Review of the Department of Justice’s Reporting Procedures for Loss of Sensitive Electronic Information

Evaluation and Inspections Report I-2007-005
June 2007
Office of the Inspector General


Appendix VI
FBI Reporting Procedures

Introduction

Between December 2005 and November 2006, the FBI reported 206 computer security incidents to DOJCERT, including 43 incidents involving potential PII loss and 35 incidents potentially involving classified information.108 The FBI considers all of its information to be sensitive – either Sensitive But Unclassified or classified – and requires its employees to report incidents that result in the loss of classified or Sensitive But Unclassified information as well as the loss or theft of all portable electronic devices or removable storage media, such as laptops, BlackBerry devices, hard drives, CDs, and flash drives. Sensitive But Unclassified is defined in the FBI’s Security Policy Manual as “information that requires protection due to the risk or magnitude of loss or harm that could result from inadvertent or deliberate disclosure, modification and/or destruction of the information.” The FBI Security Policy Manual states that records requiring protection under the Privacy Act are a subset of Sensitive But Unclassified information.109 The FBI does not currently have a separate definition for PII. The FBI uses the definition of classified information contained in Executive Order 12958, as Amended, Classified National Security Information, dated March 25, 2003.

Reporting Procedures

Within the FBI, computer security incidents are reported to two separate offices, but only one of those offices is required to report incidents to DOJCERT. One office’s procedure for reporting computer security incidents is defined in an FBI policy issued by the Security Division called the Security Policy Manual.110 The other office’s procedure is defined in the FBI’s four Incident Response Plans.111 Both offices should be notified as soon as an employee informs both his or her supervisor and the Chief Security Officer that a computer security incident has occurred.112

Procedures Defined in FBI Security Policy

The Security Policy Manual, issued by the Security Division, requires FBI employees to report potential computer security incidents to the Security Compliance Unit via a web-based form.113 The form is available to all employees on the FBI intranet and may be completed by either the employee who discovered the incident, the employee’s supervisor, the Division’s Chief Security Officer, or any other individual with direct knowledge of an incident. Employees must identify the type of security incident that occurred, choosing from five categories provided, and answer additional questions that are specific to that category of security.114 For example, incidents identified as “Information Technology Security” require employees to describe the circumstances surrounding the loss of electronic information or the loss of a portable electronic device. Employees must also provide the serial number and classification level of a lost portable electronic device.

The Security Compliance Unit said that it tracks all reported security incidents in an Access database and provides monthly reports to the Section Chief of the Security Operations Section in FBI Headquarters. The Security Compliance Unit also said that it generates quarterly reports of security incidents, by type of incident, to keep the Career Services Management Unit (which develops FBI training) and the Policy Unit (which develops FBI policy) aware of areas of security that may need more attention.

Procedures Defined in Incident Response Plans

The FBI maintains four Incident Response Plans that conform to the DOJCERT template to cover the following four types of systems: the system that has been classified Top Secret, the systems that have been classified Secret, the unclassified systems, and the systems operated by the Criminal Justice Information Services Division. All four plans have been updated to reflect the changes DOJCERT made to the November 2006 template and identify the seven categories of incidents that should be reported to DOJCERT within specified timeframes.115

The Division’s Chief Security Officer is required to review each reported incident and determine if the incident fits into one of the categories identified in the Incident Response Plans.116 If it does, the division’s Chief Security Officer is required to contact the FBI’s Enterprise Security Operations Center. After-hours reporting procedures are the same as normal business hours procedures because the Enterprise Security Operations Center is staffed 24 hours a day, 7 days a week. The center should implement the procedures in the Incident Response Plans and notify DOJCERT via the Archer Database. Incidents reported to the center should also be tracked in the FBI’s Security Information Management System. Quarterly reports generated from this system are provided to the FBI’s CIO. Chart 17 shows the FBI’s procedures for reporting all computer security incidents, including those involving sensitive, PII, and classified information.

Chart 17: Flowchart of the FBI’s Procedures for Reporting All Computer Security Incidents, Including Sensitive, PII, and Classified (Includes After-Hours Reporting Procedures)

[Image Not Available Electronically]

FBI officials told us that the Security Compliance Unit and the Enterprise Security Operations Center are supposed to routinely discuss information security incidents with each other and the actions each section will take to respond to those incidents. However, according to one official, these discussions do not always occur within the timeframes established in the Incident Response Plans. The Security Compliance Unit is not involved in the communications between the center and DOJCERT.

Indications of Compliance with Reporting Procedures

Lost Electronic Device Reporting Procedures

The FBI was not in full compliance with DOJCERT’s reporting requirements for lost electronic devices. The requirements in the Security Policy Manual (issued by the FBI Security Division) for reporting losses of electronic devices are not consistent with the requirements in the FBI’s Incident Response Plans (issued by the Enterprise Security Operations Center). In reviewing the information the FBI provided to us and the information we analyzed from the Archer Database, we noticed a discrepancy between the number of lost electronic devices that had been reported to the Security Compliance Unit and the number of lost electronic devices that had been reported to the Enterprise Security Operations Center (which is required to report all computer security incidents to DOJCERT).

For the period from December 2005 through November 2006, FBI employees reported 35 lost or stolen laptops to the Security Compliance Unit, but reported only 7 lost or stolen laptops to the Enterprise Security Operations Center, and therefore to DOJCERT.117 We asked the FBI to explain the discrepancy, and officials stated that, prior to the release of OMB Memorandum M-06-16 in June 2006, the FBI did not realize that all losses of electronic devices were considered reportable incidents as defined by DOJCERT’s Incident Response Plan template. Previously, the FBI relied on Chapter 22 of its Security Policy Manual, dated April 2006, which addresses the reporting procedures for loss of portable electronic devices. This policy requires FBI employees to report security violations involving portable electronic devices to the Security Compliance Unit and does not mention the Enterprise Security Operations Center.

Additionally, we noted that although the FBI stated it did not realize that all losses of electronic devices were considered reportable incidents as defined by DOJCERT’s Incident Response Plan template, the FBI’s January 2006 Incident Response Plan for unclassified systems required FBI IT security staff to report thefts of computer assets to the Enterprise Security Operations Center.

The OIG recently released an audit that found deficiencies in the FBI’s procedures for reporting the loss of laptops, including failure to report those incidents in a timely manner.118 In response to a recommendation in that audit, the FBI agreed to revise its policies and to develop additional guidance for reporting incidents to DOJCERT.

Classified Reporting Procedures

The FBI was not following the chain-of-command reporting procedures for reporting of classified computer security incidents. Between December 2005 and November 2006, FBI employees reported 107 classified computer security incidents to the Security Compliance Unit. Our analysis of data from the Archer Database showed that the Enterprise Security Operations Center reported 35 classified computer security incidents to DOJCERT.119 However, the Department’s Security and Emergency Planning Staff (SEPS) did not receive any reports of classified computer security incidents from the FBI during that same time period.

The Department’s Definition of a Reportable Classified Incident. The Department’s Security Program Operating Manual (SPOM) requires all components to report “any incident involving a possible loss, compromise, or suspected compromise of classified information” immediately to the Department Security Officer, who is the Director of SEPS.120 The SPOM identifies nine categories of reportable classified incidents meeting this definition including:

Classified Incidents Reported to the Security Compliance Unit. The Security Compliance Unit uses the FBI’s Security Policy Manual to define a classified incident as “a failure to safeguard FBI classified and sensitive material according to FBI policies, Executive Order 12958, and Director of National Intelligence Directives.”122 The FBI’s Security Policy Manual identifies eight categories of reportable classified incidents meeting this definition including:

We noted that the Security Policy Manual’s definition of reportable classified incidents was nearly identical to the SPOM’s definition of reportable classified incidents. Even though the SPOM requires components to report classified incidents to SEPS, the FBI stated that it was unaware of any FBI policy requiring it to notify SEPS. However, the FBI also directed us to another passage from its Security Policy Manual, which requires the FBI to notify the Director of National Intelligence of:

a significant security violation or a compromise of intelligence information that is either extensive in scope, indicates pervasive breach of security procedures, or is otherwise likely to have a serious effect on national security interests. This notification is to be made through the AD [Assistant Director], Security Division, to the Department of Justice Security Officer.124

The OIG recognizes that not all classified incidents will meet the “significant” standard that requires reporting to the Director of National Intelligence, as outlined in § 17.10 of the Security Policy Manual. However, because the FBI’s general definition of a classified security incident, found in §§ 17.3 and 17.4 of the Security Policy Manual, matches the Department’s definition, the FBI should be reporting all of these incidents to SEPS as required by the SPOM. As noted above, the Security Compliance Unit’s role is to track all reported security incidents in a database, and provide monthly reports to the Section Chief of the Security Operations Section in FBI Headquarters. FBI policy does not require the Security Compliance Unit to report any computer security incident to any entity outside the FBI, including SEPS.

Classified Incidents Reported to the Enterprise Security Operations Center. The Enterprise Security Operations Center defined a classified incident as “an event where an individual gains logical or physical access without permission or a ‘need to know’ to a network, system, application, data, or other resource that contains National Security Information,” and stated that the loss of an electronic device or media (such as a laptop, CD, or flash drive) or the placement of information “on a lower level medium than it is intended for” also constituted a classified incident.125 As noted above, the Enterprise Security Operations Center is required to report computer security incidents to DOJCERT.

The FBI stated that the Enterprise Security Operations Center had mistakenly believed that DOJCERT was a subcomponent of SEPS. As a result, the FBI believed that reporting classified computer security incidents to DOJCERT constituted reporting them to SEPS.126 Between December 2005 and November 2006, the Enterprise Security Operations Center reported 35 classified computer security incidents to DOJCERT.127

While this practice does not exactly match the requirements set out in the SPOM, DOJCERT provides SEPS the opportunity to review all data loss incidents, including classified incidents, via e-mail notification. We are more concerned that at least 72 classified computer security incidents which were reported to the Security Compliance Unit by FBI employees between December 2005 and November 2006 were not reported to either DOJCERT or SEPS.128

Timeliness of Reporting.

Our analysis of the Archer Database showed that the FBI was not always reporting computer security incidents, including PII, within the required timeframes specified in both the DOJCERT and FBI Incident Response Plans. Between December 2005 and November 2006, the FBI reported only 45 percent of its computer security incidents to DOJCERT within the required timeframes. Further, none of the PII incidents that occurred on or after July 12, 2006 for which we could determine timeliness were reported within the required 1-hour timeframe.129 Table 12 shows the FBI’s reporting in each category.130

Table 12: The FBI’s Timeliness in Reporting Incidents to DOJCERT

Category                                    Reporting    Incidents   Reported within   Reported after   Could not compute
                                            timeframe*   reported    timeframe         timeframe        timeliness**

Category 0 (Exercise/Test)                  None             0        N/A               N/A              N/A
Category 1 (Unauthorized Access)            1 hour          15          2                13                0
Category 2 (Denial of Service)              2 hours          1          0                 1                0
Category 3 (Malicious Code)                 1 day           42         14                28                0
Category 4 (Improper Usage)                 1 week         113         50                57                6
Category 5 (Scans/Probes)                   1 month         21         18                 3                0
Category 6 (Investigation)                  None            13        N/A               N/A               13
Category 7 (Spam)                           1 month          1          1                 0                0

Total                                                      206         85               102               19

PII incidents occurring on or after
7/12/06***                                  1 hour          26          0                25                1

* For purposes of this table, reporting timeframes for Categories 0-7 refer to the timeframes defined in the Incident Response Plan. Reporting timeframe for PII incidents refers to the timeframe defined in OMB Memorandum M-06-19.

** Some records did not include information to indicate when DOJCERT received the reports. Category 0 and 6 incidents, for which there are no reporting timeframes, are also included in this category.

*** PII incidents were reported in varying incident categories.

Source: Archer Database
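The timeliness analysis behind Table 12 is a straightforward computation once the rules are written down: each incident is judged against the timeframe for its DOJCERT category, PII incidents are judged a second time against the 1-hour rule from OMB Memorandum M-06-19 (only for incidents on or after July 12, 2006), and incidents in Categories 0 and 6, or with no recorded receipt time, are set aside as "could not compute." The following Python is an added example that reproduces that method; it is not part of the OIG report and not FBI or DOJCERT code. The incident records are constructed, and the field names, the use of 30 days for "1 month," and the choice of the detection timestamp as the start of the clock are assumptions, since the report does not state how DOJCERT measured the timeframes.

```python
"""Incident-reporting timeliness check, in the manner of the Table 12 analysis.

Added example: not part of the OIG report and not FBI or DOJCERT code. The
incident records are constructed; field names, "1 month" = 30 days, and the
detection timestamp as the start of the clock are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Reporting timeframes per DOJCERT category, as listed in Table 12.
# None means the category has no timeframe (Categories 0 and 6).
TIMEFRAMES: Dict[int, Optional[timedelta]] = {
    0: None,                    # Exercise/Test
    1: timedelta(hours=1),      # Unauthorized Access
    2: timedelta(hours=2),      # Denial of Service
    3: timedelta(days=1),       # Malicious Code
    4: timedelta(weeks=1),      # Improper Usage
    5: timedelta(days=30),      # Scans/Probes ("1 month"; 30 days assumed)
    6: None,                    # Investigation
    7: timedelta(days=30),      # Spam ("1 month"; 30 days assumed)
}

# OMB M-06-19: losses of PII reported within 1 hour, effective 12 July 2006.
PII_TIMEFRAME = timedelta(hours=1)
PII_EFFECTIVE = datetime(2006, 7, 12)

WITHIN, AFTER, UNKNOWN = "within", "after", "could_not_compute"


@dataclass
class Incident:
    ident: str
    category: int
    detected: datetime            # when the component detected the incident
    received: Optional[datetime]  # when DOJCERT logged it; None if not recorded
    pii: bool = False


def judge(inc: Incident, limit: Optional[timedelta]) -> str:
    """Classify one incident against one timeframe."""
    if limit is None or inc.received is None:
        return UNKNOWN
    return WITHIN if inc.received - inc.detected <= limit else AFTER


def summarize(incidents: List[Incident]) -> dict:
    """Per-category counts, the PII row, and the overall on-time share."""
    rows = {c: {WITHIN: 0, AFTER: 0, UNKNOWN: 0, "reported": 0} for c in TIMEFRAMES}
    pii_row = {WITHIN: 0, AFTER: 0, UNKNOWN: 0, "reported": 0}
    for inc in incidents:
        row = rows[inc.category]
        row["reported"] += 1
        row[judge(inc, TIMEFRAMES[inc.category])] += 1
        # PII incidents are scored again against the 1-hour rule, whatever
        # category they were filed under; incidents that predate M-06-19 are
        # not scored against it (footnote 129).
        if inc.pii and inc.detected >= PII_EFFECTIVE:
            pii_row["reported"] += 1
            pii_row[judge(inc, PII_TIMEFRAME)] += 1
    within = sum(r[WITHIN] for r in rows.values())
    after = sum(r[AFTER] for r in rows.values())
    computable = within + after
    return {
        "categories": rows,
        "pii": pii_row,
        "within": within,
        "after": after,
        "could_not_compute": sum(r[UNKNOWN] for r in rows.values()),
        # Share of computable incidents reported on time; Categories 0 and 6
        # and records with no receipt time are excluded (footnote 130).
        "pct_within": round(100 * within / computable) if computable else None,
    }


# Constructed sample records (not real Archer Database entries).
T0 = datetime(2006, 9, 1, 9, 0)
SAMPLE = [
    Incident("A", 1, T0, T0 + timedelta(minutes=40)),           # within 1 hour
    Incident("B", 1, T0, T0 + timedelta(hours=3), pii=True),    # after; PII after
    Incident("C", 3, T0, T0 + timedelta(hours=20)),             # within 1 day
    Incident("D", 4, T0, None, pii=True),                       # no receipt time
    Incident("E", 4, T0, T0 + timedelta(days=9)),               # after 1 week
    Incident("F", 6, T0, T0 + timedelta(days=2)),               # no timeframe
    Incident("G", 5, datetime(2006, 6, 1), datetime(2006, 6, 5), pii=True),  # PII before M-06-19
]

if __name__ == "__main__":
    s = summarize(SAMPLE)
    for cat, row in s["categories"].items():
        if row["reported"]:
            print(f"Category {cat}: {row}")
    print("PII (on/after 7/12/06):", s["pii"])
    print(f"{s['pct_within']}% of computable incidents reported within timeframe")
```

The same denominator rule the OIG used applies here: the on-time percentage is computed over incidents that could be scored, so a reporting office cannot improve its figure by omitting receipt timestamps, but the "could not compute" count is carried alongside so that gap stays visible.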

The FBI is aware of the Department requirement to report all incidents involving PII loss within 1 hour and has incorporated that requirement into its four Incident Response Plans. However, one FBI official stated that the Department’s guidance concerning PII “is clear as mud.” The FBI has raised concerns about this timeframe with the Department’s CIO and asked for clarification. Specifically, the FBI told us it asked the Department to more clearly define the action that should trigger the 1-hour timeframe. An Assistant Special Agent in Charge assigned to a large field division told us that the 1-hour timeframe is “very difficult, if not impossible, to meet on a practical basis” and further noted that his particular office is so large that “I couldn’t find someone within 1 hour if my life depended on it.” The FBI would like the Department to work with the components to develop criteria and thresholds for reporting incidents involving PII loss so that the components can better determine which incidents may be serious enough to warrant reporting.

While the FBI is aware of the Department requirement to report all potential losses of PII within 1 hour, not all FBI employees had been notified of the requirement as of the end of 2006. For example, one Assistant Special Agent in Charge stated that, at the end of 2006, knowledge of the requirement was inconsistent in his field division, with employees in the sections that handle large amounts of PII, such as the White Collar Crime Section, aware of the requirement and employees in other sections, such as the Counterterrorism Section, not likely to be aware. The Assistant Special Agent in Charge also expressed concern that employees might not realize the urgency of the situation when an incident involving PII loss occurs.

Ensuring All Incidents Are Reported

The FBI said that it conducts training to ensure that employees are aware of the requirement to report computer security incidents, including those involving PII loss. The FBI said that it administers the Department’s annual Computer Security Awareness Training to remind employees of the requirement to report computer security incidents. The requirement is also included in the Information Technology Rules of Behavior, which employees are required to sign. The Computer Security Awareness Training has been updated to include the requirement that losses of PII be reported within 1 hour. FBI employees were scheduled to take this annual training between January 2007 and April 2007. An official in the FBI’s Security Division noted that the division always sees a spike in reported incidents immediately after employees complete their annual training. All of the FBI staff with relevant responsibilities whom we interviewed agreed that, beyond conducting training to ensure that all employees are aware of the requirement to report security incidents, there is no way to guarantee that every incident is properly reported. Employees are also reminded that failure to report a security incident is, in itself, a security incident. However, one Assistant Special Agent in Charge noted that employees may delay reporting a lost or stolen device because they fear the possibility of punishment. In addition to training, FBI staff identified the annual property inventory as a method of verifying whether all lost or stolen electronic devices were reported.

Notification to Affected Parties

The FBI has not developed policies concerning notification to affected parties in the event of a loss of PII.

Determining the Type of Data Lost

The FBI said that it determines the type of data lost through written questions and employee interviews. The Security Compliance Unit is supposed to review the initial report of the incident and send a series of questions to the Chief Security Officer. The Security Compliance Unit said that it began specifically asking about the loss of PII after that type of loss became an important issue for the government, although no written FBI policy requires the unit to obtain that information. Using the questions provided by the Security Compliance Unit, the Chief Security Officer is supposed to interview the employee reporting the loss to determine what type of information the device may have contained. Based on the employee’s response, the Chief Security Officer should facilitate communication between the employee, the employee’s supervisor, and the appropriate division in FBI Headquarters to conduct a damage assessment of the incident.131 In addition, the Enterprise Security Operations Center can review server log-in records and e-mail servers to determine when an employee last logged in and which files the employee accessed during that time.



Footnotes
  108. As of January 31, 2007, the loss of PII has been confirmed in 1 of the 43 incidents. The remaining 42 incidents involve potential losses of PII.

  109. 5 U.S.C. § 552a.

  110. FBI Security Policy Manual, POL05-0001-SecD, revised April 3, 2006.

  111. The procedure defined in the Incident Response Plans is the same in each of the four plans.

  112. Each FBI field division and each division within FBI Headquarters has a Chief Security Officer.

  113. Subsequent to FBI Special Agent Robert Hanssen’s arrest for espionage, the Commission for the Review of FBI Security Programs was formed. As a result of a recommendation from the Commission, the FBI established the Security Compliance Unit at FBI Headquarters in 2003 to coordinate and oversee all information and physical security compliance activity and violations. FBI employees, contractors, and task force members are required to report all types of security incidents, including data loss incidents and losses of PII, to the Security Compliance Unit.

  114. The five categories are Information Technology Security, Technical Security, Personnel Security, Physical Security, and Control/Loss of Documents.

  115. Incidents in these seven categories can be caused by either internal sources (threats that originate inside the FBI) or external sources (threats that originate outside the FBI). Threats caused by internal sources are reported to both the Security Compliance Unit and the Enterprise Security Operations Center. Threats caused by external sources are reported only to the Enterprise Security Operations Center.

  116. Some FBI divisions have an Information Systems Security Officer who makes this initial determination. If this is the case, the Information Systems Security Officer notifies both the division’s Chief Security Officer and DOJCERT. However, for budgetary reasons, not all divisions have an Information Systems Security Officer.

  117. One of the laptops that was reported to the Security Compliance Unit was a classified laptop.

    FBI officials told us that 35 lost or stolen laptops were reported to the Security Compliance Unit. We reviewed data from DOJCERT’s Archer Database and determined that seven lost or stolen laptops had been reported to the Enterprise Security Operations Center and to DOJCERT. We did not verify the information from either of these sources.

  118. OIG, The Federal Bureau of Investigation’s Control Over Weapons and Laptop Computers Follow-Up Audit, Audit Report 07-18, February 2007.

  119. We did not conduct a case file review to determine whether the 35 classified computer security incidents reported to the Enterprise Security Operations Center were among the 107 classified computer security incidents reported to the Security Compliance Unit.

  120. Security Program Operating Manual, § 1-300. The Security Program Operating Manual is written by SEPS and applies to the entire Department.

  121. Security Program Operating Manual, § 1-302.

  122. FBI Security Policy Manual, § 17.3.

  123. FBI Security Policy Manual, § 17.4.

  124. See FBI Security Policy Manual, § 17.10. The FBI also told us that computer security incidents meeting this standard are defined as “loss or compromise of information storage media or equipment containing intelligence information of such quantity or sensitivity as to potentially jeopardize intelligence activities, sources or methods.”

  125. The placement of information “on a lower level medium than it is intended for” is commonly referred to as a classified spill.

  126. As noted earlier, both DOJCERT and SEPS are part of the Justice Management Division. However, the offices are in separate chains of command. DOJCERT reports to the Department’s CIO, who reports to the Assistant Attorney General for Administration. SEPS reports to the Deputy Assistant Attorney General for Human Resources/Administration, who also reports to the Assistant Attorney General for Administration. See JMD’s organizational chart at www.usdoj.gov/jmd/orginfo/chart.htm.

  127. The FBI stated in a February 2007 e-mail sent to the OIG that it now understands that SEPS and DOJCERT have different, but complementary, missions and that the FBI should make overlapping reports of classified computer security incidents.

  128. We did not conduct a case file review to determine whether or not the 35 classified, IT-related security incidents reported to the Enterprise Security Operations Center were among the 107 classified, IT-related security incidents reported to the Security Compliance Unit.

  129. We did not analyze incidents for timeliness that occurred before OMB established the 1-hour timeframe in July 2006. Additionally, we could not analyze one incident that occurred after OMB established the 1-hour timeframe because there was no information in the Archer Database to indicate when DOJCERT received the report.

  130. Our calculations are based on Categories 1 through 5 and Category 7. We did not include incidents found in Categories 0 and 6 because they had no associated time criteria, nor did we include incidents for which the Archer Database contained no information to indicate when DOJCERT received the report that an incident had occurred.

  131. For example, if an employee states that a stolen laptop contained information related to a violent crime case still under investigation, the Chief Security Officer will help the employee and the supervisor arrange a meeting with someone from the Violent Crimes Unit at FBI Headquarters to determine if the theft of the laptop could have an impact on the ongoing investigation.


