Homeland security/Law enforcement > 9. Vulnerability Assessments of Critical Infrastructure

The Department of Homeland Security could mitigate potential duplication or gaps by consistently capturing and maintaining data from overlapping vulnerability assessments of critical infrastructure and improving data sharing and coordination among the offices and components involved with these assessments.

Why This Area Is Important

The extensive damage and long recovery from disasters like Hurricanes Katrina and Sandy, as well as the terrorist attacks of September 11, 2001, highlight the vulnerability of critical infrastructure to various hazards.[1] Over the last several years, at least five Department of Homeland Security (DHS) offices and components have undertaken a mix of regulatory and voluntary activities to assess critical infrastructure assets and systems for vulnerabilities that could render them susceptible to threats and hazards.[2] Given the number of offices and components conducting or requiring vulnerability assessments of critical infrastructure, the potential exists for duplication or overlap between and among the various efforts. 



[1]Critical infrastructure includes assets and systems, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

[2]These five DHS offices and components include the U.S. Coast Guard, the Federal Protective Service, the Transportation Security Administration (TSA), the Infrastructure Security Compliance Division (ISCD), and the Protective Security Coordination Division (PSCD). ISCD and PSCD are both within DHS’s Office of Infrastructure Protection which leads and coordinates national programs and policies on critical infrastructure issues. According to DHS, a vulnerability assessment is a process for identifying physical features or operational attributes that render an entity, asset, system, network, or geographic area open to exploitation or susceptible to a given hazard that has the potential to harm life, information, operations, the environment, or property.

What GAO Found

In its September 2014 report, GAO found that DHS offices and components were not consistently capturing and maintaining data on their vulnerability assessment activities in a way that allows DHS to readily identify potential duplication or overlap among activities conducted. As a result, DHS is not positioned to track its activities to determine whether its assessment efforts are potentially duplicative or leave gaps among the critical infrastructure assessed. According to the National Infrastructure Protection Plan (NIPP), managing risk entails data interoperability standards to enable an efficient information exchange through defined data standards and requirements.[1] Among other things, these standards are to include a foundation for an information-sharing environment that has common data requirements.

GAO’s analysis of DHS vulnerability assessment data showed that, from October 2010 to September 2013, DHS offices and components conducted more than 5,300 assessments covering various types of assets and systems. In addition to DHS-led assessments, as many as 7,600 asset owners and operators were required to perform self-assessments to comply with security-related regulatory regimes. The table below shows the extent to which DHS offices or components conducted or required vulnerability assessments across the various sectors.

Overlap across Sectors where Department of Homeland Security (DHS) Offices and Components Conduct Vulnerability Assessments or Required Asset Owners/Operators to Conduct Vulnerability Assessments, Fiscal Years 2011-2013

Table columns (DHS office or component): Coast Guard; Federal Protective Service; Infrastructure Security Compliance Division; Protective Security Coordination Division; Transportation Security Administration.

Table rows (critical infrastructure sector): Chemical; Commercial facilities; Communications; Critical manufacturing; Dams; Emergency services; Information technology; Nuclear reactors, materials & waste; Food & agriculture; Defense industrial base; Energy; Healthcare & public health; Financial services; Water & wastewater systems; Government facilities; Transportation systems.

[Table cell markings not reproduced.]

Source: GAO analysis of DHS data. | GAO-15-404SP

The analysis of the data and information from DHS officials also showed that DHS assessment activities of different offices and components overlapped across several critical infrastructure sectors during the 3-year period. For example, as the previous table shows, six critical infrastructure sectors were ones in which at least four of the five offices and components conducted or required vulnerability assessments. The potential for overlap or duplication was also confirmed to GAO anecdotally by Coast Guard, the Protective Security Coordination Division (PSCD), and Transportation Security Administration (TSA) field personnel who reported observing what they called federal fatigue, or a perceived weariness among critical infrastructure owners and operators who had been repeatedly approached or required by multiple federal agencies and DHS offices and components to participate in or complete assessments. DHS officials expressed concern that this “fatigue” may diminish future cooperation from asset owners and operators.

To determine whether DHS had conducted or required vulnerability assessments at the same assets or systems within those sectors, GAO compared records of assessment-related activities based on name and location, as no unique numeric identifiers were available. This analysis showed that the various data sets DHS offices and components used did not share common formats or defined data standards that would enable identification of matches across data sets. DHS officials acknowledged that DHS-wide interoperability standards do not exist for them to follow that would facilitate comparisons among the different data sets. Across the sets of data from the various offices and components, asset names and addresses generally were not entered in a standardized way or were not available in some cases. In addition, some records showed assets that were listed at the same address in more than one DHS data set but did not have names that matched. Similarly, some company names appeared to be the same or similar on multiple DHS data sets but were listed at different street addresses, on different streets, or had post office boxes instead of physical addresses. In some cases, company or asset names were missing altogether.

GAO determined that without consistent assessment data across DHS offices and components on the names and addresses of assets already assessed, DHS could not reasonably ensure that it could identify potential overlap or duplication in coverage of its vulnerability assessment activities. In addition, DHS is not fully positioned to track its activities to better ensure effective risk management across the spectrum of assets and systems as called for by the NIPP.

In addition to the lack of consistent data on assessments, GAO reported in September 2014 that DHS lacks department-wide processes to facilitate data sharing and coordination, as appropriate, among the various offices and components that conduct or require vulnerability assessments. The NIPP calls for standardized processes to promote integration and coordination of information sharing through, among other things, jointly developed standard operating procedures. However, GAO found that while different components within DHS use various data systems to maintain their assessment-related data, the offices and components have no process for sharing the data for assessments that they conduct, as appropriate.

For example, DHS’s Office of Infrastructure Protection has a system that stores the results of surveys and assessments conducted by its PSCD personnel, while TSA has a separate system that serves as a centralized online repository of TSA’s information. However, access to each other’s systems is limited or restricted, and there is no other mechanism that consolidates and maintains basic information on the assessment activities of each office or component, such as the names and addresses of assets assessed. DHS reports that it is in the early stages of addressing this issue, according to DHS’s comments on GAO’s September 2014 report. For example, one DHS component is developing a secure system to serve as a single interface through which certain mission partners enter and retrieve vulnerability assessment information.

In addition, GAO found that DHS lacks a department-wide process to facilitate coordination among the various offices and components involved in vulnerability assessment activities. DHS officials stated that they generally rely on field-based personnel to inform their counterparts at other offices and components about planned assessment activities and share information as needed on what assets may have already been assessed. For example, PSCD officials stated that they send e-mail notifications to partners advising them of planned assessments and may also alert DHS counterparts depending on assets covered and their areas of responsibility. Likewise, Coast Guard officials reported that locally based area maritime security committee meetings provide a forum for Coast Guard field personnel to share information about planned and completed assessment-related activities with other DHS components, as needed.[2] However, absent field-based coordination or sharing activities such as these, it is unclear whether all facilities in a particular geographic area or sector are covered.

Not having processes for sharing information or coordinating on assessments or consistent data standards and requirements can affect DHS offices’ and components’ ability to identify potential overlap or duplication in their assessment activities. For example, even if consistent data standards and requirements were in place, the lack of a process for facilitating the sharing of assessment data among offices and components can hinder DHS’s ability to analyze what facilities have or have not been assessed because officials using one set of data are not readily able to access and compare the data of other offices and components. Similarly, having a process for sharing assessment data but not having consistent data standards and requirements would likewise hinder DHS’s ability to maximize the use of data already collected, as one office’s or component’s data may not be compatible with another. 

Consequently, without consistent data standards and requirements and processes for DHS offices and components to share data and coordinate with each other in their critical infrastructure vulnerability assessment activities, DHS cannot provide reasonable assurance that it can identify potential overlap, duplication, or gaps in coverage. This could ultimately affect DHS’s ability to work with its partners to enhance national critical infrastructure security and resilience, consistent with the NIPP.



[1]DHS, 2013 National Infrastructure Protection Plan, Partnering for Critical Infrastructure Security and Resilience (Washington, D.C.: December 2013). The NIPP provides the overarching approach for integrating the nation’s critical infrastructure security and resilience activities into a single national effort.

[2]The area maritime security committees are authorized by section 102 of the Maritime Transportation Security Act of 2002, as codified at 46 U.S.C. § 70112(a)(2) and implemented at 33 C.F.R. pt. 103. Typically composed of members from federal, state, and local law enforcement agencies; maritime industry and labor organizations; and other port stakeholders, these committees are responsible for, among other things, identifying critical infrastructure and operations, identifying risks, and providing advice to the Coast Guard for developing the associated area maritime security plan.

Actions Needed

To promote efficiency and effectiveness in activities to advance critical infrastructure security and resilience, GAO recommended in September 2014 that the Secretary of Homeland Security direct the Under Secretary for the National Protection and Programs Directorate to work with other DHS offices and components to

  • develop an approach to ensure that vulnerability data gathered on critical infrastructure assets and systems are consistently collected and maintained across DHS to facilitate the identification of potential duplication and gaps in critical infrastructure coverage, and
  • develop and implement ways that DHS can facilitate data sharing and coordination of vulnerability assessments to minimize the risk of potential duplication or gaps in coverage.

Estimating potential cost savings is difficult because of the lack of consistent assessment data to determine the extent of actual duplication or overlap that currently exists in carrying out these various assessment activities. Moreover, some of the agencies could not separate out the costs of the vulnerability assessments from other activities. However, implementing these recommendations could enhance the ability of DHS offices and components to identify and minimize any potential duplication or gaps that exist in assessment coverage.

How GAO Conducted Its Work

The information contained in this analysis is based on findings from products listed in the related GAO products section. To determine the extent to which the same critical infrastructure was assessed by different entities within DHS, GAO obtained and analyzed data for the October 2010 to September 2013 time period on the assessments conducted by each DHS office or component using their respective tools and methods and the facilities regulated under the Maritime Transportation Security Act of 2002 and Chemical Facilities Anti-Terrorism Standards. For its analysis GAO used a statistical software program and manual data matching to compare data on over 25,000 assessment-related activities. To determine how DHS offices and components share information and coordinate with each other on vulnerability assessments of critical infrastructure, GAO collected and analyzed documentation from DHS offices and components on their processes; procedures; and systems for gathering, storing, sharing, and using information collected during assessments of critical infrastructure. GAO also interviewed officials from DHS offices and components involved in conducting assessments of critical infrastructure.

Table 6 in appendix V lists the various assessment tools and methods used or required by DHS offices and components that GAO identified that might have similar or overlapping objectives, provide similar services, or be fragmented across government missions. Overlap and fragmentation might not necessarily lead to actual duplication, and some degree of overlap and duplication may be justified.

Agency Comments & GAO Contact

In commenting on the September 2014 report on which this analysis is based, DHS concurred with GAO’s recommendations and indicated it planned to take steps to respond to them. Specifically, DHS noted that a sub-Interagency Policy Committee of the National Security Council was taking steps to identify what policies and guidance are needed to support the identification of information that could be shared across the critical infrastructure protection community. DHS anticipates this guidance will provide departments and agencies with a common approach to critical infrastructure data and information. DHS also noted it plans to build upon ongoing internal initiatives such as developing a single assessment methodology with a strategic integrated approach as well as use one of its information systems as a means for mission partners across DHS and others to share and identify what facilities have been assessed. As part of this effort, DHS stated it also plans to convene stakeholders across DHS to assess current data collection efforts and develop and implement coordination plans.

GAO provided a draft of this report section to DHS for review and comment. DHS provided no additional comments.

For additional information about this area, contact Chris Currie at (404) 679-1875 or curriec@gao.gov.

 
