@StateDept Launches New System of Records to Capture All Emails — Hunting For Leakers, Plus Other Stuff

Posted: 1:55 am ET

 

We just stumbled into a December 12, 2017 announcement on the Federal Register about a “New System of Records” signed by Mary R. Avery, the Senior Agency Official for Privacy in the Office of Global Information Services of the State Department’s Bureau of Administration. The notice says that the “purpose of the Email Archive Management Records system is to capture all emails and attachments that interact with a Department of State email account and to store them in a secure repository that allows for search, retrieval, and view when necessary.”

In accordance with 5 U.S.C. 552a(e)(4) and (11), this system of records takes effect upon publication, with the exception of the routine uses that are subject to a 30-day period during which interested persons may submit comments to the Department.

The individuals covered by this new system? All State Department folks with state.gov emails, including people with interactions to those state.gov accounts, or mentioned in those email accounts:

“Individuals who maintain a Department of State email account that is archived in the system. The system may also include information about individuals who interact with a Department of State email account, as well as individuals who are mentioned in a Department of State email message or attachment.”

“The records in this system include email messages and attachments associated with a Department of State email account, including any information that may be included in such messages or attachments. The system may also include biographic and contact information of individuals who maintain a Department of State email account, including name, address, email address, and phone number.”

The location of this new system is reportedly at the State Department or annexes and post overseas but also that information “may also be stored within a government-certified cloud, implemented, and overseen by the Department’s Messaging Systems Office (MSO.”  

Does anyone know if this new system is managed by a specific contractor or contractors, and if so, which one/s?

Note that the new system does not just capture “record” emails for federal record purposes, but “all” emails.  The hunt for leakers starts here? Although if you read carefully item #f below, it looks like emails will also be shared and screened for potential insider attacks, not just on networks, but for “for terrorist screening, threat-protection and other homeland security purposes.”

And item #h… oh, my … for people with planned or ongoing litigations!  It has always been said that employees should have no expectation of privacy when using government systems; this new system clarifies it for everyone on how the State Department intends to use and share information in its email system.

Information in this new system may be shared with the following:

(a) Other federal agencies, foreign governments, and private entities where relevant and necessary for them to review or consult on documents that implicate their equities;

(b) a contractor of the Department having need for the information in the performance of the contract, but not operating a system of records within the meaning of 5 U.S.C. 552a(m).

(c) appropriate agencies, entities, and persons when (1) the Department of State suspects or has confirmed that there has been a breach of the system of records; (2) the Department of State has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Department of State (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department of State efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

(d) another Federal agency or Federal entity, when the Department of State determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

(e) an agency, whether federal, state, local or foreign, where a record indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, so that the recipient agency can fulfill its responsibility to investigate or prosecute such violation or enforce or implement the statute, rule, regulation, or order.

(f) the Federal Bureau of Investigation, the Department of Homeland Security, the National Counter-Terrorism Center (NCTC), the Terrorist Screening Center (TSC), or other appropriate federal agencies, for the integration and use of such information to protect against terrorism, if that record is about one or more individuals known, or suspected, to be or to have been involved in activities constituting, in preparation for, in aid of, or related to terrorism. Such information may be further disseminated by recipient agencies to Federal, State, local, territorial, tribal, and foreign government authorities, and to support private sector processes as contemplated in Homeland Security Presidential Directive/HSPD-6 and other relevant laws and directives, for terrorist screening, threat-protection and other homeland security purposes.

(g) a congressional office from the record of an individual in response to an inquiry from the Congressional office made at the request of that individual.

(h) a court, adjudicative body, or administrative body before which the Department is authorized to appear when (a) the Department; (b) any employee of the Department in his or her official capacity; (c) any employee of the Department in his or her individual capacity where the U.S. Department of Justice (“DOJ”) or the Department has agreed to represent the employee; or (d) the Government of the United States, when the Department determines that litigation is likely to affect the Department, is a party to litigation or has an interest in such litigation, and the use of such records by the Department is deemed to be relevant and necessary to the litigation or administrative proceeding.

(i) the Department of Justice (“DOJ”) for its use in providing legal advice to the Department or in representing the Department in a proceeding before a court, adjudicative body, or other administrative body before which the Department is authorized to appear, where the Department deems DOJ’s use of such information relevant and necessary to the litigation, and such proceeding names as a party or interests:

(a) The Department or any component of it;

(b) Any employee of the Department in his or her official capacity;

(c) Any employee of the Department in his or her individual capacity where DOJ has agreed to represent the employee; or

(d) The Government of the United States, where the Department determines that litigation is likely to affect the Department or any of its components.

(j) the National Archives and Records Administration and the General Services Administration: For records management inspections, surveys and studies; following transfer to a Federal records center for storage; and to determine whether such records have sufficient historical or other value to warrant accessioning into the National Archives of the United States.

#

Burn Bag: If an email server goes down and the Embassy doesn’t make a sound …

Via Burn Bag:

“It appears that a certain U.S. diplomatic post in sub-Saharan Africa has been without official email communications for a whole week.  How can this happen in a time of frequent security concerns and emergency evacuations from the region?

No one in Washington seems to know or care. AF bureau appears clueless, not even working to help out. So if an email server goes down and the Embassy doesn’t make a sound, does that outpost even exist anymore?”

computerslam

#

OIG: Only 41,749 State Dept Record Emails Preserved Out Of Over a Billion Emails Sent

Posted: 4:29 pm EDT
Updated: March 12, 9:29 pm PST
[twitter-follow screen_name=’Diplopundit’ ]

State Department deputy spokeswoman Marie Harf told CNN that since the inspector general is independent from the department “they will have to speak to the timing and details of releasing this report, which they control.”

So we asked the IG and we’re told that “the timing of the release of this report (ISP-I-15-15) was purely coincidental to the recent email issue.”

*

State/OIG did a review (pdf) of the Department’s State Messaging and Archive Retrieval Toolset (SMART) and Record Email in Washington, DC, between January 24 and March 15, 2014. According to the OIG, in 2013, Department employees created 41,749 record emails. These statistics are similar to numbers from 2011, when Department employees created 61,156 record emails out of more than a billion emails sent. Department officials have noted that many emails that qualify as records are not being saved as record emails.

Below are the highlights of the OIG review:

  • A 2009 upgrade in the Department of State’s system facilitated the preservation of emails as official records. However, Department of State employees have not received adequate training or guidance on their responsibilities for using those systems to preserve “record emails.” In 2011, employees created 61,156 record emails out of more than a billion emails sent. Employees created 41,749 record emails in 2013.
  • Record email usage varies widely across bureaus and missions. The Bureau of Administration needs to exercise central oversight of the use of the record email function.
  • Some employees do not create record emails because they do not want to make the email available in searches or fear that this availability would inhibit debate about pending decisions.
  • System designers in the Bureau of Information Resource Management need more understanding and knowledge of the needs of their customers to make the system more useful. A new procedure for monitoring the needs of customers would facilitate making those adjustments.

Additional details from the OIG report:

The need for official records

The Department of State (Department) and its employees need official records for many purposes: reference in conducting ongoing operations; orientation of successors; defending the U.S. Government’s position in disputes or misunderstandings; holding individuals accountable; recording policies, practices, and accomplishments; responding to congressional and other enquiries; and documenting U.S. diplomatic history. Record preservation is particularly important in the Department because Foreign Service officers rotate into new positions every 2 or 3 years. Federal law requires departments, agencies, and their employees to create records of their more significant actions and to preserve records according to Governmentwide standards.

Who has responsibility for the preservation of official records?

Every employee in the Department has the responsibility of preserving emails that should be retained as official records.3 The Office of Information Programs and Services in the Bureau of Administration’s Office of Global Information Services (A/GIS/IPS) is responsible for the Department’s records management program, including providing guidance on the preservation of records for the Department and ensuring compliance. IRM administers the enterprise email system, including SMART, and therefore provides the technical infrastructure for sending and receiving emails and preserving some as record email.

What constitute official records? 

If an employee puts down on paper or in electronic form information about “the organization, functions, policies, decisions, procedures, operations, or other activities of the Government,” the information may be appropriate for preservation and therefore a record according to law, whether or not the author recognizes this fact. Whether the written information creates a record is a matter of content, not form. Federal statutes, regulations, presidential executive orders, the Foreign Affairs Manual (FAM), Department notices, cables, and the SMART Messaging Guidebook contain the criteria for creating and maintaining official records and associated employee responsibilities.

Which email messages should be saved as records?

According to Department guidance referenced above, email messages should be saved as records if they document the formulation and execution of basic policies and actions or important meetings; if they facilitate action by agency officials and their successors in office; if they help Department officials answer congressional questions; or if they protect the financial, legal, and other rights of the government or persons the government’s actions directly affect. Guidance also provides a series of questions prompting employees to consider whether the information should be shared, whether the successor would find the email helpful, whether it is an email that would ordinarily be saved in the employee’s own records, whether it contains historically important information, whether it preserves the employee’s position on an issue, or whether it documents important actions that affect financial or legal rights of the government or the public.

 

The OIG report notes that it has previously examined the Department’s records management, including electronic records management, in its 2012 inspection of A/GIS/IPS. OIG found that A/GIS/IPS was not meeting statutory and regulatory records management requirements because, although the office developed policy and issued guidance on records management, it did not ensure proper implementation, monitor performance, or enforce compliance. OIG also noted that, although SMART users can save emails as records using the record email function, they save only a fraction of the numbers sent. OIG recommended that the Bureau of Administration implement a plan to increase the number of record emails saved in SMART.

That was in 2012.

The OIG team also found that “several major conditions impede the use of record emails: an absence of centralized oversight; a lack of understanding and knowledge of record-keeping requirements; a reluctance to use record email because of possible consequences; a lack of understanding of SMART features; and impediments in the software that prevent easy use.”

To show how misunderstood is the requirement to save record emails, see the following chart. The U.S. Embassy in Hanoi had 993 record emails compared to US Embassy Islamabad that only had 121 record emails preserved. The US Consulate General in Guangzhou had 2 record emails while  USCG Ho Chi Minh City had 539. It looks like the US Embassy in Singapore with 1,047 record emails had the highest record emails preserved in 2013. The frontline posts like Baghdad had 303, Kabul had 61, Sana’a had 142 and Tripoli had 10 record emails in 2013. The only explanation here is that the folks in Singapore had a better understanding of record email requirements than the folks in our frontline posts. Given that the turn-over of personnel at these frontline posts is more frequent, this can have consequential outcome not just in the public’s right to know but in continuity of operations.

Screen Shot 2015-03-11

Again, via the OIG:

Many inspections of embassies and bureaus have found that the use of SMART and the record email function are poorly understood. This lack of understanding is one of the principal causes of the failure of U.S. embassies to use record email more often. The inspections show that many employees do not know what types of emails should be saved as record emails. The employees typically need more and clearer guidance and more training. OIG has made formal and informal recommendations to increase the use of record email, to write and distribute formal embassy or bureau guidance on record email, and to arrange for training.

The A/GIS/IPS office is under the Assistant Secretary for the Bureau of Administration, an office that reports to the Under Secretary for Management (M). The Bureau of Information Resource Management (IRM) also reports to M.

 #