The Foreign Service Journal, September 2005

tices.” The Office of Management and Budget holds agencies to account for their technology programs’ information assurance by forcing them to certify and accredit major systems one by one. The Federal Information Security Management Act requires all agencies to re-evaluate and test information security policies, procedures and practices at least once a year. Last year, State met a rigorous OMB deadline for certification and accreditation of its major IT programs. State’s cyber security effort continues at a reduced level, updating system inspections and accrediting new programs.

At State, oversight of all cyber-security activities including certification and accreditation falls to the Chief Information Security Officer, who works from the Information Resource Management Bureau. Jane Norris, who holds that post, reports to the chief information officer on how to manage risk. “We set performance measures, and then go back and evaluate and report findings,” she explains. She says that her oversight role “sets up an interesting dynamic” with colleagues in Diplomatic Security, who take the operational lead.

For the initial round of certification and accreditation, Norris commanded a team of 155 — many detailed from Diplomatic Security — to review all State Department computer systems. The OMB-mandated exercise took place from May 2003 to September 2004, and cost about half of the $62 million that OMB had estimated. A smaller staff of about 80 supports the ongoing activity.

Standards climb every year. Among Norris’ new challenges are the tasks of compiling a single inventory of State’s IT assets and improving contingency plans through testing.

Is all this documentation excessive? “It can be construed as a paperwork exercise,” Norris concedes, adding that some agencies may meet OMB requirements while whitewashing vulnerabilities.
She asserts that the Office of the Inspector General issued an independent assessment of State systems that lent extra
