This is the accessible text file for GAO report number GAO-07-39 
entitled 'Critical Infrastructure Protection: Progress Coordinating 
Government and Private Sector Efforts Varies by Sectors' 
Characteristics' which was released on November 15, 2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to Congressional Requesters: 

United States Government Accountability Office: 

GAO: 

October 2006: 

Critical Infrastructure Protection: 

Progress Coordinating Government and Private Sector Efforts Varies by 
Sectors' Characteristics: 

Critical Infrastructure Protection Coordination Issues: 

GAO-07-39: 

GAO Highlights: 

Highlights of GAO-07-39, a report to congressional requesters 

Why GAO Did This Study: 

As Hurricane Katrina so forcefully demonstrated, the nation’s critical 
infrastructures and key resources have been vulnerable to a wide 
variety of threats. Because about 85 percent of the nation’s critical 
infrastructure is owned by the private sector, it is vital that the 
public and private sectors work together to protect these assets. The 
Department of Homeland Security (DHS) is responsible for coordinating a 
national protection strategy including formation of government and 
private sector councils as a collaborating tool. The councils, among 
other things, are to identify their most critical assets, assess the 
risks they face, and identify protective measures, in sector-specific 
plans that comply with DHS’s National Infrastructure Protection Plan 
(NIPP). 

GAO examined (1) the extent to which these councils have been 
established; (2) the key facilitating factors and challenges affecting 
the formation of the councils; and (3) the overall status of the plans 
and key facilitating factors and challenges encountered in developing 
them. GAO obtained information by reviewing key documents and 
conducting interviews with federal and private sector representatives. 

GAO is not making any recommendations at this time since prior 
recommendations are still being implemented. Continued monitoring will 
determine whether further recommendations are warranted. 

What GAO Found: 

All 17 critical infrastructure sectors have established their 
respective government councils, and nearly all sectors have initiated 
their voluntary private sector councils in response to the NIPP. 
However, council activities have varied due to council characteristics 
and level of maturity. For example, the public health and health-care 
sector is quite diverse and collaboration has been difficult as a 
result; on the other hand, the nuclear sector is quite homogenous and 
has a long history of collaboration. As a result, council activities 
have ranged from getting organized to refining infrastructure 
protection strategies. Ten sectors, such as banking and finance, had 
formed councils prior to development of the NIPP and had collaborated 
on plans for economic reasons, while others had formed councils more 
recently. As a result, the more mature councils could focus on 
strategic issues, such as recovering after disasters, while the newer 
councils were focusing on getting organized. 

Council members reported mixed views on what factors facilitated or 
challenged their formation. For example, long-standing working 
relationships with regulatory agencies and within sectors were 
frequently cited as the most helpful factor in establishing councils. 
Challenges most frequently cited included the lack of an effective 
relationship with DHS as well as private sector hesitancy to share 
information on vulnerabilities with the government or within the sector 
for fear the information would be released and open to competitors. 
GAO’s past work has shown that a lack of trust in DHS and fear that 
sensitive information would be released are recurring barriers to the 
private sector’s sharing information with the federal government, and 
GAO has made recommendations to help address these barriers. DHS has 
generally concurred with these recommendations and is in the process of 
implementing them. 

At the time of GAO’s review, all of the sectors were preparing plans, 
although these plans were at varying stages of completion—ranging from 
nearly complete to an outline. Nevertheless, all sectors expected to 
submit their plans to DHS by the December 2006 deadline. DHS’s 18-month 
delay in issuing the NIPP and the changing nature of DHS guidance on 
sector plans were cited as challenges to developing the plans. As of 
August 2006, collaboration between the sector and government councils 
on the plans, which is required by the NIPP, had yet to take place for 
some sectors. Issuing the NIPP and completing sector plans are only 
first steps to ensure critical infrastructure is protected. More 
remains to be done to ensure the adequate protection of our nation’s 
critical infrastructure. A number of sectors still need to identify 
their most critical assets across their sectors, assess their risks, 
and agree on protective measures. 

DHS, the Department of Health and Human Services, and the Environmental 
Protection Agency had no formal comments on the draft report but 
provided technical comments. 

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-39]. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Eileen Larence at (202) 
512-8777 or LarenceE@gao.gov. 

[End of Section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Sectors Have Established Government and Sector Councils, Which are 
Generally Representative of their Sectors; Council Activities Have 
Varied Depending on Their Maturity and Other Characteristics: 

Good Prior Working Relationships, Willingness to Share Critical 
Information, and Sufficient Resources Are Key to Council Formation and 
Progress: 

Councils Delayed Their Work on Sector-Specific Plans until the NIPP Was 
Issued but Despite Challenges, Expect to Complete Plans by the End of 
December 2006: 

Concluding Observations: 

Appendix I: Key Federal Initiatives in Developing Critical 
Infrastructure Protection Policy, 1996 to Present: 

Appendix II: Government Sector Council Membership, by Sector as of 
August 2006: 

Appendix III: Sector Council Membership, by Sector as of August 2006: 

Appendix IV: GAO Contact and Staff Acknowledgments: 

Related GAO Products: 

Tables: 

Table 1: Operating ISACs, as of July 2006: 

Table 2: Critical Infrastructure Sectors and Designated Sector-Specific 
Agencies: 

Table 3: Status of Government Council and Sector Council Formation, as 
of August 2006: 

Figures: 

Figure 1: Key Challenges That Affected Establishing Government 
Councils: 

Figure 2: Key Challenges That Affected Establishing Sector Councils: 

Figure 3: Key Challenges to Developing Sector-Specific Plans, according 
to Government Council Representatives: 

Figure 4: Key Challenges to Developing Sector-Specific Plans, according 
to Sector Council Representatives: 

Abbreviations: 

DHS: Department of Homeland Security: 

FACA: Federal Advisory Committee Act: 

GMU: George Mason University: 

HHS: Department of Health and Human Services: 

HSIN: Homeland Security Information Network: 

HSIN-CS: Homeland Security Information Network Critical Sectors: 

HSPD-7: Homeland Security Presidential Directive 7: 

HSPD-9: Homeland Security Presidential Directive 9: 

ISAC: information sharing and analysis center: 

NIPP: National Infrastructure Protection Plan: 

PCII: protected critical infrastructure information: 

PCIS: Partnership for Critical Infrastructure Security: 

PDD-63: Presidential Decision Directive 63: 

TSA: Transportation Security Administration: 

[End of section] 

United States Government Accountability Office: 
Washington, DC 20548: 

October 16, 2006: 

The Honorable Tom Davis: 
Chairman: 
Committee on Government Reform: 
House of Representatives: 

The Honorable Todd Platts: 
Chairman: 
Subcommittee on Government Management, Finance and Accountability: 
Committee on Government Reform: 
House of Representatives: 

The Honorable Bennie G. Thompson: 
Ranking Minority Member: 
Committee on Homeland Security: 
House of Representatives: 

The Honorable Robert F. Bennett: 
United States Senate: 

The nation's critical infrastructures and key resources--including 
those cyber and physical assets essential to national security, 
national economic security, and national public health and safety--have 
been and continue to be vulnerable to a wide variety of threats. In 
2005, Hurricane Katrina devastated the Gulf Coast, damaging critical 
infrastructure such as oil platforms, pipelines and refineries; water 
mains; electric power lines; and cellular phone towers. The chaos 
resulting from this infrastructure damage disrupted the functioning of 
government and business alike and produced cascading effects far beyond 
the physical location of the storm. In 2004, authorities discovered 
detailed surveillance of the New York Stock Exchange and the Citigroup 
Center in the laptop computer of an Al Qaeda operative captured in 
Pakistan, part of a plan to target financial institutions in New York. 
Moreover, a series of coordinated suicide bombings in 2005 that struck 
London's public transportation system demonstrated how an attack on the 
transportation system could disrupt a city's transportation and mobile 
telecommunications infrastructure. Because the private sector owns 
approximately 85 percent of the nation's critical infrastructure--such 
as banking and financial institutions, telecommunications networks, and 
energy production and transmission facilities--it is vital that the 
public and private sectors form effective partnerships to successfully 
protect these assets. 

A key player in these partnerships is the Department of Homeland 
Security (DHS). The Homeland Security Act of 2002 created DHS and gave 
it wide-ranging responsibilities for leading and coordinating the 
overall national critical infrastructure protection effort.[Footnote 1] 
Among other requirements, the Homeland Security Act required DHS to 
develop a comprehensive national plan for securing the nation's 
critical infrastructures and recommend measures to protect key 
resources. Homeland Security Presidential Directive 7 (HSPD-7) further 
defines critical infrastructure protection responsibilities for DHS and 
those federal agencies given responsibility for particular industry 
sectors such as transportation, energy, and telecommunications, known 
as sector-specific agencies. Among other responsibilities, the 
Secretary of Homeland Security is to establish uniform policies, 
approaches, guidelines, and methodologies to help ensure that critical 
infrastructure within and across the 17 infrastructure sectors is 
protected,[Footnote 2] and is to use a risk management approach to 
coordinate protection efforts. This includes using risk assessments to 
set priorities for protective measures by the department, sector- 
specific agencies, tribal, state, and local government agencies and 
authorities with critical assets and resources in their jurisdiction, 
owners and operators of these assets, and other entities. 

Consistent with the Homeland Security Act, HSPD-7 required DHS to 
develop a comprehensive and integrated plan by December 2004 that 
outlines national goals, objectives, milestones, and key initiatives 
necessary to fulfilling these responsibilities. In response, DHS 
developed a National Infrastructure Protection Plan (NIPP) issued in 
June 2006. The NIPP is a base plan that is to serve as a road map for 
how DHS and other relevant stakeholders should use risk management 
principles to prioritize protection activities within and across 
sectors in an integrated, coordinated fashion. The NIPP also requires 
the individual sector-specific agencies to submit plans to DHS by the 
end of December 2006 detailing the application of the national plan's 
core elements to each of their respective sectors. These individual 
plans are to establish the means by which the sectors will identify 
critical assets within the sector, assess risks of terrorist attacks or 
other hazards on them, assess and prioritize those which have national 
significance, and develop protective measures for the sector. These 
plans are to be developed by the designated federal sector-specific 
agencies in coordination with relevant government and private-sector 
representatives and are, among other things, to address the unique 
characteristics and risks of each sector. DHS is to use these 
individual plans to evaluate whether any gaps exist in the protection 
of critical infrastructures on a national level and, if so, to work 
with the sectors to address them. While the NIPP establishes a deadline 
for the submission of these plans, DHS anticipates that the NIPP and 
sector-specific plans will continue to evolve as the critical 
infrastructures, threats against them, and strategies for protecting 
and responding to these threats and incidents evolve. 

The NIPP describes a partnership model as the primary means of 
coordinating government and private sector efforts to protect critical 
infrastructure. For each sector, the model requires formation of 
government coordinating councils (government councils)--comprised of 
federal, state, local, or tribal agencies with purview over critical 
assets--and encourages voluntary formation of sector coordinating 
councils (sector councils)--comprised of owner-operators of these 
critical assets (some of which may be state or local agencies) or their 
respective trade associations. These councils create the structure 
through which representative groups from all levels of government and 
the private sector are to collaborate in planning and implementing 
efforts to protect critical infrastructure. The sector councils are 
envisioned to be policy-related and to represent a primary point of 
contact for government to plan the entire range of infrastructure 
protection activities unique to the sector. These functions are 
distinct from those of the private sector's information sharing and 
analysis centers (ISACs) that were previously established to serve as 
mechanisms for gathering, analyzing, and disseminating information on 
infrastructure threats and vulnerabilities to and from private 
infrastructure sectors and the government but are not to serve as 
policy-making bodies. These councils also are to collaborate with the 
sector-specific agencies in the development and review of their 
respective individual sector plans. 

In response to your request to determine the extent to which DHS has 
developed a strategy to identify, prioritize, and coordinate the 
protection of critical infrastructure, including how the department 
intends to work with other federal departments and agencies, state and 
local governments, and the private sector to develop this strategy, our 
objectives were to: 

* determine the extent to which government and sector councils have 
been established for each sector and compare their general 
characteristics; 

* identify the key facilitating factors and challenges that critical 
infrastructure protection stakeholders encountered in establishing 
their respective councils; and: 

* ascertain the status of individual sector-specific plans and the key 
facilitating factors and challenges that critical infrastructure 
protection stakeholders encountered in developing their plans thus far. 

To address these objectives, we reviewed our prior work that focused on 
government and private sector critical infrastructure protection 
coordination efforts as well as related studies by others. (See 
"Related GAO Products" at the end of this report for a list of our 
prior work). We reviewed the interim, draft, and final versions of the 
NIPP as well as sector-specific plan guidance, to determine council 
roles and responsibilities and requirements for individual sector- 
specific plans. We also conducted structured interviews to determine 
the status of the government councils and individual sector-specific 
plans with designated representatives of each of the sector-specific 
agencies with critical infrastructure protection responsibility for the 
17 critical infrastructure sectors: DHS,[Footnote 3] the Department of 
Agriculture, the Department of Health and Human Services, the 
Department of Defense, the Department of Energy, the Department of the 
Interior, the Department of the Treasury, and the Environmental 
Protection Agency. We also conducted structured interviews with the 
chairs, co-chairs, or steering committee representatives of each of the 
14 sector councils[Footnote 4] that are part of the NIPP framework and 
a representative of the Rail Sector Coordinating Council to determine 
the status of the councils and the sector-specific plans. These 
officials also presented their views on the facilitating factors and 
barriers to creating and maintaining their respective councils and 
drafting sector-specific plans, but they did not necessarily represent 
the views of each member of the councils. For both the government and 
sector council contacts, the structured interviews solicited 
information including (1) the status of council formation, leadership, 
organization, and goals; (2) views on whether specific factors 
facilitated or impeded council formation; (3) the status of sector- 
specific plan development; and (4) views on whether specific factors 
facilitated or impeded plan development. We also spoke with the Deputy 
Director, Infrastructure Partnerships Division and the Director of the 
Infrastructure Programs Office within DHS's Office of Infrastructure 
Protection about the formation of the councils and the development of 
sector-specific plans.[Footnote 5] We conducted our work from October 
2005 through August 2006 in accordance with generally accepted 
government auditing standards. 

Results in Brief: 

Each of the infrastructure sectors has established government councils, 
and voluntary sector councils have been formed in response to the 
recommended NIPP partnership model for all sectors except 
transportation systems. The characteristics and levels of maturity vary 
significantly across the sectors. For example, the public health and 
healthcare sector is quite diverse and collaboration has been difficult 
as a result; on the other hand, the nuclear sector is quite homogenous 
and has a long history of collaboration. As a result, council 
activities have ranged from getting organized to refining their 
infrastructure protection strategies. To develop effective protection 
plans, it is important that council membership represent these unique 
and varied interests, and we found this generally to be true for most 
of the councils. For example, members of the drinking water and water 
treatment systems sector council included the American Water Works 
Association as well as local entities, such as the City of Portland 
Bureau of Environmental Services. According to representatives from 
several sector councils, these councils are not intended to replace the 
information sharing functions provided by the information sharing and 
analysis centers, and two of the centers are members of their 
respective sector councils. The age and maturity of the councils also 
varied. Ten sectors had formed councils prior to the development of the 
NIPP model because they were already collaborating on protective 
measures, while the remaining sectors had formed councils more 
recently. The more mature councils, including banking and finance and 
telecommunications, were able to focus on strategic activities, such as 
developing plans on how to resume operations as soon as possible after 
a disaster. In contrast, the newer councils--including public health 
and healthcare and commercial facilities--were still focusing on 
identifying key stakeholders and members, developing charters, and 
getting organized. The transportation systems sector had yet to form a 
sector council and, as of August 2006, Transportation Security 
Administration officials said they were working with contractors to 
help each transportation mode establish its own sector council. 
According to DHS officials, once the modes are organized the 
transportation systems sector council will be formed. 

Representatives of the councils most frequently cited prior long- 
standing working relationships and effective information sharing within 
their sector as well as access to contractor resources through DHS as 
key in establishment of a number of the councils. Conversely, the lack 
of an effective relationship with DHS, private sector hesitancy to 
provide sensitive information on infrastructure vulnerabilities to the 
government or within the sector, and the lack of prior relationships 
with federal agencies or within the sector were the most frequently 
cited challenges to developing other councils. In terms of facilitating 
factors, sectors that had been regulated by federal agencies for years, 
such as the banking and finance sector, reported developing long- 
standing and trusted working relationships both with the federal 
agencies and within the sectors, which facilitated council development. 
These sectors also recognized the need to share information in order to 
collaborate on protection efforts. Our past work has also identified 
trusted working relationships and effective information sharing as 
critical factors for successful public-private partnerships, and we 
have made recommendations in these areas that DHS generally agreed 
with, but has yet to fully implement.[Footnote 6] Another key 
facilitating factor was having access to resources and technical 
assistance from DHS contractors, filling resource and skill gaps some 
sectors had in establishing and operating their councils. For example, 
one of the contractors provided guidance on lessons learned in how 
other sector councils were organized that representatives of the 
emergency services and the telecommunications councils said were very 
helpful. In terms of challenges, some government and sector councils 
cited high turnover of some DHS staff and the staff's lack of 
understanding about infrastructure operations as hindering council 
formation. While DHS officials reported that staff turnover should not 
affect the formation of sector councils, the officials said that this 
turnover could hinder the establishment of trusted working 
relationships. Representatives from various sectors also noted, as has 
our past work, that some in the private sector are reluctant to share 
sensitive infrastructure information with the federal government for 
fear the information might be publicly disclosed or make them subject 
to litigation for failure to disclose their vulnerabilities. To address 
this concern about public disclosure of sensitive information and to 
enhance information sharing, in March 2006 DHS created the Critical 
Infrastructure Partnership Advisory Council--open to members of all 
councils--that is exempt from the Federal Advisory Committee 
Act,[Footnote 7] but it is too soon to determine if this council has 
promoted more sharing. 

As of August 2006, each of the 17 sector-specific agencies was in the 
process of preparing a sector-specific plan to demonstrate how that 
sector will comply with the NIPP. However, the sectors were at varying 
stages of completion in developing their plans, ranging from almost 
complete to having only completed an outline. For example, the chemical 
and nuclear sectors said their plans were nearing completion while the 
commercial facilities sector said its plan was still in outline form. 
Some in the private sector said collaboration between the sector 
council and the government council on the plans had yet to take place. 
Despite these differences, all the sectors expected to submit initial 
plans to DHS by the December 2006 deadline. Like the NIPP, these plans 
are only a first step; they are to lay out how the sector will identify 
its most critical assets and resources and what methodologies each will 
use to assess the risks posed to it, but DHS guidance does not require 
the plans to address how the sector is actually assessing risk and 
protecting its most critical assets. Council members cited as a key 
facilitating factor the existence of prior plans that they could update 
to satisfy NIPP requirements. For example, the energy sector had 
developed a protection plan in anticipation of the Year 2000 ("Y2K") 
computer threat, and that process was beneficial in developing its 
sector-specific plan for the NIPP. Two other frequently cited factors 
that helped with developing plans, as well as developing the councils 
themselves, were when sectors had pre-existing relationships with 
federal agencies or within the sector and access to contractor support 
through DHS. The most frequently cited challenges included the lack of 
a final NIPP that outlined stable requirements for the plans as well as 
the changing nature of DHS guidance on how to develop the plans. For 
example, DHS revised its initial 2004-plan guidance after a year with 
new requirements including how the sectors will collaborate with DHS on 
risk assessment processes. DHS then issued additional guidance in 2006 
that required the plans to have a new chapter describing how sector- 
specific agencies are to manage and coordinate their responsibilities. 
Several council members said it was frustrating to have to update their 
protection plans in response to changes from the interim, the draft, 
and the final NIPP, even though DHS made some of these changes in 
response to industry comments. For example, DHS incorporated changes in 
the final NIPP in response to comments that it should better recognize 
the need to focus on both protecting against and recovering from a 
disaster. Finally, several cited the heterogeneous characteristics of 
some sectors, such as the different industries that make up the 
agriculture and food sector, as making collaboration and consensus on 
their plans a challenge. While DHS has made progress with some critical 
infrastructure challenges, until it addresses our already outstanding 
recommendations, it will have difficulty achieving results in its role 
as a federal focal point for critical infrastructure. Because our 
findings in this report echo many of those in our previous reports and 
are covered by previous recommendations to DHS that have yet to be 
fully implemented, we are not making any new recommendations at this 
time. Continued monitoring will determine whether further 
recommendations are warranted. 

DHS, the Department of Health and Human Services, and the Environmental 
Protection Agency had no formal comments on the draft report, but they 
provided technical comments that we used to clarify the report as 
appropriate. 

Background: 

Critical Infrastructure Protection Policy Has Emphasized Government and 
Private Sector Coordination: 

The protection of the nation's critical infrastructure against natural 
and man-made catastrophic events has been a concern of the federal 
government for over a decade. Several federal policies address the 
importance of coordination between the government and the private 
sector in critical infrastructure protection. For example, in May 1998, 
Presidential Decision Directive 63 (PDD-63) established critical 
infrastructure protection as a national goal and presented a strategy 
for cooperative efforts by the government and the private sector to 
protect the physical and cyber-based systems essential to the minimum 
operations of the economy and the government. Among other things, this 
directive designated government agencies to coordinate and support 
critical infrastructure protection efforts and identified lead federal 
agencies to work with coordinators in eight infrastructure sectors and 
five areas called special functions at the time. The directive also 
encouraged development of information sharing and analysis centers 
(ISACs) to serve as mechanisms for gathering, analyzing, and 
disseminating information on infrastructure threats and vulnerabilities 
to and from private infrastructure sectors and the federal government. 
(See table 1 for a list of functional ISACs). 

Table 1: Operating ISACs, as of July 2006: 

Sector: Agriculture and food; 
ISAC: Food; 
ISAC Established: Feb. 2002. 

Sector: Banking and finance; 
ISAC: Financial Services; 
ISAC Established: Oct. 1999. 

Sector: Chemical; 
ISAC: Chemical; 
ISAC Established: April 2002. 

Sector: Commercial facilities; 
ISAC: Real Estate; 
ISAC Established: Feb. 2003. 

Sector: Drinking water and water treatment systems; 
ISAC: Water; 
ISAC Established: Dec. 2002. 

Sector: Emergency services; 
ISAC: Emergency Management and Response; 
ISAC Established: Oct. 2000. 

Sector: Energy; 
ISAC: Electric; Energy; 
ISAC Established: Oct. 2000; Nov. 2001. 

Sector: Government facilities; 
ISAC: Multi-State; 
ISAC Established: Jan. 2003. 

Sector: Information technology; 
ISAC: IT Research & Education Network; 
ISAC Established: Dec. 2000 Feb. 2003. 

Sector: Telecommunications; 
ISAC: National Coordinating Center for Telecommunications; 
ISAC Established: Jan. 2000. 

Sector: Transportation systems; 
ISAC: Public Transit Surface Transportation (rail) Highway Maritime; 
ISAC Established: Jan. 2003 May 2002 Mar. 2003 Feb. 2003. 

Source: Government council and sector council representatives and prior 
GAO reports. 

Note: The following critical sectors do not have ISACs: dams; defense 
industrial base; national monuments and icons; commercial nuclear 
reactors, materials, and waste; postal and shipping; and public health 
and healthcare. 

[End of table] 

In December 2003, Homeland Security Presidential Directive 7 (HSPD-7) 
was issued, superseding PDD-63. HSPD-7 defined responsibilities for 
DHS, federal agencies that are responsible for addressing specific 
critical infrastructure sectors--sector-specific agencies,--and other 
departments and agencies. HSPD-7 instructs these sector-specific 
agencies to identify, prioritize, and coordinate the protection of 
critical infrastructure to prevent, deter, and mitigate the effects of 
attacks. HSPD-7 makes DHS responsible for, among other things, 
coordinating national critical infrastructure protection efforts and 
establishing uniform policies, approaches, guidelines, and 
methodologies for integrating federal infrastructure protection and 
risk management activities within and across sectors. HSPD-7 requires 
DHS to (1) produce a national plan summarizing initiatives for sharing 
information, including providing threat warning data to state and local 
governments and the private sector and (2) establish the appropriate 
systems, mechanisms, and procedures to share homeland security 
information (including information on critical infrastructure 
protection such as threat-warning data) with other federal departments 
and agencies, state and local governments, and the private sector in a 
timely manner. According to the NIPP, additional DHS responsibilities 
regarding critical infrastructure protection include developing and 
implementing comprehensive risk management programs and methodologies; 
developing cross-sector and cross-jurisdictional protection guidance; 
recommending risk management and performance criteria and metrics 
within and across sectors; and establishing structures to enhance the 
close cooperation between the private sector and government at all 
levels. (For additional key federal initiatives related to critical 
infrastructure protection, see app. I). 

Sector-Specific Agencies Are to Coordinate Protection Efforts and 
Develop Plans: 

HSPD-7 designated sector-specific agencies for each of the critical 
infrastructure sectors. These federal agencies are responsible for 
infrastructure protection activities in their assigned sectors, which 
include coordinating and collaborating with relevant federal agencies, 
state and local governments, and the private sector to carry out sector 
protection responsibilities. These activities also include facilitating 
the sharing of information about physical and cyber threats, 
vulnerabilities, incidents, potential protective measures, and best 
practices. HSPD-7 also requires that these agencies submit an annual 
report to DHS on their efforts to identify, prioritize, and coordinate 
the protection of critical infrastructures in their respective sectors. 
DHS serves as the sector-specific agency for ten of the sectors: 
information technology; telecommunications; transportation systems; 
chemical; emergency services; commercial nuclear reactors, material, 
and waste; postal and shipping; dams; government facilities; and 
commercial facilities. (See table 2 for a list of each sector-specific 
agency and a brief description of each sector). 

Table 2: Critical Infrastructure Sectors and Designated Sector-Specific 
Agencies: 

Sector-specific agency: Dept. of Agriculture[A], Dept. Of Health and 
Human Services, Food and Drug Administration[B]; 
Sector: Agriculture & food; 
Description: Provides for the fundamental need for food. The 
infrastructure includes supply chains for feed and crop production. 
Carries out the postharvesting of the food supply, including processing 
and retail sales. 

Sector-specific agency: Dept. of Defense; 
Sector: Defense industrial base; 
Description: Supplies the military with the means to protect the nation 
by producing weapons, aircraft, and ships and providing essential 
services, including information technology and supply and maintenance. 

Sector-specific agency: Dept. of Energy; 
Sector: Energy; 
Description: Provides the electric power used by all sectors and the 
refining, storage, and distribution of oil and gas. The sector is 
divided into electricity and oil and natural gas. 

Sector-specific agency: Dept. of Health and Human Services; 
Sector: Public health and healthcare; 
Description: Mitigates the risk of disasters and attacks and also 
provides recovery assistance if an attack occurs. The sector consists 
of health departments, clinics, and hospitals. 

Sector-specific agency: Dept. of the Interior; 
Sector: National monuments and icons; 
Description: Memorializes or represents monuments, physical structures, 
objects, or geographical sites that are widely recognized to represent 
the nation's heritage, traditions, or values, or widely recognized to 
represent important national cultural, religious, historical, or 
political significance. 

Sector-specific agency: Dept. of the Treasury; 
Sector: Banking and finance; 
Description: Provides the financial infrastructure of the nation. This 
sector consists of commercial banks, insurance companies, mutual funds, 
government-sponsored enterprises, pension funds, and other financial 
institutions that carry out transactions. 

Sector-specific agency: Environmental Protection Agency; 
Sector: Drinking water and water treatment systems; 
Description: Provides sources of safe drinking water from more than 
53,000 community water systems and properly treated wastewater from 
more than 16,000 publicly owned treatment works. 

Sector-specific agency: Dept. of Homeland Security: Office of 
Infrastructure Protection; 
Sector: Chemical; 
Description: Transforms natural raw materials into commonly used 
products benefiting society's health, safety, and productivity. The 
chemical sector produces more than 70,000 products that are essential 
to automobiles, pharmaceuticals, food supply, electronics, water 
treatment, health, construction, and other necessities. 

Sector-specific agency: Dept. of Homeland Security: Office of 
Infrastructure Protection; 
Sector: Commercial facilities; 
Description: Includes prominent commercial centers, office buildings, 
sports stadiums, theme parks, and other sites where large numbers of 
people congregate to pursue business activities, conduct personal 
commercial transactions, or enjoy recreational pastimes. 

Sector-specific agency: Dept. of Homeland Security: Office of 
Infrastructure Protection; 
Sector: Dams; 
Description: Manages water retention structures, including levees, more 
than 77,000 conventional dams, navigation locks, canals (excluding 
channels), and similar structures, including larger and nationally 
symbolic dams that are major components of other critical 
infrastructures that provide electricity and water. 

Sector-specific agency: Dept. of Homeland Security: Office of 
Infrastructure Protection; 
Sector: Emergency services; 
Description: Saves lives and property from accidents and disaster. This 
sector includes fire, rescue, emergency medical services, and law 
enforcement organizations. 

Sector-specific agency: Dept. of Homeland Security: Office of 
Infrastructure Protection; 
Sector: Commercial nuclear reactors, materials, and waste; 
Description: Provides nuclear power, which accounts for approximately 
20% of the nation's electrical generating capacity. The sector includes 
commercial nuclear reactors and non-power nuclear reactors used for 
research, testing, and training; nuclear materials used in medical, 
industrial, and academic settings; nuclear fuel fabrication facilities; 
the decommissioning of reactors; and the transportation, storage, and 
disposal of nuclear materials and waste. 

Sector-specific agency: Dept. of Homeland Security: Office of Cyber 
Security and Telecommunications; 
Sector: Information technology; 
Description: Produces information technology and includes hardware 
manufacturers, software developers, and service providers, as well as 
the internet as a key resource. 

Sector-specific agency: Dept. of Homeland Security: Office of Cyber 
Security and Telecommunications; 
Sector: Telecommunications; 
Description: Provides wired, wireless, and satellite communications to 
meet the needs of businesses and governments. 

Sector-specific agency: Dept. of Homeland Security: Transportation 
Security Administration; 
Sector: Postal and shipping; 
Description: Delivers private and commercial letters, packages, and 
bulk assets. The U.S. Postal Service and other carriers provide the 
services of this sector. 

Sector-specific agency: Transportation Security Administration and U.S. 
Coast Guard; 
Sector: Transportation systems; 
Description: Enables movement of people and assets that are vital to 
our economy, mobility, and security with the use of aviation, ships, 
rail, pipelines, highways, trucks, buses, and mass transit. 

Sector-specific agency: Immigration and Customs Enforcement, Federal 
Protective Service; 
Sector: Government facilities; 
Description: Ensures continuity of functions for facilities owned and 
leased by the government, including all federal, state, territorial, 
local, and tribal government facilities located in the U.S. and abroad. 

Source: NIPP, Homeland Security Presidential Directive 7, and the 
National Strategy for Homeland Security. 

[A] The Department of Agriculture is responsible for food (including 
meat, poultry, and eggs) and agriculture. 

[B] The Department of Health and Human Services, Food and Drug 
Administration is responsible for food other than meat, poultry, and 
egg products. 

[End of table] 

Under the NIPP, the sector-specific agencies are also responsible for 
developing individual plans for their sectors. These plans are to 
support the NIPP by identifying the specific protective activities and 
information-sharing mechanisms and protocols that each sector will be 
using for its protection efforts. Specifically, these plans are to be 
tailored to address the unique characteristics and risks of each sector 
and are to, among other things, (1) define the security roles and 
responsibilities of members of the sector; (2) establish the methods 
that members will use to interact and share information related to 
protection of critical infrastructure; (3) describe how the sector will 
identify its critical assets; and (4) identify the approaches the 
sector will take to assess risks and develop programs to protect these 
assets. DHS is to use these individual plans to evaluate whether any 
gaps exist in the protection of critical infrastructures on a national 
level and, if so, to work with the sectors to address them. Each sector-
specific agency is to collaborate with its respective government and 
sector councils to develop these plans, and each is to submit its plan 
to DHS within 180 days of issuance of the NIPP (by the end of December 
2006). 

NIPP Relies on a Partnership Model for Coordination of Protection 
Efforts: 

DHS published an Interim NIPP in February 2005 that was intended to 
provide the framework for a coordinated national approach to address 
the full range of physical, cyber, and human threats and 
vulnerabilities that pose risks to the nation's critical 
infrastructure. DHS released subsequent drafts of the NIPP for comment 
in November 2005 and January 2006 before it released a final NIPP in 
June 2006. The NIPP relies on a sector partnership model as the primary 
means of coordinating government and private sector critical 
infrastructure protection efforts. Under this model, each sector has 
both a government council and a sector council to address sector- 
specific planning and coordination. Each council is to work in tandem 
to create the context, framework, and support for coordination and 
information-sharing activities required to implement and sustain that 
sector's critical infrastructure protection efforts. The council 
framework allows for the involvement of representatives from all levels 
of government and the private sector, so that collaboration and 
information-sharing can occur to assess events accurately, formulate 
risk assessments, and determine appropriate protective measures. 

The government councils are to coordinate strategies, activities, 
policy, and communications across government entities within each 
sector. Each government council is to be comprised of representatives 
across various levels of government (i.e., federal, state, local, and 
tribal) as appropriate to the security needs of each individual sector. 
In addition, a representative from the sector-specific agency is to 
chair the council and is to provide cross-sector coordination with each 
of the member governments. Each council is also co-chaired by the DHS 
Assistant Secretary for Infrastructure Protection or a designee. 

Sector councils are encouraged under the NIPP model to be the principal 
entities for coordinating with the government on a wide range of 
critical infrastructure protection activities and issues. Under the 
model, critical asset owners and operators are encouraged to be 
involved in the creation of sector councils that are self-organized, 
self-run, and self-governed, with a spokesperson designated by the 
sector membership.[Footnote 8] Specific membership can vary from sector 
to sector, but should be representative of a broad base of owners, 
operators, associations, and other entities--both large and small-- 
within the sector. 

The NIPP also identified cross-sector entities that are to promote 
coordination, communications, and the sharing of key practices across 
sectors. On the government side, the Government Cross-Sector Council is 
comprised of two subcouncils: (1) the NIPP Federal Senior Leadership 
Council, comprised of representatives of each of the sector-specific 
agencies, that is to enhance communication and coordination between and 
among these agencies and (2) the State, Local, and Tribal Government 
Coordinating Council--comprised of state, local, and tribal homeland 
security advisors--that is to serve as a forum for coordination across 
these jurisdictions on protection guidance, strategies, and programs. 
On the private sector side, the Partnership for Critical Infrastructure 
Security (PCIS), comprised of one or more members and alternates from 
each of the sector councils, is to, among other things, provide senior- 
level, cross-sector strategic coordination through partnership with DHS 
and the sector-specific agencies and to identify and disseminate 
protection best practices across the sectors. 

Sectors Have Established Government and Sector Councils, Which are 
Generally Representative of their Sectors; Council Activities Have 
Varied Depending on Their Maturity and Other Characteristics: 

All of the sectors have established government councils, and voluntary 
sector councils under the NIPP model have been formed for all sectors 
except transportation systems. These councils were formed as early as 
2002 to as recently as 2006. The nature of the 17 sectors varies and 
council membership reflects this diversity. The government councils are 
generally comprised of representatives from various federal agencies 
with regulatory or other interests in the sector as well as some state 
and local officials with purview over the sectors. In addition, members 
of the sector councils are generally representative of the asset owners 
and operators within the sectors. Because some of the councils are 
newer than others, council activities vary based on the council's 
maturity and other characteristics, with some younger councils focusing 
on establishing council charters while more mature councils focused on 
developing protection strategies. 

Some Councils Formed in Response to the NIPP, While Others Formed 
Earlier Because of Increased Vulnerabilities: 

Each of the 17 critical infrastructure sectors has established its 
government council, and sector councils have been formed for all 
sectors except transportation systems.[Footnote 9] While seven sectors 
did not form either a government council or sector council prior to the 
drafting of the NIPP, ten of the sectors had formed at least one of 
these councils prior to DHS's drafting of the NIPP. These sectors said 
they recognized the need to collaborate to address risks and 
vulnerabilities that could result in economic consequences for their 
sectors. The sectors with pre-existing councils are generally using 
them to serve as the councils laid out in the NIPP model. For example, 
prior to the development of the NIPP, DHS and the Department of 
Agriculture established a government coordinating council for the 
agriculture and food sector to coordinate efforts to protect against 
agroterrorism. Also, prior to NIPP development, DHS helped the 
agriculture and food sector establish a sector council to facilitate 
the flow of alerts, plans, and other information between federal and 
state governments and private infrastructure groups. The transportation 
systems sector had yet to form a sector council, and, at the time of 
our review, Transportation Security Administration officials said they 
were working with contractors to help each transportation mode 
establish its own sector council. TSA officials attributed the delay to 
the heterogeneous nature of the Transportation sector--ranging from 
aviation to shipping to trucking. (See table 3 for the status of 
government and sector council formation by sector). 

Table 3: Status of Government Council and Sector Council Formation, as 
of August 2006: 

Sector: Agriculture and food; 
Government council formed: 2003; 
Sector council formed: June 2004. 

Sector: Banking and finance; 
Government council formed: January 2002; 
Sector council formed: June 2002. 

Sector: Chemical; 
Government council formed: March 2005; 
Sector council formed: June 2004. 

Sector: Commercial facilities; 
Government council formed: Summer 2005; 
Sector council formed: Fall 2005. 

Sector: Commercial nuclear reactors, materials, and waste; 
Government council formed: October 2004; 
Sector council formed: September 2004. 

Sector: Dams; 
Government council formed: January 2005; 
Sector council formed: May 2005. 

Sector: Defense industrial base; 
Government council formed: July 2006; 
Sector council formed: August 2006. 

Sector: Drinking water and water treatment systems; 
Government council formed: April 2005; 
Sector council formed: September 2004. 

Sector: Emergency services; 
Government council formed: April 2005; 
Sector council formed: July 2003. 

Sector: Energy[A]; 
Government council formed: Spring 2004; 
Sector council formed: June 2004. 

Sector: Government facilities; 
Government council formed: November 2005; 
Sector council formed: Not applicable[B]. 

Sector: Information technology; 
Government council formed: April 2005; 
Sector council formed: January 2006. 

Sector: National monuments and icons; 
Government council formed: September 2005; 
Sector council formed: Not applicable[B]. 

Sector: Postal and shipping; 
Government council formed: July 2005; 
Sector council formed: December 2004. 

Sector: Public health and healthcare; 
Government council formed: Pre- 2005; 
Sector council formed: Initiated in 2003, reorganized in 2006. 

Sector: Telecommunications; 
Government council formed: May 2005; 
Sector council formed: May 2005. 

Sector: Transportation systems; 
Government council formed: January 2006; 
Sector council formed: Not formed. 

Source: Government council and sector council representatives. 

[A] The energy sector includes the production, refining, storage, and 
distribution of oil, gas, and electric power, except for commercial 
nuclear power facilities. 

[B] There is no private sector component to this sector. 

[End of table] 

Council Leaders Believe That Their Memberships Are Generally 
Representative of Government Agencies with Purview over the Sectors and 
Are Generally Representative of Asset Owners and Operators: 

The composition, scope, and nature of the 17 sectors themselves vary 
significantly, and the memberships of their government and sector 
councils reflect this diversity. The enormity and complexity of the 
nation's critical infrastructure require council membership to be as 
representative as possible of the entities that make up the respective 
sector and that are responsible for or have some role in protecting 
them. As such, council leaders--government sector representatives and 
private council chairs--believe that their membership is generally 
representative of their sectors. In terms of government councils, 
members are generally comprised of representatives from various federal 
agencies with regulatory or other interests in the sectors (see app. II 
for government council membership by sector). For example, the chemical 
sector government council membership includes officials with DHS; the 
Bureau of Alcohol, Tobacco, Firearms and Explosives; the Department of 
Commerce; the Department of Justice; the Department of Transportation; 
and the Environmental Protection Agency. This is because each entity 
has an interest in some form in the chemical sector. As permitted in 
the NIPP model, some government councils also include officials from 
state and local governments with jurisdiction over entities in the 
sector. An example of this is the dams sector, in which its government 
council includes not only federal officials with purview over the 
sector but also state officials from the California Department of Water 
Resources; the New Jersey Department of Environmental Protection; the 
Ohio Department of Natural Resources; the Virginia Department of 
Conservation and Recreation; and the Washington Department of Ecology. 
These states represent the other states and all local governments in 
their regions. According to agency representatives for each of the 
government councils, the memberships may change over time if needed-- 
for example, if knowledge of new threats would require the involvement 
of additional government entities. 

Sector council membership varies, reflecting the unique composition of 
entities within each, but is generally representative of a broad base 
of owners, operators, and associations--both large and small--within a 
sector (see app. III for sector council membership by sector). For 
example, members of the drinking water and water treatment systems 
sector council include national organizations such as the American 
Water Works Association and the Association of Metropolitan Water 
Agencies and also members of these associations that are 
representatives of local entities including Breezy Hill Water and Sewer 
Company and the City of Portland Bureau of Environmental Services. In 
addition, the commercial facilities sector council includes more than 
200 representatives of individual companies spanning 8 different 
subsectors, including public assembly facilities; sports leagues; 
resorts; lodging; outdoor events facilities; entertainment and media; 
real estate; and retail. According to sector council representatives, 
memberships generally represent the majority of private industries 
within each sector. This provides the councils opportunities to build 
the relationships needed to help ensure critical infrastructure 
protection efforts are comprehensive. The two exceptions are the 
transportation systems sector council and the public health and 
healthcare sector council. According to government and sector 
representatives, because the transportation systems sector has yet to 
establish a council, memberships are yet to be determined. Because of 
the vast number of business entities within the private sector that are 
very diverse in their interests, it has been difficult for the public 
health and healthcare sector council to engage a mix of critical asset 
owners that everyone considers representative. There are a large number 
of public health and healthcare organizations involved in the sector 
that do consider themselves representative of the market. According to 
DHS's Director of the Infrastructure Programs Office within the Office 
of Infrastructure Protection, owners and operators are necessary 
members of the council because they have the responsibility to invest 
time, money, and other resources to secure their critical assets and 
are held responsible by their customers and by the public they serve to 
respond and recover when their operations are disrupted. Recently, a 
new public health and healthcare chair of the sector council has been 
designated and is working to solidify the council's structure and 
membership. While these efforts may help, it is unclear how soon this 
will happen. 

While Newer Councils Are Just Forming, More Mature Councils Are 
Addressing Long-Term Strategies: 

Council activities have varied based on the maturity of the councils. 
Because some of the councils are newer than others, council meetings 
have addressed a range of topics from agreeing on a council charter to 
developing industry standards and guidelines for business continuity in 
the event of a disaster or incident. For example, the commercial 
facilities government council, which formed in 2005, has held meetings 
to address operational issues--such as agreeing on a charter, learning 
what issues are important to the sector, learning about risk management 
tools, and beginning work on the sector-specific plan. Councils that 
are more mature have been able to move beyond these activities to 
address more strategic issues. For example, the banking and finance 
sector council, which formed in 2002, focused its efforts most recently 
on strengthening the financial system's ability to continue to function 
in the event of a disaster or incident (known as "resilience"); 
identifying a structured and coordinated approach to testing sector 
resilience; and promoting appropriate industry standards and guidelines 
for business continuity and resilience. 

Sector councils are not intended to replace the information sharing 
functions provided by the ISACs. For those sectors that had established 
ISACs prior to the development of the NIPP, the sectors may continue to 
rely on them for operational and tactical capabilities for information 
sharing, such as threat alerts, and, in some cases, support for 
incident response activities. In contrast, sector councils are to serve 
as strategy and policy-making bodies for critical infrastructure 
protection. The NIPP also supports the continued use of ISACs by those 
sectors that have established them, but notes that each sector has the 
ability to implement a tailored information sharing solution that may 
include existing ISACs or other methods, such as trade associations, 
security organizations, or infrastructurewide or corporate operations 
centers. In fact, the ISACs for the banking and finance sector as well 
as the information technology sector are members of their respective 
sector councils. Many sectors are exploring a relatively new DHS 
information sharing mechanism, the Homeland Security Information 
Network (HSIN). This network, in particular the portal for critical 
infrastructure protection called Critical Sectors (HSIN-CS), is a suite 
of tools that sector councils can use for information sharing, 
coordination, and communication about alerts, incidents, and planning 
efforts within the sector. At the time of our review, according to 
DHS's Director of the Infrastructure Programs Office within the Office 
of Infrastructure Protection, DHS had created access portals for all 17 
sectors and 6 sector councils had signed formal memorandums of 
understanding with DHS to use the system, declaring the councils' 
intent to implement access and use for their entire sector. Once HSIN- 
CS is fully deployed, some sectors may use it instead of developing 
separate ISACs or as a supplement to an existing ISAC. 

Good Prior Working Relationships, Willingness to Share Critical 
Information, and Sufficient Resources Are Key to Council Formation and 
Progress: 

Government and sector council representatives most commonly cited long- 
standing working relationships between entities within their respective 
sectors and with the federal agencies that regulate them, the 
recognition among some sector entities of the need to share 
infrastructure information with the government and within the sector, 
and operational support from DHS contractors as factors that 
facilitated council formation. However, these representatives also most 
commonly identified several key factors that posed challenges to 
forming some of the councils, including (1) difficulty establishing 
partnerships with DHS because of issues including high turnover of its 
staff and DHS staff who lacked knowledge about the sector to which they 
were assigned; (2) hesitancy to provide sensitive information or 
industry vulnerabilities to the government due to concerns that the 
information might be publicly disclosed; and (3) lack of long-standing 
working relationships within the sector or with federal agencies. 

Recognizing the Need to Work Together, Share Information, and Obtain 
Support Were Most Common Factors That Helped Facilitate Council 
Development: 

One of the factors assisting the formation of many of the government 
and sector councils was the existence of long-standing working 
relationships within the sectors and with the federal agencies that 
regulate them. As noted earlier in this report, ten of the sectors had 
formed either a government council or sector council that addressed 
critical infrastructure protection issues prior to DHS's development of 
the NIPP. These sectors generally had ready-made councils in terms of 
the NIPP model, compared to sectors that did not have prior 
relationships. In addition, according to government and sector council 
representatives, sectors in which the industries have been highly 
regulated by the federal government--such as the banking and finance 
sector as well as the commercial nuclear sector--were already used to 
dealing with the federal government on many issues. Therefore, forming 
a relationship between the government and the private sector and within 
the sector was not very difficult. For example, the banking and finance 
sector has had a functional equivalent of both the government and 
sector councils since 2002 as well as an ISAC since 1999. Government 
and sector council representatives reported that members of both 
councils have developed long-standing and trusted working relationships 
between respective members of each council and across the two councils 
and an effective means of information sharing via their ISAC. As we 
reported in 2001, developing trusted relationships among their members 
was one of four key factors critical to the success of information 
sharing organizations in addressing cyber infrastructure 
threats.[Footnote 10] We reported that trust was critical to overcome 
members' reluctance to disclose their weaknesses, vulnerabilities, and 
other confidential or proprietary business information, but that trust 
had to be built over time and through personal relationships. 

The private sector's recognition of the need to share information with 
the government about security threats, infrastructure vulnerabilities, 
and protective measures also helped with council formation, according 
to representatives of government and sector councils in 15 of the 
sectors. This recognition dates back to PDD-63 with the formation of 
the ISACs between 1999 and 2003 and continues today. As we reported in 
July 2004, the private sector recognized the need to share information 
with the federal government and many sectors voluntarily created ISACs 
to provide an appropriate system to do so.[Footnote 11] Information 
sharing can communicate both actionable information on threats and 
incidents as well as information about the overall protection status of 
critical assets so that owners and operators, federal agencies, states, 
localities, tribal governments, and others can assess risks, make 
appropriate security investments, and take effective and efficient 
protective actions. Government and sector representatives generally see 
the formation of the councils as another step to improve information 
sharing between the federal government and the private sector that can 
ultimately lead to more efficient and effective investments by owners 
and operators as they protect their infrastructure. 

The availability of DHS contractors that provided administrative and 
other assistance to the government and sector councils was a third 
facilitating factor cited by representatives of 13 government and 5 
sector councils. DHS entered into contracts with the following three 
organizations[Footnote 12] to provide administrative and other 
assistance to help fill resource and skill gaps for the councils: 

* DHS contracted with VSE Corporation, an engineering and technical 
support services firm, in September 2005. Under this contract, 
Energetics, a subcontractor, was to provide support to any of the 
sectors that requested assistance in developing a common vision for 
their sector-specific plans. Under this same contract, Meridian 
Institute, a subcontractor to Energetics, was to provide support to any 
sector councils that requested help to convene their councils and to 
build consensus on a governance structure. This contract also supported 
development of reports and studies related to the partnership model and 
information sharing with the sectors. According to the most currently 
available data, VSE-Energetics was provided $3 million for September 
2005 to September 2006. 

* DHS contracted with SRA International, Inc., in January 2004 to 
provide "secretariat" support to the government councils. This support 
was to include meeting planning, logistics, minutes, record keeping, 
and administrative support. This contract also supported the National 
Infrastructure Advisory Council, a presidential advisory committee, 
with administrative, research, and technical writing support. A number 
of study and analysis efforts were also supported under this contract. 
SRA was provided $7.8 million from January 2004 to August 2006. 

* DHS contracted with George Mason University (GMU) in October 2004 to 
provide administrative and other support to the Partnership for 
Critical Infrastructure Security (PCIS) and those sector councils that 
request support. GMU was provided $2.2 million for October 2004 to 
December 2006. 

The council representatives generally viewed these contractors as 
invaluable in providing administrative, meeting-arrangement, and 
meeting-facilitation services to the councils. For example, DHS's 
contract with GMU was to provide meeting-planning, facilitation and 
logistics support, develop materials, record and produce minutes, 
deliver progress reports, and support development of governance 
documents, if requested by the sector councils. Representatives of the 
emergency services sector council and the telecommunications sector 
council commended the services GMU provided for being very helpful, 
including guidance GMU's staff provided on lessons learned from how 
other sector councils were organized. 

Difficulties in Developing Partnerships with DHS, Concerns about 
Sharing Information, and the Lack of Long-standing Working 
Relationships Were the Most Common Challenges to the Formation of Some 
Councils: 

While not all government and sector council representatives cited any 
particular challenges to forming their councils, those who did 
mentioned several key factors that included (1) difficulty establishing 
partnerships with DHS because of issues including high turnover of its 
staff and lack of staff knowledgeable about their sector; (2) hesitancy 
to provide sensitive information or industry vulnerabilities to the 
government or to other sector representatives due to concerns that it 
might be publicly disclosed; and (3) lack of long-standing working 
relationships within the sector or a close association with federal 
agencies. (See figures 1 and 2 for information on the number of 
councils that listed key factors that posed challenges for government 
and sector councils, respectively). 

Figure 1: Key Challenges That Affected Establishing Government 
Councils: 

[See PDF for image] 

Source: GAO analysis. 

Note: Values do not add to 17 because council representatives may have 
indicated more than one challenge. 

[End of figure] 

Figure 2: Key Challenges That Affected Establishing Sector Councils: 

[See PDF for image] 

Source: GAO analysis. 

Note: Values do not add to 15 because the 14 council representatives 
and the rail sector representative may have indicated more than one 
challenge. 

[End of figure] 

Representatives of Eleven Councils Cited Establishing Partnerships with 
DHS as a Challenge in Forming Councils: 

Council representatives with three government and eight sector councils 
reported that they experienced problems forming their councils due to a 
number of challenges establishing partnerships with DHS.[Footnote 13] 
Specifically, these reported challenges included high turnover of 
staff, poor communications with councils, staff who were unfamiliar 
with the sector and did not understand how it works, shifting 
priorities that affected council activities, and minimal support for 
council strategies. DHS acknowledged that its recent reorganization has 
resulted in staff turnover, but according to DHS's Director of the 
Infrastructure Programs Office within the Office of Infrastructure 
Protection, this should not have affected formation of the councils. 
According to this official, DHS has taken a consistent approach to 
implement the partnership model, and the individual person in a 
particular staff position does not matter because the DHS 
implementation guidance is consistent. However, the director 
acknowledged that continuing staff turnover could affect the eventual 
success of the government-private sector partnerships because they will 
be dependent on the actual interactions between the sector-specific 
agency representatives and the sector council members and the trust 
they develop. Continuity of government staff is a key ingredient in 
developing trusted relationships with the private sector. 

We and others have similarly reported on DHS's struggles to achieve 
organizational stability and to provide infrastructure expertise across 
all sectors in the past as well as in our most recent work on Internet 
security issues. For example, in May 2005, we reported that DHS faced a 
number of challenges that impeded its ability to fully address its 
cybersecurity critical infrastructure protection responsibilities, 
including achieving organizational stability and establishing effective 
partnerships with stakeholders.[Footnote 14] Specifically, we reported 
that DHS continued to have difficulties in developing partnerships, as 
called for in federal policy, with other federal agencies, state and 
local governments, and the private sector. We recommended that DHS 
engage appropriate stakeholders to prioritize key cybersecurity 
responsibilities as well as identify performance measures and 
milestones for fulfilling them. DHS concurred with our recommendation 
to engage stakeholders in prioritizing its key cybersecurity 
responsibilities, noting that continued and expanded stakeholder 
involvement is critical. However, DHS did not agree that the challenges 
it experienced prevented it from achieving significant results in 
improving the nation's cybersecurity posture. In addition, DHS did not 
concur with our recommendations to (1) develop a prioritized list of 
key activities for addressing the underlying challenges and (2) 
identify performance measures and milestones for fulfilling its 
prioritized responsibilities and for performing activities to address 
its challenges and track organizational progress. Nonetheless, in its 
strategic plan for cybersecurity, DHS acknowledges that it needs to 
establish performance measures and milestones and to collect 
performance data for its key initiatives. More recently, in March 2006, 
the Council on Foreign Relations, in a study of private sector efforts 
to protect critical infrastructure, reported that DHS was still 
struggling with many issues that prevented the full cooperation of the 
private sector in terms of improving homeland security and protecting 
critical infrastructure.[Footnote 15] For example, the council noted 
that DHS suffered from high management turnover, poor quality 
management, and a shortage of experienced personnel as factors that 
contributed to the difficulty in improving relationships with the 
private sector. Finally, in June 2006, we reported that DHS faced 
similar challenges that impeded its ability to protect the Internet 
infrastructure, including organizational and leadership changes at the 
department.[Footnote 16] 

Representatives for about a Third of Councils Expressed Concerns about 
Sharing Sensitive Information about Infrastructure Vulnerabilities with 
the Government and with Other Sector Members: 

Representatives with six government and five sector councils noted that 
the private sector continues to be hesitant to provide sensitive 
information regarding vulnerabilities to the government as well as with 
other sector members due to concerns that, among other things, it might 
be publicly disclosed. For example, these representatives were 
concerned that the items discussed, such as information about specific 
vulnerabilities, might be subject to public disclosure under the 
Federal Advisory Committee Act and thereby be available to competitors 
or potentially make the council members subject to litigation for 
failure to publicly disclose any known threats or 
vulnerabilities.[Footnote 17] 

This issue continues to be a longstanding concern and one that 
contributed to our designating homeland security information sharing as 
a high-risk issue in January 2005.[Footnote 18] We reported then that 
the ability to share security-related information is critical and 
necessary because it can unify the efforts of federal, state, and local 
government agencies and the private sector in preventing or minimizing 
terrorist attacks. In March 2006, we reported that more than 4 years 
after September 11, the nation still lacked governmentwide policies and 
processes to help agencies integrate a myriad of ongoing efforts to 
improve the sharing of terrorism-related information that is critical 
to protecting our homeland.[Footnote 19] 

More recently, in April 2006, we reported that DHS continued to face 
challenges that impeded the private sector's willingness to share 
sensitive security information with the government.[Footnote 20] In 
this report, we assessed the status of DHS efforts to implement the 
protected critical infrastructure information (PCII) program created 
pursuant to the Homeland Security Act. This program was specifically 
designed to establish procedures for the receipt, care, and storage of 
critical infrastructure information voluntarily submitted to the 
government. We found that while DHS created the program office, 
structure, and guidance, few private sector entities were using the 
program. Challenges DHS faced included being able to assure the private 
sector that such information will be protected and specifying who will 
be authorized to have access to the information, as well as to 
demonstrate to critical infrastructure owners the benefits of sharing 
the information. We concluded that if DHS were able to surmount these 
challenges, it and other government users may begin to overcome the 
lack of trust that critical infrastructure owners have in the 
government's ability to use and protect their sensitive information. We 
recommended that DHS better define its critical infrastructure 
information needs and better explain how this information will be used. 
DHS concurred with our recommendations and in September 2006 issued a 
final rule that established procedures governing the receipt, 
validation, handling, storage, marking, and use of critical 
infrastructure information voluntarily submitted to DHS. 

To help address council concerns about sharing sensitive security 
information, DHS in March 2006 created the Critical Infrastructure 
Partnership Advisory Council, open to members of each of the government 
and sector councils. The purpose of the Advisory Council is to 
facilitate interactions between government representatives and private 
sector owners and operators of critical assets. To accomplish this 
goal, DHS exempted council proceedings from requirements of the Federal 
Advisory Committee Act. However, it is too soon to determine whether 
the council has helped facilitate information sharing. 

