The Department of Justice’s Victim Notification System

Audit Report 08-04
January 2008
Office of the Inspector General


Appendix XII
Executive Office for United States Attorneys Response

U. S. Department of Justice

Executive Office for United States Attorneys
Office of Legal Programs and Policy

Suite 7600, Bicentennial Building
600 E Street, NW
Washington, D.C. 20530-0001

(202) 616-6444
FAX (202) 616-6647

January 17, 2008

MEMORANDUM

TO: Raymond J. Beaudet
Assistant Inspector General for Audit
Office of the Inspector General

       /s/
FROM: Kenneth E. Melson
Director

SUBJECT: Response to OIG Report on the Department’s
Victim Notification System

Thank you for the opportunity to review the Department of Justice, Office of the Inspector General’s (OIG) draft audit report entitled, “The Department of Justice’s Victim Notification System.” The Executive Office for United States Attorneys (EOUSA) is proud of what it has accomplished with the Victim Notification System (VNS) since its implementation in January 2002. Since that time, 31,891,296 notification events have been provided to over one million victims of federal crimes. The VNS is the most robust system in the country for providing notification to victims of crime, far surpassing any other system in its complexity and the number of notifications sent. It also is the only system which we are aware of that by default opts in all victims of crimes. Without the system, the United States Attorneys’ Offices (USAO) would not be capable of meeting the requirements of the Crime Victims Rights Act to provide victims with notification of all public court proceedings. EOUSA concurs with most of the recommendations resulting from this review and provides its response below.

Providing notifications to victims requires the cooperation of many organizations beyond EOUSA and we will work with the USAOs, other Department components, and the other government agencies to resolve and implement solutions to the OIG’s findings. EOUSA expects the full cooperation of all the parties mentioned in working to continue to improve our ability to provide notifications of public court proceedings to victims of crime and will take all appropriate steps to help achieve compliance with OIG’s recommendations.

VNS provides notifications worldwide to victims of every background and experience, regarding an immense array of crimes and types of proceedings. It is necessarily broad and simple in its delivery. Its role is not to provide victims with all information they may want, or to inform victims about the system itself. That role is best handled by individuals who know the facts of the case and can thoroughly explain the situation to a victim. The role of VNS is to assist the Department with its provision of statutorily-mandated victim notifications. EOUSA will continue to seek to improve VNS to ensure that notifications are accurate and timely; however, VNS cannot replace the human interaction by USAO personnel with victims to provide them with additional information concerning their cases.

Documentation detailing EOUSA’s efforts to implement the action plan will be provided to the OIG until all corrective actions are taken.

ACTION PLAN

Recommendation 1: Develop a written plan to: (1) archive VNS data, which should include a schedule for the initial archiving, parameters for subsequent archiving, and the criteria it will utilize to determine the records ready for archiving; or (2) acquire new equipment that will resolve the capacity issue.

Response to Recommendation 1: Regarding the archiving of data, the OIG found “... because data in the VNS has never been archived, storage space on the VNS server has been filled to almost 80 percent of its capacity, affecting both data access speed and performance of the System.” Archival of data was included as a contract requirement in order to lessen the impact on system performance. However, EOUSA would note that despite the decline in performance resulting from the capacity issues, the System continued to operate within the parameters of the contract as evidenced by the monthly performance reports.

During the period covered by the OIG report new equipment was acquired by EOUSA and the installation of that equipment was completed on October 20, 2007. Funding for this equipment was provided in part from the annual OVC grant for VNS ($284,640) and from funds provided by EOUSA ($116,960). The replacement of the old equipment has alleviated the storage space issues for the projected life span of the new equipment and negates the necessity for archiving data. The next VNS contract has been tasked with addressing the issue of data archival in light of the decreasing cost of on-line data storage and the significant technology advances in this area.

