Critical Infrastructure Protection:
DHS Could Better Manage Security Surveys and Vulnerability Assessments
GAO-12-378, May 31, 2012
Contact:
(202) 512-8777
caldwells@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
What GAO Found
The Department of Homeland Security (DHS) has conducted about 2,800 security surveys and vulnerability assessments on critical infrastructure and key resources (CIKR). DHS directs its protective security advisors to contact owners and operators of high-priority CIKR to offer to conduct surveys and assessments. However, DHS is not positioned to track the extent to which these are performed at high-priority CIKR because of inconsistencies between the databases used to identify these assets and those used to identify surveys and assessments conducted. GAO compared the two databases and found that of the 2,195 security surveys and 655 vulnerability assessments conducted for fiscal years 2009 through 2011, 135 surveys and 44 assessments matched and another 106 surveys and 23 assessments were potential matches for high-priority facilities. GAO could not match additional high-priority facilities because of inconsistencies in the way data were recorded in the two databases; for example, assets with the same company name had different addresses, or an asset at one address had different names. DHS officials acknowledged that the data did not match and have begun to take actions to improve the collection and organization of the data. However, DHS does not have milestones and timelines for completing these efforts consistent with standards for project management. By developing a plan with time frames and milestones consistent with these standards, DHS would be better positioned to provide a more complete picture of its progress.
DHS shares the results of security surveys and vulnerability assessments with asset owners or operators but faces challenges doing so. A GAO analysis of DHS data from fiscal year 2011 showed that DHS was late meeting its (1) 30-day time frame, as required by DHS guidance, for delivering the results of its security surveys 60 percent of the time and (2) 60-day time frame, expected by DHS managers for delivering the results of its vulnerability assessments, in 84 percent of the instances. DHS officials acknowledged the late delivery of survey and assessment results and said they are working to improve processes and protocols. However, DHS has not established a plan with time frames and milestones for managing this effort consistent with the standards for project management. Also, the National Infrastructure Protection Plan (NIPP), which emphasizes partnering and voluntary information sharing, states that CIKR partners need to be provided with timely and relevant information that they can use to make decisions. Developing a plan with time frames and milestones for improving timeliness could help DHS provide asset owners and operators with the timely information they need to consider security enhancements.
DHS uses a follow-up tool to assess the results of security surveys and assessments performed at CIKR assets, and is considering upgrades to the tool. However, DHS could better measure results and improve program management by capturing additional information. For example, key information, such as why certain improvements were or were not made by asset owners and operators that have received security surveys, could help DHS improve its efforts. Further, information on barriers to making improvements, such as the cost of security enhancements, could help DHS better understand asset owners' and operators' rationale in making decisions and thereby help improve its programs. Taking steps to gather additional information could help keep DHS better informed for making decisions in managing its programs.
Why GAO Did This Study
Natural disasters, such as Hurricane Katrina, and terrorist attacks, such as the 2005 bombings in London, highlight the importance of protecting CIKR: assets and systems vital to the economy or health of the nation. DHS issued the NIPP in June 2006 (updated in 2009) to provide the approach for integrating the nation's CIKR. Because the private sector owns most of the nation's CIKR (for example, energy production facilities), DHS encourages asset owners and operators to voluntarily participate in surveys or vulnerability assessments of existing security measures at those assets. This includes nationally significant CIKR that DHS designates as high priority. In response to a request, this report assesses the extent to which DHS has (1) taken action to conduct surveys and assessments among high-priority CIKR, (2) shared the results of these surveys and assessments with asset owners or operators, and (3) assessed the effectiveness of surveys and assessments and identified actions taken, if any, to improve them. GAO, among other things, reviewed laws, analyzed data identifying high-priority assets and activities performed from fiscal years 2009 through 2011, and interviewed DHS officials.
What GAO Recommends
GAO recommends that, among other things, DHS develop plans for its efforts to improve the collection and organization of data and the timeliness of survey and assessment results, and gather and act upon additional information from asset owners and operators about why improvements were or were not made. DHS concurred with the recommendations.
For more information, contact Stephen L. Caldwell at (202) 512-8777 or caldwells@gao.gov.
Recommendations for Executive Action
Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meets the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should consider the feasibility of expanding the follow-up program to gather and act upon data, as appropriate, on (1) security enhancements that are ongoing and planned that are attributable to DHS security surveys and vulnerability assessments and (2) factors, such as cost and perceptions of threat, that influence asset owner and operator decisions to make, or not make, enhancements based on the results of DHS security surveys and vulnerability assessments.
Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meets the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should develop a road map with time frames and specific milestones for reviewing the information it gathers from asset owners and operators to determine if follow-up visits should remain at 180 days for security surveys and whether additional follow-ups are appropriate at intervals beyond the follow-ups initially performed.
Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meets the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should revise its plans to include when and how sector-specific agencies (SSAs) will be engaged in designing, testing, and implementing DHS's web-based tool to address and mitigate any SSA concerns that may arise before the tool is finalized.
Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meets the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should develop time frames and specific milestones for managing DHS's efforts to ensure the timely delivery of the results of security surveys and vulnerability assessments to asset owners and operators.
Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meets the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should design and implement a mechanism for systematically assessing why owners and operators of high-priority assets decline to participate and develop a road map, with time frames and milestones, for completing this effort.
Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meets the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should institutionalize realistic performance goals for appropriate levels of participation in security surveys and vulnerability assessments by high-priority assets to measure how well DHS is achieving its goals.
Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.
Recommendation: To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meets the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should develop plans with milestones and time frames to resolve issues associated with data inconsistencies and matching data on the list of high-priority assets with data used to track the conduct of security surveys and vulnerability assessments.
Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection
Status: Review Pending
Comments: When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.