Did the State Department's William Lay deserve IG criticism?

Does the State Department's William Lay deserve the criticism leveled at him in a recent IG report? Some readers say no. (File photo)

Several readers reacted strongly to an article FCW published July 19 covering a State Department Inspector General report on the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA).

Some readers were critical of FCW’s reporting on the IG’s findings, which included criticism of Chief Information Security Officer William Lay, who heads the Bureau.

One reader wrote: This article and the report are totally unfair to the CISO. Mr. Lay just arrived only months before this inspection, and inherited decisions from other people already departed. I am glad there are some positive things in this, but this seems to be placing a lot of blame on the CISO, without even letting him settle in and sort out the pieces left behind.

Another reader wrote: Any of the major takeaways from this IG report (lack of vision, disregard for standard operating procedures, abusive authority, inconsistent and ineffective strategy, etc...) are already occurring at DHS since the former State CISO took control at DHS-FNR. [Federal Network Resilience.] The DHS IGs better wake up because what happened at State isn't an isolated event. Someone in the IG better take a close look at what is happening in FNR before the crew that provided the miserable iPost solution completely tanks the 180+ million DHS continuous monitoring effort.

Another reader wrote: Amazing . . . . The previous CISO leaves a total disaster behind as he rides a wave of glory into a new position at DHS, leaving his replacement (Lay) to take the blame. Pathetic.

Still another wrote: Is anyone surprised at this report? Does anyone think the Department of State really cares about the report? A Department spokesman states "The Department takes the OIG feedback seriously and is committed to addressing the recommendations and the concerns that led to the assessment." All one has to do is to review the last four or five OIG annual FISMA audits to see that the OIG has been documenting these issues for years. Who cares!!!!

Frank Konkel responds: I reached out to the State Department’s Inspector General’s office on this matter and was told that the report provides a “historical snapshot” of the bureau at any given point in time. I believe Lay, while new on the job, happened to be the guy in charge when the IG came looking around, so he’s going to shoulder some blame for the bureau’s problems. The IG report balances praise and criticism for Lay, and I believe our report portrays that fairly.

However, most of the criticism by the IG is bureau-wide, and a slew of the problems documented in the report certainly predate Lay’s tenure, which began in September 2012. Major issues like the bureau operating without a mission statement and mishandling its certification and accreditation processes were either not fixed or not addressed by Lay’s predecessor, John M. Streufert, who held the position from February 2008 to January 2012, or almost four years.

Streufert now works as the director of Federal Network Resilience at the Department of Homeland Security. I sent a request for comment to DHS on the matter, but didn’t hear back, so I can’t say anything more on that. But I do agree with reader perspectives that Lay, hired nine months ago, should not bear the brunt of responsibility for documented problems that were years in the making.

Posted by Frank Konkel on Jul 24, 2013 at 12:03 PM

Reader comments

Fri, Dec 13, 2013

C&A should be transformed into an automated, operational rendering of the current IT Security posture of an organization. The real IT Security issue is not addressed in the IG reports. John Streufert knew this and pursued operational IT Security as a goal. Would you rather have an operationally secure IT environment, or a fully-documented IT environment that is full of unattended security holes? With the current egregious cybersecurity climate, combined with government staffing/funding issues, it is unlikely both can transpire at any organization. Pick your poison.

Mon, Aug 5, 2013

Something you may not know is that IG denied a request from the Department's HR RMA group for the artifacts gathered that supported the IG's report (conclusions). As it stands right now, there is no evidence to support the IG's report.

Tue, Jul 30, 2013 State Tech

Lay may well be trouble for State (so far he's quite unimpressive), but don't crap on iPost in a discussion of the current or the former CISO. This approach works and should be improved, not abandoned. This is not a technical article, but one would be welcomed.

Fri, Jul 26, 2013 Jack

Frank, you are really on to something here. You need to keep digging. Look at what happened to VA, NASA and State Department when they tried to "move away" to the "monitor these four controls" approach.

Fri, Jul 26, 2013

What happened here at DoS is only the beginning. The scary side, the DHS' Continuous Diagnostics and Mitigation (CDM) Program is using the iPost's model and success story to argue this approach can automate the certification and accreditation process. The scarier side, OMB is actually buying into this non-sense and are considering removing the three year requirement. Frank, you need to dig deeper into the subject.
