Critical Infrastructure Protection: Challenges for Selected Agencies and Industry Sectors

GAO-03-233 Published: Feb 28, 2003. Publicly Released: Apr 02, 2003.

Highlights

The explosive growth of computer interconnectivity is transforming the workings of our nation, its government, and its critical infrastructures. But with the enormous benefits of this interconnectivity comes a threat: both physical and cyber assets are potentially vulnerable to computer-based attack. In response, Presidential Decision Directive 63 (PDD 63, May 1998) called for a range of actions to improve the nation's ability to detect and respond to serious infrastructure attacks. For specific agencies under the Committee on Energy and Commerce's jurisdiction and for private-sector organizations for which these agencies have responsibilities, GAO was asked, among other things, to assess their progress and challenges in undertaking critical infrastructure protection (CIP) activities.

Federal efforts to protect our nation's critical public and private infrastructures have had mixed progress. GAO examined four specific agencies--the Departments of Health and Human Services (HHS), Energy, and Commerce, and the Environmental Protection Agency (EPA)--and found that the agencies have made progress in implementing several PDD 63 requirements, such as appointing chief information assurance officers and preparing initial CIP plans. However, none of the agencies has fully implemented all requirements, including the fundamental processes of identifying agency assets that are critical to the nation and determining their dependencies on other public and private assets, as well as assessing these assets' vulnerabilities. In addition, although most agencies have tentatively identified their critical assets, these efforts could take years to complete given the current pace and estimated time and resource needs. GAO also examined private-sector groups known as Information Sharing and Analysis Centers (ISACs) for five specific industry sectors--information technology, telecommunications, energy, electricity, and water supply. PDD 63 suggested voluntary ISAC creation to, among other things, serve as mechanisms for information sharing between infrastructure sectors and the government. In response, ISACs have been established and are serving as clearinghouses for their sectors to share information. For other suggested activities, such as establishing baseline statistics on computer security incidents, progress is mixed. Both the agencies and the ISACs identified challenges and obstacles to undertaking CIP activities. Agency-identified challenges included coordinating security efforts for critical assets with the General Services Administration, which may often be responsible for protecting agency facilities that house critical assets. The ISACs identified obstacles to information sharing, both between the sectors and the government and within the sectors. In particular, they noted concerns that information reported to the government could be subject to public release under the Freedom of Information Act.

Recommendations

Recommendations for Executive Action

Agency affected: Department of Commerce
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of the Environmental Protection Agency (EPA) should direct their respective Chief Information Officers (CIO) and chief infrastructure assurance officers to work together, as appropriate, to coordinate with the Critical Infrastructure Assurance Office (CIAO) to set milestones to complete their Project Matrix analyses that will identify each agency's critical cyber, physical, and other assets and the dependencies of these assets on other government operations and privately owned critical infrastructures.
Status: Closed – Implemented
Comments: Subsequent to the release of our February 2003 report, the Critical Infrastructure Assurance Office (CIAO) was relocated from the Department of Commerce (DOC) to the Department of Homeland Security (DHS) in March 2003. In December 2003, Homeland Security Presidential Directive 7 (HSPD-7) was issued and instructed federal departments and agencies to prepare plans for protecting physical and cyber critical infrastructure and key resources. To comply with our recommendation and the requirements of HSPD-7, DOC has prepared, and routinely updates, an inventory of its critical infrastructure and key resources (CI/KR), which includes the cyber, physical, and human capital that support the Department's Priority Mission Essential Functions (PMEF) as defined in the Homeland Security Deputies Committee memorandum dated January 4, 2005. The Department's PMEFs are declared to be in direct support of the National Essential Functions (NEF), which include a subset of government functions (i.e., interdependencies) that are necessary to lead and sustain the country during an emergency and therefore must be supported through department and agency continuity capabilities.

Agency affected: Department of Energy
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of the Environmental Protection Agency (EPA) should direct their respective Chief Information Officers (CIO) and chief infrastructure assurance officers to work together, as appropriate, to coordinate with the Critical Infrastructure Assurance Office (CIAO) to set milestones to complete their Project Matrix analyses that will identify each agency's critical cyber, physical, and other assets and the dependencies of these assets on other government operations and privately owned critical infrastructures.
Status: Closed – Implemented
Comments: DOE coordinated with the CIAO to set milestones for Project Matrix and issued a Project Matrix report in FY2003. In June 2004, DOE updated its list of mission critical infrastructure. As a component of this process, DOE developed and implemented an analytical approach for identifying and prioritizing DOE assets. In March 2005, DOE updated its "Response to Homeland Security Presidential Directive 7 (HSPD-7)" that identified high level Department critical infrastructure and key resources and discussed future plans for protecting those assets.

Agency affected: Department of Health and Human Services
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of the Environmental Protection Agency (EPA) should direct their respective Chief Information Officers (CIO) and chief infrastructure assurance officers to work together, as appropriate, to coordinate with the Critical Infrastructure Assurance Office (CIAO) to set milestones to complete their Project Matrix analyses that will identify each agency's critical cyber, physical, and other assets and the dependencies of these assets on other government operations and privately owned critical infrastructures.
Status: Closed – Not Implemented
Comments: We requested that agency officials provide us with the current status of their efforts to implement this recommendation. The agency did not respond to our request for an update.

Agency affected: Environmental Protection Agency
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of the Environmental Protection Agency (EPA) should direct their respective Chief Information Officers (CIO) and chief infrastructure assurance officers to work together, as appropriate, to coordinate with the Critical Infrastructure Assurance Office (CIAO) to set milestones to complete their Project Matrix analyses that will identify each agency's critical cyber, physical, and other assets and the dependencies of these assets on other government operations and privately owned critical infrastructures.
Status: Closed – Implemented
Comments: EPA completed a Project Matrix analysis in February 2004 in which the agency identified 19 Critical Infrastructure/Key Resources (CI/KR). In September 2005, EPA completed another Project Matrix analysis, which became the Interdependency Analysis. This document detailed the dependencies of each CI/KR asset on other government operations and privately owned critical infrastructure.

Agency affected: Department of Commerce
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to require, concurrently with the identification of critical assets and their dependencies, that vulnerability assessments be conducted or updated where warranted, to appropriately consider (1) the specific assets identified as critical national assets and their dependencies, (2) both cyber and physical vulnerabilities of these assets, and (3) changes in the threat environment, particularly as reflected by recent terrorist activity and in warnings by the Office of Homeland Security and National Infrastructure Protection Center (NIPC).
Status: Closed – Implemented
Comments: The Department of Commerce (DOC) has over 700 DOC facilities nationwide and conducts numerous Anti-Terrorism Risk Assessments of selected facilities each year, and each year dedicates part of its schedule toward facilities that contain DOC critical infrastructure. The Department then prioritizes the risks and recommended countermeasures DOC-wide, and actively follows up with the bureaus to obtain funding in order to reduce the highest risks and reduce the overall risk indexes to the critical infrastructure assets and DOC. The Commerce Chief Information Office and the Office of Security have jointly inventoried critical infrastructure/key resources managed and supported within DOC. In addition, the two organizations have teamed to conduct Anti-Terrorism Risk Assessments of all DOC managed and owned critical infrastructure/key resources. The process to conduct Anti-Terrorism Risk Assessments of Commerce critical infrastructure/key resources includes a recurring two-year cycle of assessment, with an on-site inspection of both physical and cyber assets in year one and self-assessments completed by the facility director in year two. In both instances, reports are generated to show potential weaknesses and areas of attention.

Agency affected: Department of Energy
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to require, concurrently with the identification of critical assets and their dependencies, that vulnerability assessments be conducted or updated where warranted, to appropriately consider (1) the specific assets identified as critical national assets and their dependencies, (2) both cyber and physical vulnerabilities of these assets, and (3) changes in the threat environment, particularly as reflected by recent terrorist activity and in warnings by the Office of Homeland Security and National Infrastructure Protection Center (NIPC).
Status: Closed – Implemented
Comments: The Department of Energy issued an order, DOE Order 205.1, in December 2006 on Cyber Security Management. This order defines the Department's program for protecting all DOE cyber information and information systems in order to implement the requirements of Homeland Security Presidential Directive 7 (HSPD-7) to maintain national security and ensure DOE business operations proceed without security events such as interruption or compromise. It establishes the Cyber Security Management (CSM) structure for ensuring the protection of information and information systems and assigns the responsibility and accountability for determining, assessing, and documenting program-unique threats and risks (i.e., risk and vulnerability assessments), including those presented in the Departmental Cyber Security Threat Statement and Risk Assessment.

Agency affected: Department of Health and Human Services
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to require, concurrently with the identification of critical assets and their dependencies, that vulnerability assessments be conducted or updated where warranted, to appropriately consider (1) the specific assets identified as critical national assets and their dependencies, (2) both cyber and physical vulnerabilities of these assets, and (3) changes in the threat environment, particularly as reflected by recent terrorist activity and in warnings by the Office of Homeland Security and National Infrastructure Protection Center (NIPC).
Status: Closed – Not Implemented
Comments: We requested that agency officials provide us with the current status of their efforts to implement this recommendation. The agency did not respond to our request for an update.

Agency affected: Environmental Protection Agency
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to require, concurrently with the identification of critical assets and their dependencies, that vulnerability assessments be conducted or updated where warranted, to appropriately consider (1) the specific assets identified as critical national assets and their dependencies, (2) both cyber and physical vulnerabilities of these assets, and (3) changes in the threat environment, particularly as reflected by recent terrorist activity and in warnings by the Office of Homeland Security and National Infrastructure Protection Center (NIPC).
Status: Closed – Implemented
Comments: Officials in EPA's Office of Environmental Information (OEI) and Office of Administration and Resources Management (OARM) stated that the agency regularly conducts vulnerability assessments of its physical and cyber assets. Specifically, for all facilities in which EPA personnel work, the agency conducts recurring vulnerability assessments. In addition, all of the agency's designated CI facilities have individual Vulnerability Assessment Reports.

Agency affected: Department of Commerce
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to ensure that agency continuity-of-operations plans are prepared or updated to incorporate critical assets, and, according to the CIAO criterion, that they provide for the reconstitution of these assets within 72 hours of a successful infrastructure attack or disruption.
Status: Closed – Implemented
Comments: As stated earlier, the Critical Infrastructure Assurance Office (CIAO) was relocated from the Department of Commerce (DOC) to the Department of Homeland Security (DHS) in March 2003. However, to comply with DHS criteria, the Department of Commerce (DOC) tracks each of its critical infrastructure/key resource assets to ensure that the required "time to accomplish Priority Mission Essential Function" metrics are attainable. The time to reconstruct these mission essential functions under control of the Department is less than 72 hours. In addition, each respective DOC Bureau is required to conduct routine (annual at a minimum) continuity of operations plan and disaster recovery exercises to verify that viable controls have been put in place to ensure sustainability of critical infrastructure/key resource assets.

Agency affected: Department of Energy
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to ensure that agency continuity-of-operations plans are prepared or updated to incorporate critical assets, and, according to the CIAO criterion, that they provide for the reconstitution of these assets within 72 hours of a successful infrastructure attack or disruption.
Status: Closed – Implemented
Comments: The Department has created contingency plans for 100% of the systems identified as critical infrastructure as of September 2005, according to the Department's Audit History Report. As part of the Department's quarterly reporting to the Office of Management and Budget and to Departmental Management, Program Offices and their sites are required to report the status of and maintain continuity-of-operations plans (COOP) for their critical assets, routinely test their COOPs, and provide test results to the Office of the Chief Information Officer/Office of Cyber Security.

Agency affected: Department of Health and Human Services
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to ensure that agency continuity-of-operations plans are prepared or updated to incorporate critical assets, and, according to the CIAO criterion, that they provide for the reconstitution of these assets within 72 hours of a successful infrastructure attack or disruption.
Status: Closed – Not Implemented
Comments: We requested that agency officials provide us with the current status of their efforts to implement this recommendation. The agency did not respond to our request for an update.

Agency affected: Environmental Protection Agency
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to ensure that agency continuity-of-operations plans are prepared or updated to incorporate critical assets, and, according to the CIAO criterion, that they provide for the reconstitution of these assets within 72 hours of a successful infrastructure attack or disruption.
Status: Closed – Not Implemented
Comments: Officials in EPA's Office of Solid Waste and Emergency Response (OSWER) stated that the agency conducts an annual review of the COOP plans, which are updated as appropriate (revisions do not necessarily result in changes to the plans). The latest update was completed in December 2005. However, in no section of the COOP plan provided by EPA officials does the agency make reference to the CI/KR assets referenced in the Interdependency Analysis.

