Processing Classified Information on Portable Computers in the Department of Justice
Audit Report 05-32
Office of the Inspector General
This Office of the Inspector General audit examines the policies and practices in the Department of Justice (DOJ or Department) for the processing of classified information in portable computers. Our approach for conducting this audit included: (1) interviewing officials from within and outside the Department about classified portable computing policies and practices and (2) examining government-wide and DOJ policy related to processing classified information.
During our initial discussions with the Department’s Deputy Chief Information Officer and the Assistant Director of the Security and Emergency Planning Staff (SEPS), they identified DOJ components that process classified information using portable computers. We selected the Drug Enforcement Administration (DEA), the Federal Bureau of Investigation (FBI), and the Executive Office for United States Attorneys (EOUSA) to examine the use of portable computers for processing classified information.
We extended our interviews beyond the DOJ to determine how other federal agencies address the storing and processing of classified information using portable computers. We met with staff from SEPS and the Chief Information Officer’s office and discussed their knowledge of other federal agencies that process classified information on portable computers. Based on their input, we interviewed Information Technology (IT) and security personnel from the National Security Agency, the Central Intelligence Agency (CIA), and the Department of Energy. Based on input from the CIA, we also contacted the National Reconnaissance Office within the Department of Defense. (See Appendix I for additional information on our objectives, scope, and methodology.)
Our original intention was to examine the policies and practices in the DOJ for the processing of classified information on portable computers. However, IT and security staff informed us that we should also review government-wide policy that applies to all IT systems, whether they process classified or unclassified information. Therefore, our audit includes a review of the following government-wide policy (National Institute of Standards and Technology, Special Publication 800-37; Committee on National Security Systems, National Information Assurance Certification and Accreditation Process; and the Director of Central Intelligence Directives, DCID 6/3) that requires all computer systems be certified before they can be placed in operation.
The certification of an IT system involves a comprehensive evaluation of the technical and non-technical security features and other safeguards in place on a system. The certification is made as part of and in support of the accreditation process. The certification process validates that appropriate safeguards have been implemented on the system. The process culminates in the accreditation of the system (permission for the system to operate).
During our research, we identified the organizations that have the responsibility to develop government-wide policy related to the certification and accreditation of IT systems. The policies cover all IT systems, including portable computers. As detailed in the following table, three organizations have the responsibility to develop policy for the certification and accreditation of all IT systems.
Government-wide Certification and Accreditation Authority
The Federal Information Security Management Act (FISMA) delegates policy development and oversight to the National Institute of Standards and Technology (NIST) for information systems other than national security systems. Certification and accreditation procedures for systems other than national security systems — unclassified systems (systems that process only unclassified information) — are documented in NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.
To separate unclassified from classified systems, NIST Special Publication 800-59 includes six questions designed to determine whether the system meets the definition of a national security system. According to the publication, “In order for a system to be designated a national security system, one of the following questions must be answered in the affirmative:”
Based on the NIST policy, any system that stores, processes, or communicates classified information is a national security system and falls under the jurisdiction of the Committee on National Security Systems.
Executive Order 13231, Critical Infrastructure Protection, identifies the government-wide committees that develop policy for the protection of information systems. Based on Executive Order 13231, the Committee on National Security Systems is responsible for policy over national security systems. The Committee on National Security Systems has documented procedures for the certification and accreditation of national security systems in the National Information Assurance Certification and Accreditation Process (NIACAP).
National security systems store, process, or transmit classified information as defined by Executive Order 12958, Classified National Security Information. The Order defines three levels of Classified National Security Information:
Executive Order 12333, United States Intelligence Activities, requires that the Director of Central Intelligence, “Ensure the establishment by the Intelligence Community of common security and access standards for managing and handling foreign intelligence systems, information, and products.” In addition, Executive Order 12958, Section 4.3, delegates to the Director of Central Intelligence authority over special access programs pertaining to intelligence activities. Further, certification and accreditation of systems used to process intelligence information, referred to as Sensitive Compartmented Information, is documented in Director of Central Intelligence Directive (DCID) 6/3.
The policies developed by the Committee on National Security Systems and the CIA take precedence over the standards developed by the Department’s Chief Information Officer for national security systems.
When necessary, DOJ employees store, process, and transmit classified information using portable computers. Employees may also process sensitive but unclassified information, send and receive e-mail, and obtain research data from the Internet on portable computers. Currently, employees who process both classified and unclassified information must utilize two separate portable computers in order to accomplish their assignments. Carrying two portable computers is necessary because the current DOJ policy does not explicitly authorize the use of two hard drives, one for classified information and one for unclassified information, in a single portable computer.
DOJ Order 2640.2E, titled Information Technology Security, establishes uniform policy, responsibilities, and authorities for the implementation and protection of DOJ’s IT systems that store, process, or transmit classified and unclassified information. The Assistant Director of SEPS and the Deputy Chief Information Officer described the distinction between the responsibilities of the two offices as the Chief Information Officer being responsible for security of classified and unclassified IT systems and SEPS being responsible for security of the classified information.
The Department’s Chief Information Officer issued 17 Information Technology Security Standards between December 4, 2003, and January 30, 2004, for DOJ systems that process classified and unclassified information. In addition, an 18th standard was issued on August 19, 2004, titled Information Technology Security Standard, Management Controls, 1.6 Classified Laptop and Standalone Computers Security Policy (Standard 1.6). Standard 1.6 established uniform information technology security management controls for laptop (portable) and standalone computers storing, processing, or transmitting National Security Information in the DOJ. All IT systems in the DOJ that process classified information must be certified and accredited in accordance with standards established by the Department’s Chief Information Officer before the system can be used.
Policy issued by SEPS, titled Security Program Operating Manual (SPOM), revised November 5, 2004, provides guidance for the safeguarding of classified information. The SPOM applies to classified information, security controls, security clearance requirements for employees, and the facilities authorized to store the information.
Classified National Security Information cannot be processed in public areas or while being transported. According to the SPOM and DCID 6/9, such information can be processed in only four specific types of facilities — a Sensitive Compartmented Information Facility (SCIF), a Temporary Secure Working Area, an Open Storage Area, or a Restricted Area.
A SCIF is an accredited area, room, group of rooms, buildings, or installation where Sensitive Compartmented Information may be stored, used, discussed, and electronically processed. A Temporary Secure Working Area is a space where Sensitive Compartmented Information may be handled, discussed, or processed, but should not be stored. SEPS oversees design and security of SCIFs and Temporary Secure Working Areas within the DOJ, with the exception of the FBI, which is responsible for the design and security of SCIFs and Temporary Secure Working Areas under its jurisdiction.
An Open Storage Area is used when the volume or bulk of classified material is such that the use of security containers is not practical. When a component determines that an Open Storage Area is necessary, its location and construction must be approved by the Department Security Officer. A Restricted Area can be established when it is necessary to control access to classified material in an area not approved for open storage. All classified material must be secured during non-working hours in approved security containers or vaults. Open Storage Areas and Restricted Areas are accredited by SEPS for the DOJ, with the exception of the FBI, which is responsible for the design and security of Open Storage Areas and Restricted Areas under its jurisdiction.
In Restricted Areas or Temporary Secure Working Areas, the user must maintain constant possession of the hard drive containing classified information, or it must be locked in an approved security container. Further, if the hard drive cannot be removed from the computer, the computer must be disconnected from its peripheral devices, i.e., a mouse, monitor, keyboard, and printer, and locked in an approved security container when not in use.