Skip to Highlights

GAO discussed the National Crime Information Center (NCIC), focusing on: (1) its internal controls to prevent misuse of NCIC information; and (2) the Federal Bureau of Investigation's (FBI) and state assessments of NCIC misuse. GAO noted that: (1) NCIC is extremely vulnerable to misuse, particularly by individuals with authorized access, due to its organizational structure and control weaknesses in some state systems that access NCIC; (2) control weaknesses in one state system expose the entire network to misuse; (3) NCIC system upgrades address the system's vulnerability, but their effectiveness could be limited by capability and implementation limitations; (4) the NCIC security policy is too broad, contains minimum requirements, and does not require specific access controls; (5) FBI and states do not systematically maintain records on NCIC misuse because they are not required to; (6) instances of intentional and unintentional misuse have occurred; and (7) most individuals have not been prosecuted for NCIC misuse due to the lack of applicable federal and state laws.

Skip to Recommendations


Matter for Congressional Consideration

Matter Status Comments
Congress should enact legislation with strong criminal sanctions specifically directed at the misuse of NCIC. Such legislation should be aimed at: (1) deterring individuals contemplating misusing NCIC; and (2) facilitating and encouraging the prosecution of individuals who have misused NCIC.
Closed - Not Implemented
While various bills responsive to the recommendation have been introduced since the testimony was published, most bills were broad in scope and not NCIC-specific, and none were passed. Also, the interested subcommittees were dissolved as part of the restructuring of congressional committees. Therefore, GAO is closing this recommendation.

Recommendations for Executive Action

Agency Affected Recommendation Status
Federal Bureau of Investigation In view of the GAO findings and the NCIC 2000 implementation, the Director, FBI, and NCIC Advisory Policy Board should reevaluate the security specifications set forth in the NCIC security policy, particularly in the area of accountability. Recognizing the potential cost and implementation concerns involved, at a minimum, FBI and the NCIC Advisory Policy Board should amend the security policy to endorse and encourage state and local user agencies' enhancing their security features, such as increasing user accountability through identification, authentication, and audit, to meet the C2 security rating.
Closed - Implemented
In its response to the recommendation, the Department of Justice (DOJ) indicated that all NCIC policy is subject to continuous review. Within this context, NCIC APB issued correspondence to state Control Terminal Agencies and local terminal agencies emphasizing the continual need to enhance security in the area of user accountability. The DOJ response also indicated that implementation of NCIC 2000's security features is expected to further enhance security. However, state and local funding limitations may not allow full and immediate implementation of the security features. These features are expected to be implemented as funding permits. The NCIC APB action partially responds to the recommendation by "encouraging" participating agencies to enhance their security features. However, there is not further action planned to amend the NCIC security policy.

Full Report