Defense Critical Infrastructure

DOD's Risk Analysis of Its Critical Infrastructure Omits Highly Sensitive Assets

GAO ID: GAO-08-373R, April 2, 2008

The Department of Defense (DOD) relies on a global network of critical physical and cyber infrastructure to project, support, and sustain its forces and operations worldwide. The incapacitation, exploitation, or destruction of one or more of its assets would seriously damage DOD's ability to carry out its core missions. To identify and help assure the availability of this mission-critical infrastructure, in August 2005, DOD established the Defense Critical Infrastructure Program (DCIP), assigning overall responsibility for the program to the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]). Since 2006, ASD(HD&ASA) has collaborated with the Joint Staff to compile a list of all DOD- and non-DOD-owned infrastructure essential to accomplish the National Defense Strategy. Each critical asset on the list must undergo a vulnerability assessment, which identifies weaknesses in relation to potential threats and suggests options to address those weaknesses. Data and material designated as Sensitive Compartmented Information (SCI) or associated with Special Access Programs (SAP) are among the nation's most valued and closely guarded assets, and DOD faces inherent challenges in incorporating them into DCIP. The number of individuals authorized to access SCI and SAPs is a relatively small subset of those authorized to access collateral-level classified information--that is, Confidential, Secret, or Top Secret information.

Congress requested that GAO review a number of issues related to defense critical infrastructure. To date, GAO has issued two reports in response to that request. GAO's first report examined the extent to which DOD had developed a comprehensive management plan for DCIP and had identified, prioritized, and assessed defense critical infrastructure. GAO's second report examined DOD's efforts to implement a risk management approach for critical assets in the Defense Industrial Base Defense Sector.
As part of GAO's ongoing work on DOD's critical infrastructure protection efforts, this report focuses on challenges DOD faces in incorporating critical SCI and SAP assets into DCIP. Specifically, this report evaluates the extent to which DOD is (1) identifying and prioritizing critical SCI and SAP assets in DCIP and (2) assessing critical SCI and SAP assets for vulnerabilities in a comprehensive manner consistent with that used by DCIP for collateral-level assets.

Although DOD Directive 3020.40 calls for the identification and prioritization of all defense critical infrastructure, DOD has not taken adequate steps to ensure that highly sensitive critical assets associated with SCI and SAPs are accounted for, either through DCIP or a comparable process. The Joint Staff has tasked DOD organizations to submit lists of critical assets classified at the collateral level only--in part, to facilitate vetting and sharing critical asset lists across the department. As a consequence, some DOD organizations have omitted SCI and SAP assets from their submissions. For example, the Defense Intelligence Agency--the DOD lead agent for the Intelligence, Surveillance, and Reconnaissance Defense Sector--has not forwarded to the Joint Staff a list of over 80 assets it has identified as critical, because neither the Joint Staff nor ASD(HD&ASA) has fully incorporated provisions for including SCI data into DCIP. Although ASD(HD&ASA) and Joint Staff officials have initiated some actions to increase their access to SCI--for example, by requesting additional SCI clearances for staff and pursuing means to store and share SCI data--these actions are not likely to resolve information-sharing problems across the department because many officials in other DCIP organizations may still lack access to SCI. Additionally, DOD officials told us that stringent "need to know" requirements for SAP information will likely prevent ASD(HD&ASA) and other DCIP officials from obtaining greater access to information on SAP assets in the foreseeable future. By excluding SCI and SAP infrastructure, DOD's processes for soliciting critical asset information do not result in consistent and comprehensive identification and prioritization of all critical infrastructure. Yet ASD(HD&ASA) has not pursued alternative approaches, such as partnering with other DOD organizations that have greater SCI and SAP access, to develop parallel identification and prioritization processes. 
Unless critical SCI and SAP assets are identified and prioritized, DOD will lack sufficient information to assure the availability of the department's most critical assets. DOD guidance requires all critical infrastructure to be assessed for vulnerabilities using DCIP standards and benchmarks, but because SCI and SAP assets have not been reported as critical, they do not receive these assessments. Should any unreported critical SCI assets be reported under DCIP, the Defense Threat Reduction Agency has personnel who possess SCI clearances, and therefore could assess those assets. However, because of the greater access restrictions placed on SAP data, Defense Threat Reduction Agency officials are unlikely to gain access to the highly sensitive information needed to assess SAP assets. Separately from DCIP, the Defense Intelligence Agency assesses the vulnerabilities of SCI and SAP assets. However, those assessments are intended to support information and physical security rather than mission assurance. Accordingly, they do not include certain key elements of the assessments administered under DCIP, such as a mission-based orientation and an all-hazards analysis. Because of these fundamental differences, the Defense Intelligence Agency's assessments of SCI and SAP assets cannot substitute for the mission-based, all-hazards vulnerability assessments required by DCIP. As a result, DOD lacks a consistent process for assessing its collateral and its more sensitive critical assets. Without using a consistent vulnerability assessment process for all its critical assets, including SCI and SAP assets, DOD cannot effectively analyze the comparative value of risk reduction actions.

Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.



GAO-08-373R, Defense Critical Infrastructure: DOD's Risk Analysis of Its Critical Infrastructure Omits Highly Sensitive Assets

This is the accessible text file for GAO report number GAO-08-373R entitled 'Defense Critical Infrastructure: DOD's Risk Analysis of Its Critical Infrastructure Omits Highly Sensitive Assets' which was released on April 3, 2008.

This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office
Washington, DC 20548

April 2, 2008

The Honorable Solomon P. Ortiz
Chairman
The Honorable J. Randy Forbes
Ranking Member
Subcommittee on Readiness
Committee on Armed Services
House of Representatives

The Honorable William T. Akin
House of Representatives

Subject: Defense Critical Infrastructure: DOD's Risk Analysis of Its Critical Infrastructure Omits Highly Sensitive Assets

The Department of Defense (DOD) relies on a global network of critical physical and cyber infrastructure to project, support, and sustain its forces and operations worldwide. The incapacitation, exploitation, or destruction of one or more of its assets would seriously damage DOD's ability to carry out its core missions. To identify and help assure the availability of this mission-critical infrastructure, in August 2005, DOD established the Defense Critical Infrastructure Program (DCIP), assigning overall responsibility for the program to the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]).[Footnote 1] Since 2006, ASD(HD&ASA) has collaborated with the Joint Staff to compile a list of all DOD- and non-DOD-owned infrastructure essential to accomplish the National Defense Strategy.[Footnote 2] Each critical asset on the list must undergo a vulnerability assessment, which identifies weaknesses in relation to potential threats and suggests options to address those weaknesses.

Data and material designated as Sensitive Compartmented Information (SCI)[Footnote 3] or associated with Special Access Programs (SAP)[Footnote 4] are among the nation's most valued and closely guarded assets, and DOD faces inherent challenges in incorporating them into DCIP. The number of individuals authorized to access SCI and SAPs is a relatively small subset of those authorized to access collateral-level classified information--that is, Confidential, Secret, or Top Secret information. The relationship between collateral, SCI, and SAP designations is depicted in figure 1.
Figure 1: Relationship between Collateral, SCI, and SAP Designations

[See PDF for image]

This figure is an illustration of the relationship between Collateral, SCI, and SAP designations, utilizing a series of concentric half-circles. The core of the concentric half-circles is designated as confidential. The next half-circle is designated secret, and the outer half-circle is designated top secret. Within each designation there are collateral and non-collateral designations, as well. Both SAPs and SCI are illustrated as non-collateral, secret and top secret.

Source: GAO analysis.

Note: The areas shown here represent categories of national security information. All classified information is Confidential, Secret, or Top Secret. Information classified at these levels but not subject to any additional safeguarding and access requirements is collateral information. Some information that is classified Secret or Top Secret also falls under an SCI or SAP designation; that information then becomes non-collateral. The relative size of each area is illustrative only.

[End of figure]

You requested that we review a number of issues related to defense critical infrastructure. To date, we have issued two reports in response to that request. Our first report[Footnote 5] examined the extent to which DOD had developed a comprehensive management plan for DCIP and had identified, prioritized, and assessed defense critical infrastructure. Our second report[Footnote 6] examined DOD's efforts to implement a risk management approach for critical assets in the Defense Industrial Base Defense Sector. As agreed with your offices, we plan to issue reports later this year that examine actions DOD has taken to assure the availability of its critical infrastructure in the Transportation; Space; Intelligence, Surveillance, and Reconnaissance; Global Information Grid; and Public Works Defense Sectors.
As part of our ongoing work on DOD's critical infrastructure protection efforts, this report focuses on challenges DOD faces in incorporating critical SCI and SAP assets into DCIP. Specifically, this report evaluates the extent to which DOD is (1) identifying and prioritizing critical SCI and SAP assets in DCIP and (2) assessing critical SCI and SAP assets for vulnerabilities in a comprehensive manner consistent with that used by DCIP for collateral-level assets.

To determine the extent to which DOD is identifying and prioritizing critical SCI and SAP assets in DCIP and assessing them for vulnerabilities using DCIP criteria, we reviewed guidance, critical asset lists, planning documents, and other relevant documentation, and we interviewed officials from the following DOD organizations: the Office of the ASD(HD&ASA), the Joint Staff Deputy Directorate for Antiterrorism and Homeland Defense, the Office of the Under Secretary of Defense for Intelligence, the DOD Special Access Program Central Office, the Defense Intelligence Agency, the Defense Contract Management Agency, and the nine geographic and functional combatant commands.[Footnote 7]

We conducted this performance audit from September 2007 through February 2008 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Results in Brief

Although DOD Directive 3020.40 calls for the identification and prioritization of all defense critical infrastructure, DOD has not taken adequate steps to ensure that highly sensitive critical assets associated with SCI and SAPs are accounted for, either through DCIP or a comparable process.
The Joint Staff has tasked DOD organizations to submit lists of critical assets classified at the collateral level only--in part, to facilitate vetting and sharing critical asset lists across the department. As a consequence, some DOD organizations have omitted SCI and SAP assets from their submissions. For example, the Defense Intelligence Agency--the DOD lead agent for the Intelligence, Surveillance, and Reconnaissance Defense Sector--has not forwarded to the Joint Staff a list of over 80 assets it has identified as critical, because neither the Joint Staff nor ASD(HD&ASA) has fully incorporated provisions for including SCI data into DCIP. Although ASD(HD&ASA) and Joint Staff officials have initiated some actions to increase their access to SCI--for example, by requesting additional SCI clearances for staff and pursuing means to store and share SCI data--these actions are not likely to resolve information-sharing problems across the department because many officials in other DCIP organizations may still lack access to SCI. Additionally, DOD officials told us that stringent "need to know" requirements for SAP information will likely prevent ASD(HD&ASA) and other DCIP officials from obtaining greater access to information on SAP assets in the foreseeable future. By excluding SCI and SAP infrastructure, DOD's processes for soliciting critical asset information do not result in consistent and comprehensive identification and prioritization of all critical infrastructure. Yet ASD(HD&ASA) has not pursued alternative approaches, such as partnering with other DOD organizations that have greater SCI and SAP access, to develop parallel identification and prioritization processes. Unless critical SCI and SAP assets are identified and prioritized, DOD will lack sufficient information to assure the availability of the department's most critical assets. 
DOD guidance requires all critical infrastructure to be assessed for vulnerabilities using DCIP standards and benchmarks, but because SCI and SAP assets have not been reported as critical, they do not receive these assessments. Should any unreported critical SCI assets be reported under DCIP, the Defense Threat Reduction Agency has personnel who possess SCI clearances, and therefore could assess those assets. However, because of the greater access restrictions placed on SAP data, Defense Threat Reduction Agency officials are unlikely to gain access to the highly sensitive information needed to assess SAP assets.

Separately from DCIP, the Defense Intelligence Agency assesses the vulnerabilities of SCI and SAP assets. However, those assessments are intended to support information and physical security rather than mission assurance. Accordingly, they do not include certain key elements of the assessments administered under DCIP, such as a mission-based orientation and an all-hazards analysis. The guidance the Defense Intelligence Agency uses to assess SCI and SAP assets focuses on the need to secure information from unauthorized disclosure rather than on the need to maintain continuity of mission-essential functions, and it emphasizes human threats, such as terrorism, rather than all potential hazards. Because of these fundamental differences, the Defense Intelligence Agency's assessments of SCI and SAP assets cannot substitute for the mission-based, all-hazards vulnerability assessments required by DCIP. As a result, DOD lacks a consistent process for assessing its collateral and its more sensitive critical assets. Without using a consistent vulnerability assessment process for all its critical assets, including SCI and SAP assets, DOD cannot effectively analyze the comparative value of risk reduction actions.
We are recommending that ASD(HD&ASA) develop a process to identify, prioritize, and assess critical SCI and SAP assets in a manner consistent with DCIP, and amend its DCIP security classification guidance to specifically address how SCI and SAP critical infrastructure information should be treated.

In written comments on a draft of this report, DOD generally agreed with our recommendations. DOD's comments are discussed in more detail at the end of this report and are reproduced in full in enclosure I. DOD also provided us with technical comments, which have been incorporated where appropriate.

Background

Recognizing that it is neither practical nor feasible to protect its entire infrastructure against every possible threat, DOD is pursuing a risk management approach to help direct limited resources to higher-priority, higher-risk assets. DOD's risk management approach is based on assessing criticality, threat, vulnerability, and the ability to respond to incidents. Criticality assessments evaluate and prioritize assets on the basis of their importance to mission success. Threat assessments identify and evaluate potential threats to critical assets before they materialize, on the basis of capabilities, intentions, and past events. Vulnerability assessments analyze weaknesses in relation to identified threats and suggest options to address those weaknesses. DOD's risk management approach also includes an assessment of the ability to respond to, and recover from, an incident.

In response to the guidance contained in Homeland Security Presidential Directive 7,[Footnote 8] DOD formalized its critical infrastructure efforts on August 19, 2005, by issuing DOD Directive 3020.40, Defense Critical Infrastructure Program (DCIP), which established the program and assigned overall responsibility to ASD(HD&ASA).
DOD Directive 3020.40 requires, among other things, that ASD(HD&ASA) develop and ensure implementation of DCIP policy and program guidance for the identification, prioritization, and protection of defense critical infrastructure. Pursuant to DOD Directive 3020.40, DOD has defined 10 virtual, functionally-based defense sectors comprising the critical infrastructure that crosses traditional organizational boundaries, and it has appointed a lead agent for each sector. The 10 defense sectors and their corresponding lead agents are listed in table 1.

Table 1: Defense Infrastructure Sectors and Corresponding Lead Agents

| Defense infrastructure sector | Defense infrastructure sector lead agent |
|---|---|
| Defense Industrial Base | Defense Contract Management Agency |
| Financial Services | Defense Finance and Accounting Service |
| Global Information Grid | Defense Information Systems Agency |
| Health Affairs | Assistant Secretary of Defense for Health Affairs |
| Intelligence, Surveillance, and Reconnaissance | Defense Intelligence Agency |
| Logistics | Defense Logistics Agency |
| Personnel | Under Secretary of Defense for Personnel and Readiness |
| Public Works | U.S. Army Corps of Engineers |
| Space | U.S. Strategic Command |
| Transportation | U.S. Transportation Command |

Source: GAO analysis of DOD data.
[End of table]

ASD(HD&ASA) and the Joint Staff have tasked the combatant commands, military services, field activities, defense agencies, and defense infrastructure sector lead agents with nominating infrastructure necessary to accomplish the goals specified in the National Defense Strategy. The combatant commands, in collaboration with the Joint Staff, identify and prioritize DOD missions that are the basis for determining infrastructure criticality. The military services, as the principal owners of DOD infrastructure, identify and link infrastructure to specific combatant command mission requirements. Defense infrastructure sector lead agents address the interdependencies among infrastructure that cross organizational boundaries, and evaluate the cascading effects of degraded or lost infrastructure on other infrastructure assets.

Assets nominated by the combatant commands and services have been assembled into a consolidated draft critical asset list, which ASD(HD&ASA) will use as the basis for a final list. The Joint Staff plans to send the latest iteration of the draft list to ASD(HD&ASA) in April 2008. ASD(HD&ASA) officials told us they expect to approve and issue a final critical asset list within 90 days of receiving a final draft list from the Joint Staff, which will include assets nominated by the defense infrastructure sector lead agents.

According to DCIP guidance,[Footnote 9] all defense critical assets must undergo vulnerability assessments. These assessments, performed primarily by the Defense Threat Reduction Agency or by asset owners themselves, follow a set of standards and benchmarks developed and maintained by ASD(HD&ASA).[Footnote 10] DCIP assessments use a mission-assurance approach; that is, they discern what weaknesses, if any, threaten an asset's continued availability to support its associated defense missions.
This mission-based analysis, according to DCIP standards and benchmarks,[Footnote 11] requires assessment teams to consider an exhaustive set of potential hazards, including chemical, biological, radiological, nuclear, and explosive events; electromagnetic pulse; sabotage; projectile impact; cyber threats; arson; earthquakes, hurricanes, fire, and other natural disasters or weather events; collocated construction or digging activities; work stoppage or strike; and wildlife activity. DCIP's mission-assurance, all-hazards approach mirrors risk management strategies developed by the Department of Homeland Security, with the intention of providing a sound and systematic basis for deciding whether and how to accept, reduce, or offset risk to DOD's most mission-critical infrastructure.

DOD Has Not Included SCI and SAP Assets in Its Identification and Prioritization of Critical Infrastructure

Although DOD Directive 3020.40 calls for the identification and prioritization of all defense critical infrastructure and the development of policies that promote information sharing while properly safeguarding sensitive data, DOD has not taken adequate steps to account for critical infrastructure associated with SCI and SAPs, either through DCIP or an alternative approach. DOD organizations have submitted critical assets at the collateral level only, because the instructions they received did not address SCI or SAP assets. Moreover, key ASD(HD&ASA) officials involved with DCIP are not authorized to access SCI and SAP data, even if such data were submitted to them.

DOD Organizations Have Not Reported SCI and SAP Critical Assets

The Joint Staff, in preparing the critical asset list on behalf of ASD(HD&ASA), gave written instructions to DOD organizations on how to submit critical assets at the Secret or Top Secret levels; however, these instructions did not address how to submit critical SCI or SAP assets.
The DCIP Security Classification Guide[Footnote 12]--which describes what information related to critical infrastructure meets the standards of Confidential, Secret, or Top Secret at the collateral level--also does not specifically address SCI or SAP data related to critical infrastructure. The Joint Staff instructions and the guide do not rule out the designation of some critical asset information as SCI or SAP, but officials from two DOD organizations told us that the lack of explicit guidance on how to treat SCI and SAP data caused them not to fully report their critical assets. The Defense Intelligence Agency, the lead agent for the Intelligence, Surveillance, and Reconnaissance Defense Sector, has compiled a list of over 80 assets nominated by both the Defense Intelligence Agency and by the National Security Agency, the National Reconnaissance Office, the National Geospatial-Intelligence Agency, the military service intelligence activities, and the combatant command intelligence staffs. Defense Intelligence Agency officials told us that they have not forwarded the list to the Joint Staff because provisions for including SCI data have not been fully incorporated into DCIP. Similarly, officials at the Defense Contract Management Agency, the lead agent for the Defense Industrial Base Defense Sector, told us they have not reported any critical assets associated with SAPs because they believe that DCIP policies do not require them to do so. DCIP policies make no such exception for SAP infrastructure, but the lack of explicit guidance concerning SCI and SAPs has led DOD organizations not to report some SCI and SAP assets as critical.

In further explaining why the DOD critical asset list has been kept at the collateral level, Joint Staff and ASD(HD&ASA) officials stated that highly classified information would be difficult to share among all relevant DCIP stakeholders because of the limited number of individuals who have access to SCI and SAPs.
The stringent access controls on SCI and SAP information would significantly restrict ASD(HD&ASA)'s ability to distribute among DCIP organizations any critical asset list that includes SCI or SAP infrastructure. Nevertheless, until DOD develops the means to identify and prioritize critical SCI and SAP assets, it cannot assure the availability of all critical defense infrastructure in a consistent and comprehensive way.

During the course of our review, the Joint Staff issued new instructions to DOD organizations, requesting them to submit their lists of critical SCI assets. Joint Staff officials told us that they have had discussions with the Defense Intelligence Agency about obtaining its SCI-level list of critical intelligence, surveillance, and reconnaissance infrastructure. These actions represent important initial steps toward identifying and prioritizing critical SCI infrastructure; however, they remain in their initial phases only. Joint Staff officials acknowledged that DOD has not taken similar actions to begin accounting for SAP infrastructure.

Key ASD(HD&ASA) Officials Are Not Authorized to Access SCI or SAP Data

A related barrier to including SCI and SAP assets in the DOD critical asset list is DCIP officials' lack of authority to access information pertaining to these highly sensitive programs. At the time of our review, key ASD(HD&ASA) personnel involved with DCIP were not authorized to handle SCI data. Similarly, ASD(HD&ASA) personnel had not been granted access to any SAPs, and did not expect to gain access in the foreseeable future. DOD policy[Footnote 13] imposes a stringent standard for meeting the "need to know" criterion: to handle SAP information an individual must "materially and directly contribute" to the individual SAP to which he or she requests access.
DOD officials responsible for setting departmental SAP policy told us that ASD(HD&ASA) staff would almost certainly not qualify to access SAP information for the purpose of identifying and prioritizing defense critical infrastructure. For the same reason, according to an Air Force headquarters official responsible for SAPs, defense industrial base firms involved in SAPs would be reluctant to discuss their potential critical assets with the Defense Contract Management Agency or other DCIP officials.[Footnote 14]

ASD(HD&ASA) officials are aware of these issues and have taken some steps to resolve them. They have requested SCI clearances for additional personnel, have identified a computer terminal belonging to another DOD organization that could be used to transmit and receive SCI data, and have requested a computer authorized to store and process SCI data. Once ASD(HD&ASA) is able to handle and store SCI data, it will have access to the Intelligence, Surveillance, and Reconnaissance Defense Sector's critical asset list.

However, ASD(HD&ASA) has not taken similar actions to address its lack of access to SAPs. At the time of our review, ASD(HD&ASA) officials had limited coordination with DOD's SAP Central Office, the primary point-of-contact on all issues involving defense SAPs, and limited coordination with other defense organizations to discern what amount of critical infrastructure might reside in those programs. DOD officials responsible for SAP policy told us that most defense SAPs involve acquisition programs. The Defense Contract Management Agency, which is tasked with analyzing acquisition infrastructure, has compiled a sector-specific list of critical assets, but its list contains no SAP infrastructure. Defense Contract Management Agency officials acknowledged the need to identify critical SAP assets, but told us they had no plan for doing so.
Moreover, actions taken by ASD(HD&ASA) officials to increase their own SCI and SAP access will not be sufficient to address information-sharing problems across other DOD organizations with key roles in DCIP. For example, draft DCIP guidance[Footnote 15] calls for the military services, combatant commands, field activities, defense agencies, defense infrastructure sector lead agents, and other DOD organizations to review and validate the draft critical asset list once it has been compiled. But DOD officials told us that many DCIP personnel at these organizations are unlikely to be granted SCI or SAP access, denying them the authorization required to validate any critical asset list that includes SCI or SAP infrastructure.

Although DOD Directive 3020.40 tasks ASD(HD&ASA) with developing policies to promote information sharing while safeguarding sensitive data from disclosure, it has not pursued potential means of balancing these competing needs in the case of SCI and SAP infrastructure. For example, ASD(HD&ASA) has not explored the option of partnering with the Defense Intelligence Agency or the SAP Central Office to develop parallel identification and prioritization processes. These two organizations, or other DOD entities with the necessary access, could compile and maintain separate critical asset lists for SCI and SAP infrastructure, using standards consistent with those currently applied to collateral assets under DCIP. Such an approach could potentially fulfill DOD requirements for comprehensive risk management while respecting the extraordinary sensitivity of SCI and SAP data; to date, however, DOD has not taken steps to pursue either this or similar options. Unless DOD revises or supplements its identification and prioritization process to resolve information-sharing problems, the omission of SCI and SAP assets will continue to limit DOD's awareness of its critical infrastructure.
SCI and SAP Vulnerability Assessments Are Not Consistent with Those Performed on Collateral-Level Assets:

Although DOD guidance requires that all critical infrastructure be assessed for vulnerabilities using DCIP standards and benchmarks, SCI and SAP assets have not received DCIP assessments because they have not been reported as critical. The Defense Intelligence Agency operates a separate program for assessing SCI and SAP assets--critical and otherwise--but because its assessments are designed to focus on information security rather than mission assurance, they do not include certain key elements of those required for critical assets reported under DCIP. The Defense Intelligence Agency's guidelines for SCI and SAP assessments do not employ a mission-based analysis, nor do they require consideration of all potential hazards--whereas these two criteria are integral to the DCIP vulnerability assessments conducted on collateral-level assets. Should DCIP identify any of the critical SCI assets that are currently unidentified, the Defense Threat Reduction Agency would be able to assess those assets, as it has personnel who possess SCI clearances. However, Defense Threat Reduction Agency officials told us that because of the greater access restrictions placed on SAP data, they are unlikely to gain access to the highly sensitive, mission-related information needed to perform vulnerability assessments on SAP assets.

SCI and SAP Vulnerability Assessments Do Not Include Key Risk Management Elements:

The significant differences in vulnerability assessments performed on SCI and SAP assets, as compared with those performed on collateral-level assets, impede DOD's ability to assure the availability of highly sensitive defense critical infrastructure. Table 2 compares DCIP assessment policies with those used for SCI and SAP assets.
Table 2: Comparison of DCIP, SCI, and SAP Vulnerability Assessment Policies:

Columns: DCIP: Mission assurance assessments; SCI: Information and physical security assessments; SAP: Information and physical security assessments.

Attribute: Periodic assessment is required; DCIP: [Check]; SCI: [Check]; SAP: [Check].
Attribute: Assets are prioritized according to criticality; DCIP: [Check]; SCI: [Empty]; SAP: [Empty].
Attribute: Assessment focuses on combatant command missions; DCIP: [Check]; SCI: [Empty]; SAP: [Empty].
Attribute: Assessment addresses all hazards; DCIP: [Check]; SCI: [Empty]; SAP: [Empty].
Attribute: Assessment has departmentwide visibility; DCIP: [Check]; SCI: [Empty]; SAP: [Empty].
Attribute: Assessment includes plans for redundancy; DCIP: [Check]; SCI: [Empty]; SAP: [Empty].
Attribute: Risk remediation actions must be reported; DCIP: [Check]; SCI: [Empty]; SAP: [Empty].

Source: GAO analysis of DOD data.
[End of table]

While DCIP risk management policies call for a mission-based, all-hazards approach for DOD's critical assets, the SCI Administrative Security Manual[Footnote 16]--DOD's primary guide for protecting SCI and SAP data and material[Footnote 17]--takes a contrasting approach that emphasizes the protection of information from unauthorized access. Specifically, the annual inspections of SCI and SAP facilities, conducted by program managers and the Defense Intelligence Agency, focus on information security rather than on mission assurance, and on human threats rather than on all potential hazards. These inspections are required to determine, for example, whether facilities regularly obtain threat assessments from a supporting law enforcement agency or counterintelligence office, but they are not required to verify the existence of threat assessments for natural disasters, accidents, public works or mechanical failure, or other diverse hazards. The manual also requires facilities to develop emergency action plans that outline policies, responsibilities, and procedures for protecting SCI and SAP material during emergencies. While these emergency action plans must consider a broad array of potential threats, they address only post-incident planning, and they do not discuss preventive measures, such as hardening facilities or enhancing redundancy. Unlike DCIP's critical asset policy, moreover, SCI and SAP policy contains no requirement that asset owners or operators report to ASD(HD&ASA) or another body the actions they have taken, as a result of vulnerability assessments, to assure the availability of their assets. These fundamental differences prevent DOD from applying consistent and comprehensive risk management across all of its critical assets.
DCIP Assessments Are Feasible for SCI, but Unlikely for SAP Assets:

Performing an infrastructure vulnerability assessment requires an understanding of the asset's mission and operating characteristics, which in the case of SCI or SAP assets is available only to authorized individuals. The Defense Threat Reduction Agency has assessment staff who possess SCI clearances, which has enabled it to perform non-DCIP assessments of SCI assets in the past. Therefore, it could also assess vulnerabilities of SCI assets as part of DCIP, should any unidentified SCI assets be identified as critical under the program. Officials at the Defense Intelligence Agency told us that its SCI facility inspection teams currently do not coordinate with the Defense Threat Reduction Agency's DCIP assessment teams, but could feasibly do so. Conversely, there have been no cases where Defense Threat Reduction Agency staff have been granted access to a SAP for the purpose of a vulnerability assessment, according to officials at the agency. Even if gaining access were possible, it might not be feasible. DOD officials responsible for SAP policy told us that the department operates more than 100 SAPs at any given time; vulnerability assessment staff would have to satisfy the individual access requirements of each SAP with critical infrastructure. Unless DOD develops a process for assessing SAP infrastructure that can satisfy DCIP standards and benchmarks while respecting the extraordinary sensitivity of SAP information, DOD will continue to lack sufficient information to make sound risk management decisions concerning critical SAP assets.

Conclusions:

DOD has taken significant steps toward identifying, prioritizing, and assessing vulnerabilities of the DOD- and non-DOD-owned infrastructure it relies on to plan, mobilize, deploy, execute, and sustain U.S. military operations globally.
Having a complete list of prioritized and assessed critical infrastructure will enable DOD to target limited resources to its most mission-critical assets at highest risk. However, DOD's current practice of limiting its data collection and analysis to collateral-level infrastructure has resulted in the exclusion of an undetermined number of critical SCI and SAP assets from the department's list of critical infrastructure. This exclusion creates risk management challenges, impeding DOD's ability to make informed decisions about potentially serious risks to core defense missions. Until DOD devises an integrated approach to identify, prioritize, and assess all of its critical infrastructure--collateral, SCI, and SAP assets--or develops parallel approaches that use mission-based, all-hazards criteria, DOD will lack the full awareness needed to assure mission success.

Recommendations for Executive Action:

To ensure that DOD adequately identifies, prioritizes, and assesses critical SCI and SAP infrastructure, we recommend that the Secretary of Defense direct ASD(HD&ASA) to take the following two actions:

* Develop a process to identify, prioritize, and assess all critical SCI and SAP assets in a manner consistent with DCIP standards. As one option, ASD(HD&ASA) could partner with the Defense Intelligence Agency and the SAP Central Office to compile separate lists of, and to perform mission-based, all-hazards vulnerabilities assessments on, critical SCI and SAP assets.

* Amend the DCIP Security Classification Guide to explicitly address the treatment of SCI and SAP information on critical asset lists.

Agency Comments:

In written comments on a draft of this report, DOD concurred with one recommendation and partially concurred with the other. DOD's comments are reproduced in full in enclosure I. DOD also provided us with technical comments, which we incorporated where appropriate.
DOD partially concurred with our recommendation to develop a process to identify, prioritize, and assess all critical SCI and SAP assets in a manner consistent with DCIP standards. In its comments, ASD(HD&ASA) stated that it has begun working with its counterparts in the Defense Intelligence Agency and the SAP Central Office to formalize such a process. ASD(HD&ASA) also indicated that it plans to work with the Defense Threat Reduction Agency and the Defense Intelligence Agency on methodologies for assessing SCI assets. We believe that these two coordination efforts are necessary initial steps toward comprehensive risk management of DOD's highly sensitive critical infrastructure, and are consistent with the intent of our recommendation. Regardless of what approach it ultimately devises, as we recommended, DOD should ensure that it identifies and prioritizes all mission-critical SCI and SAP assets, and that it employs a mission-based, all-hazards analysis in assessing the assets' vulnerabilities.

DOD concurred with our recommendation to amend the DCIP Security Classification Guide to explicitly address the treatment of SCI and SAP information on critical asset lists. In collaboration with the Defense Intelligence Agency and the SAP Central Office, ASD(HD&ASA) will issue interim guidance on this subject, and subsequently incorporate that guidance into a new DOD manual to supersede the Classification Guide.

As agreed with your offices, we are sending copies of this report to the Chairmen and Ranking Members of the Senate and House Committees on Appropriations, Senate and House Committees on Armed Services, and other interested congressional parties. We also are sending copies of this report to the Secretary of Defense; the Secretary of Homeland Security; the Director, Office of Management and Budget; and the Chairman of the Joint Chiefs of Staff. We will also make copies available to others upon request.
In addition, this report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov]. If you or your staff have any questions concerning this report, please contact me at (202) 512-5431 or by e-mail at dagostinod@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. GAO staff who made key contributions to this report are listed in enclosure II.

Signed by:

Davi M. D'Agostino:
Director: Defense Capabilities and Management:

Enclosures - 2:

[End of correspondence]

Enclosure I: Comments from the Department of Defense:

Assistant Secretary Of Defense:
Homeland Defense:
2600 Defense Pentagon:
Washington, DC 20301-2600:

Ms. Davi M. D'Agostino:
Director, Defense Capabilities and Management:
U.S. Government Accountability Office:
441 G Street, N.W.
Washington, DC 20548:

March 27, 2008:

Dear Ms. D'Agostino:

This is the Department of Defense (DOD) response to the GAO draft report, GAO-08-373R, "Defense Critical Infrastructure: DOD's Risk Analysis of Its Critical Infrastructure Omits Highly Sensitive Assets," dated February 28, 2008 (GAO Code 351157). DOD concurs with comment on both recommendations in the report. Our response to your recommendations is attached. Our point of contact for this action is Mr. Antwane Johnson, Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (OASD (HD&ASA)), (703) 602-5730, Extension 143 or Antwane.Johnson@osd.mil.
Sincerely,

Signed by:

Paul McHale:

Attachment: As stated:

GAO Draft Report – Dated February 28, 2008:
GAO CODE 351157/GAO-08-373R:

"Defense Critical Infrastructure: DOD's Risk Analysis of Its Critical Infrastructure Omits Highly Sensitive Assets"

Department Of Defense Comments To The Recommendations:

Recommendation 1: The GAO recommends that the Secretary of Defense direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD(HD&ASA)) to develop a process to identify, prioritize, and assess all critical Sensitive Compartmented Information (SCI) and Special Access Program (SAP) assets in a manner consistent with the Defense Critical Infrastructure Program (DCIP) standards. As one option, ASD(HD&ASA) could partner with the Defense Intelligence Agency and the SAP Central Office to compile separate lists of, and to perform mission-based, all-hazards vulnerabilities assessments on, critical SCI and SAP assets.

DOD Response: Partially concur with comment. The DCIP Office is working with its counterparts in the Defense Intelligence Agency and the SAP Central Office to formalize a process that ensures that all critical Sensitive Compartmented Information (SCI) and Special Access Program (SAP) assets are identified, prioritized, and assessed by DOD as part of a comprehensive approach to risk management. The Intelligence, Surveillance, and Reconnaissance (ISR) Sector, an oversight body reporting to the Director, Defense Intelligence Agency (DIA), has developed a list of SCI assets. The list of over 80 SCI assets was developed, coordinated, and approved by the membership of the ISR Sector Working Group, which includes the national agencies (National Security Agency (NSA), National Reconnaissance Office (NRO), and National Geospatial Intelligence Agency (NGA)), DIA, the Service intelligence activities, and Combatant Command J2 staffs. This aggregate list of prioritized SCI assets, classified at the TS/SCI level, is being managed by DIA.
As acknowledged by GAO, the Defense Threat Reduction Agency (DTRA) has an assessment staff who possess SCI clearances. DTRA has conducted Baseline Survivability Assessments (BSAs) and Full Spectrum Survivability Vulnerability Assessments (FSIVAs) at a variety of ISR Sector SCI assets including, among others, the national and defense intelligence agencies, the National Military Joint Intelligence Center (NMJIC), and several of the Command Headquarters, including their Intelligence Staff (J2). The DCIP Office will coordinate with DTRA and the ISR Sector regarding assessment methodologies.

Recommendation 2: The GAO recommends that the Secretary of Defense direct the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD(HD&ASA)) to amend the DCIP Security Classification Guide to explicitly address the treatment of Sensitive Compartmented Information and Special Access Program information on critical asset lists.

DOD Response: Concur with comment. The DCIP Office, in collaboration with the DIA and the SAP Central Office, will develop processes and procedures to explicitly address the treatment of Sensitive Compartmented Information and Special Access Program information on critical asset lists. OASD(HD&ASA) will issue interim guidance regarding the handling of SCI and SAP information on critical assets. This guidance will then be incorporated into a new DOD manual that will supersede the DCIP Security Classification Guide.

[End of enclosure 1]

Enclosure II: GAO Contact and Staff Acknowledgments:

GAO Contact: Davi M. D'Agostino, (202) 512-5431 or dagostinod@gao.gov:

Acknowledgments: In addition to the contact named above, Mark A. Pross, Assistant Director; Jonathan K. Bateman; Katherine S. Lenane; Danielle S. Pakdaman; Terry L. Richardson; Marc J. Schwartz; and Cheryl A. Weissman made key contributions to this report.

[End of enclosure 2]

Footnotes:

[1] Earlier programs analogous to DCIP can be traced back to 1998.
ASD(HD&ASA) has been responsible for developing and ensuring implementation of critical infrastructure protection policy and program guidance since September 2003.

[2] Department of Defense, The National Defense Strategy of the United States of America (Washington, D.C.: March 2005). The National Defense Strategy outlines DOD's approach to the defense of the nation and its interests, establishing four strategic objectives: (1) secure the United States from direct attack, (2) secure strategic access and retain global freedom of action, (3) strengthen alliances and partnerships, and (4) establish favorable security conditions.

[3] SCI is classified information concerning or derived from intelligence sources, methods, or analytical processes that is required to be handled within formal access control systems established by the Director of National Intelligence.

[4] Executive Order 12958 states that a SAP shall be established only when the program is required by statute or upon a specific finding that the vulnerability of, or threat to, specific information is exceptional, and the normal criteria for determining eligibility for access to information classified at the same level is insufficient to protect the information from unauthorized disclosure. SAPs impose safeguarding and access requirements exceeding those normally required for collateral information at the same level of classification. Collateral-level information is information identified as national security information (Confidential, Secret, or Top Secret) but not subject to enhanced security protection required for SCI or SAP information.

[5] GAO, Defense Infrastructure: Actions Needed to Guide DOD's Efforts to Identify, Prioritize, and Assess Its Critical Infrastructure, GAO-07-461 (Washington, D.C.: May 24, 2007).

[6] GAO, Defense Infrastructure: Management Actions Needed to Ensure Effectiveness of DOD's Risk Management Approach for the Defense Industrial Base, GAO-07-1077 (Washington, D.C.: Aug. 31, 2007).

[7] The geographic combatant commands are the U.S. Central Command, U.S. European Command, U.S. Northern Command, U.S. Pacific Command, and U.S. Southern Command. (A sixth geographic combatant command, the U.S. Africa Command, remains subordinate to the European Command and, therefore, was not examined separately for this report.) The functional combatant commands are the U.S. Joint Forces Command, U.S. Special Operations Command, U.S. Strategic Command, and U.S. Transportation Command.

[8] Homeland Security Presidential Directive 7, issued in December 2003, requires, among other things, that all federal departments and agencies identify, prioritize, and coordinate the protection of critical infrastructure and key resources from terrorist attacks. DCIP encompasses the full spectrum of threats--ranging from terrorist attacks to natural disasters and catastrophic accidents--that can adversely affect critical defense infrastructure.

[9] Draft DOD Instruction 3020.nn Defense Critical Infrastructure Program (DCIP) Management, undated.

[10] In addition to the Defense Threat Reduction Agency and asset owners, the Defense Contract Management Agency and the National Guard also conduct DCIP assessments on defense industrial base assets using the same methodology.

[11] ASD(HD&ASA), Defense Critical Infrastructure Program Assessment Standards and Benchmarks (May 30, 2006).

[12] ASD(HD&ASA), Defense Critical Infrastructure Program (DCIP) Security Classification Guide (May 15, 2007) (For Official Use Only).

[13] DOD, Department of Defense Overprint to the National Industrial Security Program Operating Manual Supplement (April 1, 2004). Executive Order 12958, as amended, calls for agency heads to establish and maintain systems of accounting for the SAPs created under their authority.

[14] GAO-07-1077.

[15] ASD(HD&ASA), Critical Asset Identification Process (draft) (September 1, 2007).
[16] DOD 5105.21-M-1, Sensitive Compartmented Information Administrative Security Manual, Defense Intelligence Agency (August 3, 1998) (For Official Use Only).

[17] DOD officials responsible for SAP policy told us that SCI security standards, including the SCI Administrative Security Manual, are used to determine the baseline measures required to safeguard SAPs. The standards are then supplemented by measures described in the program security guides of each individual SAP.

[End of section]

The Justia Government Accountability Office site republishes public reports retrieved from the U.S. GAO. These reports should not be considered official, and do not necessarily reflect the views of Justia.