Critical Infrastructure Protection: OMB Leadership Needed to Strengthen Agency Planning Efforts to Protect Federal Cyber Assets

GAO-10-148 Published: Oct 15, 2009. Publicly Released: Nov 16, 2009.

Highlights

Because the nation's critical infrastructure relies on information technology systems and data, the security of those assets is critical to ensuring national security and public safety. In 2003, the President directed federal agencies to (1) develop plans for the protection of their computer-related (cyber) critical infrastructure assets and (2) submit them for approval to the Office of Management and Budget (OMB) by July 31, 2004. To help agencies do this, OMB issued guidance with 19 criteria deemed essential for effective cyber critical infrastructure protection planning that were required to be included in the plans. GAO was asked to determine (1) the extent to which agencies developed their plans and whether they submitted them to OMB by the deadline and (2) whether the plans met criteria in OMB's guidance. To do this, GAO reviewed plans from 24 agencies, many of which own and operate key government cyber and other critical infrastructure; reviewed OMB documentation; interviewed officials; and compared submitted plans to relevant criteria.

Recommendations

Recommendations for Executive Action

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should provide leadership and oversight in directing federal cyber critical infrastructure planning efforts and make them a management priority by directing the federal agencies to expeditiously update their plans to fully address OMB's cyber critical infrastructure planning requirements.
Status: Closed – Not Implemented
On February 12, 2013, Presidential Policy Directive 21 revoked HSPD-7, which required federal agencies to develop cyber-related critical infrastructure protection plans. We periodically requested that OMB provide an update on this recommendation and on how the revocation affected its implementation. Efforts to obtain updated information from OMB on the status of this report's recommendations were not successful. Research of OMB policies and publicly available documentation did not provide any evidence of actions taken to address this recommendation. Although PPD 21 states that agencies are responsible for having plans that address the protection of their critical infrastructure as part of national continuity planning efforts, the directive does not direct agencies to update their cyber-related critical infrastructure protection plans. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, also released in February 2013, does not provide such direction either.

Agency Affected: Office of Management and Budget
Recommendation: The Director of OMB should provide leadership and oversight in directing federal cyber critical infrastructure planning efforts and make them a management priority by following up, as appropriate, to see that agencies are making sure updated plans fully meet OMB requirements and are being effectively implemented. At a minimum, this should include having agency heads report to OMB when updated plans have been completed and that the plans fully meet OMB requirements and are being effectively implemented.
Status: Closed – Not Implemented
On February 12, 2013, Presidential Policy Directive 21 revoked HSPD-7, which required federal agencies to develop cyber-related critical infrastructure protection plans. We periodically requested that OMB provide an update on this recommendation and on how the revocation affected its implementation. Efforts to obtain updated information from OMB on the status of this report's recommendations were not successful. Research of OMB policies and publicly available documentation did not provide any evidence of actions taken to address this recommendation. Although PPD 21 states that agencies are responsible for having plans that address the protection of their critical infrastructure as part of national continuity planning efforts, the directive does not direct agencies to update their cyber-related critical infrastructure protection plans. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, also released in February 2013, does not provide such direction either.

Topics

Computer security, Critical infrastructure, Documentation, Employees, Federal agencies, Independent agencies, Information security management, Information systems, Information technology, Regulatory agencies, Reporting requirements, Risk management, Strategic information systems planning, Strategic planning