This is the accessible text file for GAO report number GAO-11-537R entitled 'Critical Infrastructure Protection: DHS Has Taken Action Designed to Identify and Address Overlaps and Gaps in Critical Infrastructure Security Activities' which was released on June 20, 2011. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. GAO-11-537R: United States Government Accountability Office: Washington, DC 20548: May 19, 2011: The Honorable Bennie G. Thompson: Ranking Member: Committee on Homeland Security: House of Representatives: The Honorable Sheila Jackson-Lee: Ranking Member: Subcommittee on Transportation Security: House of Representatives: Subject: Critical Infrastructure Protection: DHS Has Taken Action Designed to Identify and Address Overlaps and Gaps in Critical Infrastructure Security Activities: This letter formally transmits the enclosed briefing in response to your request to review the Department of Homeland Security's framework [Footnote 1] for securing critical infrastructure and key resources (CIKR),[Footnote 2] and subsequent agency comments. As such, this correspondence provides information on: (1) how DHS coordinates with CIKR stakeholders to identify overlaps and gaps in CIKR security activities across all sectors,[Footnote 3] (2) how DHS addresses these potential overlaps in CIKR security activities, and (3) how DHS addresses CIKR security gaps. To conduct this work, among other things, we selected a non-random sample of nine sectors with a mix of regulations related to security to obtain stakeholders views on working with DHS to identify and address overlaps and gaps in CIKR activities; reviewed applicable laws and regulations, DHS documents such as the National Infrastructure Protection Plan, and pertinent GAO reports; and interviewed DHS officials in the Office of Infrastructure Protection (IP) in the National Protection and Programs Directorate and officials representing the sectors we selected. While the results of these efforts are not generalizable to all CIKR sectors, stakeholders, and activities, they provided valuable insights into CIKR partner perspectives across a range of CIKR. In summary we found: * DHS coordinates with CIKR stakeholders, including other federal regulatory authorities, through information-sharing mechanisms, such as council meetings, and other efforts to identify overlaps and gaps in CIKR security activities. * DHS is taking action to address overlapping security activities by clarifying roles and responsibilities for CIKR security activities with agencies that have regulatory oversight, such as the Nuclear Regulatory Commission, through coordination mechanisms, including memorandums of understanding and working groups. * DHS works to address gaps in infrastructure security by developing and distributing tools such as guides that promote common security activities; conducting voluntary training and security exercises to enhance security capabilities; providing information on resources available to security partners; and, as appropriate, conducting site vulnerability assessments and security surveys at both public and privately owned facilities that voluntarily participate in such efforts. For additional information on the results of our work, please see enclosure I, the briefing we provided your offices on May 12, 2011. We are not making any recommendations for congressional consideration or agency action. In commenting on a draft of this report, DHS agreed with the report's findings. DHS's comments are reprinted in enclosure II. DHS also provided technical comments on the enclosed briefing, which we incorporated as appropriate. This concludes the first phase of our work on CIKR security activities. As agreed with your offices, we will continue our work in this area by reviewing DHS's voluntary programs and its efforts to measure the effectiveness of these programs. We will report the results in 2012. Also, unless you publicly announce the contents of this correspondence earlier, we plan no further distribution until 30 days from the correspondence's date. At that time, we will send copies of the correspondence to interested congressional committees and other interested parties. In addition, the report will be available at no charge on GAO's Web site at [hyperlink, http:///www.gao.gov]. Should you or your staff have questions concerning this report or wish to discuss the matter further, please contact me at (202) 512-8777 or caldwells@gao.gov. Contact points for our Offices of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report were John Mortin, Assistant Director; Labony Chakraborty; Andrew Curry; Tony DeFrank; Michele Fejfar; Thomas Lombardi; Kendal Robinson; and Luis Rodriguez. Signed by: Stephen L. Caldwell: Director, Homeland Security and Justice Issues: Enclosures (2): [End of section] Enclosure I: Critical Infrastructure Protection: DHS Has Taken Action Designed to Identify and Address Overlaps and Gaps in Critical Infrastructure Security Activities: Briefing to Congressional Requesters: May 12, 2011: Overview: * Introduction; * Objectives; * Scope and Methodology; * Results in Brief; * Background; * Findings; * Agency Comments; * Related GAO Products. Introduction: The protection and resilience of the critical infrastructure in the United States is essential to the Nation's security, maintaining public health and safety, and promoting the Nation's economic vitality. The Department of Homeland Security (DHS), as appropriate, uses a voluntary public-private partnership approach to enhance the protection of the nation's critical infrastructure and key resources (CIKR).[Footnote 4] There are 18 CIKR sectors—such as Chemical, Transportation, and Energy– each having a Sector Specific Agency (SSA). SSAs are the federal agencies responsible for coordinating CIKR protection efforts with the public and private stakeholders in their respective sectors. Within DHS, the Office of Infrastructure Protection (IP) in the National Protection and Programs Directorate (NPPD) is responsible for CIKR protection. While other entities may possess and exercise regulatory authority over CIKR to address security,[Footnote 5] IP generally relies on voluntary efforts to secure CIKR due to its limited authority to directly regulate most CIKR. In this role, IP coordinates with CIKR stakeholders including other federal agencies, state and local government agencies and authorities, the private sector, and other entities, such as the Federal Senior Leadership Council, which is made up of federal agencies with a role in implementing CIKR security. Objectives: Members of Congress raised questions about potential overlaps and gaps [Footnote 6] in CIKR security measures. You requested that we review the DHS framework for securing CIKR.[Footnote 7] Therefore, our objectives were to identify actions DHS has taken to: (1) coordinate with CIKR stakeholders, including federal regulatory authorities, to identify overlaps and gaps in CIKR security activities; (2) address overlapping activities to improve coordination of CIKR security; and; (3) address CIKR security gaps. Scope and Methodology: To conduct this work, we: * reviewed applicable laws and regulations; DHS documents, such as the National Infrastructure Protection Plan (NIPP)—DHS's national plan for coordinating the protection of the nation's CIKR; and pertinent GAO reports;[Footnote 8] * selected a non-random sample of nine sectors with a mix of regulations related to security to obtain stakeholders views on working with DHS to identify and address overlaps and gaps in CIKR security activities—we also selected sectors where DHS IP, other DHS components and non-DHS agencies are the sector SSA. The results are not generalizable but provided insights on SSA activities across a range of CIKR;[Footnote 9] * interviewed DHS officials in the Office of Infrastructure Protection in the NPPD, representatives from 9 of 18 SSAs from the sectors we selected to review, and representatives from the Federal Energy Regulatory Commission and the NRC as their activities related to sectors we selected to review; * discussed the NIPP framework and CIKR regulations with three state homeland security offices (California, New Jersey, and Virginia). We selected these states because they have extensive CIKR and different levels of security regulation. The results of these discussions are not generalizable to all state homeland security offices but provided perspectives about the NIPP framework and CIKR regulations (at all levels of government) across a range of CIKR. We also met with officials from one private sector company and one industry trade association with activities related to our sample of SSAs, to understand whether overlapping activities hinder the NIPP framework. The results are not generalizable, but provided insights on some industry perspectives. To ensure the accuracy of the information in these slides, we obtained formal agency comments on the contents of this briefing. We conducted this performance audit from August 2010 through May 2011 [Footnote 10] in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings based on our audit objectives. Results in Brief: DHS coordinates with CIKR stakeholders, including other federal regulatory authorities, through information-sharing mechanisms, such as council meetings, and other efforts to identify overlaps and gaps in CIKR security activities. DHS is taking action to address overlapping security activities by clarifying roles and responsibilities for CIKR security activities with agencies that have regulatory oversight such as the NRC through coordination mechanisms, including Memoranda of Understanding and working groups. DHS works to address gaps in infrastructure security by developing and distributing security tools, such as guides that promote common security activities; conducting voluntary training and security exercises to enhance security capabilities; providing information on resources available to security partners; and by conducting site vulnerability assessments and security surveys at both public and privately-owned facilities that voluntarily participate in such efforts. Background: The Homeland Security Act of 2002 created DHS and gave the department wide-ranging responsibilities for, among other things, leading and coordinating national CIKR protection efforts.[Footnote 11] For example, the act required DHS to (1) develop a comprehensive national plan for securing the nation's CIKR and (2) recommend measures necessary to protect CIKR in coordination with other agencies of the federal government and in cooperation with state and local government agencies and authorities, the private sector, and other entities. HSPD-7 further defined critical infrastructure protection responsibilities for DHS and SSAs. HSPD-7 directed DHS to, among other things, establish uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across CIKR sectors.[Footnote 12] Table 1 reflects the SSAs responsible for coordinating CIKR protection efforts with the public and private stakeholders in these sectors. Table 1: CIKR Sectors and SSAs: Sector-Specific Agency: Department of Agriculture; Food and Drug Administration (HHS); CIKR Sector: Agriculture and Food. Sector-Specific Agency: Department of Defense; CIKR Sector: Defense Industrial Base. Sector-Specific Agency: Department of Energy; CIKR Sector: Energy. Sector-Specific Agency: Department of Health and Human Services; CIKR Sector: Healthcare and Public Health. Sector-Specific Agency: Department of the Interior; CIKR Sector: National Monuments and Icons. Sector-Specific Agency: Department of the Treasury; CIKR Sector: Banking and Finance. Sector-Specific Agency: Environmental Protection Agency: CIKR Sector: Water. Sector-Specific Agency: Department of Homeland Security: Office of Infrastructure Protection; CIKR Sector: Chemical; Commercial Facilities; Critical Manufacturing; Dams; Emergency Services; Nuclear Reactors, Materials, and Waste. Sector-Specific Agency: Department of Homeland Security: Office of Cybersecutity and Communications; CIKR Sector: Communications; Information Technology. Sector-Specific Agency: Transportation Security Administration; CIKR Sector: Postal and Shipping. Sector-Specific Agency: Transportation Security Administration and U.S. Coast Guard; CIKR Sector: Transportation Systems; Maritime Transportation Mode (subsector). Sector-Specific Agency: Federal Protective Service; CIKR Sector: Government Facilities. Sector-Specific Agency: Department of Education; CIKR Sector: Educational Facilities (subsector). Source: GAO analysis of 2009 National Infrastructure Protection Plan. [End of table] The National Infrastructure Protection Plan (NIPP_) is the national plan for coordinating the protection of the nation's CIKR. First issued in 2006, and updated in 2009, the NIPP provides the overarching approach for integrating the nation's CIKR protection initiatives into a single national effort, sets forth a comprehensive risk management framework, and defines roles and responsibilities for infrastructure partners. The NIPP framework overlaps with existing security practices and federal and state laws and regulations.[Footnote 13] * The NIPP reflects DHS's voluntary public-private partnership approach, and according to DHS, where appropriate, leverages existing regulatory frameworks. For example, according to agency officials, DHS recognizes that the commercial facilities and the critical manufacturing sectors may not be subject to federal or state laws and regulations related to security while there are a few sectors that are subject to specific security-related laws and regulations, such as the chemical, transportation, and nuclear sectors.[Footnote 14] Objective One: To Identify Infrastructure Security Overlaps and Gaps DHS Coordinates With CIKR Partners: DHS leverages existing regulatory frameworks, where applicable, to implement the NIPP with its security partners within and across the 18 sectors and identify CIKR security overlaps and gaps to enhance and supplement existing sector regulations. To do so, DHS: * coordinates through designated Federal government SSAs for each of the CIKR sectors to identify security overlaps and gaps as they implement the NIPP framework. For example, documents provided by one DHS SSA demonstrate how DHS coordinated with a federal regulator for the sector via official correspondence and urged consideration of the merits of both greater regulation and the enhancement of existing regulation to address security gaps and improve security in the sector; * coordinates with state officials with responsibility for CIKR efforts to facilitate the NIPP partnership. Officials with responsibility for CIKR efforts from three states, in addition to officials from the nine SSAs we visited, said that they had not identified state laws or regulations that overlap with or hinder the implementation of the NIPP; and; * coordinates with other security partners to identify cross-sector overlaps and gaps through meetings with various councils including the Government Cross-Sector Council, the Federal Senior Leadership Council, the State, Local, Tribal, and Territorial Government Coordinating Council, and sector Government Coordinating Councils. (see figure 1) Figure 1. CIKR Sector Partnership Model: [Refer to PDF for image: illustration] CIKR National infrastructure: DHS: Owners and operators: Sector-specific agencies; Regional Consortium Coordinating Council[C]: Private sector: CIKIR Cross-Sector Council[A] (representing the sector coordinating councils). Public sector: Government Cross-Sector Council[B]: * Federal Senior Leadership Council; * State, Local, Tribal, and Territorial Government Coordinating Council. Leadership coordinating council[D]; Government coordinating council[E]. Source: GAO analysis of the 2009 National Infrastructure Protection Plan. [A] Cross-sector issues and interdependencies are addressed among the Sector Coordinating Councils (SCCs) through the CIKR Cross-Sector Council, which comprises the leadership of each of the SCCs. [B] Cross-sector issues and interdependencies between the Government Coordinating Councils (GCCs) will be addressed through the Government Cross-Sector Council, which comprises two subcouncils—-the NIPP Federal Senior Leadership Council (NIPP FSLC) and the State, Local, Tribal, and Territorial Government Coordinating Council (SLTIGCC). The objective of the NIPP FSLC is to facilitate enhanced communications and coordination between and among Federal departments and agencies with a role in implementing the NIPP and HSPD-7. The SLTIGCC serves as a forum to ensure that state, local, and tribal homeland security partners are fully integrated as active participants in national CIKR protection efforts and to provide an organizational structure to coordinate across jurisdictions on state and local government-level CIKR protection guidance, strategies, and programs. [C] The Regional Consortium Coordinating Council (RCCC) brings together representatives of regional partnerships, groupings, and governance bodies to enable CIKR protection coordination among CIKR partners within and across geographical areas and sectors. [D] The Sector Coordinating Councils (SCCs) are self-organized, self- run, and self-governed, with a spokesperson designated by the sector membership. Specific membership will vary from sector to sector, reflecting the unique composition of each sector; however, membership should be representative of a broad base of owners, operators, associations, and other entities—both large and small—within a sector. [E] The Government Coordinating Council (GCC) comprises representatives from across various levels of government (Federal, state, local, or tribal) as appropriate to the operations of each individual sector. [End of figure] Objective Two: To Address Overlaps in CIKR Security Activities DHS Works with Partners: DHS is taking action to address overlapping security activities by clarifying roles and responsibilities for CIKR security activities and working with regulators to improve coordination of or harmonize CIKR activities. IP officials identified CFATS as the primary overlapping regulatory regime with potentially duplicative activities that they are addressing. Pursuant to the statute authorizing DHS to promulgate CFATS, certain facilities are not subject to CFATS, and DHS has taken additional actions to implement Memoranda of Understanding or Agreement to avoid overlap and duplication. * For example, at facilities where both CFATS and regulations implemented pursuant to MTSA may be applicable, two DHS components— NPPD and the U.S. Coast Guard—have been working together to clarify which facilities or parts of facilities are regulated by whom and avoid potentially overlapping efforts. In addition, there may be maritime facilities where part of the facility is subject to MTSA regulations while another part of the facility is subject to CFATS. According to officials from NPPD and the U.S. Coast Guard, the agencies established a joint CFATS-MTSA working group to review regulations across the two statutes, compare assessment efforts to secure the facilities, and where appropriate, implement methods to harmonize CFATS and MTSA regulations—through a joint action memo or other agreement. According to agency officials, efforts are also underway to examine the different treatment of regional planning efforts and cybersecurity requirements across the regulations. Coast Guard officials stated that they are currently developing timelines and specific action items for completing these efforts. * Where CFATS overlaps with NRC authority, DHS officials reported collaborating with NRC officials to clarify which facilities are regulated by whom and avoid overlapping efforts. * Since CFATS took effect in 2007, IP has reduced some voluntary programs[Footnote 15] on chemical facilities to avoid overlapping activities in the sector. For example, the number of voluntary site assessments conducted by IP on chemical facilities that voluntarily participated in the assessment decreased from nine to one assessment from 2008 to 2010. DHS officials also reported they have identified opportunities to collaborate with other federal agencies and evaluate how CFATS could apply to facilities or substances not currently subject to CFATS. * For example, DHS reported working closely with the Environmental Protection Agency to begin discussing how CFATS could be applied to water and wastewater treatment facilities, should they become subject to CFATS security regulations. According to DHS, DHS is also coordinating with Federal entities such as the Bureau of Alcohol, Tobacco, Firearms and Explosives; Federal Bureau of Investigation; and U.S. Department of Agriculture to determine the best way to implement its regulatory authority over sales and transfers of ammonium nitrate.[Footnote 16] DHS officials stated that they are working to enhance the security of ammonium nitrate while avoiding placing any duplicative requirements on the regulated community. Objective Three: To Address Gaps in CIKR Security DHS Develops Resources and Conducts Voluntary Assessments: To address CIKR security gaps, DHS: * develops and distributes security tools, such as guides that promote common security activities; conducts voluntary training and security exercises to enhance security capabilities; and provides information on resources available to security partners from the 18 sectors through various efforts, including the Protective Security Advisor (PSA) Program. PSAs are DHS's protection specialists assigned as CIKR security coordinators between DHS and the protective community at the state, local, and private sector levels and are responsible for sharing risk information and coordinating DHS's voluntary programs: - For example, according to IP, in coordination with and at the request of the Director of Security, National Association for Stock Car Auto Racing (NASCAR), the SSA and NASCAR staff worked together to develop a security tool—a template and guidance for developing emergency response plans—for NASCAR events; * conducts site vulnerability assessments and security surveys at and across facilities from the 18 sectors that voluntarily participate in these efforts, such as Site Assistance Visits (SAVs), and Enhanced Critical Infrastructure Protection (ECIP) security surveys, and uses these assessments to develop and disseminate information on steps owners and operators can take to protect their facilities to various stakeholders, generally on a need-to-know basis; - SAVs are facility vulnerability assessments that can last up to three days focused on identifying security gaps and providing options to enhance protective measures to CIKR owners and operators. According to DHS, DHS conducted 192 SAVs in fiscal year 2009 and 217 SAVs in fiscal year 2010; - ECIP security surveys are half-to-full day surveys conducted to assess overall facility security and increase security awareness. Protective measures are surveyed using a web-based Infrastructure Security Tool and presented to CIKR owners and operators in a way that allows them to see how their facility's security measures compare against similar facilities in the same sector or subsector. According to DHS, it conducted 989 ECIPs in fiscal year 2009 and 835 ECIPs in fiscal year 2010; * According to DHS officials, the total number of SAVs and ECIPs both in the aggregate and by sector varies from year-to-year depending on the risk to facilities, state and local priorities, threat levels, DHS priorities, exercises, and the number and type of planned significant national events.[Footnote 17] In addition, since these efforts are voluntary, they depend on the interest and cooperation of facility owners and operators. Generally, however, in recent years, DHS has conducted fewer voluntary facility assessments on CIKR in sectors subject to more regulation, such as the chemical and nuclear sectors, and more activities in the commercial facilities sector, which is subject to less regulation; * We are beginning additional work on DHS's voluntary programs and its efforts to measure the effectiveness of its voluntary programs in enhancing CIKR protection and resilience and will report the final results in 2012. Agency Comments: The Department of Homeland Security reviewed a draft of this briefing and said that it concurred with the overall findings and conclusions of the briefing. We also received technical comments from DHS officials and incorporated them as appropriate. GAO Contact and Staff Acknowledgments: GAO Contact: Stephen L. Caldwell, (202) 512-8777 or CaldwellS@gao.gov. Staff Acknowledgments: In addition to the contact named above, John F. Mortin, Assistant Director, and Anthony J. DeFrank, Analyst-in-Charge, managed this assignment with assistance from Andrew M. Curry, Luis E. Rodriguez, and Kendal B. Robinson. Michele C. Fejfar provided assistance with design and methodology. Thomas F. Lombardi provided legal support and Labony Chakraborty provided assistance in slide preparation. Related GAO Products: Critical Infrastructure Protection and Resiliency: Critical Infrastructure Protection: DHS Efforts to Assess and Promote Resilient Are Evolving but Program Management Could Be Strengthened. [hyperlink, http://www.gao.gov/products/GA0-10-772]. Washington, D.C.: September-23, 2010. Critical Infrastructure Protection: Update to National Infrastructure Protection Plan Includes Increased Emphasis on Risk Management and Resilience. [hyperlink, http://www.gao.gov/products/GA0-10-296]. Washington, D.C.: March 5, 2010. The Department of Homeland Security's (DHS) Critical Infrastructure Protection Cost-Benefit Report. [hyperlink, http://www.gao.gov/products/GAO-09-654R]. Washington, D.C.: June 26, 2009. Information Technology: Federal Laws, Regulations, and Mandatory Standards to Securing Private Sector Information Technology Systems and Data in Critical Infrastructure Sectors. [hyperlink, http://www.gao.gov/products/GAO-08-1075R]. Washington, D.C.: September 16, 2008. Risk Management Strengthening the Use of Risk Management Principles in Homeland Security. [hyperlink, http://www.gao.gov/products/GAO-08-904T]. Washington, D.C.: Jun-25, 2008. Critical Infrastructure: Sector Plans Complete and Sector Councils Evolving. [hyperlink, http://www.gao.gov/products/GAO-07-1075T]. Washington, D.C.: July 12, 2007. Critical Infrastructure Protection: Sector Plans and Sector Councils Continue to Evolve. [hyperlink, http://www.gao.gov/products/GAO-07-706]. Washington, D.C.: July 10, 2007. Critical Infrastructure: Challenges Remain in Protecting Key Sectors. [hyperlink, http://www.gao.gov/products/GAO-07-626T]. Washington, D.C.: March 20, 2007. Homeland Security: Progress Has Been Made to Address the Vulnerabilities Exposed by 9/11, but Continued Federal Action Is Needed to Further Mitigate Security Risks. [hyperlink, http://www.gao.gov/products/GAO-07-375]. Washington, D.C.: January 24, 2007. Critical Infrastructure Protection: Progress Coordinating Government and Private Sector Efforts Varies by Sectors' Characteristics. [hyperlink, http://www.gao.gov/products/GAO-07-39]. Washington, D.C.: October 16, 2006. Information Sharing: DHS Should Take Steps to Encourage More Widespread Use of Its Program to Protect and Share Critical Infrastructure Information. [hyperlink, http://www.gao.gov/products/GAO-06-383]. Washington, D.C.: Apr 17, 2006. Risk Management. Further Refinements Needed to Assess Risks and Prioritize Protective Measures at Ports and Other Critical Infrastructure. [hyperlink, http://www.gao.gov/products/GAO-06-91]. Washington, D.C.: Dec 15, 2005. Protection of Chemical and Water Infrastructure: Federal Requirements, Actions of Selected Facilities, and Remaining Challenges. [hyperlink, http://www.gao.gov/products/GAO-05-327]. Washington, D.C.: March 28, 2005. Homeland Security: Agency Plans, Implementation, and Challenges Regarding the National Strategy for Homeland Security. [hyperlink, http://www.gao.gov/products/GAO-05-33]. Washington, D.C.: January 14, 2005. [End of section] GAO on the Web: Web site: [hyperlink, http://www.gao.gov/] Contact: Ralph Dawn, Managing Director, Congressional Relations, dawnr@gao.gov, (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548 Chuck Young, Managing Director, Public Affairs, voungc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: Copyright: This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. [End of Enclosure I] Enclosure II: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: May 5, 2011: Mr. Stephen L. Caldwell: Director, Homeland Security and Justice Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, DC 20548: Dear Mr. Caldwell: Re: Draft Report GAO-11-537R, Critical Infrastructure Protection: DHS Has Taken Action Designed to Identify and Address Overlaps and Gaps in Critical Infrastructure Security Activities: The Department of Homeland Security (DHS), specifically the National Protection and Programs Directorate and U.S. Coast Guard, appreciates the opportunity to review and comment on the U,S. Government Accountability Office's (GAO's) subject draft report. The draft report contains no recommendations; however, we appreciate the recognition that the Department: * coordinates with Critical Infrastructure and Key Resources (CIKR) stakeholders, including other federal regulatory authorities, through information-sharing mechanisms; * is taking action to address overlapping security activities by clarifying roles and responsibilities for CIKR security activities with agencies with regulatory oversight through various coordination mechanisms; and; * works to address gaps in infrastructure security by developing and distributing tools that promote common security activities, and takes other steps including providing information on resources available to security partners and conducting vulnerability assessments at public and privately owned facilities that voluntarily participate. As part of the continuous improvement feedback loop in the National Infrastructure Protection Plan's risk management framework, the annual assessment of progress feeds into the identification of opportunities for improvement and guides future risk management activities, The Department's continual work to address overlaps and gaps is an important part of our efforts to ensure that we enhance the protection and resilience of our Nation's critical infrastructure. DHS concurs with the overall findings and conclusions of the draft report. Technical comments have been submitted under separate cover. Thank you for the opportunity to comment on this draft report. We look forward to working with you on future Homeland Security issues. Sincerely, Jim H. Crumpacker: Director: Departmental GAO/OIG Liaison Office: [End of Enclosure II] Footnotes: [1] The National Infrastructure Protection Plan (NIPP) is the national plan for coordinating the protection of the nation's critical infrastructure. For the purposes of this briefing, the framework also includes applicable regulations and security practices developed and/or adopted by CIKR stakeholders, such as federal, state, or local governments or industry trade associations. [2] Critical infrastructure includes systems and assets so vital to the United States that their incapacity or destruction would have a debilitating impact on national security. Key resources are resources essential to the minimal operations of the economy and government. [3] Consistent with the Homeland Security Act of 2002, Pub. L. No. 107- 296, 116 Stat. 2135, as amended, and Homeland Security Presidential Directive/HSPD-7 (Dec. 17, 2003), DHS uses a voluntary public-private partnership approach, as appropriate, to enhance the protection of the CIKR. There are 18 CIKR sectors, each of which is assigned a sector- specific agency (SSA). SSAs are federal agencies responsible for coordinating critical infrastructure protection efforts with the public and private stakeholders in their respective sectors. [4] Consistent with the Homeland Security Act of 2002, Pub. L No. 107- 296, 116 Stat. 2135, as amended, and Homeland Security Presidential Directive/HSPD-7 (Dec. 17, 2003), DHS uses a voluntary public-private partnership approach, as appropriate, to enhance the protection of the CIKR. Critical infrastructure includes systems and assets so vital to the United States that their incapacity or destruction would have a debilitating impact on national security while key resources are resources essential to the minimal operations of the economy and government. See Pub. L No. 107-296, § 2(4), (9), 116 Stat. at 2140-41, Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001, Pub. L No. 107-56, § 1016(e), 115 Stat. 272, 400-02 (codified at 42 U.S.C. § 5195c), and HSPD-7, § 6(a), (b). [5] For example, the Nuclear Regulatory Commission (NRC) regulates nuclear facilities. [6] DHS uses the term 'Vulnerability' rather than "gaps" when referring to areas in need of improved security. [7] Our review did not focus on cybersecurity in critical infrastructure as this is addressed in other GAO work. For example: see GAO, Information Technology: Federal Laws, Regulations, and Mandator), Standards to Securing Private Sector Information Technology Systems and Data in Critical Infrastructure Sectors, [hyperlink, http://www.gao.gov/products/GAO-08-1075R] (Washington, D.C.: September 16, 2008). [8] See the related products list on page 20 of this briefing. [9] We selected and met with representatives from the Chemical, Commercial Facilities, Critical Manufacturing, Dams, Emergency Services, Energy, Nuclear, Transportation, and Water sectors—-a sample with a mix of regulations related to security. [10] This concludes the first phase of our work. As agreed with your office, we will continue our work in this area with a review of DHS's voluntary programs and its efforts to measure the effectiveness of these programs and will report the final results in 2012. [11] See Pub. L No. 107-296, § 201, 116 Stat. at 2145-46 (codified as amended at 6 U.S.C. § 121). [12] HSPD-7, § 14. [13] For the purposes of this briefing, a sector's security framework also includes laws, regulations, and security practices developed and adopted by sector stakeholders, such as federal and state governments, and industry trade associations. [14] For example, the Chemical Facilities Anti-Terrorism Standards (CFATS), promulgated by DHS pursuant to the Department of Homeland Security Appropriations Act, 2007, Pub. L No. 109-295, § 550, 120 Stat. 1355, 1388-89 (2006), impose requirements on high risk chemical facilities in the U.S. to enhance the security of the United States by lowering the risk posed by those chemical facilities. See 67 Fed. Reg. 17.688 Apr. 9, 2007) (codified as amended at 6 C.F.R. pt. 27). Consistent with the fiscal year 2007 DHS appropriations act, CFATS do not apply to facilities regulated pursuant to the Maritime Transportation Security Act (MTSA) of 2002, facilities owned or operated by the Departments of Defense or Energy, facilities subject to regulation by the NRC, and federally regulated public water systems and water treatment facilities. [15] Voluntary programs, including these assessments, will be discussed in more detail later in this briefing. [16] See Dept. of Homeland Security Appropriations Act, 2008, Pub. L No. 110-161, Div. E, § 563, 121 Stat. 2042, 2083-90 (2007). [17] Significant national events may include a major sporting event or political conventions, which may impact what facilities and sectors are approached for activities. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: