@StateDept Chief Information Officer Frontis Wiggins to Retire Effective December 8

Posted: 2:22 am ET

 

Another 30-plus year veteran of the State Department is leaving effective December 8. Frontis Wiggins, the agency’s chief information officer and a career employee of over thirty years, announced his retirement to his IRM colleagues via email on November 20:

“Today, I am announcing that I will retire from the U.S. Department of State, effective Friday, December 8, 2017. I will have more information to share with you in the near future.”

The State Department’s average annual attrition over the last five years for Information Technology Managers at the FE-MC rank, like Mr. Wiggins, is 1. In 2016, the average annual projected leadership attrition for this skill group and rank over the next five years was zero.

Next to security officers and office management specialists, information management specialists in the State Department are projected to have the third highest overall attrition in the next five years (2016-2020).

His official bio via state.gov:

Frontis B. Wiggins, a member of the Senior Foreign Service with the rank of Minister-Counselor, is currently the Chief Information Officer for the U.S. Department of State. In this capacity, he is responsible for the Department’s information resources and technology initiatives which provide core information, knowledge management, and technology (IT) services to the Department of State and its 260 overseas Missions. He is directly responsible for the Information Resource Management (IRM) Bureau’s budget of $569 million, and oversees State’s total IT/ knowledge management budget of approximately one billion dollars.

He joined the Foreign Service in 1985 and has served overseas in Cairo, Budapest, Hong Kong, Paris, Information Management Officer Beijing, and Director of Regional Information Management Center (RIMC) Frankfurt. Senior level assignments in D.C. have included the Principal Deputy CIO, Deputy CIO for Foreign Operations, the Dean of the School of Applied Information Technology (SAIT) at the Foreign Service Institute (FSI), and the Director of Information Resource Management’s Messaging Systems Office.

Mr. Wiggins holds a Bachelor of Arts in History from the College of William and Mary, a Master’s Degree in Information Systems from George Washington University, and is a member of their Honor Society. He is a graduate of the Chief Information Officer’s University class of 2006 and has received numerous Meritorious and Superior Honor awards during his career, as well as being the first recipient of AFSA’s Tex Harris Award for constructive dissent in 2000. He speaks seven foreign languages with varying degrees of fluency.

A colleague of Mr. Wiggins who was at FSI where he was once dean told us that everyone there raved at that time that he would be the next CIO. “There was a lot of excitement in the field when he did become CIO because he worked up through the ranks and was familiar with the work in the trenches. He seemed keen on modernizing our aging IT infrastructure, so there’s been a lot of hope that things *might* actually change for the better in IRM.”

Mr. Wiggins was “leading the charge for much-needed modernization of our IT infrastructure” at the State Department, we were told, and “this is a sad time for IT in the Department.”

One source confirmed for us that Rob Adams, the Principal Deputy CIO, will be Acting CIO after Mr. Wiggins’ departure. Federal News Radio, which reported on Wiggins’ departure, says that Adams joined the State Department in 1988 after serving in the Marine Corps for four years. Federal News Radio also notes that Wiggins will become the eighth cabinet agency CIO to leave in the past year.

#



Senators Seek to INTVW @StateDept CIO Taylor; Wait, Wasn’t He Overseas When Pagliano Was Hired?

Posted: 3:05 am EDT

Two Senate chairmen are pressing the State Department for more information about the staffer who maintained Hillary Clinton’s controversial email server, including requesting an audience with his former supervisor.

Senate Judiciary Chairman Chuck Grassley (R-Iowa) and Homeland Security Chairman Ron Johnson (R-Wis.) asked that Steven Taylor, State’s chief information officer, sit for a closed-door interview about the duties of his former subordinate Bryan Pagliano, according to a letter the senators sent to Secretary of State John Kerry.

Mr. Taylor is a member of the Senior Foreign Service with the rank of Minister Counselor. He has been the Chief Information Officer of the State Department since April 3, 2013. He was previously appointed as Acting CIO on August 1, 2012. Preceding his assignment as CIO, he was the Department’s Deputy Chief Information Officer (DCIO) and Chief Technology Officer of Operations from June, 2011.

We should note that Secretary Clinton left the State Department on February 1, 2013, two months before Mr. Taylor was appointed CIO. In fact, according to this official biography, prior to his DCIO assignment in 2011, he served as Management Counselor in Cairo and Athens. So we’re guessing that between 2005 to 2011, this poor man was posted overseas and nowhere near the hiring desk when Mr. Pagliano was brought into the IT bureau of the State Department in 2009.

Not that it’s going to matter. The senators will probably drag Mr. Taylor before a closed-door interview still the same. Pagliano joined the State Department in May 2009. Maybe the senators should try the Bureau of Human Resources for their hiring and work duties questions?

Foggy Bottom’s Email Debacle Spreads Beyond Clinton Inner Circle

We don’t think this is going to stop at Mr. Taylor. On September 14, conservative group Judicial Watch also released a heavily redacted email, obtained through its FOIA lawsuit, between State Department officials Eric F. Stein and Margaret P. Grafeld, dated April 21, 2015, with the subject “HRC Emails.” Stein is deputy director of Global Information Systems (GIS) at the State Department and Grafeld is deputy assistant secretary of Global Information Systems (GIS). Stein reports to Grafeld that the “gaps” in Clinton’s emails include:

  • Jan. 21 – March 17, 2009 (Received Messages)
  • Jan. 21 – April 12, 2009 (Sent Messages)
  • Dec. 30, 2012 – Feb. 1, 2013 (Sent Messages)


On September 14, the State Department spox was asked about these gaps during the DPB and he maintained that there is no gap. Here is the exchange:

QUESTION: There was a release today by Judicial Watch from its lawsuit, and it cited several email gaps it claims existed in the former secretary’s list of ledger – full ledger of work-related correspondence.

MR KIRBY: Yep, seen the press report, Brad. We’re not aware of any gaps in the Clinton emails set with the exception of the first few months of her tenure when Secretary Clinton used a different email account that she has already advised she no longer has access to. And as I understand it, Secretary Clinton’s representatives have publicly stated that she used a separate email account in those first few months of her tenure. But beyond that, there’s no gap that we have seen or are aware of in Secretary Clinton’s email messages.

QUESTION: In that early part, you mentioned there was a gap of, I think, one month before – from the first received email to the first sent email. Now, I realize it’s fully possible she didn’t send an email that was work-related in that first month – that first month when she had that account, but is that your understanding or is that still an incomplete – you’re still fully researching all of those emails or unearthing them?

MR KIRBY: I know of no research attempt to deal with those first few months, Brad, because, as I said, former Secretary Clinton’s representatives already indicated that they were aware this gap existed and that she had – no longer had access to them. So it’s difficult if not impossible to do any particular research or forensics to get at those first few months. And as for how many were sent and received in that timeframe, I just don’t know. But this is not something that hasn’t been addressed before by her representatives. And beyond that first couple of months, those first four months, we have seen no gaps.

QUESTION: And in the last part of – in the last part of her tenure, there was what they cited was another gap in January 2013, which I’m guessing you’re saying is not a gap, in fact.

MR KIRBY: That’s correct.

QUESTION: Can you – they produced an email which showed an official saying there’s a gap or listing it as a gap. Do you understand what happened? Were those emails then later recovered or found?

MR KIRBY: Right. So we continue to maintain there’s no gap. I think you’re talking about this period of December 2012 through the end of January 2013.

QUESTION: Right.

MR KIRBY: And upon further review – so originally when they all came in, a cursory sort of preliminary look, a very quick look at the documents by an official here at the State Department revealed a potential gap of about a month or so in emails. But in going through them in a more fulsome manner after that, we’ve determined that in fact, there was no gap – that that time period is covered quite well by the emails that have been provided.

QUESTION: So you have emails from that period and —

MR KIRBY: We do.

QUESTION: — when you get to that point, they’ll be public.

MR KIRBY: We do, and I think you will continue to see – and we’ve been roughly rolling these out – roughly temporally and you will see – as we get to the remainder of the tranches, that you will see emails that were sent and received during that December ’12 to January ’13 timeframe.

That’s not going to end there. The “gaps” will be too tantalizing to ignore.

This email released by Judicial Watch also includes a few more names, including Richard C. Visek, the State Department’s Deputy Legal Adviser and also the Designated Agency Ethics Official (DAEO). We suspect that it’s only a matter of time before the somebodies in Congress request the official appearance and interview of Margaret P. Grafeld, Eric F. Stein, and heaven knows who else.

Related item:

State/OIG Issues Alert on Recurring Weaknesses of State Department’s Computer Security


— By Domani Spero

In November 2013, Inspector General Steve Linick issued a management alert memo to the State Department’s Management Control Steering Committee concerning the “significant and recurring weaknesses” of its information system security program over the past three fiscal years (2011-2013).

The recurring weaknesses identified were in six areas: Authority to Operate (ATO), Baseline Controls, Scanning and Configuration Management Controls, Access Controls, Cyber Security Management, and Risk Management and Continuous Monitoring Strategies.

A backgrounder from the OIG report:

The Department of State (Department) is entrusted to safeguard sensitive information, which is often the target of terrorist and criminal organizations. Cyber attacks against Government organizations appear to be on the rise, including state-sponsored efforts to exploit U.S. Government information security vulnerabilities. The Department is responsible for preserving and protecting classified information vital to the preservation of national security in high risk environments across the globe. The Department also undertakes significant numbers of financial and other transactions, including, for instance, the daily collection of millions of dollars in consular fees. In addition, the Department maintains records on approximately 192 million current passports, which contain such sensitive personally identifiable information (PII) as dates of birth and social security numbers. To protect this information, the Department must ensure that its Information System Security Program and management control structure are operationally effective.

Some of the examples of weaknesses cited include the following:

  • In FY 2013, OIG found another instance of access control weakness. Specifically, OIG reported that 36 employees assigned to the [Redacted] (b) (5).  Pursuant to 12 FAM 232, those systems can only be accessed by individuals possessing appropriate clearances. The 36 employees did not possess such clearances.
  • On August 20, 2013, the Bureau of Information Resource Management (IRM) reported that the Department had a total of 6,369 system administrators. According to IRM officials, system administrators are given network-wide permissions to allow them to collaboratively manage and troubleshoot issues. “However, such broad access by large numbers of system administrators also subjects the system to risk. The recent, highly-publicized breach of information pertaining to national security matters by Edward Snowden, a contract systems administrator, starkly illustrates the issue.”
  • The Bureau of Diplomatic Security did not have the administrative credentials needed for Demilitarized Zone servers to perform periodic scanning.

State/OIG made three recommendations including directing the Office of the Chief Information Officer to employ the services of the National Security Agency (NSA) to conduct independent penetration testing to further evaluate the Information System Security Program and outline a range of technical and procedural countermeasures to reduce risks.

On December 13, 2013, James Millette, the chairman of the Steering Committee and the State Department’s Comptroller, who also heads the State Department’s Bureau of the Comptroller and Global Financial Services (CGFS), sent the OIG a written response which says that they “respectfully disagree on the level of severity these weaknesses collectively represent.” Part of the response also includes the following:

Your memo recommended that the MCSC direct IRM to employ the services of the National Security Agency (NSA) to conduct independent penetration testing. The Committee believes that DS, like the OIG, has direct lines to the Secretary and has the capability to be independent in these matters. In addition, DS assured the Committee that they have the capability and work with and have the confidence of NSA in these matters. We believe OIG would not disagree that DS has the capability to adequately perform the testing. However, we fully understand the issue of perception of independence. Therefore the MCSC is supportive of DS and IRM having further discussions with the OIG on this matter to determine the best plan of action to perform penetration testing that meets the needs of the OIG and Department management. In addition, at the meeting, we suggested that there may be other alternatives to NSA, such as using a 3rd party to review the methodology used by DS.

That’s an old timer at the State Department telling the new IG that the Committee believes that Diplomatic Security (DS) like the Office of the Inspector General (OIG) has “direct lines” to the Secretary? Really! It is a fact that DS reports to “M” or the Under Secretary for Management and not directly to the Secretary. (Unless, the Committee thinks the OIG also reports to “M” just like DS)? OIG is one of the ten offices at State that reports directly to the Secretary. If the Secretary in practice delegates that authority, he has two deputies above the under secretaries, and one of them is for management and resources.

On Jan 13, 2014, the Inspector General sent another memo to the Management Control Steering Committee. The memo indicates closure of one recommendation but left the other two issues “unresolved.” This is also where the OIG patiently explains to the Committee what it means by “independence.”

OIG considers Recommendation 3, pertaining to independent penetration testing, unresolved. The MCSC indicated that it is supportive of the Bureau of Diplomatic Security (DS) and IRM having further discussions with OIG on this matter, but it further stated that “OIG would not disagree that DS has the capability to adequately perform the testing.” The issue, however, is not about DS’s “capability” but its independence and perceived independence.

According to the National Institute of Standards and Technology (NIST):

An independent assessor is any individual or group capable of conducting an impartial assessment of security controls employed within or inherited by an information system. Impartiality implies that the assessor is free from any perceived or actual conflicts of interest with respect to the development, operation, and/or management of the information system or the determination of security control effectiveness.

Because DS is actively involved in the Department’s Information System Security Program, it cannot be considered an independent, impartial assessor. The recommendation will remain open until OIG reviews and accepts documentation showing that independent penetration testing has been implemented. The penetration testing must be performed by the National Security Agency or an equally qualified organization independent of the Department and approved by OIG.

The NSA is already conducting penetration tests on critical U.S. infrastructure, among other things. Why is State considering only DS or a third party, and not NSA?

* * *

Related item:

-01/13/14   Mgmt Alert on OIG Findings of Significant and Recurring Weaknesses in the Dept of State Info System Security Program (MA-A-0001)  [6298 Kb]