Information security continues to be a “major management challenge” for the State Department due to a “concerning” number of open recommendations around “fundamental” IT issues, according to an Office of Inspector General report released Wednesday.
The bulk of those recommendations, 26 to be exact, pertained to configuration management of products and systems to ensure information security, prompting OIG to recommend the under secretary for management track IRM’s future progress.
“Because the under secretary for management is responsible for ensuring that corrective actions on OIG recommendations are actually taken, OIG recommends that the under secretary monitor the status of corrective actions for the open recommendations addressed to IRM and take actions if necessary until they have been implemented and closed,” reads the report.
Of the other unaddressed recommendations, 11 related to risk management, 11 to identity and access management, 10 to shared services, eight to IT investments, six to data protection and privacy, four to security training, four to continuous monitoring, four to contingency planning, three to information system security officers, one to supply chain risk management, two to general IT policies, and three to other IT topics.
OIG made two recommendations to Under Secretary Carol Perez, the first that her office verify IRM has plans of action and milestones (POA&M) documented for all 90 of its OIG recommendations. The undersecretary disagreed.
“If the end goal is for IRM to close their open recommendations with OIG, a realistic concern is that developing a separate action plan for each recommendation would prove overly cumbersome,” Perez wrote in her response. “IRM’s staff, time and resources are better spent working on compliance-related activities, maintaining a high standard of day-to-day operations, and communicating directly with OIG.”
As a result OIG marked the recommendation unresolved, arguing agencies are required to develop POA&M by the National Institutes of Standards and Technology and that the under secretary must submit her own POA for the recommendation.
The undersecretary accepted OIG’s second recommendation that her office develop a method for periodically reviewing IRM’s efforts because it already had one in place, so OIG marked the recommendation closed.
“[T]he office of the acting under secretary for management provides a spreadsheet of open recommendations from OIG to IRM, with a high-level visual depiction of IRM’s compliance,” reads the report. “After IRM provides a response to the acting under secretary for management, she reviews the data and ensures that IRM is up-to-date on compliance efforts.”