Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure
Report No. 04-05
Office of the Inspector General
The Department of Justice (Department) and other government departments and agencies are required to prepare and implement plans for protecting critical infrastructure. The infrastructure includes systems essential to the minimum operations of the economy and government, such as telecommunications, banking and finance, energy, and transportation. According to the Critical Infrastructure Assurance Office's (CIAO) National Plan for Information Systems Protection, the threat is that a group or nation hostile to the United States will seek to "inflict economic damage, disruption and death, and degradation of our defense response" by attacking our critical infrastructure.1 Critical infrastructure protection plans are required to include an inventory of the Department's mission-essential assets, an assessment of each asset's vulnerabilities, and plans to remediate those vulnerabilities.
In May 1998, Presidential Decision Directive 63 (PDD 63) required all federal agencies to achieve and maintain the ability to protect the nation's critical infrastructures from intentional acts that would significantly diminish their ability to perform essential national security missions and ensure general public health and safety. Achieving and maintaining this ability is referred to as "full operating capability." PDD 63 required the Department to reach full operating capability by May 2003.
The National Plan for Information Systems Protection, Version 1.0, issued by the CIAO in 2000, describes full operating capability as the ability to ensure that any interruption or manipulation of critical functions is ". . . brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States." Further, the Draft Critical Infrastructure Protection (CIP) Plan indicates that full operating capability for the Department is comprised of:
The Department of Justice Office of the Inspector General (OIG) previously audited the adequacy of the Department's planning and assessment activities for protecting its critical computer-based infrastructure. Over 20 Inspectors General conducted similar audits of their own agencies as part of an effort sponsored by the President's Council on Integrity and Efficiency (PCIE). Our November 2000 report noted that the Department had submitted its initial critical infrastructure protection plan to the CIAO as required, and the Department had revised its initial plan according to comments received from an Expert Review Team. However, we concluded that the Department had not yet: 1) adequately identified all of its mission-essential assets, 2) assessed the vulnerabilities of each of its assets, 3) developed remedial action plans for identified vulnerabilities, and 4) developed a multi-year funding plan for reducing vulnerabilities. As a result, the Department's ability to perform certain vital missions was at risk from terrorist attacks or similar threats.
Our current audit of critical infrastructure protection is a continuation of the executive branch-wide effort by the PCIE. We, along with other OIGs, who are conducting similar audits, focused on the adequacy of implementation activities for protecting critical computer-based infrastructures. Specifically, we reviewed Department activities in the areas of: risk mitigation; emergency management; interagency coordination; resource and organization requirements; the recruitment, education of Information Technology (IT) personnel; and computer security awareness. In addition, we reviewed follow-up activities undertaken with regard to the recommendations of our November 2000 report and found that the Department has made progress in the implementation of its CIP Plans, but much significant work remains to be done.
Within the Department, the Justice Management Division (JMD) develops, promulgates, and reviews implementation of departmentwide policies, standards, and procedures for the management of automated information processing resources. Within JMD, the Chief Information Officer (CIO) has oversight responsibility for CIP for the Department. Within the Office of the CIO, the Information Technology Security Staff (ITSS) has primary responsibility for critical infrastructure planning and implementation.3
In May 2003, the CIO reorganized the information resource management function. At that time, the ITSS was established, and it is now responsible for developing and implementing policies and procedures for information systems security programs. Prior to the reorganization, these functions were managed by the Information Management and Security Staff (IMSS). Upon its establishment, the ITSS retained the prior staff and oversight responsibilities of the IMSS. The ITSS also gained responsibility from JMD Computer Services Staff (CSS) for managing the Department of Justice Computer Emergency Response Team (DOJCERT). The DOJCERT assists component organizations with incident handling and resolution, and it is the centralized reporting entity for the Department. All components are required to report computer security incidents to the DOJCERT and the DOJCERT issues any necessary alerts to components and external agencies.
Within the Department, critical infrastructure protection is a shared responsibility between JMD and the various component organizations. Each component is responsible for identifying its MEI, assessing vulnerabilities, developing remediation and funding plans, and ensuring the implementation of the plans. JMD is responsible for coordinating the departmentwide effort and ensuring that the components comply with applicable requirements.
The Department is required to conduct vulnerability assessments to identify risks to its critical infrastructure. After the vulnerability assessments, remedial action plans are required to mitigate the exploitation of risks until the vulnerabilities are eliminated or reduced to an acceptable level. The remedial action plans should be system specific and should identify the vulnerability, responsible office, mission impact, mitigation action, long-term correction, and estimated costs and milestones for corrective measures.
JMD completed a vulnerability assessment in March 2002. JMD reviewed the management controls developed to implement the Department's CIP program and evaluated the controls against requirements contained in reports and other documents from the General Accounting Office, the National Critical Infrastructure Assurance Office, and the General Services Administration. The JMD review identified the following four individual vulnerabilities associated with the program.
As previously mentioned, the National Plan for Information Systems Protection, Version 1.0, issued by the CIAO describes full operating capability as the ability to ensure that any interruption or manipulation of critical functions is "brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States." Several items remain to be completed before the Department can reach full operating capability. In July 2002, IMSS officials indicated that mitigation action for all program vulnerabilities was progressing on target and would be completed on schedule. However, we found that the IMSS did not effectively manage the mitigation actions because it did not provide components sufficient time to provide required data to revalidate the MEI.
Another item we found that prevented the Department from reaching full operating capability was that project plans were not developed to ensure full operating capability by May 2003. In April 2003, we updated our assessment of progress by the IMSS/ITSS and found that project plans had been completed and included in the revised draft CIP Plan. However, those plans did not include completion dates for all tasks, and 54 of 73 tasks were not completed by May 2003. However, in our judgment four key tasks prevent the Department from achieving full operating capability. The four tasks are:
As a result of these tasks not being completed timely, the Department has less than adequate assurance that critical IT asset vulnerabilities will be mitigated adequately or timely.
The Department's April 1999 CIP Plan established the critical elements for an effective emergency management program and charged a CIP Task Force with its implementation.5 The Department's emergency management program, as envisioned in the CIP Plan, was to incorporate the elements of Indications and Warnings; Incident Collection, Reporting, and Analysis; and Response and Contingency Plans.
Regarding Indications and Warnings, the plan intended to establish an effective and secure mechanism for: a) receiving threat indication and warning information from the intelligence community and law enforcement agencies concerning the critical infrastructure of the Department and the nation, and b) disseminating this information in a timely manner to appropriate Department components. The IMSS was to ensure the existence of secure, effective, and timely communication channels for passing threat information from internal and external organizations to Department components at both headquarters and field locations charged with the protection of the Department's critical infrastructure assets.
Regarding Incident Collection, Reporting, and Analysis, the Plan intended to define and establish an effective and secure mechanism for collecting, reporting, and analyzing incident information about actual and potential attacks on the Department's critical infrastructure assets. The established method should have ensured that information generated from computer security incidents was received from Department components and disseminated throughout the Department and to other intelligence and law enforcement agencies, as appropriate, in a timely manner.
Regarding Response and Contingency Plans, the Plan intended to define and establish sound response and contingency plans to ensure the Department's critical infrastructure assets could be restored to the minimum operational effectiveness necessary to support the Department's missions should these critical infrastructure assets be subjected to successful attack. Response plans identify actions for responding to a significant infrastructure attack while the attack is underway. Contingency plans identify actions required to rebuild or restore an infrastructure after it has been damaged. The CIP Plan required that response and contingency plans should be prepared, reviewed, and approved by Department officials, and be exercised on a periodic basis to ensure that the plans can be effectively implemented.
The CIP Plan also established several intermediate milestones for implementing the three essential elements of the Department's emergency management program. Full implementation of the program was to occur no later than September 28, 1999.
Although the April 1999 CIP Plan contained a comprehensive blueprint and milestones for an effective, centrally managed Department emergency management program, we found that such a program was not fully implemented. Many of the critical emergency management program elements relating to indications and warnings, incident collection, reporting and analysis, and response and contingency planning were neither established nor operating.
Communication channels were established for passing threat information, but the IMSS did not determine whether the channels were secure, effective, and provided timely information as required by the CIP Plan. Additionally, the IMSS did not verify whether effective liaisons with the FBI's National Infrastructure Protection Center or the Strategic Information Operations Center were established and ongoing. Unless all indication and warning elements are in place, the Department does not have the assurance that communication channels for sharing vulnerabilities are secure and that components are receiving timely information to better equip it to respond to computer security incidents.6
Detailed procedures for the components to follow in reporting computer security incidents were developed by the CSS, but the IMSS could not substantiate whether the procedures were implemented and were being followed by components. According to the IMSS staff, tabulated summaries on the number and type of incidents are reported each month. However, the IMSS could not provide tabulated summaries regarding the nature, frequency, category, and remediation of prior Department computer security incidents or possible trends and potential systemic weaknesses based on analyses of prior incidents. Although there is no specific requirement that the IMSS maintain documentation for these activities, without such documentation the Department does not have assurance that additional procedures for collecting and analyzing incidents as required by the CIP Plan were developed and are in place.
We also found that detailed response procedures for computer security incidents had been established, but the IMSS had not ensured that the procedures were implemented and were being followed. Specifically, the IMSS did not verify whether components had developed, implemented, and maintained internal incident response procedures and whether components had identified appropriate individuals responsible for reporting incidents to the DOJCERT.
Department Order 2640.2D requires components to develop and test contingency plans as well as site plans detailing responses to emergencies for IT facilities, but the IMSS staff could not provide support that components had done so.
The CIP Task Force was responsible for developing and implementing the CIP Plan, including the emergency management program, but the Task Force ceased operating during calendar year 2000 and has had no further involvement in implementation activities. IMSS officials told the OIG that other activities are operating within the Department to mitigate the activities not performed by the CIP Task Force. As noted previously, we found weaknesses in the Department's emergency management. As a result, the Department has less than adequate assurance that it can effectively respond to computer attacks and security incidents.
There are two primary objectives for establishing effective interagency coordination relating to CIP. First, the CIP Plan requires the Department to establish and maintain effective liaisons with entities proposing and promulgating security measures and plans relating to CIP. Doing so ensures that the Department receives the most up-to-date information for protecting its critical IT asset systems. Second, the CIP Plan requires the Department to establish and maintain effective liaisons with all entities for which Department IT systems either receive or provide critical data supporting national security, national economic security, and/or crucial public health and safety activities. All Department IT systems either receiving or providing such information must be identified and included in the Department's MEI as critical IT assets and receive the special protection afforded under the CIP program.
Although the CIP Plan contained comprehensive requirements for implementing an effective interagency coordination program, as detailed below, such a program has not been established within the Department. IMSS officials did not ensure that components' headquarters and field offices developed lists of current federal and interagency liaisons and memoranda of understanding associated with CIP. The Department did not establish a method for ensuring coordination between the various Department entities and liaisons with outside organizations related to critical infrastructure protection. Components did not forward to the IMSS lists of liaisons and relationships. Consequently, the centralized database of liaisons and relationships was not created and maintained, nor was any entity within the Department serving as the focal point for all liaisons and relationships pertaining to CIP. A working group, or other means of communication, was not established to ensure that information is effectively shared between Department components having interagency relationships and liaisons.
Without such a program for interagency coordination, the Department cannot ensure that information will be accessible from Department assets when needed.
Resource and Organizational Requirements
The Department's CIP Plan required identification of the resources and organization necessary to protect critical assets. This was to be accomplished largely through the efforts of the CIP Task Force. Although we found that the CIP Task Force did not fully carry out the responsibilities in this area of the CIP Plan, the Department has undertaken some efforts to ensure its resource and organizational requirements are adequately identified. However, full implementation of the CIP Plan has not been achieved. Studies contracted for by JMD done in lieu of studies by the CIP Task Force have not assessed the linkage between budgetary and personnel shortfalls and the Department's critical infrastructure weaknesses. We concluded that completion of this activity is crucial to the Department's efforts to ensure that its resource and organization requirements have been met.
Recruiting, Educating, and Awareness
The Department's 1999 CIP Plan recognized the need to recruit, retain, and educate both Department and contractor personnel in the areas of physical and information security. The Plan called for the completion of various programs to ensure that these needs were met. Some of these programs have been fully accomplished. For example, on April 15, 2003, the Department implemented a departmentwide initiative to provide computer security awareness training. However, we found that the recruitment and retention program called for in the Plan was not fully implemented and, as a consequence, the Department lacks assurance that it has been able to attract and retain the best possible CIP staff.
Follow-up on Prior Audit
In our November 2000 report on "Department Critical Infrastructure Protection - Planning for the Protection of Computer Based Infrastructure," we found that the Department had not yet: 1) identified all of its mission-essential assets, 2) assessed the vulnerabilities of each critical asset, 3) developed remedial action plans for identified vulnerabilities, or 4) developed a multi-year funding plan for reducing vulnerabilities. During this current audit, we tested follow-up actions taken regarding these recommendations. We found that the IMSS had completed some of the required corrective actions. However, further work is required regarding the MEI inventory, plans to address weaknesses identified in vulnerability assessments, and development of a multi-year funding plan for the remediation of vulnerabilities.
By May 2003 all federal agencies were required to achieve and maintain the ability to protect our nation's critical infrastructures from intentional acts that would significantly diminish their ability to perform essential national security missions and ensure general public health and safety. While the Department has activities planned and in-progress to help it reach this full operating capability, some of those plans lack completion dates. Absent those dates, there is no assurance that the Department will ever reach full operating capability. As described above, the Department did not reach full operating capability by May 2003 as required, and as a consequence the Department's critical infrastructures remain at risk.
Our Report contains 26 recommendations to help improve the Department's efforts to manage critical infrastructure protection. These include recommending that the Department: