United States Department of State Office of Inspector General, Management Assistance Report: Deficiencies Reported in Cyber Security Assessment Reports Remain Uncorrected (ISP-17-39), July 2017. Unclassified.
National Security Archive
The 2017 OIG report exposes a bureaucratic blind spot: recommendations from embassy cyber‑security assessments went unimplemented for months or years, and no process existed to verify that the flagged weaknesses were ever fixed.
Source: United States Department of State Office of Inspector General, Management Assistance Report: Deficiencies Reported in Cyber Security Assessment Reports Remain Uncorrected (ISP-17-39), July 2017. Unclassified. Date: Jul 1, 2017 Archive: State Department OIG
Editorial Analysis
Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.
A Stubborn Gap in Embassy Cyber Hygiene
The July 2017 Management Assistance Report from the State Department’s Office of Inspector General (OIG) is not a technical manual but a bureaucratic wake‑up call. It documents a pattern that emerged after the Federal Information Security Management Act of 2002 (FISMA) and the Federal Information Security Modernization Act of 2014 required every federal agency to develop, document and implement an effective information‑security program. The Department of State assigned many of those responsibilities to the Bureau of Diplomatic Security (DS). One of the methods DS uses to meet them is the Regional Cyber Security Officer (RCSO) program, whose officers conduct on‑site Cyber Security Assessments (CSAs) at embassies, consulates and other overseas posts.
The OIG review examined 50 overseas inspection reports issued between February 2014 and March 2017. In 23 cases DS had already performed a CSA at the post, and in 18 of those the subsequent OIG inspection repeated the same IT recommendations, covering inadequate performance of information systems security officer duties, incomplete or untested IT contingency plans, unidentified or noncompliant dedicated internet networks, and physical, technical and administrative control weaknesses. The report’s stark finding: DS neither required posts to implement CSA recommendations nor had any process to verify that they had. The assessments existed on paper, but the corrective loop never closed.
Why the Report Matters in the Broader Cyber‑Security Narrative
The document sits at the intersection of two currents. First, the post‑9/11 expansion of U.S. cyber‑defense policy, in which FISMA became a cornerstone of federal risk management. Second, the growing recognition that diplomatic missions are high‑value targets for nation‑state intrusion, underscored by the publicly reported 2014 compromise of the State Department’s unclassified email system. The OIG’s 2017 finding therefore highlights a structural weakness in the very institutions tasked with safeguarding the nation’s diplomatic communications.
By flagging the lack of a compliance‑tracking mechanism, the report implicitly questions the efficacy of the RCSO model. The program’s mandate, to “protect and secure information on Department computer systems,” rests on CSA reports that are advisory: as the OIG notes, posts are not required to implement their recommendations or suggestions. Without a mandated remediation pathway, posts can defer or ignore recommendations, leaving the same weaknesses exposed for years. For the posts identified, the interval between the CSA report and the OIG inspection that repeated its findings ranged from one month to forty‑one months, averaging over ten months.
Actors, Intentions, and What the Language Reveals
The primary actors are the OIG, the Bureau of Diplomatic Security (DS), and the Bureau of Information Resource Management (IRM). The OIG, as an internal watchdog, frames its role as “management assistance,” a phrasing that signals both critique and a willingness to help fix the problem. Its recommendation, that DS coordinate with IRM and the regional bureaus to require implementation and to institute a tracking and verification process, is precise rather than merely admonitory. The report’s language is careful: it cites statutory authority (FISMA) and Department policy (1 FAM 262.7(1) and 1 FAM 262.7‑2) to underline that DS already owns the responsibility for providing posts with technical guidance on their vulnerabilities, yet it also points out that DS “does not require posts to implement CSA recommendations.” This contrast exposes a gap between policy and practice, and suggests a culture that prioritized reporting over remediation.
The DS response, reproduced in Appendix B below, concurs with the recommendation and commits DS to work with IRM on tracking and verification processes; the OIG accordingly marked the recommendation resolved, to be closed once documentation of a working process is received and accepted. The OIG’s circulation of a draft for stakeholder comment, and the collaborative tone of the exchange, indicate an expectation of cooperative change rather than punitive action. The inclusion of the regional bureaus (AF, EAP, EUR, NEA, SCA, WHA) in the action line underscores the report’s awareness that cyber‑security at posts cannot be siloed in DS; remediation depends on the bureaus that fund and manage the posts.
Legacy and Ongoing Relevance
Although the report is unclassified and dates from 2017, its core diagnosis remains salient. Later compromises of federal networks, including the 2020 SolarWinds supply‑chain intrusion, have reinforced the lesson that an assessment finding protects nothing until it is remediated and the remediation is verified. The OIG’s call for a tracking mechanism aligns with the direction of federal initiatives such as the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, which emphasizes continuous monitoring and automated compliance verification over periodic, advisory assessment.
If the Department acted on the recommendation, one would expect a formalized remediation workflow: each CSA finding assigned an owner and a due date, tracked to closure in a system visible to DS, IRM and the regional bureau, with periodic verification that the fix actually took hold. The OIG’s own closure condition supplies the test: the recommendation stays open until the OIG receives and accepts documentation of such a process. No follow‑up documentation accompanies the report on this page, so whether that condition was met cannot be judged from the document itself.
In sum, the 2017 Management Assistance Report is more than a bureaucratic inventory; it is a diagnostic snapshot of a systemic flaw that, if left unaddressed, threatens the confidentiality, integrity, and availability of U.S. diplomatic communications. Its insistence on moving from assessment to action continues to echo in today’s debates over how the State Department secures its global digital footprint.
UNCLASSIFIED
OIG Office of Inspector General U.S. Department of State • Broadcasting Board of Governors
ISP-17-39 Office of Inspections July 2017
Management Assistance Report: Deficiencies Reported in Cyber Security Assessment Reports Remain Uncorrected
MANAGEMENT ASSISTANCE REPORT
Summary of Review
OIG’s review of 50 overseas inspection reports published from February 2014 through March 2017 found 18 instances where recommendations in a Bureau of Diplomatic Security (DS) Cyber Security Assessment (CSA) report were repeated in a subsequent OIG inspection. OIG found 23 instances where DS performed a CSA—a detailed review of technical, operational, and management controls of unclassified and classified computer systems at overseas posts—at the same post before the OIG inspection. Of these 23 CSA reports, in 18 instances the subsequent OIG inspection performed at that post made the same information technology (IT) recommendations. These recommendations addressed weaknesses in information systems security officer programs, incomplete and untested IT contingency plans, noncompliant dedicated internet networks, and various physical, technical, and administrative cyber security control weaknesses. OIG conducted this management assistance review to determine why posts did not correct the cyber security weaknesses cited in CSA reports in a timely manner. OIG recommends that DS establish a process to track and verify compliance with recommendations made in CSA reports.
BACKGROUND
The Federal Information Security Management Act (FISMA) of 2002¹ and the Federal Information Security Modernization Act of 2014² require all federal agencies to develop, document, and implement an effective information security program that supports agency operations and assets. The Department of State (Department) assigned to DS numerous information security program responsibilities in support of FISMA.³ One of the methods DS uses to meet FISMA requirements is the Regional Cyber Security Officer (RCSO) program, whose mission is to protect and secure information on Department computer systems. To do this, RCSOs perform on-site assessments of, and consultations with, embassies, consulates, and other sites worldwide to evaluate compliance with government policies, identify any vulnerabilities to advanced threats, and assess whether industry best practices are being used.⁴ Each on-site assessment results in a CSA report—a detailed review of technical, operational, and management controls of unclassified and classified computer systems at overseas posts.⁵ These reports contain recommendations for posts to address cyber security deficiencies identified by DS during the review. CSAs also include narrative and descriptions of results and suggestions for improvements in areas that passed minimum tests but still could be enhanced. DS has a target to perform a CSA of each overseas post at least once every 18 months with no more than a 36-month gap between CSAs. CSAs are advisory reports, and posts are not required to implement CSA recommendations or suggestions.
