The other was Jonathan Scott Gration, a former ambassador to Kenya, who ignored instructions in July 2011 not to use commercial email for government businesses and resigned in mid-2012 when the department initiated disciplinary action against him.The IG report cited the Gration report as an example of how the process should work.
The report said it found only three department employees in 19 years who “used non-Departmental systems on an exclusive basis,” and two of them were secretaries of state (Clinton and Powell).
This policy comports with FISMA [Federal Information Security Management Act], which was enacted in December 2002 and requires Federal agencies to ensure information security for the systems that support the agency’s operations and assets, including information security protections for information systems used by a contractor of an agency or other organization on behalf of an agency.
FISMA defines information security as protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide for the integrity, confidentiality, and availability of the information and systems.
The IG report said that it has been department policy since 2005 — four years before Clinton took office — that “normal day-to-day operations” be conducted on government servers.
The report also said that in 2007 the department adopted additional policies requiring “non-Departmental information systems” used to “process or store department information” to meet the same security controls as the department’s systems, and requiring that they be registered with the department. State Department Inspector General, May 26: The Department’s current policy, implemented in 2005, is that normal day-to-day operations should be conducted on an authorized Automated Information System (AIS), which “has the proper level of security control to …