Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure
Report No. 04-05
Office of the Inspector General
2. ESTABLISHING AN EMERGENCY MANAGEMENT PROGRAM
Although the April 1999 CIP Plan contained a comprehensive blueprint and milestones for an effective, centrally managed Department emergency management program, such a program has not been fully implemented. Many of the critical emergency management program elements relating to indications and warnings, incident collection, reporting and analysis, and response and contingency planning were neither established nor operating. Although the CIP Task Force was responsible for developing and implementing the CIP Plan, including the emergency management program, the Task Force ceased operating during calendar year 2000 and had no further involvement in implementation activities. As a result, the Department has less than adequate assurance that it can effectively respond to computer attacks and security incidents.
The April 1999 CIP Plan established the critical elements for an effective emergency management program and tasked the CIP Task Force (CIPTF) with its implementation. The CIPTF had members in 9 law enforcement entities, 5 litigating divisions, and 12 other entities. See Appendix 10 for Department entities that had CIPTF members. The Department's emergency management program, as envisioned in the CIP Plan, was to incorporate the following three elements.
The CIP Plan also established several intermediate milestones for implementing the three essential elements of the Department emergency management program. Full implementation of the program was to occur no later than September 28, 1999.
Although the CIP Plan contained a comprehensive blueprint and milestones for an effective, centrally managed Department emergency management program, such a program was never fully established. Officials of the IMSS indicated that the CIP Task Force, tasked with implementing the emergency management program, last met during calendar year 2000 and was no longer in existence. In response to our inquiries, those IMSS officials could not provide an explanation as to why no further effort was made to implement the plan.
Officials of the IMSS also stated that although the emergency management program as envisioned in the CIP Plan had not been implemented, most of the elements of an effective emergency management program were nevertheless in place and operating throughout the various Department components. However, in evaluating the Department's response capabilities to computer security incidents, we found that many of the four critical emergency management program elements relating to 1) indications and warnings, 2) incident collection, reporting and analysis, 3) response plans and 4) contingency planning were neither established nor operating. Our specific observations follow.
(1) Indications and Warnings
The IMSS did not ensure that this element of the emergency management program was fully implemented. According to JMD officials, communication channels were established for passing threat information from internal and external organizations to Department components at both headquarters and field locations charged with protecting the Department's critical infrastructure assets. Specifically, the DOJCERT is the Department's central point for receiving and disseminating indications and warnings.30 Within the DOJCERT, a contractor operates the Department's-Information Sharing and Analysis Center and provides a departmentwide mechanism for sharing vulnerabilities to better prepare the Department for responding to cyber attacks. Additionally, the DOJCERT has implemented an intranet web page that includes a search capability for previously distributed indication and warning bulletins, and an Internet web page for information purposes.
Although communication channels were established for passing threat information, the IMSS did not determine whether the channels were secure, effective, and provided timely information as required by the CIP Plan. Additionally, the IMSS did not verify whether effective liaisons with the FBI's NIPC or the SIOC were established and ongoing. See Finding 3 for more details concerning liaisons not being adequately identified. Unless all indication and warning elements are in place, the Department does not have the assurance that communication channels for sharing vulnerabilities are secure and that components are receiving timely information to better equip them to respond to computer security incidents.
(2) Incident Collection, Reporting, and Analysis
The IMSS did not ensure that this element of the emergency management program was fully implemented. Although detailed procedures for components to follow when reporting computer security incidents were developed, the IMSS did not verify that these procedures were implemented and being followed, nor did the IMSS ensure that security incident data was being collected and analyzed.
The JMD CSS developed the June 27, 2002, Standards, Guidelines, and Standard Operating Procedures for the DOJCERT (Department Manual TP-001). This directive was developed in response to an increase in computer attacks and contains detailed procedures for effective handling and reporting of computer security incidents. Department Manual TP-001 identifies and defines the following nine computer security incident categories.
Because incidents may have many possible consequences ranging from slight to catastrophic, Department Manual TP-001 outlines five priorities to consider when evaluating and dealing with computer security incidents.
The Department Manual TP-001 also contains detailed reporting requirements for components to follow in reporting computer security incidents. For incidents involving SBU systems, components are required to provide the DOJCERT a verbal report within one working day after an incident has occurred. Within five working days, a written preliminary incident report, containing as much information as possible, is to be submitted. Within ten working days of the resolution of an incident, a written formal report is to be submitted, and in cases where incident resolution is expected to take more than 30 days, a status report is to be submitted to the DOJCERT every 10 days. For incidents involving NSI, components follow the same reporting requirements with the exception that the reports are provided to the Department Security Officer rather than to the DOJCERT.
Although detailed procedures were developed by the CSS for components to follow in reporting computer security incidents, the IMSS could not substantiate whether the procedures were implemented and were being followed. According to IMSS staff, tabulated summaries on the number and type of incidents are reported each month. However, the IMSS could not provide tabulated summaries regarding the nature, frequency, category, and remediation of prior Department computer security incidents or possible trends and potential systemic weaknesses based on analyses of prior incidents. In addition, the IMSS did not verify whether additional procedures for collecting and analyzing incidents as required by the CIP Plan were developed and in place. We asked the IMSS for an explanation why no verification of additional procedures occurred but the IMSS officials provided no response. Although there is no specific requirement that the IMSS maintain documentation for these activities, absent such documentation, the Department does not have the assurance that additional procedures for collecting and analyzing incidents as required by the CIP Plan were developed and in place.
Absent the documentation described above, the IMSS will have little assurance that it is developing effective countermeasures from prior attacks and providing this knowledge to components to enhance response capabilities.
(3) Response Plans
We determined that the IMSS did not fully implement this element of the emergency management program. Although requirements had been established for developing, implementing, and testing incident response procedures, the IMSS did not verify whether the procedures were in place and operating.
Department Manual TP-001 requires each Department component to: a) develop, implement, and maintain internal incident response procedures, and b) identify an appropriate individual responsible for reporting incidents to the DOJCERT. The Manual also provides the minimum level of procedures for component incident response programs and specifies that the response procedures should be documented by each component and submitted to the DOJCERT to be kept on file.
In addition to developing Department Manual TP-001, JMD CSS also developed the June 17, 2002, DOJCERT Procedures Manual, which outlines CSS Service Center and DOJCERT procedures for responding to Department computer security incidents.31 In responding to an incident, the CSS Service Center assigns a number to the incident and completes an incident report form that is forwarded to an incident manager then to the DOJCERT program manager for investigation and resolution.32
Upon notification of the incident, the DOJCERT Program Manager performs an initial assessment by: a) reviewing the incident report to determine the severity of the problem; b) locating sources and organizing steps for solutions; c) determining who should be notified and involved in working the solution; d) determining whether a Security Alert needs to be broadcast;33 and e) determining whether the FBI, NIPC, Federal Computer Incident Response Center (FedCIRC) or SEPS need to be notified.34 After completing the initial assessment, the Program Manager then initiates the solution identified during the assessment process and updates the ticket management system with information about the implemented solution and the incident response process.
Although detailed response procedures for computer security incidents had been established, the IMSS had not ensured that the procedures were implemented and being followed. Specifically, the IMSS did not verify whether components had developed, implemented, and maintained internal incident response procedures and whether components had identified appropriate individuals responsible for reporting incidents to the DOJCERT. Although there is no specific requirement that the IMSS maintain documentation for these activities, absent such documentation the Department does not have assurance that response procedures are effective.
In May 2003, we sought any changes in these procedures. Information and Management Security Staff indicated that they were able to provide summary information on computer incidents, but as of June 6, 2003, no documentation had been provided.
In a 2002 review of the FBI's Automated Case Support System pursuant to the GISRA, OIG auditors determined that the FBI is not following the incident response requirements outlined in Department Manual TP-001.35 Specifically, personnel had not been formally trained to identify and handle incidents and the incident response procedures had not been centralized or implemented across the FBI. This condition occurred because the FBI had not yet developed incident response procedures that meet the requirements of the DOJCERT or trained employees in the incident response procedures and requirements. As a result, the FBI increased its risk of having incidents occur without its knowledge or proper follow-up. Had the IMSS verified implementation of the DOJCERT requirement, such lapses in complying with incident response requirements could have been avoided.
Additionally, although the CIP Plan requires periodic testing of response plans, such testing had not been conducted. Information Management and Security Staff officials maintained that response plans were in fact tested during the last major incident involving a computer worm; however, a response during a single actual incident does not constitute complete testing of the response plans because some aspects of the plan may not be involved in the response to a single live incident.36 The IMSS officials added that testing was also unnecessary because they frequently received component warnings from the DOJCERT. They reasoned they could only receive such warnings if the response plans were working. We disagree with this reasoning because a single incident may test some aspects of a response plan while a complete test would check all aspects of the response plans. Testing of response plans is crucial to identifying weaknesses prior to the occurrence of an actual incident.
(4) Contingency Plans
We determined that the IMSS did not fully implement this element of the emergency management program. Although requirements had been established requiring components to develop and periodically test contingency plans, we found that the majority had not done so.
On July 12, 2001, the JMD Information Management and Security Office issued the Department Order 2640.2D, requiring components to develop contingency plans for: a) continuing missions in the event IT systems become unavailable, and b) recovering IT systems in event of loss or failure. In complying with the Department Order, components must ensure that contingency plans:
The Department Order also requires components to: a) test contingency resumption plans annually or as soon as possible after a significant change to the environment that would alter the in-place assessed risk, and b) develop and maintain site plans detailing responses to emergencies for IT facilities.
Although the Department Order required components to develop and test contingency plans as well as site plans detailing responses to emergencies for IT facilities, the IMSS could not provide support that components had done so. We noted the following deficiencies.
Although the CIP Task Force was charged with developing and implementing the Emergency Management program, the Task Force never did so. Information Management and Security Staff officials stated that the Task Force last met during calendar year 2000 and was no longer in existence. They added that the Task Force's primary responsibility when it did meet was to work on Year 2000 conformity issues.38 According to an IMSS official, once the Year 2000 conformity issues were resolved, the task force no longer convened. In response to our inquiries, IMSS officials could provide no explanation as to why no further effort was made to implement the plan.
Further, the IMSS officials stated that although the emergency management program as envisioned in the CIP Plan had not been implemented, they believed that most of the elements of an effective emergency management program were nevertheless in place and operating throughout the various Department components. We do not agree with this assessment because several of these elements are not adequately operating. Unless a centralized effort is made to verify that the various component parts of the CIP Plan are in place and operating, the Department will have little assurance that it can effectively respond to emergency computer security incidents.
Although the CIP Plan contained a comprehensive blueprint and milestones for creating an effective emergency management program by September 1999, such a program was not fully implemented as demonstrated in the following table.
Implementation of the Department's Emergency Management Program
to Protect Critical Infrastructure IT Systems
In evaluating the Department's response capabilities to computer security incidents, we found that many critical elements related to indications and warnings, incident collection, reporting and analysis, and response and contingency planning were neither established nor operating. We agree that other elements are operating, but not adequately for a successful emergency management program. Until the critical elements of an effective emergency management program are in place and operating, the Department will have less than adequate assurance that it can effectively respond to attacks to its critical infrastructure technology systems.
We recommend that the Assistant Attorney General for Administration: