Critical Infrastructure Protection:
Current Cyber Sector-Specific Planning Approach Needs Reassessment
GAO-09-969: Published: Sep 24, 2009. Publicly Released: Oct 28, 2009.
The nation's critical infrastructure sectors (e.g., energy, banking) rely extensively on information technology systems. The Department of Homeland Security (DHS) issued guidance in 2006 that instructed lead federal agencies, referred to as sector-specific agencies, to develop plans for protecting the sector's critical cyber and other (physical) infrastructure. These agencies issued plans in 2007, but GAO found that none fully addressed all 30 cyber security-related criteria identified in DHS's guidance and recommended that the plans be updated to address it by September 2008. GAO was asked to determine the extent to which sector plans have been updated to fully address DHS's cyber security requirements and assess whether these plans and related reports provide for effective implementation. To do this, GAO analyzed documentation, interviewed officials, and compared sector plans and reports with DHS cyber criteria.
Although DHS reported many efforts under way and planned to improve the cyber content of sector-specific plans, sector-specific agencies have yet to update their respective sector-specific plans to fully address key DHS cyber security criteria. For example, of the 17 sector-specific plans, only 9 have been updated. Of these 9 updates, just 3 addressed missing cyber criteria, and those 3 involved only a relatively small number (3 or fewer) of the criteria in question. Recently DHS issued guidance specifically requesting that the sectors address cyber criteria shortfalls in their 2010 sector-specific plan updates. Until the plans are issued, it is not clear whether they will fully address cyber requirements. Accordingly, the continuing lack of plans that fully address key cyber criteria has reduced the effectiveness of the existing sector planning approach and thus increases the risk that the nation's cyber assets have not been adequately identified, prioritized, and protected. Most sector-specific agencies developed and identified in their 2007 sector plans those actions--referred to by DHS as implementation actions--essential to carrying out the plans; however, since then, most agencies have not updated the actions and reported progress in implementing them as called for by DHS guidance. Specifically, in response to 2006 guidance that called for agencies to address three key implementation elements (action descriptions, completion milestones, and parties responsible), most sectors initially developed implementation actions that fully addressed the key elements. However, while 2008 guidance called for implementation actions to be updated and for sector reports to include progress reporting against implementation action milestone commitments, only five sectors updated their plans and reported on progress against implementation actions. 
DHS attributed this in part to the department not following up and working to ensure that all sector plans are fully developed and implemented in accordance with department guidance. The lack of complete updates and progress reports is further evidence that the sector planning process has not been effective and thus leaves the nation in the position of not knowing precisely where it stands in securing cyber critical infrastructures. Not following up to address these conditions also shows DHS is not making sector planning a priority. Further, recent studies by a presidential working group--which resulted in the President establishing the White House Office of Cybersecurity Coordinator--and an expert commission also identified shortfalls in the effectiveness of the current public-private partnership approach and related sector planning and offered options for improving the process. Such options include (1) prioritizing sectors to focus planning efforts on those with the most important cyber assets and (2) streamlining existing sectors to optimize their capacity to identify priorities and develop plans. Given this, it is essential that DHS and the to-be-appointed Cybersecurity Coordinator determine whether the current process as implemented should continue to be the national approach and thus worthy of further investment.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: In response to our recommendation, DHS determined that the existing sector-specific planning process, in conjunction with other related efforts planned and underway, should continue to be the nation's approach. The department undertook a review in 2009 that included meeting with key stakeholders to determine whether the existing sector-specific planning process was effective and should be continued. Based on these efforts, DHS, along with government and industry stakeholders, decided to continue the existing process, but to do so in conjunction with other critical infrastructure protection efforts. These efforts include, for example, DHS initiating and engaging in a cross-sector initiative to develop a risk management plan that is to be used, along with the sector specific plans, to address identified risk reduction opportunities for cyber and other infrastructure. In addition, DHS established and operates a Cross-Sector Cyber Security Working Group that has initiatives underway to improve cybersecurity information sharing among the different industry sectors and to develop methods to measure the effectiveness of sector cybersecurity efforts.
Recommendation: The Secretary of Homeland Security, consistent with any direction from the Office of the Cybersecurity Coordinator, should assess whether the existing sector-specific planning process should continue to be the nation's approach to securing cyber and other critical infrastructure and, in doing so, consider whether proposed and other options would provide more effective results.
Agency Affected: Department of Homeland Security
Status: Closed - Implemented
Comments: In response to our recommendation, DHS met and worked with the 9 sector specific agencies and the 18 critical infrastructure (CIP) sectors with the goal of making sure sector plans fully addressed the cyber-related criteria detailed in DHS's guidance. As a result, the updated sector plans issued in 2010 by the agencies in conjunction with their sector counterparts more thoroughly addressed DHS's cyber-related criteria. For example, the postal and shipping sector, which had fully addressed 21 of the 30 criteria in its earlier plan we reviewed, fully addressed the remaining 9 criteria in its 2010 plan. In addition, the water sector fully addressed the 6 criteria it had not in its earlier plan we reviewed. With regard to the sector annual reports (SARs), the sector specific agencies in conjunction with their sector counterparts developed and issued SARs in 2010 that included (1) updated implementation actions and associated milestones and (2) sector progress against the actions and milestones. For example, in its 2010 SAR, the nuclear sector reported how it had updated its implementation actions to include establishing a key action and milestones to improve cybersecurity across the sector. The sector also reported in its SAR the progress that it had made thus far with this and other key actions. In addition, the public health and healthcare sector reported in its 2010 SAR how it had updated its implementation actions to include the development of a 2010 strategic plan to strengthen the cybersecurity of the organizations involved in the sector and reported progress in doing so, including establishing a cybersecurity working group to facilitate, among other things, implementation of the strategic plan.
Recommendation: If the existing approach is deemed to be the national approach, the Secretary should make it, including the cyber aspects, an agency priority and manage it accordingly. This should include collaborating closely with other sector-specific agencies to develop (1) sector-specific plans that fully address cyber-related criteria in the next release of the plans, and (2) sector annual reports that (i) include updated implementation actions and associated milestones and (ii) report progress against plan commitments and timelines.
Agency Affected: Department of Homeland Security