The Security Posture of the United States Coast Guard's Biometrics At Sea System Needs Improvements

The United States Coast Guard (USCG) operates the Biometrics at Sea System (BASS) to collect biometric data from interdicted aliens. The biometrics are sent to the Department of Homeland Security’s (DHS) Automated Biometric Identification System (IDENT) to identify potential persons of interest, including suspected terrorists. We audited BASS interface with IDENT, security roles and responsibilities, and change control management. We determined that USCG did not have a routine reconciliation process to ensure that all biometrics that it captured on the 23 cutters are maintained in IDENT. Not ensuring reconciliation between the total biometrics USCG submitted and the number stored in IDENT may impede future identification of suspected terrorists, aggravated felons, or other individuals of interest. USCG also allowed application programmers with unrestricted system access to share passwords. The control weakness may result in individuals making unauthorized changes to the system without detection. Further, we determined that the authorization for the transition from the 2-fingerprint to 10-fingerprint application system was not properly documented and security documentation had not been updated. Without a proper authorization process, USCG could not provide assurance that senior executives approved the change prior to implementation.