Select Application Controls Review of the Federal Bureau of Prisons's Sentry Database System

Report No. 03-25
July 2003
Office of the Inspector General

SENTRY, the Federal Bureau of Prisons's (BOP) primary mission support database, processes more than 1 million transactions each day and provides data files to a number of external organizations, including the United States Pardon Attorney, United States Marshals Service (USMS), Federal Bureau of Investigation, and United States Parole Commission. The BOP deployed its SENTRY database in 1978. It currently assists in monitoring and tracking approximately 165,000 federal inmates.

The system is designed to automate and assist in the monitoring of inmates consistent with implementation of the Violent Crime Control and Law Enforcement Act of 1994 (VCCLEA),⁴ the Prisoner Litigation Reform Act (PLRA),⁵ and other laws, which may require special treatment of inmates within the BOP prison institutions. All inmate information, which is critical to the safe and orderly operation of BOP facilities, is collected, maintained, and reported within SENTRY. This information includes inmate institution assignment, inmate population, and sentence data. A diagram detailing the various SENTRY modules and a short description of each module follow.

SENTRY Database System Environment

SENTRY resides on a BOP mainframe⁷ computer located at the Justice Data Center in Dallas, Texas (JDC-D) operated by the Department of Justice (Department) Justice Management Division's (JMD) Computer Services. Over 24,000 personal computers are in place - at approximately 200 facilities in the Department and BOP - to grant access to SENTRY by way of the BOP's Washington, D.C., Network Control Center (NCC).⁸ These remote sites include federal correctional facilities, regional offices, Community Corrections Offices (CCO), and other selected offices. The following diagram depicts SENTRY's network configuration:

Source: The Office of the Inspector General's (OIG) analysis of the SENTRY Network Configuration.

SENTRY utilizes a client/server application. This is a network architecture in which each computer or process on the network is either a client or a server. Servers are powerful computers or processes dedicated to managing disk drives, printers, or network traffic. Clients are personal computers (PCs) or workstations on which users run applications. Clients rely on servers for resources, such as files, devices, and even processing power. The client part of the program is referred to as the front-end processor and the server part is referred to as the back-end.

SENTRY is comprised of approximately 700 program routines written in COBOL,⁹ which is used to process data to a database management system (DBMS). SENTRY allows concurrent sharing of data among multiple users. The DBMS maintains the indices that are necessary to translate application program data requirements into the information used by the mainframe's operating system to read or write data to SENTRY. The DBMS application used for SENTRY is the Computer Associate's (CA) Integrated Data Management System (IDMS). The IDMS's function is to process transmitted data between SENTRY and the mainframe operating system. The IDMS writes and retrieves data to and from the physical storage area of the mainframe when SENTRY is accessed.

SENTRY communications are relayed by way of the BOP's Wide Area Network (WAN) circuits. The SENTRY mainframe is accessed by way of Systems Network Architecture (SNA) gateways,¹⁰ which ensure that all SENTRY circuits include end-to-end encryption. Each BOP facility connects directly to the BOP's NCC via the Sprint Federal Telecommunications System (FTS) network. The Sprint FTS and the local exchange carriers provide the communication links for SENTRY. However, the BOP migrated its data communications to the Justice Consolidated Network (JCN),¹¹ which also is implemented primarily through the Sprint FTS contract. The FTS currently provides intercity telecommunications services for federal government agencies.

4. The VCCLEA provided for new police offices, funding for prisons, and funding for prevention programs.
5. In April 1996, the PLRA was enacted by Congress as part of the Balanced Budget Down Payment Act, which limits the prospective relief that can be provided for prison conditions as well as terminates the existing orders for prospective relief unless a court finds that prospective relief remains necessary to correct a current or ongoing violation of a federal right.
6. SENTRY also includes a Property Management Module that tracks BOP's accountable property and automatically computes the depreciation of capitalized property; however it is not directly applicable to the Inmate Population Monitoring Module.
7. A mainframe is a large system capable of handling tens of thousands of online terminals. Large-scale mainframes support multiple gigabytes of main memory and terabytes of disk storage. Large mainframes use smaller computers as front-end processors that connect to communications networks.
8. See Appendix IV for a listing of SENTRY's authorized users.
9. COBOL (Common Business Oriented Language) is a popular high-level programming language used for business applications that runs on large computers.
10. SNAs are IBM's mainframe network standards consisting of a centralized architecture with a host computer controlling many terminals. Enhancements have adapted SNA to today's peer-to-peer communications and distributed computing environment. Gateways perform protocol conversion between different types of networks or applications to facilitate communication between different systems.
11. The OIG previously audited JCN (see OIG Audit Report Number 03-13, "Independent Evaluation Pursuant to the Government Information Security Reform Act," fiscal year 2002, the Justice Consolidated Network, February 2002).