The State Department’s Inspector General identified information technology (IT) planning deficiencies in almost 70 percent of overseas inspections performed in FY 2014 and 2015, the Office of Inspector General (OIG) said in a report released early in February.
The report, Management Assistance Report: Continued Deficiencies Identified in Information Technology Contingency Planning, said the issues include information management staff at posts not developing, updating, or testing IT contingency plans, as well as existing plans that lack appropriate key stakeholders and contact information as part of emergency preparedness.
In all, 69 percent (20 of 29) of overseas inspections the OIG performed in 2014 and 2015 had these kinds of failures.
This is contrary to requirements set forth in the Foreign Affairs Manual (FAM) and the National Institute of Standards and Technology (NIST) Special Publication 800-34, Contingency Planning Guide for Federal Information Systems.
Contingency planning for IT systems works “by establishing thorough plans, procedures, and technical measures that can enable a post to recover as quickly and effectively as possible after an unforeseen incident,” the IG report said.
The measures can allow a State Department post to better recover information system services after major disruptions, like a cyber attack or local instability. Contingency plans help a post recover information by relocating to an alternate site, using alternate equipment, or performing information system functions using manual methods.
The contingency planning process involves several steps: developing a contingency planning process, conducting a business impact analysis, identifying preventive controls, creating contingency strategies, developing a contingency plan, ensuring contingency plan testing and training, and maintaining and updating the plan on a regular basis.
In contrast, the OIG found only 12 percent (32 of 272) of information management officers or the most senior information management personnel at embassies and consulates had a stated work requirement to develop and test IT contingency plans. The 5 FAM 825 and 5 FAM 826 sections of the manual specifically state that the overseas information management staff has responsibility for the development and testing of IT contingency plans, the report said.
The department’s overseas IT contingency planning faults are not new. In 2011, the OIG issued a memorandum to the Bureau of Information Resource Management with two recommendations on the topic. The bureau, in compliance responses, stated it was preparing to implement a tracking mechanism and develop a SharePoint site to capture risk scoring compliance for posts and bureaus.
“However, after four years the bureau still lacks a tracking mechanism and a SharePoint site as mentioned in their compliance responses,” the OIG said.
Therefore, the OIG recommends “the Bureau of Information Resource Management, in coordination with the regional bureaus, should include the requirement to complete and test information technology contingency plans in the work requirements for information management personnel.”
The report did not identify which postings were deficient or in what specific ways.