This is the accessible text file for GAO report number GAO-10-148 
entitled 'Critical Infrastructure Protection: OMB Leadership Needed to 
Strengthen Agency Planning Efforts to Protect Federal Cyber Assets' 
which was released on November 16, 2009. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office:
GAO: 

October 2009: 

Critical Infrastructure Protection: 

OMB Leadership Needed to Strengthen Agency Planning Efforts to Protect 
Federal Cyber Assets: 

GAO-10-148: 

GAO Highlights: 

Highlights of GAO-10-148, a report to congressional requesters. 

Why GAO Did This Study: 

Because the nation’s critical infrastructure relies on information 
technology systems and data, the security of those assets is critical 
to ensuring national security and public safety. In 2003, the President 
directed federal agencies to (1) develop plans for the protection of 
their computer-related (cyber) critical infrastructure assets and (2) 
submit them for approval to the Office of Management and Budget (OMB) 
by July 31, 2004. To help agencies do this, OMB issued guidance with 19 
criteria deemed essential for effective cyber critical infrastructure 
protection planning that were required to be included in the plans. GAO 
was asked to determine (1) the extent to which agencies developed their 
plans and whether they submitted them to OMB by the deadline and (2) 
whether the plans met criteria in OMB’s guidance. To do this, GAO 
reviewed plans from 24 agencies, many of which own and operate key 
government cyber and other critical infrastructure; reviewed OMB 
documentation; interviewed officials; and compared submitted plans to 
relevant criteria. 

What GAO Found: 

Key federal agencies developed and submitted cyber critical 
infrastructure protection plans or related documentation to OMB in 
response to the President’s direction (Homeland Security Presidential 
Directive 7) and associated OMB guidance. Specifically, of the 24 
agencies, 18 submitted plans, while the remaining 6, as allowed by the 
guidance, provided documentation in lieu of plans stating that they 
neither owned nor operated any of the nation’s cyber critical 
infrastructure. The agencies submitted their plans and documentation to 
OMB by the July 31, 2004, deadline. 

Agencies’ plans, in large part, did not fully address the 19 cyber and 
related requirements specified in OMB’s guidance. Specifically, only 4 
of the 18 plans fully addressed all the criteria. While the other 14 
plans fully addressed at least 8 or more criteria, they only partially 
addressed or did not address others—such as prioritizing key assets and 
documenting a strategy to protect them—that are essential for 
effectively planning for the protection of cyber assets. Since the 
development of these plans, 8 agencies whose plans did not fully meet 
OMB’s criteria have engaged in other critical infrastructure protection 
planning and related efforts that addressed some, but not all, of their 
shortfalls. 

The shortfalls in meeting OMB’s guidance are attributable, in part, to 
OMB not making these plans a priority and managing them as such by, for 
example, following up on a regular basis to assess whether agencies are 
updating their plans to fully address the requirements and are 
effectively implementing them. When agencies submitted their initial 
plans, OMB reviewed and provided feedback on their adequacy, but did 
not follow up to verify that agencies had revised their plans to 
incorporate OMB feedback or to determine whether planning was being 
implemented and institutionalized. OMB attributed this to its attention 
being focused on other competing issues. In addition, OMB did not 
direct agencies to periodically update their plans. Without more 
sustained leadership, management, and oversight in this area, there is 
an increased risk that federal agencies individually, and the federal 
government collectively, will not effectively identify, prioritize, and 
protect their critical cyber assets, leaving them vulnerable to efforts 
to destroy, incapacitate, or exploit them. 

What GAO Recommends: 

GAO is recommending that OMB (1) direct agencies to update cyber plans 
to fully address OMB requirements and (2) follow up to see that 
agencies make sure plans meet requirements and are being implemented. 
In commenting on a draft of this report, OMB agreed with the first 
recommendation; it agreed with the second after GAO revised it to 
better clarify OMB and agency follow up responsibilities. 

View [hyperlink, http://www.gao.gov/products/GAO-10-148] or key 
components. For more information, contact Dave Powner at (202) 512-9286 
or pownerd@gao.gov. 

[End of section] 

Contents: 

Letter: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendix I: Briefing to Staff of Congressional Committees: 

Appendix II: GAO Contact and Staff Acknowledgments: 

Abbreviations: 

CIP: critical infrastructure protection: 

DOD: Department of Defense: 

DOE: Department of Energy: 

DOI: Department of Interior: 

DOJ: Department of Justice: 

DOT: Department of Transportation: 

EPA: Environmental Protection Agency: 

FISMA: Federal Information Security Management Act: 

HHS: Health and Human Services: 

HSPD-7: Homeland Security Presidential Directive 7: 

IT: information technology: 

NASA: National Aeronautics and Space Administration: 

OMB: Office of Management and Budget: 

OPM: Office of Personnel Management: 

SBA: Small Business Administration: 

SSA: Social Security Administration: 

VA: Department of Veterans Affairs: 

[End of section] 

United States Government Accountability Office:
Washington, DC 20548: 

October 15, 2009: 

The Honorable Yvette D. Clarke: 
Chairwoman: 
Subcommittee on Emerging Threats, Cybersecurity, and Science and 
Technology: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable Sheila Jackson-Lee: 
Chairwoman: 
Subcommittee on Transportation Security and Infrastructure Protection: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable James R. Langevin: 
House of Representatives: 

Because the nation's critical infrastructure[Footnote 1] relies 
extensively on computerized information technology (IT) systems and 
electronic data, the security of those systems and data is essential to 
our nation's security, economy, and public health and safety. Providing 
continuity of government requires ensuring the safety of the 
government's own critical computer-related (cyber) infrastructure and 
assets that are essential to support key missions and services. 

To address increasing threats to the cyber infrastructure and assets of 
the federal government, the President, in December 2003, issued 
Homeland Security Presidential Directive 7 (HSPD-7), which called for 
federal departments and agencies to identify, prioritize, and protect 
the United States' critical infrastructure and key resources[Footnote 
2] (hereafter referred to as "critical infrastructure"). Specifically, 
HSPD-7 required, among other things, that federal departments and 
agencies develop and submit to the Office of Management and Budget 
(OMB) for approval, plans for protecting the cyber and other (e.g., 
physical) critical infrastructure that they own or operate. HSPD-7 also 
required that these plans (1) address identification, prioritization, 
protection, and contingency planning, including recovery of essential 
capabilities and (2) be submitted to OMB by July 31, 2004. 

To aid federal agencies in this effort, OMB issued a memorandum in June 
2004 (referred to as M-04-15), instructing agencies on how these plans 
were to be developed. The directive also included 19 criteria OMB 
deemed essential for preparing an effective cyber critical 
infrastructure protection (CIP) plan that were required to be included 
in the plans. While these plans are key to protecting federally owned 
or operated critical infrastructure, OMB stated that another goal of 
the plans was to initiate and, ultimately, institutionalize cyber CIP 
planning across the federal government. 

This report responds to your request that we determine (1) the extent 
to which federal agencies have developed plans for protecting their 
cyber critical infrastructure and whether they have submitted them to 
OMB, as required by HSPD-7, and (2) whether the submitted plans met the 
criteria in OMB's instructions and related guidance. To carry out these 
objectives we, among other things, requested and reviewed the cyber 
critical infrastructure plans and related documentation of 24 major 
executive branch agencies,[Footnote 3] reviewed OMB documentation, and 
interviewed OMB officials. We compared the plans against the 19 cyber-
related criteria contained in OMB's M-04-15 memorandum to determine 
whether they fully addressed, partially addressed, or did not address 
the criteria. We interviewed agency officials to verify our 
understanding of their plans and to validate the accuracy of our 
analysis; in cases where agencies stated that they owned no nationally 
critical cyber infrastructure, we reviewed documentation submitted to 
OMB in lieu of a plan to assess its reasonableness. 

We performed this performance audit in the Washington, D.C., 
metropolitan area from October 2008 to September 2009, in accordance 
with generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. 

On September 3, 2009, we briefed your staffs on the results of our 
review. This report summarizes and transmits the (1) presentation 
slides we used to brief the staff and (2) recommendations to the 
Director of OMB that are part of those slides. The full briefing 
materials, including details on our scope and methodology, are 
reprinted as appendix I. 

In summary, we made the following major points: 

* Major federal agencies developed and submitted cyber CIP plans or 
related documentation to OMB in response to HSPD-7 and associated OMB 
instructions. Specifically, of the 24 major agencies, 18 submitted 
plans; the remaining 6, as allowed by the directives, provided 
documentation in lieu of plans, stating that they neither owned nor 
operated any of the nation's cyber critical infrastructure. The 
agencies submitted their plans and documentation to OMB by the July 31, 
2004, deadline. 

* Agencies' initial plans largely did not fully address the 19 cyber 
and related requirements specified in OMB's instructions. Specifically, 
only 4 of the 18 plans fully addressed all the criteria. While the 
other 14 plans fully addressed at least 8 or more criteria, they only 
partially addressed or did not address others--such as prioritizing key 
assets and documenting a strategy to protect them--that are essential 
to effectively plan for the protection of cyber assets. In addition, 
the agencies have not updated their plans since 2004. However, 8 
agencies whose plans did not fully meet OMB's criteria have engaged in 
other CIP planning and related efforts that addressed some, but not 
all, of their shortfalls. 

* The shortfalls in meeting OMB's guidance are attributable, in part, 
to the fact that OMB has not made these plans a priority and managed 
them as such by, for example, following up on a regular basis to assess 
whether agencies have updated their plans to fully address OMB 
requirements and are effectively implementing them. When agencies 
submitted their initial plans, OMB reviewed them and provided feedback 
on their adequacy, but did not follow up to verify that agencies had 
revised their plans to incorporate OMB feedback or to determine whether 
planning was being implemented and institutionalized. OMB attributed 
this to its attention being focused on other, competing issues. In 
addition, OMB did not direct agencies to periodically update their 
plans. 

Conclusions: 

The major federal agencies' 2004 cyber CIP plans were an initial step 
toward the goals of (1) securing and protecting critical infrastructure 
and assets vital to carrying out the government's mission-critical 
operations and (2) implementing and institutionalizing cyber CIP 
planning governmentwide. While none of the 2004 plans have since been 
updated, subsequent cyber CIP planning efforts by one-third of the 
agencies have yielded additional steps toward these goals. However, 
continuing shortfalls in these planning efforts highlight that more 
remains to be done to ensure cyber CIP plans are developed in a 
comprehensive manner. These shortfalls are attributable, in part, to 
OMB not making these plans a priority, including not effectively 
overseeing agencies' efforts to make sure OMB requirements are 
addressed in agency plans and the plans are being implemented. Without 
more sustained leadership, management, and oversight in this area, 
there is an increased risk that federal agencies individually, and the 
federal government collectively, will not, among other things, 
effectively identify, prioritize, and protect their cyber critical 
assets, thus leaving them potentially vulnerable to deliberate efforts 
to destroy, incapacitate, or exploit them. 

Recommendations for Executive Action: 

We are recommending that the Director of OMB provide leadership and 
oversight in directing federal cyber critical infrastructure planning 
efforts and make them a management priority by: 

* directing the federal agencies to expeditiously update their plans to 
fully address OMB's cyber critical infrastructure planning 
requirements, and: 

* following up, as appropriate, to see that agencies are making sure 
updated plans fully meet OMB requirements and are being effectively 
implemented. At a minimum, this should include having agency heads 
report to OMB when updated plans have been completed and that the plans 
fully meet OMB requirements and are being effectively implemented. 

Agency Comments and Our Evaluation: 

In oral comments on a draft of this report--which were provided by the 
Lead Information Technology Policy Analyst from the Office of E-
Government and Information Technology--OMB agreed with our findings and 
first recommendation and discussed issuing a clarifying memorandum to 
direct agencies to update their plans. With regard to our second 
recommendation, OMB agreed with it in principle but expressed concern 
that the recommendation (as worded in the draft) would be interpreted 
to mean that OMB is solely responsible for following up when it is a 
key responsibility of the agencies to follow up to make sure their 
plans are effectively updated and implemented. We concur that agencies 
have a key role to play in updating and implementing these plans due to 
their intimate knowledge of their respective cyber CIP environments 
and, therefore, know how best to secure and protect them. To better 
clarify OMB and agency responsibilities, we slightly revised the second 
recommendation, and OMB agreed with it as reworded. This revision does 
not change the fact that OMB, as discussed in this report and in our 
presentation slides, also has an important role to play in periodically 
following up with the agencies to, among other things, assess the 
status and progress of their cyber CIP planning efforts. 

As we agreed with your offices, unless you publicly announce the 
contents of this report earlier, we plan no further distribution until 
30 days from the report date. At that time we will send copies of this 
report to interested congressional committees, OMB, and other 
interested parties. We will also make copies available to others on 
request. In addition, the report will be available at no charge on the 
GAO Web site at [hyperlink, http://www.gao.gov]. 

If you or your staffs have questions about matters discussed in this 
report, please contact me at (202) 512-9286 or pownerd@gao.gov. Contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this report. GAO staff who made key 
contributions to this report are listed in appendix II. 

Signed by: 

David A. Powner: 
Director, Information Technology Management Issues: 

[End of section] 

Appendix I: Briefing to Staff of Congressional Committees: 

Critical Infrastructure Protection: OMB Leadership Needed to Strengthen 
Agency Planning Efforts to Protect Federal Cyber Assets: 

Briefing for Staff Members of the Subcommittee on Emerging Threats, 
Cybersecurity, and Science and Technology: 

House Committee on Homeland Security and the Subcommittee on 
Transportation Security and Infrastructure Protection: 

House Committee on Homeland Security: 

August 27, 2009: 

Outline of Briefing: 

Introduction: 
Objectives, Scope, and Methodology: 
Results in Brief: 
Background: 
Results: 
Objective 1: 
Objective 2: 
Conclusions: 
Recommendations for Executive Action: 
Agency Comments and Our Evaluation: 

Introduction: 

Because the nation's critical infrastructure[Footnote 4] relies 
extensively on computerized information technology (IT) systems and 
electronic data, the security of those systems and information is 
essential to our nation’s security, economy, and public health and 
safety. Providing continuity of government requires ensuring the safety 
of the government’s own cyber infrastructure and assets that are 
essential to supporting key missions and services. 

In particular, the cyber infrastructure and assets of the federal 
government are under an increasing threat. U.S. intelligence officials 
have stated publicly that, as the government continues to move to 
network operations, the threat to these systems will continue to grow. 
These officials have also commented that nation-states and criminals 
target federal and other sectors’ IT networks to gain commercial 
competitive advantage and terrorist groups have expressed the desire to 
do the same as a means of attacking the United States. 

To address these threats, the President, in December 2003, issued 
Homeland Security Presidential Directive 7 (HSPD-7), which called for 
federal departments and agencies to identify, prioritize, and protect 
the United States’ critical infrastructure and key resources[Footnote 
5] (hereinafter referred to as “critical infrastructure”). 
Specifically, HSPD-7 required, among other things, that federal 
departments and agencies develop and submit to the Office of Management 
and Budget (OMB) plans for protecting the cyber and other (e.g., 
physical) critical infrastructure that they own or operate. The 
presidential directive also required that these plans: 
directive also required that these plans: 

(1) address identification, prioritization, protection, and contingency 
planning, including recovery of essential capabilities and; 

(2) be submitted to OMB by July 31, 2004. 

