Critical Infrastructure Protection:
DHS List of Priority Assets Needs to Be Validated and Reported to Congress
GAO-13-296: Published: Mar 25, 2013. Publicly Released: Mar 25, 2013.
What GAO Found
The Department of Homeland Security (DHS) has made several changes to its criteria for including assets on the National Critical Infrastructure Prioritization Program (NCIPP) list of the nation's highest-priority infrastructure, but has not identified the impact of these changes or validated its approach. In 2009, DHS changed the criteria to make the list entirely consequence based--that is, based on the effect of an event on public health and safety, and economic, psychological, and government mission impacts. Subsequent changes introduced specialized criteria for some sectors and assets. For example, infrastructure that has received a specific, credible threat, but otherwise does not meet NCIPP criteria, may be included on the list. DHS's changes to the NCIPP criteria have changed the composition of the NCIPP list, which has had an impact on users of the list, such as the Federal Emergency Management Agency. However, DHS has not reviewed the impact of changes on users nor validated its approach to developing the list. While the change to an entirely consequence-based list created a common approach to identify infrastructure and align the program with applicable laws and the National Infrastructure Protection Plan, recent criteria changes to accommodate certain sectors and assets represent a departure from this common approach, which could hinder DHS's ability to compare infrastructure across sectors. Program officials noted they would like to validate the NCIPP, but they have not yet submitted a proposal to DHS management. An independent peer review--a best practice in risk management--would better position DHS to reasonably assure that the NCIPP list identifies the nation's highest-priority infrastructure.
To develop the list, DHS has consulted with both states and sector-specific agencies (SSA)--federal agencies responsible for protection and resiliency efforts among individual critical infrastructure sectors, such as energy, transportation, and dams. Since changing the NCIPP criteria in 2009, DHS has taken proactive steps to help states nominate assets to the list. These steps include providing on-site assistance, minimizing changes to the criteria, conducting outreach to encourage participation in an NCIPP working group (which includes SSAs), and providing explanations of why nominated assets do not make the list. DHS recognizes that states, in particular, face challenges--such as resource and budgetary constraints--associated with nominating assets, and has taken actions to address these challenges and reduce the burden on states.
GAO could not verify that DHS is meeting statutory requirements to report annually to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives on the NCIPP list. DHS officials prepared documents that generally contained information consistent with statutory reporting requirements, but they were uncertain whether they had been delivered to the committees because they do not have records to verify they were delivered. An approach to verify the delivery of the required reports, such as documenting or recording the transactions, would better position DHS to ensure that it is in compliance with its statutory reporting requirements and that it provides the committees with the information needed to perform oversight of the program.
Why GAO Did This Study
In October 2012, Hurricane Sandy caused widespread damage across multiple states and affected millions of people. Threats to critical infrastructure are not limited to natural disasters, as demonstrated by the terrorist attacks of September 11, 2001. Originally developed by DHS in 2006, and consistent with the Implementing Recommendations of the 9/11 Commission Act of 2007, the NCIPP identifies and prioritizes nationally significant critical infrastructure each year. However, Members of Congress and some state officials have raised questions about changes DHS has made to its approach for creating the list and the impact of these changes.
GAO was asked to review DHS management of the program. GAO assessed the extent to which DHS has (1) changed its criteria for developing the list, identified the impact, if any, of these changes, and validated its approach, (2) worked with states and SSAs to develop the list, and (3) reported to Congress on the NCIPP. GAO, among other things, reviewed laws, DHS policies and procedures; analyzed the lists from 2007 through 2012; and interviewed DHS, SSA, and state homeland security officials selected based on their involvement with the program and geographic diversity. The interviews are not generalizable but provide insights.
What GAO Recommends
GAO recommends that DHS commission an external peer review and develop an approach to verify that the annual reports are provided to the requisite committees of Congress. DHS concurred with the recommendations.
For more information, contact Stephen Caldwell at (202) 512-8777 or firstname.lastname@example.org.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: In March 2013, we reported that DHS had made several changes to its criteria for including assets on the National Critical Infrastructure Prioritization Program (NCIPP) list of the nation's highest-priority critical infrastructure (CI), which resulted in changes in the composition of the list and impacted its users. We also reported that some of these changes could hinder DHS's ability to compare infrastructure across sectors and that a peer review would better position DHS to reasonably assure that the NCIPP list identifies the nation's highest-priority CI. DHS concurred with our recommendation, and in November 2013, DHS commissioned a seven-member panel to review the NCIPP process. From November 2013 through January 2014, the panel reviewed the NCIPP process, guidance documentation, and process phases to provide an evaluation of the extent to which the process is comprehensive, reproducible, and defensible. The panel made 28 observations about NCIPP, to which DHS provided some responses. There is some disagreement among panel members regarding how well DHS has taken actions that address the review panel observations. For example, review panel members expressed divergent views regarding the classification of the NCIPP list, publication protocols, and whether private sector owners of the assets, systems, and clusters should be notified of inclusion on the list. Some DHS responses also place additional responsibilities on states. DHS is, however, exploring options to streamline the process and limit the delay of dissemination among those who have a need-to-know. DHS's commissioning of a review panel satisfies the intent of our recommendation.
Recommendation: To better ensure that DHS's approach to identify and prioritize critical infrastructure is consistent with the National Infrastructure Protection Plan (NIPP) risk management framework and that DHS is positioned to provide reasonable assurance that protection and resiliency efforts and investments are focused on the nation's highest-priority critical infrastructure, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should commission an independent, external peer review of the program with clear project objectives for completing this effort.
Agency Affected: Department of Homeland Security: National Protection and Programs Directorate: Office of Infrastructure Protection
Status: Closed - Implemented
Comments: DHS Office of Legislative Affairs (OLA) developed a standard operating procedure (SOP) in April 2013 in response to this recommendation and coordinated with the National Protection and Programs Directorate (NPPD) Executive Secretariat to finalize the SOP in July 2013. In addition, NPPD OLA created a SharePoint site, which includes a folder to track Congressional Reports. The 2011-2012 Title X Sec. 210 Report was subsequently delivered to Congress on August 6, 2013. NPPD has followed the same procedure for another NPPD authorization report.
Recommendation: To ensure that DHS is in compliance with its statutory reporting requirements and provides decision makers with the information necessary to perform program oversight, the Secretary of Homeland Security should develop an approach, such as documenting or recording the transaction, to verify the delivery of the statutorily required annual reports on the database and list to the requisite congressional committees.
Agency Affected: Department of Homeland Security