Defense Biometrics:

DOD Can Better Conform to Standards and Share Biometric Information with Federal Agencies

GAO-11-276: Published: Mar 31, 2011. Publicly Released: May 2, 2011.

Additional Materials:

Contact:

Brian J. Lepore
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Biometrics technologies that collect and facilitate the sharing of fingerprint records, and other identity data, are important to national security and federal agencies recognize the need to share such information. The Department of Defense (DOD) plans to spend $3.5 billion for fiscal years 2007 to 2015 on biometrics. GAO was asked to examine the extent to which DOD has (1) adopted standards and taken actions to facilitate the collection of biometrics that are interoperable with other key federal agencies, and (2) shares biometric information across key federal agencies. To address these objectives, GAO reviewed documents including those related to standards for collection, storage, and sharing of biometrics; visited selected facilities that analyze and store such information; and interviewed key federal officials.

DOD has adopted a standard for the collection of biometric information to facilitate sharing of that information with other federal agencies. DOD recognized the importance of interoperability and directed adherence to internationally accepted biometric standards. DOD applied adopted standards in some but not all of its collection devices. Specifically, a collection device used primarily by the Army does not meet DOD adopted standards. As a result, DOD is unable to automatically transmit biometric information collected to federal agencies, such as the Federal Bureau of Investigation (FBI). For example, this device is responsible for 13 percent of the records maintained by DOD--the largest number of submissions collected by a handheld device, according to DOD. Further, this constitutes approximately 630,000 DOD biometric records that cannot be searched automatically against FBI's approximately 94 million. DOD has not taken certain actions that would likely improve its adherence to standards, all of which are based on criteria from the Standard for Program Management, the National Science and Technology Council, and the Office of Management and Budget guidance, respectively. First, DOD does not have an effective process, procedure, or timeline for implementing updated standards. Second, DOD does not routinely test at sufficient levels of detail for conformance to these standards. Third, DOD has not fully defined roles and responsibilities specifying accountability needed to ensure its collection devices meet new and updated standards. DOD is sharing its biometric information and has an agreement to share biometric information with the Department of Justice, which allows for direct connectivity and the automated sharing of biometric information between their biometric systems. DOD's ability to optimize sharing is limited by not having a finalized sharing agreement with DHS, and its capacity to process biometric information. Currently, DOD and DHS do not have a finalized agreement in place to allow direct connectivity between their biometric systems. DOD is working with DHS to develop a memorandum of understanding to share biometric information now scheduled for completion in May 2011; however, without the agreement, it is unclear whether direct connectivity will be established between DOD and DHS, which affects response times to search queries. Further, agencies' biometric systems have varying system capacities based on their mission needs, which affects their ability to similarly process each other's queries for biometric information. As a result, DOD and other agency officials have expressed concern that DOD's biometric system may be unable to meet the search demands from their other biometric systems over the long-term. DOD officials do not believe that they need to match other agencies' biometric system capacities because they do not anticipate receiving the same number of queries given differences in mission. However, the advancements other agencies make in their biometric systems may continue to overwhelm DOD's efforts as it works to identify its long-term biometric system capability needs and associated costs. To improve DOD's ability to collect and share information, GAO recommends that DOD implement processes for updating and testing biometric collection devices to adopted standards; fully define and clarify the roles and responsibilities for all biometric stakeholders; finalize an agreement with the Department of Homeland Security (DHS); and identify its long-term biometric system capability needs. DOD agreed with all of GAO's recommendations.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In August 2015, the Defense Forensics and Biometrics Agency (DFBA) told GAO that in order to address system conformance, it has enacted the procedure of requiring systems to complete independent standards conformance testing, and present documentation to DFBA before DFBA authorizes that system to submit records to the DOD Automated Biometric Identification System (ABIS). This ensures that all new collection systems conform to a common biometric standard and maintain biometric interoperability. U.S. Special Operations Command's BioSled platform is the most recent example of this type of testing. DOD officials added that the DOD authoritative database, and all enduring biometric collection devices in operation today, meet a common biometric standard for interoperability: Electronic Biometric Transmission Specification 1.2. This includes the DOD Automated Biometric Identification System (ABIS 1.2); the Navy/Marine Corps Identity Dominance System (IDS); the Special Operations Command current (SEEK II) and future (BioSled) devices; and, the Army's SEEK II. DOD officials said that legacy systems that did not satisfactorily meet the common biometric data standard have been retired, in large part due to their lack of interoperability. DOD officials believe that the elimination of non-compliant systems from the DOD inventory, and the DFBA process to enforce a common biometric data standard at the collection device and database levels, should enable improved interoperability through a common data standard. We believe these efforts show substantial progress on the part of DOD and address the intent of our recommendation.

    Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including DOD's Biometric Identity Management Agency (BIMA), U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to implement a process for updating collection devices to adopted standards to help ensure that all DOD systems related to biometrics, including collection devices, conform to adopted standards.

    Agency Affected: Department of Defense

  2. Status: Closed - Implemented

    Comments: In response to GAO's report, the Defense Forensics and Biometrics Agency, as the Executive Manager for DOD Biometrics, now requires the Services to provide documentation of independent biometric standards conformance testing before allowing the devices to submit records to the DOD Automated Biometric Identification System (ABIS). DOD provided GAO with documentation regarding the recent conformance testing of the SOCOM BioSled, performed by the U.S. Army Armament Research, Development and Engineering Center (ARDEC), as well as a copy of the Electronic Biometric Transmission Specification Conformance Evaluation Procedure, and the test results/approvals for the Navy and Marine Corps Identity Dominance System and the SEEK II. We believe these efforts show substantial progress on the part of DOD and address the intent of the recommendation.

    Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to implement a process for testing collection devices at a sufficiently detailed level to help ensure that all DOD systems related to biometrics, including collection devices, conform to adopted standards.

    Agency Affected: Department of Defense

  3. Status: Closed - Implemented

    Comments: In response to GAO's recommendation, DOD is updating DOD Directive 8521.01E "Defense Biometrics," which will establish policy, assign responsibilities, and describe procedures for DOD biometrics. The draft is complete, and the department anticipates the directive will be signed in the fall of 2015. This addresses the intent of the recommendation.

    Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to more fully define and further clarify the roles and responsibilities needed to achieve DOD's biometric program and objectives for all stakeholders that include ensuring collection devices conform to adopted standards.

    Agency Affected: Department of Defense

  4. Status: Closed - Implemented

    Comments: On February 14, 2011, we provided DOD a draft of this report and comment. In response to our draft recommendation, and while the report was under review, DOD finalized an agreement with DHS regarding biometric sharing on March 2, 2011.

    Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to complete the memorandum of agreement with the Department of Homeland Security regarding the sharing of biometric information as appropriate and consistent with U.S. laws and regulations and international agreements, as well as information-sharing environment efforts.

    Agency Affected: Department of Defense

  5. Status: Closed - Implemented

    Comments: In response to GAO's recommendation, DOD officials stated in August 2015 that DOD's Automated Biometric Identification System (ABIS) and the Department of Homeland Security's (DHS) IDENT have nearly reached the point of maximum integration, given fiscal limitations. DOD updates and provides the biometrically enabled watch list (BEWL) daily and supports full searches from high-priority probes from DHS. DOD believes these two steps provide a reasonable level of coverage for recognizing known malign agents, or discovering those most likely to be malign. DOD officials also stated that the department has recently developed prototype software tools to improve data sharing, such as the BEWL Dissemination and Management System (BDMS) to automate watch list development. DOD reported that this greatly improves the speed at which customized BEWLs can be created. DOD also deployed the Best Biometric Image (BBI) tool, which improves the quality of images and records. DOD believes these software tools have greatly improved the quality and speed of watch list dissemination, and therefore, data sharing between the two departments. Further, DOD officials said that DOD and DHS have coordinated an updated Memorandum of Agreement on biometric data sharing. Once signed, this document will permit the bulk transfer of data between the two systems. One outcome of this is to place almost all DOD data in DHS IDENT, making DOD data matchable to DHS encounters. DOD officials believe that this will greatly increase interoperability with only modest cost increases. DOD officials expect the MOA to be signed into action around October. Finally, DOD officials anticipate that the DOD Analysis of Alternatives will be complete by September 30, 2015, and an initial, internal report will be provided to the Army by October 30, 2015. Taken together, we believe these actions represent significant DOD steps to share biometrics data with other federal agencies, specifically the Department of Homeland Security and address the intent of the recommendation.

    Recommendation: To improve DOD's ability to collect and help ensure that federal agencies are sharing biometric information on individuals who pose a threat to national security to the fullest extent possible, the Secretary of Defense should direct the Under Secretary of Defense for Acquisition, Technology, and Logistics, as the Principal Staff Assistant responsible for the oversight of DOD biometrics, in collaboration with other key federal agencies and internal DOD stakeholders, including BIMA, U.S. Army, U.S. Navy, U.S. Marines, and U.S. Air Force, to identify its long-term biometric system capability needs, including the technological capacity and associated costs needed to support both the warfighter and to facilitate sharing of biometric information across federal agencies, and take steps to meet those capability needs, as appropriate and consistent with U.S. laws and regulations, international agreements, and available resources.

    Agency Affected: Department of Defense

 

Explore the full database of GAO's Open Recommendations »

Sep 3, 2015

Aug 27, 2015

Aug 26, 2015

Aug 12, 2015

Aug 11, 2015

Jul 31, 2015

Jul 30, 2015

Jul 27, 2015

Jul 23, 2015

Jul 21, 2015

Looking for more? Browse all our products here