This is the accessible text file for GAO report number GAO-08-1075R entitled 'Information Technology: Federal Laws, Regulations, and Mandatory Standards for Securing Private Sector Information Technology Systems and Data in Critical Infrastructure Sectors' which was released on September 16, 2008. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO-08-1075R: United States Government Accountability Office: Washington, DC 20548: September 16, 2008: The Honorable James R. Langevin: Chairman: Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology: Committee on Homeland Security: House of Representatives: The Honorable Sheila Jackson-Lee: Chairwoman: Subcommittee on Transportation Security and Infrastructure Protection: Committee on Homeland Security: House of Representatives: Subject: Information Technology: Federal Laws, Regulations, and Mandatory Standards for Securing Private Sector Information Technology Systems and Data in Critical Infrastructure Sectors: Federal policy identifies 18 infrastructure sectors--such as banking and finance, energy, public health and healthcare, and telecommunications--that are critical to the nation's security, economy, public health, and safety.[Footnote 1] Because these sectors rely extensively on computerized information systems and electronic data, it is crucial that the security of these systems and data is maintained. Further, because most of these infrastructures are owned by the private sector, it is imperative that public and private entities work together to protect these assets. The federal government uses both voluntary partnerships with private industry and requirements in federal laws, regulations, and mandatory standards to assist in the security of privately owned information technology (IT) systems and data within critical infrastructure sectors. As agreed, our objectives were to (1) identify, for each critical infrastructure sector, the federal laws, regulations, and mandatory standards that pertain to securing that sector's privately owned IT systems and data and (2) identify enforcement mechanisms for each of the above laws, regulations, and mandatory standards. To accomplish these objectives, we solicited information from the federal agencies responsible for overseeing each critical infrastructure sector to identify the applicable requirements, as well as the mechanisms and authorities available to the government to enforce compliance with these requirements. On July 24, 2008, we presented a briefing to the staffs of the House Homeland Security Subcommittees on Transportation Security and Infrastructure Protection and Emerging Threats, Cybersecurity, and Science and Technology. This report briefly summarizes our findings and transmits the presentation slides we used to brief the staffs. The full briefing, including our scope and methodology, is reprinted in enclosure I. At Least 34 Federal Legal Requirements Exist within Critical Infrastructure Sectors for Securing Privately Owned IT Systems and Data: There are at least 34 federal laws, regulations, and mandatory standards that pertain to securing privately owned IT systems and data in our nation's critical infrastructure sectors. Figure 1 summarizes the number of federal laws, regulations, and mandatory standards, by critical infrastructure sector.[Footnote 2] Figure 1: Summary of Federal Legal Requirements for Securing Privately Owned IT Systems and Data within Critical Infrastructure Sectors: [See PDF for image] This figure is an illustration of federal legal requirements for securing privately owned IT systems and data within critical infrastructure sectors, as follows: Infrastructure sector: Agriculture and food; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Banking and finance; Number of applicable laws[A]: 0; Number of applicable regulations: 17; Number of applicable mandatory standards: 0. Infrastructure sector: Chemical; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Commercial facilities: Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Critical manufacturing; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Dams; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 8. Infrastructure sector: Defense industrial base; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Drinking water and water treatment systems; Number of applicable laws[A]: 1; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Emergency services; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Energy; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 8. Infrastructure sector: Government facilities; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Information technology; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: National monuments and icons; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Nuclear reactors, materials, and waste; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Postal and shipping; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Public health and healthcare; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Telecommunications; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Transportation systems; Number of applicable laws[A]: 0; Number of applicable regulations: 2; Number of applicable mandatory standards: 0. Infrastructure sector: Total; Number of applicable laws[A]: 1; Number of applicable regulations: 25; Number of applicable mandatory standards: 8[B]; Overall total: 34. [A] The number of applicable laws does not include the authorizing laws for the regulations and mandatory standards. [B] The dams and energy sectors share a common set of 8 mandatory standards that are applicable to both sectors, but these standards are counted only once in this total. Source: GAO analysis of agency-provided data, and review of the applicable sections in the U.S. Code and Code of Federal Regulations. [End of figure] As shown in the figure, of the 34, 1 is a law, 25 are regulations, and 8 are mandatory standards.[Footnote 3] These requirements pertain to 10 of the 18 critical infrastructure sectors, including the agriculture and food; energy; nuclear reactors, materials, and waste; and transportation systems sectors. For example, the drinking water and water treatment systems sector has 1 applicable law. In addition, the energy sector has 1 applicable regulation and 8 applicable mandatory standards. Eight sectors did not identify requirements that pertain to securing privately owned IT systems and data. They are: critical manufacturing, defense industrial base, emergency services, government facilities, information technology, national monuments and icons, postal and shipping, and telecommunications. A more detailed description by sector, including authorizing laws, regulatory citations, regulatory agencies, regulated entities, and the statutory and regulatory requirements, is provided in enclosure I. Federal Legal Requirements Contain Mechanisms for Enforcing Compliance: Each of the 34 federal legal requirements has at least one enforcement mechanism. These mechanisms include court injunctions, civil monetary penalties, criminal penalties, and administrative actions, such as license revocation and suspension. Typically, these mechanisms are what agencies use to enforce requirements in general, and are not necessarily specific to the requirements for securing privately owned IT systems and data. Examples of the sectors' enforcement mechanisms are as follows: * For banking and finance, the sector's 17 applicable regulations may be enforced through: - cease and desist orders; - civil monetary penalties; - criminal monetary penalties; - limitations on activities, functions, and operations; - registration revocations; and: - termination of bank deposit insurance. In particular, the enforcement mechanisms for several of the sector regulations provide the potential for a civil monetary penalty against an enterprise of up to $1 million per day that the enterprise is in violation, if it is found that the violation or conduct was done knowingly and caused, or would be likely to cause, a substantial loss to the enterprise. * For drinking water and water treatment, the sector's applicable law may be enforced through: - administrative orders, - civil monetary penalties, and: - court injunctions. Specifically, the law provides that a community water system in violation of the law could be fined up to $25,000 per violation. * For nuclear reactors, materials, and waste, the sector's applicable regulation may be enforced through: - court injunctions, - civil monetary penalties, - cease and desist orders, - license modification orders, - suspension orders, and: - revocation orders. This regulation provides that an entity that violates the regulation could be fined up to $100,000 per day per violation. A more detailed description by sector, including examples of enforcement mechanisms for each requirement, is provided in enclosure I. In commenting on a draft of the letter and the briefing, the sector- specific agencies agreed with our reporting of the information. We are sending copies of this report to interested congressional committees and other interested parties. We also will make copies available to others upon request. In addition, this report will be available at no charge on GAO's Web site at [hyperlink, http://www.gao.gov]. Should you or your staffs have any questions on matters discussed in this report, please contact Dave Powner at (202) 512-9286 or pownerd@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this correspondence. In addition to the individual named above, Gary Mountjoy (Assistant Director), Scott Borre, Neil Doherty, Michael Gilmore, Franklin Jackson, Emily Longcore, Lee McCracken, and Adam Vodraska made key contributions to this report. Signed by: David A. Powner: Director, Information Technology Management Issues: Enclosure: [End of section] Enclosure I: Slide presentation: Information Technology: Federal Laws, Regulations, and Mandatory Standards for Securing Private Sector Information Technology Systems and Data in Critical Infrastructure Sectors: Briefing for Staff Members of the Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology, Committee on Homeland Security and the Subcommittee on Transportation Security and Infrastructure Protection, Committee on Homeland Security. July 24, 2008: Table of Contents: Introduction: Results in Brief: Background: Results: Objective 1 – Federal Laws, Regulations, and Mandatory Standards: Objective 2 – Enforcement Mechanisms: Agency Comments: Attachment 1: Objectives, Scope, and Methodology: Attachment 2: Detailed List and Description of Applicable Federal Laws, Regulations, and Mandatory Standards. [End of table of contents] Introduction: Federal policy identifies 18 infrastructure sectors as critical to the nation’s security, economy, public health, and safety. Because these critical infrastructure sectors—such as banking and finance, telecommunications, energy, and public health and healthcare—rely extensively on computerized information systems and electronic data, it is crucial that the security of those systems and data is maintained. Further, because most of the infrastructures are owned by private companies, it is imperative that public and private entities work together to protect these assets. The federal government uses both voluntary partnerships with private industry and requirements in federal laws, regulations, and mandatory standards to assist in the security of privately owned IT systems and data within critical infrastructure sectors. As agreed, our objectives were to: 1. identify, for each critical infrastructure sector, the federal laws, regulations, and