Report Recommendations
OIG recommends that the Chief Information Officer, in coordination with the Information Security Steering Committee, prioritize tasks to ensure that devoted resources identify, document, and finalize a risk management framework for Department of State information systems in accordance with National Institute of Standards and Technology Special Publication 800-30, Revision 1.
Sensitive Information Redacted
OIG recommends that Bureau of Information Resource Management ensure system owners perform security impact analyses for all systems and applications in accordance with the National Institute of Standards and Technology Special Publication 800-53, Revision 3, and reauthorize the systems accordingly.
OIG recommends that the Chief Information Officer exercise the authorities prescribed in the Foreign Affairs Manual (1 FAM 040) and direct bureaus and/or offices to prioritize resources to effectively implement and validate remediation actions prior to closing Plans of Action and Milestones (POAM); ensure completion dates for corrective actions are adhered to and/or the remediation dates are updated as needed; implement processes and procedures to cross-reference POAM information, including costs, to the capital planning budget process with a Unique Investment Identifier; and ensure that written responses for the Quarterly Plan of Action Milestones Grade memorandums are provided to the Bureau of Information Resource Management, Office of Information Assurance.
OIG recommends that the Bureau of Information Resource Management, Office of Information Assurance, include the financial statement audit report findings, identified and communicated by the Bureau of Comptroller and Global Financial Services, within the Plan of Action and Milestone database in accordance with Office of Management and Budget Memorandum M-11-33.
OIG recommends that the Bureau of Information Resource Management, Office of Information Assurance, in coordination with system owners, identify weaknesses resulting from the vulnerability scans performed by the Bureau of Diplomatic Security, Security Infrastructure, Office of Computer Security, and include those weaknesses that are not immediately remediated in the Plan of Action and Milestone database in accordance with Office of Management and Budget Memorandum M-11-33.
OIG recommends that the Chief Information Officer, in coordination with the Information Security Steering Committee, document an enterprise-wide continuous monitoring strategy that includes a continuous monitoring policy and assesses the security state of information systems and is consistent with Federal Information Security Management Act requirements, Office of Management and Budget policy, and applicable National Institute of Standards and Technology guidelines.
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
OIG recommends system owners (bureaus and posts) follow the Foreign Affairs Manual (12 FAM 620) to have the supervisor complete the appropriate system access forms (for example, new user access and elevated rights) prior to granting access.
Sensitive Information Redacted
Sensitive Information Redacted
OIG recommends that management review their Active Directory Organizational Units structure and correct any Organizational Units that do not follow the guidance stated within the Active Directory and Global Address List Standardization.
Sensitive Information Redacted
OIG recommends that the system owners, in coordination with Chief Information Officer and the Bureau of Information Resource Management, Office of Information Assurance, perform and review contingency plan testing annually, including validating system backups and establishing an alternate site strategy in accordance with the Foreign Affairs Manual (5 FAM 1064), National Institute of Standards and Technology (NIST) Special Publication (SP) 800-34, Revision 1, and NIST SP 800-53, Revision 3.
OIG recommends that the Chief Information Officer, in coordination with the contingency planning coordinator, identify an alternate processing site, alternate storage site, and alternate telecommunications servers for each system in accordance with National Institute of Standards and Technology Special Publication 800-34, Revision 1.
OIG recommends that the Office of Emergency Management, in coordination with the Emergency Action Committee for each bureau, conduct its annual review and certify its Bureau Emergency Action Plans in accordance with the Foreign Affairs Manual (6 FAM 400).
OIG recommends that data center managers enforce the log and record keeping policy to show that system backups are being performed in accordance with the Foreign Affairs Manual (12 FAM 620).
OIG recommends that the Chief Information Officer, in coordination with the Bureau of Information Resource Management, Office of Information Assurance, and the Bureau of Diplomatic Security, consolidate and track all extensions (for example, contractor sites, other Government agencies, and third-party vendors) within iMatrix, in accordance with the Foreign Affairs Manual (5 FAM 600).
OIG recommends that the Chief Information Officer, in coordination with the Bureau of Diplomatic Security, ensure that annual physical inspections are completed for all OpenNet and ClassNet extensions as defined within each Memorandum of Understanding.
OIG recommends that the Bureau of Diplomatic Security, in coordination with the applicable bureau Information System Security Officers for each contractor and government extension, ensure that all Memorandums of Understanding for extensions contain the required clearance levels for users and that those users are cleared as defined in the Foreign Affairs Manual (5 FAM 1065).
OIG recommends that the Bureau of Diplomatic Security, in coordination with the Bureau of Resource Management, suspend user accounts for unverified individuals at the International Boundary and Water Commission until the required background screenings are completed as required by the Memorandum of Understanding.
OIG recommends the Chief Information Officer, in coordination with the Bureau of Information Resource Management, Office of Information Assurance, and the Bureau of Diplomatic Security, Security Infrastructure, Office of Computer Security, finalize the Information Assurance Training Plan to ensure key information technology personnel with security responsibilities take specialized, role-based security training, as required by National Institute of Standards and Technology Special Publication 800-53, Revision 3.
OIG recommends the Chief Information Officer, in coordination with the Bureau of Information Resource Management, Office of Information Assurance, and the Bureau of Diplomatic Security, implement a tracking mechanism for role-based training to ensure that personnel with significant security responsibilities receive the appropriate training according to the Information Assurance Training Plan in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 3.
OIG recommends that the Bureau of Information Resource Management, Operations, Messaging Systems Office, E-Mail Operations Division, Mobile Computing, update the Foreign Affairs Manual (5 FAM 460 and 12 FAM 680) to replace the OpenNet Everywhere system with Global OpenNet, including the Mobile Computing Management System enrollment process, as the only remote access system for approved users.
