Critical Infrastructure Protection:

DHS Action Needed to Enhance Integration and Coordination of Vulnerability Assessment Efforts [Reissued on September 17, 2014]

GAO-14-507: Published: Sep 15, 2014. Publicly Released: Sep 15, 2014.

Additional Materials:

Contact:

Stephen Caldwell
(202) 512-8777
caldwells@gao.gov

 

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

During fiscal years 2011 to 2013, various Department of Homeland Security (DHS) offices and components conducted or required thousands of vulnerability assessments of critical infrastructure (CI), but DHS is not positioned to integrate them in order to identify priorities. Although the Homeland Security Act of 2002 and the National Infrastructure Protection Plan (NIPP) call for DHS to integrate CI vulnerability assessments to identify priorities, the department cannot do so because of variation in the areas to be assessed for vulnerability included in the various tools and methods used by DHS. GAO analysis of 10 of these assessment tools and methods found that they consistently included some areas, such as perimeter security, but other areas, such as cybersecurity, were not consistently included in the 10 tools and methods. Also, GAO's analysis and discussions with DHS officials showed that DHS's assessments vary in their length and detail of information collected, and DHS has not established guidance on what areas should be included in a vulnerability assessment, such as vulnerabilities to all-hazards as called for in the NIPP. DHS's Office of Infrastructure Protection (IP) has recognized the challenge of having different approaches and has begun to take action to harmonize them. However, of the 10 assessment tools and methods GAO analyzed, IP's harmonization effort includes two voluntary IP assessment tools and none of the other 8 tools and methods GAO analyzed that are used by other DHS offices and components. By reviewing the tools and methods to identify the areas of vulnerability and level of detail that DHS considers necessary, and establishing guidance for DHS offices and components regarding which areas to include in their assessments, DHS would be better positioned to integrate assessments to enable comparisons and determine priorities between and across CI sectors.

DHS offices and components have not consistently captured and maintained data on vulnerability assessment activities in a way that allows DHS to identify potential duplication or overlap in coverage among vulnerability assessment activities they have conducted or required. As a result, DHS is not positioned to track its activities to determine whether its assessment efforts are potentially duplicative or leave gaps among the CI assessed and thereby better ensure effective risk management across the spectrum of assets and systems, as called for by the NIPP. Developing an approach to collect data consistently would facilitate DHS's identification of potential duplication or overlap in CI coverage. Having consistent data would also better position DHS to minimize the fatigue CI owners expressed experiencing from participation in multiple assessments.

DHS is not positioned to manage an integrated and coordinated government-wide approach for assessments as called for in the NIPP because it does not have sufficient information about the assessment tools and methods conducted or offered by federal entities external to DHS with CI responsibilities, such as the Environmental Protection Agency, which oversees critical infrastructure activities related to water and wastewater systems. Consequently, opportunities exist for DHS to work with other federal entities to develop guidance as necessary to ensure consistency. Doing so would better position DHS and other federal entities with CI responsibilities to promote an integrated and coordinated approach for conducting vulnerability assessments of CI, as called for in the Homeland Security Act of 2002, presidential directives, and the NIPP.

Why GAO Did This Study

Damage from natural disasters like Hurricane Sandy in 2012 highlights the vulnerability of the nation's CI. CI includes assets and systems whose destruction would have a debilitating effect on security, national economic security, or national public health or safety. The private sector owns the majority of the nation's CI, and multiple federal entities, including DHS, are involved in assessing its vulnerabilities. These assessments can identify factors that render an asset or facility susceptible to threats and hazards. GAO was asked to review how federal entities assess vulnerabilities.

This report examines the extent to which DHS is positioned to (1) integrate DHS vulnerability assessments to identify priorities, (2) identify duplication and gaps within its coverage, and (3) manage an integrated and coordinated government-wide assessment approach. GAO reviewed CI laws, regulations, data from fiscal years 2011-2013, and other related documentation, as well as interviewed officials at DHS, other agencies, and a private CI association.

What GAO Recommends

GAO recommends that DHS identify the areas assessed for vulnerability most important for integrating and comparing results, establish guidance for DHS offices and components to incorporate these areas into their assessments, ensure that assessment data are consistently collected, and work with other federal entities to develop guidance for what areas to include in vulnerability assessments, among other things. DHS concurred with these recommendations.

For more information, contact Stephen Caldwell at (202) 512-8777 or caldwells@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: DHS reported completing several steps to better ensure that vulnerability data gathered on critical infrastructure are consistently collected and maintained across DHS components that conduct or require vulnerability assessments, as GAO recommended. For example, DHS reported in August 2015 that its Office of Infrastructure Protection (IP) and the Sector Outreach and Programs Division Innovation Center had formed a vulnerability assessment working group composed of a variety of federal stakeholders, both within and outside DHS to help enhance overall integration and coordination of vulnerability assessment efforts. In addition, DHS reported that it had reviewed the vulnerability assessment tools used by its offices and components to start identifying the appropriate level of guidance to provide to DHS offices and components on eliminating gaps or duplication in methods. In December 2015, DHS noted that in addition to these actions, IP was evaluating the potential for having all DHS components implementing IP's infrastructure data standards as an approach for consistently collecting and maintaining infrastructure data to reduce duplication and gaps in coverage. In July 2016, DHS reported that IP had agreement with the other DHS components on adopting IP's data standards to unambiguously identify a facility by name, location and contact POC and contact information. By taking these steps, DHS will now be better positioned to identify potential duplication and gaps in critical infrastructure coverage. As a result of DHS's actions, we are closing this recommendation as implemented.

    Recommendation: Within DHS, to promote efficiency and harmonize the various assessments to advance security and resilience across the spectrum of CI in a manner consistent with the Homeland Security Act of 2002, PPD-21, and the NIPP, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate work with other DHS offices and components to develop an approach to ensure that vulnerability data gathered on CI assets and systems are consistently collected and maintained across DHS to facilitate the identification of potential duplication and gaps in CI coverage.

    Agency Affected: Department of Homeland Security

  2. Status: Closed - Implemented

    Comments: DHS has taken action to implement GAO's recommendation to develop a department-wide process to facilitate data sharing and coordination among the various DHS components that conduct or require vulnerability assessments. In August 2015, DHS first reported that its Office of Infrastructure Protection (IP) and the Sector Outreach and Programs Division Innovation Center had formed a working group of federal stakeholders, both within and outside DHS, to enhance overall integration and coordination of vulnerability assessment efforts. In December 2015, DHS stated that IP was conducting pilot projects to expand access to its IP Gateway portal system that houses infrastructure data and identifies facilities that have been assessed by IP and its state, local, territorial and tribal government stakeholders. In a July 2016 update on its progress, DHS reported that IP and DHS components had agreed on the most important areas for which assessment data should be collected and the format for its collection. DHS said this would enable the strategic comparison and prioritization of federal resources and expand access to its IP Gateway portal to those partners. DHS also noted in its update that IP had begun providing access to IP Gateway to the other components within DHS. In September 2017, DHS reported that it had tracked over 200 instances of use of IP Gateway across the department as of that time. By taking these steps, DHS has developed a department-wide process to facilitate data sharing and coordination among the various DHS components that conduct or require vulnerability assessments and is now better positioned to minimize the risk of potential duplication and gaps by its offices and components in the vulnerability assessments they conduct.

    Recommendation: Within DHS, to promote efficiency and harmonize the various assessments to advance security and resilience across the spectrum of CI in a manner consistent with the Homeland Security Act of 2002, PPD-21, and the NIPP, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate work with other DHS offices and components to develop and implement ways that DHS can facilitate data sharing and coordination of vulnerability assessments to minimize the risk of potential duplication or gaps in coverage.

    Agency Affected: Department of Homeland Security

  3. Status: Closed - Implemented

    Comments: In February 2015, DHS's Office of Infrastructure Protection (IP) senior officials from Sector-Specific Agencies (SSAs) and other federal departments and agencies with a role in critical infrastructure security and resilience, proposed the implementation of a collaborative approach to catalog existing vulnerability assessment tools and methodologies, summarize their key characteristics, and identify any potential opportunities for increased coordination. As part of this approach, the SSAs and other agencies were asked to provide IP with the questions used to conduct their vulnerability assessments and descriptions of their vulnerability assessment tools and methods. To analyze the information collected, DHS reported that it established a technical team, comprised of subject-matter experts from the Institute for Defense Analyses (IDA). As a result of these efforts, the team compiled a catalogue of 50 different vulnerability assessment tools and methodologies from a variety of agencies including DHS, the Department of Defense, the Department of Energy, the Department of Transportation, the Environmental Protection Agency, the Federal Energy Regulatory Commission, the General Services Administration, and the Nuclear Regulatory Commission and covering a wide range of critical infrastructure sectors including Chemical, Dams, Energy, Food and Agriculture, Government Facilities, Nuclear Reactors Materials and Waste, Transportation Systems, and Water and Wastewater Systems. In December 2017, DHS reported that based on the analysis of existing information and additional interviews with selected subject-matter experts, of the 50 different assessment tools and methodologies identified, the technical team determined that seven were representative of the different vulnerability assessment approaches used across critical infrastructure sectors by DHS, SSAs, or other Federal agencies with critical infrastructure security-related responsibilities. As a result of these efforts, DHS now has a comprehensive catalog of assessment methodologies and identified a representative set of vulnerability assessment methodologies for critical infrastructure across sectors. Consequently, this recommendation is closed as implemented.

