U.S. Department of State Fiscal Year 2019 Agency Financial Report
of 1982 (FMFIA), including assessments performed to meet the requirements of OMB Circular A-123 Appendix A. When applicable, particular importance is given to any reported material weakness and material non-conformance identified during these internal control assessments.

The Department has made it a priority to meet the objectives of the FFMIA. In its Report on Compliance and Other Matters, the Independent Auditor identified instances of substantial noncompliance with Federal financial management systems requirements. The Department acknowledges that the Independent Auditor has noted certain weaknesses in our financial management systems. OMB’s Appendix D provides a revised compliance model that entails a risk- and outcome-based approach to assess FFMIA compliance. In our assessments and evaluations, the Department identified similar weaknesses. However, applying the guidance and the assessment framework noted in Appendix D to OMB Circular A-123, the Department considers them deficiencies versus substantial non-conformances relative to substantial compliance with the requirements of the FFMIA. Nonetheless, the Department is committed to continuing to work to address all identified financial management system deficiencies.

Federal Information Security Modernization Act

The Federal Information Security Modernization Act of 2014 (FISMA) requires Federal agencies to develop, document, and implement an agency-wide program to protect government information and information systems that support the operations and assets of the agency. FISMA authorized the Department of Homeland Security (DHS) to take a leadership and oversight role in this effort, created cyber breach notification requirements, and modified the scope of reportable information from primarily policies and financial information to specific information about threats, security incidents, and compliance with security requirements. The Department of State remains committed to adopting the best cybersecurity practices and embedding them into the agency’s culture. As a result, the agency continues to improve its cybersecurity posture and provide transparency internally and with external partners in other Federal agencies.

In 2019, OMB and DHS used the core areas of the National Institute of Standards and Technology Cybersecurity Framework to assess cybersecurity capabilities and compliance and concluded that overall, the Department improved its security posture to actively “managing” cybersecurity risk. The October 2019 FISMA audit of the Department recognized the agency’s progress in maturing the information security program in two of the five core areas of the Cybersecurity Framework. The OIG also recommended 1) to ensure an accurate, comprehensive inventory of systems and associated components; and 2) to fully define and implement an information security architecture. The actions that the Department undertook in 2019 are based on the premise that cybersecurity is an ongoing effort that requires agility to respond to ever-evolving threats and the mission needs. To that end, the Department accomplished the following:

■ Updated the Agency Cyber Risk Management Strategy and implemented several initiatives to assess areas of need and prioritize resource allocations. These initiatives include the development of a mission risk assessment process; completion of a bureau-level cyber risk assessment pilot and an accompanying report; development of a bureau-level cyber performance scorecard and an executive risk decision support guide; and launch of a second bureau-level risk assessment pilot.

■ Developed a high-value assets (HVA) strategy to expand the agency’s ability to identify and monitor risks and to better align with secure architecture in response to the DHS’s Binding Operational Directive 18-02 that governs the HVA management. Furthermore, the Department increased oversight and prioritization of critical and high vulnerability remediation of HVAs. The agency also developed a three-year assessment schedule to ensure the secure operation of its HVAs.

■ Worked steadily to streamline inventory processes, validate existing data, and develop a common framework for categorizing and reporting assets. A number of ongoing efforts aim to further enhance the agency’s ability to ensure an accurate and up-to-date inventory, including: (1) The DHS’s Continuous Diagnostics and Mitigation (CDM) assessment that will provide the Department a baseline of software, hardware, and systems by 2021. The CDM program will enhance government network security

2019 Agency Financial Report, United States Department of State | 37 | MANAGEMENT ASSURANCES AND OTHER FINANCIAL COMPLIANCES | MANAGEMENT’S DISCUSSION AND ANALYSIS