Defense Critical Infrastructure: DOD's Risk Analysis of Its Critical Infrastructure Omits Highly Sensitive Assets
Highlights
The Department of Defense (DOD) relies on a global network of critical physical and cyber infrastructure to project, support, and sustain its forces and operations worldwide. The incapacitation, exploitation, or destruction of one or more of its assets would seriously damage DOD's ability to carry out its core missions. To identify and help assure the availability of this mission-critical infrastructure, in August 2005, DOD established the Defense Critical Infrastructure Program (DCIP), assigning overall responsibility for the program to the Assistant Secretary of Defense for Homeland Defense and Americas' Security Affairs (ASD[HD&ASA]). Since 2006, ASD(HD&ASA) has collaborated with the Joint Staff to compile a list of all DOD- and non-DOD-owned infrastructure essential to accomplish the National Defense Strategy. Each critical asset on the list must undergo a vulnerability assessment, which identifies weaknesses in relation to potential threats and suggests options to address those weaknesses. Data and material designated as Sensitive Compartmented Information (SCI) or associated with Special Access Programs (SAP) are among the nation's most valued and closely guarded assets, and DOD faces inherent challenges in incorporating them into DCIP. The number of individuals authorized to access SCI and SAPs is a relatively small subset of those authorized to access collateral-level classified information--that is, Confidential, Secret, or Top Secret information. Congress requested that GAO review a number of issues related to defense critical infrastructure. To date, GAO have issued two reports in response to that request. GAO's first report examined the extent to which DOD had developed a comprehensive management plan for DCIP and had identified, prioritized, and assessed defense critical infrastructure. GAO's second report examined DOD's efforts to implement a risk management approach for critical assets in the Defense Industrial Base Defense Sector. As part of GAO's ongoing work on DOD's critical infrastructure protection efforts, this report focuses on challenges DOD faces in incorporating critical SCI and SAP assets into DCIP. Specifically, this report evaluates the extent to which DOD is (1) identifying and prioritizing critical SCI and SAP assets in DCIP and (2) assessing critical SCI and SAP assets for vulnerabilities in a comprehensive manner consistent with that used by DCIP for collateral-level assets.
Recommendations
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Department of Defense | To ensure that DOD adequately identifies, prioritizes, and assesses critical SCI and SAP infrastructure, the Secretary of Defense should direct ASD(HD&ASA) to develop a process to identify, prioritize, and assess all critical SCI and SAP assets in a manner consistent with DCIP standards. As one option, ASD(HD&ASA) could partner with the Defense Intelligence Agency and the SAP Central Office to compile separate lists of, and to perform mission-based, all-hazards vulnerabilities assessments on, critical SCI and SAP assets. |
Closed – Implemented
DOD partially concurred with GAO's recommendation to develop a process to identify, prioritize, and assess all critical sensitive compartmented information (SCI) and special access program (SAP) assets in a manner consistent with Defense Critical Infrastructure Program (DCIP) standards. Subsequently, according to DOD, the Intelligence, Surveillance, and Reconnaissance Sector (ISR) generated a list of SCI assets that would be reviewed and prioritized following the DCIP assessment process and included in a classified database of critical assets. Additionally, in April 2009, the DCIP Office and the Director, Special Access Program Central Office (SAPCO), agreed that the latter will ensure that SAPs are properly evaluated for potential critical assets that are then identified, prioritized, and assessed in accordance with DCIP policy guidance. This agreement has been codified in a memorandum. By including SCI and SAP infrastructure, DOD's processes for soliciting critical asset information should result in the consistent and comprehensive identification and prioritization of all critical infrastructure.
|
| Department of Defense | To ensure that DOD adequately identifies, prioritizes, and assesses critical SCI and SAP infrastructure, the Secretary of Defense should direct ASD(HD&ASA) to amend the DCIP Security Classification Guide to explicitly address the treatment of SCI and SAP information on critical asset lists. |
Closed – Implemented
DOD concurred with GAO's recommendation to amend the Defense Critical Infrastructure Program (DCIP) Security Classification Guide to explicitly address the treatment of sensitive compartmented information (SCI) and special access program (SAP) information on critical asset lists. On February 15, 2011, the DCIP Office issued its updated DCIP Security Classification Manual, which provides specific guidance addressing SCI and SAP information on critical asset lists. As a result of issuing this guidance, DOD will be in a better position to fully identify its critical assets and make informed risk-management decisions about potentially serious risks to core defense missions.
|