This is the accessible text file for GAO report number GAO-09-654R 
entitled 'The Department of Homeland Security's (DHS) Critical 
Infrastructure Protection Cost-Benefit Report' which was released on 
June 26, 2009. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

GAO-09-654R: 

United States Government Accountability Office: 
Washington, DC 20548: 

June 26, 2009: 

The Honorable Robert C. Byrd:
Chairman:
The Honorable George Voinovich:
Ranking Member:
Committee on Appropriations:
Subcommittee on Homeland Security:
United States Senate: 

The Honorable David E. Price:
Chairman:
The Honorable Harold Rogers:
Ranking Member:
Committee on Appropriations:
Subcommittee on Homeland Security:
House of Representatives: 

Subject: The Department of Homeland Security's (DHS) Critical 
Infrastructure Protection Cost-Benefit Report: 

In 2005, Hurricane Katrina devastated the Gulf Coast, damaging critical 
infrastructure, such as oil platforms, pipelines, and refineries; water 
mains; electric power lines; and cellular phone towers. The 
infrastructure damage and resulting chaos disrupted government and 
business functions alike, producing cascading effects far beyond the 
physical location of the storm. Threats against critical infrastructure 
are not limited to natural disasters. For example, in 2005, suicide 
bombers struck London's public transportation system, disrupting the 
city's transportation and mobile telecommunications infrastructure. In 
March 2007, we reported that our nation's critical infrastructures and 
key resources (CIKR)--systems and assets, whether physical or virtual, 
so vital to the United States that their incapacity or destruction 
would have a debilitating impact on national security, national 
economic security, national public health or safety, or any combination 
of those matters--continue to be vulnerable to a wide variety of 
threats.[Footnote 1] According to DHS, because the private sector owns 
approximately 85 percent of the nation's CIKR--banking and financial 
institutions, telecommunications networks, and energy production and 
transmission facilities, among others--it is vital that the public and 
private sectors work together to protect these assets. 

The Homeland Security Act of 2002 created DHS and gave the department 
wide-ranging responsibilities for, among other things, leading and 
coordinating the overall national critical infrastructure protection 
effort.[Footnote 2] For example, the act required DHS to (1) develop a 
comprehensive national plan for securing the nation's CIKR and (2) 
recommend measures to protect CIKR in coordination with other agencies 
of the federal government and in cooperation with state and local 
government agencies and authorities, the private sector, and other 
entities. Homeland Security Presidential Directive 7 (HSPD-7) further 
defined critical infrastructure protection responsibilities for DHS and 
those federal agencies--known as sector-specific agencies (SSA)-- 
responsible for particular industry sectors, such as transportation, 
energy, and communications. HSPD-7 directed DHS to establish uniform 
policies, approaches, guidelines, and methodologies for integrating 
federal infrastructure protection and risk management activities within 
and across CIKR sectors.[Footnote 3] Also, in accordance with the 
Homeland Security Act and in response to HSPD-7, DHS issued, in June 
2006, the National Infrastructure Protection Plan (NIPP), which 
provides the overarching approach for integrating the nation's many 
CIKR protection initiatives into a single national effort. The NIPP 
sets forth a comprehensive risk management framework and clearly 
defined roles and responsibilities for DHS, SSAs, and other federal, 
state, regional, local, tribal, territorial, and private sector 
partners implementing the NIPP.[Footnote 4] Within this framework DHS 
has emphasized the importance of collaboration and partnering with CIKR 
stakeholders, and relies on voluntary information sharing between the 
private sector and DHS to better protect and ensure the resiliency of 
CIKR in the United States. 

The Conference Report accompanying the Department of Homeland Security 
Appropriations Act, 2005, directed DHS to complete an analysis on 
whether the department should require private sector entities to 
provide DHS with existing information about their security measures and 
vulnerabilities in order to improve the department's ability to 
evaluate critical infrastructure protection nationwide.[Footnote 5] 
This direction was consistent with concerns raised by the House 
Appropriations Committee about DHS's progress conducting vulnerability 
assessments for critical infrastructure facilities generally, and 
security measures at chemical facilities in particular. The analysis 
was to include all critical infrastructure, including chemical plants; 
the costs to the private sector for implementing such a requirement; 
the benefits of obtaining the information; and costs to DHS's 
Information Analysis and Infrastructure Protection (IAIP) (presently 
the Office of Infrastructure Protection (IP)) to implement this 
requirement.[Footnote 6] The Conference Report further directed us to 
review the quality of the analysis and report to the House and Senate 
Committees on Appropriations within 3 months after completion of the 
analysis. DHS provided us a copy of the report on February 23, 2009. 
According to DHS, the report was completed in 2005 and information was 
subsequently updated in June 2007.[Footnote 7] However, based on 
discussions with your staff and IP officials, the report was never 
delivered to the Senate and House Appropriation Committees. As agreed 
with your staff in March 2009, due to the age of DHS's report, this 
correspondence summarizes DHS's approach for preparing its report and 
documents the results of our efforts in order to fulfill our 
responsibility as directed in Conference Report 108-774. 

To determine DHS's approach for preparing the report, we reviewed the 
cost-benefit report and met with DHS officials in IP to better 
understand how the report was prepared and why it was prepared in that 
manner. We also compared it to Office of Management and Budget (OMB) 
Circular A-4 which provides criteria federal agencies are to use when 
performing a regulatory analysis. Specifically, the circular, which is 
based on best practices, is designed to standardize the way benefits 
and costs of federal regulatory actions are measured and reported to 
(1) help learn if the benefits of a proposed action are likely to 
justify the costs, and (2) discover which of the possible alternatives 
is the most cost-effective. Among other things, the circular stipulates 
that the regulatory analysis include a quantitative analysis of costs 
and benefits.[Footnote 8] In unusual cases where there is no quantified 
information on either benefits or costs, the circular allows agencies 
to do a qualitative analysis and suggests that professional judgment be 
used to highlight those costs and benefits believed to be the most 
important. In either case, the circular calls for agencies to compare 
the benefits with the costs in the regulatory analysis. 

We conducted this performance audit from February 2009 to June 2009 in 
accordance with generally accepted government auditing standards. Those 
standards require that we plan and perform the audit to obtain 
sufficient, appropriate evidence to provide a reasonable basis for our 
findings and conclusions based on our audit objectives. We believe that 
the evidence obtained provides a reasonable basis for our findings and 
conclusions based on our audit objectives. 

Results: 

DHS used two contractors to complete the cost-benefit report at a cost 
of about $3.4 million.[Footnote 9] In August 2005, the first contractor 
developed a draft proposal that discussed the scope of the information 
required to complete the report and the security and vulnerability 
information currently available to DHS. It also proposed surveying the 
public and private sectors to collect information on the costs and 
benefits of providing vulnerability assessment and security information 
to DHS. DHS officials said that DHS rejected this approach because DHS 
was involved in developing a public-private partnership structure and 
officials believed that doing a survey on possible regulatory costs 
would have adversely affected the partnership building process. DHS 
officials also said that the Paperwork Reduction Act (PRA)--which 
requires agency requests for information to undergo internal and Office 
of Management and Budget review and approval and includes, among other 
requirements, public comment periods for the proposed information-
gathering method[Footnote 10]--could have resulted in some delays in 
gathering data for the report, but it was not the primary reason for 
rejecting the proposed survey approach. 

DHS subsequently tasked the second contractor to complete the report 
using a different methodology, and according to DHS, this contractor 
produced a draft report in December 2005. This contractor compiled 
publicly available information on the costs and benefits to the public 
and private sectors of requiring vulnerability and security information 
be provided to DHS. Although the second contractor's report discussed 
potential public and private sector costs and benefits, it did not 
articulate which of these costs and benefits were most important, nor 
did it conclude whether the costs exceeded the benefits, or vice a 
versa, with regard to potential requirements for the private sector to 
provide information on vulnerabilities and existing security measures. 
Circular A-4 states that the objective of cost-benefit analysis is to 
produce a measure of the difference between benefits and costs and that 
when costs and benefits are based on a qualitative analysis, those 
deemed to be the most important are to be highlighted. DHS took receipt 
of the second contractor's report and, according to DHS officials, 
continued to revise it throughout the following year to incorporate 
information from the final NIPP and it's supporting sector specific 
plans.[Footnote 11] In addition to a discussion of potential costs and 
benefits, DHS's final report, dated June 2007, includes a general 
discussion of critical infrastructure risk management and associated 
information needs, an overview of the existing regulatory environment 
for each of the CIKR sectors, and the availability of security 
information and its utility to security partners, such as CIKR owners 
and operators.[Footnote 12] DHS officials said that they did not 
perform a cost-benefit analysis consistent with Circular A-4 because at 
the time they were required to do the report, they did not have 
quantifiable data to do such an analysis. They further explained that 
DHS was developing the report while DHS's Information Analysis and 
Infrastructure Protection group (now IP) was in the process of being 
established and prior to DHS's development of an accepted framework for 
compiling security and vulnerability information and assessing risk. In 
the absence of this framework, the officials said that contractor staff 
was tasked to compile material from published unclassified sources on 
the existing regulatory structure in the 17 sectors and draft the 
report, which was reviewed by DHS staff. They also said that DHS 
updated the report in 2007 to account for changes that had taken place 
since 2005, including a statutory requirement that DHS issue 
regulations requiring vulnerability assessments for certain chemical 
facilities and the development and implementation of site security 
plans for those facilities.[Footnote 13] DHS officials also noted that 
the interim NIPP was available while the draft was being prepared and 
it was used to help guide the development of the final report. 

DHS officials told us that they believe the final report was useful 
because it provided insights on different regulatory approaches across 
sectors and used appendixes to present more detailed regulatory 
overviews of three sectors--the chemical sector, the electricity sub 
sector of the energy sector, and the food and agriculture sector. They 
added that some sectors used this information to help write sector 
specific plans (SSPs) that are to augment the NIPP and detail the 
application of the NIPP framework to each CIKR sector.[Footnote 14] 
Nonetheless, DHS officials said that they believe that the report is 
outdated because DHS's CIKR program has evolved and matured since the 
report was originally completed, including DHS's efforts to promote and 
achieve voluntary information sharing between DHS and the private 
sector. Regarding the latter, DHS officials stated that they believe 
that the type of report directed by the Conference Report--that DHS 
analyze whether private sector entities should be required to provide 
information to the department--conflicts with the partnering/voluntary 
information-sharing approach DHS was already mandated to pursue under 
the Homeland Security Act.[Footnote 15] 

In February 2009, DHS provided us with a separate document referred to 
as the Executive Summary: Update of the Cost Benefit Report. This 
document included an elaboration of how DHS's partnering arrangement 
has evolved since the 2005 report was undertaken. This evolution 
occurred via the formation and continued maturation of the SSA concept, 
where the federal departments and agencies identified in HSPD-7 as 
responsible for CIKR protection activities in specified CIKR sectors 
lead the coordination effort for CIKR protection in those sectors; the 
formation of government and sector coordinating councils (GCCs and 
SCCs);[Footnote 16] and the issuance of critical infrastructure 
protection planning documents, including the NIPP and SSPs. Officials 
identified several other mechanisms that have been developed to share 
CIKR information and improve critical information protection. These 
include the CIKR Information Sharing Environment that is designed to 
address the complex requirements of information sharing among diverse 
sectors having different characteristics such as ownership patterns, 
history of collaboration, types and extent of interdependencies, and 
regulatory requirements. According to DHS, the Infrastructure Analysis 
and Strategy Division and DHS's Homeland Infrastructure Threat and Risk 
Analysis Center (HITRAC)[Footnote 17] have undertaken activities to 
enhance the ability of the private sector to prevent, protect against, 
and respond to terrorist attacks and all-hazards incidents impacting 
CIKR. These activities include individual sector threat assessments and 
the development of a common risk model to be deployed across all 
sectors to evaluate risks associated with infrastructure 
security.[Footnote 18] We did not evaluate whether these actions are 
adequate to address the CIKR security and vulnerability concerns that 
led to the conference report language directing DHS to do the cost- 
benefit report. Such a study on our part would entail, among other 
things, a closer examination of the sources used by DHS to obtain cost 
and benefit information, including whether alternative sources or 
methods would yield more complete data, and discussions with 
representatives from some or all of the CIKR sectors to assess the 
completeness and appropriateness of the DHS approach--which is beyond 
the scope of this review. 

As discussed with your staff, because the DHS report is several years 
old and given DHS's evolving approach to CIKR partnering that it 
reports has improved CIKR information sharing and security, further 
analysis of the report would not be beneficial. Therefore, this 
correspondence represents the fulfillment of our responsibility as 
directed in Conference Report 108-774. 

Agency Comments and Our Evaluation: 

We requested comments on a draft of this report from the Secretary of 
Homeland Security. DHS provided written comments on June 17, 2009 which 
are summarized below and reprinted in Enclosure II. 

In its comments, DHS did not state whether it concurred with the 
contents of the draft report but emphasized that the primary basis for 
the approach taken in 2005 to develop the cost-benefit report was to 
assure that the Department's mandated public-private partnership 
building activity be performed without disruption. It said that a data 
collection effort to identify costs and benefits for a regulatory 
approach to collecting information from the private sector would have 
stopped this process with questionable success at acquiring the 
information. DHS added that the PRA was not the primary factor in the 
approach chosen as suggested in the draft report. We have revised 
language in the report to clarify that the PRA was, according to DHS, a 
contributing factor, not the primary factor, in making the decision 
about which approach to choose. Finally, DHS reiterated that the cost- 
benefit report has proved beneficial to DHS because it helped shape the 
development of the regulatory process put into place for selected 
chemical facilities and provided the basis for developing the current 
CIKR information sharing environment. DHS also provided technical 
comments which we have incorporated where appropriate. 

We will send copies of this correspondence to the Secretary of Homeland 
Security and interested congressional committees and subcommittees. We 
will also make copies available to others on request. In addition, this 
report will be available at no charge on GAO's Web site at [hyperlink, 
http://www.gao.gov]. 

If you or your staff has any questions about this report or wish to 
discuss the matter further, please contact me at (202) 512-8777 or 
caldwells@gao.gov. Contact points for our Offices of Congressional 
Relations and Public Affairs may be found on the last page of this 
report. In addition to the contact named above, John Mortin, Assistant 
Director and Tony DeFrank, Analyst-in-Charge, managed this assignment. 
Chuck Bausell assisted with design and methodology. Thomas Lombardi 
provided legal support and Katherine Davis provided assistance in 
report preparation. 

Sincerely, 

Signed by: 

Stephen L. Caldwell:
Director, Homeland Security and Justice Issues: 

Enclosures: 

[End of section] 

Enclosure I: 

Sector-Specific Agencies (SSAs), and Critical Infrastructure and Key 
Resource (CIKR) Sectors: 

The National Infrastructure Protection Plan (NIPP) provides a framework 
for organizing and managing risk to the U.S.'s CIKR. The NIPP outlines 
the roles and responsibilities of the Department of Homeland Security 
(DHS) and other security partners--including other federal agencies, 
state, territorial, local, and tribal governments, and private 
companies. Within the NIPP framework, DHS is responsible for leading 
and coordinating the overall national effort to enhance protection via 
18 CIKR sectors. The NIPP assigns responsibility for CIKR sectors to 
SSAs. As an SSA, DHS has direct responsibility for leading, 
integrating, and coordinating efforts of security partners to protect 
11 CIKR sectors. The remaining sectors are led by eight other federal 
agencies. The following lists the SSAs and their sectors. 

Sector Specific Agency: 

Sector Specific Agency: Departments of Agriculture[A] and Health and 
Human Services[B]; 
Critical Infrastructure and Key Resource Sector: Agriculture and Food. 

Sector Specific Agency: Department of Defense[C]; 
Critical Infrastructure and Key Resource Sector: Defense Industrial 
Base. 

Sector Specific Agency: Department of Energy; 
Critical Infrastructure and Key Resource Sector: Energy[D]. 

Sector Specific Agency: Department of Health and Human Services; 
Critical Infrastructure and Key Resource Sector: Healthcare and Public 
Health. 

Sector Specific Agency: Department of the Interior; 
Critical Infrastructure and Key Resource Sector: National Monuments and 
Icons. 

Sector Specific Agency: Department of the Treasury; 
Critical Infrastructure and Key Resource Sector: Banking and Finance. 

Sector Specific Agency: Environmental Protection Agency; 
Critical Infrastructure and Key Resource Sector: Water[E]. 

Sector Specific Agency: Department of Homeland Security: Office of 
Infrastructure Protection; 
Critical Infrastructure and Key Resource Sector: Commercial Facilities; 
Critical Manufacturing; Emergency Services; Nuclear Reactors, 
Materials, and Waste; Dams; and Chemical Sectors. 

Sector Specific Agency: Department of Homeland Security: Office of 
Cyber Security and Communications; 
Critical Infrastructure and Key Resource Sector: Information Technology 
and Communications Sectors. 

Sector Specific Agency: Department of Homeland Security: Transportation 
Security Administration; 
Critical Infrastructure and Key Resource Sector: Postal and Shipping. 

Sector Specific Agency: Department of Homeland Security: Transportation 
Security Administration and U. S. Coast Guard[F]; 
Critical Infrastructure and Key Resource Sector: Transportation 
Systems[G]. 

Sector Specific Agency: Department of Homeland Security: Immigration 
and Customs Enforcement, Federal Protective Service; 
Critical Infrastructure and Key Resource Sector: Government 
Facilities[H]. 

Source: 2009 National Infrastructure Protection Plan: 

[A] The Department of Agriculture is responsible for agriculture and 
food (meat, poultry, and egg products). 

[B] The Department of Health and Human Services is responsible for food 
other than meat, poultry, and egg products. 

[C] Nothing in the NIPP impairs or otherwise affects the authority of 
the Secretary of Defense over the Department of Defense (DoD), 
including the chain of command for military forces from the President 
as Commander in Chief, to the Secretary of Defense, to the commander of 
military forces, or military command and control procedures. 

[D] The Energy Sector includes the production, refining, storage, and 
distribution of oil, gas, and electric power, except for commercial 
nuclear power facilities. 

[E] The Water Sector includes drinking water and wastewater systems. 

[F] The U.S. Coast Guard is the SSA for the maritime transportation 
mode. 

[G] In accordance with HSPD-7, the Department of Transportation and the 
Department of Homeland Security will collaborate on all matters 
relating to transportation security and transportation infrastructure 
protection. 

[H] The Department of Education is the SSA for the Education Facilities 
Subsector of the Government Facilities Sector. 

[End of table] 

[End of section] 

Enclosure II: Comments from the Department of Homeland Security: 

U.S. Department of Homeland Security: 
Washington, DC 20528: 

June 17, 2009: 

Mr. Stephen L. Caldwell: 
Director, Homeland Security and Justice Issues: 
U.S. Government Accountability Office: 
441 G Street, NW: 
Washington, DC 20548: 

Dear Mr. Caldwell: 

Re: Draft Report GAO-09-654R, The Department of Homeland Security's 
Critical Infrastructure Protection Cost-Benefit Report (GAO Job Code 
440794): 

Thank you for the opportunity to review and comment on the draft report 
referenced above. Department of Homeland Security (DHS) officials 
recognize the short timeframe your team had to fulfill responsibilities 
under the Conference Report 108-774 reporting requirement on the costs 
and benefits of mandating private sector security measure and 
vulnerability reporting that accompanied the Department of Homeland 
Security Appropriations Act, 2005. National Protection and Programs 
Directorate (NPPD) officials appreciated your team's professionalism in 
conducting this review in an efficient a way as possible to collect the
information needed. 

The draft report contains no recommendations but summarizes and 
documents DHS's approach to developing this report. NPPD officials 
separately provided specific technical comments as suggestions for 
enhancing the draft report's clarity and accuracy. Officials 
reemphasize that the primary basis for the approach taken in 2005 to 
develop the Cost-Benefit Report was to assure that the Department's 
mandated public-private partnership building activity be performed 
without disruption. A data collection effort to identify costs/benefits 
for a regulatory approach to collecting information from private sector 
would have stopped the process with questionable success at acquiring 
the information. The Paperwork Reduction Act was a factor but not the 
primary factor as the draft suggests. 

The draft report describes the information sharing programs that NPPD 
staff discussed with the U.S. Government Accountability Office (GAO) 
team that have evolved from a public-private partnership foundation 
since 2005. Information from the Cost-Benefit Report helped to shape 
the development of the regulatory process that was put in place for 
selected chemical facilities and the development and implementation of 
site security plans for those facilities. In addition, the framework 
laid out in the Cost-Benefit report provided the basis for the 
development of the current Critical Infrastructure and Key Resource 
(CIKR) Information Sharing Environment described in the draft report. 
This CIKR Environment has since been adopted as the primary private 
sector component of the National Information Sharing Environment by the 
Program Manager of the Information Sharing Environment, the Federal 
Office established under the 2002 Intelligence Reform and Terrorist 
Prevention Act to improve information sharing across the Federal 
government and with its security stakeholders. Consequently, the effort 
to develop the Cost-Study Report has proved beneficial. 

Sincerely, 

Signed by: 

Jerald E. Levine: 
Director: 
Departmental GAO/OIG Audit Liaison Office: 

[End of section] 

Footnotes: 

[1] GAO, Critical Infrastructure: Sector Plans Complete and Sector 
Councils Evolving, [hyperlink, 
http://www.gao.gov/products/GAO-07-1075T] (Washington, D.C.: July 12, 
2007); and National Cybersecurity Strategy: Key Improvements are Needed 
to Strengthen the Nation's Posture, [hyperlink, 
http://www.gao.gov/products/GAO-09-432T] (Washington, D.C.: Mar. 10, 
2009). 

[2] See generally Pub. L. No. 107-296, 116 Stat. 2135 (2002). Title II 
of the Homeland Security Act, as amended, primarily addresses the 
department's responsibilities for critical infrastructure protection. 

[3] The 17 sectors identified pursuant to HSPD-7 are the agriculture 
and food sector; the banking and finance sector; the chemical sector; 
the commercial facilities sector; the commercial nuclear reactors, 
materials, and waste sector; the communications sector; the dams 
sector; the defense industrial base sector; the drinking water and 
water treatment systems sector; the emergency services sector; the 
energy sector; the government facilities sector; the information 
technology sector; the national monuments and icons sector; the postal 
and shipping sector; the public health and health care sector; and the 
transportation systems sector. DHS created the critical manufacturing 
sector as an 18TH sector in 2008. Enclosure I discusses how the 
National Infrastructure Protection Plan (NIPP) provides the framework 
for organizing and managing risk to the U.S.'s CIKR and shows how the 
NIPP assigns responsibility for CIKR sectors to SSAs. 

[4] DHS issued a revised NIPP in 2009. 

[5] See H.R. Conf. Rep. No. 108-774, at 75-76 (Oct. 9, 2004) 
(accompanying H.R. 4567, the DHS Appropriations Bill, 2005, and enacted 
as Public Law 108-334, 118 Stat. 1298 (2004)). The Conference Report 
did not specify a date for submission. 

[6] As a result of a subsequent DHS reorganization, the applicable 
mission of the Under Secretary for IAIP now resides with the Under 
Secretary for National Protection and Programs. Although the Conference 
Report specifically directed IAIP to conduct this analysis, we have 
generalized this direction to the Department due to its subsequent 
reorganization. 

[7] Report to Congress: Mandatory Information Sharing for the 
Protection of Critical Infrastructure and Key Resources: The Costs and 
Benefits of Requiring Information from the Private Sector on Security 
Measures and Vulnerabilities, Department of Homeland Security, the 
Office of Infrastructure Protection (IP), Partnership and Outreach 
Division, (June 2007). This report has been designated For Official Use 
Only (FOUO). 

[8] According OMB Circular A-4, a quantitative analysis of costs and 
benefits would require that benefits and costs be expressed in monetary 
or physical units, if possible, so that the regulatory alternative that 
maximizes net benefits (the difference between benefits and costs) can 
be identified. 

[9] DHS officials told us that, based on available records, the first 
contractor, MITRE, received over $558,000 and the second contractor, 
Energetics, received more than $2.8 million for work related to the 
cost-benefit report. 

[10] The purpose of the Paperwork Reduction Act , among other things, 
is to minimize the paperwork burden for individuals, small businesses, 
and educational and nonprofit institutions, federal contractors, and 
state, local and tribal governments, and other persons resulting from 
the collection of information by or for the federal government. See 31 
U.S.C. § 3501. For a more complete discussion, see GAO, Paperwork 
Reduction Act: New Approaches Can Strengthen Information Collection and 
Reduce Burden, GAO-06-477T (Washington, D.C.: Mar. 8, 2006). 

[11] DHS officials told us that the document was last revised in June 
2007. They said that they continued to coordinate the review of the 
last version of the report within DHS but no further versions were 
developed. 

[12] DHS's report also contains appendices that cover a variety of 
topics, including the issue of liability as relates to information 
sharing, for example, the damages the owner of a CIKR facility may face 
if it did not address identified vulnerabilities if an incident 
occurred; the applicability of different regulatory structures to 
critical infrastructure protection; and various approaches to the 
conduct of cost-benefit analysis. 

[13] See Pub. L. No. 109-295, § 550, 121 Stat. 1355, 1388-89 (2006). 

[14] Sector Specific Plans are to be developed by the sector specific 
agencies in collaboration with other sector partners. 

[15] See Pub. L. No. 107-296, § 214, 116 Stat. at 2152-55. See also 71 
Fed. Reg. 52,262 (Sept. 1, 2006) (establishing uniform procedures for 
the voluntary sharing of critical infrastructure information with DHS) 
(codified at 6 C.F.R. pt. 29). 

[16] The GCC comprises representatives across various levels of 
government (federal, state, local, tribal, and territorial) as 
appropriate to the security and operational landscape of each 
individual sector. The SCC is the private sector counterpart to the 
GCC. These councils are self-organized, self-run, and self-governed 
organizations that are representative of a spectrum of key stakeholders 
within a sector. SCCs serve as the government's principal point of 
entry into each sector for developing and coordinating a wide range of 
CIKR protection activities and issues. 

[17] According to DHS, HITRAC is a joint infrastructure intelligence 
fusion center that combines the expertise of IP's Infrastructure 
Analysis and Strategy Division with that of the Office of Intelligence 
and Analysis in the Critical Infrastructure Threat Analysis Division. 
DHS officials said that HITRAC is to manage a range of analytic 
activities of Federal, State, local, and private sector decision-makers 
by integrating a variety of models, methodologies, and analytic 
techniques. 

[18] GAO has conducted evaluations of risk modeling, for example, see 
Highway Infrastructure: Federal Efforts to Strengthen Security Should 
be Better Coordinated and Targeted on the Nation's Most Critical 
Highway Infrastructure, [hyperlink, 
http://www.gao.gov/products/GAO-09-57], (Washington, D.C.: January 
2009) and Emergency Transit Assistance: Federal Funding for Recent 
Disasters and Options for the Future, [hyperlink, 
http://www.gao.gov/products/GAO-08-243], (Washington, D.C.: February 
2008). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "E-mail Updates." 

Order by Phone: 

The price of each GAO publication reflects GAO’s actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO’s Web site, 
[hyperlink, http://www.gao.gov/ordering.htm]. 

Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537. 

Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional 
information. 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: fraudnet@gao.gov: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Ralph Dawn, Managing Director, dawnr@gao.gov: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, youngc1@gao.gov: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: