Critical Infrastructure Protection: DHS Could Better Manage Security Surveys and Vulnerability Assessments
Highlights
What GAO Found
The Department of Homeland Security (DHS) has conducted about 2,800 security surveys and vulnerability assessments on critical infrastructure and key resources (CIKR). DHS directs its protective security advisors to contact owners and operators of high-priority CIKR to offer to conduct surveys and assessments. However, DHS is not positioned to track the extent to which these are performed at high-priority CIKR because of inconsistencies between the databases used to identify these assets and those used to identify surveys and assessments conducted. GAO compared the two databases and found that of the 2,195 security surveys and 655 vulnerability assessments conducted for fiscal years 2009 through 2011, 135 surveys and 44 assessments matched and another 106 surveys and 23 assessments were potential matches for high-priority facilities. GAO could not match additional high-priority facilities because of inconsistencies in the way data were recorded in the two databases, for example, assets with the same company name had different addresses or an asset at one address had different names. DHS officials acknowledged that the data did not match and have begun to take actions to improve the collection and organization of the data. However, DHS does not have milestones and timelines for completing these efforts consistent with standards for project management. By developing a plan with time frames and milestones consistent with these standards DHS would be better positioned to provide a more complete picture of its progress.
DHS shares the results of security surveys and vulnerability assessments with asset owners or operators but faces challenges doing so. A GAO analysis of DHS data from fiscal year 2011 showed that DHS was late meeting its (1) 30-day time frame—as required by DHS guidance—for delivering the results of its security surveys 60 percent of the time and (2) 60-day time frame—expected by DHS managers for delivering the results of its vulnerability assessments—in 84 percent of the instances. DHS officials acknowledged the late delivery of survey and assessment results and said they are working to improve processes and protocols. However, DHS has not established a plan with time frames and milestones for managing this effort consistent with the standards for project management. Also, the National Infrastructure Protection Plan (NIPP), which emphasizes partnering and voluntary information sharing, states that CIKR partners need to be provided with timely and relevant information that they can use to make decisions. Developing a plan with time frames and milestones for improving timeliness could help DHS provide asset owners and operators with the timely information they need to consider security enhancements.
DHS uses a follow-up tool to assess the results of security surveys and assessments performed at CIKR assets, and are considering upgrades to the tool. However, DHS could better measure results and improve program management by capturing additional information. For example, key information, such as why certain improvements were or were not made by asset owners and operators that have received security surveys, could help DHS improve its efforts. Further, information on barriers to making improvements—such as the cost of security enhancements—could help DHS better understand asset owners and operators’ rationale in making decisions and thereby help improve its programs. Taking steps to gather additional information could help keep DHS better informed for making decisions in managing its programs.
Why GAO Did This Study
Natural disasters, such as Hurricane Katrina, and terrorist attacks, such as the 2005 bombings in London, highlight the importance of protecting CIKR—assets and systems vital to the economy or health of the nation. DHS issued the NIPP in June 2006 (updated in 2009) to provide the approach for integrating the nation’s CIKR. Because the private sector owns most of the nation’s CIKR—for example, energy production facilities—DHS encourages asset owners and operators to voluntarily participate in surveys or vulnerability assessments of existing security measures at those assets. This includes nationally significant CIKR that DHS designates as high priority. In response to a request, this report assesses the extent to which DHS has (1) taken action to conduct surveys and assessments among high–priority CIKR, (2) shared the results of these surveys and assessments with asset owners or operators, and (3) assessed the effectiveness of surveys and assessments and identified actions taken, if any, to improve them. GAO, among other things, reviewed laws, analyzed data identifying high-priority assets and activities performed from fiscal years 2009 through 2011, and interviewed DHS officials.
Recommendations
GAO recommends that, among other things, DHS develop plans for its efforts to improve the collection and organization of data and the timeliness of survey and assessment results, and gather and act upon additional information from asset owners and operators about why improvements were or were not made. DHS concurred with the recommendations.
Recommendations for Executive Action
| Agency Affected | Recommendation | Status |
|---|---|---|
| Directorate of Information Analysis and Infrastructure Protection | To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should develop plans with milestones and time frames to resolve issues associated with data inconsistencies and matching data on the list of high-priority assets with data used to track the conduct of security surveys and vulnerability assessment. |
Closed – Implemented
In May 2012, we reported that DHS, through its Protective Security Advisor (PSA) program had conducted about 2,800 voluntary security surveys and vulnerability assessments on critical infrastructure (CI), but that DHS was not positioned to track the extent to which these were performed on high-priority CI because of inconsistencies between the data used to identify high-priority assets and those used to identify surveys and assessments conducted. DHS officials acknowledged that the data did not match and began taking actions to improve the collection and organization of the data. As a result, recommended that DHS establish milestones and timeframes for resolving issues associated with data inconsistencies. In September 2013, DHS provided an update that IP had begun assigning unique numerical identifiers to each asset in the assessment database and to the list of high-priority CI to resolve data inconsistencies. In November 2014, DHS provided another update stating that automated scripts were established to confirm data completeness and applicability between the databases. In addition, in January 2015 DHS's National Protection and Programs Directorate provided its quarterly program review report from November 2014, which identified timeframes and milestones for identifying a set of standardized data requirements and information formats, data accessibility, and systems interoperability for the PSA program and the list of high-priority CI, among others. DHS's timeframes and milestones, and planned actions to standardize data requirements and information formats, are consistent with our recommendation.
|
| Directorate of Information Analysis and Infrastructure Protection | To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should institutionalize realistic performance goals for appropriate levels of participation in security surveys and vulnerability assessments by high-priority assets to measure how well DHS is achieving its goals. |
Closed – Implemented
In May 2012, we reported that DHS could better position itself to measure its progress in conducting voluntary security surveys and vulnerability assessments at high-priority critical infrastructure (CI). The deputy director of the program told us DHS had a goal of conducting 50 percent of these activities on high-priority CI, but this goal was not documented and based on our analysis of DHS data the goal was not realistic. We also reported that inconsistent data made it challenging to match surveys and assessments with high-priority CI. We recommended that DHS institutionalize realistic performance goals for the number of surveys and assessments to be conducted on high-priority CI, consistent with its efforts to improve its data. DHS agreed with our recommendation. In response, DHS established a program review process using data and information collected for the second and third quarters of fiscal year 2014 to ensure programs are working toward agreed upon goals and core capabilities articulated in budget planning guidance. In January 2015, DHS provided its final report for fiscal year 2014 showing its goals for the number completed surveys and assessments, including the number conducted on high-priority CI. DHS's actions are consistent with our recommendation.
|
| Directorate of Information Analysis and Infrastructure Protection | To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should design and implement a mechanism for systematically assessing why owners and operators of high-priority assets decline to participate and a develop a road map, with time frames and milestones, for completing this effort. |
Closed – Implemented
In May 2012, we reported that a number of factors could affect the number of DHS security surveys and vulnerability assessments of CI, including the voluntary nature of these specific activities and the availability of other assessments. We found that DHS could be better positioned to manage participation in these programs and recommended that DHS design and implement a mechanism to systematically collect data on the reasons why some CI owners and operators refuse to participate in the voluntary assessments. In June 2013 DHS developed a tracking system to capture survey declinations. Because DHS implemented the tracking system, officials noted that this negated the need to develop a roadmap, with timeframes and milestones, for completing the effort. In November 2014, DHS provided a snapshot of the tracking system in place that indicated reasons for survey declinations. These actions taken by DHS are consistent with the intent of our recommendation.
|
| Directorate of Information Analysis and Infrastructure Protection | To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should develop time frames and specific milestones for managing DHS's efforts to ensure the timely delivery of the results of security surveys and vulnerability assessments to asset owners and operators. |
Closed – Implemented
In May 2012, we reported that DHS shared some security survey and vulnerability assessment information with CI owners and operators that participated in these programs, among others, but faced challenges ensuring that this information was shared in a timely manner. We recommended that DHS develop time frames and specific milestones for managing efforts to ensure the timely delivery of the results of security surveys and vulnerability assessments to CI owners and operators. In March 2012 DHS began a review of its data and established timeframes and milestones for delivering the results of the surveys and assessments to CI owners and operators. In February 2013, DHS transitioned to a Web-based delivery, which attributed to reducing the number of overdue deliveries from 258 in July 2012 to 22 in September 2013 to zero by September 2014. These DHS actions are consistent with our recommendation.
|
| Directorate of Information Analysis and Infrastructure Protection | To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should revise its plans to include when and how sector-specific agencies (SSAs) will be engaged in designing, testing, and implementing DHS's web-based tool to address and mitigate any SSA concerns that may arise before the tool is finalized. |
Closed – Implemented
We found that DHS had taken some actions to solicit input from SSAs regarding its web-based tool, consistent with the NIPP, but could be better positioned to understand and address SSA information needs by working with them to design, test, and implement the web-based tool. We recommended that revise its plans to include when and how SSAs will be engaged in designing, testing, and implementing DHS' web-based tool to address and mitigate any SSA concerns that may arise before the tool is finalized. In response, in November 2014, DHS established a governance board charter whose membership is to include SSAs. Subsequently, in August 2015, DHS established a requirements development plan that includes consideration of stakeholder priorities. The plan calls for the governance board established by the charter to be the primary means to collaboratively prioritize and approve IP-wide IT mission needs for future investment. As a result, DHS has established plans to obtain input from stakeholders, including SSAs, in the development of some of its web-based tools, the implementation of which better positions DHS to address and mitigate SSA concerns and better understand and address their information needs. These actions are consistent with our recommendation.
|
| Directorate of Information Analysis and Infrastructure Protection | To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should develop a road map with time frames and specific milestones for reviewing the information it gathers from asset owners and operators to determine if follow-up visits should remain at 180 days for security surveys and whether additional follow-ups are appropriate at intervals beyond the follow-ups initially performed. |
Closed – Implemented
In May 2012, we reported that DHS could better measure security survey and vulnerability assessment results to improve program management, such as determining (1) the extent to which changes CI owners and operators make in response to participating in these activities have enhanced CI protection and resilience over time, or (2) why CI owners and operators do not make enhancements that could help mitigate vulnerabilities identified during the surveys and assessments. At that time, DHS reported conducting one-time 180-day follow-ups with CI owners and operators who participated in the surveys, and 365-day follow-ups for assessment participants to collect data on improvements being made as a result of these efforts. However, in interviews with CI owners and operators, we found that DHS could benefit from gathering data on improvements made over a longer period of time. We recommended that DHS develop a road map with time frames and specific milestones for reviewing the information it gathers from CI owners and operators which could better position DHS to track agency achievements. DHS concurred with our recommendation, but said they would not create a roadmap with time frames and specific milestones. Instead DHS agreed to analyze data collected during the 2012 calendar year, and use the results of their analysis to determine whether modifications to the follow-up intervals were required. In April 2013, DHS's analysis found that around 23 percent of assessment participants and 26 percent of survey participants reported a completed improvement during their follow-up. DHS subsequently decided that no modifications to the follow-up timelines would be made, but that DHS would collect some additional information by expanding the follow-up to capture improvements attributable to DHS that are not only completed, but are also in-process or planned. These DHS actions meet the intent of our recommendation.
|
| Directorate of Information Analysis and Infrastructure Protection | To better ensure that DHS's efforts to promote security surveys and vulnerability assessments among high-priority CIKR are aligned with institutional goals, that the information gathered through these surveys and assessments meet the needs of stakeholders, and that DHS is positioned to know how these surveys and assessments could be improved, the Assistant Secretary for Infrastructure Protection, Department of Homeland Security, should consider the feasibility of expanding the follow-up program to gather and act upon data, as appropriate, on (1) security enhancements that are ongoing and planned that are attributable to DHS security surveys and vulnerability assessments and (2) factors, such as cost and perceptions of threat, that influence asset owner and operator decisions to make, or not make, enhancements based on the results of DHS security surveys and vulnerability assessments. |
Closed – Implemented
In May 2012, we reported that DHS could be missing an opportunity to measure performance associated with planned and in-process enhancements that could be attributable to its voluntary security surveys and vulnerability assessments. As a result, we recommended that DHS determine whether to collect additional data on (1) security enhancements that are ongoing or planned are attributable to DHS surveys and assessments, and (2) factors, such as cost and perceptions of threat, that influence asset owners and operators to make, or not make, enhancements based on the results of surveys and assessments. DHS actions to address the recommendation include an update to its follow-up questions implemented in June 2013 to capture additional information on improvements attributable to DHS, including completed, in-process or planned measures, and questions to identify factors that influence CI owners and operators decisions to make or not make enhancements. Subsequently, in August 2014 after receiving the results of its follow-up questions, the Office of Infrastructure Protection (IP) established a policy to conduct quarterly reviews to, among other things, track IP programs and identify gaps and requirements for priorities. These DHS actions meet the intent of our recommendation.
|