OPM’s Security Clearance Backlog Now At 500,000+ Govt-Wide

Posted: 4:14 am ET


The State Department recently sent an agency-wide message from the Under Secretary for Management which provides timelines for job applicants and employees who are in the process of applying for or renewing their security clearances. The Bureau of Diplomatic Security adjudicates security clearances and renewals for all State Department employees but we understand that contractors are mostly processed by the Office of Personnel Management (OPM). The message notes that OPM currently has a backlog of more than 500,000 clearances government-wide.

In terms of length of adjudication, apparently 60% of the Department’s initial Top Secret investigations are completed within six months while 66% of its initial Secret investigations are completed in four months. The Department adjudicates security clearances much faster than the government-wide average. So that’s good, except, of course, if you’re the one waiting for it, six months is a loooong time. We don’t know what the average wait time is for the remaining 40% awaiting their TS clearance or the 34% waiting for their Secret clearance.

But the OPM backlog of more than 500,000 clearances government-wide? Not so good.  With a new administration transitioning in next year, waiting for a security clearance may just be like Beetlejuice waiting at the DMV without an appointment.

Via reactiongifs.com


In related news, OPM is also in the news because the House Oversight and Reform Committee released its report yesterday on The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation (read PDF or read below). The report details the exfiltration by two hacking teams of the security background data on 21.56 million individuals, the personnel files of 4.2 million former and current US government employees and the fingerprints for 5.6 million of them.

You will not be surprised to hear that OPM/OIG has warned since at least 2005 that the information maintained by OPM was vulnerable to hackers. US-CERT had also warned the department of malware operating on its servers in 2012, and again in 2014, when CERT warned that a hacker had managed to get information out of the OPM servers. The report notes that the damage could have been mitigated if the security of the sensitive data in OPM’s critical IT systems had been prioritized and secured.




HOGR Democrats Invoke 1928 Statute Then Release in Full Colin Powell’s Email Tips to #HillaryClinton

Posted: 1:45 am ET


Remember when former Secretary of State Colin Powell said this:

On September 7, Rep. Elijah E. Cummings, Ranking Member of the House Committee on Oversight and Government Reform (HOGR), publicly released an email exchange between former Secretary of State Colin Powell and then-Secretary of State Hillary Clinton in January 2009 on the use of BlackBerry and personal email. The bit about official records is going to drive FOIA advocates nuts.

According to Cummings’ press release, he obtained the email exchange between Secretary Powell and Secretary Clinton through a unique statutory provision known as the “Seven Member Rule” in which any seven members of the Oversight Committee may obtain federal records from federal agencies.

The Seven Member Rule is a unique authority passed by Congress and signed by the President in 1928 that requires any executive agency to “submit any information requested of it relating to any matter within the jurisdiction of the committee” when requested by seven members of the Committee on Oversight and Government Reform.

The Members requested the Powell-Clinton emails by September 6, 2016. Two emails were produced by the State Department to the House Oversight Committee on September 6, 2016, and clearly marked “NOT FOR PUBLIC RELEASE.” But of course, the exchange was publicly released in full on September 7, 2016, with only one redaction: presumably, Secretary Powell’s AOL email address.


Read directly via the House Oversight Committee here (PDF).






Snapshot: ARB Recommendations — Procedural Action and Responsibilities

Posted: 1:26 am ET


Via 12 FAH 12 Exhibit H-013 | M/PRI 12-08-2014

Per 12 FAH 12, following receipt of an Accountability Review Board’s report, the Secretary will determine what actions should be taken with respect to the recommendations.  The Deputy Secretary of State for Management and Resources will oversee the Department’s progress on ARB implementation. The Under Secretary for Management (M), in coordination with the Under Secretary for Political Affairs (P), is responsible for implementation of ARB recommendations.  On behalf of the Secretary and other Department principals, the Office of Management Policy, Rightsizing and Innovation (M/PRI) will coordinate and track recommendations and manage the overall implementation process. 






Quote: “I’m not talking about guillotining somebody, or hanging, or boil them in oil.”

Posted: 2:30 am ET


Via ADST/Oral History – Sherman Funk, Former State/OIG:

When I first came Shultz asked me my initial impressions of the Department. I had been here about six weeks. And I told him that I never in my life had encountered such an absolutely superb bunch of people. And he sort of smiled at me, and I said, “But what bothers me is that on the other hand I’d never in my life encountered such a thoroughly screwed up organization, and what I don’t understand is how you can have both. How the people could be so God damned good, and the organization be so thoroughly screwed up.” And I’m still bothered by that, because I don’t know any other place where you find such high caliber persons, where you also find things so badly run. And I still find it. I happened to think the world of many of the people in PER now. Yet they went ahead and they gave an award of $100,000, more than $100,000 U.S. dollars, to somebody to get that person to stop suing the State Department. A clear case of blackmail. And their rationale was, “We have so many class action suits for women, and class action suits for blacks, we don’t want to get involved in other class action suits on a religious basis.” And that was totally ___. There was ample information, they could have fought this one. It was a lack of will, and people sensed that. I’ve seen again and again that we make a recommendation for disciplinary action and unless the thing is so heinous that they’re afraid to say no — afraid the newspapers would find out about it — the chances are they’ll dick around and try to knock it down. We don’t want to be that harsh on the person. I’m not talking about guillotining somebody, or hanging, or boil them in oil. I’m talking about a few weeks suspension for something that is very serious — misuse of a lot of money, millions of dollars. It was like pulling teeth because nobody wants to be responsible for it.

Read in full here.



Watch Out! Hatch Act Snares HUD Secretary Julián Castro, Other Federal Employees

Posted: 3:38 am ET


On July 18, 2016, the U.S. Office of Special Counsel (OSC) announced its finding that Secretary of Housing and Urban Development Julián Castro violated the Hatch Act during a Yahoo News interview on April 4, 2016. According to OSC’s report, Secretary Castro’s statements during the interview “impermissibly mixed his personal political views with official agency business despite his efforts to clarify that some answers were being given in his personal capacity.”

OSC apparently conducted an investigation after receiving a complaint about the interview. The OSC stresses that “federal employees are permitted to make partisan remarks when speaking in their personal capacity, but not when using their official title or when speaking about agency business.” The investigation concludes:

While the Hatch Act allows federal employees, including cabinet secretaries, to express their personal views about candidates and political issues as private citizens, it restricts employees from using their official government positions for partisan political purposes. In passing this law, Congress intended to promote public confidence in the Executive branch by ensuring that the federal government is working for all Americans without regard to their political views. Despite his efforts to clarify that he was speaking only for himself and not as a HUD official when answering political questions, Secretary Castro’s statements impermissibly mixed his personal political views with official government agency business.

OSC’s report can be found here (PDF) or read it below.  Secretary Castro’s response can be found here (PDF).

Take note of these other cases:


CIA Officer Declared as @StateDept Officer at Consulate Milan Faces Extradition to Italy

Posted: 1:33 pm ET


Via WaPo:

More than 13 years after an Egyptian cleric was kidnapped off the streets of Milan by CIA operatives, one former agency officer now living in Portugal faces extradition to Italy and the possibility of a four-year prison sentence for the abduction — an outcome that a former agency historian describes as “unprecedented.”

Sabrina De Sousa, 60, was one of 26 Americans convicted in absentia by Italian courts for her alleged role in the February 2003 rendition of Hassan Mustafa Osama Nasr, also known as Abu Omar.

De Sousa’s extradition and potential imprisonment would be an astonishing turn of events for a case that raises major questions about how much diplomatic protection CIA case officers abroad possess when carrying out operations sanctioned by their superiors. During her CIA tenure, De Sousa was registered in Italy as a State Department officer at the U.S. consulate in Milan. She did not work as a “NOC” — a non-official cover operative.

“Those of us who were convicted were accredited diplomats and declared to the Italian government,” De Sousa said. “We instead find ourselves treated like NOCs with our U.S. government affiliation disavowed. I would have never joined the CIA if I was told there was a remote possibility that I would never see my mother in Goa again and not travel abroad. This has set a terrible precedent. This rendition was funded by Congress with approval of senior government officials in the U.S., Italy and Egypt.”

It all began on Feb. 17, 2003, when two men snatched Omar while he was walking to a mosque in Milan and stuffed him into a van. The cleric was flown to Egypt where he was beaten and subjected to electric shock, but eventually released. It wasn’t until early 2005 when reports surfaced that Italian authorities were investigating the CIA officers for breaking local laws against detaining terrorist suspects in Europe.

In early 2009, De Sousa resigned from the CIA, after failed bids to persuade the State Department to grant her immunity.




Sherman Funk: This story sounds incredible, but it is absolutely true (Via ADST)

Posted: 12:17 am EDT


The Foreign Relations Authorization Act for fiscal years 1986 and 1987 (P.L. 99-93) amended the IG Act to include the Department of State and the Foreign Service. The Omnibus Diplomatic Security and Antiterrorism Act of 1986 (P.L. 99-399) required the establishment of an independent OIG at State by October 1, 1986. The OIG was established on August 27, 1986. Sherman M. Funk was the State Department Inspector General from 1987–1994. He served under four secretaries of state (Shultz, Baker, Eagleburger and Christopher).

Below is an excerpt from Mr. Funk’s oral history via ADST.

There’s a story which nobody believes that is absolutely true and people are still in jail as a result of it, the Japanese. This story sounds incredible, but it is absolutely true. When they built the new embassy in Tokyo, and a compound, the specifications called for two manholes on access points in the rear courtyard where the oil tank was buried. Nobody thought of asking why you needed two. And the embassy opened, and shortly after it opened the truck appeared, a big oil tank truck, guys wearing uniforms driving it. And the night before the security called in and said that they were getting oil, and they went through and opened up one of the manholes, put a hose down and they filled the tank. A couple days later another truck appeared in the morning, also a call to come through saying we were getting a delivery. Nobody thought of asking why deliveries so close. The truck came in, opened up the other manhole and put a thing down and it was true half of the oil had been pumped in a couple days before.

This went on for sixteen years, and in the sixteen years only one person, a young assistant GSO, ever inquired why we were buying so much oil. One person. And the admin counselor called in the senior FSN, the GSO type, and said make a study of why we’re spending so much money. The guy came back with the report that the weather is so volatile here, we have equipment which needs the oil. The person who did that report was the guy in charge of the scam. Toward the end one of the workers got disgruntled, that he wasn’t getting enough money on the scam, and went to the assistant security officer, our assistant regional officer, and said that, “You’re being robbed.” The assistant legal security officer went to the same FSN and asked him to look at it. The guy came back and said no problem. That went on for another year.

Now people who listen to that story say it’s not possible. Sixteen years we used enormous volumes of oil. In fact, we prosecuted. One of my lawyers and two of my investigators went out, we went to Tokyo, worked with the courts. It was hideously embarrassing for the Japanese by the way, and they were very tough on these people involved. We’re getting back most of the money, we’re suing the companies because they should have had controls to prevent that. But one of their biggest arguments, and if that were argued in the States, they would win, was you guys are so stupid why didn’t you guys know something was wrong. We just deliver for your requirements. To me, I find that so incredible, and it went on for sixteen damn years, but we’re getting millions of dollars back now. But we had to sue for it.

What kind of naiveté is it to ask somebody who would benefit from it? And if the thing was going on, he would certainly know what was going on. How much management moxie does it take? How much common sense does it take? Twice they went back to the same person who was the contact point in the embassy, who would make the telephone calls to have the deliveries come in the next morning. Incredible.

Read the full oral history interview here (PDF) conducted by Charles Stuart Kennedy on July 14, 1994.


Why did the State Dept add Albright, Powell, and Rice to email saga — for dramatic tension?

Posted: 2:53 am EDT


Last August, we did a timeline of the Clinton email controversy (See Clinton Email Controversy Needs Its Own Cable Channel, For Now, a Timeline).  Also @StateDept Officials on Clinton Private Email Debacle: Yo! Had Been Caught Off Guard? Ay, Caramba!

To recall, this report from WaPo:

But State Department officials provided new information Tuesday that undercuts Clinton’s characterization. They said the request was not simply about general record-keeping but was prompted entirely by the discovery that Clinton had exclusively used a private e-mail system. They also said they first contacted her in the summer of 2014, at least three months before the agency asked Clinton and three of her predecessors to provide their e-mails.

At that time, we wrote this:

If the State Department had first contacted her in the summer of 2014, we have yet to see that correspondence. It was potentially sent sometime in August 2014, three months before the letters to Clinton and predecessors went out on November 12, 2014 from “M” (see below). Three months is an early call? C’mon! Secretary Clinton left State in February 2013.

It took six months for three senior State Department officials to tell WaPo that they “had been caught off guard” by the secretary of state’s exclusive use of a private account? These officials “were concerned by the practice”, so much so that they issued a three month-“early call” in the summer of 2014, 1 year and 6 months after the end of the Clinton tenure. And we’re only hearing about this concern now, 2 years and 7 months after Secretary Clinton left office?

