Processing Classified Information on Portable Computers in the Department of Justice

Audit Report 05-32
July 2005
Office of the Inspector General


Appendix V

Office of the Inspector General, Audit Division,
Analysis and Summary of Actions Necessary to Close Report


Recommendation Number:

  1. Resolved. The Office of the Chief Information Officer (OCIO) agreed with our recommendation. The OCIO will revise Standard 1.6 to remove any reference to statutes, policies, or procedures that is not applicable to classified information processing. The OCIO expects that the next revision of Standard 1.6 will be finalized by the end of September 2005. To close this recommendation, the OCIO should provide us a draft copy of the Standard 1.6 revision.

  2. Resolved. The OCIO agreed with our recommendation. The OCIO will revise Standard 1.6 to address systems according to policy from the Committee on National Security Systems (CNSS) for Classified National Security Information independently from the Director of Central Intelligence Directives for Sensitive Compartmented Information (SCI). The OCIO stated that the Standard 1.6 revision will indicate the requirements applicable to both non-SCI and SCI computers. To close this recommendation, the OCIO should provide us a draft copy of the Standard 1.6 revision.

  3. Resolved. The OCIO agreed with our recommendation. The OCIO will revise Standard 1.6 to indicate what policies apply when classified portable computers are allowed to be connected to classified networks. The OCIO stated that it will add a statement identifying relevant policies to connect classified portable computers to classified networks to the revised Standard 1.6. To close this recommendation, the OCIO should provide us a draft copy of the Standard 1.6 revision.

  4. Resolved. The OCIO agreed with our recommendation. The OCIO will revise Standard 1.6 to both reference Attachment 2 (Security Acknowledgement Statement for System Administrators) and delineate the process used to review the security configuration by independent testers and validate system security by certification agents. To close this recommendation, the OCIO should provide us a draft copy of the Standard 1.6 revision.

  5. Resolved. The OCIO agreed with our recommendation. The OCIO will revise Standard 1.6 to reference Attachment 5 (Sample Classified Computer Usage Log) and provide written instructions for the preparation and retention of the log. The OCIO also stated that a reference to Attachment 5 will require use of the log and allow an Authorizing Official to accept the risk for not using the log after a risk-based decision. To close this recommendation, the OCIO should provide us a draft copy of the Standard 1.6 revision.

  6. Resolved. The OCIO agreed with our recommendation. The OCIO will revise Standard 1.6 to include the use of removable hard drives for processing both classified and unclassified information on the same portable computer by using two separate removable hard drives. To close this recommendation, the OCIO should provide us a draft copy of the Standard 1.6 revision.

  7. Resolved. The OCIO agreed with our recommendation. The OCIO will revise Standard 1.6 to encourage components to use an accreditation process for non-networked classified computers. To do this, the OCIO will add a section to Standard 1.6 addressing accreditation requirements and endorsing the concept of type accreditation for non-networked classified computers. Additionally, the OCIO stated that a revised Standard 1.6 will allow components the flexibility to incorporate appropriate additional safeguards to protect classified computers from unauthorized access. To close this recommendation, the OCIO should provide us a draft copy of the Standard 1.6 revision.

  8. Resolved. The OCIO agreed with our recommendation. In July 2005, the OCIO will contact the National Security Agency (NSA) to determine the current status of initiatives developing encryption standards for data stored on classified computers. Additionally, the OCIO will revise Standard 1.6 to reference both CNSS and NSA encryption standards. To close this recommendation, the OCIO should inform us of the outcome of NSA discussions regarding standards for data stored in classified computers and provide us a draft copy of the Standard 1.6 revision.

  9. Resolved. The OCIO agreed with our recommendation. The OCIO will revise Standard 1.6 to address limiting classified data on hard drives. To close this recommendation, the OCIO should provide us a draft copy of the Standard 1.6 revision.

  10. Resolved. The OCIO agreed with our recommendation. In July 2005, the OCIO will send a request to the Department of Homeland Security (DHS) Science and Technology Directorate to request guidance regarding mechanisms to securely notify system administrators when classified hard drives are connected to the Internet. To close this recommendation, the OCIO should inform us of the outcome of the DHS request.

  11. Resolved. The OCIO agreed with our recommendation. In July 2005, the OCIO will send a request to the DHS Science and Technology Directorate regarding tracking mechanisms. However, the OCIO commented that tracking mechanisms appear to require substantial infrastructure that may not be justified to track a limited number of classified computers. To close this recommendation, the OCIO should inform us of the outcome of the Department of Homeland Security request concerning tracking mechanisms.

  12. Closed. The OCIO agreed with our recommendation. The OCIO indicated that the Security Program Operating Manual (SPOM) now addresses the labeling of computers using removable drives to switch between classified and unclassified operations. Different banners will be displayed on computer screens for unclassified and classified processing.


