This may make you grind your teeth ...
Within the U.S. Department of State there is the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA). This bureau was "established to address the information security requirements outlined in Title III of the E-Government Act of 2002" and is:
... responsible for the Department's cyber security program [which includes] information assurance policies, standards, and guidelines; and compliance with National Security directives. The key programs of IRM/IA include cyber security management, which is comprised of policy development, risk management, systems authorizations, performance measures, and annual reporting for [Federal Information Security Management Act of 2002 (FISMA)]. IRM/IA collaborates with [Bureau of Diplomatic Security (DS)] on information security responsibilities.
This is obviously a very important role, as the bureau deals with critical federal State Department security matters, but in July this year the Office of Inspector General of the United States Department of State and the Broadcasting Board of Governors issued a report that found the office:
- ... does not fulfill all those requirements. The majority of the required functions are performed by Department of State (Department) offices other than IRM/IA.
- The current workload of IRM/IA does not justify its organizational structure, resources, or status as an IRM directorate.
- The mishandling of the certification and accreditation (C&A) process and contract by IRM/IA, including development of tools and guidance and reviews of C&A packages has contributed to expired authorizations to operate 52 of the Department's 309 systems.
- No single Department bureau has full responsibility for the information systems security officer (ISSO) program. Both IRM and the Bureau of Diplomatic Security (DS) directly or indirectly support the ISSO program, resulting in confusion among personnel on requirements and guidance. The involvement of both bureaus also wastes personnel resources.
- IRM/IA lacks adequate management controls and procedures to monitor its contracts, task orders, and blanket purchase agreements, which have an approximate value of $79 million.
- IRM/IA has no mission statement and is not engaged in strategic planning.
So, how did this happen? Unfortunately the report doesn't analyze the history of the bureau, but according to a FierceGovernmentIT posting:
Rather than dissolve the office and simply let other parts of the department take on portions of its responsibilities, the OIG does see value in keeping the office as a central point for cybersecurity at State. The report makes 32 recommendations and 4 informal recommendations for righting the ship.
In short, this bureau of the State Department, founded some nine years ago, is now an abject failure. While there's the possibility of the bureau being salvaged, it raises some interesting questions about who's in charge and whether they are actually doing their job.
If only this were the only US governmental department bureau to waste our tax dollars ...