State Department Insecurity

Regardless of what one might think about the FBI’s decision to let ex-Secretary of State and Democratic Party Presidential nominee Hillary Clinton escape prosecution over her handling of State Department emails on her unsecured personal email server, you’d think the hoo-raw over the matter for all this time at least would prompt State to take seriously Department handling of emails.

You’d think wrong.

State’s Inspector General has issued a report that, in its totality, shows that the State Department just doesn’t care about national secrets, to the point of not even troubling itself to shut down unused email accounts.  This despite repeated “suggestions” that they do just that.

The report, titled Management Assistance Report: Inactive Accounts Within the Department of State’s Active Directory, has this in its opening paragraphs.

Acting on behalf of the Office of Inspector General (OIG), Office of Audits, Williams, Adley & Company-DC, LLP (Williams Adley), an independent public accounting firm, evaluated whether the Department disabled inactive AD user accounts in accordance with its internal policies.  …  The Department’s AD account policy states that Department officials should disable inactive user accounts after 90 or more days.

Nope.

Of the 40,794 domestic AD accounts tested for this audit, Williams Adley found 2,601 (6.4%) had not been disabled after 90 days of inactivity. Of the 2,601 inactive accounts, 1,932 (74%) accounts were inactive for more than 1 year….

This has been an ongoing passive-aggressive resistance problem [SBU means “Sensitive but Unclassified;” its line-out in the original means the indicated paragraph has been completely declassified so the public can see it].

(SBU) OIG reported a similar deficiency in its FY 2015 Federal Information Security Management Act audit report.

And

(SBU) In its 2014 report on AD, OIG stated that the deficiencies it identified with AD Rights Management primarily occurred because IRM had not established a governance structure or strategy to ensure that AD Rights Management was implemented and managed consistently.

The report concludes with these two tidbits tied back to an earlier recommendation [Emphasis within the paragraphs added by me.]

Recommendation 1: (SBU) OIG recommends that the Bureau of Information Resource Management amend the “Program Management Plan for PIV Login to OpenNet Deployment” to address the identification and removal process of mailbox, service, and terminated user accounts.

Management Response (April 2016): (SBU) IRM non-concurs with this recommendation. The Program Management Plan for PIV Login was created to deploy and implement PIV domestically and overseas. Now that IRM has completed that goal, the plan has been completed and does not lend itself to amendment.

In other words, State considers complying—to set out instructions for complete removal of these accounts—to be too much like work.

Recommendation 2: (SBU) OIG recommends that the Bureau of Information Resource Management implement the new guidance from the “Program Management Plan for PIV Login to OpenNet Deployment,” once amended in response to Recommendation 1 of this report.

Management Response (April 2016): (SBU) IRM non-concurs with this recommendation. The Program Management Plan for PIV Login was created to deploy and implement PIV domestically and overseas. Now that IRM has completed that goal, the plan has been completed and does not lend itself to amendment.

Again, that’s just too much like work.

The State Department needs a complete housecleaning, including a complete turnover of non-Foreign Service personnel.

Elections have consequences.

1 thought on “State Department Insecurity

  1. Sounds like a quibble, but it’s not — You said, “… to the point of not even troubling itself to shut down unused email accounts.”

    The report, however, refers to “AD accounts,” spelled out in the title as Active Directory accounts. That’s actually much more serious than email accounts. AD is your total system access account – all the files, and what you can do with them, not just emails. Often, the email account is separate, though (for convenience) the passwords may be linked in your IT’s implementation of the (Microsoft) servers. AD is a MS construct; UNIX/Linux can be integrated with it. Wikipedia has a pretty clear summary https://en.wikipedia.org/wiki/Active_Directory.

Leave a Reply

Your email address will not be published. Required fields are marked *