To aid federal agencies in this effort, OMB issued a memorandum in June 
2004 (referred to as Memorandum M-04-15) instructing agencies on how 
these plans were to be developed; the directive also included 19 cyber 
and related criteria to be addressed that OMB deemed essential to 
preparing an effective cyber protection plan. 

Objectives, Scope, and Methodology: 

As requested, our objectives were to determine: 

* the extent to which federal agencies have developed plans for 
protecting their cyber critical infrastructure and whether they have 
submitted them to OMB as required by HSPD-7, and; 

* whether the submitted plans met the criteria in OMB’s instructions 
and related guidance. 

For objective 1, we contacted 24 major executive branch departments and 
agencies[Footnote 6] to request their cyber critical infrastructure 
protection (CIP) plans submitted to comply with HSPD-7 and OMB 
memorandum M-04-15. We focused on these agencies because they own and 
operate key cyber and other critical infrastructure essential to 
carrying out the government’s mission-critical functions. We also 
reviewed OMB documentation and interviewed OMB officials to confirm 
which federal agencies had submitted CIP plans as required. 

For objective 2, we analyzed OMB’s M-04-15 memorandum and identified 
the 19 cyber and related criteria that agencies were to use in 
developing their plans. These criteria, taken as a whole, called for 
the agencies to address the following key topics: whether the agencies 
had (1) existing capabilities, including dedicated human capital and 
funding resources, to protect their cyber critical infrastructure 
assets, (2) a prioritized inventory of such assets, and (3) a 
documented strategy to protect them. (See slides 19-20 for the 19
criteria organized by these key topics.) We then analyzed the plans of 
the 24 major agencies using the 19 criteria to determine whether there 
were variances. If there were, we reviewed documentation and 
interviewed appropriate agency officials to identify causes and any 
impacts. In analyzing the plans against the 19 criteria, we used the
following categories to describe the extent to which the plans 
addressed each criterion: 

* fully addressed: the plan specifically addressed the criterion; 
* partially addressed: the plan addressed some but not all parts of the 
criterion; 
* not addressed: the plan did not specifically address the criterion. 

Further, we also interviewed responsible agency officials to, among 
other things, verify our understanding of their cyber and related plans 
and to validate the accuracy of our analyses of the extent to which the 
criteria had been addressed in the plans. For agencies stating that 
they owned no nationally critical cyber infrastructure, we reviewed 
documentation they submitted to OMB (in lieu of a report) to assess its 
reasonableness. 

We conducted this performance audit in the Washington, D.C., 
metropolitan area from October 2008 to June 2009 in accordance with 
generally accepted government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives. 

Results in Brief: 

Major federal agencies developed and submitted cyber critical 
infrastructure protection plans or related documentation to OMB in 
response to HSPD-7 and associated OMB instructions. Specifically, of 
the 24 major agencies, 18 submitted such plans; the remaining 6, as 
allowed by the directives, provided documentation—in lieu of a detailed 
plan—stating that they neither owned nor operated any of the nation’s 
cyber critical infrastructure. The agencies submitted their plans and 
documentation to OMB by the July 31, 2004, deadline specified in the 
directives. 

In developing their initial plans, the agencies in large part did not 
fully address the 19 cyber and related requirements specified in OMB’s 
instructions. Specifically, only 4 of the 18 plans submitted to OMB 
fully addressed all criteria. In addition, while the other 14 plans 
fully addressed at least 8 or more criteria, they only partially 
addressed or did not address at all other criteria—such as including a 
prioritized inventory of cyber critical infrastructure assets and a 
documented strategy to protect them—that are essential to effectively 
planning for the protection of cyber assets. For example, four agencies 
did not include a cyber critical infrastructure asset inventory, and 
eight did not address whether they had a cyber protection strategy. Since 
the development of these plans, eight agencies—whose plans did not 
fully meet OMB requirements—have engaged in other CIP planning and 
related efforts that addressed some but not all of their OMB 
requirement shortfalls. 

The shortfalls in meeting OMB’s requirements are attributable in part 
to the fact that OMB has not made these plans a priority and managed 
them as such by, for example, following up on a regular basis to assess 
whether agencies are updating their plans to fully address the 
requirements and are effectively implementing them. OMB attributed this 
to its attention being focused on other competing issues. When agencies 
submitted their initial plans, OMB reviewed and provided feedback on 
the adequacy of the plans but did not follow up to verify that the 
agencies had revised the plans to incorporate OMB’s feedback or to 
determine whether the planning was being implemented and 
institutionalized. Until these shortfalls are fully addressed, there is 
an increased risk that the federal government will not effectively 
identify, prioritize, and protect its cyber critical assets, leaving 
them potentially vulnerable to deliberate efforts to destroy, 
incapacitate, or exploit them. 

To address this risk, it is essential that OMB provide sustained 
leadership, management, and oversight in this area. Accordingly, we are 
recommending that the Director of OMB, among other things, provide this 
level of management effort in directing federal cyber critical 
infrastructure planning and make such planning a priority by (1) 
directing the agencies to update their cyber plans to fully address OMB 
requirements and (2) following up as appropriate to make sure updated 
plans meet requirements and that the plans are being effectively 
implemented. 

In oral comments on a draft of this briefing, OMB officials, including 
the Lead Information Technology Policy Analyst from the Office of E-
Government and Information Technology, agreed with our findings and 
first recommendation and discussed issuing a clarifying memorandum to 
direct agencies to update their plans. With regard to our second
recommendation, these officials said that it was ultimately the 
responsibility of the agencies to follow up to make sure plans are 
updated and implemented. We agree that the agencies have a key role to 
play in these planning efforts. We also believe OMB plays an important 
and unique role in that it is responsible for reviewing and approving 
agency plans across the entire federal government. To do this 
effectively, OMB should periodically follow up with the agencies to 
assess status and progress of cyber CIP planning efforts. 

Background: Increased Vulnerabilities Could Expose Federal Systems to 
Attack: 

As federal IT systems increase their connectivity with other networks 
and the Internet and as their system capabilities continue to increase, 
these systems will become increasingly vulnerable. For example, we 
reported[Footnote 7] in 2008 that the National Vulnerability Database, 
the U.S. government repository of standards-based vulnerability 
management data, had gathered information on the growing problem, 
including the following: 

* About 29,000 security vulnerabilities or software defects exist that 
can be directly used by a hacker to gain access to a system or network. 

* On average, close to 18 new vulnerabilities are added to the database 
each day. 

* More than 13,000 software products contain security vulnerabilities. 

These vulnerabilities become particularly significant when considering 
the ease of obtaining and using hacking tools, the steady advances in 
the sophistication and effectiveness of attack technology, and the 
emergence of new and more destructive attacks. Thus, protecting federal 
IT systems and the systems that support critical infrastructures has 
never been more important. 

