Critical Infrastructure Protection:
Update to National Infrastructure Protection Plan Includes Increased Emphasis on Risk Management and Resilience
GAO-10-296, Mar 5, 2010
According to the Department of Homeland Security (DHS), there are thousands of facilities in the United States that, if destroyed by a disaster, could cause casualties, economic losses, or disruptions to national security. The Homeland Security Act of 2002 gave DHS responsibility for leading and coordinating the nation's effort to protect critical infrastructure and key resources (CIKR). Homeland Security Presidential Directive 7 (HSPD-7) defined responsibilities for DHS and certain federal agencies--known as sector-specific agencies (SSAs)--that represent 18 industry sectors, such as energy. In accordance with the Homeland Security Act and HSPD-7, DHS issued the National Infrastructure Protection Plan (NIPP) in June 2006 to provide the overarching approach for integrating the nation's CIKR protection efforts. GAO was asked to study DHS's January 2009 revisions to the NIPP in light of a debate over whether DHS has emphasized protection--to deter threats, mitigate vulnerabilities, or minimize the consequences of disasters--rather than resilience--to resist, absorb, or successfully adapt to, respond to, or recover from disasters. This report discusses (1) how the 2009 NIPP changed compared to the 2006 NIPP and (2) how DHS and SSAs addressed resiliency as part of their planning efforts. GAO compared the 2006 and 2009 NIPPs, analyzed documents, including NIPP Implementation Guides and sector-specific plans, and interviewed DHS and SSA officials from all 18 sectors about their process to identify potential revisions to the NIPP and address resiliency.
Compared to the 2006 NIPP, DHS's 2009 update to the NIPP incorporated various changes, including a greater emphasis on regional CIKR protection planning and updates to DHS's overall risk management framework, such as instructions for sectors to develop metrics to gauge how well programs reduced the risk to their sector. For example, in the 2006 NIPP, DHS encouraged stakeholders to address CIKR across sectors within and across geographic regions; by contrast, the 2009 NIPP called for regional coordination through the formation of a consortium of representatives from multiple regional organizations. DHS also expanded its discussion of risk management methodologies in the 2009 NIPP. The 2006 NIPP listed the minimum requirements for conducting risk analyses, while the 2009 NIPP calls for a common risk assessment approach, including core criteria for these analyses, so that risk can be compared across sectors. DHS officials said that the changes highlighted in the 2009 NIPP were the result of knowledge gained and issues raised during discussions with partners and outside organizations such as GAO. DHS has also issued guidance for SSAs to consider revisions to the NIPP when updating their sector-specific plans (SSPs). Fourteen of the 18 SSA representatives who responded to our query said they used a process similar to DHS's to incorporate NIPP changes into their SSPs. They reported that they intend to discuss the expectations for the SSP with DHS, draft the SSP based on their knowledge of their sectors, and obtain input and feedback from stakeholders.

DHS increased its emphasis on resiliency in the 2009 NIPP by giving it the same level of importance as protection. While the 2009 NIPP uses much of the same language as the 2006 NIPP to describe resiliency, the 2006 NIPP primarily treated resiliency as a subset of protection, whereas the 2009 NIPP generally refers to resiliency alongside protection. For example, while the Managing Risk chapter of the 2006 NIPP has a section entitled "Characteristics of Effective Protection Programs," the same chapter in the 2009 NIPP has a section entitled "Characteristics of Effective Protection Programs and Resiliency Strategies." DHS officials stated that these changes are not a major shift in policy; rather, they are intended to raise awareness about resiliency as it applies within individual sectors. Furthermore, they stated that the greater emphasis on resilience in the 2009 NIPP is meant to encourage more sector and cross-sector activities that address a broader spectrum of risks, such as cyber security. DHS officials also used guidance to encourage SSAs to devote more attention to resiliency. For example, the 2009 guidance advises SSAs that in sectors where infrastructure resiliency is as important as, or more important than, physical security, they should focus on describing the resiliency measures and strategies being used by the sector. The 2010 updates to the SSPs are due to be released by DHS in mid-2010, and all sector representatives who responded to our questions said they will address the issue as appropriate for their sectors. In commenting on a draft of this report, DHS reiterated its process for updating the NIPP and its views on resiliency.