Departmental Critical Infrastructure Protection
Planning for the Protection of Physical Infrastructure
Report No. 02-01
Office of the Inspector General
OIG, AUDIT DIVISION ANALYSIS AND SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT
In its response to this audit, the JMD has substantially misinterpreted the requirements of PDD 63, which call for every department and agency of the federal government to develop a plan for protecting its cyber and physical infrastructure. In establishing a critical infrastructure protection plan, the Department is required to identify minimum essential infrastructure, assess the vulnerability of the infrastructure, and develop remedial and multi-year funding plans. Instead of addressing how it intends to meet PDD 63 requirements for protecting the Department's critical physical infrastructure from attack, the JMD discusses the Department's actions under a different directive, PDD 67, which addresses continuity of operations after an attack has already occurred. Our analysis of the JMD response and our summary of actions necessary to resolve the audit report follow.
In its response to the draft report, the JMD disagreed with the recommendation on the basis that the SEPS had identified the headquarters buildings of the Department (Main Justice) and the Federal Bureau of Investigation (FBI) as the only mission essential physical infrastructure. Also, in accordance with a Continuity of Operations Plan (COOP), a relocation facility would allow critical systems and personnel from these two building to continue to operate. The JMD stated that no further inventory of non-cyber assets is necessary and pointed out that the Department does not provide critical infrastructure systems to the public such as telecommunications, energy, or banking.
PDD 63 requires that "every department and agency shall develop a plan for protecting its own critical infrastructure, including but not limited to its cyber-based systems" (italics added). However, in developing its critical infrastructure protection plan, the Department limited its inventory of mission essential infrastructure to critical computer-related assets and disregarded physical assets. A SEPS assessment identifying Main Justice and the FBI headquarters as mission essential is but one-step toward the required comprehensive inventory of all critical physical assets and the vulnerability assessment of those assets. (The fact that a COOP facility is intended to allow the continuation of departmental functions, while important, does not pertain to the protection of critical assets from attack.) A methodical and documented inventory would ensure that all mission essential infrastructure is identified. Until all assets in addition to information technology assets are surveyed, there is no reasonable assurance that the inventory of mission essential infrastructure and related vulnerability assessment are complete and meet the requirements of PDD 63. PDD 63 does not restrict the requirement for a critical infrastructure protection plan to departments and agencies involved in providing direct services to the public such as telecommunications, energy, or banking. In our judgment, identifying and protecting all of the Department's critical infrastructure is necessary to maintain public confidence in our law enforcement and justice institutions in the event of a national emergency. A potential consequence to the Department of inadequate critical infrastructure planning could be a crippling of the Department's ability to meet its wide-ranging national law enforcement and justice missions, extending well beyond two headquarters buildings and related computer systems.
In its response to the draft report, the JMD disagreed with the recommendation on the basis that the Intelligence Community is responsible for assessing the vulnerability of the government's physical assets. Also, the JMD cited a contractor's vulnerability assessment of departmental facilities as well as efforts undertaken by the GSA and the U.S. Marshals Service (USMS) to assess and mitigate the vulnerability of federal offices buildings. Given such studies and the SEPS's monitoring of building security, the JMD stated that additional vulnerability assessments are unnecessary.
PDD 63 requires that each sector of the government that might be a target of infrastructure attack intended to significantly damage the United States must conduct a vulnerability assessment, to be updated periodically. PDD 63 does not assign to the Intelligence Community the responsibility for conducting a vulnerability assessment on behalf of the Department. However, information and expertise obtained outside the Department such as from the Intelligence Community, the GSA, other federal agencies, local law enforcement agencies, contractors, and any other source should be considered and incorporated as appropriate into the Department's vulnerability assessment. The fact that other agencies have conducted studies of various aspects of the Department's vulnerabilities does not obviate the PDD 63 requirement for the Department to formally assess the vulnerabilities of all mission essential infrastructure that the Department identified by completion of a comprehensive inventory.
In its response to the draft report, the JMD disagreed with the recommendation on the basis that the COOP plan, relocation facility, and activities of the SEPS constitute a remedial plan and its implementation. The JMD also pointed out that funding for the relocation facility is provided by departmental components.
The JMD is confusing the requirements of PDD 63 and PDD 67. The COOP plan, the relocation facility, and activities of the SEPS do not identify and address all specific mission essential vulnerabilities. Vulnerabilities must be assessed in accordance with PDD 63 before remedial plans can be developed. Further, the component-funded relocation facility established in response to PDD 67 is not related to protecting existing departmental infrastructure from attack, but rather to mitigating the operational consequences of an attack. A multi-year funding plan is required to address vulnerabilities that the Department is to identify through the assessment required by PDD 63.