State Department Facing 'Significant' Information Security Issues, OIG Says


Information security and management was one of seven major management and performance issues the State Department faced in fiscal year 2020.

The State Department faces persistent challenges related to information security and management, according to a recently published inspector general report. 

The Inspector General for the State Department, in its annual management and performance audit released last week, concluded the agency has taken steps to improve information security. But outstanding weaknesses left the department vulnerable to cyberattacks and threats. Information security and management was one of seven major issues the IG examined in the report.  

“The department acknowledges that its information systems and networks are subject to serious threats that can exploit and compromise sensitive information, and it has taken some steps to address these concerns,” the report reads. “However, notwithstanding the expenditure of substantial resources by the department, OIG continues to identify significant issues that put department information at risk.”  

OIG first reported “pervasive concerns” related to Information Systems Security Officer, or ISSO, activities in 2017, according to the audit, and OIG found in a separate audit for fiscal year 2020 that the agency doesn’t have an adequate organizationwide information security program. 

One example of ISSO deficiencies is a failure to perform required auditing activities. OIG found mission ISSOs only audited 16 out of 265 workstations from August 2018 to July 2019, or only about 6% of workstations, according to the report.

“Failure to perform required ISSO responsibilities leaves department networks vulnerable to potential unauthorized access and malicious activity,” the report reads. “Also, without a systematic approach to monitoring networks and recording findings, department networks could be breached, and information security compromised.”

Embassies also failed to develop, test and train on sufficient information technology contingency plans, according to the audit. And loose protocols controlling internet access at the Foreign Service Institute create vulnerabilities. On-campus users who accept the terms and use agreement can connect wirelessly to FSI’s internet without supplying identification information, making it hard to identify people who misuse the network, according to the audit.

The last information security area of concern OIG noted this year is records management. The agency lacks controls around records creation, maintenance and disposition, according to the audit. 

“The lack of an effective records management program could result in the loss of important data for historical insight into policy analysis, decision-making, and archival research,” according to the report. 

The other six management and performance issues OIG examined are protection of people and facilities; oversight of contracts, grants and foreign assistance; financial and property management; operating in contingency and critical environments; workforce management; and promoting accountability through internal coordination and clear lines of authority.