Did the State Department's William Lay deserve IG criticism?
Some FCW readers thought a recent IG report -- and our story -- went too far in blaming a current leader for long-standing problems.
Does the State Department's William Lay deserve the criitcism leveled at him in a recent IG report? Some readers say no. (File photo)
Several readers reacted strongly to an article FCW published July 19 covering a State Department Inspector General report on the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA).
Some readers were critical of FCW’s reporting on the IG’s findings, which included criticism against Chief Information Security Officer William Lay, who heads the Bureau.
One reader wrote: This article and the report are totally unfair to the CISO. Mr. Lay just arrived only months before this inspection, and inherited decisions from other people already departed. I am glad there are some positive things in this, but this seems to be placing a lot of blame on the CISO, without even letting him settle in and sort out the pieces left behind.
Another reader wrote: Any of the major takeaways from this IG report (lack of vision, disregard for standard operating procedures, abusive authority, inconsistent and ineffective strategy, etc...) are already occurring at DHS since the former State CISO took control at DHS-FNR. [Federal Network Resilience.] The DHS IGs better wake-up because what happened at State isn't an isolated event. Someone in the IG better take a close look at what is happening in FNR before the crew that provided the miserable iPost solution completely tanks the 180+ million DHS continuous monitoring effort.
Another reader wrote: Amazing . . . . The previous CISO leaves a total disaster behind as he rides a wave of glory into a new position at DHS, leaving his replacement (Lay) to take the blame. Pathetic.
Still another wrote: Is anyone surprised at this report? Does anyone think the Department of State really cares about the report? A Department spokesman states "The Department takes the OIG feedback seriously and is committed to addressing the recommendations and the concerns that led to the assessment." All one has to do is to review the last four or five OIG annual FISMA audits, to see that the OIG has been documenting these issues for years. Who cares!!!!
Frank Konkel responds: I reached out to the State Department’s Inspector General’s office on this matter and was told that the report provides a “historical snapshot” of the bureau at any given point in time. I believe Lay, while new on the job, happened to be the guy in charge when the IG came looking around, so he’s going to shoulder some blame for the bureau’s problems. The IG report balances praise and criticism for Lay, and I believe our report portrays that fairly.
However, most of the criticism by the IG is bureau-wide, and a slew of the problems documented in the report certainly predate Lay’s tenure, which began in September 2012. Major issues like the bureau operating without a mission statement and mishandling its certification and accreditation processes were either not fixed or not addressed by Lay’s predecessor, John M. Streufert, who held the position from February 2008 to January 2012, or almost four years.
Streufert now works as the director of Federal Network Resilience at the Department of Homeland Security. I sent a request for comment to DHS on the matter, but didn’t hear back, so I can’t say anything more on that. But I do agree with reader perspectives that Lay, hired nine months ago, should not bear the brunt of responsibility for documented problems that were years in the making.