State/OIG Reviews @StateDept Policies and Controls Protecting PII and National Security Data

Posted: 2:03 am ET
[twitter-follow screen_name=’Diplopundit’ ]

 

State/OIG recently posted online its review of the State Department’s policies and controls protecting personally identifiable information (PII) data and national security data. Below is an excerpt:

The Consolidated Appropriations Act, 2016,1 Section 406, Federal Computer Security, requires the Inspector General of each covered agency to submit a report that contains a description of controls utilized by covered agencies to protect sensitive information maintained, processed, and transmitted by a covered system. Specifically, the Consolidated Appropriations Act requires a description of controls utilized by covered agencies to protect two types of data contained within covered systems: personally identifiable information (PII) data and national security data. Information related to national security data is covered in a classified annex to this information report.
[…]
Specifically, Williams Adley selected and reviewed 4 systems from a Department-provided listing of 216 systems (Electronic Medical Records System (eMED), Integrated Personnel Management System (IPMS), Consular Consolidated Database (CCD), and Consular Lookout and Support System (CLASS)) that provide access to PII. In addition, Williams Adley reviewed 2 National Security Systems (NSS) from a Department-provided listing of 60 systems (Chief of Mission and Special Embassy Programs Database (NSDD 38), and Principal Officers Executive Management System (POEMS)).

This report describes the policies and controls used by the Department for five specific topics identified in the Act:

(1) logical access policies and practices;

The review found only two of the six systems reviewed (eMED and IPMS) had system-specific logical access control policies.

(2) logical access controls and multi-factor authentication used;

With respect to why logical access controls or multi-factor authentication are not being used, according to Department officials, two of the six systems (IPMS and one NSS) did not implement multi-factor authentication to govern system-level privileged user access because functional capabilities are not available. According to Department officials, IPMS is currently planning multi-factor implementation, while the one NSS is waiting for the Department to provide the functional capabilities necessary to implement multi-factor authentication to govern privileged user logical access.

(3) the reasons logical access controls or multi-factor authentication have not been used;

With respect to access and multi-factor authentication, Williams Adley found the Department has not fully implemented multi-factor authentication at the entity level; however, it had implemented other logical access compensating controls to govern privileged user access. Four of the six systems reviewed (eMED, CCD, CLASS, and one NSS) had either fully or partially implemented multi-factor authentication to government system-level privileged user logical access. The two systems that did not utilize multi-factor authentication to govern logical access of privileged users (IPMS and one NSS) relied on username and password combinations. Nevertheless, all six systems had some type of logical access controls in place.

(4) information security management practices used for covered systems;

With respect to information security management practices used for covered systems, Williams Adley found the Department uses a federated model to manage software inventory. In addition, the Department has implemented a defense-in-depth information system program. Further, the Department monitors network traffic, detects and responds to incidents, and scans for security compliance and vulnerabilities. However, the Department has only partially implemented a data loss prevention system and has not implemented digital rights management technology.

(5) policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors.

With respect to policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors, Williams Adley found the Department has a number of policies related to this topic. The relevant Department policies and procedures are established within the Department’s Foreign Affairs Manual (FAM).

The report notes that the Bureau of Information Resource Management, the Executive Secretariat’s Office of Information Resource Management, and the Bureau of Diplomatic Security, provided comments to a draft of the report. Because the comments were marked sensitive, the comments have been reprinted, in their entirety, in the classified annex of the report (AUD-IT- 16-45A).

The publicly available report is available here: https://oig.state.gov/system/files/aud-it-16-45.pdf

#

 

Advertisements

When the Boss Is Last to Know: Chaffetz Snoops at the Secret Service

Posted: 1:06 pm EDT
[twitter-follow screen_name=’Diplopundit’ ]

 

The Department of Homeland Security Inspector General has completed its independent investigation into allegations that one or more Secret Service agents improperly accessed internal databases to look up the 2003 employment application of Congressman Jason Chaffetz, Chairman of the House Committee on Oversight and Government Reform. The Inspector General has confirmed that between March 24 and April 2, 2015, on approximately 60 different occasions, 45 Secret Service employees accessed Chaffetz’ sensitive personal information. The OIG concluded that only 4 of the 45 employees had an arguable legitimate need to access the information.

