The Drug Enforcement Administration's Control Over Weapons and Laptop Computers Follow-Up Audit
Audit Report 08-21
Office of the Inspector General
U. S. Department of Justice
Drug Enforcement Administration
www.dea.gov, Washington, D.C. 20537
MAR 19 2008
TO: Raymond J. Beaudet
Assistant Inspector General
Office of the Inspector General
FROM: Gary W. Oetien
Deputy Chief Inspector
Office of Inspections
SUBJECT: DEA’s Response to the OIG’s Draft Report: The Drug Enforcement Administration’s Control over Weapons and Laptop Computers Follow-up Audit
The Drug Enforcement Administration (DEA) has reviewed the Department of Justice (DOJ), Office of the Inspector General’s (OIG) draft audit report, entitled: The Drug Enforcement Administration’s Control over Weapons and Laptop Computers Follow-up Audit. DEA acknowledges OIG for its efforts in conducting a review of DEA’s control over weapons and laptops. As a result of this review, DEA concurs with six of the seven recommendations promulgated in the draft report and will take the necessary steps to implement the recommendations.
DEA appreciates that OIG noted the DEA made significant improvement in its rate of loss for laptop computers, decreasing by more than 50 percent, compared to OIG’s 2002 audit of DEA’s weapons and laptops. OIG also noted in its report that the DEA’s Firearms Training Unit (TRDG) corrected all weapons-related deficiencies directed to TRDG in OIG’s 2002 audit report.
OIG reported during its current review that DEA was not accurately reporting lost/stolen weapons and that all lost/stolen weapons were not entered into the National Crime Information Center (NCIC) database. In April 2007, DEA implemented a new policy regarding the loss/theft of firearms and has since ensured that all lost/stolen weapons are accurately reported and entered into the NCIC database.
OIG noted in its review that DEA was unable to provide assurance that the contents for 226 of 231 lost or stolen laptops did not contain sensitive information or personally identifiable information (PII). Moreover, OIG stated that this finding was similar to the findings in its 2002 audit report.
DEA notes that PII was federally codified in May 2006, in an Office of Management and Budget (OMB) memorandum (06-15), entitled: Safeguarding Personally Identifiable Information. In October 2006, DEA issued a broadcast message to all DEA employees requiring them to report losses of PII. OIG’s recent review, which covered the period from January 2002 to June 2007, implies that DEA was deficient in its reporting of PII during their current and previous review when, in fact, DEA was not required to report PII until May 2006.
DEA provides the following response to the OIG’s recommendations:
Recommendation 1. Ensure that all DEA Forms 29 submitted are complete, accurate, and promptly submitted in accordance with DEA policy.
DEA concurs with the recommendation. DEA has recently implemented new interim policy, (pending revision of DEA’s Information Technology Rules of Behavior) regarding lost/stolen/missing DEA owned laptop computers by all DEA personnel, Task Force Officers (TFO) and contractors (Attachment 1). The new policy supersedes the memorandum issued by former Administrator Asa Hutchinson, dated October 18, 2002, entitled: “Improving Inventory Controls of Laptop Computers,” which had been DEA’s policy for the reporting of lost/stolen/missing laptop computers. The new interim policy will be incorporated into DEA’s Interim Information Technology Rules of Behavior and the Administrative Manual.
The new laptop policy requires that immediate verbal notification be made to the Special Agent in Charge (SAC), Regional Director (RD), or Headquarters Office Head (HOH) by the individual who had custody or control of the laptop computer at the time of the loss/theft or who becomes aware that any laptop computer is unaccounted for or missing. The SAC/RD/HOH, or their designee, is responsible for the immediate telephonic reporting of the loss/theft of the laptop computer to the DEA Headquarters (HQ) Command Center (OMC). Within 48 hours after the discovery of the loss/theft, the SAC/RD/HOH will notify the Chief Inspector (IG), the Office of Security Programs (IS), Office of Professional Responsibility (OPR), the Office of Administration (SA), the Office of Information Systems (SI), and the Board of Professional Conduct (HRB) via a teletype or memorandum of the loss/theft. The person reporting the lost/stolen or missing laptop computer must complete the DEA Form 29 within five business days of discovering the lost/stolen or missing laptop computer. The OPR Inspector or Field Supervisory Special Agent assigned the loss/theft investigation will review the DEA Form 29 during the course of their investigation to ensure the form contains all necessary information.
In April 2007, DEA implemented new policy regarding the loss or theft of firearms. The reporting of a lost or stolen firearm mirrors the above-mentioned loss/theft/missing laptop computer policy with the exception of the time allowed for preparing the DEA Form 29. Presently, an individual is required to complete the form within 48 hours of discovering that the firearm is lost/stolen. The Agents Manual will be revised to change the time for completing the DEA Form 29 from 48 hours to five business days. The Agents Manual will still require immediate verbal notification by the SAC/RD/HOH, or their designee, to OMC and subsequent notification within 48 hours, via a teletype or memorandum, to OPR, HRB, and TRDG.
Recommendation 2. Ensure that weapon and laptop computer losses are accurately and promptly entered into the NCIC database.
DEA concurs with the recommendation. DEA has recently implemented new interim policy regarding the reporting of lost/stolen/missing DEA owned laptop computers by all DEA personnel, TFOs, and contractors (Attachment 1). The new policy supersedes the memorandum issued by former Administrator Asa Hutchinson, dated October 18, 2002, entitled, “Improving Inventory Controls of Laptop Computers” which had been DEA’s policy for the reporting of lost/stolen/missing laptop computers. The new interim policy will be incorporated into DEA’s Interim Information Technology Rules of Behavior and the Administrative Manual.
Unlike the policy stated in former Administrator Hutchinson’s 2002 memorandum, DEA’s new laptop policy requires that the notification teletype or memorandum prepared by the SAC/RD/HOH within 48 hours of the loss/theft of the laptop computer document that the laptop was entered into NCIC as well as the name of the agency that entered the laptop computer into NCIC and the date entered. The new policy also requires that the NCIC entry confirmation be an attachment to the report of investigation regarding the loss/theft of the laptop.
In April 2007, DEA implemented new policy regarding the loss or theft of firearms. Since April 2007, there have been 13 incidents involving lost or stolen weapons and 12 of the weapons were entered into NCIC. The instance where the weapon’s serial number was not entered into NCIC involved a TFO reporting his weapon lost on one day and finding it in his residence the following day.
Recommendation 3. Revise the DEA Agents Manual to include procedures for actions required by DEA personnel to report lost or stolen laptop computers. At a minimum the Agents Manual should be revised to require information on laptop make, serial number, model number, NCIC record number, and a statement on the contents of the laptop and whether it contained classified, sensitive, or PII. The DEA Agents Manual should also be revised to require that the investigation of lost or stolen laptops verify the contents of any missing laptop and ensure this information is described in detail in the case file.
DEA concurs with the recommendation. DEA has recently implemented new interim policy regarding the reporting of lost/stolen/missing DEA owned laptop computers by all DEA personnel, TFOs, and contractors (Attachment 1). The new policy supersedes the memorandum issued by former Administrator Asa Hutchinson, dated October 18, 2002, entitled, “Improving Inventory Controls of Laptop Computers” which had been DEA’s policy for the reporting of lost/stolen/missing laptop computers. The new policy will not be included into the Agents Manual since laptop computers are utilized not only by Special Agents, but also Intelligence Research Specialists, Diversion Investigators, Forensic Chemists, support staff, and contractors. The interim policy will be incorporated into DEA’s Interim Information Technology Rules of Behavior and the Administrative Manual.
DEA’s interim policy mandates that during the immediate telephonic notification to OMC by the SAC/RD/HOH, or their designee, information supplied to OMC will include the laptop’s make, model number, and serial number. Also included in the information supplied to OMC is whether any classified, sensitive but unclassified (SBU) or personal identifying information (PII) was stored on the laptop, and if so, a summary of the information stored including any risk posed by the loss or compromise of the information stored. The notification teletype or memorandum prepared by the SAC/RD/HOH within 48 hours of the loss/theft of the laptop computer will include the above-mentioned information along with facts that the laptop data was entered into NCIC, the name of the agency that entered the laptop computer into NCIC, and the date entered.
The interim policy requires that the OPR Inspector or Field Supervisory Special Agent assigned the loss/theft investigation prepare a report of investigation. This report will address various areas to include whether the laptop’s use was consistent with DEA policy, confirmation of the installation of approved encryption software, and the type of information processed or stored on the laptop computer.
Recommendation 4. Revise its policy to ensure that all laptop computers are encrypted.
DEA does not concur with the recommendation. In early 2007, DEA’s Office of Information Systems and the Office of Security Programs established a program to deploy and implement full hard-drive encryption on laptops that are used to process sensitive information. As of December 2007, laptops that process sensitive information or PII have full disk encryption implemented in compliance with the July 30, 2007 DEA Chief Information Officer (CIO) mandate. In this memorandum, the CIO stated, “Mobile computing devices are authorized to process and store PII and ‘sensitive but classified’ (SBU) data, provided they are encrypted with PointSec software (or other Office of Information Systems approved encryption software) and are not utilized to access the Internet.” PII is primarily defined as any personal information that can be linked to an individual (i.e., names, social security numbers, dates of birth, etc.), while SBU data includes such items as DEA-6s (and other investigative reports/documents), court orders, subpoenas, etc. All mobile computing devices that are used exclusively to support electronic surveillance, computer forensics, polygraph examinations, and other digital monitoring functions are exempt from the security requirements mandated above.”
These exemptions are required based on attempts to load mission support applications onto laptops that were installed with the approved DEA encryption software. Problems with Global Positioning Satellite (GPS) monitoring, video surveillance, polygraphs and computer forensics were reported. Analysis of these problems revealed that the software lacks support for all the Operating Systems needed. The system partitioning requirements are impacted by loading the encryption software. The software caused video surveillance and control capabilities to be slowed down to a point of inoperability. DEA requests that the recommendation be changed to accommodate/exempt laptops supporting operational functions (such as Tracking and Monitoring, Video Surveillance, Polygraphs and Computer Forensics) that are rendered inoperable when full disk encryption is installed and implemented.
Recommendation 5. Ensure that each division maintains supporting documentation for laptop purchases and disposals.
DEA concurs with this recommendation. DEA will notify the field and Headquarters offices of the requirement to maintain laptop purchase and disposal documents in a centralized location in each division and headquarters office. The memorandum will be issued within 60 days of the issuance of the Final Report. The DEA Administrative Manual and the Property Management Handbook will also be revised to reflect this requirement for laptop purchase and disposal documentation.
Recommendation 6. Prepare and submit to DOJ Justice Management Division complete and accurate semiannual Department Theft Reports regarding the loss of weapons and laptop computers and to DOJCERT incident reports regarding the loss of laptop computers.
DEA concurs with this recommendation. Losses and thefts of government and personally-owned property sustained by DEA or DEA employees will be reported in accordance with the requirements and procedures contained in DOJ Order 2630.2A, Protecting and Controlling Federally Controlled Property and Loss/Theft Reporting Procedures. The semiannual report will be reconciled with the appropriate DEA components in December and June, to ensure accuracy, then consolidated by the DEA Security Programs Manager for timely transmittal to the DOJ Security Officer in January and July.
Incident reports regarding the theft or loss of laptop computers will be governed by DEA’s new interim policy regarding the reporting of lost/stolen/missing DEA owned laptop computers (Attachment 1). In accordance with this policy, the Office of Security Programs will receive reports of stolen, missing, or lost laptops, categorize incidents in accordance with DOJ/DEA policy, and ensure incidents are reported to DOJCERT and/or the Security and Emergency Planning Staff (SEPS) based on information sensitivity timeframes.
Recommendation 7. Strengthen the exit processing for departing employees to ensure that documentation on the Employee Clearance Record clearly indicates specifics on remitted laptops.
DEA concurs with this recommendation. The Office of Security Programs is drafting clearance procedures for separating and transferring employees that will include an inventory and disposition of all assigned government equipment to include full identification of remitted laptops. The clearance procedures will accompany an updated version of the DEA Form 171a (Employee Clearance Record).
Documentation detailing DEA’s efforts to implement the attached action plan will be provided to the OIG on a quarterly basis, until such time that all corrective actions have been completed. If you have any questions regarding DEA’s response to the OIG’s recommendation, please contact Senior Inspector Michael Stanfill at 202-307-8769.
The DEA has identified Attachment 1 to its response as “DEA Sensitive.” Therefore, it has been excluded from this report.