Critical Infrastructure Protection:
DHS Efforts to Assess and Promote Resiliency Are Evolving but Program Management Could Be Strengthened
GAO-10-772: Published: Sep 23, 2010. Publicly Released: Oct 25, 2010.
According to the Department of Homeland Security (DHS), protecting and ensuring the resiliency (the ability to resist, absorb, recover from, or successfully adapt to adversity or changing conditions) of critical infrastructure and key resources (CIKR) is essential to the nation's security. By law, DHS is to lead and coordinate efforts to protect several thousand CIKR assets deemed vital to the nation's security, public health, and economy. In 2006, DHS created the National Infrastructure Protection Plan (NIPP) to outline the approach for integrating CIKR and increased its emphasis on resiliency in its 2009 update. GAO was asked to assess the extent to which DHS (1) has incorporated resiliency into the programs it uses to work with asset owners and operators and (2) is positioned to disseminate information it gathers on resiliency practices to asset owners and operators. GAO reviewed DHS documents, such as the NIPP, and interviewed DHS officials and 15 owners and operators of assets selected on the basis of geographic diversity. The results of these interviews are not generalizable but provide insights.
DHS's efforts to incorporate resiliency into the programs it uses to work with asset owners and operators are evolving, but program management could be strengthened. Specifically, DHS is developing or updating programs to assess vulnerability and risk at CIKR facilities and within groups of related infrastructure, regions, and systems to place greater emphasis on resiliency. However, DHS has not taken commensurate efforts to measure asset owners' and operators' actions to address resiliency gaps. DHS operates its Protective Security Advisor Program, which deploys critical infrastructure protection and security specialists, called Protective Security Advisors (PSA), to assist asset owners and operators on CIKR protection strategies, and has provided guidelines to PSAs on key job tasks such as how to establish relationships between asset owners and operators and DHS, federal, state, and local officials. DHS has provided training to PSAs on resiliency topics, but has not updated PSA guidelines to articulate the role of PSAs with regard to resiliency issues, or how PSAs are to promote resiliency strategies and practices to asset owners and operators. A senior DHS official described plans to update PSA guidelines and the intent to outline this plan in October 2010, but did not provide information on what changes would be made to articulate PSA roles and responsibilities with regard to resiliency. By developing measures to assess the extent to which asset owners and operators are addressing resiliency gaps and updating PSA guidance, DHS would be better positioned to manage its efforts to help asset owners and operators enhance their resiliency. DHS faces barriers disseminating information about resiliency practices across the spectrum of asset owners and operators.
DHS shares information on potential protective measures with asset owners and operators and others, including state and local officials (generally on a case-by-case basis), after it has completed vulnerability assessments at CIKR facilities. DHS officials told GAO that they have considered ways to disseminate information that they collect or plan to collect with regard to resiliency. However, DHS faces barriers sharing information about resiliency strategies. For example, given the voluntary nature of the CIKR partnership, DHS officials stated that DHS should not be viewed as identifying and promoting practices which could be construed by CIKR partners to be standards. Also, according to DHS officials, the need for and the emphasis on resiliency can vary across different types of facilities depending on the nature of the facility. For example, an oil refinery is inherently different from a government office building. DHS's efforts to emphasize resiliency when developing or updating the programs it uses to work with owners and operators create an opportunity for DHS to position itself to disseminate information about resiliency practices within and across the spectrum of asset owners and operators. By determining the feasibility of overcoming barriers and developing an approach for disseminating information on resiliency practices within and across sectors, DHS could better position itself to help asset owners and operators consider and adopt resiliency strategies. GAO recommends that DHS develop resiliency performance measures, update PSA guidelines, and determine the feasibility of developing an approach to disseminate resiliency information. DHS is taking action to implement two recommendations and is internally considering the third.
Recommendations for Executive Action
Recommendation: To better ensure that DHS's efforts to incorporate resiliency into its overall CIKR protection efforts are effective and completed in a timely and consistent fashion, the Assistant Secretary for Infrastructure Protection should develop performance measures to assess the extent to which asset owners and operators are taking actions to resolve resiliency gaps identified during the various vulnerability assessments.
Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection
Comments: In 2010, we reported that DHS had increased its emphasis on critical infrastructure resiliency in the National Infrastructure Protection Plan (NIPP) in response to concerns that DHS was placing emphasis on protection rather than resilience. Consistent with these changes, DHS had also taken actions to increase its emphasis on resilience in the programs and tools it uses to assess vulnerability and risk that are designed to help owners and operators identify resiliency characteristics and gaps. We reported that these actions continue to evolve and could be improved through the development of performance measures to assess the extent to which asset owners and operators are taking actions in response to the various vulnerability assessments. DHS concurred with the recommendation and, in its 60-day status update on efforts to implement the recommendations, reported that performance measures related to assessing the impact of Office of Infrastructure Protection (IP) assessments on improving the protection and resilience of critical infrastructure had been developed. In fiscal year 2011, DHS reported that IP had incorporated performance metrics into follow-up activities to document improvements made to enhance security and resilience. Specifically, DHS reported that all facilities that participate in voluntary Enhanced Critical Infrastructure Protection (ECIP) security surveys receive a 180-day follow-up interview to document improvements that have been made to enhance security and improve resilience as a result of the ECIP security survey. In addition, ECIP survey methodology has been incorporated into Site Assistance Visits (SAVs), which now incorporate a 365-day follow-up process through which owners and operators document improvements made to enhance security and resilience. Participation in the follow-up interviews, which are conducted over the telephone, is voluntary. 
Follow-up data seeks to capture how IP surveys and assessments are assisting owners and operators in improving security and resilience at their facilities, but it is unclear how resilience data is being collected and used. While data and results from some follow-up activities are available, the updated assessment methodology for some assessments, which was released in January 2011, has not yet resulted in analyzable results. In November 2013, DHS provided the following update: IP developed performance metrics to determine the percent of facilities that planned, started, or implemented at least one security enhancement that raises the facility's Protective Measure Index (PMI) or Resilience Index (RI) score after receiving an Infrastructure Protection vulnerability assessment or survey. The measure shows the percent of facilities that have enhanced their security or resilience after receiving an IP vulnerability assessment or survey. Implementation expected first quarter, Fiscal Year 2014. We need a report on these results to close the recommendation.
Recommendation: To better ensure that DHS's efforts to incorporate resiliency into its overall CIKR protection efforts are effective and completed in a timely and consistent fashion, the Assistant Secretary for Infrastructure Protection should update PSA guidance that discusses the role PSAs play during interactions with asset owners and operators with regard to resiliency, which could include how PSAs work with them to emphasize how resiliency strategies could help them mitigate vulnerabilities and strengthen their security posture and provide suggestions for enhancing resiliency at particular facilities.
Agency Affected: Department of Homeland Security: Directorate of Information Analysis and Infrastructure Protection
Status: Closed - Implemented
Comments: In 2010, we reported that DHS had increased its emphasis on critical infrastructure resiliency in the National Infrastructure Protection Plan (NIPP) in response to concerns that DHS was placing emphasis on protection rather than resilience. Recognizing that Protective Security Advisors (PSAs) serve as liaisons between DHS and security stakeholders, including asset owners and operators, in local communities, we reported that although DHS had begun to train PSAs about resiliency and how it applies to the owners and operators they interact with, DHS had not updated the PSAs' guidance that outlined their roles and responsibilities to reflect DHS's growing emphasis on resiliency. In response to our report, DHS reported that the PSA program was actively updating PSA program guidance to reflect the evolving concept of critical infrastructure resilience. In May 2011, DHS reported that it had developed information for deployed PSAs summarizing the process for restoring critical infrastructure operations. In addition, in May 2011, DHS reported that all 93 PSAs and a number of PSA Program headquarters support staff received two days of focused resiliency training during the April 2011 PSA Bi-annual Meeting. The training focused on the three key features of resilience: robustness, resourcefulness, and recovery. This training also addressed the growing impact that interdependencies within critical infrastructure have on determining facility, sector, or regional resilience. According to DHS, this training provided PSAs with the knowledge and skills to communicate the key concepts of resilience, and its importance to infrastructure security across the Nation, to facility owners and operators.
Recommendation: The Secretary of Homeland Security should assign responsibility to one or more organizations within DHS to determine the feasibility of overcoming barriers and developing an approach for disseminating information on resiliency practices to CIKR owners and operators within and across sectors.
Agency Affected: Department of Homeland Security
Status: Closed - Implemented
Comments: Related to its efforts to develop or update its programs designed to assess vulnerability of asset owners and operators, individual facilities, and groups of facilities, DHS has considered how it can disseminate information on resiliency and practices it gathers or plans to gather with asset owners and operators within and across sectors. However, it faces barriers in doing so because it would have to overcome perceptions that it is advancing or promoting standards that have to be adopted and concerns about sharing proprietary information. We recognize that DHS would face challenges disseminating information about resiliency practices within and across sectors. Nonetheless, as the primary federal agency responsible for coordinating and enhancing the protection and resilience of critical infrastructure across the spectrum of Critical Infrastructure and Key Resources (CIKR) sectors, DHS is uniquely positioned to disseminate this information. Recognizing that DHS would face challenges disseminating information about resiliency practices within and across sectors, especially since resiliency can mean different things to different sectors, we recommended that the Secretary of Homeland Security assign responsibility to one or more organizations within DHS to determine the feasibility of overcoming barriers and developing an approach for disseminating information on resiliency practices to CIKR owners and operators within and across sectors. Initially, DHS did not concur with the recommendation, but agreed to expand the distribution of resiliency products to CIKR stakeholders. However, in April 2010, the DHS Office of Policy created a Resilience Integration Team (RIT) composed of representatives of various DHS components and intended to develop new resilience initiatives. In March 2012, DHS formed an Office of Resiliency Policy (ORP) to coordinate and promulgate resiliency strategies throughout the Department. 
Officials representing ORP stated that, among other things, the RIT is designed to disseminate resilience concepts and is developing a Resilience STAR program, a voluntary certification program intended to provide incentives to convey resiliency standards and practices to make buildings and homes more resilient. According to ORP officials, DHS would like to expand the Resilience STAR program to other industry sectors and intends to introduce pilot projects that would identify resilience criteria that could be used for the program. The Director of the Office of Resilience Policy stated that he believes the RIT would be in a good position to take the lead on developing an approach for disseminating resilience information consistent with our recommendation. In November 2013, DHS reported that, as its collection of data and knowledge has grown through assessments and other activities, it has begun to expand the distribution of resilience products to critical infrastructure partners. These documents are to provide information on characteristics of critical infrastructure resilience. They are part of DHS's Infrastructure Protection Report Series (IPRS), a series of reports designed to help public and private sector partners develop a foundation of knowledge on critical infrastructure protection issues. The IPRS provided information on common characteristics and vulnerabilities of critical infrastructure, common industry protective measures, and potential indicators of terrorist activity. To date, DHS has published one IPRS Resilience Series report, focusing on Business Continuity. Five more Resilience Series reports are planned or being drafted that follow the leveled components of the RMI: RMI Overview, Resource Mitigation, Preparedness, Awareness, and Planning. We have received and reviewed the Business Continuity IPRS and believe it addresses our recommendation. This recommendation is closed-implemented.