Report Contents
(U) Summary of Project
(U) The purpose of this Management Assistance Report is to present the Office of Inspector General’s (OIG) analysis of unclassified OIG recommendations addressed to the Bureau of Information Resource Management (IRM) that were open as of July 30, 2021. The OIG analysis was performed to identify duplicative recommendations and to group the open recommendations by topic area (see Appendices A-M) to highlight their importance and facilitate management action to close them.
(U) On the basis of its analysis, OIG determined that 3 of 107 unclassified, open recommendations from 19 reports addressed to IRM were duplicative. As a result, OIG is closing these recommendations with the issuance of this report. Furthermore, in August 2021, OIG closed an additional 14 of 107 recommendations addressed to IRM as part of its compliance process. With respect to the remaining 90 unclassified, open recommendations, it is important to note that some of these recommendations have remained open since 2014. In addition, as of August 2021, OIG has 26 open recommendations related to configuration management, which the National Institute of Standards and Technology (NIST) considers to be critical in “providing adequate information security and supporting an organization’s risk management process.”[1]
(U) According to the Foreign Affairs Manual (FAM), the Under Secretary for Management is the Department’s designated OIG follow-up official who is responsible for ensuring that corrective action is taken on OIG recommendations.[2] Therefore, to facilitate the closure of the unclassified, open recommendations addressed to IRM, OIG offered two recommendations to the Acting Under Secretary for Management. On the basis of the Acting Under Secretary for Management’s response to a draft of this report, OIG considers one recommendation unresolved and one recommendation closed. A synopsis of the Acting Under Secretary for Management’s response to the recommendations offered and OIG’s reply follow each recommendation in the Conclusion section of this report. The Acting Under Secretary for Management’s response is reprinted in its entirety in Appendix N.
[1] (U) NIST, Special Publication (SP) 800-128, “Guide for Security-Focused Configuration Management of Information Systems,” 1 (August 2011).
[2] (U) 1 FAM 044.1(10)(d), “Responsibilities.”
Report Recommendations
OIG recommends that the Under Secretary for Management verify that the Bureau of Information Resource Management (IRM) has developed plans of action and milestones, as required by the National Institute of Standards and Technology, Special Publication 800-53, rev. 4, to address each open OIG recommendation. The plans of action and milestones should document planned remedial actions to correct the deficiencies identified. If the Under Secretary for Management determines that IRM has not developed or maintained plans of action and milestones for each open OIG recommendation, the Under Secretary for Management should direct IRM to take action to comply with standards.
OIG recommends that the Under Secretary for Management develop and implement a methodology to periodically review the status of the Bureau of Information Resource Management’s efforts to implement open OIG recommendations, as described in its plans of action and milestones (Recommendation 1).