    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to identify key CI security-related assessment tools and methods used or offered by SSAs and other federal agencies.

    Agency Affected: Department of Homeland Security

  4. Status: Closed - Implemented

    Comments: According to an update from DHS in December 2017, based on the initial inventory of vulnerability assessments and identification of a representative set of vulnerability assessment methodologies as a result of efforts to implement our recommendation above, its Office of Infrastructure Protection (IP) conducted an analysis of the information collected to identify the differences and commonalities among the various assessment tools and methodologies used by DHS, Sector-Specific Agencies (SSAs), and other federal departments and agencies. DHS also reported that it conducted additional working sessions with selected representatives from the corresponding SSAs and federal agencies to gather more detailed information on specific aspects of their methodologies and to identify their key characteristics and distinguishing features. As part of this effort, the technical team developed a baseline of specific assessment areas (e.g., threat definition, security force, physical security, cybersecurity, resilience, and impacts) to facilitate the identification of topical areas included in the different vulnerability assessment tools and methodologies. According to DHS, the analysis of those assessments and methodologies and the development of the baseline of assessment areas enabled DHS to determine the areas the assessments and methodologies capture and can be used to identify any similarities, differences, overlaps, and gaps between them. Consequently, this recommendation is closed as implemented.

    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to analyze the key CI security-related assessment tools and methods offered by sector-specific agencies (SSA) and other federal agencies to determine the areas they capture.

    Agency Affected: Department of Homeland Security

  5. Status: Closed - Not Implemented

    Comments: We found that DHS was not positioned to manage an integrated and coordinated government-wide approach for CI vulnerability assessments because it did not have sufficient information about the assessment tools and methods conducted or offered by federal entities external to DHS with CI responsibilities, such as the Environmental Protection Agency, which oversees critical infrastructure activities related to water and wastewater systems. Consequently, opportunities existed for DHS to work with other federal entities to develop guidance as necessary to ensure consistency. Doing so would better position DHS and other federal entities with CI responsibilities to promote an integrated and coordinated approach for conducting vulnerability assessments of CI. DHS officials initially stated that provision of DHS guidance to other departments would be difficult because DHS cannot compel other agencies to take actions specified in DHS guidance. However, according to DHS's Cybersecurity and Infrastructure Security Agency (CISA) officials and based on documents we reviewed, CISA launched a working group with creation of vulnerability assessment guidance for use governmentwide as its primary objective. In June 2020, CISA provided us with a draft white paper produced by the working group that described general parameters for guidance to CI stakeholders that would potentially enable more integrated and coordinated vulnerability assessments. However, given the passage of time since we made the recommendation in 2014, and the remaining uncertainty about when and how DHS will address it, we are closing this recommendation as not implemented.

    Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to develop and provide guidance for what areas should be included in vulnerability assessments of CI that can be used by DHS, SSAs, and other CI partners in an integrated and coordinated manner, among and across sectors, where appropriate.

    Agency Affected: Department of Homeland Security

  6. Status: Closed - Implemented

    Comments: We found that DHS offices and components did not have common areas among their vulnerability assessment tools, thereby making integration of assessment data difficult. As a result, we recommended that NPPD work with other DHS offices and components to review DHS's vulnerability assessments to identify the most important areas to be assessed and establish guidance for those entities to ensure that these areas are included, as appropriate, in their assessments. As of September 2016, NPPD established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and designed, created, and launched a Cross-Agency Vulnerability Assessment Working Group portal on the Homeland Security Information Network-Critical Infrastructure (HSIN-CI). The Working Group, consisting of members from multiple departments and agencies, agreed upon six common security areas and specified levels of detail for vulnerability assessments. Guidance for the common areas and the specified levels of detail was disseminated electronically to the DHS components for incorporation into their existing assessment tools at their next update, if not already included. The identification of common security areas and resulting guidance are consistent with our recommendation.

    Recommendation: Within DHS, to promote efficiency and harmonize the various assessments to advance security and resilience across the spectrum of CI in a manner consistent with the Homeland Security Act of 2002, Presidential Policy Directive (PPD)-21, and the NIPP, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate work with other DHS offices and components to review DHS's vulnerability assessments to identify the most important areas to be assessed, consistent with PPD-21 and the NIPP, and determine the areas and level of detail that are necessary for DHS to integrate assessments and enable comparisons, and establish guidance for DHS offices and components to ensure that these areas and level of detail are included, as appropriate, in their assessments.

    Agency Affected: Department of Homeland Security

 

Explore the full database of GAO's Open Recommendations »