
Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure

Report No. 04-05
November 2003
Office of the Inspector General


Appendix 11
JMD's Response to the Draft Report

U.S. Department of Justice
Washington, D.C. 20530

October 10, 2003
MEMORANDUM FOR GLENN A. FINE
Inspector General
FROM: Paul R. Corts (original signed)
Assistant Attorney General
   for Administration
SUBJECT: Response to Departmental Critical Infrastructure Protection
Implementing Plans to Protect Cyber-Based Infrastructure
Audit Report

The Justice Management Division (JMD) has reviewed the findings and recommendations in the Office of the Inspector General's (OIG) Draft Audit Report on the Department Critical Infrastructure Protection - Implementing Plans to Protect Cyber-Based Infrastructure. JMD concurs with the findings and agrees with the recommendations. Accordingly, we have made and continue to make improvements in the areas outlined in the audit.

During the 14 months of the audit, the Department's Chief Information Officer (CIO) initiated several actions that will better enable the Department to identify and protect its critical cyber-based infrastructures and mission-critical systems. These actions include revamping the Department's CIO position, including creating a Deputy CIO for Information Technology (IT) Security, reassignment of responsibility for classified system security, and initiating a Project Matrix Review with the newly formed Department of Homeland Security.

The Department originally developed its Critical Infrastructure Protection - Implementing Plan in 1999 and identified its "minimum essential infrastructure" (MEI) cyber-based assets in January 2001. Since that time the Department's missions have evolved with a stronger focus towards counter-terrorism and law enforcement information sharing. In addition, the Department's infrastructures have changed with the Immigration and Naturalization Service (INS) migrating to the new Department of Homeland Security (DHS) and the Bureau of Alcohol, Tobacco, Firearms, and Explosives entering the Department.

To further develop and enhance the Department's abilities to implement the requirements of Presidential Decision Directive (PDD) 63, the Department initiated a Project Matrix Review in March 2003 with the newly formed DHS. DHS has responsibility for implementing the National Strategy on Cyber Security, and the Critical Infrastructure Assurance Office with overall responsibility for PDD 63 is maintained within DHS. Phase I of the Project Matrix Review process, expected to be completed in October 2003, will identify those functions, services, and products whose continuing availability is vital to the United States. Phase II of the process will complete an infrastructure analysis of the critical functions and identify all assets (including cyber-based) and links (interfaces between systems and agencies). The Project Matrix process will result in a modification to the minimum essential inventory/critical asset list. Due to the impact the loss of a critical information technology (IT) asset will have on the nation, the Information Technology and Security Staff (ITSS) will start reviewing contingency plans and other documentation of IT systems as they are tentatively identified during Step 2. In addition, the ITSS will update the Department's Critical Infrastructure Protection Plan to reflect the updated mission and organization of the Department.

The JMD currently has several initiatives underway to improve its information technology security program that will, or have, implemented some of the recommendations contained in the report. Recognizing the need for an automated process to track vulnerabilities and mitigation actions, the ITSS is reviewing the capabilities of the "Automated Security Self-Evaluation and Remediation Tracking" (ASSERT) tool. ASSERT is a web-enabled process based on the National Institute of Standards (NIST) Security Self-Assessment Guide for Information Technology Systems. When implemented by JMD, ASSERT will be used to track mitigation activities for IT systems, monitor progress by component on the resolution of vulnerabilities, and monitor the status of certification and accreditation status of IT systems. ASSERT is projected to be implemented by JMD by March 2004 and populated with the major systems by May 2004.

The Department is updating the IT security policy and developing standards to implement technical, operational, and management controls in IT systems. The updated IT security policy includes roles and responsibilities for IT security personnel and requirements from the Federal Information Security Management Act (FISMA). The updated policy will replace DOJ Order 2640.2D, "Information Technology Security". ITSS is also developing seventeen technical standards based on the seventeen security controls listed in the NIST Security Self-Assessment Guide for Information Technology Systems. This includes technical standards on contingency planning and incident response. The technical standards are currently being reviewed and projected to be finalized by January 2004.

Appendix A to this document lists the five findings and twenty-six recommendations from the draft audit report. Along with the twenty-six recommendations are JMD's response and the dates corrective actions will be implemented.

Appendix A

Finding #1 Establishing a Risk Mitigation Program

1. Develop a tracking system for risk mitigation activities for classified MEI systems.

Response: JMD plans to use the Automated Security Self-Evaluation and Remedial Tracking (ASSERT) tool to track activities required to accredit an IT system. ASSERT provides for the tracking of individual vulnerabilities and mitigating actions. ASSERT will be installed on the standalone personal computer currently used to host the Security Management and Reporting Tool (SMART) classified database. The projected implementation date for ASSERT is March 2004.

2. Develop a multi-year funding plan based on resources required to mitigate vulnerabilities as identified in revised POA&Ms.

Response: JMD will not be able to identify all the Department's critical assets until the completion of Step 2 of Project Matrix, which is projected for March 2004. ASSERT is projected for implementation to track vulnerabilities, mitigation actions, and resources for classified and unclassified systems also by March 2004. However, it may take up to 60 days to populate ASSERT with the vulnerabilities, mitigating actions, and required resources for critical assets. Additionally, the mitigation plans for the critical IT systems are projected to be completed by June 2004. Therefore, the projected date to complete a multi-year funding plan for critical assets is August 2004.

3. Revise the current process used to monitor components' progress in mitigating critical IT vulnerabilities to a clear component-by-component summary of progress in mitigating vulnerabilities.

Response: The implementation of ASSERT will enable ITSS to monitor components' progress in mitigating IT vulnerabilities on a component-by-component basis. ASSERT is projected to be implemented by March 2004.

4. Monitor and document, at least quarterly, the status of certification and accreditation for critical IT systems.

Response: The ITSS is requesting funds for FY 04 to establish a "help desk" dedicated to assisting and tracking the development of certification and accreditation documents by components for IT systems. The "help desk" is projected to be implemented by December 2003, and will monitor and document the status of certification and accreditation for critical IT systems.

5. Ensure components submit properly completed POA&Ms in accordance with OMB guidance. For the use described by the JMD staff, at a minimum, the component's POA&Ms should:
  1. clearly address the vulnerabilities identified in the Department Vulnerability assessment;
  2. include the source of the vulnerabilities so readers can refer back to the Department Vulnerability Assessment to obtain additional information;
  3. describe the performance measures used to track progress in mitigating weaknesses, and
  4. identify resources required for implementing risk mitigation activities for each identified vulnerability.

Response: The implementation of the ASSERT tool will ensure the components submit POA&Ms in accordance with OMB guidance. The ASSERT tool will be modified, if required, to include fields for identified vulnerabilities, the source of the vulnerabilities, performance measures to track progress in mitigating vulnerabilities, and resources required. In addition to the vulnerabilities identified in the Department Vulnerability Assessment, the system-specific POA&Ms will track all vulnerabilities, such as those identified during testing or auditing. The ASSERT tool is projected to be implemented in March 2004.

6. Conduct vulnerability assessments and develop risk mitigation plans for assets newly added to the MEI.

Response: The Department completed Step 1 of Project Matrix in September 2003, and has initiated Step 2. Step 2 is the identification of interdependencies of the IT systems, facilities, and personnel that are necessary for the operation of the nationally critical functions, services, and products. Step 2 is projected to be completed by March 2004. ITSS will review the vulnerability assessment of the IT systems that were added to the list to ensure they meet the requirements of PDD-63. ITSS will also assist the components in developing risk mitigation plans. The vulnerability assessments and risk mitigation plans for critical IT systems that are not adequate will be completed by June 2004.

7. Determine the critical assets within the ATF and perform vulnerability assessments, develop risk mitigation plans, and a multi-year funding plan for those assets.

Response: ATF was included in Step 1 of Project Matrix, and did not have any nationally critical functions, services, or products. This recommendation was completed in September 2003 when the final Step 1 report for Project Matrix was issued.

8. Develop a work plan, with milestone dates for key activities, for attaining full operational capability for the critical infrastructure protection at the earliest possible date.

Response: Part of attaining a full operational capability was the relocation of the DOJCERT to ITSS, which was completed in FY 03. This allows the Department to share attack warning and information in a timely manner. ITSS will develop a work plan for attaining full operational capability by February 2004. Some of the milestones that will be included are the identification of critical assets and interdependencies based on the completion of Step 2 of Project Matrix, the review of vulnerability assessments for completeness and the development of mitigation plans, and the development of contingency plans for critical assets. ITSS has developed standards for risk mitigation, contingency planning, and incident response. The standards are currently under review and are projected to be finalized by December 2003. Additionally, ITSS project teams are developing templates for contingency plans and risk assessments to supplement the standards.

Finding #2 Establishing an Emergency Management Program

9. Define standards for secure, timely, and effective communication channels for passing indications and warning information and ensure those standards are implemented and operating.

Response: The ITSS has developed a standard for incident response which is projected to be finalized by January 2004. The standard will include the requirements for secure, timely, and effective communication channels.

10. Ensure that effective liaisons are established with the DHS's FedCIRC and the FBI's Strategic Information Operations Center and NIPC.

Response: The DOJCERT currently reports incidents and conducts liaison with the FedCIRC and the NIPC. The DOJCERT, through the Cyber Defense Operations Project Team, will contact the FBI and obtain a point of contact for incident response-related actions in the Strategic Information Operations Center by November 2003.

11. Ensure that components are in compliance with procedures for reporting incidents.

Response: The ITSS has developed a standard for incident reporting and is developing a template for incident response plans. Compliance with the standard and template will be ensured by the DOJCERT and Cyber Defense Operations Project Team reviewing the components' incident response plans and reports and providing recommendations, as required. Also, the ITSS C&A "help desk" will provide assistance to the components in developing their incident response procedures and plans. The incident response reporting standard is projected to be finalized and the "help desk" implemented by December 2003. Additionally, test cases for reporting incidents are projected to be completed by February 2004 and will be used to verify reporting of incidents.

12. Ensure the data regarding department-wide computer attacks and security incidents are collected and summarized according to the nature, frequency, category, and remediation actions taken and that analyses are performed to identify potential trends and systemic weaknesses.

Response: The technical standard and template for incident response plans require components to report incidents that meet certain criteria to the DOJCERT and provide the report format and reporting time requirements. The technical standard and template are projected to be completed by December 2003. The DOJCERT currently conducts analysis of the incidents and provides reports on the nature, frequency, category, and remediation actions taken and performs analysis to identify potential trends and systemic weaknesses. Additionally, the DOJCERT reporting and analysis processes will be evaluated on a periodic basis by ITSS using test cases developed from FedCIRC reporting requirements. The test cases are projected to be completed by February 2004.

13. Verify that incident data is provided to: a) the NIPC as part of the National Critical Infrastructure Indications and Warnings System, b) the budget processes to support and justify future CIP resource expenditures.

Response: The DOJCERT currently reports to the NIPC. The DOJCERT reporting process will be verified using the test cases described in recommendation 12. Based on incidents reports and analysis provided by DOJCERT, the ITSS will develop a list of vulnerabilities of the critical IT assets. ITSS will then review the Exhibit 300's for the critical IT systems and ensure the incident-related vulnerabilities are addressed. ITSS will initiate this process during the next submission of Exhibit 300's.

14. Verify that components have developed, implemented, and maintained internal incident response procedures and have identified appropriate individuals for reporting incidents to the DOJCERT.

Response: Currently, three components will have critical IT assets as a result of Project Matrix: the Bureau of Prisons, the Federal Bureau of Investigation, and the U.S. Marshals Service. The DOJCERT, Cyber Defense Project Team, and C&A "help desk" will provide assistance to the three components in developing their internal incident response procedures in the form of standards, templates, and document review with comments. ITSS will maintain a copy of the internal response procedures when they have been completed. Additionally, test cases verifying incident response procedures are projected to be completed by February 2004.

15. Ensure periodic testing of response plans.

Response: The Cyber Defense Operations Project Team is developing an incident response plan template, which will be completed by November 2003. Components are projected to develop and test incident response plans by June 2004. The DOJCERT and Cyber Defense Operations Project Team will assist the components in testing incident response plans.

16. Develop contingency plans for all critical IT assets.

Response: All the Department's critical IT assets will not be identified until the conclusion of Step 2 of Project Matrix, which is projected for March 2004. However, as critical IT assets are identified during Step 2, ITSS will review the certification and accreditation documents to determine if the system has a contingency plan. If it does not, assistance in developing a contingency plan for the IT system will be a priority for the C&A help desk. Since Step 2 of Project Matrix will be completed in March 2004, contingency plans for all critical IT assets are projected to be completed by July 2004.

17. Ensure that documentation is maintained supporting the existence or development of contingency plans for all critical infrastructure assets.

Response: ITSS will review the contingency plans of critical IT assets as they are identified during Step 2 of Project Matrix. A spreadsheet will be developed and maintained by ITSS listing the status of the contingency plan (completed, under development), the date of the plan, when last tested, and comments regarding the completeness of the plan. The spreadsheet will be updated on a quarterly basis, or sooner if the contingency plans are modified. The spreadsheet will be developed by November 2003. The contingency plans will be reviewed and the spreadsheet updated as critical IT assets are identified during Step 2 of Project Matrix.

18. Verify contingency plans address all required elements as identified by Department Order 2640.2D.

Response: DOJ Order 2640.2E, which will replace DOJ Order 2640.2D, is awaiting signature. The requirements for contingency plans identified by DOJ Order 2640.2E will be included in the contingency plan standard and template. Additionally, contingency plans for critical IT systems will be reviewed by the C&A help desk. Test cases to verify that contingency plans contain the required elements are being developed and are projected to be completed by April 2004. Since all critical IT assets will not be identified until the completion of Step 2 of Project Matrix in March 2004, verification that all contingency plans contain the required elements using the test cases is projected for August 2004.

19. Obtain appropriate approvals for all contingency plans by component and JMSS officials.

Response: ITSS is currently developing a template for contingency plans. The template will include a signature page for the component approving officials and ITSS will track the validation through the ASSERT Tool. The template is projected to be completed by February 2004.

20. Test contingency plans periodically as required by Department Order 2640.2D.

Response: DOJ Order 2640.2E, which will replace DOJ Order 2640.2D, is awaiting signature. The testing of contingency plans for critical IT systems as required by DOJ Order 2640.2D or 2640.2E will be monitored by the ITSS. However, contingency plans for all critical IT systems will not be completed until November 2004, and a schedule for testing of contingency plans for all critical IT systems will be developed by January 2005.

Finding #3 Establishing an Effective Interagency Coordination Program

21. Compile a list of relationships and contacts with other federal agencies and other entities (foreign, state, and local agencies and the private sector).

Response: The components will be requested to review their service level agreements with other federal agencies and entities and provide the points of contact (with telephone numbers and email addresses), type of relationship, (supporting or supported), and summary of relationship. This information will be maintained in the database described in recommendation 23. ITSS will request the information from the components by November 15, 2003, and request they provide the information to ITSS by January 15, 2004.

22. Contact external entities to determine whether any Department assets are critical to their missions.

Response: The components will be requested to review their service level agreements (SLAs) or Memorandums of Understanding/ Memorandums of Agreement (MOU/ MOA) and contact other agencies that indicate the support provided by the Department is critical to their operation. Additionally, Step 2 of Project Matrix will identify agencies that have critical assets that are connected to Department systems. The components will be requested to review their SLAs and MOU/MOAs and provide the information to ITSS by January 15, 2004. The information on external entities will be maintained in the database described in recommendation 23.

23. Develop and maintain a database to track liaison and interagency relationships.

Response: ITSS will develop and maintain a database to track liaison and interagency relationships for critical IT systems. The database will be implemented by June 2004. The database will be populated and maintained as relationships with other agencies are established. Step 2 of Project Matrix will identify interdependencies of the Department's IT critical assets, and will probably result in the majority of the interagency relationships.

24. Establish a working group to address CIP issues.

Response: The Chief Information Officer established the Department's Information Technology Security Council (ITSC) in September 2003. The ITSC is comprised of IT security personnel from the components and is chaired by the Chief Information Security Officer, who is also the Director of ITSS. The ITSC will be used to address CIP issues. Sub-groups to address specific PDD-63 related problems will be established, as required.

Finding #4 Meeting Department Resource and Organizational Requirements

25. Complete an assessment of the linkage between budgetary and personnel shortfalls and the Department's critical infrastructure weaknesses.

Response: The completion of Project Matrix will result in a significant modification to the critical infrastructure asset list and consequently to the Department's critical infrastructure weaknesses. Project Matrix is projected to be completed by March 2004. An assessment of the linkage between budgetary and personnel shortfall and the Department's revised critical infrastructure weaknesses will be completed by December 2004.

Finding #5 Establishing Effective Recruiting, Educating, and Awareness Programs

26. Establish a personnel recruitment and retention program as envisioned in the CIP Plan.

Response: As part of its personnel recruitment and retention effort, ITSS has recently hired an individual from the Cyber Corps program, and is in the process of hiring another. The Cyber Corps is a program where graduates of a four-year academic program work for the government in return for their tuition. Both of the Cyber Corps individuals will be part of the ITSS and their duties will support parts of the critical infrastructure program, such as developing templates for risk assessments. Additionally, as part of its retention program for security professionals, ITSS sponsors the Department's seminars and testing for the Certified Information System Security Professional (CISSP) program. Five individuals from the ITSS attended the CISSP seminars and testing in FY 03. The CISSP seminars and testing hosted by ITSS trained approximately 80 IT security personnel in the Department during FY 03. The personnel and retention program as envisioned in the 1999 CIP Plan has been modified to recognize the problems of recruiting and retaining IT security professionals in a shrinking pool of qualified individuals applying for Federal positions. The current program is to provide training to current employees in the necessary skills and recruit from traditional as well as non-traditional sources such as the Cyber Corps and Presidential Appointment Interns. A formal training and retention plan is being developed by the IT Security Employee Services Project Team, which is projected for completion by September 2004.