Department Critical Infrastructure Protection Implementing Plans to Protect Cyber-Based Infrastructure
Report No. 04-05
Office of the Inspector General
3. ESTABLISHING AN EFFECTIVE INTERAGENCY COORDINATION PROGRAM
The Department has not implemented an interagency coordination program, as required by the CIP Plan. The Department's CIP Plan requires Department components to develop a list of liaison and interagency relationships for the CIP Task Force to develop and maintain a database of those relationships. The CIP Task Force, tasked with the development and maintenance of the interagency coordination database, was disbanded in 2000 without developing the database or addressing any of the CIP elements. Additionally, the Department has not determined the support its assets provide to other federal agencies and entities. This occurred in part because the IMSS did not require complete information from Department components in determining the Department's MEI. Without taking these steps, the Department cannot ensure effective coordination links exist and that information will be accessible from Department assets when needed.
There are two primary objectives for establishing effective interagency coordination relating to CIP. First, the CIP Plan requires the Department to establish and maintain effective liaisons with entities proposing and promulgating security measures and plans relating to CIP. Doing so ensures that the Department receives and is aware of the most up-to-date information for protecting its critical IT asset systems.
Second, the CIAO's "Practices for Securing Critical Information Assets" provides guidance for the Department to identify and characterize the level to which Department assets provide support to other government agencies. As part of that process, the Department should establish and maintain effective liaisons with all entities for which Department IT systems either receive or provide critical data supporting national security, national economic security, and crucial public health and safety activities. All Department IT systems either receiving or providing such information must be identified and included in the Department's MEI as critical IT assets and receive the special protection afforded under the CIP program.
Establishing and maintaining effective interagency coordination in protecting the Department's critical IT asset systems is essential. The Assistant Attorney General for Administration, in approving the April 1999 Department's CIP Plan, recognized the importance of interagency coordination by stating in the plan that, "In general, we believe the quickest and most effective way to achieve a much higher level of protection from the threats to our critical infrastructure is through the sector structures in partnership with the owners, operators and appropriate government agencies."
The April 1999 CIP Plan addressed the need for cooperation with the various federal, state, and local agencies involved in the protection of the critical infrastructure as it pertained to Department operations. The CIP Plan addressed this need by defining and establishing the specific liaisons necessary for the Department to implement a sound CIP program. Liaisons were to be established at the national level between program elements located at Headquarters and their appropriate counterparts, as well as at the state and local levels for Department field offices. The CIP Plan established the following requirements.
Although the CIP Plan contained comprehensive requirements for implementing an effective interagency coordination program, as detailed below, such a program was never established within the Department.
A primary reason for the lack of an interagency coordination program is that the CIP Task Force charged with serving as the focal point and maintaining the needed database did not address any of the CIP elements related to interagency coordination. The Task Force last met during calendar year 2000 and no longer exists. There were two reasons why the interagency coordination program as envisioned by the CIP Plan had not been implemented.
First, IMSS officials maintained that in developing the Department's MEI for IT assets, no Department IT system either received critical data from external entities or provided data to external entities supporting national security, national economic security, and crucial public health and safety activities. Second, IMSS officials maintained that ongoing activities within Department components effectively monitored interagency activity. For these reasons, IMSS officials believe that there was no need to implement a vigorous interagency coordination program as called for in the CIP Plan.
However, we concluded that: a) the IMSS did not properly determine whether critical exchanges of information were ongoing between Department components and other entities, and b) ongoing activities within Department components did not adequately compensate for the lack of an effective interagency coordination program as required by the CIP Plan.
(1) IMSS Did Not Properly Determine Whether Critical Exchanges of Information Were Ongoing Between Department Components and Other Entities
In identifying critical IT systems, guidance published by the CIAO states that federal agencies were initially required to develop an inventory of all candidate IT systems. To identify the critical IT systems from the list of candidates, agencies could complete an Infrastructure Asset Evaluation Survey. This survey, developed by the CIAO, identifies seven "goals" and specific functions within each goal that are characteristic of goals and functions performed by critical IT systems. The goals identified in the survey were:
Although there is no hard and fast rule for determining what is or is not a critical IT system, in general the more goals an IT system supports - and the more significant functions the system performs within each goal - the more important the IT system is. The more important the IT system is, the higher the chances that the system will be identified as a critical asset.
We determined that the IMSS did not follow CIAO guidance in identifying its critical IT assets. IMSS officials did not require components to develop initial inventories of critical IT assets based on the Infrastructure Asset Evaluation Surveys of all candidate systems. Instead, components were requested early in calendar year 2000 to develop their inventories based on a four-tiered Impact Level Rating Scheme as described in the following chart.
Impact Level Rating Scheme
This approach provided little assurance that candidate IT systems were adequately evaluated against the more comprehensive seven goals and the corresponding functions within each goal identified in the Infrastructure Asset Evaluation Survey. For example, unlike the Infrastructure Asset Evaluation Survey, the Impact Level Rating Scheme did not require components to consider dependency of other government programs on the Department's IT systems and whether critical information exchanges were occurring.
It was only after components had already developed their initial inventories of critical IT assets that the IMSS provided components with the Infrastructure Asset Evaluation Surveys. For each critical IT system identified, components were instructed to complete the survey for only one of the seven goals identified in the survey. The survey goal selected for completion was to be determined by the primary goal actually supported by each critical IT system.
We identified two significant deficiencies with this approach. First, the purpose of the surveys was to identify critical IT systems from a list of candidate systems. Using the surveys on an already existing list of critical IT systems selected under a less comprehensive methodology was of questionable benefit. Second, IT systems may possess several goals characteristic of a critical IT system. Requiring components to complete a survey for only one of the seven goals risks overlooking other goals that may, upon closer analysis, elevate IT systems to critical status.
The net effect of these weaknesses in identifying the Department's critical IT systems is that neither the IMSS nor the Department components considered the dependency of other government programs on the Department's IT systems, and whether critical exchanges of information were occurring. As a result, Department IT systems that exchanged critical information may not have been identified and considered for protection under the CIP program.
Evidence that such exchanges of critical information may be occurring was documented in a November 13, 2001, memorandum to Department CIOs. In that memorandum, the Acting Assistant Attorney General for Administration stated:
The recent attacks of September 11, 2001, on the United States underscore the critical need for the Department of Justice to take an aggressive role in preventing aliens who engage in or support terrorist activity from entering the United States . . .
Information technology is a tool that can be used to fight terrorism through improved information sharing with other federal agencies. Through information sharing the overall investigative and intelligence analysis capabilities of the federal government can be enhanced . . . Towards this end, I have initiated an effort within JMD to summarize the current information exchanges between the Department, the Department of State, and the United States Customs Service.
A draft diagram and a description of the information flows as currently understood by JMD have been prepared. This diagram and the associated narrative provide an overview of the structured information exchanges between four Department components, the Department of State, and the United States Customs Service.
The diagram provided by the Acting Assistant Attorney General is presented in Appendix 9. Although the draft diagram showed 19 FBI, DEA, and INS IT systems involved in information exchanges with the Department of State and the United States Customs Service, only 4 of these IT systems were identified by the Department as being critical in the January 2001 inventory and 2 were identified as being critical in the December 2002 inventory. Information Management and Security Staff officials indicated that the Department received no critical information from external entities and indicated that if Department information is critical to the mission of the external entities, then the external entity representative should contact a Department representative. We previously noted in this report that liaisons had not been identified to facilitate the communication needed in this regard.
Among the remaining 17 systems not identified in either Department inventory are the FBI's National Instant Criminal Background Check System (NICS) and Automated Case Support (ACS) System, and the DEA's Narcotics and Dangerous Drugs Information System (NADDIS) as described below. We are not concluding that these are critical systems, but we believe that these systems provide important information to external entities. Without an assessment made in concert with external entities, the Department cannot ensure that its assets critical to the mission of other agencies have been adequately identified.
(2) Ongoing Activities Within Department Components Did Not Adequately Compensate for the Lack of an Effective Interagency Coordination Program
The Department participates in two groups that have the potential to compensate for the lack of an effective interagency coordination program. These groups are the Information Technology Security Officers Working Group (ITSOWG) and the Computer Crime and Intellectual Property Section (CCIPS).
The ITSOWG is composed of the designated computer security officers or representatives from each of the components and JMD for the purposes of:
A JMD official also meets periodically with a working group managed by the CCIPS of the Department's Criminal Division to establish uniform policy within the Department on computer crime issues. The CCIPS group advises federal prosecutors and law enforcement agents, comments upon and proposes legislation, coordinates international efforts to combat computer crime, litigates cases, and trains law enforcement groups.
Neither the ITSOWG nor the CCIPS group specifically addresses CIP issues. Absent a working group or other means of communication, the Department cannot ensure that information between components is effectively shared and CIP issues are addressed.
According to IMSS staff, the IMSS partially identified the IT support provided by other agencies and its support to other agencies by developing a detailed analysis of systems and interrelations including the direction of the data flow. However, the IMSS's analysis does not provide all the data elements required by the CIP Plan, including organizations involved, Department representative, reason for liaison, Department obligations, special considerations, and the primary mission of the outside organization.
The Department's CIP Plan addressed the critical need for cooperation with the various agencies involved in the protection of the critical infrastructure. The CIP Plan defined and established the specific liaisons necessary for the Department to implement a sound CIP program. However, an effective interagency coordination program was not established because the Department did not: 1) ensure that components developed lists of current liaisons and memoranda of understanding associated with CIP; 2) establish a method for ensuring coordination between the various Department entities and liaisons with outside organizations; 3) create and maintain a centralized database of liaisons and relationships, or establish an entity within the Department to serve as the focal point for all liaisons and relationships pertaining to CIP; and 4) establish a working group, or other means of communication, to ensure that information is effectively shared between Department components having interagency relationships and liaisons.
These problems resulted in part from the CIP Task Force's cessation of operation in 2000. In addition, the IMSS did not adequately determine whether critical exchanges of information were ongoing between Department components and other entities, and it did not initiate another method of compensating for the interagency coordination program called for in the CIP Plan.
Without an effective program for interagency coordination, the Department cannot ensure effective coordination links exist and that information will be accessible from Department assets when needed.
We recommend that the Assistant Attorney General for Administration: