From the OIG report:
According to DS and IRM officials, Department employees must use agency-authorized information systems to conduct normal day-to-day operations because the use of non-Departmental systems creates significant security risks. Department policies have evolved considerably over the past two decades; but since 1996, the FAM and FAH have contained numerous provisions regulating the use of such outside systems, including computers, personal devices, Internet connections, and email. (See Appendix A for a compilation of related cybersecurity laws and policies that were in effect during the tenures of each Secretary, from Secretary Albright through Secretary Kerry.)
..
Employees Generally Must Use Department Information Systems To Conduct Official Business
The Department’s current policy, implemented in 2005, is that normal day-to-day operations should be conducted on an authorized Automated Information System (AIS), which “has the proper level of security control to ... ensure confidentiality, integrity, and availability of the resident information.”112 The FAM defines an AIS as an assembly of hardware, software, and firmware used to electronically input, process, store, and/or output data.113 Examples include: mainframes, servers, desktop workstations, and mobile devices (such as laptops, e-readers, smartphones, and tablets).
This policy comports with FISMA, which was enacted in December 2002 and requires Federal agencies to ensure information security for the systems that support the agency’s operations and assets, including information security protections for information systems used by a contractor of an agency or other organization on behalf of an agency.114 FISMA defines information security as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide for the integrity, confidentiality, and availability of the information and systems.115 In 2006, as required by FISMA, NIST promulgated minimum security requirements that apply to all information within the Federal Government and to Federal information systems.116 Among these are requirements for certifying and accrediting information systems, retaining system audit records for monitoring purposes, conducting risk assessments, and ensuring the protection of communications.
..
In 2007, the Department adopted additional policies to implement these requirements, including numerous provisions intended to ensure that non-Departmental information systems that process or store Department information maintain the same minimum security controls. Further, non-Departmental systems that are sponsored by the Department to process information on its behalf must be registered with the Department.117
Restrictions Apply to the Use of Non-Departmental Systems
The FAM and FAH contain a number of restrictions regarding the use of non-Departmental computers, mobile devices, Internet connections, and personal email to transmit Department information. These provisions have evolved since 1996, but employees must implement safeguards or request approval before using such equipment. Figure 2 shows the evolution of these provisions and related statutes and regulations.
Privately Owned Computers and Mobile Devices: In 1996, the FAM directed Department systems managers to ensure that privately owned computers were not installed or used in any Department office building.118 In 2008, the Department amended this provision to prohibit the use or installation of non-U.S. Government-owned computers in any Department facility without the written approval of DS and IRM, with certain exceptions.119
In 2009, the Department adopted policies addressing the specific requirements for use of non-Department-owned personal digital assistants (PDAs).120 Under this policy, PDAs could only be turned on and used within Department areas that are strictly unclassified (such as the cafeteria) and could not connect with a Department network except via a Department-approved remote-access program, such as Global OpenNet.121 In 2014, the Department amended this provision to authorize Department managers in domestic locations to allow non-Department-owned PDAs within their specific work areas, provided users maintain a minimum 10-foot separation between the PDA and classified processing equipment. In 2015, the Department replaced these provisions with a new FAH provision that included the domestic 10-foot-separation rule and the ban on connecting to a Department network except via a Department-approved remote-access program.122
Related to these provisions is the Department policy on “remote processing”—the processing of Department unclassified or sensitive but unclassified (SBU) information on non-Department-owned systems (such as a home computer or a tablet) or on Department-owned systems (such as a Department-issued laptop) at non-Departmental facilities (such as at an employee’s home or a hotel)—which has been in place since 2008.123 Under this policy, management and employees must exercise “particular care and judgment” when remotely processing SBU information.124 Offices that allow employees to remotely process SBU information must ensure that appropriate administrative, technical, and physical safeguards are maintained to protect the confidentiality and integrity of records and to ensure encryption of SBU information with products certified by NIST. Employees must implement and regularly update basic home security controls, including a firewall, anti-spyware, antivirus, and file-destruction applications for all computers on the network.125 In 2014, the Department added a provision to the FAH to require users who process SBU information on non-Department-owned storage media to encrypt it with products certified by NIST.126
Internet Connections: Since the end of 2002, the FAM has required all Department facilities to use the Department’s primary Internet connection, OpenNet, to establish Internet connectivity.127 The Department further regulated access to the Internet by establishing rules in 2004 addressing the use of non-Departmental Internet connections in Department facilities.128
Personal Email: Since 2002, Department employees have been prohibited from auto-forwarding their email to a personal email address “to preclude inadvertent transmission of SBU email on the Internet.”129
The FAM also reminds employees that “transmissions from the Department’s OpenNet to and from non-U.S. Government Internet addresses, and other .gov or .mil addresses, unless specifically directed through an approved secure means, traverse the Internet unencrypted.”130 The FAM further states that, with regard to SBU information, the Department is expected to provide, and employees are expected to use, approved secure methods to transmit such information when available and practical. However, if such secure methods are not available, employees with a valid business need may transmit SBU information over the Internet unencrypted so long as they carefully consider that unencrypted emails can pass through foreign and domestic controlled ISPs, placing the confidentiality and integrity of the information at risk. In addition, the FAM instructs employees transmitting SBU information outside the Department’s OpenNet network on a regular basis to the same official or personal email address to request a solution from IRM.131
In 2015, the Department amended the FAM to incorporate NARA’s guidance, which advises employees that “personal accounts should only be used in exceptional circumstances.”132 This provision also states that “Department employees are discouraged from using private email accounts (e.g., Gmail, AOL, Hotmail, etc.) for official business [except] in those very limited circumstances when it becomes necessary to do so.” However, the FAM gives no further guidance about what type of circumstances would permit use of personal email.
The Department Has Issued Numerous Warnings About Cybersecurity Risks
One of the primary reasons that Department policy requires the use of Department systems is to guard against cybersecurity incidents. Threats and actual attacks against the Department have been on the rise for nearly a decade. For example, in May 2006, the Department experienced large-scale computer intrusions that targeted its headquarters and its East Asian posts.133 Consequently, the Department has issued numerous announcements, cables, training requirements, and memos to highlight the various restrictions and risks associated with the use of non-Departmental systems, especially the use of personal email accounts.
As early as 2004, Department cables reminded staff that only Department-approved software should be installed on the Department’s information systems because outside software may bypass firewall and anti-virus checks, creating an open channel for hackers and malicious code, thus placing Department networks at serious risk.134 Since then, the Department has published prohibitions or warnings related to the use of instant messaging, PDAs and smartphones, thumb drives, CDs and DVDs, Internet browsers, and personally owned devices.135 Employees are also reminded of these issues through the Department’s required annual Cybersecurity Awareness course.136 Further, in 2005 DS’s Cyber Threat Analysis Division (CTAD) began issuing notices to Department computer users specifically highlighting cybersecurity threats. For example, CTAD’s
She did not have authorization to keep it on her own server, allow her housekeeper to move it, etc.
https://nypost.com/2016/11/06/clinton-directed-her-maid-to-print-out-classified-materials/
LOL
Dumbfuck, it's not different rules for different folks. You said others have been jailed for doing what she did. You lied and got caught. The guy you referenced didn't go to jail for sending classified material from a private server. Hillary didn't avoid prison for taking photos of a sub.
And for your edification ... a sub is not an email server.
The crime in question is being "grossly negligent" with classified information.
Both did that. The average guy got sent to jail. Hillary gets a pass.
Your denial of the double standard just shows you to be a partisan hack.
Idiotboi, he was convicted of “unauthorized retention of defense information.” Hillary was not accused of anything like that. You’re a ******* retard. She had authorization to retain classified material. That’s why Saucier’s defense that Hillary did it too, failed him miserably. Because they’re not the same circumstances.
Great, be the first to post the law that says she was not allowed to use a private email server......