IRC Freenode #HillarySoQualified, make it happen
Let's take this thing to the moon; new live thread paralleled on reddit/r/self: https://voat.co/v/politics/comments/980912
- Was she reimbursed for the cost of her email server and support services by the State Department?
- Was her server included in the Federal Information Systems Inventory (required by OMB A-130, among other places)?
- Was her server included in the State Department's annual audits and reviews for compliance with the Federal Information Security Management Act of 2002, and were there any findings relevant to her server?
- Did she withhold information about her server to prevent it from being included in these audits or in discussions with auditors and the Inspector General?
From an interested, outside observer who happens to be an auditor with specializations in infosec.
For additional information look into the following topics:
Federal Information Security Management Act of 2002
State Department Financial Management Reports 2009-2013, which Hillary signed, which provide assurances around internal controls to comply with laws and regulations, at least one for each year she was SoS.
Various State Department FISMA audits, compliance reviews, communications with the auditors, and analysis of the Inspector General.
National Institute of Standards and Technology (NIST) Special Publication 800 series, particularly NIST SP800-45.
https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/FY09_FISMA.pdf
2011 Evaluation of Department of State Information Security Program - https://oig.state.gov/system/files/182933.pdf
2009 - https://oig.state.gov/system/files/213359.pdf
2013 - https://oig.state.gov/system/files/aud-it-15-17.pdf
2012 FISMA Audit Report: https://oig.state.gov/system/files/202261.pdf
From the 2009 oig.state.gov report above:
In response to four FY 2008 FISMA report recommendations relating to inventory systems management and oversight of contractor systems, IRM/IA modified its procedures for collecting, analyzing, and managing inventory systems. The review team found that IRM/IA had implemented several controls procedures that were reviewed and verified during the team’s analysis of 3rd and 4th quarter inventory records. Specifically, the following controls were implemented:
• The inventory toolkits were updated to provide guidance on inventory identification, analysis, and recording. The FY 2009 inventory data call provided increased focus on defining and identifying “contractor systems” and “system connections” that were missing in FY 2008.
• The FY 2009 inventory data call was initiated in early November 2008.
• Routine quarterly inventory data calls were made, and they reminded bureau and post systems owners to report new systems and significant changes to systems to ensure the accuracy of their FISMA-reportable inventory.
FISMA requires the Department to keep an inventory of information systems. OMB Circulars A-123, A-127 (Financial Management Systems), and A-130 (Management of Federal Information Resources) require agencies to develop and maintain an information systems inventory, document the types of information systems required to be reported, and detail how and how often those reports must be submitted to OMB. FIPS Publication 199 requires that agencies categorize their information systems as low-, moderate-, or high-impact. Systems with privacy-related information automatically raise the systems to the level of “Major Information Systems,” thereby needing to be reported in the information system inventory.
From the 2012 Report:
Recommendation 17. We recommend that the Chief Information Office, in coordination with Information Resource Management/Information Assurance, continue to review the security authorization and annual assessments to ensure that Information System Owner, Information System Security Officer, and Security Control Assessor for all Federal Information Security Management Act reportable systems use the published Certification & Accreditation Toolkit templates during the annual controls assessment to assess the required National Institute of Standards and Technology Special Publication 800-53, Revision 3, “Recommended Security Controls for Federal Information Systems and Organizations,” controls applicable and update the System Security Plan accordingly.
Management Response: The Department did not concur with the recommendation, stating that it “asserts that the referenced practices and controls are being fully implemented.”
EDIT: Misleading auditors and misrepresenting management responses are no fucking joke, especially when done by executives.
EDIT2: NIST has been working on new guidance in relation to FISMA since around last October, titled “Trustworthy Email”: http://csrc.nist.gov/publications/drafts/800-177/sp800-177_draft.pdf
EDIT3: This document is critical in understanding the tone and nature of discussions around cybersecurity during her tenure as SoS. Page 39 is illustrative, and this section is relevant to the topics raised to executive level for financial management. https://www.whitehouse.gov/sites/default/files/omb/assets/egov_docs/fy11_fisma.pdf
Page 45:
"Email Gateway Security - The purpose of the Mail Gateway Reference Architecture is to improve and standardize the Electronic Mail Gateways currently in use by the Federal Civilian Government, help departments/agencies (D/As) comply with FISMA mail security requirements and to improve the Federal Government’s overall security posture by reducing electronic mail vulnerabilities.
Telework - The main objective of this document is to help agencies to securely implement a Telework infrastructure and ensure that those infrastructures comply with Federal cybersecurity requirements. This document presents a framework for planning, procuring, deploying, and maintaining Telework infrastructures with a focus on cybersecurity."
Reposted to reddit with updates, we'll see if it sticks this time: https://www.reddit.com/r/self/comments/4edwt8/my_analysis_of_hillary_clintons_email_server/
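The post's second and third questions (was the server in the FISMA inventory, was it covered by the annual assessments) come down to a reconciliation an auditor can actually run. Below is an added example, not code from the post or from any of the OIG or OMB documents it links: it categorizes each system with the FIPS 199 high-water-mark rule (which goes beyond the page; the page only says systems must be rated low, moderate or high), applies the rule the post quotes from the 2009 OIG report that privacy-related information makes a system a "Major Information System" that must be inventoried, and then reports systems that are missing from the inventory or lack a controls assessment for the current fiscal year, the gap Recommendation 17 of the 2012 report is about. Every system name, impact rating and fiscal year is constructed.

```python
"""FIPS 199 categorisation plus a FISMA inventory / assessment reconciliation.

Added example; not from the Voat post or from the cited OIG/OMB reports.
Assumptions: the high-water-mark rule is FIPS 199 section 3 (not stated on the
page); "privacy data => Major Information System => must be inventoried" is the
sentence the post quotes from the 2009 OIG report; the annual controls
assessment is the one Recommendation 17 of the 2012 report refers to.
All systems, ratings and fiscal years below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional

# FIPS 199 impact levels, ordered so the maximum is the high-water mark.
IMPACT = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class SystemRecord:
    name: str
    confidentiality: str               # impact of a loss of confidentiality
    integrity: str                     # impact of a loss of integrity
    availability: str                  # impact of a loss of availability
    privacy_data: bool = False         # processes privacy-related information
    in_inventory: bool = False         # listed in the FISMA-reportable inventory
    last_assessed_fy: Optional[int] = None  # fiscal year of last controls assessment


def high_water_mark(rec: SystemRecord) -> str:
    """FIPS 199 overall categorisation: the highest impact across C, I and A."""
    levels = (rec.confidentiality, rec.integrity, rec.availability)
    for level in levels:
        if level not in IMPACT:
            raise ValueError(f"{rec.name}: unknown impact level {level!r}")
    return max(levels, key=IMPACT.__getitem__)


def is_major(rec: SystemRecord) -> bool:
    """Page rule (2009 OIG report): privacy-related information raises the
    system to a 'Major Information System', which must be inventoried."""
    return rec.privacy_data


def reconcile(discovered: List[SystemRecord], current_fy: int) -> List[str]:
    """Return one finding per problem for systems the auditor discovered
    (e.g. from mail-routing records) rather than read off the inventory.
    A system nobody discloses never reaches this list at all, which is why
    the post's fourth question (was information withheld) matters."""
    findings = []
    for rec in discovered:
        label = f"{high_water_mark(rec)}-impact system"
        if is_major(rec):
            label += " (Major Information System)"
        if not rec.in_inventory:
            findings.append(f"{rec.name}: {label} missing from FISMA inventory")
            continue  # nothing in the inventory to assess against
        if rec.last_assessed_fy is None or rec.last_assessed_fy < current_fy:
            findings.append(f"{rec.name}: no controls assessment in FY{current_fy}")
    return findings


# Constructed sample: two inventoried systems and one that never was.
SAMPLE = [
    SystemRecord("agency-mail-gateway", "moderate", "moderate", "moderate",
                 privacy_data=True, in_inventory=True, last_assessed_fy=2012),
    SystemRecord("telework-vpn", "moderate", "high", "moderate",
                 privacy_data=False, in_inventory=True, last_assessed_fy=2011),
    SystemRecord("unregistered-mail-host", "moderate", "moderate", "low",
                 privacy_data=True, in_inventory=False),
]

if __name__ == "__main__":
    for finding in reconcile(SAMPLE, current_fy=2012):
        print(finding)
```

The point of returning findings as data rather than printing them is that the same list can be diffed against the auditor's previous quarter, which is how the quarterly inventory data calls the 2009 report describes are meant to surface new or changed systems.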