
Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure

Report No. 04-05
November 2003
Office of the Inspector General


Appendix 12
OIG, Audit Division Analyses and Summary of
Actions Necessary To Close Report

In its response to the draft report, JMD agreed with all of our audit recommendations. JMD's response to the draft audit report is included as Appendix 11 of this final report.

Recommendation number:

  1. Resolved. This recommendation is resolved based on the JMD's plans to use the Automated Security Self-Evaluation and Remedial Tracking (ASSERT) tool to track activities to accredit IT systems. This recommendation can be closed after our review of documentation demonstrating that the ASSERT tool is being used to track risk mitigation activities for classified systems.
  1. Resolved. This recommendation is resolved based on the JMD's plans to develop multi-year funding plans following the completion of Step 2 of Project Matrix and the implementation of the ASSERT tool to track vulnerabilities, mitigation actions and resources for classified and unclassified systems. This recommendation can be closed after our review of the multi-year funding plan linked to identified vulnerabilities for the critical assets.
  1. Resolved. This recommendation is resolved based on the JMD's plans to use the ASSERT tool to monitor components' progress in mitigating IT vulnerabilities on a component-by-component basis. This recommendation can be closed after our review of documentation demonstrating that the ASSERT tool is being used to track IT vulnerabilities on a component-by-component basis.
  1. Resolved. This recommendation is resolved based on the JMD's plans to establish a "help desk" dedicated to assisting and tracking the development of certification and accreditation documents by components for IT systems. This recommendation can be closed after our review of documentation demonstrating that the status of certification and accreditation for critical IT systems is being monitored at least quarterly.
  1. Resolved. This recommendation is resolved based on the JMD's plans to use the ASSERT tool in accordance with OMB guidance and modify it, if required, to include fields for identified vulnerabilities, the source of the vulnerabilities, performance measures to track progress in mitigating vulnerabilities, and resources required. This recommendation can be closed after our review of documentation demonstrating that the ASSERT tool captures POA&M data and (1) clearly addresses the vulnerabilities identified from vulnerability assessments, (2) includes the source of the vulnerabilities, (3) describes the performance measures used to track progress in mitigating weaknesses, and (4) identifies resources required for implementing risk mitigation activities for each identified vulnerability.
  1. Resolved. This recommendation is resolved based on the JMD's plans to review the vulnerability assessment of the IT systems that were added to the list to ensure they meet the requirements of PDD-63 and the ITSS's plans to assist the components in developing risk mitigation plans. This recommendation can be closed after our review of the vulnerability assessments and risk mitigation plans for assets newly added to the MEI or documentation indicating that those assets are no longer critical.
  1. Resolved. This recommendation is resolved based on the JMD's statement that according to the results of Step 1 of Project Matrix, the ATF did not have any nationally critical functions, services, or products. This recommendation can be closed after our review of documentation for the results of Step 1 of Project Matrix demonstrating that ATF had no critical functions, services, or products.
  1. Resolved. This recommendation is resolved based on the JMD's plans to develop a work plan for attaining full operational capability. This recommendation can be closed after our review of the plan for attaining full operational capability.
  1. Resolved. This recommendation is resolved based on the JMD's statement that it has developed a draft standard for incident response, which includes requirements for secure, timely, and effective communication channels. This recommendation can be closed after our review of a copy of the final standard and documentation of its implementation.
  1. Resolved. This recommendation is resolved based on the JMD's statements that it currently reports incidents and conducts liaison with the FedCIRC and the NIPC. Additionally, JMD indicated that the DOJCERT will contact the FBI and obtain a point of contact for incident response-related actions in the Strategic Information Operations Center. This recommendation can be closed after our review of a list of liaisons JMD established with FedCIRC, the NIPC, and the Strategic Information Operations Center. We also request, for our review, a copy of the JMD's plans to ensure the effectiveness of the liaisons established.
  1. Resolved. This recommendation is resolved based on the JMD's plans to have the DOJCERT and the Cyber Defense Operations Project Team review the components' incident response plans and reports. In addition, JMD plans that the ITSS C&A "help desk" will provide assistance to the components in developing their incident response procedures and plans. Additionally, JMD intends to use test cases for reporting incidents to verify reporting of incidents. This recommendation can be closed after our review of documentation demonstrating the DOJCERT's and the Cyber Defense Operations Project Team's review of components' incident response plans and reports.
  1. Resolved. This recommendation is resolved based on the JMD's statement that DOJCERT currently conducts analysis of incidents and provides reports on the nature, frequency, category and remediation actions taken and performs analysis to identify potential trends and systemic weaknesses. This recommendation can be closed after our review of the final technical standard and template, the most recently completed examples of DOJCERT analysis and reports on incidents, and the most recently completed analysis of trends and weaknesses. We also would like to review the first evaluation by ITSS using test cases developed from FedCIRC reporting requirements.
  1. Resolved. (a) This recommendation is resolved based on the JMD's statement and its intent to verify DOJCERT's reporting process using test cases. This recommendation can be closed after our review of documentation demonstrating DOJCERT's reporting process resulting from test cases. (b) This recommendation is resolved based on the JMD's plans to use incident reports and analysis provided by DOJCERT to develop a list of vulnerabilities of the critical IT assets. ITSS will review the Exhibit 300s for the critical IT systems and ensure that incident-related vulnerabilities are addressed. This recommendation can be closed after our review of evidence demonstrating that the results of incident reports and analysis provided by DOJCERT are used in the budget process to support and justify future CIP resource expenditures.
  1. Resolved. This recommendation is resolved based on the JMD's plans for the DOJCERT, Cyber Defense Project Team, and C&A "help desk" to provide assistance to the components in developing their internal incident response procedures in the form of standards, template, and document review with comments. This recommendation can be closed after our review of documentation demonstrating that ITSS has copies of the internal response procedures and a list of appropriate individuals for reporting incidents to the DOJCERT.
  1. Resolved. This recommendation is resolved based on the JMD's plans to develop an incident response plan template. In addition, the JMD plans for the DOJCERT and Cyber Defense Operations Project Team to assist the components in testing incident response plans. This recommendation can be closed after our review of documentation demonstrating tests of response plans.
  1. Resolved. This recommendation is resolved based on the JMD's plans to review certification and accreditation documents to determine whether the system has a contingency plan, as critical assets are identified after the conclusion of Step 2 of Project Matrix. This recommendation can be closed after our review of contingency plans for the critical systems.
  1. Resolved. This recommendation is resolved based on the JMD's plans to review contingency plans as they are identified during Step 2 of Project Matrix, maintain a spreadsheet on the status of the contingency plans, and update the data quarterly. This recommendation can be closed after our review of documentation demonstrating quarterly monitoring of contingency planning.
  1. Resolved. This recommendation is resolved based on the JMD's plans to replace DOJ Order 2640.2D with DOJ Order 2640.2E and include requirements of the new order in the contingency plan standard and template. Additionally, the JMD intends to have the contingency plans reviewed at the C&A "help desk" and to use test cases to verify that contingency plans contain the required elements. This recommendation can be closed after our review of documentation demonstrating that contingency plans for critical IT assets address all required elements.
  1. Resolved. This recommendation is resolved based on the JMD's plans to develop a template for contingency plans. The template is expected to include a signature page for the component approving officials and ITSS will track the validation through the ASSERT tool. This recommendation can be closed after our review of documentation demonstrating that the contingency plans for the critical IT assets have been approved by the appropriate officials.
  1. Resolved. This recommendation is resolved based on the JMD's plans to develop a schedule for the testing of contingency plans for all critical IT systems and to monitor those tests. This recommendation can be closed when we receive documentation demonstrating that the contingency plans for the critical IT assets have been tested.
  1. Resolved. This recommendation is resolved based on the JMD's plans to develop and maintain a database to track liaison and interagency relationships for critical IT systems. This recommendation can be closed after our review of documentation demonstrating that a database has been developed to track liaison and interagency relationships and has been populated.
  1. Resolved. This recommendation is resolved based on the JMD's plans to request that components review their service level agreements or Memorandums of Understanding and contact other agencies that indicate the support provided by the Department is critical to their operation. Additionally, Step 2 of Project Matrix will identify agencies that have critical assets that are connected to the Department's systems. This recommendation can be closed after our review of documentation demonstrating that the Department has identified which of its assets are critical to other agencies.
  1. Resolved. This recommendation is resolved based on the JMD's plans to develop and maintain a database to track liaison and interagency relationships for critical IT systems. This recommendation can be closed after our review of documentation demonstrating that a database for tracking liaison and interagency relationships for critical IT systems has been developed and populated.
  1. Resolved. This recommendation is resolved based on the JMD's statement that it has established the Department's Information Technology Security Council (ITSC). The ITSC will be used to address CIP issues. This recommendation can be closed after our review of documentation demonstrating that the ITSC is addressing CIP issues.
  1. Resolved. This recommendation is resolved based on the JMD's plans to complete, after the completion of Project Matrix, an assessment of the linkage between budgetary and personnel shortfalls and the Department's critical infrastructure weaknesses. This recommendation can be closed after our review of documentation demonstrating that JMD has completed an assessment of the linkages between budgetary and personnel shortfalls and critical infrastructure weaknesses.
  1. Resolved. This recommendation is resolved based on the JMD's statement that it has hired an individual from the Cyber Corps Program and is in the process of hiring another. Both of the Cyber Corps individuals will be part of the ITSS and their duties will support parts of the critical infrastructure program, such as developing templates for risk assessments. Additionally, as part of its retention program for security professionals, ITSS sponsors the Department's seminar and testing for the Certified Information Systems Security Professional program. A formal training and retention plan is being developed by the IT Security Employee Services Project Team. This recommendation can be closed after our review of a copy of the formal training and retention plan.