Finding #1 Establishing a Risk Mitigation Program
1. Develop a tracking system for risk mitigation activities for classified MEI systems.
Response: JMD plans to use the Automated Security Self-Evaluation and Remedial Tracking (ASSERT) tool to track activities required to accredit an IT system. ASSERT provides for the tracking of individual vulnerabilities and mitigating actions. ASSERT will be installed on the standalone personal computer currently used to host the Security Management and Reporting Tool (SMART) classified database. The projected implementation date for ASSERT is March 2004.
2. Develop a multi-year finding plan based on resources required to mitigate vulnerabilities as identified in revised POA&Ms.
Response: JMD will not be able to identify all the Department's critical assets until the completion of Step 2 of Project Matrix, which is projected for March 2004. ASSERT is projected for implementation to track vulnerabilities, mitigation actions, and resources for classified and unclassified systems also by March 2004. However, it may take up to 60 days to populate ASSERT with the vulnerabilities, mitigating actions, and required resources for critical assets. Additionally, the mitigation plans for the critical IT systems are projected to be completed by June 2004. Therefore, the projected date to complete a multi-year funding plan for critical assets is August 2004.
3. Revise the current process used to monitor components' progress in mitigating critical IT vulnerabilities to a clear component-by-component summary of progress in mitigating vulnerabilities.
Response: The implementation of ASSERT will enable ITSS to monitor components' progress in mitigating IT vulnerabilities on a component-by-component basis. ASSERT is projected to be implemented by March 2004.
4. Monitor and document, at least quarterly, the status of certification and accreditation for critical IT systems.
Response: The ITSS is requesting funds for FY 04 to establish a "help desk" dedicated to assisting and tracking the development of certification and accreditation document by components for IT systems. The "help desk" is projected to be implemented by December 2003, and will monitor and document the status of certification and accreditation for critical IT systems.
5. Ensure components submit proper completed POA&M in accordance with OMB guidance. For the use described by the JMD staff, at a minimum, the component's POA&Ms should:
- clearly address the vulnerabilities identified in the Department Vulnerability assessment;
- include the source of the vulnerabilities so readers can refer back to the Department Vulnerability Assessment to obtain additional information;
- describe the performance measures used to track progress in mitigating weaknesses, and
- identify resources required for implementing risk mitigation activities for each identified vulnerability.
Response: The implementation of the ASSERT tool will ensure the components submit POA&Ms in accordance with 0MB guidance. The ASSERT tool will be modified, if required, to include fields for identified vulnerabilities, the source of the vulnerabilities, performance measures to track progress in mitigating vulnerabilities, and resources required. In addition to the vulnerabilities identified in the Department Vulnerability Assessment, the system-specific POA&Ms will track all vulnerabilities, such as those identified during testing or auditing. The ASSERT tool is projected to be implemented in March 2004.
6. Conduct vulnerability assessments and develop risk mitigation plans for assets newly added to the MEI.
Response: The Department completed Step 1 of Project Matrix in September 2003, and has initiated Step 2. Step 2 is the identification of interdependencies of the IT systems, facilities, and personnel that are necessary for the operation of the nationally critical functions, services, and products. Step 2 is projected to be completed by March 2004. ITSS will review the vulnerability assessment of the IT systems that were added to the list to ensure they meet the requirements of PDD-63. ITSS will also assist the components in developing risk mitigation plans. The vulnerability assessments and risk mitigation plans for critical IT systems that are not adequate will be completed by June 2004.
7. Determine the critical assets within the ATF and perform vulnerability assessments, develop risk mitigation plans, and a multi-year funding plan for those assets.
Response: ATF was included in Step I of Project Matrix, and did not have any nationally critical functions, services, or products. This recommendation was completed in September 2003 ,hen the final Step 1 report for Project Matrix was issued.
8. Develop a work plan, with milestone dates for key activities, for attaining full operational capability for the critical infrastructure protection at the earliest possible date.
Response: Part of attaining a full operational capability was the relocation of the DOJCERT to ITSS, which was completed in FY 03. This allows the Department to share attack warning and information in a timely manner. ITSS will develop a work plan for attaining full operational capability by February 2004. Some of the milestones that will be included are the identification of critical assets and interdependencies based on the completion of Step 2 of Project Matrix, the review of vulnerability assessments for completeness and the development of mitigation plans, and the development of contingency plans for critical assets. ITSS has developed standards for risk mitigation, contingency planning, and incident response. The standards are currently under review and are projected to be finalized by December 2003. Additionally, ITSS project teams are developing templates for contingency plans and risk assessments to supplement the standards.
Finding #2 Establishing an Emergencv Management Program
9. Define standards for secure, timely, and effective communication channels for passing indications and warning information and ensure those standards are implemented and operating.
Response: The ITSS has developed a standard for incident response which is projected to be finalized by January 2004. The standard will include the requirements for secure, timely, and effective communication channels.
10. Ensure that effective liaisons are established with the DHS's FedCIRC and the FBI'S Strategic Information Operations Center and NIPC.
Response: The DOJCERT currently reports incidents and conducts liaison with the FedCIRC and the NTPC. The DOJCERT, through the Cyber Defense Operations Project Team, will contact the FBI and obtain a point of contact for incident response-related actions in the Strategic Information Operations Center by November 2003.
11. Ensure that components are in compliance with procedures for reporting incidents.
Response: The ITSS has developed a standard for incident reporting and is developing a template for incident response plans. Compliance with the standard and template will be ensured by the DOJCERT and Cyber Defense Operations Project Team reviewing the components incident response plans and reports and providing recommendations, as required. Also, the ITSS C&A "help desk" will provide assistance to the components in developing their incident response procedures and plans. The incident response reporting standard is projected to be finalized and the "help desk" implemented by December 2003. Additionally, test cases for reporting incidents are projected to be completed by February 2004 and will be used to verify reporting of incidents.
12. Ensure the data regarding department-wide computer attacks and security incidents are collected and summarized according to the nature, frequency, category, and remediation actions taken and that analyses are performed to identify potential trends and systemic weaknesses.
Response: The technical standard and template for incident response plans requires components to report incidents that meet a certain criteria to the DOJCERT and provide the report format and reporting time requirements. The technical standard and template are projected to be completed by December 2003. The DOJCERT currently conducts analysis of the incidents and provides reports on the nature, frequency, category and remediation actions taken and performs analysis to identify potential trends and systemic weaknesses. Additionally, the DOJCERT reporting and analysis processes will be evaluated on a periodic basis by ITSS using test cases developed from FedCIRC reporting requirements. The test cases are projected to be completed by February 2004.
13. Verify that incident data is provided to: a) the NIPC as part of the National Critical Infrastructure Indications and Warnings System, b) the budget processes to support andjust~fy future CIP resource expenditures.
Response: The DOJCERT currently reports to the NIPC. The DOJCERT reporting process will be verified using the test cases described in recommendation 12. Based on incidents reports and analysis provided by DOJCERT, the ITSS will develop a list of vulnerabilities of the critical IT assets. ITSS will then review the Exhibit 300's for the critical IT systems and ensure the incident-related vulnerabilities are addressed. ITSS will initiate this process during the next submission of Exhibit 300's.
14. Verify that components have developed implemented and maintained internal incident response procedures and have identified appropriate individuals for reporting incidents to the DOJCERT.
Response: Currently, three components will have critical IT assets as a result of Project Matrix; the Bureau of Prisons, the Federal Bureau of Investigation, and the U.S. Marshal Service. The DOJCERT, Cyber Defense Project Team, and C&A "help desk" will provide assistance to the three components in developing their internal incident response procedures in the form of standards, templates, and document review with comments. ITSS will maintain a copy of the internal response procedures when they have been completed. Additionally, test cases verifying incident response procedures are projected to be completed by February 2004.
15. Ensure periodic testing of response plans.
Response: The Cyber Defense Operations Project Team is developing an incident response plan template, which will be completed by November 2003. Components are projected to develop and test incident response plans by June 2004. The DOJCERT and Cyber Defense Operations Project Team will assist the components in testing incident response plans.
16. Develop contingency plans for all critical iT assets.
Response: All the Department's critical IT assets will not be identified until the conclusion of Step 2 of Project Matrix, which is projected for March 2004. However, as critical IT assets are identified during Step 2, ITSS will review the certification and accreditation documents to determine if the system has a contingency plan. If it does not, assistance in developing a contingency plan for the IT system will be a priority for the C&A help desk. Since Step 2 of Project Matrix will be completed in March 2004, contingency plans for all critical IT assets are projected to be completed by July 2004.
17. Ensure that documentation is maintained supporting the existence or development of contingency plans for all critical infrastructure assets.
Response: ITSS will review the contingency plans of critical IT assets as they are identified during Step 2 of Project Matrix. A spreadsheet will be developed and maintained by ITSS listing the status of the contingency plan (completed, under development), the date of the plan, when last tested, and comments regarding the completeness of the plan. The spreadsheet will be updated on a quarterly basis, or sooner if the. contingency plans are modified. The spreadsheet will be developed by November 2003. The contingency plans will be reviewed and the spreadsheet updated as critical IT assets are identified during Step 2 of Project Matrix.
18. Verify contingency plans address all required elements as identified by Department Order 2640.2D.
Response: DOJ Order 2640.2E, which will replace DOJ Order 2640.2D, is awaiting signature. The requirements for contingency plans identified by DOJ Order 2640.2E will be included in the contingency plan standard and template. Additionally, contingency plans for critical IT systems will be reviewed by the C&A help desk. Test cases to verify that contingency plans contain the required elements are being developed and are projected to be completed by April 2004. Since all critical IT assets will not be identified until the completion of Step 2 of Project Matrix in March 2004, verification that all contingency plans contain the required elements using the test cases is projected for August 2004.
19. Obtain appropriate approvals for all contingency plans by component and JMSS officials.
Response: ITSS is currently developing a template for contingency plans. The template will include a signature page for the component approving officials and ITSS will track the validation through the ASSERT Tool. The template is projected to be completed by February 2004.
20. Test contingency plans periodically as required by Department Order 2640.2D.
Response: DOJ Order 2640.2E, which will replace DOJ Order 2640.2D, is awaiting signature. The testing of contingency plans for critical IT systems as required by DOJ Order 2640.2D or 2640.2E will be monitored by the ITSS. However, contingency plans for all critical IT systems will not be completed until November 2004, and a schedule for testing of contingency plans for all critical IT systems be developed by January 2005.
Finding # 3 Establishing an Effective Interagency Coordination Program
21. Compile a list of relationships and contacts with other federal agencies and other entities (foreign, state, and local agencies and the private sector).
Response: The components will be requested to review their service level agreements with other federal agencies and entities and provide the points of contact (with telephone numbers and email addresses), type of relationship, (supporting or supported), and summary of relationship. This information will be maintained in the database described in recommendation 23. ITSS will request the information from the components by November 15, 2003, and request they provide the information to ITSS by January 15, 2004.
22. Contact external entities to determine whether any Department assets are critical to their missions.
Response: The components will be requested to review their service level agreements (SLAs) or Memorandums of Understanding/ Memorandums of Agreement (MOU/ MOA) and contact other agencies that indicate the support provided by the Department is critical to their operation. Additionally, Step 2 of Project Matrix will identify agencies that have critical assets that are connected to Department systems. The components will be requested to review their SLAs and MOU/MOAs and provide the information to ITSS by January 15, 2004. The information on external entities will be maintained in the database described in recommendation 23.
23. Develop and maintain a database to track liaison and interagency relationships.
Response: ITSS will develop and maintain a database to track liaison and interagency relationships for critical IT systems. The database will be implemented by June 2004. The database will be populated and maintained as relationships with other agencies are established. Step 2 of Project Matrix will identify interdependencies of the Department's IT critical assets, and will probably result in the majority of the interagency relationships.
24. Establish a working group to address CIP issues.
Response: The Chief Information Officer established the Department's Information Technology Security Council (ITSC) in September 2003. The ITSC is comprised of IT security personnel from the components and is chaired by the Chief Information Security Officer, who is also the Director of ITSS. The ITSC will be used to address C1P issues. Sub-groups to address specific PDD-63 related problems will established, as required.
Finding #4 Meeting Department Resource and Organizational Requirements
25. Complete an assessment of the linkage between budgetary and personnel shortfalls and the Department's critical infrastructure weaknesses.
Response: The completion of Project Matrix will result in a significant modification to the critical infrastructure asset list and consequently to the Department's critical infrastructure weaknesses. Project Matrix is projected to be completed by March 2004. An assessment of the linkage between budgetary and personnel shortfall and the Department's revised critical infrastructure weaknesses will be completed by December 2004.
Finding #5 Establishing Effective Recruiting, Educating. and Awareness Programs
26. Establish a personnel recruitment and retention program as envisioned in the CIP Plan.
Response: As part of its personnel recruitment and retention effort, ITSS has recently hired an individual from the Cyber Corps program, and is in the process of hiring another. The Cyber Corps is a program where graduates of a four-year academic program work for the government in return for their tuition. Both of the Cyber Corps individuals will be part of the ITSS and their duties will support parts of the critical infrastructure program, such as developing templates for risk assessments. Additionally, as part of its retention program of security professionals, ITSS sponsors the Departments seminars and testing for the Certified Information System Security Professional (CISSP) program. Five individuals from the ITSS attended the CISSP seminars and testing in FY 03. The CISSP seminars and testing hosted by ITSS trained approximately 80 IT security personnel in the Department during FY 03. The personnel and retention program as envisioned in the 1999 CIP Plan has been modified to recognize the problems of recruiting and retaining IT security professionals in a shrinking pool of qualified individuals applying for Federal positions. The current program is to provide training to current employees in the necessary skills and recruit from traditional as well as non-traditional sources such as the Cyber Corps and Presidential Appointment Interns. A formal training and retention plan is being developed by the IT Security Employee Services Project Team, which is projected for completion by September 2004.