Free Response to Motion - District Court of Federal Claims - federal


File Size: 945.0 kB
Pages: 35
Date: June 21, 2007
File Format: PDF
State: federal
Category: District
Author: unknown
Word Count: 4,488 Words, 28,439 Characters
Page Size: Letter (8 1/2" x 11")
URL: https://www.findforms.com/pdf_files/cofc/21904/19-10.pdf

Case 1:06-cv-00945-FMA   Document 19-10   Filed 06/21/2007   Page 1 of 35

Exhibit 31


IN THE UNITED STATES COURT OF FEDERAL CLAIMS

NAVAJO NATION, f.k.a. NAVAJO TRIBE OF INDIANS,
Plaintiff,

v.

UNITED STATES,
Defendant.

Case No. 1:06-cv-00945-L
Judge Francis Allegra

DECLARATION OF Lawrence K. Ruffin

I, Lawrence K. Ruffin, as Chief Information Security Officer (CISO), Cyber Security Division, Office of the Chief Information Officer, Department of the Interior (Interior), pursuant to 28 U.S.C. § 1746 do hereby declare and state:
1. I have held the position of Chief Information Security Officer (CISO) in the Office of the Chief Information Officer (OCIO) since April 30, 2006. I previously was the Deputy CISO, beginning May 15, 2005. I currently hold both the Certified Information Systems Security Professional (CISSP) and Certification and Accreditation Professional (CAP) certifications from the International Information Systems Security Certification Consortium (ISC). I have held a variety of computer security-related positions with the Federal Government over the past 24 years.
2. In my current position at OCIO, I am responsible for providing management and leadership for the Cyber Security Division (CSD) within the Office of the Chief Information Officer (CIO). I serve as the CIO's management advisor and senior consultant regarding development, publication, and implementation of Departmental information technology security policies, standards and guidance, as well as coordination of all aspects of the Department's information security protection program, which directly supports all of DOI's information assurance objectives.

3. I am aware of the litigation filed by the Navajo Nation against the United States on December 29, 2007, Navajo Nation f.k.a. Navajo Tribe of Indians v. United States of America, No. 06-945L (C.F.C.), and I have reviewed the Plaintiff's motion for the entry of a record retention order in this case and proposed order.
4. Interior is a large, decentralized agency with over 73,000 employees and 180,000 volunteers located at approximately 2,400 operating locations across the United States, Puerto Rico, U.S. territories, and elsewhere. As of the end of the Third Quarter of the FY2007 FISMA reporting cycle, the CIO had identified 164 certified and accredited information systems, including Major Applications (MAs) and General Support Systems (GSSs), and 11 contractor systems, all of which support Interior's various programs and missions, including but not limited to National Critical Infrastructure, Indian Trust, Financial Management and Law Enforcement. The 175 information systems represent, in aggregate, approximately 75,000 end-user workstations; 6,500 servers using a variety of operating systems (i.e., hosting applications and databases); 1,500 networking devices (i.e., routers/switches); and 560 databases.


5. Enterprise risks are defined as known vulnerabilities and/or weaknesses in an information system. Vulnerabilities in information systems are types of weaknesses that may exist within a security program or IT environment. Enterprise risks are identified in IT security programs or information systems with the goal of reducing those risks to a level commensurate with the risks to information and information systems and their associated confidentiality, integrity, and availability objectives and security requirements. Interior accomplishes enterprise risk management through Certification and Accreditation (C&A) of its information systems and implementation of Plan of Actions and Milestones (POA&M) processes, as prescribed for all federal agencies by the Federal Information Security Management Act (FISMA), 44 U.S.C. § 35, and by adhering to OMB requirements and National Institute of Standards and Technology (NIST) standards.
6. In 2002, FISMA was enacted to provide a comprehensive framework to secure the federal government's information and IT resources. FISMA requires federal agencies to implement security programs that protect information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction. Specifically, FISMA requires that agencies are equipped with security programs and other mechanisms to identify and assess risks and implement policies and procedures to reduce those risks, test and evaluate security controls, plan for continuity of operations, maintain subordinate plans for providing information security, plan for security throughout the life cycle of information systems, plan corrective actions, train employees and contractors, and detect, report, and respond to security incidents.


7. FISMA and the Office of Management and Budget (OMB) require that agencies adhere to the NIST standards and guidelines relating to IT security issued in the form of Special Publications (SPs) or Federal Information Processing Standard Publications (FIPS PUBS). NIST articulates, through a variety of standards, a Risk Management Framework by which agencies are expected to implement IT security programs that address and implement those standards, including, but not limited to, C&A programs, processes, and procedures through which agencies identify and implement appropriate security controls based on the potential risk impact to information and information systems and to reduce vulnerabilities and weaknesses to a level commensurate with those risks. The NIST standards recognize that it is not feasible to eliminate all risks to information or information systems, and do not require that agencies do so. The NIST standards require, however, that any known risks be sufficiently documented, understood, and managed efficiently and effectively.