Agency affected: Department of Commerce
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to ensure that remediation plans for correcting identified critical asset vulnerabilities are developed, specifying corrective actions and the time lines, responsibilities, and funding for their implementation; and that cyber-related actions are also reflected in the agency's information security corrective-action plans, and that updates are reported to the Office of Management and Budget.
Status: Closed – Implemented
Comments: DOC provided detailed responses on ensuring that remediation plans for correcting identified critical asset vulnerabilities are developed, specifying corrective actions, time lines, and responsibilities. DOC has prepared remediation plans for correcting any identified critical infrastructure/key resource vulnerabilities for physical assets through the Anti-Terrorism Risk Assessment process and, in the cyber space, using system and program level Plans of Actions and Milestones (POA&M) per FISMA guidance.

Agency affected: Department of Energy
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to ensure that remediation plans for correcting identified critical asset vulnerabilities are developed, specifying corrective actions and the time lines, responsibilities, and funding for their implementation; and that cyber-related actions are also reflected in the agency's information security corrective-action plans, and that updates are reported to the Office of Management and Budget.
Status: Closed – Implemented
Comments: The Department of Energy indicated that cyber security weaknesses are reported and managed through the agency's Plan of Action and Milestone (POA&M) report and performance metrics processes. Activity is ongoing to monitor remediation plans for correcting cyber-related critical asset vulnerabilities through DOE's POA&M database to assure that corrective actions are specified with timelines and responsibilities.

Agency affected: Department of Health and Human Services
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to ensure that remediation plans for correcting identified critical asset vulnerabilities are developed, specifying corrective actions and the time lines, responsibilities, and funding for their implementation; and that cyber-related actions are also reflected in the agency's information security corrective-action plans, and that updates are reported to the Office of Management and Budget.
Status: Closed – Not Implemented
Comments: We requested that agency officials provide us with the current status of their efforts to implement this recommendation. The agency did not respond to our request for an update.

Agency affected: Environmental Protection Agency
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to ensure that remediation plans for correcting identified critical asset vulnerabilities are developed, specifying corrective actions and the time lines, responsibilities, and funding for their implementation; and that cyber-related actions are also reflected in the agency's information security corrective-action plans, and that updates are reported to the Office of Management and Budget.
Status: Closed – Implemented
Comments: Officials in EPA's Office of Environmental Information (OEI) stated that EPA developed and implemented a comprehensive security weakness monitoring and tracking system for cyber systems, ASSERT. This system tracks the status of plans of action and milestones supporting corrective action plans. It also contains information on schedules, resources, and lines of responsibility.

Agency affected: Department of Commerce
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to routinely track and monitor the status of vulnerability assessments, corrective actions, and other security efforts related to critical assets, such as the development of continuity-of-operations plans; and provide an annual status update to help support budget requests and other reporting requirements, such as those of the Government Performance and Results Act and the Federal Information Security Management Act.
Status: Closed – Implemented
Comments: The Department of Commerce indicated that, to routinely track and monitor the status of vulnerability assessments and corrective actions, teams conduct routine on-site assessments of each critical infrastructure asset. Once potential vulnerabilities are identified, countermeasures are recommended to mitigate each vulnerability. All recommended countermeasures are provided with estimated costs and in priority of importance to achieve deterrence, detection, delay, and response, with the goal of preventing an adversary from gaining access to critical information. If the facility managers are only able to obtain partial funding for the entire list of security enhancements, they may be forced to reduce the risk using a phased security enhancement plan. Prior to assessment teams conducting risk assessments of critical infrastructure sites, Office of Security staff complete a threat assessment of the facility and surrounding area that gives the assessment team an overview of past and present threats. Additional assessments are conducted of critical infrastructure sites identified during the initial visit as having numerous vulnerabilities or of sites having only one vulnerability that is of such magnitude as to require immediate countermeasure implementation. A reassessment may be needed to ensure the vulnerability is successfully mitigated. Upon completion of the anti-terrorism risk assessment, an overall risk level is determined and assigned to the critical infrastructure/key resource asset. The Anti-Terrorism Division will assess, prioritize, and follow up on all countermeasures identified to mitigate vulnerabilities at Department of Commerce critical infrastructure facilities. An in-brief and out-brief are conducted during each assessment. A draft report is provided at the out-brief and a final written report is sent through Department of Commerce channels, normally within 45 days of the site visit. The final report provides the customer an unclassified threat assessment, a review of all in-place security countermeasures, and any recommended countermeasures and their estimated costs.

Agency affected: Department of Energy
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to routinely track and monitor the status of vulnerability assessments, corrective actions, and other security efforts related to critical assets, such as the development of continuity-of-operations plans; and provide an annual status update to help support budget requests and other reporting requirements, such as those of the Government Performance and Results Act and the Federal Information Security Management Act.
Status: Closed – Implemented
Comments: The Department of Energy is monitoring remediation plans for correcting cyber-related critical asset vulnerabilities through its Plan of Action and Milestone (POA&M) database to assure that corrective actions are specified with timelines and responsibilities.

Agency affected: Department of Health and Human Services
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to routinely track and monitor the status of vulnerability assessments, corrective actions, and other security efforts related to critical assets, such as the development of continuity-of-operations plans; and provide an annual status update to help support budget requests and other reporting requirements, such as those of the Government Performance and Results Act and the Federal Information Security Management Act.
Status: Closed – Not Implemented
Comments: We requested that agency officials provide us with the current status of their efforts to implement this recommendation. The agency did not respond to our request for an update.

Agency affected: Environmental Protection Agency
Recommendation: To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to routinely track and monitor the status of vulnerability assessments, corrective actions, and other security efforts related to critical assets, such as the development of continuity-of-operations plans; and provide an annual status update to help support budget requests and other reporting requirements, such as those of the Government Performance and Results Act and the Federal Information Security Management Act.
Status: Closed – Implemented
Comments: Officials in EPA's Office of Solid Waste and Emergency Response stated that the agency has developed a system to track the status of all COOP plans. The plans are evaluated yearly against set criteria, which enable management to determine where gaps exist. The status, the plans, and any other pertinent documentation are stored electronically. Further, OSWER officials stated that EPA does seek opportunities to incorporate COOP needs into the budgetary process.

Department of Commerce
To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to formally apprise the General Services Administration when facilities or buildings for which it has protective responsibilities house agency-critical assets identified through the Project Matrix process.
Closed – Implemented
The Department of Commerce indicated that its Office of Security works closely with the General Services Administration (GSA) to determine whether any GSA-managed facility or building houses agency-critical assets. The Department uses the Phased Facility Security Program Development Handbook as a foundation document to ensure that all Commerce critical infrastructure/key resource facilities and buildings receive adequate and sustainable security and associated controls.
Department of Energy
To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to formally apprise the General Services Administration when facilities or buildings for which it has protective responsibilities house agency-critical assets identified through the Project Matrix process.
Closed – Implemented
There are no General Services Administration (GSA) facilities or buildings directly protected by GSA that house Department of Energy critical assets identified through the Project Matrix process. There are buildings where the Federal Protective Service is responsible for overarching security concerns, but generally, where the Department of Energy occupies a GSA building, day-to-day facility protection responsibilities are delegated to, and administered by, the Department.
Department of Health and Human Services
To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to formally apprise the General Services Administration when facilities or buildings for which it has protective responsibilities house agency-critical assets identified through the Project Matrix process.
Closed – Not Implemented
We requested that agency officials provide us with the current status of their efforts to implement this recommendation. The agency did not respond to our request for an update.
Environmental Protection Agency
To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to formally apprise the General Services Administration when facilities or buildings for which it has protective responsibilities house agency-critical assets identified through the Project Matrix process.
Closed – Implemented
Officials in the Office of Administration and Resources Management stated that EPA has five facilities that it recognizes as critical infrastructure (CI). Three of the five facilities are agency owned; the other two are owned or leased by GSA. The officials stated that EPA will apprise GSA of the critical infrastructure designation of the two GSA-owned or -leased facilities and will similarly advise GSA, as appropriate, for any future GSA leases that the agency may enter into.
Department of Commerce
To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to use Project Matrix plans and results to help prioritize and prepare budget justifications for resources needed to identify and protect the agency's own critical infrastructures.
Closed – Implemented
To help prioritize and prepare budget justifications for resources, the Department of Commerce indicated that, on completing each anti-terrorism risk assessment, a list of vulnerabilities and the security countermeasures appropriate to mitigate them is briefed to the facility representatives and included in the follow-on written report. A draft report is provided to the facility manager at the out-briefing, and a final report is sent through Department of Commerce channels to the bureau within 45 days of the assessment. The results of each final report are entered into an Office of Security database that creates a cumulative list of countermeasures for all critical infrastructure/key resource facilities. This list is updated and monitored by the Office of Security Anti-Terrorism Division Physical Security Office. To ensure prioritization of efforts on a nationwide basis and to measure overall program effectiveness, the Office of Security employs a GPRA-compliant risk assessment approach. With this methodology, a risk index is calculated for each facility surveyed to provide an outcome-based performance measure focused on documenting the nationwide reduction of the risk to Department assets. Each facility surveyed is ranked in descending index order based on its documented criticality, threat, and vulnerability. Summing the values of the facilities with the highest risk indices then yields a nationwide composite threat index of facilities. Over time, an evaluation of the percentage change in the composite threat index indicates program accomplishment, in essence a documented reduction of the overall risk.
Department of Energy
To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to use Project Matrix plans and results to help prioritize and prepare budget justifications for resources needed to identify and protect the agency's own critical infrastructures.
Closed – Implemented
The Department of Energy uses a risk-based approach as required by the Office of Management and Budget to prepare its budget justifications for resources needed to identify and protect the Department's IT resources including its critical infrastructure.
Department of Health and Human Services
To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to use Project Matrix plans and results to help prioritize and prepare budget justifications for resources needed to identify and protect the agency's own critical infrastructures.
Closed – Not Implemented
We requested that agency officials provide us with the current status of their efforts to implement this recommendation. The agency did not respond to our request for an update.
Environmental Protection Agency
To (1) help ensure the identification and adequate protection of critical agency cyber-based and physical assets and (2) reinforce management's commitment to prioritize the protection of critical infrastructure throughout agencies, the Secretaries of Commerce, Energy, and Health and Human Services and the Administrator of EPA should direct their respective CIOs and chief infrastructure assurance officers to work together, as appropriate, to use Project Matrix plans and results to help prioritize and prepare budget justifications for resources needed to identify and protect the agency's own critical infrastructures.
Closed – Implemented
Officials in the Office of Solid Waste and Emergency Response stated that CI/KR assets identified in the 2004 Project Matrix Analysis help prioritize and prepare budget justification for resources. Specifically, the agency provided GAO with a matrix of CIP milestones, which had been derived from the critical functions and services that had been aligned to specific CI/KR in the Interdependency Analysis. For example, the milestone for "Improvement in Mobile Labs and Storage of Assets" correlated directly to the third item listed in the Interdependency Analysis schedule of actions table.
Directorate of Information Analysis and Infrastructure Protection
To help ensure that private-sector information sharing and analysis centers (ISAC) continue efforts to improve their critical infrastructure protection (CIP) activities, the Secretary of Energy, the Secretary of Commerce, and the Administrator of EPA, through their lead agency responsibilities for the energy, electricity, information, communication, and water industry sectors, should assess the need for grants, tax incentives, regulation, or other public policy tools to encourage increased private-sector CIP activities and greater sharing of intelligence and incident information between the sectors and the federal government. After lead agency responsibilities for the information and telecommunications sector are transitioned to the Department of Homeland Security, the Secretary of that department would become responsible for that sector.
Closed – Implemented
