The Government Accountability Office called Thursday for the State Department to fully implement cybersecurity risk mitigation measures after finding an array of deficiencies in its current program.
The GAO said in a new report that while State has a cybersecurity risk management program in place, that program is missing key elements, including mitigating departmentwide risks, conducting bureau-level risk assessments, completing authorization to operate for all of its information systems, and implementing a departmentwide continuous monitoring program.
GAO said that the current condition of the department’s cybersecurity program puts at risk its ability to “detect, investigate and mitigate cybersecurity-related incidents.”
“Until the department implements required risk management activities, it lacks assurance that its security controls are operating as intended,” the report states. “Moreover, State is likely not fully aware of information security vulnerabilities and threats affecting mission operations.”
There are a number of issues at hand, GAO found, including a lack of fully implemented processes to support the department’s incident response program and an IT infrastructure that isn’t “adequately secured” and needs to be modernized. Hardware and software that have reached end-of-life no longer receive vendor security patches, so any vulnerabilities discovered in them remain open indefinitely.
“This includes replacing the 23,689 hardware systems and 3,102 occurrences of network and server operating system software installations that have reached end-of-life. Certain installations of operating system software had reached end-of-life over 13 years ago,” the report states.
The report continues: “Without fully implemented incident response processes and an adequately secured IT infrastructure to support State’s incident response program by, among other things, updating outdated or unsupported products, State’s IT infrastructure is vulnerable to exploits.”
GAO offered 15 recommendations for the department and the secretary of state to address, including developing a plan to mitigate known vulnerabilities, ensuring all systems have a current authority to operate, and conducting risk assessments for the information systems that the watchdog reviewed.
The GAO also recommended that the department “direct the CIO to update an October 2020 matrix” so that the program better complies with federal guidance and departmentwide policies. The department had previously issued a statement describing its cybersecurity program’s responsibility to identify and assess vulnerabilities and respond to threats.
The department concurred with all recommendations.