
Page 1 GAO-25-108069 State Priority Recommendations
Comptroller General
of the United States
April 11, 2025
The Honorable Marco Rubio
Secretary of State
U.S. Department of State
2201 C Street, NW
Washington, DC 20520
Priority Open Recommendations: Department of State
Dear Secretary Rubio:
Congratulations on your appointment. The purpose of this letter is to call your personal attention
to three areas based on GAO’s past work and 13 open priority recommendations, which are
enclosed.[1] Additionally, there are 619 other open recommendations that we will continue to
work with your staff to address.
We are highlighting the following areas that warrant timely and focused attention. Specifically:
Addressing weaknesses in cybersecurity. State has not fully implemented its program to
identify and monitor risk to assets and the information maintained on its systems. As we
reported in September 2023, until the department implements required risk management
activities, it lacks assurance that its security controls are operating as intended.[2] Moreover,
State is likely not fully aware of information security vulnerabilities and threats affecting mission
operations.
GAO recommends that State take several actions, including (1) mitigating known vulnerabilities,
(2) conducting bureau-level risk assessments for the 28 bureaus that owned information
systems that GAO reviewed, (3) ensuring that its information systems have valid authorizations
to operate in accordance with department policies and federal guidance, (4) ensuring that the
Chief Information Officer (CIO) has access to assets at bureaus and posts to continuously
monitor for threats and vulnerabilities that may affect mission operations, (5) ensuring that all
system contingency plans for high value assets are tested annually as required by department
policies, and (6) directing the CIO to update an October 2020 matrix to better ensure
compliance with applicable department policies and federal guidance. In addition, there are
about 500 recommendations related to technical security control deficiencies in State's IT
infrastructure that also warrant attention.
[1] GAO considers a recommendation to be a priority if, when implemented, it may significantly improve government
operations, for example, by realizing large dollar savings; eliminating mismanagement, fraud, and abuse; or making
progress toward addressing a high-risk or duplication issue.
[2] GAO, Cybersecurity: State Needs to Expeditiously Implement Risk Management and Other Key Practices,
GAO-23-107012 (Washington, D.C.: Sept. 28, 2023).