Critical Infrastructure Protection:
An Implementation Strategy Could Advance DHS's Coordination of Resilience Efforts across Ports and Other Infrastructure
GAO-13-11: Published: Oct 25, 2012. Publicly Released: Oct 25, 2012.
What GAO Found
The Department of Homeland Security (DHS) is developing a resilience policy, but an implementation strategy is a key next step that could help strengthen DHS resilience efforts. DHS defines resilience as the ability to resist, absorb, recover from, or adapt to adversity, and some high-level documents currently promote resilience as a key national goal. Specifically, two key White House documents emphasize resilience on a national level--the 2011 Presidential Policy Directive 8 and the 2012 National Strategy for Global Supply Chain Security. Since 2009, DHS has emphasized the concept of resilience and is currently in the process of developing a resilience policy, the initial steps of which have included creating two internal entities--the Resilience Integration Team and the Office of Resilience Policy (ORP). According to ORP officials, they saw a need to establish a policy that provides component agencies with a single, consistent, departmentwide understanding of resilience that clarifies and consolidates resilience concepts from high-level guiding documents, and helps components understand how their activities address DHS's proposed resilience objectives. ORP officials hope to have an approved policy in place later this year. However, DHS officials stated that currently there are no plans to develop an implementation strategy for this policy. An implementation strategy that defines goals, objectives, and activities; identifies resource needs; and lays out milestones is a key step that could help ensure that DHS components adopt the policy consistently and in a timely manner. For example, an implementation strategy with goals and objectives could provide ORP with a more complete picture of how DHS components are implementing this policy.
The Coast Guard and the Office of Infrastructure Protection (IP) work with stakeholders to address some aspects of critical infrastructure resilience, but they could take additional collaborative actions to promote portwide resilience. The Coast Guard is port focused and works with owners and operators of assets, such as vessels and port facilities, to assess and enhance various aspects of critical infrastructure resilience in ports--such as security protection, port recovery, and risk analysis efforts. In contrast, IP, through its Regional Resiliency Assessment Program (RRAP), conducts assessments with a broader regional focus, but is not port specific. An RRAP assessment is conducted to assess vulnerability to help improve resilience and allow for an analysis of infrastructure "clusters" and systems in various regions--for example, a regional transportation and energy corridor. The Coast Guard and IP have collaborated on some RRAP assessments, but there may be opportunities for further collaboration to conduct port-focused resilience assessments. For example, IP and the Coast Guard could collaborate to leverage existing expertise and tools--such as the RRAP approach--to develop assessments of the overall resilience of specific port areas. Having relevant agencies collaborate and leverage one another's resources to conduct joint portwide resilience assessments could further all stakeholders' understanding of interdependencies with other port partners, and help determine where to focus scarce resources to enhance resilience for port areas.
Why GAO Did This Study
U.S. ports are part of an economic engine handling more than $700 billion in merchandise annually, and a disruption to port operations could have a widespread impact on the global economy. DHS has broad responsibility for protection and resilience of critical infrastructure. Within DHS, the Coast Guard is responsible for the maritime environment, and port safety and security, and IP works to enhance critical infrastructure resilience. Recognizing the importance of the continuity of operations in critical infrastructure sectors, DHS has taken initial steps to emphasize the concept of resilience. GAO was asked to review port resilience efforts. This report addresses the extent to which (1) DHS has provided a road map or plan for guiding resilience efforts, and (2) the Coast Guard and IP are working with port stakeholders and each other to enhance port resilience. To address these objectives, GAO analyzed key legislation and DHS documents and guidance. GAO conducted site visits to three ports, selected based on geography, industries, and potential threats; GAO also interviewed DHS officials and industry stakeholders. Information from site visits cannot be generalized to all ports, but provides insights.
What GAO Recommends
GAO recommends that DHS develop an implementation strategy for its resilience policy and that the Coast Guard and IP identify opportunities to collaborate to leverage existing tools and resources to assess port resilience. DHS concurred with GAO's recommendations.
For more information, contact Stephen Caldwell at (202) 512-9610 or email@example.com.
Recommendations for Executive Action
Comments: In the 60-day letter provided in January 2013, DHS indicated that the Resilience Integration Team (RIT) was developing a draft implementation plan to be circulated among relevant stakeholders for review. On 10/30/13, we notified DHS that we would like to see a copy of the resilience policy implementation plan (if developed), or any other related documentation if the plan is still in development. We were informed later that day that a draft plan had been developed, and DHS needed to confirm its status. In May of 2015, we were told again that a draft plan had been developed but never finalized. As of August 2015, DHS's Policy Office is looking into the status of plan development. We await their response. DHS response still pending as of 10/4/16.
