April 5, 2019
We determined whether DoD Components assigned responsibilities for counterintelligence (CI) support and managed the Integrated Management Group to protect defense critical infrastructure.
The Department of Homeland Security defines critical infrastructure as “essential services that underpin American society,” such as energy systems, banking and finance systems, chemical facilities, the DoD Information Network, and nuclear power systems. Critical infrastructure is defined as assets so vital that their exploitation, incapacitation, or destruction would have a debilitating effect on national security, the U.S. economy, public health or safety, or any combination thereof. According to Homeland Security Presidential Directive (HSPD)-7, although it is not possible to eliminate all vulnerabilities to critical infrastructure and key resources throughout the country, improvements in security can mitigate, neutralize, or prevent the impact of adversarial attacks on critical infrastructure. HSPD-7 required Federal departments and agencies to identify, prioritize, and coordinate the protection of critical infrastructure and key resources in order to prevent, deter, and mitigate the effects of deliberate efforts to destroy, incapacitate, or exploit them. Presidential Policy Directive (PPD)-21 superseded HSPD-7 and requires the DoD to continue efforts to meet requirements established by HSPD-7.
The DoD issued DoD Directive 3020.40, “Defense Critical Infrastructure Program,” August 19, 2005, implementing DoD support to critical infrastructure through the Defense Critical Infrastructure Program (DCIP), a DoD risk management program that sought to ensure the availability of networked assets—interconnected assets that rely on each other to provide a service—critical to DoD missions.
DoD Directive 3020.40 first introduced the concept of defense infrastructure sector lead agents (DISLAs), who were responsible for the identification, prioritization, and protection of essential DoD services and infrastructure within 10 defined infrastructure sectors, such as space, transportation, and intelligence.
In 2016, the DoD updated DoD Directive 3020.40 and changed DCIP to a line of effort under the Mission Assurance Program. According to DoD Directive 3020.40, the mission assurance program is designed to sustain programming, resources, functions, and activities supporting responsibilities formerly under DCIP. DoD Directive 3020.40 states that mission assurance is the DoD-wide process to identify, assess, manage, and monitor the risks to strategic missions. However, the 2016 DoD Directive 3020.40 does not reference requirements for DoD sectors or DISLAs.
In addition, DoD Instruction 5240.19, “Counterintelligence Support to the Defense Critical Infrastructure Program (DCIP),” January 21, 2014, requires DoD CI components to assign CI support to the DoD sectors and their corresponding DISLAs within the purview of previously established Defense sectors of responsibility. DoD Instruction 5240.19 requires that CI activities be conducted in accordance with DoD Directive 3020.40 and DoD Directive 5243.01, “Under Secretary of Defense for Intelligence (USD[I]),” October 24, 2014, and that CI organizations provide comprehensive and timely reporting of foreign intelligence entity threats, incidents, events, and trends to essential DoD services and infrastructure and the DoD Components.
USD(I) did not assign responsibilities for CI coverage of critical assets and facilities previously managed by DISLAs. This occurred because, although DISLA positions were eliminated by DoD Directive 3020.40 in 2016, USD(I) has not yet updated DoD Instruction 5240.19 to assign CI responsibilities that were previously aligned to support DISLAs and their corresponding sectors. As a result, DoD CI support provided through efforts such as threat awareness briefings, CI inquiries, and support to the DoD foreign visitors program may not consistently identify CI threats to essential DoD services and infrastructure. Without current and clear guidance, it is difficult for DoD Components to provide consistent and comprehensive CI support to essential DoD services and infrastructure.
In addition, from 2015 to 2018, the Defense Intelligence Agency (DIA) did not manage the Integrated Management Group to support CI functional management and integration of CI support, as required by DoD Instruction 5240.19. According to DIA officials, this occurred because attempts to reinvigorate the Integrated Management Group were hampered by limited personnel. As a result, the DoD may not be adequately integrating and coordinating CI support for essential DoD services and infrastructure, which could result in duplicative CI efforts or insufficient CI coverage to these assets.
We recommend that the Director for Defense Intelligence (Intelligence and Security), Office of the Under Secretary of Defense for Intelligence, revise all applicable DoD policies to ensure the protection of essential DoD services and infrastructure.
We recommend that the Director of the Office of Community Coordination, Defense Intelligence Agency, reestablish and appoint a chair and deputy chair to the Defense Critical Infrastructure Line of Effort Integrated Management Group as required by DoD Instruction 5240.19, to enhance counterintelligence functional management and integration of counterintelligence support to the essential DoD services and infrastructure line of effort.
Management Comments and Our Response
The Director for Defense Intelligence (Intelligence and Security), Office of the Under Secretary of Defense for Intelligence, agreed with the recommendation, stating that DoD counterintelligence policy will be rewritten by April 2020 to reflect the changes to DoD Directive 3020.40 and DoD Instruction 3020.45, to ensure that counterintelligence responsibilities are aligned to critical asset owners. We consider this recommendation resolved but open. We will close this recommendation once we receive and review the updated policy.
Management comments received from the Director of the Office of Community Coordination, Defense Intelligence Agency, agreed with the recommendation, stating that an Integrated Management Group chair was appointed in August 2018, and that a volunteer from the Integrated Management Group members will be requested to serve as the deputy chair during the March 28, 2019, Integrated Management Group meeting. Therefore, the recommendation is resolved but will remain open until we receive appointment letters for the Integrated Management Group chair and deputy chair, along with Integrated Management Group meeting minutes.
This report is a result of Project No. D2018-DISPA2-0096.000.