Defense Infrastructure

Management Actions Needed to Ensure Effectiveness of DOD's Risk Management Approach for the Defense Industrial Base Gao ID: GAO-07-1077 August 31, 2007

The U.S. military relies on the defense industrial base (DIB) to meet requirements to fulfill the National Military Strategy. The potential destruction, incapacitation, or exploitation of critical DIB assets by attack, crime, technological failure, natural disaster, or man-made catastrophe could jeopardize the success of U.S. military operations. GAO was asked to review the Department of Defense's (DOD) Defense Critical Infrastructure Program and has already reported that DOD has not developed a comprehensive management plan for its implementation. This, the second GAO report, has (1) determined the status of DOD's efforts to develop and implement a risk management approach to ensure the availability of DIB assets, and (2) identified challenges DOD faces in its approach to risk management. GAO analyzed plans, guidance, and other documents on identifying, prioritizing, and assessing critical domestic and foreign DIB assets and held discussions with DOD and contractor officials.

DOD has begun developing and implementing a risk management approach to ensure the availability of DIB assets needed to support mission-essential tasks, though implementation is still at an early stage. Its sector assurance and sector-specific plans focus on steps to identify a list of critical assets that, if damaged, would result in unacceptable consequences; prioritize those critical assets based on a risk assessment process; perform vulnerability assessments on high-priority critical assets, and encourage contractors' actions to remediate or mitigate adverse effects found during these assessments, as appropriate, to ensure continuity of business. The Defense Contract Management Agency, the executing agency for the DIB, has developed a process to identify the most important DIB assets and to narrow this list to those it considers critical. It has also developed an asset prioritization model for determining a criticality score and ranking critical assets, and it has established a standardized mission assurance vulnerability assessment process for critical DIB assets. DOD faces several key challenges in implementing its DIB risk management approach. Overall, DOD's methodology for identifying critical DIB assets is evolving, and DOD lacks targets and time frames for completing development of key program elements that are needed for its risk management approach. Without them, DOD cannot measure its progress toward ensuring that DIB assets supporting critical DOD missions are properly identified and prioritized. The specific challenges are as follows: First, DOD is not fully incorporating the military services' mission-essential task information (i.e., listings of assets whose damage, degradation, or destruction would result in DOD-wide mission failure) in compiling its critical asset list. Second, GAO's analysis of DOD's prioritization model shows that weighting factors were selected and data determined according to subjective decisions and limited review, and that needed contractor-specific data were lacking, as was comprehensive threat information, thus undermining the utility of the index score for prioritizing contractors. Without these comprehensive data and a reliable asset prioritization model, DOD will not be in a sound position to know that it has identified the most important and critical assets, as called for in the National Military Strategy. Third, with regard to scheduling and conducting assessments of critical DIB assets, DOD is currently doing so based on contractor amenability and security clearance status without regard for assets' priority rankings, and thus cannot ensure that the most critical DIB contractors are assessed. Fourth, DOD lacks a plan for developing options to work with the Department of State and other appropriate agencies to identify and address potential challenges in assessing vulnerabilities in foreign critical DIB assets. Until all these challenges are addressed, DOD will lack the visibility it needs over critical DIB asset vulnerabilities, will be unable to encourage critical DIB contractors to take needed remediation actions, and will be unable to make informed decisions regarding limited resources.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.

Director: Team: Phone:


The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO These reports should not be considered official, and do not necessarily reflect the views of Justia.