Top Five/Bottom Five For Performance Awards in FY2014

Posted: 2:48 am EDT


Via GovExec:

The number of career senior executives receiving a bonus based on their job performance increased by 12.2 percentage points between fiscal years 2013 and 2014 across government, and the average amount of individual performance awards increased $347 during that time.
Here are the top five most generous agencies when it came to individual performance awards in fiscal 2014. We’ve defined “most generous” as those agencies that provided bonuses that were more than the average individual award of $10,560 governmentwide. Again, these are averages; some senior executives might have received more money, and others less than the amount listed in parentheses.

  1. National Science Foundation ($15,333)
  2. Justice ($14,600)
  3. Small Business Administration ($13,894)
  4. Education ($12,800)
  5. Commerce ($12,177)

The agencies that doled out the smallest individual SES performance (less than $10,560) awards in fiscal 2014 were:

  1. State Department ($8,434)
  2. General Services Administration ($8,509)
  3. Nuclear Regulatory Commission ($9,013)
  4. Transportation Department ($9,063)
  5. Veterans Affairs Department ($9,450)


USAID Finally Gets an Inspector General 1,496 Days After Job Went Vacant

Posted: 12:17 am EDT


The U.S. Agency for International Development (USAID) has been without a Senate-confirmed inspector general for four years.  The position became vacant in October 2011 following Donald Gambatesa’s resignation (he was confirmed by the U.S. Senate in December 2005).

On June 20, 2013, President Obama announced his intent to nominate Michael G. Carroll as the next Inspector General.  According to WaPo, Michael G. Carroll, who was USAID’s acting inspector general, withdrew his name from consideration to be President Obama’s permanent inspector general after it has been pending for 16 months. This came amidst WaPo’s report that negative findings in USAID OIG’s reports were allegedly being stricken from audits between 2011 and 2013.   On November 12, 2014, the White House officially withdrew the Carroll nomination.  WaPo reported Mr. Carroll’s retirement on December 8, 2014 (see USAID watchdog Michael Carroll retires in wake of whistleblower claims).

In May this year, President Obama announced his intent to nominate Ann Calvaresi Barr, as the next Inspector General for USAID.

On May 11, the Senate received and referred Ms. Barr’s nomination  to the Committee on Foreign Relations; it was  also sequentially referred to the Committee on Homeland Security and Governmental Affairs for 20 calendar days.

Ms. Barr did not get her confirmation hearing until August 4. Two months later, the Barr nomination was cleared by the SFCR on October 1, and by the Committee on Homeland Security and Governmental Affairs on October 22.  On November 19, the full Senate confirmed Ms. Barr by voice vote, 1,496 days after the job went vacant and 192 days after President Obama announced her nomination.

Ms. Barr should have a lengthy junkyard dog list. Just look at this:

Stricter definition?  Help, where’s my smelling salt …



Related posts:

Snapshot: Unaccompanied Children By Country of Citizenship (FY2009-2014)

Posted: 12:25 am EDT


According to the Department of Homeland Security (DHS), the number of UAC from any country apprehended at the U.S. border climbed from nearly 28,000 in fiscal year 2012 to more than 42,000 in fiscal year 2013, and to more than 73,000 in fiscal year 2014. Prior to fiscal year 2012, most UAC apprehended at the border were Mexican nationals.5 However, as figure 1 shows, starting in fiscal year 2013, the total number of UAC from El Salvador, Guatemala, and Honduras surpassed the number of UAC from Mexico and, in fiscal year 2014, far surpassed the number of UAC from Mexico.

Screen Shot 2015-10-27

Recent data and research indicate that, while fewer UAC are being apprehended in the United States in 2015, the pace of migration from Central America remains high. According to DHS, as of August 2015, apprehensions at the southwest border are down 46 percent compared with last year—with more than 35,000 UAC apprehended in fiscal year 2015 compared with about 66,000 through the same time period in fiscal year 2014. However, analyses of DHS data indicate that apprehensions in the month of August 2015 increased compared to previous months this year and exceeded by nearly 50 percent August 2014 apprehensions. Moreover, research by two nongovernmental organizations indicates that a greater number of Central Americans this year are being apprehended in Mexico. According to the Migration Policy Institute,6 Mexico has increased its enforcement capacity and is apprehending a greater number of Central American migrants, including children.


In fiscal year 2014, USAID, State, DHS, and IAF allocated a combined $44.5 million for El Salvador, $88.1 million for Guatemala, and $78 million for Honduras. In addition, MCC signed a threshold program agreement with Honduras in fiscal year 2013 totaling $15.6 million, a compact agreement with El Salvador in fiscal year 2014 totaling $277 million, and a threshold program agreement with Guatemala in fiscal year 2015 totaling $28 million.


GAO Lists Titles of Restricted Reports, See @StateDept Report SubList

Posted: 1:57 am EDT


The following reports have been determined to contain either classified information or controlled unclassified information by the audited agencies and cannot be publicly released. As such, they have not been posted to GAO’s website and have product numbers that end in C (classified) or SU (controlled unclassified information).

The list is intended by the GAO to keep Congress, federal agencies, and the public informed of the existence of these products. The list consists of all such classified or controlled products issued since September 30, 2014 and will be updated each time a new report is issued according to

Members of Congress or congressional staff who wish to obtain one or more of these products should call or e-mail the Congressional Relations Office (202) 512-4400 or

All others who wish to obtain one or more of these products should follow the instructions found on Requesting Restricted Products.

Via FAS/Secrecy News:

A congressional staffer said the move was prompted by concerns expressed by some Members of Congress and staff that they were unaware of the restricted reports, since they had not been indexed or archived by GAO.

Publication of the titles of restricted GAO reports “was not necessarily universally desired by everyone in Congress,” the staffer said, and “it took about a year” to resolve the issue. But “GAO deserves a lot of credit. They decided it was the right thing to do, and they did it.”

Although primarily aimed at congressional consumers, the new webpage also serves to inform the public. GAO is not subject to the Freedom of Information Act, but will usually entertain requests for records anyway. However, GAO is not authorized to release information that has been classified or controlled by an executive branch agency.

The full list of restricted reports is here. Below are the reports relevant to the State Department:

Kabul: Camp Sullivan Mishap Related to HESCO Security Barriers
GAO-15-708RSU: Published: September 28, 2015

Diplomatic Security: State Department Should Better Manage Risks to Residences and Other Soft Targets Overseas

GAO-15-512SU: Published: June 18, 2015

Combating Terrorism: Steps Taken to Mitigate Threats to Locally Hired Staff, but State Department Could Improve Reporting on Terrorist Threats

GAO-15-458SU: Published: June 17, 2015

Combating Terrorism: State Should Review How It Addresses Holds Placed During the Foreign Terrorist Organization Designation Process

GAO-15-439SU: Published: April 21, 2015

Interagency Coordination: DoD and State Need to Clarify DoD roles and Responsibilities to Protect U.S. Personnel and Facilities Overseas in High-Threat Areas

GAO-15-219C: Published: March 4, 2015

Critical Infrastructure Protection: DHS and State Need to Improve Their Process for Identifying Foreign Dependencies

GAO-15-233C: Published: February 26, 2015

Intermediate-Range Nuclear Forces Treaty: State Informs Congress of Russian Compliance through Reports and Briefings

GAO-15-318RSU: Published: February 25, 2015

Spying Case Against Robin Raphel Fizzles; AG Lynch’s “Houston, We Have a Problem” Moment

Posted: 2:05 am EDT


We blogged about the Robin Raphel case in September (see The Murky Robin Raphel Case 10 Months On, Remains Murky … Why?.

In November 2014, we also blogged this: Robin Raphel, Presumption of Innocence and Tin Can Phones for Pak Officials.

On October 10, the NYTimes reported that officials apparently now say that the spying investigation has all but fizzled. This leaves the Justice Department to decide whether to prosecute Ms. Raphel for the far less serious charge of keeping classified information in her home.

The fallout from the investigation has in the meantime seriously damaged Ms. Raphel’s reputation, built over decades in some of the world’s most volatile countries.

If the Justice Department declines to file spying charges, as several officials said they expected, it will be the latest example of American law enforcement agencies bringing an espionage investigation into the public eye, only to see it dissipate under further scrutiny. Last month, the Justice Department dropped charges against a Temple University physicist who had been accused of sharing sensitive information with China. In May, prosecutors dropped all charges against a government hydrologist who had been under investigation for espionage.
Some American investigators remain suspicious of Ms. Raphel and are loath to abandon the case entirely. Even if the government cannot mount a case for outright spying, they are pushing for a felony charge related to the classified information in her home.







In the case of Xiaoxing Xi, the Temple university professor and head of the school’s physics department, federal authorities handling the case were said to have misunderstood key parts of the science behind the professor’s work.  Mr. Xi’s lawyer said, “We found what appeared to be some fundamental mistakes and misunderstandings about the science and technology involved here.” The federal officials handling the Xi case did not know the science but went ahead and indicted him anyway.

Are we going to hear soon that the federal officials handling the Raphel case also made some fundamental mistakes and misunderstanding of the diplomatic tradecraft?  At least two of these officials leaked the probe to the news media even if no charges were filed against Ambassador Raphel.

This  was not a harmless leak. She lost her security clearance, and her job at the State Department without ever being charged of any crime. And in the court of social media, just the news that she is reportedly the subject of a spying investigation is enough to get her attacked and pilloried for treason. Perhaps, the most disturbing part in the report is that the authorities appear to have no case against her for spying, so now they’re considering slapping her with a felony charge under the Espionage Act.

Now, why would they do that?

Perhaps to save face and never having to admit that federal authorities made a mistake or lack an understanding of international statecraft? They could say —  see, we got something out of a year’s worth of investigation, so it was not completely useless.

Or perhaps because American investigators still viewed Ambassador Raphel’s relationships with deep suspicion?

Because, obviously, “deep suspicion” is now the bar for an espionage charge?

We should note that the hydrologist, Sherry Chen was cleared of spying charges but was notified in September that she will be fired by the National Weather Service for many of the same reasons the USG originally prosecuted her. Xiaoxing Xi of Temple University had been charged with “four counts of wire fraud in the case involving the development of a pocket heater for magnesium diboride thin films.” The USG asked to dismiss the case without prejudice, meaning it could be revived, according to

Unlike the Chen and Xi cases, Raphel was never charged and was not afforded the right to defend herself in the court of law.  What we have in one case may have been a misunderstanding, a second case, may well have been a mistake, but a third case is certainly, a trend.

This is AG Loretta Lynch’s  “Houston, we have a problem” moment.


Was the Consular Consolidated Database (CCD) the main target of the twin hackers?

Posted: 1:27 am EDT


In May 2015, a federal grand jury indicted twin brothers Muneeb and Sohaib Akhter, 23, of Springfield, Virginia, on charges of aggravated identity theft, conspiracy to commit wire fraud, conspiracy to access a protected computer without authorization, access of a protected computer without authorization, conspiracy to access a government computer without authorization, false statements, and obstruction of justice.  According to USDOJ, the brothers and coconspirators also devised a scheme to hack into computer systems at the U.S.  Department of State to access network traffic and to obtain passport information.  (See Twin Brothers and Co-Conspirators on Alleged Scheme to Hack State Dept to Obtain Passport Information).

The bothers pleaded guilty on June 26, 2015.   On October 2, the USDOJ announced that Muneeb Akhter was sentenced for accessing a protected computer without authorization, making a false statement and obstructing justice.  Muneeb Akhter was sentenced to 39 months in prison and Sohaib Akhter was sentenced to 24 months in prison.  Each man was also sentenced to three years of supervised release. Case title: USA v. Akhter et al.  Below is an excerpt from the announcement:

[T]he Akhter brothers and co-conspirators engaged in a series of computer intrusions and attempted computer intrusions against the U.S. Department of State to obtain sensitive passport and visa information and other related and valuable information about State Department computer systems.  In or around February 2015, Sohaib Akhter used his contract position at the State Department to access sensitive computer systems containing personally identifiable information belonging to dozens of co-workers, acquaintances, a former employer and a federal law enforcement agent investigating his crimes.

Sohaib Akhter later devised a scheme to ensure that he could maintain perpetual access to desired State Department systems.  Sohaib Akhter, with the help of Muneeb Akhter and co-conspirators, attempted to secretly install an electronic collection device inside a State Department building.  Once installed, the device could have enabled Sohaib Akhter and co-conspirators to remotely access and collect data from State Department computer systems.  Sohaib Akhter was forced to abandon the plan during its execution when he broke the device while attempting to install it behind a wall at a State Department facility in Washington, D.C.

Furthermore, beginning in or about November 2013, Muneeb Akhter was performing contract work for a private data aggregation company located in Rockville, Maryland.  He hacked into the company’s database of federal contract information so that he and his brother could use the information to tailor successful bids to win contracts and clients for their own technology company.  Muneeb Akhter also inserted codes onto the victim company’s servers that caused them to vote for Akhter in an online contest and send more than 10,000 mass emails to students at George Mason University, also for the purpose of garnering contest votes.

In or about October 2014, Muneeb Akhter lied about his hacking activities and employment history on a government background investigation form while successfully obtaining a position with a defense contractor.  Furthermore, in or about March 2015, after his arrest and release pending trial, Muneeb Akhter obstructed justice by endeavoring to isolate a key co-conspirator from law enforcement officers investigating the conspirators’ crimes.  Among other acts, Muneeb Akhter drove the co-conspirator to the airport and purchased a boarding pass, which the co-conspirator used to travel out of the country to the Republic of Malta.  When the co-conspirator returned to the United States, Muneeb Akhter continued to encourage the co-conspirator to avoid law enforcement agents.

One of the brothers was profiled by WaPo in 2014. Both brothers started college at 16 and they were George Mason’s youngest graduates in 2011. In 2012, the brothers received a $200,000 grant from the Defense Advanced Research Project Agency, or DARPA.

The details of this case are even more disturbing.  Under Count Eight  (Conspiracy to Access a Government Computer without Authorization).

60. The Bureau of Consular Affairs (hereinafter “Bureau”) is a division of the State Department, which administers laws, formulates regulations, and implements policies relating to consular services and immigration. It has physical offices in Washington, DC.

61. Passport Lockbox (hereinafter “Lockbox”) is a Bureau program that performs payment processing, scarming of applications, and initial data entry for US. passport applications. Lockbox has a computer database containing imaged passport applications associated with real individuals. The imaged passport applications in Lockbox’s database contain, among other things, a photograph of the passport applicant, as well as certain personal information including the applicant’s full name, date and place of birth, current address, telephone numbers, parent information, spouse’s name, and emergency contact information.

62. ActioNet, Inc. (hereinafter “ActioNet”) is a contractor that provided information technology support to the State Department. It has physical offices in Falls Church, Virginia, located in the Eastern District of Virginia.

63. From in or about October 2014 to in or about February 2015, SOHAIB AKHTER was a contract employee at ActioNet assigned to a position at the State Department as a Tier II Application Support Resource in the Data Engineering and Data Management Program within the Bureau.

64. Prior to accessing the Lockbox database, and throughout his tenure as a contractor with the State Department, SOHAIB AKHTER was made aware of and indicated he understood: (a) the confidential nature of the Lockbox database and the confidential personal data contained therein; (b) the information contained in the passport records maintained by the State Department pursuant to Lockbox is protected from unauthorized disclosure by the Privacy Act of 1974, 5 U.S.C. § 552a; and (c) passport applications maintained by the State Department in the Lockbox database should be accessed only in connection with an employee’s official government duties and not the employee’s interest or curiosity.

69. MUNEEB AKHTER and SOHAIB AKHTER, UCC-l, and other coconspirators known and unknown to the Grand Jury, engaged in a series of computer intrusions and attempted computer intrusions against the State Department to obtain sensitive passport and visa information and other related and valuable information about State Department computer systems.

