U.S. Department of State Fiscal Year 2020 Agency Financial Report

Resource Management Systems Summary

Other Information, Section III of this AFR, provides an overview of the Department’s current and future resource management systems framework and systems critical to effective agency-wide financial management operations, financial reporting, internal controls, and interagency

agency’s culture. As a result, the agency continues to improve its cybersecurity posture and provide transparency internally and with external partners in other Federal agencies. In 2019, OMB and DHS used the core areas of the National Institute of Standards and Technology (NIST) Cybersecurity Framework to assess cybersecurity capabilities and compliance and concluded that overall, the Department improved its security posture to actively “managing” cybersecurity risk for all of 2019 and last two quarters for 2020.

The FISMA audit that would normally be completed in November of 2020 was granted an extension for 60 days, and findings will be available at that time. In the meantime, the OIG recognized the agency’s progress in maturing the information security program in two of the five core areas of the Cybersecurity Framework and we continue to make progress to fully mature the program. To that end, in 2020, the Department accomplished the following:

■ Enhanced capabilities to better inform top leadership and support risk-based decision making through an updated Agency Cyber Risk Management Strategy and implementation of agency and bureau level risk assessments and cyber performance scorecards. For high value assets, in response to DHS’s Binding Operational Directive 18-02, the risk reporting initiatives also included annual and quarterly metrics to facilitate a more comprehensive view of risk remediations.

■ Initiated a multi-year effort to strengthen the Department’s security posture through greater alignment between business needs, cybersecurity, and enterprise architecture. Instead of adopting a flavor of the month approach to cyber security technologies and a complex sprawl of tools and processes with no integration, the Department is developing a robust framework to decide how much security is needed to protect the most critical and sensitive information assets in a more cost-effective manner that Department staff can efficiently administer and maintain. Using the NIST Risk Management Framework, NIST Cyber Security Framework, and the Sherwood Applied Business Security Architecture, the Department developed governance and a methodology to provide oversight for security architecture enterprise wide. By doing so, the Department can ensure different functions and locations worldwide consistently interpret, select and integrate cyber tools and processes, as we modernize our information technology assets in a changing threat landscape.

■ Implemented continuous diagnostic monitoring (CDM) and enhanced the Department’s capacity to ensure role-based access controls through its identity access credential management program. The enhanced capacity will give the Department immediate access to comprehensive attributes of any single user after consolidating all digital identities including cybersecurity training records, clearance suitability, and system access rights. Additionally, the CDM identity management capabilities allow Department-wide users single sign-on service to reduce both the number of passwords a user must memorize and the probability of password compromise.

The actions that the Department continues to undertake are based on the premise that cybersecurity is an ongoing effort that requires agility to respond to ever evolving threats and the mission needs.

Did You Know? Robert Smith, the sixth Secretary of State, served both as the Secretary of the Navy (1801-1809) and the Secretary of State (1809-1811). More information on former Secretaries can be found at: https://history.state.gov/departmenthistory/people/secretaries

MANAGEMENT ASSURANCES AND OTHER LEGAL COMPLIANCES | MANAGEMENT’S DISCUSSION AND ANALYSIS