¹ 44 U.S.C. Sections 3541-3549.
² 44 U.S.C. Sections 3551-3558.
³ 1 FAM 262.7-2, Office of Cybersecurity (updated June 30, 2015); 1 FAM 272.3, Office of Information Technology Security Compliance (December 5, 2016).
⁴ RCSO home page https://intranet.ds.state.sbu/DS/SI/CS/ESS/RCSO/default.aspx, April 26, 2017.
⁵ 1 FAM 262.7-2, Office of Cybersecurity (DS/SI/CS) (updated June 30, 2015).
OIG found in many of its recent overseas inspections that CSA recommendations had yet to be implemented. OIG conducted this management assistance review to determine why posts did not comply with CSA findings and recommendations to mitigate cyber security risks and vulnerabilities.
FINDING: NO PROCESS IN PLACE TO VERIFY COMPLIANCE WITH CYBER SECURITY ASSESSMENT RECOMMENDATIONS
OIG reviewed 50 overseas inspection reports published from February 2014 through March 2017 and found 23 instances where DS performed a CSA before the OIG inspection. Of these 23 CSA reports, in 18 instances the subsequent OIG inspection made the same IT recommendations. Issues included inadequate performance of information systems security officer duties, incomplete or untested IT contingency plans, unidentified dedicated internet networks, physical control deficiencies, administrative control weaknesses, and technical controls issues.⁶ Six OIG reports specifically cited instances in which the embassy did not address findings or recommendations previously included in CSA reports.⁷
In accordance with FISMA, 1 Foreign Affairs Manual (FAM) 262.7(1) and 1 FAM 262.7-2, DS, through the CSA reports, provides policy and implementation guidance to overseas posts with detailed, technical analyses of weaknesses and vulnerabilities for the post’s information and computer systems. However, DS does not require posts to implement CSA recommendations or have any process to verify that compliance or remediation activities have addressed findings and recommendations in CSA reports. Without such a requirement to implement CSA recommendations, and without any process or mechanism in place to monitor compliance, potential risks that Department information and computer systems could be compromised will remain unmitigated.
Recommendation: The Bureau of Diplomatic Security, in coordination with the Bureau of Information Resource Management and regional bureaus, should require implementation of Cyber Security Assessment report recommendations and establish a process to track and verify that overseas posts comply with those recommendations. (Action: DS, in coordination with IRM, AF, EAP, EUR, NEA, SCA, and WHA)
⁶ Specific technical details are purposefully excluded to keep this document unclassified.
⁷ The time between Cyber Security Assessment reports and OIG Inspection reports for identified posts ranged from one month to forty-one months with an average of over ten months between the two reports.
RECOMMENDATION
OIG provided a draft of this report to Department stakeholders for their review and comment on the findings and recommendation. OIG issued the following recommendation to the Bureau of Diplomatic Security. Its complete response can be found in Appendix B.
Recommendation: The Bureau of Diplomatic Security, in coordination with the Bureau of Information Resource Management and regional bureaus, should require implementation of Cyber Security Assessment report recommendations and establish a process to track and verify that overseas posts comply with those recommendations. (Action: DS, in coordination with IRM, AF, EAP, EUR, NEA, SCA, and WHA)
Management Response: In its July 19, 2017, response, the Bureau of Diplomatic Security concurred with the recommendation. The bureau noted that it will coordinate with IRM to determine the best tracking and verification processes to meet the requirements of the recommendations.
OIG Reply: OIG considers the recommendation resolved. The recommendation can be closed when OIG receives and accepts documentation of a process to ensure overseas posts' compliance with recommendations in Cyber Security Assessment reports.
APPENDIX A: OBJECTIVES, SCOPE, AND METHODOLOGY
This review was conducted in accordance with the Quality Standards for Inspection and Evaluation, as issued in 2012 by the Council of the Inspectors General on Integrity and Efficiency, and the Inspector’s Handbook, as issued by OIG for the Department and the Broadcasting Board of Governors.
The Office of Inspections provides the Secretary of State, the Chairman of the Broadcasting Board of Governors, and Congress with systematic and independent evaluations of the operations of the Department and the Broadcasting Board of Governors. Consistent with Section 209 of the Foreign Service Act of 1980, this review focused on the Department’s management controls—whether the administration of activities and operations meets the requirements of applicable laws and regulations and whether internal management controls have been instituted to ensure quality of performance and reduce the likelihood of mismanagement.
OIG’s specific inspection objectives were to (1) identify recurring findings and recommendations cited in both Cyber Security Assessment reports and OIG inspection reports, and (2) identify factors contributing to non-compliance with recommendations made in Cyber Security Assessment reports.
OIG reviewed and analyzed all Cyber Security Assessment reports and OIG inspection reports published from February 2014 through March 2017. OIG also reviewed Department guidelines to understand the roles, responsibilities, and processes involved in the performance of Cyber Security Assessments. Finally, OIG used professional judgment, along with documentary, testimonial, and analytical evidence collected or generated, to develop its finding and an actionable recommendation.
Timothy Williams conducted this review.
APPENDIX B: MANAGEMENT RESPONSES
United States Department of State Assistant Secretary of State for Diplomatic Security Washington, D.C. 20520
UNCLASSIFIED July 18, 2017
INFORMATION MEMO TO INSPECTOR GENERAL LINICK - OIG
FROM: DS – Bill A. Miller, Acting [Signature] JUL 19 2017
SUBJECT: Bureau of Diplomatic Security Response to the Office of Inspector General (OIG) Management Assistant Report Deficiencies Reported in Cyber Security Assessment (CSA) Reports Remain Uncorrected, ISP-17-39
Below is the Bureau of Diplomatic Security’s response to Recommendation 1 of the draft report.
Recommendation 1: The Bureau of Diplomatic Security, in coordination with the Bureau of Information Resource Management and regional bureaus, should require implementation of CSA report recommendations and establish a process to track and verify that overseas posts comply with those recommendations.
DS Response (7/18/17): DS concurs that more formal tracking of the CSA findings and recommendations identified by Regional Computer Security Officers is necessary to drive prompt remediation of cybersecurity vulnerabilities by all stakeholders, to include: posts, regional bureaus, and IRM. DS will coordinate with IRM to determine the best tracking and verification processes to meet this recommendation.
Approved: DS – Bill A. Miller
Drafted: DS/CTS – W. Stevens (x5-2593)
Cleared: M – D. Winters (ok)
IRM – C. Eckert (ok)
DS/DSS – C. Schurman (ok)
DS/EX – W. Terrini (ok)
DS/EX/MGT – J. Schools (ok)
DS/MGT/PPD – M. Scherger (ok)
DS/MGT/PPD – L. Long (ok)
DS/CTS – L. Price (ok)
DS/CTS – M. Holland (ok)
U.S. DEPARTMENT OF STATE OFFICE OF INSPECTOR GENERAL • BROADCASTING BOARD OF GOVERNORS
HELP FIGHT FRAUD. WASTE. ABUSE.
1-800-409-9926 • OIG.state.gov/HOTLINE
If you fear reprisal, contact the OIG Whistleblower Ombudsman to learn more about your rights: OIGWPEAOmbuds@state.gov
oig.state.gov • Office of Inspector General • U.S. Department of State • P.O. Box 9778 • Arlington, VA 22219
NATIONAL SECURITY ARCHIVE
National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037, Phone: 202/994-7000, Fax: 202/994-7005, nsarchiv@gwu.edu