Compliance with Standards Governing Combined DNA Index System Activities at the Nebraska State Patrol Crime Laboratory
Report No. GR-60-04-009
Office of the Inspector General
The Office of the Inspector General, Audit Division, has completed an audit of compliance with standards governing Combined DNA Index System (CODIS) activities at the Nebraska State Patrol Crime Laboratory (Laboratory).1 The Federal Bureau of Investigation (FBI) began the CODIS Program as a pilot project in 1990. The DNA Identification Act of 1994 (Public Law 103-322) formalized the FBI's authority to establish a national DNA index for law enforcement purposes. The Act specifically authorized the FBI to establish an index of DNA identification records of persons convicted of crimes, and analyses of DNA samples recovered from crime scenes. The Act further specified that the index include only DNA information that is based on analyses performed in accordance with standards issued by the FBI.
The FBI implemented CODIS as a distributed database with three hierarchical levels that enables federal, state, and local crime laboratories compare DNA profiles electronically. The National DNA Index System (NDIS) is the highest level in the CODIS hierarchy and enables the laboratories participating in the CODIS Program to compare DNA profiles on a national level. The NDIS became operational in 1998 and is managed by the FBI as the nation's DNA database containing DNA profiles uploaded by participating states. DNA profiles originate at the local level, flow to the state and national levels, and are compared to determine if a convicted offender can be linked to a crime, or if crimes can be linked to each other.
The FBI provides CODIS software free of charge to any state or local law enforcement laboratory performing DNA analysis. A laboratory's profiles have to be uploaded to NDIS before they benefit the system as a whole. Before a laboratory is allowed to participate at the national level a Memorandum of Understanding (MOU) must be signed between the FBI and the applicable state laboratory. The MOU defines the responsibilities of each party, includes a sublicense for the use of the CODIS software, and delineates the standards laboratories must meet in order to utilize NDIS.2
The objective of the audit was to determine if the Laboratory was in compliance with standards governing CODIS activities. Specifically, we performed testing to determine if the: 1) Laboratory was in compliance with the NDIS participation requirements; 2) Laboratory was in compliance with the quality assurance standards issued by the FBI; and 3) Laboratory's DNA profiles in CODIS databases were complete, accurate, and allowable.
We determined that the Laboratory was in compliance with the standards governing CODIS activities with one exception. Specifically, we noted that 2 of the 100 convicted offender profiles reviewed were unallowable for inclusion in NDIS. Laboratory officials agreed with our finding and provided documentation demonstrating that the two unallowable profiles were removed from NDIS on May 20, 2004. We made one recommendation to address the Laboratory's compliance with standards governing CODIS activities, which is discussed in detail in the Findings and Recommendations section of the report. Our audit scope and methodology are detailed in Appendix I of the report and the audit criteria is detailed in Appendix II of the report.
In addition, our audit disclosed that the Laboratory did not store backup tapes of CODIS-related information at an off-site location as part of its disaster recovery plan. While on-site storage of backup tapes may be acceptable when proper precautions are undertaken, in our judgment, it is preferable to store CODIS backup tapes in a secure location away from the Laboratory to better protect against the loss of data if a disaster were to occur. Laboratory officials agreed with our observation and stated they were working on a plan to begin storing the CODIS backup tapes at a secure off-site location. This issue is discussed in the Other Reportable Matters section of the report since it is not directly related to compliance with standards governing CODIS activities.
We discussed the results of our audit with Laboratory officials and have included their comments in the report as applicable. In addition, we requested a written response to a draft of our audit report from the FBI and the Laboratory. The FBI stated that it would review our recommendation to determine what, if any, further action is warranted. The Laboratory did not provide a written response.