Critical Infrastructure Protection:

Sector-Specific Plans' Coverage of Key Cyber Security Elements Varies

GAO-08-113: Published: Oct 31, 2007. Publicly Released: Oct 31, 2007.

Contact:

David A. Powner
(202) 512-3000
contact@gao.gov


The nation's critical infrastructure sectors--such as public health, energy, water, and transportation--rely on computerized information and systems to provide services to the public. To fulfill the requirement for a comprehensive plan, including cyber aspects, the Department of Homeland Security (DHS) issued a national plan in June 2006 for the sectors to use as a road map to enhance the protection of critical infrastructure. Lead federal agencies, referred to as sector-specific agencies, are responsible for coordinating critical infrastructure protection efforts, such as the development of plans that are specific to each sector. In this context, GAO was asked to determine if these sector-specific plans address key aspects of cyber security, including cyber assets, key vulnerabilities, vulnerability reduction efforts, and recovery plans. To accomplish this, GAO analyzed each sector-specific plan against criteria that were developed on the basis of DHS guidance.

The extent to which the sectors addressed aspects of cyber security in their sector-specific plans varied; none of the plans fully addressed all 30 cyber security-related criteria. Several sector plans--including the information technology and telecommunications sectors--fully addressed many of the criteria, while others--such as agriculture and food and commercial facilities--were less comprehensive. The following figure summarizes the extent to which each plan addressed the 30 criteria. In addition to the variations in the extent to which the plans covered aspects of cyber security, there was also variance among the plans in the extent to which certain criteria were addressed. For example, all plans fully addressed identifying a sector governance structure for research and development, but fewer than half of the plans fully addressed describing any incentives used to encourage voluntary performance of risk assessments. The varying degrees to which each plan addressed the cyber security-related criteria can be attributed in part to the varying levels of maturity in the different sectors. DHS acknowledges the shortcomings in the plans, and officials stated that the sector-specific plans represent only the early efforts by the sectors to develop their respective plans. Nevertheless, until the plans fully address key cyber elements, stakeholders within the infrastructure sectors may not adequately identify, prioritize, and protect their critical assets. As the plans are updated, it will be important that DHS work with the sector representatives to ensure that the areas not sufficiently addressed are covered. Otherwise, the plans will remain incomplete and sector efforts will not be sufficient to enhance the protection of their computer-reliant assets.

Status Legend:

  • Review Pending - GAO has not yet assessed implementation status.
  • Open - Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented - Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented - While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

Recommendation for Executive Action

Recommendation: To assist the sectors in securing their cyber infrastructure, the Secretary of Homeland Security should direct the Assistant Secretary for Infrastructure Protection and the Assistant Secretary for Cybersecurity and Communications to request that, by September 2008, the sector-specific agencies' plans address the cyber-related criteria that were only partially addressed or not addressed at all.

Agency Affected: Department of Homeland Security

Status: Closed - Implemented

Comments: In response, DHS developed a corrective action plan (dated February 4, 2008) to implement this recommendation. The plan stated that the department is to (1) develop and provide to the sector-specific agencies guidance on the cyber elements to be incorporated in sector plans and (2) work with the sectors to achieve this aim. Specifically, the plan tasked DHS's National Cyber Security Division with developing guidance on the cyber elements to be included in updated sector-specific plans and annual reports. As part of carrying out these efforts, DHS notified the sector-specific agencies of the cyber planning weaknesses identified in the GAO report and requested that the agencies address them by September 2008. DHS also offered to meet with the agencies to discuss and assist in addressing missing cyber elements and related issues. Further, in 2009, DHS released guidance that requested the agencies to fully address cyber-related elements as part of updating their sector-specific plans.
