U.S. Department of State Fiscal Year 2019 Agency Financial Report
through the automated control testing and progress tracking; (2) defining and improving the security architecture that will serve as a framework to link business drivers with operational security and technical controls to protect assets and functionality; and (3) strengthening the governance process to ensure information technology assets are accounted for throughout the IT life-cycle.

■ Continued to reduce the backlog of systems operating without a valid authorization to operate (ATO). In the fourth quarter of 2019, the Department reported 78 percent of its systems as authorized to operate, compared to 21 percent in the third quarter of 2017. This steady improvement is due to several factors, including the continued use of risk-based prioritization to triage the backlog. In 2019, the Department granted authorization to several FedRAMP-approved cloud systems that will serve as enterprise offerings for use across the agency such as ServiceNow, Office365, and Microsoft Azure. The expectation is that on-premise and custom applications will migrate to the new enterprise cloud solutions and reduce the number of systems that the agency personnel must manage. In the meantime, the Department continues to identify and assess common controls from on-premise services and cloud service providers to reduce the overall number of security controls that must be assessed and maintained. Efforts to mature the use of Xacta, the Governance Risk and Compliance automated tool, are ongoing. Underway is the pilot of Xacta Compliance Campaign Manager – a module that helps system owners answer non-technical controls. Xacta Continuum, a module that supports continuous monitoring of technical controls, is also in the testing phase. With the deployment of these two modules the Department will move a step closer towards an ongoing authorization approach compared to the previous three-year ATO cycle.

■ Deployed the ISSO Dashboard for system logs to most U.S. missions overseas and some domestic sites. This web-based interface provides information system security officers (ISSOs) the capability to continuously monitor the network for anomalies, such as failed login attempts, application crashes, software and service installations, remote desktop activity, account usage, event logs cleared, and system or service failures in the pane of a customizable dashboard.

The Department of State's steady, proactive efforts to enhance the information security program reflect an enduring recognition that securing and protecting cyber assets is an ongoing multi-year effort, with no finish line.

Digital Accountability and Transparency Act

The Digital Accountability and Transparency Act (DATA Act) of 2014's purpose was to make information related to Federal expenditures more easily accessible and transparent. In doing so, the Federal Government gave citizens, Congress, and others unprecedented public access to structured information about spending and opened up new horizons for oversight, accountability, activism, and innovation. The law required the U.S. Department of the Treasury to establish common standards for financial data provided by all Government agencies. At the same time, other collaborative efforts were underway with regard to how these elements would be displayed and made available to the public through the website USASpending.gov. Ultimately, the goal of the law is to improve the ability of Americans to track and understand how the government is spending their tax dollars. It is also the first step in a larger and longer effort for agencies to use data as a resource to transform the way that leadership manages and governs the agencies. The Department has made considerable progress in complying with the DATA Act.
Because of the extensive global presence of the Department, with more than 270 embassies, consulates, and other posts in over 180 countries, the Department faces challenges in consolidating data originating from around the world. This challenge also requires communication between multiple systems. To satisfy the requirements of the DATA Act, the Department made substantial progress in transitioning the Global Financial Management System data warehouse into a Global Business Intelligence solution. This effort includes upgrading its supporting infrastructure. This solution will be the single source for meeting internal and external financial reporting requirements for the Department. The Department developed and implemented a comprehensive data quality plan during 2019. Strong internal controls were in place while the Department continued working to refine processes to accurately record and validate 57 standardized data elements, capturing Procurement Instrument Identifiers

38 | United States Department of State 2019 Agency Financial Report
MANAGEMENT’S DISCUSSION AND ANALYSIS | MANAGEMENT ASSURANCES AND OTHER FINANCIAL COMPLIANCES