The Department of Homeland Security's (DHS) Critical Infrastructure Protection Cost-Benefit Report
GAO-09-654R: Published: Jun 26, 2009. Publicly Released: Jun 26, 2009.
Additional Materials:
- Full Report:
- Accessible Text:
Contact:
(202) 512-9610
contact@gao.gov
Office of Public Affairs
(202) 512-4800
youngc1@gao.gov
In 2005, Hurricane Katrina devastated the Gulf Coast, damaging critical infrastructure, such as oil platforms, pipelines, and refineries; water mains; electric power lines; and cellular phone towers. The infrastructure damage and resulting chaos disrupted government and business functions alike, producing cascading effects far beyond the physical location of the storm. Threats against critical infrastructure are not limited to natural disasters. For example, in 2005, suicide bombers struck London's public transportation system, disrupting the city's transportation and mobile telecommunications infrastructure. In March 2007, we reported that our nation's critical infrastructures and key resources (CIKR)--systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on national security, national economic security, national public health or safety, or any combination of those matters--continue to be vulnerable to a wide variety of threats. According to DHS, because the private sector owns approximately 85 percent of the nation's CIKR--banking and financial institutions, telecommunications networks, and energy production and transmission facilities, among others--it is vital that the public and private sectors work together to protect these assets. The Homeland Security Act of 2002 created DHS and gave the department wide-ranging responsibilities for, among other things, leading and coordinating the overall national critical infrastructure protection effort. For example, the act required DHS to (1) develop a comprehensive national plan for securing the nation's CIKR and (2) recommend measures to protect CIKR in coordination with other agencies of the federal government and in cooperation with state and local government agencies and authorities, the private sector, and other entities. Homeland Security Presidential Directive 7 (HSPD-7) further defined critical infrastructure protection responsibilities for DHS and those federal agencies--known as sector-specific agencies (SSA)--responsible for particular industry sectors, such as transportation, energy, and communications. HSPD-7 directed DHS to establish uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across CIKR sectors. The Conference Report accompanying the Department of Homeland Security Appropriations Act, 2005, directed DHS to complete an analysis on whether the department should require private sector entities to provide DHS with existing information about their security measures and vulnerabilities in order to improve the department's ability to evaluate critical infrastructure protection nationwide. This direction was consistent with concerns raised by the House Appropriations Committee about DHS's progress conducting vulnerability assessments for critical infrastructure facilities generally, and security measures at chemical facilities in particular.
DHS used two contractors to complete the cost-benefit report at a cost of about $3.4 million. In August 2005, the first contractor developed a draft proposal that discussed the scope of the information required to complete the report and the security and vulnerability information currently available to DHS. It also proposed surveying the public and private sectors to collect information on the costs anbenefits of providing vulnerability assessment and security information to DHS. DHofficials said that DHS rejected this approach because DHS was involved in developing a public-private partnership structure and officials believed that doingsurvey on possible regulatory costs would have adversely affected the partnershipbuilding process. DHS officials also said that the Paperwork Reduction Act (PRA)--which requires agency requests for information to undergo internal and OffManagement and Budget review and approval and includes, among other requirements, public comment periods for the proposed information-gathering method--could have resulted in some delays in gathering data for the report, but it was not the primary reason for rejecting the proposed survey approach. DHS subsequently tasked the second contractor to complete the report using a different methodology, and according to DHS, this contractor produced a draft report in December 2005. This contractor compiled publicly available information on the costs and benefits to the public and private sectors of requiring vulnerability and security information be provided to DHS. Although the second contractor's report discussed potential public and private sector costs and benefits, it did not articulate which of these costs and benefits were most important, nor did it conclude whether the costs exceeded the benefits, or vice a versa, with regard to potential requirements for the private sector to provide information on vulnerabilities and existing security measures. DHS took receipt of the second contractor's report and, according to DHS officials, continued to revise it throughout the following year to incorporate information from the final NIPP and it's supporting sector specific plans. In addition to a discussion of potential costs and benefits, DHS's final report, dated June 2007, includes a general discussion of critical infrastructure risk management and associated information needs, an overview of the existing regulatory environment for each of the CIKR sectors, and the availability of security information and its utility to security partners, such as CIKR owners and operators. DHS officials told us that they believe the final report was useful because it provided insights on different regulatory approaches across sectors and used appendixes to present more detailed regulatory overviews of three sectors--the chemical sector, the electricity sub sector of the energy sector, and the food and agriculture sector. They added that some sectors used this information to help write sector specific plans (SSPs) that are to augment the NIPP and detail the application of the NIPP framework to each CIKR sector. Nonetheless, DHS officials said that they believe that the report is outdated because DHS's CIKR program has evolved and matured since the report was originally completed, including DHS's efforts to promote and achieve voluntary information sharing between DHS and the private sector. Regarding the latter, DHS officials stated that they believe that the type of report directed by the Conference Report--that DHS analyze whether private sector entities should be required to provide information to the department--conflicts with the partnering/voluntary information-sharing approach DHS was already mandated to pursue under the Homeland Security Act.
Jan 21, 2021
-
Chemical Security:
Overlapping Programs Could Better Collaborate to Share Information and Identify Potential Security GapsGAO-21-12: Published: Jan 21, 2021. Publicly Released: Jan 21, 2021.
Jan 19, 2021
-
DHS Annual Assessment:
Most Acquisition Programs Are Meeting Goals but Data Provided to Congress Lacks Context Needed For Effective OversightGAO-21-175: Published: Jan 19, 2021. Publicly Released: Jan 19, 2021.
Dec 16, 2020
-
Coast Guard:
Actions Needed to Improve National Vessel Documentation Center OperationsGAO-21-100: Published: Dec 16, 2020. Publicly Released: Dec 16, 2020.
Nov 23, 2020
-
Southwest Border:
Information on Federal Agencies' Process for Acquiring Private Land for BarriersGAO-21-114: Published: Nov 17, 2020. Publicly Released: Nov 23, 2020.
Nov 12, 2020
-
Coast Guard Acquisitions:
Opportunities Exist to Reduce Risk for the Offshore Patrol Cutter ProgramGAO-21-9: Published: Oct 28, 2020. Publicly Released: Nov 12, 2020.
Oct 29, 2020
-
TSA Acquisitions:
TSA Needs to Establish Metrics and Evaluate Third Party Testing Outcomes for Screening TechnologiesGAO-21-50: Published: Oct 29, 2020. Publicly Released: Oct 29, 2020.
Oct 20, 2020
-
Homeland Security Acquisitions:
DHS Has Opportunities to Improve Its Component Acquisition OversightGAO-21-77: Published: Oct 20, 2020. Publicly Released: Oct 20, 2020.
Sep 30, 2020
-
Disaster Assistance:
Additional Actions Needed to Strengthen FEMA's Individuals and Households ProgramGAO-20-503: Published: Sep 30, 2020. Publicly Released: Sep 30, 2020. -
Supplemental Material for GAO-20-503:
FEMA Individuals and Households Program Applicant Data 2016 – 2018GAO-20-675SP: Published: Sep 30, 2020. Publicly Released: Sep 30, 2020. -
Supplemental Material for GAO-20-503:
Select Disaster Profiles for FEMA's Individuals and Households Program 2016-2018GAO-20-674SP: Published: Sep 30, 2020. Publicly Released: Sep 30, 2020.
Looking for more? Browse all our products here