Critical Infrastructure Protection: DHS Action Needed to Enhance Integration and Coordination of Vulnerability Assessment Efforts [Reissued on September 17, 2014]

GAO-14-507 Published: Sep 15, 2014. Publicly Released: Sep 17, 2014.
Highlights

What GAO Found

During fiscal years 2011 to 2013, various Department of Homeland Security (DHS) offices and components conducted or required thousands of vulnerability assessments of critical infrastructure (CI), but DHS is not positioned to integrate them in order to identify priorities. Although the Homeland Security Act of 2002 and the National Infrastructure Protection Plan (NIPP) call for DHS to integrate CI vulnerability assessments to identify priorities, the department cannot do so because of variation in the areas to be assessed for vulnerability included in the various tools and methods used by DHS. GAO analysis of 10 of these assessment tools and methods found that they consistently included some areas, such as perimeter security, but other areas, such as cybersecurity, were not consistently included in the 10 tools and methods. Also, GAO's analysis and discussions with DHS officials showed that DHS's assessments vary in their length and detail of information collected, and DHS has not established guidance on what areas should be included in a vulnerability assessment, such as vulnerabilities to all-hazards as called for in the NIPP. DHS's Office of Infrastructure Protection (IP) has recognized the challenge of having different approaches and has begun to take action to harmonize them. However, of the 10 assessment tools and methods GAO analyzed, IP's harmonization effort includes two voluntary IP assessment tools and none of the other 8 tools and methods GAO analyzed that are used by other DHS offices and components. By reviewing the tools and methods to identify the areas of vulnerability and level of detail that DHS considers necessary, and establishing guidance for DHS offices and components regarding which areas to include in their assessments, DHS would be better positioned to integrate assessments to enable comparisons and determine priorities between and across CI sectors.

DHS offices and components have not consistently captured and maintained data on vulnerability assessment activities in a way that allows DHS to identify potential duplication or overlap in coverage among vulnerability assessment activities they have conducted or required. As a result, DHS is not positioned to track its activities to determine whether its assessment efforts are potentially duplicative or leave gaps among the CI assessed and thereby better ensure effective risk management across the spectrum of assets and systems, as called for by the NIPP. Developing an approach to collect data consistently would facilitate DHS's identification of potential duplication or overlap in CI coverage. Having consistent data would also better position DHS to minimize the fatigue CI owners expressed experiencing from participation in multiple assessments.

DHS is not positioned to manage an integrated and coordinated government-wide approach for assessments as called for in the NIPP because it does not have sufficient information about the assessment tools and methods conducted or offered by federal entities external to DHS with CI responsibilities, such as the Environmental Protection Agency, which oversees critical infrastructure activities related to water and wastewater systems. Consequently, opportunities exist for DHS to work with other federal entities to develop guidance as necessary to ensure consistency. Doing so would better position DHS and other federal entities with CI responsibilities to promote an integrated and coordinated approach for conducting vulnerability assessments of CI, as called for in the Homeland Security Act of 2002, presidential directives, and the NIPP.

Why GAO Did This Study

Damage from natural disasters like Hurricane Sandy in 2012 highlights the vulnerability of the nation's CI. CI includes assets and systems whose destruction would have a debilitating effect on security, national economic security, or national public health or safety. The private sector owns the majority of the nation's CI, and multiple federal entities, including DHS, are involved in assessing its vulnerabilities. These assessments can identify factors that render an asset or facility susceptible to threats and hazards. GAO was asked to review how federal entities assess vulnerabilities.

This report examines the extent to which DHS is positioned to (1) integrate DHS vulnerability assessments to identify priorities, (2) identify duplication and gaps within its coverage, and (3) manage an integrated and coordinated government-wide assessment approach. GAO reviewed CI laws, regulations, data from fiscal years 2011-2013, and other related documentation, as well as interviewed officials at DHS, other agencies, and a private CI association.

Reissued on September 17, 2014

Recommendations

GAO recommends that DHS identify the areas assessed for vulnerability most important for integrating and comparing results, establish guidance for DHS offices and components to incorporate these areas into their assessments, ensure that assessment data are consistently collected, and work with other federal entities to develop guidance for what areas to include in vulnerability assessments, among other things. DHS concurred with these recommendations.

Recommendations for Executive Action

Agency Affected: Department of Homeland Security
Recommendation: Within DHS, to promote efficiency and harmonize the various assessments to advance security and resilience across the spectrum of CI in a manner consistent with the Homeland Security Act of 2002, PPD-21, and the NIPP, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with other DHS offices and components to develop an approach to ensure that vulnerability data gathered on CI assets and systems are consistently collected and maintained across DHS to facilitate the identification of potential duplication and gaps in CI coverage.
Status: Closed – Implemented
DHS reported completing several steps to better ensure that vulnerability data gathered on critical infrastructure are consistently collected and maintained across DHS components that conduct or require vulnerability assessments, as GAO recommended. For example, DHS reported in August 2015 that its Office of Infrastructure Protection (IP) and the Sector Outreach and Programs Division Innovation Center had formed a vulnerability assessment working group composed of a variety of federal stakeholders, both within and outside DHS, to help enhance overall integration and coordination of vulnerability assessment efforts. In addition, DHS reported that it had reviewed the vulnerability...

Agency Affected: Department of Homeland Security
Recommendation: Within DHS, to promote efficiency and harmonize the various assessments to advance security and resilience across the spectrum of CI in a manner consistent with the Homeland Security Act of 2002, PPD-21, and the NIPP, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with other DHS offices and components to develop and implement ways that DHS can facilitate data sharing and coordination of vulnerability assessments to minimize the risk of potential duplication or gaps in coverage.
Status: Closed – Implemented
DHS has taken action to implement GAO's recommendation to develop a department-wide process to facilitate data sharing and coordination among the various DHS components that conduct or require vulnerability assessments. In August 2015, DHS first reported that its Office of Infrastructure Protection (IP) and the Sector Outreach and Programs Division Innovation Center had formed a working group of federal stakeholders, both within and outside DHS, to enhance overall integration and coordination of vulnerability assessment efforts. In December 2015, DHS stated that IP was conducting pilot projects to expand access to its IP Gateway portal system that houses infrastructure data and...

Agency Affected: Department of Homeland Security
Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods, and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to identify key CI security-related assessment tools and methods used or offered by SSAs and other federal agencies.
Status: Closed – Implemented
In February 2015, DHS's Office of Infrastructure Protection (IP) and senior officials from Sector-Specific Agencies (SSAs) and other federal departments and agencies with a role in critical infrastructure security and resilience proposed the implementation of a collaborative approach to catalog existing vulnerability assessment tools and methodologies, summarize their key characteristics, and identify any potential opportunities for increased coordination. As part of this approach, the SSAs and other agencies were asked to provide IP with the questions used to conduct their vulnerability assessments and descriptions of their vulnerability assessment tools and methods. To analyze the...

Agency Affected: Department of Homeland Security
Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods, and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to analyze the key CI security-related assessment tools and methods offered by sector-specific agencies (SSAs) and other federal agencies to determine the areas they capture.
Status: Closed – Implemented
According to an update from DHS in December 2017, based on the initial inventory of vulnerability assessments and the identification of a representative set of vulnerability assessment methodologies resulting from efforts to implement our recommendation above, its Office of Infrastructure Protection (IP) conducted an analysis of the information collected to identify the differences and commonalities among the various assessment tools and methodologies used by DHS, Sector-Specific Agencies (SSAs), and other federal departments and agencies. DHS also reported that it conducted additional working sessions with selected representatives from the corresponding SSAs and federal agencies to gather...

Agency Affected: Department of Homeland Security
Recommendation: Regarding SSAs and other federal departments or agencies external to DHS with CI security-related responsibilities that offer or conduct vulnerability assessment tools and methods, and building on our recommendation that DHS review its own vulnerability assessments, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with SSAs and other federal agencies that have CI security responsibilities to develop and provide guidance for what areas should be included in vulnerability assessments of CI that can be used by DHS, SSAs, and other CI partners in an integrated and coordinated manner, among and across sectors, where appropriate.
Status: Closed – Not Implemented
We found that DHS was not positioned to manage an integrated and coordinated government-wide approach for CI vulnerability assessments because it did not have sufficient information about the assessment tools and methods conducted or offered by federal entities external to DHS with CI responsibilities, such as the Environmental Protection Agency, which oversees critical infrastructure activities related to water and wastewater systems. Consequently, opportunities existed for DHS to work with other federal entities to develop guidance as necessary to ensure consistency. Doing so would better position DHS and other federal entities with CI responsibilities to promote an integrated and...

Agency Affected: Department of Homeland Security
Recommendation: Within DHS, to promote efficiency and harmonize the various assessments to advance security and resilience across the spectrum of CI in a manner consistent with the Homeland Security Act of 2002, Presidential Policy Directive (PPD)-21, and the NIPP, the Secretary of Homeland Security should direct the Under Secretary for the National Protection and Programs Directorate to work with other DHS offices and components to review DHS's vulnerability assessments to identify the most important areas to be assessed, consistent with PPD-21 and the NIPP; determine the areas and level of detail that are necessary for DHS to integrate assessments and enable comparisons; and establish guidance for DHS offices and components to ensure that these areas and level of detail are included, as appropriate, in their assessments.
Status: Closed – Implemented
We found that DHS offices and components did not have common areas among their vulnerability assessment tools, thereby making integration of assessment data difficult. As a result, we recommended that NPPD work with other DHS offices and components to review DHS's vulnerability assessments to identify the most important areas to be assessed and establish guidance for those entities to ensure that these areas are included, as appropriate, in their assessments. As of September 2016, NPPD established a Cross-Sector Integration and Innovation Center in conjunction with the Office of Infrastructure Protection, and designed, created, and launched a Cross-Agency Vulnerability Assessment Working...

GAO Contacts

Media Inquiries

Sarah Kaczmarek
Managing Director
Office of Public Affairs

Topics

Comparative analysis, Computer security, Critical infrastructure, Cyber security, Data collection, Facility security, Federal facilities, Homeland security, Internal controls, Military forces, Perimeter security, Reporting requirements, Risk assessment, Standards, Terrorism