Processing Classified Information on Portable Computers in the Department of Justice
Audit Report 05-32
Office of the Inspector General
This Office of the Inspector General audit examines the policies and practices in the Department of Justice (DOJ or Department) regarding classified information on portable computers. Our audit objectives were to: (1) review the Department's policies and practices concerning the storage of classified information on portable computers, and (2) determine whether more effective practices could be adopted by the Department to enhance the ability to process classified information on portable computers while adequately safeguarding the information.
To accomplish our objectives, we interviewed the Department's Deputy Chief Information Officer; the Assistant Director of the Security and Emergency Planning Staff (SEPS); and information technology (IT) security personnel from the Drug Enforcement Administration (DEA), the Federal Bureau of Investigation (FBI), and the Executive Office for United States Attorneys (EOUSA). In addition, we interviewed IT security personnel from the Central Intelligence Agency (CIA), the National Security Agency, the National Reconnaissance Office (within the Department of Defense), and the Department of Energy. We also analyzed both government-wide policy and DOJ policy as they relate to the processing of classified information on portable computers.
Three organizations have responsibility for developing government-wide policy related to the certification and accreditation of IT systems.1 The Federal Information Security Management Act (FISMA) delegates policy development and oversight to the National Institute of Standards and Technology (NIST) for information systems other than national security systems. Executive Order 13231, Critical Infrastructure Protection, requires the Committee on National Security Systems (CNSS) to develop policy over national security systems that store, process, or transmit classified information.2 In addition, Executive Orders 12333 and 12958 delegate to the CIA the responsibility for developing policy related to processing Sensitive Compartmented Information.3 Based on Executive Orders, the CNSS and the CIA are the ultimate authorities on how Classified National Security Information and Sensitive Compartmented Information are to be processed on computers within the DOJ and throughout the federal government. The policies developed by these organizations cover all IT systems, including portable computers.
DOJ Order 2640.2E establishes uniform policy, responsibilities, and authorities for the implementation and protection of the DOJ's IT systems that store, process, or transmit classified and unclassified information. The Office of the Chief Information Officer and SEPS developed policy based on authority derived from DOJ Order 2640.2E.
The Department's Chief Information Officer issued 18 Information Technology Security Standards for DOJ systems that process classified and unclassified information. The 18th standard, titled Information Technology Security Standard, Management Controls, 1.6 Classified Laptop and Standalone Computers Security Policy (Standard 1.6), established uniform IT security management controls for classified laptop (portable) and standalone computers storing, processing, or transmitting National Security Information in the DOJ.
Policy issued by SEPS, titled the Security Program Operating Manual (SPOM), provides guidance for the safeguarding of classified information. The SPOM applies to classified information, the facilities authorized to store the information, security controls, and security clearance requirements for employees.
Our audit disclosed areas where improvements can be made to the current DOJ policy and practices relating to storing, processing, or transmitting classified information on portable computers. Specifically, we found Standard 1.6 includes inappropriate and confusing references and is incomplete in providing guidance and instructions. Further, we identified innovative practices to improve the use of portable computers for processing classified information while adequately safeguarding classified information.
We identified three areas of concern with DOJ policy Standard 1.6. First, although Standard 1.6 was written to address the processing of classified information, it uses references to policies that do not apply to portable or standalone computers that process, store, or transmit classified information. For example, Standard 1.6 refers to Office of Management and Budget Circular A-130, Revised, (Transmittal Memorandum No. 4; Subject: Management of Federal Information Resources); Federal Information Processing Standards Publication 197, Advanced Encryption Standard (FIPS 197); DOJ Order 2620.7, Control and Protection of Limited Official Use Information; 5 CFR Part 930, Training Requirement for the Computer Security Act; and 18 U.S.C. 2510, Electronic Communications Privacy Act. These documents relate to unclassified information. Policies for systems that process unclassified information have no authority over systems that store, process, or transmit classified information and, therefore, should be omitted from the guidance. Inclusion of inappropriate references in this Standard may confuse employees and lead to implementation of incorrect practices.
Second, Standard 1.6 does not address the systems that process Classified National Security Information and Sensitive Compartmented Information separately, as those systems are subject to policies that are derived from different authorities. Despite unique and specific guidance regarding Classified National Security Information and Sensitive Compartmented Information, stipulated by Presidential delegated government-wide authorities, Standard 1.6 does not differentiate between the two types of information or provide separate processing requirements for information classified under these distinct designations.
Third, we found that Standard 1.6 includes incomplete guidance and instructions. For example, it states that classified portable computers may not be connected to external systems, networks, or communication devices. However, the Deputy Chief Information Officer informed us that classified portable computers can be connected to classified networks if the approval to do so is documented in the security plan for the certification and accreditation of the network. Standard 1.6 needs to be updated to clarify this exception.
Another example of incomplete guidance and instructions in Standard 1.6 concerns two of its attachments. Attachment 2 (Security Acknowledgment Statement for System Administrators) is not referred to in the body of the policy; therefore, its intended purpose and usage are unclear. Attachment 5 (Sample Classified Computer Usage Log) also is not referred to in the body of the policy and contains no instructions for its completion or the retention period for the log.
Increasing Efficiency When Processing Classified Information in Portable Computers
Our audit also identified several ways for the Department to more efficiently and economically store, process, and transmit classified information in portable computers.
Removable Hard Drives. Standard 1.6 allows for the use of portable computers with removable hard drives when processing classified information. However, it does not explicitly authorize the use of two hard drives, one for classified information and one for unclassified information, in a single portable computer. We asked officials from the EOUSA, DEA, and FBI: (1) if their agencies authorized the use of portable computers with removable hard drives, one to process classified and another to process unclassified on the same computer, and (2) if not, whether they would consider the feature worthwhile. Officials from all three agencies responded negatively to the first question. The responses to the second question varied among the agencies. EOUSA responded that the issue does come up and it would probably be worthwhile to pursue as long as users understand the applicable security requirements. The DEA responded that while the feature would have fiscal advantages, the risk of procedural errors, such as forgetting to exchange removable hard drives for the appropriate type of information processing, could negate the utility of interchanging hard drives. The FBI responded that the feature could be worthwhile, but it would need to evaluate any proposed use of removable hard drives based on the operational need, technical configuration of the system, and other mitigating factors through the certification and accreditation process.
We also contacted agencies outside of the DOJ to discuss their policies with respect to removable hard drives.4 Except for the Department of Energy, these agencies process both classified and unclassified information by using portable computers with two separate removable hard drives: one hard drive for processing classified information and the other for processing unclassified information.5
In our view, the use of removable hard drives is an area that the Department should consider.
Type Accreditations. The concept of type accreditations, defined by the Chief Information Officer in Standard 1.6 for portable and standalone computers, is an abbreviated accreditation process for classified portable and standalone computers that can be used in lieu of a full certification and accreditation process.6 The Chief Information Officer developed this approach to limit the unnecessary duplication of the full certification and accreditation requirements. However, Standard 1.6 does not document the process that DOJ components should use to request type accreditations for new computer configurations.
Encryption. Encryption of the hard drive is a safeguard required by the Committee on National Security Systems that can help protect classified information from unauthorized use if a portable computer or hard drive is lost or stolen. Encryption involves a set of mathematically expressed rules for rendering data unintelligible to an unauthorized user. Standard 1.6 does not explicitly require the use of the encryption standard specified by the Committee on National Security Systems.
Limited Data on Hard Drives. DOJ components can reduce the risk of unauthorized access to classified information while the portable computer is in transit by limiting the amount of classified information on the hard drive to the minimum amount of information necessary to accomplish the mission.
System Administrator Alerts. Connecting a classified computer to the Internet increases the risk that unauthorized users may access classified information. A computer's operating system can be programmed to send a message to the system administrator if the computer is connected to the Internet. This programming would allow a system administrator to take action to mitigate the potential threat to national security.
Tracking Device. Tracking devices, such as global positioning systems, could be used to track and locate computer equipment that is lost or stolen. If such devices were installed, a lost or stolen computer could more easily be located.
We made 12 recommendations to assist the Department in improving the storing, processing, and transmitting of classified information on portable computers. For example, we recommend a revision of Standard 1.6 in order to remove any references to statute, policy, or procedures that are not applicable to processing classified information, indicate what policy applies when classified portable computers are allowed to be connected to classified networks, and address systems that process Classified National Security Information independently from those that process Sensitive Compartmented Information.
We also recommend that the Department consider the use of removable hard drives for processing both classified and unclassified information on the same portable computer by using two separate removable hard drives. This would require that the hard drive become the classifiable device instead of the portable computer and that appropriate security safeguards be developed. Additional recommendations relate to the use of encryption, tracking devices, and the sending of alerts to systems administrators when classified devices are improperly connected to the Internet.