70. SOHAIB AKHTER used his contract position at the State Department to search for and access sensitive passport information belonging to coworkers, acquaintances, a former employer, and federal agents investigating him for crimes alleged in this Indictment. After accessing sensitive passport information from State Department computers, SOHAIB AKHTER copied, saved, and shared this information with coconspirators.

71. SOHAIB AKHTER also attempted to use his access to State Department computer systems to create an unauthorized account that would enable him to access State Department computer systems undetected. SOHAIB AKHTER surreptitiously installed malicious programs onto State Department computer systems in order to execute his plan to create the backdoor login account.

72. SOHAIB AKHTER orchestrated a scheme to secretly install a physical device at a State Department building known as SA-17. Once installed, the device would enable SOHAIB AKHTER and coconspirators to collect data from and remotely access State Department computer systems.

73. SOHAIB AKHTER led the conspiracy, organized the intrusion to install the physical device, recruited coconspirators to assist in execution of the intrusion, and managed the execution of the intrusion.

74. MUNEEB AKHTER provided technical assistance to SOHAIB AKHTER for the unauthorized access. MUNEEB AKHTER programmed the physical device, known as a “gumstix,” so that it would collect data from State Department computers and transmit it wirelessly to computers controlled by MUNEEB AKHTER and SOHAIB AKHTER and coconspirators.

75. On the day the scheme was executed, UCC-1 transported materials, including the gumstix, from MUNEEB AKHTER, located at the AKHTER residence, to SOHAIB AKHTER, located at SA-17.
78. In or about October 2014, SOHAIB AKHTER was hired by ActioNet to perform contract work for the State Department at both ActioNet offices in Falls Church, Virginia, and Bureau offices in Washington, DC.

79. Beginning on or about February 12, 2015, and continuing thereafter until on or about February 19, 2015, in Falls Church, Virginia, in the Eastern District of Virginia, and elsewhere, SOHAIB AKHTER, while employed at ActioNet, accessed the Lockbox database without authorization. .

80. Between on or about February 12, 2015, and on or about February 19, 2015, SOHAIB AKHTER conducted approximately 119 searches for U.S. passport records using the Passport Lockbox Lookup report. He accessed personal passport information for approximately 62 different individuals, including: G.R., a DHS special agent investigating the crimes alleged in this Indictment; UCC-1; A.I.; A.M., the CEO of Victim Company 2; and himself. In addition, SOHAIB AKHTER attempted to access passport information for S.T., a DHS special agent investigating the crimes alleged in this Indictment.

82. In or about February 2015, SOHAIB AKHTER viewed and copied from State Department computer systems the personal passport information associated with several individuals, including DHS Special Agent G.R.

83. In or about March 2015, MUNEEB AKHTER told UCC-1 that he and SOHAIB AKHTER stored the personal passport information that SOHIAB AKHTER removed from State Department systems on an external hard drive. MUNEEB AKHTER told UCC-1 that Special Agent G.R.’s information would be valuable to criminals on the “dark net” and that he was considering selling the information.

84. In or about February 2015, SOHAIB AKHTER downloaded several programs to a State Department computer. These programs included malicious software, or malware, which SOHAIB AKHTER hoped would enable him to access State Department computers remotely.

85. In or about February 2015, SOHAIB AKHTER told UCC-1 that if he was able to gain remote access to State Department computer systems, he could: access information on individuals’ passport applications; access and unilaterally approve visa applications without State Department authorization in exchange for payment; and create passports and visas and sell them on the “dark net.”

86. On or about February 15, 2015, SOHAIB AKHTER called UCC-1 and asked him to buy a drill. UCC-1 purchased the drill and then, pursuant to SOHAIB AKHTER’s request, drove to the AKHTER residence to pick up additional items from MUNEEB AKHTER. At the AKHTER residence, in Springfield, Virginia, in the Eastern District of Virginia, MUNEEB AKHTER told UCC-1 that he was programming a SD card, which was later to be inserted into the gumstix. MUNEEB AKHTER gave UCC-1 a bag containing a screwdriver, tape, glue, and the gumstix. Pursuant to SOHAIB AKHTER’s request, UCC—l drove to SA-17, in Washington, DC, and delivered the bag and items to SOHAIB AKHTER outside SA-17. Later that day, MUNEEB AKHTER drove separately to Washington, DC, and delivered the SD card to SOHAIB AKHTER.

87. On or about the evening of February 15, 2015, SOHAIB AKHTER called MUNEEB AKHTER and told him that he attempted to install the gumstix behind a wall inside SA-17 but was ultimately unsuccessful.

88. On or about February 19, 2015, SOHAIB AKHTER sent an email from his State Department email account to the email address containing lines of code and headers for State Department servers.


We’re not sure reading this if the intrusion was done on the State Department’s Travel Document Issuance System (TDIS) which includes information from U.S. citizens and nationals applying for passports, other Department of State computer systems, passport acceptance agents, the Social Security Administration, the lockbox provider (CITIBANK), passport specialists, and fraud prevention managers, or, if the intrusion occurred on the Passport Information Electronic Records Systems (PIERS), or wait … the motherload, the Consular Consolidated Database (CCD) The Passport Lockbox program cited in the indictment is vague; it’s not a system of record according to the State Department’s System of Records Notices.  But the indictment identifies it as a State Department database. Could this be in reference to the Citibank® Lockbox Services? That is a high-speed processing environment and image-based platform for receivables management, advanced reporting and image inquiry used by the State Department to enable the scanning of applications, extraction of applicant photos received at lockbox locations and storing and batching of images.

