U. S. DEPARTMENT OF JUSTICE

Corrective Action Report

Issue and Milestone Schedule

Date of Submission
First Quarter Update:
Second Quarter Update:
Third Quarter Update:
End of Year Report: 11/15/02

Issue Title

Computer Security

Issue ID

1991-0098

Organization

Department

Date First
Initiated

09/30/85

Original Target for Completion

09/30/91

Current Target for Completion

02/15/02

Actual Date of Completion

03/29/02
(CLOSED)

Issue Type (Organization Rating)

Material Weakness

Source Title

Date of Source Report

Issue Type (DOJ Rating)

Material Weakness

Issue Description

The Department of Justice (Department) is increasingly dependent on automated information systems and their interconnections to achieve its mission and meet the needs of the citizens it serves.  Since the Department's computer systems and networks now collect, process, store, and transmit most of the sensitive and classified information used in almost every aspect of the Department, controls must be in place to ensure the availability, integrity, and confidentiality of this information and the reliability of the computer systems and networks.  The Justice Management Division (JMD) has responsibility and authority for establishing policy and providing direction and oversight to components with regard to information technology (IT) security.

Computer security has been designated a material weakness since 1991 and continues to be a major focus of senior management attention.

What We Will Do About It

This issue is CLOSED

JMD is responsible for the Department's IT security program and provides policy, guidance, direction, and oversight activities across the Department.  During the past 12 months, JMD has taken a number of actions that not only reflect the commitment of present management to correcting past deficiencies, but also establish a solid foundation for sustained future progress.  For example:

  • Under the leadership of the Attorney General's office, JMD has begun an IT strategic planning effort that will, in part, establish the foundation for a departmental security architecture.  This effort is consistent with the management goals announced by the Attorney General on November 8, 2001.

  • In July 2001, JMD issued a new IT security policy that sets strong Departmentwide standards for component security programs and system security controls.

  • JMD has continued to conduct an aggressive program of penetration tests and independent assessments and to carefully follow up on the results.  This effort provided the foundation for several components to begin conducting regular penetration testing on their systems, thus enhancing the overall security of these systems. 

  • Components certified and accredited 83% of Department systems by July 2001.  While neither perfect nor complete, this effort enabled the Department to identify weaknesses more systematically and identify and monitor corrective actions.  The Federal Bureau of Investigation (FBI) was unable to complete its certification and accreditation (C&A) activities; however, the Department Chief Information Officer (CIO) and the FBI have agreed to a schedule and JMD will continue to monitor their progress.

  • JMD has established a database that will assist in tracking and remedying security weaknesses system by system.  This database is a single repository of findings and corrective actions identified through C&A activities, audits, penetration testing, and other reviews.

  • JMD has integrated security with the Department's capital planning and investment controls processes.  This integration has occurred both formally, through the issuance of new policy and guidance, and in practice, through the inclusion of security as an explicit agenda item in internal discussions of IT plans, performance, and funding.

  • JMD has identified a list of critical IT, personnel, and physical assets that support the Department's critical infrastructure in support of Presidential Decision Directive-63.  This list includes the asset name, location, description, and strategic goal supported; potential impact of loss; and interdependencies.  Using the vulnerability reports and independent assessment developed through the C&A activities, JMD completed the critical infrastructure planning vulnerability analysis and is currently finalizing the remedial plan for corrective action.

  • On 3/29/02, the Acting Assistant Attorney General for Administration signed a memo to the Inspector General transmitting the report, which includes corrective actions for systems which do not have controls in place.

Milestones

(Each milestone lists its Original Target Date, Current Target Date, and Actual Date of Completion.)

1.  The Department will identify its critical infrastructure assets, perform the required vulnerability assessment on those assets, and develop a corrective action plan for any asset that does not have satisfactory protections in place.
    Original Target Date: 05/31/01
    Current Target Date: 02/15/02
    Actual Date of Completion: 03/29/02

2.  Components will certify and accredit their information technology systems.  The CIO will establish and track FBI progress.
    Original Target Date: 12/31/00
    Current Target Date: 07/01/01
    Actual Date of Completion: 07/01/01

3.  JMD/Information Management and Security Staff (IMSS) will establish and operate an Independent Verification and Validation (IV&V) program that will review component C&A activities.  JMD will implement an enhanced IV&V program to incorporate classified systems.
    Original Target Date: 12/31/00
    Current Target Date: 12/31/01 (Revised to include classified systems)
    Actual Date of Completion: 12/31/01

4.  JMD/IMSS will develop and implement IT security policy for sensitive but unclassified computer systems and networks.
    Original Target Date: 01/01/98
    Current Target Date: 03/01/01
    Actual Date of Completion: 07/12/01

5.  JMD/SEPS will develop and implement IT security policy for national security information (classified) computer systems and networks.
    Original Target Date: 03/31/01
    Current Target Date: 03/31/01
    Actual Date of Completion: 07/12/01

How We Will Know It Is Fixed

Department components will have established computer security programs and will have implemented Department policy and guidance.

All Department component systems will continue to be properly certified and accredited and selected major systems and networks will undergo IV&V.

Computer security planning will be integrated into the system development life cycle.

Penetration testing and Inspector General and General Accounting Office audits will not discover significant numbers of weak technical controls or non-compliance with computer security policy.

The CIO has determined that the Department's critical infrastructure planning is adequate.