Critical Infrastructure Protection: Current Cyber Sector-Specific Planning Approach Needs Reassessment

GAO-09-969 Published: Sep 24, 2009. Publicly Released: Oct 28, 2009.
Highlights

The nation's critical infrastructure sectors (e.g., energy, banking) rely extensively on information technology systems. The Department of Homeland Security (DHS) issued guidance in 2006 that instructed lead federal agencies, referred to as sector-specific agencies, to develop plans for protecting each sector's critical cyber and other (physical) infrastructure. These agencies issued plans in 2007, but GAO found that none fully addressed all 30 cyber security-related criteria identified in DHS's guidance and recommended that the plans be updated to address them by September 2008. GAO was asked to determine the extent to which sector plans have been updated to fully address DHS's cyber security requirements and to assess whether these plans and related reports provide for effective implementation. To do this, GAO analyzed documentation, interviewed officials, and compared sector plans and reports with DHS's cyber criteria.

Recommendations

Recommendations for Executive Action

Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security, consistent with any direction from the Office of the Cybersecurity Coordinator, should assess whether the existing sector-specific planning process should continue to be the nation's approach to securing cyber and other critical infrastructure and, in doing so, consider whether proposed and other options would provide more effective results.
Status: Closed – Implemented
Status details: In response to our recommendation, DHS determined that the existing sector-specific planning process, in conjunction with other related efforts planned and underway, should continue to be the nation's approach. The department undertook a review in 2009 that included meeting with key stakeholders to determine whether the existing sector-specific planning process was effective and should be continued. Based on these efforts, DHS, along with government and industry stakeholders, decided to continue the existing process, but to do so in conjunction with other critical infrastructure protection efforts. These efforts include, for example, DHS initiating and engaging in a cross-sector initiative to develop a risk management plan that is to be used, along with the sector-specific plans, to address identified risk reduction opportunities for cyber and other infrastructure. In addition, DHS established and operates a Cross-Sector Cyber Security Working Group that has initiatives underway to improve cybersecurity information sharing among the different industry sectors and to develop methods to measure the effectiveness of sector cybersecurity efforts.

Agency Affected: Department of Homeland Security
Recommendation: If the existing approach is deemed to be the national approach, the Secretary should make it, including the cyber aspects, an agency priority and manage it accordingly. This should include collaborating closely with other sector-specific agencies to develop (1) sector-specific plans that fully address cyber-related criteria in the next release of the plans, and (2) sector annual reports that (i) include updated implementation actions and associated milestones and (ii) report progress against plan commitments and timelines.
Status: Closed – Implemented
Status details: In response to our recommendation, DHS met and worked with the 9 sector-specific agencies and the 18 critical infrastructure (CIP) sectors with the goal of making sure sector plans fully addressed the cyber-related criteria detailed in DHS's guidance. As a result, the updated sector plans issued in 2010 by the agencies in conjunction with their sector counterparts more thoroughly addressed DHS's cyber-related criteria. For example, the postal and shipping sector, which had fully addressed 21 of the 30 criteria in its earlier plan we reviewed, fully addressed the remaining 9 criteria in its 2010 plan. In addition, the water sector fully addressed the 6 criteria it had not addressed in its earlier plan we reviewed. With regard to the sector annual reports (SARs), the sector-specific agencies in conjunction with their sector counterparts developed and issued SARs in 2010 that included (1) updated implementation actions and associated milestones and (2) sector progress against the actions and milestones. For example, in its 2010 SAR, the nuclear sector reported how it had updated its implementation actions to include establishing a key action and milestones to improve cybersecurity across the sector. The sector also reported in its SAR the progress that it had made thus far with this and other key actions. In addition, the public health and healthcare sector reported in its 2010 SAR how it had updated its implementation actions to include the development of a 2010 strategic plan to strengthen the cybersecurity of the organizations involved in the sector and reported progress in doing so, including establishing a cybersecurity working group to facilitate, among other things, implementation of the strategic plan.

Topics

Classified defense information, Computer security, Critical infrastructure, Critical infrastructure protection, Cyber security, Employees, Evaluation criteria, Federal agencies, Homeland security, Information technology, Joint ventures, Prioritizing, Public relations, Reports management, Strategic information systems planning