Defense Infrastructure: Management Actions Needed to Ensure	 
Effectiveness of DOD's Risk Management Approach for the Defense  
Industrial Base (31-AUG-07, GAO-07-1077).			 
                                                                 
The U.S. military relies on the defense industrial base (DIB) to 
meet requirements to fulfill the National Military Strategy. The 
potential destruction, incapacitation, or exploitation of	 
critical DIB assets by attack, crime, technological failure,	 
natural disaster, or man-made catastrophe could jeopardize the	 
success of U.S. military operations. GAO was asked to review the 
Department of Defense's (DOD) Defense Critical Infrastructure	 
Program and has already reported that DOD has not developed a	 
comprehensive management plan for its implementation. This, the  
second GAO report, has (1) determined the status of DOD's efforts
to develop and implement a risk management approach to ensure the
availability of DIB assets, and (2) identified challenges DOD	 
faces in its approach to risk management. GAO analyzed plans,	 
guidance, and other documents on identifying, prioritizing, and  
assessing critical domestic and foreign DIB assets and held	 
discussions with DOD and contractor officials.			 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-07-1077					        
    ACCNO:   A75490						        
  TITLE:     Defense Infrastructure: Management Actions Needed to     
Ensure Effectiveness of DOD's Risk Management Approach for the	 
Defense Industrial Base 					 
     DATE:   08/31/2007 
  SUBJECT:   Critical infrastructure protection 		 
	     Defense industry					 
	     Defense procurement				 
	     Department of Defense contractors			 
	     Military procurement				 
	     Risk assessment					 
	     Risk management					 
	     Strategic planning 				 
	     Program implementation				 
	     Defense Critical Infrastructure Program		 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-07-1077

   

     * [1]Results in Brief
     * [2]Background
     * [3]DOD Has Begun Developing and Implementing a Risk Management

          * [4]DCMA Has Taken Steps to Identify Critical Assets
          * [5]DCMA Has Been Developing an Asset Prioritization Model
          * [6]DCMA Has Established a Standardized Vulnerability Assessment
          * [7]ASD(HD&ASA) Has Been Developing a Remediation Guide

     * [8]DOD Will Need to Address Several Key Challenges in Implement

          * [9]Critical Asset List Does Not Yet Have Comprehensive Mission-
          * [10]DCMA's Prioritization Model Has Not Yet Been Reviewed and Do

               * [11]Model Has Not Yet Had External Technical Review
               * [12]Needed Contractor-Specific Data Are Missing
               * [13]Model Does Not Yet Incorporate Comprehensive Threat
                 Informat

          * [14]Vulnerability Assessments Are Being Conducted without Benefi
          * [15]DCMA Does Not Yet Have a Plan for Assessing Foreign DIB Crit

     * [16]Conclusions
     * [17]Recommendations for Executive Action
     * [18]Agency Comments and Our Evaluation
     * [19]GAO Contact
     * [20]Acknowledgments
     * [21]GAO's Mission
     * [22]Obtaining Copies of GAO Reports and Testimony

          * [23]Order by Mail or Phone

     * [24]To Report Fraud, Waste, and Abuse in Federal Programs
     * [25]Congressional Relations
     * [26]Public Affairs

Report to Congressional Requesters

United States Government Accountability Office

GAO

August 2007

DEFENSE INFRASTRUCTURE

Management Actions Needed to Ensure Effectiveness of DOD's Risk Management
Approach for the Defense Industrial Base

GAO-07-1077

Contents

Letter 1

Results in Brief 5
Background 8
DOD Has Begun Developing and Implementing a Risk Management Approach to
Ensure the Availability of the DIB 11
DOD Will Need to Address Several Key Challenges in Implementing Its DIB
Risk Management Approach 18
Conclusions 26
Recommendations for Executive Action 26
Agency Comments and Our Evaluation 27
Appendix I Scope and Methodology 30
Appendix II Comments from the Department of Defense 33
Appendix III GAO Contact and Staff Acknowledgments 37

Tables

Table 1: A Summary of DOD's Efforts in Identifying and Assessing Critical
DIB Assets as of June 1, 2007 12
Table 2: DCMA Criteria Used to Identify Important and Critical DIB Assets
13
Table 3: DCMA's Asset Prioritization Model Factors, Weighting Factors, and
Factor Classification 13
Table 4: Assessments Planned during Fiscal Years 2007 to 2012 16

Figure

Figure 1: Operations and Maintenance Funding for DIB Activities for Fiscal
Years 2004 to 2007 and Programmed Funding for Fiscal Years 2008 to 2013 10

Abbreviations

ASD-HD Assistant Secretary of Defense for Homeland Defense
ASD(HD&ASA) Assistant Secretary of Defense for Homeland Defense and
  Americas' Security Affairs
CBRNE Chemical/biological/radiological/nuclear/explosive
CIP-MAA Critical Infrastructure Program--Mission Assurance Assessment
DCIP Defense Critical Infrastructure Program
DCMA Defense Contract Management Agency
DHS Department of Homeland Security
DIA Defense Intelligence Agency
DIB Defense Industrial Base
DOD Department of Defense
DSS Defense Security Service
DTRA Defense Threat Reduction Agency
FBI Federal Bureau of Investigation
HSPD-7 Homeland Security Presidential Directive 7
MSA Metropolitan Statistical Area
OSD Office of the Secretary of Defense
PCII Protected Critical Infrastructure Information
USD(AT&L) Undersecretary of Defense for Acquisition, Technology, and
Logistics
USD(P) Under Secretary of Defense for Policy

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

United States Government Accountability Office
Washington, DC 20548

August 31, 2007

The Honorable Solomon P. Ortiz
Chairman
The Honorable Jo Ann Davis
Ranking Member
Subcommittee on Readiness Committee on Armed Services
House of Representatives

The Honorable W. Todd Akin
House of Representatives

The U.S. military relies on the defense industrial base (DIB) to meet
military requirements to fulfill the National Military Strategy. The DIB
is the government and private-sector worldwide industrial complex with
capabilities to perform research and development and design, produce, and
maintain military weapons systems, subsystems, components, and parts. The
DIB comprises hundreds of thousands of industrial sites, and the
preponderance of the DIB is privately owned and includes businesses of all
sizes. The potential destruction, incapacitation, or exploitation of
critical DIB assets by terrorist attack, criminal activity, technological
failure, natural disaster, or man-made catastrophe could jeopardize the
success of U.S. military operations. For example, reliance on a single
source contractor having the unique capability to make an industrial part
or material critical to a mission could significantly affect warfighter
operations if that material were not available because of a flood at the
site of the manufacturing facility.

Homeland Security Presidential Directive 7 (HSPD-7),^1 issued in December
2003, designates the Secretary of the Department of Homeland Security
(DHS) as the principal federal official to lead, integrate, and coordinate
the implementation of efforts among the federal departments and agencies,
state and local governments, and the private sector to protect the
nation's critical infrastructure and key resources.

^1Homeland Security Presidential Directive 7 (Washington D.C., Dec. 17,
2003).

In addition, the Homeland Security Act of 2002 and HSPD-7 directed DHS to
produce a national plan for critical infrastructure and key resources
protection. DHS issued the National Infrastructure Protection Plan on June
30, 2006. This plan provides the framework for developing, implementing,
and maintaining a coordinated national effort. The plan also identifies 17
infrastructure and key asset sectors, and it designates one or more lead
federal agencies--referred to as "sector-specific agencies"--for each
sector. For example, DHS is the sector-specific agency for 10 of the 17
sectors, including information technology, transportation, and chemicals;
the Department of Health and Human Services is the sector-specific agency
for public health and healthcare; and the Department of Defense (DOD) is
the sector-specific agency for the DIB. Sector-specific agencies are
responsible for, among other things, collaborating with all relevant
federal, state, and local governments and the private sector; encouraging
risk management strategies; and conducting or facilitating vulnerability
assessments of their sector.

The cornerstone of the National Infrastructure Protection Plan is its
risk-management framework, which establishes priorities based on risk and
calls for protection and business continuity initiatives that provide the
greatest mitigation of risk. The National Infrastructure Protection Plan
also requires each of the sector-specific lead agencies to submit a plan
outlining its approach, following guidance established by DHS, by December
2006.

Within DOD, the Office of the Assistant Secretary of Defense for Homeland
Defense and Americas' Security Affairs (ASD[HD&ASA]), serves as the
principal civilian advisor to the Secretary of Defense on the
identification, prioritization, and protection of DOD's defense critical
infrastructure.^2 DOD Directive 3020.40, issued in August 2005, updates
DOD policy and assigns responsibilities for DOD's Defense Critical
Infrastructure Program (DCIP), incorporating guidance from HSPD-7. This
directive assigns defense sector lead agents for 10 sectors within the
DCIP, 1 of which is the DIB.^3 For DOD's efforts relating to the DIB as
critical infrastructure, the Under Secretary of Defense for Acquisition,
Technology, and Logistics (USD[AT&L]), in coordination with the Under
Secretary of Defense for Policy (USD[P]), integrates DCIP policies with
acquisition, technology, and logistics policy guidance; identifies
vulnerabilities in technologies relied upon by DOD critical infrastructure
and develops countermeasures; and provides coordination, guidance, and
monitoring. The Defense Contract Management Agency (DCMA) is designated
the sector lead agent for the DIB.

^2The Office of the Under Secretary of Defense for Policy was reorganized
in December 2006. This reorganization included, among other things, the
Office of the Assistant Secretary of Defense for Homeland Defense being
renamed the Office of the Assistant Secretary of Defense for Homeland
Defense and Americas' Security Affairs. Hereafter, this office is referred
to by its current name.

^3The 10 defense sectors are defense industrial base; financial services;
global information grid; intelligence, surveillance, and reconnaissance;
space; health affairs; logistics; personnel; public works; and
transportation.

Recognizing that it is not feasible to protect its entire infrastructure
against every possible threat, the umbrella DCIP pursues a risk-management
approach to prioritize resources and operational requirements in its DIB
efforts. As we have previously reported,^4 risk management is a
systematic, analytical process to consider the likelihood that a threat
will harm critical assets and then to identify actions to reduce the risk
and mitigate the potential consequences of the threat. While risk
generally cannot be eliminated, it can be reduced by taking actions such
as establishing backup systems to protect against or reduce the effect of
an incident. DOD's risk management approach is based on assessments of
threats, vulnerabilities, and criticality, and requires DCMA to identify
and prioritize its most critical assets, assess vulnerabilities, and
identify remediation requirements. At the same time, DOD is identifying
its mission-essential tasks. It expects this identification to help
clarify the criticality of key assets for accomplishing its missions.

You asked that we review a number of issues related to DOD's DCIP. To
address them, we committed to issuing two reports in response to your
request. Our first report, issued in May 2007, examined the extent to
which DOD has developed a comprehensive management plan and the actions
needed to guide its efforts to identify, prioritize, and assess non-DIB
sectors in its critical infrastructure under DCIP. ^5 We found that DOD
had taken some important steps to implement DCIP, but it had not developed
a comprehensive management plan containing key elements, including the
development and issuance of guidance, the coordination of stakeholders'
efforts, and the identification of resource requirements and sources to
guide its efforts.^6 We recommended that DOD develop and implement such a
plan and, among other things, assist the defense sector lead agents in
identifying, prioritizing, and funding the DCIP, including developing
funding requirements through the regular budgeting process. DOD concurred
with all of our recommendations.

^4GAO, Homeland Security: Key Elements of a Risk Management Approach,
[27]GAO-02-150T (Washington, D.C.: Oct. 12, 2001); Defense Infrastructure:
Actions Needed to Guide DOD's Efforts to Identify, Prioritize, and Assess
Its Critical Infrastructure, [28]GAO-07-461 (Washington, D.C.: May 24,
2007).

^5 [29]GAO-07-461 .

For this second report, we (1) determined the status of DOD's efforts to
develop and implement a risk management approach to ensure the
availability of DIB assets to support mission-essential tasks; and (2)
identified challenges DOD faces in its approach to risk management in the
DIB sector.

To examine the status of DOD's efforts to develop and implement a risk
management approach, we reviewed the DIB sector-specific and sector
assurance plans and other studies; and discussed with DOD officials the
requirements for a risk management plan for the DIB and the status of
DOD's implementation of the approach. We also reviewed and discussed
information on DCMA's efforts to identify, assess, and remediate critical
DIB assets; the criteria DCMA established and used to identify important
DIB assets and critical DIB assets; the asset prioritization model and the
factors used to rank order the critical assets; the standardized mission
assurance assessment process for critical DIB assets; and the remediation
planning guidance for the DCIP generally, including the guidance being
developed for the DIB. We also examined standards developed for
vulnerability assessments to be done at contractor facilities and met with
the National Guard Bureau and one of the state National Guard teams that
conducts DIB sector vulnerability assessments.

To examine the challenges faced by DOD in developing and implementing its
approach, we compared the policies for identifying mission-essential tasks
and related defense critical assets with DCMA's approach to identifying a
critical DIB asset list; and examined the development and use of DCMA's
asset prioritization model, including requirements for models to undergo
external technical review and methods used to obtain contractor-specific
data as needed input into the model. We reviewed and discussed with each
of the services their DCIP efforts related to the DIB, including their
responses to DCMA regarding its requests for the services to update the
important and critical DIB asset lists. Also, we discussed with several
DOD intelligence agency officials the threats to the DIB and the
availability of specific threat information to DCMA. We discussed with
DCMA officials the challenges that they have encountered as they have
begun working with private sector contractors; and efforts to encourage
private-sector DIB contractors to participate in the program. We also
spoke with a non-probability sample of DIB contractor officials and asked
them generally about their willingness to participate in the program. We
discussed with DOD officials and these contractor officials the
availability of data on foreign contractors. Their comments are not
generalizable to a larger population. Lastly, we determined the extent to
which DCMA has identified metrics with time frames for completing
development of the risk-based management process. A more thorough
description of our scope and methodology is provided in appendix I. We
conducted our work between August 2006 and June 2007 in accordance with
generally accepted government auditing standards.

^6See, for example, GAO, Military Readiness: Navy's Fleet Response Plan
Would Benefit from a Comprehensive Management Approach and Rigorous
Testing, [30]GAO-06-84 (Washington, D.C.: Nov. 22, 2005); as well as GAO,
Standards for Internal Control in the Federal Government,
[31]GAO/AIMD-00-21.3.1 (Washington, D.C.: November 1999), which emphasizes
the importance of such a plan to guide program implementation.

Results in Brief

DOD has developed and begun implementing a risk management approach, as
called for in the National Infrastructure Protection Plan, to ensure the
availability of critical DIB assets needed to support mission essential
tasks, though implementation is still in an early stage. The approach
comprises two plans. First, the DIB sector assurance plan, issued in May
2005 and updated in May 2007, outlines an approach for identifying
vulnerabilities, risks, and effect on business; implementing remediation
and mitigation strategies; and managing consequences to ensure continuity
of operations. Second, the DIB sector-specific plan, submitted in December
2006, outlines DOD's approach to executing its sector-specific
responsibilities, follows guidance established by DHS, and complements
other DOD critical infrastructure policy. It focuses efforts on assets,
systems, networks, and functions that, if damaged, would result in
unacceptable consequences to the DOD mission, national economic security,
public health and safety, or public confidence. The sector assurance plan
provides a coordinated strategy for managing risk at DIB critical asset
sites located throughout the world and describes a risk management
approach and plans for the DIB. It focuses on steps to (1) identify a
critical asset list; (2) prioritize the critical assets on that list; (3)
perform vulnerability assessments on high-priority critical assets; and
(4) encourage contractors' actions to remediate or mitigate adverse
effects found during these assessments, as appropriate, to ensure
continuity of business operations. In implementing the sector assurance
plan, DCMA has taken actions in each of these four areas. It has developed
a process to identify the most important DIB assets and to narrow this
list to those it considers critical using a tiered approach that enables
identification of important capabilities and critical assets from the
hundreds of thousands of entities constituting the DIB. It has developed
an asset prioritization model for determining a criticality score and
ranking critical assets, thus providing a mechanism for allocating the
resources available to those critical assets assessed to be most
vulnerable. It has established a standardized mission assurance
vulnerability assessment process for critical DIB assets and, as of June
1, 2007, had completed eight assessments for which reports had been
issued. Lessons learned from these assessments have been incorporated into
training for the assessments scheduled for fiscal year 2007. Concurrently,
ASD(HD&ASA) has been developing a remediation planning guide for the DCIP.
The planning guide calls for an effective plan of action and milestones
focusing on a remediation strategy to be developed as soon as feasible
following the risk assessment. The planning guide includes a chapter
focused on DIB remediation, but states that the remediation measures for
the DIB focus on facilitating relationships and sharing information to
implement the appropriate level of protection and does not suggest any
time frames because of the voluntary nature of the DIB participation in
the DCIP.

DOD faces several key challenges in implementing its DIB risk management
approach and will need to address them to ensure that its approach is
sound and its progress can be measured. First, DCMA is not currently
obtaining comprehensive information from all of the combatant commands and
services needed to develop a critical asset list that is linked to DOD's
mission-essential tasks. Second, DCMA's prioritization model has not yet
undergone external technical review, lacks needed contractor-specific
data, and lacks comprehensive threat information. Third, DCMA is
conducting its vulnerability assessments of contractors without regard for
their prioritization rankings. Fourth, DOD lacks a plan for identifying
and addressing challenges in assessing vulnerabilities in foreign DIB
critical assets. More specifically:

           o Both the 2006 DIB critical asset list and the list in
           development for 2007 do not reflect data from all the combatant
           commands and services using mission-essential task information.
           The DOD risk management approach calls for identifying DIB assets
           critical to supporting combatant commanders' mission-essential
           tasks that would result in DOD-wide mission failure if the asset
           were to be damaged, degraded, or destroyed. DOD has not
           established a plan with targets and time frames for identifying
           all of the mission-essential tasks for all of the services.
           o Our analysis of the model revealed that weighting factors were
           selected and much of the input data were determined according to
           subjective decisions made with only limited review. Furthermore,
           the model does not distinguish between contractors who are marked
           as high risk by default for lack of data, and those for whom data
           exist and corroborate that designation. DOD collects open-source
           and in-house statistical data on contractor operations, but it
           lacks some needed contractor-specific information from the DIB
           contractors on their operations for use in the model. DCMA has
           undertaken two surveys to obtain these needed data and is planning
           a third survey. However, these collection efforts did not receive
           high response rates, and they yielded problematic data quality.
           Currently, DCMA lacks a detailed plan for improving response rates
           and data quality in its next survey. In addition, DCMA does not
           yet receive or have procedures to obtain comprehensive threat
           information from appropriate intelligence agencies, including DHS,
           the Federal Bureau of Investigation (FBI), and others, needed to
           enable it to accurately prioritize DIB assets. The absence of
           threat information from the appropriate intelligence agencies
           undermines the utility of the index score for prioritizing
           contractors.
           o DCMA is conducting its vulnerability assessments on critical DIB
           assets according to contractor accessibility and security
           clearance status, without regard for those assets' respective
           prioritization model rankings. The DOD risk management approach
           calls for DCMA to schedule and conduct its vulnerability
           assessments on the critical DIB assets based upon their respective
           rankings as validated in the asset prioritization model.
           o DCMA has not yet established a plan to address the potential
           challenges inherent in obtaining data from and assessing
           vulnerabilities of critical foreign contractors. In order to do
           so, DCMA needs to coordinate with other agencies, such as the
           Department of State, to develop strategies to better ensure that
           foreign contractor vulnerabilities can be identified and
           addressed. DCMA has not conducted any vulnerability assessments of
           foreign contractors, but has begun to take steps in examining this
           issue.

           This report makes recommendations that DOD take specific actions
           to implement its risk management framework by: (1) developing a
           comprehensive DIB critical asset list that includes the services'
           mission-essential task information as well as data based on
           current DCMA criteria; (2) ensuring that its asset prioritization
           model is reliable by obtaining external technical review, needed
           contractor-specific data, and comprehensive threat information;
           (3) conducting vulnerability assessments of critical contractors
           based on their rankings according to the asset prioritization
           model; and (4) preparing a plan to collaborate with appropriate
           agencies to develop options to better ensure that foreign
           contractor vulnerabilities can be identified and addressed. In
           written comments on the draft report, DOD partially concurred with
           all of our recommendations. In its response, DOD cited actions it
           planned to take that are generally responsive to our
           recommendations. DOD also provided us with technical comments,
           which we incorporated in the report, as appropriate. DOD's
           response is reprinted in appendix II.
			  
			  Background

           According to DOD's Strategy for Homeland Defense and Civil
           Support, dated June 2005, without the important contributions of
           the private sector, DOD cannot effectively execute its core
           defense missions. Private industry manufacturers provide the
           majority of equipment, materials, services, and weapons for the
           U.S. armed forces. The President designated DOD as the
           sector-specific agency for the DIB. In this role, DOD is
           responsible for collaborating with all relevant federal
           departments and agencies, state and local governments, and the
           private sector; encouraging risk management strategies; and
           conducting or facilitating vulnerability assessments of the DIB as
           set forth in HSPD-7.

           In executing these responsibilities, the Secretary of Defense
           requires a network of organizations with diverse roles and
           missions. Key participants in the network include the following:

           o The Undersecretary of Defense for Acquisition, Technology, and
           Logistics, USD(AT&L), who is responsible for, among other things,
           integrating DCIP policies into acquisition, procurement, and
           installation policy guidance and for coordinating with ASD(HD&ASA)
           to ensure DCIP-related guidance is developed and implemented, and
           that system providers remediate vulnerabilities identified prior
           to system fielding or deployment.
           o ASD(HD&ASA), which serves as the principal civilian advisor to
           the Secretary of Defense on the identification, prioritization,
           and protection of DOD's critical infrastructure. ASD(HD&ASA)
           assigned responsibility for the DCIP, including DIB
           sector-specific agency responsibilities, to the Director for
           Critical Infrastructure Protection under the Deputy Assistant
           Secretary of Defense for Crisis Management and Defense Support to
           Civil Authorities. The DCIP office provides policy, program
           oversight, integration, and coordination of activities.
           o DCMA, which is the defense sector lead agent responsible for the
           coordination and oversight of DCIP matters pertaining to the DIB
           because of DCMA's established working relationship with DIB
           owners/operators. DCMA responsibilities include planning and
           coordinating with all DOD components and private-sector partners
           that own or operate elements of the DIB.
           o Private-sector owners, operators, and organizations; and other
           federal departments and agencies, including DHS, the FBI, and the
           Departments of Energy, Commerce, the Treasury, and State. It also
           includes state and local agencies, international organizations,
           and foreign countries.

           Under Homeland Security Presidential Directive 7, federal
           departments and agencies are to identify, prioritize, and
           coordinate the protection of critical infrastructure and key
           resources in order to prevent, deter, and mitigate the effects of
           deliberate efforts to destroy, incapacitate, or exploit the
           infrastructure and resources; and they are to work with state and
           local governments and the private sector to accomplish this
           objective. Sector-specific agencies, among other things, are to
           encourage risk management strategies to protect against and
           mitigate the effect of attacks against critical infrastructure and
           key resources.

           DOD's risk management approach is based on assessing threats,
           vulnerabilities, criticalities, and the ability to respond to
           incidents. Threat assessments identify and evaluate potential
           threats on the basis of capabilities, intentions, and past
           activities. Vulnerability assessments identify potential
           weaknesses that may be exploited and recommend options to address
           those weaknesses. Criticality assessments evaluate and prioritize
           contractors on the basis of their importance to mission success.
           These assessments help prioritize limited resources and thus, if
           implemented properly, would reduce the expense of resources on
           lower-priority contractors. DOD's risk management approach also
           includes an assessment of the ability to respond to, and recover
           from, an incident.

           ASD(HD&ASA) officials said it provided research and development
           funding for program development in fiscal years 2005 and 2006 of
           $550,000 and $675,000, respectively. It did not provide research
           and development funding to DCMA in 2007 and said it did not intend
           to provide any during the period of fiscal years 2008 to 2013.
           They said that for operations and maintenance, DOD funded the
           program at about $1.1 million and $1.0 million in fiscal years
           2004 and 2005, respectively; and $2.5 million and $2.0 million in
           fiscal years 2006 and 2007, respectively. DOD plans to increase
           operations and maintenance funding to about $8.3 million in fiscal
           year 2008, about $9.4 million in 2009, and about $10.1 million in
           2010 before decreasing it to about $8.8-$8.7 million in subsequent
           fiscal years through fiscal year 2013. In January 2007, the Joint
           Requirements Oversight Council, chaired by the Vice Chairman of
           the Joint Chiefs of Staff, approved the National Guard Critical
           Infrastructure Program--Mission Assurance Assessment (CIP-MAA)
           capability for the DIB. The council agreed that the services will
           provide funding to meet the requirements for fiscal years
           2008-2013, and it endorsed the National Guard as the overall lead
           agency to implement the CIP-MAA. The operations and maintenance
           funding is summarized in figure 1.

           Figure 1: Operations and Maintenance Funding for DIB Activities
           for Fiscal Years 2004 to 2007 and Programmed Funding for Fiscal
           Years 2008 to 2013
			  
			  DOD Has Begun Developing and Implementing a Risk Management Approach
			  to Ensure the Availability of the DIB

           DOD has begun developing and implementing a risk management
           approach to ensure the availability of DIB assets needed to
           support mission-essential tasks, though implementation is still at
           an early stage. The approach comprises two plans. First, the DIB
           sector assurance plan, issued in May 2005 and updated in May 2007,
           outlines an approach for identifying vulnerabilities, risks, and
           effect on business; implementing remediation and mitigation
           strategies; and managing consequences to ensure continuity of
           operations.^7 Second, the DIB sector-specific plan, submitted in
           December 2006, outlines DOD's approach to executing its
           sector-specific responsibilities, follows guidance established by
           DHS, and complements other DOD critical infrastructure policy.^8
           It focuses efforts on assets, systems, networks, and functions
           that, if damaged, would result in unacceptable consequences to the
           DOD mission, national economic security, public health and safety,
           or public confidence. The sector assurance plan provides a
           coordinated strategy for managing risk at DIB critical asset sites
           located throughout the world and describes a risk management
           approach and plans for the DIB. It focuses on steps to (1)
           identify a critical asset list; (2) prioritize the critical assets
           on that list; (3) perform vulnerability assessments on
           high-priority critical assets; and (4) encourage contractors'
           actions to remediate or mitigate adverse effects found during
           these assessments, as appropriate, to ensure continuity of
           business operations.

           DOD depends on the DIB to accomplish its work in support of
           military missions. The absence or unavailability of some assets
           designated as critical DIB assets, and the products and services
           these assets produce, could cause military mission failure. To
           identify DIB critical assets, DCMA industrial analysts and other
           DOD personnel compiled a list of approximately 900 important
           defense contractor assets, and then narrowed this number by using
           another set of criteria. DCMA has also developed an asset
           prioritization model for determining a criticality score and
           ranking critical assets, from highest to lowest risk. It has
           established a standardized mission assurance vulnerability
           assessment process for critical DIB assets, and as of June 1,
           2007, had completed and issued reports for eight assessments and
           had three other assessments in process. ASD(HD&ASA) is developing
           guidance to provide a standardized process for determining,
           planning, and implementing remediation actions for DOD personnel
           involved in remediating risks and supporting overall DOD mission
           assurance. Table 1 provides a summary of the current number of
           important and critical DIB assets identified and the number of
           contractors assessed.
			  
^7DOD, Assistant Secretary of Defense for Homeland Defense (ASD [HD&ASA]),
Defense Industrial Base (DIB) Defense Infrastructure Sector Assurance Plan
(DISAP) (Washington, D.C., May 2, 2005); DOD, Defense Industrial Base
Defense Sector Assurance Plan (Washington, D.C., May 14, 2007).

^8DOD, Sector Specific Plan for the Defense Industrial Base (Washington,
D.C., Dec. 27, 2006).

           Table 1: A Summary of DOD's Efforts in Identifying and Assessing
           Critical DIB Assets as of June 1, 2007
			  
                                     Critical contractors
DIB assets Important contractors Domestic Foreign Total 
Identified                   900      194       9   203 
Assessed^a                              8       0     8 

           Source: GAO analysis of DCMA data.

           aThe number of contractors assessed does not include 5 that were
           completed prior to DCMA's pilot program being established.
			  
			  DCMA Has Taken Steps to Identify Critical Assets

           DCMA has developed a process to identify the most important DIB
           assets and to narrow this list to those it considers critical
           using a tiered approach that enables identification of important
           capabilities and critical assets from the hundreds of thousands of
           entities constituting the DIB. The collection of data on each
           entity within the DIB was considered neither practical nor an
           effective use of limited resources, so DCMA focused on reducing
           the magnitude of assets to a manageable number through the use of
           government DIB subject-matter experts. DCMA has developed a
           process to identify the most important DIB assets and to narrow
           this list to those it considers critical. The criteria used for
           both lists are shown below in table 2.
			  
Table 2: DCMA Criteria Used to Identify Important and Critical DIB Assets

"Important" if they satisfy one or    "Critical" if they satisfy one or    
more of the following criteria:       more of the following criteria:      
o They are a sole source.             o They are a prime or subcontractor  
                                         single source with unique technology 
o They use obsolete/enabling/emerging or industrial capability that could  
technology.                           significantly affect warfighter      
                                         operations due to nonavailability of 
o They require a long lead time.      material.                            
                                                                              
o They lack surge production.         o They are a prime contractor with   
                                         capabilities that support numerous   
o They have a significant cost        programs or industries.              
escalation.                                                                
                                         o They are a single source           
                                         subcontractor with a long            
                                         requalification time that supports   
                                         numerous programs across the         
                                         services.                            
                                                                              
                                         o They are an essential advanced     
                                         technology source.                   

Source: DCMA.

The critical asset list is reviewed, updated, and approved annually. DCMA
identifies potential assets meeting the criteria, and the military
services and defense agencies then validate and update the list. DCMA
reviews and validates the updated list and prioritizes it using the asset
priority model. DCMA then coordinates with senior acquisition executives
and submits the revised critical asset list for approval to the Deputy
Under Secretary of Defense for Industrial Policy, USD(AT&L), and
ASD(HD&ASA).

DCMA Has Been Developing an Asset Prioritization Model

DCMA has been developing an asset prioritization model for determining a
criticality score and ranking critical assets from highest to lowest risk.
This model is to provide a mechanism for DCMA to allocate limited
resources to those critical DIB assets assessed to be most vulnerable: the
higher the score, the higher the priority of the asset for vulnerability
assessment and possible remediation/mitigation actions. The model uses 16
weighted factors that are aggregated to assign a vulnerability score to
each asset. These factors are broadly classified into mission (5),
economic (4), threat (5), and other (2), as shown below in table 3.

Table 3: DCMA's Asset Prioritization Model Factors, Weighting Factors, and
Factor Classification

                                                      Weighting  Factor         
Model factors                                        factors  classification 
Affect multiple programs                                  16  Mission        
Affect current warfighting capabilities                   15  Mission        
Effect on projected warfighting capabilities              14  Mission        
Corporate financial risk                                  13  Economic       
Site economic viability                                   12  Economic       
Recovery plan                                             11  Mission        
Reconstitution--time                                      10  Mission        
Reconstitution--cost                                       9  Economic       
Threat--known external threats to facility                 8  Threat         
Known security issues                                      7  Threat         
Disaster risk--metric                                      6  Threat         
Chemical/biological/radiological/nuclear/explosive         5  Threat         
(CBRNE) collateral damage                                                    
Populated area                                             4  Threat         
Site employment as percent of county or                    3  Economic       
Metropolitan Statistical Area (MSA)                                          
DCIP awareness visit follow-up                             2  Other          
Vulnerability assessment of CIP-MAA                        1  Other          
completed/scheduled                                                          

Source: DCMA.

Data for the determination of these factors are collected from DCMA
surveys and analysis, supplemented by various commercial and government
sources, including the Defense Logistics Agency, the military services,
and the combatant commands. If there are missing data for a given item,
DCMA's rule is to default to a high-risk score, as this is the most
conservative assumption.

For threat data currently obtained by DCMA, the model includes an
assessment of current, potential, and technologically feasible threats to
assets from hostile parties as well as from natural or accidental
disasters inherent to the asset or its location. Hostile threat
information is collected by the Counter Intelligence Field Activity office
from various intelligence sources and then summarized in a threat
assessment document for specific sites during the prioritization process,
and in a detailed threat assessment prior to conducting an actual National
Guard assessment of a site. The Counter Intelligence Field Activity has
also established an arrayed threats data system as the DIB sector's
primary method for obtaining threat-related information.

DCMA Has Established a Standardized Vulnerability Assessment Process

DCMA has established a standardized mission assurance vulnerability
assessment process for critical DIB assets. As of June 1, 2007, it had
completed and issued eight assessment reports. Lessons learned from
earlier assessments have been incorporated into training for the
assessments scheduled for fiscal year 2007.

The current approach for performing assessments has evolved from earlier
efforts designed to protect the mission of the asset from a broad spectrum
of threats. The approach calls for multidisciplinary teams to conduct
performance-based assessments to identify vulnerabilities of critical
missions and recommend ways to mitigate those vulnerabilities. DOD found
these efforts to be effective, but costly and time consuming. It developed
a set of standards to conduct vulnerability assessments, building on other
vulnerability assessment methods DOD has used. Working through DCMA and
the National Guard Bureau, DOD has established a standardized mission
assurance assessment for application to critical DIB assets. These
assessments consider effect, vulnerability, and threat/hazard from natural
disaster, technological failure, human error, criminal activity, or
terrorist attack. To perform assessments, DCMA partners with the Defense
Security Service (DSS), the Counter Intelligence Field Activity, the
Defense Intelligence Agency (DIA), and appropriate federal, state, and
local law enforcement to identify and characterize all hazard threats to
key assets, and uses benchmarks and standards to ensure consistency within
the DIB and the broader DCIP community.

The assessment process typically involves (1) using the critical asset
list to select the DIB contractor candidate for assessment; (2) notifying
the selected DIB asset to schedule the vulnerability assessment; (3)
conducting a preassessment briefing with the contractor; (4) scheduling
the assessment; (5) negotiating a memorandum of agreement with the
contractor to coordinate the terms of the assessment; (6) performing the
assessment, which is designed to assess vulnerability to a broad spectrum
of threats; (7) providing an outbriefing; and (8) writing a final
vulnerability assessment report.

The process for conducting vulnerability assessments on critical DIB
contractors is early in implementation and only 8 of the planned 203 have
been completed, with reports issued, as of June 1, 2007. DCMA estimated
that conducting assessments on all critical DIB assets will take several
years. Between fiscal years 2003 and 2006, DOD considered and evaluated
different approaches that might be used in conducting on-site
vulnerability assessments. For example, five assessments of different
types were done by different DOD groups prior to fiscal year 2006. With
the benefit of the earlier assessments, DCMA in fiscal year 2006 developed
a pilot project that included six vulnerability assessments and used the
information gained to develop an approach for conducting on-site
vulnerability assessments at all critical DIB asset locations. DCMA had
settled on a methodology for outreach to contractors, a standardized
approach for conducting on-site vulnerability assessments,^9 and training
for National Guard teams to conduct these assessments. DCMA is planning a
number of improvements as a result of lessons learned from the six pilot
project assessments. For example, DCMA officials said they planned to
update the existing benchmarks, develop additional benchmarks for security
operations and emergency management, and determine the final report format
to use for future assessments. In addition, DCMA officials said that, as a
result of the pilot assessments, they plan to change the process on future
assessments. For example, rather than a single visit to the contractor to
perform the entire assessment, they intend to conduct an advance site
visit to identify key officials, gather information, and perform
preliminary analyses on manufacturing and infrastructure. They said this
will allow more time for up-front analysis and alleviate the workload and
reduce the hours needed at the time of the assessment visit.

In fiscal year 2007, DCMA planned to have National Guard teams conduct 19
vulnerability assessments and then to increase its pace to complete these
vulnerability assessments at a rate of 50 per year. However, it has
changed this goal for 2007, and even at the rates planned it would take 6
years, or until 2012, to complete the initial vulnerability assessments on
the 203 critical DIB contractors identified in 2006, as shown in table 4.

Table 4: Assessments Planned during Fiscal Years 2007 to 2012

Fiscal year                             2007 2008 2009 2010 2011 2012 
Assessments planned as of November 2006   19   50   50   50   20   20 
Revised plan as of May 2007^a             14   21   21   50   50   50 

Source: DCMA.

aDCMA is planning that after completing the initial assessments, DIB
assets would be reassessed every 3 years.

^9This approach uses benchmarks involving a series of questions
determining the degree to which specific standards have been met. As an
example, one benchmark identifies dependency on supporting foundational
infrastructure networks, such as electricity, natural gas, or petroleum.
The series of questions determines, among other things, whether the asset
requires electricity, natural gas, or petroleum to operate. If the asset
does require one of these, the contractor must provide a description, and
must then assess whether the benchmark for each of these networks is met.

ASD(HD&ASA) Has Been Developing a Remediation Guide

ASD(HD&ASA) has been developing the DOD Remediation Planning Guide for the
DCIP remediation process in order to provide a standardized process for
determining, planning, and implementing remediation actions for DOD
personnel involved in remediating risks and supporting overall DOD mission
assurance.^10 The planning guide encompasses: (1) DOD-owned assets that
support the National Military Strategy; (2) non-DOD-owned assets that
support the National Military Strategy (i.e., government-owned
infrastructure, commercial-owned infrastructure, and the defense
industrial base); and (3) non-DOD-owned assets that are so vital to the
nation that their incapacitation, exploitation, or destruction could have
a debilitating effect on the security or economic well-being of the nation
or could negatively affect national prestige, morale, and confidence.

Because proper remediation lessens the negative effect of an event, it
makes sense in many cases to strengthen, through a reduction of risk,
those assets critical to DOD missions. When unacceptable levels of risk
are identified, an asset owner should seek to remediate them in a
prioritized fashion based on their overall risk to DOD. This planning
guide identifies and discusses specific actions that are essential to
remediation strategy development and implementation. The planning guide
calls for an effective plan of action and milestones focusing on a
remediation strategy to be developed as soon as feasible following the
risk assessment. The planning guide provides the basic steps for an
effective plan and suggested time frames: (1) confirm ownership and
prioritize risk as soon as possible after completion of assessment; (2)
analyze options and determine the best approach within 30 days after a
risk assessment is completed; (3) develop the remediation plan as soon as
practicable, but not later than 60 days after the risk assessment; (4)
implement the remediation plan within 2-4 weeks following remediation plan
approval; (5) keep appropriate officials informed at plan commencement and
within 2-4 weeks of remediation plan completion; and (6) execute follow-up
actions no more than 3 years after risk assessment.