Recommendation 2: Ensure that it is utilizing the newer version of the Tracker software, called Front Range, to allow for a more user-friendly data extraction and reporting function. Further, ensure that Front Range's feature that automatically e-mails the caller upon the closing of a ticket has been enabled and is being utilized to the fullest extent.

Response to Recommendation 2: As part of the Call Center/Help Desk procedure, contacts by victims and government users of the System with the contractor staff are logged and notes of the substance of the contact are maintained. The software used by the contractor for this purpose was Tracker. As noted in the Report on page 13, Tracker was replaced with Front Range on July 5, 2007.

EOUSA does plan to implement the email feature available within Front Range to survey individuals upon the closing of a “ticket” regarding customer satisfaction with the Help Desk. This feature is expected to be implemented in a future release to VNS.

Recommendation 3: Develop a universal interface for federal investigative agencies to upload data directly to the VNS.

Response to Recommendation 3: EOUSA has considered the universal interface one of several priorities since we conceived the idea almost three years ago. However, the enactment of the CVRA in 2004 has forced EOUSA to adopt many changes in VNS to accommodate that new law. As noted in the OIG report, funding for VNS actually declined since FY 2004. However, EOUSA accomplished the required changes to implement the CVRA within the declining allocation provided by OVC. Absent those demands on the VNS budget, the universal interface would likely have been implemented. EOUSA does plan to proceed with the universal interface when adequate funds are made available by OVC.

Recommendation 4: Work with the AOUSC to develop the hardware to connect the VNS and the AOUSC, develop a plan to connect individual federal court districts to the VNS using this interface, and endeavor to ensure that all federal districts are connected to the VNS.

Response to Recommendation 4: EOUSA and AOUSC have agreed to develop the ability to connect individual district courts to VNS. That technical development is underway and the projected completion date is late March 2008. Approximately 94 percent of this project was funded by EOUSA; a minimal amount was funded from the OVC annual grant to EOUSA for VNS. (Total expenditure $726,078, OVC funded $46,038.)

As part of the project with AOUSC, EOUSA intends to develop a plan to promote the connection of the individual district Courts to VNS. We believe this plan will ultimately result in the majority of U.S. District Courts participating in the VNS. However, absent Congressional action, the Department of Justice as part of the Executive Branch of the government will not be able to “ensure” the Courts, as part of the Judicial Branch, connect to VNS.

It must be noted that while EOUSA was able to provide funding for VNS this one fiscal year, we will not be able to continue to supplement funding for VNS in the future and must rely on sufficient funds being provided by OVC to continue with the operation, maintenance and enhancements for this System.

Recommendation 5: Work with VNS-participating agencies to develop and implement procedures for federal VNS users to ensure that victims’ contact information is current and updated.

Response to Recommendation 5: EOUSA agrees that it is essential that VNS contain current and accurate victim-contact information so that victims receive timely notification of court events. EOUSA also notes that frequently, it is difficult to obtain up-to-date victim contact information during the course of a criminal investigation. For example, in large-victim cases, often the only source of victim contact information is from a defendant’s files, and this information can be incomplete or inaccurate. In addition, victims often will move without informing investigators of their new addresses. In spite of these inherent difficulties, EOUSA will work with VNS-participating agencies to develop and implement additional procedures to ensure that victim contact information is as up-to-date and accurate as possible.

Recommendation 6: Develop long-range plans for the VNS and its management that include: (1) future software and hardware upgrades, (2) replacement of outdated equipment, (3) expansion of VNS server storage capacity, (4) a projection of enhancements needed to account for the future needs of government and victim users, and (5) a formal succession plan for VNS project management.

Response to Recommendation 6: (1) Future hardware and software upgrades are currently being addressed by the next VNS contract which is scheduled for award in 2008. That agreement will require the contractor to provide a plan for periodic replacement of VNS hardware and/or software; (2) the “outdated” equipment referred to in the Report was replaced on October 20, 2007; (3) Server storage capacity was resolved with the October 20, 2007 equipment replacement. Future storage issues will be part of the contract life cycle plans incorporated in the next VNS contract (see Response to Recommendation #1); (4) Regarding a plan for future enhancements, in early September 2007, EOUSA held a conference for USAO victim/witness staff members at the National Advocacy Center in Columbia, South Carolina. During that conference approximately 67 staff members representing offices from across the country attended a session dedicated to soliciting ideas for improving VNS and long range needs for users and victims. Those ideas will be used in conjunction with the next VNS contract to plan for the future. The new contract will contain provisions for the contractor to evaluate the current technology and to provide proposals for improvements to the System. However, any such long range plans for future needs are subject to sufficient funds, beyond the static allotment which has been furnished to EOUSA for this program since 2002, being made available from OVC; (5) EOUSA is responsible for maintaining several of the Department’s largest systems including LIONS, CDCS, and USA-5. Program managers have changed a number of times for these systems and others, so EOUSA does not believe there is reason for concern that there is no written succession plan for the program manager of VNS; however, EOUSA will provide the OIG with a written plan in the near future.

Recommendation 7: Work with VNS-participating agencies to develop and implement a nationwide procedure for addressing undeliverable correspondence and e-mail.

Response to Recommendation 7: Regarding undeliverable email notices, the use of email as a notification method has increased significantly since FY05 due to an engineering change implemented in early FY06. (Successful emails: FY05 - 34,358; FY06 - 598,073; FY07 - 868,857. Successful means VNS generated and transmitted the email notice.) EOUSA has recognized the need to address the undeliverable email issues; however, the need to devote the limited amount of VNS funding to CVRA related issues has impacted our ability to resolve this matter. The new VNS contract will require a technical solution to this issue; however, the technical change cannot be made until sufficient funding is made available.

Regarding undeliverable correspondence, EOUSA does encourage USAOs to make their best efforts to follow up on returned mail to obtain more accurate addresses. Further, it must be acknowledged that it is the responsibility of investigative agencies to ensure that accurate addresses are initially entered into VNS. However, recognizing the importance of ensuring that victims receive notifications, EOUSA will work with other agencies to develop a nationwide policy regarding returned mail.

Recommendation 8: Improve the Call Center automated assistance to allow callers to reach an operator at any point during a call.

Response to Recommendation 8: The current Call Center process, which only allows access to the Help Desk by victims once the ID/PIN is correctly entered, was engineered to provide some authentication for the Help Desk to assist in protecting the victim’s personal information in the System. However, we agree the System should permit a caller to reach an operator at any point after the user ID/PIN has been authenticated. An engineering change to allow this access will be considered for a future release to VNS.

Recommendation 9: Follow up with the sub-contractor at the VNS Call Center to fulfill its requirement to have a Spanish-speaking operator available during all hours of operation.

Response to Recommendation 9: Section C.5.10(b)(4) of the VNS contract requires: “The victim must also have the option of speaking directly with a Call Center operator (during Call Center hours of operation, see Section C.6) to obtain case information in either English or Spanish.” According to the contractor, about one operator call per month requires a fluent Spanish speaking operator. The VNS Project Manager has discussed the requirement with the VNS contractor. Currently, the Call Center has one fluent Spanish speaker and the remaining staff has some Spanish speaking capability. The contractor is aware of the requirement and is taking steps to recruit Spanish speakers.

In the interim, we have devised a plan which will make use of a department within Appriss which provides Spanish translations. If a Spanish speaker is not available at the Call Center, the Call Center will contact by telephone the Appriss translation department (located in the same building as the VNS Call Center), establish a 3-way call and have the Appriss division provide the translation for the Help Desk. This is intended as a temporary solution until such time as the Call Center can hire operators fluent in Spanish.

Recommendation 10: Work with the USMS to ensure that the accurate custody status of defendants is available to victims utilizing VNS services.

Response to Recommendation 10: In September 2007, EOUSA funded the cost of the engineering changes which will allow VNS to accept custody status data directly from the USMS. EOUSA has been in contact with USMS regarding this interface between the two systems, and plans to have VNS ready to accept data from USMS by March 2008. Once implemented, the data from USMS will provide VNS and victims with the current custody status of the defendant while their case is being litigated.

Recommendation 11: Ensure that information regarding restitution is consistent throughout the VIS so that it is clear to victims whether restitution information is available to them.

Response to Recommendation 11: EOUSA will undertake additional review of VIS regarding the consistency of the information provided regarding the availability of restitution.

Recommendation 12: Work with VNS-participating agencies to develop a requirement for federal VNS users to record a reason for opting a victim out of the VNS.

Response to Recommendation 12: EOUSA will request an engineering change to VNS which will require users to select one of the opt-out reasons when electing to stop notifications from being provided to a registered victim. This change will need to be carried over to various screens and reports in VNS involving the opt-out function. When sufficient funding is made available this change will be implemented.

Recommendation 13: Perform data integrity checks and implement the encryption of data files received to ensure completion and accuracy in accordance with Department policy.

Response to Recommendation 13: The EOUSA notes that all VNS data files are validated for format as part of the VNS import process; any incomplete or malformed files are rejected, thereby reducing the risk to system integrity and availability. Partial session encryption, rather than complete session encryption, is utilized for data transfers from the FBI and BOP; thereby providing partial rather than complete assurance of data integrity. The EOUSA VNS Program Management office is currently testing complete session encryption with the FBI, BOP, and the Justice Management Division (Rockville Data Center).

Recommendation 14: Update the VNS system security plan to reflect complete and accurate user identification and authentication security information as required by Department standards.

Response to Recommendation 14: The EOUSA has updated the System Security Plan as appropriate, including revision of user identification and authentication implementation.

Recommendation 15: Ensure that a disclaimer notification is developed for the VIS application to notify users when they are about to visit a third party website through a hyperlink.

Response to Recommendation 15: The VNS Program Management office will implement a disclaimer statement for VIS.

Recommendation 16: Modify the VIS application to protect against common web attacks in accordance with the recommendations listed for the specific vulnerabilities in Appendix XI.

Response to Recommendation 16: The EOUSA will assess VIS application with a leading commercial web application vulnerability assessment utility and implement corrective actions as appropriate. The EOUSA will explicitly test for the vulnerabilities listed in Appendix XI.

Recommendation 17: Terminate unnecessary or vulnerable services identified on the VNS servers.

Response to Recommendation 17: The EOUSA has completed actions to terminate unnecessary services on the VNS servers.

Recommendation 18: Apply application and server patches in a timely manner.

Response to Recommendation 18: The EOUSA Enterprise Vulnerability Management Program (EVMP) scans and assesses VNS networks and systems for vulnerabilities on a regular periodic basis (each month) and also on an irregular ad hoc basis. Application and server patches are analyzed, risks weighed, and finally resolved to either be corrected or accepted as risk. Due to technical and business considerations, not all patches are applied. In accordance with the DOJ IT Security Program Management Plan, the EOUSA will continue to resolve vulnerabilities in a timely manner. Patches selected for implementation will continue to be applied in accordance with documented VNS configuration management processes.

Recommendation 19: Adequately secure network devices and server configurations in accordance with the recommendations listed for the specific vulnerabilities in Appendix X.

Response to Recommendation 19: The EOUSA continues to assess VNS infrastructure on a regular periodic basis with the DOJ standard assessment utility in accordance with the DOJ IT Security Program Plan. Several vulnerabilities listed in Appendix X have been corrected. Others have been confirmed as false positives. The EOUSA will continuously monitor and assess VNS for vulnerabilities and implement corrective actions as appropriate to maintain an acceptable level of risk.

Thank you again for the opportunity to provide comments to the Report.


