Judicial Watch • State Dept. OIG Report on HRC Emails
Number of Pages: 83

Date Created: May 24, 2016

Date Uploaded to the Library: May 25, 2016

Tags: Secretaries, Powell, Dept, OIG, HRC, chief, personal, staff, Emails, email, unclassified, Hillary Clinton, Benghazi, government, Secretary, clinton, Obama, State Department, White House, federal, records, FOIA, department, office



UNCLASSIFIED
ESP-16-03
Office of Evaluations and Special Projects
May 2016
Office of the Secretary: Evaluation of Email Records Management and Cybersecurity Requirements
IMPORTANT NOTICE: This report is intended solely for the official use of the Department of State or the Broadcasting Board of Governors, or any agency or organization receiving a copy directly from the Office of Inspector General. No secondary distribution may be made, in whole or in part, outside the Department of State or the Broadcasting Board of Governors, by them or by other agencies or organizations, without prior authorization by the Inspector General. Public availability of the document will be determined by the Inspector General under the U.S. Code, U.S.C. 552. Improper disclosure of this report may result in criminal, civil, or administrative penalties.
May 2016
OFFICE OF EVALUATIONS AND SPECIAL PROJECTS
Office of the Secretary: Evaluation of Email Records Management and Cybersecurity Requirements
ESP-16-03
What OIG Evaluated
As part of ongoing efforts to respond to requests from the current Secretary of State and several Members of Congress, the Office of Inspector General (OIG) reviewed records management requirements and policies regarding the use of non-Departmental communications systems. The scope of this evaluation covers the Office of the Secretary, specifically the tenures of Secretaries of State Madeleine Albright, Colin Powell, Condoleezza Rice, Hillary Clinton, and John Kerry.
This report (1) provides an overview of laws, regulations, and policies related to the management of email records; (2) assesses the effectiveness of electronic records management practices involving the Office of the Secretary; (3) evaluates compliance with records management requirements; and (4) examines information security requirements related to the use of non-Departmental systems.
What OIG Recommends
OIG makes eight recommendations. They include issuing enhanced and more frequent guidance on the permissible use of personal email accounts to conduct official business, amending Departmental policies to provide for administrative penalties for failure to comply with records preservation and cybersecurity requirements, and developing a quality assurance plan to address vulnerabilities in records management and preservation. The Department concurred with all OIG recommendations.
What OIG Found
The Federal Records Act requires appropriate management and preservation of Federal Government records, regardless of physical form or characteristics, that document the organization, functions, policies, decisions, procedures, and essential transactions of an agency. For the last two decades, both Department of State (Department) policy and Federal regulations have explicitly stated that emails may qualify as Federal records. As is the case throughout the Federal Government, management weaknesses at the Department have contributed to the loss or removal of email records, particularly records created by the Office of the Secretary. These weaknesses include a limited ability to retrieve email records, inaccessibility of electronic files, failure to comply with requirements for departing employees, and a general lack of oversight.
OIG's ability to evaluate the Office of the Secretary's compliance with policies regarding records preservation and the use of non-Departmental communications systems was, at times, hampered by these weaknesses. However, based on its review of records, questionnaires, and interviews, OIG determined that email usage and preservation practices varied across the tenures of the five most recent Secretaries and that, accordingly, compliance with statutory, regulatory, and internal requirements varied as well.
OIG also examined Department cybersecurity regulations and policies that apply to the use of non-Departmental systems to conduct official business. Although there were few such requirements in earlier years, over time the Department has implemented numerous policies directing the use of authorized systems for day-to-day operations. In assessing these policies, OIG examined the facts and circumstances surrounding three cases where individuals exclusively used non-Departmental systems to conduct official business.
CONTENTS
OBJECTIVES AND METHODOLOGY
BACKGROUND
PRESERVATION REQUIREMENTS HAVE GENERALLY REMAINED CONSISTENT AS LAWS AND POLICIES RELATED TO THE USE OF EMAILS HAVE EVOLVED
MANAGEMENT WEAKNESSES CONTRIBUTE TO LOSS OF EMAIL RECORDS
STAFF EMAIL USAGE AND COMPLIANCE WITH RECORDS MANAGEMENT REQUIREMENTS VARY
CYBERSECURITY RISKS RESULT FROM THE USE OF NON-DEPARTMENTAL SYSTEMS AND EMAIL ACCOUNTS
Employees Generally Must Use Department Information Systems to Conduct Official Business
Restrictions Apply to the Use of Non-Departmental Systems
The Department Has Issued Numerous Warnings About Cybersecurity Risks
Three Officials Exclusively Used Non-Departmental Systems for Day-to-Day Operations
CONCLUSION
RECOMMENDATIONS
APPENDIX: RELEVANT LAWS AND POLICIES DURING THE TENURES OF THE FIVE MOST RECENT SECRETARIES OF STATE
APPENDIX: MANAGEMENT RESPONSES
ABBREVIATIONS
OIG TEAM MEMBERS
OBJECTIVES AND METHODOLOGY
In April 2015, the Office of Inspector General (OIG) initiated an evaluation to address concerns identified during recent audits and inspections and to respond to requests from the current Secretary of State and several Members of Congress involving a variety of issues, including the use of non-Departmental systems to conduct official business, records preservation requirements, and Freedom of Information Act (FOIA) compliance. This report, which is the fourth and final document of OIG findings in these areas, addresses efforts undertaken by the Department of State (Department) to preserve and secure electronic records and communications involving the Office of the Secretary. Specifically, this report (1) provides an overview of laws, regulations, and policies related to the management of email records; (2) assesses the effectiveness of electronic records management practices involving the Office of the Secretary; (3) evaluates staff compliance with records management requirements; and (4) examines information security requirements related to the use of non-Departmental systems.
As part of the current evaluation, OIG reviewed laws, policies, and practices from (and, in some cases, prior to) 1997 through the present, covering the tenures of five Secretaries: Madeleine Albright (January 23, 1997 to January 20, 2001); Colin Powell (January 20, 2001 to January 26, 2005); Condoleezza Rice (January 26, 2005 to January 20, 2009); Hillary Clinton (January 21, 2009 to February 2013); and John Kerry (February 2013 to Present).
OIG reviewed the requirements of the Federal Records Act and the Federal Information Security Management Act (FISMA) and related regulations; circulars and directives issued by the President, the National Archives and Records Administration (NARA), the National Institute of Standards and Technology (NIST), and the Office of Management and Budget (OMB); applicable
OIG has identified the following issues: inconsistencies across the Department in identifying and preserving records, hacking incidents and other issues affecting the security of Department electronic communication, delays and other processing problems related to FOIA requests, and concerns about an Ambassador's use of private email to conduct official business. See OIG, Review of State Messaging and Archive Retrieval Toolset and Record Email (ISP-I-15-15, March 2015); OIG, Audit of the Department of State Information Security Program (AUD-IT-15-17, October 2014); OIG, Management Alert: OIG Findings of Significant and Recurring Weaknesses in the Department of State Information System Security Program (AUD-IT-14-03, November 2013); OIG, Inspection of the Bureau of Administration, Global Information Services, Office of Information Programs and Services (ISP-I-12-54, September 2012); and OIG, Inspection of Embassy Nairobi, Kenya (ISP-I-12-38A, August 2012).
For purposes of this work, OIG uses the term "non-Departmental systems" to mean hardware and software that is not owned, provided, monitored, or certified by the Department of State.
Previous reports include the following: OIG, Potential Issues Identified by the Office of the Inspector General of the Intelligence Community Concerning the Department of State's Process for the Review of Former Secretary Clinton's Emails under the Freedom of Information Act (ESP-15-04, July 2015); OIG, Evaluation of the Department of State's FOIA Processes for Requests Involving the Office of the Secretary (ESP-16-01, January 2016); and OIG, Classified Material Discovered in Unclassified Archival Material (ESP-16-02, March 2016).
U.S.C. chapters 21, 29, 31, and 33.
Pub. L. No. 107-347, title III, 116 Stat. 2946 (2002). In 2014, FISMA was replaced by the Federal Information Security Modernization Act, U.S.C. 3551 (2014).
Department directives issued in the Foreign Affairs Manual (FAM) and the Foreign Affairs Handbook (FAH); and guidance and policies in cables and memoranda. The appendix on relevant laws and policies summarizes the laws and policies that OIG reviewed during this evaluation.
OIG employed a number of strategies to test compliance with email records preservation requirements applicable to each Secretary's tenure, including (1) sending questionnaires to current and former staff of the Office of the Secretary requesting information about email usage and preservation practices; (2) reviewing records and public statements related to email usage; (3) comparing stated practices against applicable laws and policies; and (4) searching available hard-copy and electronic files to identify and analyze email records and assess staff practices. OIG faced a number of challenges in conducting this testing, which will be discussed in greater detail throughout the report.
OIG also interviewed dozens of former and current Department employees, including the Deputy Secretary for Management and Resources (D-MR); the Under Secretary for Management (M); the Assistant Secretary and other staff of the Bureau of Administration (A); and various staff of the Office of the Secretary and its Executive Secretariat (S/ES), the Office of the Legal Adviser (L), the Bureau of Information Resource Management (IRM), and the Bureau of Diplomatic Security (DS). In conjunction with the interviews, OIG reviewed paper and electronic records and documents associated with these offices. OIG also consulted with NARA officials. Finally, OIG interviewed Secretary Kerry and former Secretaries Albright, Powell, and Rice. Through her counsel, Secretary Clinton declined OIG's request for an interview.
OIG conducted this work in accordance with quality standards for evaluations set forth by the Council of the Inspectors General on Integrity and Efficiency.
BACKGROUND
The Federal Records Act requires the head of each agency to make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency's activities. Effective records management is critical for ensuring that sufficient documentation of agency business is created, that an agency can efficiently locate and retrieve records needed in the daily performance of its mission, and that records of historical significance are identified, preserved, and made available to the public.
The Department articulates official guidance, including procedures and policies, on matters relating to Department management and personnel in the Foreign Affairs Manual and Handbook. FAM 1111.1 (July 2013).
In addition to Secretary Clinton, eight former Department employees declined OIG requests for interviews: (1) the Chief of Staff to Secretary Powell (2002-05); (2) the Counselor and Chief of Staff to Secretary Clinton (2009-13); (3) the Deputy Chief of Staff for Policy to Secretary Clinton (2009-11) and the Director of Policy Planning (2011-13); (4) the Deputy Chief of Staff for Operations to Secretary Clinton (2009-13); (5) the Deputy Assistant Secretary for Strategic Communication (2009-13); (6) the Director of the S/ES Office of Information Resources Management (2008-13); (7) a Special Advisor to the Deputy Chief Information Officer (2009-13) who provided technical support for Secretary Clinton's personal email system; and (8) a Senior Advisor to the Department, who supervised responses to Congressional inquiries (2014-15). Two additional individuals did not respond to OIG interview requests: the Deputy Secretary of State for Management and Resources (2011-13) and an individual based in New York who provided technical support for Secretary Clinton's personal email system but who was never employed by the Department.
Citing its responsibilities under the Federal Records Act, the Department sent letters in October and November 2014 to the representatives of former Secretaries Albright, Powell, Rice, and Clinton requesting that they make available copies of any Federal records in their possession, such as emails sent or received on a personal email account while serving as Secretary of State. In response, Secretary Albright's representative advised that Secretary Albright did not use a Department or personal email account during her tenure, and Secretary Rice's representative advised that Secretary Rice did not use a personal email account to conduct official business. Representatives for Secretaries Powell and Clinton acknowledged that the Secretaries used personal email accounts to conduct official business.
Secretary Powell has publicly stated that, during his tenure as Secretary, he installed a laptop computer on a private line and that he used the laptop to send emails via his personal email account to his principal assistants, individual ambassadors, and foreign minister colleagues. Secretary Powell's representative advised the Department in 2015 that he did not retain those emails or make printed copies. Secretary Powell has also publicly stated that he generally sent emails to his staff via their State Department email addresses but that he personally does not know whether the Department captured those emails on its servers.
Secretary Clinton employed a personal email system to conduct business during her tenure in the United States Senate and her 2008 Presidential campaign. She continued to use personal email throughout her term as Secretary, relying on an account maintained on a private server, predominantly through mobile devices. Throughout Secretary Clinton's tenure, the server was located in her New York residence.
U.S.C. 3101. The FAM assigns these recordkeeping responsibilities to officials within the Bureau of Administration. FAM 214 (May 2009); FAM 214.2 (November 25, 1998); FAM 216.4 (January 17, 1997).
GAO, National Archives and Records Administration: Oversight and Management Improvements Initiated, but More Action Needed (GAO-11-15, October 2010).
Letter from Margaret Grafeld, Deputy Assistant Secretary for Global Information Systems, Bureau of Administration, U.S. Department of State, to Paul Wester, Jr., Chief Records Officer for the U.S. Government, NARA (April 2015) [hereinafter Grafeld Letter].
Colin Powell, It Worked For Me: In Life and Leadership 109 (2012).
Grafeld Letter. Secretary Powell did not provide his emails to the Department in any form.
ABC News, This Week Transcript: Former Secretary of State Colin Powell (March 2015), available at http://abcnews.go.com/Politics/week-transcript-secretary-state-colin-powell/story?id=29463658.
A March 17, 2009 memorandum prepared by S/ES-IRM staff regarding communications equipment at the Secretary's New York residence identified a server located in the basement.
In December 2014, in response to Department requests, Secretary Clinton produced to the Department from her personal email account approximately 55,000 hard-copy pages, representing approximately 30,000 emails that she believed related to official business. In a letter to the Department, her representative stated that it was the Secretary's practice to email Department officials at their government email accounts on matters pertaining to the conduct of government business. Accordingly, the representative asserted, to the extent that the Department retained records of government email accounts, the Department already had records of the Secretary's email preserved within its recordkeeping systems.
PRESERVATION REQUIREMENTS HAVE GENERALLY REMAINED CONSISTENT AS LAWS AND POLICIES RELATED TO THE USE OF EMAILS HAVE EVOLVED
The requirement to manage and preserve emails containing Federal records has remained consistent since at least 1995, though specific policies and guidance related to retention methods have evolved over time. In general, the Federal Records Act requires appropriate management, including preservation, of records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency. Although emails were not explicitly mentioned in the Federal Records Act or the FAM until the mid-1990s, the law has stated since 1943 that a document can constitute a record regardless of physical form or characteristics.
NARA promulgates regulations providing guidance to agencies on implementation of the Federal Records Act and recordkeeping obligations more generally. Since 1990, the regulations issued by NARA have explained that the medium of the record may be paper, film, disk, or other physical type or form and that the method of recording may be manual, mechanical, photographic, electronic, or any other combination of these or other technologies. These regulations also have stated that a record can be made by agency personnel in the course of their official duties, regardless of the method(s) or the medium involved. See the appendix on relevant laws and policies for a compilation of preservation laws and policies that were in effect during the tenures of each Secretary, from Secretary Albright through Secretary Kerry. The accompanying figure shows the evolution of management and preservation requirements related to emails containing Federal records.
Letter from Cheryl Mills, cdmills Group, to Patrick Kennedy, Under Secretary of State for Management (December 2014). U.S.C. 3101.
H.R. 2943, Records Disposal Act of 1943, Stat. 380 (July 1943). U.S.C. 2904. C.F.R. 1222.12(b)(2) (1990). C.F.R. 1222.12(b)(3) (1990).
[Figure: evolution of management and preservation requirements for emails containing Federal records; image not reproduced in the extracted text.] Source: OIG analysis of laws and policies.
Email Records Are Equivalent to Other Records: In 1995, NARA amended the Code of Federal Regulations to confirm that messages created or received on electronic mail systems may meet the definition of a record. The regulations also referenced the use of electronic communications systems external to the Government, indicating that agencies with access to external electronic mail systems shall ensure that Federal records sent or received on these systems are preserved in the appropriate recordkeeping system. A recordkeeping system is a manual or electronic system that captures, organizes, and categorizes records to facilitate their preservation, retrieval, use, and disposition. The FAM adopted similar requirements in 1995, providing in pertinent part that:
all employees must be aware that some of the variety of the messages being exchanged on email are important to the Department and must be preserved; such messages are considered Federal records under the law.
The FAM also included examples of emails that could constitute Federal records, including those providing key substantive comments on a draft action memorandum, documenting significant Department decisions and commitments reached orally, and conveying information of value on important Department activities. The Department has frequently reminded employees of this requirement, including through a November 2009 announcement to all employees that noted that Federal records can be found in any media, including email, instant messages, social media, etc. However, the Department believes that the majority of the millions of emails sent to and from Department employees each year are non-permanent records with no long-term value. In 2014, Congress amended the Federal Records Act to explicitly define Federal records to include information created, manipulated, communicated, or stored in digital or electronic form.
Methods of Preservation: According to NARA regulations, an agency must ensure that procedures, directives and other issuances include recordkeeping requirements for records in all media, including those records created or received on electronic mail systems. These recordkeeping requirements include identifying specific categories of records to be maintained by agency personnel. Such maintenance includes ensuring that complete records are filed or otherwise identified and preserved, records can be readily found when needed, and permanent and temporary records are physically segregated from each other (or, for electronic records, segregable). Guidance issued by both NARA and the Department emphasizes that every employee has records management responsibilities and must make and preserve records according to the law and Department policy.
At the Department, compliance with this regulation and preservation of emails that constitute Federal records can be accomplished in one of three ways: print and file; incorporation into the State Messaging and Archive Retrieval Toolset (SMART); or the use of the NARA-approved Capstone program for capturing the emails of designated senior officials. Since 1995, the FAM has instructed employees that, until technology allowing archival capabilities for long-term electronic storage and retrieval of E-mail messages is available and installed, emails warranting preservation as records must be printed out and filed with related Department records. NARA regulations codified in 2009 also specified that agencies must not use an electronic mail system to store the recordkeeping copy of electronic mail messages identified as Federal records unless that system contains specific features. However, according to the Department, its technology has lagged behind this mandate.
C.F.R. 1222.34(e) (1995). C.F.R. 1222.24(a)(4) (1995). C.F.R. 1220.18 (2009). FAM 443.1(c) (October 30, 1995). FAM 443.2(d) (October 30, 1995).
See, e.g., STATE 120561; Department of State, Records Management Responsibilities, Announcement No. 2009_11_125, November 23, 2009.
Presidential and Federal Records Act Amendments of 2014, Pub. L. No. 113-187, 128 Stat. 2003 (November 26, 2014) (amending U.S.C. 3301(a)). C.F.R. 1222.24 (October 2009).
FAM 414.8 (September 17, 2004). The prior version was located at FAM 413.10 (October 30, 1995). See also NARA, Frequently Asked Questions about Records Management in General, available at http://www.archives.gov/records-mgmt/faqs/general.html#responsibility (January 20, 2001) (stating that Federal employees are responsible for making and keeping records of their work). FAM 443.3 (October 30, 1995).
S/ES-IRM reported to OIG that it has preserved email files numbering in the thousands for selected senior officials dating back at least as far as Secretary Powell's administration, although OIG found that these files are maintained in a format that makes them almost impossible to review or use.
C.F.R. 1236.22 (2009). The required features are specified in C.F.R. 1236.20(b) as follows:
(a) General. Agencies must use electronic or paper recordkeeping systems or a combination of those systems, depending on their business needs, for managing their records. Transitory email may be managed as specified in 1236.22(c).
(b) Electronic recordkeeping. Recordkeeping functionality may be built into the electronic information system or records can be transferred to an electronic recordkeeping repository, such as a DoD-5015.2 STD-certified product. The following functionalities are necessary for electronic recordkeeping:
(1) Declare records. Assign unique identifiers to records.
(2) Capture records. Import records from other sources, manually enter records into the system, or link records to other systems.
(3) Organize records. Associate with an approved records schedule and disposition instruction.
(4) Maintain records security. Prevent the unauthorized access, modification, or deletion of declared records, and ensure that appropriate audit trails are in place to track use of the records.
(5) Manage access and retrieval. Establish the appropriate rights for users to access the records and facilitate the search and retrieval of records.
(6) Preserve records. Ensure that all records in the system are retrievable and usable for as long as needed to conduct agency business and to meet NARA-approved dispositions. Agencies must develop procedures to enable the migration of records and their associated metadata to new storage media or formats in order to avoid loss due to media decay or technology obsolescence.
In 2009, IRM introduced SMART throughout the Department, enabling employees to preserve record copies of emails through their Department email accounts without having to print and file them. However, the Office of the Secretary elected not to use SMART to preserve emails, in part because of concerns that the system would allow overly broad access to sensitive materials. As a result, printing and filing remained the only method by which emails could be properly preserved within the Office of the Secretary in full compliance with existing FAM guidance.
In August 2012, OMB and NARA issued a memorandum requiring agencies to eliminate paper recordkeeping and manage all email records in electronic format by December 31, 2016. Subsequently, in August 2013, NARA published a bulletin authorizing agencies to use the Capstone approach to manage emails based upon the sender's or recipient's role within the agency (rather than the content of the email), which allows for the capture of records that should be preserved as permanent from the accounts of officials at or near the top of an agency or organizational subcomponent. In February 2015, S/ES began retaining the emails of senior Department officials within its purview using the Capstone approach, a practice that was broadened to approximately 200 senior officials across the Department in September 2015. However, if an employee is not a senior official under Capstone, he or she would still be responsible for preserving emails in an appropriate agency recordkeeping system, such as through the use of SMART or printing and filing.
Requirements for Email Records on Personal Accounts: As previously stated, documents can qualify as Federal records regardless of the location, method of creation, or the medium involved. Consequently, records management requirements have always applied to emails
(7) Execute disposition. Identify and effect the transfer of permanent records to NARA based on approved records schedules. Identify and delete temporary records that are eligible for disposal. Apply records hold or freeze to disposition when required.
(c) Backup systems. System and file backup processes and media do not provide the appropriate recordkeeping functionalities and must not be used as the agency electronic recordkeeping system.
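As an added illustration, not code from the report, NARA, or the Department, the following Python sketch models the electronic recordkeeping functionalities (1) through (7) listed above and the caveat in (c): unique identifiers on declaration, capture with a fixity value, association with an approved schedule, an append-only audit trail that also records refused modifications of declared records, fixity verification on retrieval, and a disposition pass that transfers eligible permanent records, deletes eligible temporary ones, and leaves anything under a records hold untouched. The class, method and schedule names are this example's own, and the scenario in demo() is constructed.

```python
# Added illustration of the 36 CFR 1236.20(b) functionalities; not Department, NARA,
# or report code. All class, method and schedule names are this example's own.
import hashlib
import uuid
from datetime import date, timedelta


class RecordkeepingError(Exception):
    pass


class RecordRepository:
    """Toy electronic recordkeeping repository covering functionalities (1)-(7)."""

    def __init__(self):
        self._records = {}    # record_id -> content and metadata
        self._schedules = {}  # schedule name -> (disposition, retention_days)
        self._holds = set()   # record_ids under a records hold/freeze
        self._audit = []      # append-only audit trail (functionality 4)

    def _log(self, actor, action, record_id):
        self._audit.append({"actor": actor, "action": action, "record": record_id})

    def add_schedule(self, name, disposition, retention_days):
        # disposition: "permanent" (transfer to NARA) or "temporary" (delete when eligible)
        self._schedules[name] = (disposition, retention_days)

    def declare(self, actor, content, created, schedule):
        """(1) unique identifier, (2) capture, (3) association with an approved schedule."""
        if schedule not in self._schedules:
            raise RecordkeepingError("no approved schedule named " + schedule)
        record_id = str(uuid.uuid4())
        self._records[record_id] = {
            "content": content,
            "sha256": hashlib.sha256(content).hexdigest(),  # fixity value used by (6)
            "created": created,
            "schedule": schedule,
        }
        self._log(actor, "declare", record_id)
        return record_id

    def read(self, actor, record_id):
        """(5) retrieval is logged; (6) fixity is verified so silent decay is detected."""
        rec = self._records[record_id]
        if hashlib.sha256(rec["content"]).hexdigest() != rec["sha256"]:
            raise RecordkeepingError("fixity failure for " + record_id)
        self._log(actor, "read", record_id)
        return rec["content"]

    def modify(self, actor, record_id, new_content):
        """(4) declared records are immutable; the refused attempt is itself logged."""
        self._log(actor, "modify-denied", record_id)
        raise RecordkeepingError("declared records cannot be modified")

    def apply_hold(self, actor, record_id):
        self._holds.add(record_id)
        self._log(actor, "hold", record_id)

    def execute_disposition(self, actor, today):
        """(7) transfer eligible permanent records, delete eligible temporary ones,
        and leave anything under a hold untouched."""
        outcomes = {}
        for record_id in list(self._records):
            rec = self._records[record_id]
            disposition, retention_days = self._schedules[rec["schedule"]]
            if today < rec["created"] + timedelta(days=retention_days):
                outcomes[record_id] = "retained"
            elif record_id in self._holds:
                outcomes[record_id] = "held"
            elif disposition == "permanent":
                outcomes[record_id] = "transferred"  # hand-off to NARA would happen here
                self._log(actor, "transfer", record_id)
            else:
                del self._records[record_id]
                outcomes[record_id] = "deleted"
                self._log(actor, "delete", record_id)
        return outcomes

    def audit_trail(self):
        return list(self._audit)


def demo():
    """Run one constructed scenario and return the observable results."""
    repo = RecordRepository()
    repo.add_schedule("policy-email", "permanent", 365)
    repo.add_schedule("transitory", "temporary", 90)
    created = date(2015, 1, 1)
    memo = repo.declare("s-es-irm", b"substantive comments on a draft action memo", created, "policy-email")
    lunch = repo.declare("s-es-irm", b"lunch order", created, "transitory")
    held = repo.declare("s-es-irm", b"transitory email placed under a hold", created, "transitory")
    repo.apply_hold("legal-adviser", held)
    try:
        repo.modify("staff", memo, b"edited after the fact")
    except RecordkeepingError:
        pass
    repo.read("foia-analyst", memo)
    outcomes = repo.execute_disposition("s-es-irm", date(2016, 6, 1))
    actions = [entry["action"] for entry in repo.audit_trail()]
    return {"memo": outcomes[memo], "lunch": outcomes[lunch], "held": outcomes[held],
            "denied_modifications": actions.count("modify-denied"), "audit_events": len(actions)}
```

The point of the hold check sitting before the disposition branches is that a records freeze must win over an otherwise eligible deletion; the point of logging the refused modify call is that the audit trail is meant to track use of the records, not only successful operations. A backup of the repository's storage would satisfy none of this on its own, which is what (c) is getting at.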
Prior OIG reports have observed that use of the SMART system to create record emails has varied widely across Department offices. OIG, Review of State Messaging and Archive Retrieval Toolset and Record Email (ISP-I-15-15, March 2015) and OIG, Inspection of the Bureau of Administration, Global Information Services, Office of Information Programs and Services (ISP-I-12-54, September 2012).
OMB and NARA, Memorandum for The Heads of Executive Departments and Agencies and Independent Agencies: Managing Government Records Directive (OMB Memorandum M-12-18) (August 24, 2012).
NARA, Guidance on a New Approach to Managing Email Records, Bulletin No. 2013-02 (August 29, 2013), available at https://www.archives.gov/records-mgmt/bulletins/2013/2013-02.html.
On January 29, 2015, the Executive Secretary notified the covered officials in the offices of the Secretary (S), the Deputy Secretaries of State (D), the Under Secretary for Political Affairs (P), and the Counselor of the Department (C) that in February 2015, S/ES-IRM would begin permanently retaining all email activity in their State Department accounts. This notice also stated: "You should not use your private email accounts (e.g., Gmail) for official business." Later in 2015, the Under Secretary for Management notified all Assistant Secretaries and equivalents and Principal Deputies that all of their email will be permanently stored and indexed beginning in September 2015. See Memorandum to All Assistant Secretaries, Assistant Secretary Equivalents, And Principal Deputies: Email Retention (July 29, 2015).
exchanged on personal email accounts, provided their content meets the definition of a record. In 2004, NARA issued a bulletin noting that officials and employees must know how to ensure that records are incorporated into files or electronic recordkeeping systems, especially records that were generated electronically on personal computers. In 2009, NARA amended its regulations to explicitly address official emails on personal accounts:
Agencies that allow employees to send and receive official electronic mail messages using a system not operated by the agency must ensure that Federal records sent or received on such systems are preserved in the appropriate agency recordkeeping system.
In the 2014 amendments to the Federal Records Act, Congress added a provision prohibiting agency employees from creating or sending a record using a non-official electronic messaging account unless they copy their official electronic messaging account in the original creation or transmission of the record or forward a complete copy of the record to their official electronic messaging account within days. Shortly before the enactment of the 2014 amendments, the Department issued an interim directive with similar requirements and subsequently updated the FAM in October 2015 as follows:
Under the Presidential and Federal Records Act Amendments of 2014, employees are prohibited from creating or sending a record using a non-official email account unless the employee (1) copies the employee's official email account in the original creation or transmission, or (2) forwards a complete copy of the record (including any attachments) to the employee's official email account not later than days after the original creation or transmission. The U.S. National Archives and Records Administration has advised that personal accounts should only be used in exceptional circumstances. Therefore, Department employees are discouraged from using private email accounts (e.g., Gmail, AOL, Hotmail, etc.) for official business. However, in those very limited circumstances when it becomes necessary to do so, the email messages covering official business sent from or received on a personal account must be captured and managed in a Department email system in the manner described above in accordance with the Presidential and Federal Records Act Amendments of 2014. If an employee has any emails (regardless of age) in his or her private email account(s) that have not already been forwarded to the employee's official email account, then such emails need to be forwarded to the employee's state.gov account as soon as possible. Employees are reminded that private email accounts should not be used to transmit or receive classified information.
C.F.R. 1236.22(b). U.S.C. 2911(a).
Department of State, Message from Under Secretary for Management Patrick Kennedy regarding State Department Records Responsibilities and Policy, Announcement No. 2014_10_115, October 17, 2014.
FAM 443.7 (October 23, 2015). Furthermore, the Consolidated Appropriations Act of 2016, which became Public Law 114-113 on December 18, 2015, requires, in Section 7077, that the Department update policies and directives as needed to comply with Federal statutes, regulations, and presidential executive orders and memoranda concerning
However, forwarding or copying to an employee's official email account alone is not sufficient to fully meet records management requirements unless the employee's email is being captured under the Capstone approach. If such an email qualifies as a record, employees are still responsible for preserving it in an appropriate agency recordkeeping system, such as through the use of SMART or printing and filing.

Safeguards for Loss or Removal of Records: Both the Federal Records Act and NARA regulations also focus on preventing the removal, loss, or alienation of Federal records. The Act requires the head of each agency to establish safeguards against the removal or loss of records, including making it known to officials and employees of the agency (1) that records in the custody of the agency are not to be alienated or destroyed and (2) the penalties provided by law for the unlawful removal or destruction of records. Although the FAM itself does not contain any explicit administrative penalties for removal or destruction of records, it does advise employees that such penalties exist and cites the Federal Records Act for this assertion.

NARA regulations require each agency to have procedures to ensure that departing officials and employees do not remove Federal records from agency custody. The Department has implemented these requirements through various FAM and FAH provisions that prohibit employees from removing, retiring, transferring, or destroying Department records; prohibit departing employees from removing any records; require each departing employee to sign a separation statement certifying that he or she has surrendered all documentation related to the official business of the Government; and require a review of documents proposed for removal by a departing employee. For example, since 1982, the Department has given the responsibility to the management section of each bureau, office, or post to ensure that every departing employee has signed a separation statement (form DS-109) that includes the following certification: "I have surrendered to responsible officials all unclassified documents and papers relating to the official business of the Government acquired while in the employ of the Department." Numerous Department cables and announcements have emphasized the responsibility of every employee to sign a separation statement before he or she departs.

Footnotes:
(continued) the preservation of all records made or received in the conduct of official business, including record emails, instant messaging, and other online tools. The Act also required the Department to direct departing employees that their records belong to the Federal government and to report within days the steps required to implement the recommendations issued by OIG in the March 2015 Review of State Messaging and Archive Retrieval Toolset and Record Email (ISP-I-15-15) and any recommendations from the OIG review of the records management practices of the Department of State. Section 7077 also contains a prohibition on the use of certain appropriated funds to support the use or establishment of email accounts or email servers created outside the .gov domain not fitted for automated records management as part of a Federal government records management program in contravention of the Presidential and Federal Records Act Amendments of 2014 and a provision for withholding $10,000,000 from the Capital Investment Fund until the records management reports required under Section 7077 are submitted to Congress.
U.S.C. 3105.
FAM 413(a)(6) (September 17, 2004). NARA regulations interpreting the Federal Records Act refer to the criminal penalties in U.S.C. 641, 2071, but do not cite any administrative penalties. C.F.R. 1230.12.
C.F.R. 1222.24(a)(6) (October 2009).
FAM 431.5(d) (July 31, 2012); FAM 432.4(d) (July 31, 2012); FAM 414.7 (June 19, 2015); FAM 564.4 (July 10, 2015); FAH-4 H-217.2 (August 13, 2008). These are the most current versions of these provisions, but the requirements have existed at least since 1995. See also FAH-4 H-218a (April 15, 1997). For related discussions of agency responsibilities concerning removal of agency documents by senior officials upon departure, see also GAO, Federal Records: Removal of Agency Documents by Senior Officials Upon Leaving Office (GAO/GGD-89-91, July 1989), and GAO, Document Removal by Agency Heads Needs Independent Oversight (GAO/GGD-91-117, August 1991).
Since 2004, both the Department and NARA have issued multiple notices emphasizing the need to preserve emails that constitute Federal records and to surrender all Federal records prior to departing government employment. These include an August 2004 memorandum from the Executive Secretary that reminded departing officials not to remove any documentary materials, whether personal or official and whether in written or electronic form, until such materials have been reviewed by records and security officers. The memorandum also required departing officials to ensure that all record material they possess is incorporated into the Department's official files. The Department reiterated this guidance in April, June, and October 2008. S/ES conducts annual workshops with the Agency Records Officer on records management for departing senior officials and their staffs. Such workshops were held in February 2007, September 2008, June 2009, April 2010, October 2011, October 2012, October 2013, October 2014, and June 2015.

Footnotes:
FAM 417.2 (March 16, 1982); FAM 413.9 (October 30, 1995); FAM 414.7 (September 17, 2004).
See, e.g., Procedures for the Removal of Personal Papers and Non-Record Material, FAM 400, FAH-4, Announcement No. 2000_01_021, January 14, 2000; Procedures for the Removal of Personal Papers and Non-Record Material, Announcement No. 2005_02_017, February 2005; STATE 00018818 (February 2005); STATE 56010 (May 09, 2014).
See, e.g., NARA, Protecting Federal records and other documentary materials from unauthorized removal, Bulletin No. 2005-03 (December 22, 2004); NARA, NARA Guidance for Implementing Section 207(e) of the E-Government Act of 2002, Bulletin No. 2006-02 (December 15, 2005); Department of State, Records Management Procedures, Announcement No. 2007_02_147, February 28, 2007; Department of State, Preserving Electronic Message (E-mail) Records, Announcement No. 2009_06_090, June 17, 2009; STATE 111506 (September 15, 2014); Department of State, Departing Officials: Procedures for the Removal of Personal Papers and Non-Record Material, Announcement No. 2008_04_089, April 17, 2008; Department of State, Reminder to Departing Officials: Procedures for the Removal of Personal Papers and Non-Record Material, Announcement No. 2008_06_095, June 16, 2008; Department of State, Reminder to Departing Officials: Procedures for the Removal of Personal Papers and Non-Record Material, Announcement No. 2008_10_087, October 16, 2008.
The willful and unlawful removal or destruction of records is punishable by a fine or imprisonment for three years, or both (18 U.S.C. 2071).
STATE 120561 (November 23, 2009); Department of State, Records Management Responsibilities, Announcement No. 2009_11_125, November 23, 2009; NARA, Continuing Agency Responsibilities for Scheduling Electronic Records, Bulletin No. 2010-02 (February 2010); Department of State, Message from Under Secretary for Management Patrick Kennedy regarding State Department Records Responsibilities and Policy, Announcement No. 2014_10_115, October 17, 2014.
Memorandum from Karl Hoffman, Executive Secretary, to all Under Secretaries and Assistant Secretaries, Refresher on Records Responsibilities and Review (August 2004).
MANAGEMENT WEAKNESSES CONTRIBUTE TO LOSS OF EMAIL RECORDS

As discussed above, the Federal Records Act and related NARA regulations impose records management responsibilities on both Federal agencies and individual employees. For agencies, these responsibilities include establishing effective controls to manage the creation, maintenance, use, and disposition of records in order to achieve adequate and proper documentation of the policies and transactions of the Federal Government. According to NARA, an effective records disposition program depends on scheduling all records, regardless of location and regardless of physical form or characteristics (paper or electronic). Therefore, agencies must implement a records maintenance program so that complete records are filed or otherwise identified and preserved, records can be readily found when needed, and permanent and temporary records are physically segregated or are segregable from each other.

According to a 2010 U.S. Government Accountability Office (GAO) report, most agencies do not prioritize records management, as evidenced by a lack of staff and budget resources, absence of up-to-date policies and procedures, lack of training, and lack of accountability. In its most recent annual assessment of records management, NARA identified similar weaknesses across the Federal Government with regard to electronic records in particular. NARA reported that percent of agencies had an elevated risk for the improper management of electronic records, reflecting serious challenges in handling vast amounts of email, integrating records management functionality into electronic systems, and adapting to the changing technological and regulatory environments.

In an effort to develop solutions to its own electronic records management challenges and to comply with NARA and OMB requirements, in 2013 the Department established the Electronic Records Management Working Group (ERMWG). The Under Secretary for Management approved recommendations submitted by the ERMWG, which included updating guidance on preserving senior officials' emails, developing a pilot program for the Capstone approach to record email, and directing IRM to perform a cost-benefit analysis of upgrading SMART as opposed to obtaining other solutions for preserving the emails of senior officials. In September 2015, Secretary Kerry named a former career Senior Foreign Service Officer as the Department's Transparency Coordinator. The Transparency Coordinator has been tasked with leading the Department's efforts, in conjunction with the ERMWG, to meet the President's Managing Government Records directive, responding to OIG recommendations, and working with other agencies and the private sector to explore best practices and new technologies.

While these are positive steps, OIG identified multiple email and other electronic records management issues during the course of this evaluation. In its technical comments on this report, the Department noted that its budget has been declining over the past years and has not kept pace with inflation at a time when its national security mission is growing. According to the Department, it did request additional resources for records management for fiscal year 2017, but additional funding will still be needed to fully address its records management challenges.

Footnotes:
U.S.C. 3101, 3102.
A records schedule identifies records as either temporary or permanent. All records schedules must be approved by NARA. A records schedule provides mandatory instructions for the disposition of the records (including the transfer of permanent records and disposal of temporary records) when they are no longer needed by the agency. As part of the ongoing records life cycle, disposition should occur in the normal course of agency business. U.S.C. 3303, 3303a. See http://www.archives.gov/records-mgmt/publications/disposition-of-federal-records/chapter-2.html
C.F.R. 1222.34.
GAO, Information Management: The Challenges of Managing Electronic Records (GAO-10-838T, July 17, 2010).
NARA, Records Management Self-Assessment 2014 (November 2015).
The ERMWG is chaired by the Director of the Office of Management Policy, Rightsizing and Innovation, and its members include the Chief Information Officer (CIO) and representatives from IRM, and
OMB and NARA Memorandum M-12-18, Memorandum for the Heads of Executive Departments and Agencies and Independent Agencies: Managing Government Records Directive, requires each agency to designate a Senior Agency Official (SAO) at the Assistant Secretary level or its equivalent with direct responsibility for ensuring the department or agency efficiently and appropriately complies with all applicable records management statutes, regulations, and NARA policy, and the requirements of this Directive. The SAO must be located within the organization to make
Insufficient Oversight of the Recordkeeping Process: During the 20-year period covered by this evaluation, S/ES has had day-to-day responsibility for the Secretary of State's records management responsibilities, and relies upon guidance and records schedules promulgated by the Bureau of Administration. The Bureau of Administration plans, develops, implements, and evaluates programs, policies, rules, regulations, practices, and procedures on behalf of the Secretary to ensure compliance with the letter and spirit of relevant statutes, executive orders, and guidelines. The Office of Information Programs and Services (IPS) is the component of the Bureau specifically tasked with issuing records guidance and overseeing records management efforts in the Department. Upon request, IPS reviews the records management practices of Department offices. The Acting Co-Director of IPS currently serves as the Agency Records Officer with program management responsibility for all records Department-wide throughout their life cycle (creation, acquisition, maintenance, use, and disposition). IPS has provided briefings, in conjunction with S/ES, to Office of the Secretary staff and has issued Department-wide notices and cables about records retention requirements, some of which included requirements to save email records, including records contained in personal emails. According to the FAM, the Agency Records Officer is responsible for seeing that the Department and all its component elements in the United States and abroad are in compliance with Federal records statutes and regulations, yet IPS has not reviewed Office of the Secretary records retention practices during the current or past four Secretaries' terms.

Footnotes:
(continued) adjustments to agency practices, personnel, and funding as may be necessary to ensure compliance and support the business needs of the department or agency. The Under Secretary for Management has served as the Department's SAO since 2012. Action Memo for the Secretary, Designating a Senior Agency Official (SAO) for Managing Government Records (November 27, 2012).
ERMWG, Action Memo for Under Secretary Kennedy: Preserving Electronically Senior Officials' Record Email Messages (August 22, 2014).
FAM 414.3 (June 2009).
Although NARA is responsible for conducting inspections or surveys of agencies' records and records management programs and practices, it last reviewed the Office of the Secretary's records retention practices in 1991, a quarter century ago. Beginning in 2009, NARA has relied on annual records management self-assessments and periodic reports from the Department to gauge the need to conduct formal inspections. The Department's last two self-assessments did not highlight any deficiencies.

Print and File Requirements Not Enforced: S/ES staff have provided numerous trainings for the Office of the Secretary on records preservation responsibilities and the requirement to print and file email records. However, S/ES staff told OIG that employees in the Office of the Secretary have printed and filed such emails only sporadically. In its discussions with OIG, NARA stated that this lack of compliance exists across the government. Although the Department is aware of the failure to print and file, the FAM contains no explicit penalties for lack of compliance, and the Department has never proposed discipline against an employee for failure to comply. OIG identified one email exchange occurring shortly before Secretary Clinton joined the Department that demonstrated a reluctance to communicate the requirement to incoming staff. In the exchange, records officials within the Bureau of Administration wondered whether there was an electronic method that could be used to capture the Secretary's emails because they were not comfortable advising the new administration to print and file email records.

Limited Ability to Retrieve Email Records: Even when emails are printed and filed, they are generally not inventoried or indexed and are therefore difficult to retrieve. As an illustration, almost 3,000 boxes, each filled with hundreds of pages of documents, would have to be reviewed manually, on a page-by-page basis, in order to identify and review all printed and filed emails from the Office of the Secretary since 1997. To help alleviate this problem, the Office of the Secretary could have adopted an electronic email management system in 2009 with the introduction of SMART. SMART allows users to designate specific emails sent or received through the Department's email system as record emails; other SMART users can search for and access record emails, depending on the access controls set by the individual who originally saved the email. However, prior OIG reports have repeatedly found that Department employees enter relatively few of their emails into the SMART system and that compliance varies greatly across bureaus, in part because of perceptions by Department employees that SMART is not intuitive, is difficult to use, and has some technical problems.

Footnotes:
FAM 414.2 (June 2009).
U.S.C. 2906. For an in-depth assessment of NARA's oversight practices, see GAO, National Archives and Records Administration: Oversight and Management Improvements Initiated, but More Action Needed (GAO-11-15, October 2010).
OIG, Review of State Messaging and Archive Retrieval Toolset and Record Email (ISP-I-15-15, March 2015) and OIG, Inspection of the Bureau of Administration, Global Information Services, Office of Information Programs and Services
In 2015, the Department began permanently retaining the emails of approximately 200 senior officials pursuant to the Capstone approach discussed previously. The Department also plans to purchase an off-the-shelf product to electronically manage its emails in keeping with the OMB and NARA requirement that it do so by December 2016. This product will be adapted to Department requirements to include an interface that requires users to determine the record value and sensitivity of an email with one click and an auto-tagging feature that will allow emails to be stored according to disposition schedules. The new system will also be able to process legacy email files, such as the Personal Storage Table (.pst) files of departed officials. In addition, the Department expects that the product will improve the Department's ability to perform more comprehensive email searches.

No Inventory of Archived Electronic Files: The S/ES Office of Information Resources Management (S/ES-IRM), the unit that handles information technology for the Office of the Secretary, reported to OIG that it has maintained electronic copies of email records for selected senior officials dating back as far as Secretary Powell's tenure. These records consist of thousands of electronic files, principally saved as .pst files. During OIG's fieldwork, S/ES-IRM did not have an inventory of the .pst or other electronic files that consistently identified the former email account holder. However, in early 2016, S/ES-IRM began to create a comprehensive inventory of these files.

Unavailable or Inaccessible Electronic Files: When OIG requested specific .pst files, it encountered difficulties in obtaining and accessing those files. S/ES-IRM was unable to produce all of the .pst files OIG requested, and some of the requested files were corrupted and their recovery required considerable resources. Some .pst files were password protected, and staff did not know the passwords needed to open those files. Other files contained no data at all. Of the .pst files OIG was able to review, many were incomplete in that they did not span the particular employee's entire term of service, were mislabeled, or were missing key files such as populated sent or inbox folders. According to S/ES-IRM, as part of the inventory process currently underway, it is moving all .pst files in its possession onto servers and clearly labeling them.

Failure to Transfer Email Records to IPS: All Department offices are required to retire, or transfer, records to IPS in accordance with the Department's records disposition schedules. For records specific to the Office of the Secretary, the relevant schedules require transferring most records to IPS at the end of the tenure of the Secretary. S/ES has regularly retired paper copies of such records throughout the Secretaries' terms. However, S/ES has not consistently retired electronic email records. In April 2015, S/ES retired nine lots of electronic records containing approximately gigabytes of data, consisting of emails, memoranda, travel records, and administrative documents from the tenures of former Secretaries Powell, Rice, and Clinton. However, the only email accounts included in this material were those of six former Secretary Powell staff and two former Secretary Rice staff. No email accounts from Secretary Clinton's staff were in the retired material.

In addition to retiring records in accordance with disposition schedules, offices must comply with Department policy requiring them to electronically capture the email accounts of selected senior officials upon their departure. A January 2009 memorandum from the Under Secretary for Management required Executive Directors and Management Officers to notify their system administrators of the departure of Presidential and political appointees and directed the administrators to copy the email accounts of those officials to two sets of CDs. The memorandum instructed the office to keep one of the CDs and send the other to IPS for records preservation. The memorandum included an attachment identifying all officials who were subject to these requirements, including officials from the offices under the purview of S/ES. In August 2014, the Under Secretary sent another memorandum reiterating the requirement to electronically capture the email accounts of senior officials and broadening the list of officials subject to the requirement. The Director of S/ES-IRM told OIG that S/ES complied with this requirement by creating .pst files covering the email accounts of the specified officials upon their departure. However, S/ES has never sent any CDs to IPS. In its most recent self-assessments of its records management, the Department stated that it has established a procedure for departing officials to have their emails sent to the Department's Records Officer for preservation, but it failed to note that it has not complied with that procedure for the most senior officials in the organization.

Footnotes:
(continued) (ISP-I-12-54, September 2012).
As noted previously, the Office of the Secretary did not implement SMART in part because of concerns that the system would allow users to access highly sensitive records.
On November 30, 2015, the Department issued a Request for Information to determine the capabilities of the private sector to provide and support a system to satisfy recordkeeping requirements involving emails by December 31, 2016. Department of State Email Management, Solicitation No. SAQMMA16I0008 (November 30, 2015).
The term .pst refers to the format used to store copies of email messages, calendar events, and other items within Microsoft software.
According to NARA regulations, creating .pst files is not an approved method of preserving Federal records, because .pst files do not have the required controls of an electronic records system. C.F.R. 1236.10.
FAM 433 (July 31, 2012).
Failure to Follow Department Separation Processes: As noted previously, NARA regulations require each agency to adopt procedures to ensure that departing officials and employees do not remove Federal records from agency custody. The Department has implemented these requirements through various FAM provisions, including one that requires every departing employee to sign a separation statement (DS-109) certifying that he or she has surrendered all documentation related to the official business of the Government. This function is handled for the Office of the Secretary by the Office of the S/ES Executive Director (S/ES-EX). However, S/ES-EX told OIG that, as the head of the agency, the Secretary is not asked to follow the exit process. Consequently, Secretaries Albright, Powell, Rice, and Clinton did not sign a DS-109 at the end of their tenures.

Footnotes:
The schedule for records specific to the Office of the Secretary is available at: https://foia.state.gov/_docs/RecordsDisposition/A-01.pdf
Under Secretary Patrick Kennedy, Memorandum for All Under Secretaries, Assistant Secretaries, Executive Directors and Post Management Officers: Preserving Electronically the Email of Senior Officials upon their Departure (January 2009).
The list of officials included the Secretary, Deputy Secretaries, Counselor, Chief of Protocol, Special Assistants to the Secretary, the Chief of Staff, and the Deputy Chief of Staff.
Under Secretary Patrick Kennedy, Memorandum: Senior Officials' Records Management Responsibilities (August 28, 2014).
See, e.g., Department of State, Senior Agency Official for Records Management 2014 Annual Report Template (February 2015).
Notwithstanding the failure to adhere to separation requirements, all departing Secretaries of State from Secretary Albright onward have followed the procedures governing the removal of personal papers. The FAH specifies that departing officials who wish to remove any documents must prepare an inventory of these personal papers and any non-record materials for review by Department officials. Once the reviewing official is satisfied that removal of the documents would comply with Federal law and regulations, the reviewing official completes and signs Form DS-1904 (Authorization for the Removal of Personal Papers and Non-Record Materials). As the form itself notes, this process is especially important to ensure that the official records of the Department are not "diminish[ed]." S/ES officials signed DS-1904 forms after the departures of Secretaries Albright, Powell, Rice, and Clinton. OIG reviewed the completed forms for these four Secretaries; none listed email as proposed for removal. However, in contrast to the Form DS-109, the DS-1904 does not impose a specific requirement to surrender documents.

Failure to Notify NARA of Loss of Records: Federal laws and regulations require an agency head to notify NARA of any actual, impending, or threatened unlawful removal or loss of agency records. Although numerous senior officials emailed Secretaries Powell and Clinton on their personal email accounts to conduct official business, the Department did not make a formal request to the former Secretaries for the Federal records contained within these personal accounts until October and November 2014. The Department also did not promptly notify NARA about the potential loss of records. NARA officials told OIG they learned of former Secretary Clinton's email practices through media accounts in March 2015. Immediately thereafter, NARA requested that the Department provide a report concerning the potential alienation of Federal email records created by former Secretary Clinton and actions taken to recover such records. In April 2015, the Department informed NARA of the information obtained from the former Secretaries concerning their email records. NARA subsequently requested additional information about how the Department implements records management requirements with regard to senior officials. NARA also requested that the Department contact the Internet service providers (ISPs) associated with the personal accounts of Secretaries Powell and Clinton to inquire if it is still possible to retrieve the email records that may still be present on their servers. The Under Secretary for Management subsequently informed NARA that the Department sent letters to the representatives of Powell and Clinton conveying this request.

Well before the disclosure in April 2015, Department officials discussed in 2011 whether there was an obligation to search personal email accounts for Federal records. In 2013, this issue arose again. Specifically, in early June 2013, Department staff participating in the review of potential material for production to congressional committees examining the September 2012 Benghazi attack discovered emails sent by the former Policy Planning Director via his Department email account to a personal email address associated with Secretary Clinton. In ensuing weeks, partly as a result of the staff discovery, Department senior officials discussed the Department's obligations under the Federal Records Act in the context of personal email accounts. As discussed earlier in this report, laws and regulations did not prohibit employees from using their personal email accounts for the conduct of official Department business. However, email messages regarding official business sent from a personal email account fell within the scope of the Federal Records Act if their contents met the Act's definition of a record. OIG found that the Department took no action to notify NARA of a potential loss of records at any point in time.

Footnotes:
C.F.R. 1222.24 (2009).
FAM 564.4 (July 10, 2015); FAM 414.7 (June 2015). These are the most current versions of these provisions, but the requirements have existed since at least 1995.
FAH-4 H-217.2 (August 13, 2008).
U.S.C. 3106; C.F.R. 1230.14.
In letters to the respective representatives of Secretaries Powell and Clinton, the Department asked that, should they be aware or become aware in the future of a federal record, such as an email sent or received on a personal email account while serving as Secretary of State, that a copy of this record be made available to the Department. In addition, the Department advised that they should note that diverse Department records are subject to various disposition schedules, with most Secretary of State records retained permanently. Therefore, the Department asked that a record be provided to the Department if there is reason to believe that it may not otherwise be preserved in the Department's recordkeeping system.
In May 2014, the Department undertook efforts to recover potential Federal records from Secretary Clinton. Thereafter, in July 2014, senior officials met with former members of Secretary Clinton's immediate staff, who were then acting as Secretary Clinton's representatives. At the meeting, her representative indicated that her practice of using a personal account was based on Secretary Powell's similar use, but Department staff instructed Clinton's representatives to provide the Department with any Federal records transmitted through her personal system. On August 22, 2014, Secretary Clinton's former Chief of Staff and then-representative advised Department leadership that hard copies of Secretary Clinton's emails containing responsive information would be provided but that, given the volume of emails, it would take some time to produce. Subsequently, in October 2014, the Department began making formal, written requests to the representatives of Secretaries Albright, Powell, Rice and Clinton to produce any Federal records maintained in personal accounts. Secretary Clinton produced emails in hard copy form in December 2014. Thereafter, in March 2015, the Department made a similar request to four of Secretary Clinton's immediate staff. They produced email from their personal accounts during the summer of 2015.
Letter from Paul Wester, Jr., Chief Records Officer for the U.S. Government, NARA, to Margaret Grafeld, Deputy Assistant Secretary for Global Information Systems, Bureau of Administration, U.S. Department of State (March 2015).
Grafeld Letter.
Letter from Paul Wester, Jr., Chief Records Officer for the U.S. Government, NARA, to Margaret Grafeld, Deputy Assistant Secretary for Global Information Systems, Bureau of Administration, U.S. Department of State (July 2015).
Letter from Patrick Kennedy, Under Secretary of State for Management, to Laurence Brewer, Acting Chief Records Officer for the U.S. Government, NARA (November 2015). Secretary Clinton responded to the Department that she has provided it with all official emails in her possession and pledged to provide any other record emails if they become available. As of May 2016, the Department has not received a response from Secretary Powell.
This was prompted by a FOIA matter, in which a plaintiff inquired about a document received showing that a staff assistant in the Office of the Secretary had received a work-related email on her personal account from someone who was not a Federal employee; the staff assistant had forwarded the email to her official account. This matter was ultimately resolved without further litigation.
STAFF EMAIL USAGE AND COMPLIANCE WITH RECORDS MANAGEMENT REQUIREMENTS VARY

As part of this evaluation, OIG sought to examine whether staff in the Office of the Secretary complied with relevant email records management requirements, including those associated with the use of personal email accounts. However, OIG was unable to systematically assess the extent to which Secretaries Albright, Powell, Rice, Clinton, and Kerry and their immediate staff managed and preserved email records. In particular, OIG could not readily retrieve and analyze email records, in part because of the previously discussed weaknesses in the Department's records management processes. Although hard-copy and electronic email records dating back to Secretary Albright's tenure exist, these records have never been organized or indexed. For example, the Department could not immediately retrieve and make available for review specific email accounts identified and requested by OIG, which led to 3-month-long delays in obtaining the requested records. In addition, OIG was unable to reconstruct many events because of staff turnover and current employees' limited recollections of past events. These problems were compounded by the fact that multiple former Department employees and other individuals declined OIG requests for interviews, and OIG lacks the authority to compel anyone who is not a current Department employee to submit to interviews or answer questions.

Moreover, OIG was unable to assess the degree to which Federal records sent through personal email accounts have been appropriately managed by Secretaries of State and their immediate staffs. Emails sent from the personal accounts of these individuals to other Department employees may or may not exist in the Department email accounts of the recipients, but OIG has limited ability to determine which accounts might contain these records unless the sender of the emails provides detailed information about the recipients. The Department currently lacks the resources and technical means to systematically review electronic files in its possession for records.
Despite these issues, OIG discovered anecdotal examples suggesting that Department staff have used personal email accounts to conduct official business, with wide variations among Secretaries and their immediate staff members. For instance, OIG reviewed the Department email accounts (.pst files) of [number illegible] senior Department employees who served on the immediate staffs of Secretary Powell and Secretary Rice between 2001 and 2008. Within these accounts, OIG identified more than [number illegible] Department employees who periodically used personal email accounts to conduct official business, though OIG could not quantify the frequency of this use.

The current Deputy Secretary for Management and Resources, who during the summer of 2013 served as Counselor of the Department, told OIG that she recalled conversations with Secretary Kerry about email usage, but the conversations focused only on Secretary Kerry's practices. In his interview with OIG, Secretary Kerry reported that he was not involved in any of the discussions regarding Secretary Clinton's emails and that he first became aware of her exclusive use of a personal email account when an aide informed him around the time the information became public.

OIG also reviewed an S/ES-IRM report prepared in 2010 showing that more than 9,200 emails were sent within one week from S/ES servers to web-based email domains, including gmail.com, hotmail.com, and att.net.⁸² S/ES-IRM told OIG that it no longer has access to the tool used to generate this particular report. In another instance, in June 2011, in an email message to Secretary Clinton with the subject line "Google email hacking and woeful state of civilian technology," a former Director of Policy Planning wrote: "State's technology is so antiquated that NO ONE uses a State-issued laptop and even high officials routinely end up using their home email accounts to be able to get their work done quickly and effectively."
Notwithstanding the limitations on its ability to conduct a systematic evaluation, the information available allowed OIG to establish that email usage and compliance with statutory, regulatory, and Department requirements varied across the past five Secretaries' tenures. The practices of each Secretary and their immediate staff are discussed below.

Secretary Albright (January 23, 1997 – January 20, 2001): During Secretary Albright's tenure, desktop unclassified email and access to the Internet were not widely available to Department employees. OIG searched selected hard-copy records from her tenure and did not find any evidence to indicate that Secretary Albright used either Department or personal email accounts during that period. OIG additionally interviewed Secretary Albright and current and former Department staff, who further confirmed that she did not use email while serving as Secretary. In her interview with OIG, Secretary Albright noted that email use was still in its early stages when she became Secretary, and at the time she had no familiarity with the practice.

With regard to Secretary Albright's immediate staff, OIG did not find any emails that appeared to be from personal accounts and only found a few emails from staff Department accounts related to the Secretary's schedule. Staff responses to OIG questionnaires also identified minimal email usage, though two staff noted retaining emails on Department servers. These responses suggest staff may not have consistently complied with the preservation requirement to print and file emails containing Federal records.

82 Not all of these emails may indicate the use of personal email to conduct official business. Some of these emails could be communications with individuals outside the Department. Others could be communications by employees on personal matters, which is permissible under the Department's limited-use policy.
83 OIG sent questionnaires to [number illegible] former Secretary Albright staff and received [number illegible] responses, which were anonymous. None of the respondents reported having a personal email account while employed with the Department, and most did not acknowledge using a Department account. Two noted that they retained their emails on Department servers and one recalled receiving training on the topic of email preservation.
84 FAM 443.3 (October 30, 1995).
Secretary Powell (January 20, 2001 – January 26, 2005): During Secretary Powell's tenure, the Department introduced for the first time unclassified desktop email and access to the Internet on a system known as OpenNet, which remains in use to this day. Secretary Powell did not employ a Department email account, even after OpenNet's introduction. He has publicly written: "To complement the official State Department computer in my office, I installed a laptop computer on a private line. My personal email account on the laptop allowed me direct access to anyone online. I started shooting emails to my principal assistants, to individual ambassadors, and increasingly to my foreign-minister colleagues."

OIG identified emails sent from and received by Secretary Powell's personal account in selected records associated with Secretary Powell. During his interview with OIG, Secretary Powell stated that he accessed the email account via his personal laptop computer in his office, while traveling, and at his residence, but not through a mobile device. His representative advised the Department that Secretary Powell did not retain those emails or make printed copies.

Secretary Powell also stated that neither he nor his representatives took any specific measures to preserve Federal records in his email account. Secretary Powell's representative told OIG that she asked Department staff responsible for recordkeeping whether they needed anything to preserve the Secretary's emails prior to his departure, though she could not recall the names or titles of these staff. According to the representative, the Department staff responded that the Secretary's emails would be captured on Department servers because the Secretary had emailed other Department employees.
However, according to records management requirements and OIG's discussion with NARA, sending emails from a personal account to other employees at their Department accounts is not an appropriate method of preserving emails that constitute Federal records. Guidance issued by both NARA and the Department emphasizes that all employees have records management responsibilities and must make and preserve records that they send and receive. Moreover, in keeping with NARA regulations, the Department's policies specifically acknowledged that its email system at the time did not contain features necessary for long-term preservation of Federal records. Therefore, Secretary Powell should have preserved any Federal records he created and received on his personal account by printing and filing those records with the related files in the Office of the Secretary.

NARA agrees that the records should have been printed and filed but also told OIG that any effort to transfer such records to the Department would have mitigated the failure to preserve these records. At a minimum, Secretary Powell should have surrendered all emails sent from or received on his personal account that related to Department business. Because he did not do so at the time that he departed government service or at any time thereafter, Secretary Powell did not comply with Department policies that were implemented in accordance with the Federal Records Act. In an attempt to address this deficiency, NARA requested that the Department inquire with Secretary Powell's internet service or email provider to determine whether it is still possible to retrieve the email records that might remain on its servers.⁹² The Under Secretary for Management subsequently informed NARA that the Department sent a letter to Secretary Powell's representative conveying this request. As of May 2016, the Department had not received a response from Secretary Powell or his representative.

Members of Secretary Powell's immediate staff who responded to OIG questionnaires described minimal email usage overall; two staff recalled printing and filing emails in Department recordkeeping systems. While the limited number of respondents also asserted they did not use personal email accounts for official business, OIG discovered some personal email usage for official business by Secretary Powell's staff through its own review of selected records.

Secretary Rice (January 26, 2005 – January 20, 2009): Secretary Rice and her representative advised the Department and OIG that the Secretary did not use either personal or Department email accounts for official business. OIG searched selected records and did not find any evidence to indicate that the Secretary used such accounts during her tenure.

OIG received limited responses to questionnaires sent to former Secretary Rice staff. Two staff recalled printing and filing emails, and only one acknowledged the use of personal email accounts for official business. OIG reviewed hard-copy and electronic records of Secretary Rice's immediate staff and discovered that other staff who did not reply to the questionnaire did use personal email accounts to conduct official business.

85 Colin Powell, It Worked for Me, 109 (2012).
86 Grafeld Letter.
87 C.F.R. 1234.24(b)(2) (August 28, 1995).
88 FAM 414.8 (September 17, 2004). The prior version was located at FAM 413.10 (October 30, 1995). See also NARA, Frequently Asked Questions about Records Management in General, available at http://www.archives.gov/records-mgmt/faqs/general.html#responsibility (January 20, 2001) (stating that Federal employees are responsible for making and keeping records of their work).
89 C.F.R. 1234.24(d) (August 28, 1995). In 2009, this provision was moved to C.F.R. 1236.22(d) (October 2009). It states, "Agencies must not use an electronic mail system to store the recordkeeping copy of electronic mail messages identified as Federal records unless that system has" certain listed attributes.
90 As noted previously, Department guidance explained that messages must be printed and filed "until technology allowing archival capabilities for long-term electronic storage and retrieval of E-mail records is available and installed that will preserve messages for periods longer than current E-mail systems routinely maintain them." FAM 443.3 (October 30, 1995).
91 FAM 443.3 (October 30, 1995).
92 Letter from Paul Wester, Jr., Chief Records Officer for the U.S. Government, NARA, to Margaret Grafeld, Deputy Assistant Secretary for Global Information Systems, Bureau of Administration, U.S. Department of State (July 2015).
93 Letter from Patrick Kennedy, Under Secretary of State for Management, to Laurence Brewer, Acting Chief Records Officer for the U.S. Government, NARA (November 2015).
94 OIG sent questionnaires to [number illegible] former Secretary Powell staff and received [number illegible] responses, of which one was anonymous. Two respondents stated they created records by printing copies of emails from their Department accounts and filing them into the Department's records system. One respondent recalled receiving records retention training.
95 Grafeld Letter.
Secretary Clinton (January 21, 2009 – February 2013): Former Secretary Clinton did not use a Department email account and has acknowledged using an email account maintained on a private server for official business. As discussed above, in December 2014, her representative produced to the Department 55,000 hard-copy pages of documents, representing approximately 30,000 emails that could potentially constitute Federal records that she sent or received from April 2009 through early 2013. Secretary Clinton's representative asserted that, because the Secretary emailed Department officials at their government email accounts, the Department already had records of the Secretary's email preserved within its recordkeeping systems. As previously discussed, however, sending emails from a personal account to other employees at their Department accounts is not an appropriate method of preserving any such emails that would constitute a Federal record. Therefore, Secretary Clinton should have preserved any Federal records she created and received on her personal account by printing and filing those records with the related files in the Office of the Secretary. At a minimum, Secretary Clinton should have surrendered all emails dealing with Department business before leaving government service and, because she did not do so, she did not comply with the Department's policies that were implemented in accordance with the Federal Records Act.

NARA agrees with the foregoing assessment but told OIG that Secretary Clinton's production of 55,000 pages of emails mitigated her failure to properly preserve emails that qualified as Federal records during her tenure and to surrender such records upon her departure. OIG concurs with NARA but also notes that Secretary Clinton's production was incomplete. For example, the Department and OIG both determined that the production included no email covering the first few months of Secretary Clinton's tenure, from January 21, 2009, to March 17, 2009, for received messages; and from January 21, 2009, to April 12, 2009, for sent messages. OIG discovered multiple instances in which Secretary Clinton's personal email account sent and received official business email during this period. For instance, the Department of Defense provided OIG in September 2015 with copies of emails between Secretary Clinton and General David Petraeus on his official Department of Defense email account; these emails were not in the Secretary's 55,000-page production. OIG also learned that the 55,000-page production did not contain some emails that an external contact not employed by the Department sent to Secretary Clinton regarding Department business. In an attempt to address these deficiencies, NARA requested that the Department inquire with Secretary Clinton's internet service or email provider to determine whether it is still possible to retrieve the email records that might remain on its servers. The Department conveyed this request to Secretary Clinton's representative and in November 2015, the Under Secretary for Management reported to NARA that the representative responded as follows:

With regard to her tenure as Secretary of State, former Secretary Clinton has provided the Department, in December 2014, with all federal e-mail records in her custody, regardless of their format or the domain on which they were stored or created, that may not otherwise be preserved, to our knowledge, in the Department's recordkeeping system. She does not have custody of e-mails sent or received during the first few weeks of her tenure as she was transitioning to a new address, and we have been unable to obtain these. In the event we do, we will immediately provide the Department with federal record e-mails in this collection.¹⁰⁰

With regard to Secretary Clinton's immediate staff, OIG received limited responses to its questionnaires, though two Secretary Clinton staff acknowledged occasional use of personal email accounts for official business.¹⁰¹ However, OIG learned of extensive use of personal email accounts by four immediate staff members (none of whom responded to the questionnaire). During the summer of 2015, their representatives produced Federal records in response to a request from the Department, portions of which included material sent and received via their personal email accounts.¹⁰² The material consists of nearly 72,000 pages in hard copy and more than 7.5 gigabytes of electronic data. One of the staff submitted 9,585 emails spanning January 22, 2009, to February 24, 2013, averaging [number illegible] emails per workday sent on a personal email account. In this material, there are instances where the four individuals sent or received emails regarding Department business using only their personal web-based email accounts. Accordingly, these staff failed to comply with Department policies intended to implement NARA regulations, because none of these emails were preserved in Department recordkeeping systems prior to their production in 2015.¹⁰³ As noted above, NARA has concluded that these subsequent productions mitigated their failure to properly preserve emails that qualified as Federal records during their service as Department employees. However, OIG did not attempt to determine whether these productions were complete. None of these individuals are currently employed by the Department.

96 OIG sent questionnaires to [number illegible] of Secretary Rice's former staff and received [number illegible] responses. Only one respondent reported using personal email accounts to conduct official business when Department accounts were down or inaccessible. Two respondents said they printed emails and filed them into the Department's records systems; another said he believed IRM backed up all emails. One respondent stated she did not recall any specific instructions about retaining emails but assumed all emails were captured electronically.
97 Letter from Cheryl Mills, cdmills Group, to Patrick Kennedy, Under Secretary of State for Management (December 2014).
98 FAM 443.3 (October 30, 1995).
99 Letter from Paul Wester, Jr., Chief Records Officer for the U.S. Government, NARA, to Margaret Grafeld, Deputy Assistant Secretary for Global Information Systems, Bureau of Administration, U.S. Department of State (July 2015).
100 Letter from Patrick Kennedy, Under Secretary of State for Management, to Laurence Brewer, Acting Chief Records Officer for the U.S. Government, NARA (November 2015).
101 OIG sent questionnaires to [number illegible] Secretary Clinton staff and received [number illegible] responses. Three respondents reported that they did not use personal email accounts to conduct official business. Another reported occasionally using personal email accounts while traveling with the Secretary and when Department accounts were not working. Another said he occasionally used his personal laptop or desktop at home to access the Department's OpenNet and that he assumed all data processed on OpenNet would be available to the Department.
102 The material was produced to the Department for the following individuals (title: production dates):
Counselor and Chief of Staff: 6/25/2015; 8/10/2015; 8/12/2015
Deputy Chief of Staff for Operations: 7/9/2015; 8/7/2015
Deputy Chief of Staff/Director of Policy Planning: 7/30/2015
Deputy Assistant Secretary, Strategic Communications: 7/28/2015; 8/6/15
Secretary Kerry (February 2013 – Present): Secretary Kerry uses a Department email account on OpenNet and stated that, while he has used a personal email account to conduct official business, he has done so infrequently. In his interview with OIG, Secretary Kerry stated that he used his personal email more frequently when he was transitioning from the U.S. Senate to the Office of the Secretary. However, after discussions with his aides and other Department staff, he began primarily using his Department email account to conduct official business. The Secretary stated he may occasionally use personal email for official business when responding to a sender who emailed him on his personal account. The Secretary also stated that he either copies or forwards such emails to his Department account and copies his assistant. OIG's limited review of electronic records shows some personal email account usage by Secretary Kerry. Secretary Kerry's emails are now being retained using the Capstone approach discussed previously, which complies with the Federal Records Act and email records management requirements.¹⁰⁴

OIG received responses to questionnaires from most of Secretary Kerry's immediate staff, who reported occasional use of personal email accounts for official business.¹⁰⁵ A number of staff also reported that they follow current policy by forwarding emails containing Federal records from personal accounts to Department accounts.¹⁰⁶ OIG's limited review of electronic records shows some personal email account usage by these staff.

Other staff reported that their emails are being retained using the Capstone approach, and some mentioned preserving emails through printing and filing. Several staff mentioned preserving emails by saving them in their Department email accounts. However, as previously noted, NARA regulations state that agencies may only use an electronic mail system to store the recordkeeping copy of electronic mail messages identified as Federal records if that system contains specific features;¹⁰⁷ the current Department email system does not contain these features. Given that the Office of the Secretary does not use the SMART system, staff whose emails are not being retained under the Capstone approach should still be preserving emails through printing and filing. However, as previously noted, the Department is in the process of adopting a new email records management system that will cover the Office of the Secretary, with the goal of meeting the requirement to manage all email records in electronic format by December 31, 2016.¹⁰⁸ The Department plans that this system will eventually capture some of the email currently saved in Department email accounts and all of the email of senior officials currently being preserved.

103 C.F.R. 1236.22(d) (October 2009); FAM 443.3 (October 30, 1995).
104 NARA, Guidance on a New Approach to Managing Email Records, Bulletin No. 2013-02 (August 29, 2013), available at https://www.archives.gov/records-mgmt/bulletins/2013/2013-02.html.
105 OIG sent questionnaires to [number illegible] Secretary Kerry staff and received [number illegible] responses (several of the non-respondents had departed or were departing the Office of the Secretary), as well as a completed questionnaire from Secretary Kerry. With regard to preservation of Department emails, many reported retaining files in Microsoft Outlook and others reported that the Department was permanently retaining their email as part of the new Capstone program for senior officials. Most staff reported receiving training or other guidance on records preservation requirements through a variety of means, including formal training sessions, briefings, memos, and Department notices. Eleven staff reported using personal email accounts or other devices for official business, usually because of Internet connectivity interruptions while traveling.
106 Eight stated that they forwarded or copied these emails to their Department accounts for records preservation purposes.
CYBERSECURITY RISKS RESULT FROM THE USE OF NON-DEPARTMENTAL SYSTEMS AND EMAIL ACCOUNTS

In addition to complying with records management and preservation requirements, Department employees, including those in the Office of the Secretary, must comply with cybersecurity policies. Department information must be secure and protected from threats. DS and IRM are the two bureaus within the Department with primary responsibility for ensuring the security of Department electronic information.¹⁰⁹ IRM is responsible for establishing effective information resource management planning and policies; ensuring the availability of information technology systems and operations; and approving development and administration of the Department's computer and information security programs and policies. DS is responsible for providing a safe and secure environment for the conduct of U.S. foreign policy, including personal, physical, and information security.¹¹⁰

According to DS and IRM officials, Department employees must use agency-authorized information systems to conduct normal day-to-day operations because the use of non-Departmental systems creates significant security risks. Department policies have evolved considerably over the past two decades; but since 1996, the FAM and FAH have contained numerous provisions regulating the use of such outside systems, including computers, personal devices, Internet connections, and email. (See the Appendix for a compilation of related cybersecurity laws and policies that were in effect during the tenures of each Secretary, from Secretary Albright through Secretary Kerry.) These provisions contemplate limited use of non-Departmental systems, but the exceptions are quite narrow. Among the risks is the targeting and penetration of the personal email accounts of Department employees, which was brought to the attention of the most senior officials in the Department in early 2011.¹¹¹ Another significant risk is the introduction of viruses and malware onto Department systems, which increases their vulnerability to intrusion.

Based on this evaluation and a previous OIG inspection, OIG identified three Department officials, Secretary Powell, Secretary Clinton, and a former U.S. Ambassador to Kenya, who exclusively used non-Departmental systems to conduct official business. As will be discussed in greater detail below, OIG acknowledges significant differences in the facts and circumstances surrounding each of these cases.

107 C.F.R. 1236.22 (October 2009).
108 OMB and NARA, Memorandum for The Heads of Executive Departments and Agencies and Independent Agencies: Managing Government Records Directive (OMB Memorandum M-12-18) (August 24, 2012).
109 FAM 271.1(4) (March 2010).
110 FAM 010 (December 21, 2004).
Employees Generally Must Use Department Information Systems to Conduct Official Business

The Department's current policy, implemented in 2005, is that normal day-to-day operations should be conducted on an authorized Automated Information System (AIS), which "has the proper level of security control to ensure confidentiality, integrity, and availability of the resident information."¹¹² The FAM defines an AIS as an assembly of hardware, software, and firmware used to electronically input, process, store, and/or output data.¹¹³ Examples include: mainframes, servers, desktop workstations, and mobile devices (such as laptops, e-readers, smartphones, and tablets).

This policy comports with FISMA, which was enacted in December 2002 and requires Federal agencies to ensure information security for the systems that support the agency's operations and assets, including "information security protections for information systems used by a contractor of an agency or other organization on behalf of an agency."¹¹⁴ FISMA defines information security as "protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide for the integrity, confidentiality, and availability" of the information and systems.¹¹⁵ In 2006, as required by FISMA, NIST promulgated minimum security requirements that apply to all information within the Federal Government and Federal information systems.¹¹⁶ Among these are requirements for certifying and accrediting information systems, retaining system audit records for monitoring purposes, conducting risk assessments, and ensuring the protection of communications.

111 See, e.g., STATE 65111 (June 28, 2011).
112 FAM 544.3 (November 2005). This provision also states that "The Department's authorized telework solution(s) are designed in a manner that meet these requirements and are not considered end points outside the Department's management control."
113 FAM 091 (January 11, 2016).
114 U.S.C. 3554.
115 U.S.C. 3552(b)(3).
116 NIST, FIPS PUB 200: Minimum Security Requirements for Federal Information and Information Systems (March 2006).
In 2007, the Department adopted additional policies to implement these requirements, including numerous provisions intended to ensure that non-Departmental information systems that process or store Department information maintain the same minimum security controls. Further, non-Departmental systems that are sponsored by the Department to process information on its behalf must be registered with the Department.¹¹⁷
Restrictions Apply to the Use of Non-Departmental Systems

The FAM and FAH contain a number of restrictions regarding the use of non-Departmental computers, mobile devices, Internet connections, and personal email to transmit Department information. These provisions have evolved since 1996, but employees must implement safeguards or request approval before using such equipment. The figure below shows the evolution of these provisions and related statutes and regulations.

117 FAH-11 H-412.4(c)(4) (June 25, 2007).
[Figure: evolution of the FAM and FAH provisions on the use of non-Departmental systems and the related statutes and regulations. Source: OIG analysis of laws and policies.]
Privately Owned Computers and Mobile Devices: 1996, the FAM directed Department
systems managers ensure that privately owned computers were not installed used any
Department office building. 118 2008, the Department amended this provision prohibit the
use installation non-U.S. Government-owned computers any Department facility without
the written approval and IRM, with certain exceptions. 119 2009, the Department adopted polices addressing the specific requirements for use nonDepartment-owned personal digital assistants (PDAs). 120 Under this policy, PDAs could only
turned and used within Department areas that are strictly unclassified (such the cafeteria)
and could not connect with Department network except via Department-approved remoteaccess program, such Global OpenNet. 121 2014, the Department amended this provision
authorize Department managers domestic locations allow non-Department-owned PDAs
within their specific work areas, provided users maintain minimum 10-foot separation between
the PDA and classified processing equipment. 2015, the Department replaced these
provisions with new FAH provision that included the domestic 10-foot-separation rule and the
ban connecting Department network except via Department-approved remote-access
program. 122
Related these provisions the Department policy remote processing the processing
Department unclassified sensitive but unclassified (SBU) information non-Departmentowned systems (such home computer tablet) Department-owned systems (such Department-issued laptop) non-Departmental facilities (such employee home hotel) which has been place since 2008. 123 Under this policy, management and
employees must exercise particular care and judgment when remotely processing SBU
information. 124 Offices that allow employees remotely process SBU information must ensure
that appropriate administrative, technical, and physical safeguards are maintained protect the
118 FAM 625.2-1 (April 12, 1996).
119 FAM 625.2-1 (July 28, 2008). This provision was removed from the FAM in 2015, but a FAH provision prohibits the installation of non-Department-owned information systems within Department facilities without the required written authorization, including that of IRM. FAH-10 H-112.14-2 (September 19, 2014). Both the FAM and FAH provisions include an exception for a non-Department entity that has approved dedicated space within a Department facility.
120 The FAM defined PDAs as hand-held computers, including standard personal digital assistants (e.g., Palm devices, Win devices, etc.) and multi-function automated information system (AIS) devices (e.g., BlackBerry devices, PDA/cell phones, etc.). FAM 683.1 (December 2009).
121 FAM 683.2-3 (December 2009).
122 FAH-10 H-165.4 (May 20, 2015). These devices are referred to as Non-Department Owned Mobile Devices (NDOMDs).
123 FAM 682 (August 2008). This subchapter was later removed from the FAM and moved to the FAH at FAH-10 H-170 (as amended January 11, 2016).
124 FAM 682.2-4 (August 2008). This requirement is currently located at FAH-10 H-173.4 (January 11, 2016). SBU information is defined in the FAM as information that is not classified for national security reasons but that warrants or requires administrative control and protection from public or other unauthorized disclosure for other reasons. Examples include personnel data, visa and asylum records, law enforcement information, privileged communications, and deliberative inter- or intra-agency communications. FAM 541 (March 2013).
confidentiality and integrity of records and ensure encryption of SBU information with products certified by NIST. Employees must implement and regularly update basic home security controls, including firewall, anti-spyware, antivirus, and file-destruction applications for all computers on the network.125 In 2014, the Department added a provision to the FAH to require users who process SBU information on non-Department-owned storage media to encrypt it with products certified by NIST.126

Internet Connections: Since the end of 2002, the FAM has required all Department facilities to use the Department's primary Internet connection, OpenNet, to establish Internet connectivity.127 The Department further regulated access to the Internet by establishing rules in 2004 addressing the use of non-Departmental Internet connections in Department facilities.128

Personal Email: Since 2002, Department employees have been prohibited from auto-forwarding their email to a personal email address, to preclude inadvertent transmission of SBU email over the Internet.129

The FAM also reminds employees that transmissions from the Department's OpenNet to and from non-U.S. Government Internet addresses, and other .gov or .mil addresses, unless specifically directed through approved secure means, traverse the Internet unencrypted.130 The FAM further states that, with regard to SBU information, the Department is expected to provide, and employees are expected to use, approved secure methods to transmit such information when available and practical. However, if such secure methods are not available, employees with a valid business need may transmit SBU information over the Internet unencrypted as long as they carefully consider that unencrypted emails can pass through foreign- and domestic-controlled ISPs, placing the confidentiality and integrity of the information at risk. In addition, the FAM instructs employees transmitting SBU information outside the
125 FAM 682.2-5 (August 2008). Currently, these requirements, as amended, are located at FAH-10 H-173.4 (January 11, 2016). The amended provision requires NIST FIPS 140-2 encryption for SBU information in addition to the use of firewall, anti-spyware, anti-virus, and file-destruction applications.
126 FAH-10 H-172.1 (September 25, 2014). Currently, this requirement is located at FAH-10 H-173.4 (January 11, 2016). If the employee has a wireless home network, the FAH requires use of a NIST-validated product to secure the wireless connection. FAH-10 H-173.4(9) (September 25, 2014).
127 FAM 871 (December 30, 2002). The language of this provision was amended in 2004, 2009, and 2013, but the basic requirement to use OpenNet has remained consistent.
128 FAM 874.2 (May 2004). Currently, these rules are at FAM 872 (May 2014). Department facilities must seek authorization from the bureau Executive Director or post Management Officer to use such a connection. FAM 872.1 (May 2014). Such systems may not be used to process SBU information, except in limited amounts under exigent circumstances. FAM 872.2 (May 2014).
129 FAM 751.2 (February 27, 2002). This rule was amended in 2011 to incorporate a prohibition on including a personal email address in an auto-reply message. FAM 752.1(e) (November 14, 2011).
130 FAM 544.3 (November 2005). From 2002 to 2005, transmission of SBU information over the Internet was completely prohibited. FAM 751.2 (February 27, 2002).
Department's OpenNet network on a regular basis to the same official or personal email address to request a solution from IRM.131 In 2015, the Department amended the FAM to incorporate NARA guidance, which advises employees that personal accounts should only be used in exceptional circumstances.132 This provision also states that Department employees are discouraged from using private email accounts (e.g., Gmail, AOL, Hotmail, etc.) for official business [except] in those very limited circumstances when it becomes necessary to do so. However, the FAM gives no further guidance about what type of circumstances would permit use of personal email.

The Department Has Issued Numerous Warnings About Cybersecurity Risks

One of the primary reasons that Department policy requires the use of Department systems is to guard against cybersecurity incidents. Threats and actual attacks against the Department have been on the rise for nearly a decade. For example, in May 2006, the Department experienced large-scale computer intrusions that targeted its headquarters and its East Asian posts.133 Consequently, the Department has issued numerous announcements, cables, training requirements, and memos to highlight the various restrictions and risks associated with the use of non-Departmental systems, especially the use of personal email accounts.

As early as 2004, Department cables reminded staff that only Department-approved software should be installed on the Department's information systems, because outside software may bypass firewall and anti-virus checks, creating an open channel for hackers and malicious code and thus placing Department networks at serious risk.134 Since then, the Department has published prohibitions or warnings related to the use of instant messaging, PDAs and smartphones, thumb drives, CDs and DVDs, Internet browsers, and personally owned devices.135 Employees are also reminded of these issues through the Department's required annual Cybersecurity Awareness course.136 Further, in 2005 the Cyber Threat Analysis Division (CTAD) began issuing notices to Department computer users specifically highlighting cybersecurity threats. For example, CTAD
131 FAM 544.2 (November 2005).
132 FAM 443.7 (October 23, 2015).
133 See Cyber Insecurity: Hackers Are Penetrating Federal Systems And Critical Infrastructure: Hearing Before the House Committee on Homeland Security, Subcommittee on Emerging Threats, Cybersecurity And Science And Technology, 110th Congress (2007) (statement of Donald Reid, Senior Coordinator for Security Infrastructure, Bureau of Diplomatic Security, U.S. Department of State), 13-15.
134 STATE 204864 (September 22, 2004).
135 See, e.g., STATE 096534 (May 2005); Prohibition Against Use of Privately Owned Software/Hardware on Department Automated Information Systems, Announcement No. 2006_01_074 (Ja