mandatory standards that pertain to securing that sector’s privately owned information technology systems and data, and; 2. identify enforcement mechanisms for each of the above laws, regulations, and mandatory standards. For the purposes of this review, federal laws are defined as statutes enacted by the Congress of the United States that pertain to matters which are within the legislative authority delegated to the national government by the United States Constitution. Federal regulations are defined as the general and permanent rules published in the Federal Register by a federal department or agency. Federal mandatory standards are defined as requirements adopted by a federal department or agency with the legal authority to regulate the entities and/or activities that are the subject of the standards. To accomplish the first objective, we solicited information from the federal agencies responsible for overseeing each sector to identify the applicable requirements. We reviewed, among other things, sections of the United States Code, the Code of Federal Regulations, and federal mandatory standards identified by the agencies to confirm the requirements that were applicable in each sector. After reviewing each sector’s specific laws, regulations, and mandatory standards, we requested further clarification from the regulating agencies when we were unable to validate the applicability of the requirements. Where we could not reconcile our analysis with the agencies’ interpretations, we reported the characterizations of the federal agencies since they implement and enforce the requirements. There is a possibility that the agencies did not identify all applicable requirements and we did not conduct an independent search for applicable requirements. We did not include privately owned IT systems and data that are operated on behalf of a federal agency. In particular, our review did not include systems owned by contractors that are operated on behalf of federal agencies subject to governmentwide computer security and privacy requirements, such as the Federal Information Security Management Act of 2002, that require agencies (e.g. the Department of Defense) to ensure that contractors running agency IT systems meet federal information security requirements. To accomplish the second objective, federal agency officials responsible for enforcing the requirements identified in the first objective identified the mechanisms and authorities available to the agencies and others to enforce compliance with these requirements. The mechanisms and authorities identified are examples of the enforcement mechanisms available to the agencies, and do not necessarily constitute a complete list. We verified the information provided by the agencies by analyzing the applicable sections of the United States Code,Code of Federal Regulations, and other appropriate sources. Attachment I provides further details on our objectives, scope, and methodology. We performed our work at federal agencies in the Washington, D.C., metropolitan area from November 2007 to July 2008. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings based on our audit objectives. Results in Brief: We identified 34 federal laws, regulations, and mandatory standards that pertain to securing privately owned IT systems and data in our nation’s critical infrastructure sectors.[Footnote 4] (Figure 1 summarizes, by critical infrastructure sector, the number of federal laws, regulations, and mandatory standards that have been identified by the federal agency officials responsible for overseeing each sector.) Figure 1: Summary of Federal Legal Requirements for Securing Privately Owned IT Systems and Data within Critical Infrastructure Sectors: [See PDF for image] This figure is an illustration of federal legal requirements for securing privately owned IT systems and data within critical infrastructure sectors, as follows: Infrastructure sector: Agriculture and food; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Banking and finance; Number of applicable laws[A]: 0; Number of applicable regulations: 17; Number of applicable mandatory standards: 0. Infrastructure sector: Chemical; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Commercial facilities: Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Critical manufacturing; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Dams; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 8. Infrastructure sector: Defense industrial base; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Drinking water and water treatment systems; Number of applicable laws[A]: 1; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Emergency services; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Energy; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 8. Infrastructure sector: Government facilities; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Information technology; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: National monuments and icons; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Nuclear reactors, materials, and waste; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Postal and shipping; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Public health and healthcare; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Telecommunications; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Transportation systems; Number of applicable laws[A]: 0; Number of applicable regulations: 2; Number of applicable mandatory standards: 0. Infrastructure sector: Total; Number of applicable laws[A]: 1; Number of applicable regulations: 25; Number of applicable mandatory standards: 8[B]; Overall total: 34. [A] The number of applicable laws does not include the authorizing laws for the regulations and mandatory standards. [B] The dams and energy sectors share a common set of 8 mandatory standards that are applicable to both sectors, but these standards are counted only once in this total. Source: GAO analysis of agency-provided data, and review of the applicable sections in the U.S. Code and Code of Federal Regulations. [End of figure] As shown in the figure, of the 34, 1 is a law, 25 are regulations, and 8 are mandatory standards. These requirements pertain to 10 of the 18 critical infrastructure sectors, including the nuclear reactors, materials, and waste and transportation systems sectors. For example, the drinking water and water treatment systems sector has one applicable law, and the energy sector has one applicable regulation and eight applicable mandatory standards. Eight sectors did not identify requirements that pertain to securing privately owned IT systems and data. These are critical manufacturing, defense industrial base, emergency services, government facilities, information technology, national monuments and icons, postal and shipping, and telecommunications. With regard to enforcement, each of the 34 requirements has at least one enforcement mechanism. These mechanisms include court injunctions, civil monetary penalties, criminal penalties, and administrative measures. Typically, these mechanisms are what agencies use to enforce requirements in general, and are not necessarily specific to the requirements for securing privately owned IT systems and data. In commenting on a draft of the briefing, the sector-specific agencies agreed with the information and provided technical comments, which we have incorporated into the briefing, as appropriate. Background: Critical infrastructure protection involves activities that enhance the cyber and physical security of the public and private infrastructures that are critical to national security, economic security, and public health and safety. Because a large percentage of the nation’s critical infrastructures is owned and operated by the private sector, public/private partnerships are crucial for successful critical infrastructure protection. Federal law and policies establish critical infrastructure protection as a national goal and describe a strategy for cooperative efforts by government and private entities to protect the physical and cyber-based systems that are essential to the minimum operations of the economy and the government. These include Homeland Security Presidential Directive 7 and the National Infrastructure Protection Plan. Homeland Security Presidential Directive 7: * established the Department of Homeland Security (DHS) as the principal federal agency to lead, integrate, and coordinate the implementation of efforts to protect critical infrastructures and key resources; and; * identified lead federal agencies, referred to as sector-specific agencies (including, but not limited to, DHS, the Department of the Treasury, and the Department of Health and Human Services), that are responsible for coordinating critical infrastructure protection efforts with the public and private stakeholders in their respective sectors. (See table 1 below for a list of each sector-specific agency and a brief description of each sector.) Table 1: Critical Infrastructure Sectors and Designated Sector-Specific Agencies: Sector: Agriculture and food; Description: Ensures the safety and security of food, animal feed, and food-producing animals; coordinates animal and plant disease and pest response; and provides nutritional assistance. Sector-specific agency: Dept. of Agriculture, Dept. of Health and Human Services, Food and Drug Administration. Sector: Banking and finance; Description: Provides the financial infrastructure of the nation. This sector consists of commercial banks, insurance companies, mutual funds, government-sponsored enterprises, pension funds, and other financial institutions that carry out transactions. Sector-specific agency: Department of the Treasury. Sector: Chemical; Description: Transforms natural raw materials into commonly used products benefiting society’s health, safety, and productivity. The chemical sector produces products that are essential to automobiles, pharmaceuticals, food supply, electronics, water treatment, health, construction, and other necessities. Sector-specific agency: Department of Homeland Security. Sector: Commercial facilities; Description: Includes prominent commercial centers, office buildings, sports stadiums, theme parks, and other sites where large numbers of people congregate to pursue business activities, conduct personal commercial transactions, or enjoy recreational pastimes. Sector-specific agency: Department of Homeland Security. Sector: Critical manufacturing; Description: Transforms materials into finished goods. The sector includes the manufacture of primary metals, machinery, electrical equipment, appliances, and components, and transportation equipment. Sector-specific agency: Department of Homeland Security. Sector: Dams; Description: Manages water retention structures, including levees, dams, navigation locks, canals (excluding channels), and similar structures, including larger and nationally symbolic dams that are major components of other critical infrastructures that provide electricity and water. Sector-specific agency: Department of Homeland Security. Sector: Defense industrial base; Description: Supplies the military with the means to protect the nation by producing weapons, aircraft, and ships and providing essential services, including information technology and supply and maintenance. Sector-specific agency: Department of Defense. Sector: Drinking water and water treatment systems; Description: Provides sources of safe drinking water from community water systems and properly treated wastewater from publicly owned treatment works. Sector-specific