Watchdog calls for State Department to assess cybersecurity risks

Secretary of State Antony Blinken speaks to reporters during a press briefing at the U.S. Department of State on July 27, 2022 in Washington, DC. (Photo by Anna Rose Layden/Getty Images)

The Government Accountability Office called Thursday for the State Department to fully implement cybersecurity risk mitigation measures after finding an array of deficiencies in its current program.  

The GAO said in a new report that while State has a cybersecurity risk management program in place, that program is missing key elements, including mitigating departmentwide risks, conducting bureau-level risk assessments, completing authorization for all of its information systems, and implementing a departmentwide continuous monitoring program.

GAO said that the state of the department’s current cybersecurity program risks the ability to “detect, investigate and mitigate cybersecurity-related incidents.”

“Until the department implements required risk management activities, it lacks assurance that its security controls are operating as intended,” the report states. “Moreover, State is likely not fully aware of information security vulnerabilities and threats affecting mission operations.”


There are a number of issues at hand, GAO found, including a lack of fully implemented processes that support its incident response program and an IT infrastructure that isn’t “adequately secured” and needs to be modernized.

“This includes replacing the 23,689 hardware systems and 3,102 occurrences of network and server operating system software installations that have reached end-of-life. Certain installations of operating system software had reached end-of-life over 13 years ago,” the report states.

The report continues: “Without fully implemented incident response processes and an adequately secured IT infrastructure to support State’s incident response program by, among other things, updating outdated or unsupported products, State’s IT infrastructure is vulnerable to exploits.”

GAO offered 15 recommendations for the department and the secretary of state to address, including developing a plan to mitigate known vulnerabilities, ensuring all systems have a current authority to operate, and conducting risk assessments for the information systems that the watchdog reviewed.

The GAO also recommended that the department “direct the CIO to update an October 2020 matrix” so the program complies better with federal guidance and departmentwide policies. The department issued a statement previously on its cybersecurity program’s responsibility to identify and assess vulnerabilities and respond to threats. 


The department concurred with all recommendations.

Written by Caroline Nihill

Caroline Nihill is a reporter for FedScoop in Washington, D.C., covering federal IT. Her reporting has included the tracking of artificial intelligence governance from the White House and Congress, as well as modernization efforts across the federal government. Caroline was previously an editorial fellow for Scoop News Group, writing for FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. She earned her bachelor’s in media and journalism from the University of North Carolina at Chapel Hill after transferring from the University of Mississippi.
