May 20, 2013. Dear Mr. Chairman:




UNITED STATES DEPARTMENT OF COMMERCE
The Inspector General
Washington, D.C. 20230

May 20, 2013

The Honorable Lamar Smith
Chairman
Committee on Science, Space and Technology
United States House of Representatives
Washington, DC 20515-6301

Dear Mr. Chairman:

This responds to the Committee on Science, Space and Technology's letter of November 15, 2012, in which it was requested we examine issues related to the Department of Commerce's (DOC) use of personal and/or alias email accounts to conduct official government business. Pursuant to your request, we conducted an inquiry focused on the following:

a) Whether it is possible to determine the extent personal email accounts are used by DOC employees to conduct official business.
b) Whether DOC has procedures in place to collect, maintain, and access records created by personal or alias email accounts.
c) Whether DOC has provided appropriate training for staff related to the use of personal or alias email accounts.
d) Whether DOC has reprimanded, counseled, or taken administrative action against any employees for using personal or alias email accounts.
e) Whether DOC officials have promoted or encouraged the use of personal or alias emails for conducting official government business.

For the purposes of this inquiry, "personal email account" is defined as an account established with a commercial internet service provider such as Yahoo!, Gmail, or Hotmail. "Unofficial alias email account" is defined as a DOC email account where the name or position of the account holder is not readily apparent. "Official alias account" is defined as a DOC-established email account with a clearly identifiable account holder or purpose, such as one using an individual account holder's title or a group account holder's function.

In the course of our inquiry, which focused on the Office of the Secretary (OS), the National Oceanic and Atmospheric Administration (NOAA), and the National Institute of Standards and Technology (NIST), we examined various policies and procedures. We also interviewed senior leadership within the Department, including: the Acting Secretary of Commerce; the Under Secretary of Commerce for Standards and Technology and NIST Director; the then-Under Secretary of Commerce for Oceans and Atmosphere and NOAA Administrator; and the Assistant Secretary of Commerce/Deputy Administrator of NOAA (current Acting NOAA Administrator).

In addition, we interviewed the DOC Chief Information Officer (CIO) and other relevant CIO staff from the Department, NIST, and NOAA. We also reviewed relevant training materials and information pertaining to personnel action resulting from the use of personal or alias email to conduct official business. Our findings and recommendations are presented below. We are also transmitting these results to the DOC CIO for action and response, as well as to the Acting Secretary of Commerce.

a. The extent to which personal email accounts are used by DOC employees to conduct official business could not be determined.

We were unable to determine the extent of personal email use by DOC employees to conduct official business because DOC does not have the technology, policies, or procedures in place to provide this information.

b. Current DOC policy and procedures regarding the use of personal or alias email accounts for official business is only found in a "Remote Access Policy" and, therefore, is not interpreted as a blanket policy.

DOC presently lacks a comprehensive, Department-wide policy prohibiting the use of personal email to conduct official government business. The policies currently in place do not address all circumstances of use of personal email to conduct official business. In addition, DOC, including NIST and NOAA, does not have any policy regarding unofficial alias email accounts.

The Commerce Interim Technical Requirements (CITR)-008: Remote Access Policy, states, "When working from a remote location, only DOC-authorized e-mail accounts must be utilized to conduct official business on behalf of the Department. Personal e-mail accounts (e.g. Hotmail, Yahoo, or Gmail) must not be used to conduct official business." In addition to this policy, DOC requires all users of network services in the Office of the Secretary (OS) [1] to read and sign an "OS Network Rules of Behavior" agreement which states, "I may not use personal e-mail (e.g. yahoo, gmail, etc...) to send official DOC business information." Per the DOC CIO, users are not granted access to the OS network until this document is read and signed.

While DOC CIO policy (such as the CITR-008) applies to all DOC operating units and bureaus, DOC operating units and bureaus can also implement more stringent policies. For example, NIST has an "IT Resources, Access and Use Policy" that prohibits "sending personal email that might be construed by the recipient to be an official communication." NIST's "Automatic Email Forwarding Use Policy" prohibits automatic forwarding of email from an employee's NIST email account to another email account. If an exception is granted under this particular policy, storage is required for those emails on NIST's server.

The DOC CIO stated his office is drafting a formal DOC-wide policy memorandum referencing the existing DOC policies outlined above and incorporating additional language clearly forbidding the use of personal email accounts for official business. He stated that during Quarter 3, Fiscal Year 2013, DOC plans to release an enterprise-wide DOC Acceptable Use Policy/CITR which will incorporate the proposed policy memorandum and expand on related issues, such as prohibiting the forwarding of DOC email to a personal device (e.g., personal smartphone).

As stated in section a. above, DOC does not have technology, policies, or procedures in place to identify, collect, maintain, or access personal email accounts used to conduct official business.

c. There is a lack of consistent, adequate training regarding the use of personal or alias email accounts for official business.

Because there is not a comprehensive policy regarding the use of personal or alias email accounts for official business, we found a corresponding lack of consistent and adequate training within the Department. The DOC CIO reported that the training provided by his office does not address the use of personal or alias email accounts for official business. The DOC Office of Human Resources confirmed that there is no formal training on this issue. Per the NOAA CIO, the NOAA annual IT Security Awareness training previously included statements regarding the inappropriateness of employees using personal email accounts for official business in a Records Management module. However, NOAA currently does not incorporate this particular statement in its training. According to the NOAA CIO, the Records Management module was removed in 2010 in order to keep the training to a certain length.

d. We identified no record of adverse personnel action resulting from the use of personal or unofficial alias email accounts for official business.

We requested from the DOC Office of Human Resources (in coordination with the Office of General Counsel and bureau human resource offices) all records related to any adverse personnel action taken against an employee for using personal email or unofficial alias email accounts to conduct official business. Based on its query, the DOC Office of Human Resources reported that it did not locate any records of adverse personnel actions taken because of the use of personal or unofficial alias email accounts to conduct official business for the bureaus it services, including: the Office of the Secretary, Bureau of Industry and Security, Economic Development Administration, International Trade Administration, Minority Business Development Agency, and National Telecommunications and Information Administration. NIST and NOAA also reported they did not locate any records of adverse personnel actions taken because of the use of personal or unofficial alias email accounts to conduct official business.

Based on our review of OIG investigative records, we identified a case where an Economic Development Administration (EDA) employee used his personal email account to conduct official business. The investigation focused on potential conflicts of interest and appearances of preferential treatment for EDA grantees the employee oversaw. During the investigation, OIG found the employee regularly used his personal email account for EDA official business. In June 2012, we transmitted our report to EDA including that and other findings. We recommended that EDA implement a policy prohibiting employees from using personal email accounts to conduct official business; however, EDA did not address this recommendation in its response dated September 25, 2012. EDA ultimately issued a memorandum to the employee advising him to not use his personal email to conduct official business.

e. Senior DOC officials have not encouraged the use of personal or unofficial alias email for official business, and have not used personal or unofficial alias email for official business except for incidental instances.

None of the DOC officials we interviewed were aware of any DOC official promoting or encouraging the use of personal or unofficial alias email accounts to conduct official business. Except for incidental instances, the Acting Secretary; the Under Secretary of Commerce for Standards and Technology and NIST Director; the then-Under Secretary of Commerce for Oceans and Atmosphere and NOAA Administrator; and the Assistant Secretary of Commerce/Deputy Administrator of NOAA (current Acting NOAA Administrator) all stated they have not used their personal email to conduct official business. As stated below, the former Under Secretary of Commerce for Oceans and Atmosphere and NOAA Administrator stated she had a general awareness of a practice by some employees to sometimes use their personal email accounts for official business out of convenience, but that they would copy their official account when doing so.

1. The Acting Secretary informed us that she used her personal email account once on a Saturday after not being able to connect to the DOC email server. She stated the email content consisted of a request to a staff member to schedule a meeting with her first thing on the following Monday morning.

2. The Assistant Secretary of Commerce/Deputy Administrator of NOAA (current Acting NOAA Administrator) identified five emails with a representative from the academic community, with whom she had a long-standing professional relationship, based on a search of her personal email account that discussed NOAA-related matters. We reviewed these emails and determined they were not substantive in nature. The emails consisted of forwards of academic articles, discussions, and presentations of potential interest involving weather; a string of emails while she was out of town as to what phone number was best to reach her on to discuss official business; and an email with a subject line only "eager to see draft declaration." The last was related to a Weather Ready Nation community dialog, "Sense of Attendees" declaration that came out of the dialog.

3. The former Under Secretary of Commerce for Oceans and Atmosphere and NOAA Administrator stated she was not aware of anyone in DOC or NOAA using personal or alias email accounts for official government business, unless they copied their official NOAA account. She stated as a matter of convenience some NOAA employees email from home on their personal accounts regarding NOAA business, and copy their NOAA accounts anytime they do so. She stated she did not know how widespread this practice was, and she could not recall anyone specifically doing it. She stated she did not know if this practice was acceptable under NOAA policy.

With regard to unofficial alias email accounts, none of the officials we interviewed were aware of any used to conduct official business. Most mentioned official alias email accounts known to them. The Acting Secretary stated she was aware of an email address used by the DOC Executive Secretariat, the office responsible for controlled correspondence, The_Secretary@doc.gov, to send and receive emails. She stated this is the only official alias email account she is aware of, and she does not have access to the account. The DOC CIO and staff stated they were aware of two official alias email accounts: (1) the DOC CIO has a DOCCIO@doc.gov account for email from the general public, and (2) the Secretary has a The_Secretary@doc.gov account. The DOC CIO stated he is unaware of any unofficial alias email accounts.

The NIST Director stated he was aware of an official alias email account at NIST, Director@nist.gov. He stated the account is maintained so a change in leadership does not disrupt an email address used for public inquiry. He stated he has no access to this account, but his Chief of Staff monitors and screens the account for any relevant emails. The NIST CIO and staff stated that NIST creates group accounts for functional use (e.g., a group email account for a project team to use). The NIST CIO stated, to his knowledge, alias or group email accounts have never been created for someone using a name different from that of the actual user and/or position.

The then-Under Secretary of Commerce for Oceans and Atmosphere and NOAA Administrator stated when she began at NOAA she was inundated with emails to her direct NOAA account, so an account was set up within that account using an abbreviation of her official account address with the idea that high priority emails would go to the subaccount within her broader account. She stated this subaccount did not help her and was ultimately abandoned. The NOAA CIO stated the NOAA Administrator had an alternate NOAA email account, with a variation of her name, but it was linked to her official account (i.e., both email addresses were sent to the same Outlook inbox). The NOAA CIO stated he was not aware of any unofficial alias email accounts.

Recommendations

To ensure proper records management of all emails containing official business, and to facilitate transparency and oversight, we intend to recommend by separate communication that the DOC CIO, in coordination with DOC operating unit/bureau CIOs, take the following actions:

1. Finalize the pending policy revision to ensure the Department has a clear, comprehensive policy prohibiting the use of personal email for conducting official business.
2. Communicate DOC policies regarding the use of personal emails to all DOC employees, e.g., via initial and annual refresher IT training presentations.

An identical copy of this letter has been sent to each signatory of the Committee's November 15, 2012 letter and the Ranking Subcommittee Members. If I can answer any questions or be of further assistance, please feel free to contact me or David Smith, Deputy Inspector General, at 202-482-4661.

Sincerely,

Todd J. Zinser

cc: Dr. Rebecca Blank, Acting Secretary
Cameron Kerry, General Counsel
Dr. Kathryn Sullivan, Acting Under Secretary of Commerce for Oceans and Atmosphere and Acting NOAA Administrator
Dr. Patrick Gallagher, Under Secretary of Commerce for Standards and Technology and NIST Director
Simon Szykman, DOC CIO

[1] This requirement applies to the following OS operating units: Office of Business Liaison, Center for Faith Based and Neighborhood Partnerships, Native American Affairs, Office of the Chief Financial Officer and Assistant Secretary for Administration, Office of the Chief Information Officer, Office of the Executive Secretariat, Office of General Counsel, Office of Legislative and Intergovernmental Affairs, Office of Policy and Strategic Planning, and Office of Public Affairs.