Report Recommendations
OIG recommends that the Chief Information Officer, in coordination with the Information Security Steering Committee, implement a risk management framework strategy for the Department that is consistent with Federal Information Security Management Act requirements, Office of Management and Budget policy, and applicable National Institute of Standards and Technology guidelines.
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
OIG recommends that the Bureau of Information Resource Management, Office of Information Assurance, in coordination with system owners (bureaus and posts), follow the Foreign Affairs Manual (12 FAM 620) and have the supervisor complete the appropriate system access forms (for example, new user access and elevated rights) prior to granting access.
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
OIG recommends that the Chief Information Officer, in coordination with the Information Security Steering Committee, exercise the authorities prescribed in the Foreign Affairs Manual (1 FAM 040 and 5 FAM 119) and direct bureaus and/or offices to prioritize resources to effectively implement and validate remediation actions prior to closing Plans of Action and Milestones.
OIG recommends that system owners, in coordination with the Bureau of Information Resource Management, Office of Information Assurance, ensure that bureaus, offices, and posts adhere to completion dates for corrective actions and/or ensure that the remediation dates are updated, as needed. In addition, OIG recommends system owners implement processes and procedures to cross-reference Plans of Action and Milestones information, including costs, to the capital planning budget process with a Unique Investment Identifier.
OIG recommends that the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA), consistently assess overall bureau risk and provide bureaus with Quarterly Plans of Action & Milestones Grade memoranda. In addition, OIG recommends that bureaus and/or offices provide written responses for the Quarterly Plans of Action & Milestones Grade memoranda to IRM/IA.
OIG recommends that the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA), define a time period for bureaus and/or offices to include identified deficiencies resulting from audits into the Plans of Action and Milestones (POA&M) database and communicate findings to IRM/IA in accordance with Office of Management and Budget Memorandum M-11-33.
OIG recommends that the Bureau of Information Resource Management, Office of Information Assurance, in coordination with system owners, identify deficiencies resulting from the vulnerability scans performed by the Bureau of Diplomatic Security, Security Infrastructure Directorate, Office of Computer Security, and include those vulnerabilities that are not immediately remediated in the Plans of Action and Milestones database in accordance with Office of Management and Budget Memorandum M-11-33.
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
Sensitive Information Redacted
OIG recommends that the Chief Information Officer, in coordination with the Bureau of Information Resource Management, Office of Information Assurance, and the Bureau of Diplomatic Security's Security Infrastructure Directorate, Office of Computer Security, finalize the Information Assurance Training Plan to ensure key information technology personnel with security responsibilities for the Department take specialized role-based security training as required by National Institute of Standards and Technology Special Publication 800-53, Revision 4.
OIG recommends that the Chief Information Officer, in coordination with the Bureau of Information Resource Management, Office of Information Assurance, and the Bureau of Diplomatic Security's Security Infrastructure Directorate, Office of Computer Security, implement a tracking mechanism for role-based training, in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 4, to ensure that personnel with significant security responsibilities receive the appropriate training according to the Information Assurance Training Plan.
OIG recommends that the Information System Steering Committee, in coordination with the Bureau of Information Resource Management, Office of Information Assurance, and the Bureau of Diplomatic Security's Security Infrastructure Directorate, Office of Computer Security, implement a general security awareness course specific to users who have only ClassNet access and no OpenNet access, to ensure that those personnel receive the appropriate general security awareness training in accordance with National Institute of Standards and Technology Special Publication 800-53, Revision 4.
Sensitive Information Redacted
Sensitive Information Redacted
OIG recommends that the Bureau of Diplomatic Security, Security Infrastructure Directorate, Office of Computer Security, update the Computer Incident Response Team Standard Operating Procedures to require the Computer Incident Response Team to notify the Bureau of Diplomatic Security, Security Infrastructure Directorate, Office of Information Security, Program Applications Division, and the U.S. Computer Emergency Readiness Team in the event of a potential data spillage prior to closing a security incident ticket.
