AUTOMATED INFORMATION SYSTEMS IN THE
UNITED STATES MARSHALS SERVICE
Audit Report 97-11, (9/97)
TABLE OF CONTENTS
AUTOMATED INFORMATION SYSTEMS IN THE USMS
STATEMENT ON MANAGEMENT CONTROL STRUCTURE
STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS
APPENDIX I - SCOPE AND METHODOLOGY
APPENDIX II - USMS AUTOMATED SYSTEMS
APPENDIX IV - USMS AIS USERS SURVEY RESULTS
EXECUTIVE SUMMARY
The United States Marshals Service (USMS) enforces federal laws and provides support to the federal justice system in executing arrest warrants, maintaining custody of prisoners, providing court security, protecting witnesses, and managing seized assets. Information systems are used to collect, process, store, and transmit information critical to the USMS's mission. For FY 1996, the USMS reported expenditures of about $8.9 million for various information technology initiatives.
Prior reviews of information systems at the USMS have identified problems with planning, clearly assigning responsibilities, and timely implementing systems. We found that these and other problems continued to exist. USMS management places emphasis on staff meeting its law enforcement mission. However, because of this emphasis and the frequent shifting of priorities among information system initiatives, the management of systems to support the USMS law enforcement mission has suffered from a lack of full implementation of some systems, failure to integrate systems using like data, and lack of adequate support for users in some locations.
The Information Technology Management Reform Act of 1996 required improvements to management of information systems throughout the government. A Chief Information Officer (CIO) has been appointed and the headquarters level management of information technology has been restructured. Senior USMS management must now ensure improvements to information systems necessary to properly support the mission of the USMS.
INTRODUCTION
Our objective was to evaluate the effectiveness of planning, acquisition, implementation, and management of Automated Information Systems (AIS) in the USMS. Our audit scope and methodology are described in Appendix I.
The USMS consists of a headquarters, 94 district offices, and 224 suboffices. At headquarters, the Information Services Division is responsible for designing, implementing, and operating information systems. District offices are headed by a United States Marshal and staffed with Deputy Marshals and administrative personnel. Many district offices also have suboffices in other cities where federal courts are located. The staff in district offices and suboffices are the primary users of USMS automated systems.
Information systems are intended to support the USMS by providing law enforcement and administrative personnel with timely information on fugitive apprehension cases, prisoners under USMS control, and witnesses under USMS protection. See Appendix II for a complete list of USMS information systems.
The USMS information systems have been the subject of several prior reviews and audits. The prior reports are summarized in Appendix III.
Specific policies and a procedural approach for management of AIS in the Department of Justice are contained in DOJ Order 2830.1D, Automated Information Systems Policies. In a 1993 Office of the Inspector General (OIG) report regarding Justice Management Division (JMD) AIS procurement activities, we noted that "the Departmental AIS policies as currently written are inconsistent with current acquisition management practices and are no longer effective in guiding Departmental components in managing AIS." In 1995 JMD circulated for comment a revised DOJ Order on AIS policies. However, as of June 30, 1997, the order had not been finalized.
On July 17, 1996, the President issued an executive order implementing the Information Technology Management Reform Act of 1996. The order requires agencies to significantly improve the management of their information systems, refocus information technology management to support directly their strategic missions, rethink and restructure the way they perform their functions before investing in information technology to support that work, and establish clear accountability for information resources management activities by creating agency CIOs.
FINDINGS AND RECOMMENDATIONS
AUTOMATED INFORMATION SYSTEMS IN THE USMS
The USMS's planning for AIS generally complied with requirements, but implementation of important systems was not complete, systems using common data elements were not integrated, and the support system for users needed improvement. In addition, improvements were needed in AIS and computer security training.
We focused our audit on three USMS information systems.
· The Marshals Automated Resources to Support Headquarters and Local Systems (MARSHALS) is intended to serve as the delivery platform for USMS systems and software applications.
· The Prisoner Tracking System (PTS) is based on separate databases maintained in each district office. PTS tracks federal prisoners under USMS jurisdiction.
· The Warrant Information Network (WIN) is based on a centralized database maintained at USMS Headquarters. WIN tracks warrants on federal fugitives.
We focused our work on these systems because, in our judgment and in the judgment of USMS management, these are the most crucial systems to the accomplishment of the USMS law enforcement mission. In addition, we surveyed USMS systems users regarding their use of: Financial Management Information System (FMIS), word processing software, E-mail software, and the Seized Asset Management System (SAMS), which is being phased out by the USMS.
Planning and Implementation
We reviewed the USMS AIS Strategic Plan 1993 through 1997 and Tactical Plan 1993 through 1995. These plans were developed based on guidance provided by the JMD and were designed to ensure compliance with federal requirements for AIS.
Generally, the USMS AIS plan complied with Department requirements. However, the USMS did not implement MARSHALS, WIN, and PTS as originally described in their AIS plan. Also, the WIN and PTS law enforcement databases were not designed to share common data elements.
Implementation of MARSHALS
MARSHALS provides local area networks in district offices and suboffices which are connected through a wide area network. MARSHALS was designed to serve as a platform for providing office automation software such as word processing and E-mail. MARSHALS was also designed to serve as a gateway for providing USMS employees with access to USMS law enforcement and administrative automated systems. As of February 1997, MARSHALS was implemented in 63 district offices, 6 headquarters locations, and 2 additional sites. MARSHALS has not been implemented in the remaining 31 district offices and their suboffices1.
In the past there had been uncertainty of authorization and funding of the continued implementation of MARSHALS. USMS officials told us that in FY 1996 the USMS increased funding levels for AIS activities, and USMS has committed to the completion of the MARSHALS networking project for all districts in FY 1997. They also told us that additional district office installations have been accomplished with existing Information Services Division staff and a General Services Administration contract for wiring.
The Department gave USMS approval for their request to expend about $13 million for MARSHALS. However, as of the end of our audit work, the USMS had expended only $7.8 million on MARSHALS.2 USMS officials were unable to explain the status of the $5.2 million authorized but not expended.
Implementation of WIN and PTS
The USMS originally planned to provide direct access to WIN in all 94 district offices. However, development of WIN was drastically curbed in FY 1988 when the USMS determined to integrate WIN with other databases. In January 1997, the CIO told us that the personnel shortage to support WIN has been remedied; and a new version of WIN is expected to be implemented, providing WIN capability to the 63 districts, 6 headquarters locations and 2 additional sites with MARSHALS installed in 1997.
The PTS has been installed in all district offices; however, the system is primarily a district office database which cannot share data with other USMS district offices. The offices with MARSHALS connection can view or print a limited subset of another district office's prisoner database but cannot copy and transmit the files. The remaining non-networked district offices cannot electronically access any other district's PTS files. Without the ability to electronically share files, all data must be entered separately by each office. In our judgment, the lack of a coordinated link of PTS data prevents USMS staff from maximizing the use of electronic data.
Integration of WIN with PTS
We found that WIN and PTS were not integrated. Specifically, related law enforcement information contained in both systems was not available through a common interface. Users had to query both systems separately in order to obtain required information on fugitives and federal prisoners who were the responsibility of the USMS. Additionally, there is duplication of data entry and data redundancy. The existence of these two separate systems duplicates resources, such as data entry, computer processing, and hardware and software support. Although WIN and PTS were developed by the same contractor, no effort was made to integrate the two systems.
Integration of WIN with other systems has been proposed twice in the past. According to USMS officials, in 1988 management decided that WIN should be integrated with other systems to maximize efficiency. In 1990 the USMS proposed integrating WIN and other databases under an Offender Based Information System (OBIS). JMD reported that a requirements analysis and systems design for OBIS was completed in FY 1991 at a cost of $755,530. However, USMS officials told us that OBIS was terminated due to budgetary and other organizational causes.
The current AIS plan recommended integration of WIN and PTS to reduce the duplication of data entry and data redundancy as well as to foster data sharing. The project, similar to OBIS, combines elements from the prisoner tracking, prisoner transportation, and prisoner location databases.
In our judgment, the USMS needs to complete integration of WIN and PTS to improve the utility of these two mission critical systems. Additionally, the USMS needs to take steps that will ensure that future AIS planning and development provides full integration of electronically stored data.
The Information Services Division staff also told us that they have determined significant portions of the OBIS initiative to still be valid, and they have decided to pursue the valid portions under a new project called the Justice Detainee Information System.
The Information Services Division staff also indicated that they have taken significant steps toward the consolidation of data elements. Both the WIN and PTS have been reformulated to a common standardized database. A concerted effort has been made to upgrade district office file servers to a more modern open-system hardware environment. The telecommunication network is being modernized to provide faster and more reliable data transfer. Preliminary trials of the consolidated system, aimed at testing the validity and integrity of the WIN/PTS conversion to a single database platform, was planned for the District of Eastern Virginia during the second quarter of FY 1997.
Life Cycle Costs
DOJ Order 2830.1D requires the use of a life cycle management methodology to ensure systems are planned, developed, and operated in an efficient and effective manner at the lowest total life cycle cost. A June 1995 report by the JMD Systems Policy Staff noted that the USMS did not have a method of tracking its obligations by project or by AIS authority.
In August 1996, the USMS began tracking obligations by AIS project using commercial database software. However, that database cannot interact with USMS's financial management system. During our audit, we discussed with JMD staff the USMS's problems in tracking life cycle costs. The Assistant Director, Financial Management Systems Analysis Group, JMD, indicated to us that data fields in the Financial Management Information System (a JMD financial system used by the USMS) could be coded to track transactions by AIS project.
AIS Support
The USMS supports its AIS with a three-tiered system consisting of a Headquarters-maintained help desk, regionally-assigned senior system administrators, and district office-assigned system administrators. We found the AIS support system to be logically structured and capable of delivering appropriate services to users. However, inefficiencies in the implementation and management of the system required improvements as detailed below.
Help Desk Administration
The help desk is designed to provide phone-in technical support service similar to services provided by major hardware and software manufacturers. Help desk staff assist field users in finding solutions for local problems.
The help desk used a database to store common problems and questions identified through telephone calls from users. Each telephone call and the related questions and problems should have been entered into the database, but we found that help desk staff did not routinely enter the necessary data. Additionally, the help desk did not document the response to each problem or question and did not document the status of each request for assistance. As a result, neither we nor the USMS could directly test the timeliness and accuracy of support provided by the help desk.
We conducted a user survey (see Appendix IV for details on the survey) to ascertain user satisfaction with the help desk and the quality of service provided. After our survey, the Information Services Division staff told us that they have contracted with an independent firm for help desk services and that there has been a perceived improvement in response by users in the field. An automatic call distribution system now routes calls to the most knowledgeable help desk specialist.
Systems Administrators
The systems administrator position was a collateral duty usually assigned to either a Deputy U.S. Marshal or an administrative officer. Systems administrators manage automated systems in the district office and train other district office staff. Information Services Division staff told us that district offices were approved to hire computer specialists. In our judgment, such specialists will substantially improve the computer expertise in the districts.
In its November 1995 report on computer security at the USMS, the JMD Computer and Telecommunications Security Staff stated that the Information Services Division did not provide field office system administrators with UNIX system (network operating system) documentation or UNIX training. JMD recommended that "all field site systems administrators should be provided with UNIX system documentation and sufficient training in order to effectively manage district systems."
During the course of our audit, the Information Services Division, with the aid of a contract with a professional computer trainer, developed and began presenting additional systems administrator training on using UNIX software, customizing PC and network systems, maintaining hardware, and managing computer security. As of August 27, 1996, 23 system administrators had completed the new training. The remaining system administrators are scheduled to complete the training by July 1997. Although we did not test the new training, we reviewed the training agenda and noted that it appears sufficient to address the training needs identified by our audit and the JMD review.
Senior Systems Administrators
To provide field staff with access to computer professionals, the USMS developed a system of regional senior systems administrators. The senior systems administrators were established by the USMS in October 1993. Each senior systems administrator was located in a district office and was to travel throughout a specified region providing assistance to other district offices and suboffices. Senior systems administrators were also to serve as the systems administrators for their home district offices.
We reviewed the assignment of senior systems administrators and identified five instances where positions were not assigned in the best interest of AIS users.
· The Central District of California (Los Angeles, California)
Because this office made extensive use of AIS and needed technical support, the U.S. Marshal requested that a senior systems administrator be assigned to Los Angeles. A candidate was selected for the position but, to accommodate the personal needs of the candidate, he was assigned to the District of Arizona. Subsequently, the U.S. Marshal requested an additional systems administrator position to meet the needs of the office.
· The Southern District of Florida (Miami, Florida)
To accommodate personal needs, the candidate selected as the senior systems administrator was assigned to the West Palm Beach, Florida suboffice rather than the district office in Miami. The Supervisory Deputy U.S. Marshal told us that about 80 percent of the senior systems administrator's time was spent working for the Miami office. In addition, the senior systems administrator traveled from West Palm Beach to Miami about 39 days on temporary duty, including overnight accommodations, at the government's expense.
The Chief Information Officer told us, after completion of our work in Miami, the senior systems administrator was directed by the deputy director to relocate to the Miami office. In January 1997 the CIO told us that, subsequent to being notified of the reassignment, the individual retired from the USMS, and the vacancy was opened to all sources.
· The Northern District of New York (Utica, New York)
The District had a total of 25 staff with 10 located in Utica and the rest in suboffices. A senior systems administrator was assigned to Utica to accommodate the personal needs of the candidate selected. District office officials in Utica told us that there was no need for a senior systems administrator there. In contrast, the Southern District of New York did not have a senior systems administrator. We were told that apparently the USMS selected Utica to receive a newly acquired and updated Altos 7000 computer because Utica had a senior systems administrator assigned.
The CIO told us that, after our work in Utica, the senior systems administrator began spending about 75 percent of his time on travel status. The CIO stated that he considers the Utica, NY senior systems administrator's assigned location to be irrelevant since he is now travelling 75 percent of his time installing new MARSHALS district sites.
· The Western District of Washington (Seattle, Washington)
The Chief Deputy U.S. Marshal in Seattle (who has since been replaced) would not authorize the senior systems administrator to travel. The rationale for this policy was that the senior systems administrator was assigned to the District of Western Washington and was only responsible for that district's automated systems.
After our audit work in Seattle, the senior systems administrator began extensive travel throughout the region to install MARSHALS in other offices.
· The District of New Mexico (Albuquerque, New Mexico)
The Albuquerque senior systems administrator told us that she requested to be assigned to the Albuquerque District Office because her husband had been transferred to Albuquerque. Albuquerque was then in the region covered by the senior systems administrator in Phoenix, Arizona. Consequently, the Albuquerque senior systems administrator did not have regional responsibilities. The Albuquerque senior systems administrator told us that she lacked the necessary background and training to address network problems. In January 1997, the CIO told us that the employee has been provided with several training courses and other learning opportunities; however, there may be a learning curve to overcome.
While district office managers have line authority over the senior systems administrators and perform their annual performance evaluations, the Headquarters' Information Services Division directs their job tasks. One Chief Deputy U.S. Marshal told us that he did not feel comfortable signing travel authorizations for the senior systems administrator because he did not know the purpose or justification for the travel. The same manager told us that he was not comfortable with completing the senior systems administrator's performance evaluation because he, the manager, knew very little about computer systems.
In our user survey, we asked about satisfaction with the senior systems administrators and the quality of service provided. Users identified some concerns regarding the senior systems administrators. Thirty-nine percent of survey respondees indicated that the senior systems administrator did not routinely travel to their offices, and 24 percent neither knew the senior systems administrator nor how to obtain their assistance. However, 33 percent of users were satisfied with the speed of the senior systems administrators response to questions.
The CIO provided comments in response to our survey results. He stated that a senior systems administrator can, at best, provide adequate support to no more than two or three districts. Prior to FY 1996, funds were not allocated for travel by senior systems administrators. An additional 20 computer specialist positions are expected to be filled by the end of FY 1997.
AIS Training
In our user survey, we asked about satisfaction with AIS training and users identified significant concerns. Of the users expressing an opinion: more than half indicated that training on the MARSHALS system and computer applications such as WIN, PTS, financial management, and word processing had been inadequate; 80 percent indicated that additional training by the Information Services Division would improve their job performance; and 88 percent indicated that periodic refresher training would be beneficial.
The Information Services Division staff told us that, after completion of our survey, the USMS began pursuing a dual track strategy for training. For system users in the field, training will be focused on applications. For computer specialists, the training will be expanded to cover operating systems, programming languages, and databases.
Computer Security Training
The Computer Security Act of 1987 requires periodic training in computer security awareness and accepted computer security practice for all employees involved in the management, use, or operation of computer systems. The training should enhance employees' awareness of the threats to and the vulnerability of computer systems, and encourage the use of improved computer security practices.
To provide the required computer security training, the USMS Internal Security Division sent a copy of a video entitled "CTSS Computer Security 101 Video" to all of the USMS district offices. We reviewed computer security training records for all USMS employees at the 20 USMS offices we audited. We found that in 6 of the 20 offices there was no documentation to indicate that the staff had received computer security training in the previous 12 months.
The USMS Internal Security Division Computer Security Specialist told us that the videotape did not have the necessary impact to provide an annual reinforcement for computer security. The USMS Information Services Division is working with JMD to develop an interactive computer course to provide the required training.
Management's Perspective and Actions on AIS Management
We interviewed the Director of the USMS to obtain his perspective on management of AIS. The Director, USMS, stated that his general assessment of the USMS Information Services Division function when he first arrived indicated that Information Services Division was fragmented and there was no future vision and overall plan to get the USMS involved with the technological issues of the 21st Century. Based on his assessment, the Director selected a CIO for the department. The Director emphasized his support for the CIO and his efforts to date.
The CIO took actions upon his appointment to restructure and improve AIS management.
· Enhanced training has been provided to system administrators, senior systems administrators, Deputy U.S. Marshals, and administrative officers.
· A contract for professional Help Desk personnel has been established and new contracted personnel are staffing the Help Desk. An Automatic Call Distribution system has been implemented for Help Desk calls. Incoming calls have increased significantly and the database is being routinely maintained to document the questions asked and responses made.
· During the first year of the CIO's tenure, priority was placed on user support. Priority will now be switched over to systems development.
· AIS planning is being refocused on one and three-year plans. Pilot projects will be developed and expanded based on the success of the pilots.
· A USMS Technology Committee has been implemented as an advisory committee and a technology advocate.
· Using a personal computer database, a system for accumulating AIS life cycle costs has been established.
In our judgment, by appointing a CIO and restructuring the Headquarters level management for AIS, the USMS has taken necessary first steps to improve its management of information systems. Senior USMS management must now ensure completion of improvements to information systems necessary to properly support the mission of the USMS.
Recommendations and Status of Corrective Actions
We recommend that the Director, USMS:
1. Initiate a plan to integrate operational systems that use common data elements.
Closed. This recommendation is closed based on information provided by the USMS regarding the Justice Detainee Information System development plan, which incorporates a strategy for integrating various operational databases into a centralized system.
2. Ascertain the status of all AIS systems and update the AIS Plan to provide for full and timely implementation of systems deemed needed for operations.
Closed. This recommendation is closed based on our receipt of the portion of the AIS Plan dealing with the Justice Detainee Information System, and the USMS management commitment to implement MARSHALS and other applications in all district offices.
3. Accumulate AIS cost by project and life cycle.
Closed. This recommendation is closed based on the August 1996 USMS implementation of an internal database and life cycle cost accumulating system which will account for subsequent AIS equipment and expenditures.
4. Improve the quality of technical assistance provided in order to ensure that: (a) user problems are entered in the Help Desk database, (b) system administrators are adequately trained on USMS automated systems and are kept current on system upgrades and changes, and (c) all system users have access to senior system administrators.
Closed. The recommendation is closed because the USMS Information Service Division has addressed the management issues raised by the report as follows: (a) a contract for professional Help Desk personnel has been established and the call database is being routinely maintained as part of that contract, (b) a program incorporating Systems Administrator training has been established, and (c) a program to increase hiring of computer professionals throughout the USMS has provided users more direct access to computer specialists.
5. Provide systems users with required AIS training to address users' concerns.
Resolved. The USMS has agreed to establish a training plan which assures that new users are provided basic AIS systems training and existing users are provided continued training on system developments.
STATEMENT ON MANAGEMENT CONTROL STRUCTURE
In planning and performing our audit of the Automated Information Systems at the USMS, we considered the USMS's management control structure for the purpose of determining our auditing procedures. We did not review management controls in order to express an opinion on the management control structure. However, we noted certain matters involving the management control structure that we consider to be reportable conditions under generally accepted government auditing standards.
Reportable conditions involve matters coming to our attention relating to significant deficiencies in the design or operation of the management control structure that, in our judgment, could adversely affect the ability of the USMS to effectively monitor AIS operations. We identified a weakness in the following area:
· the USMS could not document that they provided computer training to the districts in accordance with the Computer Security Act.
Because we are not expressing an opinion on the USMS management control structure, this statement is intended solely for the information and use of USMS management in monitoring AIS operations. This restriction is not intended to limit the distribution of this report, which is a matter of public record.
STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS
We have audited the USMS AIS. In connection with the audit, and as required by the standards, we reviewed program activities and records to obtain reasonable assurance about the USMS compliance with laws and regulations that, if not complied with, we believe could have a material effect on program operations. Compliance with laws and regulations applicable to AIS activities is the responsibility of management.
An audit includes examining, on a test basis, evidence about laws and regulations. The specific laws and regulations against which we conducted our tests were: (1) the Computer Security Act of 1987 (Public Law 100-235), (2) Office of Management and Budget Circular A-130, (3) Office of Management and Budget Circular A-123, (4) the Federal Acquisition Regulation (FAR), (5) the Federal Information Resources Management Regulation, and (6) the Justice Acquisition Regulation (JAR).
Except for those issues cited in the Findings and Recommendations section of the report, our tests indicated that, for those items reviewed, the USMS was in compliance with the laws referred to above. With respect to those transactions not tested, nothing came to our attention that caused us to believe that USMS management was not in compliance with the laws cited above.
1. For these offices communication is achieved through NCIC-NLETS ACCESS - a USMS application which allows communication with the National Crime Information Center - National Law Enforcement Tracking System.
2. This amount includes FY 1995 expenditures of $650,000.
#####