According to a report released Thursday by the Government Accountability Office (GAO), the State Department has failed to fully implement its cybersecurity risk program and needs to take a number of steps to better protect its IT network and systems.

“The State Department carries out American diplomacy and helps shape U.S. foreign policy. Securing the IT systems that support State’s mission is crucial to its ability to manage its cybersecurity risks,” the 92-page GAO report reads.

According to the GAO, the Department of State has documented a cybersecurity risk management program that meets Federal requirements. Specifically, the department has identified risk management roles and responsibilities and developed a risk management strategy.

However, the agency has failed to fully implement its program to identify and monitor risk to assets and the information maintained on its systems.

“Until the department implements required risk management activities, it lacks assurance that its security controls are operating as intended,” the watchdog agency wrote. “Moreover, State is likely not fully aware of information security vulnerabilities and threats affecting mission operations.”

Additionally, the report notes that the department has not fully implemented processes that support its incident response program.

Further, the State Department has not adequately secured its IT infrastructure to support its incident response program, GAO said.

“Without fully implemented incident response processes and an adequately secured IT infrastructure to support State’s incident response program by, among other things, updating outdated or unsupported products, State’s IT infrastructure is vulnerable to exploits,” GAO said.

“Furthermore, the department risks being unable to fully detect, investigate, and mitigate cybersecurity-related incidents,” it said.

Finally, the watchdog agency found that the State Department’s IT structure and insulated are among the reasons responsible for many of the deficiencies identified in the report.

GAO made 15 recommendations to the State Department, including that the Secretary of State develop plans to mitigate vulnerabilities and ensure that the CIO has access to assets at bureaus and posts to continuously monitor for threats and vulnerabilities that may affect mission operations.

The State Department concurred with all 15 recommendations to address cybersecurity weaknesses.

Cate Burgan
Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.