Information security remains a prevalent concern for the State Department based on numerous previous recommendations regarding fundamental information technology-related issues that still require close attention, according to a recent agency Office of Inspector General (OIG) report.
The report assesses 107 unclassified, open OIG recommendations from 19 reports addressed to the Bureau of Information Resource Management (IRM) as of July 30, 2021. OIG found that IRM had addressed three of the 107 recommendations and closed one duplicative recommendation related to risk management, one related to data protection and privacy, and one related to general IT policies. Additionally, OIG closed 14 recommendations in August 2021 as part of its normal compliance process.
However, the remaining 90 recommendations – 57 percent of which dated back to fiscal 2019 or earlier – remain relevant and require “close attention to close them,” the report read.
A larger number of the recommendations involve configuration management of products and systems to ensure information security. The other unaddressed recommendations pertain to several areas including as risk management, IT investments, contingency planning, and shared services.
To facilitate closing the remaining recommendations addressed to IRM, OIG made two recommendations to Carol Perez, the agency’s under secretary for management. OIG recommended her office develop a method for periodically reviewing IRM’s efforts – and indicated that step has since been taken.
OIG also recommended that Perez’s office verify IRM plans of action and milestones (POA&M) documented for all 90 recommendations. However, Perez disagreed with that recommendation, explaining that if the end goal is for IRM to solve open recommendations, developing an individual action plan for each recommendation is “overly cumbersome.”
“IRM’s staff, time, and resources are better spent working on compliance-related activities, maintaining a high standard of day-to-day operations, and communicating directly with OIG,” Perez wrote in her response to OIG.
However, OIG argued that under guidance from the National Institutes of Standards and Technology, agencies are required to develop a POA&M, and that Perez must submit a POA for the recommendation.