Computer Security:

DEA Is Not Adequately Protecting Sensitive Drug Enforcement Data

IMTEC-92-83: Published: Sep 22, 1992. Publicly Released: Sep 30, 1992.

Additional Materials:


Howard G. Rhile, Jr
(202) 512-6418


Office of Public Affairs
(202) 512-4800

Pursuant to a congressional request, GAO assessed the adequacy of the Drug Enforcement Administration's (DEA) computer security, focusing on: (1) DEA compliance with laws and requirements for protecting sensitive computer information; and (2) Department of Justice (DOJ) oversight of DEA compliance with computer security requirements.

GAO found that: (1) DEA has not identified all of its computer systems processing sensitive data nor completed security plans for those systems; (2) DEA has not performed risk analyses to identify and minimize security threats and has not effectively monitored and enforced computer security; (3) DEA has not fully tested and implemented contingency plans for computer systems; (4) computer security awareness training is ineffective and its guidance is either inadequate or poorly communicated; (5) DEA routinely processes sensitive data on microcomputers that lack such fundamental security controls password protection, audit trails for detecting unauthorized access, limited-access controls, and equipment protection; (6) DEA personnel frequently shared passwords or left them, as well as computers, diskettes, and documents containing sensitive information, unattended and easily accessible, and personnel with incomplete or unfavorable background checks were allowed to work unescorted in such areas; (7) DEA cannot conduct an accurate inventory of the several thousand microcomputers that its employees use; and (8) DOJ is taking a more active oversight role and has implemented mandatory computer security training throughout DEA and has begun to perform compliance reviews at DEA offices.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: DEA has submitted an action plan responsive to the GAO recommendations.

    Recommendation: The Attorney General should direct the Administrator, DEA, to establish and implement an agencywide computer security program as required by DOJ and other federal directives. As part of this program, DEA should ensure that all sensitive computer systems are properly identified and that security plans are prepared and implemented for each of these systems. To adequately protect its sensitive computer systems and facilities, DEA should also ensure that thorough risk analyses are conducted for all sensitive computer systems and any identified weaknesses are corrected, contingency plans are tested and implemented, and all employees are made aware of federal and agency computer security requirements and how to fulfill them.

    Agency Affected: Department of Justice

  2. Status: Closed - Implemented

    Comments: DEA has made computer security a top priority, established a training curriculum, trained over 7,000 employees, and implemented a number of other activities to respond to this recommendation.

    Recommendation: The Attorney General should direct the Administrator, DEA, to strengthen DEA monitoring and oversight of computer security. Specifically, DEA should issue clear and specific requirements for designated security officers to follow in monitoring and enforcing computer security. Also, the Office of Security Programs should train its staff in computer security and conduct more thorough security surveys that effectively identify and correct vulnerabilities.

    Agency Affected: Department of Justice

  3. Status: Closed - Implemented

    Comments: DEA has contracted out to: (1) identify each sensitive system; and (2) perform risk analyses and vulnerability assessments. DEA is also doing a number of other things to enhance security.

    Recommendation: The Attorney General should direct the Administrator, DEA, to ensure that computer security weaknesses identified in this report are corrected and that similar weaknesses do not exist elsewhere. At a minimum, DEA needs to: (1) control access to areas where sensitive data are processed and stored; (2) adequately protect computer data, including the establishment of safeguards to restrict data access to individuals having a right to know; (3) collect and review computer audit trail information to detect improper access to and use of sensitive computer data; and (4) ensure that computer equipment used to process and store sensitive information is properly accounted for and controlled. Moreover, DEA should take appropriate steps to ensure that sensitive data are removed from computer equipment released outside the agency for repair or disposal.

    Agency Affected: Department of Justice

  4. Status: Closed - Implemented

    Comments: On October 26, 1992, the DEA contractor identified and reported vulnerabilities. Risk analyses and vulnerability assessments have been conducted for major sensitive DEA systems. Weaknesses were reported in the Department of Justice's FY 1992 report.

    Recommendation: The Attorney General should direct the Administrator, DEA, to report the computer security deficiencies that GAO found as material internal control weaknesses under the Federal Managers' Financial Integrity Act.

    Agency Affected: Department of Justice

  5. Status: Closed - Implemented

    Comments: DEA has taken action to respond to this recommendation.

    Recommendation: The Attorney General should direct the DOJ Justice Management Division to work closely with DEA to ensure that the agency implements the above recommendations and complies with all federal and departmental computer security requirements.

    Agency Affected: Department of Justice


Explore the full database of GAO's Open Recommendations »

Sep 14, 2020

Sep 9, 2020

Sep 8, 2020

Aug 31, 2020

Aug 3, 2020

Jun 1, 2020

Mar 5, 2020

Feb 20, 2020

  • it icon, source: PhotoDisc

    Science & Tech Spotlight:

    GAO-20-379SP: Published: Feb 20, 2020. Publicly Released: Feb 20, 2020.

Dec 12, 2019

Looking for more? Browse all our products here