U.S. Department of State Fiscal Year 2019 Agency Financial Report
The Department also has progressed in addressing the role of the Chief Information Officer (CIO). The CIO has been delegated oversight authority over all IT investments, including cybersecurity. The CIO currently is evaluating the effectiveness of the Chief Information Security Officer and Diplomatic Security (DS) partnership to manage cybersecurity risk and threat. However, DS also has responsibilities for certain aspects of information security, as delegated in memoranda and the Omnibus Diplomatic Security and Antiterrorism Act. These aspects include communications and computer-related security functions. Interdependent security disciplines enable DS to leverage technical, law enforcement, and counterintelligence capabilities in combatting threats to protect classified and sensitive information affecting foreign policy and national security. The Department has recognized this by splitting responsibilities for information and cybersecurity between the Bureau of Information Resource Management (IRM) and DS.

The operational division of responsibilities between DS and IRM is parallel to the collaborative efforts between:
■ DS and OBO to secure diplomatic facilities globally;
■ Bureau of Intelligence and Research and the Bureau of Administration to secure intelligence information and Sensitive Compartmented Information Facilities and to ensure that classified information is safeguarded and securely shared; and
■ DS and HR to ensure a vetted and trusted workforce.

Although the OIG states, “there is no clear pictures of total IT spending by the Department,” the Department continues to report its total IT spending to the Office of Management and Budget annually. The CIO and the Director of Budget and Planning certify this information. The Department continues to review and improve IT investment oversight through the new IT Executive Council governing structure. This structure incorporates the requirements and participation of all regional bureau IT leadership. As a result, the IT acquisition procurement review has been brought under the office of the CIO.

The Department acknowledges that it continued to experience lapses in performance duties of ISSOs in 2019. This continues to be a struggle, as the current level of information resources staff overseas cannot sustain both regular duties and tasks of an ISSO. However, the Department has launched a new cyber incentive pay initiative. This program is re-evaluating positions and responsibilities and creating positions that have cybersecurity as a primary function of their job. This program is scheduled for implementation in 2020.

The OIG report also addresses overseas posts that did not establish a local control board to ensure that the hardware, software, and network components installed on the local area network do not adversely affect the existing IT infrastructure. The Department already has identified a solution to this with the modernization of the Department’s central Information Technology Configuration Control Board system. This system will be deployed in 2020 on a cloud platform, will incorporate local change control efforts, and will be accessible to post, providing the Department with a comprehensive view of the configuration of all IT assets and systems in production.

The OIG addressed suggested improvements to the team the Department created to assess IT networks and to provide recommendations and remediation strategies to enhance the Department’s IT posture, such as requiring that bureaus and posts respond to recommendations made during assessments and that the IT team ensures all vulnerabilities identified are remediated. This is being addressed by the IT Executive Council (ITEC), which incorporates the requirements and participation of all regional bureau IT leadership. The ITEC also will alleviate concerns such as the Bureau of Democracy, Human Rights, and Labor’s failure to prepare a project plan to replace its Leahy vetting system.
2019 Agency Financial Report | United States Department of State | 129 | MANAGEMENT’S RESPONSE TO INSPECTOR GENERAL | OTHER INFORMATION