What’s Next For Former FSO Michael Sestak, Plus Some Unanswered Questions

Posted: 2:05 pm EDT

 

On August 14, 2015, former FSO Michael T. Sestak was sentenced to 64 months imprisonment for receiving over $3 million in bribes in exchange for visas at the U.S. Consulate General in Ho Chi Minh City, Vietnam.

The Preliminary Consent Order of Forfeiture filed in the District Court of Columbia includes forfeiture of a) “any property, real or personal, which constitutes or is derived from proceeds traceable to the offense;” and  b) “a money judgment equal to the value of any property, real or personal, which constitutes or is derived from proceeds traceable to the offense.”

The consent order identifies 1) any and all funds and securities seized from Scottrade Account #XXXX001S, held in the name of Anhdao Thuy Nguyen (“Scottrade Account”); and 2) $198,199.13 seized from the Department of Treasury from the Treasury Suspense Account under Seizure Number 38l30010—O1 (“Treasury Account”); and 3) a money judgment in the amount of at least $6,021,440.58, for which the defendant (Sestak) is jointly and severally liable with any co-conspirators ordered to pay a forfeiture money judgment as a result of a conviction for either offense.

In the plea agreement, Sestak agreed to sell nine properties in Thailand and that the proceeds would be paid to the United States to satisfy a portion of the money judgment entered against him. The consent order also notes that “upon entry of a forfeiture order, Fed. R. Crim. P. 32.2(b)(3) authorizes the Attorney General or a designee to conduct any discovery the Court considers proper in identifying, locating, or disposing of property subject to forfeiture.”

In a pre-sentencing filing, Mr. Sestak requested that any term of incarceration occur in a Camp-level facility, specifically at FCI Miami or, if that’s not available, FCI Pensacola. The defense justification is based on Sestak’s “lack of criminal history, the non-violent nature of the crimes, his cooperation with the Government, his lifetime of public service, his age, education, and status as a trustee during his pretrial confinement at Northern Neck Regional Jail.”

We had a chance to ask his lawyer, Gray Broughton, a few questions; we wanted to know where he will be incarcerated.

“The Bureau of Prisons will ultimately make a determination as to where Mr. Sestak is incarcerated,” said Mr. Broughton. The defense lawyer again cited the nonviolent nature of the crimes and Mr. Sestak’s “clean criminal history.” According to his lawyer, Mr. Sestak should be housed in a lower security level facility, and his prior employment with the U.S. Marshal will be taken into consideration by the Bureau of Prisons.

We asked about the plea deals received by Sestak and main co-conspirator Binh Vo. Sestak’s lawyer believed the government made the best deal it could:

Mr. Sestak received a sentence of 64 months – 32 months less than codefendant Binh Vo, who received a sentence of 96 months. The Government will end up getting roughly $5M from Binh Vo – the $3M it already seized and the $2M he has agreed to pay in the next year. Binh Vo’s money (and his wife) are all currently outside of the U.S., so the U.S. doesn’t have any control over either. It made the best deal it felt it could with Binh Vo.

We were also interested in the duration of the sentence. By our calculation, Mr. Sestak would be almost 50 by the time he completes his sentence. Mr. Broughton, however, told us that “assuming good behavior, Mr. Sestak would serve 85% of the sentence.” He will reportedly also get credit toward his sentence for the 27 months he has been in jail since his arrest. We’re not sure if he’ll get credit for the full 27 months. But if that’s the case, and if our math is correct, he’d be out in 2-3 years.

We asked what happened to the 500 visa applicants that Mr. Sestak had issued visas to in Vietnam. And if Mr. Sestak was asked to help track or account for the applicants who paid bribes for their visas. Mr. Broughton said, “I don’t know what happened to the visa applicants. I am not aware of any efforts by the US Government in that regard.”

Mr. Broughton also released the following statement after the sentencing:

**
Michael Sestak received a fair, well-reasoned sentence today. The Court had the unenviable task of taking a multitude of opposing factors into consideration in devising Mr. Sestak’s sentence. 

As counsel for the U.S. Government readily admitted during Mr. Sestak’s sentencing hearing, Binh Vo was the mastermind of the visa fraud conspiracy. Binh Vo also had the largest pecuniary gain and will likely have millions of dollars waiting for him upon his release – along with his wife Alice Nguyen, who was able to avoid prosecution as a result of Binh Vo’s plea agreement. The Court appeared to appreciate that a sentence greater than or equal to Binh Vo’s sentence of 8 years would be fundamentally unjust for Michael Sestak, even though the U.S. Sentencing Guidelines recommended a sentence of approximately 20 years.
 
What made things difficult for the Court in determining an appropriate sentence is that Mr. Sestak was an essential component to the conspiracy and a public servant who had taken an oath of loyalty to his Country. It was Mr. Sestak’s status as a public official and the theory that would-be criminals will think twice before committing similar crimes that caused the Court to sentence Michael Sestak to something greater than time served.
 
Ultimately, the Court balanced these countervailing factors by issuing a sentence of 64 months – 32 months less than codefendant Binh Vo, who received a sentence of 96 months.
 
Michael Sestak is a good man who made a huge mistake. Even after his release from prison, Mr. Sestak’s actions – and the shame that follows – will haunt him forever.
**

 

With the case concluded for all charged co-conspirators, we thought we’d ask the State Department what systemic changes Consular Affairs had instituted at USCG Ho Chi Minh City and worldwide following the Sestak incident.

The State Department, on background, says this:

The Bureau of Consular Affairs takes all allegations of malfeasance seriously and continually works to improve its operations. Following any detection of vulnerabilities, CA works to improve management controls and guidance to the field. After the incident in Ho Chi Minh City, the management controls at post were comprehensively reviewed to determine what improvements could be made to their processes. As a matter of policy, we do not discuss the specifics of internal management controls.

Most of the Sestak visa cases were allegedly previous refusals. If true, we don’t quite understand how one officer could overturn so many visa refusals and issue close to 500 visas without red flags, if consular management controls worked as they should. We wanted to know what consequences there will be for supervisors, embassy senior officials and principal officers who fail to do their required oversight on visas. And by the way, what about those who also do not follow the worldwide visa referral policy, particularly Front Office occupants? The State Department would only say this:

As a matter of policy we do not discuss specific internal personnel actions. Protecting the integrity of the U.S. visa is a top priority of the U.S. government. We have zero tolerance for malfeasance. We work closely with our law enforcement partners to vigorously investigate all allegations of visa fraud. When substantiated, we seek to prosecute and punish those involved to the fullest extent of the law.

We imagined that the Bureau of Consular Affairs’ Consular Integrity Division would be tasked with reviewing procedures and lessons learned on what went wrong in the Sestak case. We wanted to know if that’s the case and wanted to put questions to the office tasked with the responsibility of minimizing a repeat of the Sestak case. Here is the official response:

The Consular Integrity Division regularly reviews incidents of malfeasance or impropriety and makes recommendations for procedural changes to reduce vulnerabilities and updates training materials for adjudicators and managers based on the lessons learned, including the case in Ho Chi Minh City. The Consular Integrity Division also does reports on the management controls at overseas posts, as well as reports that review global management controls issues, which inform CA leadership about any issues of concern.

No can do.  So far, we’ve only learned that the CID reviewed incidents of malfeasance including the Sestak case but it doesn’t tell us if it did a specific report on HCMC and what systemic changes, if any, were actually made.

We tried again, with a different question: According to in-country reports, USCG Ho Chi Minh City received a letter from a jilted man in central Vietnam that helped DS crack the Sestak case. ConGen Ho Chi Minh City is one of the few consular posts that actually has a Regional Security Officer-Investigator, dedicated to visa investigations. If this case started with this reportedly jilted lover, the question then becomes how come neither the RSO-I nor the internal consular management controls tripped up the FSO accused in this case? If there was no anonymous source, would the authorities have discovered what was right under their noses?

As a matter of policy, we do not discuss the details of investigations. Protecting the integrity of the U.S. visa is a top priority of the U.S. government. We continually work to improve its operations, both in the field and here in Washington DC.

Ugh! Sestak was charged in May 2013. In July that year, the State Department told Fox News it was reviewing thoroughly alleged “improprieties” regarding a consular official in Guyana allegedly trading visas for money and possibly sex. In another article in 2014,  former Peace Corps, Dan Lavin,  said, “The State Department makes millions off of the poorest people in the world just by selling them the opportunity to fill out the application.” He also made the following allegation: “There are people at the embassy who can get you a visa,” Lavin said. “If you’re a Sierra Leonean, you go to a man called a ‘broker’; you then pay that ‘broker’ $10,000 and he personally gives that money to someone at the embassy who in turn gets you a visa.”  Apparently,  when asked about the accusations, a spokesperson at the U.S. embassy in Freetown declined to comment.

In any case, we also wanted to know if there were systemic changes to the State Department’s RSO-I program and how it supports consular sections worldwide. Or to put it another way, we were interested in any changes Diplomatic Security had implemented in the aftermath of the Sestak case. Here is the amazing grace response, still on background:

It is the mission of DS special agents assigned as Assistant Regional Security Officer-Investigators (ARSO-I) to find fraud in the countries where they serve.

Sigh, we know that already. We thought we’d also ask about those 489 Vietnamese who got their visas under this scheme. What happened to them? Did Diplomatic Security, DHS or some other agency track them down?

The Bureau of Consular Affairs conducted a review of visas issued by Mr. Sestak. The Department revoked those visas that were improperly issued. If the visa holder had already travelled to the United States on the improperly issued visa, the Department of State notified the Department of Homeland Security so that agency could take action as appropriate.

We don’t know how many “improperly issued” visas were revoked. All 489?

We don’t know how many of those able to travel to the U.S. were apprehended and/or deported to Vietnam.

Frankly, we don’t really know what happened to the 489 Vietnamese nationals who paid money to get visas.

Calvin Godfrey who covered this case from Vietnam writes:

State Department investigators managed to track down and interrogate a few, though they wouldn’t say how many. The Washington DC office of the US Immigration and Customs Enforcement Agency didn’t respond to a list of questions about their efforts to track them down.

We also don’t know what the total proceeds from this illegal enterprise were. The USG talks about $9.7 million, but one of the co-conspirators, in an email, talked about $20 million. Below via Thanh Nien News:

Prosecutors only put the gang on the hook for $9.7 million — a “conservative estimate” they came up with by multiplying $20,000 by 489. Statement written by Hong Vo in the middle of the illicit ten-month visa auction:

“I can’t believe Binh has pretty much made over $20m with this business,” she wrote to her sister, identified only as Conspirator A.V. “Slow days… are like 3 clients… and that’s like 160k-180.”

 

Then there’s the individual who purportedly started this ball rolling in Vietnam. Below excerpted from Thanh Nien News:

The State Department was quick to crow over Vo’s sentencing, but it remains deeply disingenuous about how this case came about and what it means.

“This case demonstrates Diplomatic Security’s unwavering commitment to investigating visa fraud and ensuring that those who commit this crime are brought to justice,” crowed Bill Miller, the head of the Diplomatic Security Service (DSS) in a press release generated to mark Vo’s sentencing.

The problem there is that the whole case didn’t come about through careful oversight; it came about because a sad sack from Central Vietnam loaned his pregnant wife $20,000 to buy a US visa from Sestak and the Vos. Instead of coming home with their baby boy, she disappeared, married another man and blabbed about it on Facebook. The sad sack wrote rambling letters to the President and the State Department’s OIG trying to get his wife and money back.

That Vietnamese informant reportedly is a recipient of threats from some of the Sestak visa applicants. Poor sod. So, now, one of the co-conspirators got 7 months, another 16 months, Sestak got 5 years, Vo got 8 years, one alleged co-conspirator was never charged, and we don’t know what happened to close to 500 visa applicants. Also, the USG gets less than half the $20 million alleged gains. It looks like Vo, at least, will not be flipping burgers when he gets out of prison.

Now life goes on.
 #

State Dept Releases New 3 FAM 4170 aka: The “Stop The Next Peter Van Buren” Regulation

Posted: 3:41 am EDT

Congratulations!  This is almost three years in the making!

We’ve previously covered the Peter Van Buren case quite extensively in this blog (see After a Year of Serious Roars and Growls, State Dept Officially Retires FSO-Non Grata Peter Van Buren). The State Department officially retired Mr. Van Buren on September 30, 2012. He left with full retirement. In December 2012, we were informed by inside the building sources that the Department was rewriting its 3 FAM 4170 rules on official clearance for speaking, writing, and teaching. (see State Dept to Rewrite Media Engagement Rules for Employees in Wake of Van Buren Affair).

On July 27, 2015, two months short of Year 3 since Mr. Van Buren retired, the State Department without much fanfare released its new 3 FAM 4170 rules in 19 pages. For the “FAM is not a regulation; it’s recommendations” crowd, we hope you folks have great lawyers.

My! Look who’s covered!

The updated FAM, same as the old FAM, is divided into two meaty parts — official capacity public communication and personal capacity public appearances and communications.  The new version of 3 FAM 4170 is all encompassing, covering the following (not exhaustive list):

— all personnel in the United States and abroad who are currently employed (even if in Leave Without Pay status) by the Department of State and the United States Agency for International Development (USAID), including but not limited to Foreign Service (FS) employees, Civil Service (CS) employees (including schedule C appointees and annuitants returning to work on temporary appointments on an intermittent basis, commonly referred to as “While Actually Employed (WAE)” personnel), locally employed staff (LE Staff), personal service contractors (PSCs), employees assigned to fellowships or details elsewhere and detailees or fellows from other entities assigned to the Department, externs/interns, and special government employees (SGEs).

— Former Department of State employees (including former interns and externs) must seek guidance from A/GIS/IPS for applicable review process information. Former USAID employees (including former interns and externs) must consult the Bureau for Legislative and Public Affairs for applicable review process information.

— Employee testimony, whether in an official capacity or in a personal capacity on a matter of Departmental concern, may be subject to the review requirements of this subchapter. Employees should consult with the Department of State’s Office of the Legal Adviser or USAID’s Office of the General Counsel, as appropriate, to determine applicable procedures.

In practical terms, we think this means that if you get summoned to appear before the House Select Benghazi Committee and are testifying in your personal capacity as a former or retired employee of the State Department, these new regulations may still apply to you, and you may still need clearance before your testimony.

Convince us that we’re reading this wrong, otherwise, somebody poke Congress, please.

Also, does this mean that all retired FSOs who contribute to ADST’s Oral History project are similarly required to obtain clearance since by its definition, “online forums such as blogs” and “a person or entity engaged in disseminating information to the general public” are considered media organizations under these new rules?

Institutional interest vs. public interest

We are particularly interested in the personal capacity publication/communication rules because that’s the one that can get people in big trouble, as shown in the Van Buren case. Here’s the equivalent of our bold Sharpie.

3 FAM 4176.4 says:  “A principal goal of the review process for personal capacity public communications is to ensure that no classified or other protected information will be disclosed without authorization. In addition, the Final Review Office will evaluate whether the employee’s public communication is highly likely to result in serious adverse consequences to the efficiency or mission of the Department, such that preventing those consequences outweighs the employee’s presumptively high interest in communicating and the public’s interest in receiving the communication.”

 

Institutional interest trumps public interest? Where do you draw the line? You can still write a dissent cable as the “3 FAM 4172.1-3(D). No Review of Dissent Channel Communications” included in the 2009 version of the FAM survives as 3 FAM 4171 (e) in the current rules:

Views on matters of Departmental concern communicated through methods of internal communication (including, for example, the Department’s internal dissent channel) or disclosures made pursuant to 5 U.S.C. 2302(b)(8)(B) are not subject to the review requirements of this subchapter.

Which is fine and all, except — who the heck gets to read your dissent cable except the folks at Policy Planning? The State Department is not obligated to share with Congress or with the American public any dissenting opinions from its diplomats. One might argue that this is appropriate, after all, you can’t have diplomats second guessing in public every foreign policy decision of every administration. So, the American public typically only hears about it when a diplomat quits.  But given the two long wars in Iraq and Afghanistan, is the American public best served by this policy?  And by the way, candid opinion like the case of the six-page memo, entitled “The Perfect Storm,” in the lead up to the Iraq War, is still classified. Why is that?

The new regs also say this:

“To the extent time and resources allow, reviewers may assist the employee in identifying possible modifications or other adjustments to avoid the inclusion of non-classified but otherwise protected information, or the potential for adverse consequences to the Department’s mission or efficiency (including the employee’s ability to perform his or her duties effectively in the future).”

If we weigh the Van Buren book against these parameters, how much of the book’s 288 pages would survive such “modifications” or “adjustments.”

There goes the book, We Meant Well in Afghanistan, Also.

The Peter Van Buren Clause

We’ve come to call “3 FAM 4172.1-7 Use or Publication of Materials Prepared in an Employee’s Private Capacity That Have Been Submitted for Review” the Peter Van Buren clause. Below is the original language from the 2009 version of the FAM:

An employee may use, issue, or publish materials on matters of official concern that have been submitted for review, and for which the presumption of private capacity has not been overcome, upon expiration of the designated period of comment and review regardless of the final content of such materials so long as they do not contain information that is classified or otherwise exempt from disclosure as described in 3 FAM 4172.1-6(A).

That section of the FAM appears to survive under the current 3 FAM 4174.3 Final Review Offices, underlined for emphasis below.

c. To ensure that no classified information is improperly disclosed, an employee must not take any steps to proceed with a public communication (including making commitments to publishers or other parties) until he or she receives written notice to proceed from the Final Review Office, except as described below. If, upon expiration of the relevant timeframes below, the Final Review Office has not provided an employee with either a final response or an indication that a public communication involves equities of another U.S. Government entity (including a list of the entity or entities with equities), the employee may use, issue, or publish materials on matters of Departmental concern that have been submitted for review so long as such materials do not contain information described in 3 FAM 4176.2(a) and taking into account the principles in 4176.2(b). When an employee has been informed by the Final Review Office that his or her public communication involves equities of another U.S. Government entity or entities, the employee should not proceed without written notice to proceed from the Final Review Office. Upon the employee’s request, the Final Review Office will provide the employee with an update on the status of the review of his or her public communication, including, if applicable, the date(s) on which the Department submitted the employee’s communication to another entity or entities for review. Ultimately, employees remain responsible for their personal capacity public communications whether or not such communications are on topics of Departmental concern.

The Van Buren clause appears to survive, until you take a closer look; italicized below for emphasis:

3 FAM 4176.2 (a) Content of Personal Capacity Public Communications

a. When engaging in personal capacity public communications, employees must not:

(1) Claim to represent the Department or its policies, or those of the U.S. Government, or use Department or other U.S. Government seals or logos; or

(2) Disclose, or in any way allow the public to access, classified information, even if it is already publicly available due to a previous unauthorized disclosure.

3 FAM 4176.2 (b) Content of Personal Capacity Public Communications

b. As stated in 3 FAM 4174.2(c)(1), a purpose of this review process is to determine whether the communication would disclose classified or other protected information without authorization. Other protected information that is or may be subject to public disclosure restrictions includes, but is not limited to: 

(1) Material that meets one or more of the criteria for exemption from public disclosure under the Freedom of Information Act (FOIA), 5 U.S.C. 552(b), including internal pre-decisional deliberative material; 

(2) Information that reasonably could be expected to interfere with law enforcement proceedings or operations;

(3) Information pertaining to procurement in violation of 41 U.S.C. 2101-2107;

(4) Sensitive personally identifiable information as defined in 5 FAM 795.1(f); or

(5) Other nonpublic information, when used in a manner as prohibited by 5 CFR 2635.703.

Can one make the case that the conversations between the writer and his boss in the Van Buren book are “internal pre-decisional deliberative material?” Or that any conversation between two FSOs is deliberative? Of course. State can make a case about anything and everything. Remember, it did try to make the case that the book contained classified information (see “Classified” Information Contained in We Meant Well – It’s a Slam Dunk, Baby!). Also, we should note that documents marked SBU or sensitive but unclassified are typically considered nonpublic information. Under these new rules, it’s not just classified information anymore; anything the agency considers deliberative material or any nonpublic material may be subject to disclosure restrictions.

 

3 FAM 4174.2 Overview (2015): Waving the ‘suitability for continued employment’ flag

c. Employees’ personal capacity public communications must be reviewed if they are on a topic “of Departmental concern” (see 3 FAM 4173). Personal capacity public communications that clearly do not address matters of Departmental concern need not be submitted for review.

(1) The personal capacity public communications review requirement is intended to serve three purposes: to determine whether the communication would disclose classified or other protected information without authorization; to allow the Department to prepare to handle any potential ramifications for its mission or employees that could result from the proposed public communication; or, in rare cases, to identify public communications that are highly likely to result in serious adverse consequences to the mission or efficiency of the Department, such that the Secretary or Deputy Secretary must be afforded the opportunity to decide whether it is necessary to prohibit the communication (see 3 FAM 4176.4).

(2) The purposes of the review are limited to those described in paragraph (1); the review is not meant to insulate employees from discipline or other administrative action related to their communications, or otherwise provide assurances to employees on matters such as suitability for continued employment (see, e.g., 3 FAM 4130 for foreign service personnel and 5 CFR 731 for civil service personnel). Ultimately, employees remain responsible for their personal capacity public communications whether or not such communications are on topics of Departmental concern.

 

More 3 FAM 4170 Fun: Not meant to insulate employees from discipline or other administrative action

3 FAM 4176.1(e) General

e. As stated in 3 FAM 4174.2(c)(1), the review process is limited to three purposes. (See also 3 FAM 4176.4.) Therefore, completion of the review process is not a Department “clearance” or “approval” of the planned communication, and is not meant to insulate employees from discipline or other administrative action related to their communications, including for conducting personal capacity public communications that interfere with the Department’s ability to effectively and efficiently carry out its mission and responsibilities, by, for example, disrupting operations, impairing working relationships, or impeding the employee from carrying out his or her duties. Ultimately, employees remain responsible for their personal communications whether or not the communications are on topics of Departmental concern.

 

3 FAM 4176.3 Employee must disclose his/her identity to Department reviewers

a. PA reviews all personal capacity public communications on matters of Departmental concern by senior officials at the Assistant Secretary level and above, including Chiefs of Mission. For all other employees wishing to communicate publicly in their personal capacity on matters of Departmental concern, there are two review processes available:

(1) Individuals may, as a first step, submit their requests for review to the Final Review Office (as described in 3 FAM 4174.3(a)). For employees submitting a request to PA, such requests should be submitted via PAReviews@state.gov. The Final Review Office will then consult with the employee’s immediate supervisor(s) and any other offices concerned with the subject matter in accordance with 3 FAM 4176.4(c). The Final Review Office will then make the final determination; and

(2) Alternatively, employees may initially submit their requests for review to their immediate supervisor(s), the Public Affairs Office in their bureaus or posts, and any other Department offices concerned with the subject matter. The materials must then be submitted to the Final Review Office, noting all such reviewers and any comments received. The Final Review Office will then verify those reviews, assess whether other reviews are needed, and make the final determination.

b. Supervisors, Public Affairs Offices, or any other offices involved in the review process must flag for the Final Review Office any view that the proposed public communication may:

(1) Contain classified or other protected information;

(2) Result in serious adverse consequences to the efficiency or mission of the Department; or

(3) Be or become high impact or high profile, for example communication that is controversial, or otherwise involves a sensitive Department priority; and

(4) The Final Review Office will then apply the standard described in 3 FAM 4176.4(a).

c. In all cases, an employee must disclose his or her identity to the relevant Department reviewers.

d. If another U.S. Government entity seeks Department review of a personal capacity public communication by that entity’s employee, the Department office in receipt of such request must coordinate with PA.

 

3 FAM 4177 Noncompliance may result in disciplinary action, criminal prosecution and/or civil liability.

a. Failure to follow the provisions of this subchapter, including failure to seek advance reviews where required, may result in disciplinary or other administrative action up to and including separation. Violations by USAID employees may be referred to the Deputy Administrator for Human Resources or USAID’s Office of the Inspector General (see 3 FAM 4320). Disciplinary action will be pursued consistent with applicable law, including 5 U.S.C. 2302

b. Publication or dissemination of classified or other protected information may result in disciplinary action, criminal prosecution and/or civil liability.

This is the part where we must remind you that what the former State Department spokesperson said about the FAM being recommendations is a serious bunch of hooey!

Oh, hey, remember the 2-day clearance for tweets …’er scandal?

We wrote about it here and here, and the “ain’t gonna happen 2-day clearance” for social media posting is now part of the Foreign Affairs Manual. Apologies if the 2-working day review timeframe below for social media postings is too shocking for 21st century statecraft innovation purists. These are the rules, unless you can get the current State Department spokesperson to say from the podium that these are merely recommendations that employees/retirees/interns/charforce are free to ignore. We must add that the 2009 version of these rules required that materials of official concern submitted in the employee’s private capacity must “be submitted for a reasonable period of review, not to exceed thirty days.” The old rules made no distinction as to whether the submitted material is a book manuscript, an article, a blogpost or a tweet.
screen grab from 3 FAM 4172

screen grab from 3 FAM 4170

Yo! What’s Missing?

The new regs emphasized the need for official clearance for official and private communication “to ensure that no classified information is improperly disclosed.” It does not, however, include any guidance on the use of a private server for emails and social media postings where classified information could be improperly disclosed.

A Much Better FAM Version, Hey?

From the organizational perspective, some folks would say that this is a “much better” version of the FAM.  We’d call this a much better plug. An insider could argue that this is a “very fine sieve.”

Okeedokee, but what do you think will be its consequences for the rank and file? No one will officially admit this as the intent, but after reading this new version of 3 FAM 4170, this is what we think it really says:

The updated regs also say that “In light of the rapid pace with which many social media platforms are used, all offices, sections, or employees who routinely post to such platforms in their official capacity are encouraged to seek advance blanket authorization to engage for their social media communications, in accordance with 3 FAM 4175.1(c).”

The blanket authorization, as far as we can tell, only applies to those who are engaged in social media platforms in their official capacities; it makes no similar provision for employees in social media platforms in their private capacities.

Fun With Fido or Grumpy Cat

The new regs helpfully note that “Employees who, in their personal capacity, wish to communicate publicly on matters that are clearly not “of Departmental concern” (see 3 FAM 4173) need not seek Department review under the procedures outlined herein, and need not use the personal capacity disclaimer discussed below in paragraph (b).”

So, basically, if you blog, tweet or write a book about Kitty Kat or Fidodog, or about their travels and adventures in Baghdad, Kabul, Sanaa, and all the garden spots, you don’t need to seek Department review. That is, as long as Kitty Kat is not secretly arming the rodent insurgents and tweeting about it and Fidodog is not flushing government money down the toilet and blogging about it.

#

Related items:

Read the new 3 FAM 4170 July 27, 2015 | REVIEW OF PUBLIC SPEAKING, TEACHING, WRITING, AND MEDIA ENGAGEMENT

Download it here (pdf).

 

Purported ISIS ‘Hit List’ With 1,482 Targets Includes State Department Names

Posted: 6:52 pm EDT


According to CNN, a group calling itself the Islamic State Hacking Division recently posted online a purported list of names and contacts for Americans it refers to as “targets,” according to officials.

Though the legitimacy of the list is questionable, and much of the information it contains is outdated, the message claims to provide the phone numbers, locations, and “passwords” for 1400 American government and military personnel as well as purported credit card numbers, and excerpts of some Facebook chats.

The Guardian describes the list as a spreadsheet, published online last week which exposes names, email addresses, phone numbers and passwords. The 1,482 names include members of the U.S. Marine Corps, NASA, the State Department, the U.S. Air Force, and the FBI.

The Daily Mail  reports that the list includes an accompanying message that reads:  ‘Know that we are in your emails and computer systems, watching and recording your every move, we have your names and addresses, we are in your emails and social media accounts.’

The list apparently also includes the names of eight Australians and UK government personnel. In Australia, where this is huge news, Prime Minister Tony Abbott told the press, “We’ve just discovered that it’s actually able to launch cyber attacks in this country so this is a very sophisticated and deadly threat to us even here in Australia.” A chief executive of a forensic data firm in the country went so far as to advise that Canberra’s public servants get off social media. He also recommended that “on the day [ADFA] cadets enlist, their entire electronic lives be erased” and that “they should not exist on digital networks until they retire from Defence.”

The reaction here is a little less ZOMG!  Last week, then Army Chief of Staff Gen. Ray Odierno said in a press conference that “this is the second or third time they’ve claimed that and the first two times I’ll tell you, whatever lists they got were not taken by any cyber attack.”

“This is no different than the other two,” Odierno said. “But I take it seriously because it’s clear what they’re trying to do … even though I believe they have not been successful with their plan.”

CNN reports that Pentagon spokesman Lt. Col. Jeffrey Pool also cautioned that many of the military email addresses looked at least several years old, based on their suffixes. He said that shortly after this list was posted, a reminder went out to service personnel that they should limit the personal information they put on social media. “If any of your information on it is accurate, you’re very concerned,” former Homeland Security adviser Fran Townsend told CNN, “as are government officials.”

According to the Washington Examiner, State Department employees comprise about a quarter of the alleged personal information on the list. That would be about 370 names. It also says that at the bottom of the leaked document, originally posted on zonehmirrors.org, are receipts from State Department employees along with their credit card numbers.  The report notes that Islamic State supporters tweeted a link to the document and also tweeted, in one instance, information claiming to be the personal details of a staff member from the U.S. embassy in Cairo that said: “To the lone wolves of Egypt.”

Technology security expert Troy Hunt writes that “nothing makes headlines like a combination of ISIS / hackers / terrorism!” and has taken a closer look with an analysis here. Mr. Hunt’s conclusion — drawn merely from looking at the leaked list and applying what he observed from experience with previous data dumps — is that “the data is almost certainly from multiple locations and very unlikely to be from a single data breach.” Also that “most of the data is easily discoverable via either existing data breaches or information intentionally made public.” He writes, “Even the source of the amalgamated data is unverifiable – it could be someone who does indeed wish harm on the individuals named, it could be a kid in his pyjamas, there’s just not enough information to draw a conclusion either way.”

In his analysis of the ISIS list, Mr. Hunt says that “there are many sources from which attributes in this list can be compiled.” As an example, he cited the Adobe breach of 2013 in which 152M records were leaked, which includes 257k .gov email addresses. He writes:

The ISIS list has a lot of state.gov email addresses – Adobe leaked 1,657 of those and they look just like this:

state.gov email addresses in the Adobe data breach via Troy Hunt (used with permission)

“Adobe also leaked password hints so you can begin to quite easily build a profile around people working in the US State Department,” he said.

Would be good to know if any of the names in the Adobe breach are showing up in the ISIS list. We have not seen the purported ISIS list or the names from the Adobe hack but we hope somebody at State is looking at those names. Folks probably need to work on their password hints, too.

In a separate post, Mr. Hunt also notes this:

“The hyperbole and the fear, uncertainty and doubt that spread over this was just off the scale compared to the significance of the actual data. Here we have what amounts to little more than easily discoverable information mostly already in the public domain and suddenly it’s become a huge terror hack. [….] However, the legitimacy of the claims that this was an “ISIS hack” appear to have gotten in the way of a good story and the news has simply run with it.”

A couple more reading clips below from Troy Hunt:

There’s not much one can do with the Adobe, Target, Home Depot, OPM hacks except to sign up for a credit monitoring service or put a credit freeze on one’s account. That is, if we’re concerned about identity theft. But those services will not work against potential blackmail related to a foreign government hack, or online threats related to potentially scraped data, collected from websites and social media accounts.

We are persuaded by Mr. Hunt’s analysis that this was not a real hack. But real or not, the information is out there and thinking about ‘lone wolf’ offenders seduced by ISIS’ call, in the U.S. or elsewhere is not paranoid.  Folks might consider this a good excuse to review their digital footprint.

The threats online — whether real or part of propaganda — are not going to abate anytime soon. This is the world as it is, and not an attempt at hyperbole. Employees overseas can report these threats to RSOs but hey, have you seen the rundown of the RSO’s managed programs? We don’t even know what specific office at State tracks these breaches or who has responsibility for online threats. Was anyone notified by State when the Adobe breach occurred in 2013 and leaked hundreds of official emails? Were those emails changed? A talkinghead writinghead would like to know.

Also some of USG’s overseas posts still display the official email addresses of personnel in public affairs, and those dealing with contracts, solicitations, and acquisitions on their websites. Those should be generic e-mail accounts not linked to an individual’s name but linked instead to the section, function or office, e.g. Sanaacontracts@state.gov. Makes better sense as people rotate jobs anyway.

We’re trying to find out if Diplomatic Security has any response, guidance, or reminder for State Department personnel given this report and the Burn Bag received earlier. Would be as good a time as any to issue an opsec reminder. We will have a follow-up post if/when we get an official response.

 #

Q&A With QDDR’s Tom Perriello, Wait, What’s That? Whyohwhyohwhy?

Posted: 4:36 pm EDT

 

The State Department says that the Quadrennial Diplomacy and Development Review (QDDR) provides a blueprint for advancing America’s interests in global security, inclusive economic growth, climate change, accountable governance and freedom for all.

-04/28/15  Remarks Announcing the Release of the 2015 QDDR Report;  Secretary of State John Kerry; Briefing Room; Washington, DC
-04/28/15  Briefing on the 2015 QDDR Report;  Deputy Secretary of State for Management and Resources Heather Higginbottom; Washington, DC
-04/27/15  Secretary Kerry to Announce Release of 2015 QDDR Report; Office of the Spokesperson; Washington, DC

On May 19, Tom Perriello, the QDDR Special Representative, asked if this blog might be interested in doing a Q&A on the QDDR. On May 26, we sent him the following eight questions via email. By end of June, his QDDR office was still wrestling with the State Department’s clearance process.

On July 6, Mr. Perriello was appointed Special Envoy to the Great Lakes Region of Africa. He assured us that he’s still “pushing hard” to get the Q&A cleared and appreciates the patience. On July 10, he moved office and told us it is unlikely that he’ll get clearance before he leaves his office but that “they’re moving.” He gave us a senior advisor as a contact person and we’ve checked in with the QDDR office about once a week since then. On August 3, the senior advisor told us that the office has just been informed that given its leadership transition, “folks here would like our new Director to be able to respond to the questions that Tom answered. (Our new Deputy Director has just come on board this week, and a new Director for the office is starting in a couple of weeks.) This means that we will be delayed for a few more weeks.”

Whyohwhyohwhy? So folks, here are the questions we wanted answered. And apparently, Mr. Perriello and his staffer did try to get us some answers, and we appreciate that, but the Q&A is still snared in some cauldron in the bureaucracy as of this writing. If/When the hybrid answers get to us, we will post them here.

#1. QDDR/CSO: The 2010 QDDR transformed the Office of the Coordinator for Reconstruction and Stabilization (S/CRS) into the Bureau of Conflict and Stabilization Operations (CSO) to enhance efforts to prevent conflict, violent extremism, and mass atrocities. The 2015 QDDR says that “Some progress has been made in this area.” I understand that CSO no longer has any mission element about stabilization and stabilization operations. It also remains heavy with contractors. One could argue that the current CSO is not what was envisioned in QDDR I, so why should it continue to exist if it only duplicates other functions in the government? Can you elaborate more on what is CSO’s new role going forward, and what makes it unique and distinct from the Bureau of Near Eastern Affairs’ Middle East Partnership Initiative (MEPI) and USAID’s Office of Transition Initiatives?

 INSERT ANSWER IN A FEW WEEKS.

#2. Innovation and Risks: The QDDR talks about “promoting innovation.” Innovation typically requires risk. Somebody quoted you saying something like the gotcha attitude of press and Congress contributes to risk aversion from State and USAID. But risks and risk aversion also come from within the system. I would point out as example the Center for Strategic Counterterrorism Communications previously headed by Ambassador Alberto Fernandez, and its controversial campaign “Think Again Turn Away” which afforded the USG a new way to disrupt the enemy online. Ambassador Fernandez was recently replaced by a political appointee with minimal comparable experience. It also looks like CSCC will be folded into a new entity. So how do you encourage State/USAID employees “to err on the side of engagement and experimentation, rather than risk avoidance” when there are clear bureaucratic casualties for taking on risks?

 INSERT ANSWER IN A FEW WEEKS.

#3. Engagement with American Public: The QDDR says: “Make citizen engagement part of the job. Every Foreign Service employee in the Department and USAID will be required to spend time engaging directly with the American people.” Are you aware that there are over 500 blogs run by Foreign Service employees and family members that could potentially help with engagement with the American public? Isn’t it time for these blogs to be formally adopted so that they remain authentic voices of experience without their existence subjected to the good graces of their superiors here or there?

  INSERT ANSWER IN A FEW WEEKS.

#4. Eligible Family Members:  The State Department has talked about expanding opportunities for eligible family members for a long time now and I regret that I have not seen this promise go very far. There are a couple of things that could help eligible family members — 1) portability of security clearance, so that they need not have to wait for 6-12 months just to get clearances reinstated; and 2) internship to gain experience from functional bureaus or section overseas. Why are we not doing these? And by the way, we’re now in the 21st century and FS spouses still do not have online access to State Department resources that assist them in researching assignments and bids overseas. Employees are already afforded remote access, why is that not possible for family members? Wouldn’t taking care of people start with affording family members access to information that would help them plan their lives every three years?

  INSERT ANSWER IN A FEW WEEKS.

#5. Foreign Assistance: One of the criticisms I’ve heard about QDDR is how it did not even address the reality that the United States has far too many foreign assistance programs — “an uncoordinated diaspora of offices and agencies scattered around the bureaucratic universe in D.C. from the Justice Department to the DoD to the Commerce Department to the Export-Import Bank to the Treasury Department and beyond, to the bewilderment of anyone the United States does business with overseas.” What do you say to that?

  INSERT ANSWER IN A FEW WEEKS.

#6. Data Collection: Somebody called the second set of “three Ds” — data, diagnostics, and design as the “most revolutionary, disruptive element of QDDR II.” I can see development subjected to these three Ds, but how do you propose to do this with diplomacy where successful engagements are based on national interests and the human element and not necessarily data driven? Also data is only as good as its collector. How will data be collected?

  INSERT ANSWER IN A FEW WEEKS.

#7. Institutional Weaknesses: Some quarters look at the State Department and point at several institutional weaknesses today: 1) the predominance of domestic 9-5 HQ staff with little or no real field experience, foreign language and other cultural insight, and 2) the rampant politicization and bureaucratic layering by short term office holders with little or no knowledge of the State Department and less interest in its relevance as a national institution. How does the QDDR address these weaknesses? How does the QDDR propose to recreate a national diplomatic service based on a common core of shared capabilities and understanding of 21st century strategic geopolitical challenges and appropriate longer term responses?

  INSERT ANSWER IN A FEW WEEKS.

#8: QDDR Operation: I remember that you sent out a solicitation of ideas and suggestions for QDDR II and I’m curious at the kind of response you got. Can you also elaborate the process of putting together QDDR II? Finally, the success of QDDR II will be on implementation. Who’s leading the effort and what role will you and the QDDR office have on that? Unless I’m mistaken, the QDDR implementers are also not career officials, what happens when they depart their positions? Who will shepherd these changes to their expected completion?

 INSERT ANSWER IN A FEW WEEKS.

We should note that the senior advisor who has been trying to get this Q&A cleared is also moving on and has now handed this task over to a PD advisor who assured us that they “are committed to responding as soon as possible in the midst of this transition, and we will not start from scratch.”

Folks, you don’t think there’s anything wrong with this entire clearance process, do you? Or the fact that the State Department’s office tasked with developing “a blueprint for advancing America’s interests in global security, inclusive economic growth, climate change, accountable governance and freedom for all” is actually unable to answer eight simple questions without the answers being pushed through a wringer, twice for good measure?

 #

What Information Is Collected on OPM’s Background Investigation Forms?

Posted: 2:44  am EDT


Via CRS Insight

The information collected will depend on the applicant’s position and the type of background investigation required. OPM uses three standard forms for background investigations: SF-85, SF-85P, or SF-86 form. The forms are typically submitted electronically using OPM’s Electronic Questionnaires for Investigations Processing (e-QIP) system. OPM had suspended use of e-QIP “for security enhancements,” but re-enabled the system on July 23, 2015.

Data Collected for Non-Sensitive Positions

The eight-page SF-85 is required for applicants to non-sensitive positions (e.g., positions that do not require a security clearance) who require physical access to government facilities and who are in positions with a “low risk” to cause damage to the federal government or national security. The responsibilities of these positions are limited and there is little opportunity to use such positions for personal gain. For this reason, the information collected is relatively limited in scope and includes

  • full name, aliases, and SSN;
  • citizenship information;
  • employment information and addresses for the past five years; and
  • information on use or possession of illegal drugs (including marijuana) in the previous year.

Data Collected for “Positions of Public Trust”

The 11-page SF-85P is required for applicants in “Positions of Public Trust,” (i.e., positions that do not involve access to classified information, but that demand a “significant degree of public trust” due to the level of policymaking or other responsibilities). These positions may involve a “significant risk for causing damage [to the federal government] or realizing personal gain.” In addition to the information listed above, the SF-85P requires

  • identifying information (e.g., height, weight, eye and hair color);
  • military service information;
  • employment information and addresses for the past seven years; schools, if any, attended during the past seven years;
  • name, address, and telephone number of three personal references and immediate family members;
  • criminal arrests and/or convictions for the past seven years (excluding incidents prior to the applicant’s 16th birthday or traffic fines under $150);
  • financial information, including bankruptcies during the past seven years and any delinquent financial obligations;
  • foreign travel during the past seven years; and
  • information on use or possession of illegal drugs (including marijuana) in the previous year and any illegal purchase, sale, or transport of drugs in the previous seven years.

Data Collected for Security Clearances and Other National Security Positions

The 127-page SF-86 form is required for applicants to national security sensitive positions, which includes (but is not limited to) positions that require a security clearance. In addition to the information listed above, the SF-86 requires

  • employment information and home addresses for the past 10 years;
  • schools attended for the past 10 years, including a reference at each school attended;
  • personal information (including SSN) for current spouse or cohabitant;
  • foreign contacts, travels, and/or activities;
  • associations with individuals or groups dedicated to terrorism or the violent overthrow of the U.S. government;
  • details on applicant’s “psychological and emotional health,” including, with certain exceptions, details on treatments during the past seven years;
  • additional information on criminal activities, including convictions or charges involving firearms or explosives;
  • alcohol use in the past seven years that has negatively impacted the applicant’s work, personal relationships, finances, or resulted in “intervention by law enforcement/public safety personnel”;
  • use, possession, or other involvement with illegal drugs (including marijuana) in the past seven years or at any time while holding a clearance;
  • details on the applicant’s financial condition and civil court actions; and
  • improper use of information technology systems.

What Other Records Are Contained in OPM’s Personnel Security Background Investigation Files?

OPM’s systems also include information gathered by investigators during the background investigation process, such as summaries of interviews with the applicant’s family members, co-workers, friends, and neighbors. Additionally, investigators may run credit checks, pull civil and criminal court records, and run checks of state and federal agency records to verify information that the applicant provided on the application.

According to OPM’s most recent Privacy Act Notice, personnel investigation records may also include information provided by other agencies, such as:

  • Internal Revenue Service income tax returns;
  • prior security clearance investigative records; and
  • clearance adjudicative records, including polygraph results, if applicable.

It is unclear from OPM’s news release if these types of investigative records were compromised in the breach.

#

Clinton Email Challenge Now a Sharknado, and Secretary Kerry Is Right to be “Concerned”

Posted: 2:13  pm PDT

 

This happened Thursday night. We drafted this post early morning but waited for a piece of information we wanted to see. So yup, overtaken by events. In any case, you may now read the inspectors general memos referenced in the NYT report here. See NYT: Criminal Inquiry Sought Over Clinton Emails? Read the Inspector Generals Memos. We’re also waiting for the OIG to issue a clarification on the DOJ referral the NYT reported.

The memos possibly went from two IG offices — the State Department’s Steve Linick and Intelligence Community Inspector General I. Charles McCullough, III — to the Under Secretary for Management Patrick Kennedy. The IGs’ memos are also cc’ed to one of the State Department’s deputy secretaries. It looks like the memos, or contents/snippets of them, were shared with DOJ, as a DOJ official appears to be the NYT’s source for this story (see tweets below).

Here are the tweets from July 24:


The report from the NYT includes the following:

— 1.  The memos were provided to The New York Times by a senior government official.

— 2.  The inspectors general also criticized the State Department for its handling of sensitive information, particularly its reliance on retired senior Foreign Service officers to decide if information should be classified, and for not consulting with the intelligence agencies about its determinations.

— 3.  The revelations about how Mrs. Clinton handled her email have been an embarrassment for the State Department, which has been repeatedly criticized over its handling of documents related to Mrs. Clinton and her advisers.

— 4.  Some State Department officials said they believe many senior officials did not initially take the House committee seriously, which slowed document production and created an appearance of stonewalling.

— 5.  State Department officials also said that Mr. Kerry is concerned about the toll the criticism has had on the department and has urged his deputies to comply with the requests quickly.

Today:

On this whole email debacle at the State Department, it must be said that this might not have happened if not enabled by senior bureaucrats in the agency. We do not believe for a moment that senior officials were not aware of the email practices of then Secretary Clinton or the record retention requirement. But hey, if the practice was done for four years over the protests and dissent of officials at “M”, “A”, the Legal Adviser or the CIO, we’d like to see that email trail.

By the way, this NYT report follows a July 20 Politico report about a contentious hearing where U.S. District Court Judge Richard Leon demanded explanations for why some of the Associated Press’ FOIA requests received no reply for four years or more before the wire service filed suit in March.

“The State Department’s not going to have the luxury of saying, because we’re focusing on Hillary’s emails, we’re doing so at the cost and expense of four-year-old requests. So, that’s not going to be an excuse,” the judge said. “In my judgment, a four-year-old request gets a priority over a recent request.”

On Mr. Kerry’s concern about the toll the criticism has had on the department … the secretary is right to be concerned. Senior officials did not take Congress seriously? Even if senior bureaucrats do not agree or approve of the conduct of the Select Committee, even if they think this is a sideshow seeking to derail a presidential campaign, the required document production is still part of their jobs. In my view, the most serious consequence of the appearance of stonewalling is that it also gives the appearance that bureaucrats are picking sides in this political shitstorm.

This can potentially undermine the expectation of the State Department as an impartial and non-political entity. The perception, right or wrong, that this impartiality is compromised, will not serve it or its employees well in the long run.

You might like to read a couple of previous posts on FOIA personnel, costs and the “persistent neglect of fundamental leadership responsibilities” that made the Clinton email debacle a challenge of Sharknado proportion for the agency (see Snapshot: State Dept FY2014 FOIA Personnel and Costs and State Dept FOIA Requests: Agency Ranks Second in Highest Backlog and Here’s Why).

#

OPM to Charge Agencies for Credit Monitoring Offered to Federal Employees

Posted: 2:32 am EDT

 

The latest update from “M” on the OPM breach dated July 15, notes that “The State Department never transferred personnel records to the OPM facility. However, if you had other U.S. Government service prior to joining State, you may have had records that were involved.” On the background information breach, it says that “State Department employees’ SF-85 and SF-86 forms (depending on the appointment) were in the OPM system and thus were impacted. However, other background investigation material was not.”

If you have additional questions email DG DIRECT [DGDIRECT@STATE.GOV] or OPM’s new email: cybersecurity@opm.gov

AFSA’s latest update to its membership is dated July 10 and available to read here.

Some developments on the fallout from the data breach:

 

#

 

Snapshot: US Embassy Kabul Capital Investments, FY2002-March 2015 Now at $2.17Billion

Posted: 2:45 am EDT

Via GAO-15-410 (pdf):

State’s past and planned capital construction investments in Kabul from 2002 through March 2015 total $2.17 billion in project funding, which includes awarded construction contracts and other costs State incurs that are not part of those contracts. Examples of other State project costs include federal project supervision, construction security, security equipment, and project contingencies. Figure 3 shows these investments.

US Embassy Kabul Capital Projects FY2002-2015: Past and Planned Capital Investments (via GAO)

 

In fiscal years 2009 and 2010, State awarded two contracts originally worth $625.4 million in total to meet growing facility requirements at the U.S. embassy in Kabul. The first contract, awarded to Contractor 1 in September 2009 for $209.4 million, was for the design and construction of temporary and permanent structures to include

  • temporary offices and housing,
  • office annex A,
  • apartment building 1,
  • cafeteria and recreation center,
  • perimeter security and compound access facilities,
  • warehouse addition, and
  • utility building.

The second contract, awarded to Contractor 2 in September 2010 for $416 million, was for the design and construction of:

  • office annex B,
  • apartment buildings 2 and 3,
  • expansion of existing apartment building 4,
  • compound access and perimeter security facilities, and parking facilities—to include a vehicle maintenance facility.

State’s plans called for sequencing construction under the two contracts and demolishing older temporary facilities to make space available for new facilities. State’s plans also entailed acquiring the Afghan Ministry of Public Health site adjacent to the compound to build parking facilities for approximately 400 embassy vehicles. In September 2011, after the U.S. and Afghan governments did not reach agreement to transfer that site, State had to remove the parking and vehicle maintenance facilities from the project.

In September 2011, State partially terminated elements of the first contract—specifically the permanent facilities, including office annex A and apartment building 1—for the convenience of the U.S. government, in part, due to concerns about contractor performance and schedule delays. Contractor 1 completed the temporary offices and housing units, but in September 2011, State transferred contract requirements for the permanent facilities not begun by Contractor 1 to Contractor 2’s contract.

The estimated completion of the project has now been moved from summer 2014 to fall 2017.

#

     

21.5 Million Americans Compromised, OPM’s Ms. Archuleta Still Not Going Anywhere

Posted: 1:36 am  PDT

Excerpt via opm.gov:

OPM announced the results of the interagency forensic investigation into the second incident.  As previously announced, in late-May 2015, as a result of ongoing efforts to secure its systems, OPM discovered an incident affecting background investigation records of current, former, and prospective Federal employees and contractors.  Following the conclusion of the forensics investigation, OPM has determined that the types of information in these records include identification details such as Social Security Numbers; residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.  Some records also include findings from interviews conducted by background investigators and fingerprints.  Usernames and passwords that background investigation applicants used to fill out their background investigation forms were also stolen.

While background investigation records do contain some information regarding mental health and financial history provided by those that have applied for a security clearance and by individuals contacted during the background investigation, there is no evidence that separate systems that store information regarding the health, financial, payroll and retirement records of Federal personnel were impacted by this incident (for example, annuity rolls, retirement records, USA JOBS, Employee Express).

This incident is separate but related to a previous incident, discovered in April 2015, affecting personnel data for current and former Federal employees.  OPM and its interagency partners concluded with a high degree of confidence that personnel data for 4.2 million individuals had been stolen.  This number has not changed since it was announced by OPM in early June, and OPM has worked to notify all of these individuals and ensure that they are provided with the appropriate support and tools to protect their personal information.

Analysis of background investigation incident.  Since learning of the incident affecting background investigation records, OPM and the interagency incident response team have moved swiftly and thoroughly to assess the breach, analyze what data may have been stolen, and identify those individuals who may be affected.  The team has now concluded with high confidence that sensitive information, including the Social Security Numbers (SSNs) of 21.5 million individuals, was stolen from the background investigation databases.  This includes 19.7 million individuals that applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.  As noted above, some records also include findings from interviews conducted by background investigators and approximately 1.1 million include fingerprints.  There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s systems.

If an individual underwent a background investigation through OPM in 2000 or afterwards (which occurs through the submission of forms SF 86, SF 85, or SF 85P for a new investigation or periodic reinvestigation), it is highly likely that the individual is impacted by this cyber breach. If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely.

So, are we supposed to wait for another credit monitoring offer from OPM’s partners for this BI hack, after already being offered credit monitoring for the personnel data compromised in an earlier breach?

Yes. Wonderful.

Ms. Archuleta should do the right thing and resign.

Part of OPM’s public response to these breaches has been to protect the director’s record at the agency.  While she remains in charge, I suspect that the fixes at OPM will also include shielding the director from further damage. News reports already talk about OPM’s push back. Next thing you know we’ll have “setting the record straight” newsbots all over the place.

While it is true that Ms. Archuleta arrived at OPM with legacy systems still in operation, these breaches happened under her watch. Despite her protestation that no one is personally responsible (except the hackers), she is the highest accountable official at OPM.  Part and parcel of being in a leadership position is to own up to the disasters under your wings.  Ms. Archuleta should resign and give somebody else a chance to lead the fixes at OPM.


#OPMBreach: Back to Paper SF-86s, No More Social Media at OPM, Scary Movie Chinese Edition

Posted: 2:15 pm EDT


Related Posts: