Processing Classified Information on Portable Computers in the Department of Justice
Audit Report 05-32
Office of the Inspector General
Standard 1.6 contains the following categories of specific requirements for laptops and standalone computers that store, process, or transmit National Security Information:
Standard 1.6 also contains seven attachments: a security acknowledgement statement for authorized end-users, a security acknowledgement statement for system administrators, hardware and software configurations of classified laptop and standalone computers, a list of acronyms, a sample classified computer usage log, a sample classified computer maintenance log, and a classified laptop and standalone computer technical checklist (see Appendix III, pages 35-47 for specifics).
Our review of Standard 1.6 identified three primary areas of concern, discussed in greater detail below. Standard 1.6 uses references that apply to unclassified IT systems, does not address systems that process Classified National Security Information separately from systems that process Sensitive Compartmented Information, and provides incomplete guidance and instructions for several attachments.
Standard 1.6 uses references to policies that do not apply to portable or standalone computers that process, store, or transmit classified information (see Appendix III, page 29). The following five policy references used in Standard 1.6 do not apply to portable or standalone computers that process classified information:
We believe the references that do not apply to portable or standalone computers that process classified information should be removed. Also, any instructions provided in Standard 1.6 that were derived from those incorrect references should be deleted from the document. The Assistant Director of SEPS concurred with our position that unclassified references should not be used in standards for storing, processing, or transmitting classified information.
Standard 1.6 provides a uniform policy for portable and standalone computers that store, process, or transmit classified information (see Appendix III, page 25). However, there are two organizations outside the DOJ that have government-wide authority over the security of systems that store, process, or transmit classified information. The Committee on National Security Systems issued certification and accreditation policy for systems that process Classified National Security Information. Further, the CIA issued certification and accreditation policy for systems that process Sensitive Compartmented Information. Despite unique and specific guidance regarding Classified National Security Information and Sensitive Compartmented Information from these government-wide authorities, Standard 1.6 does not differentiate between the two or provide separate processing requirements for information classified under these distinct designations.
We believe that Standard 1.6 should address the systems that process Classified National Security Information and Sensitive Compartmented Information separately, because those systems are subject to policies developed by two separate government-wide authorities. SEPS, a voting member of the Committee on National Security Systems for the Department of Justice (see Appendix II, page 22), agrees with our position.
We found three areas, described below, where the guidance and instructions provided in Standard 1.6 are incomplete and therefore need revision.
Lack of Instructions for Network Connections. Section 3.1 states that, “No external systems, networks, or communications devices may be connected to classified laptop and standalone computers.” (See Appendix III, pages 30 and 31.) However, the Deputy Chief Information Officer informed us that classified portable computers can be connected to classified networks if the approval to do so is documented in the security plan for the certification and accreditation of the applicable network. Based on that information, Standard 1.6 is not accurate regarding Department policy on the connection of portable computers to external systems, networks, or communication devices. In our opinion, Standard 1.6 should not provide a blanket prohibition, but should indicate what policies apply when classified laptop computers are authorized to be connected to classified networks.
No Explanation of Security Configuration Tests. We asked the Deputy Chief Information Officer why Attachment 2, entitled “Security Acknowledgement Statement for System Administrators” (see Appendix III, pages 37-39), requires that the System Administrator “make the computer(s) available for reviews of the security configuration by independent testers” and “ensure that the Certification Agent (CA) or a CA appointed agent validates system security at least annually.” The Deputy Chief Information Officer stated that logistical and organizational issues concerning certification and independent testing are being negotiated. However, Attachment 2 is not referred to in the body of Standard 1.6. Therefore, the process for reviews of the security configuration by independent testers and a validation of system security by certification agents should be documented in the body of the policy.
No Instructions for Tracking Log. Attachment 5, “Sample Classified Computer Usage Log” (see Appendix III, page 44), has no instructions for completing the log. In addition, Standard 1.6 does not refer to the log or provide a retention period for the log. As written, either the end-user or the administrator must record every action taken on every document accessed, along with start and end times. As presented, we consider the log to be unduly burdensome and in need of revision. The Deputy Chief Information Officer explained that there is a need for a manual record of the total time an individual was logged onto the classified system. We understand the value of a tracking log, but the attachment will require modification in order to capture only the required information, and instructions will have to be prepared to inform the end-users and administrators about how to complete the log and for how long it should be retained. The Deputy Chief Information Officer indicated that this issue would be addressed in the next revision of Standard 1.6.
Standard 1.6 includes inaccurate and confusing references directed at unclassified systems, does not address systems that process Classified National Security Information separately from Sensitive Compartmented Information, and is incomplete in providing guidance and instructions. We believe that Standard 1.6 could be confusing to DOJ components and should be revised to correct these deficiencies.
We recommend that the Justice Management Division revise Standard 1.6 to:
We met with four DOJ components (DEA, FBI, EOUSA, and Justice Management Division) and four outside agencies (CIA, National Security Agency, National Reconnaissance Office, and the Department of Energy) to determine how they address the storage of classified information using portable computers and to determine whether more effective practices are available to enhance security. All of the agencies contacted, with the exception of the DEA, store and process some of their classified information on portable computers.
From discussions with those interviewed and our review of Standard 1.6 and the SPOM, we identified four security policy enhancements we believe the Department should consider for classified portable computers. The following sections describe those enhancements.
We asked officials from the EOUSA, DEA, and FBI: (1) if their agency authorized the use of portable computers with removable hard drives, one to process classified information and another to process unclassified information on the same computer, and (2) if not, whether they would consider the feature worthwhile. Officials from all three agencies responded negatively to the first question. The responses to the second question varied among the agencies. The EOUSA responded that the issue does come up and it would probably be worthwhile to pursue as long as users understand the applicable security requirements. The DEA responded that while the feature would have fiscal advantages, the risk of procedural errors, such as forgetting to exchange removable hard drives for the appropriate type of processing, could negate the utility of interchanging hard drives.10 The FBI responded that the feature could be worthwhile, but it would need to evaluate any proposed use of removable hard drives based on the operational need, technical configuration of the system, and other mitigating factors through the certification and accreditation process.
Three of the four agencies we interviewed outside the DOJ process both classified and unclassified information on the same computer by using two separate removable hard drives — one hard drive for processing classified information and the other for processing unclassified information.11
We discussed the subject of removable hard drives with a major portable computer manufacturer who told us of at least two companies that sell 5-gigabyte (5,000 megabytes) removable hard drives. The drives are priced under $200 each. These drives are generally two inches wide by three inches long, weigh less than two ounces, and fit into any “Type II PC Card slot” in portable computers. As presented in the table below, we believe they have enough storage space for a multi-user operating system, application software, and a reasonable amount of space for processing classified information. The table illustrates one example of a portable computer’s software configuration we believe would meet the needs of many of the DOJ’s classified computer users. With the Chief Information Officer’s approval, 5-gigabyte removable hard drives could be used on the DOJ’s portable computers that process classified information. This computer configuration would allow both unclassified and classified information processing in the same portable computer.
Operating System and Application Software Minimum Requirements
Using removable hard drives offers advantages for portable computers. Without removable hard drives, a user may be required to carry two portable computers while on a traveling assignment — one for handling classified information, which requires it to be double-wrapped, and the other for processing unclassified information, connecting to the Internet, and viewing e-mail.12 With removable hard drives, the user would be required to double wrap only the classified hard drive instead of the entire portable computer. In our opinion, a double-wrapped classified removable hard drive is an effective security enhancement, as it is easier to conceal and is less conspicuous due to its smaller size compared to a portable computer.
Although Standard 1.6 approves of removable hard drives (Appendix III, page 41), it does not specifically authorize the use of dual classified and unclassified hard drives in the same portable computer. Without removable hard drives, users processing classified information on a portable computer must disconnect all of the attached peripheral devices and secure the entire computer in an approved security container when it is to be left unattended. In contrast, with a removable hard drive a DOJ employee merely has to remove the classified hard drive and secure it, not the computer shell.
In order to enhance security of the classified information when using removable hard drives, system administrators must define user profiles within the operating system for classified portable computers. For example, IT security personnel at the National Reconnaissance Office and National Security Agency told us that a multi-user operating system, such as Microsoft Windows 2000 or XP, allows system administrators to define computer users’ profiles and therefore restrict access to the computer’s input/output ports. Specifically, access to the unclassified drive while the removable classified hard drive is in use can be controlled by the definition of the user’s profile. They also said that users’ profiles can allow access to Internet connections when the classified hard drive is not in use.
In our view, the use of removable hard drives that can process both unclassified and classified information in the same computer shell is an area that the Department should consider.
The concept of type accreditations, defined by the Chief Information Officer in Standard 1.6 for portable and standalone computers, is an abbreviated accreditation process for classified portable and standalone computers that can be used in lieu of a full certification and accreditation process (see Appendix III, page 30).13 The Chief Information Officer developed this approach to limit the unnecessary duplication of the full certification and accreditation requirements. The Department’s Assistant Director of SEPS stated that a type accreditation for classified portable and standalone computers is an acceptable procedure.
Standard 1.6, Attachment 3 (Hardware and Software Configurations of Classified Laptop and Standalone Computers), defines three specific types of computer configurations: classified laptop computers, classified standalone computers, and computers with removable hard drives (see Appendix III, pages 40-42). Each of the three specific types of computer configurations contains a list of recommended hardware configurations, mandatory hardware features, and software configurations.
We believe that Standard 1.6 should allow the DOJ components more flexibility in the design of portable and standalone computer systems. The Deputy Chief Information Officer informed us that flexibility is built into the type accreditation process. However, the process to obtain type accreditations for other configurations is not documented in Standard 1.6. A revised Standard 1.6 should document the process for DOJ components to follow when requesting computer configurations not specified in the Standard. Furthermore, Standard 1.6 should be written to allow the DOJ components flexibility to incorporate innovative safeguards that do not compromise security.
Additional effective safeguards for classified computers and hard drives may strengthen security by lowering the risk of unauthorized persons gaining access to classified information in the event a portable computer is lost or stolen.
For example, encryption of the hard drive is a safeguard that IT and security personnel believe can reasonably protect classified information from unauthorized use if a portable computer is lost or stolen.14 As discussed on page 8, the Chief Information Officer’s reference for encryption cites the Federal Information Processing Standard Publication 197 — Advanced Encryption Standard (Appendix III, page 29). Yet, FIPS 197 applies to unclassified systems, not classified systems, which is the focus of Standard 1.6. Further, the Committee on National Security Systems has a Presidential delegation for national security systems through Executive Order 13231. Therefore, we believe the Chief Information Officer should explicitly require the use of the encryption standard specified by the Committee on National Security Systems when defining DOJ standards.
In addition to encryption, we identified three security enhancements that the DOJ could use to protect classified information on portable computers. The following safeguards could help reduce the amount of damage or decrease the chances of unauthorized individuals gaining access to classified data in the event a portable computer or hard drive is lost or stolen:
We believe that these security enhancements identified by IT and security personnel should be considered by the Chief Information Officer when drafting policy for portable computers processing classified information.
Current Department policy, in Chapter 8, Section 8-203, of the SPOM, specifically states, “Classification Markings (Labels) must be displayed on all components of an IT system that have the potential for retaining classified information.” The IT and security staff we interviewed at the National Security Agency indicated that the shell of a portable computer does not retain any retrievable data after removal of the computer’s hard drive containing the operating system. The National Security Agency staff further said that once a computer is powered down, all data in the random access memory is gone and cannot be retrieved, effectively sanitizing the computer shell. In our opinion, Standard 1.6 should specify that the shell does not remain classified after the classified hard drive is removed.
Using removable hard drives on classified portable computers would require creating a new label for the shell to indicate that the computer might contain classified information, but is also cleared to process unclassified information. Therefore, the SPOM should be revised to describe the markings for this type of equipment. The Assistant Director of SEPS agreed with our position on labeling the portable computer shell and indicated that the change to the labeling requirement would occur during the next SPOM revision.
We recommend that the Justice Management Division: