The US Department of State has been warned by the General Accounting Office (GAO) that it must fully implement its cybersecurity risk program and take additional steps to better protect its IT network and systems, according to a 92-page report.
The report highlights several areas in which the State Department needs to improve its cybersecurity measures. First, the department has completed the authorization process for fewer than half (44%) of its nearly 500 information systems. This means that a significant portion of the department’s systems have not been fully assessed for security risks.
Additionally, the State Department has yet to implement a department-wide continuous monitoring system. This system would allow the department to regularly assess the security of its IT network and systems, ensuring that any vulnerabilities or threats are identified and addressed in a timely manner.
While the department has identified risk management roles and responsibilities and developed a cyber risk management strategy, the report emphasizes that these measures are not enough. Without implementing the required risk management activities, the department cannot guarantee that its security controls are functioning as intended. This puts the department at risk of security breaches and compromises its mission operations.
The report also outlines 15 recommendations for executive actions that remain outstanding. One of the key recommendations is for the State Department to develop and maintain a department-wide risk profile that prioritizes the most significant risks. This would allow the department to allocate resources and address the highest priority risks first.
Additionally, the State Department needs to develop plans to mitigate the vulnerabilities identified by its Chief Information Officer (CIO) and conduct bureau-level risk assessments for all 28 bureaus that own information systems. These assessments are crucial for understanding the specific risks faced by each bureau and implementing targeted security measures.
The report also highlights challenges in implementing the department’s incident response program, updating and testing information system contingency plans, and properly configuring its inventory database. It emphasizes the need for an overall improvement in the department’s IT infrastructure security, including replacing outdated hardware and software installations.
Furthermore, the report points to limitations in securing IT systems due to shared management responsibilities and poor communication. While the CIO oversees the main network and sets standards, individual bureaus handle many tasks independently, leading to confusion among information system security officers regarding requirements. This lack of coordination and communication puts the department’s systems at risk and hampers the CIO’s ability to effectively manage and oversee the cybersecurity program.
The report concludes that these deficiencies are largely a result of the department’s isolated culture and inadequate communication between the CIO and the individual bureaus. It warns that unless these issues are addressed, the department’s systems will remain vulnerable to attacks and unauthorized access.
The release of this report comes at a time when cybersecurity concerns are particularly high. In May, Chinese hackers successfully attacked 25 US government agencies, including the State Department, resulting in the theft of 60,000 emails from senior officials. This incident highlights the urgent need for the State Department to enhance its cybersecurity measures and protect sensitive information from foreign threats.
In response to the growing importance of cybersecurity, the State Department announced the creation of a Bureau of Cyberspace and Digital Policy in April 2022. This bureau will help shape norms of responsible government behavior in cyberspace and assist US allies in strengthening their own cybersecurity programs.
However, the report emphasizes that more needs to be done to address the existing deficiencies in the department’s cybersecurity measures. It concludes by warning that unless the State Department takes immediate action, its systems will remain vulnerable and the department’s mission operations will be at risk.

