US State Dept has no idea if it works
How do you know if the State Dept is working?
The US Department of State has largely failed to implement an effective cybersecurity risk program, auditors concluded in a report last week. That means a crucial arm of the American government is potentially wide open to cyberattacks it may not be able to identify or stop. The State Department, which handles diplomacy and US …
If anyone bothered to actually properly audit, and not the old buddy wink and a nod audit, they'd find most State and Local Muni orgs across the US operate the same way. I used to consult at many of them locally, they certainly don't here, and having worked enough sampling of the rest of the US too, have no doubt. No one in government actually implements proper measures, they buy something, pay a consultant, pray it works to drop a bit extra in the hat on Sunday when done, and when it doesn't, hand a claim over to insurance to go back to waiting for their pension to kick in.
It's not just in government, and it's not just the US. I have never worked anywhere where we would have passed an audit that I carried out to the actual letter of any of the ISO or BSI or whatever other rules we might claim to be complying with. It's always "Do just enough to get it by letter of the law according to the overworked auditor who won't actually look too hard", never "Do the actual thing the intent of the law meant for us to do", because actually complying will always upset too many people who don't want their day made harder by having to actually follow procedures and be seen to follow them.
I like to imagine it actually works in say, nuclear, or aeronautics, because that lets me sleep better at night... but I wouldn't want to bet on it.