
Departmental Critical Infrastructure Protection
Planning for the Protection of Physical Infrastructure

Report No. 02-01
November 2001
Office of the Inspector General


FINDINGS AND RECOMMENDATIONS

  1. IDENTIFICATION OF MISSION ESSENTIAL INFRASTRUCTURE
    The Department has not adequately identified its physical MEI. As a result, the inventory of the MEI is incomplete and the Department does not have a firm basis upon which to conduct a vulnerability assessment. The Department has not conducted a separate asset identification survey to identify those facilities that are critical to accomplishing its national and economic security missions. Instead, we found that the Department's physical MEI includes only those facilities that support critical IT systems. IMSS officials said that the physical assets identified as part of the Department's efforts to identify its critical computer-related assets represent the physical MEI. In our judgment, this assessment is inaccurate because the Department has critical facilities that do not house critical IT systems.

    Under PDD 63, agencies are required to define and inventory assets that are critical to the operations of the government. The November 1998 Plan and the April 1999 Plan both included a similar methodology for identifying the Department's MEI. According to both plans, the result would be a rank ordered list of assets, including a brief description of the asset, location(s), specific mission-based criteria used to identify the asset, estimated replacement costs, planned life cycle, and a brief statement as to the potential impact of the asset not being available. The Expert Review Team suggested that the Department include a list of critical agency missions, a list of critical infrastructure assets (including physical facilities, information systems, and personnel) needed to accomplish those missions, and an analysis of why the assets are critical to accomplishing essential missions.

    In January 2001, the Department completed an inventory of its computer-based MEI, including "systems, facilities and personnel that process, or support the processing of, both classified and unclassified data." The assets were selected based on the Department's strategic goals and the significance to the Department in "fulfilling its mission, providing critical national security or national economic security functions, or providing continuity of core government services." The survey identified a total of 120 assets related to the Department's critical IT systems: 20 information systems, 11 related facilities, and 89 related personnel. IMSS officials said that a separate survey of the Department's facilities to identify those critical physical assets not related to critical IT systems had not been performed.

    In our judgment, the asset survey for critical IT systems did not identify all of the Department's critical physical assets. We noted that the Department's headquarters (Main Justice) and some components' headquarters are not listed as critical assets. Main Justice does not house any critical IT systems; however, it does house the Attorney General and other senior executives as well as components necessary to operate the Department under emergency conditions. Officials with SEPS said they were unaware that Main Justice and essential staff had not been included in the list of critical assets. IMSS officials told us that, based on discussion with us during the audit, the Justice Command Center [4] in Main Justice will be considered for inclusion in the MEI.

    A complete inventory of the Department's MEI is important because the inventory will form the basis of a vulnerability assessment. According to the CIAO, a clearly defined MEI is one of the critical success factors in doing a vulnerability assessment. Without a clearly defined MEI, the Department cannot produce an accurate list of vulnerabilities classified by the core process at risk or illustrating interdependencies and potential impact.

    According to SEPS officials, the Department and the General Services Administration (GSA) have undertaken various initiatives unrelated to PDD 63 that were designed to identify departmental facilities subject to attack. These officials indicated that the United States Marshals Service was tasked, because of its expertise with court security, with studying the vulnerability of federal office buildings, and recommended improvements to the GSA-managed building security programs. In addition, the Department contracted for vulnerability assessments of selected facilities and took steps to remediate deficiencies identified. However, the physical facilities covered by these efforts were not reflected in the MEI prepared for PDD 63 and may not include the complete physical MEI.

    Recommendation

    We recommend that the Assistant Attorney General for Administration:

    1. Inventory the Department's physical MEI in a manner that: (a) uses the CIAO's definition of MEI; (b) links the MEI to those Department missions that are absolutely necessary to national security, national economic security, or continuity of government operations; (c) documents the criteria used to select each asset; and (d) incorporates other related efforts by the Department to identify mission essential physical infrastructure.

  2. VULNERABILITY ASSESSMENTS
    The Department has not ensured that complete vulnerability assessments of all of its physical mission essential assets have been performed. The Department cannot complete vulnerability assessments of its critical physical assets because it has not identified all of its physical MEI. As a result, the Department has not developed a list of flaws or omissions in controls (vulnerabilities) that may affect the integrity, confidentiality, accountability, and availability of resources that are essential to critical assets.

    PDD 63 requires each agency to conduct vulnerability assessments of those assets in its MEI. The April 2000 Initial Operating Capability version of the Critical Infrastructure Protection (CIP) plan indicated that the vulnerability assessments were to have been completed by March 2000. [5] The Department's November 1998 and April 1999 Plans both included a similar methodology for conducting vulnerability assessments of the Department's MEI. Both plans referred to a Vulnerability Assessment Framework created under contract for the CIAO. According to the Department's Plans, the vulnerability assessments would yield a report including: (1) a brief description of the asset, (2) potential threats, (3) existing protections, (4) vulnerabilities, (5) recommended corrective actions, and (6) a sensitivity rating. Both plans called for the Department's Critical Infrastructure Protection Task Force [6] to then summarize the vulnerabilities in a Departmental Vulnerability Assessment Report.

    Despite the existence of a methodology for conducting the vulnerability assessments, the assessments have not been completed. IMSS officials said that, as part of the Department's ongoing certification and accreditation effort, a vulnerability assessment of the 11 facilities related to the Department's critical IT systems would be conducted. As of July 12, 2001, vulnerability assessments had been completed on only 4 facilities. However, as noted in our first finding, the Department has not identified all of its critical physical assets. As a result, vulnerability assessments of only those 11 facilities related to the Department's critical IT systems would not provide coverage for all of its critical physical assets.

    The failure to assess vulnerabilities of physical assets leaves the Department's critical physical assets susceptible to disruption. Without a vulnerability assessment, the Department cannot identify and therefore is unable to mitigate weaknesses that may be exploited by an enemy. A disruption could endanger the lives of personnel required to make key decisions and limit the Department's ability to perform national security services as a result of the inability to process data, communicate with other governmental personnel, or use critical facilities.

    Recommendation

    We recommend that the Assistant Attorney General for Administration:

    1. Complete the vulnerability assessments, incorporating related assessments by the Department and the GSA of the Department's physical MEI.

  3. REMEDIAL PLANS
    The Department has not developed plans to remediate weaknesses identified in the vulnerability assessments of its physical MEI. PDD 63 requires federal agencies to develop a plan to mitigate any weaknesses found during the vulnerability assessment. The remedial plan should include a multi-year funding plan, timelines for implementation, and an indication of who is responsible for implementation. Because the Department has yet to complete vulnerability assessments of all of its physical MEI, it does not know how much it will cost to remedy the vulnerabilities or how long it will take to implement the remedies. Absent effective remedial plans, physical assets may be susceptible to disruption, affecting national security and continuity of government services.

    PDD 63 states that "based upon the vulnerability assessment, there shall be a recommended remedial plan. The plans shall identify timelines for implementation, responsibilities, and funding." According to an IMSS official, remedial plans should be completed by November 30, 2001.

    Because the Department has yet to complete vulnerability assessments of all its physical MEI, it has not developed remedial plans to mitigate the vulnerabilities identified in the assessments. As a result, the Department does not know how much it will cost to remedy the vulnerabilities or when all the remedies will be completed. The Department's April 1999 Plan calls for the Department to develop system specific remedial plans to mitigate any vulnerabilities identified in the vulnerability assessments. At a minimum, the plans were to identify the: (1) responsible office, (2) vulnerability, (3) mission impact, (4) near term mitigation action, (5) long-term corrective measure, and (6) estimated costs and milestones for corrective measures. The system specific remedial plans were to be summarized into a Department-wide plan in which remediation efforts were to be tracked.

    The Department's April 2000 Initial Operating Capability version of the Critical Infrastructure Protection plan includes an appendix titled "CIP Remedial Action Plan." It recommends that the Department Security Officer assume responsibility for implementing PDD 63 because the Department Security Officer is also responsible for implementing PDD 67.

    The IMSS informed the Office of the Inspector General that it believed the shift in responsibility to the Department Security Officer would lead to a coordinated effort to implement these two PDDs. The Department plans to complete remedial plans by November 30, 2001. According to IMSS officials, this will allow the Department to start reflecting the cost of a multi-year remedial plan in its fiscal year (FY) 2003 budget submission to the Office of Management and Budget (OMB). By FY 2004, IMSS expects the Department's submission to fully reflect the cost of implementing the multi-year remedial plan.

    Recommendation

    We recommend that the Assistant Attorney General for Administration:

    1. Develop: (a) remedial plans to address weaknesses identified by the vulnerability assessments and (b) a multi-year funding plan for the remediation of vulnerabilities.


Footnotes

  4. The Justice Command Center serves as the crisis center for the Department.

  5. The date for the completion of the vulnerability assessments was not updated in the April 2000 Initial Operating Capability version of the CIP plan.

  6. The task force, made up of personnel from 25 departmental components, was created to implement the requirements of PDD 63.