8. FISMA also requires Inspectors General (IGs) to carry out annual independent evaluations of their agency's IT security programs. IG evaluations must include testing of management, as well as operational and technical controls of a representative subset of all information systems as specified in NIST pursuant to the evaluation criteria specified in NIST SP 800-53A, and through other forms of security evaluations and tests. In addition, the evaluation must include an assessment of the agency's compliance with FISMA.
9. In addition to the annual internal control reviews (ICRs) and security testing and evaluation (ST&E) conducted as part of the C&A processes once every three years, or sooner in the event of a major change to a system, enterprise risks are identified by Interior through routine vulnerability scanning. Interior requires system owners¹ to create corrective action plans (using POA&Ms as described in ¶ 12) for identified weaknesses requiring further action to correct or mitigate associated risks. Formal acceptance of all remaining risks that are not considered to be "negligible" or non-significant must be made by a senior level management official who is a Designated Approval Authority (DAA). Those risks must be eliminated or reduced to a level acceptable to the DAA.² Newly identified POA&M weaknesses are analyzed as to the seriousness, the time to mitigate, the resources available and the need to keep the system running even with the vulnerability unmitigated or unremediated.
10. As part of identifying its enterprise risks, Interior issued OCIO Directive 2006-008 directing all bureaus and offices to adhere to particular NIST and FIPS Pubs standards in performing C&A for all information systems. C&A is the process by which Interior identifies the information types within an information system and documents those types within the system security plan; selects and implements appropriate security controls; assesses security controls for proper implementation and effectiveness; receives authorization to operate (ATO) by a DAA following the DAA's determination of risk to Interior's organizational operations; and periodically assesses selected security controls.

¹ A system owner, of which there are multiple individuals within each bureau at Interior, is an agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.

² The authority to be a DAA has been delegated to the Inspector General, the Solicitor, the Special Trustee for the American Indians, the Assistant Secretary of Policy, Management and Budget, the Assistant Secretary for Fish and Wildlife and Parks, the Assistant Secretary of Indian Affairs, the Assistant Secretary of Land and Minerals Management, and the Assistant Secretary of Water and Science. Such delegated authority may also be further delegated to the corresponding Deputy Assistant Secretaries and/or heads of bureaus/offices. See Secretarial Order 3255, Amendment No. 1 (attached hereto as Exhibit 1).

11. Once a weakness is identified, it is assessed by Interior as a "low," "moderate," or "high" risk following standard risk assessment methodologies specified by NIST for all federal agencies. Risk level determinations for vulnerabilities in information systems are made by considering compensating and/or mitigating controls, the existence of recognized threat sources and their respective motivations, the likelihood of a threat source to exploit a given vulnerability or weakness, and the potential impact to the information or information system. Examples of "high" risk weaknesses to an information system include unauthorized access to an information system, issues with physical environment, virus detection, particular patches being out of date, and insufficient technical support availability. Examples of "moderate" risk weaknesses include having passwords that fail to expire, passwords that are not changed at least every ninety days, and particular patches being out of date. Finally, examples of "low" risk weaknesses are when applications do not lock out users after 15 minutes of nonuse, building plumbing lines endanger systems, and failure to ensure that training occurs.
12. In my opinion, and based on my experience working in various related capacities for other agencies, the volume and types of weaknesses being tracked through Interior's POA&M process are similar to those of any other organization having a comparable size, scope, and complexity to Interior's IT environment (e.g., 175 C&A systems; and approximately 75,000 end-user workstations, 6,500 servers, 1,500 networking devices, and 560 databases). An information system with a "high" risk weakness is typically allowed to continue to operate, but a corrective action plan must be put in place as soon as possible to eliminate or reduce the risk to an acceptable level. For information systems with "moderate" risk weaknesses, corrective actions are needed and a plan must be developed to incorporate these actions within a reasonable period of time. For information systems with "low" risk weaknesses, the DAA must determine whether corrective actions are still required or decide to accept the risk. Of the weaknesses identified in the first three quarters of OMB/FISMA's 2007 reporting cycle, approximately 20% were determined to be of high risk.

