According to the Department of Homeland Security (DHS), protecting and ensuring the resiliency (the ability to resist, absorb, recover from, or successfully adapt to adversity or changing conditions) of critical infrastructure and key resources (CIKR) is essential to the nation's security. By law, DHS is to lead and coordinate efforts to protect several thousand CIKR assets deemed vital to the nation's security, public health, and economy. In 2006, DHS created the National Infrastructure Protection Plan (NIPP) to outline the approach for integrating CIKR and increased its emphasis on resiliency in its 2009 update. GAO was asked to assess the extent to which DHS (1) has incorporated resiliency into the programs it uses to work with asset owners and operators and (2) is positioned to disseminate information it gathers on resiliency practices to asset owners and operators. GAO reviewed DHS documents, such as the NIPP, and interviewed DHS officials and 15 owners and operators of assets selected on the basis of geographic diversity. The results of these interviews are not generalizable but provide insights.
Recommendations for Executive Action
|Directorate of Information Analysis and Infrastructure Protection||1. To better ensure that DHS's efforts to incorporate resiliency into its overall CIKR protection efforts are effective and completed in a timely and consistent fashion, the Assistant Secretary for Infrastructure Protection should develop performance measures to assess the extent to which asset owners and operators are taking actions to resolve resiliency gaps identified during the various vulnerability assessments.|
|Directorate of Information Analysis and Infrastructure Protection||2. To better ensure that DHS's efforts to incorporate resiliency into its overall CIKR protection efforts are effective and completed in a timely and consistent fashion, the Assistant Secretary for Infrastructure Protection should update PSA guidance that discusses the role PSAs play during interactions with asset owners and operators with regard to resiliency, which could include how PSAs work with them to emphasize how resiliency strategies could help them mitigate vulnerabilities and strengthen their security posture and provide suggestions for enhancing resiliency at particular facilities.|
|Department of Homeland Security||3. The Secretary of Homeland Security should assign responsibility to one or more organizations within DHS to determine the feasibility of overcoming barriers and developing an approach for disseminating information on resiliency practices to CIKR owners and operators within and across sectors.|