We have audited the Department's implementation of plans to protect its cyber-based infrastructure. We reviewed the Department's efforts to mitigate risks identified from vulnerability assessment; manage emergencies; coordinate with other agencies; meet its resource and organizational requirements; and assess recruitment, education, and awareness efforts.

In connection with the audit, and as required by Government Auditing Standards, we reviewed program activities and records to obtain reasonable assurance about the Department's compliance with laws and regulations that, if not complied with, we believe could have a material effect on program operations. Compliance with laws and regulations applicable to the Department's critical infrastructure planning is the responsibility of the Justice Management Division.

Our audit included examining, on a test basis, evidence about laws and regulations. Specifically, we conducted our tests against the relevant portions of:

• Presidential Decision Directive 63, The Clinton Administration's Policy on Critical Infrastructure Protection, dated May 22, 1998;

• Practices for Securing Critical Information Assets, Critical Infrastructure Assurance Office, dated January 2000;

• Department of Justice Order 2640.2D, Information Technology Security, approved July 12, 2001; and

• The Government Performance and Results Act of 1993.

Except for those issues cited in the Findings and Recommendations section of the report, our tests indicated that, for those items reviewed, the Department was in compliance with the laws and regulations referred to above. With respect to those transactions not tested, nothing came to our attention that caused us to believe that Department management was not in compliance with the laws and regulations cited above.