Critical Infrastructure Protection

Progress Coordinating Government and Private Sector Efforts Varies by Sectors' Characteristics

GAO ID: GAO-07-39. October 16, 2006

As Hurricane Katrina so forcefully demonstrated, the nation's critical infrastructures and key resources have been vulnerable to a wide variety of threats. Because about 85 percent of the nation's critical infrastructure is owned by the private sector, it is vital that the public and private sectors work together to protect these assets. The Department of Homeland Security (DHS) is responsible for coordinating a national protection strategy including formation of government and private sector councils as a collaborating tool. The councils, among other things, are to identify their most critical assets, assess the risks they face, and identify protective measures, in sector-specific plans that comply with DHS's National Infrastructure Protection Plan (NIPP). GAO examined (1) the extent to which these councils have been established; (2) the key facilitating factors and challenges affecting the formation of the councils; and (3) the overall status of the plans and key facilitating factors and challenges encountered in developing them. GAO obtained information by reviewing key documents and conducting interviews with federal and private sector representatives. GAO is not making any recommendations at this time since prior recommendations are still being implemented. Continued monitoring will determine whether further recommendations are warranted.

All 17 critical infrastructure sectors have established their respective government councils, and nearly all sectors have initiated their voluntary private sector councils in response to the NIPP. However, council activities have varied due to council characteristics and level of maturity. For example, the public health and health-care sector is quite diverse and collaboration has been difficult as a result; on the other hand, the nuclear sector is quite homogenous and has a long history of collaboration. As a result, council activities have ranged from getting organized to refining infrastructure protection strategies. Ten sectors, such as banking and finance, had formed councils prior to development of the NIPP and had collaborated on plans for economic reasons, while others had formed councils more recently. As a result, the more mature councils could focus on strategic issues, such as recovering after disasters, while the newer councils were focusing on getting organized. Council members reported mixed views on what factors facilitated or challenged their formation. For example, long-standing working relationships with regulatory agencies and within sectors were frequently cited as the most helpful factor in establishing councils. Challenges most frequently cited included the lack of an effective relationship with DHS as well as private sector hesitancy to share information on vulnerabilities with the government or within the sector for fear the information would be released and open to competitors. GAO's past work has shown that a lack of trust in DHS and fear that sensitive information would be released are recurring barriers to the private sector's sharing information with the federal government, and GAO has made recommendations to help address these barriers. DHS has generally concurred with these recommendations and is in the process of implementing them. 
At the time of GAO's review, all of the sectors were preparing plans, although these plans were at varying stages of completion--ranging from nearly complete to an outline. Nevertheless, all sectors expected to submit their plans to DHS by the December 2006 deadline. DHS's 18-month delay in issuing the NIPP and the changing nature of DHS guidance on sector plans were cited as challenges to developing the plans. As of August 2006, collaboration between the sector and government councils on the plans, which is required by the NIPP, had yet to take place for some sectors. Issuing the NIPP and completing sector plans are only first steps to ensure critical infrastructure is protected. More remains to be done to ensure the adequate protection of our nation's critical infrastructure. A number of sectors still need to identify their most critical assets across their sectors, assess their risks, and agree on protective measures. DHS, the Department of Health and Human Services, and the Environmental Protection Agency had no formal comments on the draft report but provided technical comments.



This is the accessible text file for GAO report number GAO-07-39 entitled 'Critical Infrastructure Protection: Progress Coordinating Government and Private Sector Efforts Varies by Sectors' Characteristics' which was released on November 15, 2006. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.
Report to Congressional Requesters: United States Government Accountability Office: October 2006: Critical Infrastructure Protection: Progress Coordinating Government and Private Sector Efforts Varies by Sectors' Characteristics: GAO-07-39.

[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-07-39]. For more information, contact Eileen Larence at (202) 512-8777 or LarenceE@gao.gov.
[End of Section]

Contents:

Letter:
Results in Brief:
Background:
Sectors Have Established Government and Sector Councils, Which are Generally Representative of their Sectors; Council Activities Have Varied Depending on Their Maturity and Other Characteristics:
Good Prior Working Relationships, Willingness to Share Critical Information, and Sufficient Resources Are Key to Council Formation and Progress:
Councils Delayed Their Work on Sector-Specific Plans until the NIPP Was Issued but Despite Challenges, Expect to Complete Plans by the End of December 2006:
Concluding Observations:
Appendix I: Key Federal Initiatives in Developing Critical Infrastructure Protection Policy, 1996 to Present:
Appendix II: Government Sector Council Membership, by Sector as of August 2006:
Appendix III: Sector Council Membership, by Sector as of August 2006:
Appendix IV: GAO Contact and Staff Acknowledgments:
Related GAO Products:

Tables:

Table 1: Operating ISACs, as of July 2006:
Table 2: Critical Infrastructure Sectors and Designated Sector-Specific Agencies:
Table 3: Status of Government Council and Sector Council Formation, as of August 2006:

Figures:

Figure 1: Key Challenges That Affected Establishing Government Councils:
Figure 2: Key Challenges That Affected Establishing Sector Councils:
Figure 3: Key Challenges to Developing Sector-Specific Plans, according to Government Council Representatives:
Figure 4: Key Challenges to Developing Sector-Specific Plans, according to Sector Council Representatives:

Abbreviations:

DHS: Department of Homeland Security
FACA: Federal Advisory Committee Act
GMU: George Mason University
HHS: Department of Health and Human Services
HSIN: Homeland Security Information Network
HSIN-CS: Homeland Security Information Network Critical Sectors
HSPD-7: Homeland Security Presidential Directive 7
HSPD-9: Homeland Security Presidential Directive 9
ISAC: information sharing and analysis center
NIPP: National Infrastructure Protection Plan
PCII: protected critical infrastructure information
PCIS: Partnership for Critical Infrastructure Security
PDD-63: Presidential Decision Directive 63
TSA: Transportation Security Administration

[End of section]

United States Government Accountability Office:
Washington, DC 20548:

October 16, 2006:

The Honorable Tom Davis:
Chairman:
Committee on Government Reform:
House of Representatives:

The Honorable Todd Platts:
Chairman:
Subcommittee on Government Management, Finance and Accountability:
Committee on Government Reform:
House of Representatives:

The Honorable Bennie G. Thompson:
Ranking Minority Member:
Committee on Homeland Security:
House of Representatives:

The Honorable Robert F. Bennett:
United States Senate:

The nation's critical infrastructures and key resources--including those cyber and physical assets essential to national security, national economic security, and national public health and safety--have been and continue to be vulnerable to a wide variety of threats. In 2005, Hurricane Katrina devastated the Gulf Coast, damaging critical infrastructure such as oil platforms, pipelines and refineries; water mains; electric power lines; and cellular phone towers. The chaos resulting from this infrastructure damage disrupted the functioning of government and business alike and produced cascading effects far beyond the physical location of the storm. In 2004, authorities discovered detailed surveillance of the New York Stock Exchange and the Citigroup Center in the laptop computer of an Al Qaeda operative captured in Pakistan, part of a plan to target financial institutions in New York. Moreover, a series of coordinated suicide bombings in 2005 that struck London's public transportation system demonstrated how an attack on the transportation system could disrupt a city's transportation and mobile telecommunications infrastructure.
Because the private sector owns approximately 85 percent of the nation's critical infrastructure--such as banking and financial institutions, telecommunications networks, and energy production and transmission facilities--it is vital that the public and private sectors form effective partnerships to successfully protect these assets. A key player in these partnerships is the Department of Homeland Security (DHS). The Homeland Security Act of 2002 created DHS and gave it wide-ranging responsibilities for leading and coordinating the overall national critical infrastructure protection effort.[Footnote 1] Among other requirements, the Homeland Security Act required DHS to develop a comprehensive national plan for securing the nation's critical infrastructures and recommend measures to protect key resources.

Homeland Security Presidential Directive 7 (HSPD-7) further defines critical infrastructure protection responsibilities for DHS and those federal agencies given responsibility for particular industry sectors such as transportation, energy, and telecommunications, known as sector-specific agencies. Among other responsibilities, the Secretary of Homeland Security is to establish uniform policies, approaches, guidelines, and methodologies to help ensure that critical infrastructure within and across the 17 infrastructure sectors is protected,[Footnote 2] and is to use a risk management approach to coordinate protection efforts. This includes using risk assessments to set priorities for protective measures by the department, sector-specific agencies, tribal, state, and local government agencies and authorities with critical assets and resources in their jurisdiction, owners and operators of these assets, and other entities. Consistent with the Homeland Security Act, HSPD-7 required DHS to develop a comprehensive and integrated plan by December 2004 that outlines national goals, objectives, milestones, and key initiatives necessary to fulfilling these responsibilities.
In response, DHS developed a National Infrastructure Protection Plan (NIPP) issued in June 2006. The NIPP is a base plan that is to serve as a road map for how DHS and other relevant stakeholders should use risk management principles to prioritize protection activities within and across sectors in an integrated, coordinated fashion. The NIPP also requires the individual sector-specific agencies to submit plans to DHS by the end of December 2006 detailing the application of the national plan's core elements to each of their respective sectors. These individual plans are to establish the means by which the sectors will identify critical assets within the sector, assess risks of terrorist attacks or other hazards on them, assess and prioritize those which have national significance, and develop protective measures for the sector. These plans are to be developed by the designated federal sector-specific agencies in coordination with relevant government and private-sector representatives and are, among other things, to address the unique characteristics and risks of each sector. DHS is to use these individual plans to evaluate whether any gaps exist in the protection of critical infrastructures on a national level and, if so, to work with the sectors to address them. While the NIPP establishes a deadline for the submission of these plans, DHS anticipates that the NIPP and sector-specific plans will continue to evolve as the critical infrastructures, threats against them, and strategies for protecting and responding to these threats and incidents evolve. The NIPP describes a partnership model as the primary means of coordinating government and private sector efforts to protect critical infrastructure. 
For each sector, the model requires formation of government coordinating councils (government councils)--comprised of federal, state, local, or tribal agencies with purview over critical assets--and encourages voluntary formation of sector coordinating councils (sector councils)--comprised of owner-operators of these critical assets (some of which may be state or local agencies) or their respective trade associations. These councils create the structure through which representative groups from all levels of government and the private sector are to collaborate in planning and implementing efforts to protect critical infrastructure. The sector councils are envisioned to be policy-related and to represent a primary point of contact for government to plan the entire range of infrastructure protection activities unique to the sector. These functions are distinct from those of the private sector's information sharing and analysis centers (ISACs) that were previously established to serve as mechanisms for gathering, analyzing, and disseminating information on infrastructure threats and vulnerabilities to and from private infrastructure sectors and the government but are not to serve as policy-making bodies. These councils also are to collaborate with the sector-specific agencies in the development and review of their respective individual sector plans. 
In response to your request to determine the extent to which DHS has developed a strategy to identify, prioritize, and coordinate the protection of critical infrastructure, including how the department intends to work with other federal departments and agencies, state and local governments, and the private sector to develop this strategy, our objectives were to:

* determine the extent to which government and sector councils have been established for each sector and compare their general characteristics;

* identify the key facilitating factors and challenges that critical infrastructure protection stakeholders encountered in establishing their respective councils; and

* ascertain the status of individual sector-specific plans and the key facilitating factors and challenges that critical infrastructure protection stakeholders encountered in developing their plans thus far.

To address these objectives, we reviewed our prior work that focused on government and private sector critical infrastructure protection coordination efforts as well as related studies by others. (See "Related GAO Products" at the end of this report for a list of our prior work). We reviewed the interim, draft, and final versions of the NIPP as well as sector-specific plan guidance, to determine council roles and responsibilities and requirements for individual sector-specific plans. We also conducted structured interviews to determine the status of the government councils and individual sector-specific plans with designated representatives of each of the sector-specific agencies with critical infrastructure protection responsibility for the 17 critical infrastructure sectors: DHS,[Footnote 3] the Department of Agriculture, the Department of Health and Human Services, the Department of Defense, the Department of Energy, the Department of the Interior, the Department of the Treasury, and the Environmental Protection Agency.
We also conducted structured interviews with the chairs, co-chairs, or steering committee representatives of each of the 14 sector councils[Footnote 4] that are part of the NIPP framework and a representative of the Rail Sector Coordinating Council to determine the status of the councils and the sector-specific plans. These officials also presented their views on the facilitating factors and barriers to creating and maintaining their respective councils and drafting sector-specific plans, but they did not necessarily represent the views of each member of the councils. For both the government and sector council contacts, the structured interviews solicited information including (1) the status of council formation, leadership, organization, and goals; (2) views on whether specific factors facilitated or impeded council formation; (3) the status of sector-specific plan development; and (4) views on whether specific factors facilitated or impeded plan development. We also spoke with the Deputy Director, Infrastructure Partnerships Division and the Director of the Infrastructure Programs Office within DHS's Office of Infrastructure Protection about the formation of the councils and the development of sector-specific plans.[Footnote 5]

We conducted our work from October 2005 through August 2006 in accordance with generally accepted government auditing standards.

Results in Brief:

Each of the infrastructure sectors has established government councils, and voluntary sector councils have been formed in response to the recommended NIPP partnership model for all sectors except transportation systems. The characteristics and levels of maturity vary significantly across the sectors. For example, the public health and healthcare sector is quite diverse and collaboration has been difficult as a result; on the other hand, the nuclear sector is quite homogenous and has a long history of collaboration.
As a result, council activities have ranged from getting organized to refining their infrastructure protection strategies. To develop effective protection plans, it is important that council membership represent these unique and varied interests, and we found this generally to be true for most of the councils. For example, members of the drinking water and water treatment systems sector council included the American Water Works Association as well as local entities, such as the City of Portland Bureau of Environmental Services. According to representatives from several sector councils, these councils are not intended to replace the information sharing functions provided by the information sharing and analysis centers, and two of the centers are members of their respective sector councils. The age and maturity of the councils also varied. Ten sectors had formed councils prior to the development of the NIPP model because they were already collaborating on protective measures, while the remaining sectors had formed councils more recently. The more mature councils, including banking and finance and telecommunications, were able to focus on strategic activities, such as developing plans on how to resume operations as soon as possible after a disaster. In contrast, the newer councils--including public health and healthcare and commercial facilities--were still focusing on identifying key stakeholders and members, developing charters, and getting organized. The transportation systems sector had yet to form a sector council and, as of August 2006, Transportation Security Administration officials said they were working with contractors to help each transportation mode establish its own sector council. According to DHS officials, once the modes are organized the transportation systems sector council will be formed. 
Representatives of the councils most frequently cited prior long-standing working relationships and effective information sharing within their sector as well as access to contractor resources through DHS as key in establishment of a number of the councils. Conversely, the lack of an effective relationship with DHS, private sector hesitancy to provide sensitive information on infrastructure vulnerabilities to the government or within the sector, and the lack of prior relationships with federal agencies or within the sector were the most frequently cited challenges to developing other councils.

In terms of facilitating factors, sectors that had been regulated by federal agencies for years, such as the banking and finance sector, reported developing long-standing and trusted working relationships both with the federal agencies and within the sectors, which facilitated council development. These sectors also recognized the need to share information in order to collaborate on protection efforts. Our past work has also identified trusted working relationships and effective information sharing as critical factors for successful public-private partnerships, and we have made recommendations in these areas that DHS generally agreed with, but has yet to fully implement.[Footnote 6] Another key facilitating factor was having access to resources and technical assistance from DHS contractors, filling resource and skill gaps some sectors had in establishing and operating their councils. For example, one of the contractors provided guidance on lessons learned in how other sector councils were organized that representatives of the emergency services and the telecommunications councils said were very helpful.

In terms of challenges, some government and sector councils cited high turnover of some DHS staff and the staff's lack of understanding about infrastructure operations as hindering council formation.
While DHS officials reported that staff turnover should not affect the formation of sector councils, the officials said that this turnover could hinder the establishment of trusted working relationships. Representatives from various sectors also noted, as has our past work, that some in the private sector are reluctant to share sensitive infrastructure information with the federal government for fear the information might be publicly disclosed or make them subject to litigation for failure to disclose their vulnerabilities. To address this concern about public disclosure of sensitive information and to enhance information sharing, in March 2006 DHS created the Critical Infrastructure Partnership Advisory Council--open to members of all councils--that is exempt from the Federal Advisory Committee Act,[Footnote 7] but it is too soon to determine if this council has promoted more sharing. As of August 2006, each of the 17 sector-specific agencies was in the process of preparing a sector-specific plan to demonstrate how that sector will comply with the NIPP. However, the sectors were at varying stages of completion in developing their plans, ranging from almost complete to having only completed an outline. For example, the chemical and nuclear sectors said their plans were nearing completion while the commercial facilities sector said its plan was still in outline form. Some in the private sector said collaboration between the sector council and the government council on the plans had yet to take place. Despite these differences, all the sectors expected to submit initial plans to DHS by the December 2006 deadline. Like the NIPP, these plans are only a first step; they are to lay out how the sector will identify its most critical assets and resources and what methodologies each will use to assess the risks posed to it, but DHS guidance does not require the plans to address how the sector is actually assessing risk and protecting its most critical assets. 
Council members cited as a key facilitating factor the existence of prior plans that they could update to satisfy NIPP requirements. For example, the energy sector had developed a protection plan in anticipation of the Year 2000 ("Y2K") computer threat, and that process was beneficial in developing its sector-specific plan for the NIPP. Two other frequently cited factors that helped with developing plans, as well as developing the councils themselves, were when sectors had pre-existing relationships with federal agencies or within the sector and access to contractor support through DHS.

The most frequently cited challenges included the lack of a final NIPP that outlined stable requirements for the plans as well as the changing nature of DHS guidance on how to develop the plans. For example, DHS revised its initial 2004-plan guidance after a year with new requirements including how the sectors will collaborate with DHS on risk assessment processes. DHS then issued additional guidance in 2006 that required the plans to have a new chapter describing how sector-specific agencies are to manage and coordinate their responsibilities. Several council members said it was frustrating to have to update their protection plans in response to changes from the interim, the draft, and the final NIPP, even though DHS made some of these changes in response to industry comments. For example, DHS incorporated changes in the final NIPP in response to comments that it should better recognize the need to focus on both protecting against and recovering from a disaster. Finally, several cited the heterogeneous characteristics of some sectors, such as the different industries that make up the agriculture and food sector, as making collaboration and consensus on their plans a challenge.
While DHS has made progress with some critical infrastructure challenges, until it addresses our already outstanding recommendations, it will have difficulty achieving results in its role as a federal focal point for critical infrastructure. Because our findings in this report echo many of those in our previous reports and are covered by previous recommendations to DHS that have yet to be fully implemented, we are not making any new recommendations at this time. Continued monitoring will determine whether further recommendations are warranted.

DHS, the Department of Health and Human Services, and the Environmental Protection Agency had no formal comments on the draft report, but they provided technical comments that we used to clarify the report as appropriate.

Background:

Critical Infrastructure Protection Policy Has Emphasized Government and Private Sector Coordination:

The protection of the nation's critical infrastructure against natural and man-made catastrophic events has been a concern of the federal government for over a decade. Several federal policies address the importance of coordination between the government and the private sector in critical infrastructure protection. For example, in May 1998, Presidential Decision Directive 63 (PDD-63) established critical infrastructure protection as a national goal and presented a strategy for cooperative efforts by the government and the private sector to protect the physical and cyber-based systems essential to the minimum operations of the economy and the government. Among other things, this directive designated government agencies to coordinate and support critical infrastructure protection efforts and identified lead federal agencies to work with coordinators in eight infrastructure sectors and five areas called special functions at the time.
The directive also encouraged development of information sharing and analysis centers (ISACs) to serve as mechanisms for gathering, analyzing, and disseminating information on infrastructure threats and vulnerabilities to and from private infrastructure sectors and the federal government. (See table 1 for a list of functional ISACs).

Table 1: Operating ISACs, as of July 2006:

Sector: Agriculture and food; ISAC: Food; ISAC Established: Feb. 2002.
Sector: Banking and finance; ISAC: Financial Services; ISAC Established: Oct. 1999.
Sector: Chemical; ISAC: Chemical; ISAC Established: April 2002.
Sector: Commercial facilities; ISAC: Real Estate; ISAC Established: Feb. 2003.
Sector: Drinking water and water treatment systems; ISAC: Water; ISAC Established: Dec. 2002.
Sector: Emergency services; ISAC: Emergency Management and Response; ISAC Established: Oct. 2000.
Sector: Energy; ISAC: Electric; Energy; ISAC Established: Oct. 2000; Nov. 2001.
Sector: Government facilities; ISAC: Multi-State; ISAC Established: Jan. 2003.
Sector: Information technology; ISAC: IT; Research & Education Network; ISAC Established: Dec. 2000; Feb. 2003.
Sector: Telecommunications; ISAC: National Coordinating Center for Telecommunications; ISAC Established: Jan. 2000.
Sector: Transportation systems; ISAC: Public Transit; Surface Transportation (rail); Highway; Maritime; ISAC Established: Jan. 2003; May 2002; Mar. 2003; Feb. 2003.

Source: Government council and sector council representatives and prior GAO reports.

Note: The following critical sectors do not have ISACs: dams; defense industrial base; national monuments and icons; commercial nuclear reactors, materials, and waste; postal and shipping; and public health and healthcare.

[End of table]

In December 2003, Homeland Security Presidential Directive 7 (HSPD-7) was issued, superseding PDD-63.
HSPD-7 defined responsibilities for DHS, federal agencies that are responsible for addressing specific critical infrastructure sectors--sector-specific agencies--and other departments and agencies. HSPD-7 instructs these sector-specific agencies to identify, prioritize, and coordinate the protection of critical infrastructure to prevent, deter, and mitigate the effects of attacks. HSPD-7 makes DHS responsible for, among other things, coordinating national critical infrastructure protection efforts and establishing uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across sectors. HSPD-7 requires DHS to (1) produce a national plan summarizing initiatives for sharing information, including providing threat warning data to state and local governments and the private sector and (2) establish the appropriate systems, mechanisms, and procedures to share homeland security information (including information on critical infrastructure protection such as threat-warning data) with other federal departments and agencies, state and local governments, and the private sector in a timely manner. According to the NIPP, additional DHS responsibilities regarding critical infrastructure protection include developing and implementing comprehensive risk management programs and methodologies; developing cross-sector and cross-jurisdictional protection guidance; recommending risk management and performance criteria and metrics within and across sectors; and establishing structures to enhance the close cooperation between the private sector and government at all levels. (For additional key federal initiatives related to critical infrastructure protection, see app. I).

Sector-Specific Agencies Are to Coordinate Protection Efforts and Develop Plans:

HSPD-7 designated sector-specific agencies for each of the critical infrastructure sectors.
These federal agencies are responsible for infrastructure protection activities in their assigned sectors, which include coordinating and collaborating with relevant federal agencies, state and local governments, and the private sector to carry out sector protection responsibilities. These activities also include facilitating the sharing of information about physical and cyber threats, vulnerabilities, incidents, potential protective measures, and best practices. HSPD-7 also requires that these agencies submit an annual report to DHS on their efforts to identify, prioritize, and coordinate the protection of critical infrastructures in their respective sectors. DHS serves as the sector-specific agency for ten of the sectors: information technology; telecommunications; transportation systems; chemical; emergency services; commercial nuclear reactors, material, and waste; postal and shipping; dams; government facilities; and commercial facilities. (See table 2 for a list of each sector-specific agency and a brief description of each sector).

