Processing Classified Information on Portable Computers in the Department of Justice

Audit Report 05-32
July 2005
Office of the Inspector General


Findings and Recommendations


  1. STANDARD 1.6 HAS INAPPROPRIATE REFERENCES AND IS INCOMPLETE

    Standard 1.6 uses references to policies that were written for unclassified IT systems. Standard 1.6 does not address systems that process Classified National Security Information separately from systems that process Sensitive Compartmented Information. Furthermore, Standard 1.6 provides incomplete guidance and instruction for network connections, and two of its attachments are not referred to in the body of the policy. We recommend that Standard 1.6 be revised to reduce the difficulty that DOJ components may have when attempting to comply with Standard 1.6.

Standard 1.6 contains the following categories of specific requirements for laptops and standalone computers that store, process, or transmit National Security Information:

  • Administrative Security
  • Physical Security
  • Personnel Security
  • Identification and Authentication
  • Audit Trail and Review
  • Logical Access Control
  • Password Management
  • Software Security
  • Telecommunications Security
  • Media Security
  • Continuity of Operations
  • Incident Response
  • Encryption

Standard 1.6 also contains seven attachments: a security acknowledgement statement for authorized end-users, a security acknowledgement statement for system administrators, hardware and software configurations of classified laptop and standalone computers, a list of acronyms, a sample classified computer usage log, a sample classified computer maintenance log, and a classified laptop and standalone computer technical checklist (see Appendix III, pages 35-47 for specifics).

Our review of Standard 1.6 identified three primary areas of concern, discussed in greater detail below. Standard 1.6 uses references that apply to unclassified IT systems, does not address systems that process Classified National Security Information separately from systems that process Sensitive Compartmented Information, and provides incomplete guidance and instructions for several attachments.

Inappropriate References in Standard 1.6

Standard 1.6 uses references to policies that do not apply to portable or standalone computers that process, store, or transmit classified information (see Appendix III, page 29). The following five policy references used in Standard 1.6 do not apply to portable or standalone computers that process classified information:

  • Office of Management and Budget Circular A-130, Revised, (Transmittal Memorandum No. 4; Subject: Management of Federal Information Resources) — This Circular discusses national security systems, but states in the section titled Applicability and Scope that, “Information classified for national security purposes should also be handled in accordance with the appropriate national security directives.” Further, the Circular states, “The policies and procedures established in this Circular will apply to national security systems in a manner consistent with the applicability and related limitations regarding such systems set out in Section 5141 of the Clinger-Cohen Act (Pub. L. 104-106, 40 U.S.C. 1451).” The Clinger-Cohen Act relates to the budget process for IT systems, not the processing of classified information.

  • Federal Information Processing Standards Publication 197, Advanced Encryption Standard (FIPS 197) — FIPS 197 does not apply to classified systems. The Standard states, “This standard may be used by Federal departments and agencies when an agency determines that sensitive (unclassified) information (as defined in P. L. 100-235) requires cryptographic protection.” Rather than referencing FIPS 197 for encryption of classified information on portable or standalone computers, the DOJ should reference the methods prescribed by the Committee on National Security Systems.

  • DOJ Order 2620.7, Control and Protection of Limited Official Use Information — The subject of DOJ Order 2620.7 is control and protection of limited official use information. Therefore, it does not apply to classified systems, and the reference to this order should be deleted.

  • 5 CFR Part 930, Training Requirement for the Computer Security Act — 5 CFR Part 930 does not apply to classified systems. The authority for the regulation, Public Law 100-235, is limited to sensitive but unclassified information. Standard 1.6 should instead refer to computer security training (IT Security Standard 2.8) and protection of classified information training (SPOM, Chapter 3).

  • 18 U.S.C. 2510, Electronic Communications Privacy Act — This Act discusses the interception of wire, electronic, and oral communications. Standard 1.6 does not allow any type of telecommunications for portable or standalone computers processing classified information.

We believe the references that do not apply to portable or standalone computers that process classified information should be removed. Also, any instructions provided in Standard 1.6 that were derived from those incorrect references should be deleted from the document. The Assistant Director of SEPS concurred with our position that unclassified references should not be used in standards for storing, processing, or transmitting classified information.

Separate Authority Governing Classified National Security Information and Sensitive Compartmented Information

Standard 1.6 provides a uniform policy for portable and standalone computers that store, process, or transmit classified information (see Appendix III, page 25). However, there are two organizations outside the DOJ that have government-wide authority over the security of systems that store, process, or transmit classified information. The Committee on National Security Systems issued certification and accreditation policy for systems that process Classified National Security Information. Further, the CIA issued certification and accreditation policy for systems that process Sensitive Compartmented Information. Despite unique and specific guidance regarding Classified National Security Information and Sensitive Compartmented Information from these government-wide authorities, Standard 1.6 does not differentiate between the two or provide separate processing requirements for information classified under these distinct designations.

We believe that Standard 1.6 should address the systems that process Classified National Security Information and Sensitive Compartmented Information separately, because those systems are subject to policies developed by two separate government-wide authorities. SEPS, a voting member of the Committee on National Security Systems for the Department of Justice (see Appendix II, page 22), agrees with our position.

Incomplete Guidance and Instructions

We found three areas, described below, where the guidance and instructions provided in Standard 1.6 are incomplete and therefore need revision.

Lack of Instructions for Network Connections. Section 3.1 states that, “No external systems, networks, or communications devices may be connected to classified laptop and standalone computers.” (See Appendix III, pages 30 and 31.) However, the Deputy Chief Information Officer informed us that classified portable computers can be connected to classified networks if the approval to do so is documented in the security plan for the certification and accreditation of the applicable network. Based on that information, Standard 1.6 is not accurate regarding Department policy on the connection of portable computers to external systems, networks, or communication devices. In our opinion, Standard 1.6 should not provide a blanket prohibition, but should indicate what policies apply when classified laptop computers are authorized to be connected to classified networks.

No Explanation of Security Configuration Tests. We asked the Deputy Chief Information Officer why Attachment 2, entitled “Security Acknowledgement Statement for System Administrators” (see Appendix III, pages 37-39), requires that the System Administrator “make the computer(s) available for reviews of the security configuration by independent testers” and “ensure that the Certification Agent (CA) or a CA appointed agent validates system security at least annually.” The Deputy Chief Information Officer stated that logistical and organizational issues concerning certification and independent testing are being negotiated. However, Attachment 2 is not referred to in the body of Standard 1.6. Therefore, the process for reviews of the security configuration by independent testers and a validation of system security by certification agents should be documented in the body of the policy.

No Instructions for Tracking Log. Attachment 5, “Sample Classified Computer Usage Log” (see Appendix III, page 44), has no instructions for completing the log. In addition, Standard 1.6 does not refer to the log or provide a retention period for the log. As written, either the end-user or the administrator must record every action taken on every document accessed, along with start and end times. As presented, we consider the log to be unduly burdensome and in need of revision. The Deputy Chief Information Officer explained that there is a need for a manual record of the total time an individual was logged onto the classified system. We understand the value of a tracking log, but the attachment will require modification in order to capture only the required information, and instructions will have to be prepared to inform the end-users and administrators about how to complete the log and for how long it should be retained. The Deputy Chief Information Officer indicated that this issue would be addressed in the next revision of Standard 1.6.

Conclusion

Standard 1.6 includes inaccurate and confusing references directed at unclassified systems, does not address systems that process Classified National Security Information separately from Sensitive Compartmented Information, and is incomplete in providing guidance and instructions. We believe that Standard 1.6 could be confusing to DOJ components and should be revised to correct these deficiencies.

Recommendations

We recommend that the Justice Management Division revise Standard 1.6 to:

  1. Remove any references to statute, policy, or procedures that are not applicable to processing classified information.

  2. Address systems in accordance with policy from the Committee on National Security Systems for Classified National Security Information independently from the Director of Central Intelligence Directives for Sensitive Compartmented Information.

  3. Indicate what policy applies when classified portable computers are allowed to be connected to classified networks.

  4. Refer to Attachment 2 (Security Acknowledgement Statement for System Administrators) in the body of the policy and delineate the process for reviews of the security configuration by independent testers and validation of the system security by certification agents.

  5. Refer to Attachment 5 (Sample Classified Computer Usage Log) in the body of the policy and provide written instructions for the preparation and retention of the log.


  2. INCREASING EFFICIENCY WHEN PROCESSING CLASSIFIED INFORMATION ON PORTABLE COMPUTERS

    The Department should consider modifying the practices for processing classified information on portable computers that Standard 1.6 currently prescribes. We believe that the DOJ’s Chief Information Officer should consider revising the policy to allow for a variety of innovative features and methods that enhance the ability of the DOJ to accomplish its mission while adequately securing its classified information.

We met with four DOJ components (DEA, FBI, EOUSA, and Justice Management Division) and four outside agencies (CIA, National Security Agency, National Reconnaissance Office, and the Department of Energy) to determine how they address the storage of classified information using portable computers and to determine whether more effective practices are available to enhance security. All of the agencies contacted, with the exception of the DEA, store and process some of their classified information on portable computers.

From discussions with those interviewed and our review of Standard 1.6 and the SPOM, we identified four security policy enhancements we believe the Department should consider for classified portable computers. The following sections describe those enhancements.

Removable Hard Drives and Operating System

We asked officials from the EOUSA, DEA, and FBI: (1) whether their agency authorized the use of portable computers with removable hard drives, one to process classified information and another to process unclassified information on the same computer, and (2) if not, whether they would consider the feature worthwhile. Officials from all three agencies responded negatively to the first question. The responses to the second question varied among the agencies. The EOUSA responded that the issue does come up and that it would probably be worthwhile to pursue as long as users understand the applicable security requirements. The DEA responded that while the feature would have fiscal advantages, the risk of procedural errors, such as forgetting to exchange removable hard drives for the appropriate type of processing, could negate the utility of interchanging hard drives.[10] The FBI responded that the feature could be worthwhile, but that it would need to evaluate any proposed use of removable hard drives based on the operational need, the technical configuration of the system, and other mitigating factors through the certification and accreditation process.

Three of the four agencies we interviewed outside the DOJ process both classified and unclassified information on the same computer by using two separate removable hard drives — one hard drive for processing classified information and the other for processing unclassified information.[11]

We discussed the subject of removable hard drives with a major portable computer manufacturer who told us of at least two companies that sell 5-gigabyte (5,000 megabytes) removable hard drives. The drives are priced under $200 each. These drives are generally two inches wide by three inches long, weigh less than two ounces, and fit into any “Type II PC Card slot” in portable computers. As presented in the table below, we believe they have enough storage space for a multi-user operating system, application software, and a reasonable amount of space for processing classified information. The table illustrates one example of a portable computer’s software configuration we believe would meet the needs of many of the DOJ’s classified computer users. With the Chief Information Officer’s approval, 5-gigabyte removable hard drives could be used on the DOJ’s portable computers that process classified information. This computer configuration would allow both unclassified and classified information processing in the same portable computer.

Operating System and Application Software Minimum Requirements

  Example of a Usable Software Configuration    Space Requirements
  Microsoft XP Professional                        230 megabytes
  Microsoft Office Professional                    600 megabytes
  Data Encryption                                   15 megabytes
  Virus Detection                                   16 megabytes
  Sub Total                                        861 megabytes
  Remaining Space                                4,139 megabytes

  Source: Software company websites.

Using removable hard drives offers advantages for portable computers. Without removable hard drives, a user may be required to carry two portable computers while on a traveling assignment — one for handling classified information, which requires it to be double-wrapped, and the other for processing unclassified information, connecting to the Internet, and viewing e-mail.[12] With removable hard drives, the user would be required to double wrap only the classified hard drive instead of the entire portable computer. In our opinion, a double-wrapped classified removable hard drive is an effective security enhancement, as it is easier to conceal and is less conspicuous due to its smaller size compared to a portable computer.

Although Standard 1.6 approves of removable hard drives (Appendix III, page 41), it does not specifically authorize the use of dual classified and unclassified hard drives in the same portable computer. Without removable hard drives, users processing classified information on a portable computer must disconnect all of the attached peripheral devices and secure the entire computer in an approved security container when it is to be left unattended. In contrast, with a removable hard drive a DOJ employee merely has to remove the classified hard drive and secure it, not the computer shell.

In order to enhance security of the classified information when using removable hard drives, system administrators must define user profiles within the operating system for classified portable computers. For example, IT security personnel at the National Reconnaissance Office and National Security Agency told us that a multi-user operating system, such as Microsoft Windows 2000 or XP, allows system administrators to define computer users’ profiles and therefore restrict access to the computer’s input/output ports. Specifically, access to the unclassified drive while the removable classified hard drive is in use can be controlled by the definition of the user’s profile. They also said that users’ profiles can allow access to Internet connections when the classified hard drive is not in use.

In our view, the use of removable hard drives that can process both unclassified and classified information in the same computer shell is an area that the Department should consider.

Type Accreditations

The concept of type accreditations, defined by the Chief Information Officer in Standard 1.6 for portable and standalone computers, is an abbreviated accreditation process for classified portable and standalone computers that can be used in lieu of a full certification and accreditation process (see Appendix III, page 30).[13] The Chief Information Officer developed this approach to limit the unnecessary duplication of the full certification and accreditation requirements. The Department’s Assistant Director of SEPS stated that a type accreditation for classified portable and standalone computers is an acceptable procedure.

Standard 1.6, Attachment 3 (Hardware and Software Configurations of Classified Laptop and Standalone Computers), defines three specific types of computer configurations: classified laptop computers, classified standalone computers, and computers with removable hard drives (see Appendix III, pages 40-42). Each of the three specific types of computer configurations contains a list of recommended hardware configurations, mandatory hardware features, and software configurations.

We believe that Standard 1.6 should allow the DOJ components more flexibility in the design of portable and standalone computer systems. The Deputy Chief Information Officer informed us that flexibility is built into the type accreditation process. However, the process to obtain type accreditations for other configurations is not documented in Standard 1.6. A revised Standard 1.6 should document the process for DOJ components to follow when requesting computer configurations not specified in the Standard. Furthermore, Standard 1.6 should be written to allow the DOJ components flexibility to incorporate innovative safeguards that do not compromise security.

Safeguards for Lost or Stolen Computers

Additional effective safeguards for classified computers and hard drives may strengthen security by lowering the risk of unauthorized persons gaining access to classified information in the event a portable computer is lost or stolen.

For example, encryption of the hard drive is a safeguard that IT and security personnel believe can reasonably protect classified information from unauthorized use if a portable computer is lost or stolen.[14] As discussed on page 8, the Chief Information Officer’s reference for encryption cites the Federal Information Processing Standard Publication 197 — Advanced Encryption Standard (Appendix III, page 29). Yet FIPS 197 applies to unclassified systems, not to classified systems, which are the focus of Standard 1.6. Further, the Committee on National Security Systems has a Presidential delegation for national security systems through Executive Order 13231. Therefore, we believe the Chief Information Officer should explicitly require the use of the encryption standard specified by the Committee on National Security Systems when defining DOJ standards.

In addition to encryption, we identified three security enhancements that the DOJ could use to protect classified information on portable computers. The following safeguards could help reduce the amount of damage or decrease the chances of unauthorized individuals gaining access to classified data in the event a portable computer or hard drive is lost or stolen:

  • Reduce the risk of unauthorized access to classified information while the portable computer is in transit by limiting the amount of classified information on the hard drive to the minimum amount of information necessary to accomplish the mission. This safeguard, used by the National Security Agency, reduces the amount of damage that can occur if an unauthorized user gains access to the information.

  • Program the computer’s operating system to send a message to the system administrator if the computer is connected to the Internet. Connecting a classified computer to the Internet increases the risk that unauthorized users may obtain access to classified information. The National Reconnaissance Office uses this safeguard. Sending a warning message to a system administrator would allow a DOJ component to take steps to mitigate potential damage to national security in the event of a security breach.

  • Install an electronic device on the portable computer that can track or locate the equipment using global positioning technology. If such a device were installed, the computer could be tracked and located if it was lost or stolen.
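The second safeguard above (an operating-system message to the administrator when a classified computer touches the Internet) can be implemented as a small host agent. The following Python is an added example, not code from the report, the DOJ, or the National Reconnaissance Office: it parses a routing table in the layout printed by Windows `route print`, raises an alert when an active default route leaves through a real (non-loopback, non-link-local) interface, and forwards the alert as a UDP syslog datagram. The hostname `lap-classified-01`, the collector name `siem.example.invalid`, and both route tables are constructed; the `route print -4` call and the syslog facility are assumptions about the deployment.

```python
"""Detect an Internet path on a classified laptop and alert the administrator.

Added illustration of the safeguard described in the report; not DOJ, NRO or
Standard 1.6 code. Any active default route (destination 0.0.0.0, netmask
0.0.0.0) on a usable interface is treated as evidence of an external connection.
"""
import ipaddress
import re
import socket
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

_IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


@dataclass(frozen=True)
class Route:
    destination: str
    netmask: str
    gateway: str      # "On-link" for directly connected networks
    interface: str    # address of the local interface the route uses
    metric: int


def parse_route_table(text: str) -> List[Route]:
    """Parse the IPv4 'Active Routes' rows of a route-print style listing.
    Data rows have five columns; headings and separators are skipped because
    their first two columns are not dotted-quad addresses."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) != 5 or not (_IPV4.match(cols[0]) and _IPV4.match(cols[1])):
            continue
        if not cols[4].isdigit():
            continue
        routes.append(Route(cols[0], cols[1], cols[2], cols[3], int(cols[4])))
    return routes


def external_routes(routes: List[Route]) -> List[Route]:
    """Default routes whose egress interface is a real address. A 169.254/16
    (APIPA) address means the NIC is up but got no lease, so it is not a
    usable path to the Internet and is ignored."""
    hits = []
    for r in routes:
        if r.destination != "0.0.0.0" or r.netmask != "0.0.0.0":
            continue
        addr = ipaddress.ip_address(r.interface)
        if addr.is_loopback or addr.is_link_local:
            continue
        hits.append(r)
    return hits


def build_alert(routes: List[Route], hostname: str,
                now: Optional[datetime] = None) -> Optional[dict]:
    """Return the administrator alert, or None when the machine is isolated.
    The lowest-metric default route is the one the OS would actually use."""
    hits = sorted(external_routes(routes), key=lambda r: r.metric)
    if not hits:
        return None
    best = hits[0]
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    return {
        "severity": "HIGH",
        "event": "CLASSIFIED_HOST_INTERNET_PATH",
        "host": hostname,
        "interface": best.interface,
        "gateway": best.gateway,
        "time": stamp,
        "message": (f"{hostname}: default route via {best.gateway} on "
                    f"{best.interface} while classified hard drive is in use"),
    }


def syslog_datagram(alert: dict) -> bytes:
    """Format the alert as a syslog line; PRI 130 = local0.crit (16*8 + 2)."""
    return (f"<130>{alert['time']} {alert['host']} classified-guard: "
            f"{alert['message']}").encode()


def send_alert(alert: dict, collector: str = "siem.example.invalid", port: int = 514) -> bytes:
    """Forward the alert to the administrator's collector over UDP (assumed setup)."""
    line = syslog_datagram(alert)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(line, (collector, port))
    return line


def local_route_table() -> str:
    """Assumption: a Windows host, where `route print -4` prints the table parsed above."""
    return subprocess.run(["route", "print", "-4"], capture_output=True,
                          text=True, check=False).stdout


# Constructed sample tables in the Windows `route print` layout.
CONNECTED_TABLE = """Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1        10.0.0.17     50
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
         10.0.0.0      255.255.0.0         On-link         10.0.0.17    306
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
"""
ISOLATED_TABLE = """Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         On-link     169.254.12.34    281
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      169.254.0.0      255.255.0.0         On-link     169.254.12.34    281
"""

if __name__ == "__main__":
    for name, table in (("connected", CONNECTED_TABLE), ("isolated", ISOLATED_TABLE)):
        print(name, "->", build_alert(parse_route_table(table), "lap-classified-01"))
```

The agent only detects; the policy point in the report is that the connection should not exist at all, so the alert is a compensating control that lets the component start incident handling rather than something that makes the connection safe. Running it on a schedule (or on network-interface change events) and shipping the datagram to a collector the administrator watches is the part the report leaves to the component.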

We believe that these security enhancements identified by IT and security personnel should be considered by the Chief Information Officer when drafting policy for portable computers processing classified information.

Labeling Requirements for Classified Information Media

Current Department policy, in Chapter 8, Section 8-203, of the SPOM, specifically states, “Classification Markings (Labels) must be displayed on all components of an IT system that have the potential for retaining classified information.” The IT and security staff we interviewed at the National Security Agency indicated that the shell of a portable computer does not retain any retrievable data after removal of the computer’s hard drive containing the operating system. The National Security Agency staff further said that once a computer is powered down, all data in the random access memory is gone and cannot be retrieved, effectively sanitizing the computer shell. In our opinion, Standard 1.6 should specify that the shell does not remain classified after the classified hard drive is removed.

Using removable hard drives on classified portable computers would require creating a new label for the shell to indicate that the computer might contain classified information, but is also cleared to process unclassified information. Therefore, the SPOM should be revised to describe the markings for this type of equipment. The Assistant Director of SEPS agreed with our position on labeling the portable computer shell and indicated that the change to the labeling requirement would occur during the next SPOM revision.

Recommendations

We recommend that the Justice Management Division:

  1. Consider the use of removable hard drives for processing both classified and unclassified information on the same portable computer by using two separate removable hard drives. This would require that the hard drive become the classifiable device instead of the portable computer and that appropriate security safeguards be developed.

  2. Document the process that gives DOJ components the flexibility to incorporate safeguards through new type accreditations to protect classified computers from unauthorized access.

  3. Adopt the encryption standard specified by the Committee on National Security Systems.

  4. Consider enhancing security by writing policy to limit classified data on a hard drive to what is necessary to accomplish the mission.

  5. Consider enhancing security by programming the computer to send a message to the system administrator if a computer with a classified hard drive is connected to the Internet.

  6. Consider enhancing security by installing an electronic device on portable computers to track the equipment in the event it is lost or stolen.

  7. Create a new label for portable computers that indicates the computer may contain classified information, but is also cleared to process unclassified information.



Footnotes

  10. We believe that DEA’s concern does not adequately consider that the SPOM requires computers to contain banners reminding users of the classification for the system. The SPOM states, “to avoid inadvertent compromises, removable hard drives used on IT systems for unclassified and classified processing will utilize desktop backgrounds that display classification banners at the top or bottom.”

  11. The Department of Energy uses classified portable computers with removable hard drives but does not interchange an unclassified hard drive with the classified hard drive. The other three agencies are the CIA, the National Security Agency, and the National Reconnaissance Office.

  12. Double wrap — classified information must be “…enclosed in two opaque layers; both of which provide reasonable evidence of tampering and conceal the contents.”

  13. Accreditation of a system is the permission for an IT system to operate.

  14. Encryption involves a set of mathematically expressed rules for rendering data unintelligible by executing a series of conversions controlled by a key.


