
Federal Bureau of Investigation's Implementation of Information Technology Recommendations

Report No. 03-36
September 2003
Office of the Inspector General


OIG Findings and Recommendations

Since 1990, OIG reports have found numerous deficiencies with the FBI's IT program, including outdated infrastructures, fragmented management, ineffective systems, and inadequate training. While the FBI has implemented many of the OIG's IT recommendations (93 out of 148), significant further actions are necessary to ensure that the FBI's IT program effectively supports its mission. Recent audits and reviews conducted by the OIG have found repeated deficiencies in the FBI's IT control environment and compliance with information security requirements. These repeated deficiencies illustrate that, in the past, FBI management had not paid sufficient attention to improving its IT program. Until recently, the FBI lacked a system of management controls to ensure that recommendations issued by the OIG were implemented in a timely and consistent manner. Inadequate progress toward implementing IT recommendations and correcting deficiencies contributed to breaches in computer security and failures in mission-critical investigative activities. However, current FBI leadership has stated that they are committed to enhancing controls to ensure recommendations are implemented in a consistent and timely manner, and the FBI recently established a system to facilitate the tracking and implementation of recommendations. Additionally, the FBI expects significant improvements from its current IT modernization efforts, which the FBI believes will correct many of the deficiencies identified by the OIG.

1. OIG Reports on the FBI's IT

To assess the FBI's progress in implementing recommendations directed toward improving its information technology, this audit examined the following OIG reports that considered the FBI's use and management of IT:

  • the 1990 report on the FBI's automated data processing (ADP) controls,
  • the 2002 report on the FBI's IT investment management (ITIM),
  • five reports issued for FYs 1996 through 2001 on the FBI's control environment over its financial IT systems,[14]
  • three reports issued for FYs 2001 and 2002 specific to the FBI's compliance with GISRA, and
  • two special review reports issued in 1999 and 2002 that contained FBI IT-related recommendations.

Although the FBI made measurable progress in implementing the OIG's IT recommendations contained in these reports (93 out of 148), it still must take significant actions to achieve a successful IT program. For each recommendation we examined, we assessed its status (open or closed). To do so, we reviewed the latest available correspondence between the OIG and the FBI regarding the actions required to close each recommendation, and made inquiries with FBI officials.[15] We considered recommendations with a closed status to be implemented, based on the OIG's judgment that the requirements of the recommendation had been met. As a result, we treated closed recommendations as an indicator of the FBI's progress in addressing deficiencies. Yet, while closed recommendations can indicate progress, the underlying deficiency may reappear in future audits and reviews.

The following sections provide background information on these reports and an assessment of the FBI's progress toward implementing IT-related recommendations contained in them.[16]

A. Report on the FBI's ADP Controls

In 1990, the OIG issued a report entitled, "The FBI's Automatic Data Processing General Controls." The objectives of the audit were to determine whether the ADP general controls: (1) had been designed according to management direction and known legal requirements; and (2) were operating effectively to provide reliability of, and security over, the data being processed.

(1) Background on Report Findings

This report found 11 major internal control weaknesses, many of which still exist today. Specifically, the report found the following.

  1. The FBI's phased implementation of its 10-year Long Range Automation Strategy, scheduled for completion in 1990, was severely behind schedule.
  2. The FBI's Information Resources Management program was fragmented and ineffective, and the FBI's Information Resources Management official did not have effective organization-wide authority.
  3. The FBI had not developed and implemented a data architecture.
  4. The FBI had not adequately involved top management in FBI Headquarters (FBIHQ) or the field offices in systems development through an Executive Review Committee.
  5. The FBI's major mainframe investigative systems were labor intensive, complex, untimely, and non-user friendly, and few special agents used these systems.

(2) FBI's Progress in Taking Corrective Actions

As discussed in more detail in the following section, the December 2002 OIG report entitled, "The FBI's Management of IT Investments," noted that many of the weaknesses identified in the 1990 report on ADP controls still existed 12 years later. Regarding the first weakness, the FBI's IT infrastructure is still severely outdated. Regarding the second weakness, the FBI has completed several restructurings, including one in February 2002 that was intended to give the Information Resources Management program more authority over the divisions that manage IT. Regarding the third weakness, the FBI is still developing an enterprise architecture framework, which includes the technical or data architecture. Regarding the fourth weakness, the FBI did not formally establish IT investment review boards or committees until March 2002. Regarding the fifth weakness, the FBI's major investigative systems remain labor intensive, complex, non-user friendly, and many special agents do not use these systems.

B. Report on the FBI's IT Investment Management

In December 2002, the OIG issued a report entitled, "The FBI's Management of IT Investments." The objectives of the audit were to: (1) determine whether the FBI was effectively managing its IT investments; and (2) assess the FBI's IT-related strategic planning and performance measurement activities.

(1) Background on Report Findings

The OIG concluded that the FBI had not effectively managed its IT investments because it had not fully implemented the management processes associated with successful IT investments. As discussed in the ITIM report, the foundation for sound IT investment management includes the following fundamental elements:

  • defining and developing IT investment boards,
  • following a disciplined process of tracking and overseeing each project's cost and schedule milestones over time,
  • identifying existing IT systems and projects,
  • identifying the business needs for each IT project, and
  • using defined processes to select new IT project proposals.

The FBI failed to implement these critical processes. The FBI did not have a fully functional investment review board operation because the FBI did not provide adequate resources for operating the IT investment boards. Specifically, the OIG found insufficient evidence to demonstrate that: (1) executives and line managers supported and carried out IT investment board decisions, and (2) board members understood the board's policies and procedures and were knowledgeable in using the IT investment approach through training, education, or experience. Additionally, the FBI did not provide ample time to adequately prepare and train IT board members prior to initiating the pilot test of its recently developed ITIM process. This resulted in inadequate training of board members and insufficient time to develop IT proposals. For example, Technical Review Board members had only three business days to review over 50 IT proposals prior to their first board meeting.

The OIG also found that the FBI was not effectively overseeing its IT projects. For example, while the FBI had issued project management guidance, the guidance was not being followed consistently. The OIG obtained differing answers from the FBI as to which document represented the official project management guidance.

Because the FBI had not fully implemented the critical processes associated with effective IT investment management, the report concluded that the FBI continued to spend hundreds of millions of dollars on IT projects without adequate assurance that these projects would meet their intended goals.

The OIG concluded that these shortcomings primarily resulted from a lack of management attention in the past to IT investment management. However, the FBI has recognized that its past methods for managing IT projects have been deficient, and the FBI committed to changing those practices. In January 2002, the FBI developed a conceptual model for selecting, controlling, and evaluating IT investments. The model seeks to define a process that will promote a Bureau-wide perspective on IT investment management, so that only IT projects with the highest probability of improving mission performance are selected. Further, the process is intended to provide the methods, structures, disciplines, and management framework that govern how IT projects are controlled and evaluated.

In addition to developing a conceptual model for a new IT investment management process, in early 2002 the FBI began a pilot test of the new process for the selection of IT proposals. The OIG found that the FBI made improvements during the pilot testing of the new selection process. Pursuant to the new process, the FBI created three IT investment review boards that reviewed IT proposals for technical compliance and "mission fit." These boards, comprised of the FBI Director, FBI executives, and FBI IT managers, selected new IT proposals for inclusion in the FY 2004 budget request.

The OIG ITIM report concluded that while the FBI had made efforts to improve its IT investment management practices, the FBI must take further actions to ensure that it can implement the fundamental processes necessary to build an IT investment foundation, as well as the more mature processes associated with highly effective IT investment management. These actions include:

  • fully developing and documenting its new IT investment management process - which is necessary to completely implement the activities defined in the FBI's conceptual model;
  • requiring increased participation from IT program managers and users - which is necessary to ensure senior management acceptance and foster understanding and institutionalization of the IT investment management process; and
  • further developing the FBI's project management and enterprise architecture functions - which is necessary to execute the control and evaluate components of the IT investment management process as well as advance its investment management capability.

The ITIM report also included a review of the FBI's management of Trilogy, the FBI's largest and most critical IT modernization project. The report noted that the lack of critical IT investment management processes contributed to missed milestones and led to uncertainties about cost, schedule, and technical goals. Specifically, despite $78 million in additional funding, the FBI missed its July 2002 milestone date for completing the physical IT infrastructure upgrades to field offices, including new computer hardware and networks. In addition, the user application (Virtual Case File) component of Trilogy, recognized by FBI officials as the most important aspect of the project in terms of improving agent performance, was at high risk of not being completed within the funding levels appropriated by Congress.

The ITIM report also concluded that the FBI's IT strategic planning and IT performance measurement were inadequate. The FBI's strategic plan did not include goals for IT investment management, and the FBI's strategic plan and performance plan were not consistent with the DOJ's annual performance plan.

(2) FBI's Progress in Taking Corrective Actions

The ITIM report contained 30 recommendations directed toward improving the FBI's management of its IT investments. Because the ITIM report was issued in December 2002, too little time had passed (as of April 2003) to enable us to assess the FBI's progress in implementing the recommendations identified in that report.

While FBI management has stated that improving technology is a high priority, the ITIM report demonstrates that the FBI must take significant action to implement a successful IT program that fully supports its mission. It also demonstrates that a successful IT program depends on effective management control processes. Without effective management controls in place, major projects designed to improve technology, such as Trilogy, may not deliver their intended benefits on schedule and on budget. The following section discusses in more detail OIG findings and recommendations related to the FBI's control environment over its IT systems.

C. Reports on the FBI's Control Environment over its Financial IT Systems

The OIG conducts annual financial statement audits of the FBI, with the most recent report covering FY 2001. To support these financial statement audits, the OIG performs detailed reviews of the FBI's control environment over its financial IT systems. Financial statement audits are intended to play a central role in (1) providing more reliable and useful financial information to decision-makers, and (2) improving the adequacy of internal controls and underlying financial management systems.

In FY 1996, the OIG began conducting annual reviews of the FBI's internal controls over IT systems using the GAO's Federal Information System Controls Audit Manual (FISCAM). The FISCAM describes the computer-related controls that auditors should consider when assessing the integrity, confidentiality, and availability of computerized data.

The general methodology applied to assess computer-related controls requires auditors and reviewers to evaluate:

  • general controls at the entity or installation level;
  • general controls as they are applied to the applications being examined, such as a payroll system or a loan accounting system; and
  • application controls, which are the controls over input, processing, and output of data associated with individual applications.

According to the FISCAM, general controls are the policies and procedures that apply to all or a large segment of an entity's information systems and help ensure their proper operation. Examples of primary objectives for general controls are to safeguard data, protect computer application programs, prevent system software from unauthorized access, and ensure continued computer operations in case of unexpected interruptions. The FISCAM provides six categories for assessing the effectiveness of general controls. These categories are:

  • entity-wide security program planning and management controls,
  • access controls,
  • application software development and change controls,
  • system software controls,
  • segregation of duty controls, and
  • service continuity controls.

The effectiveness of general controls is a significant factor in determining the effectiveness of application controls. Without effective general controls, application controls may be rendered ineffective by circumvention or modification.

Application controls are directly related to individual computerized applications. These controls help ensure that transactions are valid, properly authorized, and completely and accurately processed and reported. Both general and application controls must be effective to help ensure the reliability, appropriate confidentiality, and availability of critical automated information.

The nature and extent of the audit procedures required to assess computer-related controls vary depending on the audit objectives and other factors. If general controls are not operating effectively, the application-level controls are generally not tested. However, if an audit objective is to identify control weaknesses in an application where more employees may have the potential to take advantage of a weakness, an assessment of the application controls may be appropriate.

During the course of these IT reviews, the OIG grouped the vulnerabilities and weaknesses found into the following categories defined by Government Auditing Standards and the American Institute of Certified Public Accountants.

  • Reportable Conditions - matters coming to the auditors' attention that, in their judgment, should be communicated because they represent significant deficiencies in the design or operation of internal control, which could adversely affect the organization's ability to record, process, summarize, and report financial data consistent with the assertions of management in the financial statements.
  • Material Weaknesses - reportable conditions in which the design or operation of one or more of the internal control components does not reduce to a relatively low level the risk that misstatements caused by error or fraud in amounts that would be material in relation to the financial statements being audited may occur and not be detected by employees in the normal course of performing their assigned functions.[17]

As of April 2003, the OIG had issued reports for FYs 1996 through 2001 that indicated consistent weaknesses in the FBI's general and application controls. However, we found that the FBI had made progress in correcting deficiencies associated with the control environment over its financial IT systems. Of the 105 recommendations contained in the detailed reports supporting the financial statement audits from FYs 1996 to 2001, 83 have been implemented and closed, and 22 are still open. Of the 22 open recommendations, 13 correspond to material weaknesses in the FBI's IT management controls, indicating that without compensating controls there is an increased risk that material misstatements to the financial statements will not be detected.

We concluded that while the FBI has made some progress, it must take further action to enhance its controls over its IT environment. As of April 2003, material weaknesses and other control vulnerabilities remained in each of the FISCAM general control areas, except for system software. The following sections provide further details on each of these control categories, the weaknesses noted in these control categories, as well as the FBI's progress toward correcting the weaknesses.

(1) Entity-Wide Security Program Planning and Management Controls

According to the FISCAM, an entity-wide process for security program planning and management is the foundation of an organization's security control structure and a reflection of senior management's commitment to addressing security risks. The security program should establish a framework and a continuing cycle of activity for assessing risk, developing and implementing effective security procedures, and monitoring the effectiveness of these procedures.

According to the FISCAM, without a well-designed security program, security controls may be inadequate; responsibilities may be unclear, misunderstood, and improperly implemented; and controls may be inconsistently applied. Such conditions may lead to insufficient protection of sensitive or critical resources and disproportionately high expenditures for controls over low-risk resources.

(a) Background of Entity-Wide Security Program Planning and Management Control Findings

Reviews of the FBI's general computer controls for FYs 1996 through 2001 included repeated deficiencies pertaining to entity-wide security program planning and management controls. During the FY 1998 review, the OIG reported that the Payroll System did not have a security plan. That condition was reported again during the FY 1999 review. Additionally, the OIG reported in FY 2000 that a security plan had been written, but it did not address (1) specific rules of behavior, (2) training, and (3) the rules of the system. Further, the OIG reported in FY 2001 that the plan did not address an incident response capability, rules of behavior, and system interconnection. These reports for FYs 1998 through 2001 also stated that vulnerabilities existed because FBI management did not thoroughly review the FBI's "Payroll System Security Plan" that was written by a contractor.

As of April 2003, the deficiencies associated with the FBI's security program plans were considered to be a material weakness. The OIG made eight recommendations in the reviews for FYs 1996 through 2001 that were directed toward correcting the identified security program planning and management control vulnerabilities. Four of these recommendations were repeated in more than one year's report.

(b) FBI's Progress in Taking Corrective Actions

Since FY 1996, the FBI has made progress in correcting the vulnerabilities in its entity-wide security planning and management controls. Six of the eight recommendations were closed as of April 2003, while the other two remained open. Of the six recommendations that were implemented, four were last reported by the OIG as material weaknesses, while the other two were reportable conditions. The following table summarizes how the open and closed recommendations correspond to the reported vulnerability.

Summary of Open and Closed Entity-Wide Program Planning and Management Recommendations by Vulnerability Type

Type of Vulnerability        Number of Open     Number of Closed   Total Number of
                             Recommendations    Recommendations    Recommendations
Material Weakness                   2                  4                  6
Reportable Condition                0                  2                  2
Management Letter Comment           0                  0                  0
Total                               2                  6                  8

Source: OIG analyses as of April 2003

By implementing six of the recommendations, the FBI improved its entity-wide security program planning and management controls by:

  • taking steps to clearly assign, identify, and communicate information security responsibilities (reportable condition);
  • allocating sufficient resources to ensure the proper implementation of its Automated Data Processing and Telecommunications (ADPT) policy (reportable condition);
  • ensuring that risk assessments of the FBI Headquarters Data Center, its other supporting systems, and all major applications are conducted as required by OMB Circular A-130 and by the FBI's Manual of Investigative Operations and Guidelines (material weakness);
  • ensuring that the systems and applications are accredited every three years (material weakness);
  • renewing the interim accreditation for general control systems and major applications (material weakness); and
  • improving security and application controls by determining which of its systems are classified as "major applications" (material weakness).

Despite the progress, additional corrective actions are necessary to mitigate the remaining weaknesses. Specifically, the FBI must still ensure that:

  • the ADPT security plans are completed appropriately (material weakness), and
  • the Payroll System Security Plan incorporates an incident response capability and rules of behavior (material weakness).

Regarding the completion of ADPT security plans, the OIG first recommended this action in the FY 1998 report, and has since repeated it in the FY 1999, 2000, and 2001 reports because the FBI's corrective actions to date have been inadequate. Without an approved security plan, the integrity of sensitive information maintained by the FBI is at risk of being compromised.

(2) Access Controls

(a) Background of Access Control Findings

Reviews of the FBI's general computer controls for FYs 1996 through 2001 included repeated deficiencies pertaining to access controls. The access control findings discussed in the FY 2001 report were considered to be a material weakness of the FBI. In the reviews for FYs 1996 through 2001, the OIG made 42 recommendations that were directed toward correcting the identified access control vulnerabilities.[18] Ten of these recommendations were repeated in subsequent reports.

The OIG's most recent report, covering FY 2001, stated that there were two findings associated with access controls: (1) auditing controls over the local area network (LAN), and (2) excessive access privileges granted to systems programmers.

1. Auditing Controls Over the Local Area Network

The OIG's review for FY 1998 reported that an automated tool was used to assess the technical controls over the FBI's Finance Division LANs. The assessment found weaknesses in three areas of security: account restrictions, system monitoring, and data confidentiality.

In FY 1999, another automated tool was used to perform the assessment of the technical controls over the FBI's Finance Division LANs. Although corrective action had been initiated on the prior weaknesses found, the OIG reported that these weaknesses still existed during FY 1999. The FY 2000 report stated that auditing remained disabled on the Finance Division's Windows NT and Novell NetWare environments.

According to the OIG FY 2001 review, although FBI management had indicated that corrective actions had been taken with respect to the recommended settings, the conditions continued to be identified during the annual financial statement audit process. The FY 2001 report further stated that the cause of this weakness was that the Finance Division LAN administrators had not fully implemented the FBI's audit policy on logical access controls on their Windows NT and NetWare LANs.

2. Excessive Access Privileges Granted to Systems Programmers

The FY 2001 report stated that access control profiles were not configured to restrict access to sensitive database utilities and payroll files. Specifically, the report noted instances where three systems programmers had access to database utilities and had full control of the payroll and Oracle datasets. The FY 2001 report further stated that the cause was the FBI's granting of systems programmer profiles to database programmers, thus providing them with unnecessary access to sensitive utilities. The OIG also reported in FY 2001 that the FBI's Systems Programming and Integration Unit (SPIU) was in the process of developing a database programmer profile that would provide access control to only the needed datasets.

(b) FBI's Progress in Taking Corrective Actions

The FBI has made progress in correcting the vulnerabilities in this FISCAM category area since FY 1996. Of the 42 recommendations, 32 were closed as of April 2003, while the other 10 remained open. Of the 32 recommendations that were implemented, 15 were last reported by the OIG as material weaknesses, 13 were reportable conditions, and 4 were management letter comments. The following table summarizes how the open and closed recommendations correspond to the reported vulnerability.

Summary of Open and Closed Access Control Recommendations by Vulnerability Type

Type of Vulnerability        Number of Open     Number of Closed   Total Number of
                             Recommendations    Recommendations    Recommendations
Material Weakness                   5                 15                 20
Reportable Condition                5                 13                 18
Management Letter Comment           0                  4                  4
Total                              10                 32                 42

Source: OIG analyses as of April 2003

By implementing 32 of the recommendations, the FBI improved its access control environment. These improvements included:

  • establishing procedures that require new users to immediately change their initial password (reportable condition);
  • reviewing user access to sensitive system files (reportable condition);
  • establishing and distributing procedures requiring local security administrators to periodically, at least quarterly, review employees' access privileges in relation to their current job functions (reportable condition);
  • deleting users that no longer require access to the network or do not have a demonstrated need for their access (material weakness); and
  • requiring all system administrators to change their passwords at least every 30 days (material weakness).

Despite the progress made, additional corrective actions are necessary to mitigate the remaining weaknesses. Specifically, the FBI still must ensure that:

  • an entity-wide data assessment of network systems is periodically performed to determine where potential vulnerabilities exist (reportable condition);
  • user authentication controls are strengthened by an active token for user authentication (reportable condition);
  • computer security training is provided to users at least annually (reportable condition);
  • policies and procedures for the FBI's IT environments are complied with (material weakness); and
  • the auditing function on the Finance Division's NetWare environment is enabled (material weakness).

With respect to complying with policies and procedures and enabling the auditing function, the OIG first recommended these actions in the FY 1998 report, and has since repeated them in the FY 1999, 2000, and 2001 reports because the FBI's corrective actions to date have been inadequate. These actions are necessary to reduce the risk of processing erroneous or fraudulent transactions, and ensure that there can be a reconstruction of events if a system compromise or malfunction occurs.

(3) Application Software Development and Change Controls

According to the FISCAM, application software is designed to support a specific operation, such as payroll or loan accounting. Typically, several applications may operate under one set of operating system software. Establishing controls over the modifications of application software programs helps to ensure that only authorized modifications are implemented. Without proper application software development and change controls, there is a risk that security features could be inadvertently or deliberately omitted or "turned off" or that processing irregularities or malicious code could be introduced.

(a) Background of Software Development and Change Control Findings

Reviews of the FBI's general computer controls for FYs 1996 through 2001 included repeated deficiencies pertaining to software development and change control findings. During the FY 2000 review, the OIG noted that although the FBI had developed a change control manual in July 1997 entitled "The Architecture Change Management (ACM) Plan," it did not address changes to the computer-based application and its environment. The OIG also reported in FY 2000 that project managers were not using the ACM because the procedures set forth by the ACM did not reflect the FBI's current information technology architecture, including recent changes to hardware, software, and firmware.

During the FY 2001 review, the OIG noted that the FBI had documented a change control process entitled, "Change Management Rules, Standards and Procedures," which replaced the ACM. However, this process had not been implemented on the Property Management Application (PMA) and the Payroll Application.

According to the FY 2001 report, the failure to implement the change management rules occurred because the FBI's Quality Configuration and Methods Unit (QCMU) did not enforce the Change Management Rules, Standards, and Procedures. The FY 2001 report further stated that the Unit plans to perform audits of divisions as a means of enforcing the procedures. The OIG reported that this weakness increases the chance that two or more independent changes to the system will conflict with one another and, consequently, the system will not function properly.

In the reviews for FYs 1996 through 2001, the OIG made eight recommendations that were directed toward correcting the identified system software development and change control findings.[19] Four of these recommendations were repeated in subsequent reports. As of the issuance of the FY 2001 report, the deficiencies associated with the FBI's software development and change controls were considered to be a material weakness.

(b) FBI's Progress in Taking Corrective Actions

Since FY 1996, the FBI has made progress in correcting the software development and change control deficiencies. Six of the eight recommendations pertaining to this FISCAM category were closed as of April 2003, while the other two remained open. Of the six recommendations that were implemented, three were last reported by the OIG as material weaknesses, while the other three were management letter comments. The following table summarizes how the open and closed recommendations correspond to the reported vulnerability.

Summary of Open and Closed Application Software Development and
Change Control Recommendations by Vulnerability Type

Type of Vulnerability        Number of Open      Number of Closed    Total Number of
                             Recommendations     Recommendations     Recommendations
Material Weakness                    1                   3                   4
Reportable Condition                 0                   0                   0
Management Letter Comment            1                   3                   4
Total                                2                   6                   8
Source: OIG analyses as of April 2003

By implementing six of the recommendations, the FBI improved its software development and change controls by:

  • developing and maintaining a configuration management process addressing changes to overall ADPT resources (management letter comment);
  • expediting the implementation of the ACM methodology entity-wide (management letter comment);
  • developing and implementing procedures to ensure all system problems are recorded (management letter comment);
  • ensuring that the Information Resources Division enhances the ACM document to comprehensively address any type of change to the computer based application system and its environment (material weakness);
  • ensuring that the methodology set forth with the ACM is consistently applied to the Financial Management System application (material weakness); and
  • enforcing the emergency change procedures stated within ACM (material weakness).

Despite the progress made, additional corrective actions are necessary to mitigate the remaining weaknesses. Specifically, the FBI must ensure that:

  • a policy is developed and implemented requiring periodic independent reviews of all major systems development activities at each major activity milestone (management letter comment); and
  • an automated software management system is implemented in order to automate the transfer of all program code necessary to run a system (material weakness).

Regarding the implementation of an automated software management system, the OIG first recommended this action in the FY 1996/1997 report, and has since repeated it in the FY 1998, 1999, and 2000 reports because the FBI's corrective actions to date have been inadequate. Change requests maintained in multiple databases increase the risk that the FBI's Information Resources Division may not have the most current and accurate status of all requests. Additionally, poor change controls can create risks that inaccurate and unauthorized computer changes are implemented into the production environment. This weakness could cause inaccurate data or loss of data to the application.

(4) System Software Controls

According to the FISCAM, system software is a set of programs designed to operate and control the processing activities of computer equipment. Generally, one set of system software is used to support and control a variety of applications that may run the same computer hardware. System software helps control and coordinate the input, processing, output, and data storage associated with all the applications that run on a system. Some system software can change data and program code on files without leaving an audit trail.

Controls over access to and modification of system software are essential in providing reasonable assurance that operating system-based security controls are not compromised and that the system will not be impaired. Inadequate controls over system software could enable unauthorized individuals to circumvent security controls to read, modify, or delete critical or sensitive information and programs; enable authorized users of the system to gain unauthorized privileges and conduct unauthorized actions; or allow system software to be used to circumvent edits and other controls built into application programs. Such weaknesses seriously diminish the reliability of information produced by all of the applications supported by the computer system and increase the risk of fraud and sabotage.

(a) Background on System Software Control Findings

The FY 2001 review did not report any material weaknesses associated with system software controls. The most recent vulnerabilities were noted in the FY 2000 and FY 1999 reports.

(b) FBI's Progress in Taking Corrective Actions

The FBI has corrected the deficiencies identified in the detailed IT reports for FYs 1996 through 2000. The reports for FYs 1996 through 2000 made seven recommendations that were directed toward correcting the identified system software control vulnerabilities.20 All seven recommendations pertaining to this FISCAM control category were closed as of April 2003. Two of the recommendations were last reported by the OIG as material weaknesses, one was a reportable condition, and the remaining four were management letter comments. The following table summarizes how the open and closed recommendations correspond to the reported vulnerability.

Summary of Open and Closed System Software Control
Recommendations by Vulnerability Type

Type of Vulnerability        Number of Open      Number of Closed    Total Number of
                             Recommendations     Recommendations     Recommendations
Material Weakness                    0                   2                   2
Reportable Condition                 0                   1                   1
Management Letter Comment            0                   4                   4
Total                                0                   7                   7
Source: OIG analyses as of April 2003

By implementing the seven recommendations, the FBI improved its system software control environment as of the issuance of the FY 2001 IT report. Examples of these improvements include:

  • performing an analysis to determine which libraries and associated members are necessary for proper system performance (management letter comment);
  • implementing procedures to ensure that all system documentation is current and complete and that changes to documentation are reflected timely and disseminated to applicable individuals (management letter comment);
  • implementing a system software control policy to ensure that system software is current (management letter comment);
  • configuring the parameters in order to log all the associated transactions for the respective System Management Facility records (material weakness); and
  • establishing and implementing a formal change control process for changes to system software (reportable condition).

Regarding the implementation of a formal change control process, the OIG first recommended this action in the FY 1996/1997 report, and then repeated it in the FY 1998 and 1999 reports before the FBI completed adequate corrective action. While no open recommendations pertaining to system software controls remain for the FYs 1996 through 2001 reports, testing conducted for the FY 2002 review indicates that additional vulnerabilities exist in system software controls. The FBI's ability to make lasting improvements to its IT control environment depends on a strong commitment from management, rather than short-term fixes that represent only temporary progress.

(5) Segregation of Duty Controls

According to the FISCAM, work responsibilities should be segregated so that one individual does not control all critical stages of a process. For example, while users may authorize program changes, programmers should not be allowed to do so because they are not the owners of the system and do not have the responsibility to see that the system meets user needs. Similarly, one computer programmer should not be allowed to independently write, test, and approve program changes. Often, segregation of duties is achieved by splitting responsibilities between two or more organizational groups. Dividing duties among two or more individuals or groups diminishes the likelihood that errors and wrongful acts will go undetected because the activities of one group or individual will serve as a check on the activities of the other.

Inadequately segregated duties increase the risk that erroneous or fraudulent transactions could be processed, that improper program changes could be implemented, and that computer resources could be damaged or destroyed. The extent to which duties are segregated depends on the size of the organization and the risk associated with its facilities and activities. A large organization will have more flexibility in separating key duties than a small organization that must depend on only a few individuals to perform its operation. Smaller organizations may rely more extensively on supervisory review to control activities. Similarly, activities that involve extremely large dollar transactions, or are otherwise inherently risky, should be divided among several individuals and be subject to relatively extensive supervisory review.

(a) Background on Segregation of Duty Findings

Reviews of the FBI's general computer controls for FYs 1996 through 1998, and 2000 through 2001 included repeated deficiencies pertaining to segregation of duty controls. The OIG made five recommendations in the reviews for FYs 1996 through 1998 and 2000 through 2001 that were directed toward correcting the identified segregation of duty vulnerabilities.21 Two of these recommendations were repeated in the FY 2001 report.

The FY 2001 report stated that there were three findings associated with segregation of duty controls pertaining to: (1) policies and procedures for segregation of duties, (2) physical and logical controls for segregation of duties, and (3) documented procedures for the FBI's Payroll Application.

1. Policies and Procedures for Segregation of Duties

The OIG stated in its FY 2000 report that the FBI has not established guidance, policies, procedures, or awareness of segregation of duties within the divisions and units. The result is unclear segregation of job responsibilities. This condition was also reported in the FY 2001 report.

According to the FY 2001 report, unclear, inconsistent policies and a lack of guidelines to separate the units created an environment where duties occasionally overlap. As a result, it was difficult to define responsibilities between the various units within the FBI.

2. Physical and Logical Controls for Segregation of Duties

The OIG reported in FY 2000 that application programmers had access to both the test and production regions in the PMA and Payroll Application. The FY 2001 report further stated that the application system administrator for the PMA was appropriately granted program update access to the test environment. However, the application system administrator also could move programs back into the production environment. Specifically, the Payroll Application programmers had the ability to move programs (source code) from the library to the test environment, make changes, and move the programs back into the quality assurance environment for testing.

According to the FY 2001 report, inadequate segregation of duties within the units and divisions caused application administrators and programmers to inappropriately be granted access to both the test and production regions.
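The two FISCAM principles described above (no one person writes, tests, and approves a change; programmers do not hold update access to both test and production) can be checked mechanically against access and change records. The following is an added illustration in Python, not code from the OIG report or from the FBI's applications; the user names, application names, regions and change identifiers are all constructed.

```python
"""
Segregation-of-duties checks over constructed access and change-request records.

Check 1: no user holds update access to both the test and production regions
         of the same application (the PMA / Payroll finding above).
Check 2: no single person acted as author, tester and approver of one change
         (the "write, test, and approve" principle above).

All data here is constructed for illustration; nothing is taken from the report.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed access-control entries: (user, application, region, permission).
ACCESS_ENTRIES = [
    ("alice", "PMA", "test", "update"),
    ("alice", "PMA", "production", "update"),   # update in both regions: violation
    ("bob", "PMA", "test", "update"),
    ("bob", "PMA", "production", "read"),       # read-only in production is acceptable
    ("carol", "Payroll", "test", "update"),
    ("carol", "Payroll", "qa", "update"),       # test plus QA, never production: acceptable
    ("dave", "Payroll", "production", "update"),
    ("dave", "Payroll", "test", "update"),      # update in both regions: violation
]


@dataclass(frozen=True)
class ChangeRequest:
    """One program change and the person who filled each role (constructed)."""
    change_id: str
    application: str
    author: str
    tester: str
    approver: str


CHANGE_REQUESTS = [
    ChangeRequest("CR-1001", "PMA", "alice", "bob", "erin"),          # three different people
    ChangeRequest("CR-1002", "Payroll", "carol", "carol", "carol"),   # one person did everything
    ChangeRequest("CR-1003", "Payroll", "carol", "dave", "carol"),    # author approved own change
]


def find_dual_region_update_access(entries) -> List[Tuple[str, str]]:
    """Return sorted (user, application) pairs holding update access in both test and production."""
    update_regions: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for user, app, region, permission in entries:
        if permission == "update":
            update_regions[(user, app)].add(region)
    return sorted(key for key, regions in update_regions.items()
                  if {"test", "production"} <= regions)


def find_unsegregated_changes(changes) -> List[Tuple[str, str]]:
    """Return (change_id, reason) for every change where one person filled more than one role."""
    findings = []
    for cr in changes:
        roles = {"author": cr.author, "tester": cr.tester, "approver": cr.approver}
        roles_by_person: Dict[str, List[str]] = defaultdict(list)
        for role, person in roles.items():
            roles_by_person[person].append(role)
        for person, held in roles_by_person.items():
            if len(held) > 1:
                findings.append((cr.change_id, f"{person} acted as {' and '.join(held)}"))
    return findings


if __name__ == "__main__":
    for user, app in find_dual_region_update_access(ACCESS_ENTRIES):
        print(f"dual-region update access: {user} on {app}")
    for change_id, reason in find_unsegregated_changes(CHANGE_REQUESTS):
        print(f"unsegregated change {change_id}: {reason}")
```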

3. Documented Procedures for the Payroll Application

The FY 2001 report stated that documented procedures do not exist for the Payroll Application's administrative functions. The report further stated that this weakness is caused by the failure to require a consistent administrative process for payroll-related functions by the Payroll Administration and Processing Unit and the Personnel Staffing Unit.

(b) FBI's Progress in Taking Corrective Actions

Since FY 1996, the FBI has made progress in correcting deficiencies associated with segregation of duty controls. Four of the five recommendations pertaining to this FISCAM category were closed as of April 2003, while one remained open. Of the four recommendations that were implemented, two were last reported by the OIG as a material weakness, while the other two were management letter comments. The following table summarizes how the open and closed recommendations correspond to the reported vulnerability.

Summary of Open and Closed Segregation of Duty
Recommendations by Vulnerability Type

Type of Vulnerability        Number of Open      Number of Closed    Total Number of
                             Recommendations     Recommendations     Recommendations
Material Weakness                    1                   2                   3
Reportable Condition                 0                   0                   0
Management Letter Comment            0                   2                   2
Total                                1                   4                   5
Source: OIG analyses as of April 2003

By implementing four of the recommendations, the FBI improved its segregation of duty controls by:

  • assessing the need for additional personnel at the staff level within the data security administrative function (management letter comment);
  • performing an analysis of the potential benefits of applying business process re-engineering and/or activity-based costing processes to current operations in order to enhance effectiveness, efficiency, and productivity (management letter comment);
  • ensuring application administrators and programmers do not have direct update access to both test and production application programs (material weakness); and
  • establishing guidance policies, procedures, and awareness of segregation of duties within the divisions and units (material weakness).

Despite the progress made, an additional corrective action is necessary to mitigate the remaining weaknesses. Specifically, the FBI still must ensure that the payroll-related functions are documented and maintained to ensure the consistent application of the payroll-related administrative process (material weakness).

Because a segregation of duty deficiency was not corrected as of April 2003, the FBI is subject to the risk that erroneous transactions could be processed, improper program changes could be implemented, and computer resources could be damaged or destroyed.

(6) Service Continuity Controls

According to the FISCAM, losing the capability to process, retrieve, and protect information maintained electronically can significantly affect an agency's ability to accomplish its mission. For this reason, an agency should have (1) procedures in place to protect information resources and minimize the risk of unplanned interruptions, and (2) a plan to recover critical operations should interruption occur. The procedures and plan should consider the activities performed at general support facilities, such as data processing centers and telecommunications facilities, as well as the activities performed by the users of specific applications. To determine whether the recovery plan will work as intended, the plan should be tested periodically in disaster simulation exercises.

Although often referred to as disaster recovery plans, controls to ensure service continuity should address the entire range of potential disruptions. These disruptions may include relatively minor interruptions, such as temporary power failures, as well as major disasters, such as fires or natural disasters, that would require reestablishing operations at a remote location. If controls are inadequate, even relatively minor interruptions can result in lost or incorrectly processed data, which can cause financial losses, expensive recovery efforts, and inaccurate or incomplete financial or management information. For some operations, such as those involving health care or safety, system interruptions could also result in injuries or loss of life.

To mitigate service interruptions, it is essential that the related controls be understood and supported by management and staff throughout the organization. Senior management commitment is especially important to ensure that adequate resources are devoted to emergency planning, training, and related testing. In addition, all staff with service continuity responsibilities, such as staff responsible for backing up files, should be fully aware of the risks if these duties are not fulfilled.

(a) Background on Service Continuity Control Findings

Reviews of the FBI's general computer controls for FYs 1996 through 2000 reported repeated deficiencies pertaining to service continuity controls. The FY 2000 report identified two service continuity findings that were included in the material weakness. During the FY 2001 review, the OIG did not report any additional service continuity control deficiencies, although certain previously reported material weaknesses remained. These weaknesses are discussed below.

The FY 2000 report stated that the FBI's Contingency/Disaster Recovery Plans did not address specific applications, were incomplete, outdated, and did not include requirements such as testing scenarios and plans. While the FBI's Headquarters Data Center unit chief has attempted to update the plans, the business process owners had not adequately defined risks and critical recovery needs.

Because of this deficiency, during an extended outage or disaster, information system processing functions and vital business operations may be damaged and unable to function since critical information and computer resources are unavailable or inaccessible.

Additionally, the OIG reported in FY 1999, and again in FY 2000, that Data Center employees still had not been trained in disaster recovery, emergency, and contingency procedures. Without proper knowledge of procedures and priorities, the staff may be unable to perform critical duties to resume operations.

The reports for FYs 1996 through 2000 made 17 recommendations that were directed toward correcting the identified service continuity control vulnerabilities.22 Nine of these recommendations were repeated in subsequent reports.

(b) FBI's Progress in Taking Corrective Actions

Since FY 1996, the FBI has made progress in correcting deficiencies associated with service continuity controls. Of the 17 recommendations pertaining to this FISCAM category, 15 were closed as of April 2003, while the other two remained open. Of the 15 recommendations that were implemented, 13 were last reported by the OIG as material weaknesses, while the remaining 2 were management letter comments. The following table summarizes how the open and closed recommendations correspond to the reported vulnerability.

Summary of Open and Closed Service Continuity Control
Recommendations by Vulnerability Type

Type of Vulnerability        Number of Open      Number of Closed    Total Number of
                             Recommendations     Recommendations     Recommendations
Material Weakness                    2                  13                  15
Reportable Condition                 0                   0                   0
Management Letter Comment            0                   2                   2
Total                                2                  15                  17
Source: OIG analyses as of April 2003

By implementing 15 of the recommendations, the FBI improved its service continuity control environment. Examples of these improvements include:

  • developing procedures to ensure that daily back-up tapes are stored in a fireproof vault that is secure and not located within the immediate Data Center (management letter comment);
  • developing a comprehensive contingency plan that provides an entity-wide approach for the recovery of mission-critical data processing operation in the event of a disaster (material weakness);
  • assigning responsibility to a team of individuals to ensure full back-up and recovery is performed (material weakness);
  • ensuring all data personnel are informed when the ADPT contingency plan has been completed and approved and that employees have access to the plan (material weakness); and
  • briefing Data Center personnel on emergency procedures and responsibilities through training sessions and by distributing written policies and procedures (material weakness).

Despite the progress made, additional corrective actions are necessary to mitigate weaknesses previously reported in the FY 1999 and 2000 reports. The FBI still must:

  • continue to update the ADPT contingency plan, addressing the weaknesses identified in the FY 1999 report (material weakness); and
  • ensure that the Finance Division has developed and distributed to end-users, a contingency plan covering its information technology applications (material weakness).

The OIG first recommended in the FY 1999 report that the Finance Division develop and distribute a contingency plan covering its IT applications. This recommendation was repeated in the FY 2000 report, indicating that the FBI had not taken adequate corrective action. Without effective service continuity controls, information system processing functions and vital business operations may be damaged and unable to function during an extended outage or disaster because critical information and computer resources could be unavailable or inaccessible.

(7) Application Controls

According to the FISCAM, application controls are the structure, policies, and procedures that apply to separate, individual application systems such as accounts payable, inventory, payroll, grants, or loans. An application system is typically a collection or group of individual computer programs that relate to a common function. Some applications may be complex, comprehensive systems involving numerous computer programs and organizational units, such as those associated with benefit payment systems.

Application controls help ensure that transactions are valid, properly authorized, and completely and accurately processed by the computer. These controls are commonly categorized into three phases of a processing cycle:

  • input - data is authorized, converted to an automated form, and entered into the application in an accurate, complete, and timely manner;
  • processing - data is properly processed by the computer and files are updated correctly; and
  • output - files and reports generated by the application actually occur and accurately reflect the results of processing, and reports are controlled and distributed to the authorized users.

According to the FISCAM, inadequate application controls can result in invalid, incomplete, or improperly classified data. Additionally, there is a heightened risk of inaccurate valuation or allocation of data and unauthorized transactions.

(a) Background on Application Control Findings

Reviews of the FBI's general computer controls for FYs 1998 through 2001 included deficiencies in application controls. The FY 2001 report reviewed the FBI's PMA and reported two findings: excessive access privileges were granted over the PMA, and input and processing control weaknesses existed on the PMA. The FY 2001 report further stated that these weaknesses occurred because the FBI lacked security oversight to monitor access of all users, and the PMA did not have the appropriate input and processing controls built in during its initial design. According to the FBI, adding the controls to the application was not a priority due to limited PMA resources.

Because of these application control weaknesses, the PMA allowed users to make unauthorized changes to property data, leading to errors in the property computer application. In the reviews for FYs 1998 through 2001, the OIG made 15 recommendations to correct the identified application control weaknesses.23

(b) FBI's Progress in Taking Corrective Actions

Since FY 1998, the FBI has made progress toward correcting the identified weaknesses. Of the 15 recommendations pertaining to this FISCAM category, 10 were closed as of April 2003 while the other 5 remained open. Of the ten recommendations that were implemented, nine were considered reportable conditions, while one was a material weakness. The following table summarizes how the open and closed recommendations correspond to the reported vulnerability.

Summary of Open and Closed Application Control Recommendations by Vulnerability Type

Type of Vulnerability        Number of Open      Number of Closed    Total Number of
                             Recommendations     Recommendations     Recommendations
Material Weakness                    2                   1                   3
Reportable Condition                 3                   9                  12
Management Letter Comment            0                   0                   0
Total                                5                  10                  15
Source: OIG analyses as of April 2003

By implementing ten of the recommendations, the FBI improved its application control environment. Examples of these improvements include:

  • defining, documenting, and communicating the roles and responsibilities for changing code to the Payroll Application (reportable condition);
  • reviewing the list of users having access to code, determining which users should not be making changes in accordance with their duties and responsibilities, and revoking access to users who should not be making changes (reportable condition);
  • ensuring that user access to payroll code is authorized, documented, and periodically reviewed (reportable condition);
  • adhering to the FBI's change management processes for applications and system software once formal processes have been developed (reportable condition); and
  • reviewing the budgetary module of the Financial Management System (FMS), determining the cause of the application security weakness allowing the transfer of funds beyond an authorized balance, and taking the appropriate measures to ensure adequate controls are in place (material weakness).

Despite the progress made, additional corrective actions are necessary to mitigate the remaining weaknesses. Specifically, the FBI must:

  • coordinate with the General Services Administration to synchronize file formats so that data sent via Simplified Intergovernmental Buying and Collection will correctly interface with the FMS application (reportable condition);
  • ensure the Federal Procurement Data Statistics (FPDS) screen is modified to include all the fields required for accurate procurement reporting (reportable condition);
  • remove the additional access capability from any PMA user not authorized or required to have the additional access to complete their job function (material weakness); and
  • develop and implement a plan to ensure: (a) input control weaknesses identified in the PMA are appropriately addressed, and (b) the risk associated with the processing control weaknesses in the PMA is mitigated to ensure that all property is entered and purchase order and property numbers are accounted for (material weakness).

Inadequate input controls on the PMA can lead to errors in the property data, cause time consuming physical inventory counts and reconciliation, and require the Property Management Unit to correct errors in the application data.
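The input and processing phases listed above, and the open PMA recommendation that all property be entered and every purchase order and property number be accounted for, can be expressed as a validate-then-reconcile step over a property feed. The following is an added example in Python, not code from the OIG report or from the FBI's PMA; the field names, identifier formats and records are all constructed.

```python
"""
Input and processing controls over a constructed property-management feed.

Input control:      each submitted record must carry the required fields in the
                    expected format before it is accepted into the application.
Processing control: after the update, every purchase-order line must be matched
                    by a property record, every property record must trace back
                    to a purchase order, and no property number may be duplicated.

Every identifier format, field name and record below is constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

PO_NUMBER_RE = re.compile(r"^PO-\d{5}$")          # constructed purchase-order format
PROPERTY_NUMBER_RE = re.compile(r"^P-\d{6}$")     # constructed property-number format
REQUIRED_FIELDS = ("property_number", "po_number", "description", "cost", "custodian")

# Constructed purchase-order lines; each is expected to yield one property record.
PURCHASE_ORDER_LINES = [
    {"po_number": "PO-10001", "line": 1},
    {"po_number": "PO-10002", "line": 1},
    {"po_number": "PO-10003", "line": 1},
]

# Constructed property records as submitted by users of the application.
SUBMITTED_RECORDS = [
    {"property_number": "P-000101", "po_number": "PO-10001", "description": "Laptop",
     "cost": "1450.00", "custodian": "unit-a"},
    {"property_number": "P-000102", "po_number": "PO-10002", "description": "Monitor",
     "cost": "300.00", "custodian": "unit-a"},
    {"property_number": "P-000102", "po_number": "PO-10002", "description": "Docking station",
     "cost": "150.00", "custodian": "unit-a"},   # reuses a property number
    {"property_number": "P-000103", "po_number": "PO-99999", "description": "Printer",
     "cost": "800.00", "custodian": "unit-b"},   # purchase order not in the feed
    {"property_number": "P-000104", "po_number": "PO-10003", "description": "",
     "cost": "50.00", "custodian": "unit-b"},    # missing description: rejected at input
    {"property_number": "P-000105", "po_number": "PO-10003", "description": "Scanner",
     "cost": "-90.00", "custodian": "unit-b"},   # negative cost: rejected at input
]


def validate_record(record: Dict[str, str]) -> List[str]:
    """Input control: list the reasons a record must be rejected (empty list means accepted)."""
    errors = []
    for field in REQUIRED_FIELDS:
        if not record.get(field):
            errors.append(f"missing {field}")
    if record.get("po_number") and not PO_NUMBER_RE.match(record["po_number"]):
        errors.append("malformed po_number")
    if record.get("property_number") and not PROPERTY_NUMBER_RE.match(record["property_number"]):
        errors.append("malformed property_number")
    try:
        if float(record.get("cost", "")) <= 0:
            errors.append("cost must be positive")
    except ValueError:
        errors.append("cost is not numeric")
    return errors


def reconcile(po_lines, accepted_records) -> Dict[str, List[str]]:
    """Processing control: account for every purchase order and property number after the update."""
    expected_pos = {line["po_number"] for line in po_lines}
    seen_pos = {rec["po_number"] for rec in accepted_records}
    number_counts = Counter(rec["property_number"] for rec in accepted_records)
    return {
        "po_without_property": sorted(expected_pos - seen_pos),
        "property_without_po": sorted(seen_pos - expected_pos),
        "duplicate_property_numbers": sorted(n for n, c in number_counts.items() if c > 1),
    }


def process_feed(po_lines, submitted) -> Tuple[List[Tuple[str, List[str]]], Dict[str, List[str]]]:
    """Apply the input control, then reconcile whatever was accepted; return (rejections, exceptions)."""
    rejections, accepted = [], []
    for rec in submitted:
        errors = validate_record(rec)
        if errors:
            rejections.append((rec.get("property_number", "?"), errors))
        else:
            accepted.append(rec)
    return rejections, reconcile(po_lines, accepted)


if __name__ == "__main__":
    rejected, exceptions = process_feed(PURCHASE_ORDER_LINES, SUBMITTED_RECORDS)
    for number, errors in rejected:
        print(f"rejected {number}: {', '.join(errors)}")
    for kind, items in exceptions.items():
        print(f"{kind}: {items}")
```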

(8) Other Financial-Related IT Recommendations

In the FY 1996/1997 detailed report issued in support of the Financial Statement Audit, the OIG provided the FBI with three recommendations not categorized by FISCAM general control areas.24 These recommendations, reported as management letter comments, involved the Year 2000 issue, strategic planning, and network encryption. All of the recommendations were closed upon issuance of the final report. The following table summarizes how the closed recommendations correspond to the reported vulnerability.

Summary of Open and Closed Non-FISCAM Category
Recommendations by Vulnerability Type

Type of Vulnerability        Number of Open      Number of Closed    Total Number of
                             Recommendations     Recommendations     Recommendations
Material Weakness                    0                   0                   0
Reportable Condition                 0                   0                   0
Management Letter Comment            0                   3                   3
Total                                0                   3                   3
Source: OIG analyses as of April 2003

By implementing these recommendations, the FBI:

  • provided to the FBI Director monthly briefings on the status of the Year 2000 project (management letter comment);
  • developed a strategic plan that projects technology spending for a 3- to 5-year period (management letter comment); and
  • evaluated encryption alternatives to reduce the risk of compromising sensitive information (management letter comment).

(9) Summary

The FBI made progress in correcting deficiencies associated with the control environment over its IT systems. Of the 105 recommendations contained in the detailed reports supporting the financial statement audits from FYs 1996 to 2001, 83 have been implemented and closed, and 22 are still open. The following table summarizes the status of the FBI's IT control environment recommendations by category.

Status of the FBI's Financial IT Control Environment
Recommendations by FISCAM Category

FISCAM Category                                                  Number of Open      Number of Closed    Total Number of
                                                                 Recommendations     Recommendations     Recommendations
Entity-Wide Security Program Planning and Management Controls            2                   6                   8
Access Controls                                                         10                  32                  42
Application Software Development and Change Controls                     2                   6                   8
System Software Controls                                                 0                   7                   7
Segregation of Duty Controls                                             1                   4                   5
Service Continuity Controls                                              2                  15                  17
Application Controls                                                     5                  10                  15
Other Financial-Related IT Areas                                         0                   3                   3
Total                                                                   22                  83                 105
Source: OIG analyses as of April 2003

Of the 83 recommendations that have been implemented, 40 were originally reported by the OIG as material weaknesses, 25 were reportable conditions, and 18 were management letter comments. The following table summarizes how the open and closed recommendations correspond to the reported vulnerability.

Summary of Open and Closed Recommendations
by Vulnerability Type

Type of Vulnerability        Number of Open      Number of Closed    Total Number of
                             Recommendations     Recommendations     Recommendations
Material Weakness                   13                  40                  53
Reportable Condition                 8                  25                  33
Management Letter Comment            1                  18                  19
Total                               22                  83                 105
Source: OIG analyses as of April 2003

By implementing 83 of the 105 recommendations, the FBI improved its IT internal control environment. The FY 2001 report did not contain any system software control deficiencies. The FBI also made progress toward correcting deficiencies in entity-wide security program planning, access controls, application software development, segregation of duties, service continuity, and application controls.

Despite the progress made, as of April 2003 uncorrected deficiencies remained in the following general control areas:

  • entity-wide security program planning and management;
  • access controls; and
  • application software development and change controls.

In addition to these findings, other vulnerabilities existed in the remaining FISCAM control areas (except for system software controls). The FBI is at increased risk of failures in its financial management and computer security functions. As a result, the FBI must take additional actions to correct these deficiencies. Also, 13 of the 22 open recommendations related to material weaknesses, which suggests that without compensating controls, there is an increased risk that material errors in the financial statements will not be detected.

We noted that 30 of the open and closed recommendations were repeated in subsequent reports. Further, many of the findings and recommendations noted in these internal control reports of the FBI's IT environment were also repeated in audits of the FBI's compliance with GISRA. The following table summarizes the status of recommendations that have been repeated in subsequent OIG reports.

Status of the FBI's Financial IT Control Environment Repeated Recommendations by Category

FISCAM Category                                                  Number of Open      Number of Closed    Total Number of
                                                                 Recommendations     Recommendations     Repeated
                                                                 Repeated            Repeated            Recommendations
Entity-Wide Security Program Planning and Management Controls            1                   3                   4
Access Controls                                                          3                   7                  10
Application Software Development and Change Controls                     1                   3                   4
System Software Controls                                                 0                   1                   1
Segregation of Duty Controls                                             0                   2                   2
Service Continuity Controls                                              1                   8                   9
Application Controls                                                     0                   0                   0
Other Financial-Related IT Areas                                         0                   0                   0
Total                                                                    6                  24                  30
Source: OIG analyses as of April 2003

Because of the uncorrected and repeated deficiencies identified in these reviews, we believe that the FBI's overall progress in implementing financial-related IT internal control recommendations has been weak. Moreover, FBI management had not consistently responded to OIG inquiries about the status of corrective actions, and the FBI lacked an effective management process for tracking, responding to, and implementing recommendations. However, during FY 2002, the OIG noted significant improvement in the FBI's responsiveness to inquiries about corrective actions. During FY 2002, the Inspection Division began developing written policies and procedures designed to assist the FBI with its audit follow-up responsibilities. Further, the Inspection Division created a database to track audit recommendations, responses to the OIG and other inquiries, and corrective actions. The FBI's efforts to improve its audit follow-up responsibilities are discussed in more detail later in this report.

While the Inspection Division has improved the FBI's responsiveness to audit recommendations, the ability of the FBI to correct many of its IT deficiencies ultimately rests with the commitment and actions from senior FBI management.

D. Computer Security Reports in Response to GISRA

The FY 2001 Defense Authorization Act (Public Law 106-398) includes Title X, subtitle G, "Government Information Security Reform Act." GISRA became effective on November 29, 2000, and amended the Paperwork Reduction Act of 1995 by enacting a new subchapter on "Information Security." It required federal agencies to:

  • perform an annual independent evaluation of their information security practices;
  • ensure information security policies are founded on a continuous risk management cycle;
  • implement controls that appropriately assess information security risks;
  • promote continuing awareness of information security risks;
  • continually monitor and evaluate information security policies;
  • control effectiveness of information security practices; and
  • provide a risk assessment and report on the security needs of the agencies' systems, and include the report in their budget request to the Office of Management and Budget.

Beginning in FY 2001, GISRA also required the OIG to independently evaluate the DOJ's information security program and practices. In addition to the FISCAM, the OIG used standards provided by the National Institute of Standards and Technology (NIST) as the basis for its audit approach.25

The NIST has issued guidance detailing the specific controls that should be documented by federal agencies in their system security plan.26 The purpose of the security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.

The NIST has separated the security plan controls into three major control areas: (1) management controls, (2) operational controls, and (3) technical controls. Within each of the three control areas, there are a number of subordinate categories of controls. For example, technical controls include password management, logon management, account integrity management, and system auditing management.

Management controls address security topics that can be characterized as managerial. These controls represent techniques and concerns that normally are addressed by management in the organization's computer security program. In general, these controls focus on the management of the computer security program and the management of risk within the organization.

Operational controls address security controls that are implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). These controls often require technical or specialized expertise and rely upon management activities as well as technical controls.

Technical controls focus on security controls that the computer system executes. These controls are dependent upon the proper functioning of the system for their effectiveness. The implementation of technical controls, however, always requires significant operational considerations and should be consistent with the management of security within the organization.

For FY 2001, the OIG selected the FBI's administrative and investigative mainframe systems as two of four classified systems it reviewed for the GISRA audit. For FY 2002, the OIG selected two FBI investigative applications, the Automated Case Support (ACS) system27 and the DRUGX Interactive Trusted Guard,28 as two of three classified systems it reviewed. The criteria used for findings and recommendations were based upon the guidelines established by the NIST.

(1) FY 2001 GISRA Report

In May 2002, the OIG issued its FBI GISRA audit report for FY 2001. The objective of the audit was to determine DOJ compliance with GISRA requirements. The OIG assessed whether adequate computer security controls existed to protect DOJ systems from unauthorized use, loss, or modification.

The OIG found that since May 2002, the FBI made progress in correcting some of the management, operational, and technical control deficiencies that were identified in the report. Of the 23 recommendations contained in the GISRA report, 6 have been implemented and closed, and 17 are still open.

Despite the progress made, the FBI must take further action to enhance these controls. As of April 2003, vulnerabilities remained in the security controls of the FBI's administrative and mainframe IT systems. The following sections provide details on: (1) the background of the FY 2001 GISRA report findings related to management, operational, and technical controls; and (2) the FBI's progress in taking corrective actions.

(a) Background on Management Control Findings

The FY 2001 GISRA report identified management control vulnerabilities with enforcement of security policies, procedures, standards, and guidelines governing the FBI's administrative and investigative mainframes. The report stated that although the FBI has established security policies, procedures, standards, and guidelines, management failed to ensure that they were performed and enforced. The report made six recommendations that were directed toward correcting the identified management control vulnerabilities.29

(b) FBI's Progress in Taking Corrective Actions

The FBI has made progress in correcting management control weaknesses since the report was issued in May 2002. Two of the six recommendations pertaining to management controls were closed, while the other four remain open as of April 2003. The recommendations that were closed related to (1) defining and documenting all criticality levels used to classify applications, and (2) documenting a corrective action plan to address the vulnerabilities identified in the risk analyses for the investigative and administrative mainframe systems.30

Despite the progress made, additional actions are necessary to mitigate the remaining management control vulnerabilities. Specifically, the FBI still must demonstrate that it is:

  • distributing, obtaining, and maintaining signed statements of end-users' acceptance of the Automated Information System Rules of Behavior for the investigative and administrative mainframe systems;
  • ensuring that the Management of Investigative Operations and Guidelines (MIOG) and other FBI security policies reflect the evolving systems environment and are enforced;
  • obtaining a full accreditation for the investigative and administrative mainframe systems from the FBI's approving authority - a conditional accreditation should be unacceptable; and
  • conducting annual refresher computer training for all employees.

The OIG, in its FYs 1998 and 2000 reports on the FBI's control environment over its financial-related IT systems, reported findings on security policies, procedures, standards, and guidelines. Accordingly, the OIG made recommendations in its FY 1998 (recommendation 15) and FY 2000 (recommendation 1) reports that were similar to the recommendations made in the FY 2001 GISRA report. These recommendations remained open as of April 2003. Additionally, four of the six GISRA recommendations pertaining to management control issues remained open as of April 2003. As a result, we believe that the FBI has not taken adequate corrective actions to reduce the potential for sensitive information to be compromised, lost, misused, or altered without authorization.

(c) Background on Operational Control Findings

The FY 2001 GISRA report identified operational control vulnerabilities with physical controls and system and network backup and restoration controls. The report stated that vulnerabilities existed because FBI management: (1) did not enforce physical controls at FBI Headquarters, and (2) had not taken the necessary steps to identify priorities of the system for restoration or to ensure Data Center personnel were aware of and tested appropriate contingency planning and backup procedures. The report made four recommendations directed toward correcting the identified operational control vulnerabilities.31

(d) FBI's Progress in Taking Corrective Actions

The FBI has made progress in correcting operational control weaknesses since the report was issued in May 2002. Two of the four recommendations pertaining to operational controls were closed as of April 2003, while the other two remain open. The recommendations that were closed related to (1) restricting physical access to all wiring closets, and (2) establishing optimal operating system capacities and implementing procedures to alleviate the near capacity usage.

Despite the progress made, additional actions are necessary to mitigate the remaining operational control vulnerabilities. Specifically, the FBI must:

  • document procedures for identifying and restoring mission-critical systems; and
  • complete the production test exercise involving the transfer of production operations and applications to the backup site and training Data Center staff for this contingency control.

The OIG in its FYs 1999 and 2000 reports on the FBI's control environment over its financial-related IT systems reported findings in system and network backup and in restoration controls. Accordingly, the OIG made seven recommendations in its FY 1999 report (recommendations 23 and 25-31) and three recommendations in its FY 2000 report (recommendations 13-15) that were similar to the recommendations made in the FY 2001 GISRA report. Because two of the four GISRA recommendations pertaining to operational controls remained open as of April 2003, we conclude that the FBI has not demonstrated that adequate corrective action was taken to reduce the potential for failed restoration procedures or unexpected loss or disruption of services.

(e) Background on Technical Control Findings

The FY 2001 GISRA report identified technical control vulnerabilities with password management, logon management, account integrity management, system auditing management, and system patches. The report stated that vulnerabilities existed because of the following.

  • FBI management did not ensure that operating systems' password settings were appropriate and DOJ security policies were being followed.
  • FBI security management did not implement logon management controls or provide oversight to ensure DOJ and FBI security policies were followed.
  • Budgetary constraints have prevented the FBI from being able to implement automated software change controls. Additionally, the FBI had not established procedures consistent with its security policy or updated them to reflect its current information technology environment.
  • Security parameters were not appropriately set to enable auditing.
  • FBI management had not taken the necessary measures to ensure proper safeguards were in place to prevent unauthorized access, loss, or misuse to the system.

The report made 13 recommendations that were directed toward correcting the identified technical control vulnerabilities.

(f) FBI's Progress in Taking Corrective Actions

The FBI has made limited progress in correcting technical control weaknesses since the report was issued in May 2002. Two of the 13 recommendations pertaining to technical controls were closed as of April 2003, while the other 11 remained open. The closed recommendations related to: (1) fully implementing and using the System Access Request function to document user logon and verify that user access is commensurate with assigned responsibilities, and (2) ensuring that the communication carrier signals are not connected to unencrypted network devices.

Additional actions are necessary to mitigate the remaining technical control vulnerabilities. Specifically, the FBI still must demonstrate to the OIG that it is:

  • implementing and enforcing DOJ password policies by re-setting and monitoring operating system settings accordingly,
  • requiring that system administrators periodically review and delete all system accounts that have been unused for more than 90 days,
  • enabling account lockout on all systems so that lockout occurs after three unsuccessful logon attempts,
  • enforcing the use of the FBI's Service Center as a centralized approval point to track all change requests from initiation through final disposition,
  • implementing the format and content standards for information technology development and maintenance support test plans,
  • updating the Architecture Change Management Policy to reflect the FBI's current information application and system software environment,
  • documenting procedures to establish the supervisory review process of software change when deviations from normal procedures occur,
  • enabling audits to capture the necessary system information to comply with DOJ policy, and
  • applying manufacturer patches in a timely manner to prevent system compromise to all network operating systems.
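Two of the technical controls listed above carry concrete thresholds (accounts unused for more than 90 days, lockout after three unsuccessful logon attempts). The following is an added example, not code from the OIG report or from any FBI system, that expresses those two rules as checks an administrator could run over an exported account inventory and logon event stream; the account names, dates and events are constructed sample data, and nothing here is specific to the mainframe security software the report mentions.

```python
"""Added compliance-check example for two technical-control recommendations:
(1) review and remove accounts unused for more than 90 days, and
(2) lock an account after three unsuccessful logon attempts.
All sample data below is constructed for illustration."""
from datetime import date, timedelta

# Thresholds as stated in the report's recommendations.
UNUSED_DAYS = 90
LOCKOUT_THRESHOLD = 3

# Constructed "as of" date matching the report's status date.
AS_OF = date(2003, 4, 15)

# Constructed account inventory: (username, last successful logon or None).
SAMPLE_ACCOUNTS = [
    ("analyst01", date(2003, 3, 30)),
    ("contractor7", date(2002, 10, 1)),   # stale: unused for months
    ("svc_backup", None),                 # never logged on
    ("admin02", date(2003, 4, 14)),
]

# Constructed logon event stream in time order: (username, succeeded?).
SAMPLE_EVENTS = [
    ("analyst01", False), ("analyst01", False), ("analyst01", True),
    ("contractor7", False), ("contractor7", False), ("contractor7", False),
    ("contractor7", True),   # must be refused: the account is already locked
    ("admin02", False), ("admin02", True), ("admin02", False), ("admin02", False),
]


def stale_accounts(accounts, as_of=AS_OF, max_unused_days=UNUSED_DAYS):
    """Return, sorted, the usernames whose last logon is older than
    max_unused_days or that have never logged on. These are the accounts
    the 90-day recommendation requires administrators to review and delete."""
    cutoff = as_of - timedelta(days=max_unused_days)
    return sorted(user for user, last in accounts
                  if last is None or last < cutoff)


def simulate_lockout(events, threshold=LOCKOUT_THRESHOLD):
    """Replay logon events under the recommended lockout rule: after
    `threshold` consecutive failures the account is locked and every later
    attempt is refused, whether or not the password would have been correct.
    A successful logon before the threshold resets the failure counter.
    Returns (sorted list of locked usernames, indexes of refused events)."""
    consecutive_failures = {}
    locked = set()
    refused = []
    for index, (user, succeeded) in enumerate(events):
        if user in locked:
            refused.append(index)
            continue
        if succeeded:
            consecutive_failures[user] = 0
        else:
            consecutive_failures[user] = consecutive_failures.get(user, 0) + 1
            if consecutive_failures[user] >= threshold:
                locked.add(user)
    return sorted(locked), refused


if __name__ == "__main__":
    print("accounts to review (unused > %d days):" % UNUSED_DAYS,
          stale_accounts(SAMPLE_ACCOUNTS))
    locked, refused = simulate_lockout(SAMPLE_EVENTS)
    print("locked accounts:", locked, "refused event indexes:", refused)
```

Running the lockout replay against a real event export and comparing its refused list with what the system actually accepted is one way to demonstrate to an auditor that the lockout setting is in force.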

Additionally, the FBI disagreed with one OIG recommendation in the report, and this recommendation was in an "unresolved" status as of April 2003.32 The recommendation relates to enforcing DOJ security policies and ensuring sufficient controls for FBI systems to operate.

Findings with password management, logon management, account integrity management, system auditing management, and system patches were reported by the OIG in its FYs 1996 to 2000 reports on the FBI's control environment over its IT systems. Accordingly, the OIG made one recommendation in its FY 1996/97 report (recommendation 18); three recommendations in its FY 1998 report (recommendations 6, 8, and 21); seven recommendations in its FY 1999 (recommendations 6, 8, 10, 17-19, and 35) and FY 2000 reports (recommendations 2-4, 7, 8, 16, and 17) that were similar to the recommendations made in the FY 2001 GISRA report. Because 11 of the 13 GISRA recommendations remained open as of April 2003, in our judgment the FBI has not demonstrated that adequate corrective action was taken to reduce the potential for: (1) unauthorized disclosure, unauthorized data modification, and the misuse and abuse of the FBI's automated resources; and (2) critical system data pertaining to individual user accountability, reconstruction of system events, and problem identification to be permanently lost.

(g) Summary

The FBI made limited progress in correcting deficiencies reported in the OIG FY 2001 GISRA audit. Of the 23 recommendations contained in the report, 6 have been implemented and closed, and 17 remain open. The following table summarizes the status of the FBI's FY 2001 GISRA report recommendations by NIST category.

Status of the FBI's FY 2001 GISRA Report Recommendations by NIST Category

NIST Category        | Open Recommendations | Closed Recommendations | Total Recommendations
---------------------|----------------------|------------------------|----------------------
Management Controls  |  4                   | 2                      |  6
Operational Controls |  2                   | 2                      |  4
Technical Controls   | 11                   | 2                      | 13
Total                | 17                   | 6                      | 23

Source: OIG analyses as of April 2003

By implementing six of the recommendations, the FBI made improvements to its computer security over its Headquarters and Data Centers investigative and mainframe systems. These improvements included: (a) defining and documenting all criticality levels used to classify applications, (b) establishing optimal operating system capacities and implementing procedures to alleviate the near capacity usage, (c) fully implementing and using the System Access Request function to document user logon and verify that user access is commensurate with assigned responsibilities, and (d) ensuring that the communication carrier signals are not connected to unencrypted network devices.

Despite the progress made, as of April 2003 significant vulnerabilities remained with management, operational, and technical controls. The OIG assessed these vulnerabilities as high-to-moderate risk for the protection of the FBI's administrative and investigative mainframe systems from unauthorized use, loss, or modification. Specifically, vulnerabilities remained in the following areas:

  • security policies, procedures, standards, and guidelines;
  • system and network backup and restoration controls;
  • password management;
  • logon management;
  • account integrity management;
  • system auditing management; and
  • system patches.

These vulnerabilities resulted from DOJ and FBI security management not enforcing existing security policies, not developing a complete set of policies to effectively secure the administrative and investigative mainframes, and not holding FBI personnel responsible for timely correction of recurring findings. Further, the report stated that the lack of timely and effective oversight from DOJ and FBI management caused inconsistencies in the implementation of security guidelines and resulted in a weakened security infrastructure.

The FY 2001 GISRA report stated that FBI management has been slow in correcting deficiencies and implementing suggested corrective actions in its systems' environment. Since FY 1996, the OIG has reviewed the FBI's Headquarters Data Center computer systems' general controls as part of the FBI annual financial statement audit. Many of the vulnerabilities previously reported to the FBI in reviews of general controls as part of the FBI financial statement related reports from FYs 1996 through 2000 continued to exist during the FY 2001 GISRA audit. As a result, the FY 2001 GISRA report concluded that there was a lack of commitment and oversight from DOJ and FBI management regarding corrective action on prior audit findings. This lack of oversight caused inconsistencies in the implementation of security guidelines and resulted in a weakened data security infrastructure. As discussed in the following sections, some of these vulnerabilities were reported again in the FY 2002 GISRA audits.

(2) FY 2002 GISRA Report on the ACS System

In November 2002, the OIG issued the FY 2002 GISRA report on the ACS system.33 The objective of the audit was to determine the DOJ's compliance with GISRA requirements. The ACS system was selected as one of the subset of systems to be tested to determine the effectiveness of the DOJ's overall security program for FY 2002. In determining if the DOJ was compliant with GISRA requirements, the OIG assessed whether adequate computer security controls existed to protect the ACS system from unauthorized use, loss, or modification.

(a) Background on Report Findings

The FY 2002 GISRA report on the ACS system found the following improvements or satisfactory operations in the ACS system's information security.34

  • The overall policy for change control dictates the creation of a Change Control Board, which is an important control in ensuring that changes made to the system are approved.
  • Security requirements are included in each requirement document to ensure that security is reviewed and integrated into the initial stages of system development.
  • The investigative mainframe applications, including the ACS system, have been certified and accredited in accordance with the National Information Assurance Certification and Accreditation Process.
  • Record counts are used within the Investigative Case Management system to track cases and investigative leads.35
  • The FBI has developed a system security plan for the investigative mainframe applications that has been approved by management and includes the elements identified in the NIST Publication 800-18.
  • Effective procedures are in place requiring re-investigations (which strengthen personnel security) to be performed in a timely manner.
  • Controls are in place over the security of personally identifiable information.
  • A help desk is in place for the ACS system users.
  • The IT contingency plan for the FBI Headquarters Data Center identifies critical data files and operations. The plan also identifies the frequency of data backups and includes procedures to allow the FBI to continue essential functions if information technology support is interrupted.
  • The FBI's investigative mainframe applications use the mainframe security software to control password derivations, which complies with DOJ Order 2640.2D.
  • The FBI has an up-to-date network diagram of the FBI LAN rings on which the investigative mainframe resides, which houses the ACS system.
  • An automated system is used to request and approve access to the ACS system. This system has automated capabilities for requesting access and ensuring that approvals are received before access is granted. In addition, this system automatically adds requests into a queue for the access administrator's workload, thereby minimizing the time required to turn these requests around and eliminating the possibility of lost requests.

However, security controls needed improvement to protect the ACS system from unauthorized use, loss, or modification. Specifically, the report identified vulnerabilities in 6 of the 17 control areas, including life cycle, personnel security, security awareness, training and education, incident response capability, and logical access. The report stated that similar technical control vulnerabilities were noted in the FY 2001 GISRA audit.

These vulnerabilities occurred because ACS system management did not consistently apply DOJ and FBI policies and procedures.

(b) FBI's Progress in Taking Corrective Actions

The FY 2002 GISRA report on the ACS system made eight recommendations directed toward correcting the noted deficiencies. As of April 2003, six of the recommendations were open, and two were closed. Although we did not formally assess the FBI's progress in taking corrective actions given the relatively recent issuance of the report, the report stated that it is critical for the FBI to take immediate corrective actions on the recommendations pertaining to technical control vulnerabilities because of similar vulnerabilities noted in prior audits. As a result, the FY 2002 GISRA report on the ACS system, like the FY 2001 GISRA report, noted repeated deficiencies in general control areas. Specifically, vulnerabilities were noted within password management, logon management, account integrity management, system auditing management, and system patches. The report further stated that, if not corrected, these security vulnerabilities threaten the ACS system and its data with the potential for unauthorized use, loss, or modification.

(3) FY 2002 GISRA Report on the DRUGX Trusted Guard

In November 2002, the OIG also issued the FY 2002 GISRA report on the DRUGX Interactive Trusted Guard (DRUGX Trusted Guard).36 The objective of the audit was to determine the DOJ's compliance with the requirements of GISRA. The DRUGX Trusted Guard was selected as one of the subset of systems to be tested to determine the effectiveness of the DOJ's overall security program for FY 2002. In determining if the DOJ is compliant with GISRA requirements, the OIG's contractor assessed whether adequate computer security controls existed to protect the DRUGX Trusted Guard from unauthorized use, loss, or modification.

(a) Background on Report Findings

The FY 2002 GISRA report on the DRUGX Trusted Guard found improvements or satisfactory operations in the DRUGX Trusted Guard's information security. Specifically, improvements or satisfactory operations included:

  • The FBI has developed a comprehensive system security plan for the DRUGX Trusted Guard system that follows the NIST Special Publication 800-18 and contains required data concerning existing controls of the system and the environment.
  • Effective procedures are in place requiring re-investigations to be performed in a timely manner.
  • Controls are in place over the security of personal information.
  • The connection between the FBI's network and the DRUGX application is completed through a trusted guard, providing a secure interconnection between two computer systems or networks.
  • No printers are attached to the DRUGX Trusted Guard, which eliminates the possibility of printed output falling into unauthorized hands.
  • All damaged media from the DRUGX Trusted Guard is destroyed and an associated electronic communication is created to account for that media.
  • The FBI has a current network diagram of the FBI LAN rings, to which the DRUGX Trusted Guard is connected.

However, security controls needed improvement to protect the DRUGX Trusted Guard from unauthorized use, loss, or modification. Specifically, the OIG found security vulnerabilities in 8 of the 17 control areas, including security controls, personnel security, contingency planning, security awareness, training and education, incident response capability, identification and authentication, logical access, and audit trails.

These vulnerabilities occurred because FBI management did not enforce the documented policies and procedures for the DRUGX Trusted Guard. Additionally, FBI management did not always ensure that IT policies and procedures were implemented.

(b) FBI's Progress in Taking Corrective Actions

The FY 2002 GISRA report on the DRUGX Trusted Guard made 12 recommendations directed toward correcting the noted deficiencies. As of April 2003, eight of the recommendations were open and four were closed. Although we did not formally assess the FBI's progress in taking corrective actions, the security vulnerabilities documented in this report, if not corrected, threaten the DRUGX Trusted Guard and its data with the potential for unauthorized use, loss, or modification.

(4) Summary of Reports on the FBI's Compliance with GISRA

As stated in the sections above, the three GISRA reports issued by the OIG related to FBI systems have found vulnerabilities associated with management, operational, and technical controls. Additionally, the FY 2001 GISRA report stated that the FBI has been slow to take corrective actions since many of these vulnerabilities were previously reported in annual audits of general controls. Further, the FY 2002 GISRA report on the FBI's ACS system stated that similar vulnerabilities continued.

The FY 2002 GISRA reports on the FBI's ACS and DRUGX Trusted Guard systems stated that within the FBI, only the Inspection Division tracked remedial actions to reported computer security vulnerabilities. With the exception of audits performed by the OIG, the FBI's Inspection Division did not track the ACS or DRUGX systems' vulnerabilities identified in other audits and the corresponding corrective actions. Further, these reports stated that the Inspection Division did not receive any other audit results or reviews outside of the OIG audits and therefore has limited knowledge of other reported vulnerabilities.

According to the FY 2002 GISRA reports, without an effective tracking system, the FBI is unable to identify, assess, prioritize, and monitor the progress of corrective efforts for security weaknesses found in programs and systems. As a result, the FY 2002 GISRA reports recommended that the FBI determine the responsible organization for tracking and maintaining all vulnerabilities identified during audits and reviews. In addition, the reports recommended that the FBI develop a mechanism for tracking the vulnerabilities and the status of the associated corrective actions resulting from all IT audits and reviews.

During FY 2002, the Inspection Division began developing written policies and procedures designed to assist the FBI with its audit follow-up responsibilities. To help in this effort the Inspection Division created a database to track: (1) recommendations; (2) responses to OIG, GAO, and other inquiries; and (3) the status of corrective actions. However, for system audits, the FBI has reported that its Information Assurance Section has taken steps to centrally manage the status of vulnerabilities and corrective actions. We believe that the FBI should consider using the Inspection Division to oversee all recommendations, including those generated from system audits. The FBI's recent actions to improve its audit follow-up responsibilities are discussed in more detail later in this report.

E. Reports on OIG Special Investigations of the FBI

Since 1998, the OIG has issued the following two special investigation reports containing FBI IT or document management related recommendations:

  • the 1999 report on the DOJ's Campaign Finance Task Force investigation (Campaign Finance); and
  • the 2002 report on the FBI's investigation into the related production of documents in the Oklahoma City Bombing case (McVeigh).

These reports considered the policies and procedures related to the management of information and documents within the FBI, the dissemination of information to organizations outside the FBI, and the effectiveness of information technology utilized by the FBI. The reports cited deficiencies in the FBI's IT and document management and contained 20 IT-related recommendations designed to correct IT deficiencies.37 The following table summarizes the status of the recommendations issued to the FBI.

Status of the FBI's Special Investigation Recommendations by Report

Report Name             | Open Recommendations | Closed Recommendations | Total Recommendations
------------------------|----------------------|------------------------|----------------------
Campaign Finance Report |  5                   | 0                      |  5
McVeigh Report          | 11                   | 4                      | 15
Total                   | 16                   | 4                      | 20

Source: OIG analyses as of April 2003

We found the FBI's current and planned corrective actions, including the implementation of Trilogy, have the potential to address 16 of the 20 recommendations that we examined from the Campaign Finance and McVeigh reports. However, the ultimate success of Trilogy will not be determined until at least June 2004 when the final phases of the project are scheduled for completion.

The following section provides background information on Trilogy, since its successful completion is critical to not only addressing OIG recommendations but also the future of the FBI's IT program.

(1) Background on Trilogy

Trilogy is an IT modernization project designed to upgrade the FBI's: (1) hardware and software or Information Presentation Component (IPC), (2) communication networks or Transportation Network Component (TNC), and (3) User Application Component (UAC). The IPC and TNC upgrades will provide the physical infrastructure needed to run the applications from the UAC.

  • The IPC refers to how users see and interact with information. The IPC provides new desktop computers, servers, and commercial-off-the-shelf office automation software, including a web-browser and e-mail to enhance usability by the agents.
  • The TNC is the complete communications infrastructure and support to create, run, and maintain the FBI's networks. The TNC includes high capacity wide-area and local-area networks, authorization security, and encryption of data transmissions and storage.
  • The UAC is intended to replace five of the FBI's primary investigative applications in order to reduce agents' reliance on paperwork and improve efficiency. Through the creation of the Virtual Case File (VCF), a web-based "point-and-click" case management system, agents are expected to have multi-media capability that will allow them to scan documents, photos, and other electronic media into the case file.

In November 2000, Congress appropriated $100.7 million for the first year of the $379.8 million Trilogy project, which was to be funded over a 3-year period from the date contractors were hired. The $100.7 million was a combination of new program funding and a reprogramming of base resources. When the FBI requested contractor support for Trilogy, it combined the IPC and TNC portions for continuity because both portions encompass physical IT infrastructure enhancements. By direction of the DOJ Chief Acquisition Officer, the TNC/IPC and the UAC contracts were awarded to two different contractors. The contractor for the IPC and TNC portions was hired in May 2001, and the originally scheduled completion date for these components was May 2004. A different contractor was hired in June 2001 to complete the UAC portion of Trilogy by June 2004.

After the September 11, 2001, terrorist attacks, the urgency of completing Trilogy increased, and the FBI explored options to accelerate the deployment of all three components of Trilogy. The FBI informed Congress in February 2002 that with an additional $70 million, the FBI could accelerate the deployment of Trilogy. This acceleration would include completion of the IPC/TNC phase by July 2002 and rapid deployment of the most critical analytical tools included as part of the UAC.

In January 2002, Congress supplemented the FY 2002 Trilogy budget with $78 million to expedite the deployment of all three components.38 This supplemental appropriation increased the total funding of Trilogy from approximately $380 million to $458 million. Even with these additional funds, the FBI missed its July 2002 milestone date for completing the "Fast Track" portion of the IPC and TNC phases.39

In April 2003, the FBI Director reported to the Senate Appropriations Committee that over 21,000 new desktop computers and nearly 5,000 printers and scanners have been deployed throughout the FBI (IPC phase). Additionally, the FBI reported that it completed the Trilogy Wide Area Network (TNC phase) on March 28, 2003. The new network, which has been deployed to 622 sites, provides increased bandwidth and three layers of security. According to the FBI, the network is highly expandable, so additional capacity or even additional sites can be added as needed. This network replaces the FBI's antiquated local area and wide area networks, enabling FBI personnel to transmit data at much greater speeds. Further, the FBI expects to use the network to transport the Investigative Data Warehouse, which will link 31 FBI databases for single-portal searches and data mining. Also, the network lays the foundation for improved information sharing with partner agencies and other new applications, such as the VCF.

The VCF will serve as the backbone of the FBI's information systems, replacing the FBI's paper files with electronic case files that include multi-media capabilities. The FBI expects to deploy the VCF in three releases. The initial VCF release will consolidate data from the current ACS and IntelPlus systems and has a targeted completion date of December 2003. This release is intended to allow different types of users, such as agents, analysts, and supervisors, to access from their desktop computers a variety of information that is specific to their individual needs. This VCF release is also intended to enhance the FBI's capability to establish and track case leads, index case information, and with digital signatures move document drafts more quickly through the approval process.

The second and third releases are intended to install three other investigative applications into the VCF: the Integrated Intelligence Information Application (IIIA), Telephone Application, and Criminal Law Enforcement Application. These releases have a targeted completion date of June 2004 and are intended to provide agents with audio/video streaming capability and content management capability. According to the FBI, content management should help agents access information from the FBI's data warehouse, based on a single query from all of the FBI's systems.

The OIG ITIM report, issued in December 2002, stated that the VCF, which FBI officials have stated is the most important aspect of the Trilogy project in terms of improving agent performance, was at high risk of not being completed within the funding levels appropriated by Congress. FBI officials confirmed the OIG's assessment in January 2003 when they told us that an additional $138 million was needed to complete Trilogy, bringing the total project cost to $596 million.40 Despite the cost overruns, FBI officials stated that they still expect to deliver the first release of VCF in December 2003, and that funding for the second and third releases of the VCF has been secured.

The following sections provide further details on the IT and document management related deficiencies noted in the Campaign Finance and McVeigh reports, as well as an assessment of how the VCF will address these deficiencies.

(2) Campaign Finance Report

In July 1999, the OIG issued a report entitled "Handling of FBI Intelligence Information Related to the Justice Department's Campaign Finance Investigation" (Campaign Finance). In response to a request by the Attorney General, the OIG reviewed the FBI's practices for disseminating intelligence information associated with the Campaign Finance Task Force (Task Force) investigation.

The report noted deficiencies in the use and maintenance of the FBI's computer database systems, including: the Task Force's lack of familiarity with the FBI's databases, the FBI's practices and policies that limited the usefulness of the databases, the training of FBI personnel on the ACS system, and the entry of foreign names into the FBI's databases. These findings highlighted the need for FBI and Task Force personnel to be familiar with information search techniques within the FBI's databases, how information should be entered into the databases in order to take advantage of search capabilities, and potential errors in data entry to ensure that all possible searches within the databases are conducted. Of the Campaign Finance report's 18 recommendations, 5 pertained to the IT-related deficiencies.41 These five recommendations included:

  1. revising the FBI's Manual of Administrative Operations and Procedures (MAOP) to require more comprehensive indexing of names appearing in any FBI document and requiring that all documents be uploaded into the Electronic Case File database (Recommendation IV.A),
  2. training agents who are principally responsible for the information that is entered into the ACS system (Recommendation IV.B),
  3. making agents responsible for determining what information is entered into the IIIA42 system (Recommendation IV.C),
  4. ensuring that any task force using the FBI's databases should obtain at least a fundamental appreciation for their operation (Recommendation IV.D), and
  5. ensuring that the FBI's database operators are conversant with the format of Chinese and other foreign names (Recommendation IV.E).

(a) Recommendation IV.A

Regarding the uploading of documents, the FBI issued ECs in July 2000 and June 2002 that required all e-mails and ECs to be uploaded into the ACS system, unless otherwise prohibited by their sensitive nature. Additionally, FBI officials stated that with the VCF, most documents will have to be uploaded since the VCF will contain all official records and case files, except for Top Secret/Sensitive Compartmented Information (SCI) information.43 As a result, FBI officials stated that agents will no longer be able to circumvent the case management system by not uploading documents.

Rather than revising the MAOP, the FBI is implementing alternative corrective action by ensuring that the VCF will facilitate the comprehensive indexing of names appearing in FBI documents. FBI officials stated to us that the VCF will provide indexing on various web-based documents by sorting data fields into searchable databases. The index of data fields, except for narrative fields, will be automatically created once the document is approved and entered into the VCF. Agents and analysts can then search the index of data fields by using search screens or viewing the serialized document. Because the first release of the VCF is not scheduled for completion until December 2003, this recommendation remains open.

(b) Recommendation IV.B

FBI officials said that they increased the ACS system training for veteran agents. According to the FBI, since 1999 over 400 veteran and 2,300 new agents received training on the ACS system. However, it is not clear whether the ACS training provided to veteran agents has been adequate since this represents less than 25 percent of all FBI agents. Additionally, we were unable to assess the FBI's web-based training for the VCF since it will not occur until October and November 2003. As a result, this recommendation remains open.

(c) Recommendation IV.C

According to the FBI, during 2000 several initiatives were undertaken to make agents responsible for determining what information is entered into the IIIA system and improving the accuracy of information in the IIIA system. These initiatives included:

  • expanding the amount of data electronically transferred from the ACS to the IIIA systems;
  • establishing a more user-friendly IIIA search interface;
  • using a macro to collect accomplishment information electronically;
  • automating the indexing, serialization, and entry of certain data;
  • improving the oversight provided to the uploading of particular surveillance logs; and
  • automating the selection of approved cryptonyms (codenames/codewords).

In addition to these improvements, the FBI stated that the IIIA system will ultimately be replaced by the second and third releases of the VCF. Further changes are planned for the IIIA system since the VCF development is not based on a system-by-system replacement per se, but rather a re-engineering of business practices and policies. As a result, certain sub-systems and data sets will be retired, while others will be transferred to the VCF. The FBI is continuing to schedule and prioritize the functional components that must be integrated into the VCF for each delivery through June 2004. Because the second and third releases of the VCF are not scheduled for completion until June 2004, this recommendation remains open.

(d) Recommendation IV.D

According to the FBI, appropriate training will be conducted whenever a relevant task force is created. In May 2003, the FBI said that the VCF training plan includes all Bureau task force members who will have access to the VCF application. To prepare for the VCF training scheduled in October and November 2003, the FBI is assessing its FBI employees' basic computer literacy skills. This assessment identifies employees in need of additional computer skills so that the necessary supplemental training can be taken prior to the scheduled VCF training. Because training on the VCF has not yet taken place, this recommendation remains open.

(e) Recommendation IV.E

The FBI said that it made enhancements to the IIIA system in July 2000 so that variations of a name are identified during a search. Additionally, FBI officials told us that on May 3, 2002, the Language Training and Assessment Unit (LTAU) announced a project to adopt and implement standards for the uniform "Romanization" of foreign personal and place names. Also in May 2002, the LTAU began work on implementing standardization systems for "Romanizing" Arabic by offering training to all applicable FBI employees. According to the FBI, by the end of the second quarter of FY 2003, 371 FBI employees had received training in Arabic "Romanization," while classes continue to be held. Regarding Chinese "Romanization," the LTAU announced in September 2002 that training on Chinese "Romanization" was being offered to all applicable FBI employees. As of June 9, 2003, a total of 80 FBI employees had been trained in Chinese "Romanization," while classes continue to be held. Further, the LTAU has been working with the VCF project management team to create a keyboard for the "Romanization" of names.

In addition to training, the FBI expects the VCF to help database operators apply foreign names to searches within databases. For example, the VCF will allow the addition of standard telegraphic code (STC) for Asian names, Unicoded44 for other foreign names, and it will deploy a name search engine that incorporates variations on names. Because the first release of the VCF is not scheduled for completion until December 2003, this recommendation remains open.
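The report says that the IIIA enhancement identifies variations of a name during a search and that the VCF will carry a name search engine with the same property, but it does not describe how such matching works. The following is an added illustration written for this page, not code from the FBI, IIIA or VCF, of the two ingredients such a search needs: normalizing each name token (Unicode decomposition to drop diacritics, case folding, and a table of equivalent romanizations) and comparing names independently of token order, so that a surname-first Chinese name entry matches a given-name-first query. The sample index and the variant table are constructed for the example; a real system would carry a large curated table.

```python
import unicodedata
from typing import List, Tuple

# Constructed sample index of (record id, name as entered). Not FBI data.
SAMPLE_INDEX: List[Tuple[int, str]] = [
    (1, "Zhang Wei"),        # pinyin, surname first
    (2, "Wei Zhang"),        # same person, given name first
    (3, "Chang Wei"),        # Wade-Giles spelling of the same surname
    (4, "Müller, Hans"),     # diacritic kept, surname-first with comma
    (5, "Mueller Hans"),     # ASCII transliteration of the umlaut
    (6, "Hans Muller"),      # diacritic dropped at data entry
    (7, "Zhang Wei Ming"),   # different person: an extra name element
]

# Assumed equivalence table: alternative romanizations -> one canonical spelling.
# Constructed for this example; not a standard the page describes.
ROMANIZATION_VARIANTS = {
    "chang": "zhang",
    "mueller": "muller",
}


def normalize_token(token: str) -> str:
    """Fold one name element to a canonical form before comparison."""
    decomposed = unicodedata.normalize("NFKD", token)
    # Drop combining marks so "Müller" becomes "Muller".
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    folded = stripped.casefold()
    return ROMANIZATION_VARIANTS.get(folded, folded)


def name_key(name: str) -> Tuple[str, ...]:
    """Order-independent key: sorted tuple of normalized tokens.

    A sorted tuple (rather than a set) keeps repeated elements such as "Li Li".
    """
    tokens = name.replace(",", " ").split()
    return tuple(sorted(normalize_token(t) for t in tokens))


def search(index: List[Tuple[int, str]], query: str) -> List[int]:
    """Return ids of all entries whose normalized name matches the query."""
    key = name_key(query)
    return [rid for rid, name in index if name_key(name) == key]
```

The sorted-tuple key deliberately requires the same number of name elements, so "Zhang Wei" does not match "Zhang Wei Ming"; a search that should also surface partial matches would compare the query key as a subsequence of the record key instead.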

(f) Summary

Despite the FBI's progress in taking corrective actions, a more comprehensive enterprise-wide solution to the underlying deficiencies will not occur until the VCF is implemented. As a result, some of these deficiencies have gone uncorrected for over three years.

(3) McVeigh Report

In March 2002, the OIG issued a report entitled, "An Investigation of the Belated Production of Documents in the Oklahoma City Bombing Case." The McVeigh report concluded that the belated production of case-related documents resulted in part from the following long-standing problems at the FBI: (1) antiquated and inefficient computer systems, (2) inattention to information management, and (3) inadequate quality control systems. The report further stated that the FBI's troubled information management systems were likely to have a continuing negative effect on the FBI's ability to properly investigate crimes.

The McVeigh report stated that the FBI had not given sufficient attention to correcting deficiencies in information management and the ACS system. The IT-related findings of the report showed that the ACS system was extraordinarily difficult to use, had significant deficiencies, and was not suitable for the FBI in the 21st century. The report noted that inefficiencies and complexities within the ACS system, combined with the lack of a true information management system, contributed to the FBI's failure to provide hundreds of investigative documents to the defendants in the Oklahoma City bombing case. To overcome these problems, the report made recommendations on how future information systems should be developed.

The McVeigh report provided 21 recommendations to the FBI, 15 of which directly related to IT.45 Of these 15 recommendations, 11 involved the FBI's completion of the VCF, 3 involved special agent computer training, and 1 pertained to deadlines for the completion of case leads.

(a) Deadlines for the Completion of Leads

In the McVeigh report, the OIG recommended (recommendation 13) that the FBI ensure that deadlines for the completion of investigative leads are clear and not undermined by the automated system, such as the ACS system's setting of a 60-day deadline for "immediate" leads. The FBI stated that as of August 26, 2002, the settings for deadlines within the ACS system were changed to one day for "immediate" and "priority" leads. Based on the OIG's review of the policy changes for leads documented in three Electronic Communications (ECs) and the MIOG, we believe that the FBI's actions to address this recommendation are adequate.

(b) Special Agent Computer Training

The McVeigh report contained the following three recommendations related to computer training for special agents:

  • the FBI should evaluate its computer training in order to develop a clear understanding of what agents need to perform their jobs effectively (recommendation 8);
  • the FBI should consider whether computer usage should be a part of the core skills needed to graduate from new agent training (recommendation 9); and
  • the FBI should consider mandatory refresher training for veteran agents (recommendation 10).

Regarding recommendation 8, the FBI has reported to the OIG that it has undertaken various initiatives to improve its computer training for special agents. In April 2003, the FBI stated that its Training Division was assessing the computer skills agents need to perform their jobs and was determining the need for additional improvements to the computer training curriculum for new agents. The Training Division was using instruments such as surveys, evaluations, and questionnaires to evaluate and make adjustments to its computer training. These instruments, which are completed by agents and managers in the field, were to help the FBI determine whether the curriculum adequately prepared new agents. In May 2003, the FBI provided the OIG with copies of the instruments used, as well as two ECs issued in July 2002, which included a request to add additional computer training for new agents. We believe that the FBI's actions to address this recommendation are adequate.

Regarding recommendation 9, the FBI reported to the OIG that the Training Division has implemented a policy requiring all new agents to pass an exam on core computer competency skills prior to graduation. In May 2003, the FBI provided the OIG with an EC dated August 14, 2002, that mandates the "Final Investigative Computer Competency Skills Assessment," as the twelfth examination required for graduation from the new agent training. After examining this computer skills assessment, we believe that the FBI's actions to address this recommendation are adequate.

Regarding recommendation 10, the FBI has reported to the OIG that it has implemented a program of continual mandatory training for veteran agents and all employees. On December 12, 2000, the Training Division issued an EC requiring that each FBI employee receive 15 hours of training per year. The Training Division developed a continuing education program to establish employee and supervisor responsibilities for complying with the program and to identify training opportunities for FBI employees. To enforce the training requirement, the FBI linked the continuing education requirement to the performance evaluations of employees and supervisors. Additionally, in June 2001 the FBI revised the training section of the MAOP to incorporate the new continuing education policies. After examining continuing education program guidelines and policy changes, we believe that the FBI's actions to address this recommendation are adequate.

In our judgment, the FBI has demonstrated that it has taken adequate corrective actions to address the training deficiencies identified in the McVeigh report. While these actions have clearly been important, the FBI must also ensure that agents receive adequate training on the VCF, which will be critical to its success.

(c) Recommendations Involving the VCF

FBI officials have stated that when implemented, the VCF or UAC portion of Trilogy will address 11 of the 15 IT-related recommendations contained in the McVeigh report. These 11 recommendations are to:

  • foster an attitude among all employees that information management is an essential part of the FBI's mission and that automation is a key tool in managing the storage, analysis, and retrieval of information (recommendation 1);
  • consider whether Trilogy's document management systems can be simplified, such as by having supervisors review electronic copies of documents, and whether its record keeping formats can be reduced in number (recommendation 2);
  • evaluate whether inserts should be eliminated (recommendation 3);46
  • evaluate its practices regarding "originals" of FBI created documents (such as FD-302s) (recommendation 4);
  • ensure any new automation is user-friendly, meaning that the steps required to obtain information should be few in number and intuitive (recommendation 5);
  • ensure any new automation system includes an effective document tracking system (recommendation 6);
  • eliminate crisis management software and other independent systems (recommendation 7);
  • ensure that leads cannot be covered without an explanation of what has been done to the task assigned (recommendation 11);
  • ensure future automation systems incorporate a system to allow supervisors to easily track the status of leads (recommendation 12);
  • evaluate the feasibility of developing a system of universal lead numbers to eliminate the use of local lead numbers as a tracking mechanism (recommendation 14); and
  • evaluate the use of lead numbers on leads and responding reports and determine whether new policies, better enforcement of existing policies, improved training, or better automation is the best method of fixing the problem (recommendation 15).

The following paragraphs discuss how, when completed, the VCF will help implement these 11 recommendations.

Recommendation 1

While the FBI has taken steps to foster an attitude among all employees that information management is an essential part of the FBI's mission (including the creation of a Records Management Division), the VCF must be used by all levels at FBI Headquarters and by field supervisors to ensure its success. In May 2003, FBI officials stated that agents will be required to use the VCF since all official case records and files up to the Secret level will be within the application. According to the FBI, unlike the currently used ACS system, there will not be ways for agents to circumvent the use of the VCF. However, the FBI still has not finalized its policies for how agents will utilize VCF from remote locations.

Recommendation 2

FBI officials stated that the VCF will streamline the workflow process by including electronic signatures and reducing the number of required forms. Under the FBI's current investigative process, a case file could be started by using one of many different standardized forms, such as FD-72, FD-801, and FD-822, depending on the type of investigative category. The forms will be replaced by the "intake" function of the VCF, which simplifies the initiation of a case file by eliminating the need for these forms.

Recommendation 3

FBI officials stated that inserts would be eliminated with the deployment of the VCF. All VCF records will be considered "resident to the case," meaning that they will be considered an official investigative record.

Recommendation 4

FBI officials told us that the VCF will essentially replace all paper copies of investigative events. Because the Records Management application will interface with the VCF, the only official record of the case file will be maintained in the VCF. The intent of the VCF is to reduce, and in some cases eliminate, the need for paper copies of documents.

Recommendation 5

According to FBI officials, the VCF will operate in a "point-and-click" web environment that will simplify the FBI's workflow process for document storage and retrieval. Agents not familiar with using a computer keyboard can have their secretaries type information into the VCF, but the agents will still have to sign off on the file using a mouse to create an electronic signature. Additionally, the FBI is building an integrated data warehouse comprised of data from the ACS system, analyzed terrorism and intelligence data, and other law enforcement data. Through servers built on the FBI's new Trilogy networks, the VCF will interface with the data warehouse. The VCF will contain tools to assist FBI agents and analysts in performing queries and searches.

Recommendation 6

FBI officials told us that the VCF's automated document creation, receipt, and management system will partially eliminate the need for traditional tracking systems. The VCF will include capabilities to scan into the case file any documents received from sources external to the FBI, as well as to capture summary descriptions of any documents and items, such as physical evidence, that cannot be stored electronically. The FBI's intent is to eventually track external items through a bar code identification system that would be placed upon a physical label on the external document and then linked to an electronic record. Additionally, FBI officials said that the Records Management Division (RMD) is establishing systems and processes to effectively track documents and records contained in FBI systems.

Recommendation 7

According to FBI officials, the VCF will consolidate five of the FBI's investigative applications. However, FBI officials recognize that the VCF is only a starting point since numerous other investigative and application systems exist that could be integrated into the VCF. Additionally, because of unresolved connectivity issues, crisis management software may still need to be used by agents after the initial deployment of the VCF. The FBI is identifying and defining other databases and crisis management software that should be included in future VCF releases to maximize the efficiency of the workflow process. FBI officials told us that additional funding will be needed to solve the connectivity issues at remote locations, as well as to consolidate and eliminate other databases and crisis management software.

Recommendations 11, 12, 14, and 15

FBI officials said that upon the entry of a lead into the VCF, the system will automatically assign a universal lead number that is unique to each case. The supervisor will then approve and assign the lead to a subordinate agent or receiving office. The VCF allows the supervisor to view the subordinate agent's leads and caseload to allow for the leads and cases to be assigned effectively. Leads can be viewed by anyone in the FBI with appropriate access privileges, or by anyone with a profile query established to receive information pertaining to specific types of cases. Additionally, split leads, or leads created from an original lead, will reflect the derivative or parent-child relationship in their lead numbers to facilitate the tracing of all leads to their origin. This feature allows the originating office and all receiving offices to determine to whom the leads are assigned or whether action on the leads has occurred, which provides agents and managers with a user-friendly tool to ensure lead accountability. Because all leads will be part of the case file, leads cannot be covered without an appropriate explanation, unlike under the FBI's current system.
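The lead-handling behaviour described above (universal lead numbers assigned per case, split leads that carry their parent's number, a supervisor view of assignments, and a rule that a lead cannot be covered without an explanation) can be shown as a small data model. The following is an added example written for this page; it is not the VCF's design or code, and the numbering scheme (a per-case counter for original leads and a dotted suffix for each split) is an assumption made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Lead:
    lead_number: str              # universal number, e.g. "CASE-0001-L1" or split "CASE-0001-L1.2"
    case_id: str
    description: str
    assigned_to: Optional[str] = None
    status: str = "open"          # open -> assigned -> covered
    disposition: str = ""         # explanation recorded when the lead is covered
    children: List[str] = field(default_factory=list)


class LeadRegistry:
    """Assigns universal lead numbers and enforces lead accountability."""

    def __init__(self) -> None:
        self._leads: Dict[str, Lead] = {}
        self._next_number: Dict[str, int] = {}   # per-case counter (assumed scheme)

    def create_lead(self, case_id: str, description: str) -> Lead:
        n = self._next_number.get(case_id, 0) + 1
        self._next_number[case_id] = n
        lead = Lead(f"{case_id}-L{n}", case_id, description)
        self._leads[lead.lead_number] = lead
        return lead

    def split_lead(self, parent_number: str, description: str) -> Lead:
        """Create a derivative lead whose number encodes its parent."""
        parent = self._leads[parent_number]
        child = Lead(f"{parent_number}.{len(parent.children) + 1}", parent.case_id, description)
        parent.children.append(child.lead_number)
        self._leads[child.lead_number] = child
        return child

    def assign(self, lead_number: str, assignee: str) -> None:
        lead = self._leads[lead_number]
        lead.assigned_to = assignee
        lead.status = "assigned"

    def cover(self, lead_number: str, disposition: str) -> None:
        """Close a lead; refused unless an explanation of the work done is given."""
        if not disposition.strip():
            raise ValueError(f"lead {lead_number} cannot be covered without an explanation")
        lead = self._leads[lead_number]
        lead.disposition = disposition.strip()
        lead.status = "covered"

    @staticmethod
    def origin(lead_number: str) -> str:
        """Trace any split lead back to the original lead it derives from."""
        return lead_number.split(".")[0]

    def supervisor_view(self, case_id: str) -> List[Tuple[str, Optional[str], str]]:
        """(lead number, assignee, status) for every lead on a case, in creation order."""
        return [(l.lead_number, l.assigned_to, l.status)
                for l in self._leads.values() if l.case_id == case_id]
```

Because the disposition check happens inside the registry rather than in a form, every path to closing a lead is covered by the same rule, which is the property the recommendation asks for.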

Summary

We believe that the FBI has demonstrated progress toward implementing the recommendations in the McVeigh report, based on its corrective actions taken to date, as well as its plans for the VCF. However, the adequacy of the FBI's corrective actions generally cannot be determined until the VCF has been deployed. The FBI's ability to implement many of the OIG's IT recommendations and improve its IT program depends on the successful implementation of the VCF. The following section, therefore, discusses factors affecting the success of the VCF.

(4) Factors Affecting the Success of the VCF

In our judgment, if the VCF can do what the FBI expects, the VCF will represent a significant technological advancement from the ACS system. The VCF has the potential to reduce redundancy in searching multiple databases, improve the FBI's case file management, and maximize the use of information in the FBI's possession.

While the VCF has the potential to significantly improve the FBI's IT, as well as its record management and investigative efficiency, the ultimate success of the VCF depends on a number of different factors, including whether the VCF will meet its technical and performance expectations and be accepted and used by FBI employees.

(a) Technical and Performance Expectations of the VCF

To ensure its success, the VCF must meet technical and performance expectations. As mentioned above, the Trilogy project has encountered significant cost overruns and schedule delays due to the FBI not following critical management processes. The OIG's ITIM report stated that these management problems contributed to difficulties with establishing the technical requirements for the VCF. Because the VCF is focused on making significant changes to five of the FBI's investigative systems, documentation for the exact configuration of these legacy systems was critical to designing the requirements for the VCF. The lack of documentation for the configuration of these five investigative systems caused the FBI to engage in a process of reverse engineering, which is trying to determine the structure and components of the systems after deployment. Because the FBI had to perform reverse engineering on the five systems, there are limitations as to how rapidly the VCF can be developed and deployed.

As of April 2003, the FBI was still defining the technical requirements for the second and third releases of the VCF. Because the technical requirements had not yet been finalized and funding has not been approved, baselines for the VCF had not been established. We believe that the lack of technical, cost, and schedule baselines not only creates uncertainties over how much the VCF will cost and when it will be completed, but also how it will perform upon implementation.

Performance of the VCF could be measured by how well it: (1) allows special agents to access, import, create, and scan documents through a web-based point and click environment; (2) allows supervisors to track case files and lead numbers; (3) streamlines the workflow process through the use of electronic signatures and the reduction of paper forms; and (4) eliminates the need for special agents to use other applications, such as crisis management software. For VCF to make these and other improvements, it must have built-in security features that allow special agents and analysts to access information according to their security clearances and "need to know." Additionally, it must be able to meet the needs of all FBI employees, including those performing counterterrorism duties, which is the FBI's highest priority. It must also lay the foundation for information sharing outside the FBI. We believe that the performance of VCF and, specifically, how it meets the needs of special agents and analysts, will determine how quickly the VCF is accepted and used.
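The paragraph states two security requirements for the VCF: access according to security clearance and access according to "need to know," within a system that holds records only up to the Secret level. The following is an added example written for this page, not VCF code, of how a reference monitor enforcing both rules can be structured: a document is released only when the reader's clearance dominates its classification and the reader holds every need-to-know tag on it, material above the system's level is refused at ingest rather than stored, and every decision (allow or deny) is written to an audit log so that repeated denials can be reviewed. The classification levels, tag names and sample documents are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Levels the VCF is described as holding (up to Secret). TOP SECRET/SCI is
# deliberately absent: the report says such material stays outside the VCF.
LEVELS: Dict[str, int] = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass(frozen=True)
class Principal:
    user_id: str
    clearance: str
    need_to_know: FrozenSet[str]   # case or compartment tags the user is read into


@dataclass(frozen=True)
class CaseDocument:
    doc_id: str
    classification: str
    need_to_know: FrozenSet[str]   # tags a reader must hold; empty means clearance alone suffices


class AccessMediator:
    """Mediates every read and records an audit entry for allow and deny alike."""

    def __init__(self) -> None:
        self._docs: Dict[str, CaseDocument] = {}
        # (user, doc, ALLOW|DENY, reason)
        self.audit_log: List[Tuple[str, str, str, str]] = []

    def ingest(self, doc: CaseDocument) -> None:
        # Refuse material above the system's level instead of storing it.
        if doc.classification not in LEVELS:
            raise ValueError(f"{doc.doc_id}: {doc.classification!r} not permitted in this system")
        self._docs[doc.doc_id] = doc

    @staticmethod
    def decide(user: Principal, doc: CaseDocument) -> Tuple[bool, str]:
        if user.clearance not in LEVELS:
            return False, "unrecognized clearance"
        if LEVELS[user.clearance] < LEVELS[doc.classification]:
            return False, "clearance below document classification"
        missing = doc.need_to_know - user.need_to_know
        if missing:
            return False, "missing need-to-know: " + ", ".join(sorted(missing))
        return True, "granted"

    def read(self, user: Principal, doc_id: str) -> CaseDocument:
        doc = self._docs[doc_id]
        allowed, reason = self.decide(user, doc)
        self.audit_log.append((user.user_id, doc_id, "ALLOW" if allowed else "DENY", reason))
        if not allowed:
            raise PermissionError(f"{user.user_id} -> {doc_id}: {reason}")
        return doc

    def denials(self, user_id: str) -> List[Tuple[str, str, str, str]]:
        """Denied attempts by one user; a review input, since repeated denials merit a look."""
        return [e for e in self.audit_log if e[0] == user_id and e[2] == "DENY"]


def attempt_read(mediator: AccessMediator, user: Principal, doc_id: str) -> bool:
    """True if the read was allowed; the audit entry is written either way."""
    try:
        mediator.read(user, doc_id)
        return True
    except PermissionError:
        return False


def build_sample_mediator() -> AccessMediator:
    # Constructed sample records; not real case data.
    m = AccessMediator()
    m.ingest(CaseDocument("DOC-1", "UNCLASSIFIED", frozenset()))
    m.ingest(CaseDocument("DOC-2", "SECRET", frozenset({"CASE-A"})))
    m.ingest(CaseDocument("DOC-3", "CONFIDENTIAL", frozenset({"CASE-B"})))
    return m


AGENT = Principal("agent1", "SECRET", frozenset({"CASE-A"}))
ANALYST = Principal("analyst1", "CONFIDENTIAL", frozenset({"CASE-A", "CASE-B"}))
```

Clearance and need-to-know are checked independently: a Secret-cleared agent is still refused a Confidential document on a case the agent is not read into, and the denial reason names the missing tag so that an access review can tell a clearance problem from a compartment problem.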

(b) Acceptance and Use of the VCF

If the VCF is to be a vehicle for moving the FBI's information management into the 21st century, it must be accepted and used. Historically, the FBI has been a paper-driven organization. A goal of the VCF is to move toward a near paperless environment so the FBI can maximize the use of technology to digitally capture information for data management and control. According to FBI officials, the VCF is the first real change in the FBI's workflow and processes since the 1950's. Director Mueller recently stated that "Trilogy [VCF] will change the FBI culture from paper to electronic."

As noted in the Campaign Finance and McVeigh reports, special agents did not always use the ACS system to manage their case files. For various reasons, they found alternative ways to manage case files. The VCF must be used by all special agents for the FBI to fully realize its benefits.

FBI officials told us that since the VCF will contain the official case files, agents will have to use the VCF since there will be no other acceptable means to manage case files. However, FBI officials also acknowledged that because of unresolved connectivity issues at remote locations, agents may still need to use crisis management software.

2. FBI's Process for Following-Up on Recommendations

Until recently, the FBI had not implemented an effective system of management controls to ensure that recommendations are resolved and implemented in a timely and consistent manner. As previously stated in this report, the FBI is required under OMB Circular A-50 and DOJ Order 2900.6A to establish a process for resolving audit deficiencies and taking corrective actions in a timely manner. As a result, we do not believe that the FBI was in full compliance with OMB Circular A-50 and DOJ Order 2900.6A.

FBI personnel told us that while a formal process to track and resolve recommendations did not exist prior to September 2002, an informal process was used. Upon the final issuance of an OIG or GAO report, the recommendations were forwarded to the responsible FBI Divisions. Someone within the responsible Division was then assigned to respond to the recommendations until closure occurred. However, the FBI recognized that this informal process was not sufficient to ensure corrective actions were timely and responsive. Specifically, the FBI officials indicated to us that the informal process:

  • was not documented in formal policies and procedures,
  • was not adequately monitored by executive management and not kept up-to-date,
  • used multiple applications,
  • did not keep measures of timeliness and responsiveness, and
  • did not provide for sufficient follow-up once the original response or corrective action plan was submitted.

We believe that the lack of management attention was a significant cause of the FBI's failure to implement prior OIG and GAO recommendations. According to the Deputy Assistant Director of the Inspection Division, high turnover within FBI management contributed to problems with maintaining current responses to OIG and GAO reports. Under the informal process, when individuals left the FBI or were reassigned within the Bureau, their replacements were not always made aware of recommendations or requests that were left pending. As a result, responses to recommendations and any related corrective action were often delayed, and the auditing or investigating agency had to again request a response to its recommendations.

The FBI has also recognized that improvements in its system of managing follow-up were needed to resolve and implement recommendations resulting from OIG and GAO reports in a timely manner. In September 2002, the FBI's Inspection Division began to establish a new management process to improve the timeliness and responsiveness of the FBI's corrective actions resulting from OIG and GAO recommendations and to bring the FBI into compliance with applicable regulations (OMB Circular A-50 and DOJ Order 2900.6A) for the follow-up and resolution of audit recommendations. To facilitate the implementation of this new management process, the Inspection Division developed a database, referred to as the "Automated Response and Compliance System" (ARCS). According to the FBI, ARCS is an automated tool that is intended to:

  • document and track initiated, ongoing audits and data requests from OIG, GAO, and others;
  • track recommendations made in OIG and GAO audits, investigations, and reviews until closure; and
  • provide status information to FBI's executive management on, or close to, a real time basis.

The FBI's new database tracks the receipt and resolution of audits, investigations, and data requests from the OIG, GAO, and others. It also tracks the tasks associated with FBI's current re-engineering efforts. Among its functions, the database is intended to provide information to FBI management on a regular basis to keep them informed of a report's progress and to ensure timely implementation of recommendations. However, this database does not include vulnerabilities generated by system audits required by GISRA. The FBI's Information Assurance Section has taken steps to develop a separate database to record and manage the status of system audit vulnerabilities.

The ARCS database tracks audit reports within four hierarchical levels: (1) the report level, (2) the findings level, (3) the recommendation level, and (4) the action or task level. The report level provides general information about the report, such as the report title and number, status, classification level, requesting official (for GAO audits), issue date, received date, response due date, and FBI Division point-of-contact. The findings level describes the findings of the audit. The recommendation level is under the findings level and describes the issuing entity's suggestions to address the findings. The action or task level specifies what corrective actions the Bureau will take in order to satisfy the recommendations (and therefore, the findings).

In conjunction with the development of the database, the FBI has developed policies and procedures for the Inspection Division's responsibilities for resolving OIG and GAO reports. These policies and procedures require the Inspection Division to assign a liaison for each report with outstanding recommendations and for scheduled audits and reviews. The liaison has the primary responsibility for entering information into the database, including deadlines for when tasks should be completed. The liaison also has the responsibility to ensure that the report is assigned to a "project manager" and that individual tasks are assigned to appropriate points-of-contact. This control ensures that appropriate FBI personnel can be held accountable for taking timely corrective actions. The liaison monitors the completion of tasks and is instructed to send periodic e-mail notices when tasks are near their due date or past due. Additionally, Inspection Division management reviews the activities of the liaisons to ensure that liaisons are adequately monitoring their assigned projects.

In January 2003, Inspection Division officials trained the Division's liaisons on the ARCS system. An Inspection Division official told us that any new liaisons will be trained on an as-needed basis. As of May 2003, 13 liaisons had been trained on the ARCS database.

As of May 2003, the FBI was still adding relevant information to the ARCS database for open GAO reports. For OIG reports, Inspection Division personnel told us that the database had been updated to include all reports with open recommendations. However, we found that the ARCS database did not include the OIG Campaign Finance report, which contained 18 open recommendations. Inspection Division personnel told us that certain highly sensitive reports - such as the Campaign Finance report or matters involving the Office of Professional Responsibility - may not be added to the database, due to the classified nature of the reports. Based on our inquiry, the Inspection Division began researching the status of the Campaign Finance recommendations.

FBI officials said that the database, which is maintained on the FBI's intranet, generates reports for senior FBI management that provide information on upcoming suspense dates. For example, the Deputy Directors are required to perform quarterly reviews of their Division's progress in completing outstanding tasks. According to FBI officials, the Inspection Division Assistant Director uses reports generated by the ARCS database to discuss outstanding tasks at weekly executive meetings, which are attended by the Assistant Directors, Executive Assistant Directors, and the Director. These and other reports have been periodically forwarded to the Director, upon his request. FBI officials told us that the Director has taken a particular interest in the timeliness and responsiveness of the FBI's corrective actions, re-engineering efforts, and responses to Congressional requests. The Director wants to be notified, especially with regard to high profile reviews, when the FBI has not been timely and responsive in its planned actions.

While the ARCS database can be a useful tool for the FBI's establishment of a management process directed toward improving the timeliness and responsiveness of its corrective actions, the ultimate effectiveness of this system depends on formal and consistent oversight from senior FBI management. Thus far, however, the FBI has not promulgated written directives Bureau-wide that instruct program managers and senior officials outside of the Inspection Division regarding their obligation to take corrective actions that will close recommendations. In our judgment, the FBI must develop and institute formal written procedures that require senior management oversight of the timeliness and responsiveness of recommendations. These written procedures should also incorporate the policies for tracking the status of vulnerabilities generated by IT system audits.

3. Summary

Since 1990, reports issued by the OIG have found numerous deficiencies with the FBI's IT program, including outdated infrastructures, fragmented management, ineffective systems, and inadequate training. While the FBI has implemented many of the recommendations contained in these reports, significant further actions are necessary to ensure that the FBI's IT program effectively supports its mission. Of the 148 IT-related recommendations issued by the OIG, 93 have been closed by the OIG, while 55 remain open. The following table provides a summary of the status of IT recommendations issued to the FBI by the OIG.

Summary of the Status of IT Recommendations Issued to the FBI

                                     Number of Open    Number of Closed   Total Number of
                                     Recommendations   Recommendations    Recommendations
  OIG Detailed Financial IT Reports        22                83                105
  OIG FY 2001 GISRA Report                 17                 6                 23
  OIG Special Reports                      16                 4                 20
  Total                                    55                93                148

Source: OIG analyses as of April 2003

OIG audits and reviews indicated that deficiencies remained in the area of general controls over FBI Headquarters data systems, except for system software. As of April 2003, 22 of the 105 recommendations issued in the FY 1996 through FY 2001 reports remained open. Additionally, the FY 2001 GISRA report stated that the FBI had been slow to take corrective actions, since many of the vulnerabilities had previously been reported in the annual audits of general controls. Of the 23 recommendations from the FY 2001 GISRA audit, 17 remained open as of April 2003. Further, the FY 2002 GISRA report on the FBI's ACS system stated that vulnerabilities similar to those reported in the FY 2001 report continued.

The FBI GISRA reports issued in May and November 2002 identified vulnerabilities with management, operational, and technical controls over computer security. These reports also stated that within the FBI, only the Inspection Division tracked remedial actions for reported computer security vulnerabilities. With the exception of audits performed by the OIG, the FBI's Inspection Division did not track the ACS or DRUGX systems' vulnerabilities identified in other audits and their corresponding corrective actions. Further, these reports stated that the Inspection Division did not receive any other audit results or reviews outside of the OIG audits and therefore has limited knowledge of other reported vulnerabilities.47

Until recently, the FBI had not established a system of management controls for tracking recommendations, as required by OMB Circular A-50 and DOJ Order 2900.6A. As a result, the FBI did not consistently implement recommendations and did not adequately improve its information technology to ensure that data is safeguarded and reliable, and that computer application programs are secured and protected from unauthorized access. Additionally, the failure to correct previously identified IT problems, especially regarding the ACS system, has contributed to problems in sensitive investigations, such as the Campaign Finance and McVeigh investigations. However, current FBI leadership has stated that it is committed to enhancing controls to ensure recommendations are implemented in a consistent and timely manner. To this end, the FBI recently established a system to facilitate the tracking and implementation of recommendations. Also, the FBI expects the VCF, as part of the Trilogy project, to significantly improve its IT and correct many of the deficiencies identified by the OIG.

According to the FBI, the VCF is intended not only to correct many of the deficiencies identified in the Campaign Finance and McVeigh reports, but also to revolutionize the FBI's workflow process. We believe that the corrective actions underway, including the planned implementation of the VCF, have the potential to address 16 of the 20 open OIG recommendations we examined from the Campaign Finance and McVeigh reports. However, the ultimate effect of the VCF remains to be seen. We believe that the success of the VCF depends on whether it can meet its technical and performance expectations and be accepted and used by FBI employees.

4. Recommendations

We recommend that the Director of the FBI:

  1. Develop, document, and implement Bureau-wide procedures to follow up on and close audit and investigative recommendations, in accordance with OMB Circular A-50 and DOJ Order 2900.6A. This process should include the tracking and resolution of system audit recommendations.
  2. Ensure that the ARCS database is complete and includes recommendations from all sources of OIG audits and reviews.
  3. Ensure that managers are held accountable for the tracking, resolution, and timely implementation of OIG recommendations.


Footnotes
  1. The OIG issued one report for FYs 1996 and 1997.
  2. Unless otherwise noted, our review of correspondence was as of April 2003.
  3. The OIG recommendations that we examined are listed in Appendix 2. Appendix 2 also shows the status of the recommendations (whether open or closed) and a summary of the FBI's progress toward implementing the recommendations.
  4. A third category of vulnerabilities is management letter comments, which the OIG considers to be reportable matters that do not meet the criteria of a reportable condition or material weakness.
  5. These recommendations are listed in Appendix 2.
  6. These recommendations are listed in Appendix 2.
  7. These recommendations are listed in Appendix 2.
  8. These recommendations are listed in Appendix 2.
  9. These recommendations are listed in Appendix 2.
  10. These recommendations are listed in Appendix 2.
  11. These recommendations are listed in Appendix 2.
  12. The NIST is a non-regulatory entity of the U.S. Department of Commerce. According to the NIST, its mission is to develop and promote measurements, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life.
  13. This guidance is contained in the NIST Special Publication 800-18, "Guide for Developing Security Plans for Information Technology Systems."
  14. The FBI uses the ACS system, which resides on the FBI's investigative mainframe, to store information related to FBI investigations and cases, including criminal and intelligence cases. The system allows FBI personnel to open and assign cases, set and assign leads, store text of documents, index, search, and retrieve these documents.
  15. The FBI uses the Drug Enforcement Administration (DEA) DRUGX application to share information on current drug investigations. This application was a DOJ joint agency effort involving the FBI and the DEA. The DRUGX Investigative trusted guard (DRUGX trusted guard) permits FBI personnel interactive one-way access to the DRUGX application via the FBI's network. Access to the DRUGX application provides FBI investigative personnel with query access to basic information concerning current drug investigations being conducted by the FBI and the DEA. The purpose of a trusted guard system is to provide a secure interconnection between two computer systems or networks, each of which operates at a different classification level.
  16. These recommendations are listed in Appendix 2.
  17. According to NIST Special Publication 800-18, the information stored within, processed by, or transmitted by a system determines the value of the system and is one of the major factors in risk management, which makes defining the criticality of system applications essential.
  18. (U) These recommendations are listed in Appendix 2.
  19. Appendix 2 provides more detail on the FBI's response to the unresolved recommendation. Unresolved recommendations occur when the component disagrees with all or part of the finding.
  20. Because the FY 2002 GISRA report on the ACS system was issued in November 2002, we did not examine the FBI's progress toward implementing the recommendations contained in the report.
  21. These improvements or satisfactory operations relate to specific security criteria set forth by GISRA. As a result, these improvements are not indicative of the overall functionality of the ACS system, which is discussed later in this report.
  22. Investigative Case Management is a case management system within the ACS system.
  23. Because the FY 2002 GISRA report on the DRUGX Trusted Guard was issued in November 2002, close to the issuance of this report, we did not examine the FBI's progress toward implementing the recommendations contained in the report.
  24. We included recommendations related to document management because FBI documents are generally produced electronically or managed in automated databases and systems.
  25. The $78 million is comprised of the $70 million that FBI requested for accelerated deployment, plus $8 million for contractor support.
  26. The FBI referred to the accelerated deployment of Trilogy as the "Fast Track."
  27. Of this amount, $57 million was needed for the VCF.
  28. These five recommendations, along with a summary of the FBI's responses to the recommendations, are listed in Appendix 2.
  29. According to the FBI, the IIIA is a real-time collection system that houses over 20 million records to support the counterintelligence and counterterrorism programs.
  30. The FBI is currently working on a TS/SCI network, but at this time the VCF is only approved up to the Secret level.
  31. Unicode provides a unique number for every character. Fundamentally, computers just deal with numbers. They store letters and other characters by assigning a number for each one.
  32. These 15 recommendations, along with a summary of the FBI's responses to the recommendations, are listed in Appendix 2.
  33. Inserts are forms used by the FBI to record investigative activity that is not considered to be significant to the investigation.
  34. In April 2003, the Inspection Division began tracking findings and recommendations issued by the GAO.