Independent Evaluation Pursuant to the Government Information Security Reform Act
Fiscal Year 2002

The United States Marshals Service's Warrant Information Network

Report No. 03-03
November 2002
Office of the Inspector General


EXECUTIVE SUMMARY

The mission of the United States Marshals Service (USMS) is to protect the Federal courts and ensure the effective operation of the judicial system. Specifically, the USMS is responsible for providing protection for the federal judiciary, transporting federal prisoners, protecting endangered federal witnesses, and managing assets seized from criminal enterprises.

The Warrant Information Network (WIN) contains the warrant, court records, internal correspondence related to the warrant, and other information on individuals for whom federal warrants have been issued. WIN is used to track the status of all federal warrants to aid in the investigations of all federal fugitives. It is also used to access the National Law Enforcement Telecommunication System (NLETS) and National Crime Information Center (NCIC) systems to obtain criminal record information from other federal, state, local and foreign law enforcement agencies participating in or cooperating with USMS fugitive investigations and apprehension efforts and to update the respective systems with new prisoner information.

WIN is accessed by both USMS district offices and headquarters users through the Marshal Network (MNET). MNET is the backbone unclassified network for USMS operations. MNET is a sensitive but unclassified system that provides office automation tools to USMS personnel in carrying out their worldwide mission. MNET is accessible from field sites and from certain other federal agencies and commercial organizations.

The Office of the Inspector General (OIG) was required by the Government Information Security Reform Act (GISRA) to perform an independent evaluation of the United States Department of Justice (Department) information security program and practices. The OIG selected WIN as one of five sensitive but unclassified systems to review pursuant to GISRA for the fiscal year 2002. However, because of WIN's dependence on MNET, audit work was expanded to include MNET as well.

Under the direction of the OIG and in accordance with Government Auditing Standards, PricewaterhouseCoopers LLP (PwC) performed the audits of WIN and MNET. This report contains the audit results of the WIN and MNET systems. Separate reports will be issued for each of the other systems evaluated pursuant to GISRA, including three systems that process classified information.

The audit took place from June through July 2002 and consisted of interviews, on-site observations, and reviews of Department and component documentation to assess WIN's and MNET's compliance with GISRA and related information security policies, procedures, standards, and guidelines.1 We2 used commercial-off-the-shelf and proprietary tools to conduct vulnerability tests and analysis of significant operating system integrity and security controls.

The interviews were conducted using the questionnaire contained in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-26, "Security Self-Assessment Guide for Information Technology Systems." This questionnaire contains specific control objectives and suggested techniques against which the security of a system or group of interconnected systems can be measured. The questionnaire contains 17 areas under 3 general controls (management, operational, and technical). The areas contain 36 critical elements and 225 supporting security control objectives and techniques (questions) about the system. The critical elements are derived primarily from the Office of Management and Budget (OMB) Circular A-130 and are integral to an effective information technology (IT) security program. The control objectives and techniques support the critical elements. If a number of the control objectives and techniques are not implemented, the critical elements have not been met.

The independent auditors assessed management, operational, and technical controls at a high risk to the protection of the WIN and MNET networks from unauthorized use, loss, or modification. Specifically, we identified vulnerabilities in 16 of the 17 control areas as indicated in the chart below:

CONTROL AREAS3 VULNERABILITIES
NOTED
Management Controls  
1. Risk Management  
2. Review of Security Controls X*
3. Life Cycle X*
4. Authorize Processing
(Certification and Accreditation)
X*
5. System Security Plan X*
Operational Controls  
6. Personnel Security X*
7. Physical and Environmental Protection X*
8. Production, Input/Output Controls X*
9. Contingency Planning X*
10. Hardware and Systems Software Maintenance X*
11. Data Integrity X*
12.  Documentation X*
13.  Security Awareness, Training, and Education X*
14. Incident Response Capability X*
Technical Controls  
15. Identification and Authentication X*
16. Logical Access Controls X*
17. Audit Trails X*
Source:  The OIG’s FY 2002 GISRA audit of WIN and MNET.
X* Significant vulnerability in which risk was noted as high.  A high-risk vulnerability is defined as one where extremely grave circumstances can occur by allowing a remote or local attacker to violate the security protection of a system through user or root account access, gaining complete control of a system and compromising critical information.

As a result of the findings identified in this report, we are providing recommendations for improving WIN and MNET systems to ensure that WIN and MNET management:

Because of the significant vulnerabilities noted in this report, it is critical that the USMS take immediate corrective action on the above recommendations. We identified significant vulnerabilities in all but one control area. Specifically, we noted vulnerabilities in the following areas: review of security controls, life cycle, authorized processing, system security plan, personnel security, physical and environmental security, production and input/output controls, contingency planning, hardware and systems software maintenance, data integrity, documentation, security awareness, incident response capability, identification and authentication, logical access controls, and audit trails. We assessed these vulnerabilities as a high risk to the protection of WIN and MNET systems from unauthorized use, loss, or modification. If not corrected, certification and accreditation to operate the WIN and MNET systems should be rescinded until all vulnerabilities are corrected.

We concluded that these vulnerabilities occurred because WIN and MNET management did not fully develop, enforce, or formalize agency-wide policies in accordance with current Department policies and procedures. Additionally, we believe the Department did not enforce its security policies and procedures to ensure that WIN and MNET systems were protected from unauthorized use, loss, or modification through the Department's certification and accreditation process. Furthermore, we believe many of the vulnerabilities identified during this audit could have been prevented if WIN and MNET management had followed-up on corrective actions for similar vulnerabilities identified in previous years.


Footnotes

  1. In a September 1997 audit, report number 97-26, the OIG recommended that the Department develop effective computer security program guidance. The Department then revised its policy and released DOJ Order 2640.2D in July 2001, which was used in the analysis of this year's review.
  2. In this report, "we" refers to either the OIG or to PwC working under the direction of the OIG.
  3. Control Areas as described in the NIST SP 800-26 "Security Self-Assessment Guide for Information Technology Systems."