Processing Classified Information on Portable Computers in the Department of Justice

Audit Report 05-32
July 2005
Office of the Inspector General


Introduction


This Office of the Inspector General audit examines the policies and practices in the Department of Justice (DOJ or Department) for the processing of classified information in portable computers. Our approach for conducting this audit included: (1) interviewing officials from within and outside the Department about classified portable computing policies and practices and (2) examining government-wide and DOJ policy related to processing classified information.

During our initial discussions with the Department’s Deputy Chief Information Officer and the Assistant Director of the Security and Emergency Planning Staff (SEPS), they identified DOJ components that process classified information using portable computers. We selected the Drug Enforcement Administration (DEA), the Federal Bureau of Investigation (FBI), and the Executive Office for United States Attorneys (EOUSA) to examine the use of portable computers for processing classified information.

We extended our interviews beyond the DOJ to determine how other federal agencies address the storing and processing of classified information using portable computers. We met with staff from SEPS and the Chief Information Officer’s office and discussed their knowledge of other federal agencies that process classified information on portable computers. Based on their input, we interviewed Information Technology (IT) and security personnel from the National Security Agency, the Central Intelligence Agency (CIA), and the Department of Energy. Based on input from the CIA, we also contacted the National Reconnaissance Office within the Department of Defense. (See Appendix I for additional information on our objectives, scope, and methodology.)

Our original intention was to examine the policies and practices in the DOJ for the processing of classified information on portable computers. However, IT and security staff informed us that we should also review government-wide policy that applies to all IT systems, whether they process classified or unclassified information. Therefore, our audit includes a review of the following government-wide policy (National Institute of Standards and Technology, Special Publication 800-37; Committee on National Security Systems, National Information Assurance Certification and Accreditation Process; and the Director of Central Intelligence Directives, DCID 6/3) that requires all computer systems be certified before they can be placed in operation.

Government-wide Policy on the Certification and Accreditation of IT Systems

The certification of an IT system involves a comprehensive evaluation of the technical and non-technical security features and other safeguards in place on a system. The certification is made as part of and in support of the accreditation process. The certification process validates that appropriate safeguards have been implemented on the system. The process culminates in the accreditation of the system (permission for the system to operate).

During our research, we identified the organizations that have the responsibility to develop government-wide policy related to the certification and accreditation of IT systems. The policies cover all IT systems, including portable computers. As detailed in the following table, three organizations have the responsibility to develop policy for the certification and accreditation of all IT systems.

Government-wide Certification and Accreditation Authority

| Organization | Type of Information | Source of Authority |
|---|---|---|
| National Institute of Standards and Technology (NIST) | Unclassified | Federal Information Security Management Act (FISMA) (December 17, 2002) |
| Committee on National Security Systems (CNSS)[7] | Classified National Security Information (CNSI) | Executive Order 13231 (as amended September 17, 2003) |
| Central Intelligence Agency (CIA) | Sensitive Compartmented Information (SCI) | Executive Order 12333 (as amended August 27, 2004) and Executive Order 12958 (as amended March 25, 2003) |

The Federal Information Security Management Act (FISMA) delegates policy development and oversight to the National Institute of Standards and Technology (NIST) for information systems other than national security systems. Certification and accreditation procedures for systems other than national security systems — unclassified systems (systems that process only unclassified information) — are documented in NIST Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems.

To separate unclassified from classified systems, NIST Special Publication 800-59 includes six questions designed to determine whether the system meets the definition of a national security system. According to the publication, “In order for a system to be designated a national security system, one of the following questions must be answered in the affirmative:”

  • Does the function, operation, or use of the system involve intelligence activities?

  • Does the function, operation, or use of the system involve cryptologic activities related to national security?

  • Does the function, operation, or use of the system involve command and control of military forces?

  • Does the function, operation, or use of the system involve equipment that is an integral part of a weapon or weapons system?

  • Is the system critical to the direct fulfillment of military or intelligence missions?

  • Does the system store, process, or communicate classified information?

Based on the NIST policy, any system that stores, processes, or communicates classified information is a national security system and falls under the jurisdiction of the Committee on National Security Systems.

Executive Order 13231, Critical Infrastructure Protection, identifies the government-wide committees that develop policy for the protection of information systems. Based on Executive Order 13231, the Committee on National Security Systems is responsible for policy over national security systems. The Committee on National Security Systems has documented procedures for the certification and accreditation of national security systems in the National Information Assurance Certification and Accreditation Process (NIACAP).

National security systems store, process, or transmit classified information as defined by Executive Order 12958, Classified National Security Information. The Order defines three levels of Classified National Security Information:

  • Top Secret — classified information where the unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security;

  • Secret — classified information where the unauthorized disclosure could reasonably be expected to cause serious damage to national security; and

  • Confidential — classified information where the unauthorized disclosure could reasonably be expected to cause damage to national security.

Executive Order 12333, United States Intelligence Activities, requires that the Director of Central Intelligence, “Ensure the establishment by the Intelligence Community of common security and access standards for managing and handling foreign intelligence systems, information, and products.” In addition, Executive Order 12958, Section 4.3, delegates to the Director of Central Intelligence authority over special access programs pertaining to intelligence activities. Further, certification and accreditation of systems used to process intelligence information, referred to as Sensitive Compartmented Information, is documented in Director of Central Intelligence Directive (DCID) 6/3.[8]

The policies developed by the Committee on National Security Systems and the CIA take precedence over the standards developed by the Department’s Chief Information Officer for national security systems.

DOJ Policy

When necessary, DOJ employees store, process, and transmit classified information using portable computers. Employees may also process sensitive but unclassified information, send and receive e-mail, and obtain research data from the Internet on portable computers. Currently, employees who process both classified and unclassified information must utilize two separate portable computers in order to accomplish their assignments. Carrying two portable computers is necessary because the current DOJ policy does not explicitly authorize the use of two hard drives, one for classified information and one for unclassified information, in a single portable computer.

DOJ Order 2640.2E, titled Information Technology Security, establishes uniform policy, responsibilities, and authorities for the implementation and protection of DOJ’s IT systems that store, process, or transmit classified and unclassified information. The Assistant Director of SEPS and the Deputy Chief Information Officer described the distinction between the responsibilities of the two offices as the Chief Information Officer being responsible for security of classified and unclassified IT systems and SEPS being responsible for security of the classified information.

The Department’s Chief Information Officer issued 17 Information Technology Security Standards between December 4, 2003, and January 30, 2004, for DOJ systems that process classified and unclassified information. In addition, an 18th standard was issued on August 19, 2004, titled Information Technology Security Standard, Management Controls, 1.6 Classified Laptop and Standalone Computers Security Policy (Standard 1.6). Standard 1.6 established uniform information technology security management controls for laptop (portable) and standalone computers storing, processing, or transmitting National Security Information in the DOJ.[9] All IT systems in the DOJ that process classified information must be certified and accredited in accordance with standards established by the Department’s Chief Information Officer before the system can be used.

Policy issued by SEPS, titled Security Program Operating Manual (SPOM), revised November 5, 2004, provides guidance for the safeguarding of classified information. The SPOM applies to classified information, security controls, security clearance requirements for employees, and the facilities authorized to store the information.

Classified National Security Information cannot be processed in public areas or while being transported. According to the SPOM and DCID 6/9, such information can be processed in only four specific types of facilities — a Sensitive Compartmented Information Facility (SCIF), a Temporary Secure Working Area, an Open Storage Area, or a Restricted Area.

A SCIF is an accredited area, room, group of rooms, buildings, or installation where Sensitive Compartmented Information may be stored, used, discussed, and electronically processed. A Temporary Secure Working Area is a space where Sensitive Compartmented Information may be handled, discussed, or processed, but should not be stored. SEPS oversees design and security of SCIFs and Temporary Secure Working Areas within the DOJ, with the exception of the FBI, which is responsible for the design and security of SCIFs and Temporary Secure Working Areas under its jurisdiction.

An Open Storage Area is used when the volume or bulk of classified material is such that the use of security containers is not practical. When a component determines that an Open Storage Area is necessary, its location and construction must be approved by the Department Security Officer. A Restricted Area can be established when it is necessary to control access to classified material in an area not approved for open storage. All classified material must be secured during non-working hours in approved security containers or vaults. Open Storage Areas and Restricted Areas are accredited by SEPS for the DOJ, with the exception of the FBI, which is responsible for the design and security of Open Storage Areas and Restricted Areas under its jurisdiction.

In Restricted Areas or Temporary Secure Working Areas, the user must maintain constant possession of the hard drive containing classified information, or it must be locked in an approved security container. Further, if the hard drive cannot be removed from the computer, the computer must be disconnected from its peripheral devices, i.e., a mouse, monitor, keyboard, and printer, and locked in an approved security container when not in use.



Footnotes

  7. See Appendix II for a complete list of the voting members of the Committee on National Security Systems.

  8. Sensitive Compartmented Information is classified information concerning or derived from intelligence sources, methods, or analytical processes, which is required to be handled exclusively within formal access control systems established by the Director of Central Intelligence.

  9. During this audit, we analyzed a draft copy of Standard 1.6 (Standard 1.3, version 0.5), issued March 31, 2004, by the Office of the Chief Information Officer. We received a copy of the final version of Standard 1.6 on September 8, 2004.


