Combined DNA Index System Operational and Laboratory Vulnerabilities

Audit Report 06-32
May 2006
Office of the Inspector General


CODIS Development and Design

The Federal Bureau of Investigation (FBI) has provided the law enforcement community with the Combined DNA Index System (CODIS), a national DNA‑profile matching service comprised of databases containing DNA profiles from crime scenes, convicted offenders, and missing persons.

CODIS began as a pilot project in 1990. The DNA Identification Act of 1994 formalized the FBI’s authority to establish a National DNA Index System (NDIS) for law enforcement purposes and NDIS became operational in 1998.1 The Act authorized the FBI to establish an index of DNA identification records of persons convicted of crimes, and analyses of DNA samples recovered from crime scenes and from unidentified human remains. The Act further specified that the index include only DNA information that is based on analyses performed in accordance with the FBI’s Quality Assurance Standards (QAS).

The FBI implemented CODIS as a database with three hierarchical levels that enables federal, state, and local crime laboratories to compare DNA profiles electronically. As illustrated on the following page, the three distinct levels are: NDIS, managed by the FBI as the nation’s DNA database containing DNA profiles uploaded by participating states; the State DNA Index System (SDIS), serving as each state’s DNA database containing DNA profiles from local laboratories; and the Local DNA Index System (LDIS), used by local laboratories. DNA profiles originate at the local or state level and flow upward to the state (if from the local level) and national levels. For example, the local laboratory in the Palm Beach, Florida, Sheriff’s Office sends its profiles to the state laboratory in Tallahassee, which then uploads the profiles to NDIS. A laboratory’s profiles need to be uploaded to NDIS before they benefit the system as a whole.

NDIS is the highest level in the CODIS hierarchy and enables the laboratories participating in the CODIS Program to compare DNA profiles on a national level. Each state participating in CODIS has one designated SDIS laboratory. The SDIS laboratory maintains its own database and is responsible for overseeing NDIS communications for all CODIS-participating laboratories within the state.

Figure 1 – Example of System Hierarchy within CODIS2 Example of System Hierarchy within CODIS. Click on image for a text-only version.
Source: OIG analysis of CODIS system hierarchy

The FBI has distributed CODIS software free of charge to state or local law enforcement laboratory performing DNA analysis. Before a laboratory is allowed to participate at the national level and upload DNA profiles to NDIS, a Memorandum of Understanding (MOU) must be signed between the FBI and the applicable state’s SDIS laboratory. The MOU defines the responsibilities of each party, includes a sublicense for the use of CODIS software, and delineates the standards that laboratories must meet in order to utilize NDIS. Although officials from LDIS laboratories do not sign an MOU, LDIS laboratories that upload DNA profiles to an SDIS laboratory are required to adhere to the MOU signed by the SDIS laboratory.

CODIS Contents and Growth

As of November 2005, NDIS contained nearly 2.9 million profiles in the following five indices (or databases): (1) the Convicted Offender database, (2) the Forensic database, (3) the Unidentified Human Remains database, (4) the Missing Persons database, and (5) the Relatives of Missing Persons database. The first two databases work together to form CODIS’ crime-solving capabilities, since they can be searched against one another to assist law enforcement personnel in solving crimes. The remaining three databases can be searched against one another in order to identify missing and unidentified persons.

The Convicted Offender database contains DNA profiles from persons convicted of qualifying federal or state crimes where the applicable jurisdiction requires the creation of a DNA record for the convicted person. The Forensic database contains DNA profiles from persons whose identity is not known with certainty; these DNA profiles come from evidence either left at or removed from a crime scene. The DNA profiles in the two databases are compared to determine if a convicted offender can be linked to a crime or if crimes can be linked to each other.

The Unidentified Human Remains database contains DNA profiles from the remains of individuals that cannot be identified by fingerprint, dental, medical, or anthropological examinations, and of individuals who are living, but are unidentifiable using typical investigative methods (such as children and others who cannot or refuse to identify themselves). The Relatives of Missing Persons database contains DNA profiles generated from the relatives of known missing individuals, while the Missing Persons database contains DNA records of missing persons obtained from their effects or deduced from their relatives’ profiles. Profiles in these two databases are compared to DNA profiles from unidentified remains or unidentified individuals in an attempt to make an identification.

CODIS has been expanded through various means since NDIS first became operational in 1998, as described below. Laws governing which profiles can be included in NDIS have expanded at both state and federal levels, creating additional databases within CODIS. Further, the number of participating and contributing laboratories has grown significantly. These factors have caused the number of profiles in NDIS to increase dramatically.

Expanding Federal Legislation

The DNA Identification Act of 1994 authorized the FBI to establish NDIS but did not authorize the collection of DNA samples from federal offenders. Enactment of the DNA Analysis Backlog Elimination Act of 2000 remedied this by authorizing collection of DNA samples from federal offenders and from those who commit qualifying crimes in the District of Columbia, the military, and on tribal reservations.3 Additionally, in response to the events of September 11, 2001, the USA Patriot Act of 2001 expanded the list of offenses for which offender samples would be collected to include acts of terrorism and all crimes of violence.4

The Justice for All Act, signed into law on October 30, 2004, authorized the FBI to expand NDIS to include an additional index for DNA profiles of indicted persons.5 As a result, those state and local laboratories located in a state where the law authorizes the collection of DNA samples from indicted persons may include the DNA profiles of indicted persons in NDIS. Accordingly, the FBI added the Indicted Persons Index to NDIS in January 2005. The Act also required the state to have expungement procedures in place for removing the implicated profiles in the event that charges are dismissed or prosecution of the charges results in an acquittal. In addition, the Act expanded the list of offenses that require collection of a DNA sample when committed in the District of Columbia, the military, and on tribal reservations to include all felony and comparable military offenses.

The Justice for All Act also authorized the FBI to permit NDIS‑participating laboratories to perform a one-time search of certain DNA profiles, which were not allowed to be stored in NDIS, against NDIS databases. Specifically, NDIS-authorized users “may also access that index [NDIS] for purposes of carrying out a one-time keyboard search on information obtained from any DNA sample lawfully collected for a criminal justice purpose except for a DNA sample voluntarily submitted solely for elimination purposes.” The Act further defines keyboard searches as “a search under which information obtained from a DNA sample is compared with information in the index [NDIS] without resulting in the information obtained from a DNA sample being included in the index [NDIS].”

The FBI concluded that “DNA samples lawfully obtained for a criminal justice purpose” included: (1) DNA samples obtained by a state in accordance with applicable state law that are not otherwise authorized for inclusion in NDIS, such as an arrestee sample; or (2) DNA samples obtained by a state or relevant law enforcement agency in accordance with a judicial court order, such as a suspect exemplar obtained pursuant to court order.

Finally, on January 5, 2006, the DNA Fingerprint Act of 2005 was signed into law, and further changed the scope of NDIS as follows:

  • Federal arrestee profiles can be submitted to NDIS.

  • Federal detainee profiles can be submitted to NDIS.

  • States with legislation authorizing collection of arrestee profiles can submit those profiles to NDIS.

  • The responsibility for initiating expungement procedures for profiles in the indicted persons index was reassigned to the person whose charges were dismissed or not prosecuted.

  • These changes eliminated the need for the one-time search provision authorized by the Justice for All Act of 2004, because many of the profiles that could have been searched using that provision can now be added directly to NDIS for routine searches.

According to the CODIS Unit Chief, in January 2006, the FBI assessed the implications of this new law, and made changes to the NDIS procedures to reflect this expansion of NDIS. As a result of this new law, and in conjunction with additional administrative changes, the following indices were added to NDIS in January 2006:

  • Arrestee Index, which consists of DNA records of persons who have been arrested or indicted or charged in an information with a crime and are required by law to provide DNA samples. This index replaces the Indicted Persons Index created in 2005 as a result of the Justice for All Act.

  • Legal Index, which consists of DNA records of persons whose DNA samples are collected under applicable legal authorities, when the resulting profiles do not belong in one of the other index categories.

  • Spouse Index, which consists of the DNA records of a presumptive parent of a common child of a missing person. These records will help deduce the profile of a missing parent when the child’s DNA profile is available.

Expanding State Legislation

Individual states also have gradually expanded legislation, particularly as it pertains to the offenses for which, if convicted, a person must supply a DNA sample to that state’s CODIS convicted offender database. States also have moved toward requiring a DNA sample from all convicted felons, rather than limiting their collections to offenders convicted of sexual or violent offenses. Figure 2 displays three snapshots, showing the dramatic increase in offender DNA sample collection legislation across the United States.

Figure 2 – Expansion of State Legislation Governing
Offender DNA Sample Collection

[Image Not Available Electronically]

 Source: Smith Alling Lane, a professional services corporation

These legislative expansions at the state level have resulted in a dramatic increase through the years in the NDIS offender DNA database, as shown on page 7.

Increasing Number of CODIS Participants

Another means of expansion to NDIS has been the increasing number of participating and contributing state and local laboratories. For example, in May 1999, 32 laboratories in 12 states and 1 federal agency (the FBI) participated in NDIS. At the start of our audit in May 2005, 176 laboratories in 50 states and 2 federal agencies (the FBI and the Army) participated in NDIS.6 These numbers translate to a 450-percent increase in the number of NDIS-participating laboratories in a 6-year period.

Within these numbers is a secondary area of increase in the number of contributing NDIS laboratories. For a variety of reasons, not every “participating” laboratory was able to immediately contribute profiles to NDIS in the past.7 For example, as of May 1999, only 10 of 12 participating states had contributed offender DNA profiles to NDIS, and only 28 of 32 laboratories had contributed forensic DNA profiles to NDIS. However, as of May 2005, all 176 NDIS-participating laboratories had contributed profiles to NDIS.

Increasing Number of Profiles in NDIS

The preceding factors of expansion, including federal and state legislation and increasing numbers of participants, have caused a dramatic increase in the number of profiles contained in the NDIS databases. The following figures and data demonstrate the increases observed.

Figure 3 – NDIS Offender Database
Cumulative Totals by Year

NDIS Offender Database Cumulative Totals by Year (in millions): 2000-0.5, 2001-0.8, 2002-1.2, 2003-1.5, 2004-2.0, through November 2005-2.7.
Source: FBI CODIS Unit Chief

Figure 3 illustrates the significant increase from less than 500,000 profiles in 2000 to over 2.7 million profiles by November 2005. Just as dramatic is the increase in forensic profiles, from approximately 22,000 in 2000 to nearly 122,000 by November 2005, as shown in Figure 4.

Figure 4 – NDIS Forensic Database
Cumulative Totals by Year

NDIS Forensic Database Cumulative Totals by Year (in thousands): 2000-22, 2001-28, 2002-46, 2003-71, 2004-94, through November 2005-122.
Source: FBI CODIS Unit Chief

CODIS Management and Measurements

The FBI’s CODIS Unit has only existed since June 2003, following a reorganization within the FBI Laboratory Division. The predecessor of the CODIS Unit, the Forensic Science Systems Unit, managed other Laboratory Division databases in addition to the CODIS Program. The reorganization transferred those other databases to the operational unit counterparts to which they pertained. The Forensic Science Systems Unit, encompassing the CODIS Program and NDIS, was transferred from the Forensic Science Support Section, Operational Support Branch to the Scientific Analysis Section, Forensic Analysis Branch, effective June 2003. With this transfer came the name change to the CODIS Unit.

The CODIS Unit is charged with overseeing CODIS and NDIS operations and administration and ensuring that those operations comply with applicable requirements. As part of those efforts, the FBI contracted with Scientific Applications International Corporation (SAIC) in 1995 to develop CODIS software and software upgrades, to provide training and technical assistance to software users, and to physically maintain and secure NDIS. SAIC continues to maintain and operate the CODIS software and system.

According to the CODIS Unit Chief, as of November 2005, 175 laboratories were participating in NDIS.8 These laboratories collectively uploaded nearly 2.9 million profiles to NDIS, of which 96 percent were convicted offender profiles. Specifically, NDIS includes:

  • 2,743,068 convicted offender profiles;

  • 123,835 forensic profiles;

  • 1,481 relatives of missing person profiles;

  • 621 unidentified human remains profiles; and

  • 269 missing person profiles.

The success of CODIS is primarily measured through the number of cases that CODIS assists through a “hit” (a match between DNA profiles produced by CODIS that would not otherwise have been developed), also referred to as “investigations aided.” Through November 2005, CODIS aided 29,666 investigations in 49 states and 2 federal laboratories, as shown in Figure 6.

Figure 6 – Investigations Aided by CODIS
As of November 2005

[Image Not Available Electronically]

 Source: FBI, December 2005

The FBI also provides CODIS software to foreign law enforcement agencies with DNA capabilities to aid in criminal justice investigations. As of November 2005, 39 sites in 24 countries had received CODIS software.9

Prior Reviews

The Department of Justice Office of the Inspector General (OIG) previously conducted an audit to determine the extent of state and local laboratory participation in CODIS, particularly for those entities receiving laboratory grants, and to evaluate the FBI’s implementation and monitoring of CODIS.10 At the time of that audit, the FBI did not have the resources to directly evaluate laboratory compliance with the QAS and NDIS requirements. Consequently, oversight was limited to self-certification with the QAS and NDIS participation requirements on the part of each laboratory. We deemed self-certifications to present a high risk that FBI management would not detect instances of non-compliance by NDIS-participating laboratories. Consequently, we audited eight individual laboratories to determine compliance with applicable standards.11 The collective results of these efforts were described in the OIG’s 2001 audit report. In that report we concluded that:

  • The FBI needed to improve its oversight of CODIS-participating laboratories to ensure the laboratories were in compliance with applicable legislation, the FBI’s quality assurance standards, and the FBI requirements for laboratories participating in NDIS. Our audits of eight state and local laboratories disclosed that four laboratories did not fully comply with the FBI’s quality assurance standards and NDIS participation requirements. Also, we noted that the FBI did not have a process in place to ensure that laboratories instituted appropriate corrective action for findings of quality assurance audits.

  • The FBI needed to initiate procedures to ensure that DNA profiles in CODIS are complete, accurate, and allowable. At six of the eight laboratories audited, we found 49 unallowable or incomplete forensic profiles in CODIS out of the 608 forensic profiles reviewed. The unallowable profiles were from a known person other than a suspected perpetrator, such as a victim, an entry that is strictly prohibited from inclusion in CODIS. Further, at 2 of the 8 laboratories we identified 6 incomplete or unallowable convicted offender profiles in CODIS out of the 700 convicted offender profiles we reviewed. We found that the unallowable profiles in CODIS were uploaded either inadvertently or because a laboratory did not fully understand the rules governing acceptable profiles.

As a result of these findings, we made the following recommendations to the FBI:

  • Require that the accuracy, completeness, and allowability of the DNA profiles in the national index be routinely verified through audits or other means.

  • Ensure that analysts performing DNA testing at laboratories uploading DNA profiles to the national index are aware of the NDIS requirements, particularly those requirements delineating the types of allowable profiles.

  • Develop and implement a process to ensure that laboratories adequately resolve all deficiencies noted during the QAS‑required audits.

When we issued the report, we considered the status of each recommendation resolved because the FBI and the OIG agreed on the finding noted, and the FBI had planned but not completed its corrective action. In resolving the findings, we relied on:

  • Documentation that the FBI was working to develop a plan to routinely verify the accuracy, completeness, and allowability of the DNA profiles uploaded to the national index system.

  • A draft policy the FBI intended to implement requiring forensic laboratories participating in NDIS to advise DNA analysts of the requirements concerning allowable DNA profiles on an annual basis.

  • Documentation that the FBI initiated a program to monitor laboratory quality assurance audits through a review panel of qualified scientists (referred to as the NDIS Audit Review Panel) to verify that the appropriate standards were used and, when applicable, that the laboratory had taken appropriate corrective actions for audit findings.

Since the issuance of that audit report, the FBI has implemented several corrective action measures, which are further analyzed in Finding III. In addition, since that time, the OIG has completed an additional 24 CODIS laboratory audits. (See Appendix V for a complete listing of these audits.)

Audit Approach

This audit was designed to determine the present status of CODIS operations. The objectives of our audit were to:

  1. assess the adequacy of the FBI’s administration of CODIS, including its oversight of the national DNA database;

  2. analyze findings from DNA laboratory audits, both OIG‑conducted audits and external quality assurance audits, to determine if they reveal trends and vulnerabilities; and

  3. evaluate the FBI’s implementation of corrective actions in response to findings from the OIG’s September 2001 audit.

To accomplish these objectives, we reviewed various data and documentation provided to us by FBI officials, evaluated the results of past OIG CODIS laboratory audits, interviewed members of the CODIS Unit staff, and collected documentation from select NDIS-participating laboratories to analyze:

  • CODIS unit staffing and responsibilities;

  • the accuracy of NDIS Audit Review Panel (Review Panel) records;

  • the timeliness of the Review Panel process;

  • CODIS program goals, objectives, and measurements;

  • CODIS unit oversight and monitoring of participants;

  • weaknesses in compliance with QAS or NDIS participation requirements;

  • the adequacy of the FBI’s corrective actions to our previous recommendations;

  • the FBI’s implementation of legislated changes to NDIS; and

  • the FBI’s management of CODIS operations and infrastructure.

Additionally, to obtain the viewpoints of state and local NDIS‑participating laboratories, we surveyed CODIS administrators at NDIS‑participating laboratories (not including the FBI). The results of our audit are detailed in the Findings and Recommendations section of this report, and the audit objectives, scope, and methodology are presented in Appendix I.

  1. Pub. L. No. 103-322 (1994).

  2. The Department of Justice Office of the Inspector General developed this system hierarchy example using information obtained from the FBI.

  3. Pub. L. No. 106-546 (2000).

  4. Pub. L. No. 107-56 (2001).

  5. Pub. L. No. 108-405 (2004).

  6. These statistics reflect the fact that one laboratory that participated in NDIS in the past was suspended pending facility renovation or relocation.

  7. These reasons can include such factors as technology changes, limited laboratory resources, or the strain placed upon a laboratory’s productivity by changing legislation.

  8. The decrease of one laboratory from May 2005 is due to the fact that the NDIS database was moved to the FBI’s laboratory building, eliminating one of the NDIS sites.

  9. The 24 countries are Belgium, Botswana, Canada, Chile, Colombia, Croatia, Czech Republic, Denmark, England, Estonia, Finland, France, Hong Kong, Hungary, Italy, Netherlands, Norway, Poland, Portugal, Singapore, Slovakia, Spain, Sweden, and Switzerland.

  10. Department of Justice, Office of the Inspector General. Audit Report No. 01-26, The Combined DNA Index System, September 2001.

  11. Of the eight laboratories, three were in Florida and one each in California, Illinois, North Carolina, Pennsylvania, and Virginia. See Appendix V, “FY 2000 Audits” list, for further details.

« Previous Table of Contents Next »