FBI needs to step back before moving forward, IG says

Although the FBI is working to establish a fingerprint system with DHS, it needs to regroup following a failed effort to modernize a system that manages evidence, DOJ's IG said.

Although the FBI is forging ahead with establishing an interoperable fingerprint system with the Homeland Security Department, the Justice Department needs to regroup following a failed $1.18 million effort to modernize a system that manages evidence, according to a semi-annual report released by Justice's inspector general.

The recently released 66-page IG report, which summarizes the office's audits, investigations, inspections and special reviews, provided updates on several information technology initiatives Justice agencies started.

In March, after two and a half years, FBI officials terminated a contract with a private company for a commercial laboratory information management system that would have used bar code technology to track evidence and improve reporting capabilities at the FBI Laboratory in Quantico, Va. "After many delays and extensive customization," the system did not meet the agency's security requirements, the IG report states.

According to the report, the initiative began before the agency's IT investment management processes were established, making it difficult to identify problems with the contract and adequately document security requirements for certification and accreditation of the software. Among several recommendations, the IG report states that an experienced IT manager must oversee any future project.

The laboratory conducts more than 1 million examinations of physical evidence annually, but the current system is limited in tracking evidence and reporting capabilities.

However, the joint initiative to make the bureau’s 10-fingerprint Integrated Automated Fingerprint Identification System interoperable with DHS’ two-fingerprint Automated Biometric Identification System is on track, the IG report states. In the first phase of the three-phase project, both agencies will establish a joint automated system to share important immigration and law enforcement data.
The other two phases will focus on expanding the shared data and access by various federal, state and local law enforcement agencies to that data. The initiative is scheduled to be complete by December 2009.

"When the interoperability effort is completed, a single request will search all fingerprint records maintained by the FBI and the DHS, and the requestor will receive all associated criminal history and immigration information about an individual," according to the IG report.

The IG report also provided updates with respect to the Federal Information Security Management Act (FISMA).

A review found that systems within the FBI; the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF); the Drug Enforcement Agency (DEA); and the Justice Management Division (JMD) were all certified and accredited, security controls were tested and evaluated in the past year, and contingency plans were in compliance with FISMA. However, the FBI, ATF and DEA did not perform electronic authentication risk assessments, and the FBI and ATF did not fully implement Justice's process for tracking system vulnerabilities and corrective actions, the IG report adds.

"Moreover, departmentwide system configuration policy was not always implemented as required within the DEA and JMD," the IG report states.
"With respect to IT security awareness training, we found that ATF did not fully ensure that all of its employees were trained as required by department policy."

The IG's office is also reviewing and evaluating several classified and unclassified systems within several Justice agencies and plans to issue reports this fiscal year.

In assessing compliance with the Office of Management and Budget guidelines for securing sensitive data, the IG report states that although Justice is implementing additional security controls to protect personally identifiable information, it is not fully compliant for all automated systems.

"For example, the department failed to ensure that personally identifiable information is transported and stored off-site only in encrypted form," the report states. "We also found that the department is not requiring users who access the system remotely to provide two independent ways of authenticating identity, as required by the National Institute of Standards and Technology Special Publications 800-53 and 800-53 A."

Additionally, Justice has established a task force to develop a comprehensive approach to secure wireless access to personally identifiable data on the internal systems and assess technical solutions for remote access.