A provision in the $1.1 trillion omnibus funding bill lawmakers are weighing to avoid a government shutdown includes specific new rules prohibiting the secretary of State from using government funds to set up a private email server, and establishes new standards for preserving electronic records, including emails and instant messages.
“None of the funds appropriated by this act … may be made available to support the use or establishment of email accounts or email servers created outside the .gov domain or not fitted for automated records management as part of a Federal government records management program in contravention of the Presidential and Federal Records Act Amendments of 2014,” the bill states on page 1443.
The inclusion, first spotted by The Hill, is clearly aimed at methods used by former Secretary of State Hillary Clinton during her tenure, including using a private email server now the subject of an FBI investigation over whether it insecurely housed classified emails.
Clinton deleted a large portion of the emails housed on the server before turning it and other emails over to federal investigators, citing many as personal.
The provision goes on to mandate the department update its record-keeping practices to preserve all forms of electronic communication, and ensure exiting employees turn over their relevant records.
“The Secretary of State and USAID Administrator shall update the policies, directives, and oversight necessary to comply with Federal statutes, regulations, and presidential executive orders and memoranda concerning the preservation of all records made or received in the conduct of official business, including record emails, instant messaging, and other online tools,” the bill states.
As the bill points out, Congress addressed many of those issues via cited legislation in 2014. If lawmakers pass the omnibus, the departments will have a month to report back to Congress on the establishment of new guidelines for preserving electronic records, or have $10 million withheld until they comply.
“Not later than 30 days after enactment of this Act, the Secretary of State and USAID Administrator shall each submit a report to the Committees on Appropriations and to the National Archives and Records Administration detailing, as appropriate and where applicable, the policy of each agency regarding the use or the establishment of email accounts or email servers created outside the .gov domain or not fitted for automated records management as part of a Federal government records management program,” the bill reads.
It also spells out the need for agency heads to clearly instruct employees on their policies regarding digital communication and security — a problem that is widespread across the federal government, according to cybersecurity firm Lookout.
In a report released earlier this year, the firm found that about 40 percent of more than 1,000 government employees surveyed are breaking rules against using personal devices at work, 50 percent of whom access work email from personal devices.
Another 49 percent download work documents on those devices, and of those, 27 percent use their device for work email often and download documents frequently. Another 17 percent store work documents on personal file-sharing applications, while 24 percent send work documents to personal email accounts.
Seven percent of those personal devices have been jailbroken, rooted or otherwise manipulated with custom aftermarket software, leaving them open to a wider breadth of cybersecurity flaws.