Study: Feds Have Not Identified Vulnerable IT Assets
GAO report says at least four federal agencies have not completed 'fundamental' step of identifying their critical infrastructure assets.
More than four years after receiving a presidential directive to determine if their networks were vulnerable to terrorist attacks, at least four federal agencies have not completed the processes of identifying critical agency assets and assessing their vulnerabilities, according to a General Accounting Office report released Wednesday.
The GAO report, ordered by the House Energy and Commerce Committee to measure the pace of the critical infrastructure protection efforts of the agencies under the committee's purview, examined the Department of Energy, the Department of Health and Human Services, the Department of Commerce and the Environmental Protection Agency.
"The agencies still have not completed the fundamental step of identifying their critical infrastructure assets and the operational dependencies of these vital assets on other public and private assets," the report states. "Once these assets and dependencies are identified, further steps will be necessary, such as conducting or updating vulnerability assessments, managing identified vulnerabilities, and ensuring that these assets are appropriately considered in planning for the continuity of essential agency operations."
The GAO says several of the agencies have "tentatively" identified or are "revisiting" their critical assets, and all four are working to complete the process. However, according to the report, agency estimates show that just identifying the dependencies for one critical asset could take hundreds of staff hours and six to seven months.
The report further states that neither the administration nor the agencies have established specific deadlines or estimated the total resource requirements to complete the asset and dependency identification process, and "completing these tasks at the current pace could take years."
"It was disappointing to learn in an April 2001 oversight hearing by our committee that, three years after the issuance of a presidential directive in 1998, most federal agencies had failed to even identify their own critical assets," Energy and Commerce Committee Chairman Billy Tauzin and ranking member John Dingell said in a joint statement. "However, the events of September 11 have made the task of protecting vital assets even more urgent."
The statement added, "Today's GAO report reveals that, while progress has been made since that time, the current situation remains unacceptable -- and that much more work is necessary just to assess all of our critical asset dependencies and vulnerabilities, the basic pre-conditions for adequate protection."
Tauzin and Dingell said the Bush administration must move "quickly to heed" the GAO's recommendation to establish firm deadlines and resource plans to carry out the asset and dependency identification process.
"It has now been five years since these agencies were instructed to determine where their own critical systems were vulnerable and to develop the countermeasures necessary to assure that the most important functions of government would continue in the face of a terrorist attack," Tauzin and Dingell said. "These agencies should have completed these tasks long ago. We must move with all deliberate speed to ensure that the assets necessary to the effective functioning of our government and economic systems are protected to the extent reasonably possible."