Information Sharing:

DHS Should Take Steps to Encourage More Widespread Use of Its Program to Protect and Share Critical Infrastructure Information

GAO-06-383: Published: Apr 17, 2006. Publicly Released: May 17, 2006.

Additional Materials:

Contact:

David A. Powner
(202) 512-3000
contact@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

A wide array of cyber and physical assets is critical to America's national security, economic well-being, and public health and safety. Information related to threats, vulnerabilities, incidents, and security techniques is instrumental to guarding these critical infrastructures against attacks and mitigating the impact of attacks that may occur. The ability to share security-related information can unify the efforts of federal, state, and local government as well as the private sector, as appropriate, in preventing and minimizing terrorist attacks. The Critical Infrastructure Information Act of 2002 was enacted to encourage nonfederal entities to voluntarily share critical infrastructure information and established protections for it. The Department of Homeland Security (DHS) has a lead role in implementing the act. GAO was asked to determine (1) the status of DHS's efforts to implement the act and (2) the challenges it faces in carrying out the act.

DHS has issued interim operating procedures and created a Program Office to administer the critical infrastructure protection program called for by the Critical Infrastructure Information Act. The interim procedures designate the responsibilities and authority of the Program Manager, and establish requirements related to accepting, protecting, sharing, and using critical infrastructure information as required by the act. The Program Office has begun to accept and safeguard critical infrastructure information submitted voluntarily by infrastructure owners and is sharing it with other DHS entities and, on a limited basis, with other government entities. For example, as of January 2006, the Program Office had received about 290 submissions of critical infrastructure information from various sectors. The Program Office also has initiated outreach efforts to publicize the program to the public and private sectors. In addition, it has trained approximately 750 potential users in DHS and other federal, state, and local government entities how to handle protected critical infrastructure information. This training is a prerequisite to being allowed to view the information. The Program Office has also trained at least 16 federal and state officials how to establish programs in their own entities so they can receive protected critical infrastructure information from DHS and then be authorized to store and share it. DHS faces challenges that impede the private sector's willingness to share sensitive information. Key challenges include defining specific government needs for critical infrastructure information, determining how the information will be used, assuring the private sector that the information will be protected and who will be authorized to have access to the information, and demonstrating to critical infrastructure owners the benefits of sharing the information. If DHS were able to surmount these challenges, it and other government users may begin to overcome the lack of trust that critical infrastructure owners have in the government's ability to use and protect their sensitive information.

Status Legend:

More Info
  • Review Pending-GAO has not yet assessed implementation status.
  • Open-Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed-implemented-Actions that satisfy the intent of the recommendation have been taken.
  • Closed-not implemented-While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.
    • Review Pending
    • Open
    • Closed - implemented
    • Closed - not implemented

    Recommendations for Executive Action

    Recommendation: In order for DHS to address the challenges to the protected critical infrastructure information program--defining specific needs, determining how and who uses the information, assuring submitters that the information will be protected, and demonstrating benefits to critical infrastructure owners--the Secretary of Homeland Security should, concurrently, consistent with other infrastructure planning efforts such as the National Infrastructure Protection Plan, determine whether creating mechanisms, such as providing originator control and direct submissions to federal agencies other than DHS, would increase submissions.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: As outlined in the "Procedures for Handling Critical Infrastructure Information--Final Rule" issued September 1, 2006, DHS has taken the following steps to increase submissions: 1) Allowing the submission of Critical Infrastructure Information (CII) to other Federal agencies or indirect submissions, providing greater intake capability, and greater convenience for submitters, and 2) categorical inclusion of classes of Protected CII, allowing for presumptive validation and more certainty for submitters. The Final Rule identifies procedures for indirect submissions to DHS through DHS field representatives and other Federal Agencies. Federal agencies other than DHS may be designated to receive CII on behalf of DHS, but only the PCII Program Manager is authorized to make the decision to validate a submission as PCII. The Final Rule also invests the PCII Program Manager with the authority and flexibility to designate certain types of infrastructure information as presumptively valid PCII to accelerate the validation process. The PCII Program Manager may establish categories of information for which PCII status will automatically apply.

    Recommendation: In order for DHS to address the challenges to the protected critical infrastructure information program--defining specific needs, determining how and who uses the information, assuring submitters that the information will be protected, and demonstrating benefits to critical infrastructure owners--the Secretary of Homeland Security should, concurrently, consistent with other infrastructure planning efforts such as the National Infrastructure Protection Plan, define and communicate to the private sector what critical information infrastructure DHS and federal entities need to fulfill their critical infrastructure responsibilities and how federal, state, and local entities are expected to use the information submitted under the program.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: To communicate to the private sector the Department of Homeland Security's (DHS) protected critical infrastructure information (PCII)needs and expected use, the Office of Infrastructure Protection/PCII Program has made available, through its public website, answers to frequently asked questions that defines the type of information collected and what it is used for. In addition, the public website explains how PCII will be accessed, handled, and used by Federal, state and local government employees and their contractors.

    Recommendation: In order for DHS to address the challenges to the protected critical infrastructure information program--defining specific needs, determining how and who uses the information, assuring submitters that the information will be protected, and demonstrating benefits to critical infrastructure owners--the Secretary of Homeland Security should, in the short term, establish a specific deadline in the near future for releasing the final rule to the Office of Management and Budget and for interagency review so that potential submitters have more assurance about how their sensitive information will be protected.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: On September 1, 2006, the Department of Homeland Security issued "Procedures for Handling Critical Infrastructure Information; Final Rule" in the Federal Register.

    Recommendation: In order for DHS to address the challenges to the protected critical infrastructure information program--defining specific needs, determining how and who uses the information, assuring submitters that the information will be protected, and demonstrating benefits to critical infrastructure owners--the Secretary of Homeland Security should, concurrently, consistent with other infrastructure planning efforts such as the National Infrastructure Protection Plan, expand efforts to use incentives to encourage more users, such as mechanisms for state-to-state sharing.

    Agency Affected: Department of Homeland Security

    Status: Closed - Implemented

    Comments: DHS has taken steps to encourage more users to participate by allowing State and local government officials to share PCII with other parties already authorized to receive such information by the PCII Program Manager. The PCII Program Office has developed an accreditation program as a means to share PCII with eligible government entities. The accreditation program has been designed to ensure the proper handling, use, dissemination, and safeguarding of PCII by government users. A State or local entity can become authorized to receive PCII once its accreditation process has been initiated. The PCII Program Office has already accredited Maryland, Arizona, California, and Massachusetts to receive PCII and is currently working with several other states to become accredited. Once they are fully accredited, the changes made in the Final Rule will facilitate information sharing amongst these entities, should they want to share PCII.

    Dec 5, 2013

    Sep 10, 2013

    Aug 22, 2013

    Jun 20, 2013

    May 9, 2013

    Apr 4, 2013

    Mar 13, 2013

    Feb 27, 2013

    Feb 21, 2013

    Looking for more? Browse all our products here