State Department grants new enterprise CISO far-reaching oversight authority

For decades, the State Department has bifurcated the oversight, accountability and implementation of its cybersecurity defenses. The Information Resource Management office, where the agency chief information officer sits, and the Bureau of Diplomatic Security each play separate and not always complementary roles, drawing the ire of Congress and the inspector general and, at times, creating unnecessary challenges.

Sen. Mark Warner (D-Va.), vice chairman of the Select Committee on Intelligence and co-chairman of the bipartisan Senate Cybersecurity Caucus, wrote to the department earlier this year asking questions about the reporting structure of the CISO after an inspector general report found the CISO “lacked necessary seniority for effectiveness or accountability. My understanding is that the current CIO reports to the Undersecretary for Management to the Secretary of State, and that the CISO reports to the CIO.”

Just about a year after that letter and IG report, Undersecretary of State for Management Brian Bulatao is creating a new position — the enterprise chief information security officer — to once again try to address what could be seen as a disparate approach to cybersecurity across the department. Bulatao announced the new position, which will report to the CIO, in a Dec. 7 memo to staff, which Federal News Network obtained.

“The E-CISO will have broad authority (on behalf of the CIO) to oversee all aspects of cybersecurity. Any bureau that maintains their own cyber infrastructure will be responsible to the E-CISO for meeting all required cyber standards,” said Stuart McGuigan, State’s CIO, in an email to Federal News Network. “The E-CISO will be responsible for developing and implementing enterprise information security programs, including policies and procedures that are designed to protect the department’s enterprise communications systems from internal and external threats. The central E-CISO position was created to ensure that one entity is responsible to oversee cybersecurity on behalf of the CIO and follows industry best practices.”

Within the E-CISO's office, State also is creating the Office of Global Information Technology Risk (GITR).

“GITR will develop policy, procedures and templates to guide organizations within the department responsible for IT to conduct their own IT risk assessments and report results,” McGuigan said in a memo to Bulatao from earlier this fall, which Federal News Network also obtained. “These results will be analyzed and presented to department leadership for situational awareness and to inform decisions to manage risk.”

The E-CISO role, however, likely will have the bigger impact on addressing State’s cyber coordination challenges.

McGuigan expanded on the E-CISO role in a video shared publicly on the internet and provided to Federal News Network. He said all cyber policy and oversight activities performed by the information assurance organization will be elevated to the new E-CISO, and the deputy CIO for information assurance will be renamed the deputy CIO for cyber operations and will be responsible for all IRM cyber operations.

“These new enhancements will increase transparency throughout IRM’s cybersecurity efforts and strengthen the partnership we have with the Bureau of Diplomatic Security,” he said in the video.

McGuigan said the E-CISO has not been selected yet. State advertised the position on USAJobs and is now reviewing applications.

Two reasons for the reorganization

In the memo to Bulatao, McGuigan said the decision to realign cybersecurity oversight and responsibilities is twofold. First, it responds to senior leadership direction; second, it addresses multiple inspector general recommendations.

“IRM seeks to formalize its cyber risk management program as an office within the E-CISO office and expand its responsibilities for all dimensions of IT risk,” the memo said. “The office will be staffed with two divisions, Risk Management and Risk Solutions, with distinct capabilities to advise, assist and guide the department on taking calculated risks in support of the conduct of diplomacy.”

The one big question the E-CISO doesn't answer is something Congress and auditors have been trying to address across the department for decades. Neither the E-CISO nor the CIO will have day-to-day responsibility for operational management, workforce performance and non-IT resource allocation.

The hope is that by requiring each bureau to conduct risk assessments and share them, the E-CISO can work through senior leadership, including the CIO and the undersecretary of management, to force improvements.

The IG issued reports in 2019 and again in 2020 saying the agency’s CIO continues to struggle to address systemic cybersecurity challenges.

“The OIG found that numerous control weaknesses affected program effectiveness and increased the chance of cyberattacks and threats to the department,” the IG wrote in the fiscal 2020 management challenges report. “The department’s Field First initiative to align technology to conduct diplomacy on the foreign affairs frontlines continues, with a new chief architect now in place. Under the Field First initiative, the department is identifying existing IT gaps, costs to close them and establishing post-specific roadmaps for implementation. Preliminary analysis shows that our greatest needs overseas are bandwidth, collaboration tools, and new equipment. IRM has been working with the Bureau of Administration to deploy an IT Service Management portal in myServices that will manage employee requests for IT solutions.”

In 2019, the IG was more specific about the lack of coordination between IRM and the Bureau of Diplomatic Security.

“OIG remains concerned with the overlapping and poorly defined responsibilities between DS and IRM and the organizational placement of the CIO, which impedes the position’s ability to effectively implement an agencywide information security program,” auditors stated in the management challenges report for 2019. “In addition to addressing these structural and organizational concerns through its reports and recommendations, OIG has repeatedly emphasized these matters in testimony, presentations, and other communications with the department and with Congress.”

Diplomatic Security created CTS

This challenge is not new for State. In 2017, the Diplomatic Security Service established the Cyber and Technology Security (CTS) directorate to improve security at embassies, consulates and among foreign affairs officers.

Despite these efforts and the ongoing auditor reports, State has been slow to fix these long-standing problems and now the agency is trying the E-CISO approach.

The changes to State’s cyber oversight and policy offices are part of a targeted IRM modernization.

McGuigan said recently he reinvigorated the IT Executive Council to include six working groups, including cybersecurity, mobility, architecture and workforce.

He said the goal is to ensure bureaus help develop and take part in enterprise capabilities like cloud services or other new technical capabilities.

Outside of IRM, State wants to create a new Bureau of Cyberspace Security and Emerging Technologies (CSET), which would consolidate many disparate functions and improve coordination internally and across the government. The technologies CSET will look at include things like 5G, supply chain security and similar national security issues.

State told the Government Accountability Office that it expects to establish the new office in early 2021.

The creation of the E-CISO comes nine months into the COVID-19 pandemic, during which State’s cyber challenges, like those of many agencies, increased as remote work expanded its risk profile.

“In order to meet the growing demand for remote work in response to the pandemic, IRM undertook a multi-pronged approach to ensure that the department could continue to operate while many employees worked from home, and provide users with more options to overcome IT challenges,” McGuigan said. “First, the department enabled the Office 365 environment, coupled with multifactor authentication, for all employees. Next, the department increased the concurrent virtual desktop interface (VDI) capacity to 15,000 users; previously it was limited to 5,000 concurrent users. It also procured and imaged several thousand laptops. Additionally, the department enabled video collaboration capabilities through WebEx and Teams to ensure that users could continue to meet virtually throughout the pandemic.”