The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) appreciates the opportunity to respond to the Office of Inspector General’s (OIG) findings and recommendations on the draft audit report entitled “The Bureau of Alcohol, Tobacco, Firearms and Explosives’ Controls Over Its Weapons, Laptop Computers and Other Sensitive Property.” ATF is committed to strengthening its controls over the loss and theft of weapons and laptop computers.

ATF has reviewed the OIG’s draft report and this memorandum will convey ATF’s response to each of the recommendations. With respect to most of the recommendations, ATF agrees or partially agrees with the recommendations. ATF disagrees with one recommendation. In the instances where ATF disagrees or partially agrees, ATF has outlined the policies and procedures that currently exist that address the concerns raised by the OIG. ATF has also addressed the specific actions ATF will take to increase awareness of those policies and procedures, and to ensure that employees comply with those policies and procedures.

We are revising our procedures of reporting losses of weapons or laptops. Effective September 30, 2008, ATF will require all losses of weapons or laptops to be reported to the ATF Joint Support Operations Center (JSOC). The JSOC is a 24-hour operation, and the employees who staff the JSOC will be assigned the following responsibilities: 1) ensure the timely documentation of the loss of weapons and laptop computers; 2) ensure the timely reporting of the loss of a laptop computer to the Department of Justice Computer Emergency Response Team (DOJCERT), and 3) ensure the timely entry of the loss of a laptop computer or weapon into the National Crime Information Center’s (NCIC) database.

ATF’s Deputy Director will also issue a memorandum to all employees to remind them of their responsibility to account for weapons, laptops, ammunition, and explosives. This memorandum will also address the importance of reporting losses in a timely manner.

ATF’s respective responses to the OIG’s recommendations are set forth below:

Recommendation Number 1:  Ensure that ATF staff notifies the Materiel Management Branch of all weapon and laptop computer losses and maintain copies of all supporting documentation.

ATF’s Response:  ATF agrees with this recommendation. ATF currently has reporting procedures in place that address the reporting of lost or stolen weapons and laptops. The notification procedures are outlined in ATF Order 1850.2D, Personal Property Management Program, dated April 29, 2008, Chapter E, Paragraph 72 and 73. ATF recognizes that we need to implement measures to ensure that the provisions of the order are followed by each ATF employee.

ATF recognizes the need for a more reliable and comprehensive reporting method for sensitive items that have a short reporting deadline. Accordingly, ATF is revising its current reporting procedures to include simultaneous electronic notification to the Internal Affairs Division (IAD), the Materiel Management Branch (MMB), the ATF JSOC, and the Information Services Division (ISD) (information technology assets) when accountable property is lost or stolen. ATF believes these additional steps will strengthen its existing procedures to ensure the timely reporting, and ensuring the MMB is timely notified. This revised procedure will be in effect no later than September 30, 2008.

ATF recognizes the need to reinforce the importance of the reporting process. ATF’s Deputy Director will issue a memorandum to all employees which will accomplish the following four tasks: 1) reference ATF Order 1850.2D; 2) underscore their responsibility to account for weapons, laptops, ammunition and explosives; 3) initiate the new form and electronic reporting process; and 4) summarize the deadlines relative to the timely reporting of such losses.

Recommendation Number 2:  Ensure that for each loss Materiel Management provides Internal Affairs with the Report of Survey and information needed to conduct an investigation.

ATF’s Response:  ATF agrees with this recommendation. ATF’s current procedure requires the MMB to initiate a Report of Survey (ROS) within 3 working days of notification of any loss or theft. A copy of the ROS is provided to the IAD. The ROS includes all of the pertinent information relating to the loss or theft to include a copy of the electronic notification, copies of any police report, and any other pertinent documentation. The notification procedures are outlined in ATF Order 1850.2D, of the Property Management Program, dated April 29, 2008, Chapter E, Paragraph 72 and 73.

ATF is aware that the OIG auditors found instances of losses or thefts of weapons and laptops that were not reported to the IAD. ATF is revising its current reporting procedures contained in ATF Property Management Order 1850.2D to include simultaneous electronic notification to the IAD, MMB, ATF JSOC and ISD (information technology assets) when accountable property is lost or stolen. ATF believes these additional steps will strengthen its existing procedures to ensure the timely reporting, and to ensure the MMB is timely notified. This revised procedure will be in effect no later than September 30, 2008.

Recommendation Number 3:  Implement a written policy for reporting losses of ammunition to Internal Affairs for investigation.

ATF’s Response:  ATF agrees with this recommendation. ATF’s current procedures, contained in ATF Personal Property Management Order 1850.2D, dated April 29, 2008, require any incident involving a break-in or theft from an ammunition storage facility to be immediately reported by the ATF Division Chief or Special Agent in Charge to the IAD. The audit revealed that ATF is in fact complying with reporting such incidents, and found that disciplinary actions were taken where the instance involved employee misconduct.

ATF is revising its current procedures to require the simultaneous electronic reporting of any lost or stolen ammunition to the IAD, MMB, and ATF JSOC. In addition to revising its ATF Personal Property Management Order 1850.2D, dated April 29, 2008, all ATF offices will complete a 100 percent ammunition inventory by October 15, 2008, to establish a supported baseline for future perpetual inventories. The MMB will provide instructions to all offices for this inventory no later than September 15, 2008. ATF believes these additional steps will strengthen its existing procedures relative to reporting losses of ammunition.

Recommendation Number 4: Implement procedures to determine the contents of lost, stolen, and or missing laptop computers, specifically:

1. Whether the laptop computer contained classified information;
2. Whether the laptop computer contained sensitive or personally identifiable information; and
3. Whether the lost, stolen, or missing laptop computer was protected with encryption software.

ATF’s Response:  ATF agrees with this recommendation. ATF currently has a procedure in place that requires ATF employees to provide complete, accurate and timely incident reports summarizing the loss of ATF laptop computers. These reports require an assessment of what type of information was on the system or device; whether the system or device contained sensitive or personally identifiable information (PII), and whether or not the system or device was encrypted. These reports are currently submitted to the ATF Help Desk and subsequently reported to the DOJCERT. These procedures are available to all ATF employees through the ATF Intra-web. These current procedures are contained in a Chief Information Officer (CIO) letter dated, March 2007.

ATF is aware that the OIG auditors found instances, whereby ATF was not accurately capturing the contents of lost, missing, or stolen laptops. ATF is revising its current procedures to allow for electronic reporting of laptops and weapons to the ATF JSOC. The JSOC is a 24-hour operation that will be the Bureau’s component responsible for ensuring that all lost or stolen laptops and weapons are immediately recorded in NCIC and reported to DOJCERT. ATF believes these additional steps will strengthen its existing procedures and ensure the timely reporting and determination of the contents of lost, stolen or missing laptop computers. This revised procedure will be effective no later than September 30, 2008. ATF’s Deputy Director will issue a memorandum to all employees emphasizing the new reporting procedure and the importance of meeting the reporting deadlines.

ATF is especially sensitive to the risks that may occur when there is a data breach. ATF has implemented a Data Breach Notification Technical Working Group composed of members from multiple ATF directorates. The working group actually assesses the losses and risks associated with any PII. It then reports to DOJ on the information lost and the procedures being undertaken to remedy the loss. ATF issued data breach notification procedures on August 5, 2008.

Recommendation Number 5: Require that lost, stolen, or missing weapons and laptop computers are appropriately entered into NCIC.

ATF’s Response:  ATF partially agrees with this recommendation. ATF recognizes some inconsistencies in our methodology of reporting weapon and laptop losses to NCIC however; losses are reported to the ATF IAD. The current ATF policy requires all incidents involving sensitive items i.e., laptop computers, firearms or capitalized property to be reported within 24 hours. Losses involving firearms or equipment containing classified information must also be reported to the NCIC and local law enforcement officials within 24 hours of discovery. Occasionally a misplaced weapon or laptop will be found shortly after the initial report to IAD, therefore negating the need for further reporting to NCIC. ATF believes this has contributed to some of the findings during the current review.

ATF’s revised reporting procedures will rely on the JSOC to be the responsible component for ensuring all lost or stolen laptops and weapons are timely recorded in NCIC and reported to the DOJCERT. Since the JSOC is a 24-hour operation, we believe that this component is best suited to meet these short reporting deadlines. This revised procedure will be effective no later than September 30, 2008. ATF’s Deputy Director will issue a memorandum to all employees emphasizing the new reporting procedure and the importance of meeting the reporting deadlines.

Recommendation Number 6:  Develop procedures for updating the property management system to ensure accurate and complete weapons and laptop computer records are maintained.

ATF’s Response:  ATF disagrees with this recommendation because ATF currently has procedures as outlined below. However, ATF acknowledges that enforcement of the use of the Property Management System (Sunflower) and training for those who are responsible for data entry, is necessary. .

Property Custodians are designated in writing by the Property Management Representative and have Sunflower access capabilities that allow them to update user information, process reports, and to initiate and accept transactions involving the transfer of assets between organizational elements. E-mail alert notifications are also a function within Sunflower. This system is used to alert managers when a transaction is awaiting action, or an action has occurred affecting the on- hand balance of their account. The electronic transfers are permanently recorded in the system and provide an automated record of the movement of the property. In addition, the permanent edit history files within the Sunflower Property Management System provide a complete history of all transactions affecting an item from the time it is acquired through disposal. Sunflower is an accredited asset management system that provides an electronic audit trail of all transactions affecting an inventory balance.

Source documentation to support the addition or removal of property assets is provided by Property Management Representatives and Property Custodians to the Property Accountable Officer, and is retained on file for three years in accordance with ATF Order 1345.1, Records Management Program, General Records Control Schedule and 44 U.S.C. Chapter 31. The Sunflower Property Management System provides the ability to track assets from cradle to grave and provides time stamp information for each transaction that is posted to an asset, including the date and name of the individual performing the transaction.

All of the procedures outlined above are in ATF Property Management Order 1850.2D. We will ensure that the memorandum that the ATF Deputy Director sends to all employees includes a reminder to input, update and maintain accurate property accountability information in Sunflower. ATF’s Office of Management and Office of Training and Professional Development will develop and implement standardized, on-line training of the Sunflower system. Finally, ATF will ensure that property custodians are designated, at a minimum, at the level of branch or field office. A fuller contingent of property custodians will enhance ATF’s ability to manage property and ensure accurate and complete computer records. ATF’s property management order will be revised to reflect this minimum level of property custodian coverage.

Recommendation Number 7: Locate or report as missing all sampled items not found during the audit.

ATF’s Response:   ATF partially agrees with this recommendation. The OIG audit covered a 9-month period, during which time some of the sample items were unavailable for physical inspection due to the employee’s unavailability, due to training, or another assignment. Those items not physically inspected were characterized as lost by the audit team. Subsequently to that, ATF employees participated in an exhaustive effort with the audit team in faxing laptop verification certificates to the Atlanta Regional Audit Office. We feel that some of these verification certificates were not received or accepted by the audit staff. Furthermore, ATF offers the following for your consideration regarding the high number of discrepancies identified with the information technology equipment.

In 2004, ATF conducted a major Enterprise System Architecture (ESA) Equipment Refresh that included the exchange of all ATF Government Furnished Computer Equipment for leased equipment under the Seat Management Initiative. This refresh involved approximately 4,600 replacement assets located in 256 different locations throughout the United States, Puerto Rico, and the Virgin Islands. In 2006, at the conclusion of the exchange and donation of the government owned computers, ATF conducted a complete inventory. The 100 percent physical inventory identified 274 laptops, 66 percent of the lost items identified in the audit report as lost or missing. ATF initiated a ROS at the conclusion of the reconciliation period in accordance with the procedures outlined in the DOJ policy Bulletin No.05-02. The ROS process required a full review of our records and revealed paperwork postings errors and loss of paperwork.

ATF recognizes the importance of maintaining accountability of computer assets during these wholesale exchanges under the ESA refresh concept. ATF is revising its procedures and will appoint an additional Contracting Officers Technical Representative (COTR) to the seat management contract from the Materiel Management Branch by September 15, 2008. The COTR will have the responsibility of providing oversight and conducting compliance reviews of the Asset Management function of the ESA contract. ATF’s Chief Procurement Officer will establish a Contract Management Council consisting of ATF and EDS contract employees. The Council will meet weekly to address contract related challenges, and specifically those associated with Asset Management. The ATF CIO and ATF Chief Financial Officer will be briefed on the results of these meetings and contract compliance reviews on a weekly basis, beginning September 30, 2008.

Recommendation Number 8:  Ensure all laptop computers are encrypted.

ATF’s Response:  ATF agrees with this recommendation. There are currently 5,848 laptop computers on the ATF network. Since August 20, 2008, the encryption software, Point-Sec, has been installed on 5,810 of these laptops. ATF is currently validating the remaining 38 laptops and their respective user accounts have been disabled until the encryption software is installed. ATF anticipates this will be completed no later than September 30, 2008.

Recommendation Number 9: Ensure complete, accurate, and timely reports are submitted to the DOJ CIO containing all appropriate ATF laptop computers authorized to process classified information.

ATF’s Response: ATF agrees with this recommendation. ATF did provide reports to the DOJ CIO in Fiscal Year 2007 and Fiscal Year 2008; however six of the laptops were omitted from the 2008 report. ATF will review its procedures to determine how this omission occurred and make the necessary adjustment to prevent future occurrences.

Recommendation Number 10: Ensure complete, accurate, and timely semiannual reports identifying lost, stolen, or missing weapons and laptop computers are submitted to the DOJ Security Officer and Justice Management Division.

ATF’s Response:  ATF agrees with this recommendation. ATF recently modified the Sunflower Property Management System to provide an automated collection process of all data relating to the loss, damage, or theft of property assets. We are currently finalizing the semiannual Lost, Damage, and or Destroyed report for submission to DOJ, which is due on September 19, 2008.

Recommendation Number 11: Develop procedures to ensure ATF completes, accurate, and timely incident reports summarizing the loss of ATF laptop computers and submits those reports to DOJCERT, as required by DOJ policy.

ATF’s Response: ATF agrees with this recommendation. ATF currently has a procedure in place that requires ATF employees to provide complete, accurate and timely incident reports summarizing the losses of ATF laptop computers. These reports are currently submitted to the ATF Computer Help Desk and subsequently reported to the DOJCERT. These procedures are available to all ATF employees through the ATF Intra-web. These current procedures were reemphasized to all employees through an ATF CIO letter dated March 2007.

ATF is currently revising its procedures to allow for electronic reporting of laptops and weapons to the ATF JSOC. The JSOC is a 24-hour operation that will be ATF’s responsible component for ensuring all lost or stolen laptops and weapons are timely recorded in NCIC and reported to DOJCERT. This revised procedure will be effective no later than September 30, 2008.

Recommendation Number 12: Maintain documentation for all disposed property, document data clearing of disposed laptop computers, and update active and disposed property records, as necessary.

ATF’s Response: ATF partially agrees with this recommendation. The OIG audit period covered 59 months. ATF did not retain some of the records as prescribed by the following regulations. ATF retains and timely destroys records in accordance with ATF Order 1345.1, Records Management Program, General Records Control Schedule and 44 U.S.C. Chapters 31 and 36 CFR, Subchapter B (Records Management). Additionally, ATF notes that some of the survey reports that were destroyed pertained to property that was lost prior to the 2002 through 2006 timeframe covered by the OIG audit.

Recommendation Number 13: Develop procedures and maintain documentation to ensure that separated employees return all weapons, laptop computers, and other accountable property before they separate from ATF.

ATF’s Response: ATF agrees with this recommendation. ATF Order 2391.1 Employee Clearance Procedures notes that employees must return all ATF property before they separate from ATF. Completed Separation Checklists (ATF Form 2391.1) are forwarded to, and maintained by, the Payroll Processing and Operations Branch (PPOB) in the Human Resources Division. The Separation Checklist forms are maintained separately within PPOB in alphabetical order according to last name. Separated employees have not left ATF with sensitive property. However, we agree that our documentation process needs improvement. We are reviewing our internal control process to ensure the returns of property by employees will be documented by their supervisors and timely entered into Sunflower.

Recommendation Number 14: Enforce current requirements to perform annual inventories of ammunition and maintain a perpetual inventory system at all ammunition storage locations to ensure accurate and complete records.

ATF’s Response: ATF agrees with this recommendation. ATF will conduct an inventory of all ammunition by October 15, 2008. The MMB will provide instructions to all offices for this inventory no later than September 10, 2008. Additionally, effective Fiscal Year 2009, the Office of Inspection will add the inspection of ammunition control logs to its office review process.

Thank you for the opportunity to provide comments to the report. If you would like more information, please contact Acting Assistant Director Kenneth Massey at 202- 648-7500.

Michael J. Sullivan