Critical Infrastructure Protection:

OMB Leadership Needed to Strengthen Agency Planning Efforts to Protect Federal Cyber Assets

GAO-10-148: Published: Oct 15, 2009. Publicly Released: Nov 16, 2009.

Contact:

David A. Powner
(202) 512-3000
contact@gao.gov


Because the nation's critical infrastructure relies on information technology systems and data, the security of those assets is critical to ensuring national security and public safety. In 2003, the President directed federal agencies to (1) develop plans for the protection of their computer-related (cyber) critical infrastructure assets and (2) submit them for approval to the Office of Management and Budget (OMB) by July 31, 2004. To help agencies do this, OMB issued guidance with 19 criteria deemed essential for effective cyber critical infrastructure protection planning that were required to be included in the plans. GAO was asked to determine (1) the extent to which agencies developed their plans and whether they submitted them to OMB by the deadline and (2) whether the plans met criteria in OMB's guidance. To do this, GAO reviewed plans from 24 agencies, many of which own and operate key government cyber and other critical infrastructure; reviewed OMB documentation; interviewed officials; and compared submitted plans to relevant criteria.

Key federal agencies developed and submitted cyber critical infrastructure protection plans or related documentation to OMB in response to the President's direction (Homeland Security Presidential Directive 7) and associated OMB guidance. Specifically, of the 24 agencies, 18 submitted plans, while the remaining 6, as allowed by the guidance, provided documentation in lieu of plans stating that they neither owned nor operated any of the nation's cyber critical infrastructure. The agencies submitted their plans and documentation to OMB by the July 31, 2004, deadline. Agencies' plans, in large part, did not fully address the 19 cyber and related requirements specified in OMB's guidance. Specifically, only 4 of the 18 plans fully addressed all the criteria. While the other 14 plans fully addressed at least 8 criteria, they only partially addressed or did not address others--such as prioritizing key assets and documenting a strategy to protect them--that are essential for effectively planning for the protection of cyber assets. Since the development of these plans, 8 agencies whose plans did not fully meet OMB's criteria have engaged in other critical infrastructure protection planning and related efforts that addressed some, but not all, of their shortfalls. The shortfalls in meeting OMB's guidance are attributable, in part, to OMB not making these plans a priority and managing them as such by, for example, following up on a regular basis to assess whether agencies are updating their plans to fully address the requirements and are effectively implementing them. When agencies submitted their initial plans, OMB reviewed and provided feedback on their adequacy, but did not follow up to verify that agencies had revised their plans to incorporate OMB feedback or to determine whether planning was being implemented and institutionalized. OMB attributed this to its attention being focused on other competing issues. In addition, OMB did not direct agencies to periodically update their plans. Without more sustained leadership, management, and oversight in this area, there is an increased risk that federal agencies individually, and the federal government collectively, will not effectively identify, prioritize, and protect their critical cyber assets, leaving them vulnerable to efforts to destroy, incapacitate, or exploit them.

Recommendations for Executive Action

  1. Status: Closed - Not Implemented

    Comments: On February 12, 2013, Presidential Policy Directive 21 revoked HSPD-7, which had required federal agencies to develop cyber-related critical infrastructure protection plans. We periodically requested that OMB provide an update on this recommendation and on how the revocation affected its implementation. Efforts to obtain updated information from OMB on the status of this report's recommendations were not successful. Research of OMB policies and publicly available documentation did not provide any evidence of actions taken to address this recommendation. Although PPD 21 states that agencies are responsible for having plans that address the protection of their critical infrastructure as part of national continuity planning efforts, the directive does not direct agencies to update their cyber-related critical infrastructure protection plans. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, also released in February 2013, does not provide such direction either.

    Recommendation: The Director of OMB should provide leadership and oversight in directing federal cyber critical infrastructure planning efforts and make them a management priority by directing the federal agencies to expeditiously update their plans to fully address OMB's cyber critical infrastructure planning requirements.

    Agency Affected: Executive Office of the President: Office of Management and Budget

  2. Status: Closed - Not Implemented

    Comments: On February 12, 2013, Presidential Policy Directive 21 revoked HSPD-7, which had required federal agencies to develop cyber-related critical infrastructure protection plans. We periodically requested that OMB provide an update on this recommendation and on how the revocation affected its implementation. Efforts to obtain updated information from OMB on the status of this report's recommendations were not successful. Research of OMB policies and publicly available documentation did not provide any evidence of actions taken to address this recommendation. Although PPD 21 states that agencies are responsible for having plans that address the protection of their critical infrastructure as part of national continuity planning efforts, the directive does not direct agencies to update their cyber-related critical infrastructure protection plans. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, also released in February 2013, does not provide such direction either.

    Recommendation: The Director of OMB should provide leadership and oversight in directing federal cyber critical infrastructure planning efforts and make them a management priority by following up, as appropriate, to see that agencies are making sure updated plans fully meet OMB requirements and are being effectively implemented. At a minimum, this should include having agency heads report to OMB when updated plans have been completed and that the plans fully meet OMB requirements and are being effectively implemented.

    Agency Affected: Executive Office of the President: Office of Management and Budget
