1. GAO Reports

The GAO is the investigative arm of Congress. The GAO examines the use of public funds, evaluates federal programs and activities, and provides analyses, options, recommendations, and other assistance to help Congress make effective oversight, policy, and funding decisions. Since 1998, the GAO has issued several reports and related testimony that highlight deficiencies with the FBI's IT, including one report that provides an IT recommendation.

According to the "GAO's Agency Protocols," issued in December 2002, the GAO's recommendations are intended to improve the economy, efficiency, and effectiveness of an agency's operations and to improve the accountability of the federal government for the benefit of the American people. Consequently, the GAO monitors agencies' progress in implementing these recommendations. To accomplish this monitoring, the GAO maintains a database of open recommendations. As new reports with recommendations are issued, their recommendations are incorporated into the database. This database serves both the GAO and the agencies by helping them meet their record maintenance and monitoring responsibilities.

The GAO's goal is to remove all closed recommendations from the database on an ongoing basis. However, toward the end of each fiscal year, special attention is directed to this effort. The GAO removes a recommendation from its database after determining that (1) the agency has implemented the recommendation or has taken action that in substance meets the intent of the recommendation, or (2) circumstances have changed and the recommendation is no longer relevant. The open recommendation database is available to the public on the GAO's website (www.gao.gov). Specific recommendations can be identified because the database is searchable by agency, Congressional committee, and key words. Congressional oversight and authorization committees, as well as the Appropriations Committees, can use the database to prepare for hearings and budget deliberations.

Additionally, when the GAO issues a report containing recommendations to the head of an agency, 31 U.S.C. Section 720 requires that the agency head submit a written statement of the actions taken by the agency on the GAO's recommendations to the Senate Committee on Governmental Affairs and the House Committee on Government Reform no later than 60 days after the date of the report. The agency's statement of action is also to be submitted to the House and Senate Committees on Appropriations with the first request for appropriations that is submitted more than 60 days after the date of the report. If the Congressional requestor has asked that the distribution of the report be restricted, as provided by the "GAO's Congressional Protocols," the 60-day period will begin on the date the report is released.

Because agency personnel serve as the primary source of information on the status of recommendations, the GAO requests that the agency also provide it with a copy of the agency's statement of action to serve as preliminary information on the status of recommendations. The GAO will follow up by discussing the status of recommendations with cognizant agency officials; obtaining copies of agency documents supporting the recommendations' implementation; and performing sufficient work to verify that the recommended actions are being taken and, to the extent possible, that the desired results are being achieved.

While conducting an audit on the FBI's counterterrorism program,⁵⁴ the OIG found that the FBI had not implemented a GAO recommendation in its report entitled, "Need for Comprehensive Threat and Risk Assessments of Chemical and Biological Attacks." Among the reasons identified by the OIG was that the FBI does not have a system of management controls to ensure timely implementation of GAO, OIG, or other agency issued recommendations. Because of the FBI's non-compliance with this GAO recommendation, we examined whether the FBI has implemented recommendations relating to IT that have been issued by the GAO in the last five years.

To assess the FBI's progress in implementing recommendations directed toward improving its information technology, we examined the following GAO reports that discussed the FBI's use and management of information technology:

• the 2000 report on the FBI's National Instant Criminal Background Check System (NICS);

• the 2000 report on the DOJ's Campaign Finance Task Force; and

• the 2002 Enterprise Architecture Report.

Based on our review of these reports, only the report on the NICS had a recommendation that related to IT. We found that the FBI timely implemented this recommendation. Because the remaining two reports included some discussion of the FBI's IT program, we summarized the reports' findings to supplement our analyses of the FBI's progress in improving its IT.

A. Report on the FBI's National Instant Criminal Background Check System

In February 2000 GAO issued "Gun Control: Implementation of the National Instant Criminal Background Check System." The National Instant Criminal Background Check System is a computer system maintained by the FBI that is designed to provide background screening for all types of firearms bought from federal firearms licensees. In this report, the GAO:

• provided statistics on background checks, denials, and appeals;

• described enforcement actions taken against persons who allegedly falsify their status on firearm-purchase applications;

• discussed the NICS's computer system architecture, capacity management system availability, transaction response time, retention of records, monitoring activities, and the prospect of making the NICS a fingerprint-based system rather than a name-based system; and

• discussed pawnshop issues.

The report stated that the FBI did not authorize NICS before it began operations on November 30, 1998. System authorization was not obtained, according to FBI officials, due to insufficient time and resources to formally test security controls between the date that the FBI received the system from the contractor and the Congressionally-mandated date for system operation. However, while a formal test of security controls was not conducted, the security officer responsible for NICS' authorization stated that a subset of NICS' security requirements was assessed and a number of vulnerabilities were disclosed. The FBI requested an interim approval to operate NICS from the FBI's National Security Division, which is the FBI's authorization authority. According to an FBI National Security Division representative, the interim approval was granted for one year beginning November 30, 1998.

However, the GAO's report stated that, according to the security officer responsible for NICS authorization, all authorization requirements - such as certification testing - were not completed during the interim period because of competing priorities, such as the authorization of NCIC 2000 and the Integrated Automated Fingerprint Identification System. Additionally, the GAO's report stated that according to the DOJ, the completion of security testing was overshadowed by more urgent issues directly impacting NICS' ability to function; therefore, security testing was delayed. On December 2, 1999, the National Security Division extended the interim approval to operate NICS through April 2000. Further, the GAO's report stated that according to the security officer, security testing for NICS was completed on December 21, 1999. The FBI planned to obtain full authorization by March 31, 2000.

The report further stated that because of the system vulnerabilities that were identified before NICS went operational and the delays experienced in authorizing the system, the FBI continued to lack an adequate basis for knowing whether NICS assets (hardware, software, and data) were sufficiently secure and were not vulnerable to corruption and unauthorized access. Additionally, it had not yet been authorized as secure in accordance with the DOJ's own requirements, and attempts to do so had been delayed. The report also stated that further delays in authorizing NICS would expose the system and the data it processes about individuals to unnecessary risk. Therefore, it was extremely important that the FBI fulfill its commitment to authorize NICS by March 31, 2000.

We determined that the FBI timely implemented the report's one IT-related recommendation. This recommendation pertained to the certification and accreditation of the NICS by March 31, 2000. According to the GAO's website, the recommendation's status was closed.

To confirm that the status of this recommendation was closed, we interviewed FBI officials and reviewed documentation supporting the authorization and accreditation of the NICS as of March 31, 2000.

B. Report on the DOJ's Campaign Finance Task Force

In May 2000, the GAO issued a report entitled, "Campaign Finance Task Force: Problems and Disagreements Initially Hampered Justice's Investigation." The objective of this review was to examine the management and oversight, operations, and results of the Campaign Finance Task Force from its inception through December 31, 1999.

Among its findings, the report stated that the FBI lacked an adequate information system that could manage and interrelate the evidence that had been gathered in relation to the Campaign Task Force's investigations. Specifically, the Campaign Finance Task Force was overwhelmed with documents and other evidence and lacked sufficient staff and electronic system resources to input and organize the information being gathered. The report also stated that the lead investigator noted that after several months, the large volume of documents obtained overwhelmed the Campaign Finance Task Force's electronic data management system and a new system had to be purchased.

This report did not contain any FBI IT-related recommendations. However, the deficiencies described in this report are consistent with ones reported by the OIG. The more recently issued McVeigh and ITIM reports stated that similar vulnerabilities with the FBI's information management systems have continued, demonstrating that additional corrective actions are necessary.

C. Report on the FBI's Enterprise Architecture

In February 2002, the GAO issued a report entitled, "Enterprise Architecture Use Across the Federal Government Can Be Improved." The objectives of the report were to determine (1) the status of federal agencies' efforts to develop, implement, and maintain enterprise architectures; and (2) OMB's actions to oversee these efforts.

The report stated that the FBI needed to fully establish the management foundation that is necessary to begin developing, implementing, and maintaining an enterprise architecture. While the FBI implemented most of the core elements associated with establishing the management foundation, it had not yet established a steering committee or group that has responsibility for directing and overseeing the development of the architecture.

In addition, the GAO indicated that although establishing the management foundation is an essential first step, important further steps still need to be taken for the FBI to fully implement the set of practices associated with effective enterprise architecture management. These include having a written and approved policy for developing and maintaining the enterprise architecture and requiring that IT investments comply with the architecture.

This report did not contain any FBI IT-related recommendations. However, the recently issued ITIM report stated that the FBI still has not fully established an enterprise architecture, although progress is being made. Specifically, a baseline architecture was being developed in a data repository, which ultimately will be maintained in the FBI's intranet. This data repository, when complete, is intended to describe how all of the FBI's IT systems align with the business processes of the Bureau. Additionally, the enterprise architecture office was developing a technical reference model that will outline the technical architecture of the Bureau's IT systems. Also, the FBI was creating a commercial off-the-shelf roadmap of all commercially-available hardware and software that will comply with the FBI's technical architecture. Despite the progress being made, the ITIM report ultimately concluded that the FBI's enterprise architecture development was not far enough along to adequately support the FBI's IT investment management activities.

D. Summary of GAO Reports

The three GAO reports we examined noted deficiencies with certain aspects of the FBI's IT program. The Gun Control report stated that the FBI did not properly authorize an IT system (NICS) through accreditation and certification. However, we found that the system was subsequently certified and accredited as of March 31, 2000. Additionally, the report on the FBI's Campaign Finance Task Force stated that the FBI lacked an adequate information system that could manage and interrelate the evidence that had been gathered in relation to the Campaign Task Force's investigations. These deficiencies were similar to those reported by the OIG Campaign Finance report. Further, the report on the FBI's enterprise architecture stated that the Bureau lacked a foundation for managing enterprise architecture. The recently released ITIM report reiterated the importance of having an established enterprise architecture when developing an IT investment management process.

2. Other Reports on the FBI's IT

In addition to the OIG and the GAO, other entities have issued reports in recent years that included analyses of the FBI's IT management. One report of particular relevance to IT security was issued by the Webster Commission. This report entitled, "A Review of FBI Security Programs" was issued in March 2002. This Commission, chaired by former FBI Director William H. Webster, was established to investigate the espionage of FBI Supervisory Special Agent Robert Hanssen.

The report identified a wide range of problems affecting the FBI's computer systems and information security policies, including the following.

• Classified information had been moved into systems not properly accredited for protection of classified information.

• Until recently, the FBI had not begun to certify and accredit most of its computer systems, including many classified systems.

• Inadequate physical protections placed electronically-stored information at risk of compromise.

• The FBI's approach to system design had been deficient. It had failed to ascertain the security requirements of the "owners" of information on its systems and identify the threats and vulnerabilities that must be countered.

• Classified information stored on some of the FBI's most widely- utilized systems was not adequately protected because computer users lacked sufficient guidance about critical security features.

• Some FBI inspectors had insufficient resources to perform required audits. When audits were performed, audit logs were reviewed sporadically, if at all.

According to the Webster Commission's report, these findings resulted from the FBI's lack of attention to IT security in developing and managing computer systems. The report highlights the importance of computer security as it shows how breaches, such as those that GISRA audits continue to identify, present national security risks.