Critical Infrastructure Protection:
National Plan for Information Systems Protection
AIMD-00-90R, Feb 11, 2000
Pursuant to a congressional request, GAO assessed national security legal authorities related to infrastructure protection, focusing on the administration's National Plan for Information Systems Protection.
GAO noted that: (1) the National Plan for Information Systems Protection is an important and positive step toward building the cyber-defense necessary to protect critical information assets and infrastructures; (2) it identifies risks associated with the nation's dependence on computer networks for critical services; (3) it recognizes the need for the federal government to take the lead in addressing critical infrastructure risks and to serve as a model for information security; (4) and, it outlines key concepts and general initiatives to assist in achieving these goals; (5) in doing this, the plan addresses many of the same points GAO raised in an October 1, 1999, report to Congress on critical infrastructure protection, including the need for improved standards, strengthened evaluations and oversight of agency performance, increased technical expertise, adequate funding, and improved detection and response capabilities; (6) however, GAO identified several opportunities for improvement as the plan is further developed as well as significant challenges that must be addressed to build the public-private partnership necessary for infrastructure protection; (7) in particular, GAO noted that the plan should place more emphasis on providing agencies the incentives and tools to implement the management controls necessary to assure comprehensive security programs, as opposed to its strong emphasis on implementing intrusion detection capabilities; (8) in addition, the plan relies heavily on existing legislation and requirements that, as a whole, are inadequate and have been poorly implemented by federal agencies; (9) specifically, the legislative framework focuses too much attention on individual system security versus taking an organizationwide perspective, oversimplifies risk considerations, and treats information security as a technical function rather than as an integral management function; (10) in discussing the challenge of building public-private partnerships, GAO noted that the plan proposes several initiatives that may have a significant impact on private sector and affected interest groups--such as the possibility of removing barriers that discourage private sector companies from sharing information with government about infrastructure protection issues; and (11) while the plan appropriately presented such proposals in broad terms, it is important to bear in mind that these and other proposed changes will require extensive public dialogue before they could or should be implemented.