State/OIG Issues Report on @StateDept IT Incident Response and Reporting Deficiencies

Posted: 2:03 am EDT

An independent accounting firm hired by State/OIG determined that the State Department’s IT incident response and reporting (IR&R) program was not operating effectively. Specifically, of the 25 cyber security incidents evaluated, Williams, Adley found that five were miscategorized, six were not remediated in a timely manner, one was not identified in a timely manner, one was missing incident information, four were not reported to the U.S. Computer Emergency Readiness Team (US-CERT) in a timely manner, and two were not reported to US-CERT as required.

The deficiencies in the IR&R program occurred primarily because of inadequate communication between the Bureau of Information Resource Management (IRM) and the Bureau of Diplomatic Security (DS) and inadequate management oversight that would ensure that personnel within the Department’s incident response team fully complied with prescribed categorization guidelines, reporting requirements, and remediation timelines.

Without an effective IR&R program, the Department may be unable to properly identify weaknesses, restore IT operations in a timely manner, and identify and respond to cyber security incidents, which could potentially lead to interruptions of critical operations and hinder the Department’s ability to achieve its core mission.
[…]
Williams, Adley determined that the Department’s IR&R program was not operating effectively for the months of September and October 2014. Specifically, Williams, Adley reviewed the Department’s handling of 25 cyber security incidents out of 303 incidents (CAT 1 to CAT 6) reported during the scope period to determine whether the Department complied with its information security policies and procedures.

Screen Shot

According to the audit, remediation of one denial of service attack took over 200 hours, remediation of four malicious code attacks took between 174 hours and 312 hours, and remediation of one probe attack took over 175 hours.

Here’s the proposed solution according to the audit:

DS officials stated that a proposed solution was currently being developed that would improve the responsiveness of and communications between DS and IRM. Specifically, the Department would create a Joint Concept of Operations, via a Memorandum of Understanding, that would enhance the current capabilities of the DS Foreign Affairs Cybersecurity Center. Although the Memorandum of Understanding was in the initial drafting phase as of the date of this report, it is a proposed solution that, when fully implemented, will allow the Department to approve a Joint Security Operations Center concept that will potentially consolidate core IRM and DS cyber security functions and thus strengthen the responsiveness of and communications between IRM and DS. This effort will serve as the first step in improving communications between IRM and DS.

The State Department’s response to the OIG requests that the two recommendations be closed due to agency actions, but it also expresses concern over the OIG’s use of this Nextgov press article cited in the audit:

Screen Shot

WaPo reported on the email system outage that followed the hacking concerns here, and we wrote a blog post about the incident here (see State Department’s Computer Systems Hacked, 5th Known Agency Breach This Year?).

#

State/OIG Reminds @StateDept of IT Contingency Planning Deficiencies

Posted: 12:59 am EDT

Last week, State/OIG issued a Management Assistance Report (MAR-PDF) reminding the State Department of continued deficiencies identified in information technology contingency planning at its overseas posts:

OIG identified IT contingency planning deficiencies in 69 percent (20 out of 29) of overseas inspections performed during FYs 2014 and 2015. The issues identified ranged from information management staff at posts not developing, updating, or testing IT contingency plans to plans that lacked appropriate key stakeholders and contact information as part of emergency preparedness, contrary to requirements set forth in 5 Foreign Affairs Manual (FAM) 1064, 12 FAM 623.7, 12 FAM 632.3, and National Institute of Standards and Technology Special Publication 800-34. This report recommends that the Department take action to ensure that information management personnel are held accountable for IT contingency planning by making this responsibility explicit in their work requirements.

Recommendations from 2011 OIG Memorandum Report Unimplemented

OIG inspection teams continue to report IT contingency planning findings in overseas inspection reports, despite a December 2011 OIG memorandum to the Bureau of Information Resource Management with two recommendations addressing the topic. The memorandum identified IT contingency planning issues involving bureaus’ and posts’ lack of attention to developing and testing IT contingency plans as part of their emergency preparedness activities. The Bureau of Information Resource Management stated in compliance responses that it was planning to implement a tracking mechanism and develop a SharePoint site to capture risk scoring compliance for posts and bureaus. However, after 4 years the bureau still lacks a tracking mechanism and a SharePoint site as mentioned in their compliance responses. The September 2015 compliance response noted that the bureau is researching other alternatives to comply with OIG recommendations.

So State/OIG is trying again with this MAR, adding a nudge on the work requirements of information management staff:

A review of Foreign Service employee evaluation reports for information management officers or the most senior information management personnel at embassies and consulates revealed that only 12 percent (32 out of 272) had a stated work requirement to develop and test IT contingency plans. According to 5 FAM 825 and 5 FAM 826, responsibility for the development and testing of IT contingency plans lies with the information management staff overseas.

Recommendation 1: The Bureau of Information Resource Management, in coordination with the regional bureaus, should include the requirement to complete and test information technology contingency plans in the work requirements for information management personnel. (Action: IRM, in coordination with AF, EAP, EUR, NEA, SCA, and WHA).

#

@StateDept’s Problematic Information Security Program and Colin Powell’s Wired Diplomatic Corps

Posted: 2:10 am EDT

Via the AP:

Clinton approved significant increases in the State Department’s information technology budgets while she was secretary, but senior State Department officials say she did not spend much time on the department’s cyber vulnerabilities. Her emails show she was aware of State’s technological shortcomings, but was focused more on diplomacy.
[…]
Emails released by the State Department from her private server show Clinton and her top aides viewed the department’s information technology systems as substandard and worked to avoid them.

Screen Shot 2015-10-20

click here to view pdf file

The report does not include specific details on the “significant increases” in the IT budget. Where did it go? Why did the Clinton senior staff suffer through the State Department’s antiquated technology without any fixes?

In contrast, here is Colin Powell’s Wired Diplomatic Corps:

Another disturbing aspect of State Department life prior to 2001 was the poor condition of its information technology (IT). Independent commissions warned the organization’s computer networks were “perilously close to the point of system failure” and “the weakest in the U.S. government.” Inadequate funding, concerns over IT security, and simple bureaucratic inertia were all contributing factors. Powell came to an institution in which his employees relied on an antiquated cable messaging system, slow, outdated computers and as many as three separate networks to do their daily work. At several posts diplomats did not enjoy full access to the Internet or the department’s classified network. Such realities were troubling for a new secretary of state, who had served on America Online’s board of directors and considered Internet access an indispensable resource in his own daily life. Powell believed effective twenty-first-century diplomacy necessitated a modern communications system at State and made its establishment a top priority.

As with embassy construction and security, Powell successfully garnered the financial resources to make substantial quantitative and qualitative improvements in the organization’s information technology. For instance, a secure unclassified computer network with full Internet access was extended to 43,500 desktops during his tenure, making the State Department a fully wired bureaucracy for the first time in its history. This goal was reached in May 2003, under budget and ahead of schedule. Shortly thereafter a modernized classified network was installed at 224 embassies and consulates — every post that the Bureau of Diplomatic Security deemed eligible for such technology. In addition, a Global IT Modernization (GIT-M) program was launched to ensure that all computer hardware is kept state-of-the-art through an aggressive, four-year replacement cycle. Other changes equipped the institution with cutting-edge mainframes, updated secure telephones, and wireless emergency communication systems. Most recently, the State Department began under Powell’s leadership to replace its decades old cable and e-mail systems with one modern, secure, and fully integrated messaging and retrieval system.

These impressive technological changes were complemented by the creation of a new 10-person office for e-Diplomacy in 2002. The unit was established to support State’s information revolution by finding ways to increase organizational efficiency through information technology, making the newly installed systems user-friendly, and continuing to identify new ways to send, store and access information. Furthermore, IT security was enhanced considerably. One department report indicated that by August 2004, 90.4 percent of State’s operational systems had been fully authorized and certified, earning the department OMB’s highest rating for IT improvement under the President’s Management Agenda (PMA). In part, achievements of this type were facilitated through Powell’s hiring of 530 new IT specialists (while controlling for attrition). Through an aggressive recruitment and retention program based on incentives and bonuses, the department’s vacancy rate for such positions, which was “over 30 percent five years ago, [was] essentially eliminated.” As with congressional relations and embassy construction and security, State’s information technology was enhanced significantly under Powell’s leadership.

Read in full here via American Diplomacy — The Other Side of Powell’s Record by Christopher Jones.

So, among the more recent secretaries of state, one stayed home more than most. Secretary Powell knew the IT systems were substandard and he made the fixes a priority; he did not hand the problem off to “H” to lobby Congress, nor did he simply talk about the State Department’s “woeful state of civilian technology.”

Below is a clip from Inspector General Steve Linick’s Management Alert on recurring information system weaknesses spanning FY2011-FY2013. The actual FISMA reports do not seem to be publicly available at this time:

Screen Shot 2015-10-20

The FISMA audit dated October 2014 says:

[T]he Chief Information Security Officer stated that the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA), received a budget of $14 million in FY 2014, an increase from $7 million in FY 2013. A majority of the budget was used for contractor support to improve FISMA compliance efforts.

We identified control deficiencies in all [Redacted] (b) (5)  of the information security program areas used to evaluate the Department’s information security program. Although we recognize that the Department has made progress in the areas of risk management, configuration management, and POA&M since FY 2013, we concluded that the Department is not in compliance with FISMA, OMB, and NIST requirements. Collectively, the control deficiencies we identified during this audit represent a significant deficiency to enterprise-wide security, as defined by OMB Memorandum M-14-04.

We have been unable to find the FISMA reports for the Rice, Clinton and Kerry tenures. We’ll keep looking.

#

State Dept Awards $2.8M “High Availability and Disaster Recovery Services” IT Contract to VMware

Posted: 12:53 am EDT

On March 31, 2015, the State Department awarded a $2.8 million “High Availability and Disaster Recovery Services” contract to VMware. The contract, awarded on behalf of the Bureau of Information Resource Management, Operations, Systems Integration Office, Enterprise Server Operations Center (IRM/OPS/SIO/ESOC), is for 12 months and appears to be a modification of a prior task order. The J&A document posted online justifying “other than full competition” indicates “only one source capable” in a handwritten notation. “Persistent security concerns,” “changing strategic landscape” and “heightened vulnerability” all appear in the limited source justification for the award. VMware is located in Palo Alto, CA and Reston, VA.

#

OIG: Only 41,749 State Dept Record Emails Preserved Out Of Over a Billion Emails Sent

Posted: 4:29 pm EDT
Updated: March 12, 9:29 pm PST

State Department deputy spokeswoman Marie Harf told CNN that since the inspector general is independent from the department “they will have to speak to the timing and details of releasing this report, which they control.”

So we asked the IG and we’re told that “the timing of the release of this report (ISP-I-15-15) was purely coincidental to the recent email issue.”

*

State/OIG did a review (pdf) of the Department’s State Messaging and Archive Retrieval Toolset (SMART) and Record Email in Washington, DC, between January 24 and March 15, 2014. According to the OIG, in 2013, Department employees created 41,749 record emails. These statistics are similar to numbers from 2011, when Department employees created 61,156 record emails out of more than a billion emails sent. Department officials have noted that many emails that qualify as records are not being saved as record emails.

Below are the highlights of the OIG review:

  • A 2009 upgrade in the Department of State’s system facilitated the preservation of emails as official records. However, Department of State employees have not received adequate training or guidance on their responsibilities for using those systems to preserve “record emails.” In 2011, employees created 61,156 record emails out of more than a billion emails sent. Employees created 41,749 record emails in 2013.
  • Record email usage varies widely across bureaus and missions. The Bureau of Administration needs to exercise central oversight of the use of the record email function.
  • Some employees do not create record emails because they do not want to make the email available in searches or fear that this availability would inhibit debate about pending decisions.
  • System designers in the Bureau of Information Resource Management need more understanding and knowledge of the needs of their customers to make the system more useful. A new procedure for monitoring the needs of customers would facilitate making those adjustments.

Additional details from the OIG report:

The need for official records

The Department of State (Department) and its employees need official records for many purposes: reference in conducting ongoing operations; orientation of successors; defending the U.S. Government’s position in disputes or misunderstandings; holding individuals accountable; recording policies, practices, and accomplishments; responding to congressional and other enquiries; and documenting U.S. diplomatic history. Record preservation is particularly important in the Department because Foreign Service officers rotate into new positions every 2 or 3 years. Federal law requires departments, agencies, and their employees to create records of their more significant actions and to preserve records according to Governmentwide standards.

Who has responsibility for the preservation of official records?

Every employee in the Department has the responsibility of preserving emails that should be retained as official records. The Office of Information Programs and Services in the Bureau of Administration’s Office of Global Information Services (A/GIS/IPS) is responsible for the Department’s records management program, including providing guidance on the preservation of records for the Department and ensuring compliance. IRM administers the enterprise email system, including SMART, and therefore provides the technical infrastructure for sending and receiving emails and preserving some as record email.

What constitutes official records?

If an employee puts down on paper or in electronic form information about “the organization, functions, policies, decisions, procedures, operations, or other activities of the Government,” the information may be appropriate for preservation and therefore a record according to law, whether or not the author recognizes this fact. Whether the written information creates a record is a matter of content, not form. Federal statutes, regulations, presidential executive orders, the Foreign Affairs Manual (FAM), Department notices, cables, and the SMART Messaging Guidebook contain the criteria for creating and maintaining official records and associated employee responsibilities.

Which email messages should be saved as records?

According to Department guidance referenced above, email messages should be saved as records if they document the formulation and execution of basic policies and actions or important meetings; if they facilitate action by agency officials and their successors in office; if they help Department officials answer congressional questions; or if they protect the financial, legal, and other rights of the government or persons the government’s actions directly affect. Guidance also provides a series of questions prompting employees to consider whether the information should be shared, whether the successor would find the email helpful, whether it is an email that would ordinarily be saved in the employee’s own records, whether it contains historically important information, whether it preserves the employee’s position on an issue, or whether it documents important actions that affect financial or legal rights of the government or the public.

 

The OIG report notes that it has previously examined the Department’s records management, including electronic records management, in its 2012 inspection of A/GIS/IPS. OIG found that A/GIS/IPS was not meeting statutory and regulatory records management requirements because, although the office developed policy and issued guidance on records management, it did not ensure proper implementation, monitor performance, or enforce compliance. OIG also noted that, although SMART users can save emails as records using the record email function, they save only a fraction of the numbers sent. OIG recommended that the Bureau of Administration implement a plan to increase the number of record emails saved in SMART.

That was in 2012.

The OIG team also found that “several major conditions impede the use of record emails: an absence of centralized oversight; a lack of understanding and knowledge of record-keeping requirements; a reluctance to use record email because of possible consequences; a lack of understanding of SMART features; and impediments in the software that prevent easy use.”

The following chart shows how poorly understood the requirement to save record emails is. The U.S. Embassy in Hanoi had 993 record emails, compared to US Embassy Islamabad, which preserved only 121. The US Consulate General in Guangzhou had 2 record emails while USCG Ho Chi Minh City had 539. The US Embassy in Singapore, with 1,047 record emails, appears to have preserved the most in 2013. The frontline posts lag far behind: Baghdad had 303, Kabul had 61, Sana’a had 142 and Tripoli had 10 record emails in 2013. The only explanation here is that the folks in Singapore had a better understanding of record email requirements than the folks in our frontline posts. Given that personnel turn over more frequently at these frontline posts, this can have consequential outcomes not just for the public’s right to know but for continuity of operations.

Screen Shot 2015-03-11

Again, via the OIG:

Many inspections of embassies and bureaus have found that the use of SMART and the record email function are poorly understood. This lack of understanding is one of the principal causes of the failure of U.S. embassies to use record email more often. The inspections show that many employees do not know what types of emails should be saved as record emails. The employees typically need more and clearer guidance and more training. OIG has made formal and informal recommendations to increase the use of record email, to write and distribute formal embassy or bureau guidance on record email, and to arrange for training.

The A/GIS/IPS office is under the Assistant Secretary for the Bureau of Administration, an office that reports to the Under Secretary for Management (M). The Bureau of Information Resource Management (IRM) also reports to M.

#

State Department’s Computer Systems Hacked, 5th Known Agency Breach This Year?

— Domani Spero

Just the bit of bad news you don’t need to start your Monday, via WaPo:

The State Department did not seek to publicize that it had been hacked. On Friday, it announced that “maintenance” would be done to the unclassified network during a routine, scheduled outage. But on Sunday, after the Associated Press first reported the breach, officials acknowledged they had found traces of suspicious activity in their system and were updating security in the middle of a scheduled outage. In a sign of how complete the shutdown was, duty officers were using Gmail accounts.

A senior State Department official, who spoke on the condition of anonymity to discuss the breach, also told WaPo that “none of the department’s classified systems were compromised.”

Would State report publicly the classified intrusion if those systems were compromised?

This report follows the confirmation of a hack at the National Oceanic and Atmospheric Administration this past September, which reportedly forced cybersecurity teams to seal off data vital to disaster planning, aviation, shipping and more; the reported breach of the United States Postal Service’s computer networks, compromising the data of more than 800,000 employees; and a breach at the White House. In June this year, the WSJ also reported the breach of computer systems at the Office of Personnel Management, which stores data on federal employees.

An unnamed official told Nextgov that State is bolstering the security “of its main unclassified network during a scheduled outage of some Internet-linked systems.” Nextgov says it is “unclear why officials waited until this weekend to disconnect potentially infected systems at State.”

As of this writing, the State Department’s mobile access (go.state.gov) is down with the following notice: “The Department is currently experiencing an ongoing, planned outage to upgrade our network. During this event, mobile access (GO) will be unavailable. We apologize for any inconvenience this may cause you. For questions or more information, please contact the IT Service Center at 202-647-2000.”

We understand that GO will be down until further notice and may need to be rebuilt. A mobile copy is currently live at http://m.state.gov.

* * *

In totally unrelated news, and nothing/nothing whatsoever to do with this reported hack, State/OIG on November 7 published its Audit of Department of State Information Security Program. The report is readable if you don’t mind the redacted parts:

Screen Shot 2014-11-15 at 11.11.19 AM

Below is an excerpt:

Information technology security controls are important to protect confidentiality, integrity, and availability of information and information systems. When they are absent or deficient, information becomes vulnerable to compromise.[REDACTED]
[…]
Although we acknowledge the Department’s actions to improve its information security program, we continue to find security control deficiencies in multiple information security program areas that were previously reported in FY 2010, FY 2011, FY 2012, and FY 2013. Over this period, we consistently identified similar control deficiencies in more than 100 different systems. As a result, the OIG issued a Management Alert in November 2013 titled “OIG Findings of Significant and Recurring Weaknesses in the Department of State Information System Security Program” that discussed significant and recurring control weaknesses in the Department’s Information System Security Program [REDACTED B(5)]

The FY 2013 FISMA audit report contained 29 recommendations intended to address identified security deficiencies. During this audit, we reviewed corrective actions taken by the Department to address the deficiencies reported in the FY 2013 FISMA report. Based on the actions taken by the Department, OIG closed 4 of 29 recommendations from the FY 2013 report.
[…]
We identified control deficiencies in all [Redacted] (b) (5)  of the information security program areas used to evaluate the Department’s information security program. Although we recognize that the Department has made progress in the areas of risk management, configuration management, and POA&M since FY 2013, we concluded that the Department is not in compliance with FISMA, OMB, and NIST requirements. Collectively, the control deficiencies we identified during this audit represent a significant deficiency to enterprise-wide security, as defined by OMB Memorandum M-14-04.
[…]
Although we found the Department’s Computer Incident Response Team (CIRT) Standard Operating Procedures aligned with NIST SP 800-61, Revision 2, procedures do not clearly state all the bureaus, offices, and organizations that require notification prior to closing an incident. As a result, DS/SI/CS did not report all incidents to the U.S. Computer Emergency Readiness Team (US-CERT) as required. Specifically, 1 out of 22 (5 percent) security incidents we tested was not reported to the US-CERT, even though it was a Category 4 incident and involved potential classified spillage. If the Department does not report data spillage incidents (potential or confirmed) to US-CERT within the established timeframes, US-CERT may not be able to help contain the incident and notify appropriate officials within the allotted timeframe.

According to State/OIG, Category 4 incidents are incidents involving improper usage of Department systems or networks (that is, a person that violates acceptable computing use policies).
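The two audits excerpted on this page fault the Department on the same handful of incident-handling lapses: miscategorization, slow identification, slow remediation, missing incident information, and late or absent US-CERT reporting. The script below is an added example, not State/OIG’s or the auditors’ tooling, of how an IR team could run those same checks over its own ticket export before an auditor does. The category-to-deadline table is assumed from the US-CERT Federal Incident Reporting Guidelines in force at the time (the page does not reproduce them), the keyword categorization rules and the 24-hour and 72-hour internal targets are hypothetical, and the sample tickets are constructed. One point the audit text implies but does not spell out: the checker judges reporting against the category the incident should have carried, so a spillage filed as a CAT 6 “investigation” still surfaces as an unreported incident rather than disappearing behind the wrong label.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# US-CERT reporting deadline per category, measured from identification. Assumed
# from the US-CERT Federal Incident Reporting Guidelines of the period (not quoted
# on the page). None means no US-CERT report is required for that category.
REPORT_DEADLINE: Dict[int, Optional[timedelta]] = {
    1: timedelta(hours=1),   # unauthorized access
    2: timedelta(hours=2),   # denial of service
    3: timedelta(days=1),    # malicious code
    4: timedelta(weeks=1),   # improper usage (incl. potential classified spillage)
    5: timedelta(days=30),   # scans, probes, attempted access
    6: None,                 # investigation
}

# Hypothetical keyword rules standing in for the Department's categorization
# guidance, which the page does not reproduce. First match wins.
CATEGORY_RULES = [
    ("unauthorized access", 1), ("denial of service", 2),
    ("malicious code", 3), ("malware", 3),
    ("spillage", 4), ("improper usage", 4),
    ("probe", 5), ("scan", 5),
]

# Hypothetical internal targets; the audit reports observed hours, not an SLA.
IDENTIFY_SLA = timedelta(hours=24)   # first evidence -> ticket opened
REMEDIATE_SLA = timedelta(hours=72)  # ticket opened -> remediated


@dataclass
class Incident:
    ticket: str
    category: int                          # category recorded by the IR team
    description: str
    detected: datetime                     # earliest evidence of the activity
    identified: datetime                   # IR team opened the ticket
    reported: Optional[datetime] = None    # report sent to US-CERT
    remediated: Optional[datetime] = None  # closed after cleanup


def expected_category(description: str) -> Optional[int]:
    """Category the description implies under CATEGORY_RULES, or None if unclear."""
    text = description.lower()
    for keyword, cat in CATEGORY_RULES:
        if keyword in text:
            return cat
    return None


def audit_incident(inc: Incident, as_of: datetime) -> List[str]:
    """Findings for one ticket; an empty list means it passed every check."""
    findings: List[str] = []
    if not inc.description.strip():
        findings.append("missing information")
    expected = expected_category(inc.description)
    if expected is not None and expected != inc.category:
        findings.append(f"miscategorized (CAT {inc.category}, expected CAT {expected})")
    if inc.identified - inc.detected > IDENTIFY_SLA:
        findings.append("not identified timely")
    # Judge reporting against the category the incident should have carried, so
    # a reportable incident filed under CAT 6 still surfaces as unreported.
    effective = expected if expected is not None else inc.category
    deadline = REPORT_DEADLINE.get(effective)
    if deadline is not None:
        if inc.reported is None:
            findings.append("not reported to US-CERT")
        elif inc.reported - inc.identified > deadline:
            findings.append("reported to US-CERT late")
    end = inc.remediated if inc.remediated is not None else as_of
    if end - inc.identified > REMEDIATE_SLA:
        findings.append("not remediated timely" if inc.remediated else "still open past SLA")
    return findings


def audit(incidents: List[Incident], as_of: datetime) -> Dict[str, List[str]]:
    return {inc.ticket: audit_incident(inc, as_of) for inc in incidents}


def summarize(results: Dict[str, List[str]]) -> Dict[str, int]:
    """Tally findings by type, the way the audit reports '5 miscategorized, ...'."""
    counts: Dict[str, int] = {}
    for finding in (f for fs in results.values() for f in fs):
        key = finding.split(" (")[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed sample tickets for the example (not real Department incidents).
T0 = datetime(2014, 9, 1, 8, 0)
H = timedelta(hours=1)
SAMPLE_INCIDENTS = [
    Incident("INC-001", 2, "Denial of service against public web server",
             T0, T0 + 1 * H, reported=T0 + 2 * H, remediated=T0 + 201 * H),
    # Spillage filed as an "investigation", so nobody sent a US-CERT report.
    Incident("INC-002", 6, "Potential classified spillage to unclassified email",
             T0, T0 + 2 * H, remediated=T0 + 30 * H),
    Incident("INC-003", 3, "Malicious code on workstation",
             T0, T0 + 40 * H, reported=T0 + 41 * H, remediated=T0 + 60 * H),
    Incident("INC-004", 5, "", T0, T0 + 3 * H,
             reported=T0 + 45 * 24 * H, remediated=T0 + 20 * H),
    Incident("INC-005", 3, "Malware beaconing from file server",
             T0, T0 + 1 * H, reported=T0 + 5 * H),
]
AUDIT_DATE = T0 + 30 * 24 * H

if __name__ == "__main__":
    results = audit(SAMPLE_INCIDENTS, AUDIT_DATE)
    for ticket, findings in results.items():
        print(ticket, findings or ["compliant"])
    print(summarize(results))
```

Run against a real ticket export, the deadline clock should start when the agency became aware of the incident, which is why the checks measure from `identified` rather than `detected`; the gap between the two is itself a finding (“not identified timely”), matching the audit’s separate tally for late identification.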

According to OMB Memorandum M-14-04, a significant deficiency is defined as a weakness in an agency’s overall information systems security program or management control structure, or within one or more information systems that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets.

* * *

Related item:

Audit of Department of State Information Security Program; Published On: November 07, 2014; Report Date: November 2014; Report Number: AUD-IT-15-17; View Report: aud-it-15-17.pdf

State/OIG Issues Alert on Recurring Weaknesses of State Department’s Computer Security


— By Domani Spero

In November 2013, Inspector General Steve Linick issued a management alert memo to the State Department’s Management Control Steering Committee concerning the “significant and recurring weaknesses” of its information system security program over the past three fiscal years (2011-2013).

The recurring weaknesses identified were in six areas: Authority to Operate (ATO), Baseline Controls, Scanning and Configuration Management Controls, Access Controls, Cyber Security Management, and Risk Management and Continuous Monitoring Strategies.

A backgrounder from the OIG report:

The Department of State (Department) is entrusted to safeguard sensitive information, which is often the target of terrorist and criminal organizations. Cyber attacks against Government organizations appear to be on the rise, including state-sponsored efforts to exploit U.S. Government information security vulnerabilities. The Department is responsible for preserving and protecting classified information vital to the preservation of national security in high risk environments across the globe. The Department also undertakes significant numbers of financial and other transactions, including, for instance, the daily collection of millions of dollars in consular fees. In addition, the Department maintains records on approximately 192 million current passports, which contain such sensitive personally identifiable information (PII) as dates of birth and social security numbers. To protect this information, the Department must ensure that its Information System Security Program and management control structure are operationally effective.

Some of the examples of weaknesses cited include the following:

  • In FY 2013, OIG found another instance of access control weakness. Specifically, OIG reported that 36 employees assigned to the [Redacted] (b) (5).  Pursuant to 12 FAM 232, those systems can only be accessed by individuals possessing appropriate clearances. The 36 employees did not possess such clearances.
  • On August 20, 2013, the Bureau of Information Resource Management (IRM) reported that the Department had a total of 6,369 system administrators. According to IRM officials, system administrators are given network-wide permissions to allow them to collaboratively manage and troubleshoot issues. However, such broad access by large numbers of system administrators also subjects the system to risk. The recent, highly-publicized breach of information pertaining to national security matters by Edward Snowden, a contract systems administrator, starkly illustrates the issue.
  • The Bureau of Diplomatic Security did not have the administrative credentials needed for Demilitarized Zone servers to perform periodic scanning.

State/OIG made three recommendations including directing the Office of the Chief Information Officer to employ the services of the National Security Agency (NSA) to conduct independent penetration testing to further evaluate the Information System Security Program and outline a range of technical and procedural countermeasures to reduce risks.

On December 13, 2013, James Millette, the chairman of the Steering Committee and the State Department’s Comptroller, who also heads the Bureau of the Comptroller and Global Financial Services (CGFS), sent the OIG a written response saying that they “respectfully disagree on the level of severity these weaknesses collectively represent.” Part of the response also includes the following:

Your memo recommended that the MCSC direct IRM to employ the services of the National Security Agency (NSA) to conduct independent penetration testing. The Committee believes that DS, like the OIG, has direct lines to the Secretary and has the capability to be independent in these matters. In addition, DS assured the Committee that they have the capability and work with and have the confidence of NSA in these matters. We believe OIG would not disagree that DS has the capability to adequately perform the testing. However, we fully understand the issue of perception of independence. Therefore the MCSC is supportive of DS and IRM having further discussions with the OIG on this matter to determine the best plan of action to perform penetration testing that meets the needs of the OIG and Department management. In addition, at the meeting, we suggested that there may be other alternatives to NSA, such as using a 3rd party to review the methodology used by DS.

That’s an old timer at the State Department telling the new IG that the Committee believes Diplomatic Security (DS), like the Office of the Inspector General (OIG), has “direct lines” to the Secretary? Really! It is a fact that DS reports to “M,” the Under Secretary for Management, and not directly to the Secretary (unless the Committee thinks the OIG also reports to “M,” just like DS). OIG is one of the ten offices at State that report directly to the Secretary. If the Secretary in practice delegates that authority, he has two deputies above the under secretaries, one of them for management and resources.

On Jan 13, 2014, the Inspector General sent another memo to the Management Control Steering Committee. The memo indicates closure of one recommendation but left the other two issues “unresolved.” This is also where the OIG patiently explains to the Committee what it means by “independence.”

OIG considers Recommendation 3, pertaining to independent penetration testing, unresolved. The MCSC indicated that it is supportive of the Bureau of Diplomatic Security (DS) and IRM having further discussions with OIG on this matter, but it further stated that “OIG would not disagree that DS has the capability to adequately perform the testing.” The issue, however, is not about DS’s “capability” but its independence and perceived independence.

According to the National Institute of Standards and Technology (NIST):

An independent assessor is any individual or group capable of conducting an impartial assessment of security controls employed within or inherited by an information system. Impartiality implies that the assessor is free from any perceived or actual conflicts of interest with respect to the development, operation, and/or management of the information system or the determination of security control effectiveness.

Because DS is actively involved in the Department’s Information System Security Program, it cannot be considered an independent, impartial assessor. The recommendation will remain open until OIG reviews and accepts documentation showing that independent penetration testing has been implemented. The penetration testing must be performed by the National Security Agency or an equally qualified organization independent of the Department and approved by OIG.

The NSA is already conducting penetration tests on critical U.S. infrastructure, among other things. Why is State considering only DS or a third party, and not NSA?

* * *

Related item:

-01/13/14   Mgmt Alert on OIG Findings of Significant and Recurring Weaknesses in the Dept of State Info System Security Program (MA-A-0001)  [6298 Kb]