Table 2: Critical Infrastructure Sectors and Designated Sector-Specific Agencies:

Sector-specific agency: Dept. of Agriculture[A], Dept. of Health and Human Services, Food and Drug Administration[B]; Sector: Agriculture & food; Description: Provides for the fundamental need for food. The infrastructure includes supply chains for feed and crop production. Carries out the postharvesting of the food supply, including processing and retail sales.
Sector-specific agency: Dept. of Defense; Sector: Defense industrial base; Description: Supplies the military with the means to protect the nation by producing weapons, aircraft, and ships and providing essential services, including information technology and supply and maintenance.
Sector-specific agency: Dept. of Energy; Sector: Energy; Description: Provides the electric power used by all sectors and the refining, storage, and distribution of oil and gas. The sector is divided into electricity and oil and natural gas.
Sector-specific agency: Dept. of Health and Human Services; Sector: Public health and healthcare; Description: Mitigates the risk of disasters and attacks and also provides recovery assistance if an attack occurs. The sector consists of health departments, clinics, and hospitals.
Sector-specific agency: Dept. of the Interior; Sector: National monuments and icons; Description: Memorializes or represents monuments, physical structures, objects, or geographical sites that are widely recognized to represent the nation's heritage, traditions, or values, or widely recognized to represent important national cultural, religious, historical, or political significance.
Sector-specific agency: Dept. of the Treasury; Sector: Banking and finance; Description: Provides the financial infrastructure of the nation. This sector consists of commercial banks, insurance companies, mutual funds, government-sponsored enterprises, pension funds, and other financial institutions that carry out transactions.
Sector-specific agency: Environmental Protection Agency; Sector: Drinking water and water treatment systems; Description: Provides sources of safe drinking water from more than 53,000 community water systems and properly treated wastewater from more than 16,000 publicly owned treatment works.
Sector-specific agency: Dept. of Homeland Security: Office of Infrastructure Protection; Sector: Chemical; Description: Transforms natural raw materials into commonly used products benefiting society's health, safety, and productivity. The chemical sector produces more than 70,000 products that are essential to automobiles, pharmaceuticals, food supply, electronics, water treatment, health, construction, and other necessities.
Sector-specific agency: Dept. of Homeland Security: Office of Infrastructure Protection; Sector: Commercial facilities; Description: Includes prominent commercial centers, office buildings, sports stadiums, theme parks, and other sites where large numbers of people congregate to pursue business activities, conduct personal commercial transactions, or enjoy recreational pastimes.
Sector-specific agency: Dept. of Homeland Security: Office of Infrastructure Protection; Sector: Dams; Description: Manages water retention structures, including levees, more than 77,000 conventional dams, navigation locks, canals (excluding channels), and similar structures, including larger and nationally symbolic dams that are major components of other critical infrastructures that provide electricity and water.
Sector-specific agency: Dept. of Homeland Security: Office of Infrastructure Protection; Sector: Emergency services; Description: Saves lives and property from accidents and disaster. This sector includes fire, rescue, emergency medical services, and law enforcement organizations.
Sector-specific agency: Dept. of Homeland Security: Office of Infrastructure Protection; Sector: Commercial nuclear reactors, materials, and waste; Description: Provides nuclear power, which accounts for approximately 20% of the nation's electrical generating capacity. The sector includes commercial nuclear reactors and non-power nuclear reactors used for research, testing, and training; nuclear materials used in medical, industrial, and academic settings; nuclear fuel fabrication facilities; the decommissioning of reactors; and the transportation, storage, and disposal of nuclear materials and waste.
Sector-specific agency: Dept. of Homeland Security: Office of Cyber Security and Telecommunications; Sector: Information technology; Description: Produces information technology and includes hardware manufacturers, software developers, and service providers, as well as the internet as a key resource.
Sector-specific agency: Dept. of Homeland Security: Office of Cyber Security and Telecommunications; Sector: Telecommunications; Description: Provides wired, wireless, and satellite communications to meet the needs of businesses and governments.
Sector-specific agency: Dept. of Homeland Security: Transportation Security Administration; Sector: Postal and shipping; Description: Delivers private and commercial letters, packages, and bulk assets. The U.S. Postal Service and other carriers provide the services of this sector.
Sector-specific agency: Transportation Security Administration and U.S. Coast Guard; Sector: Transportation systems; Description: Enables movement of people and assets that are vital to our economy, mobility, and security with the use of aviation, ships, rail, pipelines, highways, trucks, buses, and mass transit.
Sector-specific agency: Immigration and Customs Enforcement, Federal Protective Service; Sector: Government facilities; Description: Ensures continuity of functions for facilities owned and leased by the government, including all federal, state, territorial, local, and tribal government facilities located in the U.S. and abroad.

Source: NIPP, Homeland Security Presidential Directive 7, and the National Strategy for Homeland Security.

[A] The Department of Agriculture is responsible for food (including meat, poultry, and eggs) and agriculture.

[B] The Department of Health and Human Services, Food and Drug Administration is responsible for food other than meat, poultry, and egg products.

[End of table]

Under the NIPP, the sector-specific agencies are also responsible for developing individual plans for their sectors. These plans are to support the NIPP by identifying the specific protective activities and information-sharing mechanisms and protocols that each sector will be using for its protection efforts.
Specifically, these plans are to be tailored to address the unique characteristics and risks of each sector and are to, among other things, (1) define the security roles and responsibilities of members of the sector; (2) establish the methods that members will use to interact and share information related to protection of critical infrastructure; (3) describe how the sector will identify its critical assets; and (4) identify the approaches the sector will take to assess risks and develop programs to protect these assets. DHS is to use these individual plans to evaluate whether any gaps exist in the protection of critical infrastructures on a national level and, if so, to work with the sectors to address them. Each sector-specific agency is to collaborate with its respective government and sector councils to develop these plans, and each is to submit its plan to DHS within 180 days of issuance of the NIPP (by the end of December 2006).

NIPP Relies on a Partnership Model for Coordination of Protection Efforts:

DHS published an Interim NIPP in February 2005 that was intended to provide the framework for a coordinated national approach to address the full range of physical, cyber, and human threats and vulnerabilities that pose risks to the nation's critical infrastructure. DHS released subsequent drafts of the NIPP for comment in November 2005 and January 2006 before it released a final NIPP in June 2006. The NIPP relies on a sector partnership model as the primary means of coordinating government and private sector critical infrastructure protection efforts. Under this model, each sector has both a government council and a sector council to address sector-specific planning and coordination. Each council is to work in tandem to create the context, framework, and support for coordination and information-sharing activities required to implement and sustain that sector's critical infrastructure protection efforts.
The council framework allows for the involvement of representatives from all levels of government and the private sector, so that collaboration and information-sharing can occur to assess events accurately, formulate risk assessments, and determine appropriate protective measures.

The government councils are to coordinate strategies, activities, policy, and communications across government entities within each sector. Each government council is to be comprised of representatives across various levels of government (i.e., federal, state, local, and tribal) as appropriate to the security needs of each individual sector. In addition, a representative from the sector-specific agency is to chair the council and is to provide cross-sector coordination with each of the member governments. Each council is also co-chaired by the DHS Assistant Secretary for Infrastructure Protection or a designee.

Sector councils are encouraged under the NIPP model to be the principal entities for coordinating with the government on a wide range of critical infrastructure protection activities and issues. Under the model, critical asset owners and operators are encouraged to be involved in the creation of sector councils that are self-organized, self-run, and self-governed, with a spokesperson designated by the sector membership.[Footnote 8] Specific membership can vary from sector to sector, but should be representative of a broad base of owners, operators, associations, and other entities--both large and small--within the sector.

The NIPP also identified cross-sector entities that are to promote coordination, communications, and the sharing of key practices across sectors.
On the government side, the Government Cross-Sector Council is comprised of two subcouncils: (1) the NIPP Federal Senior Leadership Council, comprised of representatives of each of the sector-specific agencies, that is to enhance communication and coordination between and among these agencies and (2) the State, Local, and Tribal Government Coordinating Council--comprised of state, local, and tribal homeland security advisors--that is to serve as a forum for coordination across these jurisdictions on protection guidance, strategies, and programs. On the private sector side, the Partnership for Critical Infrastructure Security (PCIS), comprised of one or more members and alternates from each of the sector councils, is to, among other things, provide senior-level, cross-sector strategic coordination through partnership with DHS and the sector-specific agencies and to identify and disseminate protection best practices across the sectors.

Sectors Have Established Government and Sector Councils, Which are Generally Representative of their Sectors; Council Activities Have Varied Depending on Their Maturity and Other Characteristics:

All of the sectors have established government councils, and voluntary sector councils under the NIPP model have been formed for all sectors except transportation systems. These councils were formed as early as 2002 to as recently as 2006. The nature of the 17 sectors varies and council membership reflects this diversity. The government councils are generally comprised of representatives from various federal agencies with regulatory or other interests in the sector as well as some state and local officials with purview over the sectors. In addition, members of the sector councils are generally representative of the asset owners and operators within the sectors.
Because some of the councils are newer than others, council activities vary based on the council's maturity and other characteristics, with some younger councils focusing on establishing council charters while more mature councils focused on developing protection strategies.

Some Councils Formed in Response to the NIPP, While Others Formed Earlier Because of Increased Vulnerabilities:

Each of the 17 critical infrastructure sectors has established its government council, and sector councils have been formed for all sectors except transportation systems.[Footnote 9] While seven sectors did not form either a government council or sector council prior to the drafting of the NIPP, ten of the sectors had formed at least one of these councils prior to DHS's drafting of the NIPP. These sectors said they recognized the need to collaborate to address risks and vulnerabilities that could result in economic consequences for their sectors. The sectors with pre-existing councils are generally using them to serve as the councils laid out in the NIPP model. For example, prior to the development of the NIPP, DHS and the Department of Agriculture established a government coordinating council for the agriculture and food sector to coordinate efforts to protect against agroterrorism. Also, prior to NIPP development, DHS helped the agriculture and food sector establish a sector council to facilitate the flow of alerts, plans, and other information between federal and state governments and private infrastructure groups.

The transportation systems sector had yet to form a sector council, and, at the time of our review, Transportation Security Administration officials said they were working with contractors to help each transportation mode establish its own sector council. TSA officials attributed the delay to the heterogeneous nature of the transportation sector--ranging from aviation to shipping to trucking.
(See table 3 for the status of government and sector council formation by sector).

Table 3: Status of Government Council and Sector Council Formation, as of August 2006:

Sector: Agriculture and food; Government council formed: 2003; Sector council formed: June 2004.
Sector: Banking and finance; Government council formed: January 2002; Sector council formed: June 2002.
Sector: Chemical; Government council formed: March 2005; Sector council formed: June 2004.
Sector: Commercial facilities; Government council formed: Summer 2005; Sector council formed: Fall 2005.
Sector: Commercial nuclear reactors, materials, and waste; Government council formed: October 2004; Sector council formed: September 2004.
Sector: Dams; Government council formed: January 2005; Sector council formed: May 2005.
Sector: Defense industrial base; Government council formed: July 2006; Sector council formed: August 2006.
Sector: Drinking water and water treatment systems; Government council formed: April 2005; Sector council formed: September 2004.
Sector: Emergency services; Government council formed: April 2005; Sector council formed: July 2003.
Sector: Energy[A]; Government council formed: Spring 2004; Sector council formed: June 2004.
Sector: Government facilities; Government council formed: November 2005; Sector council formed: Not applicable[B].
Sector: Information technology; Government council formed: April 2005; Sector council formed: January 2006.
Sector: National monuments and icons; Government council formed: September 2005; Sector council formed: Not applicable[B].
Sector: Postal and shipping; Government council formed: July 2005; Sector council formed: December 2004.
Sector: Public health and healthcare; Government council formed: Pre-2005; Sector council formed: Initiated in 2003, reorganized in 2006.
Sector: Telecommunications; Government council formed: May 2005; Sector council formed: May 2005.
Sector: Transportation systems; Government council formed: January 2006; Sector council formed: Not formed.

Source: Government council and sector council representatives.

[A] The energy sector includes the production, refining, storage, and distribution of oil, gas, and electric power, except for commercial nuclear power facilities.

[B] There is no private sector component to this sector.

[End of table]

Council Leaders Believe That Their Memberships Are Generally Representative of Government Agencies with Purview over the Sectors and Are Generally Representative of Asset Owners and Operators:

The composition, scope, and nature of the 17 sectors themselves vary significantly, and the memberships of their government and sector councils reflect this diversity. The enormity and complexity of the nation's critical infrastructure require council membership to be as representative as possible of the entities that make up the respective sector and that are responsible for or have some role in protecting them. As such, council leaders--government sector representatives and private council chairs--believe that their membership is generally representative of their sectors.

In terms of government councils, members are generally comprised of representatives from various federal agencies with regulatory or other interests in the sectors (see app. II for government council membership by sector). For example, the chemical sector government council membership includes officials with DHS; the Bureau of Alcohol, Tobacco, Firearms and Explosives; the Department of Commerce; the Department of Justice; the Department of Transportation; and the Environmental Protection Agency. This is because each entity has an interest in some form in the chemical sector. As permitted in the NIPP model, some government councils also include officials from state and local governments with jurisdiction over entities in the sector.
An example of this is the dams sector, in which its government council includes not only federal officials with purview over the sector but also state officials from the California Department of Water Resources; the New Jersey Department of Environmental Protection; the Ohio Department of Natural Resources; the Virginia Department of Conservation and Recreation; and the Washington Department of Ecology. These states represent the other states and all local governments in their regions. According to agency representatives for each of the government councils, the memberships may change over time if needed--for example, if knowledge of new threats would require the involvement of additional government entities.

Sector council membership varies, reflecting the unique composition of entities within each, but is generally representative of a broad base of owners, operators, and associations--both large and small--within a sector (see app. III for sector council membership by sector). For example, members of the drinking water and water treatment systems sector council include national organizations such as the American Water Works Association and the Association of Metropolitan Water Agencies and also members of these associations that are representatives of local entities including Breezy Hill Water and Sewer Company and the City of Portland Bureau of Environmental Services. In addition, the commercial facilities sector council includes more than 200 representatives of individual companies spanning 8 different subsectors, including public assembly facilities; sports leagues; resorts; lodging; outdoor events facilities; entertainment and media; real estate; and retail. According to sector council representatives, memberships generally represent the majority of private industries within each sector. This provides the councils opportunities to build the relationships needed to help ensure critical infrastructure protection efforts are comprehensive.
The two exceptions are the transportation systems sector council and the public health and healthcare sector council. According to government and sector representatives, because the transportation systems sector has yet to establish a council, memberships are yet to be determined. Because of the vast number of business entities within the private sector that are very diverse in their interests, it has been difficult for the public health and healthcare sector council to engage a mix of critical asset owners that everyone considers representative. There are a large number of public health and healthcare organizations involved in the sector that do consider themselves representative of the market. According to DHS's Director of the Infrastructure Programs Office within the Office of Infrastructure Protection, owners and operators are necessary members of the council because they have the responsibility to invest time, money, and other resources to secure their critical assets and are held responsible by their customers and by the public they serve to respond and recover when their operations are disrupted. Recently, a new public health and healthcare chair of the sector council has been designated and is working to solidify the council's structure and membership. While these efforts may help, it is unclear how soon this will happen.

While Newer Councils Are Just Forming, More Mature Councils Are Addressing Long-Term Strategies:

Council activities have varied based on the maturity of the councils. Because some of the councils are newer than others, council meetings have addressed a range of topics from agreeing on a council charter to developing industry standards and guidelines for business continuity in the event of a disaster or incident.
For example, the commercial facilities government council, which formed in 2005, has held meetings to address operational issues--such as agreeing on a charter, learning what issues are important to the sector, learning about risk management tools, and beginning work on the sector-specific plan. Councils that are more mature have been able to move beyond these activities to address more strategic issues. For example, the banking and finance sector council, which formed in 2002, focused its efforts most recently on strengthening the financial system's ability to continue to function in the event of a disaster or incident (known as "resilience"); identifying a structured and coordinated approach to testing sector resilience; and promoting appropriate industry standards and guidelines for business continuity and resilience. Sector councils are not intended to replace the information sharing functions provided by the ISACs. For those sectors that had established ISACs prior to the development of the NIPP, the sectors may continue to rely on them for operational and tactical capabilities for information sharing, such as threat alerts, and, in some cases, support for incident response activities. In contrast, sector councils are to serve as strategy and policy-making bodies for critical infrastructure protection. The NIPP also supports the continued use of ISACs by those sectors that have established them, but notes that each sector has the ability to implement a tailored information sharing solution that may include existing ISACs or other methods, such as trade associations, security organizations, or infrastructurewide or corporate operations centers. In fact, the ISACs for the banking and finance sector as well as the information technology sector are members of their respective sector councils. Many sectors are exploring a relatively new DHS information sharing mechanism, the Homeland Security Information Network (HSIN). 
This network, in particular the portal for critical infrastructure protection called Critical Sectors (HSIN-CS), is a suite of tools that sector councils can use for information sharing, coordination, and communication about alerts, incidents, and planning efforts within the sector. At the time of our review, according to DHS's Director of the Infrastructure Programs Office within the Office of Infrastructure Protection, DHS had created access portals for all 17 sectors and 6 sector councils had signed formal memorandums of understanding with DHS to use the system, declaring the councils' intent to implement access and use for their entire sector. Once HSIN-CS is fully deployed, some sectors may use it instead of developing separate ISACs or as a supplement to an existing ISAC.

Good Prior Working Relationships, Willingness to Share Critical Information, and Sufficient Resources Are Key to Council Formation and Progress:

Government and sector council representatives most commonly cited long-standing working relationships between entities within their respective sectors and with the federal agencies that regulate them, the recognition among some sector entities of the need to share infrastructure information with the government and within the sector, and operational support from DHS contractors as factors that facilitated council formation. However, these representatives also most commonly identified several key factors that posed challenges to forming some of the councils, including (1) difficulty establishing partnerships with DHS because of issues including high turnover of its staff and DHS staff who lacked knowledge about the sector to which they were assigned; (2) hesitancy to provide sensitive information or industry vulnerabilities to the government due to concerns that the information might be publicly disclosed; and (3) lack of long-standing working relationships within the sector or with federal agencies.
Recognizing the Need to Work Together, Share Information, and Obtain Support Were Most Common Factors That Helped Facilitate Council Development:

One of the factors assisting the formation of many of the government and sector councils was the existence of long-standing working relationships within the sectors and with the federal agencies that regulate them. As noted earlier in this report, ten of the sectors had formed either a government council or sector council that addressed critical infrastructure protection issues prior to DHS's development of the NIPP. These sectors generally had ready-made councils in terms of the NIPP model, compared to sectors that did not have prior relationships. In addition, according to government and sector council representatives, sectors in which the industries have been highly regulated by the federal government--such as the banking and finance sector as well as the commercial nuclear sector--were already used to dealing with the federal government on many issues. Therefore, forming a relationship between the government and the private sector and within the sector was not very difficult. For example, the banking and finance sector has had a functional equivalent of both the government and sector councils since 2002 as well as an ISAC since 1999. Government and sector council representatives reported that members of both councils have developed long-standing and trusted working relationships between respective members of each council and across the two councils and an effective means of information sharing via their ISAC.
As we reported in 2001, developing trusted relationships among their members was one of four key factors critical to the success of information sharing organizations in addressing cyber infrastructure threats.[Footnote 10] We reported that trust was critical to overcome members' reluctance to disclose their weaknesses, vulnerabilities, and other confidential or proprietary business information, but that trust had to be built over time and through personal relationships. The private sector's recognition of the need to share information with the government about security threats, infrastructure vulnerabilities, and protective measures also helped with council formation, according to representatives of government and sector councils in 15 of the sectors. This recognition dates back to PDD-63 with the formation of the ISACs between 1999 and 2003 and continues today. As we reported in July 2004, the private sector recognized the need to share information with the federal government and many sectors voluntarily created ISACs to provide an appropriate system to do so.[Footnote 11] Information sharing can communicate both actionable information on threats and incidents as well as information about the overall protection status of critical assets so that owners and operators, federal agencies, states, localities, tribal governments, and others can assess risks, make appropriate security investments, and take effective and efficient protective actions. Government and sector representatives generally see the formation of the councils as another step to improve information sharing between the federal government and the private sector that can ultimately lead to more efficient and effective investments by owners and operators as they protect their infrastructure. 
The availability of DHS contractors that provided administrative and other assistance to the government and sector councils was a third facilitating factor cited by representatives of 13 government and 5 sector councils. DHS entered into contracts with the following three organizations[Footnote 12] to provide administrative and other assistance to help fill resource and skill gaps for the councils:

* DHS contracted with VSE Corporation, an engineering and technical support services firm, in September 2005. Under this contract, Energetics, a subcontractor, was to provide support to any of the sectors that requested assistance in developing a common vision for their sector-specific plans. Under this same contract, Meridian Institute, a subcontractor to Energetics, was to provide support to any sector councils that requested help to convene their councils and to build consensus on a governance structure. This contract also supported development of reports and studies related to the partnership model and information sharing with the sectors. According to the most currently available data, VSE-Energetics was provided $3 million for September 2005 to September 2006.

* DHS contracted with SRA International, Inc., in January 2004 to provide "secretariat" support to the government councils. This support was to include meeting planning, logistics, minutes, record keeping, and administrative support. This contract also supported the National Infrastructure Advisory Council, a presidential advisory committee, with administrative, research, and technical writing support. A number of study and analysis efforts were also supported under this contract. SRA was provided $7.8 million from January 2004 to August 2006.

* DHS contracted with George Mason University (GMU) in October 2004 to provide administrative and other support to the Partnership for Critical Infrastructure Security (PCIS) and those sector councils that request support. GMU was provided $2.2 million for October 2004 to December 2006.

The council representatives generally viewed these contractors as invaluable in providing administrative, meeting-arrangement, and meeting-facilitation services to the councils. For example, DHS's contract with GMU was to provide meeting-planning, facilitation and logistics support, develop materials, record and produce minutes, deliver progress reports, and support development of governance documents, if requested by the sector councils. Representatives of the emergency services sector council and the telecommunications sector council commended the services GMU provided for being very helpful, including guidance GMU's staff provided on lessons learned from how other sector councils were organized.

Difficulties in Developing Partnerships with DHS, Concerns about Sharing Information, and the Lack of Long-standing Working Relationships Were the Most Common Challenges to the Formation of Some Councils:

While not all government and sector council representatives cited any particular challenges to forming their councils, those who did mentioned several key factors that included (1) difficulty establishing partnerships with DHS because of issues including high turnover of its staff and lack of staff knowledgeable about their sector; (2) hesitancy to provide sensitive information or industry vulnerabilities to the government or to other sector representatives due to concerns that it might be publicly disclosed; and (3) lack of long-standing working relationships within the sector or a close association with federal agencies. (See figures 1 and 2 for information on the number of councils that listed key factors that posed challenges for government and sector councils, respectively).

Figure 1: Key Challenges That Affected Establishing Government Councils:

[See PDF for image]

Source: GAO analysis.

Note: Values do not add to 17 because council representatives may have indicated more than one challenge.
[End of figure]

Figure 2: Key Challenges That Affected Establishing Sector Councils:

[See PDF for image]

Source: GAO analysis.

Note: Values do not add to 15 because the 14 council representatives and the rail sector representative may have indicated more than one challenge.

[End of figure]

Representatives of Eleven Councils Cited Establishing Partnerships with DHS as a Challenge in Forming Councils:

Council representatives with three government and eight sector councils reported that they experienced problems forming their councils due to a number of challenges establishing partnerships with DHS.[Footnote 13] Specifically, these reported challenges included high turnover of staff, poor communications with councils, staff who were unfamiliar with the sector and did not understand how it works, shifting priorities that affected council activities, and minimal support for council strategies. DHS acknowledged that its recent reorganization has resulted in staff turnover, but according to DHS's Director of the Infrastructure Programs Office within the Office of Infrastructure Protection, this should not have affected formation of the councils. According to this official, DHS has taken a consistent approach to implement the partnership model, and the individual person in a particular staff position does not matter because the DHS implementation guidance is consistent. However, the director acknowledged that continuing staff turnover could affect the eventual success of the government-private sector partnerships because they will be dependent on the actual interactions between the sector-specific agency representatives and the sector council members and the trust they develop. Continuity of government staff is a key ingredient in developing trusted relationships with the private sector.
We and others have similarly reported on DHS's struggles to achieve organizational stability and to provide infrastructure expertise across all sectors in the past as well as in our most recent work on Internet security issues. For example, in May 2005, we reported that DHS faced a number of challenges that impeded its ability to fully address its cybersecurity critical infrastructure protection responsibilities, including achieving organizational stability and establishing effective partnerships with stakeholders.[Footnote 14] Specifically, we reported that DHS continued to have difficulties in developing partnerships, as called for in federal policy, with other federal agencies, state and local governments, and the private sector. We recommended that DHS engage appropriate stakeholders to prioritize key cybersecurity responsibilities as well as identify performance measures and milestones for fulfilling them. DHS concurred with our recommendation to engage stakeholders in prioritizing its key cybersecurity responsibilities, noting that continued and expanded stakeholder involvement is critical. However, DHS did not agree that the challenges it experienced prevented it from achieving significant results in improving the nation's cybersecurity posture. In addition, DHS did not concur with our recommendations to (1) develop a prioritized list of key activities for addressing the underlying challenges and (2) identify performance measures and milestones for fulfilling its prioritized responsibilities and for performing activities to address its challenges and track organizational progress. Nonetheless, in its strategic plan for cybersecurity, DHS acknowledges that it needs to establish performance measures and milestones and to collect performance data for its key initiatives. 
More recently, in March 2006, the Council on Foreign Relations, in a study of private sector efforts to protect critical infrastructure, reported that DHS was still struggling with many issues that prevented the full cooperation of the private sector in terms of improving homeland security and protecting critical infrastructure.[Footnote 15] For example, the council noted that DHS suffered from high management turnover, poor quality management, and a shortage of experienced personnel as factors that contributed to the difficulty in improving relationships with the private sector. Finally, in June 2006, we reported that DHS faced similar challenges that impeded its ability to protect the Internet infrastructure, including organizational and leadership changes at the department.[Footnote 16]

Representatives for about a Third of Councils Expressed Concerns about Sharing Sensitive Information about Infrastructure Vulnerabilities with the Government and with Other Sector Members:

Representatives with six government and five sector councils noted that the private sector continues to be hesitant to provide sensitive information regarding vulnerabilities to the government as well as with other sector members due to concerns that, among other things, it might be publicly disclosed.
For example, these representatives were concerned that the items discussed, such as information about specific vulnerabilities, might be subject to public disclosure under the Federal Advisory Committee Act and thereby be available to competitors or potentially make the council members subject to litigation for failure to publicly disclose any known threats or vulnerabilities.[Footnote 17] This issue continues to be a longstanding concern and one that contributed to our designating homeland security information sharing as a high-risk issue in January 2005.[Footnote 18] We reported then that the ability to share security-related information is critical and necessary because it can unify the efforts of federal, state, and local government agencies and the private sector in preventing or minimizing terrorist attacks. In March 2006, we reported that more than 4 years after September 11, the nation still lacked governmentwide policies and processes to help agencies integrate a myriad of ongoing efforts to improve the sharing of terrorism-related information that is critical to protecting our homeland.[Footnote 19] More recently, in April 2006, we reported that DHS continued to face challenges that impeded the private sector's willingness to share sensitive security information with the government.[Footnote 20] In this report, we assessed the status of DHS efforts to implement the protected critical infrastructure information (PCII) program created pursuant to the Homeland Security Act. This program was specifically designed to establish procedures for the receipt, care, and storage of critical infrastructure information voluntarily submitted to the government. We found that while DHS created the program office, structure, and guidance, few private sector entities were using the program. 
Challenges DHS faced included being able to assure the private sector that such information will be protected and specifying who will be authorized to have access to the information, as well as to demonstrate to critical infrastructure owners the benefits of sharing the information. We concluded that if DHS were able to surmount these challenges, it and other government users may begin to overcome the lack of trust that critical infrastructure owners have in the government's ability to use and protect their sensitive information. We recommended that DHS better define its critical infrastructure information needs and better explain how this information will be used. DHS concurred with our recommendations and in September 2006 issued a final rule that established procedures governing the receipt, validation, handling, storage, marking, and use of critical infrastructure information voluntarily submitted to DHS.

To help address council concerns about sharing sensitive security information, DHS in March 2006 created the Critical Infrastructure Partnership Advisory Council, open to members of each of the government and sector councils. The purpose of the Advisory Council is to facilitate interactions between government representatives and private sector owners and operators of critical assets. To accomplish this goal, DHS exempted council proceedings from requirements of the Federal Advisory Committee Act. However, it is too soon to determine whether the council has helped facilitate information sharing.

Several Council Representatives Cited a Lack of Prior Working Relationships as a Challenge to Council Formation:

Four government and four sector council representatives stated that the lack of prior working relationships either within their sector or with the federal government created challenges in forming their respective councils.
For example, the public health and healthcare sector struggled with creating a sector council that represented the interests of the sector because it is comprised of thousands of entities that are not largely involved with each other in daily activities.[Footnote 21] According to the sector-specific agency representative of the Department of Health and Human Services (HHS), historically, there was relatively little collaboration on critical infrastructure protection-related issues among sector members. Some individual members, such as pharmaceutical companies, do have vigorous critical infrastructure protection programs to address their company's challenges. The official also noted that many other companies work cooperatively to evaluate cybersecurity requirements. However, the official said by and large, such initiatives are unique to specific industries, are not applicable to the entire sector, and are geared to specific business objectives (e.g., prevention of industrial espionage). The official indicated that most sector members have few strong, continuing incentives to collaborate with one another in understanding and resolving critical infrastructure protection-related issues. Despite these reported challenges, the public health and healthcare sector has been able to form a sector council that is in the early stages of organization.

The commercial facilities sector, which also involves varied and often unrelated stakeholders nationwide, similarly reported that the disparities among stakeholders made forming a council challenging. This sector encompasses owners and operators of stadiums, raceways, casinos, and office buildings that have not previously worked together. In addition, the industries comprising the commercial facilities sector did not function as a sector prior to the NIPP and did not have any prior association with the federal government.
As a result, this sector council has been concentrating its efforts on identifying key stakeholders and agreeing on the scope of the council and its membership. The council has established eight subcouncils to allow the disparate members to organize in a meaningful way.

Because approximately 85 percent of the nation's critical infrastructure is owned by the private sector, developing trusted partnerships between the federal government and the private sector across all sectors is critical to ensure the protection of these assets, as we reported in 2001 and in a number of subsequent reports on critical infrastructure protection issues.

Councils Delayed Their Work on Sector-Specific Plans until the NIPP Was Issued but Despite Challenges, Expect to Complete Plans by the End of December 2006:

Each of the 17 sectors is preparing sector-specific plans. Sector-specific agencies anticipate that all plans will be finalized by the end of December 2006, as required by the NIPP, but some sectors were farther along than others as of August 2006. Representatives from both the government and sector councils cited factors that have facilitated the development of their plans--similar to those that facilitated development of their councils--most commonly citing pre-existing plans; historical relationships between the federal government and the private sector or across the private sector; and contractor support. Sector representatives most commonly reported that key challenges in drafting their plans were the lack of a final NIPP, which caused some sectors to delay work on their plans, the changing nature of DHS guidance on how to develop the plans, and the diverse make-up of sector membership.
Sector-Specific Agencies Believe They Will Complete Plans on Time:

Sector-specific agency representatives believe they will meet the deadline to complete their plans by December 2006.[Footnote 22] DHS requires these plans to contain definitions of the processes the sectors will use to identify their most critical assets and resources as well as the methodologies they will use to assess risks, but not information on the specific protective measures that will be utilized by each sector. Nevertheless, as of August 2006, some sectors reported being further along in developing a plan than others, and some private council representatives said collaboration between the private council and the government council on the plans had yet to take place. For example, representatives of the chemical and nuclear sectors anticipated completing their plans before the December deadline. However, while TSA officials reported that they had drafted an overall plan, they had only begun drafting plans for each transportation mode such as aviation, rail, and ports, as of August 2006. Additionally, the overall plan had yet to be shared with the private sector at the time of our review. Moreover, the commercial facilities sector-specific agency representative said that as of May 2006, the agency had only developed a plan outline because it was still conducting outreach with the sector council and other relevant government councils. Nevertheless, the sector co-chair said the sector should be able to meet the December 2006 deadline.

The NIPP requires agencies to coordinate the development of plans in collaboration with their security partners represented by government and sector councils and provide documentation of such collaboration.
To date, the level of collaboration between sector-specific agencies and the sector councils in developing the sector-specific plans has varied--ranging from soliciting stakeholder comments on a draft to jointly developing the plan.[Footnote 23] For example, the Department of Agriculture and the Food and Drug Administration are initiating a draft agriculture and food plan and plan to provide it to a working group of government and sector council representatives to add relevant information and comments, while representatives of the energy sector council are working with the Department of Energy to draft the energy plan. Despite the consistent belief among the sectors that they will be able to provide their plans to DHS by the December 2006 deadline, the extent to which some of the sector-specific agencies that are responsible for the less developed and organized sectors are going to be able to achieve the required collaboration is uncertain since effective relationships within the sectors and with federal agencies had yet to be established, which is a crucial step.

Pre-existing Plans, Collaboration, and Contractor Support Were Factors Most Commonly Cited as Facilitating Development of Sector-Specific Plans:

Representatives from both sector-specific agencies and sector councils identified a number of factors that have helped in the development of their plans. The most common factors included having (1) pre-existing plans, (2) pre-existing relationships between the government and the private sector, and (3) assistance from DHS officials and contractors.

Sector representatives from the agriculture and food, banking and finance, chemical, and energy sectors said their sectors had already developed protection plans prior to the interim NIPP published in February 2005 because they had recognized the economic value in planning for an attack. These representatives said they were able to revise their previous plans to serve as the plans called for in the NIPP.
For example, the Department of Energy, with input from the sector, had developed a protection plan in anticipation of the Year 2000 ("Y2K") computer threat; Department of Energy officials noted that both this plan and the relationships established by its development have been beneficial in developing the protection plan for the energy sector. Likewise, HHS and U.S. Department of Agriculture representatives said that the agriculture and food plan will follow and document infrastructure protection practices that the sector was already doing as a result of Homeland Security Presidential Directive 9 (HSPD-9)--which established a national policy to defend the agriculture and food system against terrorist attacks, major disasters, and other emergencies--and will be based on a previous plan developed in 2004 in response to the directive. Similarly, the banking and finance sector council, which worked closely with the Department of Treasury, has had a critical infrastructure protection plan in place for the banking and finance sector since 2003 and planned to use it, along with other strategies, to fit the format required by the NIPP. Representatives from 13 government and 10 sector councils agreed that having prior relationships--either formally between the federal government and the private sector based on regulatory requirements, or informally within and across industries--facilitated sector-specific plan development. For example, a nuclear sector representative said that its regulator, the Nuclear Regulatory Commission, had already laid out clear guidelines for security and threat response that facilitated developing the sector's plan. Representatives from the Transportation Security Administration (TSA) and the banking and finance government council also said that previous regulatory relationships with their sectors helped with plan development. 
The TSA official said that the flow of information and coordination between the federal government and the transportation industry occurred continually and that these existing networks would also assist in plan development. Sectors with operating ISACs--such as the telecommunications and information technology sectors--found them to have assisted in developing sector-specific plans because of their longer involvement in public-private information sharing. The drinking water and wastewater sector council representative said that its long-standing culture of sharing information and decades of work with the Environmental Protection Agency helped with plan development. In addition, according to officials on the telecommunications sector council's steering committee, communications companies, electric power suppliers, and information technology providers have a history of working together to ensure the continuity of services during potentially disrupting events. This history facilitated cooperation and coordination in developing the sector-specific plans.

Representatives from seven sector-specific agencies and five sector councils said that assistance from DHS officials or DHS contractors was also a factor that helped with plan development. In addition to the contractor assistance identified above, DHS entered into the following contract to provide support for the development of the NIPP and the sector-specific plans:

* DHS contracted with ICF International, a professional services consulting firm, in January 2004. Under this contract, ICF International was to support the development of the guidance for the sector-specific plans, conduct technical assistance sessions for sector-specific agencies to facilitate plan development, and provide subject matter experts to each of the 17 sectors to support drafting and review of each sector's plan. According to DHS, ICF International was provided $11.2 million for work performed from January 2004 through December 2006.
Representatives from the national monuments and icons and the government facilities sectors said that DHS officials have been accessible and responsive to questions regarding plan guidance. In addition, five sector representatives cited the help provided through DHS's contract with the George Mason University's Critical Infrastructure Protection program as being useful in understanding the plan guidance and in facilitating sector communication. These and other sector representatives said that the DHS-provided contractor assistance also helped in the development of their plans. By having access to these contractors, sectors were able to access additional support when needed for plan development activities such as research and drafting. For example, DHS contract staff assisted the Department of the Interior and DHS's Chemical and Nuclear Preparedness and Protection Division in drafting the plans for the national monuments and icons and emergency services sectors, respectively. Representatives from the chemical, emergency services, nuclear, and telecommunications sector councils said that contractors hired by DHS were helpful as resources providing research or drafting services.

The Lack of a Final NIPP, Changing Guidance, and Other Challenges Impeded Progress on Some Sector-Specific Plans:

The most common key challenges sector representatives reported as having contributed to delays in the development of their plans included (1) the lack of a final NIPP, (2) changing DHS guidance, and (3) the diverse makeup of sector membership. Representatives from seven government councils and six private councils did not report any major challenges to plan development. Figures 3 and 4 summarize the key challenges in developing plans cited by council representatives.

Figure 3: Key Challenges to Developing Sector-Specific Plans, according to Government Council Representatives:

[See PDF for image]

Source: GAO analysis.
Note: Values do not add to 17 because council representatives may have indicated more than one challenge.

[End of figure]

Figure 4: Key Challenges to Developing Sector-Specific Plans, according to Sector Council Representatives:

[See PDF for image]

Source: GAO analysis.

Note: Values do not add to 15 because the 14 council representatives and the rail sector representative may have indicated more than one challenge.

[End of figure]

Representatives from six government councils and six sector councils said that the lack of a final NIPP contributed to delays in developing their sector plans. Furthermore, representatives with three sectors specifically stated that they suspended revisions to their sector plans primarily because they wanted to be sure the plans followed the requirements in the final NIPP and to minimize revisions. The sector-specific agencies are required to complete their plans and submit them to DHS 180 days from the final issuance date of the NIPP. Since DHS issued the final NIPP in June 2006, the agencies have until the end of December 2006 to submit their plans.

According to DHS, sectors had begun drafting their sector-specific plans following the issuance of initial sector-specific plan guidance in April 2004. After DHS issued the interim NIPP in February 2005, it continued to refine the NIPP based on stakeholder comments and also issued revised sector-specific plan guidance. For example, DHS revised its 2004 plan guidance a year later with new requirements including how the sector will collaborate with DHS on risk assessment processes as well as how it will identify the types of protective measures most applicable to the sector. DHS then issued additional guidance in 2006 that required the plans to have a new chapter describing how sector-specific agencies are to manage and coordinate their responsibilities.
These changes required some sectors--such as dams, emergency services, and information technology--to make significant revisions to their draft plans. Representatives from these sectors expressed frustration with having to spend extra time and effort making changes to the format and content of their plans each time DHS issued new guidance. Therefore, they decided to wait until final guidance was issued based on the final, approved NIPP.

However, some sectors found the changes in the NIPP and plan guidance to be improvements over prior versions that helped them prepare their plans. For example, representatives from the emergency services sector said that guidance became more specific and, thus, more helpful over time, and representatives from the national monuments and icons sector said that the DHS guidance has been useful. Representatives from five sectors also reported that DHS incorporated changes to address their concerns. For example, representatives from the information technology, public health, energy, telecommunications, and transportation systems sectors, among others, had commented that the NIPP should emphasize resiliency rather than protection. According to some of these representatives, it is impossible and cost-prohibitive to try to protect every asset from every possible threat. Instead, industries in these sectors prefer to invest resources in protecting the most critical assets with the highest risk of damage or destruction and to plan for recovering quickly from an event. Representatives from the telecommunications sector added that resiliency is especially important for interdependent industries in restoring services such as communications, power, the flow of medical supplies, and transportation as soon as possible. DHS incorporated this concept of resiliency into the final NIPP to address these concerns.
As in establishing their councils, in developing their sector-specific plans, officials from three government councils and five sector councils said that their sectors were made up of a number of disparate stakeholders, making agreement on a plan more difficult. For example, as noted earlier, the commercial facilities sector is comprised of eight different subsectors of business entities that have historically had few prior working relationships. According to the government council representative, the magnitude of the diversity among these subsectors has slowed the process of developing a plan so that the sector only had an outline of its plan as of May 2006. Similarly, government and private council representatives of the agriculture and food sector indicated that the diversity of industries included in this sector such as farms, food processing plants, and restaurants, each of which has differing infrastructure protection needs, has made developing a plan more difficult.

Concluding Observations:

Critical infrastructure protection is vital to our national security, economic vitality and public health. Significant damage to critical infrastructure and key resources could disrupt the functioning of business and government alike, underscoring the need for the private and public sectors to take a coordinated approach to critical infrastructure protection. While DHS is to be commended for its efforts to incorporate private sector comments into the final NIPP, the 18-month delay in issuing that document and changing DHS planning guidance have slowed down the progress of some sectors in developing specific plans to protect sectors. As a result, some less mature sectors were still in the outline phase of developing their sector-specific plans at the time of our review, leaving much to do and not a lot of time left to do it before the December deadline.
In addition, some private council representatives said collaboration between the private council and the government council on the plans, which is required by the NIPP, had yet to take place. Not only is this collaboration required by the NIPP, but also the ability of the private sector to achieve the goals of HSPD-7 and the National Strategy for Homeland Security depends on it. The extent to which some of the sector-specific agencies that are responsible for the less developed councils and plans are going to be able to achieve this collaboration is uncertain since neither had yet established effective relationships, a crucial step. In addition, both the NIPP and the sector plans only represent a first step toward ensuring sufficient protection of critical infrastructure. The NIPP lays out guidance for critical infrastructure protection planning and risk assessments, yet the sector plans must only demonstrate how the sectors will identify their critical assets, plan for infrastructure protection, and assess risk across their infrastructure base, not identify critical assets and assess risk levels. Conducting these identifications and assessments will be the next step under the NIPP guidelines. The inability to share information critical to homeland security and infrastructure protection continues to pose a significant risk to the nation. This report, as well as our past work, demonstrates that many private sector partners do not trust the government enough yet to share information on their security vulnerabilities. DHS's creation of the Critical Infrastructure Partnership Advisory Council in March 2006 may help alleviate private sector concerns about the sharing of sensitive security information, but it is too soon to determine whether the council has helped facilitate information sharing. Similarly, developing successful working relationships continues to be an important issue for DHS. 
Our previous work, dating back to 2001, shows that the establishment of trusted relationships is vital to the success of information sharing and critical infrastructure protection efforts. Given the long-term relationships that are necessary for the successful implementation of the NIPP, factors that impact these relationships, such as continuing staff turnover, could affect the eventual success of the government-private sector partnerships.
Because our findings in this report echo many of those in our previous reports and are covered by previous recommendations to DHS that have yet to be fully implemented, we are not making any new recommendations at this time. Continued monitoring will determine whether further recommendations are warranted.
As agreed with your offices, unless you publicly announce its contents earlier, we plan no further distribution of this report until 30 days after its issue date. At that time, we will provide copies of this report to appropriate departments and interested congressional committees. We will also make copies available to others upon request. In addition, the report will be available at no charge on GAO's Web site [Hyperlink, http://www.gao.gov].
If you or your staff have any questions about this report, please contact me at (202) 512-8777 or at larencee@gao.gov. Key contributors to this report are listed in appendix IV.
Signed by:
Eileen R. Larence:
Director, Homeland Security and Justice Issues:
[End of section]
Appendix I: Key Federal Initiatives in Developing Critical Infrastructure Protection Policy, 1996 to Present:
Policy action: Executive Order 13010; Date: July 1996; Key elements: Established the President's Commission on Critical Infrastructure Protection to study the nation's vulnerabilities to both cyber and physical threats; Identified the need for the government and the private sector to work together to establish a strategy for protecting critical infrastructures from physical and cyber threats and assuring their continued operation.
Policy action: Presidential Decision Directive 63; Date: May 1998; Key elements: Established CIP as a national goal and presented a strategy for cooperative efforts by government and the private sector to protect the physical and cyber-based systems essential to the minimum operations of the economy and the government; Designated government agencies to coordinate and support CIP efforts; Identified lead federal agencies to work with coordinators in eight infrastructure sectors and five special functions; Encouraged the development of information-sharing and analysis centers; Required every federal department and agency to be responsible for protecting its own critical infrastructures, including both cyber-based and physical assets; Superseded by HSPD-7 (see details on HSPD-7 below).
Policy action: National Plan for Information Systems Protection[A]; Date: Jan. 2000; Key elements: Provided a vision and framework for the federal government to prevent, detect, and respond to attacks on the nation's critical cyber-based infrastructure and to reduce existing vulnerabilities via federal computer security and information technology requirements.
Policy action: Executive Order 13228; Date: Oct. 2001; Key elements: Established the Office of Homeland Security, within the Executive Office of the President, to develop and coordinate the implementation of a comprehensive national strategy to secure the United States from terrorist threats or attacks; Established the Homeland Security Council to advise and assist the President with all aspects of homeland security and to ensure the coordination of homeland security-related activities of executive departments and agencies and effective development and implementation of homeland security policies.
Policy action: Executive Order 13231; Date: Oct. 2001; Key elements: Established the President's Critical Infrastructure Protection Board to coordinate cyber-related federal efforts and programs associated with protecting our nation's critical infrastructures and to recommend policies and coordinating programs for protecting CIP-related information systems.
Policy action: National Strategy for Homeland Security[B]; Date: July 2002; Key elements: Identified the protection of critical infrastructures and key assets as a critical mission area for homeland security; Expanded the number of critical infrastructures from the 8 (identified in Presidential Decision Directive 63) to 13 and identified lead federal agencies for each; Specified 8 major initiatives for CIP, one of which specifically calls for the development of the National Infrastructure Protection Plan.
Policy action: Homeland Security Act of 2002[C]; Date: Nov. 2002; Key elements: Created the Department of Homeland Security and assigned it the following CIP responsibilities: (1) developing a comprehensive national plan for securing the key resources and critical infrastructures of the United States; (2) recommending measures to protect the key resources and critical infrastructures of the United States in coordination with other entities; and (3) disseminating, as appropriate, information to assist in the deterrence, prevention, and preemption of or response to terrorist attacks.
Policy action: The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets[D]; Date: Feb. 2003; Key elements: Provided a statement of national policy to remain committed to protecting critical infrastructures and key assets from physical attacks; Built on Presidential Decision Directive 63 with its sector-based approach and called for expanding the capabilities of information sharing and analysis centers; Outlined three key objectives: (1) identifying and assuring the protection of the most critical assets, systems, and functions; (2) assuring the protection of infrastructures that face an imminent threat; and (3) pursuing collaborative measures and initiatives to assure the protection of other potential targets.
Policy action: Executive Order 13286; Date: Feb. 2003; Key elements: Amended Executive Order 13231 but generally maintained the same national policy statement regarding the protection against disruption of information systems for critical infrastructures; Designated the National Infrastructure Advisory Council to continue to provide the President with advice on the security of information systems for critical infrastructures supporting other sectors of the economy through the Secretary of Homeland Security.
Policy action: Homeland Security Presidential Directive 7; Date: Dec. 2003; Key elements: Superseded Presidential Decision Directive 63 and established a national policy for federal departments and agencies to identify and prioritize U.S. critical infrastructure and key resources and to protect them from terrorist attack; Defined roles and responsibilities for the Department of Homeland Security and sector-specific agencies to work with sectors to coordinate CIP activities; Established a CIP Policy Coordinating Committee to advise the Homeland Security Council on interagency CIP issues.
Source: GAO analysis of documents listed above.
[A] The White House, Defending America's Cyberspace: National Plan for Information Systems Protection: Version 1.0: An Invitation to Dialogue (Washington, D.C.: January 2000).
[B] The White House, Office of Homeland Security, National Strategy for Homeland Security.
[C] Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135 (2002).
[D] The White House, The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets.
[End of table]
[End of section]
Appendix II: Government Sector Council Membership, by Sector as of August 2006:
Sector: Agriculture and food; Government council members: Association of State and Territorial Health Officials; Intertribal Agriculture Council; National Assembly of State Chief Livestock Health Officials; National Association of County and City Health Officials; National Association of State Departments of Agriculture; US Dept. of Agriculture; US Dept. of Defense; US Dept. of Health and Human Services; US Dept. of Homeland Security; US Environmental Protection Agency; Ex Officio Members; Association of Food and Drug Officials; US Dept. of Commerce; US Dept. of Justice; US Dept. of the Interior.
Sector: Banking and finance; Government council members: Commodity Futures Trading Commission; Conference of State Bank Supervisors; Farm Credit Administration; Federal Deposit Insurance Corporation; Federal Housing Finance Board; Federal Reserve Bank of New York; Federal Reserve Board; National Association of Insurance Commissioners; National Association of State Credit Union Supervisors; National Credit Union Administration; North American Securities Administration Association; Office of Federal Housing Enterprise Oversight; Office of the Comptroller of the Currency; Office of Thrift Supervision; Securities and Exchange Commission; Securities Investor Protection Corporation; US Dept. of Treasury.
Sector: Chemical; Government council members: US Dept. of Commerce; Bureau of Industry and Security; US Dept. of Homeland Security; Preparedness Directorate, National Cyber Security Division; Preparedness Directorate, Office of Infrastructure Protection; Science and Technology Directorate; Transportation Security Administration; US Coast Guard; US Dept. of Justice; Bureau of Alcohol, Tobacco, Firearms and Explosives; Federal Bureau of Investigation; US Dept. of Transportation; Federal Railroad Administration; Federal Motor Carrier Safety Administration; Pipeline and Hazardous Materials Safety Administration; US Environmental Protection Agency; Office of Emergency Management; Water Security Division.
Sector: Commercial facilities; Government council members: National Endowment for the Arts; US Dept. of Commerce; US Dept. of Education; US Dept. of Homeland Security; Immigration and Customs Enforcement's Federal Protective Service; Office of Infrastructure Protection, Risk Management Division; Private Sector Office; US Dept. of Housing and Urban Development; US Dept. of the Interior; US Environmental Protection Agency; US General Services Administration; US Secret Service; Ex Officio Members; US Dept. of Health and Human Services; US Dept. of Justice.
Sector: Commercial nuclear reactors, materials, and waste; Government council members: Nuclear Regulatory Commission; US Dept. of Defense; US Dept. of Energy; US Dept. of Homeland Security; Office of Infrastructure Protection, Chemical & Nuclear Preparedness and Protection Division; Science and Technology Directorate; US Coast Guard; US Dept. of Justice; Federal Bureau of Investigation; US Environmental Protection Agency.
Sector: Dams; Government council members: Federal Energy Regulatory Commission; State of California, Department of Water Resources; State of New Jersey, Department of Environmental Protection; State of Ohio, Department of Natural Resources; State of Virginia, Department of Conservation and Recreation; State of Washington, Department of Ecology; Tennessee Valley Authority; US Dept. of Agriculture, Natural Resources Conservation Service; US Dept. of Defense, US Army Corps of Engineers; US Dept. of Homeland Security; Office of Infrastructure Protection, Risk Management Division; US Dept. of Labor, Mine Safety and Health Administration; US Dept. of State, International Boundary and Water Commission; US Dept. of the Interior, Bureau of Reclamation; US Environmental Protection Agency.
Sector: Defense industrial base; Government council members: US Dept. of Defense; Assistant Secretary of Defense (Homeland Defense); Director, Defense Critical Infrastructure Program; Deputy Under Secretary of Defense (Industrial Policy); Director, Defense Procurement & Acquisition Policy; Deputy Under Secretary of Defense (International Technology Security); Director, Technology Assessments; Director, Defense Contract Management Agency; Director, Industrial Analysis Center; Deputy Under Secretary of Defense (Personnel & Readiness); Director, Readiness Programming and Assessment; Deputy Chief Information Officer; Office of the DASD for Information Management and Technology; Director, Architecture & Interoperability; Director, National Guard Bureau; Director, NGB-J3; US Dept. of Homeland Security; Office of the Assistant Secretary of Homeland Security (Infrastructure Protection); US Dept. of Treasury; Committee on Foreign Investment in the United States; Office of Critical Infrastructure Protection & Compliance Policy; US Dept. of Justice; Federal Bureau of Investigation; US Dept. of Commerce; Office of Strategic Industries and Economic Security, Bureau of Industry and Security.
Sector: Drinking water and water treatment systems; Government council members: Association of State and Interstate Water Pollution Control Administrators; Association of State Drinking Water Administrators; US Army Corps of Engineers; US Dept. of Agriculture; Natural Resources Conservation Service; US Dept. of Defense; US Dept. of Health and Human Services; US Dept. of Homeland Security; Information Analysis and Infrastructure Protection/Information Coordination Division; US Dept. of State; US Dept. of the Interior; Bureau of Reclamation; US Environmental Protection Agency.
Sector: Emergency services; Government council members: American Red Cross; US Dept. of Health and Human Services; US Dept. of Homeland Security; Border & Transportation Security; Office of Infrastructure Protection, Chemical & Nuclear Preparedness and Protection Division; Federal Emergency Management Agency; Fire Administration; Immigration Customs & Enforcement; Office of Infrastructure Protection, Infrastructure Partnerships Division; Infrastructure Programs Office; Office of Grants & Training; Office of Public Health Emergency Preparedness; Science and Technology Directorate; Office of State and Local Government Coordination; Office of Infrastructure Protection, Risk Management Division; US Coast Guard; US Dept. of Transportation; National Highway Traffic Safety Administration; US Secret Service.
Sector: Energy; Government council members: Federal Energy Regulatory Commission; National Association of Regulatory Utility Commissioners; National Association of State Energy Officials; US Dept. of Agriculture; Rural Utility Service; US Dept. of Defense; US Army Corps of Engineers; US Dept. of Energy; Office of Infrastructure Security and Energy Restoration; Western Area Power Administration; US Dept. of Homeland Security; Infrastructure Partnerships Division; Office of Infrastructure Protection, Risk Management Division; Transportation Security Administration; US Coast Guard; US Dept. of the Interior; Minerals Management Service; US Dept. of State; International Boundary and Water Commission; US Dept. of Transportation; Research & Special Programs Administration; Maritime Administration; US Environmental Protection Agency.
Sector: Government facilities; Government council members: US Capitol Police Intelligence Section; US Department of Agriculture; Office of Facility Security; US Department of Commerce; Anti-Terrorism Division; US Department of Defense; Office of the Assistant Secretary of Defense, Homeland Defense, Critical Infrastructure Protection; Office of Installations Requirements and Management; Air National Guard; US Department of Education; US Department of Energy; Office of the Deputy Under Secretary for Counterterrorism; US Department of Health and Human Services; Departmentwide Security; US Department of Homeland Security; Preparedness Directorate; Office of Infrastructure Protection; Risk Management Division; Infrastructure Partnerships Division; National Cyber Security Division; Science and Technology Directorate; Federal Emergency Management Administration; US Coast Guard; US Secret Service; Customs and Border Protection; Immigration and Customs Enforcement; US Department of Justice; US Marshals Service, Judicial Security Division, Judicial Security Systems; FBI, Special Advisor to the DHS G&T, Office of Law Enforcement Coordination; US Department of Labor; Director of Security; US Department of State; Bureau of Resources Management, Intelligence, Resources, and Planning, and Critical Infrastructure Protection; US Department of the Interior; Law Enforcement and Security; National Park Service; US Department of the Treasury; Critical Infrastructure Physical Security, Cyber Security; US Department of Transportation; Federal Aviation Administration, Security and Hazardous Materials, Internal Security Division; US Department of Veterans Affairs; Office of Security and Law Enforcement; US Postal Inspection Service; Administrative Offices of the US Courts - Court Security Office; Architect of the Capitol; Environmental Protection Agency; Federal Facilities Council; General Services Administration; Interagency Security Committee; National Aeronautical and Space Administration; National Archives and Records Administration; National Center for State Courts; Office of Personnel Management; Social Security Administration.
Sector: Information technology; Government council members: Director of National Intelligence; Metropolitan Information Exchange; National Association of State Chief Information Officers; National Institute of Standards and Technology; Office of Management and Budget; US Dept. of Commerce; US Dept. of Defense; US Dept. of Homeland Security; US Dept. of Justice; US Dept. of State; US Dept. of the Treasury.
Sector: National monuments and icons; Government council members: National Archives and Records Administration; Smithsonian Institute; US Capitol Police; US Dept. of Defense; US Dept. of Homeland Security; Immigration and Customs Enforcement, Office of Federal Protective Service; US Dept. of the Interior; National Park Service; US Park Police; US Secret Service.
Sector: Postal and shipping; Government council members: US Dept. of Defense; US Dept. of Health and Human Services; Office of Public Health Emergency Preparedness; Food and Drug Administration; US Dept. of Homeland Security; Customs and Border Protection; Preparedness Directorate; Science and Technology Directorate; US Dept. of Justice.
Sector: Public health and healthcare; Government council members: American Red Cross; Association of Public Health Laboratories; Association of State and Territorial Health Officials; District of Columbia Department of Health; Federal Emergency Management Administration; General Services Administration; Indian Health Service Tribal Council; National Association of County and City Health Officials; US Dept. of Agriculture; US Dept. of Defense; US Dept. of Health and Human Services; US Dept. of Homeland Security; US Dept. of Transportation; US Dept. of Veterans Affairs; US Environmental Protection Agency; US Postal Service; White House Office of Science and Technology Policy.
Sector: Telecommunications; Government council members: Federal Communications Commission; US Dept. of Commerce; National Telecommunications and Information Administration; US Dept. of Defense; Office of the Secretary of Defense, Networks and Information Integration; US Dept. of Homeland Security; National Communication System; Preparedness Directorate, National Cyber Security Division; US Dept. of Justice; US General Services Administration.
Sector: Transportation systems; Government council members: US Dept. of Defense; US Dept. of Energy; US Dept. of Homeland Security; Infrastructure Partnerships Division; Transportation Security Administration; US Coast Guard; US Dept. of Transportation.
Source: Government council representatives and DHS.
[End of table]
[End of section]
Appendix III: Sector Council Membership, by Sector as of August 2006:
Sector: Agriculture and food; Sector council members: Agricultural Retailers Association; American Farm Bureau Federation; CF Industries, Inc; CropLife America; Food Marketing Institute; Food Products Association; International Association of Refrigerated Warehouses; International Dairy Foods Association; International Food Service Distributors Association; International In-flight Food Service Association; International Warehouse Logistics Association; McCormick & Company, Inc; National Association of Convenience Stores; National Cattlemen's Beef Association; National Corn Growers Association; National Food Service Security Council; National Milk Producers Federation; National Pork Producers Association; National Restaurant Association; National Retail Federation; TD Enterprises; United Fresh Fruit & Vegetable Association.
Sector: Banking and finance; Sector council members: American Bankers Association; American Council of Life Insurers; American Insurance Association; American Society for Industrial Security International; America's Community Bankers; BAI; BITS/The Financial Services Roundtable; Chicago Mercantile Exchange; ChicagoFIRST, LLC; CLS Group; Consumer Bankers Association; Credit Union National Association; Fannie Mae; Financial Information Forum; Futures Industry Association; Independent Community Bankers of America; Investment Company Institute; Managed Funds Association; NACHA--The Electronic Payments Association; National Association of Federal Credit Unions; National Association of Securities Dealers; New York Board of Trade; Securities Industry Association; Securities Industry Automation Corporation; The Bond Market Association; The Clearing House; The Depository Trust & Clearing Corporation; The NASDAQ Stock Market, Inc; The Options Clearing Corporation; VISA USA Inc.
Sector: Chemical; Sector council members: American Chemistry Council; American Forest & Paper Association; Agriculture Retailers Association; Chemical Producers & Distributors Association; Chlorine Chemistry Council; Compressed Gas Association; Crop Life America; Independent Liquid Terminals Association; Dupont; Institute of Makers of Explosives; International Institute of Ammonia Refrigeration; National Association of Chemical Distributors; National Paint & Coatings Association; National Petrochemical & Refiners Association; Synthetic Organic Chemical Manufacturers Association; The Adhesive and Sealant Council; The Chlorine Institute; The Fertilizer Institute; The Society of the Plastics Industry, Inc.
Sector: Commercial facilities; Sector council members: The council is comprised of 30 individuals who represent the eight subcouncils. These subcouncils currently incorporate over 200 members. Coordination across subcouncils happens at the council level. Subcouncils are: Public Assembly Facilities; Sports Leagues; Resorts; Lodging; Outdoor Event Facilities; Entertainment and Media; Real Estate; and Retail.
Sector: Commercial nuclear reactors, materials, and waste; Sector council members: Arizona Public Service Company; Constellation Energy Generation Group; Dominion Energy; Dominion Generation; Entergy Operations; Exelon Generation Company, LLC; General Electric Energy Nuclear Energy; National Institute of Standards and Technology; Nuclear Energy Institute; Southern Nuclear Company; USEC Inc.
Sector: Dams; Sector council members: Allegheny Energy; Ameren Services Company; American Electric Power; Association of State Dam Safety Officials; AVISTA Utilities; Canadian Dam Association; Chelan County; CMS Energy; Dominion Resources; Duke Energy Corporation; Exelon Corporation; National Hydropower Association; National Mining Association; New York City, Department of Environmental Protection; New York Power Authority; Pacific Gas & Electric Company; PPL Corporation; Scana Corporation; South Carolina Public Service Authority; Southern California Edison; Southern Company Generation; TransCanada; United States Society of Dams; Xcel Energy Corporation.
Sector: Defense industrial base; Sector council members: Aerospace Industries Association; American Society for Industrial Security; Armed Forces Communications and Electronics Association; Contractor Secret Asset Programs Security Working Group; Industrial Security Working Group; National Classification Management Society; National Defense Industrial Association.
Sector: Drinking water and water treatment systems; Sector council members: The council consists of two owner/operator representatives, along with one non-voting association staff member, from each of the eight water associations; Alexandria Sanitation Authority; American Water; American Water Works Association; American Water Works Association Research Foundation; Association of Metropolitan Water Agencies; Bean Blossom Patricksburg Water Corporation; Boston Water and Sewer Commission; Breezy Hill Water and Sewer Company; City of Portland Bureau of Environmental Services; City of Richmond, Department of Public Utilities; Columbus Water Works; East Bay Municipal Utility District; Fairfax Water; Greenville Water System; Los Angeles Department of Water and Power; Manchester Water Works; National Association of Clean Water Agencies; National Association of Water Companies; National Rural Water Association; New York City Department of Environmental Protection; Pima County Wastewater Management Department; United Water; Water Environment Federation; Water Environment Research Foundation.
Sector: Emergency services; Sector council members: International Association of Chiefs of Police; International Association of Emergency Managers; International Association of Fire Chiefs; National Association of State EMS Officials; National Emergency Management Association; National Sheriff's Association.
Sector: Energy; Sector council members: American Gas Association; American Petroleum Institute; American Public Gas Association; Anadarko Canada Corp; Anadarko Petroleum Corporation; Arizona Public Service Company; Association of Oil Pipe Lines; BP; Canadian Association of Petroleum Producers; Chevron Corporation; ConocoPhillips; Domestic Petroleum Council; Dominion Resources Inc; Edison Chouest Offshore, LLC; El Paso Corp; Energy ISAC; Exelon Corporation; ExxonMobil; Gas Processors Association; Independent Electricity System Operator, Ontario Canada; Independent Liquid Terminals Association; Independent Petroleum Association of America; International Association of Drilling Contractors; Interstate Natural Gas Association of America; Leffler Energy; Marathon Petroleum Company, LLC; National Association of Convenience Stores; National Ocean Industries Association; National Petrochemical & Refiners Association; National Propane Gas Association; National Rural Electric Cooperative Association; New York Independent System Operator; Newfoundland Ocean Industries Association; NiSource, Inc; North American Electric Reliability Council; Offshore Marine Service Association; Offshore Operators Committee; Petroleum Marketers Association of America; Reliability First Corporation; Rowan Companies, Inc; Shell Oil Company; Shipley Stores, LLC; Society of Independent Gasoline Marketers of America; Southern Company Services, Inc; U.S. Oil & Gas Association; Valero Energy Corporation; Western States Petroleum Association.
Sector: Government facilities; Sector council members: Not applicable[A].
Sector: Information technology; Sector council members: Bell Security Solutions Inc; BellSouth Corporation; Center for Internet Security; Cisco Systems, Inc; Citadel Security Software, Inc; Computer and Communications Industry Association; CA, Inc; Computer Sciences Corporation; Computing Technology Industry Association; Cyber Security Industry Alliance; Electronic Industries Alliance; Entrust, Inc; EWA Information & Infrastructure Technologies, Inc; IBM Corporation; Information Systems Security Association; Information Technology - Information Sharing & Analysis Center; Information Technology Association of America; Intel Corporation; International Security, Trust, and Privacy Alliance; International Systems Security Engineering Association; Internet Security Alliance; Internet Security Systems; KPMG LLC; Lockheed Martin; McAfee, Inc; Microsoft Corporation; NTT America; R&H Security Consulting LLC; Seagate Technology; Symantec Corporation; U.S. Internet Service Provider Association; Unisys Corporation; VeriSign; Verizon.
Sector: National monuments and icons; Sector council members: Not applicable[A].
Sector: Postal and shipping; Sector council members: DHL; FedEx Corp; United Parcel Service; US Postal Service.
Sector: Public health and healthcare; Sector council members: AABB (formerly the American Association of Blood Banks); Advanced Medical Technology Association (AdvaMed); Aiken Regional Medical Centers; Air Force Medical Support Agency, Medical Logistics Division; American Association of Colleges of Nursing; American Association of Occupational Health Nurses, Inc; American College of Occupational & Environmental Medicine; American Hospital Association; American Industrial Hygiene Association; American Medical Association; American Medical Depot; American Nurses Association; American Red Cross; Association for Healthcare Resources & Materials Management; Association of State and Territorial Directors of Nursing; Association of State and Territorial Health Officials; BASF Corporation; Baylor Healthcare System; Biotechnology Industry Organization; BlueCross BlueShield Association; California Hospital Association; Cedars-Sinai Hospital; Chamber of Commerce Manhattan Beach; Childrens Hospital Los Angeles; Columbia University School of Nursing; Concentra, Inc; Cremation Association of North America; Cumberland Plateau Health District, Buchanan, Dickenson, Russell and Tazewell County Health Departments; Dartmouth Hitchcock Medical Center; DST Output; Duke University Medical Center; Eli Lilly; ER One Institutes for Innovation in Medicine/Institute for Medical Informatics, Washington Hospital Center; Exponent, Inc; ExxonMobil; Florida Department of Health/Office of Public Health Nursing; Florida Hospital Association; Greater NY [City] Hospital Association; Health Industry Distributors Association; Health Information and Management Systems Society; Healthways, Inc; HemoSense, Inc; Henry Schein, Inc; Hill-Rom; Honeywell International; Hospital Association of Southern California; ICFA - International Cemetery & Funeral Association; ICTM/Intercet, Ltd; INOVA Health System; International Chemical Workers Union Council/United Food and Commercial Workers; International Coalition for Mass Casualty Education; James B. Haggin Memorial Hospital; John Deere Harvester Works; Johns Hopkins University/Johns Hopkins Health System; Johnson & Johnson Health Care Systems; Joint Council on Accreditation of Healthcare Organizations; Kaiser Permanente/TPMG Executive Offices; Kent & O'Connor; LA Biomedical Research; LabCorp; Los Angeles Chamber of Commerce; McKesson; MedStar Health, Washington National Medical Center; Memorial Sloan Kettering Cancer Center; Metropolitan Chicago Hospital Council; Nassau County, NY Office of Emergency Management; National Association of County and City Health Officials; National Council of State Boards of Nursing; National Defense University/Information Resources Management College; National Funeral Directors and Mortuary Association; National Funeral Directors Association; Nevada Hospital Association; Occidental Chemical Corporation; Ochsner Foundation Hospital; Owens & Minor; Pfizer; Pharmaceutical Research and Manufacturers of America; PSE&G (Exelon Electric & Gas); Quest Diagnostics; Samaritan Health Services; The George Washington University Medical Center; The Regence Group; The Regional Medical Center, Cook and Associates; United States Army Medical Research Institute of Chemical Defense; University of Illinois at Chicago, School of Public Health; University of North Carolina, School of Public Health; University of Pittsburgh Medical Center; Vanderbilt School of Nursing; Vanderbilt University; Vanderbilt University Medical Center; VerdaSee Solutions, Inc.
Sector: Telecommunications; Sector council members: Americom; AT&T; BellSouth; Boeing; Cellular Telecommunications & Internet Association; Cincinnati Bell; Cingular Wireless; Cisco Systems; Computer Sciences Corporation; Internet Security Alliance; Intrado; Level 3 Communications; Lucent Technologies; McLeodUSA; Qwest Communications; Rural Cellular Association; Satellite Industry Association; Savvis; Sprint-Nextel; Telecommunications Industry Association; U.S. Internet Service Provider Association; United Telecom Council; USTelecom Association; VeriSign; Verizon.
Sector: Transportation systems; Sector council members: Council not yet developed.
Source: Sector council representatives and DHS.
[A] There is no private sector component to this sector.
[End of table]
[End of section]
Appendix IV: GAO Contact and Staff Acknowledgments:
GAO Contact: Eileen R. Larence (202) 512-8777:
Staff Acknowledgments: In addition to those named above, R.E. Canjar, William Carrigg, Michael Gilmore, Thomas Lombardi, Linda Miller, Dave Powner, Susan H. Quinlan, Nik Rapelje, Deena D. Richart, and E. Jerry Seigler made key contributions to this report.
[End of section]
Related GAO Products:
Critical Infrastructure Protection: DHS Leadership Needed to Enhance Cybersecurity. GAO-06-1087T. Washington, D.C.: Sept. 13, 2006.
Internet Infrastructure: DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan. GAO-06-672. Washington, D.C.: June 16, 2006.
Information Sharing: DHS Should Take Steps to Encourage More Widespread Use of Its Program to Protect and Share Critical Infrastructure Information. GAO-06-383. Washington, D.C.: April 17, 2006.
Information Sharing: The Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information. GAO-06-385. Washington, D.C.: March 17, 2006.
Homeland Security: DHS Is Taking Steps to Enhance Security at Chemical Facilities, but Additional Authority Is Needed. GAO-06-150. Washington, D.C.: January 27, 2006.
Passenger Rail Security: Enhanced Federal Leadership Needed to Prioritize and Guide Security Efforts. GAO-05-851. Washington, D.C.: September 9, 2005.
Critical Infrastructure Protection: Challenges in Addressing Cybersecurity. GAO-05-827T. Washington, D.C.: July 19, 2005.
Homeland Security: Actions Needed to Better Protect National Icons and Federal Office Buildings from Terrorism. GAO-05-790. Washington, D.C.: June 24, 2005.
Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities. GAO-05-434. Washington, D.C.: May 26, 2005.

