State/OIG Challenges: Access and OIG Network Vulnerabilities

March 3, 2015 By in Congress, Functional Bureaus, Hearings, Oversight, Security, State Department, Technology and Work Tags: , , , , , ,

Posted: 01:42 EST
Updated: 3/3/2015 @1051 PST
[twitter-follow screen_name=’Diplopundit’ ]

Update: In response to our inquiry, State/OIG informed us that the 128 debarment and suspension referrals it made to the State Department “were accepted by the Department and action was taken.” However, we were also informed that the OIG actually “made more referrals, but no action has been taken by the Department to date.”*

As to the issue of OIG’s IT independence and integrity, “a memorandums of understanding have been executed in which the Department has agreed to obtain prior approval from OIG before accessing its network. In addition, we are engaging a third party to explore options to enhance the independence of our network system.”**

 

* * *

Last week, the State Department Inspector General Steve Linick appeared before the Committee on Homeland Security and Government Affairs on the Senate panel’s hearing on improving the efficiency, effectiveness and independence of inspector generals.  State/OIG has oversight of an agency with more than 72,000 employees (includes locally employed staff) in over 280 overseas missions and domestic entities, the BBG and the U.S. Section of the International Boundary and Water Commission. These agencies’ total annual appropriated funding includes approximately $15 billion, nearly $7 billion in consular fees and other earned income, and full or partial oversight of an additional $17 billion in Department-managed foreign assistance.

Some highlights:

  • Although the Department has made improvements on overseas security, challenges remain. Through our inspection and audit work, OIG continues to find security deficiencies that put our people at risk. Those deficiencies include failing to observe set-back and perimeter requirements and to identify and neutralize weapons of opportunity. Our teams also uncover posts that use warehouse space and other sub-standard facilities for offices, another security deficiency. Our audit of the Local Guard Program found that firms providing security services for embassy compounds were not fully vetting local guards they hired abroad, placing at risk our posts and their personnel. In other audits, we found that the Bureau of Diplomatic Security (responsible for setting standards) and the Bureau of Overseas Buildings Operations (responsible for constructing facilities to meet those standards) often do not coordinate adequately to timely address important security needs.
  • We found that follow-through on long-term security program improvements involving physical security, training, and intelligence-sharing lacked sustained oversight by Department principals. Over time, the implementation of recommended improvements slows. The lack of follow-through explains, in part, why a number of Benghazi ARB recommendations mirror previous ARB recommendations.
  • The Department’s obligations in FY 2014 equaled approximately $9 billion in contractual services and $1.5 billion in grants, totaling approximately $10.5 billion. However, the Department faces challenges managing its contracts, grants, and cooperative agreements. These challenges have come to light repeatedly in OIG audits, inspections, and investigations over the years. […]In FY 2014, more than 50 percent of post or bureau inspections contained formal recommendations to strengthen controls and improve administration of grants.
  • OIG’s assessments of the Department’s cybersecurity programs have found recurring weaknesses and noncompliance with the Federal Information Security Management Act (FISMA) with respect to its unclassified systems.[…] Our work in the information security area is ongoing. Since my arrival, OIG has arranged for penetration testing of the Department’s unclassified networks in order to better assess their vulnerability to attack.

What’s happening in FY2015? The following were specifically identified in IG Linick’s testimony (pdf):

  • Planned FY 2015 security audits include an audit of the approval and certification process used to determine employment suitability for locally employed staff and contracted employees, an audit of emergency action plans for U.S. Missions in the Sahel region of Africa, and an audit of the Vital Presence Validation Process (VP2) implementation. VP2 is the Department’s formal process for assessing the costs and benefits of maintaining its presence in dangerous locations around the world. Note: The VP2 is a result of the tragedy in Benghazi.
  • The DS/International Programs Directorate of the Bureau of Diplomatic Security is up for inspection. Note: This is  one of the main bureaus in aftermath of the Benghazi attack that came under congressional scrutiny. Charlene Lamb has now been succeeded by Christian J. Schurman who was named Deputy Assistant Secretary of State and Assistant Director for International Programs on September 15, 2014. DAS Schurman is a Diplomatic Security (DS) Special Agent with 27 years of service who was recently promoted to the rank of Minister Counselor in April 2014.
  • In FY 2015, OIG plans on issuing, among others, audits involving non-lethal aid and humanitarian assistance in response to the Syrian crisis, the Iraq Medical Services Contract, and the Bureau of International Narcotics and Law Enforcement’s Embassy Air Wing Contract in Iraq.
  • ESP is conducting a joint review with the Department of Justice’s OIG of the handling of the use of lethal force during a counternarcotics operation in Honduras in 2012.

 

IG Linick also highlighted new OIG initiatives to enhance the effectiveness and efficiency of OIG’s independent oversight of the Department’s programs and operations including:

  • the issuance of issue Management Alerts and Management Assistance Reports
  • the creation of the Office of Evaluations and Special Projects (ESP), and using ESP to improve OIG’s capabilities to meet statutory requirements of the Whistleblower Protection Enhancement Act of 2012
  • new oversight of overseas contingency operations specifically for Operation Inherent Resolve (OIR)—the U.S.-led overseas contingency operation directed against the Islamic State of Iraq and the Levant (ISIL),
  • data and technology enhancements
  • suspension and debarment:  between 2011 and 2014, OIG referred 128 cases to the Department for action *
  • new offices in Charleston, South Carolina, where one of the Department’s Global Financial Services Center resides, and in Frankfurt, Germany, the site of one of the Department’s Regional Procurement Support Office.
  • co-locating an OIG attorney-investigator as a full-time Special Assistant U.S. Attorneys (SAUSAs) in the U.S. Attorney Office for the Eastern District of Virginia in order to prosecute more quickly and effectively cases involving fraud against the Department of State

 

This hearing followed a well -publicized accessibility issues the Peace Corps and EPA OIG had with their own agencies. In his prepared testimony, IG Linick stated that “unfettered and complete access to information is the linchpin that ensures independence and objectivity for the entire OIG community.

He was careful to note “the importance of forging productive relationships with Department leadership and decision-makers” and cited the Department notice issued by Secretary Kerry at the start of his tenure over a year ago “outlining OIG authorities and obligations under the IG Act and advising staff of our need for prompt access to all records and employees.”  He then shared with Congress the OIG’s two main challenges:

  • Access: Generally, most of our work is conducted with the Department’s full cooperation and with timely production of material. However, there have been occasions when the Department has imposed burdensome administrative conditions on our ability to access documents and employees. At other times, Department officials have initially denied access on the mistaken assumption that OIG was not entitled to confidential agency documents. In these instances, OIG ultimately was able to secure compliance but only after delays and sometimes with appeals to senior leadership. These impediments have at times adversely affected the timeliness of our oversight work, resulting in increased costs for taxpayers.Delays in responding to document requests also occur because the requested information has not been maintained at all or in a manner to allow timely retrieval. Such disorganization of information may negatively impact not only OIG audits, inspections, evaluations, and investigations but also the integrity of Department programs and operations. For example, an OIG Management Alert identified missing or incomplete files for contracts and grants with a combined value of $6 billion.
  • OIG Network Vulnerabilities:  Vulnerabilities in the Department’s unclassified network also affect OIG’s IT infrastructure, which is part of the same network. We noted in our November 2013 information security Management Alert that there are literally thousands of administrators who have access to Department databases. That access runs freely to OIG’s IT infrastructure and creates risk to OIG operations. Indeed, a large number of Department administrators have the ability to read, modify, or delete any information on OIG’s network including sensitive investigative information and email traffic, without OIG’s knowledge. OIG has no evidence that administrators have actually compromised OIG’s network. However, the fact that the contents of our unclassified network may easily be accessed and potentially compromised unnecessarily places our independence at risk. We have begun assessing the best course of action to address these vulnerabilities. **

* * *