State/OIG Reviews @StateDept Policies and Controls Protecting PII and National Security Data

Posted: 2:03 am ET

 

State/OIG recently posted online its review of the State Department’s policies and controls protecting personally identifiable information (PII) data and national security data. Below is an excerpt:

The Consolidated Appropriations Act, 2016,1 Section 406, Federal Computer Security, requires the Inspector General of each covered agency to submit a report that contains a description of controls utilized by covered agencies to protect sensitive information maintained, processed, and transmitted by a covered system. Specifically, the Consolidated Appropriations Act requires a description of controls utilized by covered agencies to protect two types of data contained within covered systems: personally identifiable information (PII) data and national security data. Information related to national security data is covered in a classified annex to this information report.
[…]
Specifically, Williams Adley selected and reviewed 4 systems from a Department-provided listing of 216 systems (Electronic Medical Records System (eMED), Integrated Personnel Management System (IPMS), Consular Consolidated Database (CCD), and Consular Lookout and Support System (CLASS)) that provide access to PII. In addition, Williams Adley reviewed 2 National Security Systems (NSS) from a Department-provided listing of 60 systems (Chief of Mission and Special Embassy Programs Database (NSDD 38), and Principal Officers Executive Management System (POEMS)).

This report describes the policies and controls used by the Department for five specific topics identified in the Act:

(1) logical access policies and practices;

The review found only two of the six systems reviewed (eMED and IPMS) had system-specific logical access control policies.

(2) logical access controls and multi-factor authentication used;

With respect to why logical access controls or multi-factor authentication are not being used, according to Department officials, two of the six systems (IPMS and one NSS) did not implement multi-factor authentication to govern system-level privileged user access because functional capabilities are not available. According to Department officials, IPMS is currently planning multi-factor implementation, while the one NSS is waiting for the Department to provide the functional capabilities necessary to implement multi-factor authentication to govern privileged user logical access.

(3) the reasons logical access controls or multi-factor authentication have not been used;

With respect to access and multi-factor authentication, Williams Adley found the Department has not fully implemented multi-factor authentication at the entity level; however, it had implemented other logical access compensating controls to govern privileged user access. Four of the six systems reviewed (eMED, CCD, CLASS, and one NSS) had either fully or partially implemented multi-factor authentication to government system-level privileged user logical access. The two systems that did not utilize multi-factor authentication to govern logical access of privileged users (IPMS and one NSS) relied on username and password combinations. Nevertheless, all six systems had some type of logical access controls in place.

(4) information security management practices used for covered systems;

With respect to information security management practices used for covered systems, Williams Adley found the Department uses a federated model to manage software inventory. In addition, the Department has implemented a defense-in-depth information system program. Further, the Department monitors network traffic, detects and responds to incidents, and scans for security compliance and vulnerabilities. However, the Department has only partially implemented a data loss prevention system and has not implemented digital rights management technology.

(5) policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors.

With respect to policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors, Williams Adley found the Department has a number of policies related to this topic. The relevant Department policies and procedures are established within the Department’s Foreign Affairs Manual (FAM).

The report notes that the Bureau of Information Resource Management, the Executive Secretariat’s Office of Information Resource Management, and the Bureau of Diplomatic Security, provided comments to a draft of the report. Because the comments were marked sensitive, the comments have been reprinted, in their entirety, in the classified annex of the report (AUD-IT- 16-45A).

The publicly available report is available here: https://oig.state.gov/system/files/aud-it-16-45.pdf

#

 

Americans Targeted in South Sudan, a Country That Gets $1.5B in American Humanitarian Aid

Posted: 3:36 am ET

 

The AP report says that “the attack on the Terrain hotel compound in Juba last month shows the hostility toward foreigners and aid workers by troops under the command of South Sudan’s President Salva Kiir, who has been fighting supporters of rebel leader Riek Machar since civil war erupted in December 2013.”  (See How the World’s Youngest Nation Descended Into Bloody Civil War).  The State Department’s official spox declined to say whether Americans were targeted but the Daily Beast piece includes the beating of an American “with belts and rifle butts for about an hour, accusing him of hiding rebels. “You tell your embassy how we treated you,” one soldier told him as he fled to a nearby UN compound.”  During the attack on the Terrain, several survivors also told the AP that soldiers specifically asked if they were Americans.

The attack on the Terrain compound occurred on July 11.  On July 17, the Special Envoy to South Sudan tweeted that the U.S. is not going to take “offensive action” against South Sudan.

On August 15, over a month after this horrific incident, USUN Ambassador Samantha Power released a statement that the United States is “outraged of the assaults and rapes of civilians … last month.” The US Embassy in Juba received distressed calls, so officials knew this happened before it became  front page news. Still, it took the US over a month to publicly acknowledge this outrage.

A brief backgrounder here — South Sudan gained independence on July 9, 2011, after being at war with Sudan for nearly 40 of the past 57 years. USCG Juba became the US Embassy at the same time.  In early 2013, State/OIG conducted an inspection of the USG’s newest embassy in the world.  One of the OIG’s key findings at that time is the Department inability to staff Embassy Juba adequately, “preventing the embassy from functioning as effectively as it should.”  The embassy operates out of a small chancery deemed too small to accommodate additional staff and the new embassy is not scheduled for construction until 2018. The report warns that the current facility puts embassy employees at risk. The inability to add more staff also leaves assistance programs vulnerable to failure or misuse of funds. The report indicates that the Department has decided to keep the mission with its current footprint until construction of a new embassy, which won’t happen until 2018. It will be a number of years, however, until the new embassy is ready. The OIG concludes that personnel and the integrity of our programs will remain at risk.  (see US Embassy Juba: Dear Congress, This Facility Puts Employees “At Risk” But Hey, Waivers) and US Embassy Juba: An All-in-One Consular Officer on First Rodeo Works Out of a Storage Closet.

The US Embassy in Juba has a small U.S. force guarding it but its ability to function as an embassy is only possible with the protection of the host country.  With South Sudan government troops targeting Americans, how is it that the US Embassy in Juba is still open?

Below is an excerpt from the Daily Press Briefing with the spox addressing what Embassy Juba did during and following the attack. It also show the limits of what the US Government can do despite being the largest donor in South Sudan.

Via DPB on August 15, 2016:

MS TRUDEAU: Yes. And I’m glad for this. Please.

QUESTION: There was a fairly disturbing account put out today of the July 11th attack on the Terrain hotel compound. And as part of it, survivors are saying that they waited for hours after calling for help from the U.S. embassy as well as other embassies in the area, with no one responding. Do you dispute that, and do you have any timeline that you can share with us about what occurred during the time of the assault?

MS TRUDEAU: Okay. So I think we’ve all seen those horrific reports. I want to say at the top that privacy considerations will prevent me from talking about any specific part of this in detail. But as I go through this, I do not in any way want to minimize in any way, shape, or form what people might have gone through during that crisis in South Sudan.

So in terms of the timeline: In the midst of the ongoing fighting throughout the city between government and opposition forces, Embassy Juba actively responded to the July 11 assault on a private compound hosting U.S. citizens, among others. Upon learning about the attacks at Terrain camp, Ambassador Phee immediately – herself – immediately contacted South Sudanese government officials, including officials in the presidential guard and National Security Service. National Security Service sent a response force to the site and put a stop to the attack. Presidential guard forces also went to the scene, but they arrived after the National Security Service.

Following the attack and in the midst of ongoing fighting and violence throughout Juba, including in the immediate vicinity of the embassy, the U.S. embassy ensured that U.S. citizens and foreign nationals affected by the attack were moved to safety and provided emergency medical assistance. The U.S. embassy also facilitated the rapid departure of those involved from South Sudan by air ambulance.

As part of its response to the crisis in South Sudan, the U.S. embassy provided emergency services for those in need and assisted in the departure of more than 80 U.S. citizens during last month’s crisis.

We’ve stated we condemn these attacks. We have called for accountability for those who are involved in the violence.

Anything more on South Sudan?

QUESTION: So you can’t confirm that Americans were singled out and were specifically assaulted due to the fact that they were American in the course of the assault?

MS TRUDEAU: I’m not in a position to say that any particular nationality was singled out.

QUESTION: And as part of the report, it suggests that it was South Sudanese soldiers who were in fact committing this assault. So how was the U.S. embassy – how could they be assured that the people that they were calling were the ones who were actually going to help rather than contributing to the ongoing —

MS TRUDEAU: So what I can say is that the attackers in this incident wore uniforms and they were armed. There were both opposition and government troops in Juba at that time. Armed clashes were occurring throughout the city. The area where Terrain is located was controlled by the SPLA on July 10th and 11th.

Matt.

QUESTION: Yeah, I just wanted – you said that the – in the midst of the ongoing attack at Terrain, you said Embassy Juba actively responded.

MS TRUDEAU: We did.

QUESTION: So the active response, though, as far as I can tell from what you said, was that the ambassador made a phone call. Is that —

MS TRUDEAU: The ambassador made several phone calls.

QUESTION: Several phone calls?

MS TRUDEAU: When we were assured that people would go out and bring people in, then we actively ensured that those people were safe. So yeah.

QUESTION: But in the midst of – while it was going – I understand what —

MS TRUDEAU: Yeah.

QUESTION: — you’re saying after it was over what you did, but during it, was there —

MS TRUDEAU: When we received reports, we called the people who are best poised to go out and make it stop, which was the National Security Services as well as the presidential guard.

QUESTION: But – yeah, I understand that, but I mean – but was it just the ambassador or did other people – did other staffers do anything? I mean, I’m just trying to get an idea of what the active response was.

MS TRUDEAU: Yeah, in terms of sequence, it was – it was reaching out to the government officials who were in a position at that place to intervene.

QUESTION: So I think that the point that at least the survivors of this or some of the survivors of the attack is, is there wasn’t any kind – any attempt to intervene. Is that not appropriate or —

MS TRUDEAU: I – it’s – again, there was an immediate response from the U.S. embassy to identify and dispatch the people who could intervene immediately in the attack.

QUESTION: Right. But the embassy itself was not in a position to do anything?

MS TRUDEAU: Was not in a position to do that.

 

#

US Embassy Addis Ababa Restricts Personal Travel of USG Personnel in Ethiopia

Posted:12:09 am ET

On August 9, the US Embassy in Ethiopia issued an emergency message informing U.S. citizens in the country of the restrictions on personal travel by USG personnel:

The U.S. Embassy wishes to inform U.S. citizens that protests in Ethiopia have resulted in violent clashes between demonstrators and government security forces.  As such, Embassy personnel have been restricted from personal travel to areas in the Amhara and Oromia region states.  Restrictions of future travel by Embassy personnel are being reviewed on a case-by-case basis.

While U.S. citizens have not been specifically targeted in the demonstrations, the unpredictability of protests presents significant risks for travelers to the affected regions.  Everyone should increase their level of situational awareness, continuously assess their surroundings, and evaluate their personal level of safety and avoid demonstrations or large gatherings.

Also on Addis Ababa:

 

#

 

Photo of the Day: The Room Numbers on His Arm

Posted: 3:25 am ET

Via State/DS:

A Diplomatic Security Assistant Regional Security Officer who responded to the attack checks his weapon. Scrawled in ink on his arm are the room numbers of Americans trapped inside the hotel. The DSS-led team entered the building a second time to rescue them. (U.S. Department of State photo)

A Diplomatic Security Assistant Regional Security Officer who responded to Bamako’s Radisson Blu Hotel attack in Mali checks his weapon. Scrawled in ink on his arm are the room numbers of Americans trapped inside the hotel. The DSS-led team entered the building a second time to rescue them. (U.S. Department of State photo)

 

US Embassy Burma: “Routine Security Drill” Triggers Bomb Scare in Yangon

Posted: 2:36 am ET

#

U.S. Mission Turkey Now on “Authorized Departure” For Family Members in Ankara and Istanbul

Posted: 2:08 am ET

 

The State Department updated its Travel Warning for Turkey on July 26 announcing the “authorized departure” of U.S. Mission Turkey family members from the US Embassy in Ankara and the Consulate General in Istanbul.

The U.S. Department of State continues to warn U.S. citizens of increased threats from terrorist groups throughout Turkey and to avoid travel to southeastern Turkey. The U.S. Department of State is updating this Travel Warning to reflect the July 25, 2016, decision to authorize the voluntary departure of family members of employees posted to the U.S. Embassy in Ankara and U.S. Consulate General in Istanbul, Turkey. The Department of State made this decision following the July 15 attempted coup and subsequent declaration by the Turkish government of a 90-day State of Emergency. The Department continues to monitor the effect of these developments on the overall security situation in the country and advises U.S. citizens to reconsider travel to Turkey at this time. During this period, U.S. citizens in Turkey may see an increase in police or military activities and restrictions on movement.

Read the updated warning here.

Screen Shot

The State Department has already extended its March 29, 2016 mandatory evacuation order for family members of U.S. Government personnel posted to the U.S. Consulate in Adana and family members of U.S. Government civilians in Izmir province through July 26, 2016.  We expect to hear further extension of that order now that the two other posts in the country are now on authorized departure  following the declaration of a 90-day State of Emergency. See @StateDept Extends “Ordered Departure” Status for Consulate Adana/Izmir Prov Through July 26, 2016.

#

@StateDept Extends “Ordered Departure” Status for Consulate Adana/Izmir Prov Through July 26, 2016

Posted: 4:33 am ET

 

The State Department issued a new Travel Warning for Turkey:

  • The Department of State extended its March 29, 2016 ordered departure of family members of U.S. Government personnel posted to the U.S. Consulate in Adana and family members of U.S. Government civilians in Izmir province through July 26, 2016.  The Department of State terminated its March 29, 2016 ordered departure declaration for Mugla province. The U.S. Consulate in Adana remains open and will continue to provide all routine consular services.
  • U.S. Government personnel in Turkey remain subject to travel restrictions in the southeastern provinces of Hatay, Kilis, Gaziantep, Sanliurfa, Sirnak, Diyarbakir, Van, Siirt, Mus, Mardin, Batman, Bingol, Tunceli, Hakkari, Bitlis, and Elazig.  U.S. citizens should avoid areas in close proximity to the Syrian border.
  • U.S. government employees in Turkey are permitted to leave their residences and hotels, but advised to do so during daylight hours given calls for sustained pro-government rallies in public spaces and the possibility that demonstrations and protests could ensue or turn violent with little notice.
  • The U.S. Department of State warns U.S. citizens of increased threats from terrorist groups throughout Turkey and to avoid travel to southeastern Turkey.    In light of the July 15 coup attempt and its aftermath, we suggest U.S. citizens reconsider travel to Turkey at this time.

#

U.S. Embassy Dhaka: Now on “Authorized Departure” For Family Members of USG Personnel

Posted: 3:39 am ET

On July 10, the State Department updated its Travel Warning for Bangladesh and announced the voluntary evacuation of family members of U.S. personnel posted to the U.S. Embassy in Dhaka:

The Department of State warns U.S. citizens to consider carefully whether you need to travel to Bangladesh, in light of the latest attack in a series of extremist events.  Effective July 10, 2016, the Department of State authorized the voluntary departure of family members of U.S. government personnel posted to the U.S. Embassy in Dhaka.  The U.S. Embassy in Dhaka remains open and will provide all routine consular services.  The U.S. government assesses that the terrorist threat is real and credible.

bg-map

On July 1, 2016, attackers killed more than 20 people in a restaurant frequented by foreigners in Dhaka’s diplomatic enclave, including one U.S. citizen.  Other attacks continue to be carried out against religious minorities, bloggers, publishers, and security forces throughout the country.  Daesh (also referred to as ISIL, or ISIS) and Al Qaeda in the Indian Subcontinent (AQIS) have publicly claimed credit for various attacks since September 2015.

U.S. citizens should take stringent security measures, remain vigilant, and be alert to local security developments.  Be aware that U.S. government officials and their families currently are not permitted to:

  • visit public establishments or places in Bangladesh
  • travel on foot, motorcycle, bicycle, rickshaw, or other uncovered means on public thoroughfares and sidewalks in Bangladesh
  • attend large gatherings in Bangladesh

Read the full announcement here.

 

Related posts:

 

#

U.S. Embassy Juba: 47 Troops Ordered to South Sudan, 130 Pre-Positioned in Djibouti

Posted: 2:19 am PT

 

On July 13, President Obama informed Congress of the deployment of U.S. Armed Forces personnel to the U.S. Embassy in Juba, South Sudan.

In response to the deteriorating security situation in South Sudan, I have ordered the deployment of additional U.S. Armed Forces personnel to South Sudan to support the security of U.S. personnel, and our Embassy in Juba. The first of these additional personnel, approximately 47 individuals, arrived in South Sudan on July 12, 2016, supported by military aircraft. Although equipped for combat, these additional personnel are deployed for the purpose of protecting U.S. citizens and property. These deployed personnel will remain in South Sudan until the security situation becomes such that their presence is no longer needed. Additional U.S. Armed Forces, including approximately 130 military personnel currently pre-positioned in Djibouti, are prepared to provide support, as necessary, for the security of U.S. citizens and property, including our Embassy, in South Sudan.

On July 13, Embassy Juba also announced two charter flights that will depart Juba for Entebbe, Uganda on Thursday, July 14. Passengers are expected to make onward travel plans themselves. A security message issued previously notes that “seating is very limited”  and that the mission “cannot guarantee availability.”  Passengers are limited to one piece of luggage (20 kg/45 lbs) each.  Pets are not included in the charter flights.  Passengers who are not documented with a valid U.S. passport “will likely not be considered for boarding.”

 

Germany and the EU have completed the evacuation of its citizens on July 13.  The UK and India are in the process of also evacuating their citizens from South Sudan.

#

US Embassy Juba: Two Charter Flights For U.S. Citizens to Depart on July 14

Posted: 1:11 pm ET

The U.S. Embassy in Juba sent an emergency message to U.S. citizens in South Sudan informing them on two charter flights departing from Juba to Entebbe (Uganda) on Thursday, July 14.

Evacuation Flights from Juba Beginning | July 13, 2016

The U.S. Embassy in Juba informs resident American citizens that two charter flights will be departing Juba to Entebbe on July 14. U.S. citizens wishing to depart on the first flight should arrive to the airport at 8:30 a.m. to be processed. U.S citizens wishing to depart on the second flight should arrive no later than 12:30 p.m. to be processed.

The U.S. Embassy will not collect money for this flight; however, all passengers will be required to complete and sign a DS-5528 promissory letter for the fare. The amount of the loan will be the cost of a full fare ticket from Juba to Entebbe (approximately USD250). You must arrange your own transportation to the airport and onward from Juba. Due to ongoing security concerns, please remain vigilant when moving about the city.

Notice to all passengers: (1) Bring a valid travel document (passport); (2) you are restricted to one small carryon; and (3) no pets will be allowed. The Embassy continues to monitor the situation and will update you as appropriate.

Read What the Department of State Can and Can’t Do in a Crisis.

 

#