13. Software vendors continuously identify and rectify vulnerabilities in their software and provide security patches to Interior, which Interior applies to all of its computers on a regular and on an as-needed basis, prioritized based on the criticality of each vulnerability. In addition, Interior monitors continuously for additional vulnerabilities through frequent use of vulnerability scanners and by routinely rescanning the systems to identify those vulnerabilities requiring additional security patching. New weaknesses reported on POA&Ms reflect the results achieved from Interior's continuous monitoring processes. As new weaknesses are discovered, Interior constantly must reprioritize planned corrective actions based on risk levels and available resources (i.e., staff and budgetary). This does not imply, however, that all "high" risks are necessarily corrected before any "moderate" or "low" risk weaknesses, as the time required to implement corrective actions varies depending on the complexities involved.


14. Since FY05 Q3, on average, Interior is mitigating/correcting and closing approximately 2~ percent of existing open POA&M weaknesses from the start of each quarter. However, over that same period, Interior identified 31 percent new POA&M weaknesses as compared to existing open POA&M weaknesses over previous quarters (Figure 1). Several factors account for the apparent increase in identified weaknesses, including, but not limited to, increased security control requirements and evaluation criteria; varying levels of regulatory oversight; increased rigor in ST&Es during C&As; and re-certification and re-accreditation activities. The continuing numbers of newly identified vulnerabilities and weaknesses discovered and reported in POA&Ms are a testament to the continuous monitoring and significant work being performed by both the OIG and Interior's bureaus and offices in performing routine and increasingly more robust security testing, evaluations, and assessments of the effectiveness of management, operational, and technical security controls associated with IT security programs and information systems. Through these processes, it is Interior's goal to proactively identify as many weaknesses as possible for the purpose of eliminating and/or mitigating those risks to an acceptable level even before they have any negative impact on Interior's information or information systems.


[Figure 1 - POA&M Weakness Trending Analysis: chart of POA&M weaknesses by quarter; series: New, Open, Completed]
15. In fulfilling their oversight responsibilities, agency inspectors general (IGs) are required to evaluate agency compliance with FISMA and submit their reports to OMB annually. Interior's Office of the Inspector General (OIG) FY2006 FISMA Report (Report No. NSM-EV-OIG-0002-2006) issued in September 2006 indicated that "DOI has made good progress in improving its system inventory, Plans of Actions and Milestones (POA&M), and ensuring security requirements are included in its contracts." In addition, the report cited Interior as making substantial progress in the area of incident response, which includes remediation. The report (Figure 2) identifies a number of IT security program improvements made by Interior. For example, Interior's POA&M process has improved, and bureaus have made significant strides to implement Interior's guidance regarding identifying and mitigating enterprise risks. The OIG's report further affirms that Interior initiated a number of efforts during FY06. While many of the expected improvements were not expected to be realized until fiscal year 2007, because the re-certification and re-accreditation of systems and institutionalization of other related policy and process improvements are not scheduled to be completed until the end of FY2007, Interior is nevertheless already realizing benefits from its enterprise risk management processes. I understand that the OIG expects to complete the FY07 annual FISMA evaluation report by late September or early October 2007.
[Figure 2 - OIG FY2006 FISMA Report: chart of FISMA key areas, FY2005 compared with FY2006]

16. On February 27, 2006, Interior issued OCIO Directive 2006-007 to further improve risk management practices. The directive included a robust POA&M process standard for reporting and managing remediation activities for vulnerabilities and weaknesses associated with information systems and risks associated with security of information. To ensure weaknesses are not prematurely closed prior to their satisfactory resolution, the process standard requires evidence of completion of corrective actions to be maintained and certifications of completion signed by responsible staff with concurrence from responsible senior management officials. Additionally, as noted earlier, Interior issued OCIO Directive 2006-008 on March 14, 2006 requiring bureaus and offices to implement the most current NIST IT security standards, i.e., NIST 800-53A, in their execution of Interior's C&A processes. In FY2006, Interior was an early adopter of the draft NIST SP 800-53A evaluation criteria, and issued OCIO Directive 2006-005 on January 31, 2006, ahead of NIST's final release. The Directive revised annual ICR guidance and incorporated evaluation criteria aligned with the NIST SP 800-53 families of security controls. These Directives apply to all of Interior's 175 information systems.

17. Interior has undertaken a number of major initiatives to modernize and consolidate its IT infrastructure, particularly in the areas of financial management and networking. These efforts are not just aimed at enhancing service delivery to the public, improving IT efficiencies, and eliminating costly redundancies, but also at enhancing the overall security of Interior's information and information systems. For example, Interior has implemented a web blocking capability to minimize potential risks associated with internal users downloading and installing malicious code from the internet. Additionally, projects like the Enterprise Services Network (ESN), which was implemented in 2005, have contributed to Interior's ability to move itself towards the centralization needed to provide greater security, improved efficiency, and cost savings. ESN is Interior's wide area network (WAN) and provides interconnectivity and Internet connectivity for many of Interior's bureaus and offices. Through ESN, Interior has consolidated multiple Internet gateways, previously implemented by each bureau and/or office, into a single gateway centrally managed by the Department. This has resulted in an increased hardening of Interior's Internet-facing perimeter network against potential threats. This hardening is accomplished through implementation of a standardized and robust security architecture, deployment of security infrastructure protection devices, and consistent implementation of security configuration standards on ESN managed devices. ESN also contributes to an overall defense-in-depth strategy providing multiple layers of security controls aiding in the protection of bureau and office information systems and resources. As recognized by the OIG, migrating to ESN has made Interior's bureaus and offices appreciably more secure as compared to when they were independently connected to the Internet.

18. In addition to securing systems through the enterprise risk management processes and C&A process, Interior deploys a variety of incident detection and prevention technologies as part of a defense-in-depth strategy to monitor, detect, protect, and respond to potential incidents resulting from intruder attempts. These Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS) are strategically positioned in various locations by bureaus and offices within their network infrastructures. Interior has also positioned a robust IDS/IPS architecture at the perimeter of Interior's ESN that provides the Wide-Area Network (WAN) that connects some of Interior's bureaus/offices to the Internet. IDS and IPS sensors are configured to monitor network traffic in real-time to detect known attack signatures and alert security personnel as part of Interior's incident monitoring, detection, and response processes. IPS sensors are also capable of proactively blocking and preventing potentially malicious network traffic without manual intervention. Interior's application and database servers and other networking devices are configured to automatically log security events. Other security devices automatically monitor those security event logs and alert security administrators about potential attacks, system compromises, system misuse, and other types of related incidents. Potential incidents requiring further analysis and investigation are reported by bureaus and offices through the DOI-CIRC (Computer Incident Response and Coordination) Center to the US-CERT and/or Interior's OIG Cyber Crimes Investigation Unit following Standard Operating Procedures (SOP) established by those organizations. These incident response capabilities are an integral component of Interior's continuous monitoring processes and, as indicated in the 2006 OIG report, Interior has also demonstrated significant improvements in this area.

[signature]
Lawrence K. Ruffin
Chief Information Security Officer
Cyber Security Division, Office of the Chief Information Officer

Executed this __st day of June, 2007


THE SECRETARY OF THE INTERIOR
WASHINGTON

ORDER NO. 3255, Amendment No. 1 (Amended material italicized)
SIGNATURE DATE: August 31, 2006

Subject: Delegation of Authority for Certification and Accreditation of Information Technology Systems

Sec. 1 Purpose. The purpose of this Order is to delegate authority to bureaus and offices to carry out the necessary activities required for information technology (IT) system security certification and accreditation (C & A), including signing the accreditation decision letter accepting the residual risk to the bureau or office. The Chief Information Officer (CIO) was previously designated the Designated Approving Authority (DAA). This Order extends the DAA authority to bureaus and offices.

Sec. 2 Authority. This Order is issued in accordance with the authority provided by Section 2 of Reorganization Plan No. 3 of 1950 (64 Stat. 1262), as amended, and the Clinger-Cohen Act of 1996.

Sec. 3 Delegation of Authority. The authority to carry out the responsibilities of the DAA is hereby delegated to the Inspector General, the Solicitor, and the Special Trustee for American Indians. This authority is also delegated to the Assistant Secretary - Policy, Management and Budget, the Assistant Secretary for Fish and Wildlife and Parks, the Assistant Secretary - Indian Affairs, the Assistant Secretary - Land and Minerals Management, and the Assistant Secretary - Water and Science.

Sec. 4 Limitations. The authority delegated to the Assistant Secretary - Policy, Management and Budget, the Assistant Secretary for Fish and Wildlife and Parks, the Assistant Secretary - Indian Affairs, the Assistant Secretary - Land and Minerals Management, and the Assistant Secretary - Water and Science may be further delegated to Deputy Assistant Secretaries and/or heads of bureaus/offices. This authority may not be further delegated.

Sec. 5 Responsibilities.

a. The DAA responsibilities include: planning and funding of certification and accreditation activities; acceptance of security plans; signing bureau or office accreditation documents; granting full accreditation to bureau or office IT systems based on an acceptable level of risk and denying accreditation because risks to an IT system are not acceptable.

b. The CIO will continue to be responsible for overall management of the Department's IT resources and IT security programs.

Sec. 6 Expiration Date. This Order is effective immediately. It will remain in effect until its provisions are converted to the Departmental Manual or until it is amended, superseded, or revoked, whichever occurs first. In the absence of any of the foregoing actions, the provisions of this Order will expire and be considered obsolete on August 31, 2007.

/s/ DIRK KEMPTHORNE
Secretary of the Interior

SO#3255A1 8/31/06 Replaces SO#3255 6/30/04

Exhibit 32