Recommendation: To better ensure consistent implementation of and accountability for DHS's resilience policy, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to develop an implementation strategy for this new policy that identifies the following characteristics and others that may be deemed appropriate: (1) steps needed to achieve results, by developing priorities, milestones, and performance measures; (2) responsible entities, their roles compared with those of others, and mechanisms needed for successful coordination; and (3) sources and types of resources and investments associated with the strategy, and where those resources and investments should be targeted.
Agency Affected: Department of Homeland Security
Comments: In September 2013, the Coast Guard and Office of Infrastructure Protection (IP) reported to GAO that the two components have cooperatively formed a plan of action to increase collaboration relative to the resilience of ports. This plan of action includes working together to develop information sharing practices, dissemination of IP's Regional Resiliency Assessment Program (RRAP) reports with a port or maritime nexus to the Coast Guard, and encouraging greater field collaboration by having IP issue direction to field Protective Security Advisors to reinforce the need to coordinate closely with the Coast Guard on port/maritime resilience matters. On 10/30/13, we informed DHS that we would like to review documentation that supports the steps taken for these various action plan items, such as copies of information sharing plans, a listing of RRAP reports that IP has provided to Coast Guard including the context in which those reports were provided, and communications with Protective Security Advisors regarding greater collaboration with Coast Guard. On 11/27/13, IP sent copies of e-mails that communicated efforts to increase collaboration between IP and Coast Guard, including lists of RRAPs shared between the two. On 1/14/14, Coast Guard sent us a list of RRAPs that it was (and in some cases was not) involved in preparing, along with a memorandum of understanding between Coast Guard and IP regarding information sharing in support of the marine transportation system. We requested a meeting with Coast Guard officials to discuss their level of involvement in RRAP preparation. We have since been in contact with Coast Guard officials (in April and October of 2014) who have indicated that IP interaction on RRAPs has been sparse beyond the initial contact phase. On 8/27/15, we reached out to the IP audit liaison to request a meeting to discuss more details on their RRAP interaction with Coast Guard. In July 2016, DHS reported to GAO a number of ongoing efforts to increase collaboration and information sharing, including a recent proposal by DHS to change its Protected Critical Infrastructure Information (PCII) program through a proposed rule, the creation of a workgroup focused on enhancing integration and coordination of vulnerability assessment efforts, and the sharing of vulnerability assessment questions and information on secure network portals such as the Infrastructure Protection Gateway (IP Gateway). However, in May 2016 Coast Guard officials told us that DHS IP and Coast Guard vulnerability assessments vary in scope based on statutory requirements, programmatic goals, jurisdictions, and rules for data classification. They further stated that these variations limit the extent to which each program can collaborate and that collaborative port-wide assessments are not currently feasible. Moreover, DHS IP and Coast Guard have not provided documentation showing the extent to which collaboration and information sharing has taken place, or why it is not currently feasible. As a result, the extent to which IP and the Coast Guard are sharing actual assessment data is unclear. Presidential Policy Directive/PPD-21, the National Infrastructure Protection Plan, and the National Preparedness directive all call for DHS to seek opportunities for collaboration with appropriate agencies to carry out critical infrastructure missions. Given that DHS and component actions to identify opportunities to collaborate and improve information sharing are ongoing, such as the PCII rulemaking, and that it is unclear what opportunities have been used to leverage existing tools and resources, such as vulnerability assessments. As a result, the recommendation will remain open as of 9/28/2016 pending GAO's review of any additional documentation from DHS and/or components to corroborate that actions have been implemented, and upon receipt, we will reconsider its status at a later time.
Recommendation: To allow for more efficient efforts to assess portwide resilience, the Secretary of Homeland Security should direct the Assistant Secretary of Infrastructure Protection and the Commandant of the Coast Guard to look for opportunities to collaborate to leverage existing tools and resources to conduct assessments of portwide resilience. In developing this approach, DHS should consider the use of data gathered through IP's voluntary assessments of port area critical infrastructure or regional RRAP assessments--taking into consideration the need to protect information collected voluntarily--as well as Coast Guard data gathered through its MSRAM assessments, and other tools used by the Coast Guard.
Agency Affected: Department of Homeland Security