Follow-up Review of the FBI’s Progress Toward Biometric Interoperability Between IAFIS and IDENT
Evaluation and Inspections Report I-2006-007
Office of the Inspector General
Since our December 2004 report, the FBI has taken a series of actions to lessen the risk of criminal aliens or terrorists entering the United States. For example, the FBI has begun implementing the first phase of the IPT’s interoperability plan and has initiated improvements to IAFIS. Specifically, the FBI has increased the frequency of its transmissions to the DHS of the Known or Suspected Terrorists records and improved IAFIS availability, as the OIG recommended. The FBI also proactively enhanced IAFIS capacity for processing fingerprint search transactions from the DHS, improved response time for those transactions, and designated the transactions as high priority in IAFIS.
The FBI increased transmissions of Known or Suspected Terrorists records.
In a May 2, 2005, memorandum to the OIG responding to recommendations in our December 2004 report, the Department stated that the FBI had changed its process to provide Known or Suspected Terrorists records to the DHS within 7 days of establishing the record in IAFIS. In a follow-up memorandum to the OIG, the Department stated that the FBI began providing these records on a daily basis on June 24, 2005.
To ensure that the DHS was receiving the Known or Suspected Terrorists extracts on a daily basis, we asked DHS officials whether they had experienced any difficulties in receiving the information. DHS officials responded that they have been receiving the extracts without difficulty, although they commented that they do not always receive the records on a daily basis. To clarify the extracts’ frequency of transmission, we asked the Chief of the CJIS Division section responsible for the collection and transmission of the Known or Suspected Terrorists fingerprints why the DHS was not always receiving daily transfers. The Section Chief explained that with the automated extract process, IAFIS communicates with IDENT on a daily basis, but when there are no new records to send, IAFIS does not send extracts.
The FBI has improved IAFIS availability.
In our 2004 review, we found that IAFIS experienced 161 hours of downtime (about 60 percent of it scheduled and 40 percent unscheduled) from November 2003 through April 2004, resulting in an average monthly availability of approximately 96 percent during that period.79 At that time, CJIS Division officials acknowledged that the downtime exceeded the IAFIS requirement of 99-percent availability. They told us that they were working to limit scheduled downtime to four occasions per year by researching methods of installing faster software, including upgrades that could be accomplished without taking the system out of service.
In a series of memorandums responding to our recommendation that the FBI meet its 99-percent availability requirement for IAFIS, the Department described efforts to upgrade the system. In its December 16, 2004, memorandum to the OIG, the Department noted that the FBI had improved availability annually since the system became operational in 1999. The Department reiterated that the CJIS Division was working to reduce unscheduled outages through a series of software and hardware upgrades that would be completed by April 2005. In a May 2, 2005, memorandum, the Department stated that the FBI had completed many of these upgrades, but officials believed it was premature to determine how the upgrades specifically affected IAFIS availability. In an October 6, 2005, memorandum, the Department stated that the FBI’s upgrades had improved the overall system availability and that IAFIS was available to users an average of 99.3 percent of the time from May to August 2005. Specifically, the system had 361 minutes of unscheduled downtime and 873 minutes of scheduled downtime (for system maintenance and enhancements).
In our current review, we examined IAFIS availability hours and found that the system was available an average of 98.7 percent of the time from January through November 2005 and that the average availability had risen to 99.3 percent for the period following the series of improvements (May through November 2005). We found that when compared with a similar time period, IAFIS’s average availability had increased by 3.1 percent in 2005.80 However, when we reviewed the availability on a monthly basis for the period of May through November 2005 (following the IAFIS improvements), we found that June and September fell below the FBI requirement of 99 percent, as shown in Chart 1.
Chart 1: Average IAFIS Availability per Month
When we asked CJIS Division officials about the drop in availability during June and September, they explained that they performed scheduled maintenance during those months in accordance with their quarterly maintenance goals. The CJIS Division coordinates the specific time periods for that maintenance with all IAFIS users, including the DHS, so that downtime will be the least disruptive to their operations.
We found that the CJIS Division has decreased the average number of IAFIS downtime minutes by 80.7 percent – from an average of 1,618 minutes per month from November 2003 through April 2004 to 312 minutes per month from May through November 2005. Additionally, the CJIS Division has decreased the percentage of time IAFIS is down due to unscheduled outages from 40.4 percent for the period covered in our prior report to 28.8 percent for the period May through November 2005. A CJIS Division official stated in February 2006 that the CJIS Division has sustained the 99-percent average IAFIS availability since November 2005.
