Processing Classified Information on Portable Computers in the Department of Justice

Audit Report 05-32
July 2005
Office of the Inspector General


Appendix IV

Chief Information Officer’s Response to the Audit Recommendations



U. S. Department of Justice
Washington, D.C. 20530

JUN 21 2005


MEMORANDUM FOR GLENN A. FINE
INSPECTOR GENERAL
FROM: Vance E. Hitch
Chief Information Officer
SUBJECT: Response to DRAFT Inspector General Report on Processing Classified Information on Portable Computers in the Department of Justice

We have reviewed your draft report on the processing of classified information on portable computers in the Department and we have several comments to offer.

The Department of Justice Security Program Operating Manual (SPOM), November 3, 2004 contains a number of requirements that specifically apply to classified laptop and standalone computers, in addition to those requirements stated in IT Security Standard 1.6, Classified Laptop and Standalone Computers. Where applicable in our response, reference will be made to the appropriate section of the SPOM.

Finding #1 - Standard 1.6 Has Inappropriate References and is Incomplete

    OIG Recommendation: Remove any references to statute, policy, or procedures that are not applicable to processing classified information.

    OCIO Response: We concur. The next release of the Standard 1.6 will remove references that are not applicable to classified information. The standard is currently being revised and will be released for component review by July 30, 2005. The revised standard will be finalized by September 30, 2005.

    OIG Recommendation: Address systems in accordance with policy from the Committee on National Security Systems for Classified National Security Information independently from the Director of Central Intelligence Directives for Sensitive Compartmented Information.

    OCIO Response: We concur. The contents of Standard 1.6 are consistent with the best practices embodied in documentation published by the Committee on National Security Systems for Classified National Security Information and the Director of Central Intelligence Directives for Sensitive Compartmented Information (SCI). ITSS will ensure that the revised version of Standard 1.6 clearly indicates which requirements are applicable only to non-SCI computers and which requirements are applicable only to SCI computers. The standard is currently being revised and will be released for component review by July 30, 2005. The revised standard will be finalized by September 30, 2005.

    OIG Recommendation: Indicate what policy applies when classified portable computers are allowed to be connected to classified networks.

    OCIO Response: We concur. Standard 1.6 was not intended to apply when classified portable computers are allowed to be connected to classified networks. Such computers would be subject to the requirements contained in the DOJ Security Program Operating Manual (SPOM) and the other DOJ IT Security Standards. An appropriate statement that identifies the relevant policies for classified portable computers when those computers are allowed to be connected to classified networks will be added to Standard 1.6. The standard is currently being revised and will be released for component review by July 30, 2005. The revised standard will be finalized by September 30, 2005.

    OIG Recommendation: Refer to Attachment 2 (Security Acknowledgment Statement for System Administrators) in the body of the policy and delineate the process for reviews of the security configuration by independent testers and validation of the system security by certification agents.

    OCIO Response: We concur. The next release of Standard 1.6 will include an appropriate reference in the body of the policy and will delineate the process for reviews of the security configuration by independent testers and validation of the system security by certification agents. The standard will also refer to the requirements for independent testing that are contained in the ITS Standard 2.6. Standard 1.6 is currently being revised and will be released for component review by July 30, 2005. The revised standard will be finalized by September 30, 2005.

    OIG Recommendation: Refer to Attachment 5 (Sample Classified Computer Usage Log) in the body of the policy and provide written instructions for the preparation and retention of the log.

    OCIO Response: We concur. ITSS will determine the most appropriate way to reference Attachment 5 in the body of the policy. This reference will require use of the log and will allow the Authorizing Official to accept the risk for not using the log after a risk-based decision. The standard is currently being revised and will be released for component review by July 30, 2005. The revised standard will be finalized by September 30, 2005.

Finding #2 - Increasing Efficiency When Processing Classified Information on Portable Computers

    OIG Recommendation: Consider the use of removable hard drives for processing both classified and unclassified information on the same portable computer by using two separate removable hard drives. This would require that the hard drive become the classifiable device instead of the portable computer and that appropriate security safeguards be developed.

    OCIO Response: We concur. This has been a proven process in the past. This scenario is explicitly supported by section 8-304 in the SPOM. The next release of Standard 1.6 will support this concept of operations. The standard is currently being revised and will be released for component review by July 30, 2005. The revised standard will be finalized by September 30, 2005.

    OIG Recommendation: Document the process that gives DOJ components the flexibility to incorporate safeguards through new type accreditations to protect classified computers from unauthorized access.

    OCIO Response: We concur. ITSS will update Standard 1.6 to encourage components to utilize a type accreditation for non-networked classified computers. ITSS will add a section to Standard 1.6 to address accreditation requirements and endorse the concept of type accreditation for non-networked classified computers. Reference will be made to the JMD type accreditation package and that components have the flexibility to incorporate appropriate additional safeguards to protect classified computers from unauthorized access. Standard 1.6 is currently being revised and will be released for component review by July 30, 2005. The revised standard will be finalized by September 30, 2005.

    OIG Recommendation: Adopt the encryption standard specified by the Committee on National Security Systems.

    OCIO Response: We concur. The Committee on National Security Systems (CNSS) requires the use of Type I encryption to protect the transmission of classified information over public data lines and other non-secure channels. ITSS will contact the National Security Agency (NSA) during July 2005 to determine the current status of initiatives to develop encryption standards for data stored on classified computers. To the extent that such standards are available from the CNSS and NSA, Standard 1.6 will be revised to reference these encryption standards. The standard is currently being revised and will be released for component review by July 30, 2005. The revised standard will be finalized by September 30, 2005.

    OIG Recommendation: Consider enhancing security by writing policy to limit classified data on a hard drive to what is necessary to accomplish the mission.

    OCIO Response: We concur. The next update of Standard 1.6 will specifically address this recommendation. The standard is currently being revised and will be released for component review by July 30, 2005. The revised standard will be finalized by September 30, 2005.

    OIG Recommendation: Consider enhancing security by programming the computer to send a message to the system administrator if a computer with a classified hard drive is connected to the Internet.

    OCIO Response: We concur. The OCIO is working with other agencies and industry to find ways to enhance security across the DOJ. This would include mechanisms to securely notify the system administrator if a computer with a classified hard drive was connected to the Internet. The ITSS will send a request to the Department of Homeland Security Science and Technology Directorate by July 30, 2005 requesting that the DHS issue guidance about such capabilities.

    OIG Recommendation: Consider enhancing security by installing an electronic device on portable computers to track the equipment in the event it is lost or stolen.

    OCIO Response: We concur. At this time, it appears that such tracking mechanisms require a substantial facilities infrastructure that could not be justified to track a limited number of classified computers. In addition, any such device that includes a transmitter is not permitted in Sensitive Compartmented Information Facilities (SCIFs). ITSS will send a request to the Department of Homeland Security Science and Technology Directorate by July 30, 2005 requesting that the DHS issue guidance about such tracking mechanisms.

    OIG Recommendation: Create a new label for portable computers that indicates the computer may contain classified information, but is also cleared to process unclassified information.

    OCIO Response: We concur. Section 8-304 of the November 2004 version of the DOJ Security Program Operating Manual (SPOM) addresses the labeling of computers that use removable drives to switch between classified operations and unclassified operations. The SPOM requires the use of different banners to be displayed on computer screens for unclassified and classified processing. The next version of Standard 1.6 will reference this section of the SPOM. The standard is currently being revised and will be released for component review by July 30, 2005. The revised standard will be finalized by September 30, 2005.

Thank you for the opportunity to review the draft report. If you have any questions or require additional information, please contact Kevin Deeley on (202) 353-2421 or via email at kevin.deeley@usdoj.gov.