The OIG provided a draft of this audit report to the DEA for its review and comment. In its response to our report, the DEA concurred with six of our seven recommendations and provided supplementary comments regarding certain information contained in the report. Before addressing the actions necessary to resolve and close the report recommendations, we first address statements by the DEA concerning our findings that the DEA did not appropriately encrypt its laptop computers and did not know the contents of its lost and stolen laptops.
The DEA disagreed with our recommendation to revise its policy to ensure that all laptop computers are encrypted. The DEA requested that our recommendation be modified to recognize the need for an exemption for laptops supporting operational functions, such as tracking and monitoring using GPS, video surveillance, polygraph examinations, and computer forensics. The DEA stated that it has had difficulty operating software applications for these uses when employed on encrypted laptops and that these laptops are not authorized to process sensitive case information or personally identifiable information (PII).
We recognize that encryption software can sometimes cause problems in operating certain software applications. However, for several reasons, we believe that all DEA laptops should be encrypted and the DEA should work with the Department to identify a compatible encryption product for these laptops.
First, despite the DEA’s assertion that the laptops that were not encrypted were not authorized to process sensitive case information or PII, such laptops can and do contain such sensitive information. For example, our audit found five unencrypted laptops that contained sensitive case information or PII, including one laptop that the DEA would have exempted. Moreover, the DEA could not determine what was on 226 lost or stolen laptops and therefore was unable to ensure that those laptops contained no sensitive information or PII. These findings support our belief that, notwithstanding DEA policy, these laptops may process sensitive information, and that the DEA should encrypt all laptops to mitigate the possibility of loss of sensitive information and PII.
Second, we discussed the DEA’s exemption policy with the Acting Director of the DOJ Information Technology Security Staff. He stated that he believed the DEA should work with the DOJ information technology staff to find a solution to its encryption issues. We agree. Only if a solution cannot be found for the encryption issues should the DEA consider waiving the encryption requirement. In that event, the DEA needs to clearly instruct personnel that these laptops are not to be used for processing sensitive information or PII. Further, these laptops should be marked to indicate that they are not authorized for processing sensitive information or PII.
Finally, we note that the process the DEA used to waive the encryption for the laptops did not comply with DOJ policy. In February 2007, the Deputy Attorney General issued a memorandum addressing the protection of PII and other sensitive data. The memorandum delegated the authority to make a written determination that particular agency data is non-sensitive and exempt from encryption requirements to the head of the component, and limited further delegation to the component head’s principal deputy. However, the DEA reported in its response that the DEA Chief Information Officer, not the Administrator or Deputy Administrator, exempted laptops used for supporting operational functions, which is contrary to the process required by the Deputy Attorney General’s memorandum.
With regard to the DEA’s investigation of laptop losses, the DEA response discusses our finding that it was unable to provide assurance that 226 of the 231 lost or stolen laptops did not contain sensitive information or PII. The DEA’s response states that PII was federally codified in May 2006 in an OMB memorandum, and that the DEA then issued a message to all DEA employees requiring them to report losses of PII. The DEA response then states that the OIG report “implies that DEA was deficient in its reporting of PII during their current and previous review when, in fact, DEA was not required to report PII until May 2006.”
First, the DEA’s argument regarding when it was required to report lost laptops is not correct. Contrary to the DEA’s assertion that its reporting obligation was not defined until the May 2006 OMB memorandum, DOJ Order 2640.2E, “Information Technology Security,” dated November 28, 2003, required that incidents that result in the loss or compromise of information be reported to the Department Security Officer and the Department Chief Information Officer. Further, DOJ Information Technology Security Standard “Incident Response,” Version 1.0, dated March 2005, required components to report all incidents of data loss to the DOJCERT.
Second, as noted in our report, the DEA did not know the contents of most of the missing or stolen laptops. All DEA laptops have the potential to be used for sensitive casework and to contain sensitive information or PII. Therefore, if laptops were lost or stolen, the DEA should have investigated the loss, determined what was on the laptop, and reported the loss to the Department. We believe this responsibility arose independently from, and before, the OMB memorandum of May 2006.
The following is our analysis of the DEA’s response to our specific recommendations.
Status of Recommendations:
1. Resolved. The DEA concurred with our recommendation to ensure that all DEA Forms 29 are complete, accurate, and promptly submitted in accordance with DEA policy. The DEA stated that it has implemented new interim policies regarding the reporting of both lost or stolen laptops and weapons, which require immediate verbal notification by the responsible parties to the appropriate Special Agent in Charge, Regional Director, or Headquarters Office Head. The policies also require a DEA Form 29 to be completed within a specified timeframe and to be reviewed to ensure that it contains all necessary information. The DEA must also ensure that its policy includes notifying DOJCERT within 1 hour of an incident involving a lost or stolen laptop.
This recommendation can be closed when we receive copies of the revised Agents Manual and the Administrative Manual incorporating the guidelines specified in the new policies.
2. Resolved. The DEA concurred with our recommendation to ensure that weapon and laptop computer losses are accurately and promptly entered in the NCIC database. The DEA has implemented an interim policy specifying new reporting requirements regarding the entry of lost or stolen laptops and weapons in the NCIC database.
This recommendation can be closed when we receive copies of the revised DEA Interim Information and Technology Rules of Behavior and Administrative Manual incorporating the new policy governing entry of lost or stolen laptops and weapons in the NCIC database.
3. Resolved. The DEA concurred with our recommendation to revise the DEA Agents Manual to include procedures for actions required by DEA personnel to report lost or stolen laptop computers. The DEA stated that it has implemented a new interim policy regarding the reporting of lost, stolen, or missing DEA-owned laptops by its personnel. According to the DEA’s response, this policy includes recording the laptop make, model number, and serial number, as well as information on the NCIC entry and a summary of any sensitive or PII contained on the laptop.
This recommendation can be closed when we receive copies of the revised DEA Interim Information and Technology Rules of Behavior and Administrative Manual incorporating the new policy governing the reporting of lost, stolen, or missing laptop computers.
4. Unresolved. The DEA did not concur with our recommendation to revise its policy and ensure that all laptop computers are encrypted. As discussed above, we believe the DEA should reconsider this issue. In order to resolve and close this recommendation, we believe the DEA should work with the DOJ information technology staff to find a solution to operating its technical programs with a DOJ-approved encryption software package.
5. Resolved. The DEA concurred with our recommendation to ensure that each division maintains supporting documentation for laptop purchases and disposals. The DEA stated that it revised its Administrative Manual and Property Management Handbook to require its field and headquarters offices to maintain purchase and disposal information in a centralized location.
This recommendation can be closed when we receive copies of the revised DEA Administrative Manual and Property Management Handbook incorporating this requirement.
6. Resolved. The DEA concurred with our recommendation to prepare and submit to the DOJ Justice Management Division complete and accurate semiannual Department Theft Reports regarding the loss of weapons and laptop computers, and to submit to DOJCERT incident reports regarding the loss of laptop computers. The DEA stated that it will comply with the reporting requirements of DOJ Order 2630.2A, “Protecting and Controlling Federally Controlled Property and Loss/Theft Reporting Procedures.” The DEA stated that it will reconcile its semiannual report with the appropriate DEA components to ensure accuracy in December and June, and that it will consolidate the information for timely reporting to the DOJ Security Officer in January and July. The DEA also stated that incident reports regarding the theft or loss of laptop computers will be governed by its new policy concerning the reporting of lost, stolen, or missing DEA-owned laptop computers.
This recommendation can be closed when we receive documentation supporting the implementation of the DEA’s new policies for reporting weapon and laptop losses to the DOJ and a copy of an accurate and timely-submitted semiannual Department Theft Report.
7. Resolved. The DEA concurred with our recommendation to strengthen the exit processing for departing employees to ensure that documentation on the Employee Clearance Record clearly indicates specifics on returned DEA laptops. The DEA stated that its Office of Security Programs is drafting clearance procedures for separating and transferring employees that will include an inventory and disposition of all assigned government equipment, including the full identification of returned laptops.
This recommendation can be closed when we receive the new employee clearance procedures, a revised DEA Form 171a (Employee Clearance Record), and documentation verifying that the new procedures have been implemented.