State/OIG Challenges: Access and OIG Network Vulnerabilities

Posted: 01:42 EST
Updated: 3/3/2015 @1051 PST

Update: In response to our inquiry, State/OIG informed us that the 128 debarment and suspension referrals it made to the State Department “were accepted by the Department and action was taken.” However, we were also informed that the OIG actually “made more referrals, but no action has been taken by the Department to date.”*

As to the issue of OIG’s IT independence and integrity, “a memorandums of understanding have been executed in which the Department has agreed to obtain prior approval from OIG before accessing its network. In addition, we are engaging a third party to explore options to enhance the independence of our network system.”**

 

* * *

Last week, State Department Inspector General Steve Linick appeared before the Committee on Homeland Security and Government Affairs at the Senate panel’s hearing on improving the efficiency, effectiveness and independence of inspectors general. State/OIG has oversight of an agency with more than 72,000 employees (including locally employed staff) in over 280 overseas missions and domestic entities, the BBG and the U.S. Section of the International Boundary and Water Commission. These agencies’ total annual appropriated funding includes approximately $15 billion, nearly $7 billion in consular fees and other earned income, and full or partial oversight of an additional $17 billion in Department-managed foreign assistance.

Some highlights:

  • Although the Department has made improvements on overseas security, challenges remain. Through our inspection and audit work, OIG continues to find security deficiencies that put our people at risk. Those deficiencies include failing to observe set-back and perimeter requirements and to identify and neutralize weapons of opportunity. Our teams also uncover posts that use warehouse space and other sub-standard facilities for offices, another security deficiency. Our audit of the Local Guard Program found that firms providing security services for embassy compounds were not fully vetting local guards they hired abroad, placing at risk our posts and their personnel. In other audits, we found that the Bureau of Diplomatic Security (responsible for setting standards) and the Bureau of Overseas Buildings Operations (responsible for constructing facilities to meet those standards) often do not coordinate adequately to timely address important security needs.
  • We found that follow-through on long-term security program improvements involving physical security, training, and intelligence-sharing lacked sustained oversight by Department principals. Over time, the implementation of recommended improvements slows. The lack of follow-through explains, in part, why a number of Benghazi ARB recommendations mirror previous ARB recommendations.
  • The Department’s obligations in FY 2014 equaled approximately $9 billion in contractual services and $1.5 billion in grants, totaling approximately $10.5 billion. However, the Department faces challenges managing its contracts, grants, and cooperative agreements. These challenges have come to light repeatedly in OIG audits, inspections, and investigations over the years. […] In FY 2014, more than 50 percent of post or bureau inspections contained formal recommendations to strengthen controls and improve administration of grants.
  • OIG’s assessments of the Department’s cybersecurity programs have found recurring weaknesses and noncompliance with the Federal Information Security Management Act (FISMA) with respect to its unclassified systems.[…] Our work in the information security area is ongoing. Since my arrival, OIG has arranged for penetration testing of the Department’s unclassified networks in order to better assess their vulnerability to attack.

What’s happening in FY2015? The following were specifically identified in IG Linick’s testimony (pdf):

  • Planned FY 2015 security audits include an audit of the approval and certification process used to determine employment suitability for locally employed staff and contracted employees, an audit of emergency action plans for U.S. Missions in the Sahel region of Africa, and an audit of the Vital Presence Validation Process (VP2) implementation. VP2 is the Department’s formal process for assessing the costs and benefits of maintaining its presence in dangerous locations around the world. Note: The VP2 is a result of the tragedy in Benghazi.
  • The DS/International Programs Directorate of the Bureau of Diplomatic Security is up for inspection. Note: This is one of the main bureaus that came under congressional scrutiny in the aftermath of the Benghazi attack. Charlene Lamb has now been succeeded by Christian J. Schurman, who was named Deputy Assistant Secretary of State and Assistant Director for International Programs on September 15, 2014. DAS Schurman is a Diplomatic Security (DS) Special Agent with 27 years of service who was recently promoted to the rank of Minister Counselor in April 2014.
  • In FY 2015, OIG plans on issuing, among others, audits involving non-lethal aid and humanitarian assistance in response to the Syrian crisis, the Iraq Medical Services Contract, and the Bureau of International Narcotics and Law Enforcement’s Embassy Air Wing Contract in Iraq.
  • ESP is conducting a joint review with the Department of Justice’s OIG of the handling of the use of lethal force during a counternarcotics operation in Honduras in 2012.

 

IG Linick also highlighted new OIG initiatives to enhance the effectiveness and efficiency of OIG’s independent oversight of the Department’s programs and operations including:

  • the issuance of Management Alerts and Management Assistance Reports
  • the creation of the Office of Evaluations and Special Projects (ESP), and using ESP to improve OIG’s capabilities to meet statutory requirements of the Whistleblower Protection Enhancement Act of 2012
  • new oversight of overseas contingency operations, specifically for Operation Inherent Resolve (OIR), the U.S.-led overseas contingency operation directed against the Islamic State of Iraq and the Levant (ISIL)
  • data and technology enhancements
  • suspension and debarment: between 2011 and 2014, OIG referred 128 cases to the Department for action *
  • new offices in Charleston, South Carolina, where one of the Department’s Global Financial Services Centers resides, and in Frankfurt, Germany, the site of one of the Department’s Regional Procurement Support Offices
  • co-locating an OIG attorney-investigator as a full-time Special Assistant U.S. Attorney (SAUSA) in the U.S. Attorney’s Office for the Eastern District of Virginia in order to prosecute more quickly and effectively cases involving fraud against the Department of State

 

This hearing followed well-publicized accessibility issues that the Peace Corps and EPA OIGs had with their own agencies. In his prepared testimony, IG Linick stated that “unfettered and complete access to information is the linchpin that ensures independence and objectivity for the entire OIG community.”

He was careful to note “the importance of forging productive relationships with Department leadership and decision-makers” and cited the Department notice issued by Secretary Kerry at the start of his tenure over a year ago “outlining OIG authorities and obligations under the IG Act and advising staff of our need for prompt access to all records and employees.”  He then shared with Congress the OIG’s two main challenges:

  • Access: Generally, most of our work is conducted with the Department’s full cooperation and with timely production of material. However, there have been occasions when the Department has imposed burdensome administrative conditions on our ability to access documents and employees. At other times, Department officials have initially denied access on the mistaken assumption that OIG was not entitled to confidential agency documents. In these instances, OIG ultimately was able to secure compliance but only after delays and sometimes with appeals to senior leadership. These impediments have at times adversely affected the timeliness of our oversight work, resulting in increased costs for taxpayers. Delays in responding to document requests also occur because the requested information has not been maintained at all or in a manner to allow timely retrieval. Such disorganization of information may negatively impact not only OIG audits, inspections, evaluations, and investigations but also the integrity of Department programs and operations. For example, an OIG Management Alert identified missing or incomplete files for contracts and grants with a combined value of $6 billion.
  • OIG Network Vulnerabilities:  Vulnerabilities in the Department’s unclassified network also affect OIG’s IT infrastructure, which is part of the same network. We noted in our November 2013 information security Management Alert that there are literally thousands of administrators who have access to Department databases. That access runs freely to OIG’s IT infrastructure and creates risk to OIG operations. Indeed, a large number of Department administrators have the ability to read, modify, or delete any information on OIG’s network including sensitive investigative information and email traffic, without OIG’s knowledge. OIG has no evidence that administrators have actually compromised OIG’s network. However, the fact that the contents of our unclassified network may easily be accessed and potentially compromised unnecessarily places our independence at risk. We have begun assessing the best course of action to address these vulnerabilities. **

* * *


GAO: State Dept Management of Security Training May Increase Risk to U.S. Personnel

— Domani Spero

The State Department has established a mandatory requirement that specified U.S. executive branch personnel under chief-of-mission authority and on assignments or short-term TDY complete the Foreign Affairs Counter Threat (FACT) security training before arrival in a high-threat environment.

Who falls under chief-of-mission authority?

Chiefs of mission are the principal officers in charge of U.S. diplomatic missions and certain U.S. offices abroad that the Secretary of State designates as diplomatic in nature. Usually, the U.S. ambassador to a foreign country is the chief of mission in that country. According to the law, the chief of mission’s authority encompasses all employees of U.S. executive branch agencies, excluding personnel under the command of a U.S. area military commander and Voice of America correspondents on official assignment (22 U.S.C. § 3927). According to the President’s letter of instruction to chiefs of mission, members of the staff of an international organization are also excluded from chief-of-mission authority. The President’s letter of instruction further states that the chief of mission’s security responsibility extends to all government personnel on official duty abroad other than those under the protection of a U.S. area military commander or on the staff of an international organization.

The Government Accountability Office (GAO) recently released its report which examines (1) State and USAID personnel’s compliance with the FACT training requirement and (2) State’s and USAID’s oversight of their personnel’s compliance. GAO also reviewed agencies’ policy guidance; analyzed State and USAID personnel data from March 2013 and training data for 2008 through 2013; reviewed agency documents; and interviewed agency officials in Washington, D.C., and at various overseas locations.

High Threat Countries: 9 to 18

The June 2013 State memorandum identifying the nine additional countries noted that personnel deploying to three additional countries will also be required to complete FACT training but are reportedly exempt from the requirement until further notice. State Diplomatic Security officials informed the GAO that these countries were granted temporary exceptions based on the estimated student training capacity at the facility where FACT training is currently conducted. We know from the report that the number of countries that now require FACT training increased from 9 to 18, but the countries are not identified in the GAO report.

“Lower Priority” Security Training for Eligible Family Members

One section of the report notes that according to State officials, of the 22 noncompliant individuals in one country, 18 were State personnel’s employed eligible family members who were required to take the training; State officials explained that these individuals were not aware of the requirement at the time. The officials noted that enrollment of family members in the course is given lower priority than enrollment of direct-hire U.S. government employees but that space is typically available.

Typically, family members shipped to high-threat posts are those who have found employment at post. So they are not just there accompanying their employed spouses for the fun of it; they’re at post to perform the specific jobs they were hired for. Why the State Department continues to give them “lower priority” in security training is perplexing. You know, the family members employed at post will be riding in exactly the same boat as the direct-hire government employees.

Working Group Reviews

This report includes the State Department’s response to the GAO. A working group under “M” reportedly is mandated to “discover where improvements can be made in notification, enrollment and tracking regarding FACT training.” The group is also “reviewing the conditions under which eligible family members can and should be required to complete FACT training as well as the requirements related to personnel on temporary duty assignment.”

Excerpt below from the public version of a February 2014 report:

Using data from multiple sources, GAO determined that 675 of 708 Department of State (State) personnel and all 143 U.S. Agency for International Development (USAID) personnel on assignments longer than 6 months (assigned personnel) in the designated high-threat countries on March 31, 2013, were in compliance with the Foreign Affairs Counter Threat (FACT) training requirement. GAO found that the remaining 33 State assigned personnel on such assignments had not complied with the mandatory requirement. For State and USAID personnel on temporary duty of 6 months or less (short-term TDY personnel), GAO was unable to assess compliance because of gaps in State’s data. State does not systematically maintain data on the universe of U.S. personnel on short-term TDY status to designated high-threat countries who were required to complete FACT training. This is because State lacks a mechanism for identifying those who are subject to the training requirement. These data gaps prevent State or an independent reviewer from assessing compliance with the FACT training requirement among short-term TDY personnel. According to Standards for Internal Control in the Federal Government, program managers need operating information to determine whether they are meeting compliance requirements.

State’s guidance and management oversight of personnel’s compliance with the FACT training requirement have weaknesses that limit State’s ability to ensure that personnel are prepared for service in designated high-threat countries. These weaknesses include the following:

  • State’s policy and guidance related to FACT training—including its Foreign Affairs Manual, eCountry Clearance instructions for short-term TDY personnel, and guidance on the required frequency of FACT training—are outdated, inconsistent, or unclear. For example, although State informed other agencies of June 2013 policy changes to the FACT training requirement, State had not yet updated its Foreign Affairs Manual to reflect those changes as of January 2014. The changes included an increase in the number of high-threat countries requiring FACT training from 9 to 18.
  • State and USAID do not consistently verify that U.S. personnel complete FACT training before arriving in designated high-threat countries. For example, State does not verify compliance for 4 of the 9 countries for which it required FACT training before June 2013.
  • State does not monitor or evaluate overall levels of compliance with the FACT training requirement.
  • State’s Foreign Affairs Manual notes that it is the responsibility of employees to ensure their own compliance with the FACT training requirement. However, the manual and Standards for Internal Control in the Federal Government also note that management is responsible for putting in place adequate controls to help ensure that agency directives are carried out.

The GAO notes that the gaps in State oversight may increase the risk that personnel assigned to high-threat countries do not complete FACT training, potentially placing their own and others’ safety in jeopardy.

* * *


Officially In: John F. Sopko – from Law Partner to SIGAR

On May 23 President Obama announced the appointment of John F. Sopko as the next Special Inspector General for Afghanistan Reconstruction (SIGAR). The WH released the following brief bio:


John F. Sopko is currently a partner at Akin Gump Strauss Hauer & Feld LLP, a position he has held since 2009. From 2007 to 2009, Mr. Sopko served as Chief Counsel for Oversight and Investigations for the U.S. House Committee on Energy and Commerce. Previously, he was Deputy Director of the Homeland Security Institute from 2005 to 2007, and Minority General Counsel and Chief of Investigations for the U.S. House Select Committee on Homeland Security from 2003 to 2005. From 1999 to 2003, Mr. Sopko held a number of roles at the U.S. Department of Commerce, including Deputy Director of the National Technical Information Service, Acting Assistant Secretary and Deputy Assistant Secretary of the National Telecommunications and Information Administration, Deputy Assistant Secretary for Export Enforcement, and Chief Counsel for the Special Matters Unit at the Office of General Counsel. From 1982 to 1997, Mr. Sopko was Deputy Chief Counsel at the U.S. Senate Permanent Subcommittee on Investigations and from 1978 to 1982, he was Special Attorney at the Organized Crime and Racketeering Section of the U.S. Department of Justice.

He holds a B.A. in Economics and Sociology from the University of Pennsylvania and a J.D. from Case Western Reserve University School of Law.

WaPo writes that the previous inspector, Arnold Fields, a retired Marine major general, resigned in January 2011 after “a review by the Council of Inspectors General found that many of his office’s audits barely met minimum quality standards and that Fields had not laid out a clear strategic vision.”

SIGAR conducts audits and investigations to: 1) promote efficiency and effectiveness of reconstruction programs and 2) detect and prevent waste, fraud, and abuse.  President Obama designated Steven J Trent as Acting Inspector General for Afghanistan Reconstruction on September 3, 2011.

This is a presidential appointment that does not require Senate confirmation. So hopefully, the new appointee will hit the ground running.

Domani Spero

Related item:
President Obama Announces More Key Administration Posts | May 23, 2012