Critical Infrastructure Protection: DHS List of Priority Assets Needs to Be Validated and Reported to Congress

What GAO Found

The Department of Homeland Security (DHS) has made several changes to its criteria for including assets on the National Critical Infrastructure Prioritization Program (NCIPP) list of the nation's highest-priority infrastructure, but has not identified the impact of these changes or validated its approach. In 2009, DHS changed the criteria to make the list entirely consequence based--that is, based on the effect of an event on public health and safety, and economic, psychological, and government mission impacts. Subsequent changes introduced specialized criteria for some sectors and assets. For example, infrastructure that has received a specific, credible threat, but otherwise does not meet NCIPP criteria, may be included on the list. DHS's changes to the NCIPP criteria have changed the composition of the NCIPP list, which has had an impact on users of the list, such as the Federal Emergency Management Agency. However, DHS has not reviewed the impact of changes on users nor validated its approach to developing the list. While the change to an entirely consequence-based list created a common approach to identify infrastructure and align the program with applicable laws and the National Infrastructure Protection Plan, recent criteria changes to accommodate certain sectors and assets represent a departure from this common approach, which could hinder DHS's ability to compare infrastructure across sectors. Program officials noted they would like to validate the NCIPP, but they have not yet submitted a proposal to DHS management. An independent peer review--a best practice in risk management--would better position DHS to reasonably assure that the NCIPP list identifies the nation's highest-priority infrastructure.

To develop the list, DHS has consulted with both states and sector specific agencies (SSA)--federal agencies responsible for protection and resiliency efforts among individual critical infrastructure sectors, such as energy, transportation, and dams. Since changing the NCIPP criteria in 2009, DHS has taken proactive steps to help states nominate assets to the list. These steps include providing on-site assistance, minimizing changes to the criteria, conducting outreach to encourage participation in an NCIPP working group (which includes SSAs), and providing explanations of why nominated assets do not make the list. DHS recognizes that states, in particular, face challenges--such as resource and budgetary constraints--associated with nominating assets, and has taken actions to address these challenges and reduce the burden on states.

GAO could not verify that DHS is meeting statutory requirements to report annually to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security of the House of Representatives on the NCIPP list. DHS officials prepared documents that generally contained information consistent with statutory reporting requirements, but they were uncertain whether they had been delivered to the committees because they do not have records to verify they were delivered. An approach to verify the delivery of the required reports, such as documenting or recording the transactions, would better position DHS to ensure that it is in compliance with its statutory reporting requirements and that it provides the committees with the information needed to perform oversight of the program.

Why GAO Did This Study

In October 2012, Hurricane Sandy caused widespread damage across multiple states and affected millions of people. Threats to critical infrastructure are not limited to natural disasters, as demonstrated by the terrorist attacks of September 11, 2001. Originally developed by DHS in 2006, and consistent with the Implementing Recommendations of the 9/11 Commission Act of 2007, the NCIPP identifies and prioritizes nationally significant critical infrastructure each year. However, Members of Congress and some state officials have raised questions about changes DHS has made to its approach for creating the list and the impact of these changes.

GAO was asked to review DHS management of the program. GAO assessed the extent to which DHS has (1) changed its criteria for developing the list, identified the impact, if any, of these changes, and validated its approach, (2) worked with states and SSAs to develop the list, and (3) reported to Congress on the NCIPP. GAO, among other things, reviewed laws, DHS policies and procedures; analyzed the lists from 2007 through 2012; and interviewed DHS, SSA, and state homeland security officials selected based on their involvement with the program and geographic diversity. The interviews are not generalizable but provide insights.