In 2006, the Department of Homeland Security released the National Infrastructure Protection Plan (NIPP). The NIPP provides the framework for the cooperation that is needed to develop, implement, and maintain a coordinated national effort that brings together government at all levels, the private sector, and nongovernmental organizations and international allies. The NIPP discusses the need to identify incentives to encourage the enhancement of security related activities within privately owned critical infrastructure. The NIPP also requires the development of sector-specific plans that were released in May 2007. The plans related to the information and telecommunications sector include a discussion about incentives to encourage voluntary completion of vulnerability assessments.
Department of Commerce
To help ensure that private-sector information sharing and analysis centers (ISAC) continue efforts to improve their critical infrastructure protection (CIP) activities, the Secretary of Energy, the Secretary of Commerce, and the Administrator of EPA, through their lead agency responsibilities for the energy, electricity, information, communication, and water industry sectors, should assess the need for grants, tax incentives, regulation, or other public policy tools to encourage increased private-sector CIP activities and greater sharing of intelligence and incident information between the sectors and the federal government. After lead agency responsibilities for the information and telecommunications sector are transitioned to the Department of Homeland Security, the Secretary of that department would become responsible for that sector.
Closed – Implemented
To improve CIP activities and increase the sharing of intelligence and incident information between the sectors and the federal government, the National Telecommunications and Information Administration coordinates CIP initiatives both inside government and with industry. Domestic activities include participating in an Economic Security Working Group, Continuity of Business Summits, the FCC's Network Reliability and Interoperability Council focus group on cyber security, and the National Security Telecommunications Advisory Council's Industry Executive Subcommittee. International activities include playing a key leadership role in developing and carrying out efforts to increase capacity in developing countries.
Department of Energy
To help ensure that private-sector information sharing and analysis centers (ISAC) continue efforts to improve their critical infrastructure protection (CIP) activities, the Secretary of Energy, the Secretary of Commerce, and the Administrator of EPA, through their lead agency responsibilities for the energy, electricity, information, communication, and water industry sectors, should assess the need for grants, tax incentives, regulation, or other public policy tools to encourage increased private-sector CIP activities and greater sharing of intelligence and incident information between the sectors and the federal government. After lead agency responsibilities for the information and telecommunications sector are transitioned to the Department of Homeland Security, the Secretary of that department would become responsible for that sector.
Closed – Implemented
In April 2004, we testified on efforts to establish effective information sharing with the infrastructure sectors, including the Department of Energy's (DOE) efforts with the energy sector. Regarding incentives, DOE has provided grant funds to the energy information sharing and analysis center to assist entities in becoming members.
Environmental Protection Agency
To help ensure that private-sector information sharing and analysis centers (ISAC) continue efforts to improve their critical infrastructure protection (CIP) activities, the Secretary of Energy, the Secretary of Commerce, and the Administrator of EPA, through their lead agency responsibilities for the energy, electricity, information, communication, and water industry sectors, should assess the need for grants, tax incentives, regulation, or other public policy tools to encourage increased private-sector CIP activities and greater sharing of intelligence and incident information between the sectors and the federal government. After lead agency responsibilities for the information and telecommunications sector are transitioned to the Department of Homeland Security, the Secretary of that department would become responsible for that sector.
Closed – Implemented
Officials in EPA's Office of Water (OW) stated that the agency is the Sector-Specific Agency for drinking water and wastewater treatment systems only. Further, since 2001, EPA has funded the Water Information Sharing and Analysis Center (WaterISAC), which provides a secure web-based environment for information sharing and dissemination for the water sector. The WaterISAC receives and shares intelligence and incident information. Currently, 16,000 water sector organizations utilize the free WaterISAC Basic service, and 500 drinking water and wastewater utilities are paid subscribers to WaterISAC Pro, which provides enhanced collaboration and information sharing tools.
Directorate of Information Analysis and Infrastructure Protection
To assist the administration in establishing CIP priorities for all major federal agencies, critical infrastructure sectors, and the Department of Homeland Security, the Director of CIAO should determine the status of, and identify additional actions needed to improve, the federal government's efforts and progress in implementing federal CIP policy, including identifying the federal government's critical assets, completing vulnerability assessments for these assets, remedying identified vulnerabilities, and incorporating these assets into continuity of operations plans.
Closed – Implemented
In 2006, the Department of Homeland Security released the National Infrastructure Protection Plan (NIPP). The NIPP provides the framework for the cooperation that is needed to develop, implement, and maintain a coordinated national effort that brings together government at all levels, the private sector, and nongovernmental organizations and international allies. The NIPP and Sector Specific Plans (SSP) provide the mechanisms for identifying critical assets, systems, networks, and functions; understanding threats; assessing vulnerabilities and consequences; prioritizing protection initiatives and investments based on costs and benefits so that they are applied where they offer the greatest mitigation of risk; and enhancing information-sharing mechanisms and protective measures within and across critical infrastructure/key resource sectors.
Directorate of Information Analysis and Infrastructure Protection
To assist the administration in establishing CIP priorities for all major federal agencies, critical infrastructure sectors, and the Department of Homeland Security, the Director of NIPC should determine the status of, and identify additional actions needed to improve, the quality and quantity of information being provided by ISACs, and of the plans made by the new department's Information Analysis and Infrastructure Protection directorate and the ISACs to enhance the current information-sharing process.
Closed – Implemented
In the 2006 National Infrastructure Protection Plan (NIPP), DHS outlined a clear description of the roles and responsibilities of the department, the information sharing and analysis centers, the sector coordinators, and the sector-specific agencies, along with actions designed to address information-sharing challenges. Specifically, the NIPP detailed DHS' network approach to information sharing. This approach gives DHS the ability to share information with government and private sector security partners both vertically and horizontally, and enhances the capability for decentralized decision-making and action.
Topics: Computer industry, Computer network protocols, Computer networks, Computer security, Computer security incidents, Critical infrastructure protection, Federal computer incident response capability, Homeland security, Information technology, Water pipelines