An urgent report from the Government Accountability Office is aimed at the State Department. GAO called for State to, in its words, "expeditiously get on with a...
An urgent report from the Government Accountability Office is aimed at the State Department. GAO called for State to, in its words, “expeditiously get on with a cybersecurity risk management program.” State has a plan, now it has to carry it out. For more on this, the Federal Drive with Tom Temin spoke with Jennifer Franks, GAO’s Director of Information Technology and Cybersecurity.
Interview Transcript:
Tom Temin And what’s going on here? Because expeditiously that was in the headline. That means like get on with it already, folks. Like now.
Jennifer Franks Absolutely. We’ve been doing this work on behalf of the Senate Committee on Foreign Relations. And with the urgency of really meeting to look at their cybersecurity practices, establishing some roles within this chief information security officers’ ability to just carry out protecting the department’s systems and networks. They’re looking at ways to just better detect, respond and recover from the evolving cyber threats and cybersecurity incidents. We really do need them to take heed to implementing some of these recommendations a little bit swiftly.
Tom Temin Because you found they did identify risk management roles and responsibilities. So they have the belly buttons to push, you might say. And they have developed a cyber-risk management strategy at State. But then there’s a whole stack of Xs in red circles that looks really scary, including mitigated the cybersecurity risks. They have not done the actual risk mitigation. Tell us more.
Jennifer Franks Absolutely. So what’s key here is they note it had a cybersecurity strategy in place, which is big because the department wide guidance for the cross, the federal agency says have a plan, have one in place, which is its good. So that was a positive. But the Department of State runs in a very insular organization. This is not unique for state. A lot of organizations do have a very decentralized way of working for their operations. But because of this, state needs to really look at how they assess risk across the different bureaus and really look at the department wide efforts for identifying and mitigating their cybersecurity risk. We only looked at a subset of their systems, but they have 494 information systems and only 44% of them had an authorization to operate, which means that they were cleared to actually be on line operating in their environment, which also means they had not been fully assessed for risk compliance.
Tom Temin Yeah. So the ATO is a crucial part for government operations for government agencies to have before they can deploy a system. And is that evidence of that decentralized, federated way that they go about this, do you think?
Jennifer Franks Absolutely.
Tom Temin Right. So there’s no central authority. I mean. Well, there is an office of the CIO. The question then becomes, does the State Department, CIO and the technology organization and CISO organization under CIO have sufficient sway over these systems to make sure they run through their before they’re operated?
Jennifer Franks And that’s something that we were finding they do not. We were actually discovering that because of a lack of organization, a lack of communication, the CIO actually has very limited ability to see across the different bureaus, see across the organization, and even have that strength of communication and really determine what’s going on across those different bureaus. Each of those different bureaus have their different organizations, they have their different funding, they have their own sets of operations that are very insular from where the chief information officer has purview, has the authority to actually say what should be done and what should be authoritatively authorized in that organization. She only can see what they’re permitting her to see. So we were asking or we were even recommending in our report for the CIO to have more authorities and more insight into what’s going on across the organization.
Tom Temin In other words, it’s not enough to be able to set policy for all the sub organizations, but they have to be able to verify.
Jennifer Franks Absolutely.
Tom Temin Got it. And you also found that there is some pretty old stuff running and that poses a particular risk from just ancient software that may not be updated and may be vulnerable.
Jennifer Franks Absolutely. And why this was critical was because, as we know, evolving cyber security vulnerabilities and threats around the globe are increasing every single day. And with the unique, evolving mission of the State Department, they manage our national security around the globe, and they have bureaus and polls that protect us around the globe. And because of this, we were actually looking at their abilities to detect, respond to and even recover from cybersecurity incident. So because of this, we were actually reviewing their capabilities to have that incident response program in place. So they do have 24/7 operations. They have a team which is a positive that is looking at the continuous monitoring efforts to scope their network. Great. But then when you look a little deeper into your security operations and your I.T. Infrastructure, we then found that the hardware and software aspects of what you’re using to support your infrastructure. Yes, you’re running with outdated information software, hardware, and some of them we’re going back to 13 years of being end of life. So they’re unsupported.
Tom Temin We’re speaking with Jennifer Franks. She’s director of information technology and cyber security at the Government accountability Office. And one other finding that we want to discuss here is they have not implemented a continuous monitoring program. I thought continuous monitoring originally, like 15, 18 years ago, originated at the State Department. And so that’s a pretty bad weakness in your cyber operation.
Jennifer Franks Absolutely. And continuous monitoring, you’re right. It’s been around for a while. It’s been a metric that all federal agencies have been stated to definitely need to be implementing into their various organizations. This is also an area that would help them to assess the likelihood of events happening in their environment. This would be helpful for being able to better detect and respond to cybersecurity incidents. But this is also a vulnerability or a weakness to their insular approach. They’re just large and there’s just so much going on, and they had an approach to the strategy again. But because there is so much, they did not really look at the department wide efforts to really driving home what could then be done to really implementing that continuous wide monitoring program.
Tom Temin Essentially, you found that the technical problems with old software and lack of ATO for systems that are running derives from the insulated culture at state. A good example of culture and reality, so to speak, interacting in an important way.
Jennifer Franks Yes.
Tom Temin All right. And for GAO, even there’s a long list of recommendations here, 15 in all, they are all open. Just highlight the recommendations for us besides expeditiously get your plan done.
Jennifer Franks Yes, there are 15 in this current report conducting the Bureau level Risk Assessment. There are 28 bureaus that own information systems that we did review. So we were just asking them to look at their abilities to look at cybersecurity across those different bureaus. We want them to develop plans to mitigate the cyber vulnerabilities that they even previously identified. You know, look at what you had open before GAO even got to the agency to audit your entities. We want you to look at perhaps ensuring that your information systems have valid authorizations to operate. Again, we only looked at a subset of systems, but there are 494 systems. They all need to be authorized to operate, not just your subset. We want to really increase the ability for the CIO to have more access, more asset ability to look into all the bureaus in the post around the world so that she can really have that ability to provide continuous monitoring services to look towards how she can help strengthen the controls around the threats and vulnerabilities that are plaguing the networks for the State Department. We also just want to look at how we’re better able to, you know, provide continuous monitoring services, contingency plans in the event of a service disruption, because sometimes cyber events happen. It’s not as if it’s a when. So should it even happen? Are we prepared? So having the necessary contingency plans in place to be ready, we’re going to ask for you to look at those operations.
Tom Temin And by the way, the person we’ve been talking about, CIO, is Dr. Kelly Fletcher. We should mention her by name. She’s, you know, struggling to get this done. But it sounds like this needs to be the deputy secretary for management type of person to really drive this kind of effort above the CIO. Clearly, the secretary of state’s got other things to do, but there are deputies that do management, and that seems like that’s where the effort needs to start.
Jennifer Franks And we actually direct the recommendations to the secretary. Absolutely.
Tom Temin So far, do they agree with most of the recommendations, even though they’re not implemented?
Jennifer Franks Absolutely. They have concurred with all of our open recommendations right now, and they are actively starting to work towards implementing them. And we are actively still working with the agency to see that they are carrying forth with their promise.
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Tom Temin is host of the Federal Drive and has been providing insight on federal technology and management issues for more than 30 years.
Follow @tteminWFED