Defense Critical Infrastructure:
DOD's Risk Analysis of Its Critical Infrastructure Omits Highly Sensitive Assets
GAO-08-373R: Published: Apr 2, 2008. Publicly Released: Apr 2, 2008.
The Department of Defense (DOD) relies on a global network of critical physical and cyber infrastructure to project, support, and sustain its forces and operations worldwide. The incapacitation, exploitation, or destruction of one or more of its assets would seriously damage DOD's ability to carry out its core missions. To identify and help assure the availability of this mission-critical infrastructure, in August 2005, DOD established the Defense Critical Infrastructure Program (DCIP), assigning overall responsibility for the program to the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]). Since 2006, ASD(HD&ASA) has collaborated with the Joint Staff to compile a list of all DOD- and non-DOD-owned infrastructure essential to accomplish the National Defense Strategy. Each critical asset on the list must undergo a vulnerability assessment, which identifies weaknesses in relation to potential threats and suggests options to address those weaknesses. Data and material designated as Sensitive Compartmented Information (SCI) or associated with Special Access Programs (SAP) are among the nation's most valued and closely guarded assets, and DOD faces inherent challenges in incorporating them into DCIP. The number of individuals authorized to access SCI and SAPs is a relatively small subset of those authorized to access collateral-level classified information--that is, Confidential, Secret, or Top Secret information. Congress requested that GAO review a number of issues related to defense critical infrastructure. To date, GAO has issued two reports in response to that request. GAO's first report examined the extent to which DOD had developed a comprehensive management plan for DCIP and had identified, prioritized, and assessed defense critical infrastructure. GAO's second report examined DOD's efforts to implement a risk management approach for critical assets in the Defense Industrial Base Defense Sector.
As part of GAO's ongoing work on DOD's critical infrastructure protection efforts, this report focuses on challenges DOD faces in incorporating critical SCI and SAP assets into DCIP. Specifically, this report evaluates the extent to which DOD is (1) identifying and prioritizing critical SCI and SAP assets in DCIP and (2) assessing critical SCI and SAP assets for vulnerabilities in a comprehensive manner consistent with that used by DCIP for collateral-level assets.
Although DOD Directive 3020.40 calls for the identification and prioritization of all defense critical infrastructure, DOD has not taken adequate steps to ensure that highly sensitive critical assets associated with SCI and SAPs are accounted for, either through DCIP or a comparable process. The Joint Staff has tasked DOD organizations to submit lists of critical assets classified at the collateral level only--in part, to facilitate vetting and sharing critical asset lists across the department. As a consequence, some DOD organizations have omitted SCI and SAP assets from their submissions. For example, the Defense Intelligence Agency--the DOD lead agent for the Intelligence, Surveillance, and Reconnaissance Defense Sector--has not forwarded to the Joint Staff a list of over 80 assets it has identified as critical, because neither the Joint Staff nor ASD(HD&ASA) has fully incorporated provisions for including SCI data into DCIP. Although ASD(HD&ASA) and Joint Staff officials have initiated some actions to increase their access to SCI--for example, by requesting additional SCI clearances for staff and pursuing means to store and share SCI data--these actions are not likely to resolve information-sharing problems across the department because many officials in other DCIP organizations may still lack access to SCI. Additionally, DOD officials told us that stringent "need to know" requirements for SAP information will likely prevent ASD(HD&ASA) and other DCIP officials from obtaining greater access to information on SAP assets in the foreseeable future. By excluding SCI and SAP infrastructure, DOD's processes for soliciting critical asset information do not result in consistent and comprehensive identification and prioritization of all critical infrastructure. Yet ASD(HD&ASA) has not pursued alternative approaches, such as partnering with other DOD organizations that have greater SCI and SAP access, to develop parallel identification and prioritization processes. 
Unless critical SCI and SAP assets are identified and prioritized, DOD will lack sufficient information to assure the availability of the department's most critical assets. DOD guidance requires all critical infrastructure to be assessed for vulnerabilities using DCIP standards and benchmarks, but because SCI and SAP assets have not been reported as critical, they do not receive these assessments. Should any unreported critical SCI assets be reported under DCIP, the Defense Threat Reduction Agency has personnel who possess SCI clearances, and therefore could assess those assets. However, because of the greater access restrictions placed on SAP data, Defense Threat Reduction Agency officials are unlikely to gain access to the highly sensitive information needed to assess SAP assets. Separately from DCIP, the Defense Intelligence Agency assesses the vulnerabilities of SCI and SAP assets. However, those assessments are intended to support information and physical security rather than mission assurance. Accordingly, they do not include certain key elements of the assessments administered under DCIP, such as a mission-based orientation and an all-hazards analysis. Because of these fundamental differences, the Defense Intelligence Agency's assessments of SCI and SAP assets cannot substitute for the mission-based, all-hazards vulnerability assessments required by DCIP. As a result, DOD lacks a consistent process for assessing its collateral and its more sensitive critical assets. Without using a consistent vulnerability assessment process for all its critical assets, including SCI and SAP assets, DOD cannot effectively analyze the comparative value of risk reduction actions.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: DOD partially concurred with GAO's recommendation to develop a process to identify, prioritize, and assess all critical sensitive compartmented information (SCI) and special access program (SAP) assets in a manner consistent with Defense Critical Infrastructure Program (DCIP) standards. Subsequently, according to DOD, the Intelligence, Surveillance, and Reconnaissance Sector (ISR) generated a list of SCI assets that would be reviewed and prioritized following the DCIP assessment process and included in a classified database of critical assets. Additionally, in April 2009, the DCIP Office and the Director, Special Access Program Central Office (SAPCO), agreed that the latter will ensure that SAPs are properly evaluated for potential critical assets that are then identified, prioritized, and assessed in accordance with DCIP policy guidance. This agreement has been codified in a memorandum. By including SCI and SAP infrastructure, DOD's processes for soliciting critical asset information should result in the consistent and comprehensive identification and prioritization of all critical infrastructure.
Recommendation: To ensure that DOD adequately identifies, prioritizes, and assesses critical SCI and SAP infrastructure, the Secretary of Defense should direct ASD(HD&ASA) to develop a process to identify, prioritize, and assess all critical SCI and SAP assets in a manner consistent with DCIP standards. As one option, ASD(HD&ASA) could partner with the Defense Intelligence Agency and the SAP Central Office to compile separate lists of, and to perform mission-based, all-hazards vulnerabilities assessments on, critical SCI and SAP assets.
Agency Affected: Department of Defense
Status: Closed - Implemented
Comments: DOD concurred with GAO's recommendation to amend the Defense Critical Infrastructure Program (DCIP) Security Classification Guide to explicitly address the treatment of sensitive compartmented information (SCI) and special access program (SAP) information on critical asset lists. On February 15, 2011, the DCIP Office issued its updated DCIP Security Classification Manual, which provides specific guidance addressing SCI and SAP information on critical asset lists. As a result of issuing this guidance, DOD will be in a better position to fully identify its critical assets and make informed risk-management decisions about potentially serious risks to core defense missions.
Recommendation: To ensure that DOD adequately identifies, prioritizes, and assesses critical SCI and SAP infrastructure, the Secretary of Defense should direct ASD(HD&ASA) to amend the DCIP Security Classification Guide to explicitly address the treatment of SCI and SAP information on critical asset lists.
Agency Affected: Department of Defense