Corrective Action Report Issue and Milestone Schedule

Date of Submission:
  First Quarter Update:
  Second Quarter Update:
  Third Quarter Update:
  End of Year Report: 10/21/02

Issue Title:
Issue ID:
Organization:
Date First: 10/01/02
Original Target for Completion: 12/30/04
Current Target for Completion: 12/30/04
Actual Date of Completion:
Issue Type (Organization Rating):
Source Title:
Date of Source Report:
Issue Type (DOJ Rating): Material Weakness
Issue Description

Financial and Security Act audits and reviews conducted by the Department's Inspector General, together with independent verification and validation (IV&V) reviews, penetration testing, self-assessments, and certifications and accreditations, continue to identify weaknesses in both classified systems and sensitive but unclassified (SBU) systems. The specific concerns involve the management, operational, and technical controls that protect each system, and the data stored on it, from unauthorized use, loss, or modification. Because technical controls are what actually prevent unauthorized system access, the Department's OIG concluded that the vulnerabilities noted in that area were the most significant. The most common vulnerabilities concerned security standards and procedures, and password and logon management. Because common standards are insufficient and Department oversight has been inadequate, components have been given broad discretion in implementing controls and too much latitude in establishing system settings. In addition, the vulnerabilities identified are more numerous in the Department's legacy networks and infrastructures.
What We Will Do About It

To address repeated weaknesses in the Department's implementation of computer security controls, the Chief Information Officer (CIO) released the Department's Information Technology Strategic Plan in July 2002. The plan outlines how the Department is strengthening and refocusing its information technology (IT) program to meet the Department's new counterterrorism mission and support the achievement of its strategic goals. Under the auspices of the Department CIO, an Information Security Staff will be created and managed by a senior executive responsible for implementing the Department's IT security program through the development of standards, procedures, and guidance that ensure compliance with applicable Department, federal, and national security policies and directives and with industry best practices. This Staff will also ensure that component classified and SBU systems have implemented the appropriate IT security controls, will be responsible for ensuring that components identify corrective plans of action and milestones where security controls are not met, and will monitor those corrective action plans. In the past year, the Department has made significant progress in strengthening its IT Security Program and in implementing the requirements of the Security Act. These accomplishments include:
• Appointing a CIO with a broad mandate to provide Departmentwide leadership in the IT arena, including security;
• Developing an IT Strategic Plan that sets forth a vision and specific initiatives for enhancing information security;
• Continuing implementation and refinement of a departmental system for tracking all IT security weaknesses and corrective actions;
• Integrating security fully into other IT management processes, such as capital planning;
• Developing the Department's Security Act Report, which includes individual assessments of over 150 systems;
• Awarding a contract for IV&V of component IT system security controls and initiating several tasks under the contract;
• Initiating a project to define requirements for a Departmentwide public key infrastructure (PKI) program; and
• Initiating a project to define requirements for a Departmentwide security architecture.
Milestones

1. Establish a centralized Information Security Staff, reporting directly to the Department CIO, with responsibility for ensuring that the appropriate security controls are implemented in the Department's classified and SBU systems.
   Original Target Date: 12/02
   Current Target Date: 01/03
   Actual Date of Completion:

2. Develop minimum IT security standards for implementation of security controls for the Department's classified and SBU systems. Twelve standards have been identified.
   Original Target Date: 01/03
   Current Target Date: 01/03
   Actual Date of Completion:

3. Develop and document the Department's IT security architecture at a high level, to be integrated into the Department's enterprise architecture. The high-level IT security architecture will provide for increased information sharing and will include boundary protection requirements, network requirements, and PKI architecture.
   Original Target Date: 09/03
   Current Target Date: 09/03
   Actual Date of Completion:

4. Plan, design, and deploy a Departmentwide PKI. Establish a Project Management Office to manage the program and to coordinate with component initiatives.
   Original Target Date: 03/03; 12/03 (pilot); 12/04 (deployment)
   Current Target Date: 03/03; 12/03 (pilot); 12/04 (deployment)
   Actual Date of Completion:

5. Increase oversight and monitoring by enhancing the Security Management and Reporting Tool (SMART), which tracks all known vulnerabilities, weaknesses, and corrective actions, and deploying it to components. Expand oversight activities to include classified systems.
   Original Target Date: 02/03; 03/03
   Current Target Date: 02/03; 03/03
   Actual Date of Completion:

6. Develop and begin implementing a Departmentwide (with the exception of the FBI) web-based security awareness training tool.
   Original Target Date: 01/03
   Current Target Date: 01/03
   Actual Date of Completion:

7. Identify common solutions and automated tools to monitor the security compliance of network and system parameters and to identify vulnerabilities.
   Original Target Date: 09/03; 12/04 (implement)
   Current Target Date: 09/03; 12/04 (implement)
   Actual Date of Completion:
How We Will Know It Is Fixed

By continuing to evolve the IT security program and to carry out the CIO's IT strategic initiatives, we will be able to implement IT security controls effectively, reduce the number of vulnerabilities and repeat OIG findings, provide for greater trust in the Department's systems, and further enable information sharing and collaboration.