Several Council Representatives Cited a Lack of Prior Working 
Relationships as a Challenge to Council Formation: 

Four government and four sector council representatives stated that the 
lack of prior working relationships either within their sector or with 
the federal government created challenges in forming their respective 
councils. For example, the public health and healthcare sector 
struggled with creating a sector council that represented the interests 
of the sector because it is comprised of thousands of entities that are 
not largely involved with each other in daily activities.[Footnote 21] 
According to the sector-specific agency representative of the 
Department of Health and Human Services (HHS), historically, there was 
relatively little collaboration on critical infrastructure protection- 
related issues among sector members. Some individual members, such as 
pharmaceutical companies, do have vigorous critical infrastructure 
protection programs to address their company's challenges. The official 
also noted that many other companies work cooperatively to evaluate 
cybersecurity requirements. However, the official said by and large, 
such initiatives are unique to specific industries, are not applicable 
to the entire sector, and are geared to specific business objectives 
(e.g., prevention of industrial espionage). The official indicated that 
most sector members have few strong, continuing incentives to 
collaborate with one another in understanding and resolving critical 
infrastructure protection-related issues. Despite these reported 
challenges, the public health and healthcare sector has been able to 
form a sector council that is in the early stages of organization. 

The commercial facilities sector, which also involves varied and often 
unrelated stakeholders nationwide, similarly reported that the 
disparities among stakeholders made forming a council challenging. This 
sector encompasses owners and operators of stadiums, raceways, casinos, 
and office buildings, that have not previously worked together. In 
addition, the industries comprising the commercial facilities sector 
did not function as a sector prior to the NIPP and did not have any 
prior association with the federal government. As a result, this sector 
council has been concentrating its efforts on identifying key 
stakeholders and agreeing on the scope of the council and its 
membership. The council has established eight subcouncils to allow the 
disparate members to organize in a meaningful way. Because 
approximately 85 percent of the nation's critical infrastructure is 
owned by the private sector, developing trusted partnerships between 
the federal government and the private sector across all sectors is 
critical to ensure the protection of these assets, as we reported in 
2001 and in a number of subsequent reports on critical infrastructure 
protection issues. 

Councils Delayed Their Work on Sector-Specific Plans until the NIPP Was 
Issued but Despite Challenges, Expect to Complete Plans by the End of 
December 2006: 

Each of the 17 sectors is preparing sector-specific plans. Sector- 
specific agencies anticipate that all plans will be finalized by the 
end of December 2006, as required by the NIPP, but some sectors were 
farther along than others as of August 2006. Representatives from both 
the government and sector councils cited factors that have facilitated 
the development of their plans--similar to those that facilitated 
development of their councils--most commonly citing pre-existing plans; 
historical relationships between the federal government and the private 
sector or across the private sector; and contractor support. Sector 
representatives most commonly reported that key challenges in drafting 
their plans were the lack of a final NIPP, which caused some sectors to 
delay work on their plans, the changing nature of DHS guidance on how 
to develop the plans, and the diverse make-up of sector membership. 

Sector-Specific Agencies Believe They Will Complete Plans on Time: 

Sector-specific agency representatives believe they will meet the 
deadline to complete their plans by December 2006.[Footnote 22] DHS 
requires these plans to contain definitions of the processes the 
sectors will use to identify their most critical assets and resources 
as well as the methodologies they will use to assess risks, but not 
information on the specific protective measures that will be utilized 
by each sector. Nevertheless, as of August 2006, some sectors reported 
being further along in developing a plan than others, and some private 
council representatives said collaboration between the private council 
and the government council on the plans had yet to take place. For 
example, representatives of the chemical and nuclear sectors 
anticipated completing their plans before the December deadline. 
However, while TSA officials reported that they had drafted an overall 
plan, they had only begun drafting plans for each transportation mode 
such as aviation, rail, and ports, as of August 2006. Additionally, the 
overall plan had yet to be shared with the private sector at the time 
of our review. Moreover, the commercial facilities sector-specific 
agency representative said that as of May 2006, the agency had only 
developed a plan outline because it was still conducting outreach with 
the sector council and other relevant government councils. 
Nevertheless, the sector co-chair said the sector should be able to 
meet the December 2006 deadline. 

The NIPP requires agencies to coordinate the development of plans in 
collaboration with their security partners represented by government 
and sector councils and provide documentation of such collaboration. To 
date, the level of collaboration between sector-specific agencies and 
the sector councils in developing the sector-specific plans has varied-
-ranging from soliciting stakeholder comments on a draft to jointly 
developing the plan.[Footnote 23] For example, the Department of 
Agriculture and the Food and Drug Administration are initiating a draft 
agriculture and food plan and plan to provide it to a working group of 
government and sector council representatives to add relevant 
information and comments, while representatives of the energy sector 
council are working with the Department of Energy to draft the energy 
plan. Despite the consistent belief among the sectors that they will be 
able to provide their plans to DHS by the December 2006 deadline, the 
extent to which some of the sector-specific agencies that are 
responsible for the less developed and organized sectors are going to 
be able to achieve the required collaboration is uncertain since 
effective relationships within the sectors and with federal agencies 
had yet to be established, which is a crucial step. 

Pre-existing Plans, Collaboration, and Contractor Support Were Factors 
Most Commonly Cited as Facilitating Development of Sector-Specific 
Plans: 

Representatives from both sector-specific agencies and sector councils 
identified a number of factors that have helped in the development of 
their plans. The most common factors included having (1) pre-existing 
plans, (2) pre-existing relationships between the government and the 
private sector, and (3) assistance from DHS officials and contractors. 
Sector representatives from the agriculture and food, banking and 
finance, chemical, and energy sectors said their sectors had already 
developed protection plans prior to the interim NIPP published in 
February 2005 because they had recognized the economic value in 
planning for an attack. These representatives said they were able to 
revise their previous plans to serve as the plans called for in the 
NIPP. For example, the Department of Energy, with input from the 
sector, had developed a protection plan in anticipation of the Year 
2000 ("Y2K") computer threat; Department of Energy officials noted that 
both this plan and the relationships established by its development 
have been beneficial in developing the protection plan for the energy 
sector. Likewise, HHS and U.S. Department of Agriculture 
representatives said that the agriculture and food plan will follow and 
document infrastructure protection practices that the sector was 
already doing as a result of Homeland Security Presidential Directive 9 
(HSPD-9)--which established a national policy to defend the agriculture 
and food system against terrorist attacks, major disasters, and other 
emergencies--and will be based on a previous plan developed in 2004 in 
response to the directive. Similarly, the banking and finance sector 
council, which worked closely with the Department of Treasury, has had 
a critical infrastructure protection plan in place for the banking and 
finance sector since 2003 and planned to use it, along with other 
strategies, to fit the format required by the NIPP. 

Representatives from 13 government and 10 sector councils agreed that 
having prior relationships--either formally between the federal 
government and the private sector based on regulatory requirements, or 
informally within and across industries--facilitated sector-specific 
plan development. For example, a nuclear sector representative said 
that its regulator, the Nuclear Regulatory Commission, had already laid 
out clear guidelines for security and threat response that facilitated 
developing the sector's plan. Representatives from the Transportation 
Security Administration (TSA) and the banking and finance government 
council also said that previous regulatory relationships with their 
sectors helped with plan development. The TSA official said that the 
flow of information and coordination between the federal government and 
the transportation industry occurred continually and that these 
existing networks would also assist in plan development. Sectors with 
operating ISACs--such as the telecommunications and information 
technology sectors--found them to have assisted in developing sector- 
specific plans because of their longer involvement in public-private 
information sharing. The drinking water and wastewater sector council 
representative said that its long-standing culture of sharing 
information and decades of work with the Environmental Protection 
Agency helped with plan development. In addition, according to 
officials on the telecommunications sector council's steering 
committee, communications companies, electric power suppliers, and 
information technology providers have a history of working together to 
ensure the continuity of services during potentially disrupting events. 
This history facilitated cooperation and coordination in developing the 
sector-specific plans. 

Representatives from seven sector-specific agencies and five sector 
councils said that assistance from DHS officials or DHS contractors was 
also a factor that helped with plan development. In addition to the 
contractor assistance identified above, DHS entered into the following 
contract to provide support for the development of the NIPP and the 
sector-specific plans: 

* DHS contracted with ICF International, a professional services 
consulting firm, in January 2004. Under this contract, ICF 
International was to support the development of the guidance for the 
sector-specific plans, conduct technical assistance sessions for sector-
specific agencies to facilitate plan development, and provide subject 
matter experts to each of the 17 sectors to support drafting and review 
of each sector's plan. According to DHS, ICF International was provided 
$11.2 million for work performed from January 2004 through December 
2006. 

Representatives from the national monuments and icons and the 
government facilities sectors said that DHS officials have been 
accessible and responsive to questions regarding plan guidance. In 
addition, five sector representatives cited the help provided through 
DHS's contract with the George Mason University's Critical 
Infrastructure Protection program as being useful in understanding the 
plan guidance and in facilitating sector communication. These and other 
sector representatives said that the DHS-provided contractor assistance 
also helped in the development of their plans. By having access to 
these contractors, sectors were able to access additional support when 
needed for plan development activities such as research and drafting. 
For example, DHS contract staff assisted the Department of the Interior 
and DHS's Chemical and Nuclear Preparedness and Protection Division in 
drafting the plans for the national monuments and icons and emergency 
services sectors, respectively. Representatives from the chemical, 
emergency services, nuclear, and telecommunications sector councils 
said that contractors hired by DHS were helpful as resources providing 
research or drafting services. 

The Lack of a Final NIPP, Changing Guidance, and Other Challenges 
Impeded Progress on Some Sector-Specific Plans: 

The most common key challenges sector representatives reported as 
having contributed to delays in the development of their plans included 
(1) the lack of a final NIPP, (2) changing DHS guidance, and (3) the 
diverse makeup of sector membership. Representatives from seven 
government councils and six private councils did not report any major 
challenges to plan development. Figures 3 and 4 summarize the key 
challenges in developing plans cited by council representatives. 

Figure 3: Key Challenges to Developing Sector-Specific Plans, according 
to Government Council Representatives: 

[See PDF for image] 

Source: GAO analysis. 

Note: Values do not add to 17 because council representatives may have 
indicated more than one challenge. 

[End of figure] 

Figure 4: Key Challenges to Developing Sector-Specific Plans, according 
to Sector Council Representatives: 

[See PDF for image] 

Source: GAO analysis. 

Note: Values do not add to 15 because the 14 council representatives 
and the rail sector representative may have indicated more than one 
challenge. 

[End of figure] 

Representatives from six government councils and six sector councils 
said that the lack of a final NIPP contributed to delays in developing 
their sector plans. Furthermore, representatives with three sectors 
specifically stated that they suspended revisions to their sector plans 
primarily because they wanted to be sure the plans followed the 
requirements in the final NIPP and to minimize revisions. The sector- 
specific agencies are required to complete their plans and submit them 
to DHS 180 days from the final issuance date of the NIPP. Since DHS 
issued the final NIPP in June 2006, the agencies have until the end of 
December 2006 to submit their plans. According to DHS, sectors had 
begun drafting their sector-specific plans following the issuance of 
initial sector-specific plan guidance in April 2004. After DHS issued 
the interim NIPP in February 2005, it continued to refine the NIPP 
based on stakeholder comments and also issued revised sector-specific 
plan guidance. For example, DHS revised its 2004 plan guidance a year 
later with new requirements including how the sector will collaborate 
with DHS on risk assessment processes as well as how it will identify 
the types of protective measures most applicable to the sector. DHS 
then issued additional guidance in 2006 that required the plans to have 
a new chapter describing how sector-specific agencies are to manage and 
coordinate their responsibilities. These changes required some sectors-
-such as dams, emergency services, and information technology--to make 
significant revisions to their draft plans. Representatives from these 
sectors expressed frustration with having to spend extra time and 
effort making changes to the format and content of their plans each 
time DHS issued new guidance. Therefore, they decided to wait until 
final guidance was issued based on the final, approved NIPP. 

However, some sectors found the changes in the NIPP and plan guidance 
to be improvements over prior versions that helped them prepare their 
plans. For example, representatives from the emergency services sector 
said that guidance became more specific and, thus, more helpful over 
time, and representatives from the national monuments and icons sector 
said that the DHS guidance has been useful. Representatives from five 
sectors also reported that DHS incorporated changes to address their 
concerns. For example, representatives from the information technology, 
public health, energy, telecommunications, and transportation systems 
sectors, among others, had commented that the NIPP should emphasize 
resiliency rather than protection. According to some of these 
representatives, it is impossible and cost-prohibitive to try to 
protect every asset from every possible threat. Instead, industries in 
these sectors prefer to invest resources in protecting the most 
critical assets with the highest risk of damage or destruction and to 
plan for recovering quickly from an event. Representatives from the 
telecommunications sector added that resiliency is especially important 
for interdependent industries in restoring services such as 
communications, power, the flow of medical supplies, and transportation 
as soon as possible. DHS incorporated this concept of resiliency into 
the final NIPP to address these concerns. 

As in establishing their councils, in developing their sector-specific 
plans, officials from three government councils and five sector 
councils said that their sectors were made up of a number of disparate 
stakeholders, making agreement on a plan more difficult. For example, 
as noted earlier, the commercial facilities sector is comprised of 
eight different subsectors of business entities that have historically 
had few prior working relationships. According to the government 
council representative, the magnitude of the diversity among these 
subsectors has slowed the process of developing a plan so that the 
sector only had an outline of its plan as of May 2006. Similarly, 
government and private council representatives of the agriculture and 
food sector indicated that the diversity of industries included in this 
sector such as farms, food processing plants, and restaurants, each of 
which has differing infrastructure protection needs, has made 
developing a plan more difficult. 

Concluding Observations: 

Critical infrastructure protection is vital to our national security, 
economic vitality and public health. Significant damage to critical 
infrastructure and key resources could disrupt the functioning of 
business and government alike, underscoring the need for the private 
and public sectors to take a coordinated approach to critical 
infrastructure protection. While DHS is to be commended for its efforts 
to incorporate private sector comments into the final NIPP, the 18- 
month delay in issuing that document and changing DHS planning guidance 
have slowed down the progress of some sectors in developing specific 
plans to protect sectors. As a result, some less mature sectors were 
still in the outline phase of developing their sector-specific plans at 
the time of our review, leaving much to do and not a lot of time left 
to do it before the December deadline. In addition, some private 
council representatives said collaboration between the private council 
and the government council on the plans, which is required by the NIPP, 
had yet to take place. Not only is this collaboration required by the 
NIPP, but also the ability of the private sector to achieve the goals 
of HSPD-7 and the National Strategy for Homeland Security depends on 
it. The extent to which some of the sector-specific agencies that are 
responsible for the less developed councils and plans are going to be 
able to achieve this collaboration is uncertain since neither had yet 
established effective relationships, a crucial step. In addition, both 
the NIPP and the sector plans only represent a first step toward 
ensuring sufficient protection of critical infrastructure. The NIPP 
lays out guidance for critical infrastructure protection planning and 
risk assessments, yet the sector plans must only demonstrate how the 
sectors will identify their critical assets, plan for infrastructure 
protection, and assess risk across their infrastructure base, not 
identify critical assets and assess risk levels. Conducting these 
identifications and assessments will be the next step under the NIPP 
guidelines. 

The inability to share information critical to homeland security and 
infrastructure protection continues to pose a significant risk to the 
nation. This report, as well as our past work, demonstrates that many 
private sector partners do not trust the government enough yet to share 
information on their security vulnerabilities. DHS's creation of the 
Critical Infrastructure Partnership Advisory Council in March 2006 may 
help alleviate private sector concerns about the sharing of sensitive 
security information, but it is too soon to determine whether the 
council has helped facilitate information sharing. Similarly, 
developing successful working relationships continues to be an 
important issue for DHS. Our previous work, dating back to 2001, shows 
that the establishment of trusted relationships is vital to the success 
of information sharing and critical infrastructure protection efforts. 
Given the long-term relationships that are necessary for the successful 
implementation of the NIPP, factors that impact these relationships, 
such as continuing staff turnover, could affect the eventual success of 
the government-private sector partnerships. Because our findings in 
this report echo many of those in our previous reports and are covered 
by previous recommendations to DHS that have yet to be fully 
implemented, we are not making any new recommendations at this time. 
Continued monitoring will determine whether further recommendations are 
warranted. 

As agreed with your offices, unless you publicly announce its contents 
earlier, we plan no further distribution of this report until 30 days 
after its issue date. At that time, we will provide copies of this 
report to appropriate departments and interested congressional 
committees. We will also make copies available to others upon request. 
In addition, the report will be available at no charge on GAO's Web 
site [Hyperlink, http://www.gao.gov]. 

If you or your staff have any questions about this report, please 
contact me at (202) 512-8777 or at larencee@gao.gov. Key contributors 
to this report are listed in appendix IV. 

Signed by: 

Eileen R. Larence: 
Director, Homeland Security and Justice Issues: 

[End of section] 

Appendix I: Key Federal Initiatives in Developing Critical 
Infrastructure Protection Policy, 1996 to Present: 

Policy action: Executive Order 13010; 
Date: July 1996; 
Key elements: Established the President's Commission on Critical 
Infrastructure Protection to study the nation's vulnerabilities to both 
cyber and physical threats; Identified the need for the government and 
the private sector to work together to establish a strategy for 
protecting critical infrastructures from physical and cyber threats and 
assuring their continued operation. 

Policy action: Presidential Decision Directive 63; 
Date: May 1998; 
Key elements: Established CIP as a national goal and presented a 
strategy for cooperative efforts by government and the private sector 
to protect the physical and cyber-based systems essential to the 
minimum operations of the economy and the government; Designated 
government agencies to coordinate and support CIP efforts; Identified 
lead federal agencies to work with coordinators in eight infrastructure 
sectors and five special functions; Encouraged the development of 
information-sharing and analysis centers; Required every federal 
department and agency to be responsible for protecting its own critical 
infrastructures, including both cyber-based and physical assets; 
Superseded by HSPD-7 (see details on HSPD-7 below). 

Policy action: National Plan for Information Systems Protection[A]; 
Date: Jan. 2000; 
Key elements: Provided a vision and framework for the federal 
government to prevent, detect, and respond to attacks on the nation's 
critical cyber-based infrastructure and to reduce existing 
vulnerabilities via federal computer security and information 
technology requirements. 

Policy action: Executive Order 13228; 
Date: Oct. 2001; 
Key elements: Established the Office of Homeland Security, within the 
Executive Office of the President, to develop and coordinate the 
implementation of a comprehensive national strategy to secure the 
United States from terrorist threats or attacks; Established the 
Homeland Security Council to advise and assist the President with all 
aspects of homeland security and to ensure the coordination of homeland 
security-related activities of executive departments and agencies and 
effective development and implementation of homeland security policies. 

Policy action: Executive Order 13231; 
Date: Oct. 2001; 
Key elements: Established the President's Critical Infrastructure 
Protection Board to coordinate cyber-related federal efforts and 
programs associated with protecting our nation's critical 
infrastructures and to recommend policies and coordinating programs for 
protecting CIP-related information systems. 

Policy action: National Strategy for Homeland Security[B]; 
Date: July 2002; 
Key elements: Identified the protection of critical infrastructures and 
key assets as a critical mission area for homeland security; Expanded 
the number of critical infrastructures from the 8 (identified in 
Presidential Decision Directive 63) to 13 and identified lead federal 
agencies for each; Specified 8 major initiatives for CIP, one of which 
specifically calls for the development of the National Infrastructure 
Protection Plan. 

Policy action: Homeland Security Act of 2002[C]; 
Date: Nov. 2002; 
Key elements: Created the Department of Homeland Security and assigned 
it the following CIP responsibilities: (1) developing a comprehensive 
national plan for securing the key resources and critical 
infrastructures of the United States; (2) recommending measures to 
protect the key resources and critical infrastructures of the United 
States in coordination with other entities; and (3) disseminating, as 
appropriate, information to assist in the deterrence, prevention, and 
preemption of or response to terrorist attacks. 

Policy action: The National Strategy for the Physical Protection of 
Critical Infrastructures and Key Assets[D]; 
Date: Feb. 2003; 
Key elements: Provided a statement of national policy to remain 
committed to protecting critical infrastructures and key assets from 
physical attacks; Built on Presidential Decision Directive 63 with its 
sector- based approach and called for expanding the capabilities of 
information sharing and analysis centers; Outlined three key 
objectives: (1) identifying and assuring the protection of the most 
critical assets, systems, and functions; (2) assuring the protection of 
infrastructures that face an imminent threat; and (3) pursuing 
collaborative measures and initiatives to assure the protection of 
other potential targets. 

Policy action: Executive Order 13286; 
Date: Feb. 2003; 
Key elements: Amended Executive Order 13231 but generally maintained 
the same national policy statement regarding the protection against 
disruption of information systems for critical infrastructures; 
Designated the National Infrastructure Advisory Council to continue to 
provide the President with advice on the security of information 
systems for critical infrastructures supporting other sectors of the 
economy through the Secretary of Homeland Security. 

Policy action: Homeland Security Presidential Directive 7; 
Date: Dec. 2003; 
Key elements: Superseded Presidential Decision Directive 63 and 
established a national policy for federal departments and agencies to 
identify and prioritize U.S. critical infrastructure and key resources 
and to protect them from terrorist attack; Defined roles and 
responsibilities for the Department of Homeland Security and sector- 
specific agencies to work with sectors to coordinate CIP activities; 
Established a CIP Policy Coordinating Committee to advise the Homeland 
Security Council on interagency CIP issues. 

Source: GAO analysis of documents listed above. 

[A] The White House, Defending America's Cyberspace: National Plan for 
Information Systems Protection: Version 1.0: An Invitation to Dialogue 
(Washington, D.C.: January 2000). 

[B] The White House, Office of Homeland Security, National Strategy for 
Homeland Security. 

[C] Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135 
(2002). 

[D] The White House, The National Strategy for the Physical Protection 
of Critical Infrastructures and Key Assets. 

[End of table] 

[End of section] 

Appendix II: Government Sector Council Membership, by Sector as of 
August 2006: 

Sector: Agriculture and food; 
Government council members: Association of State and Territorial Health 
Officials; Intertribal Agriculture Council; National Assembly of State 
Chief Livestock Health Officials; National Association of County and 
City Health Officials; National Association of State Departments of 
Agriculture; US Dept. of Agriculture; US Dept. of Defense; US Dept. of 
Health and Human Services; US Dept. of Homeland Security; US 
Environmental Protection Agency; Ex Officio Members;  Association of 
Food and Drug Officials; US Dept. of Commerce; US Dept. of Justice; US 
Dept. of the Interior. 

Sector: Banking and finance; 
Government council members: Commodity Futures Trading Commission; 
Conference of State Bank Supervisors; Farm Credit Administration; 
Federal Deposit Insurance Corporation; Federal Housing Finance Board; 
Federal Reserve Bank of New York; Federal Reserve Board; National 
Association of Insurance Commissioners; National Association of State 
Credit Union Supervisors; National Credit Union Administration; North 
American Securities Administration Association; Office of Federal 
Housing Enterprise Oversight; Office of the Comptroller of the 
Currency; Office of Thrift Supervision; Securities and Exchange 
Commission; Securities Investor Protection Corporation; US Dept. of 
Treasury. 

Sector: Chemical; 
Government council members: US Dept. of Commerce; Bureau of Industry 
and Security; US Dept. of Homeland Security; Preparedness Directorate, 
National Cyber Security Division; Preparedness Directorate, Office of 
Infrastructure Protection; Science and Technology Directorate; 
Transportation Security Administration; US Coast Guard; US Dept. of 
Justice; Bureau of Alcohol, Tobacco, Firearms and Explosives; Federal 
Bureau of Investigation; US Dept. of Transportation; Federal Railroad 
Administration; Federal Motor Carrier Safety Administration; Pipeline 
and Hazardous Materials Safety Administration; US Environmental 
Protection Agency; Office of Emergency Management; Water Security 
Division. 

Sector: Commercial facilities; 
Government council members: National Endowment for the Arts; US Dept. 
of Commerce; US Dept. of Education; US Dept. of Homeland Security; 
Immigration and Customs Enforcement's Federal Protective Service; 
Office of Infrastructure Protection, Risk Management Division; Private 
Sector Office; US Dept. of Housing and Urban Development; US Dept. of 
the Interior; US Environmental Protection Agency; US General Services 
Administration; US Secret Service; Ex Officio Members; US Dept. of 
Health and Human Services; US Dept. of Justice. 

Sector: Commercial nuclear reactors, materials, and waste; 
Government council members: Nuclear Regulatory Commission; US Dept. of 
Defense; US Dept. of Energy; US Dept. of Homeland Security; Office of 
Infrastructure Protection, Chemical & Nuclear Preparedness and 
Protection Division; Science and Technology Directorate; US Coast 
Guard; US Dept. of Justice; Federal Bureau of Investigation; US 
Environmental Protection Agency. 

Sector: Dams; 
Government council members: Federal Energy Regulatory Commission; State 
of California, Department of Water Resources; State of New Jersey, 
Department of Environmental Protection; State of Ohio, Department of 
Natural Resources; State of Virginia, Department of Conservation and 
Recreation; State of Washington, Department of Ecology; Tennessee 
Valley Authority ; US Dept. of Agriculture, Natural Resources 
Conservation Service; US Dept. of Defense, US Army Corps of Engineers; 
US Dept. of Homeland Security; Office of Infrastructure Protection, 
Risk Management Division; US Dept. of Labor, Mine Safety and Health 
Administration; US Dept. of State, International Boundary and Water 
Commission; US Dept. of the Interior, Bureau of Reclamation; US 
Environmental Protection Agency. 

Sector: Defense industrial base; 
Government council members: US Dept. of Defense; Assistant Secretary of 
Defense (Homeland Defense); Director, Defense Critical Infrastructure 
Program; Deputy Under Secretary of Defense (Industrial Policy); 
Director, Defense Procurement & Acquisition Policy; Deputy Under 
Secretary of Defense (International Technology Security); Director, 
Technology Assessments; Director, Defense Contract Management Agency; 
Director, Industrial Analysis Center; Deputy Under Secretary of Defense 
(Personnel & Readiness); Director, Readiness Programming and 
Assessment; Deputy Chief Information Officer; Office of the DASD for 
Information Management and Technology; Director, Architecture & 
Interoperability; Director, National Guard Bureau; Director, NGB-J3; US 
Dept. of Homeland Security; Office of the Assistant Secretary of 
Homeland Security (Infrastructure Protection); US Dept. of Treasury; 
Committee on Foreign Investment in the United States; Office of 
Critical Infrastructure Protection & Compliance Policy; US Dept. of 
Justice; Federal Bureau of Investigation; US Dept. of Commerce; Office 
of Strategic Industries and Economic Security, Bureau of Industry and 
Security. 

Sector: Drinking water and water treatment systems; 
Government council members: Association of State and Interstate Water 
Pollution Control Administrators; Association of State Drinking Water 
Administrators; US Army Corps of Engineers; US Dept. of Agriculture; 
Natural Resources Conservation Service; US Dept. of Defense; US Dept. 
of Health and Human Services; US Dept. of Homeland Security; 
Information Analysis and Infrastructure Protection/Information 
Coordination Division; US Dept. of State; US Dept. of the Interior; 
Bureau of Reclamation; US Environmental Protection Agency. 

Sector: Emergency services; 
Government council members: American Red Cross; US Dept. of Health and 
Human Services; US Dept. of Homeland Security; Border & Transportation 
Security; Office of Infrastructure Protection, Chemical & Nuclear 
Preparedness and Protection Division; Federal Emergency Management 
Agency; Fire Administration; Immigration Customs & Enforcement; Office 
of Infrastructure Protection, Infrastructure Partnerships Division; 
Infrastructure Programs Office; Office of Grants & Training; Office of 
Public Health Emergency Preparedness; Science and Technology 
Directorate; Office of State and Local Government Coordination; Office 
of Infrastructure Protection, Risk Management Division; US Coast Guard; 
US Dept. of Transportation; National Highway Traffic Safety 
Administration; US Secret Service. 

Sector: Energy; 
Government council members: Federal Energy Regulatory Commission; 
National Association of Regulatory Utility Commissioners; National 
Association of State Energy Officials; US Dept. of Agriculture; Rural 
Utility Service; US Dept. of Defense; US Army Corps of Engineers; US 
Dept. of Energy; Office of Infrastructure Security and Energy 
Restoration; Western Area Power Administration; US Dept. of Homeland 
Security; Infrastructure Partnerships Division; Office of 
Infrastructure Protection, Risk Management Division; Transportation 
Security Administration; US Coast Guard; US Dept. of the Interior; 
Minerals Management Service; US Dept. of State; International Boundary 
and Water Commission; US Dept. of Transportation; Research & Special 
Programs Administration; Maritime Administration; US Environmental 
Protection Agency. 

Sector: Government facilities; 
Government council members: US Capitol Police Intelligence Section; US 
Department of Agriculture; Office of Facility Security; US Department 
of Commerce; Anti-Terrorism Division; US Department of Defense; Office 
of the Assistant Secretary of Defense, Homeland Defense,; Critical 
Infrastructure Protection; Office of Installations Requirements and 
Management; Air National Guard; US Department of Education; US 
Department of Energy; Office of the Deputy Under Secretary for 
Counterterrorism; US Department of Health and Human Services; 
Departmentwide Security; US Department of Homeland Security; 
Preparedness Directorate; Office of Infrastructure Protection; Risk 
Management Division; Infrastructure Partnerships Division; National 
Cyber Security Division; Science and Technology Directorate; Federal 
Emergency Management Administration; US Coast Guard; US Secret Service; 
Customs and Border Protection; Immigration and Customs Enforcement; US 
Department of Justice; US Marshals Service, Judicial Security Division, 
Judicial Security Systems; FBI, Special Advisor to the DHS G&T, Office 
of Law Enforcement Coordination; US Department of Labor; Director of 
Security; US Department of State; Bureau of Resources Management, 
Intelligence, Resources, and Planning, and; Critical Infrastructure 
Protection; US Department of the Interior; Law Enforcement and 
Security; National Park Service; US Department of the Treasury; 
Critical Infrastructure Physical Security, Cyber Security; US 
Department of Transportation; Federal Aviation Administration, Security 
and Hazardous Materials, Internal; Security Division; US Department of 
Veterans Affairs; Office of Security and Law Enforcement; US Postal 
Inspection Service; Administrative Offices of the US Courts- Court 
Security Office; Architect of the Capital; Environmental Protection 
Agency; Federal Facilities Council; General Services Administration; 
Interagency Security Committee; National Aeronautical and Space 
Administration; National Archives and Records Administration; National 
Center for State Courts; Office of Personnel Management; Social 
Security Administration. 

Sector: Information technology; 
Government council members: Director of National Intelligence; 
Metropolitan Information Exchange; National Association of State Chief 
Information Officers; National Institute of Standards and Technology; 
Office of Management and Budget; US Dept. of Commerce; US Dept. of 
Defense; US Dept. of Homeland Security; US Dept. of Justice; US Dept. 
of State; US Dept. of the Treasury. 

Sector: National monuments and icons; 
Government council members: National Archives and Records 
Administration; Smithsonian Institute; US Capitol Police; US Dept. of 
Defense; US Dept. of Homeland Security; Immigration and Customs 
Enforcement, Office of Federal Protective Service; US Dept. of the 
Interior; National Park Service; US Park Police; US Secret Service. 

Sector: Postal and shipping; 
Government council members: US Dept. of Defense; US Dept. of Health and 
Human Services; Office of Public Health Emergency Preparedness; Food 
and Drug Administration; US Dept. of Homeland Security; Customs and 
Border Protection; Preparedness Directorate; Science and Technology 
Directorate; US Dept. of Justice. 

Sector: Public health and healthcare; Government council members: 
American Red Cross; Association of Public Health Laboratories; 
Association of State and Territorial Health Officials; District of 
Columbia Department of Health; Federal Emergency Management 
Administration; General Services Administration; Indian Health Service 
Tribal Council; National Association of County and City Health 
Officials; US Dept. of Agriculture; US Dept. of Defense; US Dept. of 
Health and Human Services; US Dept. of Homeland Security; US Dept. of 
Transportation; US Dept. of Veterans Affairs; US Environmental 
Protection Agency; US Postal Service; White House Office of Science and 
Technology Policy. 

Sector: Telecommunications; 
Government council members: Federal Communications Commission; US Dept. 
of Commerce; National Telecommunications and Information 
Administration; US Dept. of Defense; Office of the Secretary of 
Defense, Networks and Information Integration; US Dept. of Homeland 
Security; National Communication System; Preparedness Directorate, 
National Cyber Security Division; US Dept. of Justice; US General 
Services Administration. 

Sector: Transportation systems; 
Government council members: US Dept. of Defense; US Dept. of Energy; US 
Dept. of Homeland Security; Infrastructure Partnerships Division; 
Transportation Security Administration; US Coast Guard; US Dept. of 
Transportation. 

Source: Government council representatives and DHS. 

[End of table] 

[End of section] 

Appendix III: Sector Council Membership, by Sector as of August 2006: 

Sector: Agriculture and food; 
Sector council members: Agricultural Retailers Association; American 
Farm Bureau Federation; CF Industries, Inc; CropLife America; Food 
Marketing Institute; Food Products Association; International 
Association of Refrigerated Warehouses; International Dairy Foods 
Association; International Food Service Distributors Association; 
International In-flight Food Service Association; International 
Warehouse Logistics Association; McCormick & Company, Inc; National 
Association of Convenience Stores; National Cattlemen's Beef 
Association; National Corn Growers Association; National Food Service 
Security Council; National Milk Producers Federation; National Pork 
Producers Association; National Restaurant Association; National Retail 
Federation; TD Enterprises; United Fresh Fruit & Vegetable Association. 

Sector: Banking and finance; 
Sector council members: American Bankers Association; American Council 
of Life Insurers; American Insurance Association; American Society for 
Industrial Security International; America's Community Bankers; BAI; 
BITS/The Financial Services Roundtable; Chicago Mercantile Exchange; 
ChicagoFIRST, LLC; CLS Group; Consumer Bankers Association; Credit 
Union National Association; Fannie Mae; Financial Information Forum; 
Futures Industry Association; Independent Community Bankers of America; 
Investment Company Institute; Managed Funds Association; NACHA--The 
Electronic Payments Association; National Association of Federal Credit 
Unions; National Association of Securities Dealers; New York Board of 
Trade; Securities Industry Association; Securities Industry Automation 
Corporation; The Bond Market Association; The Clearing House; The 
Depository Trust & Clearing Corporation; The NASDAQ Stock Market, Inc; 
The Options Clearing Corporation; VISA USA Inc. 

Sector: Chemical; 
Sector council members: American Chemistry Council; American Forest & 
Paper Association; Agriculture Retailers Association; Chemical 
Producers & Distributors Association; Chlorine Chemistry Council; 
Compressed Gas Association; Crop Life America; Independent Liquid 
Terminals Association; Dupont; Institute of Makers of Explosives; 
International Institute of Ammonia Refrigeration; National Association 
of Chemical Distributors; National Paint & Coatings Association; 
National Petrochemical & Refiners Association; Synthetic Organic 
Chemical Manufacturers Association; The Adhesive and Sealant Council; 
The Chlorine Institute; The Fertilizer Institute; The Society of the 
Plastics Industry, Inc. 

Sector: Commercial facilities; 
Sector council members: The council is comprised of 30 individuals who 
represent the eight subcouncils. These subcouncils currently 
incorporate over 200 members. Coordination across subcouncils happens 
at the council level. Subcouncils are: Public Assembly Facilities; 
Sports Leagues; Resorts; Lodging; Outdoor Event Facilities; 
Entertainment and Media; Real Estate; and Retail. 

Sector: Commercial nuclear reactors, materials, and waste; 
Sector council members: Arizona Public Service Company; Constellation 
Energy Generation Group; Dominion Energy; Dominion Generation; Entergy 
Operations; Excelon Generation Company, LLC; General Electric Energy 
Nuclear Energy; National Institute of Standards and Technology; Nuclear 
Energy Institute; Southern Nuclear Company; USEC Inc. 

Sector: Dams; 
Sector council members: Allegheny Energy; Ameren Services Company; 
American Electric Power; Association of State Dam Safety Officials; 
AVISTA Utilities; Canadian Dam Association; Chelan County; CMS Energy; 
Dominion Resources; Duke Energy Corporation; Exelon Corporation; 
National Hydropower Association; National Mining Association; New York 
City, Department of Environmental Protection; New York Power Authority; 
Pacific Gas & Electric Company; PPL Corporation; Scana Corporation; 
South Carolina Public Service Authority; Southern California Edison; 
Southern Company Generation; TransCanada; United States Society of 
Dams; Xcel Energy Corporation. 

Sector: Defense industrial base; 
Sector council members: Aerospace Industries Association; American 
Society for Industrial Security; Armed Forces Communications and 
Electronics Association; Contractor Secret Asset Programs Security 
Working Group; Industrial Security Working Group; National 
Classification Management Society; National Defense Industrial 
Association. 

Sector: Drinking water and water treatment systems; 
Sector council members: The council consists of two owner/operator 
representatives, along with one non-voting association staff member, 
from each of the eight water associations; Alexandria Sanitation 
Authority; American Water; American Water Works Association; American 
Water Works Association Research Foundation; Association of 
Metropolitan Water Agencies; Bean Blossom Patricksburg Water 
Corporation; Boston Water and Sewer Commission; Breezy Hill Water and 
Sewer Company; City of Portland Bureau of Environmental Services; City 
of Richmond, Department of Public Utilities; Columbus Water Works; East 
Bay Municipal Utility District; Fairfax Water; Greenville Water System; 
Los Angeles Department of Water and Power; Manchester Water Works; 
National Association of Clean Water Agencies; National Association of 
Water Companies; National Rural Water Association; New York City 
Department of Environmental Protection; Pima County Wastewater 
Management Department; United Water; Water Environment Federation; 
Water Environment Research Foundation. 

Sector: Emergency services; 
Sector council members: International Association of Chiefs of Police; 
International Association of Emergency Managers; International 
Association of Fire Chiefs; National Association of State EMS 
Officials; National Emergency Management Association; National 
Sheriff's Association. 

Sector: Energy; 
Sector council members: American Gas Association; American Petroleum 
Institute; American Public Gas Association; Anadarko Canada Corp; 
Anadarko Petroleum Corporation; Arizona Public Service Company; 
Association of Oil Pipe Lines; BP; Canadian Association of Petroleum 
Producers; Chevron Corporation; ConocoPhillips; Domestic Petroleum 
Council; Dominion Resources Inc; Edison Chouest Offshore, LLC; El Paso 
Corp; Energy ISAC; Exelon Corporation; ExxonMobil; Gas Processors 
Association; Independent Electricity System Operator, Ontario Canada; 
Independent Liquid Terminals Association; Independent Petroleum 
Association of America; International Association of Drilling 
Contractors; Interstate Natural Gas Association of America; Leffler 
Energy; Marathon Petroleum Company, LLC; National Association of 
Convenience Stores; National Ocean Industries Association; National 
Petrochemical & Refiners Association; National Propane Gas Association; 
National Rural Electric Cooperative Association; New York Independent 
System Operator; Newfoundland Ocean Industries Association; NiSource, 
Inc; North American Electric Reliability Council; Offshore Marine 
Service Association; Offshore Operators Committee; Petroleum Marketers 
Association of America; Reliability First Corporation; Rowan Companies, 
Inc; Shell Oil Company; Shipley Stores, LLC; Society of Independent 
Gasoline Marketers of America; Southern Company Services, Inc; U.S. Oil 
& Gas Association; Valero Energy Corporation; Western States Petroleum 
Association. 

Sector: Government facilities; 
Sector council members: Not applicable[A]. 

Sector: Information technology; 
Sector council members: Bell Security Solutions Inc; BellSouth 
Corporation; Center for Internet Security; Cisco Systems, Inc; Citadel 
Security Software, Inc; Computer and Communications Industry 
Association; CA, Inc; Computer Sciences Corporation; Computing 
Technology Industry Association; Cyber Security Industry Alliance; 
Electronic Industries Alliance; Entrust, Inc; EWA Information & 
Infrastructure Technologies, Inc; IBM Corporation; Information Systems 
Security Association; Information Technology - Information Sharing & 
Analysis Center; Information Technology Association of America; Intel 
Corporation; International Security, Trust, and Privacy Alliance; 
International Systems Security Engineering Association; Internet 
Security Alliance; Internet Security Systems; KMPG LLC; Lockheed 
Martin; McAfee, Inc; Microsoft Corporation; NTT America; R&H Security 
Consulting LLC; Seagate Technology; Symantec Corporation; U.S. Internet 
Service Provider Association; Unisys Corporation; VeriSign; Verizon. 

Sector: National monuments and icons; 
Sector council members: Not applicable[A]. 

Sector: Postal and shipping; 
Sector council members: DHL; FedEx Corp; United Parcel Service; US 
Postal Service. 

Sector: Public health and healthcare; 
Sector council members: AABB (formerly the American Association of 
Blood Banks); Advanced Medical Technology Association (AdvaMed); Aiken 
Regional Medical Centers; Air Force Medical Support Agency, Medical 
Logistics Division; American Association of Colleges of Nursing; 
American Association of Occupational Health Nurses, Inc; American 
College of Occupational & Environmental Medicine; American Hospital 
Association; American Industrial Hygiene Association; American Medical 
Association; American Medical Depot; American Nurses Association; 
American Red Cross; Association for Healthcare Resources & Materials 
Management; Association of State and Territorial Directors of Nursing; 
Association of State and Territorial Health Officials; BASF 
Corporation; Baylor Healthcare System; Biotechnology Industry 
Organization; BlueCross BlueShield Association; California Hospital 
Association; Cedars-Sinai Hospital; Chamber of Commerce Manhattan 
Beach; Childrens Hospital Los Angeles; Columbia University School of 
Nursing; Concentra, Inc; Cremation Association of North America; 
Cumberland Plateau Health District, Buchanan, Dickenson, Russell and 
Tazewell County Health Departments; Dartmouth Hitchcock Medical Center; 
DST Output; Duke University Medical Center; Eli Lilly; ER One 
Institutes for Innovation in Medicine/Institute for Medical 
Informatics, Washington Hospital Center; Exponent, Inc; ExxonMobil; 
Florida Department of Health/Office of Public Health Nursing; Florida 
Hospital Association; Greater NY [City] Hospital Association; Health 
Industry Distributors Association; Health Information and Management 
Systems Society; Healthways, Inc; HemoSense, Inc; Henry Schein, Inc; 
Hill-Rom; Honeywell International; Hospital Association of Southern 
California; ICFA - International Cemetery & Funeral Association; 
ICTM/Intercet, Ltd; INOVA Health System; International Chemical Workers 
Union Council/United Food and Commercial Workers; International 
Coalition for Mass Casualty Education; James B. Haggin Memorial 
Hospital; John Deere Harvester Works; Johns Hopkins University/Johns 
Hopkins Health System; Johnson & Johnson Health Care Systems; Joint 
Council on Accreditation of Healthcare Organizations; Kaiser 
Permanente/TPMG Executive Offices; Kent & O'Connor; LA Biomedical 
Research; LabCorp; Los Angeles Chamber of Commerce; McKesson; MedStar 
Health, Washington National Medical Center; Memorial Sloan Kettering 
Cancer Center; Metropolitan Chicago Hospital Council; Nassau County, NY 
Office of Emergency Management; National Association of County and City 
Health Officials; National Council of State Boards of Nursing; National 
Defense University/ Information Resources Management College; National 
Funeral Directors and Mortuary Association; National Funeral Directors 
Association; Nevada Hospital Association; Occidental Chemical 
Corporation; Oschner Foundation Hospital; Owens & Minor; Pfizer; 
Pharmaceutical Research and Manufacturers of America; PSE&G (Exelon 
Electric & Gas); Quest Diagnostics; Samaritan Health Services; The 
George Washington University Medical Center; The Regence Group; The 
Regional Medical Center, Cook and Associates; United States Army 
Medical Research Institute of Chemical Defense; University of Illinois 
at Chicago, School of Public Health; University of North Carolina, 
School of Public Health; University of Pittsburgh Medical Center; 
Vanderbilt School of Nursing; Vanderbilt University; Vanderbilt 
University Medical Center; VerdaSee Solutions, Inc. 

Sector: Telecommunications; 
Sector council members: Americom; AT&T; BellSouth; Boeing; Cellular 
Telecommunications & Internet Association; Cincinnati Bell; Cingular 
Wireless; Cisco Systems; Computer Sciences Corporation; Internet 
Security Alliance; Intrado; Level 3 Communications; Lucent 
Technologies; McLeodUSA; Qwest Communications; Rural Cellular 
Association; Satellite Industry Association; Savvis; Sprint-Nextel; 
Telecommunications Industry Association; U.S. Internet Service Provider 
Association; United Telecom Council; USTelecom Association; VeriSign; 
Verizon. 

Sector: Transportation systems; 
Sector council members: Council not yet developed. 

Source: Sector council representatives and DHS. 

[A] There is no private sector component to this sector. 

[End of table] 

[End of section] 

Appendix IV: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Eileen R. Larence (202) 512-8777: 

Staff Acknowledgments: 

In addition to those named above, R.E. Canjar, William Carrigg, Michael 
Gilmore, Thomas Lombardi, Linda Miller, Dave Powner, Susan H. Quinlan, 
Nik Rapelje, Deena D. Richart, and E. Jerry Seigler made key 
contributions to this report. 

[End of section] 

Related GAO Products: 

Critical Infrastructure Protection: DHS Leadership Needed to Enhance 
Cybersecurity. GAO-06-1087T. Washington, D.C.: Sept. 13, 2006. 

Internet Infrastructure: DHS Faces Challenges in Developing a Joint 
Public/Private Recovery Plan. GAO-06-672. Washington, D.C.: June 16, 
2006. 

Information Sharing: DHS Should Take Steps to Encourage More Widespread 
Use of Its Program to Protect and Share Critical Infrastructure 
Information. GAO-06-383. Washington, D.C.: April 17, 2006. 

Information Sharing: The Federal Government Needs to Establish Policies 
and Processes for Sharing Terrorism-Related and Sensitive but 
Unclassified Information. GAO-06-385. Washington, D.C.: March 17, 2006. 

Homeland Security: DHS Is Taking Steps to Enhance Security at Chemical 
Facilities, but Additional Authority Is Needed. GAO-06-150. Washington, 
D.C.: January 27, 2006. 

Passenger Rail Security: Enhanced Federal Leadership Needed to 
Prioritize and Guide Security Efforts. GAO-05-851. Washington, D.C.: 
September 9, 2005. 

Critical Infrastructure Protection: Challenges in Addressing 
Cybersecurity. GAO-05-827T. Washington, D.C.: July 19, 2005. 

Homeland Security: Actions Needed to Better Protect National Icons and 
Federal Office Buildings from Terrorism. GAO-05-790. Washington, D.C.: 
June 24, 2005. 

Critical Infrastructure Protection: Department of Homeland Security 
Faces Challenges in Fulfilling Cybersecurity Responsibilities. GAO-05- 
434. Washington, D.C.: May 26, 2005. 

Protection of Chemical and Water Infrastructure: Federal Requirements, 
Actions of Selected Facilities, and Remaining Challenges. GAO-05-327. 
Washington, D.C.: March 28, 2005. 

High-Risk Series: An Update. GAO-05-207. Washington, D.C.: January 1, 
2005. 

Homeland Security: Further Actions Needed to Coordinate Federal 
Agencies' Facility Protection Efforts and Promote Key Practices. GAO- 
05-49. Washington, D.C.: November 30, 2004. 

Financial Market Preparedness: Improvements Made, but More Action 
Needed to Prepare for Wide-Scale Disasters. GAO-04-984. Washington, 
D.C.: September 27, 2004. 

Public Key Infrastructure: Examples of Risks and Internal Control 
Objectives Associated with Certification Authorities. GAO-04-1023R. 
Washington, D.C.: August 10, 2004. 

Critical Infrastructure Protection: Improving Information Sharing with 
Infrastructure Sectors. GAO-04-780. Washington, D.C.: July 9, 2004. 

Technology Assessment: Cybersecurity for Critical Infrastructure 
Protection. GAO-04-321. Washington, D.C.: May 28, 2004. 

Critical Infrastructure Protection: Establishing Effective Information 
Sharing with Infrastructure Sectors. GAO-04-699T. Washington, D.C.: 
April 21, 2004. 

Critical Infrastructure Protection: Challenges and Efforts to Secure 
Control Systems. GAO-04-628T. Washington, D.C.: March 30, 2004. 

Water Infrastructure: Comprehensive Asset Management Has Potential to 
Help Utilities Better Identify Needs and Plan Future Investments. GAO- 
04-461. Washington, D.C.: March 19, 2004. 

Critical Infrastructure Protection: Challenges and Efforts to Secure 
Control Systems. GAO-04-354. Washington, D.C.: March 15, 2004. 

Information Security: Status of Federal Public Key Infrastructure 
Activities at Major Federal Departments and Agencies. GAO-04-157. 
Washington, D.C.: December 15, 2003. 

Posthearing Questions from the September 17, 2003, Hearing on 
Implications of Power Blackouts for the Nation's Cybersecurity and 
Critical Infrastructure Protection: The Electric Grid, Critical 
Interdependencies, Vulnerabilities, and Readiness". GAO-04-300R. 
Washington, D.C.: December 8, 2003. 

Critical Infrastructure Protection: Challenges in Securing Control 
Systems. GAO-04-140T. Washington, D.C.: October 1, 2003. 

Transportation Security Research: Coordination Needed in Selecting and 
Implementing Infrastructure Vulnerability Assessments. GAO-03-502. 
Washington, D.C.: May 1, 2003. 

Critical Infrastructure Protection: Challenges for Selected Agencies 
and Industry Sectors. GAO-03-233. Washington, D.C.: February 28, 2003. 

Potential Terrorist Attacks: More Actions Needed to Better Prepare 
Critical Financial Markets. GAO-03-468T. Washington, D.C.: February 12, 
2003. 

Critical Infrastructure Protection: Efforts of the Financial Services 
Sector to Address Cyber Threats. GAO-03-173. Washington, D.C.: January 
30, 2003. 

Critical Infrastructure Protection: Significant Challenges Need to Be 
Addressed. GAO-02-961T. Washington, D.C.: July 24, 2002. 

Critical Infrastructure Protection: Federal Efforts Require a More 
Coordinated and Comprehensive Approach for Protecting Information 
Systems. GAO-02-474. Washington, D.C.: July 15, 2002. 

Critical Infrastructure Protection: Significant Homeland Security 
Challenges Need to Be Addressed. GAO-02-918T. Washington, D.C.: July 9, 
2002. 

Information Sharing: Practices That Can Benefit Critical Infrastructure 
Protection. GAO-02-24. Washington, D.C.: October 15, 2001. 

Critical Infrastructure Protection: Significant Challenges in 
Safeguarding Government and Privately Controlled Systems from Computer- 
Based Attacks. GAO-01-1168T. Washington, D.C.: September 26, 2001. 

Combating Terrorism: Selected Challenges and Related Recommendations. 
GAO-01-822. Washington, D.C.: September 20, 2001. 

Critical Infrastructure Protection: Significant Challenges in 
Protecting Federal Systems and Developing Analysis and Warning 
Capabilities. GAO-01-1132T. Washington, D.C.: September 12, 2001. 

FOOTNOTES 

[1] Pub. L. No. 107-296, 116 Stat. 2135 (2002). 

[2] These critical infrastructure and key resource sectors include: 
agriculture and food; banking and finance; chemical; commercial 
facilities; commercial nuclear reactors, materials and waste; dams; 
defense industrial base; drinking water and water treatment systems; 
emergency services; energy; government facilities; information 
technology; national monuments and icons; postal and shipping; public 
health and healthcare; telecommunications; and transportation systems. 
Critical infrastructure are systems and assets, whether physical or 
virtual, so vital to the United States that their incapacity or 
destruction would have a debilitating impact on national security, 
national economic security, and national public health or safety, or 
any combination of those matters. Key resources are publicly or 
privately controlled resources essential to minimal operations of the 
economy or government, including individual targets whose destruction 
would not endanger vital systems but could create a local disaster or 
profoundly damage the nation's morale or confidence. For purposes of 
this report, we will use the term critical infrastructure to also 
include key resources. 

[3] DHS is the sector-specific agency for ten sectors: information 
technology; telecommunications; transportation systems; chemical; 
emergency services; commercial nuclear reactors, material, and waste; 
postal and shipping; dams; government facilities; and commercial 
facilities. 

[4] The government facilities sector and the national monuments and 
icons sector do not have sector councils because they have no private 
sector components. 

[5] DHS's Office of Infrastructure Protection is to identify and assess 
current and future threats to the nation's physical and informational 
infrastructure and to issue warnings to prevent damage to the 
infrastructure that supports community and economic life. It is also 
responsible for oversight of NIPP development and implementation of the 
partnership model. 

[6] See GAO, Information Sharing: Practices That Can Benefit Critical 
Infrastructure Protection. GAO-02-24 (Washington, D.C.: Oct.15, 2001); 
Critical Infrastructure Protection: Department of Homeland Security 
Faces Challenges in Fulfilling Cybersecurity Responsibilities, GAO-05-
434 (Washington, D.C.: May 26, 2005); and Internet Infrastructure: DHS 
Faces Challenges in Developing a Joint Public/ Private Recovery Plan, 
GAO-06-672 (Washington, D.C.: June 16, 2006). 

[7] The Federal Advisory Committee Act (FACA) (codified at 5 U.S.C. 
app. 2) was enacted, in part, to control the advisory committee process 
and to open to public scrutiny the manner in which government agencies 
obtain advice from private individuals and groups. See 648 F. Supp. 
1353, 1358-59 (D.D.C. 1986). Pursuant to authority conferred by the 
Homeland Security Act, 6 U.S.C. § 451, DHS established the Critical 
Infrastructure Partnership Advisory Council as a FACA exempt body to 
support the free flow of information and the need for regular, 
interactive discussions concerning threats and vulnerabilities. See 71 
Fed. Reg. 14,930 (Mar. 24, 2006). 

[8] Owners and operators of these assets include private sector 
entities and, in some cases, state and local governments. 

[9] There is no private sector component for the government facilities 
sector or the national monuments and icons sector, so these sectors 
established government councils but not private sector councils. 

[10] GAO, Information Sharing: Practices That Can Benefit Critical 
Infrastructure Protection, GAO-02-24 (Washington, D.C.: Oct.15, 2001). 

[11] GAO, Critical Infrastructure Protection: Improving Information 
Sharing with Infrastructure Sectors, GAO-04-780 (Washington, D.C.: July 
9, 2004). 

[12] According to DHS officials within its Office of Infrastructure 
Protection, as of July 2006, it was in the process of re-bidding the 
support services for all councils. 

[13] As noted earlier, DHS serves as the sector-specific agency for ten 
of the sectors: information technology; telecommunications; 
transportation systems; chemical; emergency services; commercial 
nuclear reactors, materials, and waste; postal and shipping; dams; 
government facilities; and commercial facilities. In addition, each 
government council is co-chaired by a DHS representative. 

[14] GAO, Critical Infrastructure Protection: Department of Homeland 
Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, 
GAO-05-434 (Washington, D.C.: May 26, 2005). 

[15] Council on Foreign Relations, Neglected Defense: Mobilizing the 
Private Sector to Support Homeland Security, CSR Number 13 (New York, 
N.Y.: March 2006). 

[16] GAO, Internet Infrastructure: DHS Faces Challenges in Developing a 
Joint Public/Private Recovery Plan, GAO-06-672 (Washington, D.C.: June 
16, 2006). 

[17] The Federal Advisory Committee Act (codified at 5 U.S.C. app. 2) 
was enacted, in part, to control the advisory committee process and to 
open to public scrutiny the manner in which government agencies obtain 
advice from private individuals and groups. See 648 F. Supp. 1353, 1358-
59 (D.D.C. 1986). 

[18] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: 
January 2005). Since 1990, we have periodically reported on government 
operations that we have identified as "high-risk." In January 2005, we 
designated information sharing for homeland security as a 
governmentwide high-risk area because, although information sharing was 
receiving increased attention, this area still faced significant 
challenges. 

[19] GAO, Information Sharing: The Federal Government Needs to 
Establish Policies and Processes for Sharing Terrorism-Related and 
Sensitive but Unclassified Information, GAO-06-385 (Washington, D.C.: 
March 17, 2006). 

[20] GAO, Information Sharing: DHS Should Take Steps to Encourage More 
Widespread Use of Its Program to Protect and Share Critical 
Infrastructure Information, GAO-06-383 (Washington, D.C.: Apr.17, 
2006). 

[21] According to Department of Health and Human Services officials, 
there are thousands of entities that could be considered stakeholders 
in the sector. On the public side of the public health and healthcare 
sector stakeholders include three cabinet level departments (the 
Department of Health and Human Services, the Department of Defense, and 
the Department of Veterans Affairs), 57 state and territorial 
authorities, 3,066 counties, and approximately 10,000 municipalities. 
On the private side (roughly 92 percent of the total sector), 
stakeholders are far more numerous. For example, there are over 6,500 
hospitals, over 492,000 ambulatory healthcare facilities, and nearly 
70,000 nursing and residential care facilities. 

[22] DHS has delegated plan preparation responsibilities among several 
of its component agencies for the 10 sectors for which DHS is the 
designated sector-specific agency. Specifically, DHS's Office of 
Infrastructure Protection is the sector-specific agency for the 
chemical; commercial facilities; dams; emergency services; and 
commercial nuclear reactors, materials, and waster sectors. The Office 
of Cyber Security and Telecommunications is the sector-specific agency 
for the information technology and telecommunications sectors. The 
Transportation Security Administration (TSA) is the sector-specific 
agency for the postal and shipping sector and jointly shares 
responsibility for transportation systems with the U.S. Coast Guard. 
The Federal Protective Service is responsible for the government 
facilities sector. 

[23] Two sectors, government facilities and national monuments and 
icons, do not have private sector councils. 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, 

NelliganJ@gao.gov 

(202) 512-4800 

U.S. Government Accountability Office, 

441 G Street NW, Room 7149 

Washington, D.C. 20548: