The Joint Automated Booking System
Audit Report 05-22
Office of the Inspector General
The Joint Automated Booking System (JABS) is a computer system that helps federal law enforcement agencies book, identify, and share information quickly about persons in federal custody. The U.S. Department of Justice (Department) developed JABS to support its law enforcement agencies in carrying out the Department's mission.
The purpose of this audit was to assess the extent to which the JABS program was meeting its stated goals and to examine the status of implementation of JABS. Our audit focused on efforts to implement JABS from the time component representatives formally signed onto the project in May 1999 through November 2004. Our specific audit objectives, scope, and methodology are more fully addressed in Appendix I.
In 1993 the Department began assessing the feasibility of automating booking procedures in a way that could meet the needs of several of its law enforcement components, rather than having each organization develop its own unique system. The organizations included the Federal Bureau of Investigation (FBI), the Drug Enforcement Administration (DEA), the United States Marshals Service (USMS), and the Bureau of Prisons(BOP). JABS now also serves the Department of Homeland Security (DHS), which assumed the duties of the former Immigration and Naturalization Service (INS) in March 2003 when it was transferred to the DHS from the Justice Department, and the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) which transferred into the Department of Justice in January 2003.
The ATF, FBI, and DEA investigate crimes, arrest criminal suspects, and work with the U.S. Attorney's Offices and other federal, state, and local agencies to coordinate criminal investigations. The USMS apprehends fugitives, protects the federal judiciary, and provides for the confinement, transportation, and processing of defendants. This responsibility for defendants makes the USMS the central agency of contact for virtually all federal offenders, regardless of local variations in how offenders are processed or where they are confined. The exception to this rule is persons detained by the DHS on immigration violations, who are not charged with crimes but are denied admission to the United States, and who are generally not brought to the USMS for arraignment and detention. The BOP confines convicted offenders and many pre-trial defendants. All of these agencies book people they detain or arrest, and the BOP commits offenders to its facilities.
Law enforcement agencies book offenders by collecting fingerprints and photographs, and recording information about the arrest and charges, and the person's identity, address, physical description, and other information, which will be referred to as biographical data in this report. A single arrest may involve as many as three distinct bookings, during which the arresting agency, as well as the USMS and the BOP, may all capture photographs, fingerprints, and biographical data. The diagram below illustrates the stages in the processing of a federal offender.1
Federal Offender Processing
Federal offenders are generally booked first by the arresting agency, which then takes the person to the USMS location, usually a cell block near a federal court. Offenders may also be brought directly to a USMS location, rather than to the arresting agency site, so the first booking in the diagram may not occur.2
The USMS books the person a second time, recording much of the same information again in its legacy data system, the Prisoner Tracking System (PTS). The USMS is responsible for the person's confinement and transportation pending arraignment and other court proceedings. Those who are convicted and sentenced to incarceration are booked a third time, recording much of the same information that has already been recorded once or twice, at the BOP facility at which they begin their sentence. The BOP enters data into its legacy data system, SENTRY.
Prior to JABS implementation, information was recorded manually on hard-copy forms in some agencies. In others, a data system was used to record at least some of the information. Data captured on paper and in a system limited to each agency made it difficult to share information among federal law enforcement agencies. The arresting agencies completed hard-copy forms to bring to the USMS detention facility when the offender was transferred to USMS custody.
In all Department of Justice components, fingerprints were recorded on hard-copy forms (Form FD-249), and sent by mail to the FBI for fingerprint identification services. Arresting officers generally had to take the offender's fingerprints several times to create multiple fingerprint cards that were used for various purposes. Agencies normally received identification responses from the FBI several weeks after submitting the fingerprint cards. In addition, the fingerprint card might be rejected by the FBI as unusable for identification because of poor quality. In these cases, weeks could have passed before the arresting officer was aware there was a problem with the fingerprint quality.
Recognizing the labor intensive and redundant nature of the booking process, the Department established the Joint Automated Booking Station Pilot Project in 1993 to study the feasibility of automating the booking process and sharing data between agencies. The Pilot Project, which began operating in February 1996, took place at eight sites in the Southern District of Florida.
The JABS pilot operated on commercial hardware and software components, including local servers, client workstations, cameras, printers, and digital fingerprint scanners on local area networks (LANs) at the DEA, FBI, USMS, INS, and BOP. The LANs were connected to a central JABS server at the DEA's Miami Field Office. Arresting agencies entered fingerprints, photographs, and biographical information to create an electronic record that was sent to the central server. When the offender was transferred to USMS custody, the USMS could retrieve the existing record from the central server, and review, supplement, and print the existing information. The USMS also created a separate record of the arrest in its legacy data system, the PTS.
A National Institute of Justice evaluation of the JABS Pilot Project published in Fiscal Year (FY) 1997 reported that the project successfully demonstrated that automated bookings saved time, agencies could re-use data originated by another agency, digitized fingerprints could be submitted to the FBI, and a set of common data elements could be used by the participating agencies. The evaluation recommended that a national JABS initiative be developed and the pilot be continued to validate and refine requirements and re-engineered processes, including the electronic forwarding of fingerprints to the FBI and the interfacing of JABS with components' legacy data systems. The interface direction proposed throughout the evaluation report would migrate data from the common point of entry, JABS, into component legacy systems.
The pilot system was terminated when planning for a national system for the Department began in May 1999 and the server for the Pilot Project failed in July 1999.
The project to implement JABS nationwide began in May 1999 when representatives of the Department's law enforcement components signed the JABS Boundary Document, which established high-level requirements for a nationwide JABS. At the same time, efforts began on the central JABS system. Agencies were to be linked to the Core JABS and deployed incrementally as they were prepared to move forward.
The Boundary Document stated the mission of JABS was to: 1) automate the booking process, 2) enable each law enforcement organization to share and exchange booking information, and 3) establish a federal offender tracking system. It presented the environment illustrated in the following graphic, which generally reflects the environment in place during our audit.
JABS is composed of two components: the Core JABS, labeled JABS on the diagram above, and each participating agency's Automated Booking System (ABS). The entity on the diagram labeled EFIPS/IAFIS represents communications between the Core JABS and the FBI's fingerprint system, the Electronic Fingerprint Image Print System (EFIPS)/Integrated Automated Fingerprint Information System (IAFIS). The segment in the diagram above labeled Browser represents the JABS Query Tool, which is part of the Core JABS, but will be discussed in this report as a separate entity because it performs a specialized function and users access it through web browsers, independently from their ABS.
With the ABS, officers use automated booking stations to capture fingerprints and photographs in digital form. These, along with arrest and personal information, are formatted and transmitted electronically through the central JABS server to IAFIS. IAFIS matches the JABS data against FBI information to positively identify offenders and responds quickly to the submitting officer, through JABS, with identifying information about the person.3 The information stored in the national JABS database is available using a web browser for querying, viewing, and printing by authorized JABS users.
Core JABS - The Core JABS is the central processing component that communicates with participating agencies, validates and manages transactions to and from the FBI's IAFIS, stores booking data that can be queried by users, and generates standard reports upon request. The Core JABS uses communications services provided by the Department's Justice Consolidated Network (JCN).
Agency Automated Booking System (ABS) - The JABS architecture was built on the assumption that each participating agency would implement an automated booking system within its own existing or planned technology infrastructure. Each agency has its own version of an automated booking station, all of which:
During our audit, interfaces existed between the ABS and legacy systems at the ATF, BOP, USMS, and DHS. In each agency, the legacy system serves as the initial point of data entry. Data elements common to both are migrated from the legacy systems to the ABS. Agencies then enter any additional data elements required by JABS, and capture fingerprints and photographs.
After an agency creates a booking record, the ABS formats the data into a "package," and the information is transmitted to the Core JABS. A booking package is an electronic compilation of biographical, photographic, and fingerprint information on an offender that is created in a component's automated booking system. The packages are transmitted as attachments to e-mail messages. The BOP, DEA, USMS, and DHS send and receive JABS transactions through the agency's communications networks, as reflected in the diagram on page 5. FBI field offices use stand-alone booking stations with dial-up connections to the DOJ network to communicate with JABS.4 The ATF uses a version of JABS that had not been implemented during our site visits. This version sends transmissions through secure web connections.
Query Tool - The part of the diagram labeled Browser represents the JABS Query Tool. Booking records are stored in a central data repository that is available to authorized users for generating reports, and searching, downloading, and printing booking records. Users connect to the Query Tool using a web browser interface.
To achieve implementation of the nationwide JABS, the Department established a Board of Directors, an Advisory Group, and a Program Management Office. The current administrative structure for JABS is presented in the following organizational chart.
The JABS Organizational Structure
The Department's Deputy Assistant Attorney General for Information Resources Management, who is also the Chief Information Officer (CIO) for the Department, chairs the JABS Board of Directors. The CIO reports to the Assistant Attorney General for Administration, who heads the Justice Management Division. As the chair of this Board, the CIO is charged with facilitating consensus building among the participating components and functioning as the liaison between the Program Management Office and the Board.
The Board consists of senior level officials from the ATF, BOP, DEA, FBI, USMS, and DHS. It provides executive level policy and program guidance to the JABS Program Management Office, reviews and approves proposed changes to system requirements, and approves high-level documents, such as the JABS Systems Boundary Document, Concept of Operations, and System Design Document.
The JABS Advisory Group (JAG) consists of technical representatives appointed by the participating components. Members are expected to be thoroughly familiar with the system and have extensive knowledge of the booking process and associated technologies. The JAG is intended to ensure that communication occurs within participating components and that JABS meets user requirements and expectations. A subgroup of the JAG, the Security Working Group, consists of representatives from the BOP, DEA, FBI, and USMS. The members identify security requirements and solutions and perform reviews to ensure that JABS meets security standards. Both groups are chaired by members of the JABS Program Management Office.
The JABS Program Management Office is located within the CIO's Enterprise Solutions Staff. The Enterprise Solutions Staff manages and oversees critical information technology projects to meet cost, schedule, and performance goals. The Program Management Office functions as the system integrator for JABS, putting together components from different sources to build the system, with policy direction from the JABS Board of Directors. The Program Management Office also performs centralized monitoring and oversight, and provides a centralized budget function to ensure the deployment of both JABS and the component's automated booking capabilities. Specific responsibilities of the Program Management Office are to:
The Program Management Office consists of an Acting Program Manager and four full-time Department employees, although the staffing allocation for FY 2004 was 7 full-time staff equivalents. In addition, the Program Management Office contracts for the services of 19 full-time and 3 part-time staff. The Program Management Office, including contract staff, consists of individuals with expertise in areas including information technology and security, systems administration, law enforcement, project and financial management, and training.
The Program Management Office also coordinates services provided by the Justice Data Center. Core JABS operates on equipment housed at the Justice Data Center located in the Washington, D.C. metropolitan area (JDC-W). The Computer Services Staff at the JDC-W provides air conditioned space, physical security, and backup services, including offsite tape storage. The Network Service Center (NSC), which is part of the Telecommunications Services Staff of the JDC-W, monitors and resolves communications problems with the Department's communications network and serves as the first point of contact for user calls to a help desk. For problems not based in network communications, the NSC forwards trouble tickets to one of the JABS support contractors.
The Program Management Office has established four contracts to provide support for JABS development and operations. One contract supports 18 contract staff who provide administrative and operations support in developing and maintaining documents such as project management plans, budgets, risk management plans, configuration management plans, quality assurance plans, and user and system requirements. This contract also supports daily administrative activities, including status reporting, financial accounting services, deployment of booking stations, and user enrollment and training. The value of this contract is $1.8 million.
Technical system support is acquired through a $3.2 million contract with another firm that designed, developed, and maintains the current version of the Core JABS, provides operations support for the Core JABS at the JDC-W, and resolves trouble tickets forwarded by the NSC. The contractor also designed, developed, and provides operational and maintenance support for components' automated booking systems.
The JABS security program is supported through an $800,000 contract that provides technical support on security requirements, security plans, contingency plans, security test plans, and certification and accreditation documents. The contractor independently validates security designs developed by other contractors and conducts security testing to ensure compliance with federal, Departmental, and program security requirements.
The fourth contract requires the contractor to design, develop, and deploy a web-based architecture for the Core JABS to serve as the platform for future improvements. This will include providing a web browser-based booking station capability. This contract was initially valued at about $522,000, and was awarded to the same contractor that provides technical support for security issues.
All of the Department's law enforcement components participate in JABS to record bookings and the BOP records commitments to BOP facilities. A few users in other Department components have access to search the central database, including a U.S. Attorney's Office and the U.S. Probation Office.
Other federal law enforcement agencies are permitted to become JABS users also. As of September 2004, users from outside the Department of Justice included the Department of Homeland Security (DHS), the U.S. Army Military Police, and the National Institutes of Health Police.6 These other agencies perform very small numbers of transactions, with the exception of the DHS.
The DHS is the largest participating agency outside the Department. The DHS's Bureau of Customs and Border Protection (CBP) and Bureau of Immigration and Customs Enforcement (ICE) assumed the border and enforcement duties of the former INS on March 1, 2003. The JABS Program Management Office was initially responsible for providing equipment and services to the INS, as with other Department components. Beginning in July 2001, the JABS Program Management Office was no longer responsible for program services to the INS, as a separate program office assumed responsibility for coordinating services to the INS.7 The new program office was established to support a project specifically concerned with building capability for the INS and FBI to share fingerprint data (the IDENT/IAFIS integration project). Also, with the transfer of the INS to the DHS in March 2003, the DHS became responsible for funding its own equipment costs for JABS.
The JABS program evolved at roughly the same time as serious problems surfaced regarding the lack of integration between fingerprint systems operated by the INS and the FBI.8 The Department established a project to integrate the two systems, which were the INS's Automated Biometric Identification System (IDENT), based on 2 fingerprints, and the FBI's IAFIS, which uses 10 fingerprints. In September 2002, the INS began deploying its JABS-compatible ABS, which it called IDENT/IAFIS. Multiple versions of this ABS have added functionality incrementally, to the point at which the IDENT/IAFIS ABS has been integrated with the DHS legacy data system, ENFORCE. The DHS currently uses JABS as the link between border officials and the FBI's fingerprint identification services, which DHS representatives told us currently supports part of the IDENT/IAFIS project.
The JABS Program Management Office and participating agencies enter into Service Level Agreements defining their roles and responsibilities. As of September 2004, agreements had been established with the ATF, BOP, DEA, FBI, and USMS. According to these agreements, the Program Management Office is responsible for providing:
Responsibilities of the user agencies include:
Funding for JABS has been provided from congressional appropriations, the Department's Working Capital Fund, and the Asset Forfeiture Fund. Total funding for the nationwide project for FY 1999 through FY 2004 was about $82,670,000.
As originally conceived in 1998, JABS was anticipated to have total developmental costs of $160 million from FY 2000 through FY 2004. These costs were based on plans for a distributed architecture consisting of 94 local servers (one for each judicial district), connected to 6 regional servers, with redundancy provided by back-up servers. Each regional server would contain all the information for the individual servers in its region and would be used to submit fingerprint packages to IAFIS. However, this architecture was never implemented. The FY 2000 appropriation for the JABS program was significantly reduced from the FY 1999 level, and uncertainty regarding future funding contributed to a slow-down in progress. By the time the funding level was restored for FY 2001, the architecture had been redesigned to take advantage of technical advances on the Department's communications network and web technology that would support a central database. The revised centralized architecture permitted a significant reduction in current costs.
In September 1998, the OIG issued an audit of the Department's Joint Automated Booking System Laboratory (Report No. 98-28). The audit identified significant weaknesses in the management and planning for JABS. Specifically, the audit found that the Pilot Project did not meet its original schedule for completing its operational testing. As a result, two Department agencies, the DEA and USMS, developed their own automated booking stations. The audit also identified project management and security weaknesses that needed to be addressed to ensure they were not replicated in the nationwide system planned for development. Corrective action on the audit recommendations was completed in January 2000.
In March 1999 the OIG issued another audit report (Report Number 99-06), which focused on selected computer security controls in the JABS pilot system to determine whether those controls protected the system and its sensitive data from unauthorized use, loss, or modification. The audit found several system weaknesses, including significant lapses in security surrounding password usage, and dormant accounts that were still active after 180 days of non-use. This audit was closed in January 2000 based on the termination of the Pilot Project.