The inspector general found multiple expired authorizations to operate.
Some of the State Department’s key human resources information system processes are operating with expired authorities to operate and require management intervention, according to a State Department Office of Inspector General audit released in early July.
The audit serves as a review of information system processes within the State Department’s Office of Technology Services, housed within the Bureau of Global Talent Management. OTS develops and maintains information systems that support human resources and business processes across State’s global footprint.
Auditors found four of OTS’ six information systems had expired authorizations to operate, “contrary to department standards.” Under Federal Information Processing Standard 199, the four systems in question were categorized as having a “moderate security impact,” meaning the “loss of confidentiality, integrity, or availability of the systems and their data could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.” The ATO process ensures required security controls are implemented properly, and auditors noted that systems with outdated ATOs are at increased risk of compromise.
Auditors also pointed out other problems within the office. OTS’ systems development lifecycle process “lacked documented management approvals” and did not designate a central location for project documentation storage, according to auditors. In addition, the office failed to perform ongoing security controls assessments—in violation of State Department standards—and designated third-party contractors to key positions. Auditors found OTS designated a contractor as the information systems security officer, contrary to department standards, which require the position be filled with a direct-hire employee.
“The current ISSO designation could potentially limit the effectiveness of the ISSO oversight protection performed for OTS,” the audit states.
OIG made 10 recommendations to the Bureau of Global Talent Management, which concurred with each recommendation.
Source: https://www.nextgov.com/cybersecurity/2021/07/key-state-department-systems-require-management-attention-ig-says/183605/