IG cites ongoing flaws in State's security

The State Department's systems security remains weak a year after the department's inspector general identified serious flaws, the IG reported recently.

As part of an annual review mandated by the Government Information Security Reform Act, the IG found that although State has a plan for certifying and accrediting its systems' security, it has set no timetable for implementing the plan.

But other officials called the security of State systems 'solid' in a statement responding to a reporter's questions.

'State has a strong program that includes intrusion detection systems deployed throughout the global infrastructure, enhanced firewalls and routers, a rigorous antivirus program and independent, periodic penetration testing,' the department said.

IT officials said some of the problems identified by the IG resulted from differences in how the department and IG defined GISRA terms. The department is taking steps to bolster its systems security, including establishing a new security office and seeking additional funds, State said.

Department officials had certified and accredited 4 percent of systems by August, the IG report said. Even though 72 percent of the department's 358 systems contain some level of classified information, only 15 percent have security plans, the report said.

State said it had a provisional plan for certifying all its systems on a three-year cycle.

The IG also said that information security officers at overseas posts 'generally were not performing all the requisite duties.'

Of 11 posts visited by auditors, none had information security plans, said the report.

The department said it had assigned security duties to officers at the posts, but the shortage of IT professionals made completing the tasks difficult. The department said it soon would appoint regional systems officers to oversee multiple smaller posts.

State also said it had established a new Office of Information Assurance to ensure that security measures are considered from a systems project's beginning.

The IG's report said the audit team will make recommendations for improving security at the department.

