Highlights

The Department of State (State) has implemented a custom application called iPost and a risk scoring program that is intended to provide continuous monitoring of information security risk to elements of its information technology (IT) infrastructure. Continuous monitoring can support risk management that is closer to real time and represents a significant change from the way information security activities have been conducted in the past. GAO was asked to determine (1) the extent to which State has identified and prioritized risk to the department in its risk scoring program; (2) how agency officials use iPost information to implement security improvements; (3) the controls for ensuring the timeliness, accuracy, and completeness of iPost information; and (4) the benefits and challenges associated with implementing iPost. To do this, GAO analyzed program documentation and compared it to relevant standards, interviewed and surveyed department officials, and performed analyses on iPost data.


Recommendations

Recommendations for Executive Action

Agency Affected: Department of State
Recommendation 1: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to incorporate the results of iPost's monitoring of controls into key security documents such as the OpenNet security plan, security assessment report, and plan of action and milestones.
Status: Closed - Not Implemented
Comments: State Department did not provide adequate documentation to demonstrate implementation of this recommendation.

Agency Affected: Department of State
Recommendation 2: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to document existing controls intended to ensure the timeliness, accuracy, and completeness of iPost data.
Status: Closed - Not Implemented
Comments: State Department asserted that the agency: (a) maintained full scan schedules in an Excel spreadsheet for all domains; (b) verified daily that scans are being completed without errors and on schedule; (c) generated reports upon completion of a scan; (d) tracked the scan rate to meet the enterprise's goal. However, State did not provide adequate evidentiary support so that we could verify these assertions.

Agency Affected: Department of State
Recommendation 3: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to develop, document, and implement procedures for validating data and reviewing and reconciling output in iPost to ensure data consistency, accuracy, and completeness.
Status: Closed - Not Implemented
Comments: State Department asserted the following: (a) a risk score is applied based on the severity of the vulnerability in order to garner the attention of the ISSO and/or system owner; (b) the Post Administration Tool (PAT) is readily available for system owners to use in order to remediate vulnerabilities; (c) System Center Configuration Manager (SCCM) is utilized to assist in maintaining up-to-date versions and pushing patches; (d) there are dedicated teams to assist system owners with issues surrounding remediation (i.e., patch management, SMS, DSE, etc.). However, State did not provide adequate support so that we could verify these assertions.

Agency Affected: Department of State
Recommendation 4: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to clearly identify in iPost individuals with site-level responsibility for monitoring the security state and ensuring the resolution of security weaknesses of Windows hosts.
Status: Closed - Not Implemented
Comments: State did not provide adequate support so that we could verify that a documented and implemented process exists to ensure that ISSOs and/or system managers are responsible for monitoring the security state.

Agency Affected: Department of State
Recommendation 5: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to implement procedures to consistently notify senior managers at sites with low security grades of the need for corrective actions, in accordance with department criteria.
Status: Closed - Implemented
Comments: In fiscal year 2015, we verified that State, in response to our recommendation, developed a Risk Reduction Summary report that identifies sites with low security grades needing assistance for corrective actions.

Agency Affected: Department of State
Recommendation 6: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to develop, document, and maintain an iPost configuration management and test process.
Status: Closed - Not Implemented
Comments: State did not provide an iPost configuration management standard operating procedure for operational units, domestic sites/bureaus, and overseas posts as requested.

Agency Affected: Department of State
Recommendation 7: To improve implementation of iPost at State, the Secretary of State should direct the Chief Information Officer to develop, document, and implement a continuous monitoring strategy that addresses risk, to include changing threats, vulnerabilities, technologies, and missions/business processes.
Status: Closed - Implemented
Comments: In fiscal year 2015, we verified that State, in response to our recommendation, developed, documented, and implemented an information security continuous monitoring strategy that outlines improvements to the implementation of the six-step risk management framework, the acquisition and implementation of tools to scan and aggregate sensor and other data for analysis supporting situational awareness, and the implementation of a risk executive function to establish organizational tolerance and guide agency risk decisions.
