Defense Infrastructure: Actions Needed to Guide DOD's Efforts to Identify, Prioritize, and Assess Its Critical Infrastructure

DOD concurred with GAO's recommendation to develop and implement a comprehensive management plan that addresses guidance, coordination of stakeholders' efforts, and resources needed to implement the Defense Critical Infrastructure Program (DCIP). Such a plan should include establishing timelines for finalizing the DCIP Data Collection Essential Elements of Information Data Sets to enhance the likelihood that DOD components and sector lead agents will take a consistent approach in implementing DCIP. On May 30, 2008, the Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]) issued the Defense Critical Infrastructure Program: Program Plan, FY 2008-2013, Version 1. The program plan serves as ASD(HD&ASA)'s comprehensive management plan and articulates how DOD intends to implement the Strategy for Defense Critical Infrastructure, issued in March 2008. To address the guidance component of GAO's recommendation, the program plan identifies all current program guidance, including a brief description of the guidance, its current status, publication dates, and any anticipated revisions with dates. Further, it identifies Baseline Elements of Information (formerly the Data Collection Essential Elements of Information Data Sets) as completed in May 2007. To address the coordination component of GAO's recommendation, the program plan contains a section on program implementation responsibilities, including fostering strategic partnerships and outreach. To address the DCIP resource component of GAO's recommendation, the program plan outlines how DCIP components are to request funding along with a timeline for the requesting process. As a result, ASD(HD&ASA)'s comprehensive management plan will guide the department's efforts in more effectively implementing an efficient critical infrastructure program.

DOD concurred with GAO's recommendation to issue a chartering directive to, among other things, define the relationship between the Directorates of Homeland Defense and Americas' Security Affairs (HD&ASA) and Special Operations and Low-Intensity Conflict and Interdependent Capabilities (SO/LIC&IC). DOD noted a draft chartering directive had been prepared. On January 16, 2009, DOD issued Directive 5111.13, Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]), which established the position of the ASD(HD&ASA) with specific responsibilities and functions, relationships, and authorities. The chartering directive defines ASD(HD&ASA)'s coordination roles and responsibilities vis-a-vis ASD(SO/LIC&IC) as it relates to the Defense Critical Infrastructure Program (DCIP) and antiterrorism policy. As a result, the chartering directive identifies the relationship between DCIP and antiterrorism missions so that DOD components and defense sector lead agents are able to rely on the appropriate guidance to implement their critical infrastructure programs.

DOD concurred with GAO's recommendation to assist the Defense Infrastructure Sector Lead Agents in identifying, prioritizing, and including Defense Critical Infrastructure Program (DCIP) funding requirements through the regular budgeting process beginning in fiscal year 2010. In February 2010, Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]) officials stated that two of the ten defense infrastructure sector lead agents are now receiving funding through the regular budget process with their executive agents. Further, these officials stated that two other sectors were in the process of establishing funding through their executive agents. However, ASD(HD&ASA) officials noted that because some executive agents were not able to guarantee DCIP funding levels, ASD(HD&ASA) would continue to fund these defense sectors though a regular budget process because it would provide greater stability in funding. ASD(HD&ASA) now distributes, annually, a request for requirements to the Defense Infrastructure Sector Lead Agents that serves as a baseline for annual funding. This annual requirements process requires the Defense Infrastructure Sector Lead Agents to identify funding requirements, cost estimates, deliverables, and how the funding requests relate to the objectives or goals detailed in the DCIP strategy. As a result of utilizing a regular budget process to determine funding levels, the Defense Infrastructure Sector Lead Agents are now able to plan resourcing needs, weigh priorities, and assess budget trade-offs in order to successfully implement DCIP.

DOD concurred with GAO's recommendation to determine funding levels and sources needed to avoid reliance on supplemental appropriations and identify funding for the Defense Critical Infrastructure Program (DCIP) remediation. In December 2009, the Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]) responded to the DOD Inspector General stating that funding lines for the military services and combatant commands have been established and that none of the Defense Infrastructure Sector Lead Agents are reliant on supplemental appropriations. Defense Infrastructure Sector Lead Agents identify funding requirements, cost estimates, deliverables, and how the funding requests relate to the objectives or goals detailed in the DCIP strategy. As a result of utilizing a regular budget process to determine funding levels, the Defense Infrastructure Sector Lead Agents are now able to plan resourcing needs, weigh priorities, and assess budget trade-offs in order to successfully implement DCIP.

DOD concurred with GAO's recommendation to complete the identification and prioritization of critical infrastructure before increasing the number of infrastructure vulnerability assessments performed. Specifically, DOD agreed to identify and prioritize all DOD-owned critical infrastructure before increasing the number of assessments to codify the practice of combining the infrastructure assessment with an existing vulnerability assessment, thereby reducing the burden of multiple assessments on installation personnel and asset owners. On March 12, 2009, Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]) officials stated that they (the Joint Staff under the auspices and oversight of ASD(HD&ASA)) are only conducting mission-based vulnerability assessments on Defense Critical Assets (DCA) and Tier 1 Task Critical Assets (TCA) and are not conducting such assessments on every installation or an entire installation on which a DCA or TCA is located. This action represents, as the recommendation states, a prioritization of critical infrastructure for assessments. Further, because the DCA and TCA lists will be continuously updated over time to reflect changing missions, a more detailed prioritization is not possible, since assets will change over time. We agree that DOD's approach and rationale meet the intent of our recommendation. As a result of DOD's prioritization efforts, the department will be able to more effectively target its financial resources to conducting vulnerability assessments for its most critical assets.

DOD concurred with GAO's recommendation to issue guidance and criteria for performing infrastructure vulnerability self-assessments. In August 2011, officials from the Office of the Assistance Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]) provided GAO with a template of its critical asset self-assessment tool being used by critical asset owners--the military services. According to ASD(HD&ASA) officials, the tool was completed and released for use beginning in January 2011 using the Defense Critical Infrastructure Program Assessment Standards and Benchmarks guidance. The self-assessments contain a series of modules, including force protection, emergency management, commercial dependence on electrical power, and cyber security, which help to identify potential vulnerabilities to critical assets. As a result of developing a self-assessment tool with applicable guidance, DOD asset owners will be in a better position to evaluate the vulnerabilities and risk to DOD's critical infrastructure.

DOD concurred with GAO's recommendation to identify and prioritize domestic non-DOD-owned critical infrastructure for the Department of Homeland Security (DHS) to consider including among its assessments of the nation's critical infrastructure. On March 12, 2009, officials from the Office of the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]) stated that with the exception of the Defense Industrial Base, DOD did not have any non-DOD-owned, domestic critical infrastructure on its critical asset list. Further, these officials noted that because they are the federal sector lead agency for the Defense Industrial Base, they annually coordinated their Defense Industrial Base critical asset list with DHS. On May 6, 2009, ASD(HD&ASA) provided GAO with a copy of their most recent transmission (April 7, 2009) to DHS of the Defense Industrial Base critical asset list. As a result of DOD's coordination with DHS, DOD will increase its awareness of vulnerabilities associated with infrastructure that it relies on but does not control.