
Critical Infrastructure Protection: DHS Efforts to Assess and Promote Resiliency Are Evolving but Program Management Could Be Strengthened

GAO-10-772 Published: Sep 23, 2010. Publicly Released: Oct 25, 2010.

Highlights

According to the Department of Homeland Security (DHS), protecting and ensuring the resiliency (the ability to resist, absorb, recover from, or successfully adapt to adversity or changing conditions) of critical infrastructure and key resources (CIKR) is essential to the nation's security. By law, DHS is to lead and coordinate efforts to protect several thousand CIKR assets deemed vital to the nation's security, public health, and economy. In 2006, DHS created the National Infrastructure Protection Plan (NIPP) to outline the approach for integrating CIKR and increased its emphasis on resiliency in its 2009 update. GAO was asked to assess the extent to which DHS (1) has incorporated resiliency into the programs it uses to work with asset owners and operators and (2) is positioned to disseminate information it gathers on resiliency practices to asset owners and operators. GAO reviewed DHS documents, such as the NIPP, and interviewed DHS officials and 15 owners and operators of assets selected on the basis of geographic diversity. The results of these interviews are not generalizable but provide insights.

Recommendations

Recommendations for Executive Action

Agency Affected Recommendation Status
Agency Affected: Directorate of Information Analysis and Infrastructure Protection
Recommendation: To better ensure that DHS's efforts to incorporate resiliency into its overall CIKR protection efforts are effective and completed in a timely and consistent fashion, the Assistant Secretary for Infrastructure Protection should develop performance measures to assess the extent to which asset owners and operators are taking actions to resolve resiliency gaps identified during the various vulnerability assessments.
Status: Closed – Implemented
In 2010, we reported that DHS had increased its emphasis on critical infrastructure resiliency in the National Infrastructure Protection Plan (NIPP) in response to concerns that DHS was placing emphasis on protection rather than resilience. Consistent with these changes, DHS had also taken actions to increase its emphasis on resilience in the programs and tools it uses to assess vulnerability and risk that are designed to help owners and operators identify resiliency characteristics and gaps. We reported that these actions continue to evolve and could be improved through the development of performance measures to assess the extent to which asset owners and operators are taking actions in response to the various vulnerability assessments. DHS concurred with the recommendation and, in its 60-day status update on efforts to implement the recommendations, reported that performance measures related to assessing the impact of Office of Infrastructure Protection (IP) assessments on improving the protection and resilience of critical infrastructure had been developed. In November 2013, DHS informed us that IP developed performance metrics to determine the percent of facilities that planned, started, or implemented at least one security enhancement that raises the facility's Protective Measure Index (PMI) or Resilience Index (RI) score after receiving an Infrastructure Protection vulnerability assessment or survey. As of August 2014, 89.5 percent (154 of 172) of organizations that received the results of the ECIP Security Survey or SAV during the second quarter of fiscal year 2014 responded they "Agree" or "Strongly Agree" in response to the performance metric "My organization is likely to integrate the information provided by the ECIP Security Survey or SAV into its future security or resilience enhancements." Officials noted that they are also in discussions to finalize and approve new metrics in fiscal year 2014. These actions satisfy the intent of our recommendation.
Agency Affected: Directorate of Information Analysis and Infrastructure Protection
Recommendation: To better ensure that DHS's efforts to incorporate resiliency into its overall CIKR protection efforts are effective and completed in a timely and consistent fashion, the Assistant Secretary for Infrastructure Protection should update PSA guidance that discusses the role PSAs play during interactions with asset owners and operators with regard to resiliency, which could include how PSAs work with them to emphasize how resiliency strategies could help them mitigate vulnerabilities and strengthen their security posture and provide suggestions for enhancing resiliency at particular facilities.
Status: Closed – Implemented
In 2010 we reported that DHS had increased its emphasis on critical infrastructure resiliency in the National Infrastructure Protection Plan (NIPP) in response to concerns that DHS was placing emphasis on protection rather than resilience. Recognizing that Protective Security Advisors (PSAs) serve as liaisons between DHS and security stakeholders, to include asset owners and operators, in local communities, we reported that although DHS had begun to train PSAs about resiliency and how it applies to the owners and operators they interact with, DHS had not updated PSAs' guidance that outlined their roles and responsibilities to reflect DHS' growing emphasis on resiliency. In response to our report, DHS reported that the PSA program is actively updating PSA program guidance to reflect the evolving concept of critical infrastructure resilience. In May 2011, DHS reported that they had developed information for deployed PSAs summarizing the process for restoring critical infrastructure operations. In addition, in May 2011, DHS reported that all 93 PSAs and a number of PSA Program headquarters support staff received two days of focused resiliency training during the April 2011 PSA Bi-annual Meeting. The training focused on the three key features of resilience: robustness, resourcefulness and recovery. This training also addressed the growing impact that interdependencies within critical infrastructure have on determining facility, sector, or regional resilience. According to DHS, this training provided PSAs with the knowledge and skills to communicate the key concepts of resilience and its importance to infrastructure security across the Nation to facility owners and operators.
Agency Affected: Department of Homeland Security
Recommendation: The Secretary of Homeland Security should assign responsibility to one or more organizations within DHS to determine the feasibility of overcoming barriers and developing an approach for disseminating information on resiliency practices to CIKR owners and operators within and across sectors.
Status: Closed – Implemented
Related to its efforts to develop or update its programs designed to assess vulnerability of asset owners and operators, individual facilities, and groups of facilities, DHS has considered how it can disseminate information on resiliency and practices it gathers or plans to gather with asset owners and operators within and across sectors. However, it faces barriers in doing so because it would have to overcome perceptions that it is advancing or promoting standards that have to be adopted and concerns about sharing proprietary information. We recognize that DHS would face challenges disseminating information about resiliency practices within and across sectors. Nonetheless, as the primary federal agency responsible for coordinating and enhancing the protection and resilience of critical infrastructure across the spectrum of Critical Infrastructure and Key Resources (CIKR) sectors, DHS is uniquely positioned to disseminate this information. Recognizing that DHS would face challenges disseminating information about resiliency practices within and across sectors, especially since resiliency can mean different things to different sectors, we recommended that the Secretary of Homeland Security assign responsibility to one or more organizations within DHS to determine the feasibility of overcoming barriers and developing an approach for disseminating information on resiliency practices to CIKR owners and operators within and across sectors. Initially, DHS did not concur with the recommendation, but agreed to expand the distribution of resiliency products to CIKR stakeholders. However, in April 2010, the DHS Office of Policy created a Resilience Integration Team (RIT) composed of representatives of various DHS components and intended to develop new resilience initiatives. In March 2012, DHS formed an Office of Resiliency Policy (ORP) to coordinate and promulgate resiliency strategies throughout the Department. 
Officials representing ORP stated that, among other things, the RIT is designed to disseminate resilience concepts and is developing a resilience STAR program--a voluntary certification program intended to provide incentives to convey resiliency standards and practices to make buildings and homes more resilient. According to ORP officials, DHS would like to expand the Resiliency Star program to other industry sectors and intends to introduce pilot projects that would identify resilience criteria that could be used for the program. The Director of the Office of Resilience Policy stated that he believes that the RIT would be in a good position to take the lead on developing an approach for disseminating resilience information consistent with our recommendation. In November 2013, DHS reported that as DHS's collection of data and knowledge has grown through assessments and other activities, DHS has begun to expand the distribution of resilience products to critical infrastructure partners. These documents are to provide information on characteristics of critical infrastructure resilience. These documents are part of DHS's Infrastructure Protection Report Series (IPRS), a series of reports designed to help public and private sector partners develop a foundation of knowledge on critical infrastructure protection issues. The IPRS provided information on common characteristics and vulnerabilities of critical infrastructure, common industry protective measures, and potential indicators of terrorist activity. To date, DHS has published one IPRS Resilience Series Report, focusing on Business Continuity. Five more Resilience Reports are planned or being drafted that follow the leveled components of the RMI. Five Resilience Series papers are in development: RMI Overview, Resource Mitigation, Preparedness, Awareness, and Planning. We have received and reviewed the Business Continuity IPRS and believe it addresses our recommendation. This recommendation is closed-implemented.

Topics

Assets, Critical infrastructure protection, Government information dissemination, Homeland security, Internal controls, Performance measures, Program management, Risk assessment, Risk factors, Risk management, Strategic planning, Assessments