Defense Critical Infrastructure: DOD's Risk Analysis of Its Critical Infrastructure Omits Highly Sensitive Assets

To identify and help assure the availability of mission-critical infrastructure, in August 2005, DOD established the Defense Critical Infrastructure Program (DCIP), assigning overall responsibility for the program to the Assistant Secretary of Defense for Homeland Defense and Americas Security Affairs (ASD[HD&ASA]). Since 2006, ASD(HD&ASA) has collaborated with the Joint Staff to compile a list of all DOD- and non-DOD-owned infrastructure essential to accomplish the National Defense Strategy. Each critical asset on the list must undergo a vulnerability assessment. As part of our ongoing work, this report evaluates the extent to which DOD is (1) identifying and prioritizing critical Sensitive Compartmented Information (SCI) and Special Access Programs (SAP) assets in DCIP and (2) assessing critical SCI and SAP assets for vulnerabilities in a comprehensive manner consistent with that used by DCIP for collateral-level assets. We conducted this performance audit from September 2007 through February 2008 in accordance with generally accepted government auditing standards.