The Department of Defense (DOD) relies on a global network of critical physical and cyber infrastructure to project, support, and sustain its forces and operations worldwide. The incapacitation, exploitation, or destruction of one or more of its assets would seriously damage DOD's ability to carry out its core missions. To identify and help assure the availability of this mission-critical infrastructure, in August 2005, DOD established the Defense Critical Infrastructure Program (DCIP), assigning overall responsibility for the program to the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]). Since 2006, ASD(HD&ASA) has collaborated with the Joint Staff to compile a list of all DOD- and non-DOD-owned infrastructure essential to accomplish the National Defense Strategy. Each critical asset on the list must undergo a vulnerability assessment, which identifies weaknesses in relation to potential threats and suggests options to address those weaknesses. Data and material designated as Sensitive Compartmented Information (SCI) or associated with Special Access Programs (SAP) are among the nation's most valued and closely guarded assets, and DOD faces inherent challenges in incorporating them into DCIP. The number of individuals authorized to access SCI and SAPs is a relatively small subset of those authorized to access collateral-level classified information--that is, Confidential, Secret, or Top Secret information. Congress requested that GAO review a number of issues related to defense critical infrastructure. To date, GAO have issued two reports in response to that request. GAO's first report examined the extent to which DOD had developed a comprehensive management plan for DCIP and had identified, prioritized, and assessed defense critical infrastructure. GAO's second report examined DOD's efforts to implement a risk management approach for critical assets in the Defense Industrial Base Defense Sector. As part of GAO's ongoing work on DOD's critical infrastructure protection efforts, this report focuses on challenges DOD faces in incorporating critical SCI and SAP assets into DCIP. Specifically, this report evaluates the extent to which DOD is (1) identifying and prioritizing critical SCI and SAP assets in DCIP and (2) assessing critical SCI and SAP assets for vulnerabilities in a comprehensive manner consistent with that used by DCIP for collateral-level assets.
Recommendations for Executive Action
|Department of Defense||1. To ensure that DOD adequately identifies, prioritizes, and assesses critical SCI and SAP infrastructure, the Secretary of Defense should direct ASD(HD&ASA) to develop a process to identify, prioritize, and assess all critical SCI and SAP assets in a manner consistent with DCIP standards. As one option, ASD(HD&ASA) could partner with the Defense Intelligence Agency and the SAP Central Office to compile separate lists of, and to perform mission-based, all-hazards vulnerabilities assessments on, critical SCI and SAP assets.|
|Department of Defense||2. To ensure that DOD adequately identifies, prioritizes, and assesses critical SCI and SAP infrastructure, the Secretary of Defense should direct ASD(HD&ASA) to amend the DCIP Security Classification Guide to explicitly address the treatment of SCI and SAP information on critical asset lists.|