
Did the State Department's William Lay deserve IG criticism?

Does the State Department's William Lay deserve the criticism leveled at him in a recent IG report? Some readers say no. (File photo)

Several readers reacted strongly to an article FCW published July 19 covering a State Department Inspector General report on the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA).

Some readers were critical of FCW’s reporting on the IG’s findings, which included criticism against Chief Information Security Officer William Lay, who heads the Bureau.

One reader wrote: This article and the report are totally unfair to the CISO. Mr. Lay just arrived only months before this inspection, and inherited decisions from other people already departed. I am glad there are some positive things in this, but this seems to be placing a lot of blame on the CISO, without even letting him settle in and sort out the pieces left behind.

Another reader wrote: Any of the major takeaways from this IG report (lack of vision, disregard for standard operating procedures, abusive authority, inconsistent and ineffective strategy, etc...) are already occurring at DHS since the former State CISO took control at DHS-FNR. [Federal Network Resilience.] The DHS IGs better wake-up because what happened at State isn't an isolated event. Someone in the IG better take a close look at what is happening in FNR before the crew that provided the miserable iPost solution completely tanks the 180+ million DHS continuous monitoring effort.

Another reader wrote: Amazing . . . . The previous CISO leaves a total disaster behind as he rides a wave of glory into a new position at DHS, leaving his replacement (Lay) to take the blame. Pathetic.

Still another wrote: Is anyone surprised at this report? Does anyone think the Department of State really cares about the report? A Department spokesman states "The Department takes the OIG feedback seriously and is committed to addressing the recommendations and the concerns that led to the assessment." All one has to do is to review the last four or five OIG annual FISMA audits, to see that the OIG has been documenting these issues for years. Who cares!!!!

Frank Konkel responds: I reached out to the State Department’s Inspector General’s office on this matter and was told that the report provides a “historical snapshot” of the bureau at any given point in time. I believe Lay, while new on the job, happened to be the guy in charge when the IG came looking around, so he’s going to shoulder some blame for the bureau’s problems. The IG report balances praise and criticism for Lay, and I believe our report portrays that fairly.

However, most of the criticism by the IG is bureau-wide, and a slew of the problems documented in the report certainly predate Lay’s tenure, which began in September 2012. Major issues like the bureau operating without a mission statement and mishandling its certification and accreditation processes were either not fixed or not addressed by Lay’s predecessor, John M. Streufert, who held the position from February 2008 to January 2012, or almost four years.

Streufert now works as the director of Federal Network Resilience at the Department of Homeland Security. I sent a request for comment to DHS on the matter, but didn’t hear back, so I can’t say anything more on that. But I do agree with reader perspectives that Lay, hired nine months ago, should not bear the brunt of responsibility for documented problems that were years in the making.

Posted by Frank Konkel on Jul 24, 2013 at 12:03 PM

Reader comments

Fri, Dec 13, 2013

C&A should be transformed into an automated, operational rendering of the current IT Security posture of an organization. The real IT Security issue is not addressed in the IG reports. John Streufert knew this and pursued operational IT Security as a goal. Would you rather have an operationally secure IT environment, or a fully-documented IT environment that is full of unattended security holes? With the current egregious cybersecurity climate, combined with government staffing/funding issues, it is unlikely both can transpire at any organization. Pick your poison.

Mon, Aug 5, 2013

Something you may not know is that IG denied a request from the Department's HR RMA group for the artifacts gathered that supported the IG's report (conclusions). As it stands right now, there is no evidence to support the IG's report.

Tue, Jul 30, 2013 State Tech

Lay may well be trouble for State (so far he's quite unimpressive), but don't crap on iPost in a discussion of the current or the former CISO. This approach works and should be improved, not abandoned. This is not a technical article, but one would be welcomed.

Fri, Jul 26, 2013 Jack

Frank, you are really on to something here. You need to keep digging. Look at what happened to VA, NASA and State Department when they tried to "move away" to the "monitor these four controls" approach.

Fri, Jul 26, 2013

What happened here at DoS is only the beginning. The scary side, the DHS' Continuous Diagnostics and Mitigation (CDM) Program is using the iPost's model and success story to argue this approach can automate the certification and accreditation process. The scarier side, OMB is actually buying into this nonsense and is considering removing the three year requirement. Frank, you need to dig deeper into the subject.
