Key Issues > Duplication & Cost Savings > GAO's Action Tracker > Vulnerability Assessments of Critical Infrastructure (2015-09)
justice icon, source: Comstock

Homeland Security/Law Enforcement: Vulnerability Assessments of Critical Infrastructure (2015-09)

The Department of Homeland Security could mitigate potential duplication or gaps by consistently capturing and maintaining data from overlapping vulnerability assessments of critical infrastructure and improving data sharing and coordination among the offices and components involved with these assessments.

Action:

The Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with other Department of Homeland Security (DHS) offices and components to develop an approach to ensure that vulnerability data gathered on critical infrastructure assets and systems are consistently collected and maintained across DHS to facilitate the identification of potential duplication and gaps in critical infrastructure coverage.

Progress:

DHS reported completing several steps to better ensure that vulnerability data gathered on critical infrastructure are consistently collected and maintained across DHS components that conduct or require vulnerability assessments, as GAO recommended in September 2014. For example, DHS reported in August 2015 that its Office of Infrastructure Protection (IP) and the Sector Outreach and Programs Division Innovation Center had formed a vulnerability assessment working group composed of a variety of federal stakeholders, both within and outside DHS, to help enhance overall integration and coordination of vulnerability assessment efforts. In addition, DHS reported that it had reviewed the vulnerability assessment tools used by its offices and components to start identifying the appropriate level of guidance to provide to DHS offices and components on eliminating gaps or duplication in methods. In December 2015, DHS noted that in addition to these actions, IP was evaluating the potential for having all DHS components implement IP’s infrastructure data standards as an approach for consistently collecting and maintaining infrastructure data to reduce duplication and gaps in coverage. In July 2016, DHS reported that IP had reached agreement with the other DHS components on adopting IP’s data standards to unambiguously identify a facility by name, location and contact POC and contact information. By taking these steps, DHS will now be better positioned to identify potential duplication and gaps in critical infrastructure coverage.

Implementing Entity:

Department of Homeland Security

Action:

The Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with other Department of Homeland Security (DHS) offices and components to develop and implement ways that DHS can facilitate data sharing and coordination of vulnerability assessments to minimize the risk of potential duplication or gaps in coverage.

Progress:

As of December 2017, DHS had developed and implemented a department-wide process to facilitate data sharing and coordination among the various DHS components that conduct or require vulnerability assessments, as GAO recommended in September 2014. In August 2015, DHS first reported that its Office of Infrastructure Protection (IP) and the Sector Outreach and Programs Division Innovation Center had formed a working group of federal stakeholders, both within and outside DHS, to enhance overall integration and coordination of vulnerability assessment efforts. In December 2015, DHS stated that IP was conducting pilot projects to expand access to its IP Gateway portal—IP’s system that houses infrastructure data and identifies facilities that have been assessed by IP and its state, local, territorial and tribal government stakeholders. 

In a July 2016 update, DHS reported that IP and DHS components had agreed on the most important areas for which assessment data should be collected and the format for its collection. DHS said this would enable the strategic comparison and prioritization of federal resources and expand access to its IP Gateway portal to those partners. DHS also noted in its update that IP had begun providing access to IP Gateway to the other components within DHS. In June 2017, DHS reported that the Coast Guard used IP Gateway to access assessment-related information, demonstrating the proof of concept for their approach to use IP Gateway as a means of sharing assessment information. In September 2017, DHS reported that it had tracked over 200 instances of use of IP Gateway across the department as of that time. By taking these steps, DHS is now better positioned to minimize the risk of potential duplication and gaps by its offices and components in the vulnerability assessments they conduct.

Implementing Entity:

Department of Homeland Security
  • portrait of
    • Christopher P. Currie
    • Director, Homeland Security and Justice
    • curriec@gao.gov
    • (404) 679-1875