

U. S. DEPARTMENT OF JUSTICE

Corrective Action Report

Issue and Milestone Schedule

Date of Submission
First Quarter Update:
Second Quarter Update:
Third Quarter Update:
End of Year Report: 10/21/02

Issue Title: Computer Security Implementation
Issue ID:
Organization: Department
Date First Initiated: 10/01/02
Original Target for Completion: 12/30/04
Current Target for Completion: 12/30/04
Actual Date of Completion:
Issue Type (Organization Rating): Material Weakness
Source Title:
Date of Source Report:
Issue Type (DOJ Rating): Material Weakness

Issue Description

Financial and Security Act audits and reviews conducted by the Department's Inspector General, together with independent verification and validation (IV&V) reviews, penetration testing, self-assessments, and certifications and accreditations, continue to identify weaknesses in both classified systems and sensitive but unclassified (SBU) systems. Specific concerns include issues with the management, operational, and technical controls that protect each system and the data stored on it from unauthorized use, loss, or modification. Because technical controls prevent unauthorized system access, the Department's OIG concluded that the vulnerabilities noted in those areas were the most significant. The most common vulnerabilities were in security standards and procedures, and in password and logon management. Due to insufficient common standards and inadequate Department oversight, components have been given broad discretion in implementing controls and too much latitude in establishing system settings. Additionally, the vulnerabilities identified are more numerous in the Department's legacy networks and infrastructures.

What We Will Do About It

To address recurring weaknesses in the Department's implementation of computer security controls, the Chief Information Officer (CIO) released the Department's Information Technology Strategic Plan in July 2002. The plan outlines how the Department is strengthening and refocusing its information technology (IT) program to meet the Department's new counterterrorism mission and support the achievement of its strategic goals. Under the auspices of the Department CIO, an Information Security Staff will be created and managed by a senior executive responsible for implementing the Department's IT security program through the development of standards, procedures, and guidance that ensure compliance with applicable Department, federal, and national security policies and directives and with industry best practices. In addition, this Staff will ensure that component classified and SBU systems have implemented the appropriate IT security controls, and it will be responsible for ensuring that components identify corrective plans of action and milestones when security controls are not met and for monitoring those corrective action plans. In the past year, the Department has made significant progress in strengthening its IT Security Program and in implementing the requirements of the Security Act. These accomplishments include:

• Appointing a CIO with a broad mandate to provide Departmentwide leadership in the IT arena, including security;
• Developing an IT Strategic Plan that sets forth a vision and specific initiatives for enhancing information security;
• Continuing implementation and refinement of a departmental system for tracking all IT security weaknesses and corrective actions;
• Integrating security fully into other IT management processes, such as capital planning;
• Developing the Department's Security Act Report, which includes individual assessments of over 150 systems;
• Awarding a contract for IV&V of component IT system security controls and initiating several tasks against the contract;
• Initiating a project to define requirements for a Departmentwide public key infrastructure (PKI) program; and
• Initiating a project to define requirements for a Departmentwide security architecture.

Milestones

1.  Establish a centralized Information Security Staff, reporting directly to the Department CIO, with responsibility for ensuring the appropriate security controls are implemented in the Department's classified and SBU systems.
    Original Target Date: 12/02
    Current Target Date: 01/03
    Actual Date of Completion:

2.  Develop minimum IT security standards for implementation of security controls for the Department's classified and SBU systems. 12 standards have been identified.
    Original Target Date: 01/03
    Current Target Date: 01/03
    Actual Date of Completion:

3.  Develop and document the Department's IT security architecture at a high level that will be integrated into the Department's enterprise architecture. The high-level IT security architecture will provide for increased information sharing and will include boundary protection requirements, network requirements, and PKI architecture.
    Original Target Date: 09/03 (version 1.0)
    Current Target Date: 09/03 (version 1.0)
    Actual Date of Completion:

4.  Plan, design and deploy a Departmentwide PKI. Establish a Project Management Office to manage the program and to coordinate with component initiatives.
    Original Target Date: 03/03 (PKI plan, design, and requirements); 12/03 (pilot); 12/04 (deployment)
    Current Target Date: 03/03 (PKI plan, design, and requirements); 12/03 (pilot); 12/04 (deployment)
    Actual Date of Completion:

5.  Increase oversight and monitoring by enhancing and deploying to components the Security Management and Reporting Tool (SMART) that tracks all known vulnerabilities, weaknesses, and corrective actions. Expand oversight activities to include classified systems.
    Original Target Date: 02/03; 03/03
    Current Target Date: 02/03; 03/03
    Actual Date of Completion:

6.  Develop and begin implementing a Departmentwide (with the exception of the FBI) web-based security awareness training tool.
    Original Target Date: 01/03
    Current Target Date: 01/03
    Actual Date of Completion:

7.  Identify common solutions and automated tools to monitor security compliance of network and system parameters and identify vulnerabilities.
    Original Target Date: 09/03; 12/04 (implement)
    Current Target Date: 09/03; 12/04 (implement)
    Actual Date of Completion:

How We Will Know It Is Fixed

By continuing to evolve the IT security program and meet the CIO's IT strategic initiatives, we will be able to effectively implement IT security controls, reduce the number of vulnerabilities and repeat OIG findings, provide for greater trust of the Department's systems, and further enable information sharing and collaboration.