Background: Past GAO Work: 

We have previously reported[Footnote 8] on agency efforts to protect 
their IT systems, including meeting Federal Information Security 
Management Act (FISMA)[Footnote 9] requirements and requirements for 
federal continuity of operations planning. We found that federal 
agencies have made progress in strengthening information security, as 
required by FISMA. However, most agencies continue to experience 
significant deficiencies that jeopardize the confidentiality, 
integrity, and availability of their systems and information. A primary
reason for these problems is that agencies have not fully 
institutionalized comprehensive security management programs. We 
recently highlighted these issues in our 2009 High Risk report. 
[Footnote 10] 

In December 2003, the President issued HSPD-7, which called for federal 
departments and agencies to identify, prioritize, and protect the 
United States’ critical infrastructure and key resources.[Footnote 11] 
Specifically, HSPD-7 required, among other things, that federal
departments and agencies develop and submit to OMB plans for protecting 
the cyber and other (e.g., physical) critical infrastructure that they 
own or operate. The presidential directive also required that these 
plans (1) address identification, prioritization, protection, and 
contingency planning, including recovery of essential capabilities and 
(2) be submitted to OMB by July 31, 2004. 

To help in the development of the plans, OMB issued a directive 
(Memorandum 04-15, dated June 17, 2004 and signed by OMB’s director) 
that instructed the departments and agencies on how the plans were to 
be developed and reiterated the July 31, 2004, deadline for plan 
submission to OMB. The memorandum also stated that agencies that 
determined that they did not have cyber and other critical 
infrastructures were still required to report this to OMB by the 
specified deadline. 

While these plans are key to protecting federally owned or operated 
critical infrastructure, they are also intended to be an important 
input for the Department of Homeland Security (DHS) to use in 
developing the National Infrastructure Protection Plan, a plan DHS first
developed in 2006 to establish national priorities, goals, and 
requirements for CIP. The National Infrastructure Protection Plan was 
to then outline the methodology for determining which government 
facilities are priorities for protection. Further, OMB officials stated 
that another goal of these plans was to initiate, and ultimately 
institutionalize, cyber CIP planning across the federal government. 

Results: Objective 1: 

All major federal agencies developed and submitted cyber CIP plans or 
related documents to OMB. 

The 24 major agencies developed and submitted cyber CIP plans or 
related documents in response to HSPD-7 and OMB requirements. The 
agencies submitted their plans and documentation to OMB by the July 31, 
2004, deadline specified in these directives. 

The following 18 agencies submitted plans to address protecting their 
cyber critical infrastructures: 

* Agriculture; 
* Commerce; 
* Defense; 
* Energy; 
* Environmental Protection Agency; 
* Health and Human Services; 
* Homeland Security; 
* Interior; 
* Justice; 
* Labor; 
* National Aeronautics and Space Administration; 
* Office of Personnel Management; 
* Small Business Administration; 
* Social Security Administration; 
* State; 
* Transportation; 
* Treasury; 
* Veterans Affairs. 

The remaining 6 agencies submitted documentation (e.g., a memorandum) 
stating that they neither owned nor operated cyber infrastructure 
critical to the nation: 

* Education; 
* General Services Administration; 
* Housing and Urban Development; 
* National Science Foundation; 
* Nuclear Regulatory Commission; 
* U.S. Agency for International Development. 

Our review of the documentation submitted by these agencies indicates 
that the agencies' statements that they had no cyber critical 
infrastructures are reasonable based on the evidence they provided. 

Results: Objective 2: 

Initial agency plans in large part did not fully address OMB’s cyber 
CIP planning requirements, and while subsequent agency planning efforts 
addressed some requirement shortfalls, they did not address others 
essential to effective planning. 

In instructing the departments and agencies on how their plans were to 
be developed, OMB’s directive specified 19 cyber and related CIP 
planning requirements essential to each agency in developing its plan. 
Taken collectively, these criteria called for agencies to address the 
following key topics: whether they had (1) existing capabilities, 
including dedicated human capital and funding resources, to protect 
their cyber critical infrastructure assets; (2) a prioritized inventory 
of such cyber assets; and (3) a documented long-term strategy to 
protect them, including metrics to measure cyber program performance. 
The 19 criteria, grouped by key topic area, are described on the 
following slides. Once completed, these plans were intended to be a 
blueprint for how agencies are to protect their cyber and other 
critical infrastructure, serve as input into the National 
Infrastructure Protection Plan, and initiate cyber CIP planning across 
the federal government. 

OMB Memorandum 04-15 cyber and related CIP planning criteria: 

Addressing existing capabilities for protecting federal cyber critical 
infrastructure: 

* Summarize primary functions of the agency that rely on cyber critical 
infrastructure assets; 

* Summarize the agency’s management structure, including the management 
responsible for the security of cyber critical infrastructure assets; 

* Summarize locations and assets that support the primary functions; 

* Describe the agency's current capabilities for identification of 
federally owned or operated cyber critical infrastructure assets; 

* Describe the agency's current capabilities for assessments of cyber 
vulnerabilities and interdependencies; 

* Describe the agency's current capabilities for prioritization of 
federal cyber assets; 

* Describe the agency's current capabilities for adequately protecting 
cyber critical infrastructure assets; 

* Summarize the agency’s capability to respond to and recover from 
events that impair the ability to perform mission critical functions at 
or using federal cyber critical infrastructure assets; 

* Summarize the agency’s ability to identify gaps in carrying out any 
of the activities discussed above; 

* Describe the agency’s process for determining budget and personnel 
requirements for cyber critical infrastructure activities; 

* Describe the agency’s process for ensuring independent oversight of 
cyber CIP programs; 

* Describe any corrective actions identified for cyber-related issues 
and if follow-on actions were taken; 

* Determine whether corrective actions for IT systems considered 
critical infrastructure were included in FISMA plans of action and 
milestones. 

Identifying prioritized list of the agency’s cyber-related critical 
infrastructure: 

* Include a prioritized list of the agency’s cyber-related 
infrastructure assets. 

Developing a long-term protective strategy: 

* Describe the agency’s long-term protective strategy to protect the 
cyber critical infrastructure identified in the plan; 

* Describe performance metrics for the CIP program; 

* Describe the status of major initiatives that are underway or planned 
for addressing cyber-related deficiencies; 

* Describe milestones for the initiatives described and target dates 
for completing each milestone; 

* Discuss any specific management, technical, or operational challenges 
with regard to implementation of the plan. 

Of the 18 plans submitted to OMB stating that the agency owned or 
operated cyber critical infrastructure, 

* 4 agencies fully addressed all of the 19 criteria; they are the 
Department of Energy, the Environmental Protection Agency, the Social 
Security Administration, and the Department of State; and 

* 14 fully addressed some criteria and only partially or did not 
address others. The 14 are shown in table 1, along with the number of 
criteria their plans fully addressed, partially addressed, or did not 
address at all. 

Table 1: Agencies Whose Initial Plans Fully Addressed Some Criteria and 
Only Partially Addressed or Did Not Address Others at All: 

Agency: Agriculture; 
Fully addressed[A]: 18; 
Partially addressed[B]: 1; 
Not addressed[C]: 0. 

Agency: Commerce; 
Fully addressed[A]: 15; 
Partially addressed[B]: 1; 
Not addressed[C]: 3. 

Agency: Defense; 
Fully addressed[A]: 17; 
Partially addressed[B]: 0; 
Not addressed[C]: 2. 

Agency: Health and Human Services; 
Fully addressed[A]: 8; 
Partially addressed[B]: 0; 
Not addressed[C]: 11. 

Agency: Homeland Security; 
Fully addressed[A]: 17; 
Partially addressed[B]: 0; 
Not addressed[C]: 2. 

Agency: Interior; 
Fully addressed[A]: 16; 
Partially addressed[B]: 1; 
Not addressed[C]: 2. 

Agency: Justice; 
Fully addressed[A]: 14; 
Partially addressed[B]: 0; 
Not addressed[C]: 5. 

Agency: Labor; 
Fully addressed[A]: 12; 
Partially addressed[B]: 0; 
Not addressed[C]: 7. 

Agency: National Aeronautics and Space Administration; 
Fully addressed[A]: 18; 
Partially addressed[B]: 0; 
Not addressed[C]: 1. 

Agency: Office of Personnel Management; 
Fully addressed[A]: 17; 
Partially addressed[B]: 1; 
Not addressed[C]: 1. 

Agency: Small Business Administration; 
Fully addressed[A]: 9; 
Partially addressed[B]: 0; 
Not addressed[C]: 10. 

Agency: Transportation; 
Fully addressed[A]: 17; 
Partially addressed[B]: 0; 
Not addressed[C]: 2. 

Agency: Treasury; 
Fully addressed[A]: 18; 
Partially addressed[B]: 0; 
Not addressed[C]: 1. 

Agency: Veterans Affairs; 
Fully addressed[A]: 10; 
Partially addressed[B]: 2; 
Not addressed[C]: 7. 

[A] Fully addressed – the plan specifically addressed the criterion. 

[B] Partially addressed – the plan addressed some but not all parts of 
the criterion. 

[C] Not addressed – the plan did not specifically address the 
criterion. 

[End of table] 

Specifically, while each of the 14 agencies fully addressed at least 8 
criteria (for example, Health and Human Services' plan fully 
addressed 8, and Agriculture's addressed nearly all, with 18), they 
also only partially addressed or did not address other criteria 
essential to effectively planning for the protection of cyber assets. 
For example, 8 agencies did not address the requirement to describe the 
agency's long-term strategy to protect its cyber critical 
infrastructure. These agencies were the Departments of Commerce, Health 
and Human Services, the Interior, Justice, Labor, and Veterans Affairs, 
the Office of Personnel Management, and the Small Business 
Administration. Having such a strategy is important because it 
establishes, among other things, agencywide direction on improving the 
state of cyber protection, what that future state is to be, and how and 
when the agency is to get there. Without such a strategy, there is
increased risk that critical cyber assets may be left unprotected and 
thus vulnerable to threats such as unauthorized access, theft, or 
sabotage. 

In addition, the requirement to provide a summary of the agency’s 
mission-supporting cyber assets and their locations was only partially 
addressed by 2 agencies (the Department of the Interior and the Office 
of Personnel Management) and not addressed at all by 4 (the Departments 
of Homeland Security, Health and Human Services, and Transportation and 
the National Aeronautics and Space Administration). The 2 that only 
partially addressed the requirement did so in that they provided the 
locations of their assets but did not identify the specific assets at 
the locations. Fully addressing this requirement is important because 
locating cyber assets is a key step in identifying and prioritizing 
assets to be protected. Without it, there is risk that not all critical 
cyber assets will be considered and incorporated into agency protective 
plans and thus will be left vulnerable to attack. 

Further, 6 agencies did not address the requirement to summarize 
whether they had the ability to identify gaps in recovering from 
mission-impairing events. The 6 agencies were the Departments of 
Commerce, Health and Human Services, Labor, and Veterans Affairs, the 
National Aeronautics and Space Administration, and the Small Business
Administration. Having and documenting this capability is important 
because it serves as an indicator that agencies are proactively 
identifying and managing potential risks to their cyber and other 
assets that could impact agency operations. Without this, there is a 
risk that agencies are not prepared to recover cyber assets in the 
event of an attack. 

Moreover, 5 agencies—the Departments of Health and Human Services, 
Justice, Labor, and Veterans Affairs, and the Small Business 
Administration—did not identify whether they had metrics to measure how 
well their cyber CIP program was performing as called for by the 
criteria. Having such metrics is important because they provide a basis 
for improving program activities and reallocating resources as needed. 
Without them, agencies face the risk that cyber CIP program 
deficiencies may not be identified and addressed, leaving cyber assets 
vulnerable to attack. 

Furthermore, 4 agencies—the Departments of Homeland Security, Health 
and Human Services, Transportation, and Veterans Affairs—did not 
address the requirement to provide a prioritized list of the agency’s 
cyber critical infrastructure assets. Having and documenting such a 
list is essential to identifying the critical cyber assets, determining
protection priorities, and implementing protection mechanisms. Without 
it, agencies’ cyber CIP programs may not adequately protect all 
critical cyber assets. 

Our complete analysis of the criteria and the number of agencies that 
partially addressed or did not address them (as well as those 
requirements that were fully addressed) is in attachment 1. Our 
analysis of how each agency’s plan compared to the 19 criteria is in
attachment 2. 

These shortfalls in meeting OMB’s cyber and related CIP planning 
requirements are attributable in part to OMB not making these plans a 
priority and managing them as such. Specifically, officials from OMB's 
Office of E-Government and Information Technology stated that when the 
agencies submitted their initial plans, the office reviewed and 
provided feedback on the adequacy of the plans but did not follow up to 
verify that the agencies had revised the plans to incorporate OMB's 
findings or to see whether CIP planning was being implemented and 
institutionalized. In addition, according to the officials, when OMB 
issued its guidance, it did not require agencies to periodically update
their plans, leaving it up to the agencies’ discretion as to when and 
how to update the plans; consequently, the agencies in large part have 
not updated their plans since 2004. The officials also stated that the 
lack of follow up on the state of these plans, including assessing 
whether they had been updated, was due to their attention being focused 
on other competing issues. In addition, they said that, since the 
initial plans, they believed the agencies had engaged in other CIP-
related planning efforts that largely addressed the requirement 
shortfalls. Our analysis below shows that the agencies did engage in
subsequent planning efforts that addressed some but not all essential 
requirement shortfalls. 

Specifically, since the initial plans, the following eight agencies—
whose plans did not fully meet OMB requirements—have engaged in other 
CIP planning efforts and related activities (e.g., developing IT 
security program management plans, establishing corrective action 
tracking systems) that addressed some but not all of their OMB 
requirement shortfalls: 

* In its 2004 plan, the Department of Commerce did not fully address 4 
cyber CIP planning requirements, including summarizing its capability 
to respond to and recover from events that impair performance or use of 
its cyber assets. However, in 2005, the department developed another 
CIP plan which fully addressed this criterion. Despite this, the 
department’s 2005 plan did not fully address the 3 other criteria for 
which shortfalls were identified in its 2004 plan. These were: 
- summarizing its ability to identify response and recovery gaps, 
- describing its process for determining budget and personnel 
requirements for cyber activities, and 
- describing its long-term protective strategy for protecting cyber 
assets. 

* With regard to Health and Human Services, it did not address 11 
requirements in its 2004 plan, including a summary of its ability to 
identify response and recovery gaps, the agency’s process for ensuring 
independent oversight over its CIP program, a prioritized list of the 
agency’s cyber-related critical infrastructure, the agency’s long-term 
protective strategy, a description of major initiatives for addressing 
cyber-related deficiencies, and milestones for these initiatives. 
However, in 2005 and 2008, the agency developed other plans—both 
entitled Secure One HHS Critical Infrastructure Protection Plan—that 
included these requirements, increasing the number of fully addressed 
requirements to 13. Consequently, the agency has yet to fully address 
the 6 other requirements, including describing performance metrics for 
the agency’s CIP program and challenges to implementing the CIP plan. 

* The Department of the Interior’s 2004 plan did not fully address 3 
requirements, including (1) providing a summary of locations and assets 
supporting primary functions, (2) describing the department’s process 
to identify and track corrective actions for the cyber CIP program, and 
(3) describing a long-term protective strategy. Since then, the 
department has addressed two of these (e.g., it implemented an 
automated tool to track cyber security efforts and developed a long-
term cyber asset protection strategy) but still has not addressed the 
third. 

* In the Department of Justice’s 2004 plan, the department did not 
fully address 5 of OMB’s requirements—namely, it did not describe: 
- the agency's long-term protective strategy, 
- performance metrics for the agency's CIP program, 
- the major initiatives for addressing cyber-related deficiencies, 
- milestones for these initiatives, and 
- challenges to implementation of the plan. 

Since then, the department, via other planning efforts (e.g., its IT 
Security Program Management Plan), has addressed all but the last 
requirement. 

* In its 2004 plan, the National Aeronautics and Space Administration 
fully addressed all but the requirements to summarize (1) the locations 
and assets supporting primary functions and (2) the agency’s ability to 
identify performance gaps in incident response and recovery activities. 
An updated addendum to the CIP plan met the first requirement. However, 
the second requirement remains unaddressed. 

* The Small Business Administration’s 2004 plan did not fully address 10
requirements; however, in 2005, the agency addressed one of the missing
requirements (i.e., determining whether corrective actions for IT 
systems considered critical infrastructure were included in FISMA plans 
of action and milestones) as part of other CIP planning efforts. 
However, these efforts did not fully address the 9 other criteria 
shortfalls identified in the agency’s 2004 plan, such as describing the 
agency’s ability to protect its cyber-related critical assets and its 
long-term protective strategy. 

* Although the Department of Transportation’s 2004 plan fully addressed 
17 of the 19 requirements, it did not address the requirements to 
summarize the locations and assets that support the primary functions 
and include a prioritized list of the agency’s cyber-related 
infrastructure assets. In 2008, the department developed a FISMA report 
that provided a summary of the location and assets supporting the
primary functions; however, the requirement to provide a prioritized 
list of the agency’s cyber-related infrastructure assets was not 
addressed. 

* In its 2004 plan, the Department of Veterans Affairs fully addressed 
10 OMB requirements but did not address others such as providing: 
- a description of the department’s capabilities for identifying, 
assessing vulnerabilities for, and prioritizing its cyber CIP assets; 
- a summary of its ability to identify performance gaps in incident 
response and recovery activities; 
- a description of its long-term protective strategy; 
- CIP program performance metrics; 
- milestones for major cyber initiatives; and 
- a discussion of challenges to implementing the plan. 

In a December 2008 update of the plan and related documentation, the 
department addressed 3 of the above requirements (i.e., performance 
metrics, milestones, and plan implementation challenges) but has yet to 
address the others. 

The above recent efforts are steps in the right direction, but until 
all the plans have been updated to fully address the OMB criteria, 
there is an increased risk that the federal government will not have 
effectively identified, prioritized, and protected its cyber critical
assets, leaving them potentially vulnerable to deliberate efforts to 
destroy, incapacitate, or exploit them. This also raises questions 
about the usefulness of these partially completed plans as input into 
the National Infrastructure Protection Plan and as a tool for initiating 
and institutionalizing cyber CIP planning governmentwide. 

Conclusions: 

The major federal agencies’ 2004 cyber CIP plans were an initial step 
toward the goals of (1) securing and protecting critical infrastructure 
and assets vital to carrying out the government’s mission-critical 
operations and (2) implementing and institutionalizing cyber planning 
governmentwide. While none of the 2004 plans have since been updated,
subsequent cyber CIP planning efforts by a third of the agencies have 
yielded additional steps toward these goals. However, continuing 
shortfalls in these planning efforts highlight that more remains to be 
done to ensure cyber CIP plans are developed in a comprehensive manner. 
These shortfalls are attributable in part to OMB not making these plans 
a priority, including not effectively overseeing agencies’ efforts to 
make sure OMB requirements are addressed in agency plans and the plans 
are being implemented. Without more sustained leadership, management, 
and oversight in this area, there is an increased risk that federal 
agencies individually, and the federal government collectively, will 
not, among other things, effectively identify, prioritize, and protect 
their cyber critical assets, thus leaving them potentially vulnerable 
to deliberate efforts to destroy, incapacitate, or exploit them. 

Recommendations for Executive Action: 

Accordingly, we recommend that the Director of the Office of Management 
and Budget provide leadership and oversight in directing federal cyber 
critical infrastructure planning efforts and make them a management 
priority by: 

* directing the agencies to expeditiously update their plans to fully 
address the office's cyber critical infrastructure planning 
requirements, and 

* following up with the agencies as appropriate to make sure updated 
plans fully meet OMB requirements and are being effectively 
implemented. At a minimum, this should include having agency heads 
report to OMB when updated plans have been completed and that the plans 
fully meet OMB requirements and are being effectively implemented. 

Agency Comments and Our Evaluation: 

In oral comments on a draft of this briefing, OMB officials, including 
the Lead Information Technology Policy Analyst from the Office of E-
Government and Information Technology, agreed with our findings and 
first recommendation and discussed issuing a clarifying memorandum to 
direct agencies to update their plans. With regard to our second 
recommendation, these officials said that it was ultimately the 
responsibility of the agencies to follow up to make sure plans are 
effectively updated and implemented. We concur that agencies have a key 
role to play in updating and implementing these plans because they know 
their cyber CIP environments and, therefore, how best to secure and 
protect them. This notwithstanding, as previously 
discussed, OMB has an important role of reviewing and approving agency 
plans across the entire federal government to ensure that they are 
consistently developed, updated, and implemented. To do this 
effectively, OMB should periodically follow up with the agencies to 
assess the status and progress of cyber CIP planning efforts. 

Attachment 1: Overall Summary Analysis of Criteria and the 2004 Plans: 

The following table shows, for each criterion (organized by key topic 
area), the number of plans that fully addressed, partially addressed, 
or did not address it. 

Addressing existing capabilities for protecting federal cyber critical 
infrastructure: 

Criteria by key topic area: Summarize primary functions of the agency 
that rely on cyber critical infrastructure assets; 
No. of plans that fully addressed: 18; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 0. 

Criteria by key topic area: Summarize the agency’s management 
structure, including the management responsible for the security of 
cyber critical assets; 
No. of plans that fully addressed: 18; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 0. 

Criteria by key topic area: Summarize locations and assets that support 
the primary functions; 
No. of plans that fully addressed: 12; 
No. of plans that partially addressed: 2; 
No. of plans that did not address: 4. 

Criteria by key topic area: Describe the agency's current capabilities 
for identification of federally owned or operated cyber critical 
infrastructure assets; 
No. of plans that fully addressed: 17; 
No. of plans that partially addressed: 1; 
No. of plans that did not address: 0. 

Criteria by key topic area: Describe the agency's current capabilities 
for assessments of cyber vulnerabilities and interdependencies; 
No. of plans that fully addressed: 17; 
No. of plans that partially addressed: 1; 
No. of plans that did not address: 0. 

Criteria by key topic area: Describe the agency's current capabilities 
for prioritization of federal cyber assets; 
No. of plans that fully addressed: 15; 
No. of plans that partially addressed: 1; 
No. of plans that did not address: 2. 

Criteria by key topic area: Describe the agency's current capabilities 
for adequately protecting cyber critical infrastructure assets; 
No. of plans that fully addressed: 17; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 1. 

Criteria by key topic area: Summarize the agency’s capability to 
respond to and recover from events that impair the ability to perform 
mission critical functions at or using federal cyber critical
infrastructure assets; 
No. of plans that fully addressed: 17; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 1. 

Criteria by key topic area: Summarize the agency’s ability to identify 
gaps in carrying out any of the activities discussed above; 
No. of plans that fully addressed: 12; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 6. 

Criteria by key topic area: Describe the agency’s process for 
determining budget and personnel requirements for cyber critical 
infrastructure activities; 
No. of plans that fully addressed: 16; 
No. of plans that partially addressed: 1; 
No. of plans that did not address: 1. 

Criteria by key topic area: Describe the agency’s process for ensuring 
independent oversight of cyber CIP programs; 
No. of plans that fully addressed: 14; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 4. 

Criteria by key topic area: Describe any corrective actions identified 
for cyber-related issues and if follow-on actions were taken; 
No. of plans that fully addressed: 13; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 5. 

Criteria by key topic area: Determine whether corrective actions for IT 
systems considered critical infrastructure were included in Federal
Information Security Management Act (FISMA) plans of action and 
milestones; 
No. of plans that fully addressed: 14; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 4. 

Prioritized list of the agency’s cyber-related critical
infrastructure: 

Criteria by key topic area: Include a prioritized list of the agency’s 
cyber-related critical infrastructure; 
No. of plans that fully addressed: 14; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 4. 

Developing a long-term protective strategy: 

Criteria by key topic area: Describe the agency's long-term protective 
strategy to protect the cyber critical infrastructure identified in the 
plan; 
No. of plans that fully addressed: 10; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 8. 

Criteria by key topic area: Describe performance metrics for the CIP 
program; 
No. of plans that fully addressed: 13; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 5. 

Criteria by key topic area: Describe the status of major initiatives 
that are underway or planned for addressing cyber-related deficiencies; 
No. of plans that fully addressed: 16; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 2. 

Criteria by key topic area: Describe milestones for the initiatives 
described and target dates for completing each milestone; 
No. of plans that fully addressed: 15; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 3. 

Criteria by key topic area: Discuss any specific management, technical, 
or operational challenges with regard to implementation of the plan; 
No. of plans that fully addressed: 13; 
No. of plans that partially addressed: 0; 
No. of plans that did not address: 5. 

Source: GAO analysis of agency plans. 

[End of table] 

Attachment 2: Criteria Met by 2004 Cyber CIP Plans of Major Federal 
Agencies: 

Agriculture–Justice: 

Addressing existing capabilities for protecting federal cyber critical 
infrastructure: 

Criteria (by key topic area): Summarize primary functions of the agency 
that rely on cyber critical infrastructure assets; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: fully addressed; 
DOI: fully addressed; 
DOJ: fully addressed. 

Criteria (by key topic area): Summarize the agency’s management 
structure, including the management responsible for the security of 
cyber critical assets; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: fully addressed; 
DOI: fully addressed; 
DOJ: fully addressed. 

Criteria (by key topic area): Summarize the locations and assets that 
support the primary functions; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: fully addressed; 
DHS: not addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: not addressed; 
DOI: partially[A] addressed; 
DOJ: fully addressed. 

Criteria (by key topic area): Describe the agency's current 
capabilities for identification of federally owned or operated cyber 
critical infrastructure assets; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: fully addressed; 
DOI: fully addressed; 
DOJ: fully addressed. 

Criteria (by key topic area): Describe the agency's current 
capabilities for assessments of cyber vulnerabilities and 
interdependencies; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: fully addressed; 
DOI: fully addressed; 
DOJ: fully addressed. 

Criteria (by key topic area): Describe the agency's current 
capabilities for prioritization of federal cyber assets; 
USDA: partially[B] addressed; 
DOC: fully addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: fully addressed; 
DOI: fully addressed; 
DOJ: fully addressed. 

Criteria (by key topic area): Describe the agency's current 
capabilities for adequately protecting cyber critical infrastructure 
assets; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: fully addressed; 
DOI: fully addressed; 
DOJ: fully addressed. 

Criteria (by key topic area): Summarize the agency’s capability to 
respond to and recover from events that impair the ability to perform 
mission critical functions at or using federal cyber critical 
infrastructure assets; 
USDA: fully addressed; 
DOC: not addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: fully addressed; 
DOI: fully addressed; 
DOJ: fully addressed. 

Criteria (by key topic area): Summarize the agency’s ability to 
identify gaps in carrying out any of the activities discussed above; 
USDA: fully addressed; 
DOC: not addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: not addressed; 
DOI: fully addressed; 
DOJ: fully addressed. 

Criteria (by key topic area): Describe the agency’s process for 
determining budget and personnel requirements for cyber critical 
infrastructure activities; 
USDA: fully addressed; 
DOC: partially[C] addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: fully addressed; 
DOI: fully addressed; 
DOJ: fully addressed. 

Criteria (by key topic area): Describe the agency’s process for 
ensuring independent oversight of cyber CIP programs; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: not addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: not addressed; 
DOI: fully addressed; 
DOJ: fully addressed. 

Criteria (by key topic area): Describe any corrective actions 
identified for cyber-related issues and if follow-on actions were 
taken; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: not addressed; 
DOI: not addressed; 
DOJ: fully addressed. 

Criteria (by key topic area): Determine whether corrective actions for 
IT systems considered critical infrastructure were included in Federal 
Information Security Management Act (FISMA) plans of action and 
milestones; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: not addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: not addressed; 
DOI: fully addressed; 
DOJ: fully addressed. 

Prioritized list of agency-owned or operated critical infrastructure: 

Criteria (by key topic area): Include a prioritized list of the 
agency’s cyber-related critical infrastructure; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: fully addressed; 
DHS: not addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: not addressed; 
DOI: fully addressed; 
DOJ: fully addressed. 

Long-term protective strategy: 

Criteria (by key topic area): Describe the agency's long-term 
protective strategy to protect the cyber critical infrastructure 
identified in the plan; 
USDA: fully addressed; 
DOC: not addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: not addressed; 
DOI: not addressed; 
DOJ: not addressed. 

Criteria (by key topic area): Describe the performance metrics for the 
CIP program; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: not addressed; 
DOI: fully addressed; 
DOJ: not addressed. 

Criteria (by key topic area): Describe the status of major initiatives 
that are underway or planned for addressing cyber-related deficiencies; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: not addressed; 
DOI: fully addressed; 
DOJ: not addressed. 

Criteria (by key topic area): Describe the milestones for the 
initiatives described and target dates for completing each milestone; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: not addressed; 
DOI: fully addressed; 
DOJ: not addressed. 

Criteria (by key topic area): Discuss any specific management, 
technical, or operational challenges with regard to implementation of 
the plan; 
USDA: fully addressed; 
DOC: fully addressed; 
DOD: fully addressed; 
DHS: fully addressed; 
DOE: fully addressed; 
EPA: fully addressed; 
HHS: not addressed; 
DOI: fully addressed; 
DOJ: not addressed. 

Labor–Veterans Affairs: 

Addressing existing capabilities for protecting federal cyber critical 
infrastructure: 

Criteria (by key topic area): Summarize primary functions of the agency 
that rely on cyber critical infrastructure assets; 
Labor: fully addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: fully addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: fully addressed. 

Criteria (by key topic area): Summarize the agency’s management 
structure, including the management responsible for the security of 
cyber critical assets; 
Labor: fully addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: fully addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: fully addressed. 

Criteria (by key topic area): Summarize the locations and assets that 
support the primary functions; 
Labor: fully addressed; 
NASA: not addressed; 
OPM: partially addressed[D]; 
SBA: fully addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: not addressed; 
Treasury: fully addressed; 
VA: fully addressed. 

Criteria (by key topic area): Describe the agency's current 
capabilities for identification of federally owned or operated cyber
critical infrastructure assets; 
Labor: fully addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: fully addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: partially addressed[E]. 

Criteria (by key topic area): Describe the agency's current 
capabilities for assessments of cyber vulnerabilities and 
interdependencies; 
Labor: fully addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: fully addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: partially addressed[F]. 

Criteria (by key topic area): Describe the agency's current 
capabilities for prioritization of federal cyber assets; 
Labor: fully addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: not addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: not addressed. 

Criteria (by key topic area): Describe the agency's current 
capabilities for adequately protecting cyber critical infrastructure 
assets; 
Labor: fully addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: not addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: fully addressed. 

Criteria (by key topic area): Summarize the capability to respond to 
and recover from events that impair the ability to perform mission 
critical functions at or using federal cyber critical infrastructure 
assets; 
Labor: fully addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: fully addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: fully addressed. 

Criteria (by key topic area): Summarize the ability to identify gaps in 
carrying out any of the activities discussed above; 
Labor: not addressed; 
NASA: not addressed; 
OPM: fully addressed; 
SBA: not addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: not addressed. 

Criteria (by key topic area): Describe the agency’s process for 
determining budget and personnel requirements for cyber critical 
infrastructure activities; 
Labor: fully addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: not addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: fully addressed. 

Criteria (by key topic area): Describe the agency’s process for 
ensuring independent oversight of cyber CIP programs; 
Labor: not addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: not addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: fully addressed. 

Criteria (by key topic area): Describe any corrective actions 
identified for cyber-related issues and if follow-on actions were 
taken; 
Labor: not addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: not addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: not addressed; 
VA: fully addressed. 

Criteria (by key topic area): Determine whether corrective actions for 
IT systems considered critical infrastructure were included in Federal 
Information Security Management Act (FISMA) plans of action and 
milestones; 
Labor: not addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: not addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: fully addressed. 

Prioritized list of agency-owned or operated critical
infrastructure: 

Criteria (by key topic area): Include a prioritized list of agency 
cyber-related critical infrastructure; 
Labor: fully addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: fully addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: not addressed; 
Treasury: fully addressed; 
VA: not addressed. 

Long-term protective strategy: 

Criteria (by key topic area): Describe the agency's long-term 
protective strategy to protect the cyber critical infrastructure 
identified in the plan; 
Labor: not addressed; 
NASA: fully addressed; 
OPM: not addressed; 
SBA: not addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: not addressed. 

Criteria (by key topic area): Describe the performance metrics for the 
CIP program; 
Labor: not addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: not addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: not addressed. 

Criteria (by key topic area): Describe the status of major initiatives 
that are underway or planned for addressing cyber-related deficiencies; 
Labor: fully addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: fully addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: fully addressed. 

Criteria (by key topic area): Describe the milestones for the 
initiatives described and target dates for completing each milestone; 
Labor: fully addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: fully addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: not addressed. 

Criteria (by key topic area): Discuss any specific management, 
technical, or operational challenges with regard to implementation of 
the plan; 
Labor: not addressed; 
NASA: fully addressed; 
OPM: fully addressed; 
SBA: not addressed; 
SSA: fully addressed; 
State: fully addressed; 
DOT: fully addressed; 
Treasury: fully addressed; 
VA: not addressed. 

Note: Agency abbreviations as follows: Agriculture (USDA), Commerce 
(DOC), Defense (DOD), Homeland Security (DHS), Energy (DOE), 
Environmental Protection Agency (EPA), Health and Human Services (HHS), 
Interior (DOI), and Justice (DOJ). 

[A] The Department of the Interior’s plan discussed the function and 
locations but did not identify the assets. 

[B] The Department of Agriculture’s plan described a process but did 
not address whether the department had prioritized its cyber assets. 

[C] The Department of Commerce’s plan identified special funding but 
did not provide an overall process for determining resources. 

[D] The Office of Personnel Management’s plan summarized the locations 
but did not identify the specific assets. 

[E] The Department of Veterans Affairs’ plan described the department’s 
capability to identify assets but did not state how the process 
included cyber assets. 

[F] The Department of Veterans Affairs’ plan described departmental 
capability to perform vulnerability assessments but did not specify
how the process included cyber assets. 

Source: GAO analysis of agency plans. 

[End of table] 

[End of section] 

Appendix II: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

David A. Powner, (202) 512-9286 or pownerd@gao.gov: 

Staff Acknowledgments: 

In addition to the individual named above, key contributions were made 
to this report by Gary N. Mountjoy, Assistant Director; Nabajyoti 
Barkakati; Scott F. Borre; Neil J. Doherty; Michael W. Gilmore; 
Barbarol J. James; Kenneth A. Johnson; Kush K. Malhotra; and Lee A. 
McCracken. 

[End of section] 

Footnotes: 

[1] Critical infrastructure means IT and non-IT systems and assets, 
whether physical or virtual, so vital to the United States that the 
incapacity or destruction of such systems and assets would have a 
debilitating impact on security, national economic security, national 
public health or safety, or any combination of these. 

[2] Key resources are publicly or privately controlled resources 
essential to the minimal operations of the economy and government 
(e.g., nuclear power plants, and certain dams, government facilities, 
and commercial facilities). 

[3] These are the Departments of Agriculture, Commerce, Defense, 
Education, Energy, Health and Human Services, Homeland Security, 
Housing and Urban Development, the Interior, Justice, Labor, State, 
Transportation, the Treasury, and Veterans Affairs; the Environmental 
Protection Agency; General Services Administration; National 
Aeronautics and Space Administration; National Science Foundation; 
Nuclear Regulatory Commission; Office of Personnel Management; Small 
Business Administration; Social Security Administration; and the U.S. 
Agency for International Development. 

[4] Critical infrastructure means systems and assets, whether physical 
or virtual, so vital to the United States that the incapacity or
destruction of such systems and assets would have a debilitating impact 
on security, national economic security, national public health
or safety, or any combination of these matters. 

[5] Key resources are publicly or privately controlled resources 
essential to the minimal operations of the economy and government.
Examples include such facilities as nuclear power plants, dams, 
government facilities, and commercial facilities. 

[6] These are the Departments of Agriculture, Commerce, Defense, 
Education, Energy, Health and Human Services, Homeland Security,
Housing and Urban Development, the Interior, Justice, Labor, State, 
Transportation, the Treasury, and Veterans Affairs; the
Environmental Protection Agency, General Services Administration, 
National Aeronautics and Space Administration, National Science
Foundation, Nuclear Regulatory Commission, Office of Personnel 
Management, Small Business Administration, Social Security
Administration, and the U.S. Agency for International Development. 

[7] GAO, Information Security: Progress Reported, but Weaknesses at 
Federal Agencies Persist, [hyperlink, 
http://www.gao.gov/products/GAO-08-571T] (Washington, D.C.: March 12, 
2008). 

[8] See, for example, GAO, Information Security: Agencies Continue to 
Report Progress, but Need to Mitigate Persistent Weaknesses, 
[hyperlink, http://www.gao.gov/products/GAO-09-546] (Washington, D.C.: 
July 17, 2009); Information Security: Progress Reported, but Weaknesses 
at Federal Agencies Persist, [hyperlink, 
http://www.gao.gov/products/GAO-08-571T] (Washington, D.C.: March 12, 
2008); and Continuity of Operations: Selected Agencies Tested Various 
Capabilities during 2006 Governmentwide Exercise, [hyperlink, 
http://www.gao.gov/products/GAO-08-185] (Washington, D.C.: November 19, 
2007). 

[9] Title III, E-Government Act of 2002, Pub. L. No. 107-347. 

[10] GAO, High-Risk Series, An Update, [hyperlink, 
http://www.gao.gov/products/GAO-09-271] (Washington, D.C.: January 
2009). 

[11] Key resources are publicly or privately controlled resources 
essential to the minimal operations of the economy and government.
Examples include such facilities as nuclear power plants, dams, 
government facilities, and commercial facilities. 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: