Some Justice laptops lack encryption, IG finds

Department's IG finds 10 of 40 laptops tested from the Criminal Division didn't have required protections

A quarter of a sampling of laptops from the Justice Department's Criminal Division recently tested by the department's inspector general didn't have the required encryption.

The IG found that 10 of 40 mobile computers it tested – overall, the division has about 800 laptops – weren’t encrypted. According to an audit by the IG, all of the unencrypted workstations came from the division’s International Criminal Investigative Training Assistance Program (ICITAP), one of seven sections in the criminal division.

The IG also found that some laptops didn’t have the baseline configurations required by the department, and one unencrypted laptop from ICITAP had an unauthorized peer-to-peer network, Limewire, installed and running. The computers without the baseline configurations came from ICITAP and the division's Computer Crimes and Intellectual Property section.

Meanwhile, the IG found weaknesses in the oversight of data security policies in contracts the division uses for litigation support services. In particular, seven of the nine contractors tested that held one type of contract processed sensitive information from Justice on laptops without encryption.

“This is a troubling issue that must be quickly addressed,” the IG wrote in a report released April 1 that detailed the audit’s findings. The audit was done from July through December 2009.

The IG made 10 recommendations, all of which Justice agreed with. The department concurred with recommendations to:

  • Ensure that all of the division’s laptops are encrypted.
  • Give all laptops to the division's Information Technology Management staff for encryption before use.
  • Formalize laptop encryption procedures.
  • Ensure the IT Management staff approves baseline configurations on all laptops used to process Justice data.
  • Maintain a record of encryption for all of the division’s laptops.
  • Enhance procedures to ensure inventory of laptops is accurate.
  • Ensure contractor-owned computers that process Justice data are encrypted and make sure contractors know the proper rules for handling department data.
  • Put proper language in related contracts.

Despite agreeing to the recommendations, the Criminal Division said in a written response to a draft of the report that the audit found less than 2 percent of the division’s laptops that did not satisfy encryption requirements. The division also said the noncompliance with encryption requirements was limited to one section and was the result of “an isolated occurrence several years ago.” The division also said that laptops identified as unencrypted "have since been reimaged and encrypted, or excised."

The IG agreed that the lack of encryption may have been caused by “an isolated occurrence several years ago.” However, auditors disagreed with the division's assertion that the audit showed that less than 2 percent of laptops weren’t compliant. The IG noted that 10 of the 40 – or 25 percent of computers tested -- weren’t encrypted, and it can’t be assumed that the division's 759 untested computers all had encryption.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.