Critical Infrastructure Protection: Sector Plans and Sector Councils Continue to Evolve

In 2005, Hurricane Katrina devastated the Gulf Coast, damaging critical infrastructure, such as oil platforms, pipelines, and refineries; water mains; electric power lines; and cellular phone towers. The infrastructure damage and resulting chaos disrupted government and business functions alike, producing cascading effects far beyond the physical location of the storm. Our nation's critical infrastructures and key resources--including those cyber and physical assets essential to national security, national economic security, and national public health and safety--continue to be vulnerable to a wide variety of threats. Because the private sector owns approximately 85 percent of the nation's critical infrastructure and key resources--banking and financial institutions, telecommunications networks, and energy production and transmission facilities, among others--it is vital that the public and private sectors form effective partnerships to successfully protect these assets. The Homeland Security Act of 2002 created the Department of Homeland Security (DHS), giving the department wide-ranging responsibilities for leading and coordinating the overall national critical infrastructure protection effort. The act required DHS to (1) develop a comprehensive national plan for securing the nation's critical infrastructures and key resources and (2) recommend measures to protect critical infrastructure and key resources. Homeland Security Presidential Directive 7 (HSPD-7) further defined critical infrastructure protection responsibilities for DHS and those federal agencies--known as sector-specific agencies--responsible for particular industry sectors, such as transportation, energy, and communications. Under HSPD-7, DHS is to establish uniform policies, approaches, guidelines, and methodologies to help ensure that critical infrastructure within and across the 17 infrastructure sectors is protected. In response, DHS developed the National Infrastructure Protection Plan (NIPP). Issued in June 2006, the NIPP is a base plan that is to serve as a road map for how DHS and other relevant stakeholders, such as owners and operators of key critical infrastructure, should use risk management principles to prioritize protection activities within and across sectors in an integrated, coordinated fashion. The NIPP also requires that sector-specific agencies develop annual reports that discuss the sectors' status in implementing the plans. To protect critical infrastructure, the NIPP describes a partnership model as the primary means of coordinating government and private efforts. This report discusses (1) the extent to which the sector-specific plans meet NIPP and DHS requirements, (2) the government and sector coordinating council members' views on the value of the plans and DHS's review process, and (3) the key success factors and challenges that sector representatives reported they encountered in establishing and maintaining their councils.