Critical Infrastructure Protection:
Comments on the National Plan for Information Systems Protection
T-AIMD-00-72, Feb 1, 2000
Pursuant to a congressional request, GAO discussed the National Plan for Information Systems Protection, focusing on: (1) a detailed overview of the plan; (2) opportunities for sharpening the plan's proposals for improving the federal government's security programs; and (3) the challenges facing the government in building the public-private partnerships necessary for comprehensive infrastructure protections.
GAO noted that: (1) the National Plan for Information Systems Protection is intended as a first major element of a more comprehensive effort to protect the nation's information systems and critical assets from future attacks; (2) this preliminary version focuses largely on federal efforts being undertaken to protect the nation's critical cyber-based infrastructures; (3) subsequent versions are to address a broader range of concerns, including the specific role industry and state and local governments will play in protecting physical and cyber-based infrastructures from deliberate attack as well as international aspects of critical infrastructure protection; (4) the end goal of this process is to develop a comprehensive national strategy for infrastructure assurance as envisioned by Presidential Decision Directive 63; (5) making the federal government a model of good information security is essential to the plan's success; (6) recent audits conducted by GAO and agency inspectors general show that 22 of the largest federal agencies have significant computer security weaknesses, ranging from poor controls over access to sensitive systems and data, to poor control over software development and changes, and nonexistent or weak continuity of service plans; (7) agencies have not established security management programs to ensure that controls, once implemented properly, are effective on an ongoing basis; (8) GAO also observed that other crosscutting actions--ranging from clarifying the roles and responsibilities of the many entities involved in information security, to strengthening oversight, to securing adequate technical expertise and funding--were needed in seven key areas to provide greater assurance that critical infrastructure objectives can be met; (9) the second facet of the plan focuses on developing a public-private partnership to protect the nation's infrastructure; and (10) in doing so, the plan proposes developing mechanisms and improving incentives for the private sector to cooperate voluntarily with the federal government, as well as with state and local governments, to work together to provide for the common defense of the infrastructure.