U.S. Department of State Fiscal Year 2020 Agency Financial Report

information systems security duties as required. For example, they did not scan user emails and folders and section folders or monitor the dedicated internet network. OIG determined mission ISSOs audited only 16 of the 265 workstations from August 2018 to July 2019. 41 Failure to perform required ISSO responsibilities leaves Department networks vulnerable to potential unauthorized access and malicious activity. Also, without a systematic approach to monitoring networks and recording findings, Department networks could be breached, and information security compromised. Deficiencies related to developing, testing, and training on contingency plans were also found to be persistent in several embassies, which failed to complete or annually test unclassified and classified IT contingency plans. 42 Department standards require management to develop and test IT contingency plans annually for effectiveness and to determine the embassy’s readiness to execute them during unplanned system outages or disruptions. Another cybersecurity issue identified in OIG FY 2020 work pertains to user access controls. As part of its open connection approach and contrary to Department guidance, OIG found that the Foreign Service Institute (FSI) grants wireless internet access to any on-campus user who simply accepts the Terms and Use Agreement on its opening login page. Therefore, FSI cannot determine who made any particular connection because its access controls do not require users to take steps to identify themselves prior to the start of a wireless session. The failure to capture such information makes it more difficult to identify individuals who misuse the network, such as a former FSI employee who inappropriately used the FSI guest wireless network and relied upon its open connection to the internet to engage in criminal activity. 43 Overseeing Records Management in Accordance With Standards Finally, we found records management deficiencies throughout FY 2020. For example, CT did not establish 41 ISP-I-20-16, June 2020. 42 ISP-I-20-17, June 2020; ISP-I-20-16, June 2020; ISP-I-20-22, May 2020; ISP-I-20-21, May 2020; ISP-I-20-13, May 2020; ISP-I-20-09, January 2020. 43 OIG, Management Assistance Report: Foreign Service Institute Wireless User Access Controls (ESP-20-03, March 2020). 44 ISP-I-20-29, April 2020. 45 OIG, Audit of the Department of State’s FY 2019 Implementation of the Digital Accountability and Transparency Act of 2014 (AUD-FM-20-05, November 2019). a records management program to institute controls over records creation, maintenance, and disposition. In addition, OIG found the bureau had never retired official records. Department standards require that all Department employees preserve documentary materials meeting the definition of a record under the Federal Records Act. In another example, Embassy Vilnius, Lithuania, had not retired political, economic, and public diplomacy program files since 2013. 44 The lack of an effective records management program could result in the loss of important data for historical insight into policy analysis, decision-making, and archival research. 4 F inancial and P roperty M anagement Management of its financial resources and property remains a challenge for the Department. This is due, in large part, to overall internal control issues—namely, the Department’s ability to identify internal control weaknesses and comply with relevant standards. As with oversight of contracts and grants, attention to this challenge is particularly important to ensure that the Department appropriately uses and oversees public resources. Since an FY 2017 report on the Digital Accountability and Transparency Act of 2014 (DATA Act), the Department has taken steps to improve procedures, quality control, and oversight. However, additional action is needed, according to an external audit firm acting on behalf of OIG. The quality of data must be improved to fulfill the intent of the DATA Act. 45 Internal Control Deficiencies An independent audit of the Department’s FY 2019 consolidated financial statements identified certain matters that were considered significant. Weaknesses in property and equipment management were initially reported in the audit of the Department’s FY 2005 consolidated financial 124 | U ni ted S tates D epartment of S tate 2020 A gency F inanci al R eport OTHER INFORMATION | INSPECTOR GENERAL’S STATEMENT ON THE DEPARTMENT’S MAJOR MANAGEMENT AND PERFORMANCE CHALLENGES