Almost 70 percent of U.S. embassies' IT contingency plans are deficient, according to the State Department inspector general. This could lead to the leakage or loss of sensitive data and bring down critical operations at the worst possible times.
The IG mentioned this four years ago and the Bureau of Information Resource Management still hasn't done anything about it.
Report: Continued Deficiencies Identified in IT Contingency Planning
Networks can go down for a variety of reasons, including cyberattacks, natural disasters and local instability. Without contingency plans in place for all these eventualities, IT operations can be interrupted, which could mean critical communication and security services won't be available when needed. It can also lead to sensitive information being compromised or lost forever.
The IG pointed to a September 2014 hurricane that disrupted services at the embassy in Mexico City.
"The embassy reported on its lessons learned and noted that attention needed to be placed on ensuring that key personnel were included in IT contingency plan testing exercises and ongoing planning as well as the need to adopt a mission-wide approach to emergency preparedness," the IG wrote in its report.
Of the 29 contingency plans the IG reviewed, 20 of them—about 69 percent—were deficient in some way.
The publicly released IG report did not go into specifics on which embassies were deficient or how, though it explains the issue in broad strokes.
"The issues identified ranged from information management staff at posts not developing, updating or testing IT contingency plans to plans that lacked appropriate key stakeholders and contact information as part of emergency preparedness, contrary to requirements," the report states.
The report also notes only 12 percent of IT managers at U.S. embassies—32 of 272—had IT contingency planning explicitly as part of their duties.
The IG first exposed these problems in 2011 and tasked the Bureau of Information Resource Management with establishing new procedures.
"However, after four years the bureau still lacks a tracking mechanism and a SharePoint site as mentioned in their compliance responses," the IG said, though the agency said in September it was "researching other alternatives to comply with OIG recommendations."
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.



