Defense Infrastructure: Actions Needed to Guide DOD's Efforts to Identify, Prioritize, and Assess Its Critical Infrastructure

GAO-07-461 May 24, 2007
Highlights Page (PDF)   Full Report (PDF, 48 pages)   Accessible Text   Recommendations (HTML)

Summary

The Department of Defense (DOD) relies on a network of DOD and non-DOD infrastructure assets in the United States and abroad so critical that its unavailability could hinder DOD's ability to project, support, and sustain its forces and operations worldwide. DOD established the Defense Critical Infrastructure Program (DCIP) to identify and assure the availability of mission-critical infrastructure. GAO was asked to evaluate the extent to which DOD has (1) developed a comprehensive management plan to implement DCIP and (2) identified, prioritized, and assessed its critical infrastructure. GAO analyzed relevant DCIP documents and guidance and met with officials from more than 30 DOD organizations that have DCIP responsibilities, and with Department of Homeland Security (DHS) officials involved in protecting critical infrastructure.

While DOD has taken important steps to implement DCIP, it has not developed a comprehensive management plan to guide its efforts. GAO's prior work has shown the importance of developing a plan that incorporates sound management practices, such as issuing guidance, coordinating stakeholders' efforts, and identifying resource requirements and sources. Most of DOD's DCIP guidance and policies are either newly issued or in draft form, leading some DOD components to rely on other, better-defined programs, such as the antiterrorism program, to implement DCIP. Although DOD issued a DCIP directive in August 2005, the lead office responsible for DCIP lacks a chartering directive that defines important roles, responsibilities, and relationships with other DOD organizations and missions. DOD has created several information sharing and coordination mechanisms; however, additional measures could be taken. Also, DOD's reliance on supplemental appropriations to fund DCIP makes it difficult to effectively plan future resource needs. Until DOD completes a comprehensive DCIP management plan, its ability to implement DCIP will be challenged. DOD estimates that it has identified about 25 percent of the critical infrastructure it owns, and expects to identify the remaining 75 percent by the end of fiscal year 2009. In contrast, DOD has identified significantly less of the critical infrastructure that it does not own, and does not have a target date for its completion. Among the non-DOD-owned critical infrastructure that has been identified are some 200 assets belonging to private sector companies that comprise the defense industrial base--the focus of another report we plan to issue later this year. DOD estimates that about 85 percent of its mission-critical infrastructure assets are owned by non-DOD entities, such as the private sector; state, local, and tribal governments; and foreign governments. DOD has conducted vulnerability assessments on some DOD-owned infrastructure. While these assessments can provide useful information about specific assets, until DOD identifies and prioritizes all of the critical infrastructure it owns, assessment results have limited value for deciding where to target funding investments. For the most part, DOD cannot assess assets it does not own, and DOD has not coordinated with DHS to include them among DHS's assessments of the nation's critical infrastructure. DOD has delayed coordinating the assessment of non-DOD-owned infrastructure located abroad while it focuses on identifying the critical infrastructure that it does own. Regarding current and future DCIP funding levels, they do not include the cost to remediate vulnerabilities that are identified through the assessments. When DOD identifies, prioritizes, and assesses its critical infrastructure, and includes remediation in its funding requirements, its ability to perform risk-based decision making and target funding to priority needs will be improved.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow up work.

Director:
Team:
Phone:
Davi M. Dagostino
Government Accountability Office: Defense Capabilities and Management
No phone on record


Recommendations for Executive Action


Recommendation: To guide DCIP implementation, the Secretary of Defense should direct the Assistant Secretary of Defense for Homeland Defense and America's Security Affairs (ASD[HD&ASA]) to develop and implement a comprehensive management plan that addresses guidance, coordination of stakeholders' efforts, and resources needed to implement DCIP. Such a plan should include establishing timelines for finalizing the DCIP Data Collection Essential Elements of Information Data Sets to enhance the likelihood that DOD components and sector lead agents will take a consistent approach in implementing DCIP.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To implement the intent of the Deputy Secretary of Defense's memorandum Implementation Guidance Regarding the Office of the Assistant Secretary of Defense for Homeland Defense dated March 25, 2003, the Secretary of Defense should direct the Director of Administration and Management to issue a chartering directive to, among other things, define the relationship between the Directorates for HD&ASA and Special Operations and Low-Intensity Conflict and Interdependent Capabilities.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: As part of this comprehensive management plan, to increase the likelihood that the defense sector lead agents are able to make effective budgetary decisions, the Secretary of Defense should direct ASD(HD&ASA) to assist the defense sector lead agents in identifying, prioritizing, and including DCIP funding requirements through the regular budgeting process beginning in fiscal year 2010.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: As part of developing a comprehensive management plan for DCIP, the Secretary of Defense should direct ASD(HD&ASA), in coordination with the DOD components and sector lead agents, to determine funding levels and sources needed to avoid reliance on supplemental appropriations and identify funding for DCIP remediation.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To increase the utility of vulnerability assessments, the Secretary of Defense should direct ASD(HD&ASA) to complete the identification and prioritization of critical infrastructure before increasing the number of infrastructure vulnerability assessments performed.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To increase the utility of vulnerability assessments, the Secretary of Defense should direct ASD(HD&ASA) to adopt the practice of combining the defense critical infrastructure vulnerability assessment module with an existing assessment as the DOD-wide practice.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To increase the utility of vulnerability assessments the Secretary of Defense should direct ASD(HD&ASA) to issue guidance and criteria for performing infrastructure vulnerability self-assessments.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Recommendation: To increase the utility of vulnerability assessments, the Secretary of Defense should direct ASD(HD&ASA) to identify and prioritize domestic non-DOD-owned critical infrastructure for DHS to consider including among its assessments of the nation's critical infrastructure.

Agency Affected: Department of Defense

Status: In process

Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.