Well, now we have an email (released via Judicial Watch due to FOIA litigation) from Cheryl Mills to Secretary Kerry’s Chief of Staff David Wade dated August 22, 2014 citing a request made in July 2014 about getting hard copies of the Clinton emails to/from accounts ending in .gov during her tenure at the State Department. The email was cc’ed to Philippe Reines (former Public Affairs DAS), and Deputy Legal Adviser Richard Visek.


So it looks like four months after the original request for the emails was made by Secretary Kerry’s chief of staff, the Under Secretary for Management Patrick Kennedy sent a letter, dated November 12, 2014, to Hillary Clinton’s representative, Cheryl Mills, re: the Federal Records Act of 1950; to Colin Powell; to Condoleezza Rice; and to Madeleine Albright, saying in part:

The Department of State has a longstanding and continuing commitment to preserving the history of U.S. diplomacy, established in authorities under the Federal Records Act of 1950. I am writing to you, the representative of Secretary of State Hillary Clinton, as well as to representatives of other former Secretaries (principals), to request your assistance in further meeting this requirement.


U.S. Secretary of State John Kerry poses for photo at the groundbreaking ceremony for the U.S. Diplomacy Center with former Secretaries of State Henry A. Kissinger, James A. Baker, III, Madeleine K. Albright, Colin L. Powell, and Hillary Rodham Clinton at the U.S. Department of State in Washington, DC on September 3, 2014. [State Department photo/ Public Domain]

On March 3, 2015, four months after the Kennedy letter was sent to Mills and eight months after the original request was made by Kerry’s chief of staff to Mills, then deputy spokesperson of the State Department, Marie Harf also said this from the podium:

MS. HARF: … When in the process of updating our records management – this is something that’s sort of ongoing given technology and the changes – we reached out to all of the former secretaries of state to ask them to provide any records they had. Secretary Clinton sent back 55,000 pages of documents to the State Department very shortly after we sent the letter to her. She was the only former Secretary of State who sent documents back in to this request. These 55,000 pages covered her time, the breadth of her time at the State Department.

No mention that the original request was specific to Secretary Clinton.

And the three previous secretaries of state were added here to what … enhance dramatic tension? Oy!

The letter asks for “any records.” Why did they stop at Colin Powell and not include James Baker? Heck, why not go all the way to Henry Kissinger, which, by the way, would have made the National Security Archive really happy (see The State Department Kissinger Telcons: The Story of a FOIA Request).


@StateDept Process From Document Production to FOIA Website Needs a Flowchart, Please

Posted: 12:25 am EDT


This is from Civil Action No. 15-cv-123 (RC), Leopold v. U.S. State Department (PDF), related to the Clinton email production mandated by the court. The declaration is by Eric F. Stein, who says he serves as a senior advisor and deputy to the Deputy Assistant Secretary on all issues related to GIS offices and programs. “I oversee all aspects of State’s effort to review, process, and produce the non-exempt portions of the emails provided to State by former Secretary Clinton, including the review and referral of documents to appropriate offices and agencies, and the posting of the documents on the Freedom of Information Act (“FOIA”) website every month. I make the following statements based upon my personal knowledge, which in turn is based upon information furnished to me in the course of my official duties.” Below is an excerpt of the declaration describing the steps the documents must go through before they are posted on the foia.state.gov website.

4. This declaration describes the steps that these documents must go through in order to be posted on the FOIA website, and, roughly, how much time those steps take, as of the time of the signing of this declaration, in support of State’s proposal to make this interim production on its website on February 13, as of the time of the signing of this declaration. The time estimates in this declaration depend on several variables, but most importantly on the need to continue devoting sufficient resources to completing the remaining 86% of the project by February 29.

5. Posting documents on State’s FOIA website involves several steps, and State’s ability to efficiently carry out these steps is sometimes limited by the available technology and by the availability of personnel who are sufficiently familiar with the technology. The FOIA system where the documents reside, named FREEDOMS, can be extremely rigid and slow, making the necessary steps in the process more time-consuming than one might otherwise expect. For example, as described herein, most steps must be applied document-by-document, as opposed to in an automated or batch fashion.

6. Where, as with the documents that are the subject of this declaration, feedback from the legal review has been provided to the FOIA office, and FOIA staff has modified redactions in FREEDOMS in accordance with that feedback, the final quality control process and posting begins. This process, which cannot be automated, starts with the manual, document-by-document process of removing internal markings that are used for tracking purposes during the review process. It could take anywhere from two to four hours to complete this task for the documents that are the subject of this declaration, depending on the availability of staff to do this work.

7. Once this process of removing internal control markings is completed, copies of the documents must be prepared for production. This posting process is an involved one, particularly because the review software resides solely on State’s classified network, and several steps are involved in transferring documents from that system to a public-facing website while still protecting sensitive national security information.

8. The first step of the posting process for the documents is to finalize the redactions on those documents. This is known as “burning” the document. Before any document can be produced, the proposed redactions, which appear in grayscale during the review process, need to be fully “burned” to the document so that the redacted information does not appear in the version produced to the public. It will take about an hour to burn this volume of documents.

9. After “burning” occurs, a system developer works to migrate a copy of the burned document out of FREEDOMS onto another review site on the classified network. It is on this classified review site that FOIA staff performs the final quality control checks. It would take approximately two hours to migrate this volume of documents.

10. Once this migration is complete, the documents must go through a final quality control check, during which State looks for several things. This check ensures that redactions to each document are consistent with redactions made in other documents. For example, many messages appear multiple times as part of longer email chains, and some emails that are not part of the same chain contain similar or identical information. The quality control check also helps ensure that redactions are marked with the proper exemptions. If there is information that is being redacted using the B1 exemption, further administrative steps are required to ensure that information requiring classification is properly marked as such. This includes the application of classification stamps which identify the level of classification of the information in the document; these stamps are checked to ensure that they show the appropriate level of classification. Based on my prior experience managing this process, I estimate that about four hours of quality control check time would be needed for the documents that are the subject of this declaration. If any changes are needed to the documents, another hour or two may be needed since documents would need to be unburned so that they can be changed, and then they would need to be burned again. For any documents on which changes were made, State would need to spend anywhere from one to several minutes reviewing that document and ensuring that those changes were now properly reflected. Thus, the total potential time needed for this process could be upwards of six hours.

11. After the documents have completed this final quality control check, the FOIA office then begins the process of transferring them from the classified system to the unclassified system. This is a manual process, requiring a person to do the transferring, and cannot be automated. The specific details of how this is accomplished implicate systems security concerns, and are not appropriate for discussion in a public filing. This migration process is estimated to take approximately one hour.

12. Once the documents have been transferred to the unclassified system, they must be copied to servers where they will reside when they are posted on State’s public-facing FOIA website. This will take another two hours to complete for these documents.

13. Prior to the website being made “live” and accessible to the public, a web developer works to test for and troubleshoot any problems that may have arisen during the transfer process as well as any issues that may occur when the documents become publicly available. This will require approximately an additional hour to complete.

14. Accordingly, the total amount of time required for the team to complete the posting of the interim production could be upwards of 16 hours, approximately two 8-hour days. State believes that its proposal of making the interim production on Saturday, February 13, provides time to address any additional problems that may arise, as have occurred in the past at this final stage in the process.

Thank heavens this guy is not writing a recipe, or we’d all be thrown out of the test kitchen already.

Frankly, we’ve read this declaration several times and we are getting a headache trying to understand how FREEDOMS works. FREEDOMS stands for Freedom of Information Document Management System, which apparently tracks the opening, processing, and closing of all FOIA cases (see performance goal from FY2005 that we’ve been able to dig up). The system is not listed on the State Department’s Privacy Impact Assessments nor its System of Record Notices. With one exception, we have not been able to find anything more on its public website or the foia.state.gov website. The Federal IT Dashboard lists IT Spending in FY 2015 for A/GIS/IPS FREEDOMS/FREEDOMS2 (014-000000322) at $2.1 million.

We did find a description of it from the National Archives and Records Administration (NARA) as follows:







Another Federal Data Breach: Hacker Dumps FBI and DHS Employee Information Online

Posted: 2:56 am EDT


Via motherboard.vice.com:

The data was obtained, the hacker told Motherboard, by first compromising the email account of a DoJ employee, although he would not elaborate on how that account was accessed in the first place. (On Monday, the hacker used the DoJ email account to contact this reporter).  From there, he tried logging into a DoJ web portal, but when that didn’t work, he phoned up the relevant department.

“So I called up, told them I was new and I didn’t understand how to get past [the portal],” the hacker told Motherboard. “They asked if I had a token code, I said no, they said that’s fine—just use our one.”

If that’s true, then it took just one employee and elementary social engineering to start the ball rolling in this newest data breach.