Here is the IG’s conclusion:

This episode reflects an obvious lack of care on the part of Secret Service personnel as to the sensitivity of the information entrusted to them. It also reflects a failure by the Secret Service management and leadership to understand the potential risk to the agency as events unfolded and react to and prevent or mitigate the damage caused by their workforce’s actions.

Screen Shot 2015-09-30

via dhs/oig

All personnel involved – the agents who inappropriately accessed the information, the mid-level supervisors who understood what was occurring, and the senior leadership of the Service – bear responsibility for what occurred. Better and more frequent training is only part of the solution. Ultimately, while the responsibility for this activity can be fairly placed on the shoulders of the agents who casually disregarded important privacy rules, the Secret Service leadership must do a better job of controlling the actions of its personnel. The Secret Service leadership must demonstrate a commitment to integrity. This includes setting an appropriate tone at the top, but more importantly requires a commitment to establishing and adhering to standards of conduct and ethical and reasonable behavior. Standards of conduct and ethics are meaningful only if they are enforced and if deviations from such standards are dealt with appropriately.

It doesn’t take a lawyer explaining the nuances of the Privacy Act to know that the conduct that occurred here – by dozens of agents in every part of the agency – was simply wrong. The agents should have known better. Those who engaged in this behavior should be made to understand how destructive and corrosive to the agency their actions were. These agents work for an agency whose motto – “worthy of trust and confidence” – is engraved in marble in the lobby of their headquarters building. Few could credibly argue that the agents involved in this episode lived up to that motto. Given the sensitivity of the information with which these agents are entrusted, particularly with regard to their protective function, this episode is deeply disturbing.

Additionally, it is especially ironic, and troubling, that the Director of the Secret Service was apparently the only one in the Secret Service who was unaware of the issue until it reached the media. At the March 24th hearing, he testified that he was “infuriated” that he was not made aware of the March 4th drinking incident. He testified that he was “working furiously to try to break down these barriers where people feel that they can’t talk up the chain.” In the days after this testimony, 18 supervisors, including his Chief of Staff and the Deputy Director, were aware of what was occurring. Yet, the Director himself did not know. When he became aware, he took swift and decisive action, but too late to prevent his agency from again being subject to justified criticism.

Read the full report here. Check out Appendix 1 for the chronological access to the Chaffetz record which includes multiple field offices, including the London office. Appendix 2 is the timeline of record access.

We can’t remember anything like this happening in the recent past.  There was the 1992 passportgate, of course, which involves a presidential candidate, but that’s not quite the same. In 2009, the DOJ said that a ninth individual pleaded guilty for illegally accessing numerous confidential passport application files, although it was for what’s considered “idle curiosity.”

Whether the intent of the Chaffetz record breach was to embarrass a sitting congressman or curiosity (not everyone who looked at the files leak it to the media), the files are protected by the Privacy Act of 1974, and access by employees is strictly limited to official government duties. Only 4 of the 45 employees who did access the Chaffetz records had a legitimate reason to access the protected information. If the DOJ pursued 9 State Department employees for peeking at the passport records of politicians and celebrities, we can’t imagine that it could simply look away in this case. Particularly in this case.  Winter is definitely coming to the Secret Service.

#

 

“M” Writes Update to State Department Employees Regarding OPM Breach

Posted: 1:36 pm EDT
[twitter-follow screen_name=’Diplopundit’ ]

 

It took 18 days before I got my OPM notification on the PII breach. Nothing still on the reported background investigation breach. OPM says it will notify those individuals whose BI information may have been compromised “as soon as practicable.”  That might not happen until the end of July! The hub who previously worked for State and another agency has yet to get a single notification from OPM. We have gone ahead and put a fraud alert for everyone in the family. What’s next? At the rate this is going, will we soon need fraud alerts for the pets in our household? They have names and passports, and could be targeted for kidnapping, you guys!!

And yes, I’ve watched the multiple OPM hearings now, and no, I could not generate confidence for the OPM people handling this, no matter how hard I try. Click here for the timeline of the various breaches via nextgov.com, some never disclosed to the public.

Still waiting for the White House to do a Tina Fey:

you're all fired

via giphy.com

On June 25, the Under Secretary for Management, Patrick Kennedy sent a message to State Department employees regarding the OPM breach. There’s nothing new on this latest State update that we have not seen or heard previously except the detail from the National Counterintelligence and Security Center (NCSC) at http://www.ncsc.gov (pdf) on how to protect personal information from exploitation (a tad late for that, but anyways …) because Foreign Intelligence Services and/or cybercriminals could exploit the information and target you.

Wait, what did OPM say about families? “[W]e have no evidence to suggest that family members of employees were affected by the breach of personnel data.” 

Via the NCSC:

Screen Shot 2015-06-26

no kidding!

Screen Shot 2015-06-26

you don’t say!

Here is M’s message from June 25, 2015 to State employees. As far as we know, this is the first notification posted publicly online on this subject, which is  good as these incidents potentially affect not just current employees but prospective employees, former employees, retirees and family members.

Dear Colleagues,

I am writing to provide you an update on the recent cyber incidents at the U.S. Office of Personnel Management (OPM) which has just been received.

As we have recently shared, on June 4th, OPM announced an intrusion impacting personnel information of approximately four million current and former Federal employees. OPM is offering affected individuals credit monitoring services and identity theft insurance with CSID, a company that specializes in identity theft protection and fraud resolution. Additional information is available on the company’s website, https://www.csid.com/opm/ and by calling toll-free 844-777-2743 (international callers: call collect 512-327-0705). More information can also be found on OPM’s website: www.opm.gov.

Notifications to individuals affected by this incident began on June 8th on a rolling basis through June 19th. However, it may take several days beyond June 19 for a notification to arrive by email or mail. If you have any questions about whether you were among those affected by the incident announced on June 4, you may call the toll free number above.

On June 12th, OPM announced a separate cyber intrusion affecting systems that contain information related to background investigations of current, former, and prospective Federal Government employees from across all branches of government, as well as other individuals for whom a Federal background investigation was conducted, including contractors. This incident remains under investigation by OPM, the Department of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI). The investigators are working to determine the exact number and list of potentially affected individuals. We understand that many of you are concerned about this intrusion. As this is an ongoing investigation, please know that OPM is working to notify potentially affected individuals as soon as possible. The Department is working extensively with our interagency colleagues to determine the specific impact on State Department employees.

It is an important reminder that OPM discovered this incident as a result of the agency’s concerted and aggressive efforts to strengthen its cybersecurity capabilities and protect the security and integrity of the information entrusted to the agency. In addition, OPM continues to work with the Office of Management and Budget (OMB), the Department of Homeland Security, the FBI, and other elements of the Federal Government to enhance the security of its systems and to detect and thwart evolving and persistent cyber threats. As a result of the work by the interagency incident response team, we have confidence in the integrity of the OPM systems and continue to use them in the performance of OPM’s mission. OPM continues to process background investigations and carry out other functions on its networks.

Additionally, OMB has instructed Federal agencies to immediately take a number of steps to further protect Federal information and assets and improve the resilience of Federal networks. We are working with OMB to ensure we are enforcing the latest standards and tools to protect the security and interests of the State Department workforce.

We will continue to update you as we learn more about the cyber incidents at OPM. OPM is the definitive source for information on the recent cyber incidents. Please visit OPM’s website for regular updates on both incidents and for answers to frequently asked questions: www.opm.gov/cybersecurity. We are also interested in your feedback and questions on the incident and our communications. You can reach out to us at DG DIRECT (DGDirect@state.gov) with these comments.

State Department employees who want to learn additional information about the measures they can take to ensure the safety of their personal information can find resources at the National Counterintelligence and Security Center (NCSC) at http://www.ncsc.gov. The following are also some key reminders of the seriousness of cyber threats and of the importance of vigilance in protecting our systems and data.

Steps for Monitoring Your Identity and Financial Information

  • Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.
  • Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.
  • Review resources provided on the FTC identity theft website, www.Identitytheft.gov. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.
  • You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.

Read in full here.

#

State Dept Issues Letters to U.S.Passport Holders With Potentially Compromised Personal Information

Posted: 3:21 am  EDT
[twitter-follow screen_name=’Diplopundit’ ]

 

On May 7, we blogged about the indictment of a domestic passport agency contractor and two others alleged to have used stolen U.S. passport information in Texas (see U.S. Passport Agency Contractor, Two Others Indicted for Alleged Use of Stolen Passport Information; also Bringing Cellphones to Work Ends For Federal Employees in 22 Domestic Passport Offices).

We are presuming that the notice below to U.S. passport applicants regarding compromised personal information is related to the  case in Houston since it refers passport applicants to DOJ for further details. We do not think this is related to the current technical problems with visa/passport issuances.

Letter Regarding Compromised Personal Information | JUNE 5, 2015

The U.S. Department of State mailed letters on June 9 to a limited number of U.S. passport customers whose personal information may have been compromised. The letter provides specific details regarding the breach of personal information, how to contact us for further assistance, and guidance on how to protect yourself from identity theft.

The Department has taken immediate action to help protect you. The letter mentions an offer from the Department to sign-up for one year of free credit monitoring services. This service monitors your credit records at all 3 credit reporting agencies and notifies you when there are certain changes to your credit bureau file(s).  In addition, the identity theft insurance policy will reimburse you for certain out-of-pocket expenses and lost wages in the event you are a victim of identity theft.  We have also flagged your U.S. passport record in our databases to prevent others from using your identity to renew or replace your passport.  Your U.S. passport is still valid for international travel.

We apologize for any inconvenience and concern this incident may cause you.  We are thoroughly examining our information security systems and procedures to safeguard against unauthorized access of passport records.

Customers requesting more details on this case should contact the U.S. Department of Justice  at the number or website address provided in their notification letter.

The case USA v. McClendon et al, criminal case #: 4:15-cr-00233-1 is set for jury selection and trial on October 13, 2015 in the U.S. District Court of the Southern District of Texas (Houston).

#

1) More Systems Compromised in #OPMHack, 2) A Love Letter to Hackers, and 3) What’s a Credit Freeze?

Posted: 3:29 am  EDT
[twitter-follow screen_name=’Diplopundit’ ]

 

On June 4, OPM released a statement on “a cybersecurity incident” that potentially affected personnel data of current and former federal employees, including personally identifiable information (PII) (see OPM Hack Compromises Federal Employee Records, Not Just PII But Security Clearance Info).  The initial estimate was that the OPM hack affected potentially 4 million employees. On June 12, fedscoop reported that the American Federation of Government Employees (AFGE) believed that the breach may have compromised personal data of as high as 14 million employees.

We understand that the State Department issued a notice to employees concerning the OPM breach on June 4. A second notice dated June 12 (am told this was actually a June 11 notice) was shared with BuzzFeed (see below). Several unnamed State Department employees were quoted in that BuzzFeed article, a tell-tale sign of growing frustration that we can also see from our inbox.

.

.

.

.

.

Excerpt from email sent by Under Secretary of Management Pat Kennedy on June 12 (via BuzzFeed)

This is an update to my previous e-mail of June 4th [repeated at the very end of this message.]

As was communicated last week, the U.S. Office of Personnel Management (OPM) recently became aware of a cybersecurity incident affecting its systems and data that may have exposed the Personally Identifiable Information (PII) of some current and former Federal employees. This email provides additional information regarding next steps for those affected State Department employees. But, every employee should read this email.

In the coming weeks, OPM will be sending notifications to individuals whose PII was potentially compromised in this incident. The email will come from [DELETED] and it will contain information regarding credit monitoring and identity theft protection services being provided to those Federal employees impacted by the data breach. In the event OPM does not have an email address for the individual on file, a standard letter will be sent via the U.S. Postal Service.

As a note of caution, confirm that the email you receive is, in fact, the official notification. It’s possible that malicious groups may leverage this event to launch phishing attacks. To protect yourself, we encourage you to check the following:

1. Make sure the sender email address is [DELETED]

2. The email is sent exclusively to your work email address. No other individuals should be in the To, CC, or BCC fields.

3. The email subject should be exactly [DELETED]

4. Do not click on the included link. Instead, record the provided PIN code, open a web browser then manually type the URL {DELETED]. You can then use the provided instructions to enroll [DELETED].

5. The email should not contain any attachments. If it does, do not open them.

6. The email should not contain any requests for additional personal information.

7. The official email should look like the sample screenshot below.

Additional information has also been made available beginning on June 8, 2015 on the company’s website [DELETED].

Regardless of whether or not you receive this notification, employees should take extra care to ensure that they are following recommended cyber and personal security procedures. If you suspect that you have received a phishing attack, contact your agency’s security office.

In general, government employees are often frequent targets of “phishing” attacks, which are surreptitious approaches to stealing your identity, accessing official computer systems, running up bills in your name, or even committing crimes using your identity. Phishing schemes use e-mail or websites to trick you into disclosing personal and sensitive information.

Oh, man.

Hopefully no one will copy this “recipe” to send folks a fake notification to enroll somewhere else.

On May 28, just days before the OPM breach was reported, OPM issued a solicitation for OPM Privacy Act Incident Services. The services required include 1) notification services, 2) credit report access services, 3) credit monitoring services, 4) identity theft insurance and recovery services, and 5) project management services. According to the solicitation, these services will be offered, at the discretion of the Government, to individuals who may be at risk due to compromised Personally Identifiable Information (PII).  The $20,760,741.63 contract for Call 1 was awarded to Winvale Group, LLC on June 2 but was published on fedbiz on June 5, the day after the breach was reported. Call 1 contract includes services to no more than 4 million units/employees.

Note that the State Department notice dated June 12 says that “email should not contain any attachments (#5). The OPM Services awarded on June 2 includes the following:

3.1.1.2 Contractor email Notification: The Contractor will prepare and send email notifications to affected individuals using read receipts. Emails (or attachments) will appear on Government letterhead, will contain Government-approved language, and will contain the signature of the Government official(s). Emails may contain one or more attachments. Email notification proof(s) will be provided to the Government for approval not later than 48 hours after award of a Call against the BPA. The Government will approve the email notification within 24 hours to enable the Contractor to begin preparation for distribution. The Contractor will require, receipt, track, and manage read receipts for email notifications.

Get that?

Now this. Somebody from State sent us a love letter for the hackers:

Dear Hackers: While you’re in there, please get my travel voucher for $291.46 approved, permanently cripple Carlson Wagonlit so we can stop wasting money on a useless product, and figure out how many special political hires there really are roaming our halls.  Oh and please don’t use my SF-86 info against my parents, it isn’t their fault I was an idiot and gave the government every last bit of info on my entire life.  I’m sure there’s more but it’s the weekend, let’s chat Monday. #LetsActLikeNothingHappened #SeriouslyThoughWTF .

And because the initial report is often understated per abrakadabra playbook hoping the bad news will go away, we’re now hearing this:

Oops, wait, what’s this?

Well, here is part of that email sent from “M” on  June 15, 5:35 pm ET:

“OPM has recently discovered that additional systems were compromised. These systems include those that contain info related to background investigations of current, former, and prospective Federal government employees, as well as other individuals from whom a Federal background investigation was conducted. This separate incident…was discovered as a result of OPM’s aggressive efforts to update its cybersecurity posture… OPM will notify those individuals whose info may have been compromised as soon as practical. You will be updated when we have more info on how and when these notifications will occur.”

So that original OPM estimate of 4 million affected employees is now OBE. That original $20 million contract will potentially go up.

Brian Krebs‘ piece on credit monitoring, the default response these days when a breach happens is worth a read. Basically, he’s saying that credit monitoring services aren’t really built to prevent ID theft (read Are Credit Monitoring Services Worth It?).

What can you do besides the suggestions provided by the State Department and OPM? Brian Krebs suggests a “credit freeze” or a “security freeze” not discussed or offered by OPM. Check out the very informative Q&A here.

 

We  know what else is on our to-do list today.

#

Bringing Cellphones to Work Ends For Federal Employees in 22 Domestic Passport Offices

Posted: 3:19  pm EDT
[twitter-follow screen_name=’Diplopundit’ ]

 

 

WaPo reported last week that federal employees responsible for reviewing and processing U.S. passports are now prohibited from bringing their cellphones to work.  The new rule would affect the 1,200 government workers and 1,000 private contractors in passport offices across 22 domestic locations. What started this off? Who knows except that there apparently was a contractor in Houston:

“The rumor among passport workers is that a contractor in Houston was taking pictures of private information on passports.”

A State Department official confirmed the new policy to WaPo:  “The Department has a serious and important obligation to protect the personally identifiable information (PII) of U.S. citizens applying for passports,” the official said. “Prohibiting cellphones throughout our Passport Agencies, where employees review and process passport applications, is an effort to further protect passport applicant’s PII.”  

The National Federation of Federal Employees (NFFE) Local 1998 that represents Passport Agency workers nationwide is not happy.  The union wondered what use is getting these employees secret clearances if they can’t be trusted with the information?

Read in full here.

Our own source at the Consular Affairs bureau declined to confirm the rumor but did confirm the ban on cell phones.

The last time the Passport Agency made a huge splash was back in 2008 when illegal access of politician and celebrity passport records were discovered.  Nine State Department employees and contractors were charged and pleaded guilty in that case.

#