U.S. Department of State Fiscal Year 2020 Agency Financial Report

architectural standards. This error occurred, in part, because OBO personnel failed to properly file and share the Legal Assessment prepared in 2011. The Legal Assessment is a document that describes the building permit approval process and local building codes prepared by a local firm contracted by an embassy or post on behalf of OBO. An architecture firm hired by OBO never submitted a final Project Development Survey to OBO, as contractually required, and OIG could find no evidence that the initial OBO project manager or the OBO project manager who replaced him had attempted to enforce this contract requirement. OBO estimates that it will cost the Department between $90 million and $125 million to rebuild the new building in an approved location, which is approximately twice what was originally budgeted to construct the building. 35 In a recent report, OIG found that, when executing award modifications for a construction contract in Amman, Jordan, the CO did not include the estimated total time necessary to accomplish the required work. This deviation is contrary to guidance and occurred, in part, to expedite the issuance of the contract modifications. However, this practice makes it difficult for OBO to hold the contractor accountable for completing the project on time. 36 At NECs London and The Hague, OBO personnel did not ensure that major systems were commissioned prior to declaring the projects substantially complete, as required. In addition, when the projects were declared substantially complete, OBO personnel did not provide the construction contractor with a consolidated list of all remaining work to be performed, completed, or corrected before final acceptance. As of April 2020, the contractor had not completed all work required for final acceptance of NEC London, and the Project Director at NEC The Hague had not recommended to the CO final acceptance of this project. For both projects, it has been more than 2 years since substantial completion was declared. 37 35 AUD-MERO-20-20, February 2020. 36 AUD-MERO-20-39, September 2020. 37 AUD-CGI-20-43, September 2020. 38 OIG, Audit of the Department of State Information Security Program (AUD-IT-20-04, October 2019). 39 OIG, Inspection of the U.S. Mission to the United Nations and Other International Organizations in Geneva, Switzerland (ISP-I-20-16, June 2020); OIG, Inspection of Embassy Vilnius, Lithuania (ISP-I-20-29, April 2020); ISP-I-20-17, June 2020; ISP-I-20-22, May 2020; ISP-I-20-21, May 2020; ISP-I-20-20, May 2020; ISP-I-20-07, February 2020; ISP-I-20-09, January 2020; ISP-I-20-04, November 2019; ISP-I-20-01, October 2019. 40 ISP-I-20-17, June 2020. 3 I nformation S ecurity and M anagement The Department depends on information systems to function, and the security of these systems is vital to protecting national and economic security, public safety, and the flow of commerce. The Department acknowledges that its information systems and networks are subject to serious threats that can exploit and compromise sensitive information, and it has taken some steps to address these concerns. However, notwithstanding the expenditure of substantial resources by the Department, OIG continues to identify significant issues that put Department information at risk. Strengthening Cybersecurity Although the Department has taken steps to improve its information security program, as in prior years, OIG’s annual assessment of the Department’s information security program identified numerous control weaknesses that affected program effectiveness and increased the Department’s vulnerability to cyberattacks and threats. Specifically, an FY 2020 audit found that the Department lacked a fully implemented organization- wide information security program based on evidence of security weaknesses identified in all eight areas of focus, including risk management, continuous monitoring, and contingency planning. 38 We first identified pervasive Information Systems Security Officer (ISSO) concerns in 2017, and OIG’s FY 2020 work reveals this to be a continuing problem. Specifically, weaknesses in the performance of ISSO duties is a persistent problem, as identified in several reports. 39 For example, in Bangladesh, the ISSO did not record information system audits or complete account reviews included in the Department’s ISSO checklist, as required. 40 In Geneva, the mission's unclassified and classified ISSOs did not perform all 2020 A gency F inanci al R eport U ni ted S tates D epartment of S tate | 123 INSPECTOR GENERAL’S STATEMENT ON THE DEPARTMENT’S MAJOR MANAGEMENT AND PERFORMANCE CHALLENGES | OTHER INFORMATION