Some Justice laptops lack encryption, IG finds

A quarter of a sampling of laptops from the Justice Department's Criminal Division recently tested by the department's inspector general didn't have the required encryption.

The IG found that 10 of 40 mobile computers it tested – overall, the division has about 800 laptops – weren’t encrypted. According to an audit by the IG, all of the unencrypted workstations came from the division’s International Criminal Investigative Training Assistance Program (ICITAP), one of seven sections in the criminal division.

The IG also found that some laptops didn’t have the baseline configurations required by the department, and one unencrypted laptop from ICITAP had an unauthorized peer-to-peer network, Limewire, installed and running. The computers without the baseline configurations came from ICITAP and the division's Computer Crimes and Intellectual Property section.

Meanwhile, the IG found weaknesses in the oversight of data security policies in contracts the division uses for litigation support services. In particular, seven of the nine contractors tested that held one type of contract processed sensitive information from Justice on laptops without encryption.

“This is a troubling issue that must be quickly addressed,” the IG wrote in a report released April 1 that detailed the audit’s findings. The audit was done from July through December 2009.

The IG made 10 recommendations, all of which Justice agreed with. The department concurred with recommendations to:

• Ensure that all of the division’s laptops are encrypted.
• Give all laptops to the division's Information Technology Management staff for encryption before use.
• Formalize laptop encryption procedures.
• Ensure the IT Management staff approves baseline configurations on all laptops used to process Justice data.
• Maintain a record of encryption for all of the division’s laptops.
• Enhance procedures to ensure inventory of laptops is accurate.
• Ensure contractor-owned computers that process Justice data are encrypted and make sure contractors know the proper rules for handling department data.
• Put proper language in related contracts.

Despite agreeing to the recommendations, the Criminal Division said in a written response to a draft of the report that the audit found less than 2 percent of the division’s laptops that did not satisfy encryption requirements. The division also said the noncompliance with encryption requirements was limited to one section and was the result of “an isolated occurrence several years ago.” The division also said that laptops identified as unencrypted "have since been reimaged and encrypted, or excised."

The IG agreed that the lack of encryption may have been caused by “an isolated occurrence several years ago.” However, auditors disagreed with the division's assertion that the audit showed that less than 2 percent of laptops weren’t compliant. The IG noted that 10 of the 40 – or 25 percent of computers tested -- weren’t encrypted, and it can’t be assumed that the division's 759 untested computers all had encryption.