services of the National Security Agency (NSA) to conduct independent penetration testing. The Committee believes that DS, like the OIG, has direct lines to the Secretary and has the capability to be independent in these matters. In addition, DS assured the Committee that they have the capability and work with and have the confidence of NSA in these matters. We believe OIG would not disagree that DS has the capability to adequately perform the testing. However, we fully understand the issue of perception of independence. Therefore the MCSC is supportive of DS and IRM having further discussions with the OIG on this matter to determine the best plan of action to perform penetration testing that meets the needs of the OIG and Department management. In addition, at the meeting, we suggested that there may be other alternatives to NSA, such as using a 3rd party to review the methodology used by DS.
That’s an old timer at the State Department telling the new IG that the Committee believes that Diplomatic Security (DS) like the Office of the Inspector General (OIG) has “direct lines” to the Secretary? Really! It is a fact that DS reports to “M” or the Under Secretary for Management and not directly to the Secretary. (Unless, the Committee thinks the OIG also reports to “M” just like DS)? OIG is one of the ten offices at State that reports directly to the Secretary. If the Secretary in practice delegates that authority, he has two deputies above the under secretaries, and one of them is for management and resources.
On Jan 13, 2014, the Inspector General sent another memo to the Management Control Steering Committee. The memo indicates closure of one recommendation but left the other two issues “unresolved.” This is also where the OIG patiently explains to the Committee what it means by “independence.”
OIG considers Recommendation 3, pertaining to independent penetration testing, unresolved. The MCSC indicated that it is supportive of the Bureau of Diplomatic Security (DS) and IRM having further discussions with OIG on this matter, but it further stated that “OIG would not disagree that DS has the capability to adequately perform the testing.” The issue, however, is not about DS’s “capability” but its independence and perceived independence.
According to the National Institute of Standards and Technology (NIST):
An independent assessor is any individual or group capable of conducting an impartial assessment of security controls employed within or inherited by an information system. Impartiality implies that the assessor is free from any perceived or actual conﬂicts of interest with respect to the development, operation, and/or management of the information system or the determination of security control effectiveness.
Because DS is actively involved in the Department’s Information System Security Program, it cannot be considered an independent, impartial assessor. The recommendation will remain open until OIG reviews and accepts documentation showing that independent penetration testing has been implemented. The penetration testing must be performed by the National Security Agency or an equally qualiﬁed organization independent of the Department and approved by OIG.
The NSA is already conducting pentest on critical U.S. infrastructures among other things. Why is State thinking only DS, or third party and not NSA?
* * *