Audit Report

To understand the full context of these recommendations, it is necessary to view the associated report in its entirety. Recommendations that have been repeated in subsequent reports are designated in the following tables by having multiple years in the FY column. The FY column also contains the recommendation number and a designation as to whether the recommendation resulted from a material weakness (MW), reportable condition (RC), or management letter comment (MLC).⁵⁰

1. Recommendations in the Detailed IT Reports Issued in Support of the Annual FBI Financial Statement Audits

Entity-Wide Security Program Planning and Management Controls: Closed Recommendations

FY(s)	Recommendation	FBI's Progress
1998 RC#16	The FBI should take steps to clearly assign, identify, and communicate information security responsibilities. Such steps should include the development of detailed organizational charts, job descriptions, and security plans, all of which should be kept current.	The FBI hired a contractor in August 1999 to complete this task. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.
1998 RC#17	Allocate sufficient resources to ensure the proper implementation of its policy requiring all ADPT systems used to process, store, or transmit classified or sensitive information to be accredited every three years.	The FBI hired a contractor in August 1999 to complete this task. This recommendation was closed in October 2002 based on a review of the corrective actions taken.
1999 MW#1 1998 RC#14	Ensure that risk assessments of the FBIHQ Data Center, its other general support systems, and all major applications are conducted as required by OMB Circular A-130, and by the FBI's Manual of Investigative Operations and Guidelines: FBI ADPT Security Policy, Part II, Section 35:8.1.3, ADPT Security Policy.	The FBI's March 2001 response to the recommendation stated that a contractor was to conduct a risk assessment and revise the system security plan for the administrative Information Support Systems. This recommendation was closed by the OIG on final issuance of the FY 1999 report, based on a review of risk assessments provided.
1999 MW#3 1998 RC#17	Ensure that the systems and applications are accredited every three years.	The FBI's March 2001 response to the recommendation stated that the re-accreditation of the FBIHQ and Clarksburg Data Centers, the FBI LAN/Wide Area Network (WAN) and the legacy administrative applications were completed during June 2000. This recommendation was closed by the OIG upon final issuance of the FY 1999 report, after a review of the accreditation packages.
1999 MW#4	Renew the interim accreditation for general control systems and major applications and ensure these accreditations: a. reflect a more accurate estimate of the anticipated final accreditations, according to the contractor's planned deliverable due dates and actual progress to date; and b. address the increased threats and vulnerabilities to the FBI's systems, applications, and connectivity, which were identified during penetration test work.	The FBI's March 2001 response to the recommendation stated that the re-accreditation of the FBIHQ and Clarksburg Data Centers, the FBI LAN/WAN, and the legacy administrative applications were completed during June 2000. This recommendation was closed by the OIG in October 2002 based on a review of corrective actions taken.
1999 MW#5 1998 RC#18	The FBI should improve security and application controls by determining which of its systems are classified as "major applications," and ensuring that for each major application, including the Financial Management System and Bureau Personnel Management System (BPMS): security plans are developed in accordance with OMB Circular A-130, implemented, disseminated to systems users, and periodically updated, as necessary; risks are assessed when there is a major systems modification, or, at a minimum, every three years; and the system is accredited at least every three years.	The FBI's March 2001 response to the recommendation stated that the necessary actions were completed and the FBIHQ and Clarksburg Data Centers, the FBI LAN/WAN, and the legacy administrative systems were re-accredited. This recommendation was closed by the OIG upon final issuance of the FY 1999 report based on a review of risk assessment, security plans, and accreditation statements.

Source: OIG analyses as of April 2003

Access Controls: Closed Recommendations

FY(s)	Recommendation	FBI's Progress
1996/97 RC#2	The FBI should consider reducing the PWEXP⁵¹ duration from 90 days. Further, the grace period for the expiration of user passwords should be reduced to 5 days.	The FBI's February 1999 response to the recommendation stated that no action would be taken and that that the Bureau was well within the DOJ mandate that called for password expiration every 180 days. Upon further review, the OIG agreed with the FBI's position that no corrective action was necessary. As a result, this recommendation was closed by the OIG upon the issuance of the FY 1996/97 final report.
1996/97 RC#3	Set the TAPE parameter (from the FBI's mainframe computer security package) to "ON."	The FBI's February 1999 response to the recommendation stated that if the Bureau followed the recommendation, the software would not function properly. Upon further review, the OIG agreed with the FBI's position that no corrective action was necessary. As a result, this recommendation was closed on issuance of the FY 1996/97 final report.
1996/97 RC#4	The PWVIEW parameter (from the FBI's mainframe computer security package) should always be set to "NO." If this parameter is changed, proper authorization should be obtained from the data security officer.	The FBI's February 1999 response to the recommendation stated that the Bureau agreed with the recommendation. This recommendation was closed by the OIG upon issuance of the FY 1996/97 final report based on a review of the corrective actions taken.
1996/97 RC#5	Establish procedures that require new users to immediately change their initial password. These procedures should be distributed to the user when they are notified that access has been established.	The FBI's July 1999 response to the recommendation provided information demonstrating adequate corrective actions. This recommendation was closed by the OIG in December 1999 based on a review of the corrective actions taken.
1996/97 RC#6	The FBI should review user access to sensitive system files. After the review, data set access should be modified to restrict user access, including READ and EXECUTE, to sensitive system files.	The FBI's February 1999 response to the recommendation stated that although the Bureau was performing this function, it did not have a formal process documenting these reviews. This recommendation was subsequently closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.
1996/97 RC#10	Develop the Authorized Program Facility administrative policies and procedures to ensure compliance with the manufacturer's integrity rules for all its mainframe operating systems.	The FBI's February 1999 response to the recommendation stated that the Bureau conducted semiannual audits to ensure that data sets that no longer needed to be authorized had been removed. This recommendation was closed by the OIG upon issuance of the final report, based on a review of the corrective actions taken.
1996/97 RC#11	Establish policies and procedures to ensure that Novell users are assigned unique passwords.	The FBI's February 1999 response to the recommendation stated that the FBI agreed with the recommendation and that immediate corrective action had been taken. This recommendation was closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.
1996/97 RC#12	Modify the Novell Network Administrator facility to prevent Finance Division users from viewing other users' access capabilities.	The FBI's February 1999 response to the recommendation stated that corrective action had been taken. This recommendation was closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.
1996/97 RC#13	Establish and distribute procedures requiring local security administrators to periodically, at least quarterly, review employees' access privileges in relation to their current job functions.	The FBI's February 1999 response to the recommendation stated that alternative corrective actions were implemented. The recommendation was closed by the OIG upon the final report's issuance based on acceptable corrective actions taken.
1996/97 RC#14	Evaluate the risks of retaining inactive user identifications beyond 180 days on the system. Modify policies and procedures to ensure compliance.	The FBI's February 1999 response to the recommendation stated that the user accounts were being removed after 180 days of inactivity. This recommendation was closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.
1996/97 MLC#23	Develop and implement exit procedures that require the local security administrator or security officer to promptly remove user access for terminated employees.	The FBI's February 1999 response to the recommendation stated that the FBI recommended an alternative corrective action. This recommendation was closed by the OIG upon the final report's issuance based on a review of the corrective actions taken.
1996/97 MLC#24	Create an electronic file that identifies terminated and transferred employees. In addition, continue periodically reviewing user access profiles and privileges.	The FBI's February 1999 response to the recommendation stated that the corrective action for this recommendation was completed in October 1998. This recommendation was closed in December 1999 based on a review of the corrective actions taken.
1996/97 MLC#25	Implement appropriate access controls in order to operate at the B1 level of trust.	The FBI's February 1999 response to the recommendation stated that factual inaccuracies existed in the recommendation. However, the recommendation was subsequently closed by the OIG upon issuance of the final report based on acceptable alternative corrective action taken.
1996/97 MLC#26	Review daily reports for the System Management Facility (SMF) record 07 to ensure that SMF records are not being lost due to the untimely dumping of buffer files to tape. Record and include SMF records 17, 18, and 60-69 in normal backup procedures.⁵²	The FBI's February 1999 response to the recommendation stated that an alternative corrective action was implemented. This recommendation was closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.
1998 RC#1 1996/97 RC#1	Set the MODE parameter to "FAIL."	The FBI's February 1999 response to the recommendation stated that the testing of the "FAIL" global mode would be initiated to determine if any adverse problems surfaced that would preclude making this a permanent setting. This recommendation is revisited annually by the OIG and was closed on final issuance of the FY 1996/97 and 1998 reports based on a review of the corrective actions taken.
1998 RC#2	Initiate, plan and execute a project to refine the CA-Top Secret⁵³ profiles to support role-based access controls based upon the access required by system users to complete the responsibilities of assigned roles and responsibilities.	The FBI's June 2000 response did not address this recommendation. However, the recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.
1998 RC#3	Periodically perform an entity-wide data assessment on network systems to determine where potential liabilities exist.	The FBI's June 2000 response to the recommendation stated that the FBI did not agree with the recommendation. Although in their response the FBI disagreed with the finding, documentation was subsequently provided that supported corrective actions taken. The recommendation was closed by the OIG upon issuance of the final report.
1999 MW#7 1998 RC#8a	Delete users that no longer require access to the network or do not have a demonstrated need for their access.	The FBI's March 2001 response to the recommendations stated that the Financial Division Systems Administrators had completed the recommended secure networking environment changes pertaining to these recommendations. These recommendations were closed by the OIG based upon a review of the corrective actions taken.
1999 MW#8 1998 RC#8e 1998 RC#8b 1998 RC#8c 1998 RC#8d	Require unique passwords for all user accounts, particularly system administrators. Restrict users from having concurrent logins. Enable time restrictions for user accounts. Assign account expiration for temporary user accounts.
1999 MW#9 1998 RC#8f	Require all system administrators to change their passwords at least every 30 days.
1999 MW#11	Conduct a complete audit of the CA-Top Secret and FMS application security to identify all security control weaknesses and develop a plan of action for implementing an effective security program.	The FBI's March 2001 response to the recommendation stated that the FBI is continuing its efforts to modify and hone the FMS Top-Secret Security profiles to ensure the "least privilege" type of access is provided to the FMS customers. This recommendation was closed by the OIG upon issuance of the FY 1999 final report based on a review of the corrective actions taken.
1999 MW#12 1998 RC#4 1996/97 RC#8	Periodically perform an entity-wide data assessment on the mainframe and network systems to determine where potential liabilities exist.	The FBI's March 2001 response to the recommendations stated that during FY 2000, a number of actions were completed relative to the recommendations. These recommendations were closed by the OIG upon issuance of the FY 1999 final report based on a review of the corrective actions taken.
1999 MW#13 1998 RC#5 1996/97 RC#7	Initiate, plan, and execute a project to refine the CA-Top Secret profiles to support role-based access controls based upon the access required by the systems users to complete the responsibilities of assigned roles and responsibilities.
1999 MW#14 1998 RC#10 1996/97 RC#9	Consider installing "smart card" technology to provide a more robust means of authentication for legitimate users of the FBI systems.
1999 MW#15	Establish and implement a policy that prevents employees from indiscriminately activating dial-up access to FBI systems.	FBI's March 2001 response to the recommendation stated that the Bureau had purchased commercial-off-the-shelf software and was developing a procedure to perform "war dialing" exercises on all FBI Private Branch Exchange lines. This recommendation was closed by the OIG based on a review of the corrective actions taken.
1999 MW#16	Review the Finance Division's access privileges on the Novell NetWare file and directory objects to ensure that only those individuals requiring read, write, create, modify, and scan have such privileges.	The FBI's March 2001 response to the recommendation indicated that the Finance Division system administrators reviewed the access privileges on the Novell NetWare file and directory objects and made changes to insure proper access. This recommendation was closed by the OIG upon issuance of the FY 1999 final report based on a review of the corrective actions taken.
2000 MW#5	Ensure that the Finance Division Windows NT configuration meets the criteria presented in the FBI Windows NT baseline documentation.	The FBI's September 2001 response to the recommendation stated that the Finance Division system administrators reviewed access privileges on the Novell NetWare file and directory objects and made changes to insure proper access. Changes were made to allow access to file and directory objects based on assignment. This recommendation was closed by the OIG upon issuance of the FY 2000 final report based on a review of corrective actions taken.
2000 MW#6	Ensure all shares providing full access are removed. In addition, all Finance Division administrators should receive network security training to properly ensure that they are kept abreast of current and proper administrative techniques.	The FBI's June 2002 response to the recommendation stated that all employees responsible for the Division's servers had been properly trained and certified. The FBI also provided a list of the courses offered. This recommendation was closed by the OIG in October 2002 based on a review of corrective actions taken.
2000 MW#7	Ensure all user accounts inactive for over 90 days are suspended and user accounts inactive for 180 days are deleted from the Finance Division's LAN.	The FBI's June 2002 response to the recommendation provided information and evidence of corrective action. This recommendation was closed by the OIG in October 2002.
2000 MW#8	Ensure the current service pack is installed on all Microsoft Windows NT environments.	The FBI's September 2001 response to the recommendation stated that a team was formed to ensure that proper software updates and configuration standards are maintained. The recommendation was closed by the OIG upon issuance of the FY 2000 final report based on a review of corrective actions taken.
2000 MW#9	(U) Ensure the database administrator Top Secret Accessor Identification (ACID) profile is reviewed and altered to ensure that only the least amount of privileges are granted to complete assigned job tasks.	The FBI's September 2001 response to the recommendation stated that the FBI reviewed the profile of the database administrator and altered the profile to provide privileges required to complete tasks. The OIG closed this recommendation in October 2002 based on a review of the corrective actions taken.
2000 MW#10	Ensure the removal of the IBMUSER account from the mainframe.	The FBI's September 2001 response to the recommendation stated that this issue was resolved before December 2000. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

Source: OIG analyses as April 2003

Access Controls: Open Recommendations

FY(s)	Recommendation	FBI's Progress
1998 RC#7	Periodically perform an entity-wide data assessment on network systems to determine where potential liabilities exist.	The FBI's June 2000 response to the draft report stated that the FBI's Information Resources Division (IRD) Server Team installed a Gateway 8400 server to address this recommendation. Verification is still required to close this recommendation.
1998 RC#9	Develop formal procedures to establish audit trails in the security features of networks that are consistent across all divisions/departments, including the activation of NetWare's "Intruder Detection." These procedures should include provisions to reinforce the active monitoring of that security information.	The FBI's June 2000 response to the draft report stated that the FBI is taking corrective actions, but technical controls over the Finance Division LAN were not fully implemented. This recommendation can be closed when annual financial statement audit test work verifies that the FBI has developed formal procedures to establish audit trails in the security features of its networks that are consistent across all divisions and departments, including the activation of NetWare's "Intruder Detection."
1998 RC#11	Strengthen user authentication controls by implementing an active token for user authentication.	The FBI's June 2000 response to the draft report stated that the necessary corrective action had been completed. This recommendation can be closed when annual financial statement audit test work verifies that user authentication controls have been strengthened by implementation of an active token for user authentication.
1998 RC#12	Provide computer security training to users at least annually. Training should include a process for reporting computer-related incidents.	The FBI's June 2000 response to the draft report stated that the necessary corrective action had been completed. This recommendation can be closed when annual financial statement audit test work verifies that computer security training has been provided to users at least annually.
1998 RC#13	Establish a computer incident response team to manage computer related security incidents.	The FBI's June 2000 response to the draft report stated that the necessary corrective action had been completed. This recommendation can be closed when annual financial statement audit test work verifies that the FBI has established a computer incident response team for managing computer related security incidents.
2000 MW#4 1999 MW#17,18	Ensure all accounts have strong passwords.	The FBI's March 2001 response to the recommendation stated that a new policy was created requiring unique passwords, and those passwords had to be changed every 90 days. The OIG's October 2002 response to the FBI stated that this recommendation remains open until it can be verified that strong password controls are in place and the FBI has established a policy requiring a unique password and each user account is periodically reviewed for compliance.
1999 MW#19	Ensure that the Finance Division's LAN administrators check their Novell NetWare configuration against the parameters in the FBI Novell NetWare Baseline Documentation and ensure it agrees with the recommended FBI MIOG, and FBI ADPT Security Policy configuration settings.	The FBI's March 2001 response to the recommendation stated that the Finance Division system administrators enabled auditing on all volumes with the exception of CD-ROM volumes. The FBI's response dated June 2002 stated that all Finance Division servers had been upgraded and configured to meet current security guidelines and that auditing has been enabled on all volumes. The OIG's response dated October 2002 stated that this recommendation can be closed when annual financial statement audit test work verifies that auditing is enabled as required.
2001 MW#3 2000 MW#2 1999 MW#6 1998 RC#6	Ensure compliance with documented policies and procedures as they pertain to account restrictions, system monitoring, and data confidentiality for the FBI's information technology environments.	According to OIG correspondence to the FBI, these recommendations can be closed when annual financial statement audit test work verifies the FBI's Trilogy upgrades, scheduled for February 2003, include automated systems for monitoring server configurations to ensure that settings that affect policies and procedures are not changed accidentally.
2001 MW#4 2000 MW#3 1999 MW#10 1998 RC#8g	Enable the auditing function on the Finance Division's Netware environment.	According to OIG correspondence to the FBI, this recommendation can be closed when annual financial statement audit work verifies that auditing is enabled on all volumes and objects on the Finance Division's LAN.
2001 MW#5	Continue developing the database programmer profile to ensure the database staff are only granted the access needed to perform their job tasks. Additionally, we recommend the systems programmer ACID not access the "PAY.* datasets."	The FBI's September 2002 response to the recommendation stated that the Unit Chiefs of the Systems Programming and Integration Unit (SPIU) and the Data Management Unit had agreed to a restructuring of functions for staff in both units. A transition plan to implement this restructure had been finalized. Additionally, Systems Security and Access Unit staff were in the process of implementing separate security profiles for SPIU and Data Management Unit staff based on the access levels agreed to by the Unit Chiefs of each unit. Further, Systems Security and Access Unit staff had removed access to the "PAY.* datasets" for the systems programmer ACID in question.

Source: OIG analyses of April 2003

Application Software Development and Change Controls: Closed Recommendations

FY(s)	Recommendation	FBI's Progress
1996/97 MLC#28	Develop and maintain a configuration management process addressing changes to overall ADPT resources. Configuration changes should be reviewed, approved, tested, evaluated, and documented to show the impact on computer and telecommunications security features.	The FBI's February 1999 response to the recommendation stated that although the FBI had developed the Architecture Change Management Rules, Standards, and Procedures Version 1.0 document, the implementation was still ongoing. The ongoing status was also repeated in the FBI's response dated July 1999. The recommendation was closed by the OIG in October 2002 based on a review of corrective actions taken.
1996/97 MLC#29	Expedite the implementation of the ACM methodology entity-wide. Remove write access privilege from the profile of an individual who does not require that type of access.	The FBI's February 1999 response to the recommendation stated that although the Bureau developed ACM procedures and incorporated the LAN management into the ACM Rules, Standards and Procedures, the status of the corrective action was still ongoing. This recommendation was closed by the OIG in October 2002 based on a review of corrective actions taken.
1996/97 MLC#31	The SPIU should develop and implement procedures to ensure all system problems are entered into NetMan.	The FBI's February 1999 response to the recommendation stated that the SPIU Unit Chief would draft a policy mandating the entering of all system problems into NetMan and that this policy would be effective by March 1999. This recommendation was closed in December 1999 by the OIG based on a review of the corrective actions taken.
2000 MW#17 1999 RC#36 1996/97 RC#17	Ensure the IRD enhances the ACM document to comprehensively address any type of change to the computer based application system and its environment, including changes to hardware, software, and firmware. Once the enhancements are made, ensure the FMS program owners consistently apply the policy to establish a division-wide commitment to software maintenance.	The FBI's September 2001 response to the recommendation stated that FBI management did not totally agree with the recommendation. However, the QCMU had developed an action plan to ensure all IRD software development and maintenance projects complied with change management policies and procedures by an estimated completion date of September 2001. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.
2001 MW#6 2000 MW#19	a. Ensure that the methodology set forth within the ACM is consistently applied to the FMS application. All changes should be documented in the Service Center software. b. Implement the unit test and system plans throughout IRD to standardize, control, and document changes made to the application and system software. The use of the Service Center software to track all change requests, from initiation through final disposition, should be enforced with the planned compliance audits throughout IRD.	The FBI's September 2001 response to the recommendation stated that the QCMU developed an action plan to ensure all IRD software development and maintenance projects complied with change management policies and procedures. The recommendation was closed in October 2002 based on a review of the corrective actions taken.
2000 MW#18 1999 RC#44	Enforce emergency change procedures stated within the ACM for applications. At a minimum, the emergency change procedures should be documented after the fact and should specify: when emergency software changes are warranted; who may authorize emergency changes; how emergency changes are to be documented; and within what period after implementation the change must be tested and approved.	The FBI's September 2001 response to the FY 2000 recommendation stated that the IRD Payroll Application Project Manager had been advised that he must follow the ACM Procedures defined in the IRD and that all emergency changes need to be entered in the Service Center Management tool. The FY 2000 recommendation was closed by the OIG upon final issuance of the FY 2000 report and the OIG followed-up on this recommendation through its monitoring of the status of the FY 1999 report. The FY 1999 recommendation was subsequently closed by the OIG in October 2002 based on a review of corrective actions taken.

Source: OIG analyses as of April 2003

System Software Controls: Closed Recommendations

FY(s)	Recommendation	FBI's Progress
1996/97 MLC#33	Perform an analysis to determine which libraries and associated members are necessary for proper system performance. A periodic assessment should be performed on the Multiple Virtual Storage operating system to archive and/or delete data sets no longer needed or being used.	The FBI's February 1999 response to the recommendation stated that the Bureau agreed with the recommendation. This recommendation was subsequently closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.
1996/97 MLC#34	The SPIU should implement procedures to ensure that all system documentation is current and complete and that changes to documentation are reflected timely and disseminated to applicable individuals.	The FBI's February 1999 response to the recommendation stated that the SPIU has implemented Change Management to comply with the recommendation. This recommendation was closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.
1996/97 MLC#35	Conduct the following reviews at least quarterly: compare system programmer access privileges per the applicable security software to the employee's current job functions, and adjust accordingly; and, determine system programmer's use of sensitive utilities and reasonableness.	The FBI's February 1999 response to the recommendation stated that the FBI has put an alternate corrective action plan in place because the recommendation was not workable with the current SPIU personnel resources. The recommendation was subsequently closed by the OIG upon the issuance of the final report based on a review of alternative corrective action taken.
1996/97 MLC#36	The SPIU should develop and implement a system software control policy to ensure that system software is current.	The FBI's February 1999 response to the recommendation stated that the FBI would implement the recommended policy regarding system software control by the estimated completion date of March 1999. Additionally, the FBI stated that as of January 1999, all systems executing mission-critical applications had been upgraded. This recommendation was closed by the OIG on issuance of the final report based on a review of the corrective actions taken.
2000 MW#11	Configure the operating system parameters to log all the associated transactions for the respective SMF records.	The FBI's September 2001 response to the recommendation stated that the Bureau employed an alternative method that complied with the applicable regulations. The recommendation was closed in October 2002 by the OIG based on a review of the alternative corrective action taken.
2000 MW#12	Establish and implement a formal change control process for changes to Supervisor Calls and Programs Property Tables programs.	The FBI's September 2001 response to the recommendation stated that the FBI established and implemented an internal change management methodology and process for changes to Supervisor Calls, while a similar process would soon be completed for Programs Property Tables programs. The recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.
1999 RC#35 1998 MLC#21 1996/97 RC#18	Establish and implement a formal change control process for changes to system software. The policies and procedures should include: documented justification for making the change or utilizing sensitive utilities and management approval; and periodic inspections, investigations of unusual activities, and recommended actions in the event these activities occur.	The FBI's March 2001 response to the recommendation stated that the SPIU developed an internal change management methodology and process to complement the architecture change management rules, standards, and procedures. In March 2000, this new process was presented to all SPIU personnel. The recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

Source: OIG analyses as of April 2003

Service Continuity Controls: Closed Recommendations

FY(s)

Recommendation

FBI's Progress

1996/97
MLC#21

Develop procedures to ensure that daily back-up tapes are stored in a fireproof vault that is secure and not located within the immediate Data Center to prevent the loss of up to nine days of electronic transactions.

The FBI's February 1999 response to the recommendation cited a 3-phase implementation process allowing the FBIHQ Data Center to store the weekly backups from each of its two facilities online. This recommendation was closed by the OIG upon issuance of the final report based on a review of the corrective actions taken.

1996/97
MLC#22

Keep the daily backup tapes in a fire rated safe if they are located within each division and at the designated off-site location to facilitate recovery in the event of a disaster affecting access to FBIHQ.

The FBI's February 1999 response to the recommendation stated that the Bureau had taken corrective action to ensure LAN server backups were performed on a regular basis and secured accordingly. This recommendation was closed by the OIG upon the final report's issuance based on a review of the corrective actions taken.

1999
MW#20
1998
RC#20b
1996/97
RC#15

Continue plans to develop a comprehensive contingency plan that provides an entity-wide approach for the recovery of mission-critical data processing operation in the event of a disaster, including all FBI resources and business processes. The plan should provide detailed procedures for the recovery of computer operations, including mainframes, microcomputers, workstations, networks and telecommunications, hardware, and facilities.

The FBI's March 2001 response to the recommendations stated that as part of its corrective action, the FBI entered into a contract for the development of a continuity of operations report (COOP) and a concept of operations report (CONOP). The CONOP is for the development of an FBIHQ COOP support system designed to provide critical, uninterrupted FBIHQ support should a terrorist act, natural disaster, or major accident deny use or access to the FBIHQ or its resources. The COOP was scheduled for completion in April 2000. These recommendations were closed upon the issuance of the FY 1999 final report based on a review of the corrective actions taken.

1999
MW#21

Assign responsibility to a team of individuals to ensure full back-up and recovery is performed.

1999
MW#22
1998
RC#20b
1996/97
RC#16

Periodically test the comprehensive plan, document the test results, and update the plan as necessary.

1999
MW#25

Design and implement tests of the current disaster recovery plan to ensure that it works and restoration of services occurs in a time frame which is consistent with the expectations of FBI management. Testing should occur not less than annually and include but not be limited to the following components:

supervision by a disaster recovery coordinator;
variation in disaster recovery coordinator;
utilization of multiple teams;
stated objectives;
debriefing sessions; and
retention of adequate documentation.

The FBI's March 2001 response to the recommendation stated that the Data Center Contingency Plan was last updated on February 2001, and is revised semiannually in accordance with Federal Information Processing Standards (FIPS) Publication No. 87, ADP Contingency Planning Guidelines. The OIG responded by stating that the recommendation can be closed when annual financial statement audit test work verifies that management has designed and implemented tests of the current disaster recovery plan. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

1999
MW#26

Ensure that the FBI or co-located DOJ disaster recovery facility has full back-up capacity.

The FBI's March 2001 response to the recommendation stated that implementation of the IBM Capacity Backup feature ensures that each disaster recovery facility has full backup capacity. The OIG responded by stating that the recommendation can be closed when annual financial statement audit test work verifies that the FBI or co-located DOJ disaster recovery facility has full back-up capacity. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

1999
MW#32

Ensure all data center personnel are informed when the ADPT contingency plan has been completed and approved and that employees have access to the plan.

The FBI's March 2001 response to the recommendation stated that Data Center Unit employees had been briefed on emergency procedures and responsibilities through hands-on training and by distributing written policies and procedures. The recommendation was closed by the OIG upon issuance of the FY 1999 final report based on a review of the corrective actions taken.

1999
MW#33

Develop entity-wide policies and procedures for performing back-ups, which include:

the required frequency with which files should be backed-up;
off-site rotation policies;
retention policies;
monitoring to ensure that back-ups are complete; and
definition of roles and responsibilities.

The FBI's March 2001 response to the recommendation stated that Application Project Managers are responsible for determining the backup frequency and retention periods as documented in the FBIHQ Computer Center User Reference Manual. This recommendation was closed by the OIG upon issuance of the FY 1999 final report based on a review of the corrective actions taken.

2000
MW#13
1999
MW#28

Include test scenarios and test plans, as suggested by FIPS Publication No. 87, in the FBI's Headquarters Data Center Contingency Plan. Specifically:

identify test scenarios for emergency procedures and disaster recovery, and
establish processing priorities in the event of a disaster.

The FBI's September 2001 response to the recommendation stated that the Data Center Contingency Plan was last updated in February 2001 and that the plan had been finalized and copies were maintained off-site and were disseminated. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

2000
MW#14a
1999
MW#27

2000
MW#14b
1999
MW#28

2000
MW#14c
1999
MW#29

2000
MW#14d
1999
MW#24

Test the contingency plan.

Prepare and maintain a long-term schedule of the planned semiannual tests to ensure all critical functions covered by the Business Recovery Plan are tested every one to two years, whenever significant changes to the plan have been made, or when there is turnover of key people involved in disaster recovery.

Test a number of different scenarios while conducting semiannual tests.

Conduct a full test two to three years to ensure the viability of the disaster recovery plan.

Finalize the plan and maintain copies at an off-site location.

The FY 2000 recommendation was closed by the OIG upon final issuance of the FY 2000 final report.

The OIG followed up on this recommendation through its monitoring of the status of the FY 1999 report. The FY 1999 recommendation was subsequently closed by the OIG in October 2002 based on a review of corrective actions taken.

The OIG followed up on this recommendation through its monitoring of the status of the FY 1999 report. The FY 1999 recommendation was subsequently closed by the OIG in October 2002 based on a review of corrective actions taken.

The OIG followed up on this recommendation through its monitoring of the status of the FY 1999 report. The FY 1999 recommendation was subsequently closed by the OIG in October 2002 based on a review of corrective actions taken.

This recommendation was closed by the OIG upon final issuance of the FY 2000 report based on a review of corrective actions taken.

