Is @StateDept Reporting Its Vacant Positions Under the Vacancies Reform Act? Barely, According to GAO Database

Posted: 1:56 am ET

The Federal Vacancies Reform Act of 1998 (Vacancies Reform Act) was enacted on October 21, 1998 (Pub. L. No. 105-277, Div. C, tit. 1, §151, 112 Stat. 2681-611-16, codified at 5 U.S.C. §§ 3345-3349d). The Act provides new rules for the temporary filling of vacant executive agency positions that require presidential appointment with Senate confirmation. According to the Government Accountability Office, under the Act an acting officer may serve in a vacant position for no longer than 210 days, with adjustments to be made if the President submits a nomination to fill the position and under other specified circumstances.

The Act requires executive departments and agencies to report to the Congress and to the Comptroller General (GAO) certain information about a vacancy immediately upon the occurrence of events specified in the Act. The Act also provides that the Comptroller General report to specified congressional committees, the President, and the Office of Personnel Management if the Comptroller General determines that an acting officer is serving longer than permitted by the Act.

The GAO notes that its database includes only vacancy information that federal departments and agencies have actually submitted to GAO and may not be complete or the most up-to-date information regarding those vacancies.

The Partnership for Public Service’s appointment update notes that 48 positions have been referred to the Senate Foreign Relations Committee, 16 have been reported out, and only 9 have been confirmed as of July 31, 2017. PPS’ Political Appointee Tracker for the State Department includes 131 positions.

The State Department has only 36 vacant positions reported to the GAO. The GAO database for the State Department includes one filled vacancy (the Secretary of State), zero officials with pending nominations, 24 positions with identified acting officials (some of those listed have since left the positions), and the rest are positions with no acting officials.

Here’s the relevant part going forward, with a ghost town on the top floors of the State Department, via the GAO:

If a vacancy exists during the 60-day period beginning on a transitional inauguration day, the 210-day period begins 90 days after such transitional inauguration day or the date the vacancy occurs, whichever is later. 5 U.S.C. § 3349a(b). The State CFO position became vacant on January 20, 2009, the transitional inauguration day. Accordingly, the 210-day period began to run 90 days after January 20, 2009—on April 20, 2009—and ended on November 16, 2009. Consequently, the position should have been vacant beginning November 17, 2009, until June 12, 2012, when the position was filled. […] We have previously determined that using the acting title of a position during the period in which the position should be vacant violates the time limitations in the Vacancies Reform Act.

The item above is from the GAO report on the Violation of the 210-Day Limit Imposed by the Federal Vacancies Reform Act of 1998—Chief Financial Officer, Department of State, issued when James Millette served as Acting CFO at State after November 16, 2009, through on or about November 15, 2011.

#


State/OIG Issues Alert on Recurring Weaknesses of State Department’s Computer Security


— By Domani Spero

In November 2013, Inspector General Steve Linick issued a management alert memo to the State Department’s Management Control Steering Committee concerning the “significant and recurring weaknesses” of its information system security program over the past three fiscal years (2011-2013).

The recurring weaknesses identified were in six areas: Authority to Operate (ATO), Baseline Controls, Scanning and Configuration Management Controls, Access Controls, Cyber Security Management, and Risk Management and Continuous Monitoring Strategies.

A backgrounder from the OIG report:

The Department of State (Department) is entrusted to safeguard sensitive information, which is often the target of terrorist and criminal organizations. Cyber attacks against Government organizations appear to be on the rise, including state-sponsored efforts to exploit U.S. Government information security vulnerabilities. The Department is responsible for preserving and protecting classified information vital to the preservation of national security in high risk environments across the globe. The Department also undertakes significant numbers of financial and other transactions, including, for instance, the daily collection of millions of dollars in consular fees. In addition, the Department maintains records on approximately 192 million current passports, which contain such sensitive personally identifiable information (PII) as dates of birth and social security numbers. To protect this information, the Department must ensure that its Information System Security Program and management control structure are operationally effective.

Some of the examples of weaknesses cited include the following:

  • In FY 2013, OIG found another instance of access control weakness. Specifically, OIG reported that 36 employees assigned to the [Redacted] (b) (5). Pursuant to 12 FAM 232, those systems can only be accessed by individuals possessing appropriate clearances. The 36 employees did not possess such clearances.
  • On August 20, 2013, the Bureau of Information Resource Management (IRM) reported that the Department had a total of 6,369 system administrators. According to IRM officials, system administrators are given network-wide permissions to allow them to collaboratively manage and troubleshoot issues. However, such broad access by large numbers of system administrators also subjects the system to risk. The recent, highly-publicized breach of information pertaining to national security matters by Edward Snowden, a contract systems administrator, starkly illustrates the issue.
  • The Bureau of Diplomatic Security did not have the administrative credentials needed for Demilitarized Zone servers to perform periodic scanning.

State/OIG made three recommendations, including directing the Office of the Chief Information Officer to employ the services of the National Security Agency (NSA) to conduct independent penetration testing to further evaluate the Information System Security Program and outline a range of technical and procedural countermeasures to reduce risks.

On December 13, 2013, James Millette, the chairman of the Steering Committee and the State Department’s Comptroller, who also heads the State Department’s Bureau of the Comptroller and Global Financial Services (CGFS), sent the OIG a written response which says that they “respectfully disagree on the level of severity these weaknesses collectively represent.” Part of the response also includes the following:

Your memo recommended that the MCSC direct IRM to employ the services of the National Security Agency (NSA) to conduct independent penetration testing. The Committee believes that DS, like the OIG, has direct lines to the Secretary and has the capability to be independent in these matters. In addition, DS assured the Committee that they have the capability and work with and have the confidence of NSA in these matters. We believe OIG would not disagree that DS has the capability to adequately perform the testing. However, we fully understand the issue of perception of independence. Therefore the MCSC is supportive of DS and IRM having further discussions with the OIG on this matter to determine the best plan of action to perform penetration testing that meets the needs of the OIG and Department management. In addition, at the meeting, we suggested that there may be other alternatives to NSA, such as using a 3rd party to review the methodology used by DS.

That’s an old timer at the State Department telling the new IG that the Committee believes that Diplomatic Security (DS), like the Office of the Inspector General (OIG), has “direct lines” to the Secretary? Really! It is a fact that DS reports to “M,” the Under Secretary for Management, and not directly to the Secretary. (Unless the Committee thinks the OIG also reports to “M,” just like DS?) OIG is one of the ten offices at State that report directly to the Secretary. If the Secretary in practice delegates that authority, he has two deputies above the under secretaries, and one of them is for management and resources.

On January 13, 2014, the Inspector General sent another memo to the Management Control Steering Committee. The memo indicates closure of one recommendation but leaves the other two issues “unresolved.” This is also where the OIG patiently explains to the Committee what it means by “independence.”

OIG considers Recommendation 3, pertaining to independent penetration testing, unresolved. The MCSC indicated that it is supportive of the Bureau of Diplomatic Security (DS) and IRM having further discussions with OIG on this matter, but it further stated that “OIG would not disagree that DS has the capability to adequately perform the testing.” The issue, however, is not about DS’s “capability” but its independence and perceived independence.

According to the National Institute of Standards and Technology (NIST):

An independent assessor is any individual or group capable of conducting an impartial assessment of security controls employed within or inherited by an information system. Impartiality implies that the assessor is free from any perceived or actual conflicts of interest with respect to the development, operation, and/or management of the information system or the determination of security control effectiveness.

Because DS is actively involved in the Department’s Information System Security Program, it cannot be considered an independent, impartial assessor. The recommendation will remain open until OIG reviews and accepts documentation showing that independent penetration testing has been implemented. The penetration testing must be performed by the National Security Agency or an equally qualified organization independent of the Department and approved by OIG.

The NSA already conducts penetration tests on critical U.S. infrastructure, among other things. Why is State thinking only of DS or a third party, and not the NSA?

* * *

Related item:

- 01/13/14 Mgmt Alert on OIG Findings of Significant and Recurring Weaknesses in the Dept of State Info System Security Program (MA-A-0001) [6298 Kb]