Defense Infrastructure:

Actions Needed to Guide DOD's Efforts to Identify, Prioritize, and Assess Its Critical Infrastructure

GAO-07-461: Published: May 24, 2007. Publicly Released: May 24, 2007.

Additional Materials:

Contact:

Davi M. Dagostino
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Department of Defense (DOD) relies on a network of DOD and non-DOD infrastructure assets in the United States and abroad so critical that its unavailability could hinder DOD's ability to project, support, and sustain its forces and operations worldwide. DOD established the Defense Critical Infrastructure Program (DCIP) to identify and assure the availability of mission-critical infrastructure. GAO was asked to evaluate the extent to which DOD has (1) developed a comprehensive management plan to implement DCIP and (2) identified, prioritized, and assessed its critical infrastructure. GAO analyzed relevant DCIP documents and guidance and met with officials from more than 30 DOD organizations that have DCIP responsibilities, and with Department of Homeland Security (DHS) officials involved in protecting critical infrastructure.

While DOD has taken important steps to implement DCIP, it has not developed a comprehensive management plan to guide its efforts. GAO's prior work has shown the importance of developing a plan that incorporates sound management practices, such as issuing guidance, coordinating stakeholders' efforts, and identifying resource requirements and sources. Most of DOD's DCIP guidance and policies are either newly issued or in draft form, leading some DOD components to rely on other, better-defined programs, such as the antiterrorism program, to implement DCIP. Although DOD issued a DCIP directive in August 2005, the lead office responsible for DCIP lacks a chartering directive that defines important roles, responsibilities, and relationships with other DOD organizations and missions. DOD has created several information sharing and coordination mechanisms; however, additional measures could be taken. Also, DOD's reliance on supplemental appropriations to fund DCIP makes it difficult to effectively plan future resource needs. Until DOD completes a comprehensive DCIP management plan, its ability to implement DCIP will be challenged. DOD estimates that it has identified about 25 percent of the critical infrastructure it owns, and expects to identify the remaining 75 percent by the end of fiscal year 2009. In contrast, DOD has identified significantly less of the critical infrastructure that it does not own, and does not have a target date for its completion. Among the non-DOD-owned critical infrastructure that has been identified are some 200 assets belonging to private sector companies that comprise the defense industrial base--the focus of another report we plan to issue later this year. DOD estimates that about 85 percent of its mission-critical infrastructure assets are owned by non-DOD entities, such as the private sector; state, local, and tribal governments; and foreign governments. DOD has conducted vulnerability assessments on some DOD-owned infrastructure. While these assessments can provide useful information about specific assets, until DOD identifies and prioritizes all of the critical infrastructure it owns, assessment results have limited value for deciding where to target funding investments. For the most part, DOD cannot assess assets it does not own, and DOD has not coordinated with DHS to include them among DHS's assessments of the nation's critical infrastructure. DOD has delayed coordinating the assessment of non-DOD-owned infrastructure located abroad while it focuses on identifying the critical infrastructure that it does own. Regarding current and future DCIP funding levels, they do not include the cost to remediate vulnerabilities that are identified through the assessments. When DOD identifies, prioritizes, and assesses its critical infrastructure, and includes remediation in its funding requirements, its ability to perform risk-based decision making and target funding to priority needs will be improved.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: DOD concurred with GAO's recommendation to issue guidance and criteria for performing infrastructure vulnerability self-assessments. In August 2011, officials from the Office of the Assistance Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]) provided GAO with a template of its critical asset self-assessment tool being used by critical asset owners--the military services. According to ASD(HD&ASA) officials, the tool was completed and released for use beginning in January 2011 using the Defense Critical Infrastructure Program Assessment Standards and Benchmarks guidance. The self-assessments contain a series of modules, including force protection, emergency management, commercial dependence on electrical power, and cyber security, which help to identify potential vulnerabilities to critical assets. As a result of developing a self-assessment tool with applicable guidance, DOD asset owners will be in a better position to evaluate the vulnerabilities and risk to DOD's critical infrastructure.

    Recommendation: To increase the utility of vulnerability assessments the Secretary of Defense should direct ASD(HD&ASA) to issue guidance and criteria for performing infrastructure vulnerability self-assessments.

    Agency Affected: Department of Defense

  2. Status: Closed - Not Implemented

    Comments: DOD concurred with GAO's recommendation to adopt the practice of combining the defense critical infrastructure vulnerability assessment module with an existing vulnerability assessment as the DOD-wide practice. Although the Defense Critical Infrastructure Program (DCIP) Office was leveraging existing assessments as our recommendation stated, the DCIP office was recently informed by the Joint Staff that this would no longer be possible because the overall process of combining the assessment was not working. DCIP Office officials also stated that while they had inquired about other assessments they could leverage, no other alternative could be found. As a result, the critical infrastructure assessments will be a stand-alone assessment conducted by the Mission Assurance Division.

    Recommendation: To increase the utility of vulnerability assessments, the Secretary of Defense should direct ASD(HD&ASA) to adopt the practice of combining the defense critical infrastructure vulnerability assessment module with an existing assessment as the DOD-wide practice.

    Agency Affected: Department of Defense

  3. Status: Closed - Implemented

    Comments: DOD concurred with GAO's recommendation to complete the identification and prioritization of critical infrastructure before increasing the number of infrastructure vulnerability assessments performed. Specifically, DOD agreed to identify and prioritize all DOD-owned critical infrastructure before increasing the number of assessments to codify the practice of combining the infrastructure assessment with an existing vulnerability assessment, thereby reducing the burden of multiple assessments on installation personnel and asset owners. On March 12, 2009, Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]) officials stated that they (the Joint Staff under the auspices and oversight of ASD(HD&ASA)) are only conducting mission-based vulnerability assessments on Defense Critical Assets (DCA) and Tier 1 Task Critical Assets (TCA) and are not conducting such assessments on every installation or an entire installation on which a DCA or TCA is located. This action represents, as the recommendation states, a prioritization of critical infrastructure for assessments. Further, because the DCA and TCA lists will be continuously updated over time to reflect changing missions, a more detailed prioritization is not possible, since assets will change over time. We agree that DOD's approach and rationale meet the intent of our recommendation. As a result of DOD's prioritization efforts, the department will be able to more effectively target its financial resources to conducting vulnerability assessments for its most critical assets.

    Recommendation: To increase the utility of vulnerability assessments, the Secretary of Defense should direct ASD(HD&ASA) to complete the identification and prioritization of critical infrastructure before increasing the number of infrastructure vulnerability assessments performed.

    Agency Affected: Department of Defense

  4. Status: Closed - Implemented

    Comments: DOD concurred with GAO's recommendation to determine funding levels and sources needed to avoid reliance on supplemental appropriations and identify funding for the Defense Critical Infrastructure Program (DCIP) remediation. In December 2009, the Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]) responded to the DOD Inspector General stating that funding lines for the military services and combatant commands have been established and that none of the Defense Infrastructure Sector Lead Agents are reliant on supplemental appropriations. Defense Infrastructure Sector Lead Agents identify funding requirements, cost estimates, deliverables, and how the funding requests relate to the objectives or goals detailed in the DCIP strategy. As a result of utilizing a regular budget process to determine funding levels, the Defense Infrastructure Sector Lead Agents are now able to plan resourcing needs, weigh priorities, and assess budget trade-offs in order to successfully implement DCIP.

    Recommendation: As part of developing a comprehensive management plan for DCIP, the Secretary of Defense should direct ASD(HD&ASA), in coordination with the DOD components and sector lead agents, to determine funding levels and sources needed to avoid reliance on supplemental appropriations and identify funding for DCIP remediation.

    Agency Affected: Department of Defense

  5. Status: Closed - Implemented

    Comments: DOD concurred with GAO's recommendation to assist the Defense Infrastructure Sector Lead Agents in identifying, prioritizing, and including Defense Critical Infrastructure Program (DCIP) funding requirements through the regular budgeting process beginning in fiscal year 2010. In February 2010, Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]) officials stated that two of the ten defense infrastructure sector lead agents are now receiving funding through the regular budget process with their executive agents. Further, these officials stated that two other sectors were in the process of establishing funding through their executive agents. However, ASD(HD&ASA) officials noted that because some executive agents were not able to guarantee DCIP funding levels, ASD(HD&ASA) would continue to fund these defense sectors though a regular budget process because it would provide greater stability in funding. ASD(HD&ASA) now distributes, annually, a request for requirements to the Defense Infrastructure Sector Lead Agents that serves as a baseline for annual funding. This annual requirements process requires the Defense Infrastructure Sector Lead Agents to identify funding requirements, cost estimates, deliverables, and how the funding requests relate to the objectives or goals detailed in the DCIP strategy. As a result of utilizing a regular budget process to determine funding levels, the Defense Infrastructure Sector Lead Agents are now able to plan resourcing needs, weigh priorities, and assess budget trade-offs in order to successfully implement DCIP.

    Recommendation: As part of this comprehensive management plan, to increase the likelihood that the defense sector lead agents are able to make effective budgetary decisions, the Secretary of Defense should direct ASD(HD&ASA) to assist the defense sector lead agents in identifying, prioritizing, and including DCIP funding requirements through the regular budgeting process beginning in fiscal year 2010.

    Agency Affected: Department of Defense

  6. Status: Closed - Implemented

    Comments: DOD concurred with GAO's recommendation to issue a chartering directive to, among other things, define the relationship between the Directorates of Homeland Defense and Americas' Security Affairs (HD&ASA) and Special Operations and Low-Intensity Conflict and Interdependent Capabilities (SO/LIC&IC). DOD noted a draft chartering directive had been prepared. On January 16, 2009, DOD issued Directive 5111.13, Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]), which established the position of the ASD(HD&ASA) with specific responsibilities and functions, relationships, and authorities. The chartering directive defines ASD(HD&ASA)'s coordination roles and responsibilities vis-a-vis ASD(SO/LIC&IC) as it relates to the Defense Critical Infrastructure Program (DCIP) and antiterrorism policy. As a result, the chartering directive identifies the relationship between DCIP and antiterrorism missions so that DOD components and defense sector lead agents are able to rely on the appropriate guidance to implement their critical infrastructure programs.

    Recommendation: To implement the intent of the Deputy Secretary of Defense's memorandum Implementation Guidance Regarding the Office of the Assistant Secretary of Defense for Homeland Defense dated March 25, 2003, the Secretary of Defense should direct the Director of Administration and Management to issue a chartering directive to, among other things, define the relationship between the Directorates for HD&ASA and Special Operations and Low-Intensity Conflict and Interdependent Capabilities.

    Agency Affected: Department of Defense

  7. Status: Closed - Implemented

    Comments: DOD concurred with GAO's recommendation to develop and implement a comprehensive management plan that addresses guidance, coordination of stakeholders' efforts, and resources needed to implement the Defense Critical Infrastructure Program (DCIP). Such a plan should include establishing timelines for finalizing the DCIP Data Collection Essential Elements of Information Data Sets to enhance the likelihood that DOD components and sector lead agents will take a consistent approach in implementing DCIP. On May 30, 2008, the Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]) issued the Defense Critical Infrastructure Program: Program Plan, FY 2008-2013, Version 1. The program plan serves as ASD(HD&ASA)'s comprehensive management plan and articulates how DOD intends to implement the Strategy for Defense Critical Infrastructure, issued in March 2008. To address the guidance component of GAO's recommendation, the program plan identifies all current program guidance, including a brief description of the guidance, its current status, publication dates, and any anticipated revisions with dates. Further, it identifies Baseline Elements of Information (formerly the Data Collection Essential Elements of Information Data Sets) as completed in May 2007. To address the coordination component of GAO's recommendation, the program plan contains a section on program implementation responsibilities, including fostering strategic partnerships and outreach. To address the DCIP resource component of GAO's recommendation, the program plan outlines how DCIP components are to request funding along with a timeline for the requesting process. As a result, ASD(HD&ASA)'s comprehensive management plan will guide the department's efforts in more effectively implementing an efficient critical infrastructure program.

    Recommendation: To guide DCIP implementation, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and America's Security Affairs (ASD[HD&ASA]) to develop and implement a comprehensive management plan that addresses guidance, coordination of stakeholders' efforts, and resources needed to implement DCIP. Such a plan should include establishing timelines for finalizing the DCIP Data Collection Essential Elements of Information Data Sets to enhance the likelihood that DOD components and sector lead agents will take a consistent approach in implementing DCIP.

    Agency Affected: Department of Defense

  8. Status: Closed - Implemented

    Comments: DOD concurred with GAO's recommendation to identify and prioritize domestic non-DOD-owned critical infrastructure for the Department of Homeland Security (DHS) to consider including among its assessments of the nation's critical infrastructure. On March 12, 2009, officials from the Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]) stated that with the exception of the Defense Industrial Base, DOD did not have any non-DOD-owned, domestic critical infrastructure on its critical asset list. Further, these officials noted that because they are the federal sector lead agency for the Defense Industrial Base, they annually coordinated their Defense Industrial Base critical asset list with DHS. On May 6, 2009, ASD(HD&ASA) provided GAO with a copy of their most recent transmission (April 7, 2009) to DHS of the Defense Industrial Base critical asset list. As a result of DOD's coordination with DHS, DOD will increase its awareness of vulnerabilities associated with infrastructure that it relies on but does not control.

    Recommendation: To increase the utility of vulnerability assessments, the Secretary of Defense should direct ASD(HD&ASA) to identify and prioritize domestic non-DOD-owned critical infrastructure for DHS to consider including among its assessments of the nation's critical infrastructure.

    Agency Affected: Department of Defense

 

Explore the full database of GAO's Open Recommendations »

Dec 19, 2014

Dec 16, 2014

Dec 12, 2014

Dec 11, 2014

Dec 1, 2014

Nov 21, 2014

Nov 20, 2014

Nov 19, 2014

Nov 18, 2014

Looking for more? Browse all our products here