[Advisory Letter on Critical Infrastructure Assurance Program, Department of the Interior]
[From the U.S. Government Printing Office, www.gpo.gov]

Report No. 00-i-704

Title: Advisory Letter on Critical Infrastructure Assurance Program,
       Department of the Interior 

 
  Date:  September 29, 2000
  
  **********DISCLAIMER********** 
  This file contains an ASCII representation of an OIG report. No attempt has been made
  to display graphic images or illustrations. Some tables may be included, but may not
  resemble those in the printed version. A printed copy of this report may be obtained by
  referring to the PDF file or by calling the Office of Inspector General, Division of
  Acquisition and Management Operations at (202) 219-3841. 
   ****************************** 
  
  E-IN-OSS-010-00-R
  
  Advisory Letter
  
  Memorandum
  
  To:  Assistant Secretary for Policy, Management and Budget
  
  From:  Roger La Rouche
  Acting Assistant Inspector General for Audits
  
  Subject:  Advisory Letter on Critical Infrastructure Assurance Program, Department of
  the Interior  (No. 00-i-704)
  
  As requested by the President's Council on Integrity and Efficiency (PCIE), we reviewed
  the Department of the Interior's Critical Infrastructure Assurance Program.  This review
  is being conducted as part of a Governmentwide evaluation of Federal agency
  implementation of Presidential Decision Directive 63 (PDD-63), which called for a
  national effort to ensure the security of the Nation's critical physical and cyber-based
  infrastructures.  This letter presents the results of our review of Departmental actions
  under Phase 1 (cyber-based planning) of the four-phase PCIE review.  Our objective was
  to determine whether Departmental plans, asset identification efforts, and initial
  vulnerability assessments were adequate to protect critical Departmental infrastructures.  
  
  Results of Review
  
  We found that the Department has made significant progress toward implementing PDD-
  63 (see the Schedule of Review Results in Appendix 1).  However, we did not make a
  determination regarding cyber vulnerability assessments because the assessments to
  identify vulnerabilities and recommend corrective actions are under way and are
  scheduled for completion in the fall of 2000.  We found that the Department had
  adequately identified the critical assets and submitted its Critical Infrastructure Protection
  Plan (CIPP) to the National Critical Assurance Office for review by an Expert Review
  Team (ERT).  The Department has taken or plans to take the actions necessary to
  incorporate the ERT's suggested improvements. 
  
  We also found, however, that the Department had not documented the results of the
  periodic reviews regarding its threat environment.  The Departmental Manual (375 DM
  19.8) states:
  
       Each bureau will conduct periodic reviews of its Information Technology
       (IT) security program to determine its effectiveness and to re-certify the
       adequacy of the installed security safeguards. These reviews may use
       existing reports, such as those prepared for risk analyses, IT certifications,
       Privacy Act inspections, Departmental Management Control Evaluations,
       and Inspector General audits. The results of these reviews should serve as
       a Basis for the annual bureau IT security Plan. 
       
  Departmental IT officials told us that these reviews were performed for each bureau but
  were not documented.  We believe that the review process should have included written
  notifications to bureaus concerning the review, analysis, assessments, implementation of
  corrective actions, and results of the review.  In that regard, without adequate
  documentation of the review process, there was no accountability for the actions taken.
  
  Recommendations                
  
  We recommend that the Department's Chief Information Officer (CIO):
  
     1.  Ensure that the Department establishes and implements a requirement to document
         the periodic threat review process that includes written notifications to bureaus
         concerning the review, analysis, assessments, and implementation of corrective actions.
  
     2.  Ensure that the CIPP is resubmitted to the ERT for approval.
  
  
  Assistant Secretary for Policy, Management, and Budget
  Response and OIG Reply  
  
  In the September 27, 2000, response (Appendix 2) to the draft report from the Assistant
  Secretary for Policy, Management, and Budget (AS/PMB), the AS/PMB stated that the
  CIO "has reviewed the [Advisory Letter] and concurs with the recommendations."  The
  response further stated that the CIO will, by December 15, 2000, ensure that the Department
  establishes and implements a requirement to document the periodic threat review process
  that includes written notifications to bureaus concerning the review, analysis,
  assessments, and implementation of corrective actions (Recommendation 1), and that by
  December 15, 2000, the requirement to document the periodic threat review process will be
  included in the Department's Critical Infrastructure Protection Plan and submitted to the
  National Critical Assurance Office for review by the ERT (Recommendation 2).  Based
  on the response, we consider the recommendations resolved but not implemented
  (Appendix 3).  Accordingly, the unimplemented recommendations will be referred to the
  Office of Financial Management for tracking of implementation.
  
  Scope of Review   
  
  Our review was conducted as part of a Governmentwide four-phase PCIE review on
  implementation of PDD-63.  To accomplish our review, we conducted interviews with
  the Critical Infrastructure Assurance Officer and his staff, the Chief Information Officer,
  and other IT officials to obtain information concerning the critical infrastructures and
  planning processes used by the Department.  The four phases will review the adequacy of:
  
        - Agency planning and assessment activities for protecting critical physical and
          cyber-based infrastructures (Phase 1).
        - Agency implementation activities for protecting cyber-based infrastructures
          (Phase 2).
        - Agency planning and assessment activities for protecting critical non-cyber
          infrastructures (Phase 3).
        - Agency implementation activities for protecting critical non-cyber infrastructures
          (Phase 4).
      
  The results of our review of the Departmental cyber-based planning efforts under Phase 1
  and the review steps that were developed by the PCIE working group are detailed in the
  Appendix.  The results of the review will also be sent to the PCIE working group for
  inclusion in a governmentwide report concerning the security of Federal critical
  infrastructures.
  
  Background  
  
  Advances in information technology have increased the automation and
  interlinking of physical and cyber-based infrastructures and have created new
  vulnerabilities, both to intentional attacks and to unintentional disruptions from human
  error, weather, and equipment failure, that could significantly harm the Nation's economy
  and military capability.
  
  PDD-63, signed on May 22, 1998, ordered the strengthening of the Nation's defense
  against terrorist acts, weapons of mass destruction, and assaults on critical infrastructures
  that would diminish the ability of the Federal Government to protect the national security
  and ensure general public health and safety; the state and local governments to maintain
  order and deliver minimum essential public services; and the private sector to ensure the
  orderly functioning of the economy and the delivery of essential telecommunications,
  energy, financial and transportation services.  PDD-63 directs the United States to
  eliminate any significant vulnerability to both physical and cyber attacks on its critical
  infrastructures by May 22, 2003.
  
  The Department's CIPP identified Hoover Dam, Shasta Dam, Grand Coulee Dam, and
  the Main Interior Building and the Bureau of Reclamation's Supervisory Control and
  Data Acquisition computer system supporting dam operations as national critical
  infrastructures.
  
  In accordance with the Departmental Manual (360 DM 5.3), we are requesting a written
  response to this advisory letter by November 3, 2000.  
  
  Section 5(a) of the Inspector General Act (5 U.S.C. app. 3) requires the Office of
  Inspector General to list this report in its semiannual report to the Congress.  In addition,
  the Office of Inspector General provides audit reports to the Congress.

SCHEDULE OF REVIEW RESULTS