The Federal Bureau of Investigation’s Control Over Weapons and Laptop Computers Follow-Up Audit

Audit Report 07-18
February 2007
Office of the Inspector General


Appendix XIX
Office of the Inspector General, Audit Division
Analysis and Summary of Actions
Necessary to Close the Report

We provided a draft audit report to the FBI for review and comment. The FBI’s comments, which detail the actions it has taken or plans to implement in response to our recommendations, have been included as Appendix XVIII to this report.

In its response, before responding to the recommendations, the FBI expressed its disagreement with the inclusion of 43 of the 160 weapons reported as lost or stolen during the 44-month period reviewed in this follow-up audit. The FBI points out that while these 43 weapons were reported as lost or stolen during the current review period, the loss actually occurred prior to this period. We included these 43 weapons in the totals for several reasons. First, our approach in the follow-up audit was consistent with our approach in the original 2002 audit of FBI accountability for weapons and laptops that also included weapons lost or stolen prior to the review period but reported during the review period. Second, none of these 43 weapons were included in the 354 lost or stolen weapons reported in the 2002 audit, so there was no “double counting” in the sample. Third, removing these weapons from the analysis would inaccurately characterize the number of weapons reported by the FBI as lost or stolen during this 44-month period. However, we noted this issue in the report, along with the FBI’s objection and the reasons for our methodology.

This Appendix summarizes our analysis of the FBI’s comments and proposed actions required to close the report.

Recommendations:

  1. Resolved. The FBI agreed with our recommendation to ensure that the AMU maintains all Forms FD-500 with accompanying documentation and required information. In response, the FBI stated that the AMU began scanning and electronically maintaining all Forms FD-500 and accompanying documentation and required information. In addition, the FBI stated that all previously submitted and processed Forms FD-500 will be scanned for electronic retention purposes, as resources permit. To close this recommendation, please provide evidence of new or strengthened controls and additional guidance that have been implemented (for example, periodic reconciliations between Forms FD-500 and a PMA list of lost and stolen weapons and laptop computers) to ensure that the AMU maintains all Forms FD-500.

  2. Resolved. The FBI agreed with our recommendation to ensure that the most current version of the Form FD-500 is used to report weapon and laptops losses. In its response, the FBI stated that on October 1, 2006, the AMU began conducting preliminary reviews of each submitted Form FD-500 and intends to return any outdated form back to the originating field office for correction and proper submission. This recommendation can be closed when the FBI provides to us a copy of the directive that instructed the AMU to perform preliminary reviews of Forms FD-500.

  3. Resolved. The FBI agreed with our recommendation to ensure that all Forms FD-500 that are submitted to the AMU are complete, accurate, and timely. In its response, the FBI stated that on October 1, 2006, the AMU began conducting preliminary reviews of each submitted Form FD-500. The FBI said that forms found to be lacking required information are returned to the submitting office for correction.

  4. However, the FBI stated that it disagreed with our specific request to ensure that a description of the contents of lost or stolen laptop computers accompany the Forms FD-500. The FBI cited security risks as the reason for why the content information should not accompany the Forms FD-500 to the AMU. Also, the FBI stated that it already has policy in place requiring that its Security Division be notified in the event of a laptop loss or theft and that this requirement adequately addresses our recommendation.

    In our report, we stated that “[a]side from reviewing the Forms FD-500 we asked FBI officials if they could determine the content of the 51 lost or stolen laptop computers and whether they contained sensitive or classified information. FBI officials explained that they did not maintain such information and, therefore, could not determine the content of the laptops or whether sensitive or classified information was contained on them. We asked FBI officials why they do not have this information. Security Division officials speculated that the SCU may not have been notified of the lost and stolen laptop computers and, therefore, would not have followed up in determining the contents of the lost or stolen laptops.”

    Further, we stated in our report that “FBI officials acknowledged to the OIG that there was a breakdown in obtaining necessary information on the contents of the laptops that were lost or stolen. The FBI Security officials suggested that part of the cause may be attributed to the lack of a centralized unit within the FBI that could identify the contents of lost or stolen laptops or make sure that Forms FD-500 are complete and accurate.” In addition, we noted that some of the Forms FD-500 that we reviewed were accompanied by general descriptions of the contents of the lost or stolen laptops. However, a description of laptop contents was not found for all Forms FD-500 relating to lost and stolen laptops.

    Based on these results, our intent was to recommend that not only should the AMU ensure that Forms FD-500 be complete, accurate, and timely, but also that a general description of the contents of lost or stolen laptops be submitted to the Security Division. The specific request in our recommendation would ensure that the Security Division receives adequate information in order for it to be able to appropriately address laptop losses and perform timely damage assessments. We do not believe this would present a security concern, but rather it would be consistent with the FBI’s security policy. Therefore, we consider this recommendation to be resolved. To close this recommendation, please provide us with a copy of the directive that instructed the AMU to perform preliminary reviews of Forms FD‑500 to ensure completeness, accuracy, and timeliness. Also, please provide evidence of new or strengthened controls and additional guidance that have been implemented to ensure that the Security Division timely receives a general description of the contents of lost or stolen laptops.

  5. Resolved. The FBI agreed with our recommendation to revise the Forms FD-500 to include additional information such as whether or not the loss was reported to the Inspection Division for investigation, the classification level of National Security Information contained on the laptop, whether the laptop contained personal identifying information, and whether the laptop was protected with encryption software. The FBI stated that it was developing an electronic Form FD-500 that will capture this information. In addition, the FBI stated that a mandatory field will appear in the PMA requiring the classification level approved for each laptop computer. This recommendation can be closed when we receive evidence that the Form FD-500 was revised and a new field relating to laptop classification levels was added to the PMA.

  6. Resolved. The FBI agreed with our recommendation to ensure that the Security Division performs a damage assessment of all laptops that are lost or stolen and maintains documentation on this information. The FBI stated that each Division’s Chief Security Officer is required to ensure that damage assessments are completed and the results are incorporated in the formal notification reporting the loss or theft of a laptop computer. This recommendation can be closed when the FBI provides evidence of new or strengthened controls that have been established to ensure that the Division’s Chief Security Officers are conducting and properly reporting damage assessments of lost or stolen laptop computers.

  7. Resolved. The FBI agreed with our recommendation to ensure that weapon and laptop losses are appropriately entered into NCIC. The FBI stated that this recommendation will be addressed with the development of the new electronic Form FD-500 that will capture information related to the NCIC entry and the AMU’s preliminary review of the Forms FD-500 information for completeness. This recommendation can be closed when the FBI provides evidence of the revised Form FD-500 and a copy of the directive that instructed the AMU to perform preliminary reviews of Forms FD-500 information to ensure completeness.

  8. Resolved. The FBI agreed with our recommendation to assign to the AMU monitoring responsibilities over weapon and laptop losses to ensure that all proper notifications are made. The FBI stated that as of January 3, 2007, the AMU assumed the responsibility for ensuring that all appropriate FBI entities are made aware of the receipt of Forms FD-500 reporting the loss or theft of weapons and laptop computers. The AMU will provide copies of Forms FD-500 and related documentation to FBI entities responsible for investigative and administrative follow-up action in weapon and laptop losses. In addition, the FBI stated that it will notify all divisions no later than February 15, 2007, of all existing policy related to the issue of responding to lost or stolen weapons and laptop computers. Further, the AMU will provide, on a monthly basis, copies of all Forms FD-500 received to the Assistant Director, Finance Division. This recommendation can be closed when we receive a copy of the directive that assigned monitoring responsibilities to the AMU to ensure proper notifications are made regarding lost or stolen weapons and laptops. In addition, please provide a copy of the summary electronic communication that will be disseminated to all FBI divisions no later than February 15, 2007, regarding all existing policy on responding to lost or stolen weapons and laptops.

  9. Resolved. The FBI agreed with our recommendation to maintain and submit complete, accurate, and timely reports to the DOJ CIO containing all appropriate FBI laptops authorized to process classified information. The FBI stated that it was reviewing existing report submission policies to determine the appropriate guidance and monitoring needed to ensure all required and applicable reporting is submitted timely to the DOJ CIO. This review will be completed by February 28, 2007. To close this recommendation, please provide evidence of new or strengthened controls and additional guidance that have been implemented to ensure the FBI provides complete, accurate, and timely reports to the DOJ CIO.

  10. Resolved. The FBI agreed with our recommendation to improve the documentation supporting the destruction of excess laptop computers and hard drives. The FBI stated that it was reviewing existing policies in order to provide additional guidance that will support the proper completion of all required steps related to the disposal of excess laptop computers and hard drives. To close this recommendation, please provide evidence of new or strengthened controls and additional guidance that have been implemented to ensure the FBI maintains supporting documentation related to the destruction of excess laptop computers and hard drives.

  11. Resolved. The FBI agreed with our recommendation to revise its guidance regarding when field offices can degauss their own hard drives. The FBI stated that it was reviewing existing policies in order to provide additional guidance on procedures for the degaussing of hard drives. To close this recommendation, please provide a copy of any guidance developed regarding when field offices can degauss their own hard drives.

  12. Resolved. The FBI agreed with our recommendation to submit complete, accurate, and timely semiannual reports summarizing the loss and theft of property to the JMD. The FBI stated that it was reviewing existing report submission policies to determine the appropriate guidance and monitoring needed to ensure all required and applicable reporting is submitted in a timely manner. To close this recommendation, please provide evidence of new or strengthened controls and additional guidance that have been implemented to ensure the FBI submits complete, accurate, and timely semiannual reports to JMD.

  13. Resolved. The FBI agreed with our recommendation to submit complete, accurate, and timely incident reports summarizing the loss of appropriate FBI laptop computers to the DOJCERT, as required. The FBI stated that it was reviewing existing report submission policies to determine the appropriate guidance and monitoring needed to ensure all required and applicable reporting is submitted timely. To close this recommendation, please provide evidence of new or strengthened controls and additional guidance that have been implemented to ensure the FBI submits complete, accurate, and timely reports to DOJCERT.

  14. Resolved. The FBI stated that it disagreed with this recommendation, but it proposed action that satisfies the intent of our recommendation. It acknowledged that sufficient documentation was not maintained with regard to the 50 separated employees selected for testing during the current audit period. The FBI proposed to issue additional guidance by January 31, 2007, to division heads restating the current policies and procedures to be implemented upon the separation of an employee and emphasizing the need to maintain proper documentation of such actions. These proposed actions would strengthen exit processing for departing employees, which addresses the intent of our recommendation. To close this recommendation, please provide evidence of new or strengthened controls and additional guidance that have been implemented to ensure the FBI maintains proper documentation on its exit processing of departing employees.



« Previous Table of Contents Next »