GAO discussed the National Crime Information Center (NCIC), focusing on: (1) its internal controls to prevent misuse of NCIC information; and (2) the Federal Bureau of Investigation's (FBI) and state assessments of NCIC misuse. GAO noted that: (1) NCIC is extremely vulnerable to misuse, particularly by individuals with authorized access, due to its organizational structure and control weaknesses in some state systems that access NCIC; (2) control weaknesses in one state system expose the entire network to misuse; (3) NCIC system upgrades address the system's vulnerability, but their effectiveness could be limited by capability and implementation limitations; (4) the NCIC security policy is too broad, contains minimum requirements, and does not require specific access controls; (5) FBI and states do not systematically maintain records on NCIC misuse because they are not required to; (6) instances of intentional and unintentional misuse have occurred; and (7) most individuals have not been prosecuted for NCIC misuse due to the lack of applicable federal and state laws.
Matter for Congressional Consideration
|Congress should enact legislation with strong criminal sanctions specifically directed at the misuse of NCIC. Such legislation should be aimed at: (1) deterring individuals contemplating misusing NCIC; and (2) facilitating and encouraging the prosecution of individuals who have misused NCIC.||While various bills responsive to the recommendation have been introduced since the testimony was published, most bills were broad in scope and not NCIC-specific, and none were passed. Also, the interested subcommittees were dissolved as part of the restructuring of congressional committees. Therefore, GAO is closing this recommendation.|
Recommendations for Executive Action
|Federal Bureau of Investigation||In view of the GAO findings and the NCIC 2000 implementation, the Director, FBI, and NCIC Advisory Policy Board should reevaluate the security specifications set forth in the NCIC security policy, particularly in the area of accountability. Recognizing the potential cost and implementation concerns involved, at a minimum, FBI and the NCIC Advisory Policy Board should amend the security policy to endorse and encourage state and local user agencies' enhancing their security features, such as increasing user accountability through identification, authentication, and audit, to meet the C2 security rating.|