
Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure

Report No. 04-05
November 2003
Office of the Inspector General


Findings and Recommendations

1. ESTABLISHING A RISK MITIGATION PROGRAM

Our audit found that the IMSS had not established an effective risk mitigation program.18 Regarding identified CIP program vulnerabilities, IMSS staff indicated that mitigation actions were progressing on schedule; however, we found that the IMSS did not effectively manage the mitigation actions in that project plans lacked key milestone dates and the IMSS did not provide components sufficient time to provide required data for the revalidation of the MEI. Regarding the mitigation of critical IT system vulnerabilities, we found that progress plans to ensure correction of identified security weaknesses were not adequately prepared by the components to allow effective monitoring by the IMSS. This problem occurred because of the short time given to the components to respond and because the components did not adequately respond to data requested by the IMSS for mitigation plans. As a result, the Department has less than adequate assurance that critical IT asset vulnerabilities will be mitigated adequately or timely.

A. Vulnerability Assessments and Risk Mitigation

The purpose of the vulnerability assessment is to provide the Department's Chief Infrastructure Assurance Officer with an overall assessment of the CIP program and the vulnerabilities associated with its critical IT system assets.19 The Department's critical IT assets as they relate to CIP are also referred to as the Department's MEI.

The vulnerability assessment identifies the risks and vulnerabilities to the Department's CIP program and its MEI systems and makes recommendations to mitigate the identified risks. In addition, the funding level associated with IT security for each MEI asset and the overall program funding level are identified. This allows the Department's CIO to make informed decisions in support of the Department's ability to execute its mission and goals as those decisions relate to critical infrastructure protection.

Upon completion of the vulnerability assessment, the Department components develop remedial action plans to mitigate the exploitation and the impact of any identified vulnerabilities against critical infrastructure assets until such time as the vulnerability can either be eliminated or reduced to an acceptable level. Remediation refers to those precautionary actions taken before undesirable events occur to reduce known deficiencies and weaknesses that could cause an outage or compromise a law enforcement infrastructure sector or critical asset. The precautions are applicable regardless of whether those events are acts of nature, technology, or through malicious intent. Remediation may include education and awareness, operational process or procedural change, system configuration changes, or system component changes.

The remedial action plan should be system specific and at a minimum contain the following information:

  • responsible office,
  • identification of vulnerability,
  • mission impact,
  • mitigation action,
  • long-term correction, and
  • estimated cost and milestones for recommended corrective measures.

Initially, a CIP Task Force was scheduled to complete the Department Vulnerability Assessment by December 30, 1999, with approval by the Chief Infrastructure Assurance Officer on January 7, 2000.20 The IMSS staff could not explain why the CIP Task Force stopped convening during calendar year 2000, and the Task Force took no further action to complete the vulnerability assessments. JMD eventually completed the assessment in March 2002. The completed vulnerability assessment identified a total of 16 vulnerabilities, 4 of which pertained to the Department's overall CIP program, while the remaining 12 addressed risks in the 20 information technology systems identified in the Department's January 2001 MEI. For individual vulnerabilities, an associated risk rating and the mitigating action for eliminating the vulnerability or reducing the risk of the vulnerability to an acceptable level were identified.

Our audit work disclosed that the IMSS did not establish an effective Department risk mitigation program and that the IMSS's efforts to monitor mitigation actions were not effective. As a result, critical IT asset vulnerabilities may not be adequately or timely mitigated. The specific program and IT asset risk mitigation deficiencies we identified are discussed in the report sections that follow.

B. Progress Toward Mitigating Program Vulnerabilities

JMD completed a vulnerability assessment in March 2002. JMD reviewed the management controls developed to implement the Department's CIP program and evaluated the controls against requirements contained in reports and other documents from the GAO, the National Critical Infrastructure Assurance Office, and the General Services Administration (GSA). The JMD review identified four individual vulnerabilities associated with the program. The vulnerabilities are listed below and discussed in greater detail in the sections that follow.

  1. The CIP Plan was out of date and needed to be updated to incorporate the implementation plan and the Department's new Strategic Plan.
  2. The inventory of mission-essential assets required revalidation by components after the events of September 11, 2001.
  3. JMD needed to address the risk of not meeting the full operating capability date of May 2003.
  4. Seven of the mission-essential systems required an independent evaluation.

Several items remain to be completed before the Department can reach full operating capability. In July 2002, IMSS officials indicated that mitigation action for all program vulnerabilities was progressing on target and would be completed on schedule. Our audit work initially found that the IMSS did not effectively manage the mitigation actions. Specifically, project plans were not developed and followed, and the IMSS did not provide components sufficient time to provide required data for the revalidation of the MEI.

We assessed the project plans contained in the April 2003 draft CIP plan. We found that while the IMSS/ITSS had completed project plans, those plans did not include milestone dates by which tasks were to be completed, nor completion dates for all tasks, and 54 of 73 tasks were not completed by May 2003. In our judgment, four key tasks in particular prevent the Department from achieving full operating capability. The four tasks are:

  • development of contingency plans for systems without plans or revision of inadequate plans (discussed in further detail in finding 2),
  • testing of the contingency plans (discussed in further detail in finding 2),
  • incorporation of vulnerabilities into the Security Management and Report Tool (SMART) database for tracking purposes (discussed later within this finding),21 and
  • development of a SMART database for classified systems (discussed later within this finding).

(1) Program Vulnerability #1: Outdated CIP Plan

The March 2002 Vulnerability Assessment discussed the outdated CIP Plan as follows.

Vulnerability: The CIP Plan is out of date and needs to be updated to incorporate the implementation plan and the Department's new Strategic Plan.
Threat: All threats could exploit this vulnerability.
Discussion: The current plan is over two years old and does not contain current information on the implementation of the Department's protection strategy. PDD 63 requires CIP Plans to be updated at least every two years. Justice Management Division has an informal implementation [plan] for the next phases of the protection strategy, but has not incorporated this plan into the overall Department CIP Plan.
Risk Rating: Low - Moderate
Mitigation Action: JMD will update the CIP Plan and will ensure it is in compliance with the new Executive Orders and other Federal guidance on CIP. In addition, the Plan will map the MEI assets to the Department's new Strategic Plan. Estimated completion: December 2002
Source: Justice Management Division's March 2002 Vulnerability Assessment

The Department's CIP Plan presents the broad direction for the Department's critical infrastructure assurance and provides the longer-range goals, strategies, and performance indicators by which to measure progress toward implementing a viable CIP program. Intended as a "living document," the CIP Plan provides a framework and continuing cycle of activity for managing risk, developing security policies, assigning responsibilities, and monitoring the adequacy of the Department's physical and cyber security controls. The Department's initial CIP Plan was prepared by JMD in November 1998. The Plan was revised in April 1999 to address comments of prior reviews of the CIP program.

The March 2002 Vulnerability Assessment identified that the CIP Plan needed updating to incorporate the next phases of the protection strategy and the Department's new strategic plan. The IMSS staff informed us that the task of updating the Plan was assigned to a contractor. The contractor serves as an information technology security consultant to JMD and senior Department managers. Some of the tasks performed by the contractor relating to the Department's vulnerability assessment include providing general IT support to the IMSS, developing a comprehensive vulnerability assessment methodology, and researching and reporting on various methods of performing follow-up actions to ensure vulnerabilities or other issues identified during the performance of vulnerability assessments have been corrected. The contractor also performs other duties not related to the vulnerability assessment such as assisting in data entry for the SMART database.

According to the March 2002 Vulnerability Assessment, the estimated completion date for updating the Plan was December 2002. A Draft CIP Plan was completed April 21, 2003, and finalization was pending comments requested on the plan from the Department of Homeland Security (DHS). IMSS officials indicated that they delayed completion of the new CIP Plan to incorporate guidance from the DHS's most recent draft of the National Strategy to Secure Cyberspace.

(2) Program Vulnerability #2: Revalidating MEI Assets after Events of September 11, 2001

The March 2002 Vulnerability Assessment discussed revalidating MEI assets as follows.

Vulnerability: MEI assets should be revalidated after the events of September 11, 2001.
Threat: All threats could exploit this vulnerability.
Discussion: The Department's MEI assets were determined prior to the events of September 11, 2001. Although the Department did use the methodology as defined by the CIAO's office, the Department should revalidate the MEI inventory with the components and program managers to ensure all MEI assets are included and meet the CIAO's revised requirements. As an example, the CIAO introduced a 72-hour time requirement on the availability of an IT system; the system is not considered critical unless its non-availability for 72 hours will prevent the Department from fulfilling its PDD 63 missions. Additionally, the INS and FBI have identified additional systems during the C&A process that have not been assessed relating to CIP activities.
Risk Rating: Moderate
Mitigation Action: JMD will explore the use of Project Matrix to assist the Department in revalidating the MEI systems and critical assets.22 If Project Matrix is not used, JMD, using contractor support, will revalidate the Department's MEI IT assets. Justice Management Division will use the same approved methodology for the revalidation as was used for the initial selection of MEI along with new guidance identified by the CIAO's office. Estimated completion: November 2002
Source: Justice Management Division's March 2002 Vulnerability Assessment

Crucial to developing and implementing a CIP Plan is the identification of critical infrastructure assets. Within the Department, the critical infrastructure is comprised of the computer systems, physical assets, and personnel necessary for the Department to carry out its law enforcement and counterterrorism duties. In identifying the Department's critical computer systems, the CIP Task Force focused on internal and external critical infrastructure components that are needed to protect or support safety and health, law enforcement and national security, the Department's litigation function, the administration of justice, and the Department's business functions. Once the Department's critical infrastructure assets were identified, the assets were listed in a consolidated MEI inventory.

The Department's MEI inventory was identified in a joint effort between the components, SEPS, and IMSS using criteria based on guidance from the CIAO. The identification of the Department's minimum essential infrastructure was completed and formally approved by the Assistant Attorney General for Administration on January 16, 2001. The completed inventory is comprised of three sections: 1) critical IT assets, 2) critical physical assets, and 3) critical personnel assets. Prior to the INS transfer to the DHS in March 2003, the MEI included 20 systems in the DEA, FBI, INS, and JMD.

Subsequent to the events of September 11, 2001, some requirements for critical systems have been revised, and two components (the FBI and INS) have identified additional systems that have not been assessed relative to CIP activities. In view of these developments, JMD identified this as a program vulnerability in its March 2002 Vulnerability Assessment.

According to the March 2002 Vulnerability Assessment, the estimated completion date for revalidating MEI assets was November 2002. The IMSS staff indicated that progress toward the completion date was satisfactory, and that components had a November 1, 2002, suspense date for submitting their updated MEIs to JMD. On October 7, 2002, we asked the IMSS staff for a copy of the memorandum to the components establishing the November 1, 2002, suspense date. The Assistant Director of IMSS responded by saying that the memorandum had not been sent and that the draft was still on his desk. According to the contractor status reports, the contractor had completed the draft by August 12, 2002. The IMSS staff said the memorandum had not been mailed because of a shortage of staff. Although the memorandum was eventually sent to the components on October 11, 2002, this was hardly sufficient time for the components to update their MEIs and respond by the November 1, 2002, suspense date.

The revalidated MEI was completed in December 2002. Both the old and new MEI are contained in Appendix 5 of this report. Eight assets were removed from the January 2001 MEI and an additional nine assets were added. A description of the MEI assets is contained in Appendix 6. The assets removed from the MEI were:

  INS:
    • Central Index System (CIS)
    • Enforcement Case Tracking System (ENFORCE)
    • Automated Biometric Identification System (IDENT)
    • Immigration and Naturalization Service's Integrated National Communications System (INSINC)

  FBI:
    • Criminal Justice Information System Wide Area Network (CJIS WAN)
    • InfraGard
    • Intelligence Information System Network (IISNET)
    • Secure Automated Messaging Network (SAMNET)

The INS assets were removed in anticipation of the transfer of the INS to the DHS. The FBI assets were removed based on a determination that the loss of those assets for 72 hours would not impede the Department from performing its critical infrastructure protection duties.

The assets added to the MEI were:

  DEA:
    • Centralized Data Intercept
    • Electronic File Room
    • Wide Area Network
    • GESCAN
    • Firebird nodes in Special Operations Division (SOD) and Command Center

  FBI:
    • Key Asset Database
    • Secure Radio System
    • Digital Storm Collection

  JMD:
    • Metropolitan Area Network (MAN)

These assets were added to the MEI based on the revised requirements for identifying critical systems.

(3) Program Vulnerability #3: Risk of Not Meeting Full Operating Capability by May 2003

The March 2002 Vulnerability Assessment discussed the risk of not meeting full operating capability as follows.

Vulnerability: Risk of not meeting the Full Operating Capability date of May 2003.
Threat: All threats could exploit this vulnerability.
Discussion: PDD 63 requires that by May 2003 all Federal agencies achieve and maintain the ability to protect our nation's critical infrastructures from intentional acts that would significantly diminish its abilities to perform essential national security missions and ensure general public health and safety. This is referred to as "full operating capability" in PDD 63. Any interruptions of these functions must be brief, infrequent, manageable, and minimally detrimental to the welfare of the United States. To achieve the full operating capability, the Department needs to be able to participate in information/intelligence sharing, respond to attacks, or reconstitute systems after successful attacks.
Risk Rating: Moderate
Mitigation Action: JMD will coordinate with the Department's computer emergency response team and components with MEI systems to ensure they have coordinated actions in the event of an attack. Justice Management Division will also coordinate with the components to ensure the contingency plans for critical IT assets are tested and kept up to date. The Department must address the vulnerabilities identified within the individual MEI system assets, and prioritize the vulnerabilities with greatest risks to the Department. Estimated completion: May 2003
Source: Justice Management Division's March 2002 Vulnerability Assessment

By May 2003 all federal agencies were to achieve and maintain "full operating capability" to protect our nation's critical infrastructures from intentional acts that would significantly diminish its abilities to perform essential national security missions and ensure general public health and safety. According to the Department's March 2002 Vulnerability Assessment, the estimated completion date for achieving full operating capability was the same as the deadline identified in PDD 63, May 2003.

Officials of the IMSS indicated that there are four main aspects to attaining full operating capability:

  • relocating the DOJCERT to the newly established ITSS,
  • integrating the Department's CIP Plan with the planning efforts of the National Infrastructure Protection Center (NIPC),23
  • increasing the reporting of incidents of infrastructure attacks (as of October 2002, only the FBI reported incidents involving SBU systems), and
  • completing an update to the CIP Plan.

The National Plan for Information Systems Protection, Version 1.0, issued by the CIAO, describes full operating capability as the ability to ensure that any interruption or manipulation of critical functions is "brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States." The Draft CIP Plan indicates that full operating capability for the Department is comprised of:

  • identifying the MEI and interdependencies and identifying and addressing their vulnerabilities,
  • detecting attacks and unauthorized intrusions,
  • sharing attack warning and information in a secure and timely manner, and
  • responding to attacks and reconstituting and recovering assets that were subject to attacks.

In April and May 2003, we sought to update the Department's status in achieving full operating capability. In addressing vulnerabilities identified for the MEI, we noted that the incorporation of vulnerabilities into the SMART database for tracking purposes was incomplete since the database was not set up to track vulnerabilities for classified systems. In assessing the Department's ability to reconstitute and recover assets after an attack, we noted that there were no dates provided for the development of contingency plans for components without plans nor were dates provided for the revision of inadequate plans. Additionally, no further guidance was provided to require testing of the contingency plans. Generally, the IMSS staff could not provide the status of this effort, schedules, or milestone dates for completing the effort.

The Department did not reach full operating capability by May 2003 as required. However, the Department has activities planned and in progress to help it reach full operating capability. Some of those plans lack dates for completion. Absent those dates, there is no assurance that the Department will complete those activities timely or reach full operating capability.

(4) Program Vulnerability #4: Seven MEI Systems Have Not Been Independently Evaluated

The March 2002 Vulnerability Assessment discussed independent evaluation of MEI systems as follows.

Vulnerability: Seven of the MEI systems have not been independently evaluated and contain unknown system vulnerabilities.
Threat: All threats could exploit this vulnerability.
Discussion: Of the 20 MEI systems, 7 have not received an independent evaluation. The current assessments rely only on the program manager's assessment.
Risk Rating: Low
Mitigation Action: JMD will conduct IV&V [independent verification and validation] or penetration testing for the systems that have not undergone any independent evaluation. Two of the FBI systems (SAMNET and InfraGard) will be evaluated by the FBI later this year [2002]. Three systems [DEA Model 204 (M204), Integrated Automated Fingerprint ID System (IAFIS), and National Crime Information Center System, (NCIC 2000)] are currently undergoing IV&V, and the final two systems (ENFORCE, IDENT) will be scheduled for review in late 2002 along with the two FBI systems. Estimated completion date: January 2003
Source: Justice Management Division's March 2002 Vulnerability Assessment

Department of Justice Order 2640.2D requires components to ensure the C&A of all systems under their operational control prior to being placed into operation. Until an IT system is certified and accredited, no operational data can be used for any purpose, including testing in pilot systems if live data is used or if the pilot system is connected to a Department network.

For each classified system and for each SBU system the C&A includes:

  • preparing a system security plan;
  • performing a risk analysis to identify security risks, determine their magnitude, and identify areas needing safeguarding;
  • conducting and documenting a system test and evaluation;
  • developing a security procedures guide;
  • preparing and testing a contingency plan;
  • preparing a summary of compliance with the security requirements and the statement of residual risk; and
  • preparing a security evaluation report with a recommendation as to whether or not to accredit the system based on documented residual risks.

Once a Department component completes the C&A and its documentation, the C&A is submitted to JMD for the IV&V process that is contracted out to one of four contractors.

The March 2002 Vulnerability Assessment identified that of the 20 mission-essential information systems in the Department, 7 had not received an IV&V as part of the C&A process. We found that the accuracy of IMSS's documented support of its monitoring efforts was questionable. An initial status was documented in the March 2002 Vulnerability Assessment, and again in an undated document that we were told was prepared in October 2002. In the March 2002 Vulnerability Assessment, the FBI's IAFIS and NCIC 2000 systems were both reported as undergoing the IV&V process; however, in the previously mentioned undated document, both systems were reported as still undergoing the initial certification and accreditation by the FBI's Security Division. As of May 2003, IAFIS and NCIC 2000 had not undergone the IV&V process. Independent Verification and Validation is a requirement of the certification and accreditation process.

Further, the ATF transferred to the Department from the Department of Treasury in January 2003. According to IMSS staff, ATF systems had received interim certification, and full certification and accreditation of these systems was expected to be completed by September 30, 2003. Critical assets from the ATF had yet to be identified. As a consequence, a vulnerability assessment, risk mitigation plans, and multi-year funding plans had not been developed for critical assets of the ATF.

Information Management and Security Staff officials were unable to provide information on vulnerability assessments for the nine newly added assets from non-ATF components to the MEI. According to IMSS officials, their queries to components were not answered.

C. Progress Toward Mitigating Critical IT Asset Vulnerabilities

(1) Background on Critical IT Asset Vulnerabilities

As previously stated, the March 2002 Vulnerability Assessment identified 12 categories of vulnerabilities among the 20 IT systems comprising the Department's mission-essential inventory. Sources used to identify the 12 information technology vulnerabilities included vulnerability assessments submitted with the C&A packages, OIG system audits, penetration testing, and results from the Department's IV&V program.24 Based on guidance from the GSA, the vulnerability assessments focused on common attack methods and publicly available cyber-attack methods. As established in the CIP Plan, highly esoteric threats and attack methods are to be deferred to the long-range implementation of the CIP program.

Several of the vulnerabilities could potentially allow great harm to the Department's ability to perform its essential national security missions and maintain order. JMD prioritized the vulnerabilities according to the potential effect each was assessed to have on critical IT systems. Listed below are the 12 IT asset vulnerabilities, which are further discussed in Appendix 8:

  • lack of auditing features, audit trails, or policies and procedures;
  • improper or inadequate password protection, password aging, and construction;
  • lack of encryption;
  • software patches not installed for known vulnerabilities;
  • lack of, limited, or untested contingency plans;
  • lack of computer security incident response capability;
  • lack of access controls;
  • lack of configuration management;
  • lack of intrusion detection;
  • lack of or inadequate virus protection;
  • exploitable network services enabled; and
  • lack of warning banners.

(2) Processes Used by the IMSS to Monitor Mitigation of the Critical IT Asset Vulnerabilities

For the IMSS to track and manage components' efforts to close security performance gaps, components need to document and report security weaknesses and the progress of mitigation actions. Accordingly, in August 2002, the IMSS notified each component to develop Plans of Actions and Milestones (POA&Ms) to ensure identified security weaknesses are corrected. All Department officials would use the POA&Ms as the authoritative agency management mechanism to prioritize, track, and manage all agency efforts to close security performance gaps.

Because the Department's POA&M was initially due to the Office of Management and Budget (OMB) by October 1, 2002, the IMSS requested the components to submit individual system and component summary POA&Ms to the IMSS by September 13, 2002. In developing the POA&Ms, components were requested to identify all security weaknesses; indicate how weaknesses were identified (for example, CFO audits, penetration testing, and self assessment); show corrective actions; estimate completion dates; and identify resources required to remediate the IT system weaknesses. Once the POA&Ms were received from components, IMSS staff would then begin entering the data into the SMART database system.

We were told by IMSS officials that they use the SMART database system to monitor the status of the 12 IT asset vulnerabilities. The SMART system is a set of user interface, database management, and business intelligence tools designed to assist the Department CIO and program managers, as well as the security administrators, in identifying, controlling, and monitoring the performance of a component IT security program and its IT systems. During FY 2003, the SMART system is gradually becoming available to security analysts, administrators, and managers in all Department components.

Data pertaining to remediating IT asset vulnerabilities is entered into the SMART system as it is received from the components. Data entered includes all vulnerabilities identified, corrective actions taken or planned, estimated completion dates, resources required to initiate corrective actions in terms of time and dollars, and status (whether the corrective actions are closed or open). Certain data entry fields such as estimated completion dates, resources required, and actions closed are locked once the data is entered.

For SBU computer systems, IMSS officials indicated they had been entering component IT asset vulnerability data into the SMART system since April 2001. An IMSS official indicated that the POA&Ms have been received and entered into the SMART system, but IMSS officials did not provide all of the documentation that was requested regarding this effort. Specifically, IMSS officials did not provide the POA&M from the FBI or SMART data for systems for which the IMSS is tracking risk mitigation activity. Additionally, beginning in January 2003 components were required to provide the IMSS with quarterly updates on risk mitigation activities. Data from these updates were also to be entered in the SMART system. IMSS staff indicated that quarterly updates were being received and entered into the SMART system, but again did not provide documentation that we requested regarding this effort.

For classified computer systems, IMSS staff indicated that a tracking system is being developed into which classified vulnerability data will be entered. The system was expected to be ready for use by July 30, 2003. Twenty-nine percent (6 of 21) of the assets are classified systems. The IMSS was unable to explain how tracking currently occurs for classified systems but described the current process as "weak."

Absent the requested documentation for tracking SBU systems and the stated weakness in tracking classified systems, we could not verify that mitigation of vulnerabilities is being properly monitored.

(3) Significant Weaknesses in the IMSS Monitoring of Mitigation Activities for Critical IT Asset Vulnerabilities

We identified the following significant weaknesses regarding the IMSS's efforts to monitor mitigation actions for the 12 critical IT asset vulnerabilities.

(a) POA&Ms Were Not Properly Completed by Components

The August 29, 2002, notification requiring components to develop POA&Ms also contained detailed preparation instructions. As stated in the notification, each component was required to prepare individual system and component summary POA&Ms describing all known IT security weaknesses. At the system level, components were to indicate the source of each weakness, corrective actions, and estimated completion dates.25 Component summaries were required to include a cross-system summary of weaknesses, steps components were taking to correct weaknesses, and completion dates. Components were also required to describe the performance measures that would be used to track progress in mitigating weaknesses.

We evaluated the POA&Ms submitted by the DEA, INS, and JMD, three of the four components with critical IT systems identified in the 2001 MEI. We did not evaluate the POA&Ms submitted by the FBI. We initially requested the FBI information in October 2002. The FBI, at that time, had not provided data to the IMSS because the FBI was undergoing an intensive C&A of a portion of its systems. We updated our audit information in May 2003. Information Management and Security Staff officials indicated that the FBI had provided the IMSS with POA&Ms. We requested the FBI's POA&Ms from the IMSS, but the information had not been provided as of the date of our draft report.

In the 2002 "Summary of the OIG Fiscal Year 2002 Evaluation of the Department of Justice Information Security Program and Practices Pursuant to the Government Information Security Reform Act" report submitted to the OMB, OIG auditors concluded that the Department had not performed timely and effective oversight to ensure implementation of Department security policies. This weakness was evidenced by the components' failure to implement corrective actions in their systems' environment.

Of the POA&Ms we evaluated, none were properly completed or fully usable for tracking mitigation actions for critical IT system weaknesses. Our specific concerns are noted below.

  • Of the 43 risk items identified in the vulnerability assessments for the DEA, INS, and JMD critical IT systems, only 20 risk items were addressed in the POA&M submissions. Consequently, mitigation actions for most of the vulnerabilities identified in the Department Vulnerability Assessment were not addressed by components. Although the POA&Ms are intended to reflect existing plans to correct IT weaknesses, it appears that there are no plans to correct 23 of the known weaknesses.
  • None of the components identified the source of weaknesses reported in POA&Ms. Consequently, we were unable to determine whether all sources of IT security weaknesses were considered by components in developing the POA&Ms.
  • None of the components described the performance measures that would be used to track progress in mitigating weaknesses as required in the August 29, 2002, notification.
  • JMD's POA&M was structured as a self-assessment questionnaire that, in our judgment, was not usable for monitoring mitigation actions.
  • The DEA's POA&M did not include planned corrective actions.

Weaknesses in the POA&Ms appear to result in part from some problems with the Vulnerability Assessment on which the POA&Ms are based. The Vulnerability Assessment does not clearly identify the specific critical IT asset vulnerabilities needing mitigation, and the document contains some internal inconsistencies that could cause problems in preparation of the POA&Ms.

(b) POA&Ms Did Not Adequately Identify Required Resources for Implementing Risk Mitigation Activities

Based on the results of Vulnerability Assessments and the subsequent mitigation and response plans, there is the possibility that additional resources may need to be identified, developed, or procured to ensure the protection of the Department's critical infrastructure.

JMD's initial effort to identify budgeted resources to improve IT security for mission-essential systems is documented in the March 2002 Vulnerability Assessment. Section 5 of the assessment contains the multi-year funding plan that projects the Department will spend approximately $314.5 million in FYs 2002 through 2004 to improve IT security. The funding details are contained in the table below. We noted multimillion-dollar discrepancies in the totals submitted for the FBI, which the IMSS staff acknowledged as a math error. We corrected the table to include the Trilogy amounts in the FBI totals.26

Multi-Year IT Security Funding Plan
(FYs 2002 through 2004)

Line item                                                                  FY 02         FY 03         FY 04
Justice Management Division
  Critical Infrastructure Protection Program Contract Support            $71,135      $123,366      $125,833
  Justice Data Centers                                                $2,302,200    $1,583,000    $1,617,330
  Justice Consolidated Network                                          $196,260      $200,000      $202,635
  Component Total by FY                                               $2,569,595    $1,906,366    $1,945,798

Drug Enforcement Administration
  Information Security Initiative                                     $2,879,000    $6,683,000    $6,843,000
  El Paso Intelligence Center Information System                        $163,400      $477,000      $747,000
  Mercury (See Note #1)                                                       $0            $0            $0
  Merlin                                                                $385,700      $648,499    $1,512,634
  Firebird                                                            $2,201,100   $18,053,400   $18,053,400
  Model 204 Applications                                                $809,400    $2,180,000    $2,230,000
  Component Total by FY                                               $6,438,600   $28,041,899   $29,386,034

Federal Bureau of Investigation
  Information Assurance Initiative                                   $58,573,000   $74,570,000   $39,981,000
  Trilogy                                                            $13,214,520    $1,430,320    $2,901,760
  Mainframes and Applications                                           $574,294      $750,000      $759,924
  Criminal Justice Information System (CJIS) WAN                        $193,800      $452,000      $452,000
  InfraGard (See Note #2)                                                     $0            $0            $0
  Integrated Automated Fingerprint Identification System (IAFIS)        $408,910      $316,696      $316,210
  National Crime Information Center 2000 (NCIC 2000)                    $268,690      $202,463      $207,750
  Intelligence Information System (IISNET) (No Data provided)
  Secure Automated Messaging Network (SAMNET)                           $329,500      $436,000      $341,000
  FBI Wide Area Network (FBI NET)                                       $290,000      $290,000      $290,000
  Component Total by FY                                              $73,852,714   $78,447,479   $45,249,644

Immigration and Naturalization Service
  Atlas Project                                                       $4,351,000   $17,998,000   $18,870,170
  Central Index System (CIS)                                            $259,500       $75,000       $45,000
  Enforcement Case Tracking System (ENFORCE)                          $1,449,250      $985,525      $734,598
  Automated Biometric Identification System (IDENT)                     $651,700      $646,500      $638,950
  Wide Area Network (INSINC) (See Note #3)                                    $0            $0            $0
  Component Total by FY                                               $6,711,450   $19,705,025   $20,288,718

Total by FY                                                          $89,572,359  $128,100,769   $96,870,194
Total all FYs                                                       $314,543,322

Notes:
#1 - Funding for Mercury is included in the funding for Merlin and the Information Assurance Initiative.
#2 - No funding information available.
#3 - Funding for INSINC is included in the funding for the Atlas Project.
Source: JMD's March 2002 Vulnerability Assessment as recalculated by the OIG

Although the multi-year funding plan was an initial attempt to identify resources budgeted to improve IT security for mission-essential systems, it did not specifically identify whether sufficient resources were budgeted to remediate the vulnerabilities identified in the March 2002 Vulnerability Assessment. The plan was not linked to the identified vulnerabilities and was therefore not useful in determining whether the funding amounts presented were adequate to remediate systemic IT vulnerabilities. Accordingly, in the August 29, 2002, notification requiring components to develop POA&Ms, the IMSS also requested that components identify the resources required to mitigate vulnerabilities.

Of the three component POA&Ms that we reviewed, none adequately identified resources required to mitigate vulnerabilities.

  • In its summary POA&M, the INS identified $9,350,703 in additional funding required to mitigate known IT system vulnerabilities. However, in each of its supporting system-level POA&Ms, the INS indicated that no additional resources would be required to mitigate vulnerabilities. This discrepancy was apparently undetected by the IMSS's review of the INS's POA&M.
  • The POA&M submitted by JMD did not address budgeted resources required to mitigate vulnerabilities.
  • The POA&M submitted by the DEA contained a column for recording resources required to mitigate vulnerabilities; however, most of the column was blank.

We discussed with the IMSS staff these problems with the POA&Ms and asked why their review of the documents did not identify the problems. We were told by the IMSS staff that their review of the POA&Ms consisted of identification of security and planning issues. An IMSS analyst determines whether the planning and funding is adequate to remediate the identified weakness. If it is not, then the IMSS analyst will work with the component's representative to develop adequate plans. Information Management and Security Staff indicated that the INS probably included the $9.3 million funding requirement in its Exhibit 300 for a new system and not to mitigate weaknesses in an older system.27
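The three checks the audit applied by hand above (whether every Vulnerability Assessment risk item is addressed by some POA&M line, whether each line carries the fields the August 29, 2002, notification required, and whether a component's summary funding figure reconciles with its system-level entries) are mechanical enough to automate. The following is an added example written for this page, not the Department's or the IMSS's own tooling and not the SMART database; the data model, field names, risk item identifiers and sample entries are all constructed for illustration. The summary figure in the sample deliberately mirrors the INS case, where the summary POA&M states a large requirement that the system-level POA&Ms do not support.

```python
"""
POA&M consistency checks: coverage of assessment risk items, presence of the
required fields, and reconciliation of the summary funding figure against the
system-level entries. Added example; not the Department's or the IMSS's code.
All names and sample data are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Fields required on each system-level POA&M line: the notification asked for
# source, corrective action and estimated completion date, plus a performance
# measure; the resources column was added by the later IMSS request.
REQUIRED_FIELDS = ("source", "corrective_action", "completion_date",
                   "performance_measure", "resources")


@dataclass
class PoamEntry:
    entry_id: str
    risk_item: Optional[str]          # assessment risk item ID this line mitigates, if any
    source: str = ""                  # audit, penetration test, self-assessment, assessment
    corrective_action: str = ""
    completion_date: str = ""         # estimated completion date (ISO text)
    performance_measure: str = ""     # how progress will be measured
    resources: Optional[int] = None   # dollars required; None means not stated


def unaddressed_risks(va_risk_ids: Iterable[str], entries: List[PoamEntry]) -> List[str]:
    """Risk items from the assessment that no POA&M line claims to mitigate."""
    covered = {e.risk_item for e in entries if e.risk_item}
    return sorted(set(va_risk_ids) - covered)


def missing_fields(entries: List[PoamEntry]) -> Dict[str, List[str]]:
    """Map entry_id to the list of required fields left blank or not stated."""
    problems: Dict[str, List[str]] = {}
    for e in entries:
        missing = [f for f in REQUIRED_FIELDS if getattr(e, f) in ("", None)]
        if missing:
            problems[e.entry_id] = missing
    return problems


def reconcile_resources(summary_total: int, entries: List[PoamEntry]) -> Dict[str, int]:
    """Compare the summary POA&M total with the sum of the system-level entries."""
    system_total = sum(e.resources or 0 for e in entries)
    return {"summary": summary_total, "system_level": system_total,
            "difference": summary_total - system_total}


def validate_poam(va_risk_ids: Iterable[str], summary_total: int,
                  entries: List[PoamEntry]) -> dict:
    """Run all three checks; 'usable' is True only when every check is clean."""
    report = {
        "unaddressed": unaddressed_risks(va_risk_ids, entries),
        "missing_fields": missing_fields(entries),
        "resources": reconcile_resources(summary_total, entries),
    }
    report["usable"] = (not report["unaddressed"]
                        and not report["missing_fields"]
                        and report["resources"]["difference"] == 0)
    return report


# Constructed sample input: a hypothetical component with five assessment risk
# items and three POA&M lines. Not taken from any actual submission.
SAMPLE_VA_RISKS = ["VA-01", "VA-02", "VA-03", "VA-04", "VA-05"]
SAMPLE_SUMMARY_TOTAL = 9_350_703   # figure stated on the summary POA&M
SAMPLE_ENTRIES = [
    PoamEntry("E1", "VA-01", source="vulnerability assessment",
              corrective_action="Enable audit logging on database host",
              completion_date="2003-06-30", performance_measure="% of hosts logging",
              resources=250_000),
    PoamEntry("E2", "VA-02", corrective_action="Deploy IDS sensor",
              completion_date="2003-09-30"),            # no source, measure or resources
    PoamEntry("E3", None, source="self-assessment",
              corrective_action="Apply vendor patches", completion_date="2003-03-31",
              resources=0),                             # not tied to any assessment item
]

if __name__ == "__main__":
    import json
    print(json.dumps(validate_poam(SAMPLE_VA_RISKS, SAMPLE_SUMMARY_TOTAL, SAMPLE_ENTRIES),
                     indent=2))
```

On the sample, the report lists VA-03 through VA-05 as unaddressed, flags E2 and E3 for blank required fields, and shows a $9,100,703 gap between the summary figure and the system-level lines, so the POA&M is marked not usable. A reviewer working from such a report can go straight to the component with the specific lines to correct, which is the follow-up the audit found the IMSS review did not produce.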

(c) Process Used to Monitor Components' Progress in Mitigating IT Asset Vulnerabilities Was Ineffective

The IMSS was responsible for monitoring components' progress in mitigating IT asset vulnerabilities by performing quarterly comparison of Exhibit 300s to data stored in the SMART database. The intent of these comparisons is to determine whether actions to mitigate vulnerabilities have been funded and whether mitigating actions are ongoing.

We identified several shortcomings with this process. First, such a comparison may not be effective in that the Exhibit 300s do not provide a sufficient level of detail regarding resources budgeted to mitigate vulnerabilities associated with critical systems. The Exhibit 300s provide a narrative of corrective action but do not consistently associate costs of mitigating specific vulnerabilities. For example, the FBI's Exhibit 300 included an estimate of $569,123 for security costs of the NCIC 2000 system. The FBI's narrative explains that it will cover an audit log server system, additional intrusion detection capability, and a separate Intrusion Detection System (IDS) management network segment that collects firewall and IDS system log files. The FBI's Exhibit 300 does not provide a separate costing for the audit log server system from the additional intrusion detection capability.

Second, such a comparison is unnecessary since components are required to identify in the POA&Ms whether required resources were identified and funded. However, the POA&Ms do not appear to be useful for this purpose.

Third, the comparison process was not summarized or documented; consequently, the IMSS was unable to show how much progress components had made in mitigating critical IT system vulnerabilities. The POA&Ms require follow-up guidance from the IMSS to be effective as a risk mitigation monitoring tool.

At the time of our audit, the Department had not had adequate time to complete vulnerability assessments, risk mitigation plans, or multi-year funding plans for most of the assets newly added to the MEI. While the Department has efforts underway in each of the areas identified above, effective oversight is necessary if the Department is to provide adequate protection of its critical assets.

D. Conclusions

Through the efforts of the IMSS, the Department has made some progress in establishing and managing a risk mitigation program. The IMSS has accomplished:

  • completion of vulnerability assessments,
  • development of risk mitigation plans (though none properly completed),
  • development of the SMART database to track risk mitigation for SBU systems,
  • completion of drafting a new CIP Plan, and
  • revalidation of MEI after September 11, 2001.

Despite this progress, significant problems remain in the Department's management of the risk mitigation program. The major weaknesses that remain are identified below.

  • Identification of critical assets from the ATF has yet to be completed.
  • Vulnerability assessments, risk mitigation plans, and a multi-year funding plan were not developed for assets newly added to the MEI and for those to be identified from the ATF.
  • The IMSS has not developed a system to track risk mitigation for classified systems.
  • Resources required to mitigate vulnerabilities were not adequately identified.
  • Plans of Actions and Milestones were not adequately completed by components.

The Department has not had adequate time to make a vulnerability assessment or risk mitigation plans for assets newly added to the MEI and for assets transferred from the ATF. While the Department has efforts underway in each of the areas identified above, effective oversight is necessary if the Department is to provide adequate protection of its critical assets.

Our audit work disclosed that the IMSS did not establish an effective Department risk mitigation program and that the IMSS's efforts to monitor mitigation actions were not effective. Regarding the four program vulnerabilities, IMSS officials indicated that mitigation actions were progressing on schedule. However, we found that the IMSS did not effectively manage the mitigation actions in that project plans were developed but lacked key milestone dates for completion, and the IMSS did not allow components sufficient time to provide required data.

Regarding the mitigation of the 12 critical IT asset vulnerabilities, we found that the POA&Ms, which were required to ensure the correction of identified security weaknesses, were inadequately prepared by components. None of the POA&Ms identified required resources for implementing risk mitigation activities. Additionally, the process used by the IMSS to monitor components' overall progress in mitigating vulnerabilities was ineffective.

These problems occurred, in part, because IMSS officials did not evaluate the effectiveness of their many risk mitigation-monitoring activities. Although IMSS officials were fully aware of the PDD 63 requirement for achieving full operating capability by May 2003, the Department has not met this requirement. In its revised CIP Plan, key activities are identified but some do not include milestone dates for completion. Further, although the IMSS required components to prepare and submit risk mitigation plans, a thorough review would have disclosed that the plans contained several deficiencies. Although the IMSS was expending considerable resources to enter data from the component risk mitigation plans into its SMART database system, the process used to assess components' progress in mitigating critical risks was ineffective. Also, no system was established for monitoring risk mitigation of classified systems.

As a result of these deficiencies, the Department has not achieved the mandated "full operating capability" and has less than adequate assurance that critical IT asset vulnerabilities will be adequately or timely mitigated.

E. Recommendations

We recommend that the Assistant Attorney General for Administration:

  1. Develop a tracking system for risk mitigation activities for classified MEI systems.
  2. Develop a multi-year funding plan based on resources required to mitigate vulnerabilities as identified in revised POA&Ms.
  3. Revise the current process used to monitor components' progress in mitigating critical IT vulnerabilities to a clear component-by-component summary.
  4. Monitor and document, at least quarterly, the status of certification and accreditation for critical IT systems.
  5. Ensure components submit POA&Ms completed in accordance with OMB guidance. At a minimum, the component's POA&Ms should: a) clearly address the vulnerabilities identified in the Department Vulnerability Assessment, b) include the source of the vulnerabilities so readers can refer back to the Department Vulnerability Assessment to obtain additional information, c) describe the performance measures used to track progress in mitigating weaknesses, and d) identify resources required for implementing risk mitigation activities for each identified vulnerability.
  6. Conduct vulnerability assessments and develop risk mitigation plans for assets newly added to the MEI.
  7. Determine the critical assets within the ATF and perform vulnerability assessments, develop risk mitigation plans, and a multi-year funding plan for those assets.
  8. Develop a work plan, with milestone dates for key activities, for attaining full operational capability for critical infrastructure protection at the earliest possible date.

Footnotes
  1. In May 2003, the CIO reorganized the information resource management function of the Office of the Chief Information Officer. The IMSS was renamed the Information Technology Security Staff (ITSS).
  2. The Chief Infrastructure Assurance Officer is responsible for the protection of all aspects of that department's critical infrastructure other than information assurance. The CIO is responsible for information assurance. PDD 63 requires these officials to establish procedures for obtaining expedient and valid authorities to allow vulnerability assessments to be performed on government computer and physical systems.
  3. The Department's April 1999 CIP Plan provided that "A Critical Infrastructure Protection Task Force (CIPTF) will be responsible for CIP Plan development and implementation within their respective components . . . ." The CIP Task Force was comprised of representatives from law enforcement, litigating divisions, and administrative offices. See Appendix 10 for a list of points of contact for the CIPTF.
  4. The SMART database is a set of user interface, database management, and business intelligence tools designed to assist the Department CIO and program managers as well as the security administrators in identifying, controlling, and monitoring the performance of a component IT security program and its systems.
  5. Project Matrix is the name given to a method developed by the CIAO to assist federal civilian departments and agencies to accomplish identification of critical functions and services and the assets and links necessary to perform that identification. Project Matrix provides an objective process to make the determination of national criticality by performing standardized, systematic evaluation of an organization's functions and services and giving each a criticality score.
  6. The National Infrastructure Protection Center serves as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity.
  7. Penetration testing is security testing in which evaluators attempt to circumvent the security features of a system based on their understanding of the system design and implementation. The purpose of penetration testing is to identify methods of gaining access to a system by using common tools and techniques developed by hackers.
  8. IT security weaknesses were identified through audits, system security penetration tests, self-assessments, and vulnerability assessments.
  9. The Trilogy program is the FBI's 36-month program to upgrade the infrastructure technologies throughout the FBI. It consists of three components: 1) Network - which includes high-speed connections linking FBI offices; 2) Information Presentation - which is comprised of hardware and software within each office to link each employee at their desk to FBI systems; and 3) User Applications - which includes several user-specific software tools to enhance each agent's ability to organize, access, and analyze information.
  10. An Exhibit 300 is a capital asset plan that must be prepared for major projects and is submitted to the Department and OMB.