2000
MW#15
1999
MW#31

Brief Data Center personnel on emergency procedures and responsibilities through training sessions and by distributing written policies and procedures. Training sessions should be held at least once a year and whenever changes to emergency plans are made.

The FBI's September 2001 response to the recommendation stated that the Data Center Unit employees have been briefed on emergency procedures and responsibilities through hands on training and by distributing written policies and procedures. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.

Source: OIG analyses as of April 2003

Application Controls: Closed Recommendations

FY(s)	Recommendation	FBI's Progress
1998 RC#19	Evaluate FMS security features to determine if control over application transactions can be more effectively managed by CA-Top Secret.	The FBI's June 2000 response to the recommendation stated that that the System Security Access Unit generates a FMS CA-Top Secret profile file on a weekly basis for review by the FMS staff. This recommendation was closed by the OIG in October 2002 based on a review of the corrective actions taken.
1999 MW#34	Review the budgetary module of the FMS, determine the cause of the application security weakness allowing for the transfer of funds beyond the authorized balance, and take the appropriate measures to ensure adequate controls are in place.	The FBI's March 2001 response to the recommendation stated that the FMS software vendor was notified and, after a review of the test data, provided the FBI with a software resolution. The software resolution was successfully tested and implemented into the production FMS in March 2000. This recommendation was closed by the OIG upon issuance of the FY 1999 final report based on a review of the corrective actions taken.
1999 RC#37	Define, document, and communicate the roles and responsibilities for changing code to the Payroll Application.	The FBI's March 2001 response to the recommendations stated that the IRD has limited the number of programmers who can move code to the production environment. Limiting the number of programmers minimizes the risk for unauthorized access to the production environment. These recommendations were closed by the OIG upon issuance of the FY 1999 final report based on a review of the corrective actions taken.
1999 RC#38	Review the list of users having access to the Payroll application code, determine which users should not be making changes in accordance with their duties and responsibilities, and revoke access to users who should not be making changes.
1999 RC#39	Ensure that user access to payroll code is authorized, documented, and periodically reviewed.
1999 RC#40	Establish a new Payroll test and development environment.	The FBI's March 2001 response to the recommendations stated that the IRD has created a separate test environment for the Payroll Application. This environment mimics the production environment and permits the programmers to perform complete tests on all changes. When all parties involved are satisfied, the changes are moved to the production environment. These recommendations were closed by the OIG upon issuance of the FY 1999 final report based on a review of the corrective actions taken.
1999 RC#41	Establish a separate test environment for developing and/or modifying application changes.
1999 RC#42	Periodically review and modify the new test environment.
1999 RC#43	Adhere to the FBI's change management processes for applications and system software once formal processes have been developed.
2000 RC#22	Perform an assessment of financial data to ensure the issue has not impacted the FY 2000 Financial Statements.	The FBI's September 2001 response to the recommendation stated that the FMS software vendor was made aware of the problem and provided the FBI a software resolution which was tested and implemented into the production FMS in March 2000. This recommendation was closed by the OIG in October 2002 based on an assessment of the financial data in the FY 2000 financial statements.

Source: OIG analyses as of April 2003

Application Controls: Open Recommendations

FY(s)	Recommendation	FBI's Progress
2000 RC#23	Coordinate with the General Services Administration to synchronize file formats so that data sent via Simplified Intergovernmental Buying and Collection will correctly interface with the FMS application.	The FBI's September 2001 response to the recommendation stated that the Finance Division had not made a request to have the process looked into or to change the file format. The OIG responded by stating that the recommendation could be closed when it verifies that the file formats are synchronized so data can be sent via Simplified Intergovernmental Buying and Collection to correctly interface with the FMS application. Additionally, in October 2002, the OIG's updated response stated that the recommendation could be closed when annual financial statement audit test work verifies that the Intra-governmental Payment and Collection System is in place and manual data entry obligations and expenses are effective.
2000 RC#24	Ensure the FPDS screen is modified to include all the fields required for accurate procurement reporting.	The FBI's September 2001 response to the recommendation stated that the Property Procurement and Management Section was submitting a request detailing the specific fields that need to be added. The OIG responded by stating that this recommendation can be closed when annual financial statement audit test work verifies that the corrective action was completed. 2000RC#25 Currently there is no restriction in place to prevent operators from selecting any valid field identification or buyer identification. Continue to pursue actions initiated to correct this problem as soon as possible. The FBI's September 2001 response to the recommendation stated that the software vendor had been requested to make enhancements so that the FMS will subsequently ensure the appropriate enhancements are incorporated. The OIG's most recent response dated October 2002 stated that the recommendation can be closed pending verification of corrective action.
2001 MW#10	Remove the additional access capability from any PMA user not authorized or required to have the additional access to complete their job function.	The FBI's September 2002 response to the recommendation stated that the Financial Systems Unit cost code 0448 is charged with the responsibility of providing technical support for the PMA to include software development and maintenance, quality assurance, ad-hoc reporting, physical inventory support, responsiveness to oversight inquiries, and troubleshooting calls. Due to the nature of PMA activity, Financial Systems Unit management has designated that up to six employees in 0448 should have global access to PMA reporting. In support of this, the Financial Systems Unit will replace 0448 references with software embedded accessor identifications. The OIG responded by stating that this recommendation can be closed upon verification of corrective action.
2001 MW#11	Develop and implement a plan to ensure: input control weaknesses identified in the PMA are appropriately addressed, and the risk associated with the processing control weaknesses in the PMA are mitigated to ensure that all property is entered, and purchase order and property numbers are accounted for.	The FBI's September 2002 response to the recommendation stated that the Unit Chief of the Property Management Unit will request that the programmers assigned to the Financial Systems Unit modify the PMA to require users to verify the barcode number and the serial number before property is entered into the PMA. In addition, the PMU will contact the Firearms Training Unit and the Firearms-Toolmarks Unit to request that they begin reviewing the firearms and firearm accessories data maintained on the PMA.

Source: OIG analyses as of April 2003

FY 2001 GISRA Report's Management Controls: Open Recommendations

Recommendation	FBI's Progress
#2. Distribute, obtain, and maintain signed statements of end-users' acknowledgement of the Automated Information System Rules of Behavior for the investigative and administrative mainframe systems.	Although the FBI did not initially agree with this recommendation in their April 2002 response to the OIG's recommendation, the subsequent response dated June 2002 concurred with the recommendation and indicated that alternative corrective actions were in place. However, the documentation sent to the OIG in June 2002 did not provide adequate evidence to show employee acknowledgement of the Rules of Behavior. The provided documentation lacks signatures, proof of being an FBI document, and a means to determine that those employees who missed the mandatory training sessions received the Rules of Behavior. The OIG is requesting that all FBI users receive the proper training in regard to the rules of behavior and that it receive documentation demonstrating that FBI users receive training.
#3. Ensure the MIOG and other FBI security policies reflect the evolving systems environment and are enforced.	The FBI reported that a top to bottom review of existing FBI policy is underway and it is anticipated that the current MIOG policies and procedures will be substantially altered to conform to current standards. To close the recommendation, the FBI should provide the OIG with a copy of the updated procedures and evidence that the procedures are being enforced.
#5. Obtain a full accreditation for the investigative and administrative mainframe systems from the FBI's approving authority; a conditional accreditation should be unacceptable.	The FBI's responses to this recommendation stated that the OIG "requirement" for full accreditation of the administrative and investigative mainframes without conditions is not only unachievable in the current FBI environment, but outside of the OIG authority. The FBI further stated that the Designated Approving Authority (DAA) is the only official, besides the Principal Accrediting Authority, with the authority to "formally assume responsibility for operating a system at an acceptable level of risk." According to the FBI, the DAA has made the decision to permit the investigative and administrative mainframe systems to operate at their current level of risk for technical, management, and operational reasons. To resolve and close this recommendation, the FBI should provide the OIG with documentation evidencing that the DAA has accepted the inherent risk by signing the accreditation memorandum granting full accreditation to the investigative and administrative mainframe systems.
#6. Conduct annual refresher computer training for all employees.	The FBI's responses to this recommendation stated that it is working on an initiative that includes developing a variety of training awareness curricula for delivery to every employee. It also stated that the design and development of this effort is expected to continue through the calendar year and be ready for implementation at or near the start of 2003. Because the documentation the FBI submitted to the OIG in June 2002 was not complete with signatures, titles, dates and times, the recommendation remained open as of April 2003.

Source: OIG analyses as April 2003

FY 2001 GISRA Report's Technical Controls: Open Recommendations

Recommendation	FBI's Progress
#11. Implement and enforce DOJ password policies by re-setting and monitoring operating system settings accordingly.	The FBI's April 2002 response to the recommendation stated that limitations with Novell and Windows NT software prevented full compliance with DOJ directives. The OIG disagreed with the FBI's position and indicated that DOJ policies could be complied with through password masking. FBI officials subsequently stated that they have implemented the DOJ policy with respect to passwords, with the exception of one, password masking, which is not available to ensure a mix of alphabetic, numeric, and special characters. The OIG has obtained information from Novell and found that since 1999, Novell has provided an enhancement to the Novell Client software, which allows enforcement of a password policy using locally stored data to ensure a mix of alphabetic, numeric, and special characters. To close this recommendation, the FBI should implement a password policy to ensure a mix of alphabetic, numeric, and special characters and provide the OIG with a screen shot demonstrating that password setting have been implemented according to DOJ policy.
#13. Enforce DOJ security policies and ensure sufficient controls for FBI systems to operate so that authorized users have access to only the information they are entitled to.	The FBI's April 2002 response to the recommendation stated that controls are in place to limit a user's access to only the information he/she needs to perform his/her job and requested more information to further respond. The OIG stated in December 2002 that the FBI continued to disagree with this recommendation. However, the FBI has subsequently agreed that there were deficiencies with network accounts, and consequently initiated and completed a major effort to correct password deficiencies and ensure that password control options are set properly and enforced. In April 2003, the OIG stated that to close the recommendation, the FBI should provide documentation that identifies users with access to administrative and investigative systems as well as their roles and responsibilities. After reviewing this documentation, the OIG can determine if users have proper access to the systems and satisfy the terms to this recommendation.
#14. Require that system administrators periodically review and delete all system accounts that have been unused for more than 90 days.	The FBI's April 2002 response to the recommendation stated that no automated process existed on its local networks to assist system administrators with the function of periodically reviewing and deleting system accounts that have been unused for more than 90 days, but the process would be automated and centrally administered by the Enterprise Operations Center when Trilogy upgrades are completed in October 2002. In order to close this recommendation, the OIG requested the FBI to provide them with documentation evidencing that it is requiring system administrators to periodically review and delete all system accounts that have not been used for more than 90 days. In April 2003, the OIG informed the FBI that the updated status of this recommendation was pending and would be provided based upon the results of the FY 2003 financial statement audit of the FBI.
#15. Enable account lockout on all systems so that it occurs after three unsuccessful logon attempts.	The FBI's April 2002 response to the recommendation stated that account lockout settings have been set to comply with the DOJ's standards. In order to close this recommendation, the OIG requested the FBI to provide them with documentation (screen shots) evidencing that account lockout has been enabled on all systems so that it occurs after three unsuccessful logon attempts. Because the FBI's responses have not provided the OIG with appropriate documentation, the recommendation remained open as of April 2003.
#17. Enforce the use of the FBI's Service Center as a centralized approval point to track all change requests from initiation through final disposition.	The FBI's April 2002 response to the recommendation stated that the Service Center application is now the only approved method for recording system changes as a result of its February 2002 system upgrades. Subsequently, the FBI provided the OIG with documentation supporting that policies and procedures existed for the centralized approved change management process. However, the OIG stated in December 2002 that these polices were not being enforced. Although the OIG closed the recommendation in December 2002, in order to track its status with the GISRA FY 2002 review of the FBI's ACS system, we considered the recommendation to be open since the FBI could not demonstrate that policies were being enforced.
#18. Implement the format and content standards for information technology development and maintenance support test plans.	The FBI's April 2002 response to the recommendation stated that it created and implemented format and content standards for application development and modification by FY 2002. However, in the FBI's memorandum dated March 11, 2003, the FBI stated that it anticipates completion for the implementation of the format and content standards for information technology development and maintenance support test plans to be December 2003. In order to close this recommendation, the OIG requested the FBI to provide them with documentation evidencing that the format and content standards for IT development and maintenance support test plans are fully implemented.
#19. Update the Architecture Change Management Policy to reflect the FBI's current information application and system software environment.	The FBI's April 2002 response to the recommendation stated that the FBI did not concur with the recommendation as it was written. As a result, the recommendation was considered unresolved upon final report issuance in May 2002. The FBI's next response dated June 2002 stated that a FBI-wide Configuration Management (CM) policy was created and approved by the Chief Information Officer on October 1, 2001. The FBI has since acquired a contractor to assist them in complying with the FBI-wide Configuration Management (CM) policy. The new CM procedures have been developed and were to be validated in March 2003. Once validated, the FBI will develop a plan for implementing the procedures through the IRD. To close this recommendation, the FBI should provide the OIG with documentation demonstrating that the CM procedures as well as a copy of the developed plan for implementing the CM procedures.
#20. Document procedures to establish the supervisory review process of software change when deviations from normal procedures occur.	The FBI's April 2002 response to the recommendation stated that as of March 2002, a review board now meets every two weeks to ensure supervisory review and determine procedures for any deviations that may occur. In order to close this recommendation, the OIG requested the FBI to provide a copy of documented procedures for that process.
#21. Enable auditing to capture the necessary system information to comply with DOJ policy.	The FBI's April 2002 response to the recommendation stated that the auditing functions were enabled only on servers that met required processing and storage capacity to support those functions. The response further stated that as obsolete servers are being replaced, auditing functions are enabled on replacement servers and estimates a complete phase out of obsolete servers by July 2003. In order to close this recommendation, the OIG requested the FBI to provide documentation evidencing that auditing (or some other compensating control) is enabled on all servers to capture the necessary system information in order to comply with DOJ policy.
#22. Require that audit trail activity be reviewed regularly.	The FBI's April 2002 response to the recommendation stated that it is impractical to conduct regular reviews of audit trail activity for either all personnel or all information systems. As a result, the recommendation was considered unresolved upon final report issuance in May 2002. In December 2002, the OIG stated that FBI continued to indicate that it is impractical to conduct regular reviews of audit trail activity for either all personnel or all information systems. However, the FBI has since agreed that security audit is an essential part of system security. The Security Division is systematically addressing audit requirements for each FBI information system in the ongoing Certification and Accreditation effort. The Information Assurance Section has also begun the build-out of the Enterprise Security Operations Center (ESOC) that will have multiple security capabilities. To close this recommendation, the FBI should provide the OIG with documentation demonstrating that the initial and full operating capability of the ESOC upon completion.
#23. Apply manufacturer patches in a timely manner to prevent system compromise to all network operating systems.	The FBI's April 2002 response to the recommendation stated that in March 2002, manufacturer's patches were implemented as a required part of the change management process to ensure that changes do not result in negative impacts to applications and/or users. In order to close this recommendation, the OIG requested that the FBI provide documentation evidencing the corrective action taken. Because the FBI's responses have not provided the OIG with appropriate documentation, the recommendation remained open as of April 2003.

Source: OIG analyses as of April 2003

Campaign Finance Investigation Report: Open Recommendations

Recommendation	FBI's Progress
IV.A (#9) The Manual of Administrative Operations and Procedures should be revised to require more comprehensive mandatory indexing of names appearing in an FBI document, and entry practices should be changed accordingly. Additionally, FBI policies should be changed to require that all documents be uploaded into the Electronic Case File database.	The FBI's July 1999 response to this recommendation stated that the FBI would establish a working group to revise the procedures governing the uploading of documents and indexing of names in the ACS system. However, the FBI's response dated August 2001, stated that the FBI did not establish a formal working group as originally intended but instead relied upon the Information Resources Division to work with other FBI divisions to improve the ACS system's procedures. The FBI's May 2003 response to this recommendation stated that the not all documents can be uploaded (into the Electronic Case File) due to certain sensitivities and restrictions. However, the FBI issued ECs in July 2000 and June 2002 that required ECs and e-mails to be uploaded into the ACS system, unless otherwise prohibited. Regarding the mandatory indexing of names, the FBI stated that the VCF will facilitate indexing on various web-based documents by providing data fields in searchable database tables. The index is created once the document is approved and serialized into the VCF. The index data can be searched using search screens or viewing the serialized document. Because the first release of the VCF is not scheduled for completion until December 2003, this recommendation remains open.
IV.B (#10) Supplementary training for agents who are principally responsible for the information that is entered into the ACS system should be performed.	The FBI's July 1999 response to this recommendation stated that the FBI was developing a program to provide agents with additional training on the ACS system once the new ACS system procedures are adopted. The FBI's August 2001 response stated that the IRD provided basic ACS system training in 1999 and 2000 to over 200 special agents and close to 1,000 new special agents, while close to 200 special agents received basic ACS system training in 2001. The FBI's May 2003 response stated that 43 veteran agents and 1,374 new agents were trained on the ACS system between August 2001 and May 2003. Additionally, the FBI's response stated web-based VCF training would be conducted between October 2003 and November 2003. To prepare for the VCF training, the FBI is assessing its employees' basic computer literacy skills. This assessment identifies employees in need of additional computer skills so that appropriate training can be taken prior to the VCF training. Because it is not clear whether the ACS training provided to veteran agents has been adequate and we were unable to assess the FBI's web-based training for the VCF (since it will not occur until October and November 2003), this recommendation remains open.
IV.C (#11) Agents should be made responsible for determining what information is entered into the IIIA system or for reviewing entries made by analysts to ensure their accuracy and completeness. Additionally, the FBI should consider increasing the number of IIIA system analysts, particularly in those field offices that generate significant amounts of foreign counter-intelligence information. Finally, when IIIA searches are performed, original IIIA system reports should be provided to the parties who requested the searches, rather than summary electronic communications.	The FBI's July 1999 response to this recommendation stated that the working group addressing the issues concerning ACS would also review the problems with the IIIA system identified by the recommendation. However, the FBI's response dated August 2001 stated that while the FBI did not establish a formal working group as originally intended, it did advise users of the IIIA system of new system enhancements, policies, and procedures through a newsletter. The response further stated that in 1999 and 2000: (1) additional training was provided to users of the IIIA system, and (2) several initiatives were undertaken to improve the accuracy of information in the IIIA system. Additionally, the response stated that Trilogy's new enterprise solution (VCF) would ultimately absorb the IIIA system (scheduled for deployment in June 2004. The FBI's May 2003 response to this recommendation stated that significant changes are planned for the IIIA system since the VCF development is not based on a system-by-system replacement, but rather a re-engineering of business practices and policies. The FBI is continuing to schedule and prioritize the functional components that must be integrated into the VCF for each delivery through June 2004. Because replacement of the IIIA system is planned as part of releases two and three of the VCF scheduled for June 2004, this recommendation remains open.
IV.D (#12) Any task force that is using the FBI's databases should obtain at least a fundamental appreciation for their operation.	The FBI's July 1999 response to this recommendation stated that appropriate training would be conducted whenever a relevant task force is created. The FBI's May 2003 response to this recommendation stated that the VCF training plan includes all Bureau task force members who will have access to the VCF application. Because the VCF training has not yet been completed, this recommendation remains open.
IV.E (#13) Ensure that the FBI's database operators are conversant with the format of Chinese and other foreign names. Additionally, database operators should inquire about whether the requesting party has in fact determined the order of such names, and if in doubt, should always perform an "around the clock" search.	The FBI's July 1999 response to this recommendation stated that the working group addressing the issues concerning the ACS system would also review ways of improving the process of entering and retrieving foreign names in FBI databases. However, the FBI's response dated August 2001, stated that while the FBI did not establish a formal working group as originally intended, it did make enhancements to the IIIA system in July 2000 so that variations of a name are identified during a search. The FBI's May 2003 response to this recommendation stated that on May 3, 2002, the LTAU announced in an EC a project to adopt and implement standards for the uniform "Romanization" of foreign personal and place names. Additionally, in an EC dated May 8, 2002, the LTAU began work on implementing standardization systems for "Romanizing" Arabic by offering training to all applicable FBI employees. According to the FBI, by the end of the second quarter of FY 2003, 371 FBI employees had received training in Arabic "Romanization," while classes continue to be held. Regarding Chinese "Romanization," the LTAU announced in an EC dated September 12, 2002, that training on Chinese "Romanization" was being offered to all applicable FBI employees. As of June 9, 2003, a total of 80 FBI employees had been trained in Chinese "Romanization" while classed continue to be held. The FBI's May 2003 response to this recommendation also stated that the FBI selected a commercial-off-the-shelf application for searching names. The software will search names entered in any order and will create different permutations of ordering. The software will not only search the different orders of names, but also will have algorithms to detect common or likely misspellings, sound-a-likes, and cultural differences. Additionally, the LTAU worked with the VCF project management team to create a keyboard for the "Romanization" of names in accordance with the U.S. Board on Geographic Names. In addition to training, the FBI expects the VCF to help database operators apply foreign names to searches within databases. For example, the VCF will allow the addition of STC for Asian names, Unicoded for other foreign names, and it will deploy a name search engine that incorporates variations on names. Because the first release of the VCF is not scheduled for completion until December 2003, this recommendation remains open.

Source: OIG analyses as of May 2003

McVeigh Report: Closed Recommendations

#8. The FBI should evaluate its computer training in order to develop a clear understanding of what agents need to perform their jobs effectively.	The FBI's September 2002 response to this recommendation stated that training was being assessed by a curriculum review committee. The FBI's April 2003 response to this recommendation stated that the Training Division completed the design of instruments currently being used by new agents and managers to assess what computer skills agents need to perform their jobs and to determine the need for additional improvements to the new agents' computer training curriculum. These instruments, which will evaluate whether the Training Division's computer training program is meeting the needs of field offices and investigators, are in the process of being tested. Based on a review of supporting documentation provided by the FBI, we believe that the FBI has adequately addressed this recommendation.
#9. The FBI should consider whether computer usage should be a part of the core skills needed to graduate from the new agents training academy. The FBI's September 2002 response to this recommendation stated that the Training Division intends to implement policy requiring all new agents to possess core computer competency skills prior to graduation.	The FBI's April 2003 response to this recommendation stated that the Training Division determined that computer training should be a core requirement for graduation from the FBI Academy. Accordingly, the Training Division has implemented a policy requiring all new agents to pass an exam on core computer competency skills prior to graduation. Based on a review of supporting documentation provided by the FBI, we believe that the FBI has adequately addressed this recommendation.
#10. The FBI should consider mandatory refresher training for veteran agents.	The FBI's September 2002 response to this recommendation stated that the Training Division works to encourage the use of investigative computer training for veteran agents. The FBI's April 2003 response to this recommendation stated that the FBI has recently implemented a program of continual mandatory training for veteran agents, and all employees (including the FBI's cadre of intelligence analysts). This mandatory training will include investigative computer training. Based on a review of supporting documentation provided by the FBI, we believe that the FBI has adequately addressed this recommendation.
#13. The FBI should ensure that deadlines for the completion of leads is clear and not undermined by the automated system, such as the ACS system's setting of a 60-day deadline for "immediate" leads.	The FBI's September 2002 response to this recommendation stated that the deadlines set within the ACS system for completing "Immediate" and "Priority" leads would be changed to one day by December 31, 2002. The current procedures for specifying deadlines for routine matters will remain unchanged. The FBI's April 2003 response to this recommendation stated these changes to the ACS system were completed by August 26, 2002. Based on a review of supporting documentation provided by the FBI, we believe that the FBI has adequately addressed this recommendation.

Source: OIG analyses as of April 2003

McVeigh Report: Open Recommendations

Recommendation	FBI's Progress
#1. The FBI should foster an attitude among all employees that information management is an essential part of the FBI's mission and that automation is a key tool in managing the storage, analysis, and retrieval of information.	The FBI's September 2002 response to this recommendation stated that the FBI was engaging in programs to improve all of its records management capabilities through its restructuring and creation of the RMD. The FBI undertook training of all employees in the areas of information management requirements, procedures, and responsibilities during a 1-day stand down in 2001. Further, the FBI's response stated that future training in records management was being planned. The FBI's April 2003 response to this recommendation stated that the RMD was actively promoting effective information management within the Bureau and was encouraging acceptance of new automation plans by Bureau employees. Since 2002, RMD staff has worked closely with the VCF and SCOPE data warehouse program teams to ensure close coordination of records and information management activities. Additionally, the response stated that the RMD has begun to identify, develop, and implement the quality control mechanisms to ensure that record systems' problems are quickly detected. Also, the RMD is investigating the possibility of establishing an annual awareness campaign. Further, the RMD will establish a Records Management publicity team. Because the RMD's activities are ongoing and the first release of the VCF - which will significantly change the FBI's information and workflow process - is not scheduled for completion until December 2003, this recommendation remains open.
#2. As part of its development of Trilogy, the FBI should consider whether its document management systems can be simplified, such as by having supervisors review electronic copies of documents, and whether its record keeping formats can be reduced in number.	The FBI's September 2002 response to this recommendation stated that the FBI was pursuing the simplification of its document management systems through the development of Trilogy and the VCF. The FBI's April 2003 response to this recommendation stated that the RMD has taken part in the process to simplify the FBI's document information systems through the implementation of the new electronic record keeping system. The VCF system is designed to develop a workflow process that will allow for electronic signatures. The response further stated that it is the responsibility of the VCF to work with the FBI Public Key Infrastructure Team to implement electronic signatures for the approval process. Because the first release of the VCF is not scheduled for completion until December 2003, this recommendation remains open.
#3. The FBI should evaluate whether inserts should be eliminated.	The FBI's September 2002 response to this recommendation stated that inserts would be eliminated with the deployment of the VCF. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.
#4. The FBI should evaluate its practices regarding "originals" of FBI created documents (such as FD-302s). If originals continue to be needed, the FBI should develop a system that more clearly identifies an original.	The FBI's September 2002 response to this recommendation stated that the FBI was examining how "originals" would be managed in the future, within the VCF applications. The FBI's April 2003 response to this recommendation stated the FBI has determined that electronic versions of records in VCF are the "record copies" as part of the Public Key Infrastructure/VCF - Record Management Application (RMA) development. Approval of the requirements for a Public Key Infrastructure was obtained in February 2003. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.
#5. Any new automation system should be user friendly, meaning that the steps required to obtain information should be few in number and intuitive. Information should be provided to the user quickly.	The FBI's September 2002 response to this recommendation stated that the VCF will be in a web-environment, familiar to computer users with simplified workflow processes for document storage and retrieval. In the VCF, basic workflow processes will be accomplished through point and click capabilities. The submission of a document or package to a case file for routing and approval will be accomplished through a single "submit action." Once properly stored, every case and document will be immediately available to all persons who have proper security access through a web-based point and click environment. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.
#6. Any new automation system should include an effective document tracking system. The FBI should consider whether a system that integrates the creation of documents into the tracking system is feasible and appropriate.	The FBI's September 2002 response to this recommendation stated that the development (through Trilogy) of comprehensive automated document creation, receipt, and management systems will eliminate much of the need for traditional document tracking systems. FBI employees will be able to access documents directly from their desktop computers, whether those documents were created by the FBI or received from external sources and scanned into the Trilogy systems. The FBI's April 2003 response to this recommendation stated that with the implementation of VCF, systems and processes will be established to effectively track documents and materials contained in the FBI records systems. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.
#7. The FBI should work toward eliminating crisis management software and other independent systems. The FBI should consider the feasibility of developing an automation system that expands to meet situations rather than developing new software that is compatible with other programs.	The FBI's September 2002 response to this recommendation stated that the focus of the VCF project has been to develop a user-friendly case management and program management tool that attempts to integrate the workflow involved in the recording of events and data with the natural flow of the investigation. The response further states that the information intake process for a crisis response should be the same as intake for routine matters. The VCF project has defined the FBI's case and program management needs and requirements to include crisis management as a component of the workflow and case management. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.
#11. The FBI should ensure that leads cannot be "covered" without an explanation of what has been done to the task assigned. The FBI's September 2002 response to this recommendation stated that the VCF is being designed so as to permit leads to be "covered" as a separate function from the documentation of the lead being covered.	The FBI's April 2003 response to this recommendation stated that in January 2002, the process to identify the VCF program requirements to ensure that leads cannot be "marked covered without an explanation of the action taken" was begun. That phase of the process was completed on November 22, 2002, with the delivery of the program requirements to the VCF contractor. The contractor is to complete the design and implementation phase of the process by July 17, 2003. Upon completion of the design and implementation phase, testing of the VCF system, including the "lead coverage requirement" will begin and is to be completed on October 27, 2003. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.
#12. Future automation systems should incorporate a system to allow supervisors to easily track the status of leads. The FBI should evaluate whether a lead tickler system is appropriate and feasible.	The FBI's September 2002 response to this recommendation stated that VCF will assign unique lead "counters" to each lead in a single case. Split leads or leads created from an original lead will reflect lead counters with a derivative or "parent-child relationship" which will facilitate the tracing of all leads to their origin. The response further states that leads will be capable of being viewed from the desktop computer by the lead originating office and by all receiving offices to determine to whom the leads are assigned or whether action on the lead has occurred. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.
#14. The FBI should evaluate the feasibility of developing a system of universal lead numbers to eliminate the use of local lead numbers as a tracking mechanism.	The FBI's September 2002 response to this recommendation stated that the VCF system of universal lead counters unique to each case will facilitate lead creation, tracking, and action. The system for lead control will provide case agents and managers with a user-friendly tool to ensure lead accountability. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.
#15. The FBI should evaluate the use of lead numbers on leads and responding reports and determine whether new policies, better enforcement of existing policies, improved training, or better automation is the best method of fixing the problem.	The FBI's September 2002 response to this recommendation stated that the VCF system of universal lead counters unique to each case will facilitate lead creation, tracking, and action. The system for lead control will provide case agents and managers with a user-friendly tool to ensure lead accountability. Because the first release of the VCF is not scheduled for delivery until December 2003, this recommendation remains open.

Source: OIG analyses as of April 2003