Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure
Report No. 04-05
Office of the Inspector General
6. FOLLOW-UP ON THE PRIOR OIG AUDIT OF DEPARTMENT CRITICAL INFRASTRUCTURE PLANNING FOR THE PROTECTION OF COMPUTER BASED INFRASTRUCTURE
In our November 2000 report on "Department Critical Infrastructure Protection - Planning for the Protection of Computer Based Infrastructure," we found that the Department had not yet: 1) identified all of its mission-essential assets, 2) assessed the vulnerabilities of each of its systems, 3) developed remedial action plans for identified vulnerabilities, or 4) developed a multi-year funding plan for reducing vulnerabilities. During this current audit, we tested the follow-up actions taken on these recommendations. We found that the IMSS had completed some of the required corrective actions, but further work is required regarding the MEI inventory, plans to address weaknesses identified in vulnerability assessments, and development of a multi-year funding plan for the remediation of vulnerabilities.
PDD 63 required that the Department and other government departments and agencies prepare plans for protecting their critical infrastructure. The plans required the determination of the Department's minimum essential infrastructure, an assessment of each asset's vulnerabilities, and plans to remediate those vulnerabilities. Our prior audit focused on the adequacy of the Department's planning and assessment activities for protecting its critical computer-based infrastructure.
In our November 2000 report, we recommended that the Assistant Attorney General for Administration:
In October 2000, JMD concurred with our findings and recommendations, and agreed to implement the appropriate corrective actions. During our current audit, we tested the extent to which the recommended corrective actions have been completed.
The Department revalidated its MEI in December 2002. We found that the Department utilized the CIAO's definition of MEI and a set of modified surveys to validate the MEI. Agency MEI was defined as "the framework of critical organizations, personnel, systems, and facilities that are absolutely required in order to provide the inputs and outputs necessary to support core processes. Core processes are those that are essential to accomplishing the organization's core missions as they relate to national security, national economic security, or continuity of government services."
For each asset included in the December 2002 revalidated MEI, the IMSS provided appropriate links to the criteria and strategic goals contained in the Department's strategic plan revised as of November 2001.
The IMSS established and documented the selection criteria and procedures used in developing the December 2002 revalidated MEI. The IMSS also worked with the components in revising the MEI inventory and coordinated its activities with the CIAO. However, as noted in Finding 3 of this report, we are concerned that neither the IMSS nor the Department components considered the dependency of other government programs on the Department's IT systems, and whether critical exchanges of information were occurring. As a result, Department IT systems that exchanged critical information with external entities may not have been identified and considered adequately for protection under the CIP program.
In March 2002, the Department completed a vulnerability assessment for assets contained in the January 2001 MEI inventory. However, as discussed in Finding 1 of this report, vulnerability assessments have not been completed for assets newly added to the MEI and the assets of the ATF.
Finding 1 of this report details our significant concerns regarding the management of a risk mitigation program, and we provide eight recommendations regarding improvement of this program.
As noted in Finding 1 of this report, as part of the March 2002 Vulnerability Assessment, the Department prepared a multi-year funding plan. The plan estimates that the Department will have spent $128 million in FY 2003 to improve IT security. However, the plan is not linked to the identified vulnerabilities, so it cannot be used to determine whether the funding amounts presented are adequate to remediate systemic IT vulnerabilities.