The planning guide also includes a chapter focused on DIB remediation. It
states that the remediation measures for the DIB focus on facilitating
relationships and sharing information to implement the appropriate level
of protection. The chapter referring to the DIB is designed to assist
asset owners, operators, and DOD managers in determining whether a
remediation action is justified and required. The DIB sector remediation
process includes a step-by-step approach for analyzing issues and making
judgments. It describes a remediation process that will help preserve
privately owned DIB critical asset capabilities. ASD(HD&ASA) officials
told us it was designed in a general way without suggested time frames
because of the voluntary nature of the DIB participation in the DCIP.

^10DOD, Defense Critical Infrastructure Program, DOD Remediation Planning
Guide, Version 1.0 (Apr. 20, 2007).

DOD Will Need to Address Several Key Challenges in Implementing Its DIB Risk
Management Approach

DOD faces several key challenges in implementing its DIB risk management
approach and will need to address them to ensure that its approach is
sound and its progress can be measured. First, the critical asset list
used by DCMA does not incorporate comprehensive, mission-essential task
information from the military services. Second, the prioritization model
used by DCMA has not yet undergone external technical review and lacks
both contractor-specific data and comprehensive threat information. Third,
DCMA is not scheduling and conducting its vulnerability assessments in
accordance with the asset rankings in its prioritization model. Fourth,
DOD lacks a plan for identifying and addressing challenges in assessing
vulnerabilities of critical foreign contractors.

Critical Asset List Does Not Yet Have Comprehensive Mission-Essential Task
Information

DCMA is not currently obtaining comprehensive information from all of the
combatant commands and services needed to develop a critical asset list
that is linked to DOD's mission-essential tasks. Both the 2006 DIB
critical asset list and the list in development for 2007 do not reflect
data from all the combatant commands and services using mission-essential
task information. The DOD risk management approach calls for identifying
DIB assets critical to supporting combatant commanders' mission-essential
tasks that would result in DOD-wide mission failure if the asset were to
be damaged, degraded, or destroyed. According to DCMA and the services,
DCMA and the Army and Navy provided most of the data for the 2006 critical
asset list, but the Air Force did not provide input for the list. In
responding to DCMA's request for the 2007 critical asset list, the Air
Force limited its participation to the review and validation of DIB
critical assets identified and compiled by DCMA, which used DCMA's
methodology only. This service has made no independent submission of
DIB-like assets to DCMA. DCMA officials told us they were aware of the
need to link DIB assets to mission-essential tasks. The DIB sector
assurance plan calls for identifying assets critical to supporting
combatant commanders' mission-essential tasks that would result in
DOD-wide mission failure if the asset were to be damaged, degraded, or
destroyed, and DCMA says it plans to continue to collaborate and
strengthen relationships with the combatant commands and other DOD
organizations in identifying DIB assets and systems supporting their
critical missions.

According to OSD officials, the services are still working on identifying
the mission-essential tasks and the defense critical assets that support
these tasks, including DIB defense critical assets. The method for
identifying critical DIB assets has evolved, and refinements are
continuing. Thus far, a plan with targets and time frames has not been
established for identifying all of the mission-essential tasks for all of
the services.

DCMA's Prioritization Model Has Not Yet Been Reviewed and Does Not Yet Have
Contractor-Specific Data or Comprehensive Threat Information

The asset prioritization model has not undergone external technical
review. Further, some needed contractor-specific data were missing for a
number of the critical assets. Additionally, the absence of comprehensive
threat data undermines the utility of the index score for prioritizing
contractors.

  Model Has Not Yet Had External Technical Review

Our review of the asset prioritization model revealed that weighting
factors were selected and much of the input data were determined according
to subjective decisions made with only limited review. According to the
DCMA official who developed the model, the subjectivity involved in
assigning the precise values of the weights in the model is the most
controversial aspect of the model. Cross-disciplinary collaboration and
peer review are, in our opinion as well as that of DOD officials with whom
we spoke, important means of validating modeling strategies. As of the
time of our review, DCMA had not had its model independently reviewed.

The model, created in September 2004, has undergone a number of
refinements, and more are planned. According to the DCMA staff member who
developed the model, he is the only individual who fully understands the
model and all submodels and is responsible for assigning factor risk
scores to each asset. Future initiatives for refining the model include
(1) developing submodels in 2007, (2) addressing issues regarding data
absence and data obsolescence in 2008, (3) developing guidance for others
on how to use the model (no established target date), and (4) moving from
a spreadsheet format to a Web-based application (no established target
date). Without independent formal review of its asset prioritization
model, DCMA cannot be assured that the model is valid and suitable for its
intended purpose.

  Needed Contractor-Specific Data Are Missing

Our review of the model also revealed that contractor-specific data were
missing for a number of the critical assets. DCMA collects open-source and
in-house statistical data on contractor operations, but it lacks some
needed contractor-specific information from the DIB contractors on their
operations for use in the model. DCMA has undertaken two surveys to obtain
these needed data and is planning a third survey, but these efforts depend
on contractors' willingness to provide business sensitive information and
they have thus far not been fully successful.

The model does not distinguish between assets marked as high risk by
default for lack of data and those for whom data corroborate the high-risk
designation. Our review of the asset prioritization model found that DIB
contractors with similar entries based on missing data for several factors
may not be differentiated one from another; it was not always apparent
whether some contractors were identified as high risk because of an
unavailability of data or the presence of data that justified the
identification. The ability to distinguish between high scores due to risk
and high scores due to missing data has important implications for
resource allocation, for data collection and assessment, and for risk
remediation. Additionally, prioritization of data collection should focus
on those items that are most mission-critical and have the highest weight
in the model's scores.

DCMA has conducted two surveys, called industrial capabilities
assessments, to obtain contractor-specific information on DIB assets, but
both of these efforts have met with limited response rates. DCMA officials
said this was due at least partly to contractors' reluctance to provide
information. In 2004 DCMA sent a questionnaire to obtain additional
information from DIB contractors. DCMA had requested this information
using a cover letter to the companies signed by the Assistant Secretary of
Defense for Homeland Defense (ASD-HD) and coordinated with DCMA officials
in the field. DCMA officials said that these steps were taken to help
ensure a greater response to the survey. Nevertheless, of those
responding, some of the survey forms were incomplete and some of the data
provided were determined to be unreliable. In 2005, DCMA sent a revised
questionnaire, but it was not administered with the same level of
discipline used in the first one. For example, it did not use DOD on-site
personnel to help ensure high response rates, and only 30 percent of those
surveyed responded. Again, responses were incomplete and some of the data
were not considered reliable. DOD officials said that contractors were
more reluctant to provide certain types of data, such as financial,
disaster planning, reconstitution, and especially forecast data. DCMA did
not conduct a survey in 2006.

DCMA is planning another effort in fiscal year 2007 to send out a revised
capabilities-assessment questionnaire to DIB contractors. DCMA officials
are in the process of revising and expanding on the assessment to be sent
to contractors to more specifically address critical infrastructure
protection. Once DCMA has finalized the critical asset list for 2007, it
is planning to conduct a new industrial capabilities survey. However, it
will take several months for DIB critical contractors to receive, fill
out, and return the industrial capabilities survey; and DCMA has not
identified specific steps to ensure that this survey receives a high
response rate with quality information.

  Model Does Not Yet Incorporate Comprehensive Threat Information

Our review of DOD's asset prioritization model also revealed a lack of
comprehensive threat information. DOD officials told us that
intelligence-gathering agencies currently provide information to DCMA
through ad hoc agreements, as opposed to a more formalized arrangement.
The collection and analysis of DIB-related intelligence information has
evolved over time between such agencies as DSS, Counter Intelligence Field
Activity, and DCMA. According to DCMA as well other DOD officials, DCMA
does not receive comprehensive threat information from the appropriate
intelligence agencies to enable it to accurately prioritize DIB assets.
These intelligence agencies include the National Counterterrorism Center,
DHS's Office of Intelligence and Analysis and its Homeland Infrastructure
Threat and Risk Analysis Center, the FBI, and others. While DCMA obtains
information for prioritization from the Counter Intelligence Field
Activity, DCMA does not routinely obtain full threat information from
these other intelligence agencies. The absence of comprehensive threat
data undermines the utility of the index score for prioritizing
contractors. Until DCMA develops and implements procedures for obtaining
the threat data needed, it cannot rely on the outputs of its asset
prioritization model.

Vulnerability Assessments Are Being Conducted without Benefit of Asset
Prioritization Rankings

DCMA is conducting its vulnerability assessments on critical DIB assets
according to contractor accessibility and without regard for those assets'
respective prioritization model rankings. According to DCMA, one purpose
of the prioritization model is to rank critical assets and to use this
order to prioritize assessments. DCMA should schedule and conduct its
vulnerability assessments on the critical DIB assets based upon their
respective rankings as validated in the asset prioritization model.
Furthermore, DOD has not established targets or time frames for resolving
this issue.

The assessments to be performed should be identified from a comprehensive
critical asset list that has been ranked based on a reliable asset
prioritization model. However, DCMA has not used the rankings from its
asset prioritization model to schedule outreach visits or on-site
vulnerability assessments. According to DCMA officials, a high score on
the model should result in DCMA's contacting the contractor to conduct a
vulnerability assessment. However, they said that coordinating on-site
assessments is complicated and highly sensitive. DCMA officials say that
lack of facility security clearances complicates their efforts to get DIB
contractors to participate in DOD's risk management program because DCMA
cannot inform uncleared contractors that they are on the classified
critical asset list or discuss with them vulnerabilities found at their
facilities. Consequently, officials have devoted outreach efforts, first,
to those contractors at facilities having the necessary security
clearances, and next, to those that DCMA officials believe would be most
amenable to undergoing an assessment. About 52 percent of the DIB
facilities identified as critical lack security clearances for the
facility or any of its personnel, and thus cannot receive vulnerability
assessments or discuss needed remediation actions. DSS officials told us
that, though they recognized that many critical contractors did not have
facility security clearances, DSS lacks the resources needed to
preemptively clear all critical DIB facilities.

In further explaining why they have not followed the prioritization
ranking in conducting assessments, DCMA officials said that because
private-sector DIB contractors' participation in the program is voluntary,
DCMA must rely on the contractors' willingness to cooperate and provide
information. According to DCMA officials, some DIB contractors have had
concerns about sharing information that they consider proprietary, and
about the possibility of incurring additional costs and liabilities to
correct any vulnerabilities identified as part of this program as a result
of sharing this information. These concerns regarding sharing information
with DOD were echoed by some of the DIB contractors with whom we spoke,
for a variety of reasons. For example, when asked about his willingness to
share certain information with DOD, one DIB contractor we spoke with said
that he was concerned that information that he deemed proprietary or
potentially damaging to the company could somehow be released or
disclosed, and he was unsure how DOD would protect such information.
Furthermore, DOD officials noted that some significant DIB contractors are
involved in classified, special access programs that could involve
military mission-essential tasks and as a result may not be allowed or
willing to share certain types of information. They also noted that there
is no similar effort to identify critical DIB assets from the classified
special access program perspective. Consequently, some significant
critical DIB assets may not currently be included as part of the program.

DCMA officials told us that, in order to overcome resistance from those
DIB contractors that may be reluctant to share information and participate
in the program, they have developed tactics that in some cases have been
successful in promoting greater voluntary participation. For example, in
at least one case, DCMA requested that a high-level DOD official reach out
to the contractor directly and make the informational request. Also, DCMA
officials told us that they develop memoranda of agreement with
contractors that delineate what the on-site assessment will entail, what
the assessment team and the company are agreeing to do, and the manner in
which the contractor's information will be used and protected. DCMA
officials told us that while these steps have resulted in progress, they
have also been time-consuming and have affected the sequence according to
which critical DIB contractors have been scheduled for assessment.

The program, and DCMA's outreach and educational efforts in eliciting
contractor information, continue to evolve. For example, the
sector-specific plan states that DOD plans to develop an accreditation
plan for identifying and certifying Protected Critical Infrastructure
Information (PCII) under DHS's PCII program. The PCII program was
established by DHS pursuant to the Critical Infrastructure Information Act
of 2002.^11 The act provides that critical infrastructure information^12
that is voluntarily submitted to DHS^13 for use by DHS regarding the
security of critical infrastructure and protected systems, analysis,
warning, interdependency study, recovery, reconstitution, or other
informational purpose, when accompanied by an express statement, shall
receive various protections, including exemption from disclosure under the
Freedom of Information Act.^14 If such information is validated by DHS as
PCII, then the information can only be shared with authorized users.^15
Before accessing and storing PCII, organizations or entities must be
accredited and have a PCII officer. Authorized users can request access to
PCII on a need-to-know basis, but users outside of DHS do not have the
authority to store PCII until their agency is accredited. However, the
lack of accreditation does not otherwise prevent entities from sharing
information directly with DOD.

^11The Critical Infrastructure Information Act was enacted as Title II,
Subtitle B of the Homeland Security Act of 2002. Pub. L. No. 107-296
(2002).

^12"Critical infrastructure information" is defined at Section 212 of Pub.
L. No. 107-296 (2002).

^13DHS's final rule implementing the Critical Infrastructure Information
Act identifies procedures for indirect submissions to DHS through DHS
field representatives and other federal agencies.

^145 U.S.C. S 552.

However, we noted in our April 2006 report that nonfederal entities
continued to be reluctant to provide their sensitive information to DHS
because they were not certain that their information will be fully
protected, used for future legal or regulatory action, or inadvertently
released.^16 Since our April report, DHS published on September 1, 2006,
its final rule implementing the act, but we have not examined whether
nonfederal entities are more willing to provide sensitive information to
DHS under the act at this time, or DOD's cost to apply for, receive, and
maintain accreditation. However, one of the DIB contractors we interviewed
mentioned generally that while some advances have been made in information
protection, such as the establishment of the PCII program, the contractor
continues to be concerned that the program has yet to demonstrate that it
can provide good security for contractor-provided information, and remains
wary about damage from public or competitor disclosure.

DCMA officials also pursued new legislation and additional provisions for
the Defense Federal Acquisition Regulation in order to, in their view,
potentially increase industry participation, but these changes were
ultimately not enacted. For example, DCMA officials had drafted a
legislative proposal that stated that "critical supplier assessments and
company specific assessments developed under the Defense Critical
Infrastructure Program, evaluating the security of Defense Critical
Suppliers, shall not be disclosed under the Freedom of Information
Act."^17 However, DCMA officials told us that the legislative proposal was
ultimately not approved to be included in the DOD legislative proposals
that are sent to the Congress for consideration and there are no current
plans within DOD to pursue this legislation. In addition, DCMA officials
also pursued the addition of clauses to the Defense Federal Acquisition
Regulation. The language that was proposed would have included several
provisions pertaining to the critical infrastructure of the defense
industrial base, such as stating that the contractor shall be responsible
for the overall organizational physical protection and security of its own
critical infrastructures; have in place a comprehensive security plan
relating to overall plant and facility security designed to protect its
critical infrastructures; that the government shall be permitted to
conduct or facilitate vulnerability and mission assurance assessments
under the DCIP. However, these changes were ultimately not submitted to
the Defense Acquisition Regulation Council.^18

^15For more information on the procedures by which PCII may be shared, see
DHS's Procedures for Handling Critical Infrastructure Information, 6
C.F.R. 29.

^16GAO, Information Sharing: DHS Should Take Steps to Encourage More
Widespread Use of Its Program to Protect and Share Critical Infrastructure
Information, [32]GAO-06-383 (Washington, D.C.: Apr. 17, 2006).

^17The Freedom of Information Act, codified at 5 U.S.C. 552, states that
agencies shall make available certain documents for public inspection and
copying. However, there are exemptions to this requirement. For example,
FOIA does not apply to matters that are "trade secrets and commercial or
financial information obtained from a person and privileged or
confidential."

DCMA Does Not Yet Have a Plan for Assessing Foreign DIB Critical Assets

DCMA has not established a plan to deal with the potential challenges
inherent in assessing vulnerabilities of foreign contractors. In order to
do so, DCMA needs to coordinate with other agencies, such as the
Department of State, to develop strategies to better ensure that foreign
contractor vulnerabilities can be identified and addressed. DCMA has not
conducted any assessments of foreign contractors.

The critical asset list identifies nine foreign contractors. DCMA planned
to conduct a pilot assessment on one of these contractors in 2006, but did
not do so, according to DCMA officials, because procedures are not yet in
place for assessing foreign suppliers of products manufactured overseas.
The DIB sector-specific plan recognizes the challenge involved when DIB
assets are located in foreign countries, and states that where DIB assets
are located in foreign countries many of the plan's proposed activities
could be perceived as U.S. government intrusion into sovereign areas of
the host country, particularly with respect to threats and
vulnerabilities. The plan also recognizes that DOD and the DIB Sector
Coordinating Council must ensure that DIB protection activities are
coordinated with U.S. embassies and host governments; that where pertinent
treaties exist, activities should conform to them; and that a strategy
needs to be developed for an action plan in foreign countries with DIB
assets.

^18The Defense Acquisition Regulations Council establishes operating
procedures for the Defense Acquisition Regulation System to facilitate
development and processing of procurement and contracting policy,
procedures, clauses, and forms, for approval by the Director of Defense
Procurement.

Conclusions

DOD is in the process of implementing a risk management approach to
identify, prioritize, evaluate, and remediate threats, vulnerabilities,
and risks to critical DIB assets, including those DIB assets that are
critical to achieving DOD's mission-essential tasks. Several key
challenges to the implementation of this program need to be addressed in
order for DOD to be able to ensure that its approach is sound. First, in
identifying and prioritizing critical DIB assets, DOD is not currently
incorporating data reflecting mission-essential task information from all
of the services. Second, in order for DOD's asset prioritization model to
be reliable, the model would benefit from appropriate external technical
review, and it also lacks selected contractor-specific data that need to
be provided by DIB contractors, as well as comprehensive threat
information from the appropriate intelligence agencies. Without a
comprehensive list of critical assets and a reliable asset prioritization
model, DOD cannot ensure that it has identified the most important DIB
critical assets, as is necessary for carrying out the National Military
Strategy. Third, DOD is currently scheduling and conducting assessments
based on contractor amenability and security clearance status, rather than
on the rankings assigned to critical DIB assets according to its asset
prioritization model. Unless DOD assesses assets based on their rankings
determined by a reliable asset prioritization model, DOD will not be in a
sound position to know that it is assessing the most critical DIB assets
or making the best use of limited resources. Fourth, DOD has not yet
developed a plan for identifying and addressing potential challenges in
assessing vulnerabilities of critical foreign DIB contractors. As a
result, vulnerabilities in these critical foreign contractors can
potentially threaten their availability to DOD. Until all of these issues
are addressed, DOD will lack the visibility it needs over critical DIB
asset vulnerabilities, will be unable to encourage critical DIB
contractors to take needed remediation actions, and will be unable to make
informed decisions regarding limited resources.

Recommendations for Executive Action

To manage the complete development of the risk management approach to
better ensure its effectiveness we recommend the Secretary of Defense
direct the ASD(HD&ASA) to develop a management framework that includes
targets and time frames and undertakes the following steps:

           o Obtain comprehensive data from all the combatant commands and
           services based on mission-essential task information, and
           incorporate these data with those set forth in DCMA guidance, to
           develop a comprehensive list of the critical DIB assets.
           o Improve the reliability of its asset prioritization model by

                        o obtaining the appropriate external technical
                        review;
                        o developing a detailed plan for improving response
                        rate and data quality from DIB contractors in
                        conducting its next capabilities survey, to ensure
                        that DCMA obtains contractor-specific data needed for
                        establishing priorities; and
                        o identifying and developing procedures for obtaining
                        comprehensive threat information from the appropriate
                        intelligence agencies, including DHS, the FBI, and
                        others to use as model inputs to prioritize DIB
                        assets and conduct vulnerability assessments.

           o Schedule and conduct vulnerability assessments on the critical
           DIB assets based on their respective rankings as validated in the
           asset prioritization model, to ensure that the most critical DIB
           assets are assessed in a timely manner and DOD maximizes its use
           of limited resources.
           o Prepare a plan to collaborate with the Department of State and
           other agencies, as appropriate, to develop options to identify and
           address potential challenges in assessing vulnerabilities of
           critical foreign contractors.
			  
			  Agency Comments and Our Evaluation

           In written comments on a draft of this report, DOD partially
           concurred with all four recommendations. In its response, DOD
           cited actions it planned to take that are generally responsive to
           our recommendations. DOD also provided us with technical comments,
           which we incorporated in the report, as appropriate. DOD's
           response is reprinted in appendix II.

           DOD partially concurred with our recommendation to develop a
           management framework that includes targets and time frames and to
           obtain comprehensive data from all the combatant commands and
           services based on mission-essential task information. DOD stated
           that DCMA is aware of the need to link DIB assets to
           mission-essential tasks and that ASD(HD&ASA) has developed a draft
           DOD instruction to formalize this process. DOD also said that DCMA
           is incorporating this framework into its process for critical
           asset identification and that ASD(HD&ASA) is developing a DCIP
           program plan that will address targets and time frames for
           achieving these goals. DOD commented that this plan should be
           completed by the first quarter of fiscal year 2008.

           DOD partially concurred with our recommendation to improve the
           reliability of its asset prioritization model by obtaining the
           appropriate external technical review, needed contractor specific
           data, and comprehensive threat information from the appropriate
           intelligence agencies and stated that DCMA had coordinated the
           review of the asset prioritization model with the DOD Modeling and
           Simulation Office, the Canadian Department of National Defense,
           and various DOD activities. However, at the time of our review,
           DCMA had not yet coordinated the review of the asset
           prioritization model with these offices, and other feedback on the
           model was informal and undocumented. We found that the model has
           had a number of refinements over the years and that there are
           fundamental processes that have not been reviewed. We believe that
           DOD is responsive to our recommendation in its comment that DCMA
           is open to further technical review of the APM and will work with
           ASD(HD&ASA) to identify credible and capable subject matter
           experts to support this effort, and we would stress the need to
           develop targets and time frames for completing these actions. DOD
           also commented that developing a detailed plan may improve the
           contractor response rate and data quality; but noted that
           participation by industry to provide information is voluntary and
           contractors continue to be concerned with the release of certain
           types of data, such as financial, disaster planning,
           reconstitution, and especially forecast data. We agree that
           contractor participation is voluntary but there are strategies
           available to DCMA to improve response rates. As noted in our
           report, DCMA response rates declined when the process lacked a
           coordinated plan. DOD also stated that a draft DOD Instruction
           3020.nn identifies the intelligence agencies that DCMA will work
           with to obtain threat and hazard information on DIB critical
           assets. However, we found that the draft instruction only
           identified the Under Secretary of Defense for Intelligence to
           secure support from other DOD activities and does not reference
           securing support from agencies we note in the report such as DHS
           and the FBI. As noted in DCMA's May 2007 sector assurance plan,
           barriers in the area of threat assessment information and sharing
           information still require management attention.

           DOD partially concurred with our recommendation to schedule and
           conduct vulnerability assessments on the critical DIB assets based
           on their respective rankings as validated in the asset
           prioritization model, and noted a number of factors that exist
           that may prevent scheduling assessments in accordance with the
           model's numerical ranking. For example, DOD noted if a contractor
           on the list is reluctant at first or refuses to participate, it
           should move to the next contractor on the list, while
           simultaneously negotiating with the first contractor to gain its
           participation. DOD also noted that the list is dynamic and may
           change year-to-year. In addition, DOD may accept the vulnerability
           assessments performed internally by the contractor providing the
           company meets established requirements and standards. We believe
           that the approach described by DOD acknowledges the intent of our
           recommendation to conduct assessments on the basis of those deemed
           most critical. We recognize that there will be reasons to conduct
           assessments out of order, and would expect that those decisions
           will be documented.

           DOD partially concurred with our recommendation to prepare a plan
           to collaborate with the Department of State and other agencies, as
           appropriate, to develop options to identify and address potential
           challenges in assessing vulnerabilities in foreign critical DIB
           assets. DOD stated that DCMA efforts to date have focused
           primarily on Continental United States assets as they constitute
           95 percent of the assets on the critical asset list and that the
           DIB sector specific plan recognizes the challenges involved when
           DIB assets are located in foreign countries. DOD further stated
           that DCMA will continue to work with ASD(HD&ASA) in laying out a
           framework to both address the issue and to work in collaboration
           with other government agencies, including the Department of State.

           As agreed with your offices, we are sending copies of this report
           to the Chairman and Ranking Member of the Senate and House
           Committees on Appropriations, Senate and House Committees on Armed
           Services, and other interested congressional parties. We also are
           sending copies of this report to the Secretary of Defense; the
           Secretary of Homeland Security; the Director, Office of Management
           and Budget; and the Chairman of the Joint Chiefs of Staff. We will
           make copies available to others upon request. In addition, this
           report will be available at no charge on the GAO Web site at
           [33]http://www.gao.gov .

           If you or your staff have any questions concerning this report,
           please contact me at (202) 512-5431 or by e-mail at
           [34][email protected] . Contact points for our Offices of
           Congressional Relations and Public Affairs may be found on the
           last page of this report. GAO staff who made major contributions
           to this report are listed in appendix III.

           Davi M. D'Agostino
			  Director, Defense Capabilities and Management
			  
			  Appendix I: Scope and Methodology

           To conduct our review of the Department of Defense's (DOD) defense
           industrial base (DIB) program, we obtained relevant documentation
           and interviewed officials from the following DOD organizations:^1

           o Office of the Secretary of Defense (OSD)

                        o Under Secretary of Defense for Personnel and
                        Readiness, Information Technology Division;
                        o Under Secretary of Defense for Acquisition,
                        Technology, and Logistics, Office of the Deputy Under
                        Secretary of Defense for Industrial Policy;
                        o Under Secretary of Defense for Intelligence,
                        Counterintelligence & Security, Physical Security
                        Programs;

                                     o DOD Counterintelligence Field
                                     Activity, Critical Infrastructure
                                     Protection Program Management
                                     Directorate;

                        o Assistant Secretary of Defense for Homeland Defense
                        and Americas' Security Affairs (ASD[HD&ASA]),
                        Critical Infrastructure Protection Office;
                        o Assistant Secretary of Defense for Networks and
                        Information Integration, Information Management &
                        Technology Directorate;

           o Joint Staff, Directorate for Operations, Antiterrorism and
           Homeland Defense
           o Defense Threat Reduction Agency (DTRA), Combat Support
           Assessments Division
           o Military Services

                        o Department of the Army, Asymmetric Warfare Office,
                        Critical Infrastructure Risk Management Branch;
                        o Department of the Navy

                                     o Office of the Chief Information
                                     Officer;
                                     o Mission Assurance Division, Naval
                                     Surface Warfare Center, Dahlgren
                                     Division, Dahlgren, Virginia;
                                     o Headquarters, U.S. Marine Corps,
                                     Security Division, Critical
                                     Infrastructure Protection Office;

                        o Department of the Air Force, Air, Space and
                        Information Operations, Plans, and Requirements,
                        Homeland Defense Division;

           o Headquarters, Defense Intelligence Agency, Office for Critical
           Infrastructure Protection & Homeland Security/Defense;
           o Headquarters, Defense Information Systems Agency, Critical
           Infrastructure Protection Team;
           o Headquarters, U.S. Strategic Command, Mission Assurance
           Division, Offutt Air Force Base, Nebraska

^1DOD organizations are located in the Washington, D.C., metropolitan area
unless indicated otherwise.

           To examine the status of DOD's efforts to develop and implement a
           risk management approach, we reviewed Homeland Security
           Presidential Directive 7, the Homeland Security Act of 2002, and
           the National Infrastructure Protection Plan as they relate to the
           DIB sector-specific and sector assurance plans, as well as other
           studies conducted by GAO, the Congressional Research Service, and
           the DOD Inspector General concerning risk management and defense
           critical infrastructure. We discussed with DOD officials the
           requirements for a risk management plan for the DIB and the status
           of the approach's implementation. We also reviewed and discussed
           information and data on the Defense Contract Management Agency's
           (DCMA) efforts to identify, assess, and remediate critical DIB
           assets. Specifically, we evaluated the basis for the criteria DCMA
           established and used to identify important and critical DIB
           assets; the ways in which these criteria were used by each of the
           services to help identify important and critical DIB assets; and
           the ways in which foreign contractors were being identified. We
           evaluated information concerning the development of the asset
           prioritization model, the factors used to rank order the critical
           assets, the refinements that have been made and planned as the
           model matures, and the outcomes produced by applying the model to
           the fiscal year 2006 critical asset list. We reviewed the
           standardized mission assurance assessment process for critical DIB
           assets, the development of standards to be used, the training for
           teams to conduct assessments, the reports on six pilot
           vulnerability assessments performed in fiscal years 2006 and 2007,
           and lessons learned to be incorporated in future assessments. We
           reviewed the remediation planning guidance DOD is developing for
           the Defense Critical Infrastructure Program (DCIP) generally, and
           we compared the overall guidance to that being developed for the
           DIB. We also met with the National Guard Bureau and one of the
           state National Guard teams that conducts DIB sector vulnerability
           assessments.

           To examine the challenges faced by DOD in developing and
           implementing its approach, we assessed the extent to which key
           steps in the planned approach have been implemented. We compared
           DCIP policies for identifying mission-essential tasks and related
           defense critical assets with DCMA's criteria for identifying a
           critical DIB asset; and we discussed reasons for the differences
           with OSD, ASD(HD&ASA), DCMA, and the services. We assessed the
           development and use of DCMA's asset prioritization model,
           including discussions with DCMA and OSD about the requirements for
           models used within DOD to undergo external technical review and to
           incorporate all the needed data in order to ensure the model's
           validity and suitability. We reviewed methods DCMA has used
           previously to obtain contractor-specific data, as well as methods
           planned for future efforts, to ensure that DCMA will obtain more
           complete information. We discussed with DCMA and DOD intelligence
           agency officials the threats to the DIB and the availability of
           specific threat information to DCMA. We compared the assessments
           being conducted with the rankings of the critical DIB contractors
           in the asset priority model, and we discussed with DCMA officials
           why they have not followed the rankings and the challenges that
           they have encountered as they have begun working with
           private-sector contractors. We reviewed DCMA's efforts to
           encourage reluctant private-sector DIB contractors to participate
           in the program, including potential changes suggested for the
           Defense Federal Acquisition Regulation that were ultimately not
           enacted. We also reviewed DCMA's current efforts to work with DHS
           to develop an accreditation approach for identifying and
           certifying Protected Critical Infrastructure Information, and
           steps taken by DCMA to overcome resistance. We spoke with a
           non-probability sample of DIB contractor officials generally about
           their willingness to participate in the program and the reasons
           for their respective views, and we discussed with DOD officials
           and these contractor officials the availability of data concerning
           foreign contractors. Their comments are not generalizable to a
           larger population. Lastly, we determined the extent to which DCMA
           has identified metrics with time frames for completing development
           of the risk-based management process. We conducted our work
           between August 2006 and June 2007 in accordance with generally
           accepted government auditing standards.
			  
			  Appendix II: Comments from the Department of Defense
			  
			  Appendix III: GAO Contact and Staff Acknowledgments
			  
			  GAO Contact

           Davi M. D'Agostino, (202) 512-5431 or [35][email protected]
			  
			  Acknowledgments

           In addition to the contact named above, Harold Reich, Assistant
           Director; Aisha Cabrer; Colin Chambers; Lionel Cooper; Kate
           Lenane; Anna Maria Ortiz; Terry Richardson; Matthew Sakrekoff; and
           Cheryl Weissman also made key contributions to this report.
			  
			  GAO's Mission

           The Government Accountability Office, the audit, evaluation and
           investigative arm of Congress, exists to support Congress in
           meeting its constitutional responsibilities and to help improve
           the performance and accountability of the federal government for
           the American people. GAO examines the use of public funds;
           evaluates federal programs and policies; and provides analyses,
           recommendations, and other assistance to help Congress make
           informed oversight, policy, and funding decisions. GAO's
           commitment to good government is reflected in its core values of
           accountability, integrity, and reliability.
			  
			  Obtaining Copies of GAO Reports and Testimony

           The fastest and easiest way to obtain copies of GAO documents at
           no cost is through GAO's Web site ( [36]www.gao.gov ). Each
           weekday, GAO posts newly released reports, testimony, and
           correspondence on its Web site. To have GAO e-mail you a list of
           newly posted products every afternoon, go to [37]www.gao.gov and
           select "Subscribe to Updates."
			  
			  Order by Mail or Phone

           The first copy of each printed report is free. Additional copies
           are $2 each. A check or money order should be made out to the
           Superintendent of Documents. GAO also accepts VISA and Mastercard.
           Orders for 100 or more copies mailed to a single address are
           discounted 25 percent. Orders should be sent to:

           U.S. Government Accountability Office 441 G Street NW, Room LM
           Washington, D.C. 20548

           To order by Phone: Voice: (202) 512-6000
			  TDD: (202) 512-2537
			  Fax: (202) 512-6061
			  
			  To Report Fraud, Waste, and Abuse in Federal Programs

           Contact:

           Web site: [38]www.gao.gov/fraudnet/fraudnet.htm
			  E-mail: [39][email protected]
			  Automated answering system: (800) 424-5454 or (202) 512-7470
			  
			  Congressional Relations

           Gloria Jarmon, Managing Director, [40][email protected] (202)
           512-4400 U.S. Government Accountability Office, 441 G Street NW,
           Room 7125 Washington, D.C. 20548
			  
			  Public Affairs

           Paul Anderson, Managing Director, [41][email protected] (202)
           512-4800 U.S. Government Accountability Office, 441 G Street NW,
           Room 7149 Washington, D.C. 20548

(350881)

Public Affairs

[42]www.gao.gov/cgi-bin/getrpt?GAO-07-1077 .

To view the full product, including the scope
and methodology, click on the link above.

For more information, contact Davi M. D'Agostino, (202) 512-5431 or
[email protected].

Highlights of [43]GAO-07-1077 , a report to congressional requesters

August 2007

DEFENSE INFRASTRUCTURE

Management Actions Needed to Ensure Effectiveness of DOD's Risk Management
Approach for the Defense Industrial Base

The U.S. military relies on the defense industrial base (DIB) to meet
requirements to fulfill the National Military Strategy. The potential
destruction, incapacitation, or exploitation of critical DIB assets by
attack, crime, technological failure, natural disaster, or man-made
catastrophe could jeopardize the success of U.S. military operations. GAO
was asked to review the Department of Defense's (DOD) Defense Critical
Infrastructure Program and has already reported that DOD has not developed
a comprehensive management plan for its implementation. This, the second
GAO report, has (1) determined the status of DOD's efforts to develop and
implement a risk management approach to ensure the availability of DIB
assets, and (2) identified challenges DOD faces in its approach to risk
management. GAO analyzed plans, guidance, and other documents on
identifying, prioritizing, and assessing critical domestic and foreign DIB
assets and held discussions with DOD and contractor officials.

[44]What GAO Recommends

GAO recommends that DOD take specific actions to implement its risk
management framework. DOD partially concurred with all of GAO's
recommendations. DOD's comments cited actions it planned to take that are
generally responsive to our recommendations.

DOD has begun developingand implementing a risk management approach to
ensure the availability of DIB assets needed to support mission-essential
tasks, though implementation is still at an early stage. Its sector
assurance and sector-specific plans focus on steps to identify a list of
critical assets that, if damaged, would result in unacceptable
consequences; prioritize those critical assets based on a risk assessment
process; perform vulnerability assessments on high-priority critical
assets, and encourage contractors' actions to remediate or mitigate
adverse effects found during these assessments, as appropriate, to ensure
continuity of business. The Defense Contract Management Agency, the
executing agency for the DIB, has developed a process to identify the most
important DIB assets and to narrow this list to those it considers
critical. It has also developed an asset prioritization model for
determining a criticality score and ranking critical assets, and it has
established a standardized mission assurance vulnerability assessment
process for critical DIB assets.

DOD faces several key challenges in implementing its DIB risk management
approach. Overall, DOD's methodology for identifying critical DIB assets
is evolving, and DOD lacks targets and time frames for completing
development of key program elements that are needed for its risk
management approach. Without them, DOD cannot measure its progress toward
ensuring that DIB assets supporting critical DOD missions are properly
identified and prioritized. The specific challenges are as follows: First,
DOD is not fully incorporating the military services' mission-essential
task information (i.e., listings of assets whose damage, degradation, or
destruction would result in DOD-wide mission failure) in compiling its
critical asset list. Second, GAO's analysis of DOD's prioritization model
shows that weighting factors were selected and data determined according
to subjective decisions and limited review, and that needed
contractor-specific data were lacking, as was comprehensive threat
information, thus undermining the utility of the index score for
prioritizing contractors. Without these comprehensive data and a reliable
asset prioritization model, DOD will not be in a sound position to know
that it has identified the most important and critical assets, as called
for in the National Military Strategy. Third, with regard to scheduling
and conducting assessments of critical DIB assets, DOD is currently doing
so based on contractor amenability and security clearance status without
regard for assets' priority rankings, and thus cannot ensure that the most
critical DIB contractors are assessed. Fourth, DOD lacks a plan for
developing options to work with the Department of State and other
appropriate agencies to identify and address potential challenges in
assessing vulnerabilities in foreign critical DIB assets. Until all these
challenges are addressed, DOD will lack the visibility it needs over
critical DIB asset vulnerabilities, will be unable to encourage critical
DIB contractors to take needed remediation actions, and will be unable to
make informed decisions regarding limited resources.

References

Visible links
  27. ://www.gao.gov/cgi-bin/getrpt?GAO-02-150T
  28. http://www.gao.gov/cgi-bin/getrpt?GAO-07-461
  29. http://www.gao.gov/cgi-bin/getrpt?GAO-07-461
  30. http://www.gao.gov/cgi-bin/getrpt?GAO-06-84
  31. http://www.gao.gov/cgi-bin/getrpt?GAO/AIMD-00-21.3.1
  32. http://www.gao.gov/cgi-bin/getrpt?GAO-06-383
  33. http://www.gao.gov/
  34. mailto:[email protected]
  35. mailto:[email protected]
  36. http://www.gao.gov/
  37. http://www.gao.gov/
  38. http://www.gao.gov/fraudnet/fraudnet.htm
  39. mailto:[email protected]
  40. mailto:[email protected]
  41. mailto:[email protected]
  42. http://www.gao.gov/cgi-bin/getrpt?GAO-07-1077
  43. http://www.gao.gov/cgi-bin/getrpt?GAO-07-1077
*** End of document. ***