System operators can plug rogue devices into the department's network without the chief information officer's knowledge, a watchdog report found.
This story has been updated with response from State Department officials.
At the State Department, where Russian-backed hackers allegedly embedded for at least six months, bureaus are not required to tell the top tech official about system threats, an internal watchdog discovered.
Another technical lapse uncovered: system operators can plug rogue devices into the department's network without the chief information officer's knowledge.
These findings by the department inspector general follow a network intrusion that allowed nation-state attackers to jump between State and White House unclassified email systems beginning last fall. Cyberspies are believed to have accessed messages dealing with President Barack Obama's private itinerary and other national security-sensitive documents.
"The CIO is not properly positioned within the organization to ensure that the department’s information security program is effective," said auditors from Williams, Adley & Company, an independent public accounting firm hired to conduct a cyber inspection.
The Bureau of Diplomatic Security and other offices, for instance, are "not required to communicate information security risks to the CIO," according to a heavily redacted inspection report, which was released Nov. 20 to the public.
IT managers currently have the ability to "add and remove devices from the network without communicating the information" to the CIO, the auditors found.
In response to a draft report, State officials agreed with the audit's recommendation to review the CIO's position within the department's organization chart, with respect to federal law. Specifically, the 1996 Clinger-Cohen Act tasks each department CIO with monitoring the performance of its IT programs.
On Tuesday, a State official said in an email that the inspector general "has only recently released" its audit report, and the "deputy secretary accepted this recommendation and is developing a plan to carry out the organizational review."
Congress further emboldened CIOs in 2014 by passing the Federal Information Technology Acquisition Reform Act, which grants them control over IT cost, schedule, performance and security.
But agencies have yet to be graded on the extent to which CIOs do indeed hold the purse strings.
According to annual reports on compliance with information security rules, State has a history of cybersecurity lapses.
One year ago, State confirmed detecting odd behavior on its network, after the White House disclosed signs of suspicious activity on its system. Reportedly, the intruders compromised a State employee's email account with a malicious message that appeared official, then used the hijacked account to send tainted messages to Oval Office employees and gain a foothold in the White House network.
The department requested 2016 funding to gut and rebuild its classified and unclassified networks, around the same time news broke that presidential contender and former State Secretary Hillary Clinton used a personal home email system for official business.
The inspector general advised State to consider realigning its job hierarchy so the head of tech can "carry out the CIO’s lead role in managing information security for the department."
Nextgov has requested comment from the department.