Some Justice laptops lack encryption, IG finds

Department's IG finds 10 of 40 laptops tested from the Criminal Division didn't have required protections

A quarter of a sampling of laptops from the Justice Department's Criminal Division recently tested by the department's inspector general didn't have the required encryption.

The IG found that 10 of 40 mobile computers it tested – overall, the division has about 800 laptops – weren’t encrypted. According to an audit by the IG, all of the unencrypted workstations came from the division’s International Criminal Investigative Training Assistance Program (ICITAP), one of seven sections in the criminal division.

The IG also found that some laptops didn’t have the baseline configurations required by the department, and one unencrypted laptop from ICITAP had an unauthorized peer-to-peer network, Limewire, installed and running. The computers without the baseline configurations came from ICITAP and the division's Computer Crimes and Intellectual Property section.

Meanwhile, the IG found weaknesses in the oversight of data security policies in contracts the division uses for litigation support services. In particular, seven of the nine contractors tested that held one type of contract processed sensitive information from Justice on laptops without encryption.

“This is a troubling issue that must be quickly addressed,” the IG wrote in a report released April 1 that detailed the audit’s findings. The audit was done from July through December 2009.

The IG made 10 recommendations, all of which Justice agreed with. The department concurred with recommendations to:

  • Ensure that all of the division’s laptops are encrypted.
  • Give all laptops to the division's Information Technology Management staff for encryption before use.
  • Formalize laptop encryption procedures.
  • Ensure the IT Management staff approves baseline configurations on all laptops used to process Justice data.
  • Maintain a record of encryption for all of the division’s laptops.
  • Enhance procedures to ensure inventory of laptops is accurate.
  • Ensure contractor-owned computers that process Justice data are encrypted and make sure contractors know the proper rules for handling department data.
  • Put proper language in related contracts.

Despite agreeing to the recommendations, the Criminal Division said in a written response to a draft of the report that the audit found less than 2 percent of the division’s laptops that did not satisfy encryption requirements. The division also said the noncompliance with encryption requirements was limited to one section and was the result of “an isolated occurrence several years ago.” The division also said that laptops identified as unencrypted "have since been reimaged and encrypted, or excised."

The IG agreed that the lack of encryption may have been caused by “an isolated occurrence several years ago.” However, auditors disagreed with the division's assertion that the audit showed that less than 2 percent of laptops weren’t compliant. The IG noted that 10 of the 40 – or 25 percent of computers tested -- weren’t encrypted, and it can’t be assumed that the division's 759 untested computers all had encryption.

About the Author

Ben Bain is a reporter for Federal Computer Week.

Featured

  • FCW PERSPECTIVES
    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.