An audit of the State Department's information security posture found critical deficiencies in the agency's risk management framework and monitoring programs, stemming largely from a problematic organizational structure.
The auditors — Williams, Adley and Company — found two critical weaknesses, though the specifics of those vulnerabilities were redacted from the report.
From what can be gleaned from the unredacted portions, the department's security weaknesses centered on a failure to communicate and properly implement a risk management framework and a continuous monitoring program.
The auditors noted that State officials have developed an Information Security Risk Management Strategy at the top level, but issues with implementing that strategy persist. The specifics of how that implementation is failing were heavily redacted from the report.
"One overall cause of the weaknesses Williams, Adley identified is that the CIO is not properly positioned within the organization to ensure that the department's information security program is effective," it reads. "Without a centralized approach to communicating information security risks, the department cannot have an effective risk management program and the consequence of that ineffectiveness can impact all levels of the organization."
Similarly, the agency has failed to set up a continuous monitoring program to maintain a level of information security assurance across its networks. The report notes State was waiting on tools from the Continuous Diagnostics and Mitigation (CDM) program, which began rolling out this year.
The auditors have been conducting tests on State Department systems since 2010 and "identified similar control deficiencies throughout our audits, which Williams, Adley believes is indicative of a systemic problem within the department."
The inspector general made four recommendations based on the audit, all of which the department concurred with and immediately began to implement. The department's active response prompted the IG to close all four recommendations, pending any further action.