Monday, October 3, 2022

Vulnerabilities in Coast Guard’s Biometric System May Impede Identification of Suspected Terrorists

Failures in the US Coast Guard’s (USCG) biometric system may be impeding the identification of suspected terrorists, aggravated felons and other individuals of interest, according to a recent audit by the Department of Homeland Security’s Office of Inspector General (IG).

The USCG, which is responsible for safeguarding the nation’s maritime interests, encounters thousands of aliens of unknown identity in the course of its operations. Federal law requires the USCG to operate a program to identify unknown individuals in the maritime environment.

The USCG operates the Biometrics at Sea Systems (BASS) on 23 of its cutters to collect biometric data from those trying to enter the US illegally. The USCG then sends this information to DHS’s Automated Biometric Identification System (IDENT), a repository of biometric and biographic data used for national security, law enforcement, immigration and border management.

The BASS system is composed of a portable handheld device to capture fingerprints, a laptop, and an encrypted hard drive. In 2012, USCG piloted a program that updated the system from a 2-print fingerprint to a 10-print fingerprint capability.

In assessing the USCG’s biometric identification system, the IG found that USCG did not routinely reconcile biometrics with IDENT. Since the Coast Guard did not maintain an independent count of the total number of biometrics sent to IDENT, it could not verify with certainty that the number of biometrics stored in IDENT is complete.

The National Institute of Standards and Technology (NIST) said a regular reconciliation process is essential to ensuring the “integrity, accuracy and completeness of data.” However, USCG did not perform routine reconciliations to validate that the biometric data posted to IDENT was complete.

According to the USCG, it did not implement a regular reconciliation process because it was unsure of the owner of the biometric information sent from the cutters. Over the course of DHS OIG’s audit, it was determined that USCG owned the data.

“Consequently, USCG and other law enforcement agencies are hampered in their ability to properly identify whether intercepted persons are known or suspected terrorists, aggravated felons or individuals previously ordered to be deported or already deported from the United States,” the IG concluded.

NIST standards also require organizational officials to update all security plans when significant changes occur. However, the IG found USCG failed to prepare a Security Impact Analysis when transitioning from the 2-fingerprint to the 10-fingerprint system. The Coast Guard also did not have updated security documentation for the BASS Interface Control Agreement and System Security Plan.

When transitioning to the 10-fingerprint system, the authorization for the system also wasn’t properly documented. The IG stated that, “Without a proper authorization process, USCG could not provide assurance that senior executive approved the change prior to implementation.”

The IG determined “USCG could not provide assurance that it 1) identified and considered all threats and vulnerabilities, 2) identified the greatest risk, and 3) made appropriate decisions regarding which risks to accept and which to mitigate through security controls.”

The Inspector General discovered additional problems with USCG’s management of administrative passwords. The DHS Sensitive Systems Policy Directive 4300A requires DHS components to protect information systems from unauthorized access by not sharing personal passwords and limiting the use of group passwords.

However, USCG allowed application programmers with unrestricted system access to share passwords—a control weakness that could have resulted in individuals making unauthorized changes to the system without being detected.

DHS’s Inspector General made seven recommendations to USCG, including establishing a BASS aggregate control log to verify biometric transactions from the 23 cutters and performing periodic reconciliation with IDENT. The IG also recommended updating security documents, eliminating the use of common passwords, and ensuring adherence to change management policies.

USCG concurred with the recommendations.

Homeland Security Today (http://www.hstoday.us)