Keeping Up With the State Department Spox’s Explainer on the Clinton Separation Statement

Posted: 12:42 am EDT

 

The hunt for Secretary Clinton’s OF-109 Separation Statement was all over the news last week, although it seemed, oh, so much longer. Fox News was searching for it. The Daily Caller found a whistleblower who alleged a double standard. Media Matters called out the conservative media’s own double standard. Add the official spokesperson of the State Department and we got a free roller coaster ride plus coupons.

It looks like 12 FAM 564.4 is the relevant regulation um, excuse me, “recommendation” in the Foreign Affairs Manual. Waiting for the spox to clarify that although the briefing is mandatory, signing the separation statement is really optional and voluntary!

12 FAM 564.4 Termination
(TL:DS-88; 02-13-2003) (Uniform State, AID, OPIC, TDP)
a. A security debriefing will be conducted and a separation statement will be completed whenever an employee is terminating employment or is otherwise to be separated for a continuous period of 60 days or more. The debriefing is mandatory to ensure that separating personnel are aware of the requirement to return all classified material and of a continuing responsibility to safeguard their knowledge of any classified information. The separating employee must be advised of the applicable laws on the protection and disclosure of classified information (see 12 FAM 557 Exhibit 557.3) before signing Form OF-109, Separation Statement (see 12 FAM 564 Exhibit 564.4).

 

Via DPB, March 17, 2015 with State Department Spokesperson Jennifer Psaki:

QUESTION: So when you say – it is my understanding that all employees – and I think you even alluded to this when it first came up, that all employees were required to sign this document on completion of their government service. Is that not the case?

MS. PSAKI: Required is not the accurate term. It’s – we’re looking into how standard this is across the federal government and certainly at the State Department. But there’s no – we’re not aware of any penalty for not signing it.

QUESTION: Well, at the State Department, though, is it – it is common practice, though, is it not, for employees, at least employees below the rank of Secretary of State to sign such a thing – to sign such a document when they leave? Is it not?

MS. PSAKI: Well, I just don’t want to characterize how common practice it is. Certainly, I understand there’s been a focus on this form. We’ve answered the question on whether or not Secretary Clinton signed the form, and we’ll see if there’s more statistics we can provide about how common it is.

QUESTION: It’s your understanding, though, that not completing this form is not a violation of any rule or regulation?

MS. PSAKI: It’s not a violation of any rule, no.

QUESTION: And when you said that you have found no record of her two immediate – was it her two immediate predecessors?

MS. PSAKI: Correct.

 


AFSA Politely Asks the State Dept: Is Adherence to the Foreign Affairs Manual Optional For Some?

Posted: 1:01  am EDT

 

The Daily Press Briefing of March 11 toppled me off my chair when I heard the official spokesperson of the State Department, Jennifer Psaki, say from the podium, “The FAM is not a regulation; it’s recommendations.” (see NewsFlash: “The FAM is not a regulation; it’s recommendations.” Hurry, DECLINE button over there!).

On March 17, the American Foreign Service Association (AFSA) wrote to Arnold Chacon, the Director General of the Foreign Service and the State Department’s top HR official requesting clarity on the applicability of 3 FAM to career and political/non-career employees of the oldest executive agency in the union.

We would be grateful if you could help us understand if there is, in practice or by law, any difference in how these standards apply to and are enforced for non-career appointees as opposed to career employees, both Foreign Service and Civil Service.

AFSA noted the March 10 press briefing, where Spokesperson Jen Psaki referred to 3 FAM as “guidelines” as distinguished from “law”:

As the Foreign Service, we have always understood the FAM to consist of regulations to which we must adhere. AFSA would like to ask if non-career appointees are formally subject to all of the rules and regulations in 3 FAM.


 

3 FAM is the section of the Foreign Affairs Manual that covers personnel:

This volume of the FAM sets forth the policies and regulations governing the administration of the personnel system applicable to the Department of State. Regulations adopted jointly by the Department of State and other agencies (e.g. Broadcasting Board of Governors, USAID, Commerce, Agriculture, Peace Corps,) are so identified wherever they appear in this volume. (see pdf)

Volume 3 of the FAM is organized around eight major personnel topics, each of which is assigned a series of nine chapters of 89 subchapters. In so far as is practicable, each subchapter is restricted to a single topic. Since some topics relate to both Foreign Service and Civil Service employees, while others relate to employees of only one of the services, subchapters, or parts thereof, contain a legend, which indicates coverage.

☞Chapters in the 1000 series contain general information on the organization of the FAM and general policies and regulations relating to all Civil Service and/or Foreign Service employees.

☞Chapters in the 2000 series contain regulations and policies, which govern the day-to-day operations of the Foreign Service and Civil Service personnel systems.

☞Chapters in the 3000 series contain regulations and policies which govern Civil Service and Foreign Service pay, leave administration, benefits (e.g. Federal Employees Health Benefits (FEHB), Federal Employees Group Life Insurance (FEGLI), Office of Worker’s Compensation Program (OWCP), Unemployment Compensation for Federal Employees (UCFE), Reasonable Accommodations), allowances and travel. In addition, Chapters in the 3000 series contains special program regulations and policies such as Transit Subsidy Program, Student Loan Repayment Program (SLRP), and Professional Liability Insurance (PLI).

☞Chapters in the 4000 series contain regulations and policies which govern the conduct of Foreign Service and Civil Service employees; provide penalties for misconduct; establish grievance and appeals procedures; and provide for awards for outstanding performance.

☞Chapters in the 5000 series contain regulations and policies, which govern labor management relations in the Department.

☞Chapters in the 6000 series contain regulations and policies, which govern the administration of the retirement program for Civil Service and Foreign Service employees.

☞Chapters in the 7000 series contain regulations and policies, which govern the administration of the Foreign Service National personnel system for Overseas Employees.

☞Chapters in the 8000 series contain regulations and policies, which govern the administration of the various overseas employment programs administered by the Office of Overseas Employment (HR/OE).

If it comes from the podium, it is official.

So it is, of course, understandable that AFSA is concerned when she calls the FAM “guidelines.”  But equally troubling to hear her say from the official podium that the FAM is not regulations but recommendations, as if somehow adherence to it is voluntary and optional. We’ve asked state.gov for a comment and the nice person there told us they’re consulting with their subject matter experts and hopefully will have something for us.

Anyone have an in with the folks at the Office of the Legal Adviser? Would you kindly please ask them to wade in on this?

#

Ex-Chief Information-Disclosure Guru on Hillary’s Email Defense and the Folks Asleep at the Switch

Posted: 12:40  am EDT

 


Dan Metcalfe spent more than thirty years working at the U.S. Department of Justice where he served from 1981 to 2007 as director of the Office of Information and Privacy. He was responsible for overseeing the implementation of the FOIA throughout the entire executive branch. He now teaches secrecy law at American University’s Washington College of Law. His deconstruction of the former secretary of state’s explanation on her exclusive use of private email is probably the best one we’ve seen so far. There is also an analysis here from the National Security Archive.

Below is an excerpt from the op-ed piece Mr. Metcalfe wrote for Politico:

[T]here is the compounding fact that Secretary Clinton did not merely use a personal email account; she used one that atypically operated solely through her own personal email server, which she evidently had installed in her home. This meant that, unlike the multitudes who use a Gmail account, for instance, she was able to keep her communications entirely “in house,” even more deeply within her personal control. No “cloud” for posterity, or chance of Google receiving a congressional subpoena—not for her. No potentially pesky “metadata” surrounding her communications or detailed server logs to complicate things. And absolutely no practical constraint on her ability to dispose of any official email of “hers,” for any reason, at any time, entirely on her own. Bluntly put, when this unique records regime was established, somebody was asleep at the switch, at either the State Department or the National Archives and Records Administration (which oversees compliance with the Federal Records Act)—or both.

[…] as Secretary Clinton might like to claim personal “credit” for this successful scheme when talking with her friends about it within the privacy of her own home—perhaps while leaning against her private Internet server in her basement—the fact is that she didn’t invent this form of law circumvention; she just uniquely refined it. Yes, it was the Bush administration—specifically, the White House Office of Administration in concert with Vice President Dick Cheney, Karl Rove and the Republican National Committee—that likewise succeeded with wholesale email diversion back in the pre-smartphone days of freewheeling Blackberry usage.

Unfortunately for all of us, the competition for perverse “honors” in the world of circumventing both the letter and the spirit of federal records laws is indeed quite stiff.

Read more here in Politico Magazine.

An internet security expert tells Quartz  that a home server is “kind of like putting your money in your mattress.”


It did, didn’t it? Lockbox.

Then there’s this guy who in 1994 was a 22-year-old who worked as a computer programmer for a company called Information Management Consultants tasked with sorting through presidential docs in 1993. He wondered if the Clinton team included technical wizards who designed a flawless keyword search when combing through her emails:

If so, she should release technical documentation of the search algorithm, the test procedure, and the test results — assuming they tested it. Without that information, we have no basis for sharing Hillary Clinton’s “absolute confidence” that the State Department has received all her work-related email communication.

Hey, wouldn’t it be nice to know who should get a large medal for being asleep at the switch at the State Department on this? Asleep at the switch doesn’t sound very good but perhaps it is a kinder version for whatever it was that happened at HST.

#

OIG: Only 41,749 State Dept Record Emails Preserved Out Of Over a Billion Emails Sent

Posted: 4:29 pm EDT
Updated: March 12, 9:29 pm PST

State Department deputy spokeswoman Marie Harf told CNN that since the inspector general is independent from the department “they will have to speak to the timing and details of releasing this report, which they control.”

So we asked the IG and we’re told that “the timing of the release of this report (ISP-I-15-15) was purely coincidental to the recent email issue.”

*

State/OIG did a review (pdf) of the Department’s State Messaging and Archive Retrieval Toolset (SMART) and Record Email in Washington, DC, between January 24 and March 15, 2014. According to the OIG, in 2013, Department employees created 41,749 record emails. These statistics are similar to numbers from 2011, when Department employees created 61,156 record emails out of more than a billion emails sent. Department officials have noted that many emails that qualify as records are not being saved as record emails.

Below are the highlights of the OIG review:

  • A 2009 upgrade in the Department of State’s system facilitated the preservation of emails as official records. However, Department of State employees have not received adequate training or guidance on their responsibilities for using those systems to preserve “record emails.” In 2011, employees created 61,156 record emails out of more than a billion emails sent. Employees created 41,749 record emails in 2013.
  • Record email usage varies widely across bureaus and missions. The Bureau of Administration needs to exercise central oversight of the use of the record email function.
  • Some employees do not create record emails because they do not want to make the email available in searches or fear that this availability would inhibit debate about pending decisions.
  • System designers in the Bureau of Information Resource Management need more understanding and knowledge of the needs of their customers to make the system more useful. A new procedure for monitoring the needs of customers would facilitate making those adjustments.

Additional details from the OIG report:

The need for official records

The Department of State (Department) and its employees need official records for many purposes: reference in conducting ongoing operations; orientation of successors; defending the U.S. Government’s position in disputes or misunderstandings; holding individuals accountable; recording policies, practices, and accomplishments; responding to congressional and other enquiries; and documenting U.S. diplomatic history. Record preservation is particularly important in the Department because Foreign Service officers rotate into new positions every 2 or 3 years. Federal law requires departments, agencies, and their employees to create records of their more significant actions and to preserve records according to Governmentwide standards.

Who has responsibility for the preservation of official records?

Every employee in the Department has the responsibility of preserving emails that should be retained as official records. The Office of Information Programs and Services in the Bureau of Administration’s Office of Global Information Services (A/GIS/IPS) is responsible for the Department’s records management program, including providing guidance on the preservation of records for the Department and ensuring compliance. IRM administers the enterprise email system, including SMART, and therefore provides the technical infrastructure for sending and receiving emails and preserving some as record email.

What constitute official records? 

If an employee puts down on paper or in electronic form information about “the organization, functions, policies, decisions, procedures, operations, or other activities of the Government,” the information may be appropriate for preservation and therefore a record according to law, whether or not the author recognizes this fact. Whether the written information creates a record is a matter of content, not form. Federal statutes, regulations, presidential executive orders, the Foreign Affairs Manual (FAM), Department notices, cables, and the SMART Messaging Guidebook contain the criteria for creating and maintaining official records and associated employee responsibilities.

Which email messages should be saved as records?

According to Department guidance referenced above, email messages should be saved as records if they document the formulation and execution of basic policies and actions or important meetings; if they facilitate action by agency officials and their successors in office; if they help Department officials answer congressional questions; or if they protect the financial, legal, and other rights of the government or persons the government’s actions directly affect. Guidance also provides a series of questions prompting employees to consider whether the information should be shared, whether the successor would find the email helpful, whether it is an email that would ordinarily be saved in the employee’s own records, whether it contains historically important information, whether it preserves the employee’s position on an issue, or whether it documents important actions that affect financial or legal rights of the government or the public.

 

The OIG report notes that it has previously examined the Department’s records management, including electronic records management, in its 2012 inspection of A/GIS/IPS. OIG found that A/GIS/IPS was not meeting statutory and regulatory records management requirements because, although the office developed policy and issued guidance on records management, it did not ensure proper implementation, monitor performance, or enforce compliance. OIG also noted that, although SMART users can save emails as records using the record email function, they save only a fraction of the numbers sent. OIG recommended that the Bureau of Administration implement a plan to increase the number of record emails saved in SMART.

That was in 2012.

The OIG team also found that “several major conditions impede the use of record emails: an absence of centralized oversight; a lack of understanding and knowledge of record-keeping requirements; a reluctance to use record email because of possible consequences; a lack of understanding of SMART features; and impediments in the software that prevent easy use.”

To show how misunderstood the requirement to save record emails is, see the following chart. The U.S. Embassy in Hanoi had 993 record emails compared to US Embassy Islamabad, which had only 121 record emails preserved. The US Consulate General in Guangzhou had 2 record emails while USCG Ho Chi Minh City had 539. It looks like the US Embassy in Singapore, with 1,047 record emails, had the highest number of record emails preserved in 2013. The frontline posts like Baghdad had 303, Kabul had 61, Sana’a had 142 and Tripoli had 10 record emails in 2013. The only explanation here is that the folks in Singapore had a better understanding of record email requirements than the folks in our frontline posts. Given that the turnover of personnel at these frontline posts is more frequent, this can have consequential outcomes not just for the public’s right to know but for continuity of operations.


Again, via the OIG:

Many inspections of embassies and bureaus have found that the use of SMART and the record email function are poorly understood. This lack of understanding is one of the principal causes of the failure of U.S. embassies to use record email more often. The inspections show that many employees do not know what types of emails should be saved as record emails. The employees typically need more and clearer guidance and more training. OIG has made formal and informal recommendations to increase the use of record email, to write and distribute formal embassy or bureau guidance on record email, and to arrange for training.

The A/GIS/IPS office is under the Assistant Secretary for the Bureau of Administration, an office that reports to the Under Secretary for Management (M). The Bureau of Information Resource Management (IRM) also reports to M.

 #

NewsFlash: “The FAM is not a regulation; it’s recommendations.” Hurry, DECLINE button over there!

Posted: 12:30 pm EDT

 

“I don’t have the FAM in front of me. I can certainly check and see if there were certain policies, if there were regulations. The FAM is not a regulation; it’s recommendations.”

That’s a direct quote from the official spokesperson of the U.S. Department of State, Jennifer Psaki, who managed to change internal agency policy in just eight words during the Daily Press Briefing on March 10, 2015. Here is a screenshot from the transcript that you may look at just as soon as you’ve picked up your jaw from the floor.


 

Dammit! Yahoo called the FAM “regulations.” It obviously has no idea there’s something wrong with its search engine!


 

Okay, let’s try searching for this at the State Department’s official website at state.gov.


Well, it turns out, those folks running the official agency website also have no idea they have this  all wrong. Calling the FAM “regs” is not acceptable because that stands for “regulations.” This would make us all think that the FAM is regulations. And according to the official spokesperson, the FAM is really just recommendations.  And if so, this must mean that the Foreign Affairs Manual is just a suggestion or proposal for the best course of action for State Department employees. Are folks subjected to it free to decline some or all those recommendations?

The Office of Directives Management must now change the URL from http://www.state.gov/m/a/dir/regs/ to http://www.state.gov/m/a/dir/recommendations/  — otherwise this will all lead to confusion.

But this is actually great news.

That FSO who was charged $14,804.01 by the State Department for packing, shipping, storing and repacking household effects (HHE) that included 44 boxes of marble tiles weighing 5871 pounds – may now go back and ask for a refund. The specialist who was disciplined “for improper personal conduct and failure to follow regulations” following an extramarital sexual relationship with a local national and not informing his wife about the affair, may now go back and tell the FSGB that he’ll decline the State Department’s recommendations.

FSGB No. 2009-041:  The Department argues that the regulation in effect in 1999, 6 FAM 161.4 (currently 14 FAM 611.5(2)) clearly prohibits shipment and storage of construction materials as HHE.  As a Foreign Service Officer, grievant is responsible for knowing all of the applicable regulations.

FSGB No. 2011-051 (pdf):  Department regulations state the applicable policies regarding employee conduct that may result in disciplinary action. Grievant was obliged to know these regulations and to conform his conduct accordingly. 3 FAM 4130, Standards for Appointment and Continued Employment, provides guidelines for when disciplinary action may be taken against an employee. 3 FAM 4138 provides that disciplinary action may be taken for:

criminal, dishonest or disgraceful conduct (see section 3 FAM 4139.14); . . . conduct which furnishes substantial reason to believe that the individual may be or is being subject to coercion, improper influence, or pressure which is reasonably likely to cause the individual to act contrary to the national security or foreign relations of the United States; . . . conduct which clearly shows poor judgment or lack of discretion which may reasonably affect an individual or the agency’s ability to carry out its responsibilities or mission.

This is going to put the entire Foreign Service Grievance Board out of work, right?

Anyone who’s ever been cited for FAM infractions and/or been disciplined as a result of the contents in the Foreign Affairs Manual may consider ringing their lawyers.  All employees, presumably, are now welcome to decline any or all recommendations under the FAM?

Arrggghhh! Quit laughing. This isn’t funny!

#

Former Secretary Clinton talks about her state.gov private emails

Posted: 01:11 am  EDT

 

Excerpt from the transcript of Hillary Clinton’s remarks on the email controversy swirling about via Time’s @ZekeJMiller:

There are four things I want the public to know.

First, when I got to work as secretary of state, I opted for convenience to use my personal email account, which was allowed by the State Department, because I thought it would be easier to carry just one device for my work and for my personal emails instead of two.

Looking back, it would’ve been better if I’d simply used a second email account and carried a second phone, but at the time, this didn’t seem like an issue.

Second, the vast majority of my work emails went to government employees at their government addresses, which meant they were captured and preserved immediately on the system at the State Department.

Third, after I left office, the State Department asked former secretaries of state for our assistance in providing copies of work-related emails from our personal accounts. I responded right away and provided all my emails that could possibly be work-related, which totalled roughly 55,000 printed pages, even though I knew that the State Department already had the vast majority of them. We went through a thorough process to identify all of my work-related emails and deliver them to the State Department. At the end, I chose not to keep my private personal emails — emails about planning Chelsea’s wedding or my mother’s funeral arrangements, condolence notes to friends as well as yoga routines, family vacations, the other things you typically find in inboxes.

No one wants their personal emails made public, and I think most people understand that and respect that privacy.

Fourth, I took the unprecedented step of asking that the State Department make all my work-related emails public for everyone to see.

I am very proud of the work that I and my colleagues and our public servants at the department did during my four years as secretary of state, and I look forward to people being able to see that for themselves.

Again, looking back, it would’ve been better for me to use two separate phones and two email accounts. I thought using one device would be simpler, and obviously, it hasn’t worked out that way.

 

The Clinton folks have also released a Q&A on her email use:

 


So if we tell over 70,000 employees that they should secure their email accounts and “avoid conducting official Department business from your personal email accounts,” then we go off and use our own private non-government email, what leadership message are we sending out to the troops?  Follow what I say not what I do?


The secretary of state is the highest classifying authority at the State Department. Since she did not have a state.gov account, does this mean she never sent/received any classified material via email in the entirety of her tenure at the State Department? If so, was there a specific person who routinely checked classified email and cable traffic intended for the secretary of state?


The podium heads insist that there is no restriction on the use of private emails. Never mind that this is exclusive use of private emails. If a junior diplomat or IT specialist sets up his/her own email server to conduct government business at the home backyard shed in Northern Virginia, do you think Diplomatic Security would not be after him or her? Would he/she even get tenured by the Tenuring Board despite systems management practices contrary to published guidelines? If the answer is “yes,” we’d really like to know how this works. For ordinary people.

And then there’s this — if there were a hundred people at State that the then secretary of state regularly sent emails to, was there not a single one who said, “wait a minute, this might not be such a great idea”?


Bottom line despite this brouhaha? Her personal email server will remain private. She has full control over what the public gets to see. End of story. Or maybe not.


Oops, what’s this? Oh, dear.

#

 

FOIA Access to Information Scorecard 2015: State Department Gets an “F”

Posted: 5:27 pm EDT
Updated: March 13, 8:54 pm EDT, WSJ video added

 

Yesterday, we did a snapshot of the FOIA operation in FY2014 based on the State Department’s annual reporting.

The following excerpt is from Making the Grade, Access to Information Scorecard 2015 (pdf), originally published by the Center for Effective Government. To support their work, please check them out here.

A building block of American democracy is the idea that citizens have a right to information about how their government works and what it does in their name. An informed citizenry is a key component of a healthy democracy. And without detailed information about what government does, citizens can’t hold their elected and appointed officials accountable for their actions.

These values were codified into law in 1966 with the passage of the Freedom of Information Act (FOIA). This law gives anyone a right to request information from government agencies and requires agencies to promptly provide that information unless disclosure would harm a “specifically protected interest” established by law; protecting the personal privacy rights of individuals is one such interest. Over the years, millions of citizens have benefitted from the law’s disclosure of information about the safety of consumer products, environmental health risks in their communities, and public spending.

[…]

This is the second year the Center for Effective Government has conducted an in-depth analysis of FOIA implementation for the 15 federal agencies that together received over 90 percent of all the freedom of information requests in 2012 and 2013 (the most recent years for which data is available).

Image from Center for Effective Government


  • The Department of State score (37 percent) was particularly dismal. While its website is a bright spot for the agency (with a solid 80 percent on that sub-score), its 23 percent processing score is completely out of line with any other agency’s performance.
  • The State Department was the only agency in the scorecard whose rules do not require staff to notify requesters when processing is delayed, even though this is mandated by law.
  • While 65 percent of its requests were simple, only eight percent were processed within the required 20 days. The State Department had the second-largest request backlog and the third-lowest rate of fully-granted requests. Only 51 percent of requests were granted in full or in part at the State Department. The agency also had the longest average processing time for appeals – 540 days, or roughly a year and a half – and the second-largest backlog of appeals.

 #

Daily Press Briefing Needs IT and FOIA Specialists on HRC Emails, Plus HAK Files Go to Court

Posted: 1:25 am EDT

Clip via PostTV

Argghhhh! Whaaat?

Email System

The State Department has multiple automated information systems. All employees, including locally employed staff and contractors (apparently with the exception of Secretary Clinton and who knows how many others), have state.gov email addresses for use in their unclassified workstations.  But not everyone has classified access and in some places, you have to go to a controlled location just to read your classified email.  Here is a quick description from publicly available documents:

    • OpenNet is the Department’s internal network (intranet), which provides access to Department-specific Web pages, email, and other resources.
    • ClassNet is the Department’s worldwide national security information computer network and may carry information classified at or below the Secret level.
    • SMART-SBU or just “SMART” replaces existing Department of State unclassified email and cable systems with a Microsoft Outlook-based system.
    • SMART-C is the Classified State Messaging and Archive Retrieval Toolset

 

No one “scans” emails for classified material?

The real question seems to be — well, if all her email communication was conducted through a private email server — how can we be sure that no classified and sensitive information was transmitted using her private email account? We can’t, how can we?

However, for ordinary employees with badges and logins, an Information System Security Officer (ISSO) has “read access to the employee’s mailbox to ensure that no messages contain classification levels higher than that allowed on the authorized information system” (see 12 FAM 640-pdf). Which seems to indicate that ISSOs as a matter of course, “scan” State Department electronic mailboxes and files to ensure that there are no material there beyond “Sensitive But Unclassified” in the unclass system, for example.


Moving on to fumigation

Anyways — remember the WikiLeaks fallout? At that time, federal employees and contractors who believed they may have inadvertently accessed or downloaded classified or sensitive information on computers that access the web via non-classified government systems, or without prior authorization, were told to contact their information security offices for assistance.

If the unthinkable did happen, their unclassified computers required the equivalent of um… let’s say, digital “fumigation.” But who does that for private email servers?

The office that handles FOIA requests is the Office of Information Programs and Services (A/GIS/IPS/RL) under the Bureau of Administration. The Department also has its own chief information officer. Can we please have the State Department’s IT and FOIA experts talk about this from the podium?  Please, please, please, pretty please, this is getting more painful to watch every day.

 

 

In related news — when you see reports that US embassies have been cited multiple times by State/OIG for use of “personal email folders,” we suggest you take a deep breath. That’s not/not the same as the use of personal private emails like Yahoo or Gmail. What those OIG reports are probably referring to are the personal storage folders, also known as .pst files, in Microsoft Outlook on the employees’ hard disk drives. Why would you want to save your emails in the personal folders of your computer?

Because a .pst file is kept on your computer, it is not subject to mailbox size limits on the mail server. By moving items to a .pst file on your computer, you can free up storage space in the mailbox on your mail server.

 

Just because you have classification authority, must you?

Below is an excerpt from the State Department Classification Guide | January 2005, Edition 1 (pdf via the Federation of American Scientists)

High Level Correspondence. This includes letters, diplomatic notes or memoranda or other reports of telephone or face-to-face conversations involving foreign chiefs of state or government, cabinet-level officials or comparable level figures, e.g., leaders of opposition parties. It should be presumed that this type of information should be classified at least CONFIDENTIAL, though the actual level of classification will depend upon the sensitivity of the contained information and classification normally assigned by the U.S. to this category of information. Information from senior officials shall normally be assigned a classification duration of at least ten years. Some subjects, such as cooperation on matters affecting third countries, or negotiation of secret agreements, would merit original classification for up to 25 years.

One thing to remember here, and it’s an important one — the secretary of state is the highest classification authority at the State Department.

CFR 2005 Title 22 Volume I Section 9-10:

(a) In the Department of State authority for original classification of information as “Top Secret” may be exercised only by the Secretary of State and those officials delegated this authority in writing, by position or by name, by the Secretary or the DAS/CDC, as the senior official, on the basis of their frequent need to exercise such authority.

But why would the USG’s classification guide or classification authority even apply to an email server that apparently is not owned nor physically possessed or maintained by the State Department?


No one is coming out of this smelling like roses

The 67th secretary of state exclusively used private email during her entire tenure at the State Department. She left the State Department on February 1, 2013. The official word is that in October 2014 — to improve record-keeping or something — the State Department “reached out to all of the former secretaries of state to ask them to provide any records they had.” Secretary Clinton reportedly sent back “55,000 pages of documents to the State Department very shortly” after the letter was sent to her. “She was the only former Secretary of State who sent documents back in to this request,” said Ms. Harf. This storyline is not even walking quite straight anymore, according to the NYT’s follow-up report of March 5.

What appears clear is that the USG cannot possibly know the answer to the endless questions surrounding these emails since it does not have possession of the private email server used in the conduct of official business. But somebody must know how this set-up came to be in 2009. What originated this, and what security, if any, was put in place?

As if we don’t have enough  disturbing news … have you seen this?

 

But 56th took his files with him!

In related news, the National Security Archive filed suit against the State Department this week under the Freedom of Information Act to force the release of the last 700 transcripts of former Secretary of State Henry Kissinger’s telephone calls (telcons). The Archive’s appeal of State’s withholding dates back to 2007.

 

The 56th secretary of state had reportedly removed the telcons, along with his memcons and office files, from the State Department when he left office at the end of 1976. According to the FOIA-released declassification guide for the State Department “information that still requires protection beyond 25 years should be classified for only as long as considered necessary to protect the national security.”

But … but …it’s been almost 40 years, heeeellloo!

Where are we again? Oh, utterly distressed by this whole thing.

 

 

Related post:

Don’t read WL from your workstation, if read elsewhere make sure you wash your eyes or you go blind….

 

Related items:

It could be a very long time before Hillary Clinton’s State Department e-mails see the light of day (WaPo)

12 FAM 640  DOMESTIC AND OVERSEAS AUTOMATED INFORMATION SYSTEMS CONNECTIVITY (pdf)

Leaked Guccifer emails did say “confidential” but the purported sender of those emails was no longer in USG service and presumably, no longer had any classification authority.

 

Snapshot: State Dept FY2014 FOIA Personnel and Costs

Posted: 9:46 am EST

 

Via FY 2014 FOIA Annual Report:

During this fiscal year the Department experienced a 60 percent increase in FOIA lawsuits over fiscal year 2013. The majority of new lawsuits involved voluminous sensitive records that required careful coordination with other federal agencies. To meet the demands of this upswing in FOIA lawsuits, the Department reallocated resources from FOIA processing to FOIA litigation, which directly impacted efforts to manage and reduce the backlog of pending FOIA requests that are not in litigation.

Despite all efforts, including employing best practices established during the successful backlog reduction project in fiscal year 2013 as well as processing over 88 percent of the thousands of referrals that were pending from last fiscal year and received by the Department this fiscal year, the FOIA request backlog rose by 15.8 percent this fiscal year. However, the Department achieved a significant reduction in the FOIA appeal backlog lowering the backlog by 13.7 percent. The Department also closed its ten oldest requests and consultations. These accomplishments are especially noteworthy in light of the fact that the Department reallocated FOIA processing resources to address large, complex FOIA litigation cases and to provide assistance to the Department on significant special document productions throughout the fiscal year.

Note that the backlog of FOIA requests and administrative appeals at the end of FY2014 (September 30, 2014) is 10,045, or 1,376 cases more than FY2013. Processing of simple FOIA cases can take anywhere from 3 days to 1,576 days, or 4.3 years. Processing complex cases can take anywhere from 11 days to 2,237 days, or 6.1 years. The average number of days for processing expedited FOIA cases is 385.6 days. (see pdf)

In the table below, the “Equivalent Full-Time FOIA Employees” include When Actually Employed (WAE) former Foreign Service Officers who perform document review and students who work part-time throughout the year to process FOIA requests. Note that the breakdown of personnel does not identify exactly how many WAE and how many students are working FOIA cases, only that they are equivalent to “full-time employees.” WAE employees have no regularly scheduled tour of duty and the hours worked cannot exceed 1,040 in a calendar year. As for the students, we don’t know how many students rotate through the FOIA office requiring training every year. It is also useful to know that each bureau has its own WAE application and appointment procedures and the ability to hire is limited by the bureau’s budget.

[Image: Screen Shot 2015-03-08]

According to the annual report, the processing costs below include “a percentage of the costs incurred by IT staff who were employed to support the FOIA program as one of their major duties.” The IT staffing numbers are not reflected in the personnel data column, so we also have no idea how many IT staff support the FOIA office.

[Image: Screen Shot 2015-03-08]

 #


Rabbit Hole News: State Dept’s Private Email Usage Policy, Plus Attn: State/OIG – Firecracker Coming Your Way

Posted: 01:47 EST
Updated: 11:19 EST
Updated: 15:14 EST

 

Shortly after the NYT broke the story about the former secretary of state’s exclusive use of a personal email account to conduct government business, we sent an inquiry to the State Department’s Office of Inspector General. We didn’t know if they could comment about it but we wanted to ask anyway. We’ve looked at the regs but the FAM is silent on the use of private email, or at least we thought it was. It almost seems as if the rule makers presumed that all employees will be using official email; thus, the rules only spell out the requirement for the preservation of records.

If Secretary Clinton was using a private email account and if her close advisers were also using private email accounts, we wanted to know how this is reconciled with the ability of individuals to FOIA government documents. We were also interested in how this would keep other senior or even regular employees from using Yahoo or Gmail to conduct official business.

State/OIG’s response was, “we are not in a position to comment at this time.”

Actually, we asked the wrong questions.

In 2012, we blogged about the OIG inspection report of the U.S. Embassy in Kenya. (See State/OIG Releases Ambassador Scott Gration’s Embassy Report Card – And Look, No Redactions!). We mentioned in passing the ambassador’s use of commercial email for official government business. In light of these news reports that Secretary Clinton exclusively used nongovernment email during her four-year tenure as secretary of state, the old 2012 report is getting some legs again.

 

Below is an excerpt from that 2012 report specifically addressing the ambassador’s use of commercial email for daily communication of official government business. The ambassador was also slammed for using “a government-owned laptop that is not physically or electronically connected to the Department’s OpenNet network.”  

Mission Leadership Challenge 

Very soon after the Ambassador’s arrival in May 2011, he broadcast his lack of confidence in the information management staff. Because the information management office could not change the Department’s policy for handling Sensitive But Unclassified material, he assumed charge of the mission’s information management operations. He ordered a commercial Internet connection installed in his embassy office bathroom so he could work there on a laptop not connected to the Department email system. He drafted and distributed a mission policy authorizing himself and other mission personnel to use commercial email for daily communication of official government business. During the inspection, the Ambassador continued to use commercial email for official government business. The Department email system provides automatic security, record-keeping, and backup functions as required. The Ambassador’s requirements for use of commercial email in the office and his flouting of direct instructions to adhere to Department policy have placed the information management staff in a conundrum: balancing the desire to be responsive to their mission leader and the need to adhere to Department regulations and government information security standards. The Ambassador compounded the problem on several occasions by publicly berating members of the staff, attacking them personally, loudly questioning their competence, and threatening career-ending disciplinary actions. These actions have sapped the resources and morale of a busy and understaffed information management staff as it supports the largest embassy in sub-Saharan Africa.

Authorized Automated Information Systems 

The Ambassador uses a government-owned laptop that is not physically or electronically connected to the Department’s OpenNet network. Authorized Department OpenNet email systems are available on the Ambassador’s office desktop. According to 12 FAM 544.3 and 11 State 73417 (from the Assistant Secretary for Diplomatic Security to the Ambassador), it is the Department’s general policy that normal day-to-day operations be conducted on an authorized information system, which has the proper level of security controls. The use of unauthorized information systems increases the risk for data loss, phishing, and spoofing of email accounts, as well as inadequate protections for personally identifiable information. The use of unauthorized information systems can also result in the loss of official public records as these systems do not have approved record preservation or backup functions. Conducting official business on non-Department automated information systems must be limited to only maintaining communications during emergencies.

Recommendation 57: Embassy Nairobi should cease using commercial email to process Department information and use authorized Department automated information systems for conducting official business. (Action: Embassy Nairobi)

Source:  Inspection of Embassy Nairobi, Kenya | Report Number ISP-I-12-38A, August 2012 | pdf

 

We should point out that the 2012 report was issued prior to the tenure of IG Steve Linick, and Secretary Clinton’s tenure at the State Department ended in February 2013. But with 2016 just around the corner, this email debacle will not die a quiet death.

The unclassified cable STATE 065111 on securing email accounts, sent to all overseas posts on June 28, 2011, only says “avoid conducting official Department business from your personal email accounts.”

See the magic word there? It did not say you can’t, only that you shouldn’t.

So for the second day in a row, the subject of the Clinton emails was featured in the Daily Press Briefing. The State Department’s deputy spox, Marie Harf was impressive when she said that “There was no prohibition” on the use of personal email.  She emphasized that “There was not then and there is not now a prohibition on using a personal email for official business, and at the time she was in office, there was no time requirement for when those needed to be preserved as records.”

Entertainment value? High.

In any case, the question that we probably should have asked the OIG is this — if an ambassador was “hammered” for his use of nongovernment, private email, can we presume that ordinary bureaucrats would get a similar treatment? And if this is so — don’t we then have a set of rules that applied to everyone but the head of the agency? We originally cited 5 FAM 440 (pdf) as the rules governing Electronic Records, Facsimile Records, and Electronic Mail Records in the State Department. But wait — the 2012 OIG report on Kenya cited 12 FAM 544.3 Electronic Transmission Via the Internet (pdf), a section of the FAM that has been in the rule books since 2005. It says in part:

It is the Department’s general policy that normal day-to-day operations be conducted on an authorized AIS [automated information system], which has the proper level of security control to provide nonrepudiation, authentication and encryption, to ensure confidentiality, integrity, and availability of the resident information. The Department’s authorized telework solution(s) are designed in a manner that meet these requirements and are not considered end points outside of the Department’s management control.
[…]
c. Employees should be aware that transmissions from the Department’s OpenNet to and from non-U.S. Government Internet addresses, and other .gov or .mil addresses, unless specifically directed through an approved secure means, traverse the Internet unencrypted. Therefore, employees must be cognizant of the sensitivity of the information and mandated security controls, and evaluate the possible security risks and then decide whether a more secure means of transmission is warranted (i.e., secure fax, mail or network, etc.)

d. In the absence of a Department-provided secure method, employees with a valid business need may transmit SBU information over the Internet unencrypted after carefully considering that:

(1) SBU information within the category in 12 FAM 541b(7)(a) and (b) must never be sent unencrypted via the Internet;

(2) Unencrypted information transmitted via the Internet is susceptible to access by unauthorized personnel;

(3) Email transmissions via the Internet generally consist of multipoint communications that are routed to their destination through the path of least resistance, which may include multiple foreign and U.S. controlled Internet service providers (ISP);

(4) Once resident on an ISP server, the SBU information remains until it is overwritten;

(5) Unencrypted email transmissions are subject to a risk of compromise of information confidentiality or integrity;

(6) SBU information resident on personally owned computers connected to the Internet is generally more susceptible to cyber attacks and/or compromise than information on government owned computers connected to the Internet;

(7) The Internet is globally accessed (i.e., there are no physical or traditional territorial boundaries). Transmissions through foreign ISPs or servers can magnify these risks; and

(8) Current technology can target specific email addresses or suffixes and content of unencrypted messages.

 

General policies, of course, can have exceptions, and if that’s what happened here, wouldn’t it be nice to know who was granted exceptions to use private email accounts besides the secretary of state, and why? And did the Legal Advisor or somebody else sign off on those exceptions? Was the clintonemail.com server an authorized AIS [automated information system] of the State Department, and if so, who authorized it?

We cannot predict where this email controversy is going to end, but some Internet sleuth is digging up Dubai, Denmark, Luxembourg in what seems to be an already convoluted matter. If you read the link below, there is an interesting question of whether the Clinton e-mail server was hosted for some period of time by an outside hosting firm. If the hosting firm was based overseas at an external location in Texas or elsewhere, wouldn’t this be an added headache for cybersecurity and something the OIG’s new Office of Evaluations and Special Projects (ESP) might be interested in?

While the Inspector General of the State Department might not be in a position to comment about this issue publicly at this time, or might not want to wade into the rabbit hole with this political firecracker, it may not have much of a choice. Even our apolitical neighbors were dismayed by this. The perception that the rules may have been applied selectively, based on rank, undermines the Service. That in itself is an excellent excuse to review the entire practice and determine to what extent exceptions were made. The Republican National Committee has reportedly already asked the Office of Inspector General to look into whether Clinton’s practices led her or the department to violate the Federal Records Act.

It’s only a matter of time before there is a formal congressional request. Heads up State/OIG, this firecracker is heading your way.

* * *

Related post:
So wait — Hillary Clinton never got a state.gov email? What does the FAM say?

Related items:

State Department June 28, 2011 Unclassified Cable 065111 on Securing Email Accounts via (foxnews)

NARA Bulletin 2014-06 | September 15, 2014 – Guidance on Managing Email

NARA Bulletin 2013-03 | September 9, 2013 – Guidance for agency employees on the management of Federal records, including email accounts, and the protection of Federal records from unauthorized removal

NARA Bulletin 2011-03 | December 22, 2010 – Guidance Concerning the use of E-mail Archiving Applications to Store E-mail

OMB | Managing Government Records Directive requires that Federal agencies manage all their email electronically by December 31, 2016.