Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure
Report No. 04-05
Office of the Inspector General
4. MEETING DEPARTMENT RESOURCE AND ORGANIZATIONAL REQUIREMENTS
The Department's CIP Plan required the identification of resources and organization requirements necessary to protect critical assets. This was to be accomplished largely through the efforts of the CIP Task Force. Although the CIP Task Force ceased operating in 2000 and never fully carried out the responsibilities in this area of the Plan, the Department has undertaken some efforts to ensure its resource and organizational requirements are adequately determined. However, full implementation of the CIP Plan has not been achieved. Studies contracted for by JMD in lieu of CIP Task Force studies have not assessed the linkage between budgetary and personnel shortfalls and the Department's critical infrastructure weaknesses. Completion of this activity is crucial to the Department's efforts to ensure that its resource and organization requirements have been met.
The Department's 1999 CIP Plan provided that:
Based upon the results of the vulnerability assessments, subsequent mitigation and response plans, additional resources will have to be identified, developed, and/or procured to ensure the protection of the Department's critical infrastructure.
The purpose of this section [of the Plan] is to identify, develop, and/or procure the necessary resources to ensure the protection of the Department's critical infrastructure. Also, the section will determine and establish the appropriate organizational structure through which the protection of identified critical infrastructure assets will be implemented and sustained.
According to the Plan, the CIP Task Force or its follow-on was to begin a study to determine the appropriate organizational structure for implementing the actions called for under the Plan.
We found that the IMSS did not address the resource and organizational requirements in the April 2003 draft revision of the CIP Plan. The IMSS staff stated that there was no reason for the omission, but that these requirements are expected to be in the next CIP Plan. The CIP Plan is expected to be revised again after the Department completes its Project Matrix review.
The CIP Plan required the CIP Task Force to conduct a study in 1999 to determine the appropriate organizational structure for implementing the actions called for under the Plan. The study was to address issues such as organizational makeup (in terms of the appropriate program office representation), mission, responsibilities, intra-Department liaison, and reporting chain. The study was also to assess the linkage between budgetary and personnel shortfalls and the Department's critical infrastructure weaknesses in such areas as computer security, network security, network configuration control, aging security systems, and lack of technically qualified security professionals. However, the CIP Task Force did not accomplish the study referenced above and, as noted in Finding 1, staff of the IMSS was unable to explain why the Task Force stopped convening during calendar year 2000.
We sought to determine if the planned activities had been completed separately by JMD. JMD contracted for two studies to determine resource requirements. First, an August 7, 2000, "Operational Concept Document for Information Security Program" (Operational Concept Document) was intended to provide an assessment of the IT security program's focus and/or organization to better serve the continuously changing needs of its customer base. The resulting 17-page report discussed the critical elements necessary for a successful IT security program and presented a framework for the realignment of the Department's IT security organization. Regarding the organization for IT security, the report stated:
DOJ is comprised of many components with different focuses and interests. This very diversity accentuates the need to have an enterprise-wide Department of Justice IT security program that provides departmentwide policy, minimum-security requirements, standards, guidance, enforcement, and other value-added services to the components.
A more effective program organization would be a single organization, with a single program, where all IT is covered under a single policy, inspected against the same requirements, trained by a single training staff, subject to a single set of standards, required to undergo a consistent security process, and where all IT users have a single organization to contact for IT security assistance.
We compared the Operational Concept Document to the requirements of the CIP Plan. The Operational Concept Document met some, but not all, of the CIP Plan requirements. The Document briefly addressed organizational makeup, mission, responsibilities, and policy recommendations for computer and network security. It also presented a framework for the realignment of the Department IT security organization. However, the Operational Concept Document did not meet the plan requirements for a study of intra-Department liaisons, the reporting chain, responsibilities, and the linkage between budgetary and personnel shortfalls and critical infrastructure-specific weaknesses.
Recognizing the need for a more sophisticated study of resource needs, in light of the attacks of September 11, 2001, and the Department's crucial counterterrorism responsibilities, in July 2002 the Department contracted for an additional study, "The Information Technology Workforce Assessment" (Workforce Assessment).
In completing the Workforce Assessment, a contractor was engaged to work with the Office of the CIO to identify the additional workforce capability needs of a newly proposed CIO organization. The resulting 165-page report, dated October 15, 2002, provided assessments of human capital capabilities, human capital solutions, staffing capabilities gaps and gap-closing strategies, and an implementation plan.
We compared the Workforce Assessment to the study requirements contained in the 1999 CIP Plan as noted above. The Workforce Assessment met the plan requirements for study of organizational makeup, mission, responsibilities, intra-Department liaisons, and reporting chain. However, neither the Workforce Assessment nor the previously completed "Operational Concept Document for Information Security Program" provided an assessment of the linkage between budgetary and personnel shortfalls and the Department's critical infrastructure-specific weaknesses in such areas as computer security, network security, network configuration control, aging security systems, and lack of technically qualified security professionals. We asked the IMSS staff to explain why no assessment of linkages between budgetary and personnel shortfalls and the Department's critical infrastructure weaknesses was made, but we received no response.
In summary, the October 2002 Workforce Assessment essentially completes the Department's planned 1999 activity to determine the appropriate organizational structure for implementing actions called for under the CIP Plan. Information Management and Security Staff officials indicated that they believed the CIP Plan requirement for organizational requirements was completed in FY 2000 with the preparation of the Operational Concept Document. While we agree that the Operational Concept Document met some of the plan requirements, it was not sufficiently detailed to provide Department officials with the support needed to effectively determine resource and organizational requirements. In addition, the Department still needs to complete an assessment of the linkage between budgetary and personnel shortfalls and the Department's critical infrastructure weaknesses. Completion of this activity is crucial to the Department's efforts to ensure that its resource and organization requirements can be met.
We recommend that the Assistant Attorney General for Administration: