Defense Infrastructure
Actions Needed to Guide DOD's Efforts to Identify, Prioritize, and Assess Its Critical Infrastructure
GAO ID: GAO-07-461 May 24, 2007
The Department of Defense (DOD) relies on a network of DOD and non-DOD infrastructure assets in the United States and abroad so critical that its unavailability could hinder DOD's ability to project, support, and sustain its forces and operations worldwide. DOD established the Defense Critical Infrastructure Program (DCIP) to identify and assure the availability of mission-critical infrastructure. GAO was asked to evaluate the extent to which DOD has (1) developed a comprehensive management plan to implement DCIP and (2) identified, prioritized, and assessed its critical infrastructure. GAO analyzed relevant DCIP documents and guidance and met with officials from more than 30 DOD organizations that have DCIP responsibilities, and with Department of Homeland Security (DHS) officials involved in protecting critical infrastructure.
While DOD has taken important steps to implement DCIP, it has not developed a comprehensive management plan to guide its efforts. GAO's prior work has shown the importance of developing a plan that incorporates sound management practices, such as issuing guidance, coordinating stakeholders' efforts, and identifying resource requirements and sources. Most of DOD's DCIP guidance and policies are either newly issued or in draft form, leading some DOD components to rely on other, better-defined programs, such as the antiterrorism program, to implement DCIP. Although DOD issued a DCIP directive in August 2005, the lead office responsible for DCIP lacks a chartering directive that defines important roles, responsibilities, and relationships with other DOD organizations and missions. DOD has created several information sharing and coordination mechanisms; however, additional measures could be taken. Also, DOD's reliance on supplemental appropriations to fund DCIP makes it difficult to effectively plan future resource needs. Until DOD completes a comprehensive DCIP management plan, its ability to implement DCIP will be challenged.
DOD estimates that it has identified about 25 percent of the critical infrastructure it owns, and expects to identify the remaining 75 percent by the end of fiscal year 2009. In contrast, DOD has identified significantly less of the critical infrastructure that it does not own, and does not have a target date for its completion. Among the non-DOD-owned critical infrastructure that has been identified are some 200 assets belonging to private sector companies that comprise the defense industrial base--the focus of another report we plan to issue later this year. DOD estimates that about 85 percent of its mission-critical infrastructure assets are owned by non-DOD entities, such as the private sector; state, local, and tribal governments; and foreign governments.
DOD has conducted vulnerability assessments on some DOD-owned infrastructure. While these assessments can provide useful information about specific assets, until DOD identifies and prioritizes all of the critical infrastructure it owns, assessment results have limited value for deciding where to target funding investments. For the most part, DOD cannot assess assets it does not own, and DOD has not coordinated with DHS to include them among DHS's assessments of the nation's critical infrastructure. DOD has delayed coordinating the assessment of non-DOD-owned infrastructure located abroad while it focuses on identifying the critical infrastructure that it does own. Current and future DCIP funding levels do not include the cost to remediate vulnerabilities that are identified through the assessments. When DOD identifies, prioritizes, and assesses its critical infrastructure, and includes remediation in its funding requirements, its ability to perform risk-based decision making and target funding to priority needs will be improved.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow-up work.