Table Of ContentPhilip Kiko
Chet aia Oncae OMtice ot he
Chiet Aoministeative @tticer
G.&. Bouse of Representatives
‘Washington, WE 20515-9860
February 3, 2017
To: ‘The Honorable Gregg Harper
Chairman, Commitice on House Administration
‘The Honorable Rovert A. Brady
Ranking Member, Committee on House Administration
Philip G. Kiko
‘Chief Administrative Officer
Paul D. frving
‘Sergeant at Arms
Gencral (O1G) and HIR Cybersecurity have documented mul
artis, IT security violations, and shared employee policy violations by five
[by multiple House offices, hereafter referred to as “the employees
ice gathered to this poinl, we have concluded thatthe employees aro an
ak to the House of Representatives, possloly threatening the intcgricy of
ms and thereby Moniber's capacity to serve constituents
fembers and the House, we
(GAO) aad the Sergeant
stems and non-public
Tesponsiye to the needs of the
juiry and their Full support has greatly informed this
Tecommendation. a ae -
With the approval of the Commnitic, the CAO and the SAA will take the following actions:
* Disable and remove all access to House information technology sesources
otk network and local accounts,
Disable and remove access (o email accounts, remote aesess accouunt/tokens, mobile
phones and devices,
Disable any prox card access.
Demand that these individuals surrender equipr
Revoke all parking posses and privileges.
Instruct all House office Members’ and their staff where these employees 1
change their House account passwords and personal passwords (c.2., ‘Vunes)
“may have shared with these employees.
‘that the House Superintendent rekey any room or facility used by
s to store data or equipment
to protect Member's inventory, alert the Unized States Capitol Pol:
‘any suspicious activity related to House assets and property by the
including
992016, the CAO Office of Acquisitions Managemen! discovered suspicious
for mobile equipment by Mr. Omar Awan’, a shared employ:
er offices. Me. Awan structured these purchase orders in such a
fice below the accountable equipment thresholé of $500
© Officer reporied the suspicious activity to the Commit
‘The Committee on Hose Administration requested the O1G to
ofthis activity.
purchase orders, vouchers, and emails, the O1Gs ina
‘above referenced individuals. While performing the inquiry
‘of iregular procurements as well as violations of both [7
We have determined twenty House offices wer
3s, and potentially over 40 House Offices may
‘of the inquiry widened, the Commitee on
‘Chairman of the Democratic
the OIG identified. As2
‘he CAO to copy the data
matter to the epee oe Aditinistration directed the Inspector General to refer
‘ater to the United States Capitol Police (USCP). The SCP inkinad cr eae
that continues to this day.
In late 2016, the former Chairman of the Demoer
tesign from Congress to assume a new position. The CAO and SAA worked eatiate
Chairman to account for his inventory, including the one server.
While reviewing the inventory, the CAO discovered
id not match that of the onc imaged in Seplember. The CAO alse discovered that he
Servet in question was still operating unécr the employee's conuol, contrary to the
explicit instructions of the former Chairman to turn over all equip-nent, and fully
ooperate with the inquiry and investigation,
‘The USCP interviewed relevant staff regarding the missing server.
On January 24, 2017, the CAO acquired the serve: fram the control ofthe empl
‘transferred that server to the USCP.
Caucus announced his intention to
tthe serial number of the server
of Evidence Gathered by the House O1G
ng over the inguiry tothe USCP, the OIG guheted signa! even ev tthe
‘irregularities und IT security policy violations by the employees. The ev
bby the OIG has been provided to you.
of House vouchers documenting irregular transuctions:
Sf CDWG doraneatings et ss
c ‘and vouchers documenting structured purchases;
es House Member's Chiefs of Stall,
Pact cauipent vendor
‘wages of each employee:
‘end computer access logs;
of stored equipment; and,
es issued
US. House of Representatives is
ne Se dpe CAO to mstain an insti of all
re price of $500 or more
ing purchases and comingliag
“lurty “tour purchases totaling nearly $38,000 where the employ
to avoid the $500 accountable equipment thresh:
$219,000 in outstanding invoices owed to C.
employees, some of which were ic
known to the Member's office.
Eighty-three pieces of missing equipm
been “written off” from the House inventory by CAO
employees. Missing equipment
‘equipment, and computers
Fourteen examples of equipment delivered to
Of the House af Representatives, thus
process.
Examples of unopened equipment being stored et uknown
all prohibit the ee or subleting of jo
) different Member or Committee offices o: 2) individuals w
¢my job duties nor sublet any portion of =,
assigned email accounts for all of:
Summary of House IT Security Poti
bet office's equipment ut they belonged to another office.” She tld him to ge
‘them out of her Member's office. Pee
© Gas Member office believed the employees were contactors, not House employees.
Furthermore, the office believed that one ofthe employees cathe entecon hue
with the other four employees effectively reporting #0 hien
* One of he employees appears to have violated outside fiduciary
sa business,
esttictios on senio: staff.
Violations
‘The OIG documented numerous and egregious violations of House [1 Security, including
Principles of Behavior for Information Systems Users: Users must access and use only
{information for which they have official authorization
SPOL 002.0 Protecting Systems from Unauthorized Use Section 2.2 Users shal
use only information for which they have officiel authorization,
:00 Password Protection: Policy 2.6 - Do not share UserlDs and passwords
|= Protection of Sensitive Information, Section 2.3 ~ All Hou:
‘be stored on Iouse ovmed equipment.
curity Policy for Privileged Account Management - Sccuity See
‘shall not share access to an individual Privileged Account
ed permissions in pffives so thal cach of he five cay
ces. This could have resulted in Member's data being aco
unauthorized by the office, HIR Cybersecurity iden
iby he shared eyslom mimisirors tat have groups outside
admisiative permissions
accounts, including some assigned to Members, nine U1
Poffices who owned these secounts did noc enpiay ta exp
[Demoeratic Caucus compiter, even tough the en
je Caucus computers 5735 times, even
joy these employees, HIR Cybersecuriy
‘Caucus server as an entry point snd
