Website Cryptome brings us the Office of Inspector General’s (OIG) Report on the State Department Bureau of Information Resource Management, Office of Information Assurance (IRM/IA). The Report is timely, as IRM/IA is responsible for the Department’s cyber security program. The head of IRM/IA is the State Department’s chief information security officer.
In other words, these guys are responsible for the State Department’s computer security stuff. After letting some Army private in remote Iraq run WGET against ten years of cables, all apparently unlogged and unmonitored, why would anyone care about computer security at State? After having its cables database posted all shiny and naked on the internet, in a post-Manning era, what could be more important to the organization?
What’s Wrong at IRM/IA?
Well, apparently many things, because here are some summary points from the report:
The Bureau of Information Resource Management, Office of Information Assurance (IRM/IA) was established to address the information security requirements of the E-Government Act. The office does not fulfill all those requirements.
— The current workload of IRM/IA does not justify its organizational structure, resources, or status as an IRM directorate.
— The mishandling of the certification and accreditation (C&A) process and contract by IRM/IA has contributed to expired authorizations to operate 52 of the Department’s 309 systems.
— No single Department bureau has full responsibility for the information systems security officer (ISSO) program, resulting in confusion among personnel on requirements and waste of personnel resources.
— IRM/IA lacks adequate management controls to monitor its contracts, task orders, and blanket purchase agreements, with an approximate value of $79 million.
— IRM/IA has no mission statement and is not engaged in strategic planning.
More Specifically, What’s Wrong at IRM/IA?
The basics are pure 2013 Washington: IRM/IA has more contractors than full-time staff (36 vs. 22). With the Snowden story in the news, the report worries that “contractors are performing inherently governmental functions.” With a hint of irony, the report notes that among these, it is contractors who draft responses to OIG audit reports. Not all of those worker bees are happy: during the course of the inspection alone, IRM/IA was handling one formal EEO complaint as well as two employee relations cases.
Of course all this costs lots of taxpayer money: Funding for IRM/IA activities is $5.9 million per year, plus an annual operating budget in FY13 of about $10 million, with other funds coming from reimbursements and internal bureau transfers. For FY14 planning, the Chief Information Officer increased the IRM/IA budget request by an additional $8 million. The bureau runs $79 million in contracts and buys. IRM/IA is also supported through the broader Vanguard 2.2.1 contract valued at $2.5 billion. The OIG mentions, almost with an appended “of course,” that that contract “has not been managed appropriately.”
Also, Some Bad Things
So it kinda is a bad thing that the OIG says “IRM/IA is not doing enough and is potentially leaving Department systems vulnerable” which of course is the whole point of IRM/IA existing.
Maybe it is also bad that “IRM/IA performs a limited number of information assurance functions, does not have a lead role in most of the functions it does perform and, for the most part, only compiles information generated by others.” In fact, the bureau shows a “lack of active involvement in many of its stated responsibilities.”
And this could be a negative: “IRM/IA does not have a vision for the office and specific goals for each of its three divisions.” And so “division chiefs [lack] priorities based on defined goals. As a result, the staff is not proactive in meeting information security requirements.”
Well, that could be that the head of the bureau “is not seen regularly in the office.”
So, the fact that “IRM/IA is not engaged with IT strategic planning in the Department” means that the current Department IT Strategic Plan contains little mention of information assurance functions. Nor is information assurance addressed prominently in the IRM Strategic Plan. While there are references in these plans to the importance of protecting the Department’s worldwide network, the strategy and crosswalk for addressing these factors… is not detailed in the strategic or tactical plans’ goals and objectives.”
So it is little surprise that the report notes “IRM/IA does not have an office strategic plan. There is no evidence of IRM/IA management engaging in a comprehensive strategic review to assess its current capabilities and future needs. The CISO and his division chiefs have not reviewed operations to determine what information assurance and security functions they are required to perform or are currently handling based on statutory requirements” and that “Policy and outreach in IRM/IA has been inconsistent and ineffective.”
Most of the regs, rules and guidelines for the Department’s cyber security date from 2007 or earlier and do not mention the latest technologies. For example, there is little mention of State’s beloved social media. There is no mention of cloud computing, which the OIG coolly says “is surprising considering that cloud computing is a strategic goal for the Department overall.”
This one is hilarious: one of IRM/IA’s “tools,” used to track security vulnerabilities, requires users to note changes by hand on a printed spreadsheet, those changes then being typed manually into a database by
In another accounting “tool,” users are held accountable for their low security scores. Why such low scores? IRM/IA says their change in the criteria used is at fault but sent no notification to inform users of the change.
And yet the bureau’s response to some of this is to ask for an additional deputy position and one more division, in what the report (must be tongue in cheek) calls a “realignment.” That process will require an “organizational assessment” of three months. Not surprising given that apparently contractors wrote the response. Ka-ching!
So who is in charge of this sad failure of an organization? Guy named William Lay just took over in September 2012 and in a hopeful note the OIG says “the atmosphere in the office has improved.”
No doubt State will say it will investigate, simply spend more money claiming that is its “solution,” or most likely just ignore this report and execute Bradley Manning.
Still, in the spirit of public service, maybe we all can help. Why not let William Lay know what you think at CIO@state.gov? It sounds like he could use the help.
Bonus: Cryptome.org, which was Wikileaks before there was a Wikileaks, is one of my long-time favorite websites. Since 1996 the quirky website has been a source of detailed information, typically without hype or drama, on America’s national security state. Perhaps alone on the web, Cryptome is also an avid publisher of declassified info on older, Cold War, programs. This info is precious to historians, and valuable to those wishing to speculate on where things are headed. At a time when most Americans other than James Bamford did not even know the NSA existed, Cryptome has been on the story.
Copyright © 2014. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity.