Critical Infrastructure Protection:

DHS Could Better Manage Security Surveys and Vulnerability Assessments

GAO-12-378: Published: May 31, 2012. Publicly Released: Jun 29, 2012.

Additional Materials:

Contact:

Stephen L. Caldwell
(202) 512-8777
caldwells@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Department of Homeland Security (DHS) has conducted about 2,800 security surveys and vulnerability assessments on critical infrastructure and key resources (CIKR). DHS directs its protective security advisors to contact owners and operators of high-priority CIKR to offer to conduct surveys and assessments. However, DHS is not positioned to track the extent to which these are performed at high-priority CIKR because of inconsistencies between the databases used to identify these assets and those used to identify surveys and assessments conducted. GAO compared the two databases and found that of the 2,195 security surveys and 655 vulnerability assessments conducted for fiscal years 2009 through 2011, 135 surveys and 44 assessments matched and another 106 surveys and 23 assessments were potential matches for high-priority facilities. GAO could not match additional high-priority facilities because of inconsistencies in the way data were recorded in the two databases, for example, assets with the same company name had different addresses or an asset at one address had different names. DHS officials acknowledged that the data did not match and have begun to take actions to improve the collection and organization of the data. However, DHS does not have milestones and timelines for completing these efforts consistent with standards for project management. By developing a plan with time frames and milestones consistent with these standards DHS would be better positioned to provide a more complete picture of its progress.

DHS shares the results of security surveys and vulnerability assessments with asset owners or operators but faces challenges doing so. A GAO analysis of DHS data from fiscal year 2011 showed that DHS was late meeting its (1) 30-day time frame—as required by DHS guidance—for delivering the results of its security surveys 60 percent of the time and (2) 60-day time frame—expected by DHS managers for delivering the results of its vulnerability assessments—in 84 percent of the instances. DHS officials acknowledged the late delivery of survey and assessment results and said they are working to improve processes and protocols. However, DHS has not established a plan with time frames and milestones for managing this effort consistent with the standards for project management. Also, the National Infrastructure Protection Plan (NIPP), which emphasizes partnering and voluntary information sharing, states that CIKR partners need to be provided with timely and relevant information that they can use to make decisions. Developing a plan with time frames and milestones for improving timeliness could help DHS provide asset owners and operators with the timely information they need to consider security enhancements.

DHS uses a follow-up tool to assess the results of security surveys and assessments performed at CIKR assets, and are considering upgrades to the tool. However, DHS could better measure results and improve program management by capturing additional information. For example, key information, such as why certain improvements were or were not made by asset owners and operators that have received security surveys, could help DHS improve its efforts. Further, information on barriers to making improvements—such as the cost of security enhancements—could help DHS better understand asset owners and operators’ rationale in making decisions and thereby help improve its programs. Taking steps to gather additional information could help keep DHS better informed for making decisions in managing its programs.

Why GAO Did This Study

Natural disasters, such as Hurricane Katrina, and terrorist attacks, such as the 2005 bombings in London, highlight the importance of protecting CIKR—assets and systems vital to the economy or health of the nation. DHS issued the NIPP in June 2006 (updated in 2009) to provide the approach for integrating the nation’s CIKR. Because the private sector owns most of the nation’s CIKR—for example, energy production facilities—DHS encourages asset owners and operators to voluntarily participate in surveys or vulnerability assessments of existing security measures at those assets. This includes nationally significant CIKR that DHS designates as high priority. In response to a request, this report assesses the extent to which DHS has (1) taken action to conduct surveys and assessments among high–priority CIKR, (2) shared the results of these surveys and assessments with asset owners or operators, and (3) assessed the effectiveness of surveys and assessments and identified actions taken, if any, to improve them. GAO, among other things, reviewed laws, analyzed data identifying high-priority assets and activities performed from fiscal years 2009 through 2011, and interviewed DHS officials.

What GAO Recommends

GAO recommends that, among other things, DHS develop plans for its efforts to improve the collection and organization of data and the timeliness of survey and assessment results, and gather and act upon additional information from asset owners and operators about why improvements were or were not made. DHS concurred with the recommendations.

For more information, contact Stephen L. Caldwell at (202) 512-8777 or caldwells@gao.gov.

Recommendations for Executive Action

  1. Status: Open

    Comments: In September 2013, DHS IP provided the following update. In June 2013, PSCD updated the 180-day and 365-day follow-up questions to more accurately capture all improvements to resilience (i.e., to include tracking of those that are ongoing and planned that are attributable to surveys and assessments). This update will be implemented during the next IST version update roll-out (typically January of each year). PSCD is still considering how the follow-up questions could be updated to capture factors influencing owner and operator decisions to make or not make enhancements, as suggested by the GAO. PSCD has determined such an update to be feasible, but the details of how it would be accomplished are still being resolved.

    Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should consider the feasibility of expanding the follow-up program to gather and act upon data, as appropriate, on (1) security enhancements that are ongoing and planned that are attributable to DHS security surveys and vulnerability assessments and (2) factors, such as cost and perceptions of threat, that influence asset owner and operator decisions to make, or not make, enhancements based on the results of DHS security surveys and vulnerability assessments.

    Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection

  2. Status: Open

    Comments: In September 2013, DHS provided an update that stated IP addressed this issue in 2010 and 2011 with the assignment of unique numerical identifiers to each asset in the Linking Encrypted Network System (LENS) assessment database and the National Critical Infrastructure Prioritization Program (NCIPP) lists. We agree these are positive steps; however, to fully address the recommendation, we believe DHS should develop a plan with time frames and milestones that specify how the steps it says it is taking address the data inconsistencies we cited, and demonstrate the results--how many high-priority assets received security surveys, vulnerability assessments, or both in a given year--of that effort. By doing so, DHS would be better positioned to provide a more complete picture of its approach for developing and completing these tasks. It would also provide DHS managers and other decision makers with insights into (1) IP's overall progress in completing these tasks and (2) a basis for determining what, if any, additional actions need to be taken.

    Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should develop plans with milestones and time frames to resolve issues associated with data inconsistencies and matching data on the list of high-priority assets with data used to track the conduct of security surveys and vulnerability assessment.

    Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection

  3. Status: Open

    Comments: In September 2013, DHS Office of Infrastructure Protection (IP) provided the following update. IP annually establishes metrics related to the total number of vulnerability assessments and security surveys that will be conducted, to include a percentage of surveys and assessments on high priority (leveled) assets. IP reports on these metrics annually through the National Annual Report (NAR). IP is in the process of establishing additional metrics for all projects as part of the Balanced Scorecard Initiative and GPRA. This initiative recently began and work is ongoing, and it would be premature to provide the metrics in development at this time.

    Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should institutionalize realistic performance goals for appropriate levels of participation in security surveys and vulnerability assessments by high-priority assets to measure how well DHS is achieving its goals.

    Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection

  4. Status: Open

    Comments: In September 2013, DHS Office of Infrastructure Protection (IP) provided the following update. An automated tracking system will also be developed to capture the reasons why owners and operators refuse Infrastructure Survey Tools (ISTs) and the Enhanced Critical Infrastructure Program (ECIP) Standard Operating Procedure will be updated to document the use of the new tool. The design of the tracking system for refusals was completed by June 2013, and will be implemented pending approval of funding (by end of 2013).

    Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should design and implement a mechanism for systematically assessing why owners and operators of high-priority assets decline to participate and a develop a road map, with time frames and milestones, for completing this effort.

    Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection

  5. Status: Open

    Comments: In September 2013, DHS IP sent the following update: The deployment of the Web-based dashboards in February 2013 is ensuring more timely delivery of the dashboards to owners and operators. The transition to Web-based delivery eliminates delays associated with the past practice of in-person delivery of the dashboards on DVD by PSAs (e.g., availability of owners and operators, scheduling conflicts). However, GAO staff in the field have heard from asset owners and operators as well as protective security advisors (PSAs) that there have been delays in the delivery of dashboards in recent months.

    Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should develop time frames and specific milestones for managing DHS's efforts to ensure the timely delivery of the results of security surveys and vulnerability assessments to asset owners and operators.

    Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection

  6. Status: Open

    Comments: In September 2013, DHS provided the following update. The concept for sector-level view of assessment data has been proposed, and the requirements/feasibility of such a dashboard will be explored following completion of the owner and operator and State-level Web-based dashboards. When those are both complete, IP will meet with the SSAs to discuss developing a dashboard that they could use for their own risk management initiatives. Beyond the transition to a Web-based system for owner and operator dashboards, we do not have established milestones because they would be premature at this point.

    Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should revise its plans to include when and how sector-specific agencies (SSAs) will be engaged in designing, testing, and implementing DHS's web-based tool to address and mitigate any SSA concerns that may arise before the tool is finalized.

    Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection

  7. Status: Open

    Comments: In September 2013, DHS IP provided the following update. In February 2013, IP finished analyzing and comparing the Site Assistance Visit 365-day and Enhanced Critical Infrastructure Protection Survey 180-day follow-up results. In April 2013, IP decided that no modifications will be made to the timelines for follow-ups at this time.

    Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should develop a road map with time frames and specific milestones for reviewing the information it gathers from asset owners and operators to determine if follow-up visits should remain at 180 days for security surveys and whether additional follow-ups are appropriate at intervals beyond the follow-ups initially performed.

    Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection

 

Explore the full database of GAO's Open Recommendations »

Nov 6, 2014

Oct 14, 2014

Sep 30, 2014

Sep 24, 2014

Sep 18, 2014

Sep 17, 2014

Sep 10, 2014

Sep 9, 2014

Looking for more? Browse all our products here