IG: State Dept. Security Office ‘Irrelevant’

From: GovInfoSecurity.com

Other Department Units Fulfill Responsibilities of CISO-led Office

By Eric Chabrow

By conceding its IT security responsibilities to other U.S. State Department units, the Office of Information Assurance is diminishing its own relevance, a just-issued inspector general’s report contends.

The IG report stops short of saying that the State Department avoids taking steps to address IT security. The report maintains, however, that its Office of Information Assurance’s lack of leadership creates confusion among department personnel on IT security requirements and guidance they must follow.

“[The office] is not doing enough and is potentially leaving department systems vulnerable,” Harold Geisel, deputy inspector general, writes in the 35-page report. “[The office] has conceded that other department elements have a greater role in information security, diminishing the relevance of [the office].”

The IG report offers 36 recommendations, including a number aimed at better integrating the office into the State Department’s cybersecurity planning and leadership.

The State Department did not respond to a request for comment on the IG report.

Born of the E-Government Act

Created in 2003 to comply with provisions of the E-Government Act of 2002, the Office of Information Assurance, within the Bureau of Information Resource Management at the State Department, is responsible for the department’s cybersecurity program; information assurance policies, standards and guidelines; and compliance with national security directives. Key office programs include cybersecurity management, which comprises policy development, risk management, systems authorizations, performance measures and annual reporting for the Federal Information Security Management Act, the law that governs IT security in the federal government.

The office, headed by the department’s chief information security officer, has 22 full-time employees and 36 contractors. Its operating budget for the current fiscal year is $10 million. The State Department’s CIO proposes to increase the office’s budget for fiscal year 2014, which begins Oct. 1, by $8 million to support certification and accreditation initiatives, continuous monitoring and controls needed for safeguarding classified information.

No Justification

According to the audit:

  • The current Office of Information Assurance workload does not justify its organizational structure, resources or status as an Information Resource Management directorate.
  • The mishandling of the certification and accreditation process and contract by the office, including development of tools and guidance and reviews of C&A packages, has contributed to expired authorizations to operate for 52 of the department’s 309 systems.
  • No single department bureau has full responsibility for the information systems security officer program. The office and the Bureau of Diplomatic Security directly or indirectly support the information systems security officer’s program, resulting in confusion among personnel on requirements and guidance. The involvement of both bureaus also wastes personnel resources.
  • The office lacks adequate management controls and procedures to monitor its contracts, task orders and blanket purchase agreements, which have an approximate value of $79 million.
  • The office has no mission statement and is not engaged in strategic planning.
