A Small Post in Africa Just Fired “Several Dozen Male Employees”

We received the following in our inbox recently:

The Embassy held a town hall and finally disclosed that several dozen male employees had been separated from employment.

Charges included:

— improper use of government computers

— immoral conduct for posting obscene images and videos to a social media chat group

Criminal investigation is ongoing.

TDY staff have been flown in from other AF posts, NEA and Washington DC.

Outgoing ambassador departs soon; incoming ambassador to arrive in February.

Most of the job vacancies should be listed on the Embassy website in the coming weeks.

So this is a small post. Since most jobs are expected to be advertised on the embassy website, we can assume that those separated from employment were locally hired staffers. “Several” means more than two and fewer than many.
Let’s say we have about a hundred employees at this post, with half of those male. Several dozen, say three dozen, would be 36 employees. If four dozen, that would be the entire male population, or half of the locally hired staff, wouldn’t it?
How would embassies ever find out what shenanigans are going on in their computer systems?
Information Systems Security Officers (ISSO) are responsible for implementing the Department’s information systems security program and for working closely with system managers on compliance with information systems security standards. The Bureau of Information Resource Management’s Office of ISSO Oversight, Regional, and Domestic Division, assists, supports, and coordinates the activities of domestic and overseas ISSOs.
In 2017, OIG reported that its inspection reports had repeatedly found deficiencies in the performance of ISSO duties. The Management Assistance Report notes the following:

OIG reviewed information management findings in reports of overseas inspections conducted from fall FY 2014 to spring FY 2016 and found that 33 percent (17 out of 51) reported findings on the non-performance of ISSO duties. Specifically, the reports noted that information management personnel failed to perform regular reviews and analyses of information systems audits logs, user libraries, emails, workstations, servers, and hard drives for indications of inappropriate or unusual activity in accordance with Department standards.

But what if this post was previously:
— informed in 2019 that its unclassified and classified Information Systems Security Officers (ISSO) did not perform all information systems security duties, such as review and analysis of information systems audit logs for inappropriate or unusual activity, as required by 12 FAM 613.4?
— informed that its ISSOs did not brief new employees on their information security responsibilities and the Department’s policies? OIG notes that ISSO briefings are particularly important for LE staff who have never worked for the U.S. Government.
— informed that its ISSOs did not use the Department’s ISSO resources, such as standard operating procedures and checklists, to prioritize and plan their duties?
— made aware that a lack of planning and training, as well as competing priorities, led the embassy to neglect these duties, putting the security of the Department’s computer systems at risk?
Who should then be held accountable for this incident?
Or.
Perhaps it took the embassy this long to finally conduct the required review of systems audit logs and other systems security duties, and that’s how they found out about these obscene images?
Who should get an award?
Makes one wonder about those 17 posts that were reported for non-performance of ISSO duties.
What might they find there when they finally do perform those duties?
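The ISSO duty at issue above is the routine review of audit logs for “inappropriate or unusual activity.” The following is an added example, not code from the post or from the Department, of what the simplest form of that review looks like: a script that parses constructed web-proxy log lines and flags large uploads to hosts outside an approved list and external activity outside working hours. The log format, the approved-host list, the byte threshold and the working-hours window are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not real data):
# <ISO timestamp> <user> <method> <destination host> <bytes sent>
SAMPLE_LOG = """\
2019-11-04T09:12:03 jdoe GET intranet.example.local 512
2019-11-04T12:40:19 jdoe POST chat.social-example.net 4821034
2019-11-04T12:41:02 jdoe POST chat.social-example.net 5120440
2019-11-04T22:15:44 asmith POST chat.social-example.net 3915000
2019-11-05T10:05:00 bwong GET travel.state.gov 2048
this line is malformed and must be skipped, not crash the review
2019-11-05T02:30:11 asmith POST files.share-example.org 7100000
2019-11-05T11:00:00 cmiller POST intranet.example.local 120000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d+)$")

# Assumed allow-list of hosts approved for business use at this post.
APPROVED_HOSTS = {"intranet.example.local", "travel.state.gov"}
UPLOAD_THRESHOLD = 1_000_000   # bytes in a single request (assumed threshold)
WORK_HOURS = range(7, 19)      # 07:00-18:59 local time (assumed)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, method, host, nbytes = m.groups()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "method": method, "host": host, "bytes": int(nbytes)}


def review_log(text):
    """Return (findings, upload_bytes_per_user).

    findings: list of (user, finding_code, host) tuples for the reviewer.
    upload_bytes_per_user: total POST bytes sent to unapproved hosts per user,
    which is the figure an ISSO would use to rank who needs a closer look.
    """
    findings = []
    uploads = defaultdict(int)
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # unparseable line: skip rather than abort the review
        external = rec["host"] not in APPROVED_HOSTS
        if rec["method"] == "POST" and external:
            uploads[rec["user"]] += rec["bytes"]
            if rec["bytes"] >= UPLOAD_THRESHOLD:
                findings.append((rec["user"], "large_upload_unapproved_host", rec["host"]))
        if external and rec["time"].hour not in WORK_HOURS:
            findings.append((rec["user"], "after_hours_external", rec["host"]))
    return findings, dict(uploads)


def users_to_review(uploads):
    """Users ordered by total upload volume to unapproved hosts, largest first."""
    return [u for u, _ in sorted(uploads.items(), key=lambda kv: kv[1], reverse=True)]


if __name__ == "__main__":
    found, totals = review_log(SAMPLE_LOG)
    for user, code, host in found:
        print(f"{user:8} {code:30} {host}")
    print("review order:", users_to_review(totals))
```

On the constructed input the review surfaces two users with multi-megabyte uploads to an external chat service, one of them after hours. That is exactly the kind of signal a monthly log review is meant to produce; what the post describes is a post where nobody was running it.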

###

@StateDept Chief Information Officer Frontis Wiggins to Retire Effective December 8

Posted: 2:22 am ET

Another 30-plus year veteran of the State Department is leaving effective December 8. Frontis Wiggins, the agency’s chief information officer, and a career employee of over thirty years announced his retirement to his IRM colleagues via email on November 20:

“Today, I am announcing that I will retire from the U.S. Department of State, effective Friday, December 8, 2017. I will have more information to share with you in the near future.”

The State Department’s average annual attrition over the last five years for Information Technology Managers at the FE-MC rank, like Mr. Wiggins, is 1. In 2016, the average annual projected leadership attrition for this skill group and rank over the next five years was zero.

Next to security officers and office management specialists, information management specialists in the State Department are projected to have the third highest overall attrition in the next five years (2016-2020).

His official bio via state.gov:

Frontis B. Wiggins, a member of the Senior Foreign Service with the rank of Minister-Counselor, is currently the Chief Information Officer for the U.S. Department of State. In this capacity, he is responsible for the Department’s information resources and technology initiatives which provide core information, knowledge management, and technology (IT) services to the Department of State and its 260 overseas Missions. He is directly responsible for the Information Resource Management (IRM) Bureau’s budget of $569 million, and oversees State’s total IT/ knowledge management budget of approximately one billion dollars.

He joined the Foreign Service in 1985 and has served overseas in Cairo, Budapest, Hong Kong, Paris, Information Management Officer Beijing, and Director of Regional Information Management Center (RIMC) Frankfurt. Senior level assignments in D.C. have included the Principal Deputy CIO, Deputy CIO for Foreign Operations, the Dean of the School of Applied Information Technology (SAIT) at the Foreign Service Institute (FSI), and the Director of Information Resource Management’s Messaging Systems Office.

Mr. Wiggins holds a Bachelor of Arts in History from the College of William and Mary, a Master’s Degree in Information Systems from George Washington University, and is a member of their Honor Society. He is a graduate of the Chief Information Officer’s University class of 2006 and has received numerous Meritorious and Superior Honor awards during his career, as well as being the first recipient of AFSA’s Tex Harris Award for constructive dissent in 2000. He speaks seven foreign languages with varying degrees of fluency.

A colleague of Mr. Wiggins who was at FSI where he was once dean told us that everyone there raved at that time that he would be the next CIO. “There was a lot of excitement in the field when he did become CIO because he worked up through the ranks and was familiar with the work in the trenches. He seemed keen on modernizing our aging IT infrastructure, so there’s been a lot of hope that things *might* actually change for the better in IRM.”

Mr. Wiggins was “leading the charge for much-needed modernization of our IT infrastructure” at the State Department we were told. And that “this is a sad time for IT in the Department.”

One source confirmed for us that Rob Adams, the Principal Deputy CIO, will be Acting CIO after Mr. Wiggins’ departure. Federal News Radio, which reported on Wiggins’ departure, says that Adams joined the State Department in 1988 after serving in the Marine Corps for four years. Federal News also notes that Wiggins will become the eighth cabinet agency CIO to leave in the past year.

#


State/OIG Reviews @StateDept Policies and Controls Protecting PII and National Security Data

Posted: 2:03 am ET

State/OIG recently posted online its review of the State Department’s policies and controls protecting personally identifiable information (PII) data and national security data. Below is an excerpt:

The Consolidated Appropriations Act, 2016, Section 406, Federal Computer Security, requires the Inspector General of each covered agency to submit a report that contains a description of controls utilized by covered agencies to protect sensitive information maintained, processed, and transmitted by a covered system. Specifically, the Consolidated Appropriations Act requires a description of controls utilized by covered agencies to protect two types of data contained within covered systems: personally identifiable information (PII) data and national security data. Information related to national security data is covered in a classified annex to this information report.
[…]
Specifically, Williams Adley selected and reviewed 4 systems from a Department-provided listing of 216 systems (Electronic Medical Records System (eMED), Integrated Personnel Management System (IPMS), Consular Consolidated Database (CCD), and Consular Lookout and Support System (CLASS)) that provide access to PII. In addition, Williams Adley reviewed 2 National Security Systems (NSS) from a Department-provided listing of 60 systems (Chief of Mission and Special Embassy Programs Database (NSDD 38), and Principal Officers Executive Management System (POEMS)).

This report describes the policies and controls used by the Department for five specific topics identified in the Act:

(1) logical access policies and practices;

The review found only two of the six systems reviewed (eMED and IPMS) had system-specific logical access control policies.

(2) logical access controls and multi-factor authentication used;

With respect to why logical access controls or multi-factor authentication are not being used, according to Department officials, two of the six systems (IPMS and one NSS) did not implement multi-factor authentication to govern system-level privileged user access because functional capabilities are not available. According to Department officials, IPMS is currently planning multi-factor implementation, while the one NSS is waiting for the Department to provide the functional capabilities necessary to implement multi-factor authentication to govern privileged user logical access.

(3) the reasons logical access controls or multi-factor authentication have not been used;

With respect to access and multi-factor authentication, Williams Adley found the Department has not fully implemented multi-factor authentication at the entity level; however, it had implemented other logical access compensating controls to govern privileged user access. Four of the six systems reviewed (eMED, CCD, CLASS, and one NSS) had either fully or partially implemented multi-factor authentication to govern system-level privileged user logical access. The two systems that did not utilize multi-factor authentication to govern logical access of privileged users (IPMS and one NSS) relied on username and password combinations. Nevertheless, all six systems had some type of logical access controls in place.

(4) information security management practices used for covered systems;

With respect to information security management practices used for covered systems, Williams Adley found the Department uses a federated model to manage software inventory. In addition, the Department has implemented a defense-in-depth information system program. Further, the Department monitors network traffic, detects and responds to incidents, and scans for security compliance and vulnerabilities. However, the Department has only partially implemented a data loss prevention system and has not implemented digital rights management technology.

(5) policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors.

With respect to policies and procedures that ensure information security management practices are effectively implemented by other entities such as contractors, Williams Adley found the Department has a number of policies related to this topic. The relevant Department policies and procedures are established within the Department’s Foreign Affairs Manual (FAM).

The report notes that the Bureau of Information Resource Management, the Executive Secretariat’s Office of Information Resource Management, and the Bureau of Diplomatic Security provided comments on a draft of the report. Because the comments were marked sensitive, the comments have been reprinted, in their entirety, in the classified annex of the report (AUD-IT-16-45A).

The publicly available report is available here: https://oig.state.gov/system/files/aud-it-16-45.pdf

#

State/OIG Issues Report on @StateDept IT Incident Response and Reporting Deficiencies

Posted: 2:03 am EDT

An independent accounting firm hired by State/OIG determined that the State Department’s IT incident response and reporting (IR&R) program was not operating effectively. Specifically, of the 25 cyber security incidents evaluated, Williams, Adley found that five were miscategorized, six were not remediated in a timely manner, one was not identified in a timely manner, one was missing incident information, four were not reported to the U.S. Computer Emergency Readiness Team (US-CERT) in a timely manner, and two were not reported to US-CERT as required.

The deficiencies in the IR&R program occurred primarily because of inadequate communication between the Bureau of Information Resource Management (IRM) and the Bureau of Diplomatic Security (DS) and inadequate management oversight that would ensure that personnel within the Department’s incident response team fully complied with prescribed categorization guidelines, reporting requirements, and remediation timelines.

Without an effective IR&R program, the Department may be unable to properly identify weaknesses, restore IT operations in a timely manner, and identify and respond to cyber security incidents, which could potentially lead to interruptions of critical operations and hinder the Department’s ability to achieve its core mission.
[…]
Williams, Adley determined that the Department’s IR&R program was not operating effectively for the months of September and October 2014. Specifically, Williams, Adley reviewed the Department’s handling of 25 cyber security incidents out of 303 incidents (CAT 1 to CAT 6) reported during the scope period to determine whether the Department complied with its information security policies and procedures.

(Screenshot from the audit report, not reproduced here)

According to the audit, remediation of one denial of service attack took over 200 hours, remediation of four malicious code attacks took between 174 hours and 312 hours, and remediation of one probe attack took over 175 hours.
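The audit findings above are all checks that can be made mechanically once incident records carry a category, a detection time, a report time and a remediation time. As an added example (not the Department’s tooling and not the firm’s audit procedure), the script below runs those checks over a few constructed incident records: it flags incidents that were never reported, reported later than the window for their category, never closed out, or remediated past a target. The reporting windows per category and the 72-hour remediation target are assumed values for the example only; the actual US-CERT and Department timelines are whatever the current guidance says. Miscategorization, the other finding in the audit, needs analyst judgment about the incident itself and is not modeled.

```python
from collections import Counter
from datetime import datetime, timedelta

# Assumed reporting windows per incident category, in hours from detection.
# Illustrative values for this example, not the Department's or US-CERT's guidance.
REPORT_WINDOW_HOURS = {1: 1, 2: 2, 3: 24, 4: 7 * 24, 5: 30 * 24}
REMEDIATION_TARGET_HOURS = 72  # assumed internal remediation target

# Constructed incident records (not taken from the audit). Times are ISO 8601.
INCIDENTS = [
    {"id": "INC-001", "category": 3, "detected": "2014-09-02T08:00",
     "reported": "2014-09-02T20:00", "remediated": "2014-09-04T10:00"},
    # denial of service: reported 3.5 h after detection, closed after ~211 h
    {"id": "INC-002", "category": 2, "detected": "2014-09-05T14:00",
     "reported": "2014-09-05T17:30", "remediated": "2014-09-14T09:00"},
    # malicious code that was remediated but never sent to US-CERT
    {"id": "INC-003", "category": 3, "detected": "2014-10-01T09:00",
     "reported": None, "remediated": "2014-10-02T09:00"},
    # probe with no remediation record at all
    {"id": "INC-004", "category": 5, "detected": "2014-10-10T11:00",
     "reported": "2014-10-20T11:00", "remediated": None},
]


def _ts(value):
    """Parse an ISO timestamp, passing None through for missing fields."""
    return datetime.fromisoformat(value) if value else None


def evaluate(incident):
    """Return the list of deficiency codes found for one incident record."""
    issues = []
    detected = _ts(incident["detected"])
    reported = _ts(incident["reported"])
    remediated = _ts(incident["remediated"])

    window = REPORT_WINDOW_HOURS.get(incident["category"])
    if window is None:
        issues.append("unknown_category")
    elif reported is None:
        issues.append("not_reported")
    elif reported - detected > timedelta(hours=window):
        issues.append("late_report")

    if remediated is None:
        issues.append("missing_remediation_record")
    elif remediated - detected > timedelta(hours=REMEDIATION_TARGET_HOURS):
        issues.append("late_remediation")
    return issues


def audit(incidents):
    """Map incident id -> deficiency codes (empty list means compliant)."""
    return {i["id"]: evaluate(i) for i in incidents}


def summarize(results):
    """Count each deficiency code across all incidents, as an audit would report."""
    return Counter(code for codes in results.values() for code in codes)


def hours_to_remediate(incident):
    """Elapsed hours from detection to remediation, or None if not closed out."""
    detected, remediated = _ts(incident["detected"]), _ts(incident["remediated"])
    if remediated is None:
        return None
    return (remediated - detected).total_seconds() / 3600


if __name__ == "__main__":
    results = audit(INCIDENTS)
    for inc_id, codes in results.items():
        print(inc_id, codes or "ok")
    print(dict(summarize(results)))
```

The point of keeping the checks this simple is that the audit's findings were not subtle: an incident with no report time, or a report time hours past its window, is visible to anyone who looks at the record. The gap the audit describes is that nobody with management oversight was looking.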

Here’s the proposed solution according to the audit:

DS officials stated that a proposed solution was currently being developed that would improve the responsiveness of and communications between DS and IRM. Specifically, the Department would create a Joint Concept of Operations, via a Memorandum of Understanding, that would enhance the current capabilities of the DS Foreign Affairs Cybersecurity Center. Although the Memorandum of Understanding was in the initial drafting phase as of the date of this report, it is a proposed solution that, when fully implemented, will allow the Department to approve a Joint Security Operations Center concept that will potentially consolidate core IRM and DS cyber security functions and thus strengthen the responsiveness of and communications between IRM and DS. This effort will serve as the first step in improving communications between IRM and DS.

The State Department’s response to the OIG requests that the two recommendations be closed due to agency actions, but it also expressed concerns over the OIG’s use of this press article from Nextgov cited in the audit:

(Screenshot of the cited Nextgov article, not reproduced here)

WaPo reported on the email system being taken down over hacking concerns here, and we did a blog post on the incident here (see State Department’s Computer Systems Hacked, 5th Known Agency Breach This Year?).

#

State/OIG Reminds @StateDept of IT Contingency Planning Deficiencies

Posted: 12:59 am EDT

Last week, State/OIG issued a Management Assistance Report (MAR-PDF) reminding the State Department of continued deficiencies identified in information technology contingency planning at its overseas posts:

OIG identified IT contingency planning deficiencies in 69 percent (20 out of 29) of overseas inspections performed during FYs 2014 and 2015. The issues identified ranged from information management staff at posts not developing, updating, or testing IT contingency plans to plans that lacked appropriate key stakeholders and contact information as part of emergency preparedness, contrary to requirements set forth in 5 Foreign Affairs Manual (FAM) 1064, 12 FAM 623.7, 12 FAM 632.3, and National Institute of Standards and Technology Special Publication 800-34. This report recommends that the Department take action to ensure that information management personnel are held accountable for IT contingency planning by making this responsibility explicit in their work requirements.

Recommendations from 2011 OIG Memorandum Report Unimplemented

OIG inspection teams continue to report IT contingency planning findings in overseas inspection reports, despite a December 2011 OIG memorandum to the Bureau of Information Resource Management with two recommendations addressing the topic. The memorandum identified IT contingency planning issues involving bureaus’ and posts’ lack of attention to developing and testing IT contingency plans as part of their emergency preparedness activities. The Bureau of Information Resource Management stated in compliance responses that it was planning to implement a tracking mechanism and develop a SharePoint site to capture risk scoring compliance for posts and bureaus. However, after 4 years the bureau still lacks a tracking mechanism and a SharePoint site as mentioned in their compliance responses. The September 2015 compliance response noted that the bureau is researching other alternatives to comply with OIG recommendations.

So State/OIG is trying again with this MAR and a nudge on the work requirements of information management staff:

A review of Foreign Service employee evaluation reports for information management officers or the most senior information management personnel at embassies and consulates revealed that only 12 percent (32 out of 272) had a stated work requirement to develop and test IT contingency plans. According to 5 FAM 825 and 5 FAM 826, responsibility for the development and testing of IT contingency plans lies with the information management staff overseas.

Recommendation 1: The Bureau of Information Resource Management, in coordination with the regional bureaus, should include the requirement to complete and test information technology contingency plans in the work requirements for information management personnel. (Action: IRM, in coordination with AF, EAP, EUR, NEA, SCA, and WHA).

In related news:

#

Did We Ship Anyone Off to Timbuktu? Who at Senior Levels Knew What and When About HRC’s Communications

Posted: 2:52 am EDT

The WSJ called the oldest executive agency in the union the Department of Hillary, and accused the entire State Department of “vigorously protecting Hillary Clinton.” It asks “how it is that the nation’s diplomatic corps has become an arm of the Clinton presidential campaign?”

That is a sweeping accusation and we do not believe that to be true, but whether it’s true or not is immaterial. The perception is widely shared, even by reporters covering the State Department. Our interest in HRC primarily relates to her tenure at State. We think that her management of the department — whether it relates to her email server, having a deputy chief of staff holding four jobs, special access to certain groups, operation in a bubble of mostly yes-people — was galling and distressing. We do agree with Prof. Jonathan Turley when he writes that he “consider the decision to use exclusively an unsecure server for “convenience” to be a breathtakingly reckless act for one of the top officials in our government.”

Last month HRC was also quoted as saying, “I’m not willing to say it was an error in judgment.”

Folks will have to make up their own minds whether they agree with her or not, but the State Department is still paying a price for it. And the way this mess has been handled places at risk the institution’s deeply held tradition that the career service stay above the political fray.

The National Security Archive bluntly writes:

[T]he Federal Records Act, federal regulations on the books at the time (36 CFR 1263.22)[Official as of October 2, 2009], and NARA guidance which the State Department received (NARA Bulletin 2011-03), should have prevented Clinton’s actions, requiring her to provide “effective controls over the creation and over the maintenance and use of records in the conduct of current business”. (Read here for our analysis of why Clinton, and hundreds of others at State, including its FOIA shop and IT department, were in the wrong for not blowing the whistle on her personal email usage.) Read more here.

At some point in the near future, there will need to be a reckoning about what the senior officials, the career senior officials in Foggy Bottom knew about what during the Clinton tenure.

On Saturday, January 24, 2009 8:26 p.m. Lewis Lukens sent an email to M/Patrick Kennedy (email released via FOIA lawsuit by Judicial Watch (PDF). Lukens who was then the Executive Secretary (he was subsequently appointed US Ambassador to Senegal and Guinea-Bissau), writes, “I talked to cheryl about this. She says problem is hrc does not know how to use a computer to do email  only bb. But I said would not take much training to get her up to speed.” The email chain talks about setting up “a stand alone PC in the Secretary’s office, connected to the internet” but apparently a separate system not through the State Department system that would allow HRC to “check her emails from her desk.”

What’s the difference between using a State Department system and a stand alone system for somebody who doesn’t know how to use a computer? But more than that, we want to understand why it was necessary to set up a stand alone system. Did previous secretaries of state have their own stand alone systems? Did they have their own private email servers? Can somebody please explain why that was necessary?

This email was sent three days after HRC took the oath of office of Secretary of State (see starting page 6 below or see PDF here).

So, if they were considering setting up a stand alone PC on the 7th Floor and that did not happen, how could anyone in the top ranks of the career service not know when HRC’s people set up a private server away from the building? If they did not know, they were not doing their jobs. But if they did know, what does that mean? Did anyone speak up and consequently suffer career purgatory? Please help us understand how this happened. Email us, happy to chat with anyone in the know because this is giving us ulcers.

A related item about communications — in March 2009, the then Assistant Secretary for Diplomatic Security, Eric Boswell sent a memo to HRC’s Chief of Staff Cheryl Mills concerning the use of Blackberries in Mahogany Row. In that memo, also released via FOIA litigation with Judicial Watch, Boswell writes that “Our review reaffirms our belief that the vulnerabilities and risks associated with the use of Blackberries in Mahogany Row [redacted] considerably outweighs the convenience their use can add to staff that have access to the unclassified OpenNet system on their desktops. [redacted] We also worry about the example that using Blackberries in Mahogany Row might set as we strive to promote crucial security practices and enforce important security standards among State Department staff.”

The last paragraph of the memo says “If, after considering the vulnerabilities that I describe above and the alternatives that I propose, the Secretary determines that she wants a limited number of staff to use Blackberries in Mahogany Row …. [redacted].” (See below or see PDF here)

What the career professionals proposed can, of course, be ignored or dismissed by the political leadership. How much of it can one tolerate? Some of it, all of it?

Below is an August 30, 2011 email between then HRC deputy chief of staff Huma Abedin and Steve Mull, who we believe succeeded Lukens as Executive Secretary of the State Department. Following that assignment, he was appointed U.S. Ambassador to Poland, and last year, he was appointed Lead Coordinator for Iran Nuclear Implementation. The Daily Caller obtained the emails through a Freedom of Information Act lawsuit filed on its behalf by Cause of Action and has reported about the emails here. It shows the top officials who were looped in on the secretary’s communications setup, but it also points to what we suspect has always been the rationale for the server and email setup that now has consequential repercussions for the agency. In one part of the email, the executive secretary writes, “We’re working with …. to hammer out the details of what will best meet the Secretary’s need.” (See below or see ScribD file here).

It is not surprising that the career folks worked to accommodate the needs of their principals. We doubt anyone would last long in any assignment if they simply tell their boss blah, blah, blah can’t be done.

But — no individual in the upper ranks, career or noncareer, has so far been shown to stand up to a principal by saying “no, this is not allowed” or “this is not acceptable,” or even something like — “this is not against the rules but it looks bad.”

Does one draw a line between public service and service to a political leadership? Are they one and the same? What would you do?

Last September 2015, WaPo reported this:

But State Department officials provided new information Tuesday that undercuts Clinton’s characterization. They said the request was not simply about general rec­ord-keeping but was prompted entirely by the discovery that Clinton had exclusively used a private e-mail system. They also said they first contacted her in the summer of 2014, at least three months before the agency asked Clinton and three of her predecessors to provide their e-mails.
[…]
But the early call from the State Department is a sign that, at the least, officials in the agency she led from 2009 to 2013 were concerned by the practice — and that they had been caught off guard upon discovering her exclusive use of a private account.

Well, we’re sure the rank and file was caught off guard but which State Department officials were actually caught off guard? At least according to the Mull-Mills email exchange of August 2011, S/ES and M were aware of the existence of Secretary Clinton’s personal email server.

So when unnamed State Department officials talked to the Washington Post journalists last year, dammit, who did they say were actually caught off guard?

If anyone at M who has oversight over IT, Diplomatic Security, FOIA and federal records cited the Federal Records Act between 2009-2013 was shipped to Timbuktu for bringing up an inconvenient regulation, we’d like to hear about it.

Make no mistake, the perception that the Service had picked a side will have repercussions for the Foreign Service and the State Department. If there is an HRC White House, we may see old familiar faces come back, or those still in Foggy Bottom may stay on and on and just never leave, like Hotel California.

But if there is a Trump or a Whoever GOP White House, we imagine the top ranks, and who knows how many levels down the bureaus will be slashed gleefully by the incoming administration. And it will not be by accident.

#

State/OIG Reviews IRM’s Vendor Management Office’s Role in Vanguard’s $3.5B Contract

Posted: 12:11 am EDT

This is an excerpt from the State/OIG report on IRM’s new Vendor Management Office (VMO):

In a March 2013 action memorandum, the Chief Information Officer (CIO) established the Vendor Management Office (VMO) in the Bureau of Information Resource Management (IRM), Operations, to support the Vanguard Acquisition Strategy. The CIO created the VMO after determining that he needed dedicated staff to monitor the Vanguard contract and assist with the formulation of well-defined performance metrics. The Vanguard Acquisition Strategy, a Department initiative, consolidated existing IRM contracts under the umbrella of one performance-based contract with multiple firm fixed price task orders to provide better coordination and improve service delivery. The total Vanguard contract award was $3.5 billion over a period of 10 years and comprised 90 to 95 percent of IRM-wide contracting activity; IRM also has 50 contracts totaling $74 million that do not fall under the VMO or Vanguard.

Three functional support units comprise the VMO: Contract Management, Service Performance Management, and Enterprise Project Lifecycle Management. The VMO is separate from the Bureau of Administration, Office of Logistics Management, Office of Acquisitions Management (AQM), which is responsible for executing the Vanguard contract.
[…]
Since the VMO’s establishment, the CIO has tasked it with coordinating several priority projects that include Public Key Infrastructure deployment, the Virtual Desktop Initiative, the Foreign Affairs Network, and Cyber Security. These are listed objectives in the Department’s IT Strategic Plan. This has led to increased responsibilities for the VMO and the resources needed to support them.

Where is this in the FAM, again?

The language in 1 Foreign Affairs Manual (FAM), 270 Organizations and Functions for the VMO, drafted in August 2014, was still in the clearance process at the time of the inspection.

The VMO operates without authority to require compliance with its procedures. The Department has no guidelines on the operation of a vendor management office in the FAM, which defines authorities and responsibilities for each major component of the Department.

To date, the VMO has operated without a 1 FAM entry or IRM policy or guidance that specifies the office’s authority. On April 13, 2015, IRM circulated a draft 1 FAM, outlining the proposed role and responsibilities of the VMO. In the interim, the VMO has no mechanism beyond consensus building to enforce adherence to its policies, procedures, and processes.

More contractors than direct-hire employees?

At the start of the inspection, the VMO staff consisted of 9 full-time employees, 1 student-trainee, and 16 contract positions. During the inspection, the number of contract positions increased to 24. FY 2014 funding for VMO activities is $1.5 million from diplomatic and consular program funding. As of May 2015, the amount for FY 2015 had increased to $3.9 million because of resources needed to manage new projects.

$376K Performance Incentive Fees to Contractors

The VMO Service Performance Management unit has implemented performance metrics to review and analyze information generated through contractor performance assessments. The CORs and GTMs are required to review and validate performance metrics on a monthly basis. However, between April 2014 and March 2015, the OIG team found that Vanguard GTMs failed to validate, on average, 25 of the 268 performance metrics each month because of other priorities. Despite the lack of review and validation, the CORs and GTMs certify to the contracting officer that the contractor has provided all services as specified in the contract and met all the performance metrics and that the Department can pay contractors their incentive fees. For example, in January and February 2015, the Department paid $376,595 in incentive fees to contractors for superior performance without a review or verification of 20 performance metrics, which could lead to the Department paying for services that it did not receive.

[…]
The system the VMO uses to process performance metric data for contracts is inadequate for mission requirements. The unit currently uses Excel spreadsheets to track, monitor, and analyze contractor compliance with 475 active performance metrics.

What about iSchedule?

The Enterprise Lifecycle Project Management unit created the iSchedule Management System (iSchedule), which provides the framework for integrating information technology project schedules to enable IRM to assign and manage work, monitor and control progress toward milestones, and understand the relationships and dependencies among the information technology projects.
[…]
Despite the VMO’s deployment of the iSchedule application in September 2014, IRM directorates do not use iSchedule on a consistent basis because IRM has not yet made use of the system mandatory. This inconsistent use of iSchedule has resulted in inadequate bureau coordination and incomplete project data and limits visibility on projects, activities, and risk. According to 5 FAH-5 H212, projects may require the formal use of a project management tool.

Inadequate acquisition planning and sole source contracts

The OIG team found little evidence that the Messaging Systems Office and the VMO conducted acquisition planning within the timeframes suggested in the Federal Acquisition Regulation 7.104-General Procedures.

In order to award a new blanket purchase agreement, the Messaging Systems Office submitted a sole source justification based on an urgent and compelling need. The Department’s Office of the Legal Adviser denied the office’s request because of inadequate acquisition planning. Program offices issuing requirements without sufficient lead-time restricts competition and risks increased costs. It can also put a strain on the contracting and administrative staff.

Read the full report here: https://oig.state.gov/system/files/isp-i-16-03.pdf

#

@StateDept’s Problematic Information Security Program and Colin Powell’s Wired Diplomatic Corps

Posted: 2:10 am EDT

Via the AP:

Clinton approved significant increases in the State Department’s information technology budgets while she was secretary, but senior State Department officials say she did not spend much time on the department’s cyber vulnerabilities. Her emails show she was aware of State’s technological shortcomings, but was focused more on diplomacy.
[…]
Emails released by the State Department from her private server show Clinton and her top aides viewed the department’s information technology systems as substandard and worked to avoid them.

[Screen shot, 2015-10-20; the PDF linked in the original post is not reproduced here]

The AP report does not include specific details on the “significant increases” in the IT budget. Where did the money go? And why did Clinton’s senior staff suffer through the State Department’s antiquated technology without any fixes?

In contrast, here is Colin Powell’s Wired Diplomatic Corps:

Another disturbing aspect of State Department life prior to 2001 was the poor condition of its information technology (IT). Independent commissions warned the organization’s computer networks were “perilously close to the point of system failure” and “the weakest in the U.S. government.” Inadequate funding, concerns over IT security, and simple bureaucratic inertia were all contributing factors. Powell came to an institution in which his employees relied on an antiquated cable messaging system, slow, outdated computers and as many as three separate networks to do their daily work. At several posts diplomats did not enjoy full access to the Internet or the department’s classified network. Such realities were troubling for a new secretary of state, who had served on America Online’s board of directors and considered Internet access an indispensable resource in his own daily life. Powell believed effective twenty-first century diplomacy necessitated a modern communications system at State and made its establishment a top priority.

As with embassy construction and security, Powell successfully garnered the financial resources to make substantial quantitative and qualitative improvements in the organization’s information technology. For instance, a secure unclassified computer network with full Internet access was extended to 43,500 desktops during his tenure, making the State Department a fully wired bureaucracy for the first time in its history. This goal was reached in May 2003, under budget and ahead of schedule. Shortly thereafter a modernized classified network was installed at 224 embassies and consulates — every post that the Bureau of Diplomatic Security deemed eligible for such technology. In addition, a Global IT Modernization (GIT-M) program was launched to ensure that all computer hardware is kept state-of-the-art through an aggressive, four-year replacement cycle. Other changes equipped the institution with cutting-edge mainframes, updated secure telephones, and wireless emergency communication systems. Most recently, the State Department began under Powell’s leadership to replace its decades old cable and e-mail systems with one modern, secure, and fully integrated messaging and retrieval system.

These impressive technological changes were complemented by the creation of a new 10-person office for e-Diplomacy in 2002. The unit was established to support State’s information revolution by finding ways to increase organizational efficiency through information technology, making the newly installed systems user-friendly, and continuing to identify new ways to send, store and access information. Furthermore, IT security was enhanced considerably. One department report indicated that by August 2004, 90.4 percent of State’s operational systems had been fully authorized and certified, earning the department OMB’s highest rating for IT improvement under the President’s Management Agenda (PMA). In part, achievements of this type were facilitated through Powell’s hiring of 530 new IT specialists (while controlling for attrition). Through an aggressive recruitment and retention program based on incentives and bonuses, the department’s vacancy rate for such positions, which was “over 30 percent five years ago, [was] essentially eliminated.” As with congressional relations and embassy construction and security, State’s information technology was enhanced significantly under Powell’s leadership.

Read in full here via American Diplomacy — The Other Side of Powell’s Record by Christopher Jones.

So, among the more recent secretaries of state, one stayed home more than most. Secretary Powell knew the IT systems were substandard and he went about making the fixes a priority; he did not hand it off to “H” to lobby Congress or simply talk about the State Department’s “woeful state of civilian technology.”

Below is a clip from OIG Steve Linick’s Management Alert on recurring information system weaknesses spanning FY2011 through FY2013. The underlying FISMA reports do not seem to be publicly available at this time:

[Screen shot of the Management Alert, 2015-10-20]

The FISMA audit dated October 2014 says:

[T]he Chief Information Security Officer stated that the Bureau of Information Resource Management, Office of Information Assurance (IRM/IA), received a budget of $14 million in FY 2014, an increase from $7 million in FY 2013. A majority of the budget was used for contractor support to improve FISMA compliance efforts.

We identified control deficiencies in all [Redacted] (b) (5) of the information security program areas used to evaluate the Department’s information security program. Although we recognize that the Department has made progress in the areas of risk management, configuration management, and POA&M since FY 2013, we concluded that the Department is not in compliance with FISMA, OMB, and NIST requirements. Collectively, the control deficiencies we identified during this audit represent a significant deficiency to enterprise-wide security, as defined by OMB Memorandum M-14-04.

We have been unable to find the FISMA reports covering the Rice, Clinton and Kerry tenures. We’ll keep looking.

#

 

Papal Visit & Telework: And the @StateDept GO Has Reportedly Crashed Already #PopeInDC

Posted: 12:11 pm EDT

Last week, we were told that State/IRM had advised all bureaus that GO (Global OpenNet, the Department’s remote access system) can only handle about 25% of State Department teleworkers. Folks were reportedly told to plan to work in the office.

Apparently, it is expected that “traffic delays will be minor” compared to Foggy Bottom’s connectivity issues.

This week, most of DC’s feds have gone on telework schedule due to the popepocalypse.

And. It looks like today, the State Department’s remote access system has already crashed.  Hard.

General question not related to the papal visit … so what happens if something really bad happens? How will the State Department manage if only 25% of its employees are able to telework? How does this compare to the telework capacity of other federal agencies?

#

Here is the system status announcement posted online, which makes no mention of capacity issues:

SYSTEM STATUS as of 9/22/2015:
Please be advised due to higher than normal call volume, MRA Service Desk call hold and average wait times are 20 minutes and may be longer in some cases. If you have issues accessing GO, please reference our User Guides in the upper right hand corner of the screen. If you have any other concerns please call MRA at 202-647-2000 option 3 for support.

Customers using IE, Version 11 to log into Global OpenNet (GO) should click here for important instructions on how to configure browser settings. If the link does not work, please follow the steps below.

  1. Click on Required System Setup
  2. Open the System Setup for Windows 7 User Guide, and
  3. Go to page 18 for instructions.

ANNOUNCEMENT(S): Windows 10 GO Compatibility: The Windows 10 Operating System (OS) has been tested and confirmed to be compatible with Global OpenNet (GO). For customers using the Windows 10 OS, please reference the Windows 10 User Guide found here or by clicking the “Required System Setup” tab above.

#

Congressional Drama Features Ex-Clinton IT Staffer Bryan Pagliano, Good Excuse to Check Your PLI Coverage

Posted: 5:27 am EDT
Updated: 3:03 pm EDT

Bryan Pagliano worked on Hillary Clinton’s 2008 presidential campaign and reportedly helped manage her server at that time. When Clinton became secretary of state in 2009, Pagliano got a job at the State Department.  This report citing public federal records says that he was classified as a GS-15 in his job as a special advisor and deputy chief information officer at the State Department. He earned around $140,000 per year from 2010-2012.  He was also reportedly paid personally by the Clintons to continue managing the private server from 2009 to 2013.

The State Department confirmed on September 3, that Mr. Pagliano was employed by the State Department from May 2009 through February 2013 as an IT specialist, and that he currently serves as a contractor working in the Bureau of Information Resource Management (State/IRM). The State Department also said that it was not consulted on Mr. Pagliano’s decision to take the 5th.   “He has pleaded the Fifth, so to speak. It’s certainly not an admission of guilt, as we all know, but it’s his constitutional right, so we respect that,” the official spokesperson said.

That’s not the end of it, of course. The House Select Committee on Benghazi is reportedly requiring Mr. Pagliano’s presence, which prompted a stern letter Wednesday from Pagliano’s lawyer, who accused the panel and its chairman, Rep. Trey Gowdy (R-S.C.), of engaging in political theater and abusing its subpoena power, according to the Washington Post. Politico also has a report today noting that Pagliano’s lawyer, Mark MacDougall, has said in a letter to two congressional panels that he did not ask any congressional committee for immunity, but “in the event that any committee of the Congress” does authorize such a judicial order, “Mr. Pagliano will, of course, comply with such an order.”

Even if you’re in no danger of getting snared in the Clinton controversies, isn’t this case a good reminder to review one’s Professional Liability Insurance coverage? PLI covers not just admin and disciplinary matters, but also congressional and OIG investigations. For eligible employees, the State Department regulations allow the reimbursement of up to 50% of PLI cost (see 3 FAM 3840 – pdf).


#