August 31, 1999
Thompson letter on GPRA - State Attachment 1
OPEN GAO RECOMMENDATIONS ON STATE’S MAJOR MANAGEMENT PROBLEMS
ENHANCING THE MANAGEMENT OF SECURITY PROGRAMS FOR OVERSEAS PERSONNEL AND PROPERTY
Problem description: In the wake of the bombing of the U.S. embassies in Kenya and Tanzania, the Congress provided the Department of State $1.45 billion in emergency funding in the Omnibus Consolidated and Emergency Supplemental Appropriations Act for Fiscal Year 1999 (P.L. 105-277) to enhance security around the world. This includes funds for an immediate response to the bombings, such as medical treatment, counterterrorism programs and rewards, and economic assistance, as well as funds to rebuild the embassies in Kenya and Tanzania. In addition, State will likely request several billion dollars in funds for new capital construction in the upcoming years. State will face several management challenges in administering an expanded security construction program, including whether it can bring on board the appropriate amount of staff to plan and manage a large number of overseas construction projects.
While there currently are no open recommendations related to State’s management of security programs, GAO is reviewing State’s handling of these efforts. In view of State’s prior experiences and difficulties in implementing the security construction program, several questions and issues need to be addressed as part of today’s efforts to formulate strategies for enhancing security. Questions should focus on the total costs to bring overseas posts into compliance with current security standards, the actions needed to ensure that State has the management capability to implement a large-scale construction program, and whether there are adequate control mechanisms to ensure efficient and effective use of available funding. One issue of utmost importance to address first is whether there is a valid need for the large number of U.S. employees overseas. The security burden is directly associated with the size of the overseas workforce, so State needs to take the lead in a broad examination of how the U.S. government carries out its overseas roles and related missions and whether all requirements and alternatives have been explored.
IMPROVING INFORMATION MANAGEMENT SYSTEMS
Problem description: State’s information resource management (IRM) infrastructure has historically been inadequate to support the agency’s core foreign policy and administrative functions. State officials have recognized that deficiencies exist. State is spending hundreds of millions of dollars each year on IRM, including $100 million to $150 million to modernize its information technology (IT) hardware and software systems, remediate Year 2000 problems, implement a comprehensive information security management system, and upgrade its overall IT capability. State estimated in 1997 that it would need $2.7 billion over 5 years to achieve a modernized global infrastructure. However, this estimate was not prepared through the rigorous analytical process called for in federal guidance designed to control costs and improve efficiency.
GAO recommended that State implement a number of corrective measures, including establishing a central information security unit and adopting risk-based IT security management techniques. State concurred with the majority of GAO’s recommendations and has taken steps to improve information security, such as establishing a central IT security unit and department-level information systems security officer, preparing new management guidance on IT security, and increasing IT security awareness activities.
| GAO Report No. and Date | Recommendation |
|---|---|
| AIMD-98-145 May 18, 1998 | The Department of State should establish a central information security unit and assign it responsibility for facilitating, coordinating, and overseeing the department’s information security activities. In doing so, State should assign the Chief Information Officer (CIO) the responsibility and authority for ensuring that the information security policies, procedures, and practices are adequate. |
| AIMD-98-145 May 18, 1998 | The Department of State should establish a central information security unit and assign it responsibility for facilitating, coordinating, and overseeing the department’s information security activities. In doing so, State should clarify the computer security responsibilities of the Bureau of Diplomatic Security, the Office of Information Management, and individual bureaus and diplomatic posts. |
| AIMD-98-145 May 18, 1998 | The Department of State should establish a central information security unit and assign it responsibility for facilitating, coordinating, and overseeing the department’s information security activities. In doing so, State should consider whether some duties that have been assumed by these offices can be assigned to, or at a minimum coordinated with, the central information security unit. |
| AIMD-98-145 May 18, 1998 | The Department of State should develop policy and procedures that require senior State managers to regularly determine the (1) value and sensitivity of the information to be protected, (2) vulnerabilities of their computers and networks, (3) threats, including hackers, thieves, disgruntled employees, foreign adversaries, and spies, (4) countermeasures available to combat the problem, and (5) cost-effectiveness of the countermeasures. |
| AIMD-98-145 May 18, 1998 | The Department of State should revise the Foreign Affairs Manual (FAM) so that it clearly describes the legislatively mandated security responsibilities of the CIO, the security responsibilities of senior managers and all computer users, and the need for and use of risk assessments. |
| AIMD-98-145 May 18, 1998 | The Department of State should establish and implement key controls to help the department protect its information systems and information, including assessments of the department’s ability to (1) react to intrusion and attacks on its information systems, (2) respond quickly and effectively to security incidents, (3) help contain and repair any damage caused, and (4) prevent future damage. State should also establish the central reporting and tracking of information security incidents to ensure that knowledge of these problems can be shared across the department and with other federal agencies. |
| AIMD-98-145 May 18, 1998 | The Department of State should ensure that the results of the annual financial statement audits required by the Chief Financial Officers Act of 1990 are used to track the department’s progress in establishing, implementing, and adhering to sound information security controls. |
| AIMD-98-162 Aug. 28, 1998 | Regarding the Year 2000 problem, the Secretary of State should ensure that senior program managers and the CIO reassess all of State’s systems using the new mission-based approach to identify those systems supporting the most critical business operations. |
| NSIAD-98-242 Sept. 29, 1998 | The Secretary of State should make the development of a fully implemented IT planning and investment process a top priority. The Secretary’s implementation strategy should include establishing a fully functioning IRM Technical Review Board and IRM Configuration Control Board. |
| NSIAD-98-242 Sept. 29, 1998 | The Secretary should include in State’s implementation strategy establishing a validated information technology architecture to help guide the department’s IRM modernization and ongoing IT support decisions. |
| NSIAD-98-242 Sept. 29, 1998 | The Secretary should include in State’s implementation strategy revising (once the boards and architecture are in place) the strategic and tactical plans and 5-year cost estimate and identifying potential cost savings expected from the modernization effort. |
IMPROVING FINANCIAL MANAGEMENT SYSTEMS
Problem description: One of State’s long-standing shortcomings has been the absence of an effective financial management system that can assist managers in making "cost-based" decisions. State received an unqualified audit opinion on its departmentwide financial statements for fiscal year 1997, but the agency needs to continue to bring its systems into full compliance with federal accounting and information management requirements. State must also work on solving related internal control weaknesses if it is to adequately protect its assets and have timely, reliable data for cost-based decision-making, reporting, and performance management.
GAO identified weaknesses in State’s financial management systems in connection with the audit of the financial statements of the federal government. While there currently are no open recommendations related to State’s financial management, GAO will continue to monitor the agency’s improvement efforts. For example, State has indicated that it is in the process of establishing a contract to study the level of compliance with the Federal Financial Management Improvement Act. State has also indicated that additional reports and procedures are being put into place to address internal control weaknesses. In addition, to improve coordination efforts with agencies located at overseas posts, State has implemented a new system that is expected to better manage resources and allocate overseas support costs.
EFFECTIVELY MANAGING THE VISA PROCESS
Problem description: State processes more than 8 million immigrant and nonimmigrant visa applications annually. State’s own internal assessments have categorized this process as being materially deficient due to unfilled computer systems needs, insufficient staffing overseas, and inadequate interagency coordination, which have weakened management controls. To reduce the program’s vulnerability to fraud, State has put a number of controls in place to prevent unqualified individuals from receiving a visa, including a special computerized logarithmic name-checking capability and an antiterrorism tip-off program. There is one open recommendation in this area, related to the need for State to develop timeliness standards for processing nonimmigrant visas to determine the appropriate level and mix of resources needed and to take full advantage of all ongoing efforts to improve visa operations.
| GAO Report No. and Date | Recommendation |
|---|---|
| NSIAD-98-69 Mar. 13, 1998 | To determine the appropriate level and mix of resources needed and to take full advantage of all ongoing efforts to improve visa operations, the Secretary of State should develop timeliness standards for processing nonimmigrant visas. |
EFFECTIVELY REORGANIZING FOREIGN AFFAIRS AGENCIES
Problem description: In a major effort to improve the efficiency and effectiveness of U.S. foreign affairs operations, the Congress directed the abolishment of the U.S. Information Agency (USIA) and the U.S. Arms Control and Disarmament Agency (ACDA) and the transfer of those functions into State. A key issue is whether State can integrate these agencies in a manner that reduces overall costs while enhancing capability.
While there currently are no open recommendations related to State’s reorganizing of the foreign affairs agencies, GAO will continue to monitor this situation at State. For example, State has indicated that during the transition, costs will likely increase because of the need to implement system conversions and transfers; in the longer term, overall staffing and costs may decrease. State faces several challenges in achieving the objectives of this reorganization.
STRENGTHENING STRATEGIC AND PERFORMANCE PLANNING
Problem description: State needs to strengthen its strategic and performance planning as part of its overall efforts to improve management. In its first strategic plan for foreign affairs, State formulated 16 foreign policy goals that cover a wide spectrum of U.S. national interests--national security, economic prosperity, American citizens and U.S. borders, law enforcement, democracy, humanitarian response, and global issues. The department’s 1999 annual performance plan often fell short of Results Act requirements. Overall, the performance plan did not clearly indicate the department’s intended performance and was vague about how State will coordinate with other agencies. Further, State’s performance plan did not provide sufficient confidence that its performance information would be credible.
While there currently are no open recommendations related to State’s strategic and performance planning, GAO will continue to monitor State’s actions in this area. For example, in response to our work, State is attempting to improve its planning by developing clearer and more objective performance measures linked to performance goals and identifying partnerships with other agencies or governments to address crosscutting issues.