Critical Infrastructure Assurance Program, … Infrastructure Assurance Program, Department of ......
19
U.S. Department of the Interior Office of Inspector General Advisory Letter Critical Infrastructure Assurance Program, Department of the Interior Report No. 00-I-704 September 2000
Transcript of Critical Infrastructure Assurance Program, … Infrastructure Assurance Program, Department of ......
U.S. Department of the InteriorOffice of Inspector General
Advisory Letter
Critical Infrastructure Assurance Program,Department of the Interior
Report No. 00-I-704September 2000
2Threats can be external (from outside the organization) or internal (from employees or contractors). Threats also are natural (earthquakes or hurricanes), accidental (equipment failure or operator errors), orintentional (terrorists, hackers, or malicious employees).
2
completion in the fall of 2000. We found that the Department had adequately identified thecritical assets and submitted its Critical Infrastructure Protection Plan (CIPP) to the NationalCritical Assurance Office for review by an Expert Review Team (ERT). The Department has taken or plans to take the actions necessary to incorporatethe ERT’s suggested improvements.
We also found, that the Department had not documented the results of the periodic reviewsregarding its threat environment.2 The Departmental Manual (375 DM 19.8) states:
Each bureau will conduct periodic reviews of its Information Technology (IT)security program to determine its effectiveness and to re-certify the adequacy ofthe installed security safeguards. These reviews may use existing reports, suchas those prepared for risk analyses, IT certifications, Privacy Act inspections,Departmental Management Control Evaluations, and Inspector General audits.The results of these reviews should serve as a basis for the annual bureau ITsecurity Plan.
Departmental IT officials told us that these reviews were performed for each bureau but werenot documented. We believe that the review process should have included written notificationsto bureaus concerning the review, analysis, assessments, implementation of corrective actions,and results of the review. In that regard, without adequate documentation of the reviewprocess, there was no accountability for the actions taken.
Recommendations
We recommend that the Department’s Chief Information Officer (CIO):
1. Ensure that the Department establishes and implements a requirement to document theperiodic threat review process that includes written notifications to bureaus concerning thereview, analysis, assessments, and implementation of corrective actions.
2. Ensure that the CIPP is resubmitted to the ERT for approval.
Assistant Secretary for Policy, Management, and Budget Response and OIG Reply
3
In the September 27, 2000 response (Appendix 2) to the draft report from the AssistantSecretary for Policy, Management and Budget (AS/PMB), the AS/PMB concurred with therecommendations. The AS/PMB further stated that the CIO will, by December 15, 2000,ensure that the Department establishes and implements a requirement to document the periodicthreat review process that includes written notifications to bureaus concerning the review,analysis, assessments, and implementation of corrective actions (Recommendation 1). It furtherstated that by December 15, 2000, the requirement to document the periodic threat reviewprocess will be included in the Department's Critical Infrastructure Protection Plan andsubmitted to the National Critical Assurance Office for review by the ERT (Recommendation2).
Based on the response, we consider both recommendations resolved but not implemented(Appendix 3). Accordingly, the unimplemented recommendation will be referred to your Office of Financial Management for tracking of implementation.
Scope of Review
Our review was conducted as part of a Governmentwide four-phase PCIE review onimplementation of PDD-63. To accomplish our review, we conducted interviews with theCritical Infrastructure Assurance Officer and his staff, the CIO, and other IT officials to obtaininformation concerning the critical infrastructures and planning processes used by theDepartment. The four phases will review the adequacy of:
# Agency planning and assessment activities for protecting critical physical and cyber-based infrastructures (Phase I).
# Agency implementation activities for protecting cyber-based infrastructures (Phase 2).# Agency planning and assessment activities for protecting critical non-cyber
infrastructures (Phase 3).# Agency implementation activities for protecting critical non-cyber infrastructures.
(Phase 4).
The results of our review of the Departmental cyber-based planning efforts under Phase 1 andthe review steps that were developed by the PCIE working group are detailed in Appendix 1. The results of the review will also be sent to the PCIE working group for inclusion in agovernmentwide report concerning the security of Federal critical infrastructures.
Background
Advances in information technology have resulted in increasing the automation and interlinkingof physical and cyber-based infrastructures and have created new vulnerabilities to intentional
4
or unintentional infrastructure attacks from human error, weather, and equipment failure thatcould significantly harm the Nation’s economy and military capability.
PDD-63, which was signed on May 22, 1998, ordered the strengthening of the Nation’sdefense against terrorist acts, weapons of mass destruction, and assaults on criticalinfrastructures that would diminish the ability of the Federal Government to protect the nationalsecurity and ensure general public health and safety; of the state and local governments tomaintain order and deliver minimum essential public services; and of the private sector to ensurethe orderly functioning of the economy and the delivery of essential telecommunications, energy,financial, and transportation services. PDD-63 further directs the Federal Government toeliminate any significant vulnerability to both physical and cyber attacks on its criticalinfrastructures by May 22, 2003.
The Department’s CIPP identified Hoover Dam, Shasta Dam, Grand Coulee Dam, and theMain Interior Building and the Bureau of Reclamation’s Supervisory Control and DataAcquisition computer system supporting dam operations as national critical infrastructures.
Since this letter’s recommendations are considered resolved, no further response to the Officeof Inspector General is required ( see Appendix 3).
This advisory letter will be listed in our semiannual report to Congress, as required by Section5(a) of the Inspector General Act (5 U.S.C. app.3).
5
SCHEDULE OF REVIEW RESULTS
Review Step(a)(b)
Yes(c)
No(d)
N/A(e)
Cause If "No" Answer in
Column (d)(f)
Effect (g)
EstimatedDate of
Resolution(h)
EstimatedCost of
Resolution(i)
Estimate is in Agency
CIP Budget(j)
Recommendation(k)
A.1 Has agency completed itsCritical Infrastructure Protection Plan(CIPP)?
X
A.2 If the agency does not plan tocomplete a CIPP, is it because it isnot a Phase I/II agency subject toPresidential Decision Directive (PDD)63?
X
A.3 Identify agency's cyber-basedassets that may be subject to PDD63. Does agency managementagree that any of the assets shouldbe subject to PDD 63?
X
A.4 For agencies that haveprepared a CIPP, did the CriticalInfrastructure Coordination Groupsponsor the required "expert reviewprocess" for the CIPP? If an ExpertReview Team (ERT) review was notperformed, then determine the"cause" and continue the remainingsteps.
X
A.5 If the Critical InfrastructureCoordination Group completed theexpert review and found the CIPP tobe deficient, has the agency takenadequate remedial action(s)?
X The Departmentincorporated many ofthe Expert ReviewTeam's suggestedimprovements and hasmade further revisionsduring our audit.
N/A Jul-00 N/A N/A Ensure that the CIPP isresubmitted to the ERT forapproval.
A.6 Did the CIPP require theappointment of a Chief InfrastructureAssurance Officer (CIAO), who willhave overall responsibility forprotecting the agency's criticalinfrastructure?
X
A.7 Has the agency appointed aCIAO? X
Review Step(a)(b)
Yes(c)
No(d)
N/A(e)
Cause If "No" Answer in
Column (d)(f)
Effect (g)
EstimatedDate of
Resolution(h)
EstimatedCost of
Resolution(i)
Estimate is in Agency
CIP Budget(j)
Recommendation(k)
6
A.8 Does the CIPP require theagency to identify its cyber-basedMission Essential Infrastructure(MEI)?
X
A.9 Does the CIPP identify amilestone for identifying itscyber-based MEI?
X The identification ofcyber-based MEI wascompleted prior todeveloping the CIPP.
N/A N/A N/A N/A N/A
A.10 Does the agency CIPP requirean evaluation of new assets todetermine whether they should beincluded in its MEI?
X
A.11 Does the CIPP require theagency to perform vulnerabilityassessments of its cyber-basedMEI?
X
A.12 Does the CIPP require periodicupdates of the assessments? X
A.13 Does the CIPP identifymilestones for completing thevulnerability assessments?
X
A.14 Does the CIPP require riskmitigation relative to potential damagestemming from each vulnerability?
X
A.15 Does the CIPP provide forperiodic testing and reevaluation ofrisk mitigation steps (policies,procedures, and controls) byagency management?
X
A.16 Does the CIPP provide amilestone for taking steps to mitigaterisks?
X
A.17 Does the CIPP requireestablishment of an emergencymanagement program?
X
Review Step(a)(b)
Yes(c)
No(d)
N/A(e)
Cause If "No" Answer in
Column (d)(f)
Effect (g)
EstimatedDate of
Resolution(h)
EstimatedCost of
Resolution(i)
Estimate is in Agency
CIP Budget(j)
Recommendation(k)
7
A.18. If the answer to A.17 is yes,does the CIPP specify that theemergency management programincludes:a) Incorporation of indications andwarnings?
X
b) Incident collection, reporting, andanalysis? X
c) Response and continuity ofoperation plans? X
d) A system for responding tosignificant infrastructure attackswhile the attacks are under way,with the goal of isolating andminimizing damage?
X
e) Notification to OIG criminalinvestigators of infrastructureattacks?
X Although the CIPP didnot include arequirement to notify theOIG, the DepartmentalManual (375 DM 19.9,B(2)) requires thenotification.
N/A N/A N/A N/A N/A
A.19 Does the CIPP requireestablishment of a system forquickly reconstituting minimumrequired capabilities following asuccessful infrastructure attack?
X Although the CIPP didnot include arequirement to establisha system for quicklyreconstituting minimumrequired capabilitiesfollowing a successfulinfrastructure attack, itwas required by theDepartmental Manual(375 DM 19.4, H and K)to do so.
N/A N/A N/A N/A N/A
A.20 Does the CIPP identify amilestone for establishing theemergency management program?
X
Review Step(a)(b)
Yes(c)
No(d)
N/A(e)
Cause If "No" Answer in
Column (d)(f)
Effect (g)
EstimatedDate of
Resolution(h)
EstimatedCost of
Resolution(i)
Estimate is in Agency
CIP Budget(j)
Recommendation(k)
8
A.21 Does the CIPP require areview of existing policies andprocedures to determine whetherthe agency should revise them toreflect PDD 63 requirements?
X Departmental officialsimplemented arequirement for areview that ensuresthat PDD 63requirements arefollowed. In addition,this review is requiredby the DepartmentalManual (375 DM 19.4,C).
N/A N/A N/A N/A N/A
A.22 Does the CIPP identify amilestone for reviewing existingpolicies and procedures?
X During our review,Department officialsimplemented arequirement for annualmilestones.
N/A Jul-00 N/A N/A N/A
A.23. Does the CIPP require theagency to ensure that securityplanning procedures are beingincorporated into the basic design ofnew programs that include criticalinfrastructures, including provisionsfor:
a) Risk management andassessments?
X Although the CIPP didnot include arequirement to ensurethat security planningprocedures were beingincorporated into thebasic design of newprograms that includecritical infrastructures,this is required by theDepartmental Manual(375 DM 19.4,B).
N/A N/A N/A N/A N/A
b) Security plans for IT systems? Xc) Security for command, control,and communications? X
d) Identification of classified orsensitive information? X
e) Awareness and trainingmeasures to be taken for eachprogram?
X
Review Step(a)(b)
Yes(c)
No(d)
N/A(e)
Cause If "No" Answer in
Column (d)(f)
Effect (g)
EstimatedDate of
Resolution(h)
EstimatedCost of
Resolution(i)
Estimate is in Agency
CIP Budget(j)
Recommendation(k)
9
A.24 Does the CIPP identify amilestone for establishingprocedures to ensure that theagency incorporates securityplanning into the basic design ofnew programs?
X Although the CIPP didnot identify a milestonefor establishingprocedures to ensurethat the agencyincorporates securityplanning into the basicdesign of newprograms, it is requiredby the DepartmentalManual (375 DM 19.4,B).
N/A N/A N/A N/A N/A
A.25 Does the CIPP require theagency to incorporate its CIPfunctions into its strategic planningand performance measurementframeworks?
X The Department's CIPPdoes not require theagency to includeCritical InfrastructurePlanning functions in itsstrategic plan. This isbecause only one(BOR) of the eightbureaus is directlyinvolved with CriticalInfrastructure and thenonly in a small part of itsoverall program. Thestrategic planconcentrates on themajor Departmentalgoals for protecting theenvironment, preservingnatural and culturalresources, providingrecreation, conductingscientific studies, andmeeting responsibilitiesto American Indians.
N/A N/A N/A N/A N/A
A.26 Does the CIPP identify amilestone for incorporating its criticalinfrastructure protection functionsinto its strategic planning andperformance measurementframeworks?
X See response to A.25. N/A N/A N/A N/A N/A
Review Step(a)(b)
Yes(c)
No(d)
N/A(e)
Cause If "No" Answer in
Column (d)(f)
Effect (g)
EstimatedDate of
Resolution(h)
EstimatedCost of
Resolution(i)
Estimate is in Agency
CIP Budget(j)
Recommendation(k)
10
A.27 Does the CIPP requireagencies to identify resource andorganizational requirements forimplementing PDD 63?
X
A.28 Does the CIPP identify amilestone for identifying resourceand organizational requirements forimplementing PDD 63?
X The milestone will beestablished pending thecompletion of thevulnerabilityassessment work thatis in progress.
N/A Sep-00 $270,000 N/A N/A
A.29 Does the CIPP require theagency to establish a program toensure that it has the personnel andskills necessary to implement asound infrastructure protectionprogram?
X
A.30 Does the CIPP identify amilestone for establishing a programthat would ensure that the agencyhas the personnel and skillsnecessary to implement a soundinfrastructure protection program?
X
A.31 Does the CIPP require theagency to establish effective CIPcoordination with other applicableentities (foreign, state, and localgovernments and industry)?
X
A.32 Does the CIPP identify amilestone for establishing effectiveCIP coordination with otherapplicable entities (foreign, state,and local governments andindustry)?
X
A.33 Are the agency's plans for thecontinuous / periodic review of itsthreat environment: a) Adequate?
X
Review Step(a)(b)
Yes(c)
No(d)
N/A(e)
Cause If "No" Answer in
Column (d)(f)
Effect (g)
EstimatedDate of
Resolution(h)
EstimatedCost of
Resolution(i)
Estimate is in Agency
CIP Budget(j)
Recommendation(k)
11
b) Being implemented by theagency? X The Departmental
Manual (375 DM 19.8)requires the Office ofInformation ResourcesManagement to conductperiodic reviews.Departmental IT officialstold us that thesereviews wereperformed for eachbureau but were notdocumented. Webelieve that the reviewprocess should haveincluded writtennotifications to bureausconcerning the review,analysis, assessments,and implementation ofcorrective actions andresults of the review.
We believe thatwithout adequatedocumentation ofthe reviewprocess, there is alack ofaccountability forthe actions taken.
Ensure that the Departmentestablishes and implementsa requirement to documentthe periodic threat reviewprocess that includeswritten notifications tobureaus concerning thereview, analysis,assessments, andimplementation ofcorrective actions.
B.1. Has the agency identified thefollowing cyber-based MEI:
a) People? (Staff, management,security, and executives necessaryto plan, organize, acquire, deliver,support, and monitor mission-relatedservices, information systems, andfacilities, including the groups andindividuals external to theorganization involved in thefulfillment of the organization'smission.)
X
b) Technology? (All hardware andsoftware, connectivity,countermeasures, and/orsafeguards that are utilized insupport of the core process.)
X
c) Applications? (All applicationsystems, internal and external,utilized in support of the coreprocess.)
X
Review Step(a)(b)
Yes(c)
No(d)
N/A(e)
Cause If "No" Answer in
Column (d)(f)
Effect (g)
EstimatedDate of
Resolution(h)
EstimatedCost of
Resolution(i)
Estimate is in Agency
CIP Budget(j)
Recommendation(k)
12
d) Data? (All data, electronic / hardcopy, and information required tosupport the core process. Thesedata include numbers, characters,images, or other methods ofrecording in a form that can beassessed by a human or input into acomputer, stored and processedthere, or transmitted on somedigital/communications channel.)
X
e) Facilities? (All facilities requiredto support the core processes,including the resources to houseand support information technologyresources, and the other resourceelements defined above in questionB.1.)
X
B.2a Were the criteria used toidentify DOI’s MEI consistent with thecriteria used by the CIAO to identifyagency MEI? (See page 1, footnote1, for CIAO definition of agency MEI.)
X
B.2b Did the agency use the CIAOinfrastructure asset evaluationsurvey to identify its MEI assets?
X The CIPP was preparedin June 1999, whichwas before theeffective date of thecriteria (January 2000).
N/A N/A N/A N/A N/A
B.3 Evaluate the adequacy of theagency's efforts to identify MEI andMEI interdependencies withapplicable Federal agencies, stateand local government activities, andindustry:
a) Has the agency identified assetsconsistent with the MEI as defined inquestion B.2?
X
b) Did the agency use the results ofits Year 2000 (Y2K) work inidentifying the MEI?
X
Review Step(a)(b)
Yes(c)
No(d)
N/A(e)
Cause If "No" Answer in
Column (d)(f)
Effect (g)
EstimatedDate of
Resolution(h)
EstimatedCost of
Resolution(i)
Estimate is in Agency
CIP Budget(j)
Recommendation(k)
13
c) Did the asset identificationprocess include a determination ofits estimated replacement costs,planned life cycle, and potentialimpact to the agency if the asset isrendered unusable?
X
d) Has the agency establishedmilestones for identifying andreviewing its MEI?
X
e) Is the agency meeting itsmilestones? X
C.1 Has the agency performed anddocumented an initial vulnerabilityassessment and developedredemption plans for its MEI?
X Pending the completionof the vulnerabilityassessment work thatis in progress.
N/A Sep-00 See A. 28 N/A N/A
C.2 Did the vulnerabilityassessments address the threattype and magnitude of the threat, thesource of the threats, existingprotection measures, the probabilityof occurrence, damage that couldresult from a successful attack, andthe likelihood of success if such anattack occurred?
X Pending the completionof the vulnerabilityassessment work thatis in progress.
N/A N/A N/A N/A N/A
C.3 Did the redemption plansaddress the vulnerabilities foundduring the assessment?
X Pending the completionof the vulnerabilityassessment work thatis in progress.
N/A Oct-00 N/A N/A N/A
C.4 Has the agency determined thelevel of protection currently in placefor its MEI?
X Pending the completionof the vulnerabilityassessment work thatis in progress.
N/A Aug-00 N/A N/A N/A
C.5 Has the agency identified theactions that must be taken before itcan achieve a reasonable level ofprotection for its MEI?
X Pending the completionof the vulnerabilityassessment work thatis in progress.
N/A Aug-00 N/A N/A N/A
C.6 If the answer to C. 5 is yes,has the agency developed a relatedimplementation plan and mechanismto monitor such implementation?
X Pending the completionof the vulnerabilityassessment work thatis in progress.
N/A Oct-00 N/A N/A N/A
Review Step(a)(b)
Yes(c)
No(d)
N/A(e)
Cause If "No" Answer in
Column (d)(f)
Effect (g)
EstimatedDate of
Resolution(h)
EstimatedCost of
Resolution(i)
Estimate is in Agency
CIP Budget(j)
Recommendation(k)
14
C.7 Has the agency delegatedresponsibility for vulnerabilityassessments to the agency CIO?
X
C.8 Has the agency adopted amulti-year funding plan thataddresses the identified threats?
X BOR has identifiedestimated fundingneeds for Its security-related issues. Thesewill need furtherrefinement once resultsof Sandia NationalLaboratory (SNL)recommendations havebeen evaluated.
N/A Oct-00 N/A N/A N/A
C.9 Has the agency reflected thecost of implementing a multi-yearvulnerability redemption plan in its FY2001 budget submission to theOffice of Management and Budget?
X Estimated adjustmentsto the FY 2001 budgethave been made.Determination of moreprecise requirementswill result from theevaluation of the SNLrecommendations.
N/A Sep-00 N/A N/A N/A
C.10 Did the vulnerabilityassessments query national threatguidance for international, domestic,and state-sponsoredterrorism/information warfare (e.g.,from the Department of Defense,FBI, NSA, and other Federal andstate agencies)?
X Pending the completionof the vulnerabilityassessment work thatis in progress.
N/A Sep-00 N/A N/A N/A
C.11 Has the agency prioritized thethreats according to their relativeimportance?
X Pending the completionof the vulnerabilityassessment work thatis in progress.
N/A Sep-00 N/A N/A N/A
C.12 Has the agency assessed thevulnerability of its MEI to possiblefailures that could result frominterdependencies with applicableFederal agencies, state and localgovernment activities, and privatesector providers oftelecommunications, electricalpower, and other infrastructureservices?
X
Review Step(a)(b)
Yes(c)
No(d)
N/A(e)
Cause If "No" Answer in
Column (d)(f)
Effect (g)
EstimatedDate of
Resolution(h)
EstimatedCost of
Resolution(i)
Estimate is in Agency
CIP Budget(j)
Recommendation(k)
15
C.13 Do the processes used toidentify and reflect new threats tothe agency's MEI appear adequate?
X
C.14 Do the results of thevulnerability assessmentsnecessitate revisions to agencypolicies that govern the managementand protection of agency MEI?
X The preparation ofsecurity policies andprocedures arecurrently ongoing, alongwith the vulnerabilityassessment.
N/A Sep-00 N/A N/A N/A
C.15 Did the results of the ERTcoincide with answers derived fromquestions A.1 through C.14?
X
APPENDIX 3
16
STATUS OF EVALUATION REPORT RECOMMENDATIONS
RecommendationReference
1 and 2
Status
Resolved; notimplemented
Action Required
No further response to response to the Office ofInspector General is required. Therecommendations will be referred to your Officeof Financial Management for tracking ofimplementation.
ILLEGAL OR WASTEFUL ACTIVITIES SHOULD BE REPORTED TO THE OFFICE OF INSPECTOR GENERAL
Internet Complaint Form Address http://www.oig.doi.gov/hotline_form.html Within the Continental United States U.S. Department of the Interior Our 24-hour Office of Inspector General Telephone HOTLINE 1849 C Street, N.W. 1-800-424-5081 or Mail Stop 5341 - MIB (202) 208-5300 Washington, D.C. 20240-0001
TDD for hearing impaired (202) 208-2420
Outside the Continental United States Caribbean Region U.S. Department of the Interior (703) 235-9221 Office of Inspector General Eastern Division - Investigations 4040 Fairfax Drive Suite 303 Arlington, Virginia 22203 Pacific Region U.S. Department of the Interior (671) 647-6060 Office of Inspector General Guam Field Pacific Office 415 Chalan San Antonio Baltej Pavilion, Suite 306 Agana, Guam 96911
HHHHOOOOTTTTLLLLIIIINNNNEEEE U.S. Department of the Interior Office of Inspector General 1849 C Street, NW Mail Stop 5341- MIB Washington, D.C. 20240-0001 Toll Free Number
1-800-424-5081 Commercial Numbers
(202) 208-5300 TDD (202) 208-2420
