IG dings State Department's information security program in annual report
The State Department Office of the Inspector General says it found weaknesses in eight of nine domains in an audit of the department's information security program.
Weaknesses in the State Department's information security program are putting information at risk, "despite the Department's expenditure of substantial resources on information system security," according to a recent report from the State Department's Office of the Inspector General on the department's top management and performance challenges from FY2022.
The findings are from a Sept. 2022 audit of the department's information security program that found that "the Department did not have a fully-developed and implemented information security program based on evidence of security weaknesses identified in eight of nine metric domains" – identified in the report as "risk management, supply chain risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, and contingency planning."
The inspector general recommended at the time that the department "take steps to ensure that all Department information systems are authorized to operate and that officials establish an effective continuous monitoring program for Department systems."
State Department management wrote in a response included in the new report that "countering adversaries in the cyber realm is one of the department's highest priorities," and that it has "made progress in improving its cybersecurity posture and meeting regulatory requirements," citing a decrease in the number of new Federal Information Security Modernization Act recommendations from watchdog since 2020.
The recent review also includes a section on the department's workforce woes, including a May 2022 report into allegations of favoritism in the selection of foreign service selection board public member positions. The State Department wrote that it closed all but two of the watchdog's recommendations from that report and is now working to close those remaining by the end of this calendar year. The department has also stood up "stronger internal controls and completely revamped the public member hiring process for the 2022 selection boards."