Critical Infrastructure Protection: DHS Efforts to Assess and Promote Resiliency Are Evolving but Program Management Could Be Strengthened
Highlights
According to the Department of Homeland Security (DHS), protecting and ensuring the resiliency (the ability to resist, absorb, recover from, or successfully adapt to adversity or changing conditions) of critical infrastructure and key resources (CIKR) is essential to the nation's security. By law, DHS is to lead and coordinate efforts to protect several thousand CIKR assets deemed vital to the nation's security, public health, and economy. In 2006, DHS created the National Infrastructure Protection Plan (NIPP) to outline the approach for integrating CIKR and increased its emphasis on resiliency in its 2009 update. GAO was asked to assess the extent to which DHS (1) has incorporated resiliency into the programs it uses to work with asset owners and operators and (2) is positioned to disseminate information it gathers on resiliency practices to asset owners and operators. GAO reviewed DHS documents, such as the NIPP, and interviewed DHS officials and 15 owners and operators of assets selected on the basis of geographic diversity. The results of these interviews are not generalizable but provide insights.
Recommendations
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Directorate of Information Analysis and Infrastructure Protection | To better ensure that DHS's efforts to incorporate resiliency into its overall CIKR protection efforts are effective and completed in a timely and consistent fashion, the Assistant Secretary for Infrastructure Protection should develop performance measures to assess the extent to which asset owners and operators are taking actions to resolve resiliency gaps identified during the various vulnerability assessments. | In 2010, we reported that DHS had increased its emphasis on critical infrastructure resiliency in the National Infrastructure Protection Plan (NIPP) in response to concerns that DHS was placing emphasis on protection rather than resilience. Consistent with these changes, DHS had also taken actions to increase its emphasis on resilience in the programs and tools it uses to assess vulnerability and risk that are designed to help owners and operators identify resiliency characteristics and gaps. We reported that these actions continue to evolve and could be improved through the development of performance measures to assess the extent to which asset owners and operators are taking actions in response to the various vulnerability assessments. DHS concurred with the recommendation and, in its 60-day status update on efforts to implement the recommendations, reported that performance measures related to assessing the impact of Office of Infrastructure Protection (IP) assessments on improving the protection and resilience of critical infrastructure had been developed. In November 2013, DHS informed us that IP developed performance metrics to determine the percent of facilities that planned, started, or implemented at least one security enhancement that raises the facility's Protective Measure Index (PMI) or Resilience Index (RI) score after receiving an Infrastructure Protection vulnerability assessment or survey. As of August 2014, 89.5 percent (154 of 172) of organizations that received the results of the ECIP Security Survey or SAV during the second quarter of fiscal year 2014 responded they "Agree" or "Strongly Agree" in response to the performance metric "My organization is likely to integrate the information provided by the ECIP Security Survey or SAV into its future security or resilience enhancements." Officials noted that they are also in discussions to finalize and approve new metrics in fiscal year 2014. These actions satisfy the intent of our recommendation. |
Directorate of Information Analysis and Infrastructure Protection | To better ensure that DHS's efforts to incorporate resiliency into its overall CIKR protection efforts are effective and completed in a timely and consistent fashion, the Assistant Secretary for Infrastructure Protection should update PSA guidance that discusses the role PSAs play during interactions with asset owners and operators with regard to resiliency, which could include how PSAs work with them to emphasize how resiliency strategies could help them mitigate vulnerabilities and strengthen their security posture and provide suggestions for enhancing resiliency at particular facilities. | In 2010 we reported that DHS had increased its emphasis on critical infrastructure resiliency in the National Infrastructure Protection Plan (NIPP) in response to concerns that DHS was placing emphasis on protection rather than resilience. Recognizing that Protective Security Advisors (PSAs) serve as liaisons between DHS and security stakeholders, to include asset owners and operators, in local communities, we reported that although DHS had begun to train PSAs about resiliency and how it applies to the owners and operators they interact with, DHS had not updated PSAs' guidance that outlined their roles and responsibilities to reflect DHS' growing emphasis on resiliency. In response to... |
Department of Homeland Security | The Secretary of Homeland Security should assign responsibility to one or more organizations within DHS to determine the feasibility of overcoming barriers and developing an approach for disseminating information on resiliency practices to CIKR owners and operators within and across sectors. | Related to its efforts to develop or update its programs designed to assess vulnerability of asset owners and operators, individual facilities, and groups of facilities, DHS has considered how it can disseminate information on resiliency and practices it gathers or plans to gather with asset owners and operators within and across sectors. However, it faces barriers in doing so because it would have to overcome perceptions that it is advancing or promoting standards that have to be adopted and concerns about sharing proprietary information. We recognize that DHS would face challenges disseminating information about resiliency practices within and across sectors. Nonetheless, as the... |