Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure
Report No. 04-05
Office of the Inspector General
1. ESTABLISHING A RISK MITIGATION PROGRAMOur audit found that the IMSS had not established an effective risk mitigation program.18 Regarding identified CIP program vulnerabilities, IMSS staff indicated that mitigation actions were progressing on schedule; however, we found that the IMSS did not effectively manage the mitigation actions in that project plans lacked key milestone dates and the IMSS did not provide components sufficient time to provide required data for the revalidation of the MEI. Regarding the mitigation of critical IT system vulnerabilities, we found that progress plans to ensure correction of identified security weaknesses were not adequately prepared by the components to allow effective monitoring by the IMSS. This problem occurred because of the short time given to the components to respond and because the components did not adequately respond to data requested by the IMSS for mitigation plans. As a result, the Department has less than adequate assurance that critical IT asset vulnerabilities will be mitigated adequately or timely.
The purpose of the vulnerability assessment is to provide the Department's Chief Infrastructure Assurance Officer with an overall assessment of the CIP program and the vulnerabilities associated with its critical IT system assets.19 The Department's critical IT assets as they relate to CIP are also referred to as the Department's MEI.
The vulnerability assessment identifies the risks and vulnerabilities to the Department's CIP program and its MEI systems and makes recommendations to mitigate the identified risks. In addition, the funding level associated with IT security for each MEI asset and the overall program funding level are identified. This allows the Department's CIO to make informed decisions in support of the Department's ability to execute its mission and goals as those decisions relate to critical infrastructure protection.
Upon completion of the vulnerability assessment, the Department components develop remedial action plans to mitigate the exploitation and the impact of any identified vulnerabilities against critical infrastructure assets until such time as the vulnerability can either be eliminated or reduced to an acceptable level. Remediation refers to those precautionary actions taken before undesirable events occur to reduce known deficiencies and weaknesses that could cause an outage or compromise a law enforcement infrastructure sector or critical asset. The precautions are applicable regardless of whether those events are acts of nature, technology, or through malicious intent. Remediation may include education and awareness, operational process or procedural change, system configuration changes, or system component changes.
The remedial action plan should be system specific and at a minimum contain the following information:
Initially, a CIP Task Force was scheduled to complete the Department Vulnerability Assessment by December 30, 1999, with approval by the Chief Infrastructure Assurance Officer on January 7, 2000.20 The IMSS staff could not explain why the CIP Task Force stopped convening during calendar year 2000, and the Task Force took no further action to complete the vulnerability assessments. JMD eventually completed the assessment in March 2002. The completed vulnerability assessment identified a total of 16 vulnerabilities, 4 of which pertained to the Department's overall CIP program, while the remaining 12 addressed risks in the 20 information technology systems identified in the Department's January 2001 MEI. For individual vulnerabilities, an associated risk rating and the mitigating action for eliminating the vulnerability or reducing the risk of the vulnerability to an acceptable level were identified.
Our audit work disclosed that the IMSS did not establish an effective Department risk mitigation program and that the IMSS's efforts to monitor mitigation actions were not effective. As a result, critical IT asset vulnerabilities may not be adequately or timely mitigated. The specific program and IT asset risk mitigation deficiencies we identified are discussed in the report sections that follow.
JMD completed a vulnerability assessment in March 2002. JMD reviewed the management controls developed to implement the Department's CIP program and evaluated the controls against requirements contained in reports and other documents from the GAO, the National Critical Infrastructure Assurance Office, and the General Services Administration (GSA). The JMD review identified four individual vulnerabilities associated with the program. The vulnerabilities are listed below and discussed in greater detail beginning in the following text.
Several items remain to be completed before the Department can reach full operating capability. In July 2002, IMSS officials indicated that mitigation action for all program vulnerabilities was progressing on target and would be completed on schedule. Our audit work initially found that the IMSS did not effectively manage the mitigation actions. Specifically, project plans were not developed and followed, and the IMSS did not provide components sufficient time to provide required data for the revalidation of the MEI.
We assessed the April 2003 draft CIP plan for project plans. We found that while the IMSS/ITSS had completed project plans, those plans did not include milestone dates by which tasks were to be completed. Those plans did not include completion dates for all tasks, and 54 of 73 tasks were not completed by May 2003. However, in our judgment four key tasks prevent the Department from achieving full operating capability. The four tasks are:
(1) Program Vulnerability #1: Outdated CIP Plan
The March 2002 Vulnerability Assessment discussed the outdated CIP Plan as follows.
The Department's CIP Plan presents the broad direction for the Department's critical infrastructure assurance and provides the longer-range goals, strategies, and performance indicators by which to measure progress toward implementing a viable CIP program. Intended as a "living document," the CIP Plan provides a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the Department's physical and cyber security controls. The Department's initial CIP Plan was prepared by JMD in November 1998. The Plan was revised in April 1999 to address comments of prior reviews of the CIP program.
The March 2002 Vulnerability Assessment identified that the CIP Plan needed updating to incorporate the next phases of the protection strategy and the Department's new strategic plan. The IMSS staff informed us that the task of updating the Plan was assigned to a contractor. The contractor serves as an information technology security consultant to JMD and senior Department managers. Some of the tasks performed by the contractor relating to the Department's vulnerability assessment include providing general IT support to the IMSS, developing a comprehensive vulnerability assessment methodology, and researching and reporting on various methods of performing follow-up actions to ensure vulnerabilities or other issues identified during the performance of vulnerability assessments have been corrected. The contractor also performs other duties not related to the vulnerability assessment such as assisting in data entry for the SMART database.
According to the March 2002 Vulnerability Assessment, the estimated completion date for updating the Plan was December 2002. A Draft CIP Plan was completed April 21, 2003, and finalization was pending comments requested on the plan from the Department of Homeland Security (DHS). IMSS officials indicated that they delayed completion of the new CIP Plan to incorporate guidance from the DHS's most recent draft of the National Strategy to Secure Cyberspace.
(2) Program Vulnerability #2: Revalidating MEI Assets after Events of September 11, 2001
The March 2002 Vulnerability Assessment discussed revalidating MEI assets as follows.
Crucial to developing and implementing a CIP Plan is the identification of critical infrastructure assets. Within the Department, the critical infrastructure is comprised of the computer systems, physical assets, and personnel necessary for the Department to carry out its law enforcement and counterterrorism duties. In identifying the Department's critical computer systems, the CIP Task Force focused on internal and external critical infrastructure components that are needed to protect or support safety and health, law enforcement and national security, the Department's litigation function, the administration of justice, and the Department's business functions. Once the Department's critical infrastructure assets were identified, the assets were listed in a consolidated MEI inventory.
The Department's MEI inventory was identified in a joint effort between the components, SEPS, and IMSS using criteria based on guidance from the CIAO. The identification of the Department's minimum essential infrastructure was completed and formally approved by the Assistant Attorney General for Administration on January 16, 2001. The completed inventory is comprised of three sections: 1) critical IT assets, 2) critical physical assets, and 3) critical personnel assets. Prior to the INS transfer to the DHS in March 2003, the MEI included 20 systems in the DEA, FBI, INS, and JMD.
Subsequent to the events of September 11, 2001, some requirements for critical systems have been revised, and two components (the FBI and INS) have identified additional systems that have not been assessed relative to CIP activities. In view of these developments, JMD identified this as a program vulnerability in its March 2002 Vulnerability Assessment.
According to the March 2002 Vulnerability Assessment, the estimated completion date for revalidating MEI assets was November 2002. The IMSS staff indicated that progress toward the completion date was satisfactory, and that components had a November 1, 2002, suspense date for submitting their updated MEIs to JMD. On October 7, 2002, we asked the IMSS staff for a copy of the memorandum to the components establishing the November 1, 2002, suspense date. The Assistant Director of IMSS responded by saying that the memorandum had not been sent and that the draft was still on his desk. According to the contractor status reports, the contractor had completed the draft by August 12, 2002. The IMSS staff said the memorandum hadn't been mailed because of a shortage of staff. Although the memorandum was eventually sent to the components on October 11, 2002, this was hardly sufficient time for the components to update their MEIs and respond by the November 1, 2002, suspense date.
The revalidated MEI was completed in December 2002. Both the old and new MEI are contained in Appendix 5 of this report. Eight assets were removed from the January 2001 MEI and an additional nine assets were added. A description of the MEI assets is contained in Appendix 6. The assets removed from the MEI were:
The INS assets were removed in anticipation of the transfer of the INS to the DHS. The FBI assets were removed based on a determination that the loss of those assets for 72 hours would not impede the Department from performing its critical infrastructure protection duties.
The assets added to the MEI were:
These assets were added to the MEI based on the revised requirements for identifying critical systems.
(3) Program Vulnerability #3: Risk of Not Meeting Full Operating Capability by May 2003.
The March 2002 Vulnerability Assessment discussed the risk of not meeting full operating capability as follows.
By May 2003 all federal agencies were to achieve and maintain "full operating capability" to protect our nation's critical infrastructures from intentional acts that would significantly diminish its abilities to perform essential national security missions and ensure general public health and safety. According to the Department's March 2002 Vulnerability Assessment, the estimated completion date for achieving full operating capability was the same as the deadline identified in PDD 63, May 2003.
Officials of the IMSS indicated that there are four main aspects to attaining full operating capability:
The National Plan for Information Systems Protection, Version 1.0, issued by the CIAO, describes full operating capability as the ability to ensure that any interruption or manipulation of critical functions is "brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States." The Draft CIP Plan indicates that full operating capability for the Department is comprised of:
In April and May 2003, we sought to update the Department's status in achieving full operating capability. In addressing vulnerabilities identified for the MEI, we noted that the incorporation of vulnerabilities into the SMART database for tracking purposes was incomplete since the database was not set up to track vulnerabilities for classified systems. In assessing the Department's ability to reconstitute and recover assets after an attack, we noted that there were no dates provided for the development of contingency plans for components without plans nor were dates provided for the revision of inadequate plans. Additionally, no further guidance was provided to require testing of the contingency plans. Generally, the IMSS staff could not provide the status of this effort, schedules, or milestone dates for completing the effort.
The Department did not reach full operating capability by May 2003 as required. However, the Department has activities planned and in progress to help it reach full operating capability. Some of those plans lack dates for completion. Absent those dates, there is no assurance that the Department will complete those activities timely or reach full operating capability.
(4) Program Vulnerability #4: Seven MEI Systems Have Not Been Independently Evaluated
The March 2002 Vulnerability Assessment discussed independent evaluation of MEI systems as follows.
Department of Justice Order 2640.2D requires components to ensure the C&A of all systems under their operational control prior to being placed into operation. Until an IT system is certified and accredited, no operational data can be used for any purpose, including testing in pilot systems if live data is used or if the pilot system is connected to a Department network.
For each classified system and for each SBU system the C&A includes:
Once a Department component completes the C&A and its documentation, the C&A is submitted to JMD for the IV&V process that is contracted out to one of four contractors.
The March 2002 Vulnerability Assessment identified that of the 20 mission-essential information systems in the Department, 7 had not received an IV&V as part of the C&A process. We found that the accuracy of IMSS's documented support of its monitoring efforts was questionable. An initial status was documented in the March 2002 Vulnerability Assessment, and again in an undated document that we were told was prepared in October 2002. In the March 2002 Vulnerability Assessment, the FBI's IAFIS and NCIC 2000 systems were both reported as undergoing IV&V process; however, in the previously mentioned undated document, both systems were reported as still undergoing the initial certification and accreditation by the FBI's Security Division. As of May 2003, IAFIS and NCIC 2000 had not undergone the IV&V process. Independent Verification and Validation is a requirement of the certification and accreditation process.
Further, the ATF transferred to the Department from the Department of Treasury in January 2003. According to IMSS staff, ATF systems had received interim certification, and full certification and accreditation of these systems was expected to be completed by September 30, 2003. Critical assets from the ATF had yet to be identified. As a consequence, a vulnerability assessment, risk mitigation plans, and multi-year funding plans had not been developed for critical assets of the ATF.
Information Management and Security Staff officials were unable to provide information on vulnerability assessments for the nine newly added assets from non-ATF components to the MEI. According to IMSS officials, their queries to components were not answered.
(1) Background on Critical IT Asset Vulnerabilities
As previously stated, the March 2002 Vulnerability Assessment identified 12 categories of vulnerabilities among the 20 IT systems comprising the Department's mission-essential inventory. Sources used to identify the 12 information technology vulnerabilities included vulnerability assessments submitted with the C&A packages, OIG system audits, penetration testing, and results from the Department's IV&V program.24 Based on guidance from the GSA, the vulnerability assessments focused on common attack methods and publicly available cyber-attack methods. As established in the CIP Plan, highly esoteric threats and attack methods are to be deferred to the long-range implementation of the CIP program.
Several of the vulnerabilities could potentially allow great harm to the Department's ability to perform its essential national security missions and maintain order. JMD prioritized the vulnerabilities according to the potential effect each was assessed to have on critical IT systems. Listed below are the 12 IT asset vulnerabilities, which are further discussed in Appendix 8:
(2) Processes Used by the IMSS to Monitor Mitigation of the Critical IT Asset Vulnerabilities
For the IMSS to track and manage components' efforts to close security performance gaps, components need to document and report security weaknesses and progress of mitigation actions. Accordingly, in August 2002, the IMSS notified each component to develop Plans of Actions and Milestones (POA&Ms) to ensure identified security weaknesses are corrected. All Department officials would use the POA&MS as the authoritative agency management mechanism to prioritize, track, and manage all agency efforts to close security performance gaps.
Because the Department's POA&M was initially due to the Office of Management and Budget (OMB) by October 1, 2002, the IMSS requested the components to submit individual system and component summary POA&Ms to the IMSS by September 13, 2002. In developing the POA&Ms, components were requested to identify all security weaknesses; indicate how weaknesses were identified (for example, CFO audits, penetration testing, and self assessment); show corrective actions; estimate completion dates; and identify resources required to remediate the IT system weaknesses. Once the POA&Ms were received from components, IMSS staff would then begin entering the data into the SMART database system.
We were told by IMSS officials that they use the SMART database system to monitor the status of the 12 IT asset vulnerabilities. The SMART system is a set of user interface, database management, and business intelligence tools designed to assist the Department CIO and program managers, as well as the security administrators, in identifying, controlling, and monitoring the performance of a component IT security program and its IT systems. During FY 2003, the SMART system is gradually becoming available to security analysts, administrators, and managers in all Department components.
Data pertaining to remediating IT asset vulnerabilities is entered into the SMART system as it is received from the components. Data entered includes all vulnerabilities identified, corrective actions taken or planned, estimated completion dates, resources required to initiate corrective actions in terms of time and dollars, and status (whether the corrective actions are closed or open). Certain data entry fields such as estimated completion dates, resources required, and actions closed are locked once the data is entered.
For SBU computer systems, IMSS officials indicated they had been entering component IT asset vulnerability data into the SMART system since April 2001. An IMSS official indicated that the POA&Ms have been received and entered into the SMART system, but IMSS officials did not provide all of the documentation that was requested regarding this effort. Specifically, IMSS officials did not provide the POA&M from the FBI or SMART data for systems for which the IMSS is tracking risk mitigation activity. Additionally, beginning in January 2003 components were required to provide the IMSS with quarterly updates on risk mitigation activities. Data from these updates were also to be entered in the SMART system. IMSS staff indicated that quarterly updates were being received and entered into the SMART system, but again did not provide documentation that we requested regarding this effort.
For classified computer systems, IMSS staff indicated that a tracking system is being developed into which classified vulnerability data will be entered. The system was expected to be ready for use by July 30, 2003. Twenty nine percent (6 of 21) of the assets are classified systems. The IMSS was unable to explain how tracking currently occurs for classified systems but described the current process as "weak."
Absent the requested documentation for tracking SBU systems and the stated weakness in tracking classified systems, we could not verify that mitigation of vulnerabilities is being properly monitored.
(3) Significant Weaknesses in the IMSS Monitoring of Mitigation Activities for Critical IT Asset Vulnerabilities
We identified the following significant weaknesses regarding the IMSS's efforts to monitor mitigation actions for the 12 critical IT asset vulnerabilities.
(a) POA&Ms Were Not Properly Completed by Components
The August 29, 2002, notification requiring components to develop POA&Ms also contained detailed preparation instructions. As stated in the notification, each component was required to prepare individual system and component summary POA&Ms describing all known IT security weaknesses. At the system level, components were to indicate the source of each weakness, corrective actions, and estimated completion dates.25 Component summaries were required to include a cross-system summary of weaknesses, steps components were taking to correct weaknesses, and completion dates. Components were also required to describe the performance measures that would be used to track progress in mitigating weaknesses.
We evaluated the POA&Ms submitted by the DEA, INS, and JMD, three of the four components with critical IT systems identified in the 2001 MEI. We did not evaluate the POA&Ms submitted by the FBI. We initially requested the FBI information in October 2002. The FBI, at that time, had not provided data to the IMSS because the FBI was undergoing an intensive C&A of a portion of its systems. We updated our audit information in May 2003. Information Management and Security Staff officials indicated that the FBI had provided the IMSS with POA&Ms. We requested the FBI's POA&Ms from the IMSS, but the information had not been provided as of the date of our draft report.
In the 2002 "Summary of the OIG Fiscal Year 2002 Evaluation of the Department of Justice Information Security Program and Practices Pursuant to the Government Information Security Reform Act" report submitted to the OMB, OIG auditors concluded that the Department had not performed timely and effective oversight to ensure implementation of Department security policies. This weakness was evidenced by the components' failure to implement corrective actions in their systems' environment.
Of the POA&Ms we evaluated, none were properly completed or fully usable for tracking mitigation actions for critical IT system weaknesses. Our specific concerns are noted below.
Weaknesses in the POA&Ms appear to result in part from some problems with the Vulnerability Assessment on which the POA&Ms are based. The Vulnerability Assessment does not clearly identify the specific critical IT asset vulnerabilities needing mitigation, and the document contains some internal inconsistencies that could cause problems in preparation of the POA&Ms.
(b) POA&Ms Did Not Adequately Identify Required Resources for Implementing Risk Mitigation Activities
Based on the results of Vulnerability Assessments and the subsequent mitigation and response plans, there is the possibility that additional resources may need to be identified, developed, or procured to ensure the protection of the Department's critical infrastructure.
JMD's initial effort to identify budgeted resources to improve IT security for mission-essential systems is documented in the March 2002 Vulnerability Assessment. Section 5 of the assessment contains the multi-year funding plan that projects the Department will spend approximately $314.5 million in FYs 2002 through 2004 to improve IT security. The funding details are contained in the table on the following page. We noted multimillion-dollar discrepancies in the totals submitted for the FBI, which the IMSS staff acknowledged as a math error. We corrected the table to include the Trilogy amounts in the FBI totals.26
Multi-Year IT Security Funding Plan
(FYs 2002 through 2004)
Although the multi-year funding plan was an initial attempt to identify resources budgeted to improve IT security for mission-essential systems, it did not specifically identify whether sufficient resources were budgeted to remediate the vulnerabilities identified in the March 2002 Vulnerability Assessment. The plan was not linked to the identified vulnerabilities and is not useful in identifying whether the funding amounts presented are adequate to remediate IT systemic vulnerabilities. Accordingly, in the August 29, 2002, notification requiring components to develop POA&Ms, the IMSS also requested that components identify the resources required to mitigate vulnerabilities.
Of the three component POA&Ms that we reviewed, none adequately identified resources required to mitigate vulnerabilities.
We discussed with the IMSS staff these problems with the POA&Ms and asked why their review of the documents did not identify the problems. We were told by the IMSS staff that their review of the POA&Ms consisted of identification of security and planning issues. An IMSS analyst determines whether the planning and funding is adequate to remediate the identified weakness. If it is not, then the IMSS analyst will work with the component's representative to develop adequate plans. Information Management and Security Staff indicated that the INS probably included the $9.3 million funding requirement in its Exhibit 300 for a new system and not to mitigate weaknesses in an older system.27
(c) Process Used to Monitor Components' Progress in Mitigating IT Asset Vulnerabilities Was Ineffective
The IMSS was responsible for monitoring components' progress in mitigating IT asset vulnerabilities by performing quarterly comparison of Exhibit 300s to data stored in the SMART database. The intent of these comparisons is to determine whether actions to mitigate vulnerabilities have been funded and whether mitigating actions are ongoing.
We identified several shortcomings with this process. First, such a comparison may not be effective in that the Exhibit 300s do not provide a sufficient level of detail regarding resources budgeted to mitigate vulnerabilities associated with critical systems. The Exhibit 300s provide a narrative of corrective action but do not consistently associate costs of mitigating specific vulnerabilities. For example, the FBI's Exhibit 300 included an estimate of $569,123 for security costs of the NCIC 2000 system. The FBI's narrative explains that it will cover an audit log server system, additional intrusion detection capability, and a separate Intrusion Detection System (IDS) management network segment that collects firewall and IDS system log files. The FBI's Exhibit 300 does not provide a separate costing for the audit log server system from the additional intrusion detection capability.
At the time of our audit, the Department had not had adequate time to complete vulnerability assessments, risk mitigation plans, or multi-year funding plans for most of the assets newly added to the MEI. While the Department has efforts underway in each of the areas identified above, effective oversight is necessary if the Department is to provide adequate protection of its critical assets.
Second, such a comparison is unnecessary since components are required to identify in the POA&Ms whether required resources were identified and funded. However, the POA&Ms do not appear to be useful for this purpose.
Third, the comparison process was not summarized or documented; consequently, the IMSS was unable to show how much progress components had made in mitigating critical IT system vulnerabilities. The POA&Ms require follow-up guidance from the IMSS to be effective as a risk mitigation monitoring tool.
Through the efforts of the IMSS, the Department has made some progress in establishing and managing a risk mitigation program. The IMSS has accomplished:
Despite this progress, significant problems remain in the Department's management of the risk mitigation program. The major weaknesses that remain are identified below.
The Department has not had adequate time to make a vulnerability assessment or risk mitigation plans for assets newly added to the MEI and for assets transferred from the ATF. While the Department has efforts underway in each of the areas identified above, effective oversight is necessary if the Department is to provide adequate protection of its critical assets.
Our audit work disclosed that the IMSS did not establish an effective Department risk mitigation program and that the IMSS's efforts to monitor mitigation actions were not effective. Regarding the four program vulnerabilities, IMSS officials indicated that mitigation actions were progressing on schedule. However, we initially found that the IMSS did not effectively manage the mitigation actions in that project plans were developed but lacked key milestone dates for completion, and the IMSS did not allow components sufficient time to provide required data.
Regarding the mitigation of the 12 critical IT asset vulnerabilities, we found that the POA&Ms, which were required to ensure the correction of identified security weaknesses, were inadequately prepared by components. None of the POA&Ms identified required resources for implementing risk mitigation activities. Additionally, the process used by the IMSS to monitor components' overall progress in mitigating vulnerabilities was ineffective.
These problems occurred, in part, because IMSS officials did not evaluate the effectiveness of their many risk mitigation-monitoring activities. Although IMSS officials were fully aware of the PDD 63 requirement for achieving full operating capability by May 2003, the Department has not met this requirement. In its revised CIP Plan, key activities are identified but some do not include milestone dates for completion. Further, although the IMSS required components to prepare and submit risk mitigation plans, a thorough review would have disclosed that the plans contained several deficiencies. Although the IMSS was expending considerable resources to enter data from the component risk mitigation plans into its SMART database system, the process used to assess components' progress in mitigating critical risks was ineffective. Also, no system was established for monitoring risk mitigation of classified systems.
As a result of these deficiencies, the Department has not achieved the mandated "full operating capability" and has less than adequate assurance that critical IT asset vulnerabilities will be adequately or timely mitigated.
We recommend that the Assistant Attorney General for Administration: