Departmental Critical Infrastructure Protection
Planning for the Protection of Physical Infrastructure
Report No. 02-01
Office of the Inspector General
Presidential Decision Directive (PDD) 63 requires the Department of Justice (the Department) and other government departments and agencies to prepare plans for protecting their critical infrastructure. This infrastructure includes personnel, facilities, and systems essential to the minimum operations of the economy and government. According to the National Plan for Information Systems Protection, the threat is that a group or nation hostile to the United States will seek to "inflict economic damage, disruption and death, and degradation of our defense response" by attacking our critical infrastructure. The plans ordered by PDD 63 are required to include a determination of the minimum essential infrastructure, an assessment of each asset's vulnerabilities, and plans to remediate those vulnerabilities.
This is our second in a series of reports on PDD 63. Our first audit focused on the planning for the protection of the computer-based critical infrastructure. This audit focused on the adequacy of the Department's planning and assessment activities for protecting its critical physical infrastructure. Over 20 Inspectors General conducted similar audits of their agencies as part of an effort sponsored by the President's Council on Integrity and Efficiency.
We found that the Department has not adequately planned for the protection of critical physical assets. The Department views PDD 63 primarily as a mandate to protect computer-related critical assets, and its efforts thus far have been aimed at identifying and assessing critical information technology (IT) systems and related facilities and personnel. However, critical infrastructures are those assets and systems -- physical and computer-based -- so vital to the Nation that their incapacity or destruction would have a debilitating impact on national security, national economic security, and/or national public health and safety. These systems include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems, and emergency services. Because the Department has viewed PDD 63 as relating primarily to IT assets, the Department has not yet: (1) adequately identified all of its mission essential physical assets, (2) assessed the vulnerabilities of each of its physical assets, (3) developed remedial action plans for identified vulnerabilities, and (4) developed a multi-year funding plan for reducing vulnerabilities. As a result, the Department's ability to perform vital missions is at risk from terrorist attacks or similar threats.
As we reported in our prior report, Planning for the Protection of Critical Computer Based Infrastructure, the Department submitted its initial critical infrastructure protection plan to the Critical Infrastructure Assurance Office 1 as required. The Department revised the initial plan according to comments received from the Expert Review Team created by PDD 63. The most recent version of the critical infrastructure protection plan provided to us is the Department's Initial Operating Capability version of the critical infrastructure protection plan, dated April 24, 2000. The Department has supplemented that plan with a January 2001 inventory of critical IT assets, including related facilities and personnel.
Our audit objectives, scope, and methodology appear in Appendix IV. The details of our work are contained in the Findings and Recommendations section of the report.