The Federal Bureau of Investigation's Implementation of the
Laboratory Information Management System
Audit Report 06-33
June 2006
Office of the Inspector General
The collection, preservation, and forensic analysis of physical evidence are often crucial to the successful investigation and prosecution of crimes. The Federal Bureau of Investigation’s (FBI) laboratory, located in Quantico, Virginia, is one of the largest and most comprehensive forensic laboratories in the world. The laboratory not only supports FBI investigations, but also provides forensic and technical services to federal, state, local, and foreign law enforcement agencies. The FBI’s laboratory annually conducts over one million examinations involving analyses of physical evidence ranging from blood and other biological materials to explosives, drugs, and firearms. Laboratory examiners also provide expert witness testimony on the results of forensic examinations. To keep a record of evidence provided to the laboratory for analysis, the FBI uses the Evidence Control System (ECS), created in 1978. The Laboratory Division converted this antiquated system to a database in 1998, but the ECS still has limited functionality. One FBI programmer developed the current version of ECS, and as new releases of database software become available, the database has been upgraded. The FBI currently uses Microsoft’s Access 2002 as the ECS database software. The ECS system represents an “in and out” tracking system. Evidence is entered into the system when it arrives at the laboratory, and the system documents: (1) the control number for the evidence, (2) when an analysis has been performed on the evidence, and (3) when the evidence leaves the laboratory. Except for this information in the ECS, the laboratory relies completely on paper documentation that follows a piece of evidence as it passes through the laboratory’s various sections. Each section of the laboratory enters data into its own computers. However, these files are immediately printed out and paper copies, rather than an electronic file, are relied on to track the evidence and the work performed. In addition, the data entered into a section’s individual computers are not linked to provide an overall management view of where the evidence is located, what analyses have been completed, or how long each step of the process is taking. One laboratory official described the current system as very limited, and stated that when evidence is returned to the originator, its departure from the laboratory is not always entered into the ECS. As a result, FBI managers are unable to identify with certainty the evidence contained in the laboratory at any point in time or its progress in being examined and analyzed. Moreover, another laboratory official stated that only one person is familiar with the ECS database, a programmer from the FBI’s Information Technology Operations Division (ITOD). The laboratory employee who created the original system has retired. The official also pointed out that despite available technology, the FBI continues to use a labor-intensive manual system. Each laboratory unit enters the same routine information, such as case number, date collected, and the submitting agency, for each item of evidence as it is passes from one unit to another for continued processing. In comparison to the laboratory’s limited database, modern commercial-off-the-shelf (COTS) laboratory information systems can provide many useful functions, including: the ability to track evidence throughout the analysis process; Internet capabilities that allow external agencies to review and request information about evidence they have submitted; extensive reporting, workload analysis, and responses to ad-hoc querying; on-line help; and data searching. Pre-acquisition Activities The FBI’s laboratory hired a contractor in 1998 to assist in the development of requirements for an information management system to replace the ECS. The contractor also evaluated COTS systems. However, the FBI’s Laboratory Division was unable to fund the project at that time. In 2002, the Laboratory Division reprogrammed funds to replace the ECS with a modern information system. The system requirements developed by the contractor in 1998 were updated and validated through Joint Application Development (JAD) sessions.8 JAD session participants included FBI personnel from the laboratory and other divisions. A contractor assisted with IT support and administrative tasks related to the proposed project, including facilitating and documenting the JAD sessions. The requirements resulting from the JAD sessions were then used in developing a Request for Proposal (RFP), issued in February 2003 to solicit bids for developing the new system. A firm-fixed-price contract with a base year and four additional 1-year option contracts was to provide the laboratory with:9
The statement of work explained that the new system would:
For example, if another laboratory needed any information on an item of evidence, FBI management would be able to log into the system, easily locate the evidence, and determine where the evidence was in the laboratory examination process and what needed to be completed. Laboratory managers would also be able to determine the length of time the evidence was at each stage of the testing and analysis. The FBI also required bidders’ products to support the many responsibilities associated with the operation of a large and modern forensic laboratory by providing a repository for laboratory data as well as tools for accessing, processing, analyzing (providing performance metrics), and reporting the data. The RFP included 200 requirements in 7 categories: (1) functional requirements, (2) external interface requirements, (3) performance requirements, (4) design constraints, (5) security and legality, (6) data base requirements, and (7) system support and maintenance. Examples of the RFP requirements include the identification and tracking of evidence, a web-browser interface, and full-time user support. The FBI received and began evaluating six responses to the RFP in early 2003. The Laboratory Division formed cost and technical committees to evaluate the proposals. The cost committee was comprised of personnel from the FBI’s Finance Division, and the technical committee was comprised of personnel from the Laboratory Division. The evaluations included an examination of each bidder’s costs based on the requirements listed in the RFP. The FBI’s technical review committee completed its evaluation of the bidders’ responses to the RFP in June 2003. The FBI rated JusticeTrax, Inc., of Mesa, Arizona, as the lowest cost, qualified bidder for its Laboratory Information Management System (LIMS).10 The technical committee rated JusticeTrax as follows.
The FBI’s evaluation of the JusticeTrax proposal cited some strengths but also areas of risk. Examples of JusticeTrax’s strengths were: (1) It had a mature COTS system used by organizations with missions similar to the FBI’s, including the Royal Canadian Mounted Police Forensic Services Laboratory; and (2) LIMS was already integrated with bar-code scanner and printers that could be provided for testing within 15 days and for implementation within 45. Although the committee assessed LIMS as meeting the laboratory’s mission- critical needs, the evaluation also identified two key risks in addition to an ambitious delivery schedule: (1) because JusticeTrax is based in Arizona, it needed to hire employees to work on the project in Virginia, train them, and have them obtain security clearances within the timeframe proposed; and (2) the JusticeTrax product required significant customization of its software to meet the FBI’s requirements such as security standards, migrating data from the ECS, and providing the capability to issue alerts and notices. Another concern was that JusticeTrax did not have the capability to provide web-browser connectivity immediately, but instead proposed converting its LIMS product to a web-based application in early 2004. JusticeTrax LIMS Product Selected Based on its evaluation of the six proposals received in response to its RFP, the FBI awarded JusticeTrax a $4.3 million contract in September 2003 to customize its LIMS product for the FBI’s laboratory.11 The award included a base year of $1.6 million and 4 additional 1-year option contracts. The base year was September 2003 to September 2004. Rather than developing a separate contract document that included all of the RFP requirements for the information system, the FBI adopted JusticeTrax’s response to the RFP as the contract by attaching a signature page to the proposal. This proposal covered all the FBI’s LIMS requirements, which included weak and generally worded security requirements. According to JusticeTrax’s proposed project plan, the basic LIMS installation, training, and deployment were to be completed in December 2003, or 90 days after the contract award. The full LIMS implementation — including customization, enhancements, and testing — was to be completed in February 2004, or 5 months after the contract award. The additional option year contracts were to provide future enhancements such as software updates and maintenance of the LIMS product. The Office of the Inspector General (OIG) and the Government Accountability Office (GAO) each issued reports in 2002 recommending that the FBI establish an Information Technology Investment Management (ITIM) process to guide the development of its IT investments and avoid investing in IT that does not support its mission (see Appendix 3 for a listing of the reports related to the FBI’s IT management.)12 In response to these recommendations, the FBI established a Life Cycle Management Directive (LCMD) in 2004, the year after the FBI awarded the LIMS contract. The LCMD established policies and guidance applicable to all FBI IT programs and projects covering all elements of an IT system’s life cycle including planning, acquisition, development, testing, and operations and maintenance. Using the LCMD in the development of IT projects should enhance the FBI’s ability to manage IT programs and projects, leverage technology, build institutional knowledge, and ensure development is based on industry and government best practices. The LCMD also included certification and accreditation testing to ensure adequacy of IT systems security. (The LCMD is further explained in Appendix 4.) In addition to an ITIM process, the FBI continues to work on an Enterprise Architecture to further ensure that investments are made in an enterprise-wide decision.13 In May 2004, the OIG issued a report entitled The FBI DNA Laboratory: A Review of Protocol and Practice Vulnerabilities. This report discussed certain vulnerabilities in the FBI’s DNA laboratory. One of the vulnerabilities led to a recommendation for an information management system. Given the benefits of evidence tracking and chain-of-custody documentation, the report noted that successful implementation of such a system should be one of the laboratory’s top administrative priorities. Footnotes
|
« Previous | Table of Contents | Next » |