[Advisory Letter on Department of the Interior Responses to Review Guide for Planning and Assessment Activities for Protecting Critical Non-Cyber Infrastructures]
[From the U.S. Government Printing Office, www.gpo.gov]

Report No. 2002-I-0012

Title: Advisory Letter on Department of the Interior Responses
       to Review Guide for Planning and Assessment Activities
       for Protecting Critical Non-Cyber Infrastructures

 
Date:  December 21, 2001

**********DISCLAIMER**********
This file contains an ASCII representation of an OIG report. No attempt has been made to display graphic images or illustrations. Some tables may be included, but may not resemble those in the printed version. A printed copy of this report may be obtained by referring to the PDF file or by calling the Office of Inspector General, Division of Acquisition and Management Operations at (202) 219-3841.
******************************

December 21, 2001

Advisory Letter

Memorandum

To:  Assistant Secretary for Policy, Management and Budget

From:  Elaine T. Weistock /signed/
Director, Quality Assurance and Audit Followup

Subject:  Advisory Letter on Department of the Interior Responses to Review Guide for Planning and Assessment Activities for Protecting Critical Non-Cyber Infrastructures (No. 2002-I-0012)

As requested by the President's Council on Integrity and Efficiency (PCIE), we completed the PCIE's review guide, which was designed to obtain information concerning the critical physical infrastructure and planning processes used by the Department of the Interior (DOI).  We conducted the review as part of a Governmentwide four-phase PCIE evaluation of Federal agency implementation of Presidential Decision Directive 63 (PDD-63).  The Directive called for a national effort to ensure the security of the Nation's critical physical and cyber-based infrastructures.[1]  The four phases of the review include the following:

  Agency planning and assessment activities for protecting critical cyber-based infrastructures (Phase 1).
  Agency implementation activities for protecting critical cyber-based infrastructures (Phase 2).
  Agency planning and assessment activities for protecting critical non-cyber infrastructures (Phase 3).
  Agency implementation activities for protecting critical non-cyber infrastructures (Phase 4).

We also evaluated DOI's implementation of the two recommendations contained in our Phase 1 advisory letter (No. 00-I-704), which was issued in September 2000.  The results of the review will be sent to the PCIE working group for inclusion in a Governmentwide report concerning the security of Federal critical infrastructures.

Background  

Advances in information technology have increased the automation and interlinking of physical and cyber-based infrastructures.  This interdependence has created new vulnerabilities, both to intentional attacks and to unintentional disruptions caused by human error, weather, and equipment failure, that could significantly harm the Nation's economy and military capability.


PDD-63, signed on May 22, 1998, ordered the strengthening of the Nation=s defense against terrorist acts, weapons of mass destruction, and assaults on critical infrastructures that would diminish the ability of the Government to protect the national security and ensure general public health and safety; the state and local governments to maintain order and deliver minimum essential public services; and the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial, and transportation services.  PDD-63 directs the Government to eliminate any significant vulnerability to both physical and cyber attacks on its critical infrastructures by May 22, 2003.

DOI's Critical Infrastructure Protection Plan (CIPP) identified Hoover Dam, Shasta Dam, Grand Coulee Dam, the Main Interior Building, and the Bureau of Reclamation's Supervisory Control and Data Acquisition computer system supporting dam operations as national critical infrastructures.

Results of Review  

Based on its responses to the review guide, DOI has identified its critical assets, completed its initial vulnerability assessments, and resubmitted its CIPP to the Critical Infrastructure Assurance Office for review by an Expert Review Team (ERT).  Although PDD-63 did not require DOI to notify the Office of Inspector General's (OIG) criminal investigations office of physical infrastructure attacks (see review step A.19.e in Appendix 1), we consider it appropriate for DOI to notify the OIG when attacks on critical physical infrastructure have occurred.  Also, DOI has taken action to incorporate the ERT's previously suggested improvements and to implement the two recommendations contained in our Phase 1 advisory letter.  The two recommendations pertained to the establishment and implementation of a requirement to document the periodic threat review process and the resubmission of the CIPP to the ERT for approval.

The results of our review of DOI's critical physical infrastructure protection planning efforts under Phase 3 and the review steps that were developed by the PCIE working group are detailed in Appendix 1.

Recommendation

We recommend that DOI's Critical Infrastructure Assurance Officer (CIAO) establish a policy requiring that the OIG be notified when attacks on DOI's critical physical infrastructure assets occur.

Assistant Secretary for Policy, Management, and Budget Response and OIG Reply  

In an August 14, 2001, response (Appendix 2) to the draft report, the Director, Office of Managing Risk and Public Safety (DOI's CIAO), concurred "with the spirit of the recommendation that the OIG be notified when attacks on DOI's critical physical infrastructure assets occur."  The response further stated that the "policy can be effective immediately."  The policy, however, was not prepared by the date we issued this final report.  Based on the response, we consider the recommendation resolved and we are requesting additional information (Appendix 3).

In accordance with the Departmental Manual (360 DM 5.3), please provide us with your written response by January 31, 2002, regarding the target date for issuing a policy that requires OIG notification when attacks occur on DOI's critical physical infrastructure assets.

The Inspector General Act, as amended, which created the OIG, requires semiannual reporting to Congress on all audit reports issued, actions taken to implement audit recommendations, and identification of each significant recommendation on which corrective action has not been taken.

This advisory letter will be listed in our semiannual report to the Congress, as required by Section 5(a) of the Inspector General Act (5 U.S.C. App. 3).



Appendix 1: Review Steps and DOI Responses

A.1  Has agency completed its Critical Infrastructure Protection Plan (CIPP)?  Yes.

A.2  If the agency does not plan to complete a CIPP, is it because it is not a Phase I/II agency subject to Presidential Decision Directive (PDD) 63 or among the agencies listed in the Critical Infrastructure Assurance Officer's (CIAO) Project Matrix?  N/A.

A.3  If the answer to question A.2 is yes, then identify the agency's physical assets that may be subject to PDD-63.  Does agency management agree that any of the assets should be subject to PDD-63?  N/A.

A.4  For agencies that have prepared a CIPP, did the Critical Infrastructure Coordination Group sponsor the required "expert review process" for the CIPP?  If an Expert Review Team (ERT) review was not performed, then determine the "cause" and continue with the remaining steps.  Yes.

A.5  If the Critical Infrastructure Coordination Group completed the expert review and found the CIPP deficient, has the agency taken adequate remedial action(s)?  Yes.

A.6  Does the CIPP require the appointment of a CIAO who will have overall responsibility for protecting the agency's critical infrastructure?  Yes.

A.7  Has the agency appointed a CIAO?  Yes.

A.8  Does the CIPP require the agency to identify its physical Mission Essential Infrastructure (MEI)?  Yes.

A.9  If the answer to question A.8 is yes, does the identification of assets include leased assets from the public or private sector?  No. DOI does not lease critical physical assets.

A.10  Does the CIPP identify a milestone for identifying its physical MEI?  Yes.

A.11  Does the agency CIPP require an evaluation of new assets to determine whether they should be included in its MEI?  Yes.

A.12  Does the CIPP require the agency to perform vulnerability assessments of its physical MEI?  Yes. 

A.13  Does the CIPP require periodic updates of the assessments?  Yes.

A.14  Does the CIPP identify milestones for completing the vulnerability assessments? Yes.

A.15  Does the CIPP require risk mitigation relative to potential damage stemming from each vulnerability?  Yes.

A.16  Does the CIPP provide for periodic testing and re-evaluation of risk mitigation steps (policies, procedures, and controls) by agency management? Yes.

A.17  Does the CIPP provide a milestone for taking steps to mitigate risks?  Yes.  

A.18  Does the CIPP require establishment of an emergency management program?  Yes.

A.19.a  If the answer to question A.18 is yes, does the CIPP specify that the emergency management program include incorporation of indications and warnings?  Yes.

A.19.b  Incident collection, reporting, and analysis?  Yes.

A.19.c  Response and continuity of operation plans?  Yes.

A.19.d  A system for responding to significant infrastructure attacks while the attacks are under way, with the goal of isolating and minimizing damage?  Yes.

A.19.e  Notification to OIG criminal investigators of infrastructure attacks?  No.  DOI has existing linkages and close working relationships with Federal, state, and local law enforcement agencies and intelligence sources.  Recommendation: establish a policy requiring that the Office of Inspector General be notified when attacks occur on DOI's critical physical infrastructure assets.

A.19.f  Criteria for determining if an incident should be reported to the National Infrastructure Protection Center (NIPC) or Federal Computer Incident Response Capability (FedCIRC)?  Yes.

A.19.g  Procedures for reporting a computer security- or infrastructure-related incident to the NIPC?  Yes.

A.20  Does the CIPP require establishment of a system for quickly reconstituting minimum required capabilities following a successful infrastructure attack?  Yes.

A.21  Does the CIPP identify a milestone for establishing the emergency management program?  Yes.

A.22  Does the CIPP require a review of existing policies and procedures to determine whether the agency should revise them to reflect PDD-63 requirements?  Yes.  

A.23  Does the CIPP identify a milestone for reviewing existing policies and procedures?  Yes.

A.24  Does the CIPP require the agency to incorporate its CIP functions into its strategic planning and performance measurement frameworks?  No.  DOI's CIPP does not require the agency to include CIP functions in its strategic plan.  This is because only certain assets of one (the Bureau of Reclamation) of the eight bureaus and the Main Interior Building are considered critical infrastructure.  These assets constitute a small portion of DOI's overall infrastructure.  DOI's strategic plan concentrates on DOI's major programmatic goals, such as protecting the environment and preserving natural and cultural resources.

A.25  Does the CIPP identify a milestone for incorporating its critical infrastructure protection functions into its strategic planning and performance measurement frameworks?  No.  See response to question A.24.

A.26  Does the CIPP require agencies to identify resource and organizational requirements for implementing PDD-63?  Yes.

A.27  Does the CIPP identify a milestone for identifying resource and organizational requirements for implementing PDD-63?  Yes.

A.28  Does the CIPP require the agency to establish a program to ensure that it has the personnel and skills necessary to implement a sound infrastructure protection program?  Yes.


A.29  Does the CIPP identify a milestone for establishing a program that would ensure that the agency has the personnel and skills necessary to implement a sound infrastructure protection program?  Yes.

A.30  Does the CIPP require the agency to establish effective CIP coordination with other applicable entities (foreign, state, and local governments and industry)?  Yes.

A.31  Does the CIPP identify a milestone for establishing effective CIP coordination with other applicable entities (foreign, state, and local governments and industry)?  Yes.

A.32  Do the agency's plans for the continuous periodic review of its threat environment appear adequate, and is the agency complying with these plans?  Yes.

B.1  Has the agency identified its physical (non-cyber-based) MEI?  Yes.

B.1.a  Does the physical MEI include staff and management, such as security management and executives, needed to plan, organize, acquire, deliver, support, and monitor mission-related services, information systems, and facilities?  Yes.

B.1.b  Does the physical MEI include facilities (all facilities required to support the core processes, including the information technology resources that support them)?  Yes.

B.2.a  Evaluate the adequacy of the agency's efforts to identify MEI and MEI interdependencies with applicable Federal agencies, state and local government activities, and/or industry.  Has the agency identified critical physical assets consistent with the criteria in footnote 1 of the Phase III review guide?  Yes.

B.2.b Has the agency identified interdependencies for its critical physical assets?  Yes.

B.2.c  Did the agency use the CIAO infrastructure asset evaluation survey to identify its MEI assets?  No.  The critical physical infrastructure was identified and the CIPP was prepared in June 1999, which was before the effective date of the survey criteria (January 2000).

B.2.d  Did the asset identification process include a determination of the estimated replacement cost, planned life cycle, and potential impact to the agency if the asset is rendered unusable?  No.  The asset identification process included a determination of the potential impact on the agency if an asset were rendered unusable.  DOI officials said, however, that they did not consider it necessary to estimate the replacement cost and planned life cycle of such assets.

B.2.e  Has the agency established milestones for identifying and reviewing its MEI?  Yes.

B.2.f  Is the agency meeting its milestones?  Yes.

C.1  Has the agency performed and documented an initial vulnerability assessment and developed remediation plans for its MEI?  Yes.

C.2  Did the vulnerability assessments address the threat type and magnitude of the threat, the source of the threats, existing protection measures, the probability of occurrence, damage that could result from a successful attack, and the likelihood of success if such an attack occurred?  Yes.

C.3  Did the remediation plans address the vulnerabilities found during the assessment?  Yes.

C.4  Has the agency determined the level of protection currently in place for its MEI?  Yes.


C.5  Has the agency identified the actions that must be taken before it can achieve a reasonable level of protection for its MEI?  Yes.

C.6  If the answer to question C.5 is yes, has the agency developed a related implementation plan and a mechanism to monitor such implementation?  Yes.

C.7  Has the agency delegated responsibility for vulnerability assessments to the agency CIO or CIAO?  Yes.

C.8  Has the agency adopted a multi-year funding plan that addresses the identified threats?  Yes.

C.9  Has the agency reflected the cost of implementing a multi-year vulnerability remediation plan in its budget submissions to OMB?  Yes.

C.10  Did the vulnerability assessments query national threat guidance for international, domestic, and state-sponsored terrorism/information warfare (e.g., from the DoD, FBI, NSA, and other Federal and state agencies)?  Yes.

C.11  Has the agency prioritized the threats according to their relative importance?  Yes.

C.12  Has the agency assessed the vulnerability of its MEI to failures that could result from interdependencies with applicable Federal agency and state and local government activities and private sector providers of telecommunications, electrical power, and other infrastructure services?  Yes.

C.13  Do the processes used to identify and reflect new threats to the agency's MEI appear adequate?  Yes.

C.14  Do the results of the vulnerability assessments necessitate revisions to agency policies that govern the management and protection of agency MEI? Yes.

C.15  Did the results of the ERT coincide with answers derived from questions A.1 through C.14?  Yes.



STATUS OF ADVISORY LETTER RECOMMENDATION


Recommendation: 1

Status:  Management concurs; additional information needed.

Action Required:  Provide a target date for issuance of a policy on notifying OIG when attacks occur on DOI's critical physical infrastructure assets.

[1] Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and Government, including, but not limited to, telecommunications, energy, banking and finance, transportation, and water systems and emergency services, both Governmental and private.