State Department Post-Manning Information Security Report: D-

Website Cryptome brings us the Office of Inspector General’s (OIG) Report on the State Department Bureau of Information Resource Management, Office of Information Assurance (IRM/IA). The Report is timely, as IRM/IA is responsible for the Department’s cyber security program. The head of IRM/IA is the State Department’s chief information security officer.

In other words, these guys are responsible for the State Department’s computer security stuff. After letting some Army private in remote Iraq run WGET against ten years of cables, all apparently unlogged and unmonitored, why would anyone care about computer security at State? After having its cables database posted all shiney and naked on the internet, in a post-Manning era, what could be more important to the organization?

What’s Wrong at IRM/IA?

Well, apparently many things, because here are some summary points from the report:

The Bureau of Information Resource Management, Office of Information Assurance (IRM/IA) was established to address the information security requirements of the E-Government Act. The office does not fulfill all those requirements.

— The current workload of IRM/IA does not justify its organizational structure, resources, or status as an IRM directorate.

— The mishandling of the certification and accreditation (C&A) process and contract by IRM/IA has contributed to expired authorizations to operate 52 of the Department’s 309 systems.

— No single Department bureau has full responsibility for the information systems security officer (ISSO) program, resulting in confusion among personnel on requirements and waste of personnel resources.

— IRM/IA lacks adequate management controls to monitor its contracts, task orders, and blanket purchase agreements, approximate value of $79 million.

— IRM/IA has no mission statement and is not engaged in strategic planning.

More Specifically, What’s Wrong at IRM/IA?

The basics are pure 2013 Washington: IRM/IA has more contractors than full-time staff (36 vs. 22). With the Snowden story in the news, the report worries that “contractors are performing inherently governmental functions.” With a hint of irony, the report notes that among these, it is contractors who draft responses to OIG audit reports. Not all of those worker bees are happy: during the course of the inspection alone, IRM/IA was handling one formal EEO complaint as well as two employee relations cases.

Of course all this costs lots of taxpayer money: Funding for IRM/IA activities is $5.9 million per year, plus an annual operating budget in FY13 of about $10 million, with other funds coming from reimbursements and internal bureau transfers. For FY14 planning, the Chief Information Officer increased the IRM/IA budget
request by an additional $8 million. The bureau runs $79 million in contracts and buys. IRM/IA is
also supported through the broader Vanguard 2.2.1 contract valued at $2.5 billion. The OIG mentions, almost with an appended “of course,” that that contract “has not been managed appropriately.”

Also, Some Bad Things

So it kinda is a bad thing that the OIG says “IRM/IA is not doing enough and is potentially leaving Department systems vulnerable” which of course is the whole point of IRM/IA existing.

Maybe it is also bad that “IRM/IA performs a limited number of information assurance functions, does not have a lead role in most of the functions it does perform and, for the most part, only compiles information generated by others.” In fact, the bureau shows a “lack of active involvement in many of its stated responsibilities.”

And this could be a negative: “IRM/IA does not have a vision for the office and specific goals for each of its three divisions.” And so “division chiefs [lack] priorities based on defined goals. As a result, the staff is not proactive in meeting information security requirements.”

Well, that could be that the head of the bureau “is not seen regularly in the office.”

So, the fact that “IRM/IA is not engaged with IT strategic planning in the Department” means that the current Department IT Strategic Plan contains little mention of information assurance functions. Nor is information assurance addressed prominently in the IRM Strategic Plan. While there are references in these plans to the importance of protecting the Department’s worldwide network, the strategy and crosswalk for addressing these factors… is not detailed in the strategic or tactical plans’ goals and objectives.”

So it is little surprise that the report notes “IRM/IA does not have an office strategic plan. There is no evidence of IRM/IA management engaging in a comprehensive strategic review to assess its current capabilities and future needs. The CISO and his division chiefs have not reviewed operations to determine what information assurance and security functions they are required to perform or are currently handling based on statutory requirements” and that “Policy and outreach in IRM/IA has been inconsistent and ineffective.”

Most of the regs, rules and guidelines for the Department’s cyber security date from 2007 or earlier and do not mention the latest technologies. For example, there is little mention of State’s beloved social media.There is no mention of cloud computing, which the OIG coolly says “is surprising considering that cloud computing is a strategic goal for the Department overall.”

This one is hilarious: one of IRM/IA’s “tools,” used to track security vulnerabilities, requires users to note changes by hand on a printed spreadsheet, those changes then being typed manually into a database by
IRM/IA staff.

In another accounting “tool,” users are held accountable for their low security scores. Why so such low scores? IRM/IA says their change in the criteria used is at fault but sent no notification to inform users of the change.

OIG Conclusions

The OIG concludes its report with a whopping 36 “recommendations” for improvement.

And yet the bureau’s response to some of this is to ask for an additional deputy position and one more division, in what the report (must be tongue in cheek) calls a “realignment.” That process will require an “organizational assessment” of three months. Not surprising given that apparently contractors wrote the response. Ka-ching!

So who is in charge of this sad failure of an organization? Guy named William Lay just took over in September 2012 and in a hopeful note the OIG says “the atmosphere in the office has improved.”

No doubt State will say it will investigate, simply spend more money claiming that is its “solution,” or most likely just ignore this report and execute Bradley Manning.

Still, in the spirit of public service, maybe we all can help. Why not let William Lay know what you think at It sounds like he could use the help.

Bonus:, which was Wikileaks before there was a Wikileaks, is one of my long-time favorite websites. Since 1996 the quirky website has been a source of detailed information, typically without hype or drama, on America’s national security state. Perhaps alone on the web, Cryptome is also an avid publisher of declassified info on older, Cold War, programs. This info is precious to historians, and valuable to those wishing to speculate on where things are headed. At a time when most Americans other than James Bamforddid not even know the NSA existed, Cryptome has been on the story.

Related Articles:

Copyright © 2020. All rights reserved. The views expressed here are solely those of the author(s) in their private capacity.


  • Eric Hodgdon on said:

    Thanks. Keep the pressure up.

    “Push, push, push, all the way, all the time, right on down the line.”

  • Rich Bauer on said:

    I hear things are so bad that State is considering hiring Bradley Manning as a consultant.

  • Rich Bauer on said:

    “At a time when most Americans other than James Bamford did not even know the NSA existed, Cryptome has been on the story.”

    Question: Is linking to Cryptome a violation of the Insider Threat rules?

    Reading from the Bush Iraq WMD script for the justification of spying on US, the Obama administration maintains Congress shouldn’t be surprised by the programs.

    “In short, all three branches of government knew about these programs, approved them, and helped to ensure that they complied with the law.”

    Reading from Hillary Clintion’s “if I had only read the reports” script – Rep. James Sensenbrenner, R-Wis., recalled that when he chaired the House Judiciary Committee in 2006, “I was not aware of any dragnet collection of phone records when the Patriot Act was reauthorized.” If he had, he said, “I would have publicly opposed such abuse.”

    What a revolting situation.

  • pitchfork on said:

    quote “With the Snowden story in the news,..”unquote


    In the news. right. Yesterday, here was the main Google news story at noon…

    “Reports: Woman killed riding coaster identified”

    Not one single story on Snowden or his revelations.

    Down the news cycle memory hole.

    Shame on Amerika ..and Google/MSM et al.

  • meloveconsullongtime on said:

    “Not one single story on Snowden or his revelations.
    Down the news cycle memory hole.”

    Kim Kardahsian got a big ole butt!

  • Kyzl Orda on said:

    “…in a hopeful note the OIG says “the atmosphere in the office has improved…”

    That should go in the green x column, since ‘atmospheres’ are rarely remarked upon at State in an official capacity

    The Obama administration was supposed to put an end to contracting. WHy not bring the computer specialists into the civil service? HR officers at one time touted supervisors should have a right to fire whom they want.

    THe problem is being a contractor – no reason need be provided. You’d like to think only the bad and lazy employees are given the door, but not so. A person can be easily fired *without cause*. That’s the beauty of contracting.

    Civil service, on the other hand, and I am guessing Foreign Service is the same?? requires reasons and documentation – something some supervisors are loathe to do because it means they have to put effort into it, especially if the employee is an excellent one. Yes, productive employees get fired at State for doing their job. The right of supervisors to fire anyone is being abused and government jobs offered to the highest bidder, literally, and employees whether contract or government officialy get the message productivity is irrelevant and if you see something, say nothing or it means your job

  • Kyzl Orda on said:

    “Reading from Hillary Clintion’s “if I had only read the reports” script – Rep. James Sensenbrenner, R-Wis., recalled that when he chaired the House Judiciary Committee in 2006, “I was not aware of any dragnet collection of phone records when the Patriot Act was reauthorized.” If he had, he said, “I would have publicly opposed such abuse.”

    What a revolting situation.”

    Dear Rich, those are great examples of the ironies of bumbling leadership and how members of both parties can work together in the least productive way. For 6 figure salaries, such people should be reading what crosses their desks

  • meloveconsullongtime on said:

    And then as an outsider – I mean as someone who has NEVER worked for ANY government (neither the US govt nor any other) – to MY mind, I really don’t care about any internal ways of the State Department pretending to “correct” itself – rather, as a total outsider, I simply imagine the US Department of State like this:

  • pitchfork on said:

    quote:” I simply imagine the US Department of State like this:….”

    melove……you’re sooooooooo good. 🙂

    Personally, I imagine Dos like this…

    quote:”Who cares about Snowden when you can watch “Ow My Balls!”:”

    Speaking of balls… a contest between Obama and a Brahma bull..guess who would win the title?

  • Rich Bauer on said:

    Hey, Lady Liberty, your slip is showing

    Remember the good ol’ days when the government didn’t try to insult your intelligence. Its lies always had a frosting of truth to help you swallow them but now its lies are only topped with thin disguise on par with Tommy Flanagan. Consider:

    — Liar Scooter Libby gets pardoned for outing Valerie “a Flame”, the covert spy, jeapordizing the CIA covert operation to secure nuclear material so terrorists can’t use it to nuke New York City. (Sorry about that, Lady Liberty, that’s not the only thing aflame) But John Kirikou gets 30 months for revealing the CIA torture program and the name of a CIA torturer, ruining “we are the good guys” Mad Men PR.

    –Snowden vs Lady: While the US screams “how dare you” when Russia contemplates giving Edward Snowden temporay asylum -(btw -Ed hasn’t been convicted of anything) Panama has released Robert Seldon Lady and he has flown back to the US. Lady was convicted in absentia in Italy for his part in kidnapping a Muslim cleric in Milan and rendering him to jail in Egypt where the cleric claims he was tortured during interrogation. Lady was sentenced to up to nine years in prison for his role in the rendition.

    The rule of law doesn’t apply here: During Lady’s trial, the US refused to cooperate with Italian authorities who had to sentence all 23 Americans convicted in absentia in 2009. The verdict against Lady was upheld by Italy’s top court in 2012. She’s no Lady Liberty: Marie Harf, a State Department spokeswoman, claimed to have no details on whether Lady would be questioned by US authorities, or whether the US would cooperate with Italy on the case.

    While a convicted criminal whose actions could be construed as a terrorist is protected by US (but I was only following orders) can live in retirement without worries about being extradited, Snowden is hounded at every juncture and those countries who refused to hand him over such as China and Russia are threatened with dire consequences. Even the Bolivian presidential plane is forced to land and be searched because the US thinks that Snowden might be on board.

    While Tommy Flanagan had the hots for Morgan Fairchild, it appears the US has kicked out Lady Liberty and been seduced by the Whore of Babylon. Liars make strange bedfellows.

  • Rich Bauer on said:

    More LOST in Translation: Bill Murray is not the only one to wake up and wonder what strange world he has entered. This country is seriously fucked up.

  • meloveconsullongtime on said:

    “For God’s sake, let us sit upon the ground
    And tell sad stories of the death of kings;
    How some have been deposed; some slain in war,
    Some haunted by the ghosts they have deposed;
    Some poison’d by their wives: some sleeping kill’d;
    All murder’d”

    King Richard II, in Shakespear’s eponymous play.

  • Rich Bauer on said:

    To sleep, perchance to dream: Our selective prosecution of Rule of Law when-it-suits-US (e.g. Snowden v. Lady, et al) draws a direct parallel with Orwell’s general philosophy of doublethink, of which the memory hole is in a sense the physical embodiment; “to forget, whatever it was necessary to forget, then to draw it back into memory again at the moment when it was needed, and then promptly to forget it again”.

    Lulled to sleep as our rights to liberty slip down the memory hole, not even our ashes will remain.

  • meloveconsullongtime on said:

    Actually America’s split-mindedness differs from Orwellian Doublethink insofar as the latter had moments of integrity within time, but American split-mindedness is constant. The American habit is to hold two utterly contradictory thoughts simultaneously, which contra Fitzgerald is not a sign of genius but of willful evil.

    Just one widespread domestic example, unrelated to whistleblowers or international affairs: Advocating “gay marriage” for the ostensible reason of marriage being essentially subject to redefinition, while simultaneously refusing to legalise polygamy or incestuous marriages for putatively objective reasons.

  • pitchfork on said:

    I woke up this morning to the nightmare for another day. I don’t want to live in this nightmare anymore. Just knowing my children will face this deepening Orwellian nightmare enrages me. All I know is, if the American population doesn’t do something enmass pretty quick they are going to be shit out of luck. William Binney and Frank Church had it right. Given the NSA Utah facility is already online, day by day were loosing what time is left to do ANY THING. At this point, I really pray that Snowden’s strategy TAKES THE USG DOWN.

Post a new comment

Your email will not be published.
Submitting comment...