Inspector General’s List of the Most Serious
Management Challenges and Responses
November 5, 2003
MEMORANDUM FOR THE ATTORNEY GENERAL
THE ACTING DEPUTY ATTORNEY GENERAL
FROM: GLENN A. FINE
INSPECTOR GENERAL
SUBJECT: Top Management Challenges
Attached to this memorandum is the Office of the Inspector General’s (OIG) 2003 list of top management challenges facing the Department of Justice (Department). We have prepared similar lists since 1998, initially in response to Congressional requests. By statute, this list is now required to be included in the Department’s annual Performance and Accountability Report.
The Challenges are not presented in order of priority – we believe that all are critical management issues facing the Department. However, as with last year’s list, it is clear to us that the top challenge facing the Department is its ongoing response to the threat of terrorism. Several other top challenges are closely related to and impact directly on the Department’s counterterrorism efforts.
Eight of the challenges from last year’s list remain. They are long-standing, difficult challenges that will not be solved quickly or easily. Two challenges from last year’s list have been removed and replaced by two other challenges. We removed “Detention Space” because the responsibility for obtaining adequate and cost-efficient detention space for many immigration detainees has been transferred to the Department of Homeland Security, which now must address this difficult challenge. We also have removed “Department of Justice Reorganizations” from the list because a large part of that challenge was accomplished by the Department when it smoothly assimilated the Bureau of Alcohol, Tobacco, Firearms and Explosives into the Department while transferring the Immigration and Naturalization Service out of the Department.
In their place, we have added two new challenges: “Reducing the Supply of and Demand for Illegal Drugs” and “Security of Classified Information and Critical Infrastructure.” The first is a critical issue for the Department – to reduce the supply of illegal drugs coming into this country, the diversion of legal drugs for illicit use, and the demand for drugs. These multi-faceted problems have an enormous impact on law enforcement, health, and social issues in this country.
The other new challenge, “Security of Classified Information and Critical Infrastructure, “ is related to but different from the counterterorrism challenge. Maintaining the security of classified information, while at the same time ensuring that such information is shared appropriately among law enforcement and intelligence agencies that have a need to know, is a difficult but critical task for the Department, particularly after the September 11 terrorist attacks.
We hope that this list and the accompanying analysis will assist Department managers in developing strategies to address the top management challenges facing the Department. We look forward to continuing to work with the Department to address these important issues.
Attachment
Top Management Challenges in the Department of Justice: 2003
Within the Department, the focus on counterterrorism has been clearly articulated and consistently stressed. The Department’s Strategic Plan for 2001-2006 makes clear this is the top priority and notes the challenges facing the Department as it seeks to effectively manage its counterterrorism programs while coordinating with other intelligence agencies and law enforcement entities, both federal and local. In addition, the infusion of billions of dollars to help fund the Department’s expanded counterterrorism efforts require managers to ensure that these funds are spent in an effective manner.
For its part, the OIG continues to audit and evaluate Department programs and operations that relate to counterterrorism and follow up on previous reviews to ensure that Department components take timely actions and address identified deficiencies. For example, in September 2002 the OIG issued an audit (OIG Report #02-38) that assessed the FBI’s management of aspects of its counterterrorism program from 1995 through April 2002. The OIG review found that the FBI had never performed a formal comprehensive assessment of the risk of the terrorist threat facing the United States. We concluded that such an assessment would be useful not only to define the nature, likelihood, and severity of the threat, but also to identify intelligence gaps and determine appropriate levels of resources to effectively combat terrorism. Further, although the FBI had developed an elaborate, multilayered strategic planning system, the FBI did not perform and incorporate into its planning system a comprehensive assessment of the threat of terrorist attacks on United States soil.
Since our audit was issued, the FBI has issued its national-level threat and risk assessment, which includes to some extent an assessment of the chemical and biological agents most likely to be used in a terrorist attack. We recommended that the FBI separately assess the threat and risk of all categories of weapons of mass destruction using intelligence information and a multidisciplinary team of subject-matter experts. To date, the FBI has not fully complied with our recommendation but has made progress recently by completing a draft of a separate threat assessment of chemical and biological agents. In addition, the FBI reports that it has improved its hiring and use of intelligence analysts, and we are evaluating this issue as part of an ongoing audit. The FBI also reports that it nearly has completed revising its strategic plan, in accordance with our recommendation, which is intended to conform to the Department’s strategic plan and its emphasis on preventing terrorism. As part of our follow-up work on these issues, we will review the FBI’s updated strategic plan when it is completed.
The FBI also reported that it continues its efforts to close the gap between counterterrorism planning and operations through performance measures and standards and by holding managers accountable. All FBI divisions are now required to submit annual program plans with specific measures that will be used to gauge both program and field office performance. Once the plans are final, the FBI will develop a complete set of performance measures. During fiscal year (FY) 2004, the FBI intends to establish an integrated management system that more clearly links planning, performance, and accountability. We will continue to monitor these efforts.
While the Department appropriately is focusing significant efforts and resources to prevent acts of terrorism, its attention also is needed to prepare to respond to terrorist acts and other critical incidents should they occur. In 1996, the Department implemented the Crisis Management Coordinator Program (CMC Program), under which each United States Attorney’s Office (USAO) was directed to designate a Crisis Management Coordinator to develop a critical incident response plan (Plan) and make other preparations to ensure that the USAOs were ready to respond to a critical incident, including acts of terrorism or natural disasters. To assess the Department’s implementation of the CMC Program, the OIG is examining whether the USAOs have acted to improve their ability to respond quickly and appropriately to critical incidents by developing comprehensive plans and by training staff to carry out those plans. Our findings indicate that most USAOs have not fully implemented effective response plans.
In a separate ongoing review, the OIG is examining a variety of terrorism-related task forces to determine how their law enforcement and intelligence functions support the Department’s efforts to detect, deter, and disrupt terrorism. Specifically, this review is evaluating the purpose, priorities, accomplishments, and functioning of the Anti-Terrorism Task Forces (ATTF), the FBI’s Joint Terrorism Task Forces and Foreign Terrorist Tracking Task Force, and the Deputy Attorney General’s National Security Coordination Council.
Because the FBI plays such a central role in the Department’s counterterrorism strategy, the OIG continues to expend significant resources to review FBI programs and operations, many of which affect its counterterrorism missions. For example, in September 2003, the OIG released an audit of the FBI’s Casework and Human Resource Allocation (OIG Report #03-37). In summary, this review found that prior to the September 11, 2001, terrorist attacks the FBI devoted significantly more special agent resources to traditional law enforcement activities, such as white-collar crime, organized crime, drugs, and violent crime, than it did to terrorism-related programs. The OIG is following up on this audit with an examination of the FBI’s efforts to reprioritize and refocus its investigative resources on counterterrorism-related issues in the aftermath of the September 11 terrorist attacks. In this review, the OIG will seek to identify the operational changes in the FBI resulting from this reprioritization effort, including the types of offenses that the FBI is no longer investigating at pre-September 11 levels. We plan to survey federal, state, and local law enforcement agencies regarding the impact on their operations of the FBI’s reprioritization.
Two additional ongoing OIG reviews focus on the FBI’s efforts to meet other aspects of its varied counterterrorism-related challenges. First, because much information relevant to counterterrorism and counterintelligence is in languages other than English, the OIG is examining the extent and causes of FBI translation backlogs and the FBI’s efforts to hire additional translators. This review will evaluate whether FBI procedures ensure appropriate prioritization of translation work, accurate and timely translations of pertinent information, and proper security of sensitive information.
Second, the OIG is reviewing the FBI’s hiring and training of intelligence analysts and reports officers. Our 2002 counterterrorism audit identified concerns about the FBI’s intelligence capability and recommended that the agency improve its intelligence analysis capabilities. The current audit is evaluating how effectively the FBI recruits and trains the various categories of intelligence analysts and reports officers in support of the FBI’s counterterrorism mission. Looking ahead, the OIG plans to examine additional facets of the FBI’s counterterrorism initiatives, including its role in conducting counterterrorism exercises.
As noted above, the reprioritization of the Department’s counterterrorism priority has resulted in significantly increased Department funding for counterterrorism efforts. A challenge for the Department is to ensure that the increased funding is used economically, effectively, and for its intended purposes. In one review completed this year, the OIG conducted a follow-up audit of the Department’s Counterterrorism Fund (Fund), which was created by Congress in 1995 after the bombing of the Murrah Federal Building in Oklahoma City, Oklahoma, to assist Department components with the unanticipated costs of responding to and preventing acts of terrorism. Since its creation, Congress has appropriated more than $360 million to the Fund. Originally established to provide reimbursement solely to Department components, since 1996 more than $167 million from the Fund has supported counterterrorism initiatives of non-Department agencies, including other federal agencies and state and local governments. Past terrorism events for which Department components received reimbursement include the Oklahoma City bombing, the U.S. embassy bombings in Africa, and the September 11, 2001, terrorist attacks.
The OIG’s follow-up audit (OIG Report #03-33) reviewed Fund expenditures from 1998 through 2002 and found that the Department’s Justice Management Division (JMD), the entity that administers the Fund, has improved its management of the Fund since the OIG’s original audit in 1999. However, the follow-up audit recommended that JMD implement additional improvements to the claims review process to ensure that adequate resources are available for emergency situations resulting from acts of terrorism. We also tested more than $38 million in Fund expenditures during the audit and identified over $3 million in questioned costs. These costs included expenses unrelated to approved counterterrorism initiatives, expenses for which the component could not provide supporting documentation, and expenses that were denied or billed erroneously.
A somewhat different but related challenge for the Department in responding to the heightened terrorism threat is to use its law enforcement and intelligence-gathering authorities without inappropriately affecting the civil rights and civil liberties of individuals. Section 1001 of the USA PATRIOT Act (Patriot Act) directs the Department’s Inspector General to “receive and review” allegations of civil rights and civil liberties abuses by Department employees and report to Congress every six months about these responsibilities under Section 1001.
In furtherance of its responsibilities under Section 1001, the OIG issued a special report on June 2, 2003, that examined the treatment of 762 aliens held on immigration charges in connection with the investigation of the September 11 terrorist attacks. The OIG examined the treatment of these detainees, including their processing, bond decisions, the timing of their removal from the United States or their release from custody, their access to counsel, and their conditions of confinement. The OIG’s 198-page report focused in particular on detainees held at the BOP’s Metropolitan Detention Center (MDC) in Brooklyn, New York, and at the Passaic County Jail (Passaic) in Paterson, New Jersey, a county facility under contract with the INS to house federal immigration detainees.
As our report pointed out, the Department was faced with unprecedented challenges responding to the attacks, including the chaos caused by the attacks and the possibility of follow-up attacks. Yet, while recognizing these difficulties and challenges, we found significant problems in the way the Department handled the September 11 detainees. Among the report’s findings:
The OIG report made 21 recommendations to the FBI, BOP, and the DHS’s Bureau of Immigration and Customs Enforcement. The recommendations dealt with issues such as developing uniform arrest and detainee classification policies, improving information-sharing among federal agencies on detainee issues, improving the FBI clearance process, clarifying procedures for processing detainee cases, revising BOP procedures for confining aliens arrested on immigration charges who are suspected of having ties to terrorism, and improving oversight of detainees housed in contract facilities. The OIG has received and analyzed responses to the recommendations, and has requested additional information on some of the recommendations. In general, we found that the agencies agreed with the recommendations and are taking steps to implement them.
Finally, in addition to directing the Inspector General to receive and review allegations of civil rights and civil liberties abuses by Department employees, Section 1001 of the Patriot Act directs the OIG to publicize how people can contact the OIG to file a complaint and requires the OIG to submit a semiannual report to Congress discussing its implementation of these responsibilities. In July 2003, the OIG issued its third Section 1001 report summarizing its activities from December 16, 2002, through June 15, 2003. The report described the status of OIG and Department investigations of alleged civil rights and civil liberties abuses by Department employees. In addition, the report highlighted several OIG reviews undertaken in furtherance of its Section 1001 responsibilities.
In the year ahead, the OIG will continue to evaluate how effectively the Department is meeting aspects of its varied counterterrorism challenge through OIG audits, inspections, and special reviews, as well as through the OIG’s semiannual reports to Congress required under Section 1001 of the Patriot Act.
Since then, the Attorney General, the FBI Director, Members of Congress, the Secretary of DHS, and other officials have consistently and repeatedly stressed the critical importance of sharing information to help prevent future acts of terrorism. This is a difficult challenge, given the multitude of federal and state entities that have or need access to intelligence and law enforcement information as well as the sensitive nature of much of the information. Even within the Department, getting information to the right individuals and entities so that they can use it effectively is an ongoing challenge. But the Department’s ability to share law enforcement and intelligence information is critical to its capacity – and the capacity of other federal, state, and local governments – to prevent, mitigate, and respond to terrorist attacks. Moreover, while emphasizing timely sharing of intelligence and law enforcement information, the Department has to balance that with maintaining the security of sensitive information and limiting that information to those with a “need to know,” as we discuss below in management challenge 9.
In a review that reflected the importance of sharing intelligence and law enforcement information, in December 2002 the Senate Select Committee on Intelligence and the House Permanent Select Committee on Intelligence released the results of its Joint Inquiry into the activities of the U.S. Intelligence Community in connection with the September 11 terrorist attacks. The 832-page report, much of it declassified and publicly released in July 2003, presents the Joint Inquiry’s findings and conclusions. One of these findings was that prior to September 11 2001, information was not shared sufficiently.
The Joint Inquiry report concluded that information sharing is a problem not only across the intelligence community, but also within individual agencies and between the intelligence community and law enforcement agencies. Among the report’s recommendations was that the FBI should increase the exchange of counterterrorism-related information between the FBI and other federal, state, and local agencies. The Joint Inquiry also recommended that the Attorney General and the FBI Director take action to ensure that the FBI better disseminate the results of searches and surveillances authorized under the Foreign Intelligence Surveillance Act to appropriate personnel within the FBI and throughout the intelligence community.
As a variety of OIG reviews also have shown, the Department’s challenge in this area is formidable. While the Department has made significant strides in this area, especially in its coordination with state and local law enforcement agencies, much critical work remains, including ensuring adequate sharing of information between the Department and the newly created DHS.
For example, in the OIG’s 2002 report on the FBI’s counterterrorism program (OIG Report #02-38), we recommended that the FBI develop criteria for evaluating and prioritizing incoming threat information. The FBI receives a constant flow of information about possible terrorist threats and, consequently, faces an enormous challenge in deciding what information requires what type of response. Among the weaknesses we noted during our audit were the lack of criteria for initially evaluating and prioritizing incoming threat information and the lack of a protocol for when to notify higher levels of FBI management, other units and field offices, and other agencies in the law enforcement and intelligence communities. We also found that the FBI’s ability to process intelligence information is hampered by its lack of an experienced, trained corps of professional intelligence analysts for both tactical and strategic threat analysis.
Since issuance of our audit, the FBI has made improvements to its training process for intelligence analysts. In addition, it hired a new Executive Assistant Director for Intelligence from the National Security Agency who has embarked on substantial improvements to the intelligence processes with the FBI.
The OIG’s June 2003 review of the treatment of September 11 detainees also identified certain weaknesses in Department information sharing. This report recommended that federal immigration authorities work closely with the Department and the FBI to develop a more effective process for sharing information during future national emergencies that involve alien detainees. As part of its ongoing follow-up work with respect to this review, the OIG has requested specific information regarding the status of information-sharing mechanisms between the Department and the DHS.
An August 2003 OIG special review that examined the FBI’s performance in deterring, detecting, and investigating the espionage activities of former FBI agent Robert Hanssen made additional recommendations to enhance information sharing. The OIG review concluded that Hanssen escaped detection not because he was extraordinarily clever in his espionage, but because of long-standing systemic problems in the FBI’s counterintelligence program and a deeply flawed FBI internal security program. In this review, the OIG discussed the need for improved coordination and information sharing within the Department related to counterintelligence investigations. Specifically, the OIG recommended that the Department’s Criminal Division should be a full participant in FBI counterintelligence investigations.
In an ongoing review, the OIG is examining the FBI’s progress in addressing deficiencies in its intelligence-sharing capabilities identified by the FBI, Congress, the OIG, and others subsequent to the September 11 attacks. This audit will determine the extent to which the FBI has identified impediments to the sharing of counterintelligence and other information, the extent to which the FBI has improved its ability to share intelligence information internally, with the Department, with the intelligence community, and with state and local law enforcement agencies, and the extent to which the FBI is providing useful threat and intelligence information to intelligence and law enforcement agencies.
In another ongoing review, the OIG is examining the FBI’s handling of intelligence information that it had prior to the September 11 attacks. This review is examining aspects of the FBI’s ability to process and share intelligence information. Among the issues we are reviewing at the request of the FBI Director is how the FBI handled an electronic communication written by its Phoenix Division in July 2001 regarding Islamic extremists attending civil aviation schools in Arizona.
In an example of the critical need to share information across agencies, the OIG has examined the status of the Department’s efforts to integrate the FBI’s and former INS’s automated fingerprint systems. A March 2000 OIG special report (“The Rafael Resendez-Ramirez Case: A Review of the INS’s Actions and the Operation of its IDENT Automated Fingerprint Identification System”) highlighted the failure of the FBI and INS to integrate automated fingerprint systems. We noted the importance of expeditiously combining the FBI’s Integrated Automated Fingerprint Identification System (IAFIS) with the INS’s Automated Biometric Identification System (IDENT) to enable the fingerprint systems to share information. A follow-up OIG review in December 2001 (OIG Report #I-2002-003) concluded that integration of IDENT and IAFIS had proceeded slowly and remains years away.
In the most recent review of these integration efforts, issued in June 2003, the OIG found that integration is still progressing slowly (OIG Report #I-2003-005). A fully integrated IDENT/IAFIS system would provide immigration employees with immediate information on whether a person they apprehend or detain is wanted by the FBI or has a record in the FBI’s Criminal Master File. Similarly, linking IDENT and IAFIS would provide state and local law enforcement agencies with valuable immigration information as part of a response from a single FBI criminal history search request. The lack of an integrated automated fingerprint system hinders the Department, the DHS, and state and local law enforcement agencies from sharing valuable immigration and law enforcement information about detained or apprehended persons. Our recent review found that the IDENT/IAFIS integration project is at least two years behind schedule.
According to JMD officials, the deployment date has been delayed until at least December 2003 because the INS staff and contractors working on the project were redirected in June 2002 to a competing priority. We found that despite the mounting delays, JMD did not prepare a revised schedule for completing the integration of IDENT and IAFIS. Moreover, the integration project may be at risk of further delay because JMD did not plan for continuing its stewardship of the project after the INS transferred to the DHS and now relies on informal working relationships with the DHS for system planning and implementation. The continued delays create additional risks to public safety and national security.
Finally, an ongoing OIG review of the operation of the FBI’s Legal Attaché program is examining aspects of information sharing on an international level. Among other issues, the OIG is assessing the Attaché program’s effectiveness in establishing liaisons with foreign law enforcement agencies.
In the past, OIG reviews have found numerous deficiencies with the FBI’s IT program, including outdated infrastructures, fragmented management, ineffective systems, and inadequate training. These deficiencies can severely impede the FBI’s ability to effectively accomplish its mission because the FBI must be able to use its IT systems to rapidly identify and disseminate pertinent intelligence information to the law enforcement community. Since FY 2002, the Department listed the FBI’s management of IT as a material weakness.
A December 2002 OIG audit of the FBI’s management of its IT investments (OIG Report #03-09) found that the FBI has not effectively managed its IT investments because it has not fully implemented a series of critical management processes. Specifically, the audit found that the FBI: 1) did not have fully functioning IT investment boards that are engaged in all phases of IT investment management; 2) had not followed a disciplined process of tracking and overseeing each project’s cost and schedule milestones; 3) failed to document a complete inventory of existing IT systems and projects and did not consistently identify the business needs for each IT project; and 4) did not have a fully established process for selecting new IT project proposals that considered both existing IT projects and new projects. FBI officials acknowledged to the OIG that prior to March 2002, individual FBI divisions determined their IT needs in a “stovepipe” without knowledge of the business needs and priorities of the FBI as a whole.
The OIG audit also concluded that because the FBI had not fully implemented the critical processes associated with effective IT investment management, it had spent hundreds of millions of dollars on IT projects without adequate assurance that these projects would meet their intended goals. In addition, the FBI did not have adequate assurance that its IT projects were being developed on schedule and within established budgets.
In the same audit, the OIG found that the FBI is making strides toward correcting these deficiencies. For example, the OIG found that since March 2002, when it began pilot testing a new IT investment management process, the FBI has made measurable progress towards implementing key practices necessary for an effective IT management system, especially in the area of selecting new IT projects. At the beginning of the OIG audit in January 2002, the FBI was executing only 4 of the 38 required “key practices” for building an IT investment foundation. By June 2002, the FBI was executing 14 of the 38 key practices. As part of its audit, the OIG offered 30 specific recom-mendations for actions the FBI should take to improve its IT investment management.
Following through and correcting previously cited deficiencies takes dedicated resources and agency commitment. In a September 2003 OIG audit, the OIG examined the FBI’s implementation of various IT recommendations (OIG Report #03-36). We found that while the FBI has implemented many of the recommendations in prior OIG reports (93 out of 148), it still needs to take additional significant actions to ensure that the IT program effectively supports the FBI’s mission. For example, until recently the FBI lacked an effective system of management controls to ensure that OIG recommendations were implemented. However, the FBI Director has committed the FBI to enhancing its internal controls to ensure that OIG recommendations are implemented in a timely and consistent manner. To this end, the FBI recently developed a system to facilitate the tracking and implementation of recommendations for improvement. In addition, the FBI expects that its IT modernization efforts will correct many of the deficiencies identified over the years by the OIG.
Due to the importance of sound information systems planning and implementation across all Department components, the OIG plans to conduct additional reviews on IT throughout the Department. This fiscal year, the OIG plans to audit the Drug Enforcement Administration’s (DEA) IT investment management process. As part of this review, the OIG will examine the DEA’s strategic planning and performance measurement activities related to IT management. In addition, we also plan to audit JMD’s implementation of IT investment management processes.
Since FY 2001, the OIG has performed security assessments and penetration testing of Department computer systems as mandated initially by the Government Information Security Reform Act (GISRA) and, as of December 2002, by the Federal Information Security Management Act (FISMA). The FISMA directs the OIG to perform an annual independent evaluation of the Department’s information security program and practices and report the results to the Office of Management and Budget (OMB).
In meeting these responsibilities, the OIG has conducted 22 computer security audits of Department IT systems over the past 3 years. For FY 2003, we selected five mission-critical Department computer systems – three classified systems and two sensitive but unclassified systems – to review. In addition, we reviewed the Department’s oversight initiatives with respect to computer security. Overall, we concluded that the Department’s IT security program requires additional improvement at both the Department and component levels, particularly in program oversight and vulnerability management to protect computer systems and reduce the number of vulnerabilities within the Department’s IT systems. While we noted progress in certain areas, continued improvements are needed to help reduce the total number of vulnerabilities within the Department’s IT systems.
Without effective IT system security oversight and security management controls, system vulnerabilities may not be identified or tracked properly and corrective action plans may not be implemented in a timely and effective manner. Consequently, the underlying data within these IT systems may not be reliable and data manipulation may go undetected. In light of our audit results, we also remain concerned that the Department’s functions have not been centralized sufficiently to provide the vigorous enforcement oversight – supported by a substantial, technically proficient work force – that the Department needs.
In July 2003, in a separate audit we examined SENTRY, the BOP’s primary mission support database that processes over 1 million transactions each day (OIG Report #03-25). The system tracks critical information on more than 165,000 inmates in federal prisons including inmate location, medical history, behavior history, and release data. Our audit assessed the system’s application controls and examined whether SENTRY data are valid, properly authorized, and completely and accurately processed. The audit identified weaknesses in 4 of the 27 control areas that we tested: supervisory reviews, audit logs, access controls, and computer matching of transaction data. We concluded that these weaknesses occurred because BOP management did not fully develop, document, or enforce BOP policies in accordance with current Department policies and procedures.
Our past audits have reported progress in the Department’s oversight of computer security, particularly with the restructuring of the Chief Information Officer (CIO) position and initiatives undertaken by the new CIO. However, many of the deficiencies identified by the OIG in its recent GISRA and FISMA reviews revealed repeated deficiencies from prior reviews. For example, our audits of the Department’s systems in FY 2001 and 2002 revealed vulnerabilities in the management, operational, and technical controls that protect each system and its data from unauthorized use, loss, or modification. Of these three control areas, the vulnerabilities noted in technical controls are the most significant because these controls are used to prevent unauthorized access to system resources by restricting, controlling, and monitoring system access.
Additionally, our FY 2002 consolidated audit of the Department’s computer security management procedures (OIG Report #03-19) identified inconsistencies in the oversight of computer security that we attributed to the bifurcation of responsibility between the JMD’s Security and Emergency Planning Staff and its Information Management and Security Staff. We found security reviews of the Department’s systems conducted by these offices were uneven or inadequate and major systems and applications lacked elementary protections that the Department’s accreditation process is intended to ensure are in place.
Our consolidated report made nine recommendations, including that:
Finally, the OIG’s review of the Hanssen case, described above in challenge 2, identified serious security flaws in the FBI’s Automated Case Support (ACS) computer system. This review found that Hanssen had improperly used the ACS system to track some of the FBI’s most sensitive espionage investigations, including the investigation that was looking for him. The OIG found that access restrictions to the ACS system are subject to override by FBI Headquarters employees who, like Hanssen, may have no need to know about sensitive operations the access restrictions are designed to protect. In addition, the system is prone to human error, with documents concerning highly sensitive operations, such as the Hanssen investigation, being made available to many users because of improper uploading or inadequate restriction codes. We found that the ACS system’s audit function, mandated by Department regulations and a principal tool against unauthorized usage, was rarely used before Hanssen’s arrest. The FBI is implementing a new automated case system known as the Virtual Case File (VCF), a computerized database that will maintain information on FBI investigations in electronic case files. In developing and implementing VCF, it is vital for the FBI to rectify the types of security flaws in the ACS system identified by the OIG and others.
However, important challenges remain. Antiquated and ineffective automated accounting systems and decentralized financial management threaten the Department’s ability to maintain its unqualified opinion. For example, because of these deficient systems, problems related to financial accounting and reporting in FY 2002 were overcome only by significant year-end manual efforts. Many tasks had to be performed manually because the Department lacks automated systems to readily support ongoing accounting operations, financial statement preparation, and the audit process. Such manual efforts compromise the Department’s ability to prepare financial statements that are timely and in accordance with generally accepted accounting principles, and which provide Department managers information on an ongoing basis to allow them to more effectively manage Department programs.
In order to meet the accelerated reporting deadlines for the FY 2003 and FY 2004 financial statement audits, the Department has significant hurdles to overcome because of its continued dependence on these manual efforts. During FY 2003, quarterly financial statements were due 45 days after the close of a quarter, and for FY 2004 the Performance and Accountability Report is due by November 15, 2004 – nearly 2½ months earlier than the current OMB reporting deadline.
To succeed within the expedited time frames, the Department must move away from manual processes to prepare financial statements more timely and, in turn, auditors must be able to test and rely upon internal control processes throughout the year. Recent interim audit tests performed for the FY 2003 audit were discouraging, given that many components failed portions of the testing. While additional year-end testing and manual efforts to fix problems is possible for the FY 2003 audits, it will not be possible in FY 2004 because component audits need to be completed within 14 days of the end of the fiscal year in order to meet the OMB’s accelerated deadlines.
In addition, we continue to find that component financial and other automated systems are not integrated and do not readily support the production of financial statements and other required financial reporting. In FY 2002, the Department initiated the Unified Financial Management System (UFMS) project to replace the seven major accounting systems currently used throughout the Department in an effort to address these deficiencies. Currently, none of the Department’s accounting systems are integrated. Consequently, production of Department-wide information must be done manually or by duplicative inputting of data from one system into another.
In fact, several of the older systems in use by Department components predate the current accounting requirements and do not support the production of timely, relevant information that is needed for preparing financial statements or performing accrual accounting transactions. For example, property transactions in several components are entered twice into separate accounting and property systems – systems that need to be periodically reconciled, often manually and sometimes line-by-line.
As another example, the U.S. Marshals Service (USMS) continues to use two different major accounting systems. The older of the two systems, the Financial Management System, is used by staff in USMS field offices and was scheduled to be replaced approximately 5 years ago by STARS, the Headquarters’ accounting system. However, efforts to implement the STARS system throughout the USMS were halted in 1998 due to difficulties encountered in implementing STARS at Headquarters. While the USMS has been able to develop a linkage between these two systems in order to be compliant with the Standard General Ledger requirements and have more timely access to detailed field office information, this patch is not a desired solution. The USMS financial systems still do not include key financial data related to property and procurement, and consequently the USMS has to perform manual data calls for this information to ensure that the financial statements are complete.
When fully implemented, the Department’s UFMS will replace the majority of Department financial systems with a single, integrated, user-friendly system. We believe such a uniform system is necessary to help address many of the Department’s longstanding weaknesses. However, some of the challenges that may arise as a result of the Department’s transition to the UFMS include: 1) unexpected funding shortfalls and competing initiatives; 2) implementing the system without disrupting daily operations; and 3) hiring and training staff qualified to operate the new system.
As a result of the Department’s reliance on manual processes and multiple, ineffective financial systems, its capability to provide current, timely, and accurate financial information to managers remains limited. The Department also continues to utilize extraordinary efforts to obtain audit opinions and satisfy financial reporting requirements. It will be difficult for the Department to maintain a clean audit opinion for FY 2004 and future years and meet the expedited reporting dates unless it modernizes and streamlines its financial management systems.
To assist the Department in meeting this challenge, an August 2003 OIG audit (OIG Report #03-27) examined the two offices primarily responsible for managing the Department’s grant programs – the Office of Justice Programs (OJP) and the Office of Community Oriented Policing Services (COPS) – to identify activities that could be streamlined to increase efficiency.
The OJP has experienced dramatic growth since it was established in 1984. Its funding programs are divided into two main categories: formula grants and discretionary grants. Formula grants are awarded to state and local governments based on a predetermined formula using, for example, a jurisdiction’s crime rate or population. States are generally required to pass through a significant portion of formula awards to local agencies and organizations in the form of sub grants. Discretionary grants are awarded on a competitive basis to public and private agencies and private non-profit organizations. However, certain discretionary programs are awarded on a noncompetitive basis, consistent with congressional earmarks.
The COPS Office was established in 1994 as a result of the Violent Crime Control and Law Enforcement Act of 1994. The single largest component of the 1994 Crime Act – the Public Safety Partnership and Community Policing Act of 1994 – authorized $8.8 billion over 6 years to fund additional community oriented policing officers and to advance community policing nationwide, and COPS continued to receive annual appropriations from FY 1995 – 2003 totaling approximately $11.3 billion. To implement the COPS grant program, the Attorney General created the COPS Office as a separate office from OJP.
Our audit determined that the Department’s federal financial assistance programs are fragmented, resulting in reduced efficiency and increased costs to award and administer federal financial assistance funds to state and local agencies. We found structural overlap between OJP and the COPS Office, overlap in grant programs between the COPS Office and OJP, lack of on-line grant application processing in the COPS Office, overlap in OJP’s organization structure, and inefficiencies in OJP’s automated grant management systems. We also found overlap between the types of grants awarded by the COPS Office and OJP. For example, the COPS Universal Hiring Program grants and Making Officer Redeployment Effective grants are sometimes duplicative of grants awarded by OJP under the Local Law Enforcement Block Grants program. Yet, both COPS and OJP officials told us that no formal communication procedures exist between the two agencies to ensure that grantees do not receive funds for similar purposes from both agencies.
We found that COPS had not developed a capability to receive grant applications on-line and to download the application information directly into its grant management system. Instead, grantees must submit applications on paper and COPS must manually input the data into its tracking system.
In addition, the audit found that OJP did not have a fully effective automated system to manage its federal financial assistance funds and, in fact, we found that OJP had more than 70 automated application systems in place. Some of these systems were developed by the individual components within OJP, and they duplicate information in other OJP systems. Despite having more than 70 automated systems to help manage its federal financial assistance funds, OJP still relied primarily on a manual system for processing grants.
Our report contains eight recommendations to improve the Department’s grant-making activities, including taking steps to enhance coordination between COPS and OJP to eliminate duplication of effort and ensure that awards are not made to the same grantee for similar purposes. OJP agreed with our recommendations and is in the process of implementing corrective actions. Although the COPS Office took exception to some of the information and conclusions in the report, it agreed with the recommendations directed to it and is in the process of implementing corrective actions. Specifically, the COPS Office, as well as OJP, agreed to coordinate and exchange information about grant programs to ensure duplicative awards are not made to the same grantee by both agencies. In addition, the COPS Office agreed to continue to develop an on-line application system for COPS grants. Further, OJP is working to implement, by the end of December 2003, an enhanced grant management system with modules that will expand the system to manage grants from beginning to end.
In other reviews over the years, the OIG has devoted considerable attention to auditing individual Department grant programs to examine grantee compliance. For example, more than 375 OIG audits of COPS grants have resulted in significant dollar-related findings. In FY 2002, our audits of COPS grant recipients identified more than $11 million in questioned costs and more than $3 million in funds to better use. In the first six months of FY 2003, our audits had even greater dollar-related findings – more than $17 million in questioned costs and more than $11 million in funds to better use. In light of these findings and because of the large amounts of money earmarked for this program, the OIG will continue its program to audit COPS grants.
In addition to reviewing COPS grants, the OIG audits other types of Department grant programs. For example, the OIG currently is auditing OJP training and technical assistance grants. This review includes both an internal audit that will evaluate the OJP’s efforts to award and monitor the training and technical assistance grants, and a series of external grant audits that will examine compliance by recipients with the terms of the grants.
The OIG also audits activities of the organizations that receive funding from the Department. The OIG’s workplan for FY 2004 includes internal audits of several broad categories of OJP programs and grants, including grants for DNA backlog reduction, victims’ services, and assistance to tribal governments. The OIG also intends to evaluate OJP’s oversight of the grants and to perform individual audits testing grantees’ compliance with the terms of the grant. For example, the OIG plans to initiate an audit of Antiterrorism and Emergency Assistance Program grants issued by OJP’s Office for Victims of Crime. In conjunction with this internal audit, the OIG intends to conduct a number of individual audits of grant recipients.
OIG audits generally have found that the performance measures need improvement. Many are not focused on outcomes or are not quantifiable and verifiable. For example, in an audit completed in September 2003, the OIG reviewed the DEA’s implementation of the GPRA (OIG Report #03-35). We found that the DEA had developed a strategic goal and objectives that were consistent with the Department’s strategic goals and objectives, but the DEA’s strategic goal and objectives were not definitive enough to allow for an assessment of whether they were being achieved. In addition, even though the DEA had established performance indicators for all of its budget decision units, it had not established:
As a result of these deficiencies, the ability of the DEA, the Department, Congress, and the public to assess the effectiveness of the DEA’s performance is diminished. We made seven recommendations to the DEA, including that it establish a strategic goal and objectives that are quantitative, directly measurable, or assessment-based; and establish specific criteria for determining what constitutes a priority target organization and a disrupted or dismantled priority target organization. The DEA concurred with our recommendations and stated that its new draft FY 2003-2008 Strategic Plan includes a general long-term goal and four specific strategic goals with two- and five-year quantitative, time-specific objectives. The DEA also has prepared definitions and specific criteria for what constitutes a priority target organization and a disrupted/dismantled organization. The DEA stated that the definitions and criteria are under review and will be included in a new Priority Target Handbook. The DEA plans to complete these actions by November 2003.
Reporting verifiable performance-based accomplishments also is critical to the Department’s planning and priority setting. In an ongoing review of the U.S. Attorneys’ Offices (USAOs) Critical Incident Response Plans (Plans), described above in the first management challenge, the OIG found that the Department overstated the degree of implementation of the USAOs’ crisis response planning in the Department’s Annual Performance Report for FY 2001 by suggesting a much higher performance level than actually was achieved. Providing accurate and verifiable performance data is a critical component of performance-based management.
For example, in January 2003, as part of its Major Management Challenges and Program Risks series, the General Accounting Office expressed its concern about the Department’s ability to attract and retain qualified special agents, intelligence analysts, and language professionals (GAO Report #03-105) due to the demand for employees with language skills throughout government, especially proficiency in Middle Eastern and Asian languages. The GAO recommended that the FBI look to sharing language resources with other agencies as a way of meeting its needs for language services.
In October 2003 the OIG initiated an audit of the FBI’s hiring, training, and staffing of intelligence analysts and reports officers to ensure that these critical positions are being staffed in a timely manner with qualified personnel. The review will examine: 1) how analyst and reports officer hiring requirements and qualifications were established; 2) progress made toward meeting the hiring goals and retaining the personnel; 3) progress made toward establishing a comprehensive training program and meeting the training goals; and 4) how analysts and reports officers are staffed and utilized to support the FBI’s counterterrorism mission.
The National Commission on Terrorism in its report Countering the Changing Threat of International Terrorism stated that, “All U.S. Government agencies face a drastic shortage of linguists to translate raw data into useful information. This shortage has a direct impact on counterterrorism efforts.” Indeed, shortly after the September 11 attacks, the FBI issued a public call for Middle Eastern and Central Asian linguists. In the past, at the FBI shortages of linguists have resulted in thousands of hours of audiotapes and pages of written material not being reviewed or translated in a timely manner. To examine this issue, the OIG has initiated an audit of the FBI Language Services program to review. The objectives of the audit are to determine the extent and causes of any FBI translation backlog; evaluate whether FBI procedures ensure appropriate prioritization of work, accurate and timely translations of pertinent information, and proper security of sensitive information; and assess the FBI’s efforts to hire additional translators.
In another area, our ongoing audit work in the financial management area continues to find that several Department components lack adequate staff to perform many of the tasks needed to produce financial statements. Consequently, the Department continues to rely heavily on the use of contractors to prepare financial statements which, in addition to affecting the expense associated with producing the statements, contributes to diminishing the institutional knowledge and expertise. In addition, Department components have difficulty recruiting and retaining highly qualified information technology specialists who are knowledgeable about the latest hardware and software. As a result, the components have found it difficult to address some of the IT issues identified in the financial statement audits.
In 2003, the OIG continued to examine another important aspect of the Department’s efforts to successfully manage human capital – its ability to develop fair and consistent methods of addressing allegations of employee misconduct. In FY 2001, the OIG completed a review of the disciplinary system of the USMS (OIG Report I-2001-011) – the first in a series of reviews of components’ disciplinary systems. Our review of the USMS found misconduct cases where the consistency of the discipline or the degree of discipline imposed raised serious concerns, and the reasons for the final discipline decisions were not adequately documented. In addition, we found significant periods of unexplained elapsed time that appeared to prolong case adjudication. We made 12 recommendations to help the USMS improve its disciplinary system.
Most recently, the OIG examined the process by which the DEA identifies, refers, and investigates employee misconduct and imposes and enforces disciplinary actions in response to substantiated allegations of employee misconduct. The review evaluated the DEA’s compliance with procedures for reporting allegations of misconduct to its Office of Professional Responsibility as well as the timeliness of the process from the referral of allegations to the implementation of disciplinary actions. The review also examined the appropriateness and consistency of disciplinary actions. We found that the DEA’s system for investigating employee misconduct generally functioned well in that its investigations generally appeared to be thorough and well documented, and provided a sound basis for making disciplinary decisions.
However, we found problems in various cases that revealed weaknesses in DEA’s disciplinary system. These weaknesses included inadequate guidance and dual mitigation which resulted in penalties that appear to be too lenient; the improper consideration of external factors by Board members and a Deciding Official when making disciplinary decisions; a failure to adequately document disciplinary decisions by the Board and Deciding Officials; a failure of DEA management to monitor the timeliness of the disciplinary process; and a lack of management oversight over the Deciding Officials. We made eight recommendations to help the DEA ensure that its disciplinary decisions are reasonable, free of inappropriate external influences, well documented, and timely.
For example, in April 1997 the OIG issued a classified report examining the FBI’s performance in uncovering the espionage activities of former Central Intelligence Agency (CIA) Directorate of Operations officer Aldrich Ames. The review found that throughout nearly the entire 9-year period of Ames’ espionage, the FBI devoted inadequate attention to determining the cause of the sudden, unprecedented, and catastrophic losses suffered by both the FBI and the CIA in their Soviet intelligence programs. One of the recommendations made by the OIG in the report focused on the FBI’s inability to provide the OIG review team with a definitive answer concerning the distribution of various top secret documents. Given the sensitive nature of such documents, the OIG recommended that the FBI develop and maintain a better record-keeping system for tracking dissemination of its documents.
Six years later, the OIG released its review of the Hanssen case, which found this and other recommendations from the Ames matter had not been sufficiently implemented. Our Hanssen review found that over the course of more than 20 years, former FBI supervisory special agent Robert Philip Hanssen compromised some of this nation’s most important counterintelligence and military secrets, including the identities of dozens of human sources, at least three of whom were executed. Hanssen’s espionage began in November 1979 – three years after he joined the FBI – and continued intermittently until his arrest in February 2001, just two months before his mandatory retirement date.
In August 2003, the OIG released the results of its review of the FBI’s performance in deterring, detecting, and investigating Hanssen’s espionage activities. The OIG’s 674-page report, classified at the Top Secret/Codeword level, revealed that there was little deterrence to espionage at the FBI during Hanssen’s 25-year career. The FBI did not employ basic personnel security techniques – such as counterintelligence polygraph examinations and financial disclosure reviews – and the one background reinvestigation Hanssen underwent during his career was not thorough.
The FBI’s information security program likewise offered little deterrence to Hanssen’s espionage. Because of inadequate document security, Hanssen felt comfortable removing hundreds of pages of classified documents from FBI offices, including numbered original Top Secret documents. In addition, inadequate computer security permitted Hanssen to conduct thousands of searches on the FBI’s computer system for references to his own name, address, and drop and signal sites to see if he was under suspicion and to search for information concerning the FBI’s most sensitive counterintelligence cases. The computer system’s audit function, mandated by Department regulation and a principal tool against unauthorized use as well as espionage, was rarely used before Hanssen’s arrest.
The OIG found that Hanssen escaped detection not because he was extraordinarily clever and crafty, but because of long-standing systemic problems in the FBI’s counterintelligence program and a deeply flawed internal security program. The OIG made 21 recommendations to help the FBI improve its internal security and enhance its ability to deter and detect espionage in its midst and protect sensitive information. For example, the OIG recommended that the FBI create and implement programs enabling it to account for and track hard copy documents and electronic media containing sensitive information to prevent the unauthorized removal of sensitive information from FBI facilities. In addition, we recommended that the FBI implement measures to improve computer security, including an audit program to detect and give notice of unauthorized access to sensitive cases on a real-time basis and procedures to enforce the “need to know” principle in the context of usage of FBI computers.
We also recommended that the FBI consider enhanced security measures to protect its information from misuse or compromise, including more frequent polygraph examinations, more frequent and thorough background reinvestigations, and more detailed financial disclosures for employees who enjoy unusually broad access to sensitive information. In response to these security-related recommendations, the FBI reported that it has initiated a financial disclosure program and expanded the pool of counterintelligence-focused polygraph examinations. In addition, the FBI reported taking a number of steps to improve background investigations, including automating the collection of information acquired during background investigations.
However, we found that many of the changes that the FBI says it is implementing are either ongoing or still in the planning stages. Moreover, some of the FBI’s responses do not address the core concern underlying our recommendations. For others, we are closely examining the FBI’s response and plan to request additional information and monitor the FBI’s ongoing changes.
In another review recently initiated at the request of the FBI Director, the OIG began examining the FBI’s controls over safeguarding classified information and preventing espionage in its China program. This review stems from the indictment of a former FBI Agent in Los Angeles on charges of gross negligence in handling classified information. The OIG review will, among other issues, examine allegations that the agent improperly removed classified information from FBI offices and allowed a Chinese informant access to sensitive and classified information. The informant was indicted on charges of obtaining, copying, and retaining U.S. national defense documents without authorization.
With respect to critical infrastructure, the OIG has conducted several reviews of the Department’s efforts to protect its critical infrastructure in the event of a terrorist attack or other threats. Presidential Decision Directive 63 requires the Department and other government departments and agencies to prepare plans for protecting their critical infrastructure. The plans must include an inventory of mission-essential assets, a vulnerability assessment of each asset, and steps to remediate the vulnerabilities. Issued by the President, the National Plan for Information Systems Protection calls for a similar assessment of information system vulnerabilities and the adoption of a multi-year funding plan.
In an audit issued in November 2001 – Departmental Critical Infrastructure Protection Planning for the Protection of Physical Infrastructure (OIG Report #02-01) – the OIG concluded that the Department had not adequately planned for the protection of critical physical assets. Specifically, the Department had not 1) adequately identified all of its mission-essential physical assets, 2) assessed the vulnerabilities of each of its physical assets, 3) developed remedial plans for identified vulnerabilities, and 4) developed a multi-year funding plan for reducing vulnerabilities. We concluded that, as a result, the Department’s ability to perform vital missions is at risk from terrorist attacks or similar threats. We recommended that the Department properly inventory its critical physical assets, complete vulnerability assessments, and develop remedial plans to address the weaknesses identified. After initially disagreeing with our recommendations, the Department has now embarked upon, but has not yet completed, an appropriate inventory of its critical physical assets.
In an OIG audit completed in October 2003, we examined the adequacy of the Department’s efforts to protect its critical computer-based infrastructure. We found that the Department has not achieved “full operating capability” – that is, the ability to protect critical infrastructures from intentional acts that would significantly diminish the ability to perform essential national security missions and ensure general public health and safety. The audit concluded that the Department needs to complete critical infrastructure protection efforts in risk mitigation, emergency management, and interagency coordination. Among the recommendations we made to help improve the Department’s efforts to manage critical infrastructure protection are that the Department should:
The Department needs to focus on these and other related issues as it seeks to strike the appropriate balance between sharing intelligence and law enforcement information with a wider audience to meet its counterterrorism challenge while at the same time protecting the security of that information.
It also is widely recognized that enforcement alone to reduce the supply of illegal drugs and diversion of legal drugs is only part of the challenge, and that federal efforts to reduce the demand for drugs also are necessary.
During the past two years, the OIG has completed several reviews that highlight the difficulties facing the Department in attempting to address these challenges.
In addition to the millions of users of illegal narcotics, the illegal diversion of prescription drugs for non-medical purposes is a growing and staggering problem. According to the Substance Abuse and Mental Health Services Agency, emergency rooms across the country recorded a 163 percent increase in the number of visits tied to the abuse of prescription drugs between 1995 and 2002. Furthermore, prescription drugs are now a factor in one-fourth of all drug overdose deaths reported in the United States. The DEA Administrator, in a speech to the American Pain Society in March 2002, noted that the number of people who abuse controlled pharmaceuticals each year approximately equals the number who abuse cocaine – 2 to 4 percent of the U.S. population.
Therefore, an important and growing challenge to the Department is to reduce the diversion of controlled pharmaceuticals. Diversion occurs when legally produced pharmaceuticals are illegally obtained for non-medical use. Diversion commonly involves physicians or pharmacists selling prescriptions to drug dealers or abusers, employees stealing from drug inventories or pharmacies, individuals improperly obtaining multiple prescriptions from different doctors or over the Internet, and individuals forging prescriptions. Within the DEA, the Office of Diversion Control is responsible for overseeing the distribution system for controlled pharmaceuticals and regulated chemicals, and for preventing the diversion of those substances.
In September 2002, the OIG issued a review of the DEA’s investigative response to the diversion of controlled pharmaceuticals (OIG Report #I-2002-010). Our review found that the DEA’s enforcement efforts did not adequately address the problem of controlled pharmaceutical diversion. Despite the widespread problem of pharmaceutical abuse, the DEA dedicated only 10 percent of its field investigator positions to diversion investigations. In addition, we found that since 1990 the number of diversion investigators as a percentage of total DEA investigators decreased by 3 percent. While the DEA has traditionally focused the majority of its resources on disrupting illicit drug trafficking operations, we concluded that it is critical for the DEA to devote more resources to counteract the widespread problem of controlled pharmaceutical diversion.
We also found the DEA failed to provide sufficient DEA special agents to assist diversion investigators in conducting investigations of controlled pharmaceutical diversion. Diversion investigators lack law enforcement authority and therefore must request either DEA special agents or local law enforcement officers to perform essential activities such as conducting surveillance, issuing search warrants, managing confidential informants, and performing undercover drug purchases. We found that difficulties in obtaining law enforcement assistance caused delays in developing cases for prosecution. The quality of investigations also has suffered because of the need to use investigators external to the diversion control program who lack experience in conducting controlled pharmaceutical investigations, which often requires establishing the criminal intent of doctors, pharmacists, and other medical professionals. DEA officials acknowledged these problems and over the past 25 years have proposed solutions ranging from vesting diversion investigators with criminal investigative authority to assigning special agents to diversion units on a full-time basis. However, as of October 2003 the DEA still has not implemented an effective solution. The DEA advised the OIG that the reclassification of diversion investigators to special agents requires more discussion before a decision is made.
In addition, our review found that the DEA provides minimal intelligence support to its diversion investigators, instead focusing its intelligence efforts on developing and analyzing intelligence information on illicit drug trafficking. The one potential intelligence resource currently available to diversion investigators is the Automation of Reports and Consolidated Orders System (ARCOS). The ARCOS contains information on the inventories, acquisitions, and dispositions of certain controlled pharmaceuticals, as reported quarterly by manufacturers and distributors. These quarterly reports show transactions for broad categories of controlled pharmaceuticals but not specific drugs. ARCOS details the flow of DEA-controlled pharmaceuticals from their point of manufacture through commercial distribution channels to the sale or distribution to dispensing or retail outlets (such as pharmacies, health care practitioners, and hospitals). However, diversion investigators told the OIG that ARCOS reports are limited in their value as an intelligence resource because of problems of completeness, accuracy, and timeliness. Diversion staff at Headquarters and in DEA field offices also told the OIG that they do not have the adequate resources to analyze and develop ARCOS data into useful intelligence products.
With regard to reducing the supply of illegal drugs, in September 2003 the OIG issued an audit examining the DEA’s performance measures assessing its impact on reducing the supply of illegal drugs. The audit entitled, “The DEA’s Implementation of the Government Performance and Results Act” (GPRA) (OIG Report #03-35), concluded that the DEA failed to meet key aspects of the GPRA and noted that while the DEA developed a strategic goal and objectives that were consistent with the Department’s, the DEA’s strategic goal and objectives were not definitive enough to allow for an assessment of whether they are being achieved.
For example, even though the DEA had established performance indicators for all of its budget decision units, it had not established:
As a result of these deficiencies, the ability of the Department, Congress, and the public to assess the effectiveness of the DEA’s performance in reducing the supply of illegal drugs was diminished. We recommended, among other things, that the DEA establish a strategic goal and objectives that are quantitative, directly measurable, or assessment-based and develop specific criteria for determining what constitutes a priority target organization and a disrupted or dismantled priority target organization. The DEA concurred with our recommendations and is updating its strategic plan. The new strategic plan will include, according to the DEA, one general long-term goal and four strategic goals with quantitative, time-specific objectives that will address the OIG’s recommendations.
In FY 2004, the OIG will continue to examine other supply-reduction aspects of this challenge by reviewing the operations of the High Intensity Drug Trafficking Area Task Forces, a program designed to help federal, state, and local law enforcement organizations invest in infrastructure and joint initiatives to confront drug-trafficking organizations. The objectives of the audit will be to determine the relationship between DEA’s mission and the Office of National Drug Control Policy’s mission for the High Intensity Drug Trafficking Area (HIDTA) program; DEA’s overall relationship to the HIDTA program; the efficiency and cost effectiveness of HIDTA’s delivery of funds to federal, state, and local law enforcement agencies; and the impact on agencies that participate in HIDTA task forces as a result of changes in law enforcement priorities in response to the events of September 11, 2001.
Attempting to reduce the supply of drugs alone will not solve the problem of illegal use of drugs; reducing the demand for illegal drugs is a critical component of the strategy to reduce drug abuse in the United States. In a February 2003 audit, the OIG examined the Department’s drug demand reduction activities, one of the objectives identified in the DEA’s current Strategic Plan. While early federal drug control efforts concentrated primarily on enforcement, federal drug demand reduction efforts today include drug abuse education, prevention, treatment, research, rehabilitation, drug-free workplace programs, and drug testing.
The OIG reviewed the Department’s drug demand reduction activities to: 1) identify all Department programs that related to drug demand reduction, quantify the total obligations for each program, and verify that financial information provided to the ONDCP was prepared appropriately; 2) determine whether the Department’s performance measures are adequate to determine the success of its programs; 3) identify whether Department drug demand reduction activities were duplicative and whether Department components were coordinating drug demand reduction efforts; and 4) review the DEA activities and funding dedicated to drug demand reduction. During its audit, the OIG examined drug demand reduction programs in the BOP, COPS, OJP, and the DEA.
The ONDCP reported that the total federal drug demand reduction budget for FY 2001 was $5.9 billion, of which the Department reported spending $336 million for 19 drug demand reduction programs administered by the DEA, BOP, COPS, and OJP. Our audit of the Department’s drug demand efforts found that the Department’s report to the ONDCP did not accurately reflect its drug demand reduction activities, overstating by more than 50 percent the Department’s actual funding of drug demand reduction programs. We identified 10 programs with total reported obligations of $223 million that were not directly related to drug demand reduction. As a result, the Department’s obligations directly related to drug demand reduction for the remaining Department programs were actually $163 million, not the $336 million reported in FY 2001.
The OIG audit also found that the performance indicators did not adequately measure the effectiveness of the Department’s drug demand reduction programs. Further, the DEA did not establish any performance indicators for its drug demand reduction programs, even though drug demand reduction is one of the DEA’s strategic objectives.
In addition, we found that the Department had not established a formalized mechanism for sharing drug demand reduction program information among its components.
Finally, we found that the DEA spent only $3 million on drug demand reduction efforts in FY 2001 – two-tenths of one percent of its $1.4 billion budget. The DEA’s drug demand reduction efforts were largely conducted by its Demand Reduction Section, which consisted of 8 headquarters staff and 27 Demand Reduction Coordinators located in DEA field offices or other operational offices. The OIG’s audit questioned the impact the DEA can achieve on reducing the demand for drugs with such a small percentage of its funding devoted to this effort. In response to this concern, the DEA indicated that it is completing an evaluation to determine the impact of the drug demand reduction program.
Within the past year, the OIG also has focused on efforts by components other than the DEA to reduce drug supply and demand. In January 2003, the OIG issued an evaluation of the BOP’s drug interdiction activities (OIG Report #I-2003-002). Drug use by federal inmates represents a serious health and prison management problem. Drugs are in every prison. Moreover, while the BOP’s national rate for positive inmate drug tests in 2001 was 1.94 percent, the statistics vary widely among BOP facilities. For example, the high-security U.S. Penitentiary in Beaumont, Texas, posted a positive inmate drug test rate of 7.84 percent. In addition, 50 federal inmates have died from drug overdoses since 1997 and the BOP has recorded more than 1,100 “drug finds” in its institutions since 2000.
We determined that visitors, BOP staff, and the mail are the three primary ways drugs enter BOP institutions. The OIG concluded that the BOP fails to search visitors adequately, and that most of the BOP institutions we visited have an insufficient number of cameras, monitors, and staff to adequately supervise inmate-visiting sessions. In addition, the OIG concluded that the BOP has not taken sufficient measures to prevent drug smuggling by its staff. The report noted that interdiction activities common in many state correctional systems – such as random searches of staff or their property, or conducting random drug tests of staff – currently are not used by the BOP.
The OIG also concluded that an insufficient number of BOP inmates receive drug treatment to reduce their demand for drugs – a critical component of the BOP’s drug interdiction strategy – partly because the BOP underestimates and inadequately tracks inmates’ treatment needs. The BOP has estimated that 34 percent of all federal inmates need drug treatment. However, the OIG review determined that this figure is outdated and under represents the number of BOP inmates who need drug treatment.
In addition, the report concluded that the BOP does not provide adequate non-residential drug treatment in BOP facilities due to insufficient staffing, lack of policy guidance, and lack of incentives for inmates to seek such drug treatment. Even though the BOP states that non-residential treatment is a major component of its strategy to reduce inmates’ demand for drugs, non-residential treatment was limited or not available at five of the institutions visited by the OIG.
The OIG report made 15 recommendations to help improve the BOP’s efforts to prevent drugs from entering its institutions, including implementing “pat” searches of visitors; investing in additional cameras, monitors, and ion spectrometry technology to detect drugs; implementing policies to restrict the size and content of property that staff bring into institutions; implementing a policy regarding searching staff and their property when they enter BOP institutions; implementing random drug testing for staff; and implementing additional non-residential treatment programs for inmates in the general population. The BOP agreed with many of the recommendations, and is in the process of implementing various corrective actions.
In sum, reducing the supply of illegal drugs, reducing the diversion
of legal prescription drugs for illegal use, and reducing the demand
for legal drugs are critical ongoing challenges for the Department.
Responses to the Office of the Inspector General’s List of the Ten Most Serious Management Challenges
1. Counterterrorism
The Department must manage its counterterrorism programs while coordinating
with other intelligence agencies and law enforcement entities, as well as
ensure that the CT funds are spent in an effective manner.
Issue 1.1: As of September 2002, the FBI had not performed and incorporated into its planning system a comprehensive assessment of the threat of terrorist attacks on United States soil. Such an assessment would be useful to define the nature, likelihood, and severity of the threat, as well as to identify intelligence gaps and determine appropriate levels of resources to effectively prevent and combat terrorism.
Action: The FBI completed a comprehensive national assessment of the terrorist threat to the US homeland based on comprehensive intelligence. The national threat assessment, “The Terrorist Threat to the U.S. Homeland: An FBI Assessment” was distributed beginning 12/18/02. Terrorist groups were prioritized in tiers by their intent to harm the U.S. homeland, their links to al Qaeda, and their capabilities. The prioritization of groups does not mean that those lower-tiered groups are necessarily less threatening. Each threat to the U.S. must be investigated, and each is considered significant until proven otherwise. In addition, the FBI’s Counterterrorism Division had each field office complete a field threat assessment. The Field Threat Assessment complements the national threat assessment by assessing the risk of the threat facing the United States on a field division level. Each field division reported the terrorist presence, and the methods/operations in use by terrorists and/or their supporters in their respective areas. These two assessments along with the FBI’s Annual Field Office Report will assist the FBI in identifying the nature, likelihood, and severity of the threat, as well as to identify intelligence gaps, and assist in determining appropriate levels of resources to effectively prevent and combat terrorism.
Issue 1.2: The Department needs to prepare to respond to terrorist acts and other critical incidents, as well as focus its efforts and resources to prevent acts of terrorism. Most U.S. Attorneys= Offices have not fully implemented effective response programs under the Crisis Management Coordinator (CMC) Program, implemented in 1996.
Action: EOUSA, Counterterrorism Section (CTS), and the United States Attorneys’ Offices (USAOs) have undertaken extensive and comprehensive joint efforts during the past 2 years to enhance the Department’s overall ability to respond to critical incidents. Legal training provided to United States Attorneys (USAs) and Assistant United States Attorneys (AUSAs), many of whom were CMCs, on crisis response responsibilities in terrorism incidents include EOUSA co-sponsored training with the Centers for Disease Control in April 2003 on responding to chemical or biological incidents; Department training for prosecutors and investigators on the USA PATRIOT Act and other changes in law relative to intelligence and law enforcement techniques and information sharing; and a broad array of training provided by EOUSA’s Office of Legal Education and JTN broadcasts to USAOs and Department attorneys. In addition, CTS and EOUSA have scheduled crisis response training at the National Advocacy Center in March 2004. Other actions include a January 2003 antiterrorism conference for USAs, co-sponsored by CTS and EOUSA, in which a portion was devoted to a crisis response exercise; a March 2003 CMC-specific video-conference; and updated and specific guidance in the May 2003 revised “Guide to Developing a Model Crisis Response Plan” provided to USAOs. As a result, numerous USAOs are revising their plans.. Organizationally, CTS has reorganized its operations to include a Policy, Legislation, and Planning group to provide focus on crisis response issues and planning; and the Department has requested that the CMC Program and the Antiterrorism Advisory Council (ATAC) Program in the USAOs be merged and/or realigned to allow the CMC to operate under the ATAC in each district and to work closely with the District Office Security Managers to coordinate efforts on crisis response planning.
Issue 1.3: Prior to 9-11, the FBI devoted significantly more special agent resources to traditional law enforcement activities than it did to terrorism-related programs. Since 9-11, the FBI has reprioritized and refocused its investigative resources on counterterrorism-related issues, and this impacts other federal, state, and local law enforcement agencies.
Action: Since 9/11/2001, the FBI has shifted 671 field agents from field criminal investigations to augment counterterrorism-related investigations, implement critical security improvements, and support the training of new agents. These 671 agents were reallocated primarily from FBI drug investigations (553 agents moved), although some were shifted from white collar and violent crimes programs (59 from each program). Although the reallocation of criminal investigative resources is expected to have a significant impact upon white collar crime investigations (e.g., financial institution fraud) and support of state and local law enforcement in violent crime investigations, so far FBI drug investigations have felt the most immediate effects. Even though the performance goals of dismantling high-priority drug-trafficking organizations (i.e., CPOT-linked organizations) are on-track, dismantlements of other significant drug-trafficking organizations in FY 2003 were short of the targets set prior to the reallocation. The original FY 2003 target for dismantling non-CPOT-linked drug-trafficking organizations was 160 organizations; the FBI achieved 87 dismantlements of non-CPOT-linked drug-trafficking organizations in that time period. There is no doubt that the reallocation of agents from drug investigations impacted upon the FBI’s accomplishments in FY 2003.
Issue 1.4: Much information relevant to counterterrorism and counterintelligence is in languages other than English. The FBI must ensure appropriate prioritization of translation work, accurate and timely translations of pertinent information, and proper security of sensitive information to avoid continued translation backlogs.
Action: The FBI’s Foreign Language Program (FLP) centrally coordinates over 1,200 translators with operational division managers. This ensures its finite translator base is strategically aligned with priorities set on a national level. Monthly performance measures and reporting requirements have been instituted to identify translation performance gaps, to keep appropriate FBIHQ and field office managers informed of any translation deficiencies, and to benefit the FLP’s workforce and budget planning. A comprehensive control system has been instituted to evaluate translation outputs for quality and security assurance. Each of these areas will be regularly evaluated and improved in FY 2004 and beyond by applying lessons learned.
Issue 1.5: The FBI needs to enhance its intelligence analysis capability.
Action: The FBI has established an Executive Assistant Director for Intelligence (EAD-I), an Office of Intelligence and Intelligence Program. Under the direction of the EAD-I, the “Human Talent for Intelligence Production Concept of Operations” was developed and approved. This CONOPS is the framework for the career development of the FBI’s analytical cadre from recruitment to retirement. Based on this document, recruitment strategies for FY 2004 are in development, standardized minimum qualification requirements have been established and implemented, and one Intelligence Analyst position with a clear career path and functions has been established. The Office of Intelligence is working with the Training Division’s College of Analytical Studies on enhancing the Basic Intelligence Analysts Course and identifying other appropriate training opportunities for Intelligence Analysts.
Issue 1.6: The Department must ensure that its increased funding for counterterrorism is used economically, effectively, and for its intended purposes. The Department’s Counterterrorism Fund, created by Congress in 1995 after the bombing of the Murrah Federal Building in Oklahoma City and originally established to provide reimbursement solely to Department components, has, since 1996, used $167 million from the Fund to support counterterrorism initiatives of non-DOJ agencies. Although JMD has improved its management of the Fund, additional improvements to the claims review process are needed.
Action: The Department has made every effort to ensure the AG’s Counterterrorism Funds is used for its intended purposes. Any funds used to support CT efforts of non-DOJ agencies are either approved through the notification processes approved by OMB and the Hill or earmarked in a conference bill. JMD will continue to examine ways to enhance its oversight of the CTF.
Issue 1.7: The Department, in responding to the heightened terrorism threat, must use its law enforcement and intelligence-gathering authorities without inappropriately affecting the civil rights and civil liberties of individuals. A June 2003 OIG report recommended developing uniform arrest and detainee classification policies, improving information-sharing among federal agencies on detainee issues, improving the FBI clearance process, clarifying procedures for processing detainee cases, revising BOP procedures for confining aliens arrested on immigration charges who are suspected of having ties to terrorism, and improving oversight of detainees housed in contract facilities.
Action: The Department is committed to safeguarding the civil rights and civil liberties of all individuals. The Department’s responses to the Inspector General’s (IG) recommendations are outlined in the Department’s written submissions to the IG dated July 21, 2003, and November 20, 2003.
2. Sharing of Intelligence and Law Enforcement
Information
To help prevent acts of terrorism, the Department must share information
with multiple entities in a timely manner while maintaining the security of
sensitive information and limiting that information to those with a “need
to know.”
Issue 2.1: The FBI lacks criteria for initially evaluating and prioritizing incoming threat information and lacks a protocol for when to notify higher levels of management, other units and field offices, and other agencies.
Action: The FBI concurs with the recommendation to develop criteria for evaluating and prioritizing incoming threat information and is working to improve its threat management capabilities. On 12/02/02, the CID established the 24/7 Counterterrorism Watch (CT Watch) for this purpose. A threat, as defined by PDD-39, and the Attorney General’s Guidelines, is any indication of planned violence against U.S. persons or facilities, including any persons or facilities located in the U.S. or damage to the U.S. national security or infrastructure. A threat can originate from individuals, terrorist groups, or other criminal elements. Threats are received and handled by several components of the FBI’s National Threat Center Section. These include the CT Watch, the Threat Monitoring Unit, the Strategic Information Operations Center (SIOC), and the Terrorism Watch and Warning Unit. All of these entities are purposefully integrated into the Section to ensure all threats, regardless of source and manner of communication, are appropriately reviewed, prioritized, and addressed. The CT Watch is the recipient of all terrorist-related threat and suspicious activity reporting for the FBI. It is the FBI’s 24-hour global command center for terrorism prevention operations. As the FBI’s “Threat Central,” it is the focal point for the receipt, preliminary analysis, and immediate assignment for action of all international and domestic terrorism threats, ensuring timely alert to FBI and DOJ executives, other government leaders/agencies, and field offices/Joint Terrorism Task Forces (JTTFs). The Threat Monitoring Unit has personnel assigned to the CT Watch and maintains the responsibility of tracking all threat and suspicious activity, in conjunction with the CT Watch. Details regarding criteria for evaluating threat and suspicious activity were detailed in an FBI memorandum to the IG earlier this year in response to the OIG’s report, “A Review of the FBI’s Counterterrorism Program: Threat Assessment, Strategic Planning, and Resource Management.”
Issue 2.2: The FBI’s ability to process intelligence information is hampered by its lack of an experienced, trained corps of professional intelligence analysts for both tactical and strategic threat analysis.
Action: The FBI has made improvements to its training process for intelligence analysts. Also, it has hired a new EAD-I who has embarked on substantial improvements to the intelligence processes with the FBI.
Issue 2.3: Long-standing systemic problems in the FBI’s counterintelligence program and a flawed internal security program that resulted in the Robert Hanssen espionage activities emphasized the need for improved coordination and information sharing within the Department.
Action: The FBI’s Security and Counterintelligence divisions are strengthening their cooperative relationship with the establishment of several initiatives. The FBI’s Counterintelligence Division (CD) created the Counterespionage Section which is organized by country and issue. Within this section the internal penetration unit is tasked with strictly investigating all anomalies, Section 811 referrals, and any other allegations that the FBI has been penetrated by a foreign intelligence service. The FBI Security Division made 11 Section 811 referrals to CD in 2002. The divisions also revised policy for handling Recruitments in Place and defectors; developed a prototype to capture clearance-related information and sharing the information for investigative needs; expanded the requirement for counterintelligence-focused polygraph examinations; ensured that counterintelligence and counterespionage programs are nationally driven, centralized, and managed at the Headquarters level; and implemented a comprehensive security education and awareness training program.
Issue 2.4: The lack of an integrated automated fingerprint system hinders the Department, DHS, and state and local law enforcement agencies from sharing valuable immigration and law enforcement information about detained or apprehended persons.
Action: IDENT/IAFIS workstations enabling DHS to conduct checks of IAFIS within 10 minutes have been deployed to more than 100 DHS field sites. DHS has plans to continue extensive deployment of this capability during FY 2004. Included in the 100 sites that are currently operational are 41 “metrics” sites from which data is being collected to estimate the DOJ and DHS operational impacts of improved identification capabilities at the border. Data collection and analysis will continue through FY 2004, leading to projections of “downstream” impacts and decisions as to how best continue the integration effort, including how DHS apprehension data can be shared with other federal, state and local law enforcement. At this time, DHS is intending to use the IDENT system as an initial foundation for its new US VISIT Program. JMD and FBI are working with DHS to determine the impact of that program on the future of IAFIS and the integration project.
3. IT Systems Planning and Implementation
Employees rely on complex and often interrelated IT systems to meet challenges
ranging from sifting through thousands of leads in a criminal investigation
to developing annual financial statements.
Issue 3.1: The FBI must be able to use its IT systems to rapidly identify and disseminate pertinent intelligence information to the law enforcement community. Deficiencies in the FBI’s IT program, including outdated infrastructures, fragmented management, ineffective systems, and inadequate training can impede the FBI’s ability to meet this goal. To effectively manage its IT investments, and avoid “stovepipe” systems, the FBI must implement critical management processes. This has led to spending hundreds of millions of dollars on IT projects without adequate assurance that these projects would meet their intended goals.
Action: The FBI’s new Investment Management Program (IMP) is in place. IMP policies and procedures are available on the FBI intranet and have been communicated to all FBI divisions through briefings with each Assistant Director. Building on the lessons learned from the “select phase” pilot in FY 2003 and the tenets of the General Accounting Office ITIM Framework, the FBI is extending investment management key practices to the “control phase.” The first executive Program Management Review was completed in November 2003, and will be held each quarter. Plans for training FBI employees in key practices, such as writing effective business cases, conducting cost/benefit analyses, and applying earned value management are planned to begin in December 2003. Closer partnership with the Finance Division will drive more effective prioritization and management of the FBI’s IT portfolio and all projects, whether IT or not, with life cycle costs of $10 million or more. The FBI is also working closely with the Justice Management Division to align its IMP process with the DOJ ITIM process for all phases (select, control, and evaluate). The Department and the FBI are committed to the development, implementation, and maintenance of solid enterprise architecture (EA) programs. Within the FBI, EA plays an important role in effectively managing large and complex modernization programs. Furthermore, the FBI and JMD are developing a detailed work plan for addressing EA throughout the FBI. As evidence of the improved processes, 17 of 30 open OIG recommendations from the 2002 ITIM audit have been closed.
4. Computer Systems Security
DOJ’s IT security program requires additional improvement at both
the Department and component levels, particularly in program oversight and
vulnerability management, to protect computer systems and reduce the number
of vulnerabilities within the Department’s IT systems.
Issue 4.1: The Department’s functions have not been centralized sufficiently to provide the vigorous enforcement oversight B supported by a substantial, technically proficient work force B that the Department needs.
Action: In May 2003, the CIO restructured the Department IT Security Program to assume responsibility for policy and oversight of IT security. An updated policy has been developed and is awaiting signature by the AAG/A to reflect this centralization of IT security. A Deputy CIO position, with direct responsibility for IT security, was filled in June 2003. The CIO realigned internal resources to identify additional positions to support the Deputy CIO and the IT Security Staff. This represents an increase of 100% over the original staffing level. Aggressive recruiting is underway to identify a technically proficient workforce to meet the Department’s needs.
Issue 4.2: Vulnerabilities exist in the management, operational, and technical controls that protect each departmental system from unauthorized use, loss, or modification.
Action: The IT Security Council (ITSC) and seven Project Management Teams were designated to carry out key activities and manage implementation of 17 individual IT security standards. The teams are currently establishing independent test cases, schedules, and metrics for each of 230 management, operational, and technical risk control objectives and implementing a web-based Automated Security Evaluation and Remediation Tracking (ASSERT) system to support updating of independent test cases, managerial oversight of corrective action plans and FISMA reporting.
Issue 4.3: There are inconsistencies in the oversight of computer security due to the bifurcation of responsibility between the JMD Security and Emergency Planning Staff and the JMD Information Management and Security Staff.
Action: In an effort to eliminate the bifurcation of responsibilities between JMD staffs, the CIO restructured the Department IT Security Program to assume responsibility for oversight of computer security. An updated policy has been developed and is awaiting signature by the AAG/A to reflect these changes in the program. Oversight Responsibility for National Security Systems transitioned to the CIO in revised DOJ Order 2640.2E (release pending).
Issue 4.4: Weaknesses in SENTRY, BOP’s primary mission support database, occurred because BOP management did not fully develop, document, or enforce BOP policies in accordance with current Department policies and procedures.
Action: BOP recognizes the weaknesses identified in four of the 27 Federal Information System Controls Audit Manual control areas tested. Although these areas are not considered major weaknesses and the SENTRY system is assessed as low risk, BOP and the Department (Office of the CIO) continue to work collaboratively to correct the areas. By ensuring even low risk assessments are given appropriate reviews, BOP and the Department establish assurances that security vulnerabilities will not impair BOP’s ability to fully ensure the integrity, confidentiality, and availability of data contained in SENTRY. In addition to the weaknesses identified, BOP will enforce the BOP Policy Standards and existing access control policy, update the SENTRY System Security Guide and provide the Information Security Officer with the exception reports from the system audit logs.
Issue 4.5: The FBI’s Automated Case Support (ACS) system has security flaws, discovered during the review of the Hanssen case. These include the ability to override access restrictions to ACS, improper uploading of documents or inadequate restriction codes, rare use of the audit function.
Action: The FBI Information Assurance Program is providing active certification support to the Trilogy/Virtual Case File (VCF) Program to include the Beta Test of the Local Area Network (LAN) and the development of New Agents= training. The Certification Unit provides the security consultation services to deliver the assurance of confidentiality, integrity, and availability through the security certification process which monitors the implementation of security policy and the remediation of the vulnerabilities identified in the ACS and related legacy systems and networks.
5. Financial Management
Antiquated and ineffective automated accounting systems and decentralized
financial management threaten the Department’s ability to maintain its
unqualified opinion.
Issue 5.1: The Department lacks automated systems to readily support ongoing accounting operations, financial statement preparation, and the audit process. Its capability to provide current, timely, and accurate financial information to managers remains limited. It will be difficult for the Department to maintain a clean audit opinion for FY 2004 and future years and meet the expedited reporting dates unless it modernizes and streamlines its financial management systems.
Action: DOJ is planning a major systems replacement project which will provide a single Unified Financial Management System across the agency, and which will support timely access to key financial and selected performance data for leadership decision making. The first step in this process is the implementation of the Hyperion Financial Management (HFM) tool to facilitate the preparation of the FY 2004 individual and consolidated financial statements. DOJ accelerated the FY 2003 deadline for submitting the audited financial statements to the Office of Management and Budget by 30 days. During March 2003, DOJ issued the FY 2004 financial statement preparation time line designed to meet the accelerated November 15th deadline and the accelerated quarterly reporting deadlines. DOJ has also implemented revisions to internal business practices to improve quarterly accounting data and accelerate quarter and year-end closeouts.
Issue 5.2: Problems related to financial accounting and reporting in FY 2002 were overcome only by significant year-end manual efforts. This will not be possible for FY 2004 because component audits must be completed within 14 days of the end of the fiscal year.
Action: Senior managers are performing ongoing financial reviews and program evaluations. Financial oversights reports are available and offices are encouraged to monitor expenditures and allotments on a monthly basis to improve the integrity of the accounting data.
Issue 5.3: Component financial and other automated systems are not integrated and do not readily support the production of financial statements and other required financial reports. Consequently, production of Departmentwide information must be done manually or by duplicate inputting of data.
Action: In FY 2002, the Department initiated the Unified Financial Management System (UFMS) project to replace the seven major accounting systems used throughout the Department. Key milestones in completing the implementation of the UFMS project include the award of the Commercial Off-the-Shelf Software (COTS) contract in the 2nd quarter of FY 2004, the award of the Integration and Implementation (I&I) contract and completion of the product acceptance testing in the 4th quarter of FY 2004.
Issue 5.4: Several of the older systems used by components predate the current accounting requirements and do not support the production of timely, relevant information that is needed for preparing financial statements or performing accrual accounting transactions.
Action: The objective of the UFMS Program is to significantly improve DOJ-wide financial management and program performance reporting by making financial reporting more timely, relevant and accessible and to re-engineer DOJ business practices to move away from the widely different and outdated systems and practices, adopting uniform business practices.
6. Grant Management
The size, diversity, and complexity of DOJ’s grant programs result
in challenging management demands.
Issue 6.1: The Department’s federal financial assistance programs are fragmented, resulting in reduced efficiency and increased costs to award and administer federal financial assistance funds to state and local agencies.
Action: Funds from both COPS and OJP assist
state, local, and tribal law enforcement. COPS grants are unique because
every grant dollar awarded by the COPS Office must, by statute, be used
to advance community oriented policing, a strategy credited with reducing
crime and the fear associated with crime and with building trust between
law enforcement and citizens. In addition, funds under the COPS Office
hiring programs support 3 years of officer salaries to advance community
policing. In contrast, while a grantee can choose to use OJP LLEBG funds
to support community policing activities if the grantee so desires, it
is not a requirement that recipients of LLEBG funds must engage in community
oriented policing. In addition, LLEBG grants are 1-year grants. Potential
grantees are selected for awards from different pools, under different
funding criteria. All state, local, federally recognized tribal, and public
law enforcement agencies, as well as jurisdictions serving special populations
(e.g., transit, university, public housing, schools, and natural resources),
are eligible to apply directly to the COPS Office for funding. In addition,
jurisdictions wishing to establish new police agencies are eligible to
apply for COPS hiring and technology grants.
OJP began an internal reorganization in FY 2001 intended to streamline
its functions. OJP merged programs and staffs of the Corrections Program
Office and the Drug Courts Program Office into the Bureau of Justice Assistance
to consolidate overlapping functions, reduce management redundancy, and
improve coordination and communication. An Office of the Chief Information
Officer (OCIO) was created to address important mission-critical systems
and the need for an agency-wide grants management system and management
information system. OJP merged the Office of Congressional and Public
Affairs and other information dissemination functions into one office.
OJP will merge the programs, functions, and staff of the Executive Office
for Weed and Seed and the American Indian/Alaska Native Affairs Desk into
the Community Capacity Development Office. Also, OJP plans to merge several
administrative and support functions into the Office of Management and
Administration. Collectively, these actions will move OJP toward greater
centralization of management and improved communication and coordination
across organizations and programs.
Issue 6.2: There are overlaps between OJP and the COPS Office, and no formal communication procedures exist between them to ensure that grantees do not receive funds for similar purposes from both agencies
Action: Prior to the audit, the COPS Office and OJP already had a practice of informally coordinating with each other on a variety of other matters. Accordingly, in furtherance of this practice of mutual collaboration and coordination, both offices agree to formalize their coordination by, first, comparing program descriptions as soon as they become available in the fiscal year to identify programs that contain the same allowable uses and, second, if necessary as a result of the first step, ensuring that the relevant program managers from each office coordinate on a case-by-case basis to guarantee that duplicate awards are not made to the same grantee for the same purpose.
Issue 6.3: COPS has not developed a capability to receive grant applications on-line and to download the information directly into its grant management system. Grantees must submit applications on paper and COPS must manually input the data into its tracking system.
Action: To allow agencies to apply for COPS funding at Grants.gov, COPS is identifying the agency specific data not used on standard grant forms so that COPS grant application forms can be available for applicant submission. (Target date of 5/1/2004.) COPS will be compliant with OMB directive of 11/7/2003 that all grant funding opportunities be posted at the eFind portion of Grants.gov using the standard OMB approved template. With assistance of the Business Practices Group, COPS will begin implementation of a single grant application package for all grant programs based on the SF 424 which will allow for easier integration with Grants.gov.
Issue 6.4: OJP does not have a fully effective automated system to manage its federal financial assistance funds and has multiple automated application systems in place. Despite having these automated systems to help manage its funds, OJP still relies primarily on a manual system for processing grants.
Action: In continuing to respond to the President’s goal to improve the delivery of government services to citizens, OJP’s Grants Management System (GMS) has become a more streamlined, Web-based tool that makes processing grants easier and faster. The system provides automated support throughout the grant life cycle for OJP staff, grant applicants and grantees. This support includes applicant registration, application submission and review, award approval and distribution, payment, monitoring, closeout, and decision support. By using GMS, the award process, which took an average of 3 months to complete under the old paper-based system, now averages 3 weeks to complete. In FY 2003, 96 percent of OJP grants were administered through a centralized paperless system.
7. Performance-Based Management
The Department must ensure, through performance-based management, that
its programs are achieving their intended purposes.
Issue 7.1: Many performance measures are not focused on outcomes or are not quantifiable and verifiable. This is a critical component of performance-based management. Also, performance-based accomplishments are necessary to the Department’s planning and priority setting.
Action: In tandem with the revision to the strategic plan, the Department developed long-term outcome oriented performance measures and targets. These measures were approved by OMB and many were included in related program PART evaluations.
Issue 7.2: Deficiencies in DEA’s performance measures diminish the ability of the DEA, the Department, Congress, and the public to assess the effectiveness of the DEA’s performance.
Action: In its new Strategic Plan, reviewed favorably by DOJ and OMB, DEA established strategic goals and objectives that are quantitative and directly measurable. Goals for disrupting and dismantling Priority Target Organizations (PTOs) are based on a trend analysis of actual performance results, and these trend analyses will continue each quarter on a routine basis. The Priority Target Activity and Resource Reporting System (PTARRS) has acceptable controls for the Domestic Enforcement DU indicator, and now includes the International Enforcement indicators as well. DEA is consolidating reporting capabilities of several already existing Diversion Control systems, and procedures and controls are in place to verify the performance data reported. Work continues on an impact assessment methodology (using several existing DEA systems) which will support reporting on reduction in drug availability, and include appropriate controls for data verification. DEA was one of the agencies reviewed during 2002 by OMB with its Program Assessment Rating Tool (PART) for implementation of the GPRA program. In January 2003, DEA developed an action plan for improvement. Progress has been so significant that DEA’s current PART score from OMB is 59% (using the FY 2005 version of the tool) a 127% improvement. The increase in the strategic planning section was from 1% to 9% out of a possible 10% weighted score. DEA’s budget requests (FY 2004 and 2005) are explicitly tied to accomplishment of the annual and long-term goals, and resources needs are presented in a complete and transparent manner in the budget. DEA has also improved its collection of performance information, and used it to manage the program and improve performance, as well as to collaborate and coordinate effectively with related programs, such as the Bureau of Immigration and Customs Enforcement, as well as the HIDTA and OCDETF programs. With regard to strong financial management practices, DEA is on track to receive a good audit opinion again this year. Concerning the overall FY 2005 assessment, OMB has indicated they recognize DEA’s diligence and progress in more than doubling its PART score. Accordingly, OMB gave favorable consideration to DEA’s FY 2005 OMB budget request.
8. Human Capital
All DOJ components must hire, train, and retain adequate personnel to
handle the myriad duties of the Department. The increasing technical and sophisticated
nature of the Department’s work, coupled with the competition for qualified
employees increases this challenge. This challenge negatively affects other
management challenges, including countering terrorism.
Issue 8.1: The demand for employees with language skills throughout government, especially proficiency in Middle Eastern and Asian languages, affects the Department’s ability to attract and retain qualified special agents, intelligence analysts, and language professions.
Action: In September 2003, DOJ awarded a contract for a Department wide Workforce Analysis and Planning Initiative. The project will link workforce requirements to DOJ strategic goals, identify skill gaps (such as lack of language skills) by each occupational series, and recommend ways to fill identified gaps. The project is expected to be completed by July 2004. The FBIs National Recruiting Team targets diverse and specialty conferences, career fairs, and other meetings of those with the “most wanted” skill sets and backgrounds for Special Agent (SA) and other positions. Ongoing efforts include targeting foreign language departments within colleges and universities, and advertising on foreign language web-sites, newsletters and magazines. Field Offices implemented local advertising and recruitment strategies in FY 2003 and have been advised to immediately process SA linguists for testing. In August 2003, the FBI issued a press release announcing its immediate need for Agent applicants who possess a fluency in Middle Eastern languages and other languages critical to the FBI’s mission. The Bureau has also contracted with an advertising agency to develop a foreign language media plan for recruitment and marketing strategies. The FBI has aggressively recruited and processed several thousand translator applicants since October 1, 2000. During this period, it has more than doubled its complement of translators proficient in Middle Eastern and Asian languages. These efforts will continue through FY 2004 and beyond, consistent with the availability of additional funding, to ensure sufficient translator resources are available to meet growing translation demands in a wide array of languages.
Issue 8.2: Past FBI shortages of linguists have resulted in thousands of hours of audiotapes and pages of written material not being reviewed or translated in a timely manner.
Action: (See response to Issue 8.1 above..)
Issue 8.3: Several components lack adequate staff to perform many of the tasks needed to produce financial statements. Consequently, the Department continues to rely heavily on contractors to prepare financial statements which, in addition to affecting the expense associated with producing the statements, contributes to diminishing the institutional knowledge and expertise. Components have difficulty recruiting and retaining highly qualified IT specialists who are knowledgeable about the latest hardware and software. As a result the components have found it difficult to address some of the IT issues identified in the financial statement audits.
Action: The Department has established continuous milestones to improve job performance in the financial management area. These include financial management training programs, Financial Management Information System training for new employees, Department-wide training programs to all employees on applicable systems information and methodology. While several bureau staffs receive support and oversight from contractors to prepare the financial statements, the demands for personnel resources have also increased. Personnel resources are needed to meet the challenges of quarterly reporting and accelerated due dates. Management has been supportive by approving adequate resources to meet these challenges.
Issue 8.4: The Department lacks fair and consistent methods of addressing allegations of employee misconduct.
Action: In November 2000, the Department implemented a training program to help components achieve greater consistency and success through specific guidance on taking defensible disciplinary actions and applying relevant disciplinary factors effectively. This training has helped improved the Department’s ability to take action and successfully defend the actions it takes and litigates before third parties, such as the Merit Systems Protection Board. Since implementing the training, the Department ha improved its affirmance rate by 18.3%.
Issue 8.5: The discipline imposed by the USMS in addressing allegations of employee misconduct is inconsistent, and reasons for the discipline decisions are not adequately documented. There are periods of unexplained elapsed time that appear to prolong case adjudication.
Action: This was closed in March 2002. As a result of the OIG study, the USMS provided clear instructions to all USMS managers and the Discipline Panel regarding documentation requirements for misconduct cases. The Employee Relations team implemented new procedures for discipline actions involving suspensions and time lines for misconduct case adjudication, not to “drive the process,” but to ensure it moved along at the proper pace to ensure due diligence.
Issue 8.6: DEA’s disciplinary system has inadequate guidance and dual mitigation, resulting in penalties that appear to be too lenient; improper consideration of external factors by the Board and Deciding Officials when making disciplinary decisions; failure to adequately document disciplinary decisions by the Board and Deciding Officials; failure to monitor the timeliness of the process; and a lack of oversight over the Deciding Officials.
Action: DEA is awaiting the final draft of the OIG’s discipline audit and will provide formal comments once it is received. DEA’s Office of Chief Counsel disagreed with the working draft regarding the OIG’s interpretation of dual mitigation. Meanwhile, DEA is preparing an action plan to address the following: updating agency guidance; instituting a revised table of penalties to ensure that penalties are appropriate; reinforcing existing DEA policy to ensure that the Board of Professional Conduct and the Deciding Officials consider only the appropriate factors when making disciplinary decisions; implementing the personnel database that will monitor the timeliness of all phases of the discipline process (currently OPR tracks its performance for timeliness); and ensuring that the Deputy Administrator’s Office reinforces its oversight of the Deciding Officials.
9. Protecting the Security of DOJ Information
and Infrastructure
The Department needs to share intelligence and law enforcement information
with a wider audience, and, at the same time, protect the security of that
information. To do both, the Department must secure its buildings, computers,
and communications systems.
Issue 9.1: Throughout the years of Aldrich Ames= espionage, the FBI devoted inadequate attention to determining the causes of the sudden, unprecedented, and catastrophic losses suffered by both the FBI and the CIA. In particular, the FBI was unable to provide the OIG review team with a definitive answer concerning the distribution of various top secret documents. The OIG review of the Hanssen case found this and other recommendations from the Ames matter had not been sufficiently implemented. The FBI did not employ basic personnel security techniques. The FBI’s also had inadequate document security and computer security. The computer system’s audit function was rarely used.
Action: The FBI’s Security Division was created in December 2001. With the creation of this new infrastructure, the FBI has intensified its focus on security by introducing new programs. For example, the personnel security function has expanded its capabilities to protect the FBI against counterintelligence and counterterrorism threats. Specifically, the Security Division has expanded the polygraph program, initiated a financial disclosure program, created an analytical integration unit to offer enhanced analysis of complex cases, and adopted a more risk based approach to personnel security matters. In addition, the Security Division has appointed an Secure Compartmentalized Information (SCI) Program Manager who is focused on ensuring compliance with the FBI, DOJ, and Director, Central Intelligence Directives related to the creation, handling, and destruction of Top Secret/SCI materials. When necessary, the program manager enhances or revises FBI policy or guidance in order to comply with commonly accepted intelligence community standards. Finally, the FBI has established the Enterprise Security Operations Center (ESOC) with a mission to monitor and protect the FBI’s information systems from external attacks and insider misuse and assure the availability, confidentiality, and non-repudiation of FBI information through techniques such as near real time network monitoring, intrusion detection, and data auditing. ESOC IOC will implement the following capabilities: intrusion detection and network defense, monitoring advanced indications and warnings, Computer Incident Response Capability (CIRC), audit capability, storage, correlation, analysis, and data aggregation, reporting capability, vulnerability, and penetration assessments, e.g., Red Teaming, malicious code and virus protection, and incident re-creation and testing. The ESOC began monitoring the FBI’s most sensitive information system in October 2003.
Issue 9.2: The Department’s ability to perform vital missions is at risk from terrorist attacks or similar threats because it has not adequately planned for the protection of its critical physical assets.
Action: The Department has completed an inventory of its critical physical assets and is developing plans to strengthen vulnerabilities.
Issue 9.3: To strike the appropriate balance between sharing information and protecting the security of that information, the Department must achieve full operating capability, which is the ability to protect critical infrastructures from intentional acts that would significantly diminish the ability to perform essential national security missions and ensure general public health and safety.
Action: The Department has initiated an effort toward full operational capability. Included in this effort will be the identification of all critical assets, completion of key milestones for establishing interdependencies, review of vulnerability assessments, development of mitigation and contingency plans. The Department is intricately involved in the Department of Homeland Security Project Matrix. The Department completed Step 1 in September 2003 and started Step 2 in October. Step 2 involves identifying the infrastructure necessary to perform and provide each nationally critical function or service.
10. Reducing the Supply of and Demand for Drugs
The challenge with regard to reducing supply extends beyond illegal drugs
to reducing the diversion or misuse of legal drugs. And, reducing the supply
is only part of the challenge; efforts to reduce the demand for drugs also
are necessary.
Issue 10.1: The illegal diversion of prescription drugs for non-medical purposes is a growing and staggering problem. In order to counteract the widespread problem of controlled pharmaceutical diversion, it is critical for the DEA to devote more resources to it. A September 2002 OIG report found that the DEA dedicated only 10 percent of its field investigator positions to diversion investigations. DEA failed to provide sufficient DEA special agents to assist diversion investigators in conducting investigations of controlled pharmaceutical diversion. Diversion investigators lack law enforcement authority and therefore must request either DEA special agents or local law enforcement officers to perform essential activities. Difficulties in obtaining law enforcement assistance caused delays in developing cases for prosecution. The quality of investigations also has suffered because investigators external to the diversion control program lack experience in conducting controlled pharmaceutical investigations. DEA provides minimal intelligence support to its diversion investigators. The one potential intelligence resource available to diversion investigators is the Automation of Reports and Consolidated Orders System (ARCOS). It contains information on the inventories, acquisitions, and dispositions of certain controlled pharmaceuticals, as reported by manufacturers and distributors. However, diversion investigators told the OIG that ARCOS reports are limited in their value as an intelligence resource because of problems of completeness, accuracy, and timeliness. Also, diversion staff at headquarters indicated that they did not have the adequate resources to analyze and develop ARCOS data into useful intelligence products.
Action: To counteract the widespread problem of controlled pharmaceutical diversion and address difficulties in obtaining law enforcement assistance, DEA has submitted a proposal to, and is awaiting a response from, the Department to convert the Diversion Investigators (DI) to full law enforcement status. In its FY 2004 Budget Submission to Congress, DEA requested 100 new DI positions; in its FY 2005 Budget Submission to OMB, DEA requested an additional 2 new DI positions, and is awaiting “pass back.” DEA has dedicated specific resources to the re-engineering and modernization of ARCOS and the CSA program to develop and enhance a network with state and local enforcement and regulatory counterparts; establish a data warehouse of all diversion information for use by field investigators; maintain the Diversion Control Program (DCP) website, which is a major conduit for information to the regulated communities; and provide registrants with the ability to report mandated information through electronic data interchange. DEA has explored additional intelligence capabilities to support DIs, Special Agents, other law enforcement agencies, and the general public. DEA plans to update the Controlled Substances Information System (CSIS). Also, through the D-Commerce Initiative, DEA will continue to develop and deploy a close system for ordering and prescribing controlled substances to enable the safe electronic transmission of prescriptions and ordering of controlled substances.
Issue 10.2: An OIG audit found that the Department’s performance indicators did not adequately measure the effectiveness of its drug demand reduction programs. Further, DEA did not establish any performance indicators for its drug demand reduction programs. The Department had not established a formalized mechanism for sharing drug demand reduction program information among its components.
Action: DEA in coordination with the Department and OMB established a long-term performance target for the reduction in supply of illegal drugs in the United States. In addition, in July 2003, DEA implemented a quarterly reporting policy to authenticate the collection of data to support the pre-existing performance indicators in the DEA budget submission. These performance indicators measure the activity of DEA’s demand reduction activities.
Issue 10.3: Two-tenths of one percent of DEA’s $1.4 billion budget is a very small percentage of its funding to impact reducing the demand for drugs.
Action: DEA is conducting an evaluation of its program, including an analysis of use of resources and assessment of impact within affected communities. The report will be completed in January 2004.
Issue 10.4: Drug use by federal inmates is a serious health and prison management problem. In a January 2003 report, the OIG concluded that BOP fails to search visitors adequately; most BOP institutions (that the OIG visited) have an insufficient number of cameras, monitors, and staff to adequately supervise inmate-visiting sessions; and BOP has not taken sufficient measures to prevent drug smuggling by its staff.
Action: Policy revisions and internal auditing guidelines are being completed to address the issues identified in the OIG’s report.
Issue 10.5: An insufficient number of BOP inmates receive drug treatment to reduce their demand for drugs. BOP does not provide adequate non-residential drug treatment in BOP facilities due to insufficient staffing, lack of policy guidance, and lack of incentives for inmates to seek such drug treatment.
Action: BOP is in the process of implementing various corrective actions.