Critical Infrastructure Protection:
An Implementation Strategy Could Advance DHS's Coordination of Resilience Efforts across Ports and Other Infrastructure
GAO-13-11: Published: Oct 25, 2012. Publicly Released: Oct 25, 2012.
What GAO Found
The Department of Homeland Security (DHS) is developing a resilience policy, but an implementation strategy is a key next step that could help strengthen DHS resilience efforts. DHS defines resilience as the ability to resist, absorb, recover from, or adapt to adversity, and some high-level documents currently promote resilience as a key national goal. Specifically, two key White House documents emphasize resilience on a national level--the 2011 Presidential Policy Directive 8 and the 2012 National Strategy for Global Supply Chain Security. Since 2009, DHS has emphasized the concept of resilience and is currently in the process of developing a resilience policy, the initial steps of which have included creating two internal entities--the Resilience Integration Team and the Office of Resilience Policy (ORP). According to ORP officials, they saw a need to establish a policy that provides component agencies with a single, consistent, departmentwide understanding of resilience that clarifies and consolidates resilience concepts from high-level guiding documents, and helps components understand how their activities address DHS's proposed resilience objectives. ORP officials hope to have an approved policy in place later this year. However, DHS officials stated that currently there are no plans to develop an implementation strategy for this policy. An implementation strategy that defines goals, objectives, and activities; identifies resource needs; and lays out milestones is a key step that could help ensure that DHS components adopt the policy consistently and in a timely manner. For example, an implementation strategy with goals and objectives could provide ORP with a more complete picture of how DHS components are implementing this policy.
The Coast Guard and the Office of Infrastructure Protection (IP) work with stakeholders to address some aspects of critical infrastructure resilience, but they could take additional collaborative actions to promote portwide resilience. The Coast Guard is port focused and works with owners and operators of assets, such as vessels and port facilities, to assess and enhance various aspects of critical infrastructure resilience in ports--such as security protection, port recovery, and risk analysis efforts. In contrast, IP, through its Regional Resiliency Assessment Program (RRAP), conducts assessments with a broader regional focus, but is not port specific. An RRAP assessment is conducted to assess vulnerability to help improve resilience and allow for an analysis of infrastructure "clusters" and systems in various regions--for example, a regional transportation and energy corridor. The Coast Guard and IP have collaborated on some RRAP assessments, but there may be opportunities for further collaboration to conduct port-focused resilience assessments. For example, IP and the Coast Guard could collaborate to leverage existing expertise and tools--such as the RRAP approach--to develop assessments of the overall resilience of specific port areas. Having relevant agencies collaborate and leverage one another's resources to conduct joint portwide resilience assessments could further all stakeholders' understanding of interdependencies with other port partners, and help determine where to focus scarce resources to enhance resilience for port areas.
Why GAO Did This Study
U.S. ports are part of an economic engine handling more than $700 billion in merchandise annually, and a disruption to port operations could have a widespread impact on the global economy. DHS has broad responsibility for protection and resilience of critical infrastructure. Within DHS, the Coast Guard is responsible for the maritime environment, and port safety and security, and IP works to enhance critical infrastructure resilience. Recognizing the importance of the continuity of operations in critical infrastructure sectors, DHS has taken initial steps to emphasize the concept of resilience. GAO was asked to review port resilience efforts. This report addresses the extent to which (1) DHS has provided a road map or plan for guiding resilience efforts, and (2) the Coast Guard and IP are working with port stakeholders and each other to enhance port resilience. To address these objectives, GAO analyzed key legislation and DHS documents and guidance. GAO conducted site visits to three ports, selected based on geography, industries, and potential threats; GAO also interviewed DHS officials and industry stakeholders. Information from site visits cannot be generalized to all ports, but provides insights.
What GAO Recommends
GAO recommends that DHS develop an implementation strategy for its resilience policy and that the Coast Guard and IP identify opportunities to collaborate to leverage existing tools and resources to assess port resilience. DHS concurred with GAO's recommendations.
For more information, contact Stephen Caldwell at (202) 512-9610 or firstname.lastname@example.org.
Recommendations for Executive Action
Comments: In the 60-day letter provided in January 2013, DHS indicated that the Resilience Integration Team (RIT) was developing a draft implementation plan to be circulated among relevant stakeholders for review. On 10/30/13, we notified DHS that we would like to see a copy of the resilience policy implementation plan (if developed), or any other related documentation if the plan is still in development. We were informed later that day that a draft plan had been developed, and DHS needed to confirm its status. In May of 2015, we were told again that a draft plan had been developed but never finalized. As of August 2015, DHS's Policy Office is looking into the status of plan development. We await their response. DHS response still pending as of 10/4/16.
Recommendation: To better ensure consistent implementation of and accountability for DHS's resilience policy, the Secretary of Homeland Security should direct the Assistant Secretary for Policy to develop an implementation strategy for this new policy that identifies the following characteristics and others that may be deemed appropriate: (1) steps needed to achieve results, by developing priorities, milestones, and performance measures; (2) responsible entities, their roles compared with those of others, and mechanisms needed for successful coordination; and (3) sources and types of resources and investments associated with the strategy, and where those resources and investments should be targeted.
Agency Affected: Department of Homeland Security
Status: Closed - Implemented
Comments: In October 2012, we reported on Coast Guard and Office of Infrastructure Protection (IP), within the Department of Homeland Security(DHS), efforts to address some aspects of critical infrastructure resilience. During the course of our review we found that they could take additional collaborative actions to promote portwide resilience. Specifically, IP and the Coast Guard could collaborate to leverage existing expertise and tools such as IP's Regional Resiliency Assessment Program (RRAP) to develop assessments of the overall resilience of specific port areas. We reported that the Coast Guard and IP have collaborated on some RRAP assessments, but there may be opportunities for further collaboration to conduct port-focused resilience assessments. We recommended that the Coast Guard and IP identify opportunities to collaborate to leverage existing tools and resources to assess port resilience, and the agencies agreed. DHS first reported in September 2013 that the Coast Guard and IP had cooperatively formed a plan of action to increase collaboration relative to the resilience of ports. This plan of action included working together to develop information sharing practices, dissemination of RRAP reports with a port or maritime nexus to the Coast Guard, and encouraging greater field collaboration by having IP issue direction to field Protective Security Advisors to reinforce the need to coordinate closely with the Coast Guard on port/maritime resilience matters. Between September 2013 and July 2016, IP and Coast Guard provided us with examples of communications between them intended to increase their collaboration, including coordination of some RRAPs. In April 2017, we obtained and reviewed some additional documentation from DHS to corroborate that actions have been implemented in response to our recommendation. These include metrics, such as the frequency of information sharing related to certain assessments; guidance documents for IP Gateway information sharing; records of activities where PSAs and Coast Guard officials collaborated; and details of an ongoing and coordinated RRAP related to cyber technologies in the maritime environment. As a result, this recommendation is closed as implemented.
Recommendation: To allow for more efficient efforts to assess portwide resilience, the Secretary of Homeland Security should direct the Assistant Secretary of Infrastructure Protection and the Commandant of the Coast Guard to look for opportunities to collaborate to leverage existing tools and resources to conduct assessments of portwide resilience. In developing this approach, DHS should consider the use of data gathered through IP's voluntary assessments of port area critical infrastructure or regional RRAP assessments--taking into consideration the need to protect information collected voluntarily--as well as Coast Guard data gathered through its MSRAM assessments, and other tools used by the Coast Guard.
Agency Affected: Department of Homeland Security