Report Contents
What OIG Evaluated
As part of ongoing efforts to respond to requests from the current Secretary of State and several Members of Congress, the Office of Inspector General (OIG) reviewed records management requirements and policies regarding the use of non-Departmental communications systems. The scope of this evaluation covers the Office of the Secretary, specifically the tenures of Secretaries of State Madeleine Albright, Colin Powell, Condoleezza Rice, Hillary Clinton, and John Kerry.
This report (1) provides an overview of laws, regulations, and policies related to the management of email records; (2) assesses the effectiveness of electronic records management practices involving the Office of the Secretary; (3) evaluates compliance with records management requirements; and (4) examines information security requirements related to the use of non-Departmental systems.
What OIG Recommends
OIG makes eight recommendations. They include issuing enhanced and more frequent guidance on the permissible use of personal email accounts to conduct official business, amending Departmental policies to provide for administrative penalties for failure to comply with records preservation and cybersecurity requirements, and developing a quality assurance plan to address vulnerabilities in records management and preservation. The Department concurred with all of OIG’s recommendations.
What OIG Found
The Federal Records Act requires appropriate management and preservation of Federal Government records, regardless of physical form or characteristics, that document the organization, functions, policies, decisions, procedures, and essential transactions of an agency. For the last two decades, both Department of State (Department) policy and Federal regulations have explicitly stated that emails may qualify as Federal records.
As is the case throughout the Federal Government, management weaknesses at the Department have contributed to the loss or removal of email records, particularly records created by the Office of the Secretary. These weaknesses include a limited ability to retrieve email records, inaccessibility of electronic files, failure to comply with requirements for departing employees, and a general lack of oversight.
OIG’s ability to evaluate the Office of the Secretary’s compliance with policies regarding records preservation and use of non-Departmental communications systems was, at times, hampered by these weaknesses. However, based on its review of records, questionnaires, and interviews, OIG determined that email usage and preservation practices varied across the tenures of the five most recent Secretaries and that, accordingly, compliance with statutory, regulatory, and internal requirements varied as well.
OIG also examined Department cybersecurity regulations and policies that apply to the use of non-Departmental systems to conduct official business. Although there were few such requirements 20 years ago, over time the Department has implemented numerous policies directing the use of authorized systems for day-to-day operations. In assessing these policies, OIG examined the facts and circumstances surrounding three cases where individuals exclusively used non-Departmental systems to conduct official business.
Report Recommendations
The Bureau of Administration should:
• continue to issue guidance, including periodic, regular notices, to Department employees to remind them that the use of personal email accounts to conduct official business is discouraged in most circumstances,
• clarify and give specific examples of the types of limited circumstances in which such use would be permissible, and
• instruct employees how to preserve Federal records when using personal email accounts.
The Bureau of Administration should amend the Foreign Affairs Manual to reflect the updates to Department recordkeeping systems that provide alternatives to print and file emails that constitute Federal records.
The Office of the Secretary, Executive Secretariat, should work with the Office of Information Programs and Services to conduct an inventory of all electronic and hardcopy files in its custody and evaluate them to determine which files should be transferred to the Office of Information Programs and Services in accordance with records disposition schedules or Department email preservation requirements.
The Office of the Secretary, Executive Secretariat, should work with the Office of Information Programs and Services to improve policies and procedures to promote compliance by all employees within its purview, including the Secretary, with records management requirements. These policies should cover the retirement of records in accordance with records disposition schedules, preservation of email and other electronic records of departing officials, and training of employees on their records preservation responsibilities.
The Office of the Secretary, Executive Secretariat, should work with the Office of Information Programs and Services to ensure that all departing officials within its purview, including the Secretary of State, sign a separation form (DS-109) certifying that they have surrendered all Federal records and classified or administratively controlled documents. In addition, staff should ensure that all incoming officials within its purview, including the Secretary, are thoroughly briefed on their records preservation and retention responsibilities, including records contained on personal email accounts.
The Department’s Transparency Coordinator should work with the Office of Information Programs and Services to develop a quality assurance plan to promptly identify and address Department-wide vulnerabilities in the records preservation process, including lack of oversight and the broad inaccessibility of electronic records.
The Bureau of Information Resource Management should:
- issue regular notices to remind Department employees of the risks associated with the use of non-Departmental systems;
- provide periodic briefings on such risks to staff at all levels; and
- evaluate the cost and feasibility of conducting regular audits of computer system usage to ascertain the degree to which Department employees are following the laws and policies concerning the use of personal email accounts.
The Director General of the Foreign Service and Director of Human Resources should amend the Foreign Affairs Manual to provide for administrative penalties for Department employees who (1) fail to comply with recordkeeping laws and regulations or (2) fail to comply with Department policy that only authorized information systems are to be used to conduct day-to-day operations. The amendment should include explicit steps employees should take if a reasonable suspicion exists that documents are not being preserved appropriately, including a reminder that the Office of Inspector General has jurisdiction to investigate and refer to appropriate authorities suspected violations of records preservation requirements.
