The Conversation

Did the State Department's William Lay deserve IG criticism?

Does the State Department's William Lay deserve the criticism leveled at him in a recent IG report? Some readers say no. (File photo)

Several readers reacted strongly to an article FCW published July 19 covering a State Department Inspector General report on the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA).

Some readers were critical of FCW’s reporting on the IG’s findings, which included criticism against Chief Information Security Officer William Lay, who heads the Bureau.

One reader wrote: This article and the report are totally unfair to the CISO. Mr. Lay just arrived only months before this inspection, and inherited decisions from other people already departed. I am glad there are some positive things in this, but this seems to be placing a lot of blame on the CISO, without even letting him settle in and sort out the pieces left behind.

Another reader wrote: Any of the major takeaways from this IG report (lack of vision, disregard for standard operating procedures, abusive authority, inconsistent and ineffective strategy, etc...) are already occurring at DHS since the former State CISO took control at DHS-FNR. [Federal Network Resilience.] The DHS IGs better wake up because what happened at State isn't an isolated event. Someone in the IG better take a close look at what is happening in FNR before the crew that provided the miserable iPost solution completely tanks the 180+ million DHS continuous monitoring effort.

Another reader wrote: Amazing . . . . The previous CISO leaves a total disaster behind as he rides a wave of glory into a new position at DHS, leaving his replacement (Lay) to take the blame. Pathetic.

Still another wrote: Is anyone surprised at this report? Does anyone think the Department of State really cares about the report? A Department spokesman states "The Department takes the OIG feedback seriously and is committed to addressing the recommendations and the concerns that led to the assessment." All one has to do is to review the last four or five OIG annual FISMA audits to see that the OIG has been documenting these issues for years. Who cares!!!!

Frank Konkel responds: I reached out to the State Department’s Inspector General’s office on this matter and was told that the report provides a “historical snapshot” of the bureau at any given point in time. I believe Lay, while new on the job, happened to be the guy in charge when the IG came looking around, so he’s going to shoulder some blame for the bureau’s problems. The IG report balances praise and criticism for Lay, and I believe our report portrays that fairly.

However, most of the criticism by the IG is bureau-wide, and a slew of the problems documented in the report certainly predate Lay’s tenure, which began in September 2012. Major issues like the bureau operating without a mission statement and mishandling its certification and accreditation processes were either not fixed or not addressed by Lay’s predecessor, John M. Streufert, who held the position from February 2008 to January 2012, or almost four years.

Streufert now works as the director of Federal Network Resilience at the Department of Homeland Security. I sent a request for comment to DHS on the matter, but didn’t hear back, so I can’t say anything more on that. But I do agree with reader perspectives that Lay, hired nine months ago, should not bear the brunt of responsibility for documented problems that were years in the making.

Posted by Frank Konkel on Jul 24, 2013 at 12:03 PM



Reader comments

Fri, Dec 13, 2013

C&A should be transformed into an automated, operational rendering of the current IT Security posture of an organization. The real IT Security issue is not addressed in the IG reports. John Streufert knew this and pursued operational IT Security as a goal. Would you rather have an operationally secure IT environment, or a fully-documented IT environment that is full of unattended security holes? With the current egregious cybersecurity climate, combined with government staffing/funding issues, it is unlikely both can transpire at any organization. Pick your poison.

Mon, Aug 5, 2013

Something you may not know is that IG denied a request from the Department's HR RMA group for the artifacts gathered that supported the IG's report (conclusions). As it stands right now, there is no evidence to support the IG's report.

Tue, Jul 30, 2013 State Tech

Lay may well be trouble for State (so far he's quite unimpressive), but don't crap on iPost in a discussion of the current or the former CISO. This approach works and should be improved, not abandoned. This is not a technical article, but one would be welcomed.

Fri, Jul 26, 2013 Jack

Frank, you are really on to something here. You need to keep digging. Look at what happened to VA, NASA and State Department when they tried to "move away" to the "monitor these four controls" approach.

Fri, Jul 26, 2013

What happened here at DoS is only the beginning. The scary side: the DHS' Continuous Diagnostics and Mitigation (CDM) Program is using iPost's model and success story to argue this approach can automate the certification and accreditation process. The scarier side: OMB is actually buying into this nonsense and is considering removing the three-year requirement. Frank, you need to dig deeper into the subject.
