IG raps cybersecurity at State

The State Department's cybersecurity plans are inadequate, the department's inspector general reported recently. But State's chief information officer said there aren't enough resources to do everything.

The recent IG report, "Critical Infrastructure Protection: The Department Can Enhance Its International Leadership and Its Own Cyber Security," found that State did not include foreign operations in its plans as required by Presidential Decision Directive 63 (PDD 63).

State's critical infrastructure protection plan does not, for example, assess vulnerabilities in its interagency connections, and it does not specify how the department will ensure that all employees and contractors are trained in required concepts and skills for protecting critical infrastructure systems, according to the report.

"Implementing well-organized approaches to ensure all employees receive required security awareness, training and education will strengthen the department's security readiness," the IG report stated.

Fernando Burbano, State's CIO, is working to address the IG's recommendations. But he also noted that State and other agencies have not had the resources to adequately fund cybersecurity mandates. "There's no money behind it."

PDD 63, signed by President Clinton in May 1998, requires federal agencies to protect information systems that support the nation's critical infrastructure, including electricity, telecommunications and government services.

State has had a number of security lapses recently, most notably last year's disappearance of a notebook computer containing classified information.

The IG also found that the department's critical infrastructure protection plan and vulnerability assessments did not address the minimum requirements for its overseas operations as required by PDD 63, nor did they address the role and responsibilities of the lead person at each post in protecting that infrastructure.

"Foreign operations are essential to U.S. government foreign policy and relations, national defense and U.S. interests abroad," the IG report stated.

Furthermore, the IG found that State officials did not address the requirement that they conduct periodic assessments of their security controls. The IG review was conducted in conjunction with a President's Council on Integrity and Efficiency assessment of PDD 63's implementation at agencies.

Although the Office of Management and Budget has argued otherwise, Burbano said that many of the requirements are new and that agencies need money to implement those security provisions.

He has been pushing for a pool of money for security fixes similar to the emergency fund that enabled agencies to address the Year 2000 problem.

Furthermore, Burbano said that because of the government's drawn-out budget cycle, there is typically a two-year gap between when agencies request money and when the funds are approved.

"Until we get the proper amount of money and get the budget cycle in sync, we are stuck in this gap," he said.

About the Author

Christopher J. Dorobek is the co-anchor of Federal News Radio’s afternoon drive program, The Daily Debrief with Chris Dorobek and Amy Morris, and the founder, publisher and editor of the DorobekInsider.com, a leading blog for the Federal IT community.

Dorobek joined Federal News Radio in 2008 with 16 years of experience covering government issues with an emphasis on government information technology. Prior to joining Federal News Radio, Dorobek was editor-in-chief of Federal Computer Week, the leading news magazine for government IT decision-makers and the flagship of the 1105 Government Information Group portfolio of publications. As editor-in-chief, Dorobek served as a member of the senior leadership team at 1105 Government Information Group, providing daily editorial direction and management for FCW magazine, FCW.com, Government Health IT and its other editorial products.

Dorobek joined FCW in 2001 as a senior reporter and assumed increasing responsibilities, becoming managing editor and executive editor before being named editor-in-chief in 2006. Prior to joining FCW, Dorobek was a technology reporter at PlanetGov.com, one of the first online community centers for current and former government employees. He also spent five years at Government Computer News, another leading industry publication, covering a variety of federal IT-related issues.

Dorobek is a frequent speaker on issues involving the government IT industry, and has appeared as a frequent contributor to NewsChannel 8’s Federal News Today program. He began his career as a reporter at the Foster’s Daily Democrat, a daily newspaper in Dover, N.H. He is a graduate of the University of Southern California. He lives in Washington, DC.

