Internal State Department documents reveal serious security lapses in the SMART system, including unsecured workstations and servers, the transfer of sensitive data entirely unencrypted, and the routine mixing of classified and unclassified information.
SMART, the State Department’s State Messaging and Archival Toolset, was originally implemented under the $2.5 billion Vanguard contract to improve information sharing in the aftermath of the 9/11 attacks. It became operational in September 2008, but the system has never met the security levels mandated by the Federal Information Security Management Act (FISMA).
The SMART system handles communications for both the classified “ClassNet” and the unclassified “OpenNet” channels and provides a searchable archive used by the White House, federal agencies and diplomatic missions overseas. According to a 2010 Office of Inspector General (OIG) report, it fails to measure up to security standards.
“Two years ago I would have said ‘yes’ if you asked me if I was surprised, but seeing all that has happened in the last few years and how grossly incompetent the government is at protecting its secrets at all levels — it is disappointing,” said Sophos’s Chester Wisniewski.
An independent audit conducted in 2012 revealed that more than 19,000 of the 121,702 active accounts on the unclassified system alone did not require passwords, and another 529 accounts did not require passwords to be changed every sixty days as required.
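The two findings above (accounts with no password requirement, and accounts exempt from the sixty-day rotation rule) are the kind of control failures a periodic account audit is meant to catch. The script below is an added example written for this article; it is not code from the State Department, the OIG, or the 2012 audit. It assumes a hypothetical account inventory export with the fields shown, and the sample accounts are constructed to illustrate each failure class.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Rotation interval the article says the policy required (sixty days).
MAX_PASSWORD_AGE_DAYS = 60


@dataclass
class Account:
    """One row of a hypothetical account inventory export (assumed format)."""
    name: str
    password_required: bool          # False => account can log in with no password
    rotation_enforced: bool          # False => no maximum password age is applied
    last_password_change: Optional[date]  # None when unknown or never set


def audit_accounts(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return account names grouped by the control they violate.

    - no_password:        password not required at all
    - no_rotation_policy: password required, but no expiry is enforced
    - stale_password:     expiry enforced on paper, yet the password is older
                          than MAX_PASSWORD_AGE_DAYS (or its age is unknown)
    """
    findings: Dict[str, List[str]] = {
        "no_password": [],
        "no_rotation_policy": [],
        "stale_password": [],
    }
    for acct in accounts:
        if not acct.password_required:
            findings["no_password"].append(acct.name)
            continue  # the other checks are moot without a password
        if not acct.rotation_enforced:
            findings["no_rotation_policy"].append(acct.name)
        if acct.last_password_change is None:
            findings["stale_password"].append(acct.name)
        elif (today - acct.last_password_change).days > MAX_PASSWORD_AGE_DAYS:
            findings["stale_password"].append(acct.name)
    return findings


def noncompliance_rate(accounts: List[Account], findings: Dict[str, List[str]]) -> float:
    """Fraction of accounts that appear in at least one finding bucket."""
    flagged = set()
    for names in findings.values():
        flagged.update(names)
    return len(flagged) / len(accounts) if accounts else 0.0


# Constructed sample inventory (not real accounts); audit date is also constructed.
SAMPLE_ACCOUNTS = [
    Account("svc-archive",   password_required=False, rotation_enforced=False, last_password_change=None),
    Account("jdoe",          password_required=True,  rotation_enforced=True,  last_password_change=date(2012, 5, 20)),
    Account("legacy-import", password_required=True,  rotation_enforced=False, last_password_change=date(2011, 1, 3)),
    Account("asmith",        password_required=True,  rotation_enforced=True,  last_password_change=date(2012, 2, 1)),
    Account("kiosk-01",      password_required=True,  rotation_enforced=True,  last_password_change=None),
]
AUDIT_DATE = date(2012, 6, 1)


if __name__ == "__main__":
    result = audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)
    for bucket, names in result.items():
        print(f"{bucket:20s} {len(names):3d}  {', '.join(names)}")
    print(f"non-compliant share: {noncompliance_rate(SAMPLE_ACCOUNTS, result):.0%}")
```

Run against a real inventory, the interesting output is not the individual names but the size of each bucket over time: a waiver like the one described below should shrink these lists on a schedule, and a re-run of the same audit is how a reviewer verifies that it did.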
The Information Security Officer Directorate requested a waiver last month to allow for the lapses with the promise that they be remedied at a later date.
“For security reasons, the State Department does not comment on the technical aspects of our communication systems,” a spokesperson said.