U.S. Department of Justice
Critical Infrastructure Protection
Report No. 01-01
Office of the Inspector General
Presidential Decision Directive (PDD) 63 requires the Department of Justice (Department) and other government departments and agencies to prepare plans for protecting their critical infrastructure. The infrastructure includes systems essential to the minimum operations of the economy and government, such as telecommunications, banking and finance, energy, and transportation. According to the National Plan for Information Systems Protection, the threat is that a group or nation hostile to the United States will seek to "inflict economic damage, disruption and death, and degradation of our defense response" by attacking our critical infrastructure. The plans ordered by PDD 63 are required to include an inventory of the Department's mission essential assets, an assessment of each asset's vulnerabilities, and plans to remediate those vulnerabilities. The National Plan for Information Systems Protection calls for Federal agencies and departments to complete the assessment of information systems vulnerabilities and adopt a multi-year funding plan to remedy the vulnerabilities by December 2000.
Our audit focused on the adequacy of the Department's planning and assessment activities for protecting its critical computer-based infrastructure. Over 20 Inspectors General conducted similar audits of their own agencies as part of an effort sponsored by the President's Council on Integrity and Efficiency.
We found that the Department submitted its initial critical infrastructure protection plan to the Critical Infrastructure Assurance Office as required, and the Department revised its initial plan according to comments received from the Expert Review Team created by PDD 63. The most recent version provided to us is a draft of the Department's Initial Operating Capability version of the critical infrastructure protection plan, dated May 19, 2000. As of that date, however, the Department had not yet: (1) adequately identified all of its mission essential assets, (2) assessed the vulnerabilities of each of its systems, (3) developed remedial action plans for identified vulnerabilities, and (4) developed a multi-year funding plan for reducing vulnerabilities. As a result, the Department's ability to perform certain vital missions is at risk from terrorist attacks or similar threats.
Specifically, the Department's identification of mission essential assets did not meet the intent of PDD 63 because it did not include personnel, interdependencies, and a complete list of facilities. Further, the methodology used did not link the mission essential infrastructure to those Department missions absolutely necessary to national security, national economic security, or the continuity of government services, and it did not document the criteria used to select each asset.
Additionally, the Department decided not to fund an adequate vulnerability assessment for inclusion in the draft Initial Operating Capability plan. The vulnerability assessment included in the draft plan differed from the assessment planned in the previous version, which was based on a framework sponsored by the Critical Infrastructure Assurance Office and reviewed by the Expert Review Team, two organizations outside of the Department with responsibility for implementing PDD 63. The revised vulnerability assessment was based on a review of past audits, compliance reviews, and assessments. As a result, the Department has not developed an inventory of flaws or omissions in controls (vulnerabilities) that may affect the integrity, confidentiality, accountability, and/or availability of resources that are essential to critical assets. Department officials said that vulnerability assessments will be performed as part of a certification and accreditation process ordered by the Assistant Attorney General for Administration. However, Department officials do not expect the certification and accreditation process, including independent verification and validation, to be completed until March 31, 2001.
Since an inventory of vulnerabilities has not been developed, there are also no remedial plans or funding plans to address the Department's vulnerabilities. Department officials expect the Department's FY 2003 budget submission to be the first funding plan to fully address the cost of remediating the Department's cyber vulnerabilities.
Our audit objectives, scope, and methodology appear in Appendix IV. The details of our work are contained in the Findings and Recommendations section of the report.