Corrective Action Report Issue and Milestone Schedule

Date of Submission:
First Quarter Update:
Second Quarter Update:
Third Quarter Update:
End of Year Report: 11/15/02

Issue Title:
Issue ID:
Organization:

Date First: 09/30/85
Original Target for Completion: 09/30/91
Current Target for Completion: 02/15/02
Actual Date of Completion: 03/29/02
Issue Type (Organization Rating):

Source Title:
Date of Source Report:
Issue Type (DOJ Rating): Material Weakness

Issue Description: The Department of Justice (Department) is increasingly dependent on automated information systems and their interconnections to achieve its mission and meet the needs of the citizens it serves. Since the Department's computer systems and networks now collect, process, store, and transmit most of the sensitive and classified information used in almost every aspect of the Department, controls must be in place to ensure the availability, integrity, and confidentiality of this information and the reliability of the computer systems and networks. The Justice Management Division (JMD) has responsibility and authority for establishing policy and providing direction and oversight to components with regard to information technology (IT) security. Computer security has been designated a material weakness since 1991 and continues to be a major focus of senior management attention.

What We Will Do About It: This issue is CLOSED. JMD is responsible for the Department's IT security program and provides policy, guidance, direction, and oversight activities across the Department. During the past 12 months, JMD has taken a number of actions that not only reflect the commitment of present management to correcting past deficiencies, but also establish a solid foundation for sustained future progress. For example:

| Milestones | Original Target Date | Current Target Date | Actual Date of Completion |
|---|---|---|---|
| 1. The Department will identify its critical infrastructure assets, perform the required vulnerability assessment on those assets, and develop a corrective action plan for any asset that does not have satisfactory protections in place. | 05/31/01 | 02/15/02 | 03/29/02 |
| 2. Components will certify and accredit their information technology systems. The CIO will establish and track FBI progress. | 12/31/00 | 07/01/01 | 07/01/01 |
| 3. JMD/Information Management and Security Staff (IMSS) will establish and operate an Independent Verification and Validation (IV&V) program that will review component C&A activities. JMD will implement an enhanced IV&V program to incorporate classified systems. | 12/31/00 | 12/31/01 (Revised | 12/31/01 |
| 4. JMD/IMSS will develop and implement IT security policy for sensitive but unclassified computer systems and networks. | 01/01/98 | 03/01/01 | 07/12/01 |
| 5. JMD/SEPS will develop and implement IT security policy for national security information (classified) computer systems and networks. | 03/31/01 | 03/31/01 | 07/12/01 |

How We Will Know It Is Fixed: Department components will have established computer security programs and will have implemented Department policy and guidance. All Department component systems will continue to be properly certified and accredited and selected major systems and networks will undergo IV&V. Computer security planning will be integrated into the system development life cycle. Penetration testing and Inspector General and General Accounting Office audits will not discover significant numbers of weak technical controls or non-compliance with computer security policy. The CIO has determined that the Department's critical infrastructure planning is adequate.