FBI needs to do more to update IT

Core parts of the US Federal Bureau of Investigation's IT infrastructure remain vulnerable, despite changes and improvements made...

Core parts of the US Federal Bureau of Investigation's IT infrastructure remain vulnerable, despite changes and improvements made after the 11 September terrorist attacks.

An FBI information technology audit said that 11 "major internal control weaknesses" were found in a 1990 audit and were "still applicable 12 years later", including mainframe investigative systems that are "labour intensive, complex, untimely and non-user friendly". 

Although progress has been made in improving the security of investigative and administrative mainframe systems at FBI headquarters and at another data centre, additional security gaps remain.

"These repeated deficiencies indicate that, in the past, FBI management had not paid sufficient attention to improving its IT programme," the audit said. 

The report recommended that the FBI take three steps to make additional improvements, including the development of specific procedures to follow up on past audit recommendations and ensure that they are implemented to increase security and improve the resources available to FBI field agents.

The FBI was also asked to ensure that its new Automated Response and Compliance System database, which is used to track IT improvements and provide real-time status information to FBI executive managers, is kept up to date and can track needed improvements. 

FBI managers must also be held accountable for taking corrective actions in the future to make sure the work is completed, the report said. 

The audit raised concerns about the agency's IT security policies, procedures and standards; system and network backup and restoration controls; password and log-on management; system auditing management; and system patching. 

Those security vulnerabilities were labelled as "high-to-moderate risk" flaws in the security of the FBI's administrative and investigative mainframe computer systems. 

FBI spokesman Paul Bresson said the agency "agrees with many of the recommendations in the report. 

"Many of them, we're already working on," he said. "There are still deficiencies, but we have made significant progress over the years in upgrading our IT." 

The FBI has been working on an IT modernisation project called Trilogy for several years. That effort involves upgrading the FBI's hardware and software, networks and user applications.

The project now has a price tag of about $596m, up from an expected cost of $380m. A key part of the project is the creation of a web-based "virtual case file" management system, which will replace five existing investigative applications.

Todd R Weiss writes for Computerworld

Read more on IT risk management