Highlights

A wide array of cyber and physical assets is critical to America's national security, economic well-being, and public health and safety. Information related to threats, vulnerabilities, incidents, and security techniques is instrumental to guarding these critical infrastructures against attacks and mitigating the impact of attacks that may occur. The ability to share security-related information can unify the efforts of federal, state, and local government as well as the private sector, as appropriate, in preventing and minimizing terrorist attacks. The Critical Infrastructure Information Act of 2002 was enacted to encourage nonfederal entities to voluntarily share critical infrastructure information and established protections for it. The Department of Homeland Security (DHS) has a lead role in implementing the act. GAO was asked to determine (1) the status of DHS's efforts to implement the act and (2) the challenges it faces in carrying out the act.


Recommendations

Recommendations for Executive Action

Agency Affected: Department of Homeland Security
Recommendation: 1. In order for DHS to address the challenges to the protected critical infrastructure information program--defining specific needs, determining how and who uses the information, assuring submitters that the information will be protected, and demonstrating benefits to critical infrastructure owners--the Secretary of Homeland Security should, in the short term, establish a specific deadline in the near future for releasing the final rule to the Office of Management and Budget and for interagency review so that potential submitters have more assurance about how their sensitive information will be protected.
Status: Closed - Implemented
On September 1, 2006, the Department of Homeland Security issued "Procedures for Handling Critical Infrastructure Information; Final Rule" in the Federal Register.

Agency Affected: Department of Homeland Security
Recommendation: 2. In order for DHS to address the challenges to the protected critical infrastructure information program--defining specific needs, determining how and who uses the information, assuring submitters that the information will be protected, and demonstrating benefits to critical infrastructure owners--the Secretary of Homeland Security should, concurrently, consistent with other infrastructure planning efforts such as the National Infrastructure Protection Plan, define and communicate to the private sector what critical information infrastructure DHS and federal entities need to fulfill their critical infrastructure responsibilities and how federal, state, and local entities are expected to use the information submitted under the program.
Status: Closed - Implemented
To communicate to the private sector the Department of Homeland Security's (DHS) protected critical infrastructure information (PCII) needs and expected use, the Office of Infrastructure Protection/PCII Program has made available, through its public website, answers to frequently asked questions that define the type of information collected and what it is used for. In addition, the public website explains how PCII will be accessed, handled, and used by Federal, state and local government employees and their contractors.

Agency Affected: Department of Homeland Security
Recommendation: 3. In order for DHS to address the challenges to the protected critical infrastructure information program--defining specific needs, determining how and who uses the information, assuring submitters that the information will be protected, and demonstrating benefits to critical infrastructure owners--the Secretary of Homeland Security should, concurrently, consistent with other infrastructure planning efforts such as the National Infrastructure Protection Plan, determine whether creating mechanisms, such as providing originator control and direct submissions to federal agencies other than DHS, would increase submissions.
Status: Closed - Implemented
As outlined in the "Procedures for Handling Critical Infrastructure Information--Final Rule" issued September 1, 2006, DHS has taken the following steps to increase submissions: 1) Allowing the submission of Critical Infrastructure Information (CII) to other Federal agencies or indirect submissions, providing greater intake capability, and greater convenience for submitters, and 2) categorical inclusion of classes of Protected CII, allowing for presumptive validation and more certainty for submitters. The Final Rule identifies procedures for indirect submissions to DHS through DHS field representatives and other Federal Agencies. Federal agencies other than DHS may be designated to receive CII on behalf of DHS, but only the PCII Program Manager is authorized to make the decision to validate a submission as PCII. The Final Rule also invests the PCII Program Manager with the authority and flexibility to designate certain types of infrastructure information as presumptively valid PCII to accelerate the validation process. The PCII Program Manager may establish categories of information for which PCII status will automatically apply.

Agency Affected: Department of Homeland Security
Recommendation: 4. In order for DHS to address the challenges to the protected critical infrastructure information program--defining specific needs, determining how and who uses the information, assuring submitters that the information will be protected, and demonstrating benefits to critical infrastructure owners--the Secretary of Homeland Security should, concurrently, consistent with other infrastructure planning efforts such as the National Infrastructure Protection Plan, expand efforts to use incentives to encourage more users, such as mechanisms for state-to-state sharing.
Status: Closed - Implemented
DHS has taken steps to encourage more users to participate by allowing State and local government officials to share PCII with other parties already authorized to receive such information by the PCII Program Manager. The PCII Program Office has developed an accreditation program as a means to share PCII with eligible government entities. The accreditation program has been designed to ensure the proper handling, use, dissemination, and safeguarding of PCII by government users. A State or local entity can become authorized to receive PCII once its accreditation process has been initiated. The PCII Program Office has already accredited Maryland, Arizona, California, and Massachusetts to receive PCII and is currently working with several other states to become accredited. Once they are fully accredited, the changes made in the Final Rule will facilitate information sharing amongst these entities, should they want to share PCII.
