This is the accessible text file for GAO report number GAO-07-1077 
entitled 'Defense Infrastructure: Management Actions Needed to Ensure 
Effectiveness of DOD's Risk Management Approach for the Defense 
Industrial Base' which was released on August 31, 2007. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 

GAO: 

August 2007: 

Defense Infrastructure: 

Management Actions Needed to Ensure Effectiveness of DOD's Risk 
Management Approach for the Defense Industrial Base: 

Defense Infrastructure: 

GAO-07-1077: 

GAO Highlights: 

Highlights of GAO-07-1077, a report to congressional requesters. 

Why GAO Did This Study: 

The U.S. military relies on the defense industrial base (DIB) to meet 
requirements to fulfill the National Military Strategy. The potential 
destruction, incapacitation, or exploitation of critical DIB assets by 
attack, crime, technological failure, natural disaster, or man-made 
catastrophe could jeopardize the success of U.S. military operations. 
GAO was asked to review the Department of Defenseís (DOD) Defense 
Critical Infrastructure Program and has already reported that DOD has 
not developed a comprehensive management plan for its implementation. 
This, the second GAO report, has (1) determined the status of DODís 
efforts to develop and implement a risk management approach to ensure 
the availability of DIB assets, and (2) identified challenges DOD faces 
in its approach to risk management. GAO analyzed plans, guidance, and 
other documents on identifying, prioritizing, and assessing critical 
domestic and foreign DIB assets and held discussions with DOD and 
contractor officials. 

What GAO Found: 

DOD has begun developing and implementing a risk management approach to 
ensure the availability of DIB assets needed to support mission-
essential tasks, though implementation is still at an early stage. Its 
sector assurance and sector-specific plans focus on steps to identify a 
list of critical assets that, if damaged, would result in unacceptable 
consequences; prioritize those critical assets based on a risk 
assessment process; perform vulnerability assessments on high-priority 
critical assets, and encourage contractorsí actions to remediate or 
mitigate adverse effects found during these assessments, as 
appropriate, to ensure continuity of business. The Defense Contract 
Management Agency, the executing agency for the DIB, has developed a 
process to identify the most important DIB assets and to narrow this 
list to those it considers critical. It has also developed an asset 
prioritization model for determining a criticality score and ranking 
critical assets, and it has established a standardized mission 
assurance vulnerability assessment process for critical DIB assets. 

DOD faces several key challenges in implementing its DIB risk 
management approach. Overall, DODís methodology for identifying 
critical DIB assets is evolving, and DOD lacks targets and time frames 
for completing development of key program elements that are needed for 
its risk management approach. Without them, DOD cannot measure its 
progress toward ensuring that DIB assets supporting critical DOD 
missions are properly identified and prioritized. The specific 
challenges are as follows: First, DOD is not fully incorporating the 
military servicesí mission-essential task information (i.e., listings 
of assets whose damage, degradation, or destruction would result in DOD-
wide mission failure) in compiling its critical asset list. Second, 
GAOís analysis of DODís prioritization model shows that weighting 
factors were selected and data determined according to subjective 
decisions and limited review, and that needed contractor-specific data 
were lacking, as was comprehensive threat information, thus undermining 
the utility of the index score for prioritizing contractors. Without 
these comprehensive data and a reliable asset prioritization model, DOD 
will not be in a sound position to know that it has identified the most 
important and critical assets, as called for in the National Military 
Strategy. Third, with regard to scheduling and conducting assessments 
of critical DIB assets, DOD is currently doing so based on contractor 
amenability and security clearance status without regard for assetsí 
priority rankings, and thus cannot ensure that the most critical DIB 
contractors are assessed. Fourth, DOD lacks a plan for developing 
options to work with the Department of State and other appropriate 
agencies to identify and address potential challenges in assessing 
vulnerabilities in foreign critical DIB assets. Until all these 
challenges are addressed, DOD will lack the visibility it needs over 
critical DIB asset vulnerabilities, will be unable to encourage 
critical DIB contractors to take needed remediation actions, and will 
be unable to make informed decisions regarding limited resources. 

What GAO Recommends: 

GAO recommends that DOD take specific actions to implement its risk 
management framework. DOD partially concurred with all of GAOís 
recommendations. DODís comments cited actions it planned to take that 
are generally responsive to our recommendations. 

[hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-1077]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Davi M. DíAgostino, (202) 
512-5431 or dagostino@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

DOD Has Begun Developing and Implementing a Risk Management Approach to 
Ensure the Availability of the DIB: 

DOD Will Need to Address Several Key Challenges in Implementing Its DIB 
Risk Management Approach: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Scope and Methodology: 

Appendix II: Comments from the Department of Defense: 

Appendix III: GAO Contact and Staff Acknowledgments: 

Tables: 

Table 1: A Summary of DOD's Efforts in Identifying and Assessing 
Critical DIB Assets as of June 1, 2007: 

Table 2: DCMA Criteria Used to Identify Important and Critical DIB 
Assets: 

Table 3: DCMA's Asset Prioritization Model Factors, Weighting Factors, 
and Factor Classification: 

Table 4: Assessments Planned during Fiscal Years 2007 to 2012: 

Figure: 

Figure 1: Operations and Maintenance Funding for DIB Activities for 
Fiscal Years 2004 to 2007 and Programmed Funding for Fiscal Years 2008 
to 2013: 

Abbreviations: 

ASD-HD: Assistant Secretary of Defense for Homeland Defense: 
ASD(HD&ASA): Assistant Secretary of Defense for Homeland Defense and 
Americas'Security Affairs: 
CBRNE: Chemical/biological/radiological/nuclear/explosive: 
CIP-MAA: Critical Infrastructure Program--Mission Assurance Assessment: 
DCIP: Defense Critical Infrastructure Program: 
DCMA: Defense Contract Management Agency: 
DHS: Department of Homeland Security: 
DIA: Defense Intelligence Agency: 
DIB: Defense Industrial Base: 
DOD: Department of Defense: 
DSS: Defense Security Service: 
DTRA: Defense Threat Reduction Agency: 
FBI: Federal Bureau of Investigation: 
HSPD-7: Homeland Security Presidential Directive 7: 
MSA: Metropolitan Statistical Area: 
OSD: Office of the Secretary of Defense: 
PCII: Protected Critical Infrastructure Information: 
USD(AT&L): Undersecretary of Defense for Acquisition, Technology, and 
Logistics: 
USD(P): Under Secretary of Defense for Policy: 

United States Government Accountability Office: 

Washington, DC 20548: 

August 31, 2007: 

The Honorable Solomon P. Ortiz: 
Chairman: 
The Honorable Jo Ann Davis: 
Ranking Member: 
Subcommittee on Readiness: Committee on Armed Services House of 
Representatives: 

The Honorable W. Todd Akin: 
House of Representatives: 

The U.S. military relies on the defense industrial base (DIB) to meet 
military requirements to fulfill the National Military Strategy. The 
DIB is the government and private-sector worldwide industrial complex 
with capabilities to perform research and development and design, 
produce, and maintain military weapons systems, subsystems, components, 
and parts. The DIB comprises hundreds of thousands of industrial sites, 
and the preponderance of the DIB is privately owned and includes 
businesses of all sizes. The potential destruction, incapacitation, or 
exploitation of critical DIB assets by terrorist attack, criminal 
activity, technological failure, natural disaster, or man-made 
catastrophe could jeopardize the success of U.S. military operations. 
For example, reliance on a single source contractor having the unique 
capability to make an industrial part or material critical to a mission 
could significantly affect warfighter operations if that material were 
not available because of a flood at the site of the manufacturing 
facility. 

Homeland Security Presidential Directive 7 (HSPD-7),[Footnote 1] issued 
in December 2003, designates the Secretary of the Department of 
Homeland Security (DHS) as the principal federal official to lead, 
integrate, and coordinate the implementation of efforts among the 
federal departments and agencies, state and local governments, and the 
private sector to protect the nation's critical infrastructure and key 
resources. 

In addition, the Homeland Security Act of 2002 and HSPD-7 directed DHS 
to produce a national plan for critical infrastructure and key 
resources protection. DHS issued the National Infrastructure Protection 
Plan on June 30, 2006. This plan provides the framework for developing, 
implementing, and maintaining a coordinated national effort. The plan 
also identifies 17 infrastructure and key asset sectors, and it 
designates one or more lead federal agencies--referred to as "sector- 
specific agencies"--for each sector. For example, DHS is the sector- 
specific agency for 10 of the 17 sectors, including information 
technology, transportation, and chemicals; the Department of Health and 
Human Services is the sector-specific agency for public health and 
healthcare; and the Department of Defense (DOD) is the sector-specific 
agency for the DIB. Sector-specific agencies are responsible for, among 
other things, collaborating with all relevant federal, state, and local 
governments and the private sector; encouraging risk management 
strategies; and conducting or facilitating vulnerability assessments of 
their sector. 

The cornerstone of the National Infrastructure Protection Plan is its 
risk-management framework, which establishes priorities based on risk 
and calls for protection and business continuity initiatives that 
provide the greatest mitigation of risk. The National Infrastructure 
Protection Plan also requires each of the sector-specific lead agencies 
to submit a plan outlining its approach, following guidance established 
by DHS, by December 2006. 

Within DOD, the Office of the Assistant Secretary of Defense for 
Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]), serves 
as the principal civilian advisor to the Secretary of Defense on the 
identification, prioritization, and protection of DOD's defense 
critical infrastructure.[Footnote 2] DOD Directive 3020.40, issued in 
August 2005, updates DOD policy and assigns responsibilities for DOD's 
Defense Critical Infrastructure Program (DCIP), incorporating guidance 
from HSPD-7. This directive assigns defense sector lead agents for 10 
sectors within the DCIP, 1 of which is the DIB.[Footnote 3] For DOD's 
efforts relating to the DIB as critical infrastructure, the Under 
Secretary of Defense for Acquisition, Technology, and Logistics 
(USD[AT&L]), in coordination with the Under Secretary of Defense for 
Policy (USD[P]), integrates DCIP policies with acquisition, technology, 
and logistics policy guidance; identifies vulnerabilities in 
technologies relied upon by DOD critical infrastructure and develops 
countermeasures; and provides coordination, guidance, and monitoring. 
The Defense Contract Management Agency (DCMA) is designated the sector 
lead agent for the DIB. 

Recognizing that it is not feasible to protect its entire 
infrastructure against every possible threat, the umbrella DCIP pursues 
a risk-management approach to prioritize resources and operational 
requirements in its DIB efforts. As we have previously 
reported,[Footnote 4] risk management is a systematic, analytical 
process to consider the likelihood that a threat will harm critical 
assets and then to identify actions to reduce the risk and mitigate the 
potential consequences of the threat. While risk generally cannot be 
eliminated, it can be reduced by taking actions such as establishing 
backup systems to protect against or reduce the effect of an incident. 
DOD's risk management approach is based on assessments of threats, 
vulnerabilities, and criticality, and requires DCMA to identify and 
prioritize its most critical assets, assess vulnerabilities, and 
identify remediation requirements. At the same time, DOD is identifying 
its mission-essential tasks. It expects this identification to help 
clarify the criticality of key assets for accomplishing its missions. 

You asked that we review a number of issues related to DOD's DCIP. To 
address them, we committed to issuing two reports in response to your 
request. Our first report, issued in May 2007, examined the extent to 
which DOD has developed a comprehensive management plan and the actions 
needed to guide its efforts to identify, prioritize, and assess non-DIB 
sectors in its critical infrastructure under DCIP. [Footnote 5] We 
found that DOD had taken some important steps to implement DCIP, but it 
had not developed a comprehensive management plan containing key 
elements, including the development and issuance of guidance, the 
coordination of stakeholders' efforts, and the identification of 
resource requirements and sources to guide its efforts.[Footnote 6] We 
recommended that DOD develop and implement such a plan and, among other 
things, assist the defense sector lead agents in identifying, 
prioritizing, and funding the DCIP, including developing funding 
requirements through the regular budgeting process. DOD concurred with 
all of our recommendations. 

For this second report, we (1) determined the status of DOD's efforts 
to develop and implement a risk management approach to ensure the 
availability of DIB assets to support mission-essential tasks; and (2) 
identified challenges DOD faces in its approach to risk management in 
the DIB sector. 

To examine the status of DOD's efforts to develop and implement a risk 
management approach, we reviewed the DIB sector-specific and sector 
assurance plans and other studies; and discussed with DOD officials the 
requirements for a risk management plan for the DIB and the status of 
DOD's implementation of the approach. We also reviewed and discussed 
information on DCMA's efforts to identify, assess, and remediate 
critical DIB assets; the criteria DCMA established and used to identify 
important DIB assets and critical DIB assets; the asset prioritization 
model and the factors used to rank order the critical assets; the 
standardized mission assurance assessment process for critical DIB 
assets; and the remediation planning guidance for the DCIP generally, 
including the guidance being developed for the DIB. We also examined 
standards developed for vulnerability assessments to be done at 
contractor facilities and met with the National Guard Bureau and one of 
the state National Guard teams that conducts DIB sector vulnerability 
assessments. 

To examine the challenges faced by DOD in developing and implementing 
its approach, we compared the policies for identifying mission- 
essential tasks and related defense critical assets with DCMA's 
approach to identifying a critical DIB asset list; and examined the 
development and use of DCMA's asset prioritization model, including 
requirements for models to undergo external technical review and 
methods used to obtain contractor-specific data as needed input into 
the model. We reviewed and discussed with each of the services their 
DCIP efforts related to the DIB, including their responses to DCMA 
regarding its requests for the services to update the important and 
critical DIB asset lists. Also, we discussed with several DOD 
intelligence agency officials the threats to the DIB and the 
availability of specific threat information to DCMA. We discussed with 
DCMA officials the challenges that they have encountered as they have 
begun working with private sector contractors; and efforts to encourage 
private-sector DIB contractors to participate in the program. We also 
spoke with a non-probability sample of DIB contractor officials and 
asked them generally about their willingness to participate in the 
program. We discussed with DOD officials and these contractor officials 
the availability of data on foreign contractors. Their comments are not 
generalizable to a larger population. Lastly, we determined the extent 
to which DCMA has identified metrics with time frames for completing 
development of the risk-based management process. A more thorough 
description of our scope and methodology is provided in appendix I. We 
conducted our work between August 2006 and June 2007 in accordance with 
generally accepted government auditing standards. 

Results in Brief: 

DOD has developed and begun implementing a risk management approach, as 
called for in the National Infrastructure Protection Plan, to ensure 
the availability of critical DIB assets needed to support mission 
essential tasks, though implementation is still in an early stage. The 
approach comprises two plans. First, the DIB sector assurance plan, 
issued in May 2005 and updated in May 2007, outlines an approach for 
identifying vulnerabilities, risks, and effect on business; 
implementing remediation and mitigation strategies; and managing 
consequences to ensure continuity of operations. Second, the DIB sector-
specific plan, submitted in December 2006, outlines DOD's approach to 
executing its sector-specific responsibilities, follows guidance 
established by DHS, and complements other DOD critical infrastructure 
policy. It focuses efforts on assets, systems, networks, and functions 
that, if damaged, would result in unacceptable consequences to the DOD 
mission, national economic security, public health and safety, or 
public confidence. The sector assurance plan provides a coordinated 
strategy for managing risk at DIB critical asset sites located 
throughout the world and describes a risk management approach and plans 
for the DIB. It focuses on steps to (1) identify a critical asset list; 
(2) prioritize the critical assets on that list; (3) perform 
vulnerability assessments on high-priority critical assets; and (4) 
encourage contractors' actions to remediate or mitigate adverse effects 
found during these assessments, as appropriate, to ensure continuity of 
business operations. In implementing the sector assurance plan, DCMA 
has taken actions in each of these four areas. It has developed a 
process to identify the most important DIB assets and to narrow this 
list to those it considers critical using a tiered approach that 
enables identification of important capabilities and critical assets 
from the hundreds of thousands of entities constituting the DIB. It has 
developed an asset prioritization model for determining a criticality 
score and ranking critical assets, thus providing a mechanism for 
allocating the resources available to those critical assets assessed to 
be most vulnerable. It has established a standardized mission assurance 
vulnerability assessment process for critical DIB assets and, as of 
June 1, 2007, had completed eight assessments for which reports had 
been issued. Lessons learned from these assessments have been 
incorporated into training for the assessments scheduled for fiscal 
year 2007. Concurrently, ASD(HD&ASA) has been developing a remediation 
planning guide for the DCIP. The planning guide calls for an effective 
plan of action and milestones focusing on a remediation strategy to be 
developed as soon as feasible following the risk assessment. The 
planning guide includes a chapter focused on DIB remediation, but 
states that the remediation measures for the DIB focus on facilitating 
relationships and sharing information to implement the appropriate 
level of protection and does not suggest any time frames because of the 
voluntary nature of the DIB participation in the DCIP. 

DOD faces several key challenges in implementing its DIB risk 
management approach and will need to address them to ensure that its 
approach is sound and its progress can be measured. First, DCMA is not 
currently obtaining comprehensive information from all of the combatant 
commands and services needed to develop a critical asset list that is 
linked to DOD's mission-essential tasks. Second, DCMA's prioritization 
model has not yet undergone external technical review, lacks needed 
contractor-specific data, and lacks comprehensive threat information. 
Third, DCMA is conducting its vulnerability assessments of contractors 
without regard for their prioritization rankings. Fourth, DOD lacks a 
plan for identifying and addressing challenges in assessing 
vulnerabilities in foreign DIB critical assets. More specifically: 

* Both the 2006 DIB critical asset list and the list in development for 
2007 do not reflect data from all the combatant commands and services 
using mission-essential task information. The DOD risk management 
approach calls for identifying DIB assets critical to supporting 
combatant commanders' mission-essential tasks that would result in DOD- 
wide mission failure if the asset were to be damaged, degraded, or 
destroyed. DOD has not established a plan with targets and time frames 
for identifying all of the mission-essential tasks for all of the 
services. 

* Our analysis of the model revealed that weighting factors were 
selected and much of the input data were determined according to 
subjective decisions made with only limited review. Furthermore, the 
model does not distinguish between contractors who are marked as high 
risk by default for lack of data, and those for whom data exist and 
corroborate that designation. DOD collects open-source and in-house 
statistical data on contractor operations, but it lacks some needed 
contractor-specific information from the DIB contractors on their 
operations for use in the model. DCMA has undertaken two surveys to 
obtain these needed data and is planning a third survey. However, these 
collection efforts did not receive high response rates, and they 
yielded problematic data quality. Currently, DCMA lacks a detailed plan 
for improving response rates and data quality in its next survey. In 
addition, DCMA does not yet receive or have procedures to obtain 
comprehensive threat information from appropriate intelligence 
agencies, including DHS, the Federal Bureau of Investigation (FBI), and 
others, needed to enable it to accurately prioritize DIB assets. The 
absence of threat information from the appropriate intelligence 
agencies undermines the utility of the index score for prioritizing 
contractors. 

* DCMA is conducting its vulnerability assessments on critical DIB 
assets according to contractor accessibility and security clearance 
status, without regard for those assets' respective prioritization 
model rankings. The DOD risk management approach calls for DCMA to 
schedule and conduct its vulnerability assessments on the critical DIB 
assets based upon their respective rankings as validated in the asset 
prioritization model. 

* DCMA has not yet established a plan to address the potential 
challenges inherent in obtaining data from and assessing 
vulnerabilities of critical foreign contractors. In order to do so, 
DCMA needs to coordinate with other agencies, such as the Department of 
State, to develop strategies to better ensure that foreign contractor 
vulnerabilities can be identified and addressed. DCMA has not conducted 
any vulnerability assessments of foreign contractors, but has begun to 
take steps in examining this issue. 

This report makes recommendations that DOD take specific actions to 
implement its risk management framework by: (1) developing a 
comprehensive DIB critical asset list that includes the services' 
mission-essential task information as well as data based on current 
DCMA criteria; (2) ensuring that its asset prioritization model is 
reliable by obtaining external technical review, needed contractor- 
specific data, and comprehensive threat information; (3) conducting 
vulnerability assessments of critical contractors based on their 
rankings according to the asset prioritization model; and (4) preparing 
a plan to collaborate with appropriate agencies to develop options to 
better ensure that foreign contractor vulnerabilities can be identified 
and addressed. In written comments on the draft report, DOD partially 
concurred with all of our recommendations. In its response, DOD cited 
actions it planned to take that are generally responsive to our 
recommendations. DOD also provided us with technical comments, which we 
incorporated in the report, as appropriate. DOD's response is reprinted 
in appendix II. 

Background: 

According to DOD's Strategy for Homeland Defense and Civil Support, 
dated June 2005, without the important contributions of the private 
sector, DOD cannot effectively execute its core defense missions. 
Private industry manufacturers provide the majority of equipment, 
materials, services, and weapons for the U.S. armed forces. The 
President designated DOD as the sector-specific agency for the DIB. In 
this role, DOD is responsible for collaborating with all relevant 
federal departments and agencies, state and local governments, and the 
private sector; encouraging risk management strategies; and conducting 
or facilitating vulnerability assessments of the DIB as set forth in 
HSPD-7. 

In executing these responsibilities, the Secretary of Defense requires 
a network of organizations with diverse roles and missions. Key 
participants in the network include the following: 

* The Undersecretary of Defense for Acquisition, Technology, and 
Logistics, USD(AT&L), who is responsible for, among other things, 
integrating DCIP policies into acquisition, procurement, and 
installation policy guidance and for coordinating with ASD(HD&ASA) to 
ensure DCIP-related guidance is developed and implemented, and that 
system providers remediate vulnerabilities identified prior to system 
fielding or deployment. 

* ASD(HD&ASA), which serves as the principal civilian advisor to the 
Secretary of Defense on the identification, prioritization, and 
protection of DOD's critical infrastructure. ASD(HD&ASA) assigned 
responsibility for the DCIP, including DIB sector-specific agency 
responsibilities, to the Director for Critical Infrastructure 
Protection under the Deputy Assistant Secretary of Defense for Crisis 
Management and Defense Support to Civil Authorities. The DCIP office 
provides policy, program oversight, integration, and coordination of 
activities. 

* DCMA, which is the defense sector lead agent responsible for the 
coordination and oversight of DCIP matters pertaining to the DIB 
because of DCMA's established working relationship with DIB owners/ 
operators. DCMA responsibilities include planning and coordinating with 
all DOD components and private-sector partners that own or operate 
elements of the DIB. 

* Private-sector owners, operators, and organizations; and other 
federal departments and agencies, including DHS, the FBI, and the 
Departments of Energy, Commerce, the Treasury, and State. It also 
includes state and local agencies, international organizations, and 
foreign countries. 

Under Homeland Security Presidential Directive 7, federal departments 
and agencies are to identify, prioritize, and coordinate the protection 
of critical infrastructure and key resources in order to prevent, 
deter, and mitigate the effects of deliberate efforts to destroy, 
incapacitate, or exploit the infrastructure and resources; and they are 
to work with state and local governments and the private sector to 
accomplish this objective. Sector-specific agencies, among other 
things, are to encourage risk management strategies to protect against 
and mitigate the effect of attacks against critical infrastructure and 
key resources. 

DOD's risk management approach is based on assessing threats, 
vulnerabilities, criticalities, and the ability to respond to 
incidents. Threat assessments identify and evaluate potential threats 
on the basis of capabilities, intentions, and past activities. 
Vulnerability assessments identify potential weaknesses that may be 
exploited and recommend options to address those weaknesses. 
Criticality assessments evaluate and prioritize contractors on the 
basis of their importance to mission success. These assessments help 
prioritize limited resources and thus, if implemented properly, would 
reduce the expense of resources on lower-priority contractors. DOD's 
risk management approach also includes an assessment of the ability to 
respond to, and recover from, an incident. 

ASD(HD&ASA) officials said it provided research and development funding 
for program development in fiscal years 2005 and 2006 of $550,000 and 
$675,000, respectively. It did not provide research and development 
funding to DCMA in 2007 and said it did not intend to provide any 
during the period of fiscal years 2008 to 2013. They said that for 
operations and maintenance, DOD funded the program at about $1.1 
million and $1.0 million in fiscal years 2004 and 2005, respectively; 
and $2.5 million and $2.0 million in fiscal years 2006 and 2007, 
respectively. DOD plans to increase operations and maintenance funding 
to about $8.3 million in fiscal year 2008, about $9.4 million in 2009, 
and about $10.1 million in 2010 before decreasing it to about $8.8-$8.7 
million in subsequent fiscal years through fiscal year 2013. In January 
2007, the Joint Requirements Oversight Council, chaired by the Vice 
Chairman of the Joint Chiefs of Staff, approved the National Guard 
Critical Infrastructure Program--Mission Assurance Assessment (CIP- 
MAA) capability for the DIB. The council agreed that the services will 
provide funding to meet the requirements for fiscal years 2008-2013, 
and it endorsed the National Guard as the overall lead agency to 
implement the CIP-MAA. The operations and maintenance funding is 
summarized in figure 1. 

Figure 1: Operations and Maintenance Funding for DIB Activities for 
Fiscal Years 2004 to 2007 and Programmed Funding for Fiscal Years 2008 
to 2013: 

[See PDF for image] 

Source: ASD(HD & ASA). 

[End of figure] 

DOD Has Begun Developing and Implementing a Risk Management Approach to 
Ensure the Availability of the DIB: 

DOD has begun developing and implementing a risk management approach to 
ensure the availability of DIB assets needed to support mission- 
essential tasks, though implementation is still at an early stage. The 
approach comprises two plans. First, the DIB sector assurance plan, 
issued in May 2005 and updated in May 2007, outlines an approach for 
identifying vulnerabilities, risks, and effect on business; 
implementing remediation and mitigation strategies; and managing 
consequences to ensure continuity of operations.[Footnote 7] Second, 
the DIB sector-specific plan, submitted in December 2006, outlines 
DOD's approach to executing its sector-specific responsibilities, 
follows guidance established by DHS, and complements other DOD critical 
infrastructure policy.[Footnote 8] It focuses efforts on assets, 
systems, networks, and functions that, if damaged, would result in 
unacceptable consequences to the DOD mission, national economic 
security, public health and safety, or public confidence. The sector 
assurance plan provides a coordinated strategy for managing risk at DIB 
critical asset sites located throughout the world and describes a risk 
management approach and plans for the DIB. It focuses on steps to (1) 
identify a critical asset list; (2) prioritize the critical assets on 
that list; (3) perform vulnerability assessments on high-priority 
critical assets; and (4) encourage contractors' actions to remediate or 
mitigate adverse effects found during these assessments, as 
appropriate, to ensure continuity of business operations. 

DOD depends on the DIB to accomplish its work in support of military 
missions. The absence or unavailability of some assets designated as 
critical DIB assets, and the products and services these assets 
produce, could cause military mission failure. To identify DIB critical 
assets, DCMA industrial analysts and other DOD personnel compiled a 
list of approximately 900 important defense contractor assets, and then 
narrowed this number by using another set of criteria. DCMA has also 
developed an asset prioritization model for determining a criticality 
score and ranking critical assets, from highest to lowest risk. It has 
established a standardized mission assurance vulnerability assessment 
process for critical DIB assets, and as of June 1, 2007, had completed 
and issued reports for eight assessments and had three other 
assessments in process. ASD(HD&ASA) is developing guidance to provide a 
standardized process for determining, planning, and implementing 
remediation actions for DOD personnel involved in remediating risks and 
supporting overall DOD mission assurance. Table 1 provides a summary of 
the current number of important and critical DIB assets identified and 
the number of contractors assessed. 

Table 1: A Summary of DOD's Efforts in Identifying and Assessing 
Critical DIB Assets as of June 1, 2007: 

DIB assets: Identified; 
Important contractors: 900; 
Critical contractors: Domestic: 194; 
Critical contractors: Foreign: 9; 
Critical contractors: Total: 203. 

DIB assets: Assessed [A]; 
Important contractors: [Empty]; 
Critical contractors: Domestic: 8; 
Critical contractors: Foreign: 0; 
Critical contractors: Total: 8. 

Source: GAO analysis of DCMA data. 

[A] The number of contractors assessed does not include 5 that were 
completed prior to DCMA's pilot program being established. 

[End of table] 

DCMA Has Taken Steps to Identify Critical Assets: 

DCMA has developed a process to identify the most important DIB assets 
and to narrow this list to those it considers critical using a tiered 
approach that enables identification of important capabilities and 
critical assets from the hundreds of thousands of entities constituting 
the DIB. The collection of data on each entity within the DIB was 
considered neither practical nor an effective use of limited resources, 
so DCMA focused on reducing the magnitude of assets to a manageable 
number through the use of government DIB subject-matter experts. DCMA 
has developed a process to identify the most important DIB assets and 
to narrow this list to those it considers critical. The criteria used 
for both lists are shown below in table 2. 

Table 2: DCMA Criteria Used to Identify Important and Critical DIB 
Assets: 

"Important" if they satisfy one or more of the following criteria:

* They are a sole source. 

* They use obsolete/enabling/emerging technology. 

* They require a long lead time. 

* They lack surge production. 

* They have a significant cost escalation; 

"Critical" if they satisfy one or more of the following criteria:
*  They are a prime or subcontractor single source with unique 
technology or industrial capability that could significantly affect 
warfighter operations due to nonavailability of material. 

* They are a prime contractor with capabilities that support numerous 
programs or industries. 

* They are a single source subcontractor with a long requalification 
time that supports numerous programs across the services; 

* They are an essential advanced technology source. 

Source: DCMA. 

[End of table] 

The critical asset list is reviewed, updated, and approved annually. 
DCMA identifies potential assets meeting the criteria, and the military 
services and defense agencies then validate and update the list. DCMA 
reviews and validates the updated list and prioritizes it using the 
asset priority model. DCMA then coordinates with senior acquisition 
executives and submits the revised critical asset list for approval to 
the Deputy Under Secretary of Defense for Industrial Policy, USD(AT&L), 
and ASD(HD&ASA). 

DCMA Has Been Developing an Asset Prioritization Model: 

DCMA has been developing an asset prioritization model for determining 
a criticality score and ranking critical assets from highest to lowest 
risk. This model is to provide a mechanism for DCMA to allocate limited 
resources to those critical DIB assets assessed to be most vulnerable: 
the higher the score, the higher the priority of the asset for 
vulnerability assessment and possible remediation/mitigation actions. 
The model uses 16 weighted factors that are aggregated to assign a 
vulnerability score to each asset. These factors are broadly classified 
into mission (5), economic (4), threat (5), and other (2), as shown 
below in table 3. 

Table 3: DCMA's Asset Prioritization Model Factors, Weighting Factors, 
and Factor Classification: 

Model factors: Affect multiple programs; 
Weighting factors: 16; 
Factor classification: Mission. 

Model factors: Affect current warfighting capabilities; 
Weighting factors: 15; 
Factor classification: Mission. 

Model factors: Effect on projected warfighting capabilities; 
Weighting factors: 14; 
Factor classification: Mission. 

Model factors: Corporate financial risk; 
Weighting factors: 13; 
Factor classification: Economic. 

Model factors: Site economic viability; 
Weighting factors: 12; 
Factor classification: Economic. 

Model factors: Recovery plan; 
Weighting factors: 11; 
Factor classification: Mission. 

Model factors: Reconstitution--time; 
Weighting factors: 10; 
Factor classification: Mission. 

Model factors: Reconstitution--cost; 
Weighting factors: 9; 
Factor classification: Economic. 

Model factors: Threat--known external threats to facility; 
Weighting factors: 8; 
Factor classification: Threat. 

Model factors: Known security issues; 
Weighting factors: 7; 
Factor classification: Threat. 

Model factors: Disaster risk--metric; 
Weighting factors: 6; 
Factor classification: Threat. 

Model factors: Chemical/biological/radiological/nuclear/explosive 
(CBRNE) collateral damage; 
Weighting factors: 5; 
Factor classification: Threat. 

Model factors: Populated area; 
Weighting factors: 4; 
Factor classification: Threat. 

Model factors: Site employment as percent of county or Metropolitan 
Statistical Area (MSA); 
Weighting factors: 3; 
Factor classification: Economic. 

Model factors: DCIP awareness visit follow-up; 
Weighting factors: 2; 
Factor classification: Other.
 
Model factors: Vulnerability assessment of CIP-MAA completed/ 
scheduled; 
Weighting factors: 1; 
Factor classification: Other. 

Source: DCMA. 

[End of table] 

Data for the determination of these factors are collected from DCMA 
surveys and analysis, supplemented by various commercial and government 
sources, including the Defense Logistics Agency, the military services, 
and the combatant commands. If there are missing data for a given item, 
DCMA's rule is to default to a high-risk score, as this is the most 
conservative assumption. 

For threat data currently obtained by DCMA, the model includes an 
assessment of current, potential, and technologically feasible threats 
to assets from hostile parties as well as from natural or accidental 
disasters inherent to the asset or its location. Hostile threat 
information is collected by the Counter Intelligence Field Activity 
office from various intelligence sources and then summarized in a 
threat assessment document for specific sites during the prioritization 
process, and in a detailed threat assessment prior to conducting an 
actual National Guard assessment of a site. The Counter Intelligence 
Field Activity has also established an arrayed threats data system as 
the DIB sector's primary method for obtaining threat-related 
information. 

DCMA Has Established a Standardized Vulnerability Assessment Process: 

DCMA has established a standardized mission assurance vulnerability 
assessment process for critical DIB assets. As of June 1, 2007, it had 
completed and issued eight assessment reports. Lessons learned from 
earlier assessments have been incorporated into training for the 
assessments scheduled for fiscal year 2007. 

The current approach for performing assessments has evolved from 
earlier efforts designed to protect the mission of the asset from a 
broad spectrum of threats. The approach calls for multidisciplinary 
teams to conduct performance-based assessments to identify 
vulnerabilities of critical missions and recommend ways to mitigate 
those vulnerabilities. DOD found these efforts to be effective, but 
costly and time consuming. It developed a set of standards to conduct 
vulnerability assessments, building on other vulnerability assessment 
methods DOD has used. Working through DCMA and the National Guard 
Bureau, DOD has established a standardized mission assurance assessment 
for application to critical DIB assets. These assessments consider 
effect, vulnerability, and threat/hazard from natural disaster, 
technological failure, human error, criminal activity, or terrorist 
attack. To perform assessments, DCMA partners with the Defense Security 
Service (DSS), the Counter Intelligence Field Activity, the Defense 
Intelligence Agency (DIA), and appropriate federal, state, and local 
law enforcement to identify and characterize all hazard threats to key 
assets, and uses benchmarks and standards to ensure consistency within 
the DIB and the broader DCIP community. 

The assessment process typically involves (1) using the critical asset 
list to select the DIB contractor candidate for assessment; (2) 
notifying the selected DIB asset to schedule the vulnerability 
assessment; (3) conducting a preassessment briefing with the 
contractor; (4) scheduling the assessment; (5) negotiating a memorandum 
of agreement with the contractor to coordinate the terms of the 
assessment; (6) performing the assessment, which is designed to assess 
vulnerability to a broad spectrum of threats; (7) providing an 
outbriefing; and (8) writing a final vulnerability assessment report. 

The process for conducting vulnerability assessments on critical DIB 
contractors is early in implementation and only 8 of the planned 203 
have been completed, with reports issued, as of June 1, 2007. DCMA 
estimated that conducting assessments on all critical DIB assets will 
take several years. Between fiscal years 2003 and 2006, DOD considered 
and evaluated different approaches that might be used in conducting on- 
site vulnerability assessments. For example, five assessments of 
different types were done by different DOD groups prior to fiscal year 
2006. With the benefit of the earlier assessments, DCMA in fiscal year 
2006 developed a pilot project that included six vulnerability 
assessments and used the information gained to develop an approach for 
conducting on-site vulnerability assessments at all critical DIB asset 
locations. DCMA had settled on a methodology for outreach to 
contractors, a standardized approach for conducting on-site 
vulnerability assessments,[Footnote 9] and training for National Guard 
teams to conduct these assessments. DCMA is planning a number of 
improvements as a result of lessons learned from the six pilot project 
assessments. For example, DCMA officials said they planned to update 
the existing benchmarks, develop additional benchmarks for security 
operations and emergency management, and determine the final report 
format to use for future assessments. In addition, DCMA officials said 
that, as a result of the pilot assessments, they plan to change the 
process on future assessments. For example, rather than a single visit 
to the contractor to perform the entire assessment, they intend to 
conduct an advance site visit to identify key officials, gather 
information, and perform preliminary analyses on manufacturing and 
infrastructure. They said this will allow more time for up-front 
analysis and alleviate the workload and reduce the hours needed at the 
time of the assessment visit. 

In fiscal year 2007, DCMA planned to have National Guard teams conduct 
19 vulnerability assessments and then to increase its pace to complete 
these vulnerability assessments at a rate of 50 per year. However, it 
has changed this goal for 2007, and even at the rates planned it would 
take 6 years, or until 2012, to complete the initial vulnerability 
assessments on the 203 critical DIB contractors identified in 2006, as 
shown in table 4. 

Table 4: Assessments Planned during Fiscal Years 2007 to 2012: 

Fiscal year: Assessments planned as of November 2006; 
2007: 19; 
2008: 50; 
2009: 50; 
2010: 50; 
2011: 20; 
2012: 20. 

Fiscal year: Revised plan as of May 2007[A]; 
2007: 14; 
2008: 21; 
2009: 21; 
2010: 50; 
2011: 50; 
2012: 50. 

Source: DCMA. 

[A] DCMA is planning that after completing the initial assessments, DIB 
assets would be reassessed every 3 years. 

[End of table] 

ASD(HD&ASA) Has Been Developing a Remediation Guide: 

ASD(HD&ASA) has been developing the DOD Remediation Planning Guide for 
the DCIP remediation process in order to provide a standardized process 
for determining, planning, and implementing remediation actions for DOD 
personnel involved in remediating risks and supporting overall DOD 
mission assurance.[Footnote 10] The planning guide encompasses: (1) DOD-
owned assets that support the National Military Strategy; (2) non- DOD-
owned assets that support the National Military Strategy (i.e., 
government-owned infrastructure, commercial-owned infrastructure, and 
the defense industrial base); and (3) non-DOD-owned assets that are so 
vital to the nation that their incapacitation, exploitation, or 
destruction could have a debilitating effect on the security or 
economic well-being of the nation or could negatively affect national 
prestige, morale, and confidence. 

Because proper remediation lessens the negative effect of an event, it 
makes sense in many cases to strengthen, through a reduction of risk, 
those assets critical to DOD missions. When unacceptable levels of risk 
are identified, an asset owner should seek to remediate them in a 
prioritized fashion based on their overall risk to DOD. This planning 
guide identifies and discusses specific actions that are essential to 
remediation strategy development and implementation. The planning guide 
calls for an effective plan of action and milestones focusing on a 
remediation strategy to be developed as soon as feasible following the 
risk assessment. The planning guide provides the basic steps for an 
effective plan and suggested time frames: (1) confirm ownership and 
prioritize risk as soon as possible after completion of assessment; (2) 
analyze options and determine the best approach within 30 days after a 
risk assessment is completed; (3) develop the remediation plan as soon 
as practicable, but not later than 60 days after the risk assessment; 
(4) implement the remediation plan within 2-4 weeks following 
remediation plan approval; (5) keep appropriate officials informed at 
plan commencement and within 2-4 weeks of remediation plan completion; 
and (6) execute follow-up actions no more than 3 years after risk 
assessment. 

The planning guide also includes a chapter focused on DIB remediation. 
It states that the remediation measures for the DIB focus on 
facilitating relationships and sharing information to implement the 
appropriate level of protection. The chapter referring to the DIB is 
designed to assist asset owners, operators, and DOD managers in 
determining whether a remediation action is justified and required. The 
DIB sector remediation process includes a step-by-step approach for 
analyzing issues and making judgments. It describes a remediation 
process that will help preserve privately owned DIB critical asset 
capabilities. ASD(HD&ASA) officials told us it was designed in a 
general way without suggested time frames because of the voluntary 
nature of the DIB participation in the DCIP. 

DOD Will Need to Address Several Key Challenges in Implementing Its DIB 
Risk Management Approach: 

DOD faces several key challenges in implementing its DIB risk 
management approach and will need to address them to ensure that its 
approach is sound and its progress can be measured. First, the critical 
asset list used by DCMA does not incorporate comprehensive, mission- 
essential task information from the military services. Second, the 
prioritization model used by DCMA has not yet undergone external 
technical review and lacks both contractor-specific data and 
comprehensive threat information. Third, DCMA is not scheduling and 
conducting its vulnerability assessments in accordance with the asset 
rankings in its prioritization model. Fourth, DOD lacks a plan for 
identifying and addressing challenges in assessing vulnerabilities of 
critical foreign contractors. 

Critical Asset List Does Not Yet Have Comprehensive Mission-Essential 
Task Information: 

DCMA is not currently obtaining comprehensive information from all of 
the combatant commands and services needed to develop a critical asset 
list that is linked to DOD's mission-essential tasks. Both the 2006 DIB 
critical asset list and the list in development for 2007 do not reflect 
data from all the combatant commands and services using mission- 
essential task information. The DOD risk management approach calls for 
identifying DIB assets critical to supporting combatant commanders' 
mission-essential tasks that would result in DOD-wide mission failure 
if the asset were to be damaged, degraded, or destroyed. According to 
DCMA and the services, DCMA and the Army and Navy provided most of the 
data for the 2006 critical asset list, but the Air Force did not 
provide input for the list. In responding to DCMA's request for the 
2007 critical asset list, the Air Force limited its participation to 
the review and validation of DIB critical assets identified and 
compiled by DCMA, which used DCMA's methodology only. This service has 
made no independent submission of DIB-like assets to DCMA. DCMA 
officials told us they were aware of the need to link DIB assets to 
mission-essential tasks. The DIB sector assurance plan calls for 
identifying assets critical to supporting combatant commanders' mission-
essential tasks that would result in DOD-wide mission failure if the 
asset were to be damaged, degraded, or destroyed, and DCMA says it 
plans to continue to collaborate and strengthen relationships with the 
combatant commands and other DOD organizations in identifying DIB 
assets and systems supporting their critical missions. 

According to OSD officials, the services are still working on 
identifying the mission-essential tasks and the defense critical assets 
that support these tasks, including DIB defense critical assets. The 
method for identifying critical DIB assets has evolved, and refinements 
are continuing. Thus far, a plan with targets and time frames has not 
been established for identifying all of the mission-essential tasks for 
all of the services. 

DCMA's Prioritization Model Has Not Yet Been Reviewed and Does Not Yet 
Have Contractor-Specific Data or Comprehensive Threat Information: 

The asset prioritization model has not undergone external technical 
review. Further, some needed contractor-specific data were missing for 
a number of the critical assets. Additionally, the absence of 
comprehensive threat data undermines the utility of the index score for 
prioritizing contractors. 

Model Has Not Yet Had External Technical Review: 

Our review of the asset prioritization model revealed that weighting 
factors were selected and much of the input data were determined 
according to subjective decisions made with only limited review. 
According to the DCMA official who developed the model, the 
subjectivity involved in assigning the precise values of the weights in 
the model is the most controversial aspect of the model. Cross- 
disciplinary collaboration and peer review are, in our opinion as well 
as that of DOD officials with whom we spoke, important means of 
validating modeling strategies. As of the time of our review, DCMA had 
not had its model independently reviewed. 

The model, created in September 2004, has undergone a number of 
refinements, and more are planned. According to the DCMA staff member 
who developed the model, he is the only individual who fully 
understands the model and all submodels and is responsible for 
assigning factor risk scores to each asset. Future initiatives for 
refining the model include (1) developing submodels in 2007, (2) 
addressing issues regarding data absence and data obsolescence in 2008, 
(3) developing guidance for others on how to use the model (no 
established target date), and (4) moving from a spreadsheet format to a 
Web-based application (no established target date). Without independent 
formal review of its asset prioritization model, DCMA cannot be assured 
that the model is valid and suitable for its intended purpose. 

Needed Contractor-Specific Data Are Missing: 

Our review of the model also revealed that contractor-specific data 
were missing for a number of the critical assets. DCMA collects open- 
source and in-house statistical data on contractor operations, but it 
lacks some needed contractor-specific information from the DIB 
contractors on their operations for use in the model. DCMA has 
undertaken two surveys to obtain these needed data and is planning a 
third survey, but these efforts depend on contractors' willingness to 
provide business sensitive information and they have thus far not been 
fully successful. 

The model does not distinguish between assets marked as high risk by 
default for lack of data and those for whom data corroborate the high- 
risk designation. Our review of the asset prioritization model found 
that DIB contractors with similar entries based on missing data for 
several factors may not be differentiated one from another; it was not 
always apparent whether some contractors were identified as high risk 
because of an unavailability of data or the presence of data that 
justified the identification. The ability to distinguish between high 
scores due to risk and high scores due to missing data has important 
implications for resource allocation, for data collection and 
assessment, and for risk remediation. Additionally, prioritization of 
data collection should focus on those items that are most mission- 
critical and have the highest weight in the model's scores. 

DCMA has conducted two surveys, called industrial capabilities 
assessments, to obtain contractor-specific information on DIB assets, 
but both of these efforts have met with limited response rates. DCMA 
officials said this was due at least partly to contractors' reluctance 
to provide information. In 2004 DCMA sent a questionnaire to obtain 
additional information from DIB contractors. DCMA had requested this 
information using a cover letter to the companies signed by the 
Assistant Secretary of Defense for Homeland Defense (ASD-HD) and 
coordinated with DCMA officials in the field. DCMA officials said that 
these steps were taken to help ensure a greater response to the survey. 
Nevertheless, of those responding, some of the survey forms were 
incomplete and some of the data provided were determined to be 
unreliable. In 2005, DCMA sent a revised questionnaire, but it was not 
administered with the same level of discipline used in the first one. 
For example, it did not use DOD on-site personnel to help ensure high 
response rates, and only 30 percent of those surveyed responded. Again, 
responses were incomplete and some of the data were not considered 
reliable. DOD officials said that contractors were more reluctant to 
provide certain types of data, such as financial, disaster planning, 
reconstitution, and especially forecast data. DCMA did not conduct a 
survey in 2006. 

DCMA is planning another effort in fiscal year 2007 to send out a 
revised capabilities-assessment questionnaire to DIB contractors. DCMA 
officials are in the process of revising and expanding on the 
assessment to be sent to contractors to more specifically address 
critical infrastructure protection. Once DCMA has finalized the 
critical asset list for 2007, it is planning to conduct a new 
industrial capabilities survey. However, it will take several months 
for DIB critical contractors to receive, fill out, and return the 
industrial capabilities survey; and DCMA has not identified specific 
steps to ensure that this survey receives a high response rate with 
quality information. 

Model Does Not Yet Incorporate Comprehensive Threat Information: 

Our review of DOD's asset prioritization model also revealed a lack of 
comprehensive threat information. DOD officials told us that 
intelligence-gathering agencies currently provide information to DCMA 
through ad hoc agreements, as opposed to a more formalized arrangement. 
The collection and analysis of DIB-related intelligence information has 
evolved over time between such agencies as DSS, Counter Intelligence 
Field Activity, and DCMA. According to DCMA as well other DOD 
officials, DCMA does not receive comprehensive threat information from 
the appropriate intelligence agencies to enable it to accurately 
prioritize DIB assets. These intelligence agencies include the National 
Counterterrorism Center, DHS's Office of Intelligence and Analysis and 
its Homeland Infrastructure Threat and Risk Analysis Center, the FBI, 
and others. While DCMA obtains information for prioritization from the 
Counter Intelligence Field Activity, DCMA does not routinely obtain 
full threat information from these other intelligence agencies. The 
absence of comprehensive threat data undermines the utility of the 
index score for prioritizing contractors. Until DCMA develops and 
implements procedures for obtaining the threat data needed, it cannot 
rely on the outputs of its asset prioritization model. 

Vulnerability Assessments Are Being Conducted without Benefit of Asset 
Prioritization Rankings: 

DCMA is conducting its vulnerability assessments on critical DIB assets 
according to contractor accessibility and without regard for those 
assets' respective prioritization model rankings. According to DCMA, 
one purpose of the prioritization model is to rank critical assets and 
to use this order to prioritize assessments. DCMA should schedule and 
conduct its vulnerability assessments on the critical DIB assets based 
upon their respective rankings as validated in the asset prioritization 
model. Furthermore, DOD has not established targets or time frames for 
resolving this issue. 

The assessments to be performed should be identified from a 
comprehensive critical asset list that has been ranked based on a 
reliable asset prioritization model. However, DCMA has not used the 
rankings from its asset prioritization model to schedule outreach 
visits or on-site vulnerability assessments. According to DCMA 
officials, a high score on the model should result in DCMA's contacting 
the contractor to conduct a vulnerability assessment. However, they 
said that coordinating on-site assessments is complicated and highly 
sensitive. DCMA officials say that lack of facility security clearances 
complicates their efforts to get DIB contractors to participate in 
DOD's risk management program because DCMA cannot inform uncleared 
contractors that they are on the classified critical asset list or 
discuss with them vulnerabilities found at their facilities. 
Consequently, officials have devoted outreach efforts, first, to those 
contractors at facilities having the necessary security clearances, and 
next, to those that DCMA officials believe would be most amenable to 
undergoing an assessment. About 52 percent of the DIB facilities 
identified as critical lack security clearances for the facility or any 
of its personnel, and thus cannot receive vulnerability assessments or 
discuss needed remediation actions. DSS officials told us that, though 
they recognized that many critical contractors did not have facility 
security clearances, DSS lacks the resources needed to preemptively 
clear all critical DIB facilities. 

In further explaining why they have not followed the prioritization 
ranking in conducting assessments, DCMA officials said that because 
private-sector DIB contractors' participation in the program is 
voluntary, DCMA must rely on the contractors' willingness to cooperate 
and provide information. According to DCMA officials, some DIB 
contractors have had concerns about sharing information that they 
consider proprietary, and about the possibility of incurring additional 
costs and liabilities to correct any vulnerabilities identified as part 
of this program as a result of sharing this information. These concerns 
regarding sharing information with DOD were echoed by some of the DIB 
contractors with whom we spoke, for a variety of reasons. For example, 
when asked about his willingness to share certain information with DOD, 
one DIB contractor we spoke with said that he was concerned that 
information that he deemed proprietary or potentially damaging to the 
company could somehow be released or disclosed, and he was unsure how 
DOD would protect such information. Furthermore, DOD officials noted 
that some significant DIB contractors are involved in classified, 
special access programs that could involve military mission-essential 
tasks and as a result may not be allowed or willing to share certain 
types of information. They also noted that there is no similar effort 
to identify critical DIB assets from the classified special access 
program perspective. Consequently, some significant critical DIB assets 
may not currently be included as part of the program. 

DCMA officials told us that, in order to overcome resistance from those 
DIB contractors that may be reluctant to share information and 
participate in the program, they have developed tactics that in some 
cases have been successful in promoting greater voluntary 
participation. For example, in at least one case, DCMA requested that a 
high-level DOD official reach out to the contractor directly and make 
the informational request. Also, DCMA officials told us that they 
develop memoranda of agreement with contractors that delineate what the 
on-site assessment will entail, what the assessment team and the 
company are agreeing to do, and the manner in which the contractor's 
information will be used and protected. DCMA officials told us that 
while these steps have resulted in progress, they have also been time- 
consuming and have affected the sequence according to which critical 
DIB contractors have been scheduled for assessment. 

The program, and DCMA's outreach and educational efforts in eliciting 
contractor information, continue to evolve. For example, the sector- 
specific plan states that DOD plans to develop an accreditation plan 
for identifying and certifying Protected Critical Infrastructure 
Information (PCII) under DHS's PCII program. The PCII program was 
established by DHS pursuant to the Critical Infrastructure Information 
Act of 2002.[Footnote 11] The act provides that critical infrastructure 
information[Footnote 12] that is voluntarily submitted to DHS[Footnote 
13] for use by DHS regarding the security of critical infrastructure 
and protected systems, analysis, warning, interdependency study, 
recovery, reconstitution, or other informational purpose, when 
accompanied by an express statement, shall receive various protections, 
including exemption from disclosure under the Freedom of Information 
Act.[Footnote 14] If such information is validated by DHS as PCII, then 
the information can only be shared with authorized users.[Footnote 15] 
Before accessing and storing PCII, organizations or entities must be 
accredited and have a PCII officer. Authorized users can request access 
to PCII on a need-to-know basis, but users outside of DHS do not have 
the authority to store PCII until their agency is accredited. However, 
the lack of accreditation does not otherwise prevent entities from 
sharing information directly with DOD. 

However, we noted in our April 2006 report that nonfederal entities 
continued to be reluctant to provide their sensitive information to DHS 
because they were not certain that their information will be fully 
protected, used for future legal or regulatory action, or inadvertently 
released.[Footnote 16] Since our April report, DHS published on 
September 1, 2006, its final rule implementing the act, but we have not 
examined whether nonfederal entities are more willing to provide 
sensitive information to DHS under the act at this time, or DOD's cost 
to apply for, receive, and maintain accreditation. However, one of the 
DIB contractors we interviewed mentioned generally that while some 
advances have been made in information protection, such as the 
establishment of the PCII program, the contractor continues to be 
concerned that the program has yet to demonstrate that it can provide 
good security for contractor-provided information, and remains wary 
about damage from public or competitor disclosure. 

DCMA officials also pursued new legislation and additional provisions 
for the Defense Federal Acquisition Regulation in order to, in their 
view, potentially increase industry participation, but these changes 
were ultimately not enacted. For example, DCMA officials had drafted a 
legislative proposal that stated that "critical supplier assessments 
and company specific assessments developed under the Defense Critical 
Infrastructure Program, evaluating the security of Defense Critical 
Suppliers, shall not be disclosed under the Freedom of Information 
Act."[Footnote 17] However, DCMA officials told us that the legislative 
proposal was ultimately not approved to be included in the DOD 
legislative proposals that are sent to the Congress for consideration 
and there are no current plans within DOD to pursue this legislation. 
In addition, DCMA officials also pursued the addition of clauses to the 
Defense Federal Acquisition Regulation. The language that was proposed 
would have included several provisions pertaining to the critical 
infrastructure of the defense industrial base, such as stating that the 
contractor shall be responsible for the overall organizational physical 
protection and security of its own critical infrastructures; have in 
place a comprehensive security plan relating to overall plant and 
facility security designed to protect its critical infrastructures; 
that the government shall be permitted to conduct or facilitate 
vulnerability and mission assurance assessments under the DCIP. 
However, these changes were ultimately not submitted to the Defense 
Acquisition Regulation Council.[Footnote 18] 

DCMA Does Not Yet Have a Plan for Assessing Foreign DIB Critical 
Assets: 

DCMA has not established a plan to deal with the potential challenges 
inherent in assessing vulnerabilities of foreign contractors. In order 
to do so, DCMA needs to coordinate with other agencies, such as the 
Department of State, to develop strategies to better ensure that 
foreign contractor vulnerabilities can be identified and addressed. 
DCMA has not conducted any assessments of foreign contractors. 

The critical asset list identifies nine foreign contractors. DCMA 
planned to conduct a pilot assessment on one of these contractors in 
2006, but did not do so, according to DCMA officials, because 
procedures are not yet in place for assessing foreign suppliers of 
products manufactured overseas. The DIB sector-specific plan recognizes 
the challenge involved when DIB assets are located in foreign 
countries, and states that where DIB assets are located in foreign 
countries many of the plan's proposed activities could be perceived as 
U.S. government intrusion into sovereign areas of the host country, 
particularly with respect to threats and vulnerabilities. The plan also 
recognizes that DOD and the DIB Sector Coordinating Council must ensure 
that DIB protection activities are coordinated with U.S. embassies and 
host governments; that where pertinent treaties exist, activities 
should conform to them; and that a strategy needs to be developed for 
an action plan in foreign countries with DIB assets. 

Conclusions: 

DOD is in the process of implementing a risk management approach to 
identify, prioritize, evaluate, and remediate threats, vulnerabilities, 
and risks to critical DIB assets, including those DIB assets that are 
critical to achieving DOD's mission-essential tasks. Several key 
challenges to the implementation of this program need to be addressed 
in order for DOD to be able to ensure that its approach is sound. 
First, in identifying and prioritizing critical DIB assets, DOD is not 
currently incorporating data reflecting mission-essential task 
information from all of the services. Second, in order for DOD's asset 
prioritization model to be reliable, the model would benefit from 
appropriate external technical review, and it also lacks selected 
contractor-specific data that need to be provided by DIB contractors, 
as well as comprehensive threat information from the appropriate 
intelligence agencies. Without a comprehensive list of critical assets 
and a reliable asset prioritization model, DOD cannot ensure that it 
has identified the most important DIB critical assets, as is necessary 
for carrying out the National Military Strategy. Third, DOD is 
currently scheduling and conducting assessments based on contractor 
amenability and security clearance status, rather than on the rankings 
assigned to critical DIB assets according to its asset prioritization 
model. Unless DOD assesses assets based on their rankings determined by 
a reliable asset prioritization model, DOD will not be in a sound 
position to know that it is assessing the most critical DIB assets or 
making the best use of limited resources. Fourth, DOD has not yet 
developed a plan for identifying and addressing potential challenges in 
assessing vulnerabilities of critical foreign DIB contractors. As a 
result, vulnerabilities in these critical foreign contractors can 
potentially threaten their availability to DOD. Until all of these 
issues are addressed, DOD will lack the visibility it needs over 
critical DIB asset vulnerabilities, will be unable to encourage 
critical DIB contractors to take needed remediation actions, and will 
be unable to make informed decisions regarding limited resources. 

Recommendations for Executive Action: 

To manage the complete development of the risk management approach to 
better ensure its effectiveness we recommend the Secretary of Defense 
direct the ASD(HD&ASA) to develop a management framework that includes 
targets and time frames and undertakes the following steps: 

* Obtain comprehensive data from all the combatant commands and 
services based on mission-essential task information, and incorporate 
these data with those set forth in DCMA guidance, to develop a 
comprehensive list of the critical DIB assets. 

* Improve the reliability of its asset prioritization model by: 

* obtaining the appropriate external technical review; 

* developing a detailed plan for improving response rate and data 
quality from DIB contractors in conducting its next capabilities 
survey, to ensure that DCMA obtains contractor-specific data needed for 
establishing priorities; and: 

* identifying and developing procedures for obtaining comprehensive 
threat information from the appropriate intelligence agencies, 
including DHS, the FBI, and others to use as model inputs to prioritize 
DIB assets and conduct vulnerability assessments. 

* Schedule and conduct vulnerability assessments on the critical DIB 
assets based on their respective rankings as validated in the asset 
prioritization model, to ensure that the most critical DIB assets are 
assessed in a timely manner and DOD maximizes its use of limited 
resources. 

* Prepare a plan to collaborate with the Department of State and other 
agencies, as appropriate, to develop options to identify and address 
potential challenges in assessing vulnerabilities of critical foreign 
contractors. 

Agency Comments and Our Evaluation: 

In written comments on a draft of this report, DOD partially concurred 
with all four recommendations. In its response, DOD cited actions it 
planned to take that are generally responsive to our recommendations. 
DOD also provided us with technical comments, which we incorporated in 
the report, as appropriate. DOD's response is reprinted in appendix II. 

DOD partially concurred with our recommendation to develop a management 
framework that includes targets and time frames and to obtain 
comprehensive data from all the combatant commands and services based 
on mission-essential task information. DOD stated that DCMA is aware of 
the need to link DIB assets to mission-essential tasks and that 
ASD(HD&ASA) has developed a draft DOD instruction to formalize this 
process. DOD also said that DCMA is incorporating this framework into 
its process for critical asset identification and that ASD(HD&ASA) is 
developing a DCIP program plan that will address targets and time 
frames for achieving these goals. DOD commented that this plan should 
be completed by the first quarter of fiscal year 2008. 

DOD partially concurred with our recommendation to improve the 
reliability of its asset prioritization model by obtaining the 
appropriate external technical review, needed contractor specific data, 
and comprehensive threat information from the appropriate intelligence 
agencies and stated that DCMA had coordinated the review of the asset 
prioritization model with the DOD Modeling and Simulation Office, the 
Canadian Department of National Defense, and various DOD activities. 
However, at the time of our review, DCMA had not yet coordinated the 
review of the asset prioritization model with these offices, and other 
feedback on the model was informal and undocumented. We found that the 
model has had a number of refinements over the years and that there are 
fundamental processes that have not been reviewed. We believe that DOD 
is responsive to our recommendation in its comment that DCMA is open to 
further technical review of the APM and will work with ASD(HD&ASA) to 
identify credible and capable subject matter experts to support this 
effort, and we would stress the need to develop targets and time frames 
for completing these actions. DOD also commented that developing a 
detailed plan may improve the contractor response rate and data 
quality; but noted that participation by industry to provide 
information is voluntary and contractors continue to be concerned with 
the release of certain types of data, such as financial, disaster 
planning, reconstitution, and especially forecast data. We agree that 
contractor participation is voluntary but there are strategies 
available to DCMA to improve response rates. As noted in our report, 
DCMA response rates declined when the process lacked a coordinated 
plan. DOD also stated that a draft DOD Instruction 3020.nn identifies 
the intelligence agencies that DCMA will work with to obtain threat and 
hazard information on DIB critical assets. However, we found that the 
draft instruction only identified the Under Secretary of Defense for 
Intelligence to secure support from other DOD activities and does not 
reference securing support from agencies we note in the report such as 
DHS and the FBI. As noted in DCMA's May 2007 sector assurance plan, 
barriers in the area of threat assessment information and sharing 
information still require management attention. 

DOD partially concurred with our recommendation to schedule and conduct 
vulnerability assessments on the critical DIB assets based on their 
respective rankings as validated in the asset prioritization model, and 
noted a number of factors that exist that may prevent scheduling 
assessments in accordance with the model's numerical ranking. For 
example, DOD noted if a contractor on the list is reluctant at first or 
refuses to participate, it should move to the next contractor on the 
list, while simultaneously negotiating with the first contractor to 
gain its participation. DOD also noted that the list is dynamic and may 
change year-to-year. In addition, DOD may accept the vulnerability 
assessments performed internally by the contractor providing the 
company meets established requirements and standards. We believe that 
the approach described by DOD acknowledges the intent of our 
recommendation to conduct assessments on the basis of those deemed most 
critical. We recognize that there will be reasons to conduct 
assessments out of order, and would expect that those decisions will be 
documented. 

DOD partially concurred with our recommendation to prepare a plan to 
collaborate with the Department of State and other agencies, as 
appropriate, to develop options to identify and address potential 
challenges in assessing vulnerabilities in foreign critical DIB assets. 
DOD stated that DCMA efforts to date have focused primarily on 
Continental United States assets as they constitute 95 percent of the 
assets on the critical asset list and that the DIB sector specific plan 
recognizes the challenges involved when DIB assets are located in 
foreign countries. DOD further stated that DCMA will continue to work 
with ASD(HD&ASA) in laying out a framework to both address the issue 
and to work in collaboration with other government agencies, including 
the Department of State. 

As agreed with your offices, we are sending copies of this report to 
the Chairman and Ranking Member of the Senate and House Committees on 
Appropriations, Senate and House Committees on Armed Services, and 
other interested congressional parties. We also are sending copies of 
this report to the Secretary of Defense; the Secretary of Homeland 
Security; the Director, Office of Management and Budget; and the 
Chairman of the Joint Chiefs of Staff. We will make copies available to 
others upon request. In addition, this report will be available at no 
charge on the GAO Web site at [hyperlink,http://www.gao.gov]. 

If you or your staff have any questions concerning this report, please 
contact me at (202) 512-5431 or by e-mail at dagostinod@gao.gov. 
Contact points for our Offices of Congressional Relations and Public 
Affairs may be found on the last page of this report. GAO staff who 
made major contributions to this report are listed in appendix III. 

Signed by: 

Davi M. D'Agostino: 
Director, Defense Capabilities and Management: 

[End of section] 

Appendix I: Scope and Methodology: 

To conduct our review of the Department of Defense's (DOD) defense 
industrial base (DIB) program, we obtained relevant documentation and 
interviewed officials from the following DOD organizations:[Footnote 
19] 

* Office of the Secretary of Defense (OSD): 

* Under Secretary of Defense for Personnel and Readiness, Information 
Technology Division; 

* Under Secretary of Defense for Acquisition, Technology, and 
Logistics, Office of the Deputy Under Secretary of Defense for 
Industrial Policy; 

* Under Secretary of Defense for Intelligence, Counterintelligence & 
Security, Physical Security Programs; 

* DOD Counterintelligence Field Activity, Critical Infrastructure 
Protection Program Management Directorate; 

* Assistant Secretary of Defense for Homeland Defense and Americas' 
Security Affairs (ASD[HD&ASA]), Critical Infrastructure Protection 
Office; 

* Assistant Secretary of Defense for Networks and Information 
Integration, Information Management & Technology Directorate; 

* Joint Staff, Directorate for Operations, Antiterrorism and Homeland 
Defense: 

* Defense Threat Reduction Agency (DTRA), Combat Support Assessments 
Division: 

* Military Services: 

* Department of the Army, Asymmetric Warfare Office, Critical 
Infrastructure Risk Management Branch; 

* Department of the Navy: 

* Office of the Chief Information Officer; 

* Mission Assurance Division, Naval Surface Warfare Center, Dahlgren 
Division, Dahlgren, Virginia; 

* Headquarters, U.S. Marine Corps, Security Division, Critical 
Infrastructure Protection Office; 

* Department of the Air Force, Air, Space and Information Operations, 
Plans, and Requirements, Homeland Defense Division; 

* Headquarters, Defense Intelligence Agency, Office for Critical 
Infrastructure Protection & Homeland Security/Defense; 

* Headquarters, Defense Information Systems Agency, Critical 
Infrastructure Protection Team; 

* Headquarters, U.S. Strategic Command, Mission Assurance Division, 
Offutt Air Force Base, Nebraska: 

To examine the status of DOD's efforts to develop and implement a risk 
management approach, we reviewed Homeland Security Presidential 
Directive 7, the Homeland Security Act of 2002, and the National 
Infrastructure Protection Plan as they relate to the DIB sector- 
specific and sector assurance plans, as well as other studies conducted 
by GAO, the Congressional Research Service, and the DOD Inspector 
General concerning risk management and defense critical infrastructure. 
We discussed with DOD officials the requirements for a risk management 
plan for the DIB and the status of the approach's implementation. We 
also reviewed and discussed information and data on the Defense 
Contract Management Agency's (DCMA) efforts to identify, assess, and 
remediate critical DIB assets. Specifically, we evaluated the basis for 
the criteria DCMA established and used to identify important and 
critical DIB assets; the ways in which these criteria were used by each 
of the services to help identify important and critical DIB assets; and 
the ways in which foreign contractors were being identified. We 
evaluated information concerning the development of the asset 
prioritization model, the factors used to rank order the critical 
assets, the refinements that have been made and planned as the model 
matures, and the outcomes produced by applying the model to the fiscal 
year 2006 critical asset list. We reviewed the standardized mission 
assurance assessment process for critical DIB assets, the development 
of standards to be used, the training for teams to conduct assessments, 
the reports on six pilot vulnerability assessments performed in fiscal 
years 2006 and 2007, and lessons learned to be incorporated in future 
assessments. We reviewed the remediation planning guidance DOD is 
developing for the Defense Critical Infrastructure Program (DCIP) 
generally, and we compared the overall guidance to that being developed 
for the DIB. We also met with the National Guard Bureau and one of the 
state National Guard teams that conducts DIB sector vulnerability 
assessments. 

To examine the challenges faced by DOD in developing and implementing 
its approach, we assessed the extent to which key steps in the planned 
approach have been implemented. We compared DCIP policies for 
identifying mission-essential tasks and related defense critical assets 
with DCMA's criteria for identifying a critical DIB asset; and we 
discussed reasons for the differences with OSD, ASD(HD&ASA), DCMA, and 
the services. We assessed the development and use of DCMA's asset 
prioritization model, including discussions with DCMA and OSD about the 
requirements for models used within DOD to undergo external technical 
review and to incorporate all the needed data in order to ensure the 
model's validity and suitability. We reviewed methods DCMA has used 
previously to obtain contractor-specific data, as well as methods 
planned for future efforts, to ensure that DCMA will obtain more 
complete information. We discussed with DCMA and DOD intelligence 
agency officials the threats to the DIB and the availability of 
specific threat information to DCMA. We compared the assessments being 
conducted with the rankings of the critical DIB contractors in the 
asset priority model, and we discussed with DCMA officials why they 
have not followed the rankings and the challenges that they have 
encountered as they have begun working with private-sector contractors. 
We reviewed DCMA's efforts to encourage reluctant private-sector DIB 
contractors to participate in the program, including potential changes 
suggested for the Defense Federal Acquisition Regulation that were 
ultimately not enacted. We also reviewed DCMA's current efforts to work 
with DHS to develop an accreditation approach for identifying and 
certifying Protected Critical Infrastructure Information, and steps 
taken by DCMA to overcome resistance. We spoke with a non-probability 
sample of DIB contractor officials generally about their willingness to 
participate in the program and the reasons for their respective views, 
and we discussed with DOD officials and these contractor officials the 
availability of data concerning foreign contractors. Their comments are 
not generalizable to a larger population. Lastly, we determined the 
extent to which DCMA has identified metrics with time frames for 
completing development of the risk-based management process. We 
conducted our work between August 2006 and June 2007 in accordance with 
generally accepted government auditing standards. 

[End of section] 

Appendix II: Comments from the Department of Defense: 

Assistant Secretary Of Defense: 
2600 Defense Pentagon: 
Washington. Dc 20301-2600: 

Homeland Defense: 

August 15, 2007 

Ms. Davi M. D'Agostino: 
Director, Defense Capabilities and Management: 
U.S. Government Accountability Office: 
441 G Street, N.W.: 
Washington, DC 20548: 

Dear Ms. D'Agostino:

This is the Department of Defense (DoD) response to the GAO draft 
report, GAO-07-1077, "Defense Infrastructure: Management Actions Needed 
to Ensure Effectiveness of DoD's Risk Management Approach for the 
Defense Industrial Base," dated July 13, 2007 (GAO Code 350881). DoD 
partially concurs with all four recommendations in the report. Our 
response is attached. Our point of contact for this action is Mr. 
William Bryan, OASD(HD&ASA), (703) 602-5730 ext. 143 or 
william.bryan@psd.mil. 

Sincerely, 

Signed by: 
Paul McHale: 

Enclosure: 
As stated: 

GAO Draft Report Ė Dated July 13, 2007: 
Gao Code 350881/gao-07-1077: 

"Defense Infrastructure: Management Actions Needed To Ensure  
Effectiveness Of Dod's Risk Management Approach For The Defense 
Industrial Base": 

Department Of Defense Response To The Recommendations: 

Recommendation 1: The GAO recommends that the Secretary of Defense 
direct the Assistant Secretary of Defense for Homeland Defense and 
Americas' Security Affairs to develop a management framework that 
includes targets and time frames and to obtain comprehensive data from 
all the Combatant Commands and Services based on mission essential task 
information, and incorporate these data with those set forth in Defense 
Contract Management Agency (DCMA) guidance, to develop a comprehensive 
list of the critical Defense Industrial Base (DIB) assets. 

DoD Response: Partially concur. Due to the large number of DIB assets, 
DCMA initially focused its criteria on those assets that were important 
because they were sole source, used obsolete or emerging technology, 
were long-lead time, lacked a surge production capability, or 
experienced significant unit cost escalation. DCMA is aware of the need 
to link DIB assets to mission essential tasks. The DIB Sector Assurance 
Plan calls for identifying assets critical to supporting combatant 
commanders' mission essential tasks. The method for identifying 
critical DIB assets has evolved and refinements are continuing. Office 
of the Assistant Secretary of Defense for Homeland Defense and 
Americas' Security Affairs (OASD (HD&ASA)) has been working with the 
Joint Staff, Combatant Commands, and the Services to identify their 
mission essential tasks and link them to critical assets. OASD (HD&ASA) 
has developed a draft DoD Instruction 3020.nn, "Defense Critical 
Infrastructure Program (DCIP) Management," which is currently out for 
formal staffing. This Instruction formalizes the DCIP process and 
procedures, outlined in the Criticality Process Guidance Document, for 
the identification of defense critical assets and linking them to 
Combatant Command and Service mission essential tasks. DCMA is 
incorporating this framework into their process for critical asset 
identification. OASD (HD&ASA) is developing a DCIP Program Plan which 
will address targets and timeframes for achieving these goals. This 
plan should be completed by first quarter FY 2008. 

Recommendation 2: The GAO recommended that the Secretary of Defense 
direct the Assistant Secretary of Defense for Homeland Defense and 
Americas' Security Affairs to improve the reliability of its asset 
prioritization model by: 

* obtaining the appropriate technical review; 

* developing a detailed plan for improving response rate and data 
quality from DIB contractors in conducting its next capabilities 
survey, to ensure that DCMA obtains contractor-specific data needed for 
establishing priorities; and

* identifying and developing procedures for obtaining comprehensive 
threat information from the appropriate intelligence agencies, 
including the Department of Homeland Security (DHS), the Federal Bureau 
of Investigation and others to use as model inputs to prioritize DIB 
assets and conduct vulnerability assessments. 

DoD Response: Partially concur. The Defense Contract Management Agency 
(DCMA) coordinated the review of the Asset Prioritization Model (APM) 
with the DoD Modeling and Simulation Office (MSO), the Canadian 
Department of National Defense (DND), and various DoD Activities such 
as the Army Industrial Base Activities. The APM was also addressed in 
the DIB Sector Specific Plan (SSP) and coordinated with the interagency 
through the Homeland Security Council. Comments received from these 
outside organizations were favorable to the overall structure and 
approach of the model. DCMA is open to further technical review of the 
APM and will work with OASD (HD&ASA) to identify credible and capable 
subject matter experts to support this effort. 

Developing a detailed plan may improve the contractor response rate and 
data quality; however participation by industry to provide information 
is voluntary. As the GAO stated in their report, contractors continue 
to be concerned with the release of certain types of data, such as 
financial, disaster planning, reconstitution, and especially forecast 
data. DCMA has made progress and continues to work on internal 
processes to support the collection of information on a routine basis 
and improve the quality of data and the response rates through 
collaboration with DCMA and industry. 

The draft DoD Instruction 3020.nn, "Defense Critical Infrastructure 
Program (DCIP) Management," identifies the intelligence agencies that 
DCMA will work with to obtain threat and hazard information on DIB 
critical assets. Additionally, an Office of the Under Secretary of 
Defense for Intelligence (OUSD (I)) draft DoD Instruction 5240.hh, 
"Counterintelligence Support to DCIP," discusses an in-depth structure 
and process for provision of counterintelligence support. 

Recommendation 3: The GAO recommended that the Secretary of Defense 
direct the Assistant Secretary of Defense for Homeland Defense and 
Americas' Security Affairs to schedule and conduct vulnerability 
assessments on the critical DIB assets based on their respective 
rankings as validated in the asset prioritization model, to ensure that 
the most critical DIB assets are assessed in a timely manner and DoD 
maximizes its use of limited resources. 

DoD Response: Partially concur. The assessment process typically 
involves using the critical asset list, as ranked by the Asset 
Prioritization Model (APM), to select the Defense Industrial Base (DIB) 
contractor candidate for an assessment. However, there are many reasons 
why the numeric sequence of the model will not be rigidly followed in 
practice. In an effort to better utilize limited resources, the Defense 
Contract Management Agency (DCMA) and the National Guard may elect to 
perform assessments for one or more contractors in the same geographic 
area. Additionally, this is a voluntary program and the (FBI),
contractors are under no obligation to comply with the request to have 
vulnerability assessments conducted at their sites. The contractors 
have to agree to have an assessment; and the assessment schedule cannot 
interfere with company production schedules. If a contractor on the 
list is reluctant at first or refuses to participate, the Department 
should move to the next contractor on the list, while simultaneously 
negotiating with the first contractor to gain their participation. 
Although time-consuming, this approach has proven to be effective. The 
list is dynamic and may change year-to-year. Finally, in some cases, 
the Department may accept the vulnerability assessments performed 
internally by the contractor providing the company meets established 
requirements and standards. 

Recommendation 4: The GAO recommended that the Secretary of Defense 
direct the Assistant Secretary of Defense for Homeland Defense and 
Americas' Security Affairs to prepare a plan to collaborate with 
Department of State and other agencies, as appropriate, to develop 
options to identify and address potential challenges in assessing 
vulnerabilities in foreign critical DIB assets. 

DoD Response: Partially concur. The Defense Industrial Base (DIB) 
Sector Specific Plan (SSP) recognizes the challenges involved when DIB 
assets are located in foreign countries. The plan also recognizes that 
DoD and the Sector Coordinating Council must ensure that DIB protection 
activities are coordinated with U.S. embassies and host nation 
governments; that where pertinent treaties exist, activities should 
conform to them; and that a strategy needs to be developed for an 
action plan in foreign countries with DIB assets. Industry is also 
working closely with the Defense Contract Management Agency (DCMA) to 
identify foreign suppliers of key components. To date, DCMA efforts 
have focused primarily on Continental United States (CONUS) assets as 
they constitute 95% of the assets on the list. DCMA will continue to 
work with the Office of the Assistant Secretary of Defense for Homeland 
Defense and Americas' Security Affairs (OASD (HD&ASA)) in laying out a 
framework to both address the issues and to work in collaboration with 
other government agencies. The State Department is an active 
participant in the DIB Government Coordinating Council and is prepared 
to provide assistance.

[End of section] 

Appendix III: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Davi M. D'Agostino, (202) 512-5431 or dagostinod@gao.gov: 

Acknowledgments: 

In addition to the contact named above, Harold Reich, Assistant 
Director; Aisha Cabrer; Colin Chambers; Lionel Cooper; Kate Lenane; 
Anna Maria Ortiz; Terry Richardson; Matthew Sakrekoff; and Cheryl 
Weissman also made key contributions to this report. 

Footnotes: 

[1] Homeland Security Presidential Directive 7 (Washington D.C., Dec. 
17, 2003). 

[2] The Office of the Under Secretary of Defense for Policy was 
reorganized in December 2006. This reorganization included, among other 
things, the Office of the Assistant Secretary of Defense for Homeland 
Defense being renamed the Office of the Assistant Secretary of Defense 
for Homeland Defense and Americas' Security Affairs. Hereafter, this 
office is referred to by its current name. 

[3] The 10 defense sectors are defense industrial base; financial 
services; global information grid; intelligence, surveillance, and 
reconnaissance; space; health affairs; logistics; personnel; public 
works; and transportation. 

[4] GAO, Homeland Security: Key Elements of a Risk Management Approach, 
GAO-02-150T (Washington, D.C.: Oct. 12, 2001); Defense Infrastructure: 
Actions Needed to Guide DOD's Efforts to Identify, Prioritize, and 
Assess Its Critical Infrastructure, GAO-07-461 (Washington, D.C.: May 
24, 2007). 

[5] GAO-07-461. 

[6] See, for example, GAO, Military Readiness: Navy's Fleet Response 
Plan Would Benefit from a Comprehensive Management Approach and 
Rigorous Testing, GAO-06-84 (Washington, D.C.: Nov. 22, 2005); as well 
as GAO, Standards for Internal Control in the Federal Government, GAO/ 
AIMD-00-21.3.1 (Washington, D.C.: November 1999), which emphasizes the 
importance of such a plan to guide program implementation. 

[7] DOD, Assistant Secretary of Defense for Homeland Defense (ASD 
[HD&ASA]), Defense Industrial Base (DIB) Defense Infrastructure Sector 
Assurance Plan (DISAP) (Washington, D.C., May 2, 2005); DOD, Defense 
Industrial Base Defense Sector Assurance Plan (Washington, D.C., May 
14, 2007). 

[8] DOD, Sector Specific Plan for the Defense Industrial Base 
(Washington, D.C., Dec. 27, 2006). 

[9] This approach uses benchmarks involving a series of questions 
determining the degree to which specific standards have been met. As an 
example, one benchmark identifies dependency on supporting foundational 
infrastructure networks, such as electricity, natural gas, or 
petroleum. The series of questions determines, among other things, 
whether the asset requires electricity, natural gas, or petroleum to 
operate. If the asset does require one of these, the contractor must 
provide a description, and must then assess whether the benchmark for 
each of these networks is met. 

[10] DOD, Defense Critical Infrastructure Program, DOD Remediation 
Planning Guide, Version 1.0 (Apr. 20, 2007). 

[11] The Critical Infrastructure Information Act was enacted as Title 
II, Subtitle B of the Homeland Security Act of 2002. Pub. L. No. 107- 
296 (2002). 

[12] "Critical infrastructure information" is defined at Section 212 of 
Pub. L. No. 107-296 (2002). 

[13] DHS's final rule implementing the Critical Infrastructure 
Information Act identifies procedures for indirect submissions to DHS 
through DHS field representatives and other federal agencies. 

[14] 5 U.S.C. ß 552. 

[15] For more information on the procedures by which PCII may be 
shared, see DHS's Procedures for Handling Critical Infrastructure 
Information, 6 C.F.R. 29. 

[16] GAO, Information Sharing: DHS Should Take Steps to Encourage More 
Widespread Use of Its Program to Protect and Share Critical 
Infrastructure Information, GAO-06-383 (Washington, D.C.: Apr. 17, 
2006). 

[17] The Freedom of Information Act, codified at 5 U.S.C. 552, states 
that agencies shall make available certain documents for public 
inspection and copying. However, there are exemptions to this 
requirement. For example, FOIA does not apply to matters that are 
"trade secrets and commercial or financial information obtained from a 
person and privileged or confidential." 

[18] The Defense Acquisition Regulations Council establishes operating 
procedures for the Defense Acquisition Regulation System to facilitate 
development and processing of procurement and contracting policy, 
procedures, clauses, and forms, for approval by the Director of Defense 
Procurement. 

[19] DOD organizations are located in the Washington, D.C., 
metropolitan area unless indicated otherwise. 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, JarmonG@gao.gov (202) 512-4400: 

U.S. Government Accountability Office, 441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Susan Becker, Acting Managing Director, Beckers@gao.gov (202) 512-4800: 

U.S. Government Accountability Office, 441 G Street NW, Room 7149: 
Washington, D.C. 20548: