Defense Infrastructure
Actions Needed to Guide DOD's Efforts to Identify, Prioritize, and Assess Its Critical Infrastructure Gao ID: GAO-07-461 May 24, 2007The Department of Defense (DOD) relies on a network of DOD and non-DOD infrastructure assets in the United States and abroad so critical that its unavailability could hinder DOD's ability to project, support, and sustain its forces and operations worldwide. DOD established the Defense Critical Infrastructure Program (DCIP) to identify and assure the availability of mission-critical infrastructure. GAO was asked to evaluate the extent to which DOD has (1) developed a comprehensive management plan to implement DCIP and (2) identified, prioritized, and assessed its critical infrastructure. GAO analyzed relevant DCIP documents and guidance and met with officials from more than 30 DOD organizations that have DCIP responsibilities, and with Department of Homeland Security (DHS) officials involved in protecting critical infrastructure.
While DOD has taken important steps to implement DCIP, it has not developed a comprehensive management plan to guide its efforts. GAO's prior work has shown the importance of developing a plan that incorporates sound management practices, such as issuing guidance, coordinating stakeholders' efforts, and identifying resource requirements and sources. Most of DOD's DCIP guidance and policies are either newly issued or in draft form, leading some DOD components to rely on other, better-defined programs, such as the antiterrorism program, to implement DCIP. Although DOD issued a DCIP directive in August 2005, the lead office responsible for DCIP lacks a chartering directive that defines important roles, responsibilities, and relationships with other DOD organizations and missions. DOD has created several information sharing and coordination mechanisms; however, additional measures could be taken. Also, DOD's reliance on supplemental appropriations to fund DCIP makes it difficult to effectively plan future resource needs. Until DOD completes a comprehensive DCIP management plan, its ability to implement DCIP will be challenged. DOD estimates that it has identified about 25 percent of the critical infrastructure it owns, and expects to identify the remaining 75 percent by the end of fiscal year 2009. In contrast, DOD has identified significantly less of the critical infrastructure that it does not own, and does not have a target date for its completion. Among the non-DOD-owned critical infrastructure that has been identified are some 200 assets belonging to private sector companies that comprise the defense industrial base--the focus of another report we plan to issue later this year. DOD estimates that about 85 percent of its mission-critical infrastructure assets are owned by non-DOD entities, such as the private sector; state, local, and tribal governments; and foreign governments. DOD has conducted vulnerability assessments on some DOD-owned infrastructure. While these assessments can provide useful information about specific assets, until DOD identifies and prioritizes all of the critical infrastructure it owns, assessment results have limited value for deciding where to target funding investments. For the most part, DOD cannot assess assets it does not own, and DOD has not coordinated with DHS to include them among DHS's assessments of the nation's critical infrastructure. DOD has delayed coordinating the assessment of non-DOD-owned infrastructure located abroad while it focuses on identifying the critical infrastructure that it does own. Regarding current and future DCIP funding levels, they do not include the cost to remediate vulnerabilities that are identified through the assessments. When DOD identifies, prioritizes, and assesses its critical infrastructure, and includes remediation in its funding requirements, its ability to perform risk-based decision making and target funding to priority needs will be improved.
RecommendationsOur recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director: Team: Phone:GAO-07-461, Defense Infrastructure: Actions Needed to Guide DOD's Efforts to Identify, Prioritize, and Assess Its Critical Infrastructure
This is the accessible text file for GAO report number GAO-07-461
entitled 'Defense Infrastructure: Actions Needed to Guide DOD's Efforts
to Identify, Prioritize, and Assess Its Critical Infrastructure' which
was released on May 24, 2007.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
May 2007:
Defense Infrastructure:
Actions Needed to Guide DOD's Efforts to Identify, Prioritize, and
Assess Its Critical Infrastructure:
GAO-07-461:
GAO Highlights:
Highlights of GAO-07-461, a report to congressional requesters
Why GAO Did This Study:
The Department of Defense (DOD) relies on a network of DOD and non-DOD
infrastructure assets in the United States and abroad so critical that
its unavailability could hinder DOD‘s ability to project, support, and
sustain its forces and operations worldwide. DOD established the
Defense Critical Infrastructure Program (DCIP) to identify and assure
the availability of mission-critical infrastructure. GAO was asked to
evaluate the extent to which DOD has (1) developed a comprehensive
management plan to implement DCIP and (2) identified, prioritized, and
assessed its critical infrastructure. GAO analyzed relevant DCIP
documents and guidance and met with officials from more than 30 DOD
organizations that have DCIP responsibilities, and with Department of
Homeland Security (DHS) officials involved in protecting critical
infrastructure.
What GAO Found:
While DOD has taken important steps to implement DCIP, it has not
developed a comprehensive management plan to guide its efforts. GAO‘s
prior work has shown the importance of developing a plan that
incorporates sound management practices, such as issuing guidance,
coordinating stakeholders‘ efforts, and identifying resource
requirements and sources. Most of DOD‘s DCIP guidance and policies are
either newly issued or in draft form, leading some DOD components to
rely on other, better-defined programs, such as the antiterrorism
program, to implement DCIP. Although DOD issued a DCIP directive in
August 2005, the lead office responsible for DCIP lacks a chartering
directive that defines important roles, responsibilities, and
relationships with other DOD organizations and missions. DOD has
created several information sharing and coordination mechanisms;
however, additional measures could be taken. Also, DOD‘s reliance on
supplemental appropriations to fund DCIP makes it difficult to
effectively plan future resource needs. Until DOD completes a
comprehensive DCIP management plan, its ability to implement DCIP will
be challenged.
DOD estimates that it has identified about 25 percent of the critical
infrastructure it owns, and expects to identify the remaining 75
percent by the end of fiscal year 2009. In contrast, DOD has identified
significantly less of the critical infrastructure that it does not own,
and does not have a target date for its completion. Among the non-DOD-
owned critical infrastructure that has been identified are some 200
assets belonging to private sector companies that comprise the defense
industrial base”the focus of another report we plan to issue later this
year. DOD estimates that about 85 percent of its mission-critical
infrastructure assets are owned by non-DOD entities, such as the
private sector; state, local, and tribal governments; and foreign
governments. DOD has conducted vulnerability assessments on some DOD-
owned infrastructure. While these assessments can provide useful
information about specific assets, until DOD identifies and prioritizes
all of the critical infrastructure it owns, assessment results have
limited value for deciding where to target funding investments. For the
most part, DOD cannot assess assets it does not own, and DOD has not
coordinated with DHS to include them among DHS‘s assessments of the
nation‘s critical infrastructure. DOD has delayed coordinating the
assessment of non-DOD-owned infrastructure located abroad while it
focuses on identifying the critical infrastructure that it does own.
Regarding current and future DCIP funding levels, they do not include
the cost to remediate vulnerabilities that are identified through the
assessments. When DOD identifies, prioritizes, and assesses its
critical infrastructure, and includes remediation in its funding
requirements, its ability to perform risk-based decision making and
target funding to priority needs will be improved.
What GAO Recommends:
GAO recommends DOD take several actions to improve the efficiency and
effectiveness of DCIP operations. Actions include developing a
comprehensive management plan; issuing a chartering directive defining
the relationship between the directorates responsible for DCIP and
antiterrorism missions; and identifying non-DOD-owned critical
infrastructure for DHS to consider in its assessments. DOD concurred
with all of GAO‘s recommendations.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-461].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Davi M. D'Agostino at
(202) 512-5431 or dagostinod@gao.gov.
[End of section]
Contents:
Letter:
Results in Brief:
Background:
DOD Has Taken Important Steps to Implement DCIP but Needs a
Comprehensive Management Plan to Guide Its Efforts:
DOD Estimates That It Has Identified about 25 Percent of the Critical
Infrastructure It Owns, and Most of the Non-DOD-Owned Critical
Infrastructure Remains Unidentified:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendix I: Scope and Methodology:
Appendix II: Comments from the Department of Defense:
Appendix III: GAO Contact and Staff Acknowledgments:
Tables:
Table 1: Status of DCIP Guidance and Policies as of May 2007:
Table 2: Defense and Federal-Level Critical Infrastructure Sector
Counterparts:
Table 3: DOD-Owned Infrastructure Provisionally Identified as Critical:
Figures:
Figure 1: Notional Depiction of Infrastructure Available to DOD:
Figure 2: Representative Types of Critical Infrastructure:
Figure 3: Key DOD DCIP Organizations:
Figure 4: Total DCIP Funding by Military Service and COCOM, Fiscal
Years 2004 to 2007:
Figure 5: Total DCIP Funding by Defense Sector, Fiscal Years 2004 to
2007:
Figure 6: DCIP Funding for Fiscal Years 2004 to 2013:
Figure 7: Allocation of Critical Infrastructure DOD Owns and Does Not
Own:
Abbreviations:
ASD(HD&ASA): Assistant Secretary of Defense for Homeland Defense and
Americas' Security Affairs:
COCOM: Combatant Command:
DCIP: Defense Critical Infrastructure Program:
DHS: Department of Homeland Security:
DOD: Department of Defense:
DTRA: Defense Threat Reduction Agency:
PCII: Protected Critical Infrastructure Information:
United States Government Accountability Office:
Washington, DC 20548:
May 24, 2007:
The Honorable Solomon P. Ortiz:
Chairman:
The Honorable Jo Ann Davis:
Ranking Member:
Subcommittee on Readiness:
Committee on Armed Services:
House of Representatives:
The Honorable W. Todd Akin:
House of Representatives:
The Department of Defense (DOD) relies on a network of physical and
cyber infrastructure so critical that its incapacitation, exploitation,
or destruction could have a debilitating effect on DOD's ability to
project, support, and sustain its forces and operations worldwide. This
defense critical infrastructure consists of DOD and non-DOD assets
located within and outside the United States (see fig. 1). According to
DOD, about 85 percent of the infrastructure it relies on is owned by
non-DOD entities.[Footnote 1] Because of its importance to DOD
operations, defense infrastructure represents an attractive target to
adversaries; but it is also vulnerable to natural disasters and
accidents. DOD has recognized and emphasized the importance of ensuring
the availability of critical infrastructure in the most recent versions
of the National Military Strategy[Footnote 2] and the Quadrennial
Defense Review Report.[Footnote 3]
Figure 1: Notional Depiction of Infrastructure Available to DOD:
[See PDF for image]
Source: GAO analysis of DOD information.
[End of figure]
Homeland Security Presidential Directive 7,[Footnote 4] issued in
December 2003, designates the Secretary of the Department of Homeland
Security (DHS) as the principal federal official responsible for
leading, integrating, and coordinating the overall national effort to
protect the nation's critical infrastructure and key resources. The
Homeland Security Act of 2002[Footnote 5] and the Presidential
Directive also direct DHS to produce a national plan for critical
infrastructure and key resources protection, and on June 30, 2006, DHS
issued the National Infrastructure Protection Plan. This plan provides
an overarching approach for protecting critical infrastructure and key
resources against terrorist attacks, major disasters, and other
emergencies. The cornerstone of the National Infrastructure Protection
Plan is its risk-management framework to establish priorities based on
risk, and determine protection and business continuity initiatives that
provide the greatest mitigation of risk. The National Infrastructure
Protection Plan identifies 17 infrastructure and key resources sectors,
and designates one or more lead federal agencies--referred to as a
sector-specific agency--for each sector. For example, the Departments
of Defense and Energy are the sector-specific agencies for the Defense
Industrial Base and the Energy sectors, respectively. DHS is the sector-
specific agency for 10 of the 17 sectors. Sector-specific agencies are
responsible for, among other things, coordinating with all relevant
federal, state, and local governments and the private sector;
encouraging risk management strategies; and conducting or facilitating
vulnerability assessments of their sector.
Homeland Security Presidential Directive 7 also requires all federal
departments and agencies to identify, prioritize, and coordinate the
protection of critical infrastructure and key resources from terrorist
attacks. The Office of the Assistant Secretary of Defense for Homeland
Defense and Americas' Security Affairs (ASD[HD&ASA]), within the Office
of the Under Secretary of Defense for Policy, serves as the principal
civilian advisor to the Secretary of Defense on the identification,
prioritization, and protection of DOD's critical
infrastructure.[Footnote 6] DOD established the Defense Critical
Infrastructure Program (DCIP) to identify and assure the availability
of mission-critical infrastructure. DCIP encompasses the full spectrum
of threats--ranging from terrorist attacks to natural disasters and
catastrophic accidents--that can adversely affect critical
infrastructure. Earlier programs analogous to DCIP can be traced back
to 1998. ASD(HD&ASA) has been responsible for developing and ensuring
implementation of critical infrastructure protection policy and program
guidance activities since September 2003. Within DOD, several
organizations play a role in DCIP, including the combatant commands
(COCOM) and the military services. DOD also identified 10 virtual,
functionally-based defense sectors to consider critical infrastructure
that cross traditional organizational boundaries. The 10 defense
sectors are financial services; global information grid; intelligence,
surveillance, and reconnaissance; space; health affairs; logistics;
personnel; public works; transportation; and the defense industrial
base. Over the last 4 fiscal years (2004 to 2007), DOD has spent about
$160 million on DCIP.
In our recent report on DOD's collective protection for military
forces,[Footnote 7] we discussed DOD's collective protection management
problems, including fragmented policies and operating concepts among
the varied programs and organizations involved. DOD has been unable to
reach consensus on what criteria to use to identify its most critical
facilities. As we reported, these management problems make it difficult
for DOD to balance competing needs and prudently allocate funding
resources for collective protection improvements. We recommended, among
other things, that DOD provide clearer, more consistent policies to
guide the funding of collective protection and other installation
preparedness activities.
As you requested, we have begun a body of work reviewing actions DOD
has taken to identify, protect, and otherwise assure the availability
of infrastructure necessary to sustain its operations. This initial
report focuses on key organizational, structural, and programmatic
aspects of DCIP. Specifically, this report evaluates the extent to
which DOD has (1) developed a comprehensive management plan to
implement DCIP and (2) identified, prioritized, and assessed its
critical infrastructure. We plan to issue additional products of
interest to you, including a report later this year that examines the
defense industrial base. Accordingly, this report does not address the
Defense Industrial Base defense sector, unless indicated otherwise.
To evaluate the extent to which DOD has developed a comprehensive
management plan to implement DCIP, we reviewed and analyzed relevant
DCIP guidance, met with key officials responsible for DCIP from the
military services, the COCOMs (hereafter referred to in this report as
"DOD components"), and the defense sector lead agents; several offices
within the Office of the Secretary of Defense; and the Joint Staff's
Directorate for Antiterrorism and Homeland Defense. In addition, we
reviewed and analyzed pertinent funding data from the past 4 fiscal
years, met with the Office of the Under Secretary of Defense
(Comptroller)/Chief Financial Officer to discuss the budgeting process,
and interviewed officials responsible for determining funding
requirements for the program. To evaluate the extent to which DOD has
identified, prioritized, and assessed its critical infrastructure, we
reviewed and analyzed relevant DCIP guidance including the DCIP
Assessment Standards and Benchmark[Footnote 8]s and DCIP Criticality
Process Guidance Document.[Footnote 9] We interviewed DOD officials
responsible for critical infrastructure and reviewed DOD's critical
infrastructure vulnerability assessment process. We also met with
Defense Threat Reduction Agency (DTRA) officials involved in
implementing infrastructure vulnerability assessments.
We conducted our work between June 2006 and May 2007 in accordance with
generally accepted government auditing standards. A more thorough
description of our scope and methodology is provided in appendix I.
Results in Brief:
While DOD has taken some important steps to implement DCIP, it has not
developed a comprehensive management plan to guide its efforts. Our
prior work,[Footnote 10] as well as the Standards for Internal Control
in the Federal Government,[Footnote 11] emphasizes the importance of
such a plan and management controls, respectively, to guide program
implementation. Accordingly, this plan should include key elements,
such as developing and issuing guidance, coordinating stakeholders'
efforts, and identifying resource requirements and sources. DOD's most
recent effort to protect critical infrastructure began in September
2003 and, as of May 2007, most of DOD's DCIP guidance was either newly
issued or still in draft form. In the absence of finalized guidance,
DOD components have been pursuing varying approaches to DCIP. For
example, some components have relied on established programs, such as
the antiterrorism program, to implement DCIP, even though antiterrorism
has not been formally linked to DCIP. Although DOD issued a DCIP
directive in August 2005, the lead office--ASD(HD&ASA)--lacks a
chartering directive that defines important roles, responsibilities,
and relationships with other DOD organizations and missions. In March
2003, the Deputy Secretary of Defense required the Director of
Administration and Management within the Office of the Secretary of
Defense to, among other things, define the relationship between the
Directorates for HD&ASA and Special Operations and Low-Intensity
Conflict and Interdependent Capabilities regarding several matters,
including antiterrorism missions, in a chartering directive. However,
as of May 2007, more than 4 years later, this task has not been
accomplished. Similarly, because DOD's strategy on tracking and
monitoring critical infrastructure was not issued until 2006,
components have been collecting different information on their
infrastructure, which, over the long term, could complicate information
sharing and analysis across the DOD components and sector lead agents.
To facilitate communication among stakeholders, DOD has established
several information sharing and coordination mechanisms to promote a
common approach to common issues, such as sponsoring the Homeland
Infrastructure Foundation Level Database Working Group. The Working
Group is a coalition of federal, state, and local government
organizations, and private companies that are involved in collecting
and mapping geographic information related to homeland defense.
Existing DCIP guidance emphasizes information sharing and collaboration
with relevant government and private-sector entities. However, we found
that three of the five defense sector lead agents that have a federal-
level counterpart do not routinely share information with their
corresponding federal-level critical infrastructure sector counterparts
due to the immaturity of the program.[Footnote 12] DCIP has received
about $160 million in funding from fiscal years 2004 to 2007.[Footnote
13] However, the DOD components and sector lead agents have received
only $68.5 million during the same 4-year period, of which $14.3
million (about 21 percent of the component and sector lead agents'
combined funding) has come from supplemental appropriations. Our prior
work has shown that relying on supplemental appropriations is not an
effective means for decision makers to plan for future years resource
needs, weigh priorities, and assess budget trade-offs. Until DOD
completes a comprehensive management plan to implement DCIP, which
includes issuing remaining guidance and fully identifying funding
requirements, its ability to implement DCIP will be challenged. We are
making recommendations that DOD develop and implement a comprehensive
management plan to guide DCIP implementation. This plan would establish
timelines for finalizing and issuing DCIP guidance; assist the defense
sector lead agents in identifying and including DCIP funding through
the regular budgeting process; and determine funding levels and sources
to avoid reliance on supplemental appropriations. We also are
recommending that DOD issue a chartering directive that would, among
other things, clarify the relationship between the department's DCIP
and antiterrorism missions.
DOD estimates that it has identified about 25 percent of the critical
infrastructure it owns, and DOD officials expect to finish identifying
the remaining infrastructure assets that it controls (estimated to be
about 15 percent of the total) by the fiscal year 2008-2009 time frame.
The remainder of its mission-critical infrastructure (estimated to be
about 85 percent of the total) is owned by non-DOD entities and
considerably less of this infrastructure has been identified. DOD has
not set a target date for identifying all of its non-DOD-owned critical
infrastructure. DOD has determined that a small portion of the non-DOD-
owned infrastructure--about 200 assets--that belongs to the defense
industrial base defense sector is mission critical. Existing guidance
requires various DOD components and sector lead agents to carry out the
coordinated identification and assessment of critical infrastructure.
Moreover, DOD components are pursuing varying approaches in identifying
infrastructure critical to successfully carrying out its mission, which
could make it difficult for DOD to make informed prioritization
decisions and assess the effect of potential vulnerabilities across
components and sector lead agents. Officials from several DOD
components stated that a principal reason why the majority of critical
infrastructure remains to be identified is because of the lack of
timely guidance on identifying, prioritizing, and assessing critical
infrastructure. DOD has recently begun to finalize this guidance. As
DOD continues to identify its critical infrastructure, it also has been
conducting a limited number of vulnerability assessments on DOD-owned
assets. While these assessments can provide useful information about
specific assets, until DOD identifies and prioritizes all of the
critical infrastructure it owns, results have questionable value for
deciding where to target funding investments. In 2005, DOD incorporated
an infrastructure assessment module into its existing antiterrorism
vulnerability assessments, but has not made this approach a DOD-wide
practice. DOD plans to implement a self-assessment program that would
enable infrastructure owners to conduct additional vulnerability
assessments, but guidance has not yet been issued. With the exception
of critical infrastructure in the defense industrial base and
transportation infrastructure supporting seaports and airports, DOD is
not in a position to assess assets that it does not own; however, DOD
does not have a mechanism to flag domestic mission-critical
infrastructure for DHS to consider including among its assessments of
the nation's critical infrastructure. DOD has delayed coordinating the
assessment of non-DOD critical infrastructure located abroad while it
focuses on identifying the infrastructure that it owns. Regarding
current and future DCIP funding levels, including supplemental
appropriations, the funding levels do not include the resources needed
to remediate vulnerabilities that are identified through the
assessments. As stated previously, our prior work has shown the
importance of identifying all program costs to enable decision makers
to weigh competing priorities. When DOD components and sector lead
agents consistently identify, prioritize, and assess their critical
infrastructure, as well as include the remediation of vulnerabilities
in their funding requirements, DOD's ability to perform risk-based
decision making and target funding to priority needs will be improved.
We are recommending that DOD complete the identification and
prioritization of critical infrastructure before increasing the number
of infrastructure vulnerability assessments beyond current levels;
adopt the practice of combining the infrastructure vulnerability
assessment module with an existing assessment as the DOD-wide practice;
expedite the issuance of guidance and criteria for performing
infrastructure vulnerability self-assessments; flag domestic non-DOD-
owned mission-critical infrastructure for DHS to consider including
among its assessments of the nation's critical infrastructure; and
identify funding for DCIP remediation.
GAO provided a draft of this report to DOD and DHS in April 2007 for
their review and comment. In written comments on a draft of this
report, DOD concurred with all of our recommendations. DHS had no
comments. DOD also provided us with technical comments, which we
incorporated in the report, as appropriate. DOD's response is reprinted
in appendix II.
Background:
DOD recognizes that it is neither practical nor feasible to protect its
entire infrastructure against every possible threat and, similar to
DHS, it is pursuing a risk-management approach to prioritize resource
and operational requirements. Risk management is a systematic,
analytical process to determine the likelihood that a threat will harm
assets, and then to identify actions to reduce risk and mitigate the
consequences of the threat. While risk generally cannot be eliminated,
enhancing protection from threats or taking actions--such as
establishing backup systems or hardening infrastructure--to reduce the
effect of an incident can serve to significantly reduce risk.
DOD's risk-management approach is based on assessing threats,
vulnerabilities, criticalities, and the ability to respond to
incidents. Threat assessments identify and evaluate potential threats
on the basis of capabilities, intentions, and past activities before
they materialize. Vulnerability assessments identify weaknesses that
may be exploited by identified threats and suggest options that address
those weaknesses. For example, a vulnerability assessment might reveal
weaknesses in unprotected infrastructure, such as satellites, bridges,
and personnel records. Criticality assessments evaluate and prioritize
assets on the basis of their importance to mission success. For
example, certain power plants, computer networks, or population centers
might be identified as important to the operation of a mission-critical
seaport. These assessments help prioritize limited resources while
reducing the potential for expending resources on lower-priority
assets. DOD's risk-management approach also includes an assessment of
the ability to respond to, and recover from, an incident.
The amount of non-DOD infrastructure that DOD relies on to carry out
missions has not been identified; however, it is immense. To date, DHS
has identified about 80,000 items of non-DOD infrastructure, some of
which is also critical to DOD. Additionally, according to the Office of
the Deputy Under Secretary of Defense for Installations and
Environment, DOD owns more than 3,700 sites with more than half a
million real property assets worldwide that could also qualify as
critical infrastructure. The methodology DOD uses to identify critical
infrastructure involves linking DOD missions to supporting critical
infrastructure. Figure 2 shows three representative types of DOD-owned
and non-DOD-owned critical infrastructure.
Figure 2: Representative Types of Critical Infrastructure:
[See PDF for image]
Source: Department of Energy.
[End of figure]
In 1998, the Office of the Assistant Secretary of Defense for Command,
Control, Communications, and Intelligence was responsible for DOD's
critical infrastructure protection efforts; however, in September 2003,
the Deputy Secretary of Defense moved this program to the newly
established Office of the Assistant Secretary of Defense for Homeland
Defense. DOD's critical infrastructure efforts were formalized in
August 2005 with the issuance of DOD Directive 3020.40, which
established DCIP. On December 13, 2006, this office was renamed the
Office of the Assistant Secretary of Defense for Homeland Defense and
Americas' Security Affairs.
Shortly after the office became responsible for DOD's critical
infrastructure protection efforts in October 2003, ASD(HD&ASA)
established the Defense Program Office for Mission Assurance in
Dahlgren, Virginia, to manage the day-to-day activities of DCIP. The
Program Office--now a Mission Assurance Division--was responsible for
coordinating DCIP efforts across DOD components and sector lead agents,
developing training and exercise programs, overseeing the development
of analytical tools and standards to permit DOD-wide analyses, and
developing a comprehensive system to track and evaluate critical
infrastructure.
DOD organizations that have significant DCIP roles and responsibilities
are shown in figure 3.
Figure 3: Key DOD DCIP Organizations:
[See PDF for image]
Source: GAO analysis of DOD data.
[End of figure]
The COCOMs, in collaboration with the Joint Staff, identify and
prioritize DOD missions that are the basis for determining
infrastructure criticality. The military services, as the principal
owners of DOD infrastructure, identify and link infrastructure to
specific COCOM mission requirements. Defense sector lead agents address
the interdependencies among infrastructure that cross organizational
boundaries, and evaluate the cascading effects of degraded or lost
infrastructure on other infrastructure assets. Further, DOD officials
told us that DTRA performs infrastructure vulnerability assessments for
the Joint Staff in support of DCIP to determine single points of
failure from all hazards.
DOD Has Taken Important Steps to Implement DCIP but Needs a
Comprehensive Management Plan to Guide Its Efforts:
DOD has taken some important steps to implement DCIP; however, it has
not developed a comprehensive management plan to guide its efforts.
Although an ASD(HD&ASA) official told us they are preparing an outline
for a plan to implement DCIP, it is unclear the extent to which such a
plan will address key elements associated with sound management
practices, including issuing guidance, coordinating program
stakeholders' efforts, and identifying resource requirements. DOD has
been slow finalizing DCIP guidance and policies. As of May 2007, most
of DOD's DCIP guidance and policies were either newly issued or still
in draft, which has resulted in DOD's components pursuing varying
approaches to implement DCIP. DOD has taken steps to improve
information sharing and coordination within and outside of DOD.
Finally, through DOD's budget process, DCIP has received over $160
million from fiscal years 2004 to 2007. Of this amount, the components
and sector lead agents have received $68.6 million, of which about 21
percent is from supplemental appropriations. Our prior work has shown
that supplemental funding is not an effective means for decision makers
to effectively and efficiently plan for future years resource needs,
weigh priorities, and assess budget trade-offs.[Footnote 14] Until DOD
completes a comprehensive management plan to implement DCIP, which
includes issuing remaining DCIP guidance and fully identifying funding
requirements, its ability to implement DCIP will be challenged.
Most DCIP Guidance and Policies Are Newly Issued or Still in Draft:
While our prior work has shown that issuing timely guidance is a key
element of sound management, as of May 2007, the majority of DCIP
guidance and policies were either newly issued or still in draft form,
more than 3½ years after the Deputy Secretary of Defense assigned DCIP
to ASD(HD&ASA) in September 2003 (see table 1).
Table 1: Status of DCIP Guidance and Policies as of May 2007:
Guidance document: Critical Infrastructure Protection Security
Classification Guide;
Description: Establishes uniform criteria for classifying DCIP-related
information to prevent its unauthorized disclosure;
Status: Final, dated January 2003.
Guidance document: DOD Directive 3020.40, Defense Critical
Infrastructure Program (DCIP);
Description: Assigns responsibility for DCIP and incorporates guidance
from Homeland Security Presidential Directive 7;
Status: Final, dated August 19, 2005.
Guidance document: DCIP Assessment Standards and Benchmarks;
Description: Helps DOD components and sector lead agents determine
vulnerabilities of their critical infrastructure and supporting
foundational infrastructure;
Status: Final, dated June 9, 2006.
Guidance document: DCIP Geospatial Data Strategy;
Description: Provides a common and comprehensive foundation for
representing critical infrastructure geospatially;
Status: Final, dated September 13, 2006.
Guidance document: DCIP Criticality Process Guidance Document;
Description: Provides a framework for identifying and prioritizing
defense critical infrastructure;
Status: Final, dated December 21, 2006.
Guidance document: DCIP Data Collection Essential Elements of
Information Data Sets;
Description: Identifies required data elements DOD components and
sector lead agents are to obtain on their critical infrastructure;
Status: Draft, dated May 18, 2006.
Guidance document: DCIP Interim Implementation Guidance;
Description: Assigns responsibilities and prescribes DCIP procedures,
and provides guidance to DOD components and sector lead agents on
establishing their own critical infrastructure programs;
Status: Final, dated July 13, 2006.
Source: GAO analysis of DOD data.
[End of table]
In the absence of finalized guidance and policies, DOD components have
been pursuing varying approaches to implement their critical
infrastructure programs, a condition that has not changed markedly with
the issuance of several guidance documents in the past year. According
to officials responsible for the critical infrastructure programs from
several of the DOD components, they were either unaware that the
guidance had been finalized or had decided to continue the approach
they had previously adopted.
Although DOD issued a DCIP directive in August 2005, ASD(HD&ASA) lacks
a chartering directive that, among other things, clearly defines
important roles, responsibilities, and relationships with other DOD
organizations and missions--including the relationship between
ASD(HD&ASA) and the Assistant Secretary of Defense for Special
Operations and Low-Intensity Conflict and Interdependent Capabilities.
At present, responsibility for antiterrorism guidance resides with the
Assistant Secretary of Defense for Special Operations and Low-Intensity
Conflict and Interdependent Capabilities. A memorandum entitled
Implementation Guidance Regarding the Office of the Assistant Secretary
of Defense for Homeland Defense issued by the Deputy Secretary of
Defense in March 2003 required the Director of Administration and
Management within the Office of the Secretary of Defense to develop and
coordinate within 45 days a chartering DOD Directive that would define,
among other things, the relationship between ASD(HD&ASA) and the
Assistant Secretary of Defense for Special Operations and Low-Intensity
Conflict and Interdependent Capabilities. However, more than 4 years
later, this chartering DOD directive still has not been accomplished.
Currently, DCIP implementation is diffused among program stakeholders,
such as the COCOMs and the military services. As a consequence, some
components, such as the U.S. Northern Command and U.S. Special
Operations Command, leveraged DOD's antiterrorism guidance to develop
critical infrastructure programs, while other components, such as the
U.S. Strategic Command and U.S. European Command, have kept the two
programs separate. Until DOD addresses the need for a chartering
directive to properly identify the relationship between DCIP and the
antiterrorism program, and sets timelines for finalizing its remaining
guidance, it cannot be assured that components and sector lead agents
identify, prioritize, and assess their critical infrastructure in a
consistent manner. This lack of consistency could impair DOD's ability
to perform risk-based decision making across component lines over the
long term.
Although DOD Has Taken Steps to Facilitate Information Sharing and
Coordination, Additional Measures Could Be Taken:
Existing DCIP guidance emphasizes information sharing and collaboration
with relevant government and private-sector entities. While DOD has
taken steps to facilitate information sharing and coordination within
the department, as well as with other federal agencies and private
sector companies, we believe additional measures could be taken, such
as greater cooperation with federal-level counterparts on the
identification, prioritization, and assessment of critical
infrastructure. Since 2003, ASD(HD&ASA) has established and sponsored
several information sharing and coordination forums, such as the
Defense Infrastructure Sector Council and Critical Infrastructure
Program Integration Staff. The Defense Infrastructure Sector Council
provides a recurring forum for DCIP sector lead agents to share
information, identify common areas of interest, and leverage the
individual activities of each sector to eliminate duplication. The
Critical Infrastructure Program Integration Staff is comprised of
representatives from more than 30 DOD organizations. Additionally,
ASD(HD&ASA) maintains an Internet site that is used to post relevant
information, such as policies, available training, and announcement of
meetings and conferences. ASD(HD&ASA) also is a member of several
critical infrastructure forums whose membership extends beyond DOD,
such as the Homeland Infrastructure Foundation Level Database Working
Group, and several Critical Infrastructure Partnership Advisory Council
Committees, including those pertaining to communications, electricity,
and dams. In another effort to coordinate DOD components' and sector
lead agents' critical infrastructure protection practices, DOD
released, in September 2006, its DCIP Geospatial Data Strategy, which
lays out a standardized approach to depict geographically critical
infrastructure data.
Both DHS and DOD officials acknowledged the potential benefits of
increasing collaborative efforts, particularly with respect to critical
infrastructure identification, tracking, and assessing. To promote
clear and streamlined communication, ASD(HD&ASA) has directed DOD
components and sector lead agents to channel their interactions with
DHS through them. However, with the exception of the Health Affairs and
Financial Services defense sectors, there has been little to no
coordination between the defense sectors and their corresponding
federal-level critical infrastructure sector counterparts due to the
immaturity of the program. Table 2 shows the defense-level sectors that
are comparable to those at the federal level.
Table 2: Defense and Federal-Level Critical Infrastructure Sector
Counterparts:
Defense sector: Financial Services;
Federal-level sector: Banking and Finance.
Defense sector: Global Information Grid;
Federal-level sector: Information Technology; Telecommunications.
Defense sector: Health Affairs;
Federal-level sector: Public Health and Healthcare; Agriculture and
Food.
Defense sector: Public Works;
Federal-level sector: Dams; Drinking Water and Water Treatment.
Defense sector: Transportation;
Federal-level sector: Transportation Systems.
Defense sector: Defense Industrial Base;
Federal-level sector: Defense Industrial Base.
Defense sector: Intelligence, Surveillance, and Reconnaissance;
Logistics; Personnel; Space;
Federal-level sector: No identified federal-level sector counterparts.
Defense sector: No identified defense-sector counterparts;
Federal- level sector: Chemical; Commercial Facilities; Commercial
Nuclear Reactors, Materials, and Waste; Emergency Services; Energy;
Government Facilities; National Monuments and Icons; Postal and
Shipping.
Source: DOD and DHS data.
[End of table]
DOD components are collecting different data to track and monitor their
critical infrastructure to meet the needs of DCIP as well as their own,
which could impede information sharing and analysis over time, and
hinder DOD's ability to identify and prioritize critical infrastructure
across DOD components and sector lead agents. ASD(HD&ASA) guidance on
how DOD components and sector lead agents should track and monitor
their critical infrastructure is in various stages of development and
review. For example, in May 2006, ASD(HD&ASA) issued a draft version of
the DCIP Data Collection Essential Elements of Information Data Sets
requiring DOD components and sector lead agents to collect a common set
of data on their critical infrastructure. However, officials from
several of the COCOMs and defense sectors told us that they have not
incorporated the DCIP Data Collection Essential Elements of Information
Data Sets into their data collection efforts because the guidance has
not been finalized. These officials further stated that they are
following departmental guidance[Footnote 15] not specific to DCIP that
pertains to database interoperability and data sharing. During fiscal
year 2006, ASD(HD&ASA) tasked the Mission Assurance Division to develop
the capability to geospatially display DOD components' and sector lead
agents' critical infrastructure and interdependencies. The Mission
Assurance Division has received and modeled critical infrastructure
data from several defense sector lead agents, but according to division
officials, the combination of funding constraints and the components
and sector lead agents independently acquiring technical support for
their individual critical infrastructure programs, has limited its
utility.
In an effort to maximize the potential information DOD could receive
about critical infrastructure it does not own, DOD officials told us
that they plan to obtain Protected Critical Infrastructure Information
(PCII) accreditation from DHS. The PCII program was established by DHS
pursuant to the Critical Infrastructure Information Act of
2002.[Footnote 16] The act provides that critical infrastructure
information[Footnote 17] that is voluntarily submitted to DHS[Footnote
18] for use by DHS regarding the security of critical infrastructure
and protected systems, analysis, warning, interdependency study,
recovery, reconstitution, or other informational purpose, when
accompanied with an express statement, shall receive various
protections, including exemption from disclosure under the Freedom of
Information Act.[Footnote 19] If such information is validated by DHS
as PCII, then the information can only be shared with authorized
users.[Footnote 20] Before accessing and storing PCII, organizations or
entities must be accredited and have a PCII officer.[Footnote 21]
Authorized users can request access to PCII on a need-to-know basis,
but users outside of DHS do not have the authority to store PCII until
their agency is accredited. However, the lack of accreditation does not
otherwise prevent entities from sharing information directly with DOD.
For example, in the aftermath of September 11, 2001, the Association of
American Railroads began prioritizing railroad assets and
vulnerabilities--information that it shares with DOD--on the more than
30,000 miles of commercial rail line used to transport defense critical
assets.
DOD officials told us that DOD has not yet fully evaluated the costs
and benefits of accreditation for its purposes. We noted in our April
2006 report that nonfederal entities continued to be reluctant to
provide their sensitive information to DHS because they were not
certain that their information will be fully protected, used for future
legal or regulatory action, or inadvertently released. Since our April
report,[Footnote 22] DHS published on September 1, 2006, its final rule
implementing the act, but we have not examined whether nonfederal
entities are more willing to provide sensitive information to DHS under
the act at this time, or DOD's cost to apply for, receive, and maintain
accreditation. It is unclear to us, at this time, the extent to which
obtaining accreditation would be beneficial to DOD when weighed against
potential costs.
DOD Components and Sector Lead Agents Have Relied on Supplemental
Appropriations to Fund Their Critical Infrastructure Programs:
DCIP has received about $160 million from fiscal years 2004 to 2007,
through DOD's budget process. Of this amount, ASD(HD&ASA) received
approximately $86.8 million, while the Joint Staff received
approximately $5.3 million. The DOD components and sector lead agents,
which are responsible for identifying critical infrastructure, received
$68.5 million during the same 4-year period, of which $14.3 million
(about 21 percent of the component and sector lead agents' combined
funding) has come from supplemental appropriations. Figures 4 and 5
show how much DCIP funding was received by the components and sector
lead agents during fiscal years 2004 to 2007.
Figure 4: Total DCIP Funding by Military Service and COCOM, Fiscal
Years 2004 to 2007:
[See PDF for image]
Source: GAO analysis of DOD data.
[A] The Marine Corps and U.S. Pacific Command totals do not include
funding for fiscal year 2004 because these data were unavailable.
[End of figure]
Figure 5: Total DCIP Funding by Defense Sector, Fiscal Years 2004 to
2007:
[See PDF for image]
Source: GAO analysis of DOD data.
Note: The $6.8 million provided to the Defense Contract Management
Agency, the Defense Sector Lead Agent for the Defense Industrial Base,
is not included.
[End of figure]
The extent to which individual components and sector lead agents relied
on supplemental funding for their critical infrastructure programs
varied by fiscal year. In fiscal year 2005, for example, both the U.S.
Special Operations Command and the Health Affairs defense sector did
not receive any programmed funding and relied exclusively on
supplemental appropriations. The Defense Intelligence Agency, the lead
agent for the Intelligence, Surveillance, and Reconnaissance defense
sector, received 78 percent of its fiscal year 2005 critical
infrastructure funding from supplemental appropriations. Likewise, the
U.S. Northern Command received almost three-quarters (72 percent) of
its critical infrastructure funding from supplemental appropriations in
fiscal year 2006. Management control standards contained in the
Standards for Internal Control in the Federal Government and sound
management practices emphasize the importance of effective and
efficient resource use. Relying on supplemental funding to varying
degrees for their DCIP budget prevents the components and sector lead
agents from effectively planning future years' resource needs, weighing
priorities, and assessing budget trade-offs.
DCIP funding has been centralized in ASD(HD&ASA) since fiscal year
2004; however, beginning in fiscal year 2008, the military departments
will be required to fund service critical infrastructure programs as
well as the nine COCOM critical infrastructure programs. According to
DOD Directive 3020.40,[Footnote 23] the military departments and COCOMs
are required to provide resources for programs supporting DCIP. This
responsibility is reiterated and amplified in a memorandum[Footnote 24]
from the Principal Deputy Assistant Secretary of Defense for Homeland
Defense that instructs the military departments and the COCOMs to
include DCIP funding in their fiscal year 2008 to 2013 budget
submissions. ASD(HD&ASA) will continue to fund defense sector critical
infrastructure programs for fiscal years 2008 and 2009, and ASD(HD&ASA)
officials stated that they will work with the defense sector lead
agents to obtain funding through the lead agents' regular budget
process, beginning in fiscal year 2010. Including DCIP in the lead
agents' baseline budgets should reduce reliance on supplemental
appropriations to implement critical infrastructure responsibilities.
Overall DCIP funding received (fiscal years 2004 to 2007), and
requested (fiscal years 2008 to 2013) is shown in figure 6.
Figure 6: DCIP Funding for Fiscal Years 2004 to 2013:
[See PDF for image]
Source: GAO analysis of ASD(HD&ASA) data.
Note: Funding for the Defense Industrial Base defense sector is not
included.
[A] DCIP funding for fiscal year 2004 does not include funding for the
Marine Corps or the U.S. Pacific Command because these data were
unavailable.
[B] DCIP funding includes supplemental funding received in fiscal years
2005 and 2006.
[End of figure]
If DCIP is funded at requested levels in future years, then it will
represent a substantial increase over current actual funding levels.
However, in previous years, DCIP consistently has been funded at less
than the requested amounts. For example, in fiscal year 2005, the
military services collectively requested approximately $8 million in
DCIP funding from ASD(HD&ASA) and received $2.1 million. That year, the
military services also received an additional $2.3 million in
supplemental appropriations, raising their total funding in fiscal year
2005 to $4.4 million, which is approximately 55 percent of what was
requested. Even if DCIP funding is substantially increased, without a
comprehensive management plan in place, it is not clear that the funds
would be allocated to priority needs.
DOD Estimates That It Has Identified about 25 Percent of the Critical
Infrastructure It Owns, and Most of the Non-DOD-Owned Critical
Infrastructure Remains Unidentified:
DOD estimates that it has identified about 25 percent of the critical
infrastructure it owns, and expects to finish identifying the remaining
75 percent by the end of fiscal year 2009. DOD has identified
considerably less of its critical infrastructure owned by non-DOD
entities, and has not set a target date for its completion. A principal
reason why DOD has not identified a greater amount of its critical
infrastructure is the lack of timely DCIP guidance and policies, which
has resulted in DOD's components pursuing varying approaches in
identifying their critical infrastructure. DOD has been performing a
limited number of vulnerability assessments on DOD-owned
infrastructure; however, until DOD identifies and prioritizes all of
the critical infrastructure it owns, results have questionable value
for deciding where to target funding investments. Currently, DOD
includes the vulnerability assessment of DOD-owned infrastructure as a
module to an existing assessment. However, it has not formally adopted
this practice DOD-wide, which would reduce the burden on installation
personnel and asset owners. Moreover, DOD does not have a mechanism to
flag domestic mission-critical infrastructure for DHS to consider
including among its assessments of the nation's critical
infrastructure, and has delayed coordinating the assessments of non-DOD
critical infrastructure located abroad. DOD has not identified funding
to remediate vulnerabilities identified through the assessment process.
DOD Has Identified Some of Its Mission-Critical Infrastructure:
DOD estimates that it has identified about 25 percent of the critical
infrastructure it owns, and ASD(HD&ASA) officials anticipate
identifying all DOD-owned critical infrastructure (estimated to be
about 15 percent of the total) by the fiscal year 2008-2009 time frame.
DOD has identified considerably less critical infrastructure that it
does not own (estimated to be about 85 percent of the total), but that
it relies upon to perform its missions (see fig. 7).
Figure 7: Allocation of Critical Infrastructure DOD Owns and Does Not
Own:
[See PDF for image]
Source: GAO analysis of DOD data.
[End of figure]
Without knowing how much non-DOD-owned infrastructure is mission
critical, ASD(HD&ASA) officials were unable to estimate how much of the
non-DOD infrastructure has already been identified or a completion
date. DOD has determined that a small portion of the non-DOD
infrastructure--about 200 assets--that belongs to the defense
industrial base sector are mission critical.
The Mission Assurance Division developed a database to track and
geospatially display defense critical infrastructure both within the
United States and overseas, and its associated interdependencies.
According to Mission Assurance Division officials, the willingness of
DOD components to share their critical infrastructure information has
varied. For example, division officials told us that the defense
sectors have been more forthcoming than either the military services or
the COCOMs. Consequently, the database provides an incomplete view of
defense critical infrastructure, which significantly reduces DOD's
ability to analyze the importance of infrastructure across the
components and sector lead agents. ASD(HD&ASA) officials are aware that
several of the DOD components and sector lead agents have developed
databases to track their specific infrastructure. For example, the Air
Force, Marine Corps, Health Affairs sector, Space sector and Personnel
sector have each developed their own databases. According to
ASD(HD&ASA) officials, they are focusing on ensuring compatibility
among the databases rather than prescribing a central database. Until
DOD identifies the remaining portion of its critical infrastructure,
including the portion owned by non-DOD entities, it cannot accurately
prioritize and assess the risks associated with that infrastructure.
Table 3 shows the amount of infrastructure assets--rounded to the
nearest hundred--that the DOD components have provisionally identified
as critical as of December 2006. DOD officials cautioned that not all
of this information has been validated and is subject to change. For
example, some infrastructure may be counted more than once due to
components performing multiple missions or being assigned dual roles.
The numbers in table 3 are presented to provide an order of magnitude.
Table 3: DOD-Owned Infrastructure Provisionally Identified as Critical:
DOD component: Military services;
Critical infrastructure assets identified: 3,400.
DOD component: COCOMs[A];
Critical infrastructure assets identified: 900.
DOD component: Defense sector lead agents;
Critical infrastructure assets identified: 1,600.
DOD component: Total;
Critical infrastructure assets identified: 5,900.
Source: GAO's analysis of DOD data.
[A] The U.S. Strategic Command and the U.S. Transportation Command have
dual roles as combatant commands and defense sector lead agents. Their
identified critical infrastructure is included in the COCOM total.
[End of table]
According to the Standards for Internal Control in the Federal
Government, appropriate policies and procedures should exist with
respect to an agency's planning and implementation activities. The
length of time DOD has taken to issue DCIP guidance and policies has
resulted in components pursuing varying approaches in identifying and
prioritizing critical infrastructure, approaches that may not be
complementary. For example, Navy officials told us that, prior to 2004,
they were basing infrastructure criticality on its importance to
Operation Enduring Freedom, whereas Army officials indicated that they
are using wartime planning scenarios based on the 2006 Quadrennial
Defense Review to determine criticality. The COCOMs and the Joint Staff
are basing infrastructure criticality on its importance in
accomplishing individual COCOM mission requirements--an idea proposed
by the Mission Assurance Division. In 2003, the Mission Assurance
Division proposed linking infrastructure criticality with COCOM mission
requirements, and Joint Staff officials stated that a preliminary list
has been formulated and will undergo further review in 2007.
Furthermore, defense sector lead agents, such as Financial Services and
Personnel, are identifying all of their infrastructure regardless of
COCOM mission requirements. These variations in approaches used to
determine criticality exist because DOD's published policy, the DCIP
Criticality Process Guidance Document, which directs the components and
sector lead agents to use one set of criteria--COCOM mission
requirements--was not finalized until December 2006.
Vulnerability Assessments of DOD-Owned Infrastructure Have Limited
Value without Knowing Infrastructure Criticality, and DOD Would Benefit
from Formally Adopting a Departmentwide Practice, and Flagging Non-DOD-
Owned Infrastructure for DHS's Consideration:
DOD has begun conducting a limited number of infrastructure
vulnerability assessments on the infrastructure it owns. Between
calendar years 2004 and 2007, DTRA will have conducted approximately
361 antiterrorism vulnerability assessments, 45 (about 12 percent) of
which will include an assessment of critical infrastructure. Which
installations receive antiterrorism vulnerability assessments with a
module that focuses on critical infrastructure is based on perceived
infrastructure criticality, as determined by the Joint Staff in
coordination with the COCOMs, and to a lesser extent the military
services. However, we believe DOD cannot effectively target
infrastructure vulnerability assessments without first identifying and
prioritizing its mission-critical infrastructure. Depending on the
amount of infrastructure that DOD deems critical, it may not be able to
perform an on-site assessment of every DOD asset. To address this
limitation, ASD(HD&ASA) officials told us that they plan to implement a
self-assessment program that the military services--the infrastructure
owners--can conduct in lieu of or in between the scheduled
vulnerability assessments. DOD is in the process of developing a
vulnerability self-assessment handbook that would provide guidance on
how to conduct these assessments but, as of May 2007, a release date
had not been set.
To reduce the burden of multiple assessments on installation personnel
and asset owners, in 2005, DOD incorporated an all-hazards
infrastructure assessment module into its existing antiterrorism
vulnerability assessments. Including the vulnerability assessment of
DOD infrastructure in an established assessment program, such as the
one that exists for antiterrorism, has not been formally adopted as a
departmentwide practice. Unless this practice is adopted, it is
possible that infrastructure assessments could be conducted
independently, thereby increasing the burden on installation personnel
and asset owners that the modular approach alleviates. Beginning in
calendar year 2006, the Air Force piloted its own critical
infrastructure assessments at those Air Force installations not
receiving DTRA-led vulnerability assessments. The Air Force completed
two of these pilot critical infrastructure assessments in 2006, and has
nine additional assessments planned in 2007. Unlike the DTRA-led
assessments, the Air Force pilot assessments are based on risk rather
than vulnerabilities. We did not examine the quality or the sources of
the threat, asset criticality, and vulnerability data that the Air
Force is using to perform its risk assessments. We did not evaluate the
effectiveness of either the DTRA-led or Air Force assessments as part
of our review.
DOD is not in a position to address domestic, non-DOD, mission-critical
infrastructure, with the exception of defense industrial base assets
and transportation infrastructure supporting seaports and airports,
much less perform vulnerability assessments on them. DHS conducts on-
site vulnerability assessments of domestic non-DOD-owned critical
infrastructure and has developed a model that enables owners of private-
sector critical infrastructure to perform vulnerability self-
assessments. DOD currently does not have a mechanism to flag mission-
critical infrastructure for DHS to consider including among its
assessments of the nation's critical infrastructure. For example, if
DOD knew that DHS was planning to conduct a vulnerability assessment of
critical infrastructure in the Atlanta, Georgia, area, it could flag
for DHS's consideration privately-owned infrastructure that DOD deemed
critical--such as an electrical substation or a railroad junction.
Officials from both agencies expressed an interest in coordinating
vulnerability assessments of non-DOD-owned critical infrastructure. DOD
has delayed coordinating the assessments of non-DOD-owned
infrastructure located abroad because it has decided to focus on
identifying infrastructure that it owns. For example, U.S. European
Command and U.S. Central Command officials stated that they are
concentrating on identifying critical infrastructure located on their
installations. In addition, DTRA officials pointed out that gaining
access to relevant information about foreign-owned infrastructure is
more challenging than for infrastructure owned domestically.
DCIP Funding Requirements Do Not Include Remediation:
Future DCIP funding requests may be understated because current funding
levels, including supplemental appropriations, do not include the
resources that may be needed to remediate vulnerabilities. Our prior
work has shown the importance of identifying all program costs to
enable decision makers to weigh competing priorities. According to
critical infrastructure officials from several DOD components and
sector lead agents, there is insufficient funding to remediate
vulnerabilities identified through the assessment process. Remediation
in the form of added protective measures, backup systems, hardening
infrastructure against perceived threats, and building redundancy could
be costly. As a point of reference, the Joint Staff spent $233.7
million from fiscal years 2004 through 2007 to correct high-priority
antiterrorism vulnerabilities--more than the $160 million spent on all
DCIP activities over this same period.
Additionally, these antiterrorism remediation expenditures were for DOD-
owned assets only and do not reflect costs to remediate vulnerabilities
to infrastructure not owned by DOD. In 2000, the Congress directed the
Secretary of Defense to establish a loan guarantee program[Footnote 25]
that makes a maximum of $10 million loan principal guarantee available
each fiscal year for qualified commercial firms to improve the
protection of their critical infrastructure at their facilities or
refinance improvements previously made. Once DOD identifies the
critical infrastructure it relies on but does not own and its
associated vulnerabilities, this program could potentially be utilized
to help qualified commercial firms obtain funding for remediation.
Conclusions:
DOD depends on critical infrastructure to project, support, and sustain
its forces and operations worldwide, but its lack of a comprehensive
management plan to guide its efforts that addresses guidance,
coordination of program stakeholders' efforts, and resource
requirements, has prevented the department from effectively
implementing an efficient critical infrastructure program. ASD(HD&ASA)
has overseen DCIP since September 2003; however, because key DCIP
guidance has either recently been issued or remains in draft more than
3½ years later, DOD components have been pursuing different approaches
to fulfill their DCIP missions--approaches that are not optimally
coordinated and may conflict with each other or their federal-level
counterparts. Moreover, because the relationship between the
Directorates for HD&ASA and Special Operations and Low-Intensity
Conflict and Interdependent Capabilities regarding the DCIP and
antiterrorism missions remains undefined, some components are relying
on antiterrorism guidance to implement their critical infrastructure
programs while others take different approaches. Furthermore, some DCIP
funding for the components and sector lead agents has come from
supplemental appropriations, which, as we have reported previously, is
not a reliable means for decision makers to effectively and efficiently
assess resource needs. Until DOD develops a comprehensive management
plan for DCIP--that includes timelines for finalizing remaining
guidance and actions to improve information sharing, its ability to
implement DCIP will be challenged.
In addition, until DOD identifies and prioritizes what infrastructure
is critical, the utility of vulnerability assessments is limited in
targeting funding and investments and could lead to an inefficient use
of DOD resources. Combining the infrastructure vulnerability assessment
with an existing assessment, as DOD is currently doing on
infrastructure that it owns, has the added advantage of reducing the
burden of multiple assessments on installation personnel and asset
owners. However, because DOD has not formally adopted this modular
approach as a DOD-wide practice, the possibility exists that
infrastructure vulnerability could be assessed separately. Still, to
date, no DCIP funds have been spent on reducing vulnerabilities to
infrastructure. Remediation of risk identified in the assessment
process could be costly--possibly more than doubling current identified
funding requirements. Finally, by not coordinating with DHS on
vulnerability assessments of non-DOD domestic infrastructure, DOD is
missing an opportunity to increase awareness of matters affecting the
availability of assets that it relies on but does not control. When DOD
components and sector lead agents consistently identify, prioritize,
and assess their critical infrastructure, as well as including the
remediation of vulnerabilities in their funding requirements, DOD's
ability to perform risk-based decision making and target funding to
priority needs will be improved.
Recommendations for Executive Action:
* To guide DCIP implementation, we recommend that the Secretary of
Defense direct ASD(HD&ASA) to develop and implement a comprehensive
management plan that addresses guidance, coordination of stakeholders'
efforts, and resources needed to implement DCIP. Such a plan should
include establishing timelines for finalizing the DCIP Data Collection
Essential Elements of Information Data Sets to enhance the likelihood
that DOD components and sector lead agents will take a consistent
approach in implementing DCIP.
To implement the intent of the Deputy Secretary of Defense's memorandum
Implementation Guidance Regarding the Office of the Assistant Secretary
of Defense for Homeland Defense dated March 25, 2003, we recommend that
the Secretary of Defense direct the Director of Administration and
Management to issue a chartering directive to, among other things,
define the relationship between the Directorates for HD&ASA and Special
Operations and Low-Intensity Conflict and Interdependent Capabilities.
As part of this comprehensive management plan, to increase the
likelihood that the defense sector lead agents are able to make
effective budgetary decisions, we recommend that the Secretary of
Defense direct ASD(HD&ASA) to assist the defense sector lead agents in
identifying, prioritizing, and including DCIP funding requirements
through the regular budgeting process beginning in fiscal year 2010.
In addition, as part of developing a comprehensive management plan for
DCIP, we recommend that the Secretary of Defense direct ASD(HD&ASA), in
coordination with the DOD components and sector lead agents, to
determine funding levels and sources needed to avoid reliance on
supplemental appropriations and identify funding for DCIP remediation.
We further recommend that the Secretary of Defense direct ASD(HD&ASA)
to take the following actions to increase the utility of vulnerability
assessments:
* Complete the identification and prioritization of critical
infrastructure before increasing the number of infrastructure
vulnerability assessments performed.
* Adopt the practice of combining the defense critical infrastructure
vulnerability assessment module with an existing assessment as the DOD-
wide practice.
* Issue guidance and criteria for performing infrastructure
vulnerability self-assessments.
* Identify and prioritize domestic non-DOD-owned critical
infrastructure for DHS to consider including among its assessments of
the nation's critical infrastructure.
Agency Comments and Our Evaluation:
In written comments on a draft of this report, DOD concurred with all
of our recommendations. DOD also provided us with technical comments,
which we incorporated in the report, as appropriate. DOD's comments are
reprinted in appendix II. DHS also was provided with an opportunity to
comment on a draft of this report, but informed us that it had no
comments.
In its written comments, DOD stated that it expects to issue its DCIP
management plan by September 2007 and a chartering directive for
ASD(HD&ASA) by July 2007--guidance that we believe will contribute to a
more efficient and effective critical infrastructure program. Although
DOD did not describe the contents of the management plan, we encourage
the department to address points raised in our report--guidance,
coordination of stakeholders' efforts, and resource requirements. DOD
concurred with our recommendations pertaining to infrastructure
vulnerability assessments. Specifically, it agreed to identify and
prioritize all DOD-owned critical infrastructure before increasing the
number of assessments; to codify the practice of combining the
infrastructure assessment with an existing vulnerability assessment,
thereby reducing the burden of multiple assessments on installation
personnel and asset owners; and to issue self-assessment guidance and
criteria. In its comments, DOD stated that vulnerability assessments
are a valid tool to address risk and support risk management decisions,
and that delaying these assessments until all assets are identified--
projected in fiscal year 2009--is unadvisable. While we agree that
infrastructure vulnerability assessments can reveal exploitable
weaknesses, without evaluating the capabilities, intentions, or
probability of occurrence of human and natural threats, as well as the
importance of a particular asset to accomplishing the mission, reducing
vulnerabilities may result in little, if any, risk reduction. We agree
with the department that it should continue to perform infrastructure
vulnerability assessments, but believe that increasing the number of
assessments performed above current levels will have limited value
without considering threat and asset criticality. With respect to our
recommendation on vulnerability self-assessments, DOD's expectation
that installation personnel and asset owners have the expertise and
resources to apply standards and criteria that mirror what DTRA is
using to perform its DCIP vulnerability assessments may be unrealistic.
We believe that DOD's earlier approach of preparing a self-assessment
handbook tailored to meet a range of installation and asset
requirements and capabilities will likely result in more and higher-
quality self-assessments. DOD also agreed with our recommendation to
identify and prioritize non-DOD-owned domestic infrastructure for DHS
to consider including among its assessments of the nation's critical
infrastructure. We expect that this action will increase DOD's
awareness of vulnerabilities associated with infrastructure that it
relies on but does not control.
As agreed with your offices, we are sending copies of this report to
the Chairman and Ranking Member of the Senate and House Committees on
Appropriations, Senate and House Committees on Armed Services, and
other interested congressional parties. We also are sending copies of
this report to the Secretary of Defense; the Secretary of Homeland
Security; the Director, Office of Management and Budget; and the
Chairman of the Joint Chiefs of Staff. We will also make copies
available to others upon request. In addition, this report will be
available at no charge on the GAO Web site at http://www.gao.gov.
If you or your staff have any questions concerning this report, please
contact me at (202) 512-5431 or by e-mail at dagostinod@gao.gov.
Contact points for our Offices of Congressional Relations and Public
Affairs may be found on the last page of this report. GAO staff who
made major contributions to this report are listed in appendix III.
Signed by:
Davi M. D'Agostino:
Director, Defense Capabilities and Management:
[End of section]
Appendix I: Scope and Methodology:
To conduct our review of the Department of Defense's (DOD) Defense
Critical Infrastructure Program (DCIP), we obtained relevant
documentation and interviewed officials from the following DOD
organizations:[Footnote 26]
Office of the Secretary of Defense:
* Under Secretary of Defense for Personnel and Readiness, Information
Technology Division;
* Under Secretary of Defense for Acquisition, Technology, and
Logistics, Office of the Deputy Under Secretary of Defense for
Industrial Policy;
* Under Secretary of Defense for Intelligence, Counterintelligence &
Security, Physical Security Programs;
- DOD Counterintelligence Field Activity, Critical Infrastructure
Protection Program Management Directorate;
* Under Secretary of Defense (Comptroller)/Chief Financial Officer;
* Deputy Under Secretary of Defense for Installations and Environment,
Business Enterprise Integration Directorate;
* Assistant Secretary of Defense for Homeland Defense and Americas'
Security Affairs (ASD[HD&ASA]), Critical Infrastructure Protection
Office;
* Assistant Secretary of Defense for Special Operations and Low-
Intensity Conflict and Interdependent Capabilities, Antiterrorism
Policy;
* Assistant Secretary of Defense for International Security Policy,
Deputy Assistant Secretary of Defense for Forces Policy, Office of
Space Policy;
* Assistant Secretary of Defense for Health Affairs, Force Health
Protection & Readiness; and:
* Assistant Secretary of Defense for Networks and Information
Integration, Information Management & Technology Directorate;
Joint Staff, Directorate for Operations, Antiterrorism and Homeland
Defense:
Defense Threat Reduction Agency (DTRA), Combat Support Assessments
Division:
Military Services:
* Department of the Army, Asymmetric Warfare Office, Critical
Infrastructure Risk Management Branch;
* Department of the Navy:
- Office of the Chief Information Officer;
- Mission Assurance Division, Naval Surface Warfare Center, Dahlgren
Division, Dahlgren, Virginia;
* Department of the Air Force, Air, Space and Information Operations,
Plans, and Requirements, Homeland Defense Division; and:
* Headquarters, U.S. Marine Corps, Security Division, Critical
Infrastructure Protection Office;
Combatant Commands:
* Headquarters, U.S. Central Command, Defense Critical Infrastructure
Program Office, MacDill Air Force Base, Florida;
* Headquarters, U.S. European Command, Critical Infrastructure
Protection Program Office, Patch Barracks, Germany;
* Headquarters, U.S. Joint Forces Command, Critical Infrastructure
Protection Office, Norfolk, Virginia;
* Headquarters, U.S. Northern Command, Force Protection/Mission
Assurance Division, Peterson Air Force Base, Colorado;
* Headquarters, U.S. Pacific Command, Critical Infrastructure
Protection Plans & Policy Office, Camp H.M. Smith, Hawaii;
* Headquarters, U.S. Southern Command, Joint Operations Support
Division, Miami, Florida;
* Headquarters, U.S. Special Operations Command, Mission Assurance
Division, MacDill Air Force Base, Florida;
* Headquarters, U.S. Strategic Command, Mission Assurance Division,
Offutt Air Force Base, Nebraska; and:
* Headquarters, U.S. Transportation Command, Critical Infrastructure
Program, Scott Air Force Base, Illinois;
Defense Sector Lead Agents:
* Headquarters, Defense Intelligence Agency, Office for Critical
Infrastructure Protection & Homeland Security/Defense;
* Headquarters, Defense Information Systems Agency, Critical
Infrastructure Protection Team;
* Headquarters, Defense Finance and Accounting Service, Critical
Infrastructure Protection Program Office, Indianapolis, Indiana;
* Headquarters, Defense Logistics Agency, Logistics Sector Critical
Infrastructure Protection Office;
* Headquarters, U.S. Army Corps of Engineers, Directorate of Military
Programs;
* Under Secretary of Defense for Personnel and Readiness, Information
Technology Division;
* Assistant Secretary of Defense for Health Affairs, Directorate of
Force Health Protection & Readiness;
* Headquarters, U.S. Transportation Command, Critical Infrastructure
Program, Operations Directorate, Scott Air Force Base, Illinois; and:
* Headquarters, U.S. Strategic Command, Mission Assurance Division,
Offutt Air Force Base, Nebraska.
To evaluate the extent to which DOD has developed a comprehensive
management plan to implement DCIP, we reviewed and analyzed policies,
assurance plans, strategies, handbooks, directives, and instructions,
and met with officials from each of the military services, combatant
commands (COCOM) (hereafter referred to as "DOD components"), and the
defense sector lead agents, as well as the Joint Staff. We compared
DOD's current approach to issuing guidance, stakeholder coordination,
and resource requirements to management control standards contained in
the Standards for Internal Control in the Federal Government. We also
attended the August 2006 DCIP tabletop exercise sponsored by the
Defense Intelligence Agency, and the October 2006 Homeland
Infrastructure Foundation Level Database Working Group meeting. We met
with representatives from ASD(HD&ASA), the Joint Staff, and several
offices within the Office of the Secretary of Defense assigned DCIP
responsibilities in DOD Directive 3020.40, Defense Critical
Infrastructure Protection (DCIP), as well as the Office of the
Assistant Secretary of Defense for Special Operations and Low-Intensity
Conflict and Interdependent Capabilities. Further, we met with
officials from the Department of Homeland Security's (DHS) Office of
Infrastructure Protection to discuss mechanisms to coordinate and share
critical infrastructure information with DOD.
To determine DCIP funding levels for fiscal years 2004 through 2013, we
met with officials from ASD(HD&ASA) and each of the DOD components and
sector lead agents, and analyzed actual and projected funding data. We
also met with an official from the Office of the Under Secretary of
Defense (Comptroller)/Chief Financial Officer familiar with DCIP.
Additionally, we obtained information from the Joint Staff on funds
expended to remediate high-priority antiterrorism vulnerabilities to
illustrate the potential cost of critical infrastructure remediation.
We found the data provided by DOD to be sufficiently reliable for
representing the nature and extent of DCIP funding.
To evaluate the extent to which DOD has identified, prioritized, and
assessed its critical infrastructure, we met with officials and
obtained relevant documentation from each of the DOD components, sector
lead agents, ASD(HD&ASA), the Joint Staff, and the Mission Assurance
Division. We examined various data collection instruments and databases
DOD components and sector lead agents are using to catalog, track, and
map infrastructure, including the Mission Assurance Division's
database, the Air Force's Critical Asset Management System, the Health
Affairs defense sector's Primary Health Assets Staging Tool, the
Personnel defense sector's Characterization and Dependency Analysis
Tool, and the Space defense sector's Strategic Mission Assurance Data
System. We also received a demonstration of DHS's National Asset
Database, which catalogs the nation's infrastructure. We did not verify
the accuracy of infrastructure provisionally identified as critical by
the DOD components and sector lead agents because the data is
incomplete and, has not been validated by the department. Further, we
did not verify the interoperability of these databases because it was
outside the scope of our review. We met with DTRA officials to obtain
information on the scope, conduct, and results of infrastructure
vulnerability assessments. We also met with Air Force officials to
discuss their infrastructure risk assessments. We did not evaluate the
effectiveness of either the DTRA-led or Air Force assessments as part
of our review.
Finally, to become familiar with prior work relevant to defense
critical infrastructure, we met in Arlington, Virginia, with officials
from the George Mason University School of Law's Critical
Infrastructure Protection Program and in Washington, D.C., with the
Congressional Research Service (Resources, Science, and Industry
Division and Foreign Affairs, Defense, and Trade Division).
We conducted our review from June 2006 through May 2007 in accordance
with generally accepted government auditing standards.
[End of section]
Appendix II: Comments from the Department of Defense:
ASSISTANT SECRETARY OF DEFENSE:
2600 DEFENSE PENTAGON:
WASHINGTON, DC 20301-2600:
May 1 5 2007:
Ms. Davi M. D'Agostino:
Director, Defense Capabilities and Management:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, DC 20548:
Dear Ms. D'Agostino:
Enclosed is the Department of Defense (DoD) response to the GAO draft
report, GAO-07-461, "Defense Infrastructure: Actions Needed to Guide
DoD's Efforts to Identify, Prioritize, and Assess Its Critical
Infrastructure," dated April 12, 2007 (GAO Code 350877). DoD concurs
with comment to all six recommendations in the report.
Our point of contact for this action is Mr. William Bryan, DASD
(HD&ASA), (703) 602-5730 ext. 143 or William.bryan@osd.mil.
Sincerely,
Signed by:
Peter F. Verga:
Acting:
Enclosure:
As stated:
GAO Draft Report - Dated April 12, 2007 GAO Code 350877/GAO-07-461:
"Defense Infrastructure: Actions Needed to Guide DoD's Efforts to
Identify, Prioritize, and Assess Its Critical Infrastructure"
Department Of Defense Comments To The Recommendations:
Recommendation 1: The GAO recommends that the Secretary of Defense
direct the Office of the Assistant Secretary of Defense (Homeland
Defense and Americas' Security Affairs) to develop and implement a
comprehensive management plan that addresses guidance, coordination of
stakeholders' efforts, and resources needed to implement the Defense
Critical Infrastructure Program (DCIP). The plan should include the
following actions:
* Establish timelines for finalizing the following draft DCIP guidance
and policies:
- DCIP Data Collection Essential Elements of Information o DCIP Interim
Implementation Guidance:
- DCIP Integrated Risk Assessment Handbook:
* Assist the defense sector lead agents in identifying, prioritizing,
and including DCIP funding requirements through the regular budgeting
process beginning in FY 2010.
* In coordination with the DoD Components, determine funding levels and
sources needed to avoid reliance on supplemental appropriations and
identify funding for DCIP remediation.
DOD Response: Concur with comment. Development of a DCIP Program Plan
is underway and will be completed by September 2007. The DCIP Interim
Implementation Guidance document was published on July 13, 2006. The
DCIP Integrated Risk Assessment Handbook will not be published as a
separate document; however, sections of the document will be published
as appropriate. DCIP Data Collection Essential Elements of Information
are under review by the community and disposition will be determined
based on community comments. The DCIP Criticality Process Guidance
Document (CPGD) was published on December 21, 2006. The DCIP Assessment
Standards and Benchmarks was published on June 9, 2006. Other guidance
documents will be published as appropriate.
Recommendation 2: The GAO recommends that the Secretary of Defense
direct the Director of Administration and Management to issue a
chartering directive to, among other things, define the relationship
between the Directorates for Homeland Defense and Americas' Security
Affairs and Special Operations and Low-Intensity Conflict &
Interdependent Capabilities.
DOD Response: Concur. A chartering DoD directive has been drafted and
is undergoing coordination with the ASD (HD&ASA). Following that it
will be coordinated with the remainder of the Department beginning in
late May; coordination should be completed by the end of June.
Publication should be expected in July 2007.
Recommendation 3: The GAO recommends that the Secretary of Defense
direct the Office of the Assistant Secretary of Defense (Homeland
Defense and Americas' Security Affairs) to complete the identification
and prioritization of critical infrastructure before increasing the
number of infrastructure vulnerability assessments performed.
DOD Response: Concur with comment. While prioritization is dependent on
the completion of the identification process, assessment is not.
Vulnerability assessments are a valid tool for addressing risk and
support risk management decisions at all levels. Delaying vulnerability
assessments until all assets are identified is unnecessary and may
delay the identification of vulnerabilities and remediation activities.
Assessments can be conducted incrementally while the identification
process is underway. DoD components with existing infrastructure
assessment programs and resources should be allowed to continue efforts
in support of DoD's risk management approach. Additionally, an
infrastructure vulnerability self-assessment program should also be
allowed to progress. The identification and prioritization process is
underway and should be complete by 2009.
Recommendation 4: The GAO recommends that the Secretary of Defense
direct the Office of the Assistant Secretary of Defense (Homeland
Defense and Americas' Security Affairs) to adopt the practice of
combining the Defense Critical Infrastructure Vulnerability Assessment
module with an existing assessment as the DoD-wide practice.
DOD Response: Concur with comment. DCIP currently combines its Defense
Critical Infrastructure module with the Joint Staff Integrated
Vulnerability Assessments and encourages other organizations performing
assessments (e.g. Military Services, Agencies, etc.) to incorporate the
Defense Critical Infrastructure Program (DCIP) module into their
assessments. In addition, the issue of multiple DoD assessments is
being addressed in the Joint Capabilities and Integration Development
(JCID) process, lead by the Joint Staff (J34) that will recommend an
appropriate analysis and assessment capability for the Department.
Recommendation 5: The GAO recommends that the Secretary of Defense
direct the Office of the Assistant Secretary of Defense (Homeland
Defense and Americas' Security Affairs) to issue guidance and criteria
for performing infrastructure vulnerability self-assessments.
DOD Response: Concur. The Office of the Assistant Secretary of Defense
(Homeland Defense and Americas' Security Affairs) has published the
DCIP Assessment Standards and Benchmarks, version 1.0, on June 9, 2006
to provide guidance and criteria for performing infrastructure
vulnerability assessments. These standards and benchmarks would apply
to both onsite assessments as well as self assessments.
Recommendation 6: The GAO recommends that the Secretary of Defense
direct the Office of the Assistant Secretary of Defense (Homeland
Defense and Americas' Security Affairs) to identify and prioritize
domestic non-DoD-owned critical infrastructure for the Department of
Homeland Security to consider including among its assessments of the
nation's critical infrastructure.
DOD Response: Concur. Defense Critical Infrastructure Program is
working with the Department of Homeland Security on information sharing
procedures and safeguards.
[End of section]
Appendix III: GAO Contact and Staff Acknowledgments:
GAO Contact:
Davi M. D'Agostino, (202) 512-5431, or dagostinod@gao.gov:
Acknowledgments:
Mark A. Pross, Assistant Director; Burns D. Chamberlain; Alissa Czyz;
Michael Gilmore; Cody Goebel; James Krustapentus; Kate Lenane; Thomas
C. Murphy; Maria-Alaina Rambus; Terry Richardson; Jamie A. Roberts;
Marc Schwartz; and Tim Wilson made key contributions to this report.
FOOTNOTES
[1] We did not independently verify the accuracy of this estimate.
However, the estimate that non-DOD entities (i.e., private industry;
state, local, and tribal governments; and foreign governments) own and
operate approximately 85 percent of the nation's critical
infrastructure is consistent with national-level estimates and is cited
in several national strategies. See, for example, The White House, The
National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets (Washington, D.C.: February 2003) and
Office of Homeland Security, National Strategy for Homeland Security
(Washington, D.C.: July 2002).
[2] Department of Defense, Joint Chiefs of Staff, The National Military
Strategy of the United States of America: A Strategy for Today; A
Vision for Tomorrow (Washington, D.C.: 2004). The National Military
Strategy is the Joint Chiefs of Staff's document on the strategic
direction of the armed forces, which establishes three military
objectives: (1) protect the United States against external attacks and
aggression, (2) prevent conflict and surprise attack, and (3) prevail
against adversaries.
[3] Department of Defense, Quadrennial Defense Review Report
(Washington, D.C.: Feb. 6, 2006). The Quadrennial Defense Review is a
comprehensive internal review of DOD's forces, resources, and programs.
[4] Homeland Security Presidential Directive 7 (Washington D.C.: Dec.
17, 2003).
[5] Pub. L. No. 107-296, Nov. 25, 2002.
[6] The Office of the Under Secretary of Defense for Policy was
reorganized in December 2006. This reorganization included, among other
things, the Office of the Assistant Secretary of Defense for Homeland
Defense being renamed the Office of the Assistant Secretary of Defense
for Homeland Defense and Americas' Security Affairs. Hereafter, this
office is referred to by its current name.
[7] See GAO, Chemical and Biological Defense: Updated Intelligence,
Clear Guidance, and Consistent Priorities Needed to Guide Investments
in Collective Protection, GAO-07-113 (Washington, D.C.: Jan. 19, 2007).
[8] This guidance allows DOD components to determine vulnerabilities of
their critical infrastructure.
[9] This guidance provides a framework for identifying and prioritizing
defense critical infrastructure.
[10] See, for example, GAO, Military Readiness: Navy's Fleet Response
Plan Would Benefit from a Comprehensive Management Approach and
Rigorous Testing, GAO-06-84 (Washington, D.C.: Nov. 22, 2005).
[11] GAO, Standards for Internal Control in the Federal Government,
GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999).
[12] The Intelligence, Surveillance, and Reconnaissance; Logistics;
Personnel; and Space defense sectors do not have a federal-level
counterpart.
[13] The $160 million total does not include the $6.8 million provided
to the Defense Contract Management Agency, the lead agent for the
Defense Industrial Base defense sector during fiscal years 2004 to
2007. Further, the Marine Corps and the U.S. Pacific Command were
unable to provide funding data for fiscal year 2004 because these data
were unavailable.
[14] GAO has previously reported on DOD's overreliance on supplemental
appropriations. See GAO, Securing, Stabilizing, and Rebuilding Iraq:
Key Issues for Congressional Oversight, GAO-07-308SP (Washington, D.C.:
Jan. 9, 2006); GAO, Global War on Terrorism: Observations on Funding,
Costs, and Future Commitments, GAO-06-885T (Washington, D.C.: July 18,
2006); and GAO, Force Structure: Actions Needed to Improve Estimates
and Oversight of Costs for Transforming Army to a Modular Force, GAO-05-
926 (Washington, D.C.: Sept. 29, 2005).
[15] See, for example, DOD Directive 8100.1, Global Information Grid
(GIG) Overarching Policy (Washington, D.C.: Sept. 19, 2002) and DOD
Directive 8320.2, Data Sharing in a Net-Centric Department of Defense
(Washington, D.C.: Dec. 2, 2004).
[16] The Critical Infrastructure Information Act was enacted as Title
II, Subtitle B of the Homeland Security Act of 2002, Pub. L. No. 107-
296 (2002).
[17] "Critical infrastructure information" is defined at Section 212 of
Pub. L. No. 107-296 (2002).
[18] DHS's final rule implementing the Critical Infrastructure
Information Act identifies procedures for indirect submissions to DHS
through DHS field representatives and other federal agencies.
[19] 5 U.S.C. § 552.
[20] For more information on the procedures by which PCII may be
shared, see DHS's Procedures for Handling Critical Infrastructure
Information, 6 C.F.R. 29.
[21] For more information on the accreditation process, see app. II of
GAO, Information Sharing: DHS Should Take Steps to Encourage More
Widespread Use of Its Program to Protect and Share Critical
Infrastructure Information, GAO-06-383 (Washington, D.C.: Apr. 17,
2006).
[22] GAO-06-383.
[23] DOD Directive 3020.40 states that the COCOMs are to identify an
office of primary responsibility to establish, resource, and execute a
command program for matters pertaining to the identification,
prioritization, and protection of command mission essential tasks and
required capabilities, and the military services are to establish,
resource, and execute an organizational program supporting DCIP.
[24] See Memorandum on Defense Critical Infrastructure Program Funding
Responsibilities from the Principal Deputy Assistant Secretary of
Defense for Homeland Defense dated February 15, 2006.
[25] Pub. L. No. 106-398 § 1033 (2000), codified at 10 U.S.C. § 2541.
[26] DOD organizations are located in the Washington, D.C.,
metropolitan area unless indicated otherwise.
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site.
To have GAO e-mail you a list of newly posted products every afternoon,
go to www.gao.gov and select "Subscribe to Updates."
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office 441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Congressional Relations:
Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400 U.S.
Government Accountability Office, 441 G Street NW, Room 7125
Washington, D.C. 20548:
Public Affairs:
Paul Anderson, Managing Director, AndersonP1@gao.gov (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, D.C. 20548:
