January 18, 2007

Mr. Guy K. Zimmerman
Assistant Inspector General for Audit
U.S. Department of Justice
Office of the Inspector General
Washington, D.C.

Re: OIG's Draft Audit Report The Federal Bureau of Investigation's Control over Weapons and Laptops Follow-Up Audit

Dear Mr. Zimmerman:

The FBI appreciates the opportunity to respond to findings and recommendations made in your report entitled "The Federal Bureau of Investigation's Control over Weapons and Laptops Follow-Up Audit" (hereinafter "Report").

Your transmittal memorandum requested the FBI provide comments on the recommendations set forth in the Report. This letter will convey the FBI's response to each of the recommendations and I request that it be appended to the Report.

The Report concludes that "the FBI has made progress in decreasing the rate of loss for weapons and laptops" and notes the positive trend in this direction since our implementation of corrective action policies in 2002. This progress reflects the FBI =s commitment to minimizing such losses. Data contained in the Report reflects a 349% reduction in the average number of weapons lost or stolen in any given month when compared to data in your 2002 report. A similar reduction of 312% was reported for lost or stolen laptop computers. The Report further notes "we recognize that in an organization the size of the FBI, some weapons and laptops will inevitably be stolen or go missing." We believe we have taken and continue to take appropriate steps to minimize these losses. The data in the Report supports this position.

The FBI objects, however, to certain conclusions and negative inferences made in the Report based on the inclusion of specific data related to the overall number of weapons reported as lost during the audit period. Overall, 160 weapons were reported as lost or stolen during the most recent audit period. The FBI detailed for the OIG auditors that 43 of the 160 weapons were, in fact, lost or stolen during the prior audit period and were reported during the current audit period as a result of corrective actions taken to comply with the 2002 audit report. The actual number of weapons lost or stolen during the most recent 44 months, the current audit period, total 117. The FBI's objection was noted in footnote 8 of the Report along with justification provided by the OIG for including the 43 weapons in the Report's current loss calculations. We respectfully disagree with the justification provided and strongly believe the inclusion of the 43 weapons inaccurately reflects the results of continuing improvements made by the FBI in safeguarding its weapons inventory.

We acknowledge that more needs to be done to ensure the proper handling of the loss and theft of laptop computers and, more importantly, the information maintained thereon. One of the most important steps taken requires the encryption and password protection of all FBI laptop computers. As set forth by the Security Division in a Security Bulletin dated July 14, 2006, all FBI laptops must have basic configurations which include encryption to protect Sensitive but Unclassified information such as Personally Identifying Information (PII). This specific Security Bulletin contains a total of nine requirements and recommendations designed to minimize the potential for loss of FBI laptops and information. Additional policies related to the protection of not only PII information but also all other classifications of National Security related information were promulgated in April 2006 in the FBI's comprehensive Security Policy Manual.

Our continued commitment to strengthen our response to and internal control over the loss and theft of weapons and laptop computers is found in our response to the Report's recommendations. Overall, the Report identified 13 recommendations. The FBI concurs with 12 of the recommendations and offers an alternative action plan for one.

Individual recommendations and our respective responses are set forth below:

Response to Weapon and Laptop Losses

1. OIG Recommendation:  Ensure that the Asset Management Unit (AMU) maintains all Form FD-500s with accompanying documentation and required information.

The FBI agrees with the OIG recommendation. As of October 1, 2006 the AMU began scanning and electronically maintaining all Form FD-500s and accompanying information received. As resources permit, all previously submitted and processed Form FD-500s will be scanned for electronic retention purposes.

2. Recommendation:  Ensure that the most current version of the Form FD-500 is used to report weapon and laptop losses.

The FBI agrees with the OIG recommendation. On October 1, 2006 the AMU began conducting preliminary reviews of each submitted Form FD-500. Since that date, any submission found to have been made on an outdated form is returned for correction and proper submission.

3. Recommendation:  Ensure that all Form FD-500s that are submitted to the Asset Management Unit are complete, accurate and timely. Specifically, the FBI should ensure that the contents of the lost or stolen laptop computers accompany the Form FD-500.

The FBI agrees with a portion of the OIG recommendation. As noted in the response to OIG Recommendation #2 above, on October 1, 2006 the AMU began conducting a preliminary review of each Form FD-500 submitted. Form FD-500s found to be missing required information, to include annotating the classification level of the laptop computer, are returned to the submitting division for correction. The FBI disagrees with the specific request to ensure that the contents of the lost or stolen laptop computer accompany the Form FD-500.

Certain security risks arise if a policy were to be implemented requiring the contents of the lost or stolen laptop computer accompany the Form FD-500. As an alternative, the Security Division Policy Manual (effective April 3, 2006) defines reportable incidents which would be applicable to the loss or theft of a laptop computer approved for processing classified or sensitive information. The Policy Manual dictates the Security Division be notified in the event the loss or theft of a laptop computer occurs. The Policy Manual provides guidance for information required within the EC. This alternative action, already in place, adequately addresses this aspect of recommendation 3.

4. Recommendation:  Revise the Form FD-500 to include:

1. whether or not the loss was reported to the Inspection Division for investigation;

2. separate designation for "sensitive" and "classified" categories;

3. tracking of the classification level of NSI contained on a laptop;

4. whether sensitive information contained personally identifying information; and

5. whether the lost or stolen laptop computer was protected with encryption software.

The FBI agrees with the OIG recommendation. An electronic Form FD-500 is being developed which will capture the items set forth in recommendation 4 (a) - (e). This form is set to be available for use by March 31, 2007. One benefit of making the Form FD-500 available only in an electronic format will be that of providing quick reference links to applicable policy and/or procedures. Further, as of January 31, 2007, a mandatory field will appear in Property Management Application requiring the classification level approved for a laptop computer, thus providing an automated tracking mechanism to specifically address Recommendation 4 (c) above.

5. Recommendation:  Ensure that the Security Division performs a damage assessment of all laptops that are lost or stolen and maintains documentation on this information.

The FBI agrees with the OIG recommendation. Each Division's Chief Security Officer is required to ensure a damage assessment is completed with the results incorporated in the formal notification reporting the loss or theft of a laptop computer.

6. Recommendation:  Ensure that weapon and laptop losses are appropriately entered into NCIC.

The FBI agrees with the OIG recommendation. As noted in the response to recommendation #4 above, an electronic Form FD-500 is being developed which will capture the items set forth in recommendation 4 (a) - (e). In addition, information already being captured on the Form FD-500, such as NCIC entry data, will be maintained. Also, the initial vetting of the Form FD-500 information for completeness being conducted by AMU since October 1, 2006 will ensure the appropriate NCIC information has been captured.

7. Recommendation:  Assign to the Asset Management Unit monitoring responsibilities over weapon and laptop losses to ensure that all proper notifications are made.

The FBI agrees with the OIG recommendation. As of January 3, 2007 the AMU assumed the responsibility for ensuring all appropriate FBI entities are made aware of the receipt of Form FD-500s reporting the loss/theft of FBI weapons and laptop computers. AMU will provide copies of the Form FD-500 and any related documentation/information received to components entities for appropriate follow up investigative and/or administrative action.

In addition, a summary EC restating all existing policy related to the response to the loss or theft of a weapon or laptop computer will be prepared and disseminated to all division heads no later than February 15, 2007. Along with this step, AMU will provide, on a monthly basis, to the Assistant Director, Finance Division, copies of all Form FD-500's received reporting losses or thefts of all weapons and laptop computers.

Internal Controls

8. Recommendation: Maintain and submit complete, accurate, and timely reports to the DOJ CIO containing all appropriate FBI laptops authorized to process classified information.

The FBI agrees with this recommendation. A review of existing report submission policies is ongoing to determine the appropriate guidance and monitoring needed to ensure all required and applicable reporting is submitted timely to the DOJ, CIO. This review, resulting in additional guidance, will be complete by February 28, 2007.

9. Recommendation:  Improve the documentation supporting the destruction of excess laptop computers and hard drives.

The FBI agrees with this recommendation. A review of existing policies is ongoing to provide additional guidance supporting the proper completion of all required steps for the disposal of excess laptop computers and hard drives. This review, resulting in additional guidance, will be complete by March 31, 2007.

10. Recommendation:  Revise its guidance regarding when field offices can degauss their own hard drives.

The FBI agrees with this recommendation. A review of existing policies is ongoing to provide additional guidance relating to the procedures for the degaussing of hard drives. This review, resulting in additional guidance, will be complete by March 31, 2007.

11. Recommendation:  Submit complete, accurate, and timely Semiannual Reports to the JMD, FASS.

The FBI agrees with this recommendation. A review of existing report submission policies is ongoing to determine the appropriate guidance and monitoring needed to ensure all required and applicable reporting is submitted in a timely manner. This review, resulting in strengthening the existing reporting processes as well as additional guidance, will be complete by February 28, 2007.

12. Recommendation:  Submit complete, accurate, and timely incident reports summarizing the loss of appropriate FBI laptop computers to the DOJCERT, as required.

The FBI agrees with this recommendation. As noted in earlier responses, a review of existing report submission policies is ongoing to determine the appropriate guidance and monitoring needed to ensure all required and applicable reporting is submitted timely. This review, resulting in additional guidance for reporting to DOJCERT, will be complete by February 28, 2007.

13. Recommendation:  Strengthen the exit processing for departing employees to ensure that all weapons, laptops, and other issued property is returned to the FBI.

The FBI disagrees with this recommendation. The Report states "Based on our overall review of the 160 weapon losses, we concluded that four of the lost or stolen weapons were the result of an agent leaving the FBI and not returning their weapon. In our judgement, the FBI has not sufficiently strengthened its exit processing for departing employees."

In this case specifically, all four weapons cited as lost due to Agents not returning their property subsequent to separation from the FBI occurred prior to January 31, 2002, the end of the prior audit period. These weapons were, in fact, reported due to the FBI's efforts to strengthen accountability in this particular area of property management and were discovered based on those efforts. The FBI acknowledges the fact that sufficient documentation was not maintained with regard to the 50 separated employees selected for testing during the current audit period but would also point out that none of the weapons or laptop computers reported as lost or stolen during this audit period were linked to anyone in the OIG sample.

As a counter proposal to Recommendation 13, the FBI proposes to issue additional guidance to division heads restating the current policies and procedures to be implemented upon the separation of an employee while also emphasizing the need to maintain proper documentation of such actions. This guidance will be prepared and issued by January 31, 2007.

The FBI has made and continues to make significant improvements and changes to ensure consistent enforcement of existing policies related to the loss and theft of weapons and laptop computers. We appreciate this opportunity to respond to your recommendations and will report to you on a regular basis with regard to our implementation progress.

Sincerely yours,

Joseph L. Ford
Associate Deputy Director