agency: Environmental Protection Agency. Sector: Emergency services; Description: Saves lives and property from accidents and disaster. This sector includes fire, rescue, emergency medical services, and law enforcement organizations. Sector-specific agency: Department of Homeland Security Sector: Energy; Description: Provides the electric power used by all sectors and the refining, storage, and distribution of oil and gas. The sector is divided into electricity and oil and natural gas. Sector-specific agency: Department of Energy. Sector: Government facilities; Description: Ensures continuity of functions for facilities owned and leased by the government, including all federal, state, territorial, local, and tribal government facilities located in the U.S. and abroad. Sector-specific agency: Department of Homeland Security. Sector: Information technology; Description: Produces information technology and includes hardware manufacturers, software developers, and service providers, as well as the Internet as a key resource. Sector-specific agency: Department of Homeland Security. Sector: National monuments and icons; Description: Maintains monuments, physical structures, objects, or geographical sites that are widely recognized to represent the nation’s heritage, traditions, or values, or widely recognized to represent important national cultural, religious, historical, or political significance. Sector-specific agency: Department of the Interior. Sector: Nuclear reactors, materials, and waste; Description: Provides nuclear power. The sector includes commercial nuclear reactors and non-power nuclear reactors used for research, testing, and training; nuclear materials used in medical, industrial, and academic settings; nuclear fuel fabrication facilities; the decommissioning of reactors; and the transportation, storage, and disposal of nuclear materials and waste. Sector-specific agency: Department of Homeland Security. Sector: Postal and shipping; Description: Delivers private and commercial letters, packages, and bulk assets. The U.S. Postal Service and other carriers provide the services of this sector. Sector-specific agency: Department of Homeland Security. Sector: Public health and healthcare; Description: Mitigates the risk of disasters and attacks and also provides recovery assistance if an attack occurs. The sector consists of health departments, clinics, and hospitals. Sector-specific agency: Department of Health and Human Services. Sector: Telecommunications; Description: Provides wired, wireless, and satellite communications to meet the needs of businesses and governments. Sector-specific agency: Department of Homeland Security. Sector: Transportation systems; Description: Enables movement of people and assets that are vital to our economy, mobility, and security with the use of aviation, ships, rail, pipelines, highways, trucks, buses, and mass transit. Sector-specific agency: Department of Homeland Security. Source: GAO, Progress Coordinating Government and Private Sector Efforts Varies by Sectors’ Characteristics, GAO-07-39 (Washington, D.C.: Oct. 16, 2006). [End of table] The National Infrastructure Protection Plan: * is a base plan that serves as a road map for how DHS and other relevant stakeholders should use risk management principles to prioritize protection activities within and across the sectors in an integrated, coordinated fashion; and; * requires each of the lead federal agencies associated with the 18 critical infrastructure sectors to develop plans to address how the sectors’ stakeholders would implement the national plan and how they would improve the security of their assets and functions. These plans are to, among other things, describe how the sector will identify and prioritize its critical assets, including cyber assets, and define approaches the sector will take to assess risks and develop programs to protect these assets. In October 2007, we reported that each critical infrastructure sector, to a varying degree, addressed key aspects of cyber security in its respective sector-specific plan.[Footnote 5] As a whole, the plans addressed certain key aspects more comprehensively than they did others. To assist the sectors in securing their cyber infrastructure, we recommended that the Secretary of Homeland Security request that, by September 2008, the sector-specific agencies develop plans that address all of the key aspects. Results: Objective 1: Federal Legal Requirements within Critical Infrastructure Sectors for Securing IT Systems and Data: We identified at least 34 applicable federal requirements for securing privately owned IT systems and data, consisting of 1 law, 25 regulations, and 8 mandatory standards that pertain to 10 critical infrastructure sectors. [Footnote 6,7] Specifically, these requirements and the sectors they apply in are as follows: * The one law applies in the drinking water and water treatment systems sector. * The 25 regulations apply in 8 sectors: - agriculture and food; - banking and finance; - chemical; - commercial; - energy; - nuclear reactors, materials, and waste; - public health and healthcare; and; - transportation systems. * The mandatory standards apply in the dams and energy sectors. Figure 2 summarizes, by critical infrastructure sector, the federal law, regulations, and mandatory standards that have been identified by the agency officials responsible for overseeing each sector as including requirements for private entities to secure their IT systems and data. Figure 2: Summary of Federal Legal Requirements for Securing Privately Owned IT Systems and Data within Critical Infrastructure Sectors: [See PDF for image] This figure is an illustration of federal legal requirements for securing privately owned IT systems and data within critical infrastructure sectors, as follows: Infrastructure sector: Agriculture and food; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Banking and finance; Number of applicable laws[A]: 0; Number of applicable regulations: 17; Number of applicable mandatory standards: 0. Infrastructure sector: Chemical; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Commercial facilities: Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Critical manufacturing; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Dams; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 8. Infrastructure sector: Defense industrial base; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Drinking water and water treatment systems; Number of applicable laws[A]: 1; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Emergency services; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Energy; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 8. Infrastructure sector: Government facilities; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Information technology; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: National monuments and icons; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Nuclear reactors, materials, and waste; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Postal and shipping; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Public health and healthcare; Number of applicable laws[A]: 0; Number of applicable regulations: 1; Number of applicable mandatory standards: 0. Infrastructure sector: Telecommunications; Number of applicable laws[A]: 0; Number of applicable regulations: 0; Number of applicable mandatory standards: 0. Infrastructure sector: Transportation systems; Number of applicable laws[A]: 0; Number of applicable regulations: 2; Number of applicable mandatory standards: 0. Infrastructure sector: Total; Number of applicable laws[A]: 1; Number of applicable regulations: 25; Number of applicable mandatory standards: 8[B]; Overall total: 34. [A] The number of applicable laws does not include the authorizing laws for the regulations and mandatory standards. [B] The dams and energy sectors share a common set of 8 mandatory standards that are applicable to both sectors, but these standards are counted only once in this total. Source: GAO analysis of agency-provided data, and review of the applicable sections in the U.S. Code and Code of Federal Regulations. [End of figure] Consequently, while 10 sectors have these requirements, 8 do not; those sectors are: * critical manufacturing; * defense industrial base; * emergency services; * government facilities; * information technology; * national monuments and icons; * postal and shipping, and; * telecommunications. The following slides briefly summarize the applicable law, regulations, and mandatory standards, and the sectors in which they apply. (A more detailed description by sector, including authorizing laws, regulatory citations, regulatory agencies, regulated entities, and the statutory and regulatory requirements, is provided in attachment 2.) Results: Objective 1: Law: Applicable law and corresponding sector: There is one law applicable to the drinking water and water treatment systems sector that pertains to securing the sector’s privately owned IT systems and data. The law is the Public Health Security and Bioterrorism Preparedness and Response Act of 2002,[Footnote 8] which required each community water system serving more than 3,300 people to conduct an assessment of its vulnerability to an intentional act meant to substantially disrupt its ability to provide a safe and reliable supply of drinking water.[Footnote 9] The vulnerability assessments were to include, but were not limited to, a review of electronic, computer, or other automated systems that are utilized by the public water system. The act also requires each community to prepare and/or revise and maintain an emergency response plan. Results: Objective 1: Regulations: Applicable regulations and corresponding eight sectors: There are 25 regulations, and they apply in 8 sectors as follows: * 1 in agriculture and food; * 17 in banking and finance; * 1 in chemical; * 1 in commercial facilities; * 1 in energy; * 1 in nuclear reactors, materials, and waste; * 1 in public health and healthcare; and; * 2 in transportation systems. One regulation applies in the agriculture and food sector: * It specifies the security requirements that electronic records and signatures must meet to qualify as equivalent to paper records and signatures, and requires implementation of controls to ensure the authenticity, integrity, confidentiality, and nonrepudiation of electronic records. Seventeen regulations apply in the banking and finance sector. Examples of requirements in these regulations include the following: * Eight regulations establish standards for developing and implementing administrative, technical, and physical safeguards to protect customer information. They require regulated financial institutions to, among other things, have a written information security program designed to (1) ensure the security and confidentiality of customer records and information, (2) protect against any anticipated threats or hazards to the security or integrity of such information, and (3) protect against unauthorized access to or use of the information that would result in substantial harm or inconvenience to any customer. These regulations differ in which entities they apply to, and which agency has regulatory authority. * One regulation requires the identification, assessment, and mitigation of IT security risks. One regulation applies in the chemical sector: * It defines risk-based performance standards that chemical facilities must comply with if they have been determined to present a high risk. Each covered facility must select, develop in their site security plan, and implement risk-based measures designed to deter cyber sabotage, including preventing unauthorized onsite or remote access to critical process controls. One regulation applies in the commercial sector: * It establishes IT internal control standards for gaming operations on Indian land, including ensuring that physical and logical security measures are implemented and adhered to by personnel. One regulation applies in the energy sector: * This regulation requires any organization that has an outstanding loan made or guaranteed by the Department of Agriculture’s Rural Utilities Service for the purpose of rural electrification, or that is seeking such financing, to perform a system security vulnerability and risk assessment, establish and maintain an Emergency Restoration Plan, and maintain records of the physical, cyber, and electrical condition and security of its electric system. One regulation applies in the nuclear reactors, materials, and waste sector: * It requires Nuclear Regulatory Commission licensees to design safeguards to defend against cyber attacks that could cause radiological sabotage. In addition, the commission issued orders that established requirements to meet this regulation, including requiring the development of a cyber security program at each nuclear plant. [Footnote 10] One regulation applies in the public health and healthcare sector: * It requires the implementation of physical and technical safeguards to help protect and control access to electronic protected health information. Two regulations apply in the transportation systems sector: * The first requires covered persons[Footnote 11] to protect information designated by the Department of Homeland Security’s Transportation Security Administration as “Sensitive Security Information” from unauthorized disclosure. * The second requires control systems, including computer-based control systems, of liquefied natural gas facilities to be surrounded by protective enclosures. Results: Objective 1: Mandatory Standards: Applicable mandatory standards and corresponding two sectors: Dams and energy sector entities are affected by the same eight mandatory standards that establish requirements intended to ensure the security of the electronic exchange of information used to support the reliability of the bulk power system. The requirements include: * establishing policies, plans, and procedures to safeguard physical and electronic access to control systems; * training personnel on security matters; * reporting security incidents; and; * preparing to recover from cyber incidents. Results: Objective 2: Federal Legal Requirements’ Enforcement Mechanisms: As shown in figure 3 below, there are multiple types of enforcement mechanisms for the 34 federal requirements applying in the corresponding 10 sectors. These types include court injunctions, civil monetary penalties, criminal penalties, and administrative measures. These mechanisms are typically those that an agency uses to enforce regulations in general, and are not necessarily specific to the requirements for securing privately owned IT systems and data. Figure 3: Examples of enforcement mechanisms for the Applicable Federal Legal Requirements: Type of enforcement mechanism: Administrative orders; Agriculture and food, 21 CFR Part 11: Does not apply; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Does not apply; Banking and finance, 17 CFR, Section 242.301: Does not apply; Banking and finance, 17 CFR, Section 242.600: Does not apply; Banking and finance, 17 CFR, Section 240.6a1-6a4: Does not apply; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Does not apply; Banking and finance, 17 CFR, Section 240.19b4: Does not apply; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Applies; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Does not apply; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Does not apply. Type of enforcement mechanism: Cease and desist orders; Agriculture and food, 21 CFR Part 11: Does not apply; Banking and finance, 12 CFR, Part 30: Applies; Banking and finance, 12 CFR, Part 364: Applies; Banking and finance, 12 CFR, Part 570: Applies; Banking and finance, 12 CFR, Part 208: Applies; Banking and finance, 12 CFR, Part 225: Applies; Banking and finance, 12 CFR, Part 748: Applies; Banking and finance, 12 CFR, Part 248: Applies; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Applies; Banking and finance, 12 CFR, Part 565: Applies; Banking and finance, 12 CFR, Part 609: Applies; Banking and finance, 31 CFR, Part 103: Does not apply; Banking and finance, 17 CFR, Section 242.301: Applies; Banking and finance, 17 CFR, Section 242.600: Applies; Banking and finance, 17 CFR, Section 240.6a1-6a4: Applies; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Applies; Banking and finance, 17 CFR, Section 240.19b4: Applies; Chemical: 6 CFR Part 27: Applies; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Applies; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Does not apply. Type of enforcement mechanism: Censure; Agriculture and food, 21 CFR Part 11: Does not apply; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Applies; Banking and finance, 17 CFR, Section 242.301: Applies; Banking and finance, 17 CFR, Section 242.600: Applies; Banking and finance, 17 CFR, Section 240.6a1-6a4: Applies; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Applies; Banking and finance, 17 CFR, Section 240.19b4: Applies; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Does not apply; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Does not apply. Type of enforcement mechanism: Civil or administrative action; Agriculture and food, 21 CFR Part 11: Does not apply; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Applies; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Does not apply; Banking and finance, 17 CFR, Section 242.301: Does not apply; Banking and finance, 17 CFR, Section 242.600: Does not apply; Banking and finance, 17 CFR, Section 240.6a1-6a4: Does not apply; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Does not apply; Banking and finance, 17 CFR, Section 240.19b4: Does not apply; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Does not apply; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Does not apply. Type of enforcement mechanism: Civil monetary penalty; Agriculture and food, 21 CFR Part 11: Applies; Banking and finance, 12 CFR, Part 30: Applies; Banking and finance, 12 CFR, Part 364: Applies; Banking and finance, 12 CFR, Part 570: Applies; Banking and finance, 12 CFR, Part 208: Applies; Banking and finance, 12 CFR, Part 225: Applies; Banking and finance, 12 CFR, Part 748: Applies; Banking and finance, 12 CFR, Part 248: Applies; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Applies; Banking and finance, 12 CFR, Part 565: Applies; Banking and finance, 12 CFR, Part 609: Applies; Banking and finance, 31 CFR, Part 103: Applies; Banking and finance, 17 CFR, Section 242.301: Applies; Banking and finance, 17 CFR, Section 242.600: Does not apply; Banking and finance, 17 CFR, Section 240.6a1-6a4: Does not apply; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Does not apply; Banking and finance, 17 CFR, Section 240.19b4: Does not apply; Chemical: 6 CFR Part 27: Applies; Commercial facilities: 25 CFR Part 542: Applies; Dams: CIP 002-009: Applies; Drinking water and treatment systems: 42 U.S.C. 300i-2: Applies; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Applies; Nuclear reactors, materials and waste: 10 CFR 73: Applies; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Applies; Transportation systems: 49 CFR Part 193: Applies. Type of enforcement mechanism: Court injunction; Agriculture and food, 21 CFR Part 11: Applies; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Applies; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Applies; Banking and finance, 17 CFR, Section 242.301: Does not apply; Banking and finance, 17 CFR, Section 242.600: Does not apply; Banking and finance, 17 CFR, Section 240.6a1-6a4: Does not apply; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Does not apply; Banking and finance, 17 CFR, Section 240.19b4: Does not apply; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Applies; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Does not apply. Type of enforcement mechanism: Criminal monetary penalty; Agriculture and food, 21 CFR Part 11: Applies; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Applies; Banking and finance, 17 CFR, Section 242.301: Does not apply; Banking and finance, 17 CFR, Section 242.600: Does not apply; Banking and finance, 17 CFR, Section 240.6a1-6a4: Does not apply; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Does not apply; Banking and finance, 17 CFR, Section 240.19b4: Does not apply; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Does not apply; Public health and healthcare: 45 CFR Part 164: Applies; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Applies. Type of enforcement mechanism: Imprisonment; Agriculture and food, 21 CFR Part 11: Applies; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Applies; Banking and finance, 17 CFR, Section 242.301: Does not apply; Banking and finance, 17 CFR, Section 242.600: Does not apply; Banking and finance, 17 CFR, Section 240.6a1-6a4: Does not apply; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Does not apply; Banking and finance, 17 CFR, Section 240.19b4: Does not apply; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Does not apply; Public health and healthcare: 45 CFR Part 164: Applies; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Applies. Type of enforcement mechanism: License modification order; Agriculture and food, 21 CFR Part 11: Does not apply; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Does not apply; Banking and finance, 17 CFR, Section 242.301: Does not apply; Banking and finance, 17 CFR, Section 242.600: Does not apply; Banking and finance, 17 CFR, Section 240.6a1-6a4: Does not apply; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Does not apply; Banking and finance, 17 CFR, Section 240.19b4: Does not apply; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Applies; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Does not apply. Type of enforcement mechanism: Limitations on activities, functions, and operations; Agriculture and food, 21 CFR Part 11: Does not apply; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Does not apply; Banking and finance, 17 CFR, Section 242.301: Applies; Banking and finance, 17 CFR, Section 242.600: Applies; Banking and finance, 17 CFR, Section 240.6a1-6a4: Applies; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Applies; Banking and finance, 17 CFR, Section 240.19b4: Applies; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Applies; Dams: CIP 002-009: Applies; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Applies; Nuclear reactors, materials and waste: 10 CFR 73: Does not apply; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Does not apply. Type of enforcement mechanism: Modification or termination of contract; Agriculture and food, 21 CFR Part 11: Does not apply; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Does not apply; Banking and finance, 17 CFR, Section 242.301: Does not apply; Banking and finance, 17 CFR, Section 242.600: Does not apply; Banking and finance, 17 CFR, Section 240.6a1-6a4: Does not apply; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Does not apply; Banking and finance, 17 CFR, Section 240.19b4: Does not apply; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Applies; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Does not apply; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Does not apply. Type of enforcement mechanism: Personnel actions; Agriculture and food, 21 CFR Part 11: Does not apply; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Does not apply; Banking and finance, 17 CFR, Section 242.301: Does not apply; Banking and finance, 17 CFR, Section 242.600: Does not apply; Banking and finance, 17 CFR, Section 240.6a1-6a4: Does not apply; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Does not apply; Banking and finance, 17 CFR, Section 240.19b4: Does not apply; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Does not apply; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Applies; Transportation systems: 49 CFR Part 193: Does not apply. Type of enforcement mechanism: Registration revocation; Agriculture and food, 21 CFR Part 11: Does not apply; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Does not apply; Banking and finance, 17 CFR, Section 242.301: Applies; Banking and finance, 17 CFR, Section 242.600: Applies; Banking and finance, 17 CFR, Section 240.6a1-6a4: Applies; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Applies; Banking and finance, 17 CFR, Section 240.19b4: Applies; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Does not apply; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Does not apply. Type of enforcement mechanism: Release/non-release of loan funds; Agriculture and food, 21 CFR Part 11: Does not apply; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Does not apply; Banking and finance, 17 CFR, Section 242.301: Does not apply; Banking and finance, 17 CFR, Section 242.600: Does not apply; Banking and finance, 17 CFR, Section 240.6a1-6a4: Does not apply; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Does not apply; Banking and finance, 17 CFR, Section 240.19b4: Does not apply; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Applies; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Does not apply; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Does not apply. Type of enforcement mechanism: Revocation order; Agriculture and food, 21 CFR Part 11: Does not apply; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Does not apply; Banking and finance, 17 CFR, Section 242.301: Does not apply; Banking and finance, 17 CFR, Section 242.600: Does not apply; Banking and finance, 17 CFR, Section 240.6a1-6a4: Does not apply; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Does not apply; Banking and finance, 17 CFR, Section 240.19b4: Does not apply; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Applies; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Does not apply. Type of enforcement mechanism: Suspension order; Agriculture and food, 21 CFR Part 11: Does not apply; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Does not apply; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Does not apply; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Does not apply; Banking and finance, 17 CFR, Section 242.301: Does not apply; Banking and finance, 17 CFR, Section 242.600: Does not apply; Banking and finance, 17 CFR, Section 240.6a1-6a4: Does not apply; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Does not apply; Banking and finance, 17 CFR, Section 240.19b4: Does not apply; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Applies; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Does not apply. Type of enforcement mechanism: Termination of deposit insurance; Agriculture and food, 21 CFR Part 11: Does not apply; Banking and finance, 12 CFR, Part 30: Does not apply; Banking and finance, 12 CFR, Part 364: Applies; Banking and finance, 12 CFR, Part 570: Does not apply; Banking and finance, 12 CFR, Part 208: Does not apply; Banking and finance, 12 CFR, Part 225: Does not apply; Banking and finance, 12 CFR, Part 748: Applies; Banking and finance, 12 CFR, Part 248: Does not apply; Banking and finance, 12 CFR, Part 314: Does not apply; Banking and finance, 12 CFR, Part 1720: Does not apply; Banking and finance, 12 CFR, Part 565: Does not apply; Banking and finance, 12 CFR, Part 609: Does not apply; Banking and finance, 31 CFR, Part 103: Does not apply; Banking and finance, 17 CFR, Section 242.301: Does not apply; Banking and finance, 17 CFR, Section 242.600: Does not apply; Banking and finance, 17 CFR, Section 240.6a1-6a4: Does not apply; Banking and finance, 17 CFR, Sections 240.17a1, 17a3, 17a4: Does not apply; Banking and finance, 17 CFR, Section 240.19b4: Does not apply; Chemical: 6 CFR Part 27: Does not apply; Commercial facilities: 25 CFR Part 542: Does not apply; Dams: CIP 002-009: Does not apply; Drinking water and treatment systems: 42 U.S.C. 300i-2: Does not apply; Energy: 7 CFR Part 1730: Does not apply; Energy: CIP 002-009: Does not apply; Nuclear reactors, materials and waste: 10 CFR 73: Does not apply; Public health and healthcare: 45 CFR Part 164: Does not apply; Transportation systems: 49 CFR Part 1520: Does not apply; Transportation systems: 49 CFR Part 193: Does not apply. Source: GAO analysis of agency-provided data, and selected analysis of the applicable actions in the U.S. Code and Code of Federal Regulations. [End of figure] The following slides briefly describe, by the pertinent 10 critical infrastructure sectors, examples of enforcement mechanisms that federal agency officials responsible for overseeing each sector have identified as the means for enforcing the 34 applicable federal requirements. Results: Objective 2: Enforcement Mechanisms: Agriculture and food: The enforcement mechanisms for the sector’s one applicable regulation are the Food and Drug Administration’s general statutory enforcement mechanisms, including: * court injunction; * civil monetary penalty; * criminal monetary penalty, and; * imprisonment. For example, the statutory Enforcement authority that would be used in enforcing the agriculture and food sector’s regulation provides for a penalty of imprisonment for up to one year, a fine of up to $1,000, or both. Banking and finance: The enforcement mechanisms for the sector’s 17 applicable regulations include: * cease and desist orders; * civil monetary penalty; * criminal monetary penalty; * limitations on activities, functions, and operations; * registration revocation; and; * termination of deposit insurance. For example, the enforcement mechanisms for several of the sector regulations provide the potential for a civil monetary penalty against an enterprise of up to $1 million per day that the enterprise is in violation, if it is found that the violation or conduct was done knowingly and caused, or would be likely to cause, a substantial loss to the enterprise. Chemical: The enforcement mechanisms for the sector’s one applicable regulation include: * civil monetary penalty and; * cease and desist order. For example, a chemical facility can be fined up to $25,000 per day that it is in violation of the regulatory requirements. Commercial facilities: The enforcement mechanisms for the sector’s one applicable regulation include: civil monetary penalty; * limitations on activities, functions, and operations; and; * modification or termination of contract. For example, for any violation, the tribal operator of an Indian game or a management contractor engaged in gaming can be fined up to $25,000 per violation. Dams: The enforcement mechanisms for the sector’s eight applicable mandatory standards include: * civil monetary penalty and; * limitations on activities, functions, and operations. For example, each mandatory standard authorizes the North American Electric Reliability Corporation to place limitations on the activities, functions, and operations of a regulated entity that violates the standards by, for example, failing to perform a cyber vulnerability assessment at least annually. Drinking water and water treatment systems: The enforcement mechanisms for the sector’s law include: * administrative orders; * civil monetary penalty, and; * court injunction. For example, a community water system that did not conduct a system vulnerability assessment could be fined up to $25,000 per violation. Energy: The enforcement mechanisms for the sector’s one applicable regulation include the release/non-release of loan funds, and for the eight applicable mandatory standards include: * civil monetary penalty and; * limitations on activities, functions, and operations. For example, a borrower of loans from the Department of Energy’s Rural Utility Service may not receive loans if found in violation of the regulation. Nuclear reactors, materials, and waste: The enforcement mechanisms for the sector’s one applicable regulation include: * court injunction; * civil monetary penalty; * cease and desist order; * license modification order; * suspension order, and; * revocation order. For example, an entity that violates the regulation could be fined up to $100,000 per day per violation. Public health and healthcare: The enforcement mechanisms for the sector’s one applicable regulation include: * criminal monetary penalty and; * imprisonment. For example, a person who knowingly discloses individually identifiable health information, which is a violation of the underlying statute, may be fined up to $50,000, imprisoned for up to 1 year, or both. Transportation systems: The enforcement mechanisms for the sector’s two applicable regulations include: * civil monetary penalty; * criminal monetary penalty; * imprisonment, and; * personnel actions. For example, if person violates one of the regulations, the person can be fined up to $100,000 for each violation. Agency Comments: In commenting on a draft of the briefing, the sector-specific agencies agreed with the information and provided technical comments, which we have incorporated into the briefing, as appropriate. Attachment 1: Objectives, Scope, and Methodology: Our objectives were to: 1. identify, for each critical infrastructure sector, the federal laws, regulations, and mandatory standards that pertain to securing that sector’s privately owned information technology systems and data, and; 2. identify enforcement mechanisms for each of the above laws, regulations, and mandatory standards. To accomplish the first objective, we solicited information from the federal agencies responsible for overseeing each sector to identify the applicable requirements. A law, regulation, or mandatory standard pertains to securing a private entity’s information technology systems and data if it imposes a physical, administrative, or technical safeguard whose implementation would protect the security, confidentiality, or integrity of data or an IT system, or requires private entities to take certain security measures, such as conducting vulnerability or risk assessments, to identify security weaknesses in their IT systems. We did not include privately owned IT systems and data that are operated on behalf of an agency. In particular, our review did not include systems owned by contractors that are operated on behalf of federal agencies subject to governmentwide computer security and privacy requirements, such as the Federal Information Security Management Act of 2002, that require agencies (e.g. the Department of Defense) to ensure that contractors running agency IT systems meet federal information security requirements. We reviewed, among other things, sections of the United States Code, the Code of Federal Regulations, and federal mandatory standards to confirm the requirements that were applicable for each sector. After reviewing each sector’s specific laws, regulations, and mandatory standards, we requested clarification from the regulating agencies when we were unable to validate the applicability of the requirements. Where we could not reconcile our analysis with the agencies’ interpretations, we reported the characterizations of the federal agencies since they implement and enforce the requirements. To accomplish the second objective, federal agency officials responsible for enforcing the requirements identified in the first objective identified mechanisms and authorities available to the agencies and others to enforce compliance with these requirements. The mechanisms and authorities identified are examples of the enforcement mechanisms available to the agencies, and do not necessarily constitute a complete list. We verified the information provided by the agencies by analyzing the applicable sections of the United States Code,Code of Federal Regulations, and other appropriate sources. We performed our work at federal agencies in the Washington, D.C., metropolitan area from November 2007 to July 2008. We conducted this audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings based on our audit objectives. Attachment 2: Detailed List and Description of Federal Requirements for Securing IT Systems and Data by Sector: The following slides describe, by critical infrastructure sector, the federal laws, regulations, and mandatory standards that pertain to securing privately owned IT systems and data in each sector, as identified by the federal agencies responsible for overseeing each sector. Agriculture and Food Sector: Table 2: Applicable Regulation in the Agriculture and Food Sector: Regulations: 21 CFR Sections 11.10, 11.30, 11.200, 11.300; (Authorizing laws: 21 U.S.C. 321-393); Regulator: Food and Drug Administration (FDA); Regulated entity: FDA-regulated industries, including certain foods, drugs, biologics, medical devices, veterinary products, cosmetics, and radiation-emitting electronic products; Requirements: Specifies security requirements that must be implemented in order for electronic records and electronic signatures to qualify as equivalent to paper records and handwritten signatures. The regulated organizations must implement controls to ensure the authenticity, integrity, confidentiality, and non-repudiation of electronic records. Examples of enforcement mechanisms: Civil monetary penalty, court injunction, criminal monetary penalty, imprisonment; Enforcement authority: 21 U.S.C. 331, 21 U.S.C. 332, 21 U.S.C. 333. Source: Data provided by the FDA and GAO review of the applicable sections in the U.S. Code and Code of Federal Regulations. [End of table] Banking and Finance Sector: Table 3: Applicable regulations in the Banking and Finance Sector: Regulation: 12 CFR Part 30 App. B; (Authorizing laws: 15 U.S.C. 6801 and 6805(b) 15 U.S.C. 1681m(e) and 1681w 12 U.S.C. 1831p-1); Regulator: Office of the Comptroller of Currency; Regulated entity: National banks and federal branches of foreign banks and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisors). Requirements: Establish standards for developing and implementing administrative, technical, and physical safeguards to protect customer information. Require financial institutions to have a written information security program designed to (1) ensure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; (3) protect against unauthorized access to or use of such information that would result in substantial harm or inconvenience to any customer; and (4) ensure the proper disposal of customer and consumer information.[A] Examples of enforcement mechanisms: Civil monetary penalty, cease and desist orders. Administrative actions enforceable via judicial proceedings; Enforcement authority: 12 U.S.C. 1818(b), 1818(c), 1818(i); 12 U.S.C. 1831p-1. Regulation: 12 CFR Part 570 App. B; (Authorizing laws: 15 U.S.C. 6801 and 6805(b) 15 U.S.C. 1681m(e) and 1681w 12 U.S.C. 1831p-1); Regulator: Office of Thrift Supervision; Regulated entity: Savings associations whose deposits are FDIC-insured, their subsidiaries and other entities under OTS supervision (except brokers, dealers, persons providing insurance, investment companies, and investment advisors); Requirements: See requirements of first regulation. Examples of enforcement mechanisms: Civil monetary penalty, cease and desist orders; Enforcement authority: 12 CFR Sections 570.4 and 570.5, 12 U.S.C. 1464(d), 12 U.S.C.1818(a)(2), 1818(a)(8), 1818(b), 1818(c), 1818(i), 1831p-1. Regulation: 12 CFR Part 364 App. B; (Authorizing laws: 15 U.S.C. 6801 and 6805(b)); Regulator: Federal Deposit Insurance Corporation; Regulated entity: Insured state nonmember banks, insured state licensed branches of foreign banks, and any subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers). Requirements: See requirements on slide 47. Examples of enforcement mechanisms: Civil monetary penalty, cease and desist orders, termination of deposit insurance; Enforcement authority: 12 CFR Section 364 App. A, I, iv; 12 CFR Section 308.305; 12 U.S.C.1818(a)(2), 1818(a)(8), 1818(b), 1818(c), 1818(i), 1831p-1. Regulation: 17 CFR Section 248.30; (Authorizing laws: 15 U.S.C. 6801 and 6805(b) 15 U.S.C. 1681m(e) and 1681w 12 U.S.C. 1831p-1); Regulator: Securities and Exchange Commission; Regulated entity: Every broker, dealer, and investment company, and every investment adviser registered with the Securities and Exchange Commission. Requirements: See requirements of first regulation. Examples of enforcement mechanisms: Civil monetary penalty, cease and desist orders, civil injunctive orders; Enforcement authority: 15 U.S.C. 6805; 15 U.S.C. 78o, 78u, 78u-2, and 78u-3; 15 U.S.C. 80a-9 and 80a-41; 15 U.S.C. 80b-3 and 80b-9. Regulation: 12 CFR Part 225, App. F; (Authorizing laws: 15 U.S.C. 6801 and 6805(b) 15 U.S.C. 1681m(e) and 1681w 12 U.S.C. 1831p-1); Regulator: Federal Reserve Board; Regulated entity: Bank holding companies, including financial holding companies, and the U.S. operations of foreign banking organizations. Requirements: See requirements of first regulation. Examples of enforcement mechanisms: Civil monetary penalty, cease and desist orders; Enforcement authority: 12 U.S.C. 1818(b), 1818(c), 1818(i), and 1831p-1. Regulation: 12 CFR Section 208, App. D-2; (Authorizing laws: 15 U.S.C. 6801 and 6805(b) 15 U.S.C. 1681m(e) and 1681w 12 U.S.C. 1831p-1); Regulator: Federal Reserve Board; Regulated entity: State chartered banks that are members of the Federal Reserve System. 12 CFR Section 211.24: Offices of foreign banks 12 CFR Section 211.5: Edge Act corporations and agreement corporations. 12 CFR Section 222.83: State member banks, branches and agencies of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge Act corporations and agreement corporations. Requirements: See requirements of first regulation. Examples of enforcement mechanisms: Civil monetary penalty, cease and desist orders; Enforcement authority: 12 U.S.C. 1818(b), 1818(c), 1818(i), and 1831p-1. Regulation: 12 CFR Section 748.0; (Authorizing laws: 15 U.S.C. 6801 and 6805(b) 15 U.S.C. 1681m(e) and 1681w 12 U.S.C. 1751); Regulator: National Credit Union Administration; Regulated entity: Federally insured credit unions. Requirements: See requirements of first regulation. Examples of enforcement mechanisms: Civil monetary penalty, cease and desist orders, termination of deposit insurance; Enforcement authority: 12 CFR Section 747.0, 12 U.S.C. 1786. Regulation: 16 CFR Section 314.3, 314.4; (Authorizing laws: 15 U.S.C. 6801 and 6805(b)); Regulator: Federal Trade Commission; Regulated entity: All financial institutions over which the Federal Trade Commission has jurisdiction under the Gramm-Leach-Bliley Act. Requirements: Require financial institutions to develop, implement, and maintain a comprehensive written information security program that contains administrative, technical, and physical safeguards that are appropriate to the size and complexity of the entity, the nature and scope of its activities, and the sensitivity of any customer information these institutions handle. In addition, financial institutions are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information that they handle. Examples of enforcement mechanisms: Civil and administrative action. A wide range of remedies is available in either form; for example, courts may order restitution and disgorgement. Enforcement authority: 15 U.S.C. 45, 53(b), 6805(b). Regulation: 12 CFR Section 555.210; (Authorizing laws: 12 U.S.C. 1462a, 1463(a)(c) 1464(d), 1467(g)); Regulator: Office of Thrift Supervision; Regulated entity: Federal savings associations providing products and services through electronic means. Requirements: Sets forth requirements for Federal savings associations that provide products and services through electronic means. Requires these financial institutions to identify, assess, and mitigate risks, and prevent unauthorized access to information. Examples of enforcement mechanisms: Civil monetary penalty, cease and desist order; Enforcement authority: 12 U.S.C. 1818(b), 1818(j), 12 U.S.C. 1464(d), 12 U.S.C. 1831p-1. Regulation: 12 CFR Section 1720, App. C; (Authorizing law: 12 U.S.C. 4501 et seq); Regulator: Office of Federal Housing Enterprise Oversight; Regulated entity: Federal National Mortgage Association and the Federal Home Loan Mortgage Corporation, otherwise respectively known as Fannie Mae and Freddie Mac. Requirements: Contain policy guidance that establishes standards for Fannie Mae and Freddie Mac concerning administrative, technical, and physical safeguards to ensure the security, confidentiality, and integrity of information. Examples of enforcement mechanisms: Civil monetary penalty, cease and desist proceedings; Enforcement authority: 12 U.S.C. 4631(c) and (d), 12 U.S.C. 4636. Regulation: 31 CFR Sections 103.100, 103.110; (Authorizing law: 31 U.S.C. 5311 Note); Regulator: Department of the Treasury; Regulated entity: 31 CFR Section 103.100: Financial institutions described in 31 U.S.C. 5312(a)(2). 31 CFR Section 103.110: Financial institutions described in 31 U.S.C. 5312(a)(2) that are required to establish and maintain an anti-money-laundering program, or are treated as having satisfied the requirements of 31 U.S.C. 5318(h)(1). Requirements: Require each financial institution to maintain adequate procedures, as established in 15 U.S.C. 6801 and applicable regulations issued thereunder, to protect the security and confidentiality of requests from the Financial Crimes Enforcement Network for information under this section regarding terrorist activity or money laundering. Examples of enforcement mechanisms: Civil monetary penalty, criminal monetary penalty, court injunction; Enforcement authority: 31 U.S.C. 5320, 5321, 5322. Regulation: 17 CFR Section 242.301(b)(6); (Authorizing laws: 15 U.S.C. 78c, 78e, 78f, 78k-1, 78o, 78q(a), 78q(b), 78s(b), 78w(a), and 78mm.); Regulator: Securities and Exchange Commission; Regulated entity: Alternative trading systems that meet or exceed 20 percent of nationwide securities trading volume under Section 301(b)(6) of 17 CFR Section 242.300 et seq. Requirements: Requires alternative trading systems that meet or exceed 20 percent of nationwide securities trading volume to meet standards regarding capacity, security, and resiliency under the Automation Review Program. Examples of enforcement mechanisms: Civil monetary penalty, revocation of registration, censure, suspension or limitation of activities, cease-and-desist orders; Enforcement authority: 15 U.S.C. 78s(h), 15 U.S.C. 78u-3. Regulation: 17 CFR Sections 242.600 et seq. (Authorizing law: 15 U.S.C 78k-1); Regulator: Securities and Exchange Commission; Regulated entity: Exchanges, clearing agencies, and broker-dealers. Requirements: Authorizes the Commission to maintain fair and orderly markets and adopt rules to establish a national market system. Pursuant to Section 11A, the Commission adopted the Automation Review Policies, which establish a voluntary framework for the national securities exchanges and national securities associations to establish comprehensive planning and assessment programs to determine systems capacity and vulnerability. [B] Examples of enforcement mechanisms: Revocation or suspension of registration; censure; limitation of activities, functions, and operations; cease and desist orders; Enforcement authority: 15 U.S.C 78s(h), 17 CFR Section 240.19h-1, 15 U.S.C. 78u(C). Regulation: 17 CFR Sections 240.6a-1–6a-4; (Authorizing law: 15 U.S.C 78f); Regulator: Securities and Exchange Commission; Regulated entity: National securities exchanges; Requirements: Require exchanges to be so organized, and have the capacity to be able to carry out the purposes of the Exchange Act, and require exchanges to file reports with the Commission. Securities Exchange Commission officials stated that this includes requiring exchanges to maintain adequately secure IT systems to meet the Exchange Act requirements, and to maintain security of IT systems to ensure the accuracy of the reports filed with the Commission. Examples of enforcement mechanisms: Revocation or suspension of registration; censure; limitation of activities, functions, and operations; cease and desist orders; Enforcement authority: 15 U.S.C 78s(h), 17 CFR 240.19h- 1, 15 U.S.C. 78u(c). Regulation: 17 CFR Section 240.19b-4; (Authorizing law: 15 U.S.C 78s(b)); Regulator: Securities and Exchange Commission; Regulated entity: Exchanges and clearing agencies. Requirements: Requires the national securities exchange and national securities associations to file proposed rule changes with the commission. According to Securities and Exchange Commission officials, proposed rule changes filed under Section 19(b) of the Exchange Act and rules thereunder often contain information that relates directly to IT security,such as a description of a new trading system or trading algorithm. This information helps the Commission staff prevent disruptions to the nation’s securities markets by identifying potential system vulnerabilities. Examples of enforcement mechanisms: Revocation or suspension of registration; censure; limitation of activities, functions, and operations; cease and desist orders; Enforcement authority: 15 U.S.C 78s(h); 17 CFR Section 240.19h-1; 15 U.S.C. 78u(c). Regulation: 17 CFR Sections 240.17a-1, 17a-3, 17a-4; (Authorizing law: 15 U.S.C 78q-1); Regulator: Securities and Exchange Commission; Regulated entity: Every national securities exchange, national securities association, registered clearing agency, and the Municipal Securities Rulemaking Board, and every member of a national securities exchange who transacts a business in securities directly with others than members of a national securities exchange, and every broker or dealer who transacts a business in securities through the medium of any such member. Requirements: Establish requirements for all exchanges, clearing agencies, and broker-dealers to make and keep records of all documents, and provide these records to the Securities Exchange Commission during inspections and otherwise. Examples of enforcement mechanisms: Revocation or suspension of registration; censure; limitation of activities, functions, and operations; cease and desist orders; Enforcement authority: 15 U.S.C 78s(h); 17 CFR Section 240.19h-1; 15 U.S.C. 78u(c). Regulation: 12 CFR Sections 609.930, 609.940, 609.945; (Authorizing law: 12 U.S.C. 2001 et seq.); Regulator: Farm Credit Administration; Regulated entity: Farm Credit System Institutions, which include a network of cooperatively organized banks and associations that are owned and controlled by their borrowers. Requirements: Requires Farm Credit System institutions to adopt e- commerce policies and procedures to ensure the institution’s safety and soundness. These policies and procedures must address, when applicable, the security and integrity of System Institution and borrower data, and intrusion detection and management. Requires institutions’ internal systems and controls to provide reasonable assurances that System institutions will prevent and detect material deficiencies on a timely basis. Examples of enforcement mechanisms: Civil monetary penalty; cease and desist proceedings, including suspension or removal of directors or officers; and administrative actions enforceable via judicial proceedings; Enforcement authority: 12 U.S.C. 2261–2269; 12 CFR Part 622. Source: Data provided by the Board of Governors of the Federal Reserve System, the Department of the Treasury, the Federal Deposit Insurance Corporation, the Federal Trade Commission, the National Credit Union Administration, the Office of the Comptroller of the Currency, the Office of Federal Housing Enterprise Oversight, the Office of Thrift Supervision, the U.S. Securities and Exchange Commission, and the Farm Credit Administration; and GAO review of the applicable sections in the U.S. Code and Code of Federal Regulations. [A] According to agency officials, the Office of the Comptroller of Currency, the Office of Thrift Supervision, the Federal Deposit Insurance Corporation, and Board of Governors of the Federal Reserve System also may enforce standards set forth in supervisory guidance, such as the Information Security Handbooks issued under the auspices of the Federal Financial Institutions Examination Council, if the failure to comply with the guidance is an unsafe and unsound banking practice. [B] According to Security Exchange Commission officials, in addition to the previous two regulations, Sections 6(b)(1) and 11A(a)(1) of the Securities Exchange Act of 1934 authorize the Commission to maintain fair and orderly markets and ensure that exchanges are able to carry out the purposes of the Exchange Act. Pursuant to that authority, the Commission’s Division of Trading and Markets conducts an inspection program, the Automation Review Program, which focuses on, among other items, the IT security of the organized markets and clearing organizations. Under the Automation Review Program, the Division conducts inspections of the markets and clearing organizations to determine whether those organizations meet ever-evolving industry standards regarding IT security. [End of table] Chemical Sector: Table 4: Applicable Regulation in the Chemical Sector: Regulation: 6 CFR Sections 27.215, 27.225, 27.230, 27.235, 27.240, 27.245; (Authorizing law: Pub. L. No. 109-295, sec. 550); Regulator: Department of Homeland Security (DHS); Regulated entity: Chemical facilities determined by the Assistant Secretary for Infrastructure Protection, DHS, or his designee, to present high levels of security risk, or a facility that the Assistant Secretary has determined is presumptively high risk. Requirements: Require every covered facility to satisfy the risk-based performance standards identified in the regulation.[A] Each covered facility must select, develop in its site security plan, and implement, risk-based measures designed to deter cyber sabotage, including preventing unauthorized onsite or remote access to critical process controls, such as supervisory control and data acquisition systems, critical business systems, and other sensitive computerized systems. Examples of enforcement mechanisms: Order assessing civil monetary penalty, order to cease operation [B]. Enforcement authority: 6 CFR Section 27.300 Source: Data provided by DHS and GAO review of the applicable sections in the U.S. Code and Code of Federal Regulations. [A] According to DHS officials, these risk-based performance standards have not been finalized by DHS or submitted to the Office of Management and Budget for approval, and therefore are not yet enforceable. [B] To ensure compliance, the regulation also allows DHS to review and approve security vulnerability assessments and site security plans. DHS is also authorized to conduct inspections and audits. [End of table] Commercial Facilities Sector: Table 5: Applicable Regulation in the Commercial Facilities Sector: Regulation: 25 CFR Section 542.16; (Authorizing laws: 25 U.S.C. 2702, 2706); Regulator: National Indian Gaming Commission, Department of the Interior; Regulated entity: Gaming operations on Indian land. Requirements: Establishes information technology internal control standards for gaming operations on Indian land. It requires management to take an active role in ensuring that physical and logical security measures are implemented, maintained, and adhered to by personnel, and requires incompatible duties to be adequately segregated and monitored. Examples of enforcement mechanisms: Civil monetary penalty, temporary closure of game, permanent closure, modification or termination of any management contract; Enforcement authority: 25 U.S.C. 2713, 25 CFR Section 542.3[A]. Source: Data provided by DHS and the Federal Deposit Insurance Corporation, and GAO review of the applicable sections in the U.S. Code and Code of Federal Regulations. [A] The regulation also provides for Certified Public Accountant testing as well as Commission enforcement action (after notice to Tribe and Tribal gaming regulatory authority, and opportunity for corrective action). [End of table] Dams Sector: Table 6: Applicable Mandatory Standards in the Dams Sector: Mandatory Standard: Reliability Standards CIP 002–009 (Authorizing law: 16 U.S.C. 824o); Regulator: Federal Energy Regulatory Commission; Regulated entity: Reliability coordinators; balancing and interchange authorities; transmission service providers, owners, and operators; generator owners and operators; load serving entities; the North American Electric Reliability Corporation; and regional reliability organizations. Requirements: Establishes requirements to help ensure the security of the electronic exchange of information that is needed to support the reliability of the bulk power system, and to help prevent unauthorized physical or electronic access to critical cyber assets, The eight standards require certain users, owners, and operators of the bulk power system to establish policies, plans, and procedures to safeguard physical and electronic access to control systems; identify and protect critical cyber assets; train personnel on security matters; report security incidents; and be prepared to recover from a cyber incident. Examples of enforcement mechanisms: Civil monetary penalty, sanctions, and remedial actions, including limitations on activities,functions, and operations; Enforcement authority: 16 U.S.C. 824o and the North American Electric Reliability Corporation Rules of Procedure, Appendix 4B Sanction Guidelines as approved by the Federal Energy Regulatory Commission. Source: Data provided by DHS and GAO review of the applicable sections in the U.S. Code and Code of Federal Regulations. [End of table] Drinking Water and Water Treatment Systems Sector: Table 7: Applicable Law in the Drinking Water and Water Treatment Systems Sector: Laws: 42 U.S.C. 300i-2; Regulated entity: Community water systems serving more than 3,300 people. Requirements: Required each community water system to conduct an assessment of the vulnerability of its system to a terrorist attack or other intentional acts intended to substantially disrupt the ability of the system to provide a safe and reliable supply of drinking water. The law required these assessments to be submitted to the U.S. Environmental Protection Agency. The vulnerability assessments were to include, but were not limited to, a review of electronic, computer, or other automated systems which are utilized by the public water system. Required each regulated system to prepare or revise an emergency response plan based on the results of their vulnerability assessments. Each regulated system had to certify in writing to the Environmental Protection Agency that its emergency response plan was completed.[A] Examples of enforcement mechanisms: Civil monetary penalty, administrative orders, court injunction; Enforcement authority: 42 U.S.C. 300g-3. Source: Data provided by the Environmental Protection Agency and GAO review of the applicable sections in the U.S. Code and Code of Federal Regulations. [A] These assessments were to be completed by March 31, 2003, in the case of systems serving a population of 100,000 or more; December 31, 2003, in the case of systems serving a population of 50,000 or more but less than 100,000; or June 30, 2004, in the case of systems serving a population greater than 3,300 but less than 50,000. [End of table] Energy Sector: Table 8: Applicable Regulations in the Energy Sector: Regulation: 7 CFR Sections 1730.20, 1730.21, 1730.22, 1730.27, 1730.28; (Authorizing laws: 42 U.S.C. 5195c(e) 7 U.S.C. 901 et seq., 1921 et seq., 6941 et seq.); Regulator: U.S. Department of Agriculture’s Rural Utilities Service; Regulated entity: All electric borrowers,[A] including both distribution borrowers and power supply borrowers. Requirements: Requires each electric borrower to perform a system security vulnerability and risk assessment; establish and maintain an Emergency Restoration Plan; and maintain records of the physical, cyber, and electrical condition and security of its electric system. Examples of enforcement mechanisms: Release/non-release of loan funds pending verification of an Emergency Restoration Plan; Enforcement authority: 7 CFR Sections 1730.2, 1730.20, 1730.21, 1730.22, 1730.25, 1730.26. Source: Data provided by the Department of Agriculture; and GAO review of the applicable sections in the U.S. Code and Code of Federal Regulations. [A] A borrower is any organization that has an outstanding loan made or guaranteed by the Rural Utilities Service for rural electrification, or that is seeking such financing. [End of table] Energy Sector: Table 9: Applicable Mandatory Standards in the Energy Sector: Mandatory Standards: Reliability Standards CIP 002–009; (Authorizing law: 16 U.S.C. 824o); Regulator: Federal Energy Regulatory Commission; Regulated entity: Reliability coordinators; balancing and interchange authorities; transmission service providers, owners, and operators; generator owners and operators; load serving entities; the North American Electric Reliability Corporation; and regional reliability organizations. Requirements: These requirements are the same for the standards detailed in the dams sector. Examples of enforcement mechanisms: Civil monetary penalty, sanctions, and remedial actions, including limitations on activities, functions, and operations Enforcement authority: 16 U.S.C. 824o and the North American Electric Reliability Corporation Rules of Procedure, Appendix 4B Sanction Guidelines as approved by the Federal Energy Regulatory Commission. Source: Data provided by the Department of Energy, DHS, and the Department of Agriculture; and GAO review of the applicable sections in the U.S. Code and Code of Federal Regulations. [End of table] Nuclear Reactors, Materials, and Waste Sector: Table 10: Applicable Regulation in the Nuclear Reactors, Materials, and Waste Sector: Regulation: 10 CFR Section 73.1; (Authorizing laws: 42 U.S.C 10155, 10161); Regulator: Nuclear Regulatory Commission; Regulated entity: Entities authorized to conduct activities under a license issued by the Nuclear Regulatory Commission. Requirements: Requires licensees to design safeguards to defend against specified threats, including cyber attacks, that could cause radiological sabotage, and to prevent the theft or diversion of formula quantities of special nuclear material. Subsequent Nuclear Regulatory Commission orders revised the specified threats; added additional requirements, including requiring nuclear power plants to identify digital systems that are critical to the operation of the facility and to identify potential consequences to the facility if these systems are affected; and established requirements for the development of a cyber security program at each nuclear plant.[A] Examples of enforcement mechanisms: Civil monetary penalty, injunction or other court order, license modification order, suspension order, revocation order, cease and desist orders; Enforcement authority: 10 CFR Section 73.80, 73.81, Atomic Energy Act of 1954, as amended. Source: Data provided by DHS and GAO review of the applicable sections in the U.S. Code and Code of Federal Regulations. [A] According to Nuclear Regulatory Commission officials, new regulations that pertain to securing privately owned IT systems and data are in the rulemaking process. If promulgated, they are meant to revise 10 CFR 73.1. The regulations are intended to establish requirements for establishing a cyber security program, including performing a cyber-security assessment, incident response and recovery operations, implementing protective strategies, and implementing a cyber security and awareness training program. The Nuclear Regulatory Commission expects to present the proposed regulations to their Executive Board in September 2008, and the final rulemaking to occur in early 2009. [End of table] Public Health and Healthcare Sector: Table 11: Applicable Regulation in the Public Health and Healthcare Sector: Regulation: 45 CFR Sections 164.306, 164.310, 164.312, 164.314; (Authorizing Law: 42 U.S.C. 1320d-2); Regulator: Department of Health and Human Services; Regulated entity: Health plans, health care clearinghouses, and health care providers who transmit any health information in electronic form. Requirements: This regulation requires the implementation of physical and technical safeguards to help protect electronic protected health information and control access to it. Examples of enforcement mechanisms: Criminal monetary penalty, imprisonment; Enforcement authority: 42 U.S.C. 1320d-5, 1320d-6. Source: Data provided by the Department of Health and Human Services and GAO review of the applicable sections in the U.S. Code and Code of Federal Regulations. [End of table] Transportation Systems Sector: Table 12: Applicable Regulations in the Transportation Systems Sector: Regulation: 49 CFR Section 1520.9; (Authorizing law: 49 U.S.C. 114(s)); Regulator: Department of Homeland Security, Transportation Security Administration; Regulated entity: All covered persons[A] whom have access to Sensitive Security Information.[B] Requirements: Requires covered persons to take reasonable steps to safeguard Sensitive Security Information from unauthorized disclosure. Examples of enforcement mechanisms: Civil monetary penalty, personnel actions; Enforcement authority: 49 CFR Section 1520.17. Regulation: 49 CFR Section 193.2905; (Authorizing laws: 49 U.S.C. 60102, 60103); Regulator: Department of Transportation; Regulated entity: Liquefied natural gas facilities used in the transportation of gas by pipeline. Requirements: Requires control systems, including IT control systems, of liquefied natural gas facilities to be surrounded by a protective enclosure. Examples of enforcement mechanisms: Civil monetary penalty, criminal monetary penalty, imprisonment; Enforcement authority: 49 U.S.C. 60122, 60123. Source: Data provided by DHS and GAO review of the applicable sections in the U.S. Code and Code of Federal Regulations. [A] Covered persons include public and private sector employees including those employed by, contracted to, or acting for DHS or the Department of Transportation, owners and operators of maritime facilities, and airport and aircraft operators. [B] The regulation defines Sensitive Security Information as information obtained or developed in the conduct of security activities, and the disclosure of which the Transportation Security Administration has determined would (1) constitute an unwarranted invasion of privacy, (2) reveal trade secrets or privileged or confidential information, or (3) be detrimental to the security of transportation. [End of table] [End of section] Footnotes: [1] See, for example, Homeland Security Presidential Directive 7. [2] These requirements do not necessarily pertain to just critical IT systems and data. Further, these requirements do not necessarily apply to all of a sector's entities, require all of an entity's IT systems and data to be secure, or provide for comprehensive coverage of the polices and procedures necessary to ensure adequate security. Lastly, in the absence of a law, regulation, or mandatory standard in a particular sector there may be other mechanisms or motives for protecting privately owned IT systems and data. [3] We did not include the authorizing laws for the regulations and mandatory standards. [4] These requirements do not necessarily pertain [specifically? solely?] to critical infrastructure IT systems and data. [5] GAO, Critical Infrastructure Protection: Sector-Specific Plans’ Coverage of Key Cyber Security Elements Varies, [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-08-111] (Washington, D.C.: Oct. 31, 2007). [6] We did not include the authorizing laws for the regulations and mandatory standards unless the law specifically references cybersecurity. [7] These requirements do not necessarily pertain to critical infrastructure IT systems and data. Further, these requirements do not necessarily apply to all of a sector’s entities, require all of an entity’s IT systems and data to be secure, or provide for comprehensive coverage of the polices and procedures necessary to ensure adequate security. Lastly, in the absence of a law, regulation, or mandatory standard in a particular sector there may be other mechanisms or motives for protecting privately owned IT systems and data. [8] Section 401 of Title IV of the Public Health Security and Bioterrorism Preparedness and Response Act amends The Safe Drinking Water Act, which is title XIV of the Public Health Service Act. [9] These assessments were to be completed and certified to the Environmental Protection Agency administrator prior to March 31, 2003, in the case of systems serving a population of 100,000 or more; December 31, 2003, in the case of systems serving a population of 50,000or more but less than 100,000; or June 30, 2004, in the case of systems serving a population greater than 3,300 but less than 50,000. [10] Commission officials stated that another regulation is being developed that they anticipate will include requirements for establishing a cyber security program, performing cyber security assessments, establishing incident response and recovery operations, and implementing a cyber security and awareness training program. [11] Covered persons include, for example, those employed by, contracted to, or acting for DHS or the Department of Transportation, owners and operators of maritime facilities, and airport and aircraft operators. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Mail or Phone: The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. Government Accountability Office: 441 G Street NW, Room LM: Washington, D.C. 20548: To order by Phone: Voice: (202) 512-6000: TDD: (202) 512-2537: Fax: (202) 512-6061: To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: