Critical Infrastructure Protection:
Sector Plans and Sector Councils Continue to Evolve
GAO-07-706R: Published: Jul 10, 2007. Publicly Released: Jul 10, 2007.
In 2005, Hurricane Katrina devastated the Gulf Coast, damaging critical infrastructure, such as oil platforms, pipelines, and refineries; water mains; electric power lines; and cellular phone towers. The infrastructure damage and resulting chaos disrupted government and business functions alike, producing cascading effects far beyond the physical location of the storm. Our nation's critical infrastructures and key resources--including those cyber and physical assets essential to national security, national economic security, and national public health and safety--continue to be vulnerable to a wide variety of threats. Because the private sector owns approximately 85 percent of the nation's critical infrastructure and key resources--banking and financial institutions, telecommunications networks, and energy production and transmission facilities, among others--it is vital that the public and private sectors form effective partnerships to successfully protect these assets. The Homeland Security Act of 2002 created the Department of Homeland Security (DHS), giving the department wide-ranging responsibilities for leading and coordinating the overall national critical infrastructure protection effort. The act required DHS to (1) develop a comprehensive national plan for securing the nation's critical infrastructures and key resources and (2) recommend measures to protect critical infrastructure and key resources. Homeland Security Presidential Directive 7 (HSPD-7) further defined critical infrastructure protection responsibilities for DHS and those federal agencies--known as sector-specific agencies--responsible for particular industry sectors, such as transportation, energy, and communications. Under HSPD-7, DHS is to establish uniform policies, approaches, guidelines, and methodologies to help ensure that critical infrastructure within and across the 17 infrastructure sectors is protected. In response, DHS developed the National Infrastructure Protection Plan (NIPP). Issued in June 2006, the NIPP is a base plan that is to serve as a road map for how DHS and other relevant stakeholders, such as owners and operators of key critical infrastructure, should use risk management principles to prioritize protection activities within and across sectors in an integrated, coordinated fashion. The NIPP also requires that sector-specific agencies develop annual reports that discuss the sectors' status in implementing the plans. To protect critical infrastructure, the NIPP describes a partnership model as the primary means of coordinating government and private efforts. This report discusses (1) the extent to which the sector-specific plans meet NIPP and DHS requirements, (2) the government and sector coordinating council members' views on the value of the plans and DHS's review process, and (3) the key success factors and challenges that sector representatives reported they encountered in establishing and maintaining their councils.
Although the nine sector-specific plans we reviewed generally met NIPP requirements and DHS's sector-specific plan guidance, eight plans did not address incentives the sectors would use to encourage owners to conduct risk assessments and some plans were more comprehensive than others when discussing their physical, human, and cyber assets, systems, and functions. Most of the plans included the required elements of the NIPP risk management framework, such as security goals; and the methods the sectors expect to use to prioritize infrastructure as well as to develop and implement protective programs and assess threats, risks, and vulnerabilities. DHS's Office of Infrastructure Protection officials acknowledged the differences in how comprehensive the plans are, but said that these initial plans are only a first step and that they will work with the sectors to address differences in future updates. Given the disparity in the plans, however, it is unclear the extent to which DHS will be able to use them at this point to identify security gaps and critical interdependencies across the sectors in order to plan future protective measures. From reviewing these plans, it is also unclear how far along each sector actually is in identifying assets, setting priorities, and developing activities to protect key assets. DHS officials said that to determine this, they will need to review the sectors' annual progress reports, due in this month, that are to provide additional implementation information. Representatives of the government and sector coordinating councils had differing views regarding the value of sector-specific plans and DHS's review of those plans. While 10 of the 32 council representatives we interviewed reported that they saw the plans as useful for the sector, representatives of eight councils disagreed because they believed the plans either did not represent a partnership among the necessary key stakeholders, especially the private sector, or were not valuable because the sector had already done so much work on its own and had progressed beyond the plan. The officials said that they plan to refine the process as the sector- specific agencies gain more experience working with the private sector. As we reported last year,9 long-standing relationships were frequently cited as most helpful in establishing councils. Council representatives for 9 of the 32 councils continued to cite preexisting relationships as helping them in establishing and maintaining their sector councils, and two sectors noted that going through the process of establishing the councils had, in turn, improved relationships, while seven said achieving the necessary participation in the council is a continuing challenge. We previously recommended that, among other things, DHS better (1) define its critical infrastructure information needs and (2) explain how this information will be used to attract more users. In September 2006, DHS issued a final rule that established procedures governing the receipt, validation, handling, storage, marking, and use of critical-infrastructure information voluntarily submitted to DHS. DHS is in the process of implementing our additional recommendations.