Note that #69 of the indictment also alleges “a series of computer intrusions and attempted computer intrusions against the State Department to obtain sensitive passport and visa information;” does that mean the targeted system was the CCD?  The CCD provides access to passport data in Travel Document Issuance System (TDIS), Passport Lookout Tracking System (PLOTS), and Passport Information Electronic Records System (PIERS).  As of December 2009, the CCD also contains over 100 million visa cases and 75 million photographs, utilizing billions of rows of data, and has a current growth rate of approximately 35 thousand visa cases every day.

By the way, one of the brothers was a contract employee assigned to a position at the State Department as a Tier II Application Support Resource in the Data Engineering and Data Management Program within the CA Bureau from October 2014 to in or about February 2015 (#63).  In November 2014, the State Department suffered some “technical difficulties.” See State Dept Re-attached to the Internet, and About Those “Unrelated” Embassy Outages; State Department’s “Technical Difficulties” Continue Worldwide, So What About the CCD?

Was it just a coincidence that a master of the universe hacker was working at the State Department at the time when the agency’s systems were having technical difficulties?

Or were the Akhter twins the “technical difficulties”?





When the Boss Is Last to Know: Chaffetz Snoops at the Secret Service

Posted: 1:06 pm EDT


The Department of Homeland Security Inspector General has completed its independent investigation into allegations that one or more Secret Service agents improperly accessed internal databases to look up the 2003 employment application of Congressman Jason Chaffetz, Chairman of the House Committee on Oversight and Government Reform. The Inspector General has confirmed that between March 24 and April 2, 2015, on approximately 60 different occasions, 45 Secret Service employees accessed Chaffetz’ sensitive personal information. The OIG concluded that only 4 of the 45 employees had an arguable legitimate need to access the information.

Here is the IG’s conclusion:

This episode reflects an obvious lack of care on the part of Secret Service personnel as to the sensitivity of the information entrusted to them. It also reflects a failure by the Secret Service management and leadership to understand the potential risk to the agency as events unfolded and react to and prevent or mitigate the damage caused by their workforce’s actions.

Screen Shot 2015-09-30

via dhs/oig

All personnel involved – the agents who inappropriately accessed the information, the mid-level supervisors who understood what was occurring, and the senior leadership of the Service – bear responsibility for what occurred. Better and more frequent training is only part of the solution. Ultimately, while the responsibility for this activity can be fairly placed on the shoulders of the agents who casually disregarded important privacy rules, the Secret Service leadership must do a better job of controlling the actions of its personnel. The Secret Service leadership must demonstrate a commitment to integrity. This includes setting an appropriate tone at the top, but more importantly requires a commitment to establishing and adhering to standards of conduct and ethical and reasonable behavior. Standards of conduct and ethics are meaningful only if they are enforced and if deviations from such standards are dealt with appropriately.

It doesn’t take a lawyer explaining the nuances of the Privacy Act to know that the conduct that occurred here – by dozens of agents in every part of the agency – was simply wrong. The agents should have known better. Those who engaged in this behavior should be made to understand how destructive and corrosive to the agency their actions were. These agents work for an agency whose motto – “worthy of trust and confidence” – is engraved in marble in the lobby of their headquarters building. Few could credibly argue that the agents involved in this episode lived up to that motto. Given the sensitivity of the information with which these agents are entrusted, particularly with regard to their protective function, this episode is deeply disturbing.

Additionally, it is especially ironic, and troubling, that the Director of the Secret Service was apparently the only one in the Secret Service who was unaware of the issue until it reached the media. At the March 24th hearing, he testified that he was “infuriated” that he was not made aware of the March 4th drinking incident. He testified that he was “working furiously to try to break down these barriers where people feel that they can’t talk up the chain.” In the days after this testimony, 18 supervisors, including his Chief of Staff and the Deputy Director, were aware of what was occurring. Yet, the Director himself did not know. When he became aware, he took swift and decisive action, but too late to prevent his agency from again being subject to justified criticism.

Read the full report here. Check out Appendix 1 for the chronological access to the Chaffetz record which includes multiple field offices, including the London office. Appendix 2 is the timeline of record access.

We can’t remember anything like this happening in the recent past.  There was the 1992 passportgate, of course, which involves a presidential candidate, but that’s not quite the same. In 2009, the DOJ said that a ninth individual pleaded guilty for illegally accessing numerous confidential passport application files, although it was for what’s considered “idle curiosity.”

Whether the intent of the Chaffetz record breach was to embarrass a sitting congressman or curiosity (not everyone who looked at the files leak it to the media), the files are protected by the Privacy Act of 1974, and access by employees is strictly limited to official government duties. Only 4 of the 45 employees who did access the Chaffetz records had a legitimate reason to access the protected information. If the DOJ pursued 9 State Department employees for peeking at the passport records of politicians and celebrities, we can’t imagine that it could simply look away in this case. Particularly in this case.  Winter is definitely coming to the Secret Service.



Federal Employees With Stolen Fingerprints From OPM Breach – Now Up to 5.6 Million

Posted: 12:05 pm EDT
Updated: 6:39 pm PDT



Here is the official statement from OPM dated September 23, 2015:

As part of the government’s ongoing work to notify individuals affected by the theft of background investigation records, the Office of Personnel Management and the Department of Defense have been analyzing impacted data to verify its quality and completeness.  During that process, OPM and DoD identified archived records containing additional fingerprint data not previously analyzed.  Of the 21.5 million individuals whose Social Security Numbers and other sensitive information were impacted by the breach, the subset of individuals whose fingerprints have been stolen has increased from a total of approximately 1.1 million to approximately 5.6 million.  This does not increase the overall estimate of 21.5 million individuals impacted by the incident.  An interagency team will continue to analyze and refine the data as it prepares to mail notification letters to impacted individuals.

Federal experts believe that, as of now, the ability to misuse fingerprint data is limited.  However, this probability could change over time as technology evolves.  Therefore, an interagency working group with expertise in this area – including the FBI, DHS, DOD, and other members of the Intelligence Community – will review the potential ways adversaries could misuse fingerprint data now and in the future.  This group will also seek to develop potential ways to prevent such misuse.  If, in the future, new means are developed to misuse the fingerprint data, the government will provide additional information to individuals whose fingerprints may have been stolen in this breach.

As we have stated previously, all individuals impacted by this intrusion and their minor dependent children (as of July 1, 2015) are eligible for identify theft and fraud protection services, at no cost to them.  In conjunction with the Department of Defense, OPM is working to begin mailing notifications to impacted individuals, and these notifications will proceed on a rolling basis.

OPM and our partners across government are working to protect the safety and security of the information of Federal employees, service-members, contractors, and others who provide their information to us. Together with our interagency partners, OPM is committed to delivering high-quality identity protection services to impacted individuals. The interagency team will continue to review the impacted data to enhance its quality and completeness, and to monitor for any misuse of the data. The U.S. Government will continue to evaluate the coverage being provided and whether any adjustments are needed in association with this incident.

Sigh. Grrr. Sigh. Grrr. Sigh. Grrr. Sigh. Grrr.






GAO: FASTC Fort Pickett Fully Meets Requirements, FLETC Glynco, Not Really

Posted: 3:25 am EDT

We have previously written about the State Department’s Foreign Affairs Security Training Center (FASTC) project that has been snared in a tug of war in Congress.

On September 9, the Government Accountability Office finally released its review of the project. Concerned by the considerable variation in the cost estimates for FASTC and FLETC, members of Congress requested that GAO provide further information on both the requirements and costs of DS training. GAO examined (1) key site requirements critical to the provision of DS training and the extent to which the FASTC and FLETC proposals meet these requirements and (2) the estimated capital and recurring costs of these proposals and the extent to which the capital cost estimates conform to leading practices for reliable cost estimates. The GAO report was publicly released on September 16.

Screen Shot 2015-09-16

via GAO

See Figure 3: Key Events in Plans to Consolidate Bureau of Diplomatic Security Training (pdf)

Excerpt below:

State has been in the process of looking for a site suitable for its DS training facility for more than a decade. In 2011, State and the General Services Administration (GSA) identified Fort Pickett near Blackstone, Virginia, as the preferred site for the Foreign Affairs Security Training Center (FASTC). The initial 2012 master plan for FASTC would have consolidated hard- and soft-skills training at Fort Pickett for an estimated cost of $925 million. In March 2013, State reduced the scope of FASTC to exclude facilities for soft-skills training and life support functions, such as dormitories and a cafeteria, ultimately decreasing the estimated cost of the current proposal to $413 million. Also in 2013, the Office of Management and Budget (OMB) directed State to work with the Department of Homeland Security (DHS) to assess the viability of using the Federal Law Enforcement Training Centers (FLETC) in Glynco, Georgia, to accommodate DS’s training. In November 2013, FLETC submitted a business case to OMB indicating that it could meet DS’s requirements, including soft-skills training, for an estimated cost of $272 million. Following this assessment, DS, FLETC, and OMB could not agree on a path forward.

In April 2014, the administration reaffirmed the selection of Fort Pickett for FASTC, and State and GSA began implementing their plan to construct FASTC. State and GSA have obligated about $71 million to date toward FASTC at Fort Pickett.2 In May 2015, GSA purchased land and, in June 2015, awarded a contract for the initial phase of construction of FASTC.
[W]e analyzed four of DS’s requirements that we determined were critical in the selection of a site for DS’s training facility and found that Fort Pickett fully met all four while FLETC did not fully meet any.7 First, building FASTC at Fort Pickett would enable DS to consolidate at one location 10 of the 12 widely scattered hard-skills training venues it is currently using.8 FLETC can accommodate many of these venues on its Glynco campus but would have to conduct some exercises at a Marine Corps training facility about 30 miles away. Second, we found that Fort Pickett is available for nighttime training, which DS conducts on about 190 days per year, while at FLETC there may be some limitations on nighttime training. We also determined that the Fort Pickett site held advantages in terms of proximity to Washington, D.C., and exclusivity of use, both of which were requirements highlighted in reports stemming from the Benghazi ARB.

