An audit of the State Department’s information security program shows it’s not in line with federal requirements and the chief information officer is not equipped to make sure the program is effective, according to a new inspector general report.
An independent audit done by D.C. auditing firm Williams, Adley & Company found two glaring deficiencies with the State Department, the details of which were heavily redacted in the report’s public release.
Of the details that were made publicly available, the audit found the CIO is not “properly positioned within the organization” to ensure the department’s security programs are effective.
Additionally, the auditors found that the information security programs were not in compliance with the Federal Information Security Management Act, Office of Management and Budget, and National Institute of Standards and Technology requirements, despite efforts taken to improve the plan.
The report also takes issue with medium- and high-risk vulnerabilities that went unreported, access management issues, and email accounts. However, the details of what auditors found have been completely stripped from the report.
A spokesperson for State’s IG office told FedScoop the redactions were due to information included in the report that the department’s general counsel deemed to be exempt from Freedom of Information Act requests and therefore didn’t need to be included.
The State Department was the entryway for a breach of the White House’s sensitive but unclassified computer systems earlier this year, according to U.S. officials. That breach has since been attributed to Russian hackers.
Read the full inspector general report here.