The Federal Bureau of Investigation’s Control Over Weapons and Laptop Computers Follow-Up Audit

Audit Report 07-18
February 2007
Office of the Inspector General

Executive Summary

In 2001, the Attorney General requested that the Office of the Inspector General (OIG) conduct audits of the controls over weapons and laptop computers throughout the Department of Justice (DOJ) to address concerns about the DOJ’s accountability for such property. In response, the OIG conducted separate audits of the controls over weapons and laptop computers at the Federal Bureau of Investigation (FBI), the Drug Enforcement Administration (DEA), the Federal Bureau of Prisons (BOP), and the United States Marshals Service (USMS). Audit reports on each component, including the FBI, were issued, as well as an overall report summarizing the results from each audit.1

The OIG’s 2002 report on the FBI disclosed significant losses of weapons and laptop computers and examined the adequacy of the FBI’s response to these losses. The report concluded that the FBI’s procedures to prevent the loss of such equipment were not adequate. Specifically, we found that the FBI:

To help address these deficiencies, we made 10 recommendations, including that the FBI establish firm deadlines for reporting lost or stolen weapons and laptop computers. The FBI agreed with each of our recommendations and outlined a plan for taking corrective action.

Follow-up Audit

We conducted this follow-up audit to assess the progress of the FBI in addressing the deficiencies regarding control over weapons and laptops. The FBI had the greatest number of losses, as well as the most significant deficiencies in controls, of all the DOJ components we reviewed in our 2002 audits.3

The objective of this follow-up audit was to determine whether the FBI has implemented adequate corrective action to the findings in the original audit report.4 To conduct this follow-up audit, we interviewed FBI officials, reviewed documents, and tested controls at FBI Headquarters in Washington, D.C., the FBI Training Academy at Quantico, Virginia, and FBI field offices in Chicago, Illinois; Los Angeles, California; Miami, Florida; New York, New York; and Washington, D.C. Fifty-two percent of the FBI’s 52,263 weapons and 54 percent of its 26,166 laptop computers were assigned to these offices.5

To determine whether the FBI has made progress in reducing its number of lost and stolen weapons and laptop computers, we compared the rate of loss identified in our 2002 audit to the rate found in this follow-up audit. Our prior audit found that over a 28-month period the FBI reported 354 weapons and 317 laptop computers as lost or stolen. Our follow-up audit found that over a 44-month period the FBI reported 160 weapons and 160 laptop computers as lost or stolen. We determined that, except for stolen laptop computers, the rate of loss for each property category decreased, as detailed below.6

MISSING WEAPONS AND LAPTOP COMPUTERS
2002 AUDIT VS. FOLLOW-UP AUDIT7
Category

Number of Lost or Stolen Items Reported Losses Reported Per Month
2002 Audit
(28 Month Period) 		Follow-up Audit
(44 Month Period) 		2002
Audit 		Follow-up
Audit

Lost Functional Weapons

107

48

3.82

1.09

Stolen Functional Weapons

105

94

3.75

2.14

Lost Training Weapons

142

18

5.07

0.41

Stolen Training Weapons

0

0

0

0

Total Lost or Stolen Weapons

354

1608

 
 

Lost Laptop Computers

300

116

10.71

2.64

Stolen Laptop Computers

17

44

0.61

1.00

Total Lost or Stolen Laptops

317

160

  
Source: OIG analysis of FBI data

Yet, despite the FBI’s progress in decreasing the rate of loss for weapons and laptops, the FBI still reported 160 weapons and laptops that were lost or stolen. We recognize that in an organization the size of the FBI, some weapons and laptops will inevitably be stolen or go missing. However, it is important that the FBI take appropriate steps to minimize these losses. When losses occur, the FBI must timely report the loss, be able to identify the contents of lost laptops, and determine whether the laptop is encrypted. In addition, the FBI must investigate these losses and thefts, enter required data into the National Crime Information Center (NCIC), and report the losses to DOJ as required.

Our audit found that the FBI has not taken sufficient corrective action on several recommendations outlined in our 2002 audit report to address the issue of missing and stolen equipment. Perhaps most troubling, the FBI could not determine in many cases whether the lost or stolen laptop computers contained sensitive or classified information. Such information may include case information, personal identifying information, or classified information on FBI operations.

Prior to our follow-up audit the FBI did not maintain records indicating which of its laptop computers actually contained sensitive or classified information. Moreover, during this follow-up review, the FBI could not identify for us the contents of many of the lost and stolen laptops, including whether they contained sensitive or classified information.

The following sections of this Executive Summary summarize the main findings of this follow-up audit.

Reporting Weapons and Laptop Losses

During our initial review in 2002, we found that the FBI did not specify deadlines for submitting the Report of Lost or Stolen Property form (Form FD-500) to report the loss of FBI property. As a result, we recommended that the FBI establish and adhere to firm deadlines to ensure that: (1) employees promptly report the loss or theft of FBI property to their supervisors; (2) supervisors report losses or thefts to headquarters units, including the Firearm Training Unit (FTU), OPR, the Asset Management Unit, and the Security Division; (3) OPR initiates and completes an investigation into the loss; and (4) information from the Form FD-500 is entered into NCIC (when appropriate).

In response, the FBI revised its policy to require that employees report lost or stolen weapons and laptop computers to their division office within 5 days after discovery of the loss. Division offices, in turn, are required to submit a Form FD-500 to the FBI’s Finance Division and the Asset Management Unit within 10 days of the loss. All losses of weapons and laptop computers are required to be entered into the NCIC database and forwarded to the FBI Inspection Division for investigation.9

We reviewed the reporting actions taken by the FBI in response to lost or stolen weapons and laptop computers by examining the Forms FD-500 during our 44-month review period. We assessed whether the loss was reported to the Asset Management Unit, entered into NCIC, and referred to the Inspection Division for investigation and OPR for adjudication. The table below categorizes our findings.

FBI REPORTS OF THE LOSS OR THEFT OF
WEAPONS AND LAPTOP COMPUTERS
FEBRUARY 1, 2002, THROUGH SEPTEMBER 30, 2005
WEAPONS: Submitted a loss report - 157 yes/3 no; Entered the loss into NCIS - 137 yes/23 no; Referred the loss to OPR/Inspection Division - 128 yes/32 no. LAPTOP COMPUTERS: Submitted a loss report - 152 yes/8 no; Entered the loss into NCIS - 24 yes/136 no; Referred the loss to OPR/Inspection Division - 38 yes/122 no.
Source: OIG analysis of FBI data

Of the 160 missing weapons, the FBI was able to provide Forms FD-500 for 157 weapons. The remaining three weapons were missing the required form. Of the 157 lost or stolen weapons that were reported using a Form FD-500, we found:

Of the 160 missing laptop computers, the FBI was able to provide Forms FD-500 for 152 laptops. Eight laptops were missing the required form. Of the 152 that were reported using a Form FD-500, we found:

Thus, although the FBI has strengthened its policy for reporting lost or stolen weapons and laptop computers by revising the Form FD-500 and establishing a new 10-day deadline for reporting losses, the FBI did not ensure that its staff always used the revised form or reported the loss within 10 days, as required. We recommend that the FBI ensure that its staff prepare complete and accurate loss reports using the latest version of the Form FD-500 and submit those reports to the appropriate offices in a timely manner.

Contents of Lost or Stolen Laptop Computers

Our review of the 152 Forms FD-500 for lost and stolen laptops revealed that 101 were identified as not containing sensitive or classified information, 43 were not marked as either containing or not containing sensitive or classified information, and 8 were marked as containing sensitive or classified information.13

We asked the FBI’s Security Division for any additional information that it had on the 160 laptop losses. We were provided limited information on only 12 laptop losses that the Security Division had reviewed. Two of the 12 laptop losses that the Security Division reviewed were initially part of the 101 that were identified on the Forms FD-500 as not containing sensitive or classified information. The Security Division determined that these two laptop computers contained sensitive but unclassified information. Therefore, we added these two laptop losses to the eight that were identified on the Forms FD-500 as containing sensitive or classified information. Details related to the 10 laptops are provided in the table below.

DETAIL ON LAPTOP LOSSES
CONTAINING SENSITIVE OR CLASSIFIED INFORMATION
No. Date of
Loss 		Office
Reporting
Loss 		Type of
Loss		 Encrypted? Nature of
Contents

1

07/12/02

Boston Field Office

Stolen

Yes

Software for creating identification badges.

2

09/02/02

Indianapolis Field Office

Lost

Unknown

Unknown

3

09/24/02

New Orleans Field Office

Stolen

Unknown

Used to process surveillance-related electronic digital imaging.

4

07/15/03

Phoenix Field Office

Lost

Unknown

Unknown

5

03/11/04

Security Division

Stolen

Yes

System security plan for an electronic access control system.

6

05/19/04

Washington Field Office

Lost

Unknown

Unknown

7

05/06/05

Security Division

Lost

Unknown

Unknown - SCU determined contents to be sensitive, but unclassified.

8

06/24/05

CJIS Division

Stolen

Yes

Unknown - SCU determined contents to be sensitive, but unclassified.

9

08/21/05

San Diego Field Office

Stolen

Unknown

Unknown - SCU determined contents to be sensitive, but unclassified.

10

Unknown
(approx.
07/02)

Quantico Laboratory Division

Stolen

Unknown

Names, addresses, and telephone numbers of FBI personnel.

Source: FBI Forms FD-500

Although 8 of the 10 laptop losses were identified on the Forms FD-500 as containing sensitive or classified information, the Forms FD-500 for these eight laptop losses did not specifically make a distinction as to whether the information was sensitive or classified National Security Information (NSI).14 We asked FBI Asset Management Unit and Security Division officials whether they could identify if any of the eight laptops did in fact contain National Security Information. The Security Division provided us information to indicate that the laptop loss reported by the CJIS Division on June 24, 2005, contained sensitive but unclassified information. However, FBI officials informed us that they did not know whether the remaining seven laptops that were identified as containing sensitive information actually contained classified information.

According to the OPR and Inspection Division records, the FBI investigated 6 of the 10 laptop losses that were known to contain sensitive or classified information. Of the six laptop losses that were investigated, one resulted in a 3-day suspension, two investigations were pending as of February 2006, and three resulted in no action taken against the employee. The FBI did not investigate the remaining four losses, including the loss of laptop computers that contained personal identifying information of FBI personnel and software for creating identification badges.15

Similarly, we asked FBI Security Division officials if they conducted any type of review to determine the contents of the remaining seven laptop losses or to assess the potential damage to national security and the FBI’s operations. Security Division officials stated that they are reviewing the Forms FD-500 and contacting the appropriate field offices to determine what kind of information was on the laptops. However, the Security Division officials informed us that because these losses occurred some time ago it is doubtful that the FBI would still have information about the content of the laptops.

51 Laptop Losses

As noted above, the Forms FD-500 for 43 of the 51 laptop computers did not indicate, as required, whether the laptops contained sensitive or classified information. The employees who completed the forms did not check the box to indicate whether sensitive or classified information was on the laptop, nor did the Accountable Property Officer or the Asset Management Unit complete that section of the form when it was submitted. Moreover, the forms that were completed did not contain an adequate description of the information contained on the laptops. See Appendix IV. An analysis of the 51 laptop computers is provided in the table below.16

ANALYSIS OF THE 51 LAPTOP COMPUTERS
UNKNOWN TO HAVE SENSITIVE OR CLASSIFIED INFORMATION
Category Assigned
To
Employee 		Unassigned Total

Unexplained Losses17

3

22

25

Loss Identified During FBI Physical Inventories

5

16

21

Stolen from Vehicle

1

1

2

Stolen from FBI Office

0

1

1

Other

2

0

2

TOTAL

11

40

51
Source: FBI Forms FD-500

Seven of these 51 laptop computers were assigned to divisions within the FBI that handle some of the most sensitive information related to national security. Six were assigned to the Counterintelligence Division and 1 was assigned to the Counterterrorism Division. Yet, the FBI did not know the contents of these computers or whether they contained sensitive or classified information.

Of these 51 laptops, 11 were referred to FBI’s OPR/Inspection Division. Two resulted in disciplinary action of the employee -- one letter of censure and one 3-day suspension. The documentation maintained at OPR/Inspection Division did not indicate the contents of these laptop computers.

This is a significant deficiency. Some of these laptops may have contained classified or sensitive information, such as personally identifiable information or investigative case files.18 Without knowing the contents of these lost and stolen laptop computers, it is impossible for the FBI to know the extent of the damage these losses might have had on its operations or on national security.

FBI officials acknowledged to the OIG that there was a breakdown in obtaining the necessary information on the contents of the laptops that were lost or stolen. They suggested that part of the cause may be attributed to the lack of a centralized office in the FBI that could ensure that Forms FD-500 are complete and accurate.

Entering Losses of Weapons into NCIC

FBI policy states that lost and stolen weapons and laptops are required to be entered into NCIC. Our 2002 audit found that 14 of the 276 (5 percent) lost or stolen FBI weapons had not been entered into NCIC. Entering these items into NCIC could increase the chance of recovering the weapon or identifying the weapon if it is used in the commission of a crime.

In our follow-up audit, we found no NCIC records for 23 of the 160 (14 percent) lost or stolen weapons and no NCIC record for 136 of the 160 (85 percent) lost or stolen laptops.19 At our exit conference, FBI officials stated that 10 of the 23 weapons currently do not have a record in NCIC. The remaining 13 included 6 weapons that had active records and 7 weapons that have been recovered.

We also queried NCIC to determine whether the lost and stolen weapons and laptop computers were recovered and, for the weapons, whether they were used in the commission of a crime. We identified no instances where law enforcement recovered any of the 160 lost or stolen weapons the 160 lost or stolen laptop computers. However, after completion of our fieldwork, the FBI reported to us that seven weapons had been recovered. Details of those weapons are listed in Appendix III.

Referring and Investigating Losses

Our 2002 audit found that losses of weapons and laptops were not regularly referred to OPR for investigation and that disciplinary action was generally not taken when individuals deviated from FBI policies concerning the handling of weapons and laptops. As a result, we recommended the FBI revise its policy and establish criteria for disciplining employees whose negligence resulted in the loss or theft of a weapon or laptop.

In response to our recommendation, the FBI stated that all weapon and laptop losses are required to be referred to OPR/Inspection Division. In our follow-up audit, we reviewed documentation related to OPR’s and the Inspection Division’s investigations. The results follow.

Weapons Loss

The MAOP requires that each weapon loss must be referred to OPR. However we found that 32 weapons (20 percent) were not referred. Further, of the total 160 lost or stolen weapons OPR/Inspection Division opened an internal investigation into 70 (43 percent) of those losses. OPR/Inspection Division explained that it did not open an internal investigation for the remaining 90 losses for the following reasons:

We found it troubling that many of the weapon losses were not referred to OPR/Inspection Division for investigation even though the requirement in the MAOP clearly states that each weapon loss must be referred to OPR. As we previously mentioned, FBI officials told us that they do not investigate these losses because of insufficient information to indicate possible misconduct or negligence by an employee or the fact that the weapon was not specifically assigned to an employee.

Laptops Loss

The MAOP requires that each laptop loss must be referred to OPR. We found that 122 laptops (76 percent) were not referred. Further, of the total 160 lost or stolen laptops OPR/Inspection Division initiated an internal investigation into 21 (13 percent) of the losses. OPR/Inspection Division explained that it did not initiate an internal investigation for 139 losses because of the following reasons:

Similar to lost or stolen weapons, OPR/Inspection Division explained that cases are opened when there is sufficient evidence of an employee’s misconduct, and that cases were not opened if the lost or stolen laptop was not assigned to specific FBI personnel.20

Lack of Centralized Oversight and Monitoring

In our analysis of the FBI’s response to lost and stolen weapons and laptop computers, we identified several weaknesses that resulted in inadequate reporting of weapon and laptop losses within the FBI. When reports were submitted, there did not appear to be any type of review at the FBI’s Asset Management Unit to ensure that all necessary information and documentation was received. Also, there did not appear to be consistent notification to the proper headquarters units, such as the Security Division or the OPR/ Inspection Division.

INTERNAL CONTROLS

In our 2002 audit, we reported that the FBI failed to give sufficient attention to property management. Periodic inventories of accountable property were not conducted, departing employees did not always return all property that had been issued to them, and the destruction of outdated, damaged, or excessed laptop computers was not adequately documented. Additionally, while the FBI documented the disposal of laptop computers, it did not adequately document that all sensitive or classified information had been sanitized prior to their disposal.

In our follow-up audit we noted improvements in the areas of conducting physical inventories and reconciling property records to the financial records. However, we identified continuing weaknesses in several areas. Specifically, the FBI failed to adequately: (1) maintain records on how many of its laptop computers were authorized to process classified information; (2) improve its documentation of the disposal of excess laptop computers and hard drives to ensure that all sensitive or classified information had been sanitized prior to disposal; (3) report weapon and laptop losses to the DOJ; (4) improve the process to ensure that property is recovered from employees before they leave FBI service; and (5) adhere to its policy on property storage.

Physical Inventories

The FBI’s regulations require an annual inventory of all sensitive capitalized assets and sensitive property items, which include weapons and laptop computers. The FBI is also required to conduct a full inventory of all property and equipment every 2 years.

During our follow-up audit, we reviewed FBI-wide inventory reports for the years 2003 through 2005. We noted that the FBI had completed biennial inventories of all accountable property and annual inventories of sensitive items, including weapons and laptop computers.

Reconciling Property Records to the Financial System

In our 2002 audit report, we determined that the FBI’s financial system was not fully integrated with the Property Management Application. As a result, the financial and property management systems did not automatically verify whether the number of items actually purchased agreed with the number of items placed into inventory. We recommended that the FBI implement a policy requiring that property records be reconciled with financial records to ensure the completeness of the FBI’s property records.

In response to this recommendation, the FBI stated that the Asset Management Unit and Contract Unit would coordinate to ensure that the Property Management Application was updated manually to include purchases of non-capitalized property, including weapons and laptops. Further, FBI divisions were instructed to generate and review on-order reports on a monthly basis to ensure that newly purchased property was added to the PMA.21 In addition, the Asset Management Unit generated delinquent on-order reports and distributed them to the appropriate APOs for follow-up.

In our follow-up review, we determined that the FBI’s financial system was still not fully integrated with the PMA, although all divisions currently have the capability to generate an on-order report. In addition, we verified that FBI divisions have been instructed to generate the report on a monthly basis to review newly purchased property that should be placed in the PMA. We also noted that the Asset Management Unit generates delinquent on-order reports and distributes all copies to the APOs for follow-up.

As a result of our follow-up review, we concluded that the FBI had implemented a sufficient policy requiring that property records be reconciled to the financial records to ensure the property records are complete.

Accuracy and Completeness of Property Records in the PMA

In our 2002 audit, we performed two tests to determine the accuracy and completeness of the PMA. We judgmentally selected weapons and laptop computers from the PMA and physically verified their existence. We also judgmentally selected items that were physically located at selected field and headquarters offices and traced them to the PMA. In our 2002 audit the FBI was able to provide all weapons and laptop computers for our physical verification.

During our follow-up audit, we performed the same two tests to determine the accuracy and completeness of the PMA. First, we selected a random sample of 497 weapons and 477 laptop computers from the PMA and physically verified their existence. We evaluated property records and property management activities at FBI headquarters and offices in New York, New York; Los Angeles, California; Washington, D.C.; Chicago, Illinois; and Miami, Florida.22 The FBI was able to provide all weapons and laptop computers for our physical verification, except for one weapon and two laptop computers assigned to FBI headquarters, for which the FBI provided confirmations of their existence.

We also tested the completeness of the property records by selecting a sample of 10 weapons and 10 laptop computers held at each of the field offices. We reviewed and traced them to the PMA and found no discrepancies.

Reporting Requirements for Laptop Computers Containing NSI

The DOJ’s Office of the Chief Information Officer (CIO) requires the FBI to report the number of laptop computers it has authorized for processing classified information. During our follow-up audit, we requested but did not receive from the FBI or the DOJ CIO these required reports. FBI officials told us that they did not keep records related to the classification level of each laptop, and the DOJ CIO confirmed that the FBI had not submitted the report. Further, the DOJ Office of the CIO stated that it had requested that the FBI submit the report by June 4, 2006. When we contacted DOJ CIO on June 12, 2006, we determined that the FBI had not submitted the report.

In September 2006, the FBI provided us with a list containing classification levels for 1,925 of its approximately 25,000 laptop computers. According to the FBI, it deployed a software application in June 2006 to register all FBI electronic devices. The application requires users to register their assigned devices and to indicate the security classification of each device. FBI officials told us that they are in the process of completing the registration for the remaining 23,000 laptops.

Reporting Losses to DOJ

DOJ Semiannual Theft Reports

DOJ regulations require all components to submit to DOJ semiannual reports summarizing loss of government property that occurred in the preceding six months from January 1 and July 1 of each year. In our 2002 audit, we found that four of the five semiannual reports submitted by the FBI to the DOJ were submitted late, ranging from 6 to 106 days. In addition, the semiannual reports were inaccurate with respect to the number of weapon and laptop losses. We recommended that the FBI submit complete, accurate, and timely semiannual reports to the DOJ Security Officer. The FBI agreed with our recommendation.

However, in this follow-up audit, we found that one required report was not submitted at all, and all of the submitted reports were incomplete and inaccurate. For example, in its semiannual reports the FBI reported to the DOJ only 106 lost or stolen weapons compared to the 160 we found in our review, and 97 laptop computer losses compared to the 160 we found in our review. Further, only three of the seven laptop computers that were identified as having sensitive or classified information were reported to DOJ. The remaining four were not reported in the semiannual reports. In our judgment, the FBI has not adequately improved its procedures relating to timely and accurate semiannual reports of losses of government property.

DOJCERT

DOJ regulations also require all components to submit immediate reports summarizing computer security incidents involving the loss of both classified and unclassified systems to the Department of Justice Computer Emergency Response Team (DOJCERT). The DOJCERT assists in handling computer security incidents throughout DOJ.23

We contacted DOJCERT officials to determine if the FBI submitted the required incident reports for the 160 laptop computers that were identified as lost or stolen during our review period. We determined that of the 160 laptops that FBI reported as lost or stolen during the 44-month review period, it had only submitted one incident report to the DOJCERT. This incident report contained information regarding a laptop computer that contained sensitive information reported stolen from the FBI’s Criminal Justice Information Services (CJIS) Division on June 24, 2005. The FBI did not report any of the other lost or stolen laptop computers to the DOJCERT, including the other 9 that the FBI believed contained sensitive or classified information.

We asked the FBI’s Enterprise Security Operations Center (ESOC), the unit responsible for submitting incident reports summarizing computer losses, why only one incident was reported to the DOJCERT. In response, the ESOC officials stated that prior to an OMB memorandum, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, dated July 12, 2006, the FBI was only responsible for submitting incidents to the DOJCERT that pertained to the loss of Personally Identifiable Information. However, as stated previously, as a result of our review we identified a stolen laptop containing the names, addresses and phone numbers of FBI personnel that was not reported to the DOJCERT. Further DOJCERT officials confirmed that the reporting of incidents involving the loss of both classified and unclassified systems to the DOJCERT has been a requirement since the inception of the United States Computer Emergency Readiness Team (US-CERT) in 2003.24

Disposal of Weapons and Laptop Computers

In our 2002 audit report, we found that the documentation for laptop disposals did not identify whether hard drives were properly destroyed and disposed of and were free of classified information. We recommended that the FBI improve its documentation of outdated, damaged, or excess laptop computers and hard drives that have been discarded.

To determine if the FBI improved its documentation of laptop disposals, we requested the disposal records for a sample of excessed hard drives at each of the five field offices we visited during our follow-up audit. We found that the FBI field offices did not retain documentation indicating whether it removed hard drives from excessed laptop computers and sent them to FBI headquarters for disposal. Officials at several of the field offices told us that they believed the proper procedure had been followed for laptop disposal, but they could not provide evidence of this. Therefore, we could not confirm whether the FBI was ensuring that the laptops it disposed of were properly sanitized of sensitive or classified information.

Exit Procedures for Departing Employees

During our 2002 audit, we found indications that the FBI was not recovering all issued weapons and laptops from employees prior to their departure from the organization. We recommended that the FBI strengthen procedures to ensure that departing employees return all property that had been issued to them or reimburse the government for the cost of such property. In response to the recommendation, the FBI revised its policy and distributed an electronic communication to all employees who were leaving, notifying them that they could be held accountable for lost or stolen FBI property.

During our follow-up review, we judgmentally selected the files of 50 former employees and reviewed the corresponding Forms FD-281 and FD-193s for both weapons and laptops issued to each of the 50 employees.25 The FBI could provide only 19 Forms FD-281 for weapons and laptop computers, and only 32 of the required 50 Forms FD-193. Based on our overall review of the 160 weapon losses, we concluded that four of the lost or stolen weapons were the result of an agent leaving the FBI and not returning their weapon. In our judgment, the FBI has not sufficiently strengthened its exit processing for departing employees.

Conclusions and Recommendations

The FBI has made progress in decreasing the rate of loss for weapons and laptops, although it still has a significant number of FBI weapons and laptops lost or stolen each year. Moreover, several of the missing laptops contained sensitive information, and the FBI’s documentation does not indicate how many of the other missing laptops contained sensitive or classified information.

Our audit also found that the FBI has not taken sufficient corrective action on several recommendations contained in our 2002 audit report. We determined that FBI is not reporting lost or stolen weapons and laptops as required. T he FBI also is not consistently entering losses of weapons into NCIC or ensuring that all departing employees turn in their weapons.

Our audit report contains 13 recommendations to the FBI related to ensuring compliance with FBI policies and reporting requirements, as well as ensuring that weapon and laptop losses are appropriately reported and investigated. For example, the FBI needs to ensure that employees report the contents of lost laptop computers on the FD-500, that the FBI timely and accurately reports losses of laptops to DOJ, that all lost or stolen weapons are entered into NCIC, and that that all departing employees return FBI property.


Footnotes

  1. Department of Justice, Office of the Inspector General. Audit Report 02-27, The Federal Bureau of Investigation’s Control over Weapons and Laptop Computers, August 2002.

  2. NCIC is a computerized index of criminal justice information, including criminal history information, fugitives, stolen property, and missing persons, that is available to federal, state, and local law enforcement and other criminal justice agencies.

  3. The problems in the Immigration and Naturalization Service (INS) were comparable, but INS functions were transferred to the Department of Homeland Security in 2003.

  4. Appendix I contains more information on the current audit’s objectives, scope, and methodology.

  5. Appendix II contains more information on the current audit’s sampling design.

  6. Because the audit periods were different lengths, we analyzed the rate of loss on a monthly basis.

  7. Our review period for the 2002 audit covered 28 months, from October 1, 1999, to January 31, 2002. Our review period for our follow-up audit covered 44 months, from February 1, 2002, to September 30, 2005.

  8. The FBI objected to the inclusion of 43 of these 160 weapons because while they were reported as lost or stolen during our 44 month follow-up period, the loss actually occurred before our follow-up period. We did not delete these weapons from the table because: (1) the losses were not categorized as such in the FBI's official property management system until after the beginning of our follow-up period, (2) our approach in the follow-up audit was consistent with our approach in the 2002 audit, which also included weapons that were reported as lost or stolen during our review period, (3) none of these 43 weapons were included in the 354 lost or stolen weapons reported in the 2002 audit, (4) to delete them would give the appearance that the FBI had 43 fewer lost or stolen weapons than was actually the case.

  9. Since the issuance of our initial audit report in 2002, the FBI reorganized OPR and the Inspection Division. In February 2004, the FBI transferred the responsibility for investigations of alleged employee misconduct from OPR to the Inspection Division. The OPR continues to be responsible for adjudicating disciplinary matters.

  10. The Form FD-500 was updated on July 24, 2002, to include new fields. An additional 47 FD-500’s submitted prior to July 24, 2002 did not contain critical information such as the date of loss, NCIC entry, and whether OPR was notified.

  11. An additional 21 Forms FD-500 submitted prior to July 24, 2002 did not contain critical information such as the date of loss, NCIC entry, and whether OPR was notified.

  12. For more detail on the lost and stolen weapons and laptops, see Appendices III through VI.

  13. In addition to the 43 laptop losses for which the Forms FD-500 were not marked to indicate whether the laptops contained or did not contain sensitive or classified information, there were 8 laptop losses for which the Property Management Unit did not retain the Forms FD-500 and had no information on whether these laptops contained or did not contain sensitive or classified information. Therefore, we combined these 8 laptop losses to the 43 and discuss the FBI’s response to these losses in more detail later in our report in the 51 Laptop Losses section.

  14. According to the FBI Security Handbook, sensitive information is information that, if disclosed, could adversely affect the ability of the FBI to accomplish its mission. Examples of sensitive information might be the identity of undercover agents, names of people under investigation, tax return information, or personal data on individuals. Classified information (National Security Information) is information that has been determined pursuant to Executive Order 12958 or any predecessor order to require protection against unauthorized disclosure and is marked to indicate its classified status when in documentary form. For further details on the classification levels of Classified National Security Information see Appendix XVII.

  15. See Appendix IV for a detailed description of the disciplinary action taken relating to the 160 FBI laptops that we identified in our follow-up audit as being lost or stolen.

  16. A more detailed analysis can be found in Appendix VII.

  17. Eight of these 22 laptops were not assigned to an employee.

  18. Personally Identifiable Information is information about an individual maintained by an agency, including, but not limited to, their education, financial transactions, medical history, and criminal or employment history, as well as information which can be used to distinguish or trace an individual's identity, such as their name, social security number, date and place of birth, mother’s maiden name, biometric records, or other personal information which is linked or linkable to an individual.

  19. In our prior audit, we did not determine whether lost or stolen laptop computers were entered into NCIC because at the time the FBI had no requirement to enter this information into NCIC.

  20. When we began our follow-up audit, there were over 10,000 laptops that were not specifically assigned to FBI personnel. All laptop computers are required to be charged out in the PMA and assigned to individuals in an effort to strengthen accountability and minimize unexplained losses. We found that as of March 2006, 37 percent of the FBI’s laptop computers had not been recorded as being assigned to individuals. However, after we inquired about this issue in March 2006, the FBI made a significant effort to assign the laptop computers to specific individuals. Therefore, as of May 2006 less than 1 percent of the FBI’s laptop computers were not assigned to individuals.

  21. An on-order report reflects capitalized and non-capitalized property valued at $1,000 and above, and also sensitive property that should be placed in the PMA.

  22. The universe of weapons and laptop computers for each audited location and details of our sample, by property type, location, and type of test, appear in Appendix II.

  23. According to the DOJCERT, computer security incidents are any unexpected, unplanned event that could have a negative impact on IT resources. Computer security incidents can include the loss of both classified and unclassified systems, unauthorized removal of computer equipment, and exploited weaknesses in a computer system that allows unauthorized access to password files.

  24. The United States Computer Emergency Readiness Team (US-CERT) is a partnership between the Department of Homeland Security and the public and private sectors. Established in 2003 to protect the nation's Internet infrastructure, US-CERT coordinates defense against and responses to cyber attacks across the nation.

  25. The Receipt for Government Property form (Form FD-281) is used for documenting both the receipt and return of government property. The Report of Exit and Separation form (Form FD-193) documents a variety of actions that must be completed upon an employee’s departure.


« Previous Table of Contents Next »