We found that neither the FASTC nor the FLETC estimate for capital costs fully meets best practices. The FASTC estimate fully or substantially meets three of the four characteristics—comprehensive, well documented, and accurate—and partially meets one characteristic of reliable cost estimates— credible; the FLETC estimate partially or minimally meets all four characteristics.10 FLETC officials noted that their estimate was prepared in a short period of time based on incomplete information regarding State’s requirements; more complete information would have enabled them to develop a more comprehensive estimate. See enclosure V for more detail on our assessment. Our assessment of the reliability of these cost estimates focused on the processes used to develop the estimates rather than estimates themselves, enabling us to make a more direct comparison of their reliability.

In addition to capital costs for acquisition and construction of a DS training center, the government will incur costs of sending students to training. These recurring student costs include travel, lodging, meals and incidental expenses, and compensation for time spent traveling. We projected these costs over 10, 25, and 50 years in three different scenarios for both the FASTC and FLETC proposals. We estimate that the costs of sending students to FASTC over 10 years will be $43 million to $121 million less, in net present value, than sending students to FLETC.11 The difference in student costs between FASTC and FLETC increases over time, from between $122 million and $323 million less for FASTC after 25 years, to between $309 and $736 million after 50 years. See enclosure III for further details on the assumptions used in each of these scenarios.

Click on 672362 to read the full report (38 pages – pdf).

Maybe this is the end of it and the project at Fort Pickett can finally go forward?  It is likely that there will be at least one more hearing on this, one congressional committee (was that HOGR?) promised a hearings once the GAO report is completed.


State Dept: “In the process of updating” its new rules for speaking and writing. Again.

Posted: 1:23  am EDT


In December 2012, we were informed by inside the building sources that the State Department was rewriting its 3 FAM 4170 rules on official clearance for speaking, writing, and teaching. (see State Dept to Rewrite Media Engagement Rules for Employees in Wake of Van Buren Affair).

On July 27, 2015, two months short of Year 3 since Peter Van Buren retired, the State Department without much fanfare released its new 3 FAM 4170 rules in 19 pages. (see State Dept Releases New 3 FAM 4170 aka: The “Stop The Next Peter Van Buren” Regulation).

The new 3 FAM 4171.b says (see pdf):

 Former Department of State employees (including former interns and externs) must seek guidance from A/GIS/IPS for applicable review process information. Former USAID employees (including former interns and externs) must consult the Bureau for Legislative and Public Affairs for applicable review process information.

On September 3, we asked the State Department for guidance on pre-publication requirement for former/retired employees under the new 3 FAM 4170.

Last Friday, after a second inquiry, we finally got a response from a State Department spokesman as follows:

 The Department is in the process of updating the Foreign Affairs Manual (FAM) guidance relating to the pre-publication obligations of former employees.  Former employees’ obligations will vary based upon the non-disclosure agreements they may have signed. For example, they may have obligations under the Classified Information Non-Disclosure Agreement (SF-312) or the SCI (Sensitive Compartmented Information) Non-Disclosure Agreement (Form 4414).

If employees have signed a non-disclosure/secrecy agreement with another agency, then they may also have pre-publication review obligations with those agencies as well. This obligation is separate from any requirement for pre-publication review that an employee may have with the State Department but the Department can provide the coordination with those other agencies, if requested.

SF-312 Classified Information Nondisclosure Agreement via specifically contains the following paragraphs:

3. I have been advised that the unauthorized disclosure, unauthorized retention, or negligent handling of classified information by me could cause damage or irreparable injury to the United States or could be used to advantage by a foreign nation. I hereby agree that I will never divulge classified information to anyone unless: (a) I have officially verified that the recipient has been properly authorized by the United States Government to receive it; or (b) I have been given prior written notice of authorization from the United States Government Department or Agency (hereinafter Department or Agency) responsible for the classification of information or last granting me a security clearance that such disclosure is permitted. I understand that if I am uncertain about the classification status of information, I am required to confirm from an authorized official that the information is unclassified before I may disclose it, except to a person as provided in (a) or (b), above. I further understand that I am obligated to comply with laws and regulations that prohibit the unauthorized disclosure of classified information.

5. I hereby assign to the United States Government all royalties, remunerations, and emoluments that have resulted, will result or may result from any disclosure, publication, or revelation of classified information not consistent with the terms of this Agreement.

8. Unless and until I am released in writing by an authorized representative of the United States Government, I understand that all conditions and obligations imposed upon me by this Agreement apply during the time I am granted access to classified information, and at all times thereafter.

Sensitive Compartmented Information Non-Disclosure Agreement Form 4414 via NCSC (pdf) contains the following:

4. (U) In consideration of being granted access to SCI and of being assigned or retained in a position of special confidence and trust requiring access to SCI, I hereby agree to submit for security review by the Department or Agency that last authorized my access to such information or material, any writing or other preparation in any form, including a work of fiction, that contains or purports to contain any SCI or description of activities that produce or relate to SCI or that I have reason to believe are derived from SCI, that I contemplate disclosing to any person not authorized to have access to SCI or that I have prepared for public disclosure. I understand and agree that my obligation to submit such preparations for review applies during the course of my access to SCI and thereafter, and I agree to make any required submissions prior to discussing the preparation with, or showing it to, anyone who is not authorized to have access to SCI. I further agree that I will not disclose the contents of such preparation with, or show it to, anyone who is not authorized to have access to SCI until I have received written authorization from the Department or Agency that last authorized my access to SCI that such disclosure is permitted.

5. (U) I understand that the purpose of the review described in paragraph 4 is to give the United States a reasonable opportunity to determine whether the preparation submitted pursuant to paragraph 4 sets forth any SCI. I further understand that the Department or Agency to which I have made a submission will act upon it, coordinating within the Intelligence Community when appropriate, and make a response to me within a reasonable time, not to exceed 30 working days from date of receipt.

9. (U) Unless and until I am released in writing by an authorized representative of the Department or Agency that last provided me with access to SCI, I understand that all conditions and obligations imposed on me by this Agreement apply during the time I am granted access to SCI, and at all times thereafter.

Whoa! Is there a way out?

The State Department has  several student paid/unpaid internship programs.  The program’s eligibility requirement includes the ability to receive either a Secret or Top Secret clearance (pdf). So, does a student who receives a one-year internship at State be in the hook for life when it comes to obtaining clearance for speaking, writing, teaching and all media engagement as it is written under 3 FAM 4170? Are the interns/externs aware of their obligations under these rules before they sign up for these internships?

Where can interns/externs obtain a release in writing from a State Department representative?  We originally sent our inquiry to A/GIS/IPS cited as the contact office, but could not even get a response from there. There is no easily available email box to send the request either for a clearance or to request a release.

NOTE: For current employees, the reviewing office is the Bureau of Public Affairs (paclearances[at] It looks like State/PA also has The PA Clearances Database accessible online. You need to sign up to register for an account to allow the online submission of clearance requests to the Bureau of Public Affairs. The site says “Using this site will expedite your clearance request.”

For former and retired State Department employees, how far back is the USG going to reach back? For life?

On December 29, 2009, President Obama issued Executive Order 13526 which prescribes a uniform system for classifying, safeguarding, and declassifying national security information.  “No information may remain classified indefinitely,” the order says.  The default declassification date, is 10 years. After 25 years, declassification review is automatic, with nine narrow exceptions that allow information to continue to be classified. Classifications beyond 75 years require special permission.

Given the default declassification at 10 years, can retired and former employees get an automatic release from these obligation at 10 years after they leave their jobs at the State Department?

For employees who are no longer attached in any capacity to the State Department, and haven’t been for 20 years, and have no interest in pursuing consulting or WAE appointments at the agency, ought they not be able to obtain a release from their obligations under these nondisclosure provisions?

Perhaps it’s time for State to put together its own Publication Review Board (PRB)? The CIA has one, and this article by John Hollister Hedley, the Chairman of the PRB on former CIA employees seeking to become published authors is instructive:

The courts have held that this signed agreement is a lifetime enforceable contract.(3) The courts also have noted that the secrecy agreement is a prior restraint of First Amendment freedom. But they ruled it a legitimate restraint, provided it is limited to the deletion of classified information and so long as a review of a proposed publication is conducted and a response given to its author within 30 days.(4)
The important thing is for us to be reasonable and professional about what we protect. It does not take a genius to know what information requires a hard look: for example, in an age of terrorism and for privacy act considerations, we have to protect identities not already in the public domain. Also taboo–because they impact adversely our ability to conduct our business, most of it necessarily in secret–are cover arrangements, liaison relationships, covert facilities, and unique collection and analytic capabilities. These constitute the sources and methods that truly need protection. For the most part, they can easily be avoided without keeping an author from telling a story or restricting an author’s opinion on a variety of intelligence subjects.

In prepublication reviews, we have to show we know the difference between what truly is sensitive and what is not. We do not earn respect just by saying “no,” but neither do we earn respect just by giving away information. Our unique role is to judge whether a denial of disclosure would stand up in court, whether we could make a compelling case in a court of law that specific damage to US national security would result. We can have it both ways: we can protect that which needs to be protected, while being forthcoming about intelligence activities in a way that can help educate, inform, enlighten, and even entertain the general public. That is the cost of doing business in this free society we help to preserve; trying to have it both ways is a challenge that comes with the territory.

The article is focused on pre-publication review of manuscripts but notes that the submissions ranges “from 1,000-page book manuscripts to one-page letters to the editor. There are speeches, journal articles, theses and op-eds, book reviews, and movie scripts. There are scholarly treatises, works of fiction, and, recently, a cookbook featuring a collection of recipes acquired and served by Agency officers and spouses around the world. Perhaps the most novel review (no pun intended) involved an interactive CD-ROM video spy game co-authored by former Director of Central Intelligence (DCI) William Colby and KGB Gen. Oleg Kalugin.”

We should note that the State Department’s pre-publication review has three purposes per 3 FAM 4170:

(1) The personal capacity public communications review requirement is intended to serve three purposes: to determine whether the communication would disclose classified or other protected information without authorization; to allow the Department to prepare to handle any potential ramifications for its mission or employees that could result from the proposed public communication; or, in rare cases, to identify public communications that are highly likely to result in serious adverse consequences to the mission or efficiency of the Department, such that the Secretary or Deputy Secretary must be afforded the opportunity to decide whether it is necessary to prohibit the communication (see 3 FAM 4176.4).

The CIA’s PRB on the other hand says that  the sole purpose of its prepublication review is “to assist authors in avoiding inadvertent disclosure of classified information which, if disclosed, would be damaging to national security–just that and nothing more.”


Related items:

SF312-13 | Classified Information Nondisclosure Agreement

FORM_4414_Rev_12_2013 | Sensitive Compartmented Information Non-Disclosure Agreement