The US Department of State has been urged by the Government Accountability Office (GAO) to fully implement its cybersecurity risk program [1]. The GAO has identified deficiencies in the department’s current program [3], which pose a risk to its ability to detect, investigate [3], and mitigate cybersecurity incidents [2] [3].


In a report [2] [3], the GAO highlighted several shortcomings in the department’s cybersecurity program. These include a lack of departmentwide risk mitigation [3], bureau-level risk assessments [3], authorization for information systems [2] [3], and a departmentwide continuous monitoring program [1] [3]. The GAO has provided 15 recommendations for the department to address these issues [3], such as developing plans to mitigate vulnerabilities [2] [3], conducting risk assessments [2], ensuring valid authorizations for information systems [2], and updating system contingency plans [2]. The department has concurred with all 15 recommendations [2] [3].

Currently, only 44% of the department’s nearly 500 information systems have completed the authorization process [1], and a department-wide continuous monitoring system has yet to be implemented [1]. The department has identified risk management roles and responsibilities and developed a cyber risk management strategy [1]. However, it lacks assurance that its security controls are operating as intended until required risk management activities are implemented [1]. Additionally, the department may not be fully aware of information security vulnerabilities and threats affecting its mission operations [1].

The report also identifies deficiencies in the State Department’s IT infrastructure [2], including outdated hardware and software installations [2]. These vulnerabilities make the department susceptible to exploits and hinder its ability to detect and mitigate cybersecurity incidents [2]. The Chief Information Officer’s role is limited by shared management responsibilities and a lack of communication within the department [2]. The report suggests that the department’s IT structure and insulated culture contribute to many of the identified deficiencies [2].


The GAO’s report highlights the urgent need for the US Department of State to address the deficiencies in its cybersecurity program. Failure to do so puts the department’s ability to detect, investigate [3], and mitigate cybersecurity incidents at risk [2] [3]. It is crucial for the department to fully implement the GAO’s recommendations, including developing plans to mitigate vulnerabilities [2] [3], conducting risk assessments [2], and updating system contingency plans [2]. Additionally, addressing the issues with the department’s IT infrastructure and improving communication within the department are essential steps to enhance its cybersecurity program. Until these measures are taken, the department’s cybersecurity program remains vulnerable [2], and its systems are at risk.