Case 1:06-cv-00945-FMA
Document 19-10
Filed 06/21/2007
Page 1 of 35
Exhibit 31
IN THE UNITED STATES COURT OF FEDERAL CLAIMS
NAVAJO NATION, f.k.a. NAVAJO TRIBE OF INDIANS,
Plaintiff,
v.
UNITED STATES,
Defendant.
Case No. 1:06-cv-00945-L
Judge Francis Allegra
DECLARATION OF Lawrence K. Ruffin
I, Lawrence K. Ruffin, as Chief Information Security Officer (CISO), Cyber
Security Division, Office of the Chief Information Officer, Department of the Interior
(Interior), pursuant to 28 U.S.C. § 1746 do hereby declare and state:
1. I have held the position of Chief Information Security Officer (CISO) in the Office
of the Chief Information Officer (OCIO) since April 30, 2006. I previously was the
Deputy CISO, beginning May 15, 2005. I currently hold both the Certified Information
Systems Security Professional (CISSP) and Certification and Accreditation Professional
(CAP) certifications from the International Information Systems Security Certification
Consortium (ISC). I have held a variety of computer security-related positions with the
Federal Government over the past 24 years.
2. In my current position at OCIO, I am responsible for providing
management and leadership for the Cyber Security Division (CSD) within the Office of
the Chief Information Officer (CIO). I serve as the CIO's management advisor and
senior consultant regarding development, publication, and implementation of
Departmental information technology security policies, standards and guidance, as well
as coordination of all aspects of the Department's information security protection
program, which directly supports all of DOI's information assurance objectives.
3. I am aware of the litigation filed by the Navajo Nation against the United
States on December 29, 2007, Navajo Nation f.k.a. Navajo Tribe of Indians v. United
States of America, No. 06-945L (C.F.C.), and I have reviewed the Plaintiff's motion for
the entry of a record retention order in this case and proposed order.
4. Interior is a large, decentralized agency with over 73,000 employees and
180,000 volunteers located at approximately 2,400 operating locations across the
United States, Puerto Rico, U.S. territories, and elsewhere. As of the end of the Third
Quarter of the FY2007 FISMA reporting cycle, the CIO had identified 164 certified and
accredited information systems, including Major Applications (MAs) and General
Support Systems (GSSs), and 11 contractor systems, all of which support Interior's
various programs and missions, including but not limited to National Critical
Infrastructure, Indian Trust, Financial Management and Law Enforcement. The 175
information systems represent, in aggregate, approximately 75,000 end-user
workstations; 6,500 servers using a variety of operating systems (i.e., hosting
applications and databases), 1,500 networking devices (i.e., routers/switches), and 560
databases.
5. Enterprise risks are defined as known vulnerabilities and/or weaknesses in
an information system. Vulnerabilities in information systems are types of weaknesses
that may exist within a security program or IT environment. Enterprise risks are
identified in IT security programs or information systems with the goal of reducing those
risks to a level commensurate with the risks to information and information systems and
their associated confidentiality, integrity, and availability objectives and security
requirements. Interior accomplishes enterprise risk management through Certification
and Accreditation (C&A) of its information systems and implementation of Plan of
Actions and Milestones (POA&M) processes, as prescribed for all federal agencies by
the Federal Information Security Management Act (FISMA), 44 U.S.C. § 35, and by
adhering to OMB requirements and National Institute of Standards and Technology
(NIST) standards.
6. In 2002, FISMA was enacted to provide a comprehensive framework to
secure federal government's information and IT resources. FISMA requires federal
agencies to implement security programs that protect information and information
systems from unauthorized access, use, disclosure, disruption, modification, or
destruction. Specifically, FISMA requires that agencies are equipped with security
programs and other mechanisms to identify and assess risks and implement policies
and procedures to reduce those risks, test and evaluate security controls, plan for
continuity of operations, maintain subordinate plans for providing information security,
plan for security throughout the life cycle of information systems, plan corrective actions,
train employees and contractors, and detect, report, and respond to security incidents.
7. FISMA and the Office of Management and Budget (OMB) require that
agencies adhere to the NIST standards and guidelines relating to IT security issued in
the form of Special Publications (SPs) or Federal Information Processing Standard
Publications (FIPS PUBS). NIST articulates, through a variety of standards, a Risk
Management Framework by which agencies are expected to implement IT security
programs that address and implement those standards, including, but not limited to,
C&A programs, processes, and procedures through which agencies identify and
implement appropriate security controls based on the potential risk impact to information
and information systems and to reduce vulnerabilities and weaknesses to a level
commensurate with those risks. The NIST standards recognize that it is not feasible to
eliminate all risks to information or information systems, and does not require that
agencies do so. The NIST standards require, however, that any known risks be
sufficiently documented, understood, and managed efficiently and effectively.
8. FISMA also requires Inspector Generals (IGs) to carry out annual
independent evaluations of their agency's IT security programs. IG evaluations must
include testing of management, as well as operational and technical controls of a
representative subset of all information systems as specified in NIST pursuant to the
evaluation criteria specified in NIST SP 800-53A, and through other forms of security
evaluations and tests. In addition, the evaluation must include an assessment of the
agency's compliance with FISMA.
9. In addition to the annual internal control reviews (ICRs) and security
testing and evaluation (ST&E) conducted as part of the C&A processes once every
three years, or sooner in the event of a major change to a system, enterprise risks are
identified by Interior through routine vulnerability scanning. Interior requires system
owners¹ to create corrective action plans (using POA&Ms as described in ¶ 12) for
identified weaknesses requiring further action to correct or mitigate associated risks.
Formal acceptance of all remaining risks that are not considered to be "negligible" or
non significant must be made by a senior level management official who is a
Designated Approval Authority (DAA). Those risks must be eliminated or reduced to a
level acceptable to the DAA.² Newly identified POA&M weaknesses are analyzed as to
the seriousness, the time to mitigate, the resources available and the need to keep the
system running even with the vulnerability unmitigated or unremediated.
10. As part of identifying its enterprise risks, Interior issued OCIO Directive
2006-008 directing all bureaus and offices to adhere to particular NIST and FIPS Pubs
standards in performing C&A for all information systems. C&A is the process by which
Interior identifies the information types within an information system and documents
those types within the system security plan; selects and implements appropriate
security controls; assesses security controls for proper implementation and
effectiveness; receives authorization to operate (ATO) by a DAA following the DAA's
determination of risk to Interior's organizational operations; and periodically assesses
selected security controls.
¹ A system owner, of which there are multiple individuals within each bureau at Interior, is an agency
official responsible for the overall procurement, development, integration, modification, or operation and
maintenance of an information system.
² The authority to be a DAA has been delegated to the Inspector General, the Solicitor, the Special
Trustee for the American Indians, Assistant Secretary of Policy, Management and Budget, the Assistant
Secretary for Fish and Wildlife and Park, the Assistant Secretary of Indian Affairs, the Assistant Secretary
of Land and Minerals Management, and the Assistant Secretary of Water and Science. Such authority
may also be further delegated to the corresponding Deputy Assistant Secretaries and/or heads of
bureaus/offices. See Secretarial Order 3255, Amendment No. 1 (attached hereto as Exhibit 1).
11. Once a weakness is identified, it is assessed by Interior as a "low,"
"moderate," or "high" risk following standard risk assessment methodologies specified
by NIST for all federal agencies. Risk level determinations for vulnerabilities in
information systems are determined by considering compensating and/or mitigating
controls, the existence of recognized threat sources and their respective motivations,
the likelihood of a threat source to exploit a given vulnerability or weakness, and the
potential impact to the information or information system. Examples of "high" risk
weaknesses to an information system include unauthorized access to an information
system, issues with physical environment, virus detection, particular patches being out
of date, and insufficient technical support availability. Examples of "moderate" risk
weaknesses include having passwords that fail to expire, passwords are not changed at
least every ninety days, and particular patches being out of date. Finally, examples of
"low" risk weaknesses are when applications do not lock out user after 15 minutes
nonuse, building plumbing lines endanger system, and failure to ensure that training occurs.
12. In my opinion, and based on my experience working in various related
capacities for other agencies, the volume and types of weaknesses being tracked
through Interior's POA&M process are similar to that of any other organization having a
comparable size, scope, and complexity to Interior's IT environment (e.g., 175 C&A
systems; and approximately 75,000 end-user workstations, 6,500 servers, 1,500
networking devices, and 560 databases). An information system with a "high" risk
weakness is typically allowed to continue to operate, but a corrective action plan must
be put in place as soon as possible to eliminate or reduce the risk to an acceptable
level. For information systems with "moderate" risk weaknesses, corrective actions are
needed and a plan must be developed to incorporate these actions within a reasonable
period of time. For information systems with "low" risk weaknesses, the DAA must
determine whether corrective actions are still required or decide to accept the risk. Of
the weaknesses identified in the first three quarters of OMB/FISMA's 2007 reporting
cycle, approximately 20% were determined to be of high risk.
13. Software vendors continuously identify and rectify vulnerabilities in their
software and provide security patches to Interior, which Interior applies to all of its
computers on a regular and on an as-needed basis, prioritized based on the criticality of
each vulnerability. In addition, Interior monitors continuously for additional
vulnerabilities through frequent use of vulnerability scanners and by routinely
rescanning the systems to identify those vulnerabilities requiring additional security
patching. New weaknesses reported on POA&Ms reflect the results achieved from
Interior's continuous monitoring processes. As new weaknesses are discovered,
Interior constantly must reprioritize planned corrective actions based on risk levels and
available resources (i.e., staff and budgetary). This does not imply, however, that all
"high" risks are necessarily corrected before any "moderate" or "low" risk weaknesses,
as the time required to implement corrective actions vary depending on complexities
involved.
14. Since FY05 Q3, on average, Interior is mitigating/correcting and closing
approximately 2~ percent of existing open POA&M weaknesses from the start of each
quarter. However, over that same period, Interior identified 31 percent new POA&M
weaknesses as compared to existing open POA&M weaknesses over previous quarters
(Figure 1). Several factors account for the apparent increase in identified weaknesses,
including, but not limited to, increased security control requirements and evaluation
criteria; varying levels of regulatory oversight; increased rigor in ST&Es during C&As;
and re-certification and re-accreditation activities. The continuing numbers of newly
identified vulnerabilities and weaknesses discovered and reported in POA&Ms are a
testament to the continuous monitoring and significant work being performed by both
the OIG and Interior's bureaus and offices in performing routine and increasingly more
robust security testing, evaluations, and assessments of the effectiveness of
management, operational, and technical security controls associated with IT security
programs and information systems. Through these processes, it is Interior's goal to
proactively identify as many weaknesses as possible for the purpose of eliminating
and/or mitigating those risks to an acceptable level even before they have any negative
impact on Interior's information or information systems.
[Figure 1 - POA&M Weakness Trending Analysis: chart titled "POA&M Weaknesses" with series New, Open, and Completed]
15. In fulfilling their oversight responsibilities, agency inspector generals (IGs)
are required to evaluate agency compliance with FISMA and submit their reports to
OMB annually. Interior's Office of the Inspector General (OIG) FY2006 FISMA Report
(Report No. NSM-EV-OIG-0002-2006) issued in September 2006 indicated that "DOI
has made good progress in improving its system inventory, Plans of Actions and
Milestones (POA&M), and ensuring security requirements are included in it contracts."
In addition, the report cited Interior as making substantial progress in the area of
incident response, which includes remediation. The report (Figure 2) identifies a
number of IT security program improvements made by Interior. For example, Interior's
POA&M process has improved, bureaus have made significant strides to implement
Interior's guidance, regarding identifying and mitigating enterprise risks. The OIG's
report further affirms that Interior initiated a number of efforts during FYOS. While many
of the expected improvements were not expected to be realized until fiscal year 2007,
because the re-certification and re-accreditation of systems and institutionalization of
other related policy and process improvements are not scheduled to be completed until
the end of FY2007, Interior is nevertheless already realizing benefits from its enterprise
risk management processes. I understand that the OIG expects to complete the FY07
annual FISMA evaluation report by late September or early October 2007.
[Figure 2 - OIG FY2006 FISMA Report: chart of FISMA key areas]
16. On February 27, 2006, Interior issued OCIO Directive 2006-007 to further
improve risk management practices. The directive included a robust POA&M process
standard for reporting and managing remediation activities for vulnerabilities and
weaknesses associated with information systems and risks associated with security of
information. To ensure weaknesses are not prematurely closed prior to their
satisfactory resolution, the process standard requires evidence of completion of
corrective actions to be maintained and certifications of completion signed by
responsible staff with concurrence from responsible senior management officials.
Additionally, as noted earlier, Interior issued OCIO Directive 2006-008 on March 14,
2006 requiring bureaus and offices to implement the most current NIST IT security
standards, i.e., NIST 800-53A, in their execution of Interior's C&A processes. In
FY2006, Interior was an early adopter of the draft NIST SP 800-53A evaluation criteria,
and issued OCIO Directive 2006-005 on January 31, 2006, ahead of NIST's final
release. The Directive revised annual ICR guidance and incorporated evaluation
criteria aligned with the NIST SP 800-53 families of security controls. These Directives
apply to all of Interior's 175 information systems.
17. Interior has undertaken a number of major initiatives to modernize and
consolidate its IT infrastructure, particularly in the areas of financial management and
networking. These efforts are not just aimed at enhancing service delivery to the public,
improving IT efficiencies, and eliminating costly redundancies, but also to enhance the
overall security of Interior's information and information systems. For example, Interior
has implemented a web blocking capability to minimize potential risks associated with
internal users downloading and installing malicious code from the internet. Additionally,
projects like the Enterprise Services Network (ESN), which was implemented in 2005,
have contributed to Interior's ability to move itself towards the centralization needed to
provide greater security, improved efficiency, and cost savings. ESN is Interior's wide
area network (WAN) and provides interconnectivity and Internet connectivity for many of
Interior's bureaus and offices. Through ESN, Interior has consolidated multiple Internet
gateways, previously implemented by each bureau and/or office, into a single gateway
centrally managed by the Department. This has resulted in an increased hardening of
Interior's Internet-facing perimeter network against potential threats. This hardening is
accomplished through implementation of a standardized and robust security
architecture, deployment of security infrastructure protection devices, and consistent
implementation of security configuration standards on ESN managed devices. ESN
also contributes to an overall defense-in-depth strategy providing multiple layers of
security controls aiding in the protection of bureau and office information systems and
resources. As recognized by the OIG, migrating to ESN has made Interior's bureaus
and offices appreciably more secure as compared to when they were independently
connected to the Internet.
18. In addition to securing systems through the enterprise risk management
processes and C&A process, Interior deploys a variety of incident detection and
prevention technologies as part of a defense-in-depth strategy to monitor, detect,
protect, and respond to potential incidents resulting from intruder attempts. These
Intrusion Detection Systems and Intrusion Prevention Systems (IDS/IPS) are
strategically positioned in various locations by bureaus and offices within their network
infrastructures. Interior has also positioned a robust IDS/IPS architecture at the
perimeter of Interior's ESN that provides the Wide-Area Network (WAN) that connects
some of Interior's bureaus/offices to the Internet. IDS and IPS sensors are configured
to monitor network traffic in real-time to detect known attack signatures and alert
security personnel as part of Interior's incident monitoring, detection, and response
processes. IPS sensors are also capable of proactively blocking and preventing
potentially malicious network traffic without manual intervention. Interior's application
and database servers and other networking devices are configured to automatically log
security events. Other security devices automatically monitor those security event logs
and alert security administrators about potential attacks, system compromises, system
misuse, and other types of related incidents. Potential incidents requiring further
analysis and investigation are reported by bureaus and offices through the DOI-CIRC
(Computer Incident Response and Coordination) center to the US-CERT and/or
Interior's OIG Cyber Crimes Investigation Unit following Standard Operating Procedures
(SOP) established by those organizations. These incident response capabilities are an
integral component of Interior's continuous monitoring processes and, as indicated in
the 2006 OIG report, Interior has also demonstrated significant improvements in this
area.
Lawrence K. Ruffin
Chief Information Security Officer
Cyber Security Division
Office of the Chief Information Officer
Executed this ..st day of June, 2007
THE SECRETARY OF THE INTERIOR
WASHINGTON
ORDER NO. 3255, Amendment No. 1 (Amended material italicized)
SIGNATURE DATE: August 31, 2006
Subject: Delegation of Authority for Certification and Accreditation of Information Technology Systems
Sec. 1 Purpose. The purpose of this Order is to delegate authority to bureaus and offices to carry out the necessary activities required for information technology (IT) system security certification and accreditation (C & A), including signing the accreditation decision letter accepting the residual risk to the bureau or office. The Chief Information Officer (CIO) was previously designated the Designated Approving Authority (DAA). This Order extends the DAA authority to bureaus and offices.
Sec. 2 Authority. This Order is issued in accordance with the authority provided by Section 2 of Reorganization Plan No. 3 of 1950 (64 Stat. 1262), as amended and the Clinger-Cohen Act of 1966.
Sec. 3 Delegation of Authority. The authority to carry out the responsibilities of the DAA is hereby delegated to the Inspector General, the Solicitor, and the Special Trustee for American Indians. This authority is also delegated to the Assistant Secretary - Policy, Management and Budget, the Assistant Secretary for Fish and Wildlife and Parks, the Assistant Secretary - Indian Affairs, the Assistant Secretary - Land and Minerals Management, and the Assistant Secretary - Water and Science.
Sec. 4 Limitations. The authority delegated to the Assistant Secretary - Policy, Management and Budget, the Assistant Secretary for Fish and Wildlife and Parks, the Assistant Secretary - Indian Affairs, the Assistant Secretary - Land and Minerals Management, and the Assistant Secretary - Water and Science may be further delegated to Deputy Assistant Secretaries and/or heads of bureaus/offices. This authority may not be further delegated.
Sec. 5 Responsibilities.
a. The DAA responsibilities include: planning and funding of certification and accreditation activities; acceptance of security plans; signing bureau or office accreditation documents; granting full accreditation to bureau or office IT systems based on an acceptable level of risk and denying accreditation because risks to an IT system are not acceptable.
b. The CIO will continue to be responsible for overall management of the Department's IT resources and IT security programs.
Sec. 6 Expiration Date. This Order is effective immediately. It will remain in effect until its provisions are converted to the Departmental Manual or until it is amended, superseded, or revoked, whichever occurs first. In the absence of any of the foregoing actions, the provisions of this Order will expire and be considered obsolete on August 31, 2007.
/s/ DIRK KEMPTHORNE
Secretary of the Interior
SO#3255A1 8/31/06 Replaces SO#3255 6/30/04
Exhibit 32