In addition to responding to our recommendation, the CJIS Division initiated another project to further improve IAFIS availability. In 2005, an FBI contractor began a study to identify areas where overall IAFIS availability can be improved, including improving TPRS processing for the DHS. After the review, the CJIS Division expects the contractor to propose solutions for performing quarterly maintenance without affecting the TPRS services, including performing monthly maintenance activities without (or minimizing) a service outage.
The FBI increased IAFIS capacity.
In our 2004 review, we found the existing IAFIS capacity of 8,000 daily TPRS transactions was sufficient to handle the projected DHS workload increase that would result from deployment of the integrated IDENT/IAFIS workstations. We also reported in 2004 that the CJIS Division was planning to increase IAFIS capacity to 20,000 daily TPRS transactions.81 We concluded that the current and planned IAFIS capacity was sufficient for the DHS’s workload projections through 2005, which assumed that less than 1 percent of the visitors subjected to US-VISIT (about 800 per day) would be subjected to direct IAFIS fingerprint searches at ports of entry.
However, we pointed out in our December 2004 review that DHS inspection policy states that “all subjects who are suspected of being inadmissible to the United States shall be queried through IDENT/IAFIS.” Had the DHS checked all visitors referred to secondary inspection against IAFIS, the workload would have exceeded the planned capacity of 20,000 daily TPRS transactions. According to data US‑VISIT officials provided in 2004, CBP inspectors referred an average of 22,350 visitors to secondary inspection each day between July 1, 2003, and June 30, 2004.82 Thus, we recommended that the Department coordinate with the DHS to identify the actual capacity needed.
In our current review, we found that the Department had not pursued discussions with the DHS regarding expanding IAFIS capacity beyond the 20,000 daily TPRS transactions.83 In an October 6, 2005, memorandum to the OIG, the Department stated that it did not anticipate that all visitors referred to secondary inspection would be fingerprinted and checked against IAFIS. Only those thought to be inadmissible were to be checked against IAFIS to determine whether they had a prior criminal history record. Because of the ongoing discussion with the DHS regarding interoperability, the Department stated it was premature to determine whether additional IAFIS capacity was needed. For example, if the FBI and the DHS select a shared data model for full interoperability, meaning that the DHS would be searching copies of IAFIS data, then the issue of IAFIS capacity would be eliminated. Therefore, the CJIS Division officials said they have no current plans to expand IAFIS capacity beyond its current 20,000 TPRS transactions per day.
Although the FBI has no plans to expand IAFIS capacity, the Department responded to our recommendation by identifying the costs associated with increasing IAFIS capacity beyond 20,000 daily TPRS transactions. In its October 6, 2005, memorandum to the OIG, the Department stated that while it and the DHS had not specifically identified the transaction volume that would be generated if all visitors referred to secondary inspection were searched against IAFIS, it estimated a cost of between $3 million to $10 million for each additional increment of 10,000 daily TPRS transactions.
We asked DHS officials about their current plans for submitting TPRS transactions to IAFIS. In these interviews, DHS officials stated that the DHS is not planning to expand the number of visitors in secondary inspection subjected to TPRS transactions or change the pool of visitors subjected to US‑VISIT at this time.
We analyzed FY 2005 TPRS transaction data from the CJIS Division to determine whether the current IAFIS capacity is sufficient. We found that in FY 2005, IAFIS processed an average of 4,199 daily TRPS transactions from the DHS.84 Therefore, the FBI’s IAFIS capacity of 20,000 daily TPRS transactions is more than sufficient to handle the DHS’s current average daily workload for criminal checks.
The FBI improved IAFIS response time.
The CJIS Division provides IAFIS responses to law enforcement agencies within 2 hours, but the DHS requires faster response times, particularly at Border Patrol stations that must process large numbers of apprehended aliens. According to CJIS Division documentation, its goal is to provide TPRS responses to the DHS within 2 minutes 90 percent of the time and within 3 minutes 100 percent of the time.
We found that the CJIS Division’s IAFIS upgrades increased the percentage of responses returned within 3 minutes since 2004. During the period October through December 2005, IAFIS provided 98.2 percent of the TPRS responses within 3 minutes, compared to 93.7 percent during the same 3‑month period in 2004. Even with a 6.1‑percent increase in the total number of transactions during the most recent period, IAFIS supplied faster responses for a greater percentage of transactions, especially at the 30‑second and 1‑minute intervals. For example, as shown in Table 1, there was a 132.6‑percent change in the percentage of TPRS transactions processed within 1 minute from FY 2004 to FY 2005. These upgrades allowed IAFIS to provide responses to 88.2 percent of the DHS’s fingerprint searches within 1 minute.
Table 1: Percentage of TPRS Transactions Processed
The FBI designated TPRS transactions as high priority.
To ensure that all TPRS transactions from the DHS are processed as quickly as possible, the CJIS Division created a new designation for TPRS transactions. The designation, referred to as “high priority,” means that IAFIS processes those transactions before other criminal fingerprint search transactions. On December 4, 2005, IAFIS began processing TPRS transactions as high priority.
During our 2004 review, Department officials proposed that they conduct a study to determine how many individuals whose fingerprints were in IDENT but who were not subjected to fingerprint searches against IAFIS had records in the IAFIS Criminal Master File. This population would have included both visitors subject to US-VISIT and those exempt from the US‑VISIT requirements. The study would have provided the Homeland Security Council with more information to use in making a decision on a uniform fingerprint collection methodology for foreign nationals. Department officials told us that they wanted to obtain statistically valid random samples of data from US‑VISIT and other relevant immigration databases in IDENT and search that data against IAFIS. The Department had discussed the possible study with the DHS, but the two agencies had not agreed on the parameters of the study or on the data to be sampled. Our December 2004 report recommended that the Department undertake such a study.
In response to our recommendation, the Department CIO wrote to the Director of the US‑VISIT office on March 1, 2005, to request that the DHS provide a sample of approximately 5,000 records from the US‑VISIT Enrollment and Border Crossing Card databases for comparison to IAFIS. The CIO also stated in the letter that while the process of extracting data from IAFIS into IDENT had produced valuable results in the short term, Department officials believed that other criminal aliens could be identified and therefore denied admission.85
However, after the DHS’s May 2005 decision to adopt the NIST Technology Standard, and the subsequent progress made toward achieving interoperability, the Department announced that it was no longer planning to conduct the study. In an October 6, 2005, memorandum from the Department to the OIG, the Department stated that its primary interest in pursuing the study was to encourage further efforts toward interoperability. Given the fact that the FBI and the DHS had already begun planning for full interoperability and preparing to implement the iDSM, the Department stated, “it is less imperative from [the Department’s] perspective to conduct the study.”
Nonetheless, Department officials stated that the study was still needed to assess the risk of unknowingly admitting criminal aliens into the United States, particularly those exempt from US-VISIT, and suggested to the OIG that the DHS conduct the study. Officials from the Office of the CIO and the Justice Management Division confirmed that although the Department’s interest in conducting the study had lessened, the study was still needed to assess this risk.
Once full interoperability is achieved in December 2009, the DHS will be able to use 10 fingerprints to screen the US-VISIT population against IAFIS or copies of IAFIS data. However, Department officials stated that it would be valuable to know the “hit rate” (i.e., the number of hits against IAFIS records) of individuals exempt from US‑VISIT requirements, particularly the Border Crossing Card population. Department officials explained that because these visitors are not screened against IAFIS upon entry to the United States, the DHS does not know how many may have matches in the FBI’s database. The DHS could use that information to inform future immigration policy decisions, such as whether to expand the pool of individuals to which US‑VISIT applies. Because it is the DHS’s responsibility to prevent inadmissible aliens from entering the country, Department officials asserted that the DHS, not the Department, should undertake the study.
We then asked DHS officials whether they intended to conduct a study similar to the one proposed by the Department using US‑VISIT or Border Crossing Card data. On March 29, 2006, officials from the US-VISIT office indicated that the need for conducting this study has been “overcome by events” because the DHS has already decided to implement a 10‑fingerprint standard for US-VISIT.
We believe that until full interoperability is achieved, the DHS’s policy of using IAFIS to check the fingerprints of less than 1 percent of the visitors subjected to US-VISIT will continue to create a risk that criminal aliens or terrorists could enter the United States undetected. Once full interoperability is achieved, this risk will be reduced because the visitors subjected to US‑VISIT will be checked against the full Criminal Master File. However, this risk will not be eliminated because a substantial number of visitors exempt from US-VISIT, such as Border Crossing Card holders, will not have their fingerprints searched against IAFIS.
Since our December 2004 report, the FBI and the DHS have made progress toward achieving full interoperability among IAFIS, IDENT, and US-VISIT. The DHS’s May 2005 decision to implement a 10-fingerprint enrollment standard for US-VISIT resolved the primary barrier to interoperability that we identified in 2004. Since then, the FBI and the DHS have formed an interoperability working group and began implementing the first phase of a three-phase plan to make IAFIS, IDENT, and US‑VISIT interoperable by December 2009. FBI officials stated that, a s of June 2006, they were on schedule with the interoperability plan.
In the first phase, the agencies plan to deploy the iDSM, a joint automated system for real-time sharing of key immigration and law enforcement data between the FBI and the DHS by September 2006. If successful, the iDSM will deliver the first interoperable biometric data capability between the FBI and the DHS. In the remaining two interoperability phases, the FBI and the DHS plan to enable full sharing of immigration and law enforcement records among federal, state, and local law enforcement agencies, authorized non-criminal justice agencies, and immigration officials. In addition, the decision to begin sharing immigration information with law enforcement officials through the iDSM partially resolves the second barrier that we identified in 2004.
To support full interoperability, the FBI is upgrading IAFIS to process more flat fingerprint submissions and the DHS is planning to modernize IDENT and convert US-VISIT from a 2‑ to a 10‑fingerprint system.
Moreover, the IPT is developing a cost-benefit analysis that is expected to provide an estimate of the interoperability-related expenses for the IOC development phase. The IPT plans to complete that analysis by August 2006. The interoperability-related expenses will include agency-specific initiatives needed for interoperability, such as portions of the FBI’s NGI, the DHS’s IDENT modernization, and the DHS and DOS joint implementation of a 10-fingerprint enrollment standard for US-VISIT. The final cost will also depend on which of the technical solutions the IPT chooses for full interoperability.
There are significant technological, funding, and policy issues facing the FBI and the DHS if they are to meet the scheduled completion date of December 2009 for full interoperability. We found that the FBI has identified both the broad interoperability risks and the iDSM-specific risks and has devised mitigation strategies that appear to be reasonable. However, the scope of this review did not include a thorough analysis of whether the FBI identified all potential risks to interoperability and appropriately closed or mitigated those risks. Further, although FBI officials stated that they have begun identifying potential risks to the IOC and FOC development phases, they have not completed risk analysis plans for those two phases. We therefore encourage the IPT to continue regularly monitoring the overall risks to interoperability and the iDSM, and to develop similar plans and risk mitigation strategies for the IOC and FOC phases.
The FBI has implemented interim actions since December 2004 to lessen the risk of criminal aliens or terrorists entering the United States undetected until full interoperability can be achieved. Transmitting Known or Suspected Terrorists records to the DHS daily instead of monthly allows the DHS to conduct searches of visitors’ fingerprints using the most current IAFIS extracts. Increasing IAFIS availability to 99 percent lessens the risk that the DHS could unknowingly release aliens who, though they have no criminal records in IDENT, do have criminal records in IAFIS. Also, by increasing the IAFIS capacity from 8,000 to 20,000 daily TPRS transactions, the FBI has provided a capacity that is more than sufficient to handle the DHS’s current average daily workload for criminal checks. Lastly, the FBI’s significant improvement in IAFIS response time and implementation of a high-priority designation for the DHS ensures that criminal aliens or terrorists can be identified as quickly as possible.
However, we believe that until full interoperability is achieved in December 2009, the DHS’s policy of using IAFIS to check the fingerprints of less than 1 percent of the visitors subjected to US‑VISIT will continue to create a risk that criminal aliens or terrorists could enter the United States undetected. Once full interoperability is achieved, this risk will be reduced because the visitors subjected to US‑VISIT will be checked against the full IAFIS Criminal Master File. However, this risk will not be eliminated because a substantial number of visitors exempt from US-VISIT, such as Border Crossing Card holders, will not have their fingerprints searched against IAFIS. Department officials feel that the DHS should initiate a risk analysis to determine the hit rate of these visitors.
Based on the results of our current review, we concluded that the Department and the FBI have implemented actions to address the recommendations we made in our December 2004 report and therefore we are closing them.
Nonetheless, important milestones and outstanding risks must be addressed before full interoperability among the FBI’s IAFIS and the DHS’s IDENT and US-VISIT is achieved. For example, the FBI’s risk management plan for the iDSM states that the equipment purchase must be made by June 2006, and that the equipment must be received by July 2006. The FBI has already noted that if a purchase request is delayed by even 45 days, it could cause them to miss a procurement cycle, which would push back the anticipated completion dates of each of the interoperability phases. The OIG plans to monitor the progress of the interoperability project, including the achievement of these and other milestones.Officials from the Department (including the FBI), DHS, and DOS provided informal comments on this report. Those comments reflected a general concurrence with the facts presented in this report.
|« Previous||Table of Contents||Next »|