U.S. Department of State Fiscal Year 2019 Agency Financial Report

Accordingly, OIG issued recommendations for individual posts to implement standard operating procedures to ensure performance of ISSO duties. OIG also continued to find deficiencies related to developing, testing, and training employees on IT contingency planning at overseas posts.[34] Department guidelines require every information system to have a contingency plan that is documented and tested annually. Incomplete and untested IT contingency plans increase the risk of ineffective responses to or loss of critical communication during an emergency. Embassies failed to show that they tested IT contingency plans annually, and initial and refresher IT contingency training for IT employees was lacking.

Another issue often noted in our inspection work pertains to local IT configuration control boards. Department policy requires any embassy that maintains its own IT systems to establish a local control board to ensure that the hardware, software, and network components installed on the local area network do not adversely affect the existing IT infrastructure. Nonetheless, we found multiple overseas posts that had not established a board to govern all systems equipment operated on the embassy’s network.[35] Furthermore, in an audit on the Department’s local control boards, we reported that even where boards are operating, they are not consistently complying with all policies.[36] For example, we found a lack of testing performed on change requests and weaknesses in maintaining documentation regarding board decisions on change requests.[37]

We also identified concerns with mechanisms used by the Department to assess its IT systems for deficiencies. For example, the Department created a team to assess IT networks and to provide recommendations and remediation strategies to enhance the Department’s IT posture. Although this effort had a positive effect on the IT posture at posts where the assessment had occurred, we identified improvements that could be made to the process. For example, bureaus and posts were not required to respond to recommendations made during the assessment, and the team did not ensure that all vulnerabilities identified had been remediated. In addition, some recommendations made by the assessment team were duplicative and of limited qualitative value. We also found that there was no mechanism in place to communicate identified vulnerabilities to the system owner if a vulnerability was considered significant or required additional resources to remediate.[38]

Finally, we note that some of our FY 2019 work highlighted the difficulties the Department faces acquiring and developing new IT systems. In the Office of Foreign Missions, we found that the lack of a fully implemented systems development lifecycle methodology hindered the development of the office’s IT system and significantly delayed its completion.[39] As a result, staff had to manage its work on a system that had not had a valid authorization to operate since 2013.

In the Bureau of Democracy, Human Rights, and Labor, we found the bureau did not prepare a project plan that included necessary budget and planning elements for a system intended to replace the current system on which Leahy vetting is conducted.[40] The bureau also lacked a technically qualified project manager to oversee development of the new system. These deficiencies raised the risks of cost overruns and delays, which could ultimately compromise the Department’s ability to conduct Leahy vetting.

[34] ISP-I-19-20, July 2019; ISP-I-19-18, June 2019; ISP-I-19-14, April 2019; ISP-I-19-07, February 2019; ISP-I-19-06, February 2019; ISP-I-19-05, February 2019; ISP-I-19-10, December 2018; ISP-I-19-04, November 2018; ISP-I-19-03, November 2018.
[35] ISP-I-19-18, June 2019; OIG, Inspection of Embassy Libreville, Gabon (ISP-I-19-16, June 2019); ISP-I-19-14, April 2019; ISP-I-19-07, February 2019; ISP-I-19-06, February 2019; ISP-I-19-03, November 2018.
[36] OIG, Audit of the Department of State’s Local Configuration Control Boards (AUD-IT-19-36, July 2019).
[37] Ibid.
[38] Audit of Selected Post Efforts To Track and Remediate Vulnerabilities Identified During Blue Team Risk Assessments (AUD-IT-19-41, September 2019).
[39] ISP-I-19-21, May 2019.
[40] OIG, Inspection of the Bureau of Democracy, Human Rights, and Labor (ISP-I-19-11, October 2018).

118 | United States Department of State 2019 Agency Financial Report
OTHER INFORMATION | INSPECTOR GENERAL’S STATEMENT ON THE DEPARTMENT’S MAJOR MANAGEMENT AND PERFORMANCE CHALLENGES
