Skip navigation

Office of the Inspector General - Audit of the DOJ's Handling of Known or Suspected Terrorists, 2017

Download original document:
Brief thumbnail
This text is machine-read, and may contain errors. Check the original document to verify accuracy.
Audit of the Department of Justice's
Handling of Known or Suspected
Terrorists Admitted into the Federal
Witness Security Program

Audit Division 17-34

REDACTED - FOR PUBLIC RELEASE

September 2017

U//LES//SSI
(~)

AUDIT OF THE DEPARTMENT OF JUSTICE'S HANDLING OF
KNOWN OR SUSPECTED TERRORISTS ADMITTED INTO THE
FEDERAL WITNESS SECURITY PROGRAM
(U) EXECUTIVE SUMMARY

(U) The federal Witness Security Program (WITSEC Program) was established
to provide for the security, health, and safety of government witnesses whose lives
are at risk as a result of their testimony against organized crime members, drug
traffickers, terrorists, and other major criminals. 1 Since the WITSEC Program's
inception in 1971, more than 8,700 witnesses and over 9,900 family members and
other associates of witnesses have been admitted into the WITSEC Program.
Within this population, there are known or suspected terrorists (KSTs) who have
agreed to cooperate in major terrorism investigations and prosecutions, including
the 1993 World Trade Center bombing, the 1995 Alfred P. Murrah Federal Building
attack in Oklahoma City, the 1998 East Africa Embassy bombings, a 2007 plot to
bomb John F. Kennedy Airport, and a 2009 plot to bomb the New York City subway
system.
(U) In May 2013, the Department of Justice (Department) Office of the
Inspector General (OIG) issued an interim report on the Department's handling of
KSTs admitted into the USMS WITSEC Program. The report included
16 recommendations to the Office of the Deputy Attorney General to improve
information sharing among entities responsible for the WITSEC Program and reduce
the risk to the public when admitting KSTs into the WITSEC Program. As we
described in that report, we found that the Department had not identified all KSTs

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
admitted into the WITSEC Program; lacked adequate and appropriate oversight of
these individuals; did not ensure that the identities of KSTs admitted into the
WITSEC Program were placed on the government's consolidated terrorist watchlist,
as appropriate; and did not appropriately share information with the Federal Bureau
of Investigation (FBI) and other national security stakeholders, thus preventing
these stakeholders from taking necessary precautions with respect to, and properly
monitoring, these individuals.
(U) In this report, we follow up on findings in our May 2013 report to
determine whether the corrective actions taken by the FBI, USMS, and OEO
sufficiently addressed the risks we identified. Specifically, our objectives for this
audit were to evaluate the Department's: (1) handling of KSTs admitted to the
WITSEC Program; (2) practices for watchlisting and the processing of encounters
with this group of WITSEC Program participants; and (3) procedures for mitigating
risks to the public through restrictions placed on this high-risk group of WITSEC
Program participants. We determined that since November 2015, OEO and the FBI
admitted two new KSTs into the WITSEC Program, and in doing so followed their
protocols and appropriately coordinated with each other and the USMS. However,
we also concluded that while the FBI, USMS, and OEO have developed new policies
and procedures to address the issues we identified in our May 2013 review, they
have not sufficiently and appropriately implemented all of them. Additionally, we
remain concerned that the Department has not ensured that KST information has
been appropriately shared with relevant national security stakeholders, and that
those responsible for monitoring these individuals have the information they need
to do so effectively.

(U/ /l=ES) Identifying and Sharing Information on KSTs in the WITSEC
Program
(U//!:e&) Our May 2013 report included several recommendations to improve
the identification of KSTs in the WITSEC Program and the sharing of related
information with national security stakeholders. In response to our 2013 report,
the USMS and OEO manually reviewed more than WITSEC Program case files
to identify all potential KSTs that had been admitted into the WITSEC Program in
order to ensure that their information had been appropriately shared with national
se~ Specifically, the USMS and OEO performed separate reviews
o f - WITSEC Program case files to determine which cases
involved facts indicating a potential nexus to terrorism. The USMS identified.
individuals meeting this description and shared their true name and identifying
information with OEO. 2 Based on its secondary review of the USM S's results and its
primary review o f - case files, OEO determined that a total of. individuals
should be passed to the FBI for possible inclusion on the consolidated
2

(U) A witness true identity refers to the name the witness had when he or she was
admitted to the WITSEC Program.
(U) The full version of this report contains inf~rmation that the Department considered to be
law enforcmeent sensitive and sensitive security information, and therefore could not be publicly
released. To create this public version of the report, the Office of the Inspector General redacted
(blacked out) portions of the full report.

ii

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI

terrorist watchlist. The FBI subsequently added. of these individuals to the
consolidated terrorist watchlist.
(U//be&) We found several deficiencies in the process OEO followed in
analyzing these case files and in sharing information with the FBI. Specifically, we
believe, and the FBI agrees, that OEO should have shared the information with
national security stakeholders for all -individuals identified by the USMS, rather
than conducting its own secondary review. If OEO had passed along all of the case
file information that the USMS identified from its case file review, the FBI's
counterterrorism experts - not just OEO - would have had the opportunity to
evaluate whether any of the individuals were KSTs. Under the process used,
that did not happen for a majority of the individuals. We also found that neither
OEO nor the FBI was able to provide evidence of a consistent application of the
criteria each used for its reviews, and both lacked adequate support for their
respective determinations.
(U//tE6) In addition, OEO's sharing of information with the FBI was often
marked by delay and the FBI's assessments of that information were inadequately
documented. Of particular concern, we found that although the USMS began
identifying to OEO individuals it believed had a potential nexus to terrorism in
November 2013, OEO did not begin sending that information to the FBI for possible
watchlisting until March 2014, and we found delays of weeks or months in OEO's
handling of many of the individuals the USMS identified in late 2013 and early
2014. We believe that OEO should have reviewed and shared the case files
identified by the USMS with the FBI in a timelier manner. We also attempted to
determine what actions the FBI took to assess the information it received about
potential KSTs who were admitted into the WITSEC Program. However, due to the
FBI's inadequate documentation, we were unable to confirm that the FBI
appropriately conducted all necessary checks of these individuals,
and that it appropriately identified an~KSTs.
(U//t:E6) Due to our concerns, and after obtaining additional guidance from
the FBI and the Department's National Security Division, OEO performed another
review of the cases, as well as. additional cases with which OEO had
individuals who had a
concerns, andliTt'imately shared with the FBI another
otential nexus to terrorism. The FBI com leted
checks on these
individuals and
also completed checks
ovided b OEO ~ not
a ready watchlisted
. After completing
these assessments, t e FBI determined that
individuals are KSTs, and added
them to the consolidated terrorist watchlist. As of November 2016, counting those
KSTs identified during our May 2013 report, the FBI, OEO, and USMS have
identified. KSTs who were previous.!,Ladmitted into the WITSEC Program. As of
November 2016, the FBI had located. of these. KSTs, and were in the process
of verifying the location of the remaining individuals.

I

iii

REDACTED - FOR PUBLIC RELEASE

U//LE5//551

. In addition, in response
steps to ensure that changes
authorized notifications in the future, but an FBI o 1cial tol
not been fully incorporated into the FBI's protocols.

it has taken
will not disrupt
us those changes have

{U) Counterterrorism Controls
(U//te&) We reviewed WITSEC Program KST case files to determine
if the files contained identifying information that had not been shared with national
security stakeholders. We found. identifying pieces of information, or
"identifiers," that the FBI should or could have identified, shared, and included in
the consolidated terrorist watchlist, as well as the National Counterterrorism
Center's (NCTC) classified repository of international terrorist information. Without
these identifiers, the watchlist records are incomplete, thus limiting the information
available to screeners at both the NCTC and Terrorist Screening Center (TSC) when
their staff manage, in real time, an encounter with a KST at an airport, U.S. border,
or traffic stop by local law enforcement. Based on the results of our review of these
files, we believe that the FBI should conduct a similar review of the remaining
WITSEC Program KST case files to ensure that all identifiers are identified,
shared, and included in the watchlist. In February 2017, the FBI officials told us but we have not yet confirmed - that the FBI has completed this review and added
additional identifiers to the watchlist.

I

(U//te&) In our May 2013 report, we found that. KST WITSEC Program
participants who should have been on the Trans ortation Security Administration's
times
(TSA's) No Fly List had flown
commercial aviation,

iv

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI

(U) WITSEC Program Administration
(U//~) We identified several concerns about the administration of the
WITSEC Program. For example, the USMS does not have a sufficient system to
track the identit documents rovided to or collected from WITSEC Pro ram

We also identified issues with how participants are
terminated rom t e WITSEC Program. For example, despite four termination
requests in 9 months from the USMS, OEO delayed the termination of a WITSEC
Program participant who had allegedly sexually assaulted five individuals in an 8year period, including three minors. We found this delay very troubling.
(U) In this report, we make 8 new recommendations to the USMS, FBI, and
OEO to further improve sharing of information on KST WITSEC Program
participants with national security stakeholders and ensure that there are
appropriate controls over KSTs in the WITSEC Program. In addressing these
recommendations, the Department will better mitigate the risks posed by KSTs in
the WITSEC Program.

v

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
(U) AUDIT OF THE DEPARTMENT OF JUSTICE'S
HANDLING OF KNOWN OR SUSPECTED TERRORISTS
ADMITTED INTO THE FEDERAL WITNESS SECURITY
PROGRAM
(U) TABLE OF CONTENTS
(U) INTRODUCTION ...................................................................................... 1
(U) OIG Audit Approach ........................................................................ 2
(U) FINDINGS AND RECOMMENDATIONS ......................................................... 4
(U) The Department's Efforts to Identify KSTs in the WITSEC Program ........ 4
(U) USMS's and OEO's Manual Review of WITSEC Case Files ............. 5
(U) Not All KSTs Were Identified During the Manual Review .............. 7
(U) OEO's Untimely Sharing of Terrorism Information with the
NJTTF .............................................................................8
(U) Sharing of WITSEC Program Information with the FBI ............... 10
(U) The FBI's Vetting of Terrorism Information and Handling of KSTs
in the WITS EC Program .............................................................. 12
(U/t:EG) KSTs 68 and 69 Arrested on
Nearly 5
Months After Their Information was Provided to the NJTTF
for Possible Watchlisting .................................................... 13
(U) The FBI's Unsupported and Incomplete Vetting of WITSEC
Information ...................................................................... 13
(U) Incomplete Watchlist Records ................................................. 16
(U) Encounters of Known or Suspected Terrorists .......................... 18
(U) Processing, Tracking, and Locating KSTs in the WITSEC Program ....... 22
(U)TheUSMS'sTracking of WITSEC Program Participant's
Identity Documents .......................................................... 22
(U Physical Location of KSTs ........................................................ 24
(U) Pre-Admittance Requirements ............................................... 24

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI

(U) KSTs Admitted to the WITSEC Program ................................... 27
(U) Post Admittance Requirements .............................................. 27

(U//teS)

................................................................. 29

(U) Issues with Terminating a KST for Criminal Misconduct ...................... 29
(U) Conclusion .................................................................................. 32
(U) Recommendations ................. ....................................................... 32
(U) STATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS .................... 35
(U) STATEMENT ON INTERNAL CONTROLS ..................................................... 36
APPENDIX 1: (U) AUDIT OBJECTIVES, SCOPE, AND METHODOLOGY .................. 37
APPENDIX 2: (U) RECOMMENDATIONS FROM THE MAY 2013 INTERIM REPORT
ON THE DEPARTMENT OF JUSTICE'S HANDLING OF KNOWN OR SUSPECTED
TERRORISTS ADMITTED INTO THE FEDERAL WITNESS SECURITY
PROGRAM ......................................................................................... 39

APPENDIX 3: (U) BACKGROUND ON THE WITSEC PROGAM AND
CONSOLIDATED TERRORIST WATCHLIST .............................................. 41
APPENDIX 4: (U) PRIOR OIG REPORTS ISSUED ON THE WITSEC PROGRAM, THE
WATCHLIST PROCESS, AND THE TERRORIST SCREENING CENTER ........... 45
APPENDIX 5: (U) THE DEPARTMENT OF JUSTICE'S RESPONSE TO
THE DRAFT REPORT .................... . ...................................................... 47
APPENDIX 6: (U) OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND
SUMMARY OF ACTIONS NECESSARY TO CLOSE THE REPORT .................... 53

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI

(U) AUDIT OF THE DEPARTMENT OF JUSTICE'S
HANDLING OF KNOWN OR SUSPECTED TERRORISTS ADMITTED
INTO THE FEDERAL WITNESS SECURITY PROGRAM
(U) INTRODUCTION
(U) The primary goal of the federal Witness Security Program (WITSEC
Program) is to provide for the security, health, and safety of government witnesses
whose lives are at risk as a result of their testimony against organized crime
members, drug traffickers, terrorists, and other major criminals. 1 The WITSEC
Program is administered through three Department entities: (1) the Criminal
Division's Office of Enforcement Operations (OEO) oversees the WITSEC Program
and authorizes witness participation in the WITSEC Program, (2) the United States
Marshals Service (USMS) is responsible for the protection of active WITSEC
participants who are not incarcerated, and (3) the Federal Bureau of Prisons (BOP)
protects WITS EC participants while they are incarcerated in federal facilities. 2 Since
the WITSEC Program's inception in 1971, more than 8,700 witnesses, and over
9,900 family members and other associates of witnesses, have been admitted into
the WITSEC Program. 3
1
(U) The WITSEC Program was authorized by the Organized Crime Control Act of 1970 and
amended by the Comprehensive Crime Control Act of 1984. Pub. L. No. 91-452 (1970) and
Pub. L. No. 98-473 (1984), respectively.

2

(U) The BOP's management of its portion of the WITSEC Program is not addressed in this

report.
3 (U) OEO and USMS officials have stated that the total number of participants in the WITSEC
Program is unknown. The numbers provided here are both agencies' best estimates.

1

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
(U) In May 2013, the Department of Justice (Department) Office of the
Inspector General (OIG) issued a report on the Department's handling of known or
suspected terrorists (KSTs) who were admitted into the WITSEC Program. 4 In that
report, we found that the Department: (1) had not ensured that the identities of
KSTs admitted into the WITSEC Program were placed on the government's
consolidated terrorist watchlist as appropriate, (2) did not definitively know the
total number of KSTs admitted into the WITSEC Program, (3) did not know the
current location of all identified KSTs, and (4) had not ensured that information
potentially relevant to national security was shared appropriately with the Federal
Bureau of Investigation (FBI) and other national security stakeholders. Based on
the Department's decision to admit and not share information for KSTs in the
WITSEC Program with national security stakeholders, we found that proper national
security precautions had not been put in place and that appropriate monitoring of
these individuals did not occur. Therefore, we made 16 recommendations to the
Office of the Deputy Attorney General to improve information sharing within the
Department and to reduce the risk to the public when admitting KSTs into the
WITSEC Program and handling them, both during and after their WITSEC Program
participation.
(U) OIG Audit Approach

(U) The Department established policies and procedures to address each of
the recommendations in our 2013 report. The purpose of this audit was to
determine whether the Department's policies and procedures sufficiently addressed
the risks we identified at that time. Specifically, our audit objectives were to
evaluate the Department's: (1) handling of KSTs admitted to the WITSEC Program;
(2) practices for watchlisting and the processing of encounters with this group of
WITSEC Program participants; and (3) procedures for mitigating risks to the public
through restrictions placed on this high-risk group of WITSEC Program participants.
The results of our review are detailed in the Findings and Recommendations section
of this report. See Appendix 1 for further discussion of the audit objectives, scope,
4

(U) U.S. Department of Justice Office of the Inspector General, Interim Report on the
Department of Justice's Handling of Known or Suspected Terrorists Admitted into the Federal Witness
Security Program, Report 13-23 (May 2013). See Appendix 2 for the list of 16 recommendations
issued as part of the May 2013 report.
(U//bES) The 2015 U.S. government's Watchlisting Guidance defines that a "known terrorist"
is "an individual who has been (a) arrested, charged by information, or indicted for, or convicted of, a
crime related to terrorism or terrorist activities ... [or] (b) identified as a terrorist or member of a
terrorist or anization ... ,"and it states that

2

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
and methodology. See Appendix 3 for background on both the consolidated
terrorist watchlist and the WITSEC Program.

3

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
(U) FINDINGS AND RECOMMENDATIONS
(U//te&) While the FBI, USMS, and OEO have developed new policies
and procedures to address the issues we identified in our May 2013
review, they have not all been sufficiently and appropriately
implemented. For example, we found several deficiencies with the
USMS' and OEO's review of case files and documentation in WITSEC
Program files, including that not all individuals having a potential
nexus to terrorism were referred by OEO to the FBI's National Joint
Terrorism Task Force (NJTTF) for watchlist consideration; and those
that were referred were not always referred in a timely manner. We
also found that the FBI insufficiently documented its assessments of
individuals identified by the USMS and OEO as possible KSTs in the
WITSEC Program. Based on the evidence available, we believe that
the FBI likel did not perform the assessment
, as required, whic raises
questions a out the adequacy o the FBI's assessments themselves.
In addition, we determined that hundreds of KST-related identifiers
were not provided by the NJTTF to the Terrorist Screening Center
(TSC) and National Counterterrorism Center (NCTC), causin the
consolidated terrorist watchlist records to be incom lete.

(U) As a result of these and other findings described below, we
remain concerned that the USMS and OEO have not appropriately
shared information about KSTs in the WITSEC Program with relevant
national security stakeholders and ensured that those responsible for
monitoring these individuals have the information they need to do so
effectively.
(U) The Department's Efforts to Identify KSTs in the WITSEC Program

(U//te&) As we noted in our May 2013 report, the Department performed a
review of WITSEC Program participant's criminal histories and, as of July 2, 2012,
had identified
KSTs who had been admitted to the WITSEC Program. In
response to our recommendations in that report, the Department manually
reviewed all WITSEC Program case files for any previously unidentified KSTs in the
WITSEC Program. After discussing this audit's findings with the FBI, USMS and
OEO officials, OEO performed another round of review of certain high risk
individuals
identified an additional
individuals with a potential nexus to
terrorism who had been admitted to the WITSEC Program. As o f - ,
the FBI had reviewed the
individuals' backgrounds and added~

II

Ill

II

II

4

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
individuals to the consolidated terrorist watchlist. In total, after accounting for the
admittance of additional KSTs to the WITSEC Program and the identification of
additional KSTs who needed to be added to the consolidated terrorist watchlist,
5
there were
KSTs WITSEC Pro ram articipants as of

(U) USMS's and OEO's Manual Review of WITSEC Case Files
(U//teS) As a result of
review of their WITSEC
Program case files to
identify individuals with a
potential nexus to
terrorism who had been
admitted to the WITSEC
Program. 6 Based on
OEO's review of its case
files, OEO determined that
of those WITSEC
Program participants had a
potential nexus to
terrorism and shared this
information with the FBI.
These files were not
reviewed by the USMS or
any other entity prior to
being shared with the FBI.
We found that OEO
consistently applied the
terrorism criteria to the
information in our sample
of case files.

11

(U//teS) For the
case files that the USMS

our May 2013 report, the USMS and OEO performed a
(U/ /l:ES) The Department's Efforts to Identify KSTs
Admitted to the WITSEC Program Through a Manual
Review of its Case Files
(U//l:E&) The USMS and OEO reviewed more than case
files and identified. individuals as having a potentra'Tiiexus to
terrorism.

•

(U//l:ES) OEO reviewed approximately- case
files and identified. individuals.

•

(U//l:ES) The USMS reviewed alioximately . .
case files and identified
individuals. OEO
reviewed the. individuals agreeing with the USMS
on • .

(U//l:ES) OEO also identified. more individuals with a
potential nexus to terrorism as part of a second review
of these
undertaken as a result of this audit. individuals were determined by OEO 'tO""h'a'Ve a potential nexus
to terrorism, and. were shared with the FBI out of an
abundance of caution.
(U//l:ES) In total, OEO shared with the FBI information on
individuals whom OEO and the USMS had not
d during our May 2013 review. The FBI added . .
•
individuals to the consolidated terrorist watchlist.
-

5

REDACTED - FOR PUBLIC RELEASE

U//LE6//661
reviewed, which were not included in OEO's case file review, its methodology was to
identify and provide to OEO any case or individual that was connected to terrorism,
however remotely. To accomplish this, the USMS assessed the underlying case
facts to determine if the individual had a potential nexus to terrorism as defined in
18 U.S.C. §2331. 7 The USMS conducted this analysis after receiving training from
OEO intended to ensure that the two organizations were consistently applying the
definitions of international and domestic terrorism. Between November 2013 and
March 2014, the USMS identified and provided to OEO information on
•
individuals who were admitted into the WITSEC Program because the USMS
determined that either their criminal history or the case facts had a potential nexus
to terrorism.
(U//keS) OEO officials told us that they felt the USMS was overly cautious
and too inclusive in its identification of cases or individuals that had a link to
terrorism or a crime that ~t be considered terrorism. Therefore, OEO performed
a secondary review of the cases identified by the USMS. OEO stated that its
secondary review was conducted to determine whether: (1) each individual's
potential nexus to terrorism was consistent with the legal definitions of international
and domestic terrorism and (2) to disclose the information as a ropriate to the
NJTTF for watchlist consideration.

(U//keS) To illustrate the type of cases lacking a potential nexus to terrorism
and therefore not shared with the FBI, OEO provided to us an exam le of a case
where the individual committed a crime that
but OEO noted that any ot er state would have identi 1ed it as
assault and battery, which would not be considered as having a potential nexus to
7
(U) 18 U.S.C. §2331 defines international terrorism as activities with the following
characteristics: (1) involve violent acts dangerous to human life that violate federal law or state law;
(2) appear to be intended (i) to intimidate or coerce a civilian population, (ii) to influence the policy of
a government by intimidation or coercion, (iii) to affect the conduct of a government by mass
destruction, assassination, or kidnapping; and (3) occur primarily outside the territorial jurisdiction of
the U.S., or transcend national boundaries in terms of the means by which they are accomplished, the
persons they appear intended to intimidate or coerce, or the locale in which their perpetrators operate
or seek asylum. The definition of domestic terrorism provided in 18 U.S.C. §2331 is the same as
above with the exception of part 3, which states (3) occur primarily within the territorial jurisdiction of
the U.S.

6

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
terrorism. To document its review process and decisions as to why each
individual's history did or did not satisfy the definition of terrorism, OEO personnel
made notes on a standardized cover page, corresponding to an individual in each
case file. We selected and reviewed a judgmental sample o f . cover pages where
OEO determined the individual's information should not be passed to national
security stakeholders because the case or the individual's criminal history lacked a
potential nexus to terrorism. We found that OEO's notes and record keeping were
inconsistent and in many instances too brief for us to understand the basis for
OEO's determination. For example, some reviewers attempted to describe on the
cover sheet the decision process, while others merely noted that the file was not a
"T" (for "Terrorism") case, without further explanation.
(U//-l::E6) During our audit, we identified another !liITSEC Program
participant case files that had not been reviewed because
case files had been
case file did not
archived and e i t h e r - could not locate• case file or
contain enough information to make a potentialnexus to terrorism determination.
OEO subsequently reviewed these files, which resulted in the identification and
sharing of one more individual whom OEO determined had a potential nexus to
terrorism.

I

(U//-l::E6) Ultimately, the FBI added WITSEC Program participants to the
consolidated terrorist watchlist. In addition, after reviewing our findings the FBI
decided to reassess its findings for. WITSEC Program participants that the FBI did
not initially place on the consolidated terrorist watch list, as well as. other
individuals that OEO, upon reconsideration, determined to have a potential nexus to
terrorism. As discussed in the FBI Vetting of Terrorism Information Section of this
report, those reassessments identified. more KSTs who had been admitted to the
WITSEC Program.
(U) Not All KSTs Were Identified During the Manual Review

(U//tE6) To further assess OEO's review process on the case files that were
not passed to the FBI, we selected a judgmental sample o f . cases for closer
examination. Specifically, we compared information within the
cases to the
statutory definition of terrorism in 18 U.S.C. §2331. We found that of the
individuals' case files contained information indicating a potential nexus to
terrorism.

II

II

I

(U//tE6) We discussed these• individuals with OEO officials who told us
that even though OEO erred on the Side of caution when making decisions to refer
WITSEC Program participant's records to the FBI for possible watchlistin2'.l,t did not
believe that forwardin these
individuals was warranted. However,.
OEO require that OEO share information with the
FBI on all individua s in the WITSEC Program with a potential nexus to terrorism.
After we discussed these. individuals with the FBI, the FBI requested that the

7

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
individuals be shared with them. The FBI also expressed concern that OEO might
not have shared with the FBI information on all WITSEC Progra~hat
have had a potential nexus to terrorism. We believe that OEO, - ' should have authorized the USMS to provide the FBI with this information.
Mer"We discussed with OEO officials the particulars of the
individuals that were
not shared with the FBI and we conveyed the FBI's concern to OEO officials, OEO
immediately authorized the USMS to share the information on the• individuals
with the FBI. Ultimately, the FBI determined that neither individual're uired
inclusion on the consolidated terrorist watchlist because

II

(U) Based on the results of our sample review and OEO's lack of supporting
documentation for its review of the case files provided by the USMS, we are
concerned that OEO did not forward information to the FBI on all cases where an
individual had a potential nexus to terrorism. This failure deprived the FBI from
considering whether individuals with a potential nexus to terrorism should be added
to the consolidated terrorist watchlist.
(U//bES) In March 2016, we discussed this finding with OEO officials. OEO
officials stated that based on the OIG's concerns, it undertook a thorough
secondary review o f . cases that were fla.ii:d by the USMS as having a potential
nexus to terrorism, as well as an additional~ cases, which OEO analysts had
designated as "cases in need of further review.' Prior to performing this review,
OEO officials stated that they obtained extensive instruction in the identification of
terrorism information from the FBI and DOJ National Security Division officials.
After performing this review, OEO shared information on. individuals between
April 2016 and July 2016 who had a otential nexus to terrorism. In September
2016, the NJTITF completed the
checks on these individuals and
determined that. do not meet t e criteria or watchlisting. The TSC added the
o t h e r - to the consolidated terrorist watch list. 9
(U) OEO's Untimely Sharing of Terrorism Information with the NJTTF

(U) The WITSEC Program statute states that the Attorney General shall
establish an accurate, efficient, and effective system of records concerning the
criminal history of persons provided protection through the WITSEC Program in

---

------

-------

8

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
order to facilitate the sharing of WITSEC Program information, as appropriate, with
the Department's law enforcement partners. Delays in the review of potential KSTs
by the NJTTF and other national security stakeholders - particularly those
individuals who had already been identified by the USMS as having a potential
nexus to terrorism - are contrary to the language and purpose of the law, policies,
and procedures governing the WITSEC Program, and unnecessarily exposes the
nation to an increased security risk.
{U//te6) One exam le of delay that we identified during our review
WITSEC Pro ram artici ant who had been known to
concerned KST 70
the FBI since the

{U//te6) We found that the delay in forwardin
FBI was not the only such delay b OEO.

The USMS sent the first batch of
individuals
~eluded KST 70) to OEO o n - ' but it was not until - , that the NJTTF received i~O on any of the individuals in
this first batch, and KST 70's information was not provided u n t i l - ' after
KST 70's and after the FBI requested the information. For many of the
batches, it took OEO more than 6 weeks to complete its review, and for some
batches it took much longer.

9

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
(U) Table 1
(U/ /~) USMS Identified Individuals in the WITSEC Program
With a Potential Nexus to Terrorism
Being Shared with the FBI

Batch
Number

1
2
3
4
5
6
7
8
9
10
11
12
13

Date(s)
the
USMS
Sent the
Names
toOEO

Number of
Individuals
Identified
by the
USMS

11 21 13
11 29 13
12 05/13
12/12/13

•
••
•
•

I

12/19/13
01/09/14
01/16 14

I
I
I

01/23/14
01/30/14
02/06/14
02 18 14

I
I

I

a

14 .'.,.,
15 '
16
b
TOTAL
{U//t:ES) Batch number 1 included KST 70 .

b

{U//t:ES)

•

02/20/14
02/28/14
03/06/14
03 13 14
03/21 14

Date(s) OEO Sent
the Names to the
NJTTF

Number of
Days It
TookOEO
to
Complete
Its Review

03 19 14 to 05 08 14
03 19 14 to 05 08 14
03/19 14
05/08 14
03/19/14 and
05 08 14
03 19 14
04 21 14
03/27/14 and
05 08 14
03/19/14 and
04/21 14
03/19/14 and
04 21 14
03 19 14
03/19/14 and
05/08 14
04/21/14 and
05 19 14
03 19 14 to 05 19/14
05 19 14
05/19 14

118 to 168
110 to 160
104
147
90 and 140
69
95
63 and 105
48 and 81
41 and 74
29
27 and 77
52 and 80
13 to 74
67
59

was also passed to the NJTTF on May 8, 2014.

(U) Source: The USMS and OEO

(U) We believe that OEO should have reviewed and shared the case files
identified by the USMS with the FBI in a timelier manner, particularly in light of the
fact that, for each of those individuals, the USMS had specifically reached the
conclusion that its cases had a potential nexus to terrorism.
(U) Sharing of WITSEC Program Information with the FBI

(U//LESHSSI) In our May 2013 report we recommended that the Office of the
Deputy Attorney General ensure that OEO authorize the USMS to disclose, and that
the USMS disclose to the FBI, identification and other necessary information on KSTs
10

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
in the WITSEC Pro ram. We also recommended that

At the time of that report, the Department had identified
who were in the WITSEC Program as of July 2012, which was the most current
information available at the time. During this audit we found that, based on our prior
report's recommendations, OEO authorized the USMS to share information with the
FBI on all. of these KSTs. The FBI subsequently performed threat assessments on
all of the individuals and
most of them. 10
In a ition, the USMS stated that it verified the
physica ocation of a
KSTs. For the
KSTs identified since this current audit
began who were previously admitted into the WITSEC Program, the FBI stated that
were admitted only to the BOP WITSEC Program, individuals have passed away,
and individuals are incarcerated because of new crimes they have committed. As
of November 2016, the FBI is in the process of verifying the location of the remaining

Ill

I

I

-·

(U//tES) In our 2013 review, we reported that the USMS, FBI, and OEO had
been working since December 2010 on a formal protocol
KSTs in the WITSEC Program who
, but that the protocol was not comp eted until the
nt audit, we reviewed the im lementation of this
. We found that

11

(U) Some of the individuals had already been placed on the watchlist by other

entities.

11

REDACTED - FOR PUBLIC RELEASE

I

U//LE&//&&I

(U//~)

when the

When we discussed this situation with OEO, an official told us that
rotocols were developed, the FBI stated the were oin to include,

(U) The FBI's Vetting of Terrorism Information and Handling of KSTs in the
WITSEC Program
(U//L~S/ISSI) In our May 2013 report, we recommended that the
Department develop a mechanism for the FBI to review KST WITSEC Program
participant case files for information that demonstrates a potential nexus to
terrorism. Between March 2013 and January 2016, OEO passed relevant
information for a total of
individuals
) to the NJTTF as part of
review.
OEO also provided the NJTTF access tot e entire case 1le
- · After the NJTTF's review, two of the individuals (KST 68 and KST 69)
were added to the consolidated terrorist watchlist. 13
12
(U//hES) KST 70's identi
passed to the NJTTF. KST 70's
KST 70's

r May 2013 audit, OEO inventoried all the KSTs in t~ Program
and
, for tracking purposes. We have used the same - - system
here and throughout the report to refer to all KSTs.

12

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
(U//~) KSTs 68 and 69 Arrested on Nearly 5 Months After Their
Information was Provided to the NJTT~chlisting

to the USMS and OEO, KST 68 and KST 69,

However, it was not until a er their arrest an
approximately 6 months after OEO initially referred the two individuals to the
NJTTF, that KST 68 and KST 69 were added to the consolidated terrorist watchlist.
On several occasions we asked the FBI to explain the reasons for the delay, but as
of December 2016 we had only received a timeline of what transpired but no
explanation for the delay.
(U) The FBI's Unsupported and Incomplete Vetting of WITSEC Information

. We reviewed the NJTTF's process to determine: (1) if the NJTTF

-

------

-------

---

---------

-

----

13

REDACTED - FOR PUBLIC RELEASE

-

U//LE&//&&1
reviewed the KST documentation and made a determination on the necessity of a
threat assessment for all individuals that OEO and the USMS shared with them and
(2) whether the NJTTF assessed the risk to the public.
(U//t:ES) Given the arrest of KST 68 and KST 69,
. NJTTF officials told us that they believe the NJTTF pe armed a
check of each of the other individuals that OEO assed to the FBI
that a threat assessment was unnecessary.
the current NJTTF personnel could not provide a de mitive
check or some other assessment was
answer as to whether a
performed for each of the individuals, and former NJTTF personnel could not
remember w h a t - steps were performed. Additionally, we found that the
NJTTF did not m~cient documentation to support the determination that
each of the individuals was not: (1) a known terrorist that should be watchlisted
based on prior criminal history or (2) potentially involved in terrorist activity and
appropriately considered a suspected terrorist. Without adequate supporting
documentation, controls over the NJTTF review process were significantly weakened
because the analysis performed could not be properly checked by supervisors, and
important records will not be available should the need for additional investigations
of the individuals later arise.
(U//t:e&) We also reviewed a judgmental sample of.of the individuals
passed to the NJTTF to assess whether the facts in the caseftle, which included the
individual's past criminal history, indicated a potential nexus to terrorism. We
concluded that the facts i n . of the case files appeared to indicate a potential
nexus to terrorism. However, due to insufficient supporting documentation, we
were unable to determine why the NJTTF did not pass the information to the TSC.
The relevant facts from these. case files included:

(U//~) In December 2015, NJTTF, TSC, and OEO officials jointly
reviewed these. individuals' criminal histories and the case files associated with
each of them. These officials determined that the WITSEC-provided identities for
the. individuals did not present an ongoing threat to national security because

14

REDACTED - FOR PUBLIC RELEASE

U//LE5//551

, we found that
these KSTs' infor~vided to t e NJTTF whi e they were in the
WITSEC P r o g r a m - ' and as such they were not assessed at the
proper time by the NJTTF for inclusion on the watchlist. Had the information been
provided more promptly and the determination been made to place these
individuals on the consolidated terrorist watchlist, additional information about
these individuals may have been obtained through any subsequent encounters,
thus aiding investigative and national security efforts.
(U//LE51/551) The failure of the FBI to appropriately document the
assessments and reviews upon which KST determinations are made hinders the
effectiveness of the WITSEC Pro ram.

. In
addition, we believe that the NJTTF's actions may not be consistent with the
requirements of Homeland Security Presidential Directive number 6 (HSPD-6) to
identify all individuals that should be shared with the TSC for possible
watchlisting. 15 If any of the individuals are determined to be KSTs, then certain
security procedures are set in motion by the USMS to mitigate the risk to the
public. Based on our findings and not including the. individuals discussed above
- ' t h e FBI performed a new documented
check on
~ovided by OEO. The
check determined that an
additional. individuals are KSTs and they were added to the consolidated terrorist
15
(U//LES//SSI) HSPD-6 states "the heads of executive departments and agencies shall, to
the extent permitted by law, provide to the [National Counterterrorism Center (NCTC)] on an ongoing
basis all appropriate terrorist information in their possession, custody, or control." Terrorism
information is specifically defined as " ... information about individuals known or appropriately
suspected to be or have been engaged in conduct constituting, in preparation for, in aid of, or related
to terrorism."

15

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
watchlist. We therefore recommend that the FBI establish policy to require
documentation and maintenance of support for its KST determinations on WITSEC
Program participants.
(U) Incomplete Watchlist Records
(U//-l:ES) Our May 2013 report recommended that the Department ascertain
the identity, as well as other necessary information, on KSTs in the WITS EC
Program and evaluate its practices and formalize procedures for the sharing of KST
WITSEC Program participants' identity information with DOJ national security
stakeholders. Further, we recommended that the TSC receive the new,
overnment-provided identities of all KSTs

{U//FOUO) The effectiveness of the consolidated terrorist watchlist as a law
enforcement and intelligence gathering tool is de endent on the com leteness
and accuracy of the records it contains.

{U//-l:ES) During our previous review, the NJTTF was provided full access to
the WITSEC case files, and spent over a week reviewing the files. Although
theraiS"'iittle documentation to demonstrate the purpose or results of the NJTTF's
review, based on the information available to us, it appears that the review was
conducted so that the FBI could perform threat assessments on the. KSTs
identified in our prior report, and not for the purpose of identifying additional
information from the files that should be provided to the TSC.
(U//LES//SSI) We base this conclusion, in part, on the ·results of our review
of a judgmental sample of. of the. KSTs identified in the May 2013 report. We

16

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
reviewed these case files to determine if they contained identifying information that
fell into. of the. categories of identifiers and found. identifiers that were
not included in the consolidated terrorist watchlist records. Table 2 reflects the
breakdown of the. i~entifiers we found, by category.

(U) Table 2
(U/ /LES//SSI) Identifiers Contained in USMS Records and
Not Provided to the TSC at the Conclusion of the NJTTF's Reviewa

---

----

-------

--

-

- - - - ---

- - - - - - ----------

(U) Source: -Case Files

(U//LES//SSI) When we discussed with USMS and OEO officials the
omission of these identifiers from the consolidated terrorist watchlist, they agreed
that the relevant identifiers should have been shared, and they subsequently
provided the information to the TSC for potential inclusion in the watchlist. The
TSC determined that each identifier fell into one of
TSC defined

A TSC o 1cia stated that a o t e
identi 1ers that cou d be attributed to the individuals in the cases
in our sample have now been added to the watchlist. However, because the value
to the watchlist record f o r - is limited to questionable, the TSC
determined that these ide~e added if they received a
nomination form from the NJTTF.
(U//t:EG) Given the watch list policy, the NJTTF should have provided all of
the identifiers on all KSTs in the WITSEC Program to the TSC. These identifiers
include information that is useful to counterterrorism personnel to quickly and

17

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
accurately identify KSTs during an encounter, and avoid the temporary
misidentification of innocent individuals as KSTs during encounters.

Our review of the
KST records re erenced above also assessed whether
any identifiers were missing from•· We found that the same identifiers for
international terrorists contained in the
case files that had
not been added to the consolidated terrorist watc list also ad not been added t o .
for each individual. Because this information was not added to the
consoli
terrorist watchlist record, the consolidated terrorist watchlist and the
NCTC's
complete, thus limiting the usefulness to national
security stakeholders.
(U//.f::ES) Our review clearly demonstrated that additional identifiers of value
to the watchlist are likely to be found in the
WITSEC case files, and
in February 2017, the FBI stated that they have extracted
from the WITSEC case files for KSTs in the WITSEC Program and have
added them to the consolidated terrorist watchlist. We therefore recommend that

(U) Encounters of Known or Suspected Terrorists

In Ju y 2016, a TSC 0 1cial provided statistical
information that the TSC ~s encounters per day on average, and
processed approximately- per year between 2013 and 2015.

17

(U) TIDE is the U.S. government's central and shared repository of information on
international terrorist identities. It is used by the intelligence community as one list for the
consolidation of classified information on known or suspected international terrorists. A sub-set
of sensitive but unclassified information in TIDE feeds into the one consolidated unclassified
known or suspected terrorist watchlist, the Terrorist Screening Database (TSDB). The TSDB
contains information on all terrorists, both international and domestic.

18

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
(U) Figure 1
(U/ /LES//SSI) KST Interim Encounter Process
For WITSEC Program Participants

(U) Source: Terrorist Screening Center

(U//FOUO) As shown in Figure 1, encounters occur when a watchlisted
individual is encountered by local, state, federal, or tribal law enforcement,
homeland security, or other screening personnel, and the individual's identity
matches an identity on the consolidated terrorist watchlist. For example, if a
watchlisted individual is encountered crossing the border or obtaining a U.S.
Passport or Visa, law enforcement personnel are notified that this individual's
identity information matches the identity record on the consolidated terrorist
watchlist. When information on a potential encounter is provided to the TSC, TSC
personnel determine whether certain actions should be taken, including whether
law enforcement should be notified, and whether information obtained during the
encounter should be added in the consolidated terrorist watchlist record for this
individual. During these encounters, key information is often obtained that may be
useful to law enforcement and screening personnel, and it is often reported to other
databases, such as the FBI's Known or Suspected Terrorist File in the

19

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
National Criminal Information Center (NCIC), which is used by local, state, tribal,
and other screening agencies to identify KSTs during encounters.
{U//teS) Part of the national security infrastructure to reduce the risk of
terrorist attacks is to place KSTs that are a threat to commercial aviation on the
Transportation Security Administration's No Fly and Selectee Lists. KSTs on the No
Fly List are denied flying within United States airspace and KSTs on the Selectee
List have to go through additional screening at the air ort before boarding their
flight. In our May 2013 interim report, we found that
of the
KSTs who should
times
have been on the No Fly List had flown

(U//-l:ES) In the current audit, we reviewed encounters for all of the KSTs
that have been admitted into the WITSEC Program between the issuance of our
interim report in May 2013 and November 2015. We found that, according to TSC
encounter records, KSTs in the WITSEC Pro ram have been encountered a total of
times. As shown in Table 3,

20

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
(U) Table 3
(U/ /bES) Types of Encounters of KSTs
Admitted into the WITSEC Program
May 15, 2013 to November 5, 2015

(U) Source: TSC Encounter Records

encounters involved. KSTs admitted into the
KSTs who were on the No Fly List were denied boarding or
were taken. times, and the - KSTs who were
on the Selectees list were flagged for additional screening. times. 8

WITSEC Pro ram.

. Whatever the nature of the encounter, the abi ity to
identify the KST and timely share such critical information among national security
stakeholders decreases the risk of harm to the public, and to the law enforcement
official or screener involved in the encounter.
(U//te£.) Ensuring that any additional identifiers obtained during encounters
are added to the WITSEC case files is also crucial to the appropriate
management of the WITSEC program. We determined that encounter records were
shared timely and accurately with the USMS, and that the stored this
information in its system.

-·

is (U//tES)

21
REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
(U) Processing, Tracking, and Locating KSTs in the WITSEC Program

To evaluate the Department's process, we
se ected or review a ju gmenta sample of. KSTs admitted to the WITSEC
Program who have received a new government identity, KST 70's case,
recently admitted KSTs, and
individuals with a potential nexus to terrorism with
which the USMS had concerns.

II

II

(U) The USMS's Tracking of WITSEC Program Participant's Identity Documents

{U//tES) We found that the USMS does not have a sufficient system to keep
track of the identity documentation rovided to or collected from WITSEC Pro ram
artici ants.
. Nor is there a separate
accounting or identi 1cation documents when the recipient leaves the WITSEC
Program or passes away. In addition, until December 2013, the USMS did not
~e that USMS Inspectors complete a form to acknowledge the receipt o f identification documentation collected from Program participants.
(U//tES) KST 70 is an example of the need
to have a system
that tracks identity documents. During our review, it came to our attention that
KST 70 used both KST 70's true identity and new identity f o r - years after
KST 70 was removed from the WITSEC Program. We found that KST 70 was never
formally issued a new identity, which, according to the USMS, w~
name chan e
. However, ~ovided a - - - drivers license, and in KST 70's new name.
When KST 70 was removed from the WITSEC Program-' the USMS should
have requested that KST 70 return all new-name documents. But based on records, it is unknown if KST 70 was asked to return or in fact returned any
documents. It was not until., when the USMS again requested that KST 70
return all new name documents, that the~eived KST 70's
. This
is the only new identity information t h a t - records reflect being returned by
KST 70.
(U//tES) By retaining these documents, KST 70 was able to use both
identities for years. For example, KST 70 was receiving
benefits in KST 70's new name while receiving retirem
70's true name. 19 KST 70 should have been receiving both the
retirement benefits in KST 70's true name, because the new name
19

(U) We did not attempt to determine the amount of benefits KST 70 received as part
of this audit.

22

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
was never a legal name. We also found that KST 70 was able to use KST 70's
drivers' license to help obtain additional identifications in KST 70's
new name, including a
driver's license. In fact, KST 70 checked into a
hotel the night before t e
with t h a t - driver's license. We
find it very concerning that KST 70 was allowed to use both identities for such a
long period of time.

(U//t:Eb) This lack of document oversight and the lack of an effective
mechanism to ensure that WITSEC Program-issued identity documents are returned
upon request increase the risk that WITSEC Program participants will have access
to and use of multi le identities. We recommend that

(U//t:Eb) OEO officials acknowledged the concern about WITSEC Program
participants retainin identification documents they should not have, and they
updated the
. However, we believe
additional steps are warranted to mitigate t e risk to the Department and the
23

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
public of WITSEC Pro ram participants havin
documents.

access to these identification

(U) Physical Location of KSTs
(U//-l::ES) In our May 2013 interim report, we recommended that the Office of
the Deputy Attorney General ensure that the USMS and FBI verify the physical
locations of all KSTs previously admitted into the WITSEC Program. The
Department verified the location of all the KSTs identified in the May 2013 report.
As previously stated, additional KSTs were si!bse uently admitted and identified,
of these additional KSTs. It is
and the FBI is still in the process of locating
important that the FBI locate these individua s and take appropriate ste s to
miti ate any otential securit threat. Therefore, we recommend that

(U) Pre-Admittance Requirements
(U//"=ES) In our May 2013 interim report, we recommended that the Office of
the Deputy Attorney General determine the appropriate inclusion of DOJ national
security stakeholders in decisions and processes for admitting and monitoring KST
WITSEC Program participants. We also recommended that the USMS develop, with
input from OEO and the FBI, a process to accurately identi all KSTs when the
enter the WITSEC Pro ram. Our recommendation

(U//he6) On July 26, 2013, OEO and the USMS finalized its protocols to
enhance oversight necessary to evaluate, screen, and monitor KSTs admitted to the
WITSEC Program. These protocols require that,
, all
individuals sponsored to the WITSEC Program are compare against t e
consolidated terrorist watchlist to ascertain whether the individual is already

24

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
considered a KST. 20 We found that prior to admittance OEO has been running
names for newly sponsored individuals against the consolidated terrorist watchlist.
OEO officials stated that in order to help process potential terrorism information
timely, it was in the process of hiring a management consultant to establish
stronger management controls. However, based on budget restraints, OEO
informed the OIG in February 2017 that it will be using internal staff to update its
system.
(U//tEb) The protocols also require that OEO provide to the NJTTF
information on KST WITSEC Program participants. In practice, OEO has also been
providing the NJTTF with information on individuals with a potential nexus to
terrorism so that the NJTTF can use this information in assessing whether the
individuals in question should be considered a KST. Additionally, the protocols
require that OEO request and review a detailed risk assessment from the FBI
, and solicit input from the
Department's National Security Division regar ing WITSEC Program suitability of
any watchlisted individual prior to making a decision to admit the individual into the
WITSEC Program. In November 2015 OEO informed us that since the issuance of
our interim report, only. individuals with a potential terrorism nexus have been
admitted to the WITSEC Program. For these• individuals, we found that OEO
and the USMS shared information with nationTsecurity stakeholders as required;
however, as described below, the NJTTF did not properly vet the WITSEC Program
participants in accordance with the Department's protocol.

Ill

(U) Foreign Government Hacker - Potential Nexus to Terrorism

(U//tEb) We reviewed the case file for this WITSEC Program
participant to determine whether OEO was in compliance with its pre-admittance
protocols for all new Program participants and its informal process for individuals
with a potential nexus to terrorism. We found that, in October 2013, OEO and the
20

(U//l:ES) Specifically, as part of the suitability for the WITSEC Program evaluation process,
OEO runs the identity information for each individual against the consolidated terrorist watchlist and
- - - · Once approved for admittance,
runs the identity of the individual against the
~ terrorist watchlist and
in updated information on the participant's
status

25

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
USMS obtained the WITSEC Program threat and risk assessments completed by the
sponsoring ~ March 2014, the USMS ran the individual's identities
against the and against the consolidated terrorist watchlist and found
that he was not in either database. At the same time, based on the belief that this
individual had a potential nexus to terrorism, the USMS provided the WITSEC
Pro ram participant's information to both the TSC and NJTTF, -

.Basedo~

determined that the participant·
owever, we found that the NJTTF
could not provide evidence of a
check or documentation reflecting
that the assessment was performed, as required by FBI protocol.
(U) A Gang Member - Potential Nexus to Terrorism
(U//-beS) I n . 2015, an individual with a potential nexus to terrorism was
admitted to the WITSEC Pro ram and disclosed to NJTTF for review.

(U//tES) In early 2015, while processing this participant's admittance
information, the USMS identified the potential nexus to terrorism. On April 21,
2015, the USMS provided information on this individual to the NJTTF for review and
determination as to whether the individual should be nominated to the consolidated
terrorist watchlist. An NJTTF official told us that the NJTTF did not nominate this
individual to the consolidated terrorist watchlist because,
, the NJTTF considere t e
in ividua 's terrorist nexus to have been e ective y severed. However, there was
no evidence in the records we reviewed that the NJTTF performed a
check and documented it, as required by FBI policy.
(U//kES) We believe the processing of these. individuals represent
examples of situations where the USMS and OEO properly shared information on
individuals with a potential nexus to terrorism with national security stakeholders.
However, we found no documentation to suggest that the NJTTF followed the FBI's
protocol for vetting WITSEC Program participants with a potential nexus to
21

(U) During admission to the WITSEC Program, the threat assessment evaluates the threat
to the witness for cooperating with the federal government. This threat assessment is different from
the threat assessment performed by the FBI to determine if a person is a threat to national security.
The risk assessment reports on potential risks to the public caused by the witness' enrollment in the
WITSEC Program.

26

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
terrorism, although we note that in August 2016, FBI officials told us that it
performed a n o t h e r - check in
and determined
neither individual s~to the consolidated terrorist watchlist. After we
discussed this issue with OEO and the FBI, OEO created a detailed checklist to be
used during the vetting process in order to identify a potential WITSEC Program
participant's nexus to terrorism. The FBI also required that the NJTIF document its
decisions on whether a WITSEC Program participant should or should not be
nominated to the consolidated terrorist watchlist.
(U) KSTs Admitted to the WITSEC Program

(U//tES) F o r - of the KSTs OEO has admitted to the WIT~am
since November 2015, we found that OEO and the FBI followed i t s - : (1)
OEO shared these individuals' information with the NJTIF, (2) OEO requested and
reviewed detailed risk assessments from the FBI
, and (3) OEO solicited input from the Department's
National Security Division regarding WITSEC Program suitability of any watchlisted
individual prior to making a decision to admit the individual into the WITSEC
Program. We also reviewed the admission process for these individuals to
determine whether the USMS had develo ed a process to involve DOJ national
securit stakeholders in determinin

(U) Post Admittance Requirements

(U//tES) In our May 2013 interim report, we recommended that the Office
of the Deputy Attorney General ensure that the USMS completes the development
of protocols to require USMS Inspectors to meet regularly with and maintain upto-date information on active WITSEC Pro ram participants who are also KSTs.
Additionally, we recommended that

(U//te&) We reviewed the protocols developed in response to our
recommendations and found that the protocols require that~
stakeholders, including the USMS, FBI, TSC, and OEO, m e e t - to
review the KST's admittance into the WITSEC program. Additionally, the protocols
require that the USMS conduct com uter indices checks

27

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI

(U//~) We discussed the implementation of these~s with OEO,
USMS, TSC, and NJTTF personnel. We were told that the meetings are
occurring as required. Participants advised that the meetings facilitated a greater
amount of sharin than might have occurred had they not met in person. We also
reviewed the
case files containin documentation related to the indices checks,
, and
reports. We""foUri'dthat
the USMS was pe orming indices c eeks
or all• i"ud mentally
selected partici ants, where required. We a so oun t at for the
individuals
for whom
were required, the USMS pe ormed the
checks as re~ the remaining
individuals, we found that the USMS did
not perform checks because, consistent with the policies, the USMS
waived the monitoring requirement for these individuals because the WITSEC
Program participant posed a danger to the USMS personnel. However, the USMS
still ran the individual's names against

II

28

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
(U//l::e-G)

(U//-l::ES) In our May 2013 interim report, we recommended that the
Department ensure that OEO authorizes the USMS to inform, and ensure the USMS
does inform, the FBI whenever a KSTll, voluntarily leaves the WITSEC Pro ram,
is relocated, or is removed from the WITSEC Pro ram.

(U) Issues with Terminating a KST for Criminal Misconduct

. During our work on the May 2013 report, we were tol
a been charged with inappropriate communications with a minor. During this
audit, we followed up on that information and discovered that KST 12 has been
charged with or accused of sexual assault-related crimes six times since enterin
the WITS EC Pro ram.

-

(U//l:::E6) The alleged sexual assaults all occurred during

•

(U//be6)
, a 22-year-old accused KST 12 of inappropriate
touching and making inappropriate comments
The accusation was made to a local police department, but we found no
evidence that the USMS was made aware of this allegation at the time.
. As described in the last bullet,
allegation was brought to the USMS's attention a different police department investigated a similar allegation
against KST 12. USMS documentation shared with us during this audit noted

29

REDACTED - FOR PUBLIC RELEASE

U//LE&//&&I
that local police determined that they did not have sufficient evidence to
investigate this allegation.
•

(U//te&)
, KST 12 allegedly inappro riatel touched and made
. Since she
inappropriate comments to a 16-year-old
felt uncomfortable with KST 12, she brought a rien wit
er
, and KST 12 allegedly made inappropriate comments to the
friend. Neither the 16-year-old victim nor the friend reported the incidents
to the local police at the time. As described in the last bullet, these
allegations came to the USMS's a t t e n t i o n - , when during a
local police department's investigation of ~on against KST 12
by a woman, who was 16 at the time of the assault, came forward as a
witness. USMS documentation shared with us during this audit noted that the
local police determined they did not have sufficient evidence to investigate
these allegations.

•

(U//tES)
, a 17-year-old accused KST 12 of ina
touching and making inappropriate comments
criminal char es were pursued in this case.
KST 12's
allegation in
reviewed, the
the allegation

•

(U//tES) - , KST 12 made inappropriate sexual contact and
comment~d. Durin its investi ation, the local police
department

alleg i
time,
In turn, the etective investigating KST 12 made the USMS aware of the
other allegations mentioned above. According to USMS documentation, 23

(U//te&) OIG did not interview the USMS employee because

30

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI

. During the
prosecution resu ting from this a egation, four of the six women described
above a reed to testify a a inst KST 12, and KST 12 ultimately pied uilty

I

(U//~)

From a public safety standpoint, the failure of the USMS to notify
OEO and have subsequent communication with local law enforcement about this
individual after being made aware of the incident is concerning. An OEO
official told us that the
allegation was the first alle ation for KST 12
for which it had been
EO was notified

e

I

.
.';

.

.
.

.

.

.

(U//l::eG) After the allegation, the USMS proposed termination from the
WITSEC Program for KST 12 on four separate occasions within a 9 month
timeframe before receivin approval from OEO to terminate

31

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI

(U) Conclusion
(U//ke6) Since our May 2013 review, the FBI, USMS, and OEO have created
policies and procedures to address known risks posed by KSTs admitted into the
WITSEC Pro ram. We found that some of these new policies have been effective.

(U//~)

However, not all of these policies and procedures have proven
sufficient to address the risks sought to be mitigated, nor has the implementation
been as effective as originally anticipated. We identified weaknesses in the
implementation of the policies and procedures created to improve information
sharin amon national security stakeholders.

(U) Recommendations
(U) We recommend that:

32

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI

33

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI

34

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
(U) STATEMENT ON COMPLIANCE
WITH LAWS AND REGULATIONS
(U) As required by the Government Auditing Standards, we tested, as
appropriate given our audit scope and objectives, selected transactions, records,
procedures, and practices, to obtain a reasonable assurance that the USMS's, FBI's,
and OEO's management complied with federal laws and regulations, for which
noncompliance, in our judgment, could have a material effect on the results of our
audit. The USMS's, FBI's, and OEO's, management is responsible for ensuring
compliance with applicable federal laws and regulations. In planning our audit, we
identified the following laws and regulations that concern the operations of the
auditees and that were significant within the context of the audit objectives:
•

(U) Organized Crime Control Act of 1970,

•

(U) Comprehensive Crime Control Act of 1984,

•

(U) 28 C.F.R. § 0.85 (1969),

•

(U) Homeland Security Presidential Directive 6, and

•

(U) Executive Order 13388 on Further Strengthening the Sharing of
Terrorism Information to Protect Americans.

(U) Our audit included examining, on a test basis, the USMS's, FBI's, and
OEO's compliance with the aforementioned laws and regulations that could have a
material effect on the USMS's, FBI's, and OEO's operations. We did so by
interviewing operational staff and supervisors, requesting and reviewing OEO,
USMS, and FBI WITSEC and KST records, evaluating oversight procedures, and
assessing relevant internal policies and practices. Nothing came to our attention
that caused us to believe that the USMS, FBI, or OEO was not in compliance with
the aforementioned laws and regulations.

35

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
(U) STATEMENT ON INTERNAL CONTROLS
(U) As required by the Government Auditing Standards, we tested as
appropriate, internal controls significant within the context of our audit objectives.
A deficiency in an internal control exists when the design or operation of a control
does not allow management or employees, in the normal course of performing their
assigned functions, to timely prevent or detect: (1) impairments to the
effectiveness and efficiency of operations, (2) misstatements in financial or
performance information, or (3) violations of laws and regulations. Our evaluation
of the USMS's, FBI's, and OEO's internal controls was not made for the purpose of
providing assurance on its internal control structure as a whole. The USMS, FBI,
and OEO are responsible for the establishment and maintenance of internal
controls.
(U//~)

As noted in the Findings and Recommendations Section of this
report, we identified deficiencies in the USMS's, FBI's, and OEO's, internal controls
that are significant within the context of the audit objectives and based upon the
audit work performed that we believe adversely affect the Department's ability to
ensure that the handling of KSTs admitted into the WITSEC Program effectively
address risks to the public. In performance audits, a deficiency in internal control
exists when the design or operation of a control does not prevent or detect and
correct noncompliance with provisions of laws or regulations on a timely basis. Our
fieldwork suggested that the process of reviewing case files to identify further KSTs
in the WITSEC Pro ram and the process of notifying FBI
of KSTsconstitute controls that were not properly designed
and ed to de 1ciencies that were significant in this audit. In addition, the USMS's
management and oversight for tracking documentation provided to and received
from individuals in the process of being admitted and while participating in the
WITSEC Program reflects poor internal controls.
(U) Because we are not expressing an opinion on the USMS's, FBI's, and
OEO's internal control structures as a whole, this statement is intended solely for
the information and use of the Department. The restriction is not intended to limit
the distribution of the report, which is a matter of public record. However, we are
limiting the distribution of this report because it contains sensitive information that
must be appropriately controlled. 24

24

(U) A redacted copy of this report with sensitive information removed will be made
available publicly.

36

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
APPENDIX 1
(U) AUDIT OBJECTIVES, SCOPE, AND METHODOLOGY
(U) Audit Objectives
(U) The objectives of the audit were to evaluate the Department's: (1)
handling of KSTs admitted to the WITSEC Program; (2) practices for watchlisting and the processing of encounters with this group of WITSEC Program
participants; and (3) procedures for mitigating risks to the public through
restrictions placed on this high-risk group of Program participants.

(U) Scope and Methodology
(U) We conducted this performance audit in accordance with generally
accepted government auditing standards. Those standards require that we plan
and perform the audit to obtain sufficient, appropriate evidence to provide a
reasonable basis for our findings and conclusions based on our audit objectives.
We believe that the evidence obtained provides a reasonable basis for our findings
and conclusions based on our audit objectives.
(U//tES) Our audit scope is from May 2013, when we issued the interim
report on this topic, through 2015. To accomplish our objectives, we performed
fieldwork at agencies, within the Department, tasked with handling KSTs admitted
to the WITSEC program. Specifically, we conducted interviews with officials and
reviewed standard operating procedures at OEO and USMS headquarters, the NJTTF
and TSC of the FBI, and the NCTC to determine whether these agencies adhered to
established internal controls in managing risks posed by these WITSEC Program
participants. A judgmental sampling design was applied to capture numerous
aspects of the WITSEC case files, TSDB records, and records. This nonstatistical sample design does not allow projection of the test results to the
population.

and completeness of
records to case files
• · Our testing consisted of
KST WITSEC Program pa~dgmentally
selected from a list of. KSTs on a list OEO provided to u s - . Our
judgmental selection was based on whether or not a KST WITSEC Pro ram
articipant:

37

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI

(U//tES) To assess the implementation of rotocols on handling this group of
WITSEC Program participants
, . e·udgmentally selected.
and interviewed availab e o 1cia s rom t e
FBI and USMS-.
Our judgmental selection was generally based on the istory of geographic
WITSEC KSTs that we reviewed for TSDB accuracy and
movements of the
completeness.

II

(U) To evaluate the Department's efforts of identifying any other WITSEC
Program participants who might be KSTs, we obtained case file review records
maintained by the USMS, NJTTF, and OEO. We reviewed these records to
determine how the USMS and OEO assessed and referred appropriate WITSEC
Program participants to the NJTTF for consideration of watchlisting, as well as the
NJTTF's decision on such referrals. We judgmentally selected 46 case files to
review OEO's decision not to share the individual's information with the NJTTF.

38

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
APPENDIX 2
(U) RECOMMENDATIONS FROM THE MAY 2013 INTERIM REPORT
ON THE DEPARTMENT OF JUSTICE'S
HANDLING OF KNOWN OR SUSPECTED TERRORISTS
ADMITTED INTO THE
FEDERAL WITNESS SECURITY PROGRAM
(U) In our May 2013 report, we recommended to the Office of the Deputy
Attorney General that it:
•

(U) Evaluate current practices and formalize procedures for the enhanced
sharing of identity information with DOJ national security stakeholders for
known or suspected terrorists in the WITSEC Program, in light of any legal
structures.

•

(U) Ensure that OEO and the USMS compare the true names of all WITSEC
Program participants and their dependants that have been admitted into the
WITSEC Program against the consolidated terrorist watchlist .

•

•

(U//tES) Ensure that OEO authorizes the USMS to provide to the TSC the
new, overnment- rovided identities of all known or sus ected terrorists,

•

•

(U) Ensure that OEO authorizes the USMS to disclose and that the USMS
discloses to the FBI identification and other necessary information on known
or suspected terrorists in the WITSEC Program.

•

(U) Ensure that the USMS and FBI coordinate to verify the current physical
location of all known or suspected terrorists who have been admitted into the
WITSEC Program.
.

39

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI

•

(U) Determine the appropriate inclusion of DOJ national security stakeholders
in decisions and processes for admitting and monitoring WITSEC Program
participants who are considered to be known or suspected terrorists .

.

'

~

~ · (U) Ensure that the USMS completes the development of protocols to require
~

USMS Inspectors to meet regularly with and maintain up-to-date information
~ on active WITSEC Program participants who are also known or suspected
· ·terrorists.

'

;.

•

(U) Develop a mechanism for the FBI to review known or suspected terrorist
WITSEC Program participant case files for information that demonstrates a
potential nexus to terrorism.

•

(U//~)

Ensure that OEO authorizes the USMS to inform and ensure the
USMS does inform the FBI whenever a known or suspected terrorist.,
voluntarily leaves the WITSEC Program, is relocated, or is removed from the
WITSEC Program.

40

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
APPENDIX 3
(U) BACKGROUND ON THE WITSEC PROGRAM
AND CONSOLIDATED TERRORIST WATCHLIST
(U) WITSEC Program and Watchlist Background
(U) The WITSEC Program was authorized by the Organized Crime Control Act
of 1970 and amended by the Comprehensive Crime Control Act of 1984,
Pub. L. No. 91-452 (1970), and Pub. L. No. 98-473 (1984), respectively. The
WITSEC Program provides for the security, health, and safety of government
witnesses who are at risk of harm as a result of their testimony against organized
crime members, drug traffickers, terrorists, and other major criminals. The
WITSEC Program is administered through three Department entities: (1) OEO
oversees the WITSEC Program and authorizes witnesses into the WITSEC Program,
(2) the USMS is responsible for the protection of active WITSEC Program
participants who are not incarcerated, and (3) the Federal Bureau of Prisons (BOP)
protects WITSEC Program participants while they are incarcerated in federal
facilities.
(U) The Organized Crime Control Act of 1970, amended by the
Comprehensive Crime Control Act of 1984, (the Act) states that the Attorney
General is authorized to provide for the relocation and protection of potential
witnesses, and their family members, who are involved in an official proceeding
concerning an organized crime activity or other serious offense. The Act also states
that the Attorney General shall take actions to protect the health, safety, and
welfare of WITSEC Program participants, including their psychological well-being
and social adjustment. Among other measures, the Act authorizes the Attorney
General to: (1) provide suitable documents to enable the WITSEC Program
participant to establish a new identity, (2) provide housing for the WITSEC Program
participant, (3) provide to the WITSEC Program participant financial assistance to
meet basic living expenses, ( 4) assist the WITS EC Program participant in obtaining
employment, and (5) provide other services necessary to assist the WITSEC
Program participant in becoming self-sustaining.

41

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI

(U//teS) The Attorney General has delegated to the Director of OEO the
authori to decide who is admitted to the WITSEC Pro ram,

(U) The Act requires the Attorney General to enter into a Memorandum of
Understanding (MOU) with individuals participating in the WITSEC Program. As
described in the Act, individuals admitted into the WITSEC Program must agree to
certain requirements that are incorporated in the MOU, including: (1) not
committing any crime, (2) taking all necessary steps to avoid detection of their
participation in the WITSEC Program, (3) regularly informing the USMS of their
current address, and ( 4) not traveling without USMS approval. If an individual
substantially breaches the terms of the MOU or provides false information to
authorities concerning the circumstances under which the participant was provided
protection, the Act authorizes the Attorney General to remove that individual from
the WITSEC Program. As the Attorney General's designee, the Director of OEO
makes this determination to remove an individual from the WITSEC Program after

26

{U//l:ES) 18 U.S.C. § 3521 authorizes the Attorney General to delegate the responsibility
initially to authorize witness relocation and protection only to the Deputy Attorney General, Associate
Attorney General, any Assistant Attorney General in charge of the Criminal Division or National
Security Division of the Department of Justice, Assistant Attorney General in charge of the Civil Rights
Division of the Department of Justice (insofar as the delegation relates to a criminal civil rights case),
and to one other officer or employee of the Department of Justice. The most recent delegation of this
authority was made to the Director of OEO on March 18, 2011. We were provided documentation that
this delegation was made to OEO since at least 1984.

42

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
considering the severity of the breach along with the importance of the witness's
testimony .

•

•
•
•

(U) Terrorist Watchlist Nomination Process
(U) According to the President's National Strategy for Counterterrorism
issued in June 2011, the primary goal of the nation's counterterrorism efforts is to
identify suspected terrorists and prevent them from harming U.S. citizens both at
home and abroad. An essential element of these efforts is the maintenance of a
consolidated terrorist watchlist that contains a complete and accurate record of the
names and identifying information of KSTs. The Terrorist Screening Center (TSC),
which is a multiagency entity managed by the FBI, is responsible for maintaining
the government's consolidated watchlist of KSTs.
(U) The Department's watchlist nomination process is centralized through
the FBI, which is the sole agency in the Department responsible for nominating to
the watch list the Department's information on KSTs. 28 The TSC shares watch list
information with other agencies by exporting or sending data "downstream" to
frontline screening databases, such as the Transportation Security

28

(U) The Deputy Attorney General informed" ... all components [of the Department of
Justice] to provide the FBl with all domestic and international terrorism information or terrorist
identifiers so that the FBI can make appropriate nominations to the consolidated terrorist watchlist."
Deputy Attorney General, Department of Justice, memorandum for the heads of Department
components, Department of Justice Protocol Regarding Terrorist Watchlist Nominations, October 3,
2008.

43

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
Administration's (TSA) No Fly and Selectee Lists and Secure Flight Program; the
Department of State's Consular Lookout and Support System passport and visa
modules; the FBI's NCIC system's Known or Suspected Terrorist File; the U.S.
Customs and Border Patrol's (CBP) Treasury Enforcement Communications System
database; and select foreign governments.
(U) The consolidated terrorist watchlist information is utilized by law
enforcement, screening, and intelligence officials across the country and around the
world. These agencies use the watchlist information to take appropriate action when
encountering a KST, including prohibiting them from boarding a commercial aircraft if
the individual is on the TSA's No Fly List or subjecting the individual to increased
examination of questioning if crossing the border or when stopped by local law
enforcement for a traffic violation. 29
(U) The consolidated terrorist watchlist should include the most current and
complete information known to the government on KSTs. If the government has
information about an individual who is a threat to national security, that
individual's information should be included on the consolidated terrorist watchlist to
ensure that the individual is appropriately handled by law enforcement, screening,
and intelligence officials. Even a single omission of a KST from the watchlist could
create an opportunity for an individual to evade detection and commit terrorist
attacks .

...

29

(U) "Encounter" means local, state, tribal, or federal law enforcement and homeland
security screeners have come across a KST during normal job duties (e.g. traffic stops, checking of
airplane manifests, or evaluating an application for a U.S. passport or visa).

44

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
APPENDIX 4
(U) PRIOR OIG REPORTS ISSUED ON THE
WITSEC PROGRAM, THE WATCHLIST PROCESS, AND
THE TERRORIST SCREENING CENTER
(U) The Department of Justice, Office of the Inspector General has issued
several reports over the years on the government's Witness Security Program, the
Department's watchlist process, and the Terrorist Screening Center. Those reports
are:
1.

(U) U.S. Department of Justice Office of the Inspector General, Admission
into the Department of Justice's Witness Security Program by the Criminal
Division, Audit Report 93-24 (September 1993).

2.

(U) U.S. Department of Justice Office of the Inspector General, United
States Marshals Service's Responsibilities Under the Witness Security
Program, Audit Report 94-7 (November 1993).

3.

(U) U.S. Department of Justice Office of the Inspector General, The Federal
Witness Security Program, Criminal Division, Audit Report 02-05 (January
2002).

4.

(U) U.S. Department of Justice Office of the Inspector General, United
States Marshals Service Administration of the Witness Security Program,
Audit Report 05-10 (March 2005).

5.

(U) U.S. Department of Justice Office of the Inspector General, Review of
the Terrorist Screening Center, Audit Report 05-27 (June 2005).

6.

(U) U.S. Department of Justice Office of the Inspector General, Review of
the Terrorist Screening Center's Efforts to Support the Secure Flight
Program, Audit Report 05-34 (August 2005).

7.

(U) U.S. Department of Justice Office of the Inspector General, Follow-up
Audit of the Terrorist Screening Center, Audit Report 07-41 (September
2007).

8.

(U) U.S. Department of Justice Office of the Inspector General, Audit of the
Department of Justice Terrorist Watchlist Nomination Processes, Audit
Report 08-16 (March 2008).

9.

(U) U.S. Department of Justice Office of the Inspector General, The Federal
Bureau of Prisons Witness Security Program, Audit Report 09-01 (October
2008).

45

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
10. (U) U.S. Department of Justice Office of the Inspector General, The Federal
Bureau of Investigation's Terrorist Watchlist Nomination Practices, Audit
Report 09-25 (May 2009).
11. (U) U.S. Department of Justice Office of the Inspector General, The
Department of Justice's Handling of Known or Suspected Terrorists
Admitted into the Federal Witness Security Program, Audit Report 13-23
(May 2013).
12. (U) U.S. Department of Justice Office of the Inspector General, The Federal
Bureau of Investigation's Management of Terrorist Watchlist Nominations,
Audit Report 14-16 (March 2014).
13. (U) U.S. Department of Justice Office of the Inspector General, Review of
Termination and Appeals Notice to Witness Security Inmate Participants,
Evaluation and Inspections Report I-2014-005 (August 2014).
14. (U) U.S. Department of Justice Office of the Inspector General, The
Department of Justice's Handling of Sex Offenders in the Federal Witness
Security Program, Audit Report 15-10 (March 2015).

46

REDACTED - FOR PUBLIC RELEASE

APPENDIX 5
THE DEPARTMENT OF JUSTICE'S RESPONSE
TO THE DRAFT REPORT
U.S. Department of Justice
Office of the Deputy Attorney General
Office of the Deputy Attorney General

Washington, D.C. 20530

May 5, 2017
U//LES LIMITED OFFICIAL USE ONLY
MEMORANDUM
To:

Michael E. Horowitz
Inspector General
U.S. Department of Justice

Through:

Jason R. Malmstrom
Assistant Inspector General for Audit

From:

Armando 0. Bonilla
Senior Counsel to the Deputy Attorney General

Subject:

Response to Draft Audit Report entitled Department ofJustice's Handling of
Known or Suspected Terrorists Admitted into the Federal Witness Security
Program (April 21, 2017)

(U) The Department appreciates the opportunity to respond to the Office of the
Inspector General's draft audit report entitled Department ofJustice's Handling ofKnown or
Suspected Terrorists Admitted into the Federal Witness Security Program (OIG Audit Report).
The collaborative audit process has prompted significant improvements in the Federal Witness
Security Program (WitSec Program or Program).
(U) Created by Congress over 40 years ago as part of the Organized Crime Control Act
of 1970 to combat organized crime syndicates, the Program has played a crucial role in
the protection of witnesses to violent crime, and has enabled federal investigators and
prosecutors to bring to justice some of the world's most dangerous criminals. See Pub. L. No.
91-452, §§ 501-04, 84 Stat. 922, 933-34 (1970) (current version codified at 18 U.S.C. §§
3521-28). The Program successfully has protected an estimated 18,300 participants - including
innocent victim-witnesses and cooperating defendants and their dependents - from intimidation
and retribution. This vital and effective prosecution tool allows the government to protect
witnesses whose assistance is necessary as part of criminal investigations and whose testimony
is critical to securing convictions in United States courts of law, military tribunals, and foreign
prosecutions.
U//LES Lil\llTED OFFICIAL USE ONLY

47

REDACTED - FOR PUBLIC RELEASE

U//LES LU\HTED OFFICIAL USE ONLY
(U) Over the last 20 plus years, as the government has devoted significant resources to
the prosecution of terrorism cases, the WitSec Program necessarily has included a small number
of former known or suspected terrorists and their family members, as well as innocent victims
and eyewitnesses. These witnesses have provided invaluable assistance to the United States
and foreign governments in identifying and dismantling terrorist organizations and in disrupting
terror plots. Among other investigations and prosecutions, Program participants have provided
essential cooperation and testimony regarding the 1993 World Trade Center bombing and Blind
Sheik prosecutions, the 1995 bombing of the Alfred P. Murrah Federal Building in Oklahoma
City, the 1998 East Africa Embassy bombings, the 2000 Millennium terror plot, the 2007 plot
to bomb the John F. Kennedy International Airport, and the 2009 New York City subway
suicide-bomb plot. As these cases show, the WitSec Program has been a key law enforcement
tool in securing cooperation from those witnesses who are necessary to the successful
prosecution of cases that are integral to the government's counter-terrorism mission and to the
security of the United States.

(U) The Department has considered the eight recommendations reflected in the draft
OIG Report. As detailed below, the Department concurs with all eight recommendations and
has made continued progress in implementing the policies and procedures necessary to warrant
closure. At this time, the Department requests that the OIG close Recommendation Nos. 3-6,
and 8. We will continue to provide updates on our progress on the remaining resolved
recommendations.

(U/f,£.8) The Department concurs with this recommendation. The FBI concurs with
OIG's assessment that documentation of these investigations was insufficient.

2

U//LES

LI~HTED

OFFICL\L USE ONLY

48

REDACTED - FOR PUBLIC RELEASE

(Ul±:H8) The Department concurs with this recommendation.

the Department recommends that this recommendation be closed.

4.

(Ul±:H8) Th~concurs with this recommendation. On
USMS
Assistant Director issued a
to all Division personnel directing
adherence to the above-referenced recommendations,

3

U//LES LIMITED OFFICIAL USE ONLY

49
REDACTED - FOR PUBLIC RELEASE

(U/±,H8) A copy of the
has been provided to the OIG
Audit Team contemporaneously with the su nussion of this response. Accordingly, the
Department requests that this recommendation be closed.

5.

4

U//LES Lll\HTED OFFICIAi.. USE ONLY

50
REDACTED - FOR PUBLIC RELEASE

U//LES LIMITED OFFICIAL USE ONLY
(U) Accordingly, the Department requests that this recommendation be closed.

6.

(U/bHS) See response to Recommendation 5.

(U/tH8) The De artment concurs with this recommendation. The FBI has located all
watchlisted
Witnesses to the extent lawfull authorized with
exce tion.

5

U//LES Lll\41TEI> OFFICIAL USE ONLY

51
REDACTED - FOR PUBLIC RELEASE

(U) Accordingly, the Department requests that this recommendation be closed.

1

(U/f,HS.) This recommendation appears to be derived from the termination ofKST 12. As
noted in the OIG Audit Report, the USMS proposed termination of this witness on four separate
occasions within a nine-month period, but the Director of the Program did not terminate KST
12 until it was evident that the witness had engaged in conduct that established a substantial
breach of the MOU. See J.S. v. T'Kach, 714 F.3d 99 at 108 (2d Cir. 2013) (recognizing that
Congress explicitly required the Director of the Program to "find a substantial breach of the
participant's MOU [and to] rovide notice to the erson involved of the termination and the
reasons for termination." .

6

U//LES LU\llTEI> OFFICIAL USE ONLY

52
REDACTED - FOR PUBLIC RELEASE

APPENDIX 6
U//LES//SSI
(U) OFFICE OF THE INSPECTOR GENERAL
ANALYSIS AND SUMMARY OF ACTIONS
NECESSARY TO CLOSE THE REPORT
(U) The OIG provided a draft of this audit report to the Department. The
Department's response is incorporated in Appendix 5 of this final report. The
following provides the OIG analysis of the Department's response and summary of
actions necessary to close the report.

Recommendations for the Department:

CU) Resolved. The Department concurred with our recommendation. In
its response, the Department stated tha

(U) This recommendation can be closed when we receive documentation that the

(U) Resolved. The Department concurred with our recommendation. In
its response, the Department stated tha

53

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
This recommendation can be closed when we receive evidence from -

(U)Resolved. The Department concurred with our recommendation.

Based on this in ormation, the Department requested that
this recommendation be closed.
This recommendation can be closed when we receive evidence that

4. (U/ /YB)

54

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI
, memorandum, which required WITSEC officials to

r

Based on this information, the Department requested that this
recommendation be closed.
We learned during the audit that the

(U)Resolved. The Department concurred with our recommendation. In
its response, the Department stated that th

Based on this
information, the Department requested that this recommendation be closed.

55

REDACTED - FOR PUBLIC RELEASE

U//LE&//&&I

(U)This recommendation can be closed when we receive evidence that the -

(U) Resolved. The Department concurred with our recommendation
and in respose to this recommendation referred to its response for
Recommendation 5. Specifically, the Department refers to the

(U)As a result, this recommendation can be closed when the Department
provides evidence that the

56

REDACTED - FOR PUBLIC RELEASE

U//LES//SSI

(U)This recommendation can be closed when we receive evidence from the
Department that all
KSTs have been located and the corresponding
have been notified o f -

(U)Resolved. The Department concurred with our recommendation.

57

REDACTED - FOR PUBLIC RELEASE

U//LE&//&&I

(U)Nevertheless, during the audit we reviewed

58

REDACTED - FOR PUBLIC RELEASE

The Department of Justice Office of the Inspector General
(DOJ OIG) is a statutorily created independent entity
whose mission is to detect and deter waste, fraud,
abuse, and misconduct in the Department of Justice, and
to promote economy and efficiency in the Department's
operations. Information may be reported to the DOJ
OIG's hotline at www.justice.gov/oig/hotline or
(800) 869-4499.

Office of the Inspector General
U.S. Department of Justice
www.justice.gov/oig

REDACTED - FOR PUBLIC RELEASE