"Secretary Clinton: By Secretary Clinton's tenure, the Department's guidance was considerably
more detailed and more sophisticated. Beginning in late 2005 and continuing through 2011, the
Department revised the FAM and issued various memoranda specifically discussing the
obligation to use Department systems in most circumstances and identifying the risks of not
doing so. Secretary Clinton's cybersecurity practices accordingly must be evaluated in light of
these more comprehensive directives."
...
"Secretary Clinton used mobile devices to conduct official business using the personal email
account on her private server extensively, as illustrated by the 55,000 pages of material making
up the approximately 30,000 emails she provided to the Department in December 2014.
Throughout Secretary Clinton's tenure, the FAM stated that normal day-to-day operations
should be conducted on an authorized AIS, yet OIG found no evidence that the Secretary
requested or obtained guidance or approval to conduct official business via a personal email
account on her private server. According to the current CIO and Assistant Secretary for
Diplomatic Security, Secretary Clinton had an obligation to discuss using her personal email
account to conduct official business with their offices, who in turn would have attempted to
provide her with approved and secured means that met her business needs. However, according
to these officials, DS and IRM did not, and would not, approve her exclusive reliance on a
personal email account to conduct Department business, because of the restrictions in the FAM
and the security risks in doing so.
During Secretary Clinton's tenure, the FAM also instructed employees that they were expected
to use approved, secure methods to transmit SBU information and that, if they needed to
transmit SBU information outside the Department's OpenNet network on a regular basis to non-Departmental
addresses, they should request a solution from IRM. However, OIG found no
evidence that Secretary Clinton ever contacted IRM to request such a solution, despite the fact
that emails exchanged on her personal account regularly contained information marked as SBU.
Similarly, the FAM contained provisions requiring employees who process SBU information on
their own devices to ensure that appropriate administrative, technical, and physical safeguards
are maintained to protect the confidentiality and integrity of records and to ensure encryption
of SBU information with products certified by NIST. With regard to encryption, Secretary
Clinton's website states that robust protections were put in place and additional upgrades and
techniques employed over time as they became available, including consulting and employing
third party experts. Although this report does not address the safety or security of her
system, DS and IRM reported to OIG that Secretary Clinton never demonstrated to them that her
private server or mobile device met minimum information security requirements specified by
FISMA and the FAM."
etc. etc.