Acting Inspector General,
Harold W. Geisel.
The Reports Consolidation Act of 2000 requires that the Department’s Performance and Accountability Report include a statement by the Inspector General that summarizes the most serious management and performance challenges facing the Department and briefly assesses the progress in addressing them. The Office of Inspector General (OIG) considers the most serious management and performance challenges for the Department to be in the following areas:
Protecting people, facilities, and information continues to be one of the Department’s highest priorities and greatest challenges. The single most significant factor in this effort is having a safe and secure work environment. The Department has undertaken a vigorous program to replace overseas facilities that do not meet security standards with new, secure facilities, but a decade or more will be needed to fully complete this program. In the interim, the Department must identify and implement temporary measures that can mitigate the threats to people, facilities, and information.
The second most significant aspect in the protection of people, facilities, and information is the security personnel who manage and implement the Department’s security programs. Staffing shortages, increasing security requirements, and the demands of high-threat posts have put an ever-increasing workload on Department security personnel. As a result, some security requirements are not being fully met. The Department needs to find ways to help security professionals become more efficient and effective in their work, and to be able to more closely scrutinize the demands being placed on them.
A critical factor in the protection of people, facilities, and information is the cost and the limited funds available for this purpose. Related to cost is the number of people to be protected—the more people protected, the higher the cost. For these reasons, close attention needs to be paid to National Security Decision Directive 38 requests for personnel increases, and Annex A of the chief of mission/combatant commander memorandum of agreement, which identifies those Department of Defense personnel for which the chief of mission has security responsibility. For non-Department personnel under chief of mission security responsibility, International Cooperative Administrative Support Services agreements are needed to cover the cost of the required security support. The Department needs to ensure that all personnel are adequately protected, and that the cost of providing this protection is being equitably distributed.
Other factors that need to be considered are ever-changing security threats and the implementation of measures to counter those threats. For example, lessons learned from past attacks on official facilities should be used as a basis for new security requirements that will provide better protection against future attacks. Similarly, as technology changes, security requirements should be revised to counter increased technical threats or identified vulnerabilities. These are being done, but at an extremely slow pace. In some cases, it has taken years to change the Department’s security requirements in response to an identified vulnerability or an increased threat. It is crucial to find ways to streamline the process of updating security requirements to better keep pace with the ever-changing threat environment.
The protection of personally identifiable information (PII) is a significant information security challenge for the Department. Safeguarding PII and preventing its breach are essential to ensuring the U.S. Government retains the trust of the American public. Enormous amounts of PII are used in many Department programs and operations and are stored and accessed via multiple mediums, which require multiple levels of control and protection. The Department has made strides in protecting PII and other sensitive data, but recently identified weaknesses demonstrate the need for continued focus and improvement.
The Department’s Passport Information Electronic Records System (PIERS) contains PII on more than 210 million passports for approximately 139 million passport holders. In March 2008, media reports surfaced that the PII maintained in PIERS for three U.S. Senators, who were also presidential candidates, had been improperly accessed by Department employees and contract staff. OIG performed a review to identify the internal control weaknesses that allowed the improper access to occur, and made recommendations to address the internal control weaknesses found, including the development of policies and procedures to accurately identify the users of passport information, detect unauthorized access to passport and applicant information, and respond effectively when unauthorized access has been determined. As noted above, the Department has made significant strides in addressing these weaknesses.
Federal agencies are required to encrypt and safeguard PII contained on laptop computers. OIG found that as a result of various internal control weaknesses, the Department did not have an accurate inventory of all of its domestic and overseas classified and unclassified laptop computers. Specifically, bureaus and posts failed to enter newly acquired laptop computers into the official inventory system or to delete laptops from the inventory after disposal. In addition, bureaus and posts failed to report and investigate missing laptops or adequately document when a laptop was loaned to an individual for use outside of the assigned facility.
OIG also found that not all of the Department’s laptop computers had been encrypted. This created a security vulnerability whereby PII or potentially sensitive information about Department operations contained on those computers could be compromised, should those computers be lost or stolen.
The Department’s Computer Incident Response Team (CIRT) now automatically alerts OIG of every information security-related breach, including those concerning PII and laptops. Continued monitoring and protection of passports records and PII of Department employees, as well as other mission-critical information, is crucial if the Department is to maintain the public trust and effectively perform its responsibilities.
The Department continues working to satisfy the requirements of the Federal Information Security Management Act of 2002. During fiscal year 2009, the Department modified its systems inventory management approach and its certification and accreditation (C&A) toolkits, and updated its contingency plan policy. However, the Department continues to face challenges in implementing a fully effective information security management program. The Plans of Action and Milestones process must be strengthened by working with system owners to ensure timely reporting of security weaknesses during the C&A process; testing contingency plans; developing detailed standard operating procedures for addressing each IT security weakness and/or finding; and actively monitoring, validating, and implementing remediation steps to correct all security weaknesses within a reasonable time frame. Security awareness also must be strengthened. Specifically, the processes to identify the number of users with access to the network and the number of users who have taken the cyber security awareness have not been fully defined.
A recent OIG evaluation concluded that the Department’s effort to consolidate IT desktop services found inadequate project planning and management, among other shortcomings. The number one priority for the IT Consolidation was customer service; however, the consolidation program to date has failed to deliver the level of customer service promised. In addition, the Department established a 2-year schedule to complete the consolidation of IT desktop services for 34 domestic bureaus and offices rather than abiding by the contractor-recommended 5-year timeframe. As a result, project requirements were not fully defined, cost savings cannot be documented, and security measures are inadequate.
Financial management continues to be a major challenge in the Department. In each of the past three years, the Department could not respond in a timely manner to requests for evidential material during the audit of the financial statements. As a result, the independent external auditor was unable to express an opinion on the financial statements by the mandated deadline. For the audit of the FY 2008 financial statements, the Department later provided additional information that supported the amounts in its financial statements, and the external auditor then issued an unqualified opinion.
The Department continues to take steps to improve internal controls over financial management. In 2008, its efforts allowed two material internal control weaknesses, related to personal property and undelivered orders (UDO), to be downgraded to significant internal control deficiencies. The external auditor also identified two other significant deficiencies related to the adequacy of the financial and accounting system, and to calculating the extent of the liability related to supplemental pension plans for locally employed staff that had been identified in prior audits. The Department believes that its plans to establish a virtual single global financial management system, which will include both domestic and overseas financial data, will address some of the internal control issues identified by the external auditor. The Department also is working to establish an accurate inventory of defined benefit supplemental pension plans for locally employed staff.
The Department spends about $4 billion annually on formal contracts and simplified acquisitions,1 primarily on procurement activities that support overseas programs and operations. Between FY 2001 and FY 2006, the Department’s primary acquisition organization, the Bureau of Administration’s Office of Acquisitions Management (AQM), experienced a 41 percent increase in the number of procurement transactions processed and a 155 percent increase in the dollar value of procurement actions issued. This workload increase was not accompanied by a corresponding increase in AQM contracting office personnel.
OIG found several examples where contract administration and oversight were inadequate, including the more than $55 million in overpayments in contracts valued at $1 billion for personal protective services in Iraq. Other procurement issues the Department must focus on include adequate planning and transparency in the procurement process. Failure to plan adequately for the construction of the New Embassy Compound in Baghdad, Iraq, and failure to properly administer the contract resulted in more than $100 million in construction defects the Department was required to repair or replace, and the failure to collect liquidated damages and interest payments on contractor advances. With its multi-year plan to upgrade overseas facilities, the Department must ensure that contractors are properly chosen, work is properly conducted, and costs are contained.
Cross-border problems, which have a direct impact on U.S. business interests, environmental safety, quality of life, and border security, continue to challenge the Department. The Department must adequately prepare for both new statutory requirements and new policy initiatives in order to effectively assist U.S. citizens, implement new policies, and provide effective oversight of funds. Examples of increased staffing, resource, and oversight demands include the implementation of the Western Hemisphere Travel Initiative, which requires travel documents for all land, sea, and air travelers in the region. Border crossing card replacement also is expected to add significantly to demand for visa adjudications in Mexico. The Merida Initiative, a historic development in the U.S.-Mexico bilateral relationship to fight transnational crime and corruption, will require significant resources, particularly at Embassy Mexico City. The Department must anticipate and adequately prepare for implementation of such changes.
The Department needs to better integrate public diplomacy into policy formation. In the Bureau of African Affairs, for example, the public diplomacy and public affairs office is not an active contributor to the bureau’s policy goals. On the other hand, the Bureau of Western Hemisphere Affairs’ successful program of embedding public diplomacy officers with the regional desk officers of the regions they serve is a useful model for ensuring better coordination that results in more effective daily press guidance as well as increased public diplomacy input to regional planning. This initiative needs to be developed further and implemented by other regional bureaus.
According to the Secretary of State, the Department needs to employ new social networking tools—including FaceBook, Twitter, YouTube, and blogging—to engage in dialogue with broader audiences. Challenges hampering the Department’s efforts to support social networking include a lack of human, fiscal, and technical resources, IT security and policy concerns, and a lack of appropriate IT equipment and support. As the security climate deteriorates overseas and as new embassy compounds are established with impressive security enhancements, it becomes more difficult for public affairs offices to directly engage local residents. New ways of conducting public diplomacy must be found, including the possible use of virtual presence posts, digital videoconferences, and a further reliance on web sites.
The Department has made important progress in ensuring that public diplomacy is seen as a part of a total diplomatic effort rather than as something that is added as an afterthought to a particular policy, but further integration within the Department and interagency still remains an issue. The Department needs to ensure more mission-level integration of public diplomacy objectives in all mission goals.
Observers inside and outside the government recognize that the Department of State and America’s diplomats face major challenges in coordinating and managing foreign assistance. Foreign assistance has grown in dollar value and scope, and now includes not only development assistance, but also economic, security, humanitarian, and law enforcement assistance.
As the number and variety of foreign assistance programs has grown, so has the number of agencies—and the number of bureaus in the Department—conducting the programs. The U.S. Government must deliver foreign assistance through grants, contracts, or cooperative agreements, but OIG found that some grants officers did not have the appropriate training to perform those responsibilities, and coordination and financial management of these funds must be improved.
In addition, U.S. embassies and the Department face the challenge of managing the Global HIV/AIDS, Tuberculosis, and Malaria program with a budget of nearly $10 billion a year. The Department established the position of Director of Foreign Assistance in 2006, and began to build a process for integrating strategic planning and budgeting of foreign assistance into the strategic planning of the U.S. Government’s other foreign policy goals. Although this initiative responds to widely shared concerns about the modernization of the U.S. Government’s management of foreign assistance, it remains a work in progress.
1 A simplified acquisition is a purchase made from a private commercial business source totaling $100,000 or less (or $5.5 million for commercial items). (back to text)