Protection of Chemical and Water Infrastructure: Federal Requirements, Actions of Selected Facilities, and Remaining Challenges. GAO-05-327. Washington, D.C.: March 28, 2005.

High-Risk Series: An Update. GAO-05-207. Washington, D.C.: January 1, 2005.

Homeland Security: Further Actions Needed to Coordinate Federal Agencies' Facility Protection Efforts and Promote Key Practices. GAO-05-49. Washington, D.C.: November 30, 2004.

Financial Market Preparedness: Improvements Made, but More Action Needed to Prepare for Wide-Scale Disasters. GAO-04-984. Washington, D.C.: September 27, 2004.

Public Key Infrastructure: Examples of Risks and Internal Control Objectives Associated with Certification Authorities. GAO-04-1023R. Washington, D.C.: August 10, 2004.

Critical Infrastructure Protection: Improving Information Sharing with Infrastructure Sectors. GAO-04-780. Washington, D.C.: July 9, 2004.

Technology Assessment: Cybersecurity for Critical Infrastructure Protection. GAO-04-321. Washington, D.C.: May 28, 2004.

Critical Infrastructure Protection: Establishing Effective Information Sharing with Infrastructure Sectors. GAO-04-699T. Washington, D.C.: April 21, 2004.

Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems. GAO-04-628T. Washington, D.C.: March 30, 2004.

Water Infrastructure: Comprehensive Asset Management Has Potential to Help Utilities Better Identify Needs and Plan Future Investments. GAO-04-461. Washington, D.C.: March 19, 2004.

Critical Infrastructure Protection: Challenges and Efforts to Secure Control Systems. GAO-04-354. Washington, D.C.: March 15, 2004.

Information Security: Status of Federal Public Key Infrastructure Activities at Major Federal Departments and Agencies. GAO-04-157. Washington, D.C.: December 15, 2003.
Posthearing Questions from the September 17, 2003, Hearing on "Implications of Power Blackouts for the Nation's Cybersecurity and Critical Infrastructure Protection: The Electric Grid, Critical Interdependencies, Vulnerabilities, and Readiness". GAO-04-300R. Washington, D.C.: December 8, 2003.

Critical Infrastructure Protection: Challenges in Securing Control Systems. GAO-04-140T. Washington, D.C.: October 1, 2003.

Transportation Security Research: Coordination Needed in Selecting and Implementing Infrastructure Vulnerability Assessments. GAO-03-502. Washington, D.C.: May 1, 2003.

Critical Infrastructure Protection: Challenges for Selected Agencies and Industry Sectors. GAO-03-233. Washington, D.C.: February 28, 2003.

Potential Terrorist Attacks: More Actions Needed to Better Prepare Critical Financial Markets. GAO-03-468T. Washington, D.C.: February 12, 2003.

Critical Infrastructure Protection: Efforts of the Financial Services Sector to Address Cyber Threats. GAO-03-173. Washington, D.C.: January 30, 2003.

Critical Infrastructure Protection: Significant Challenges Need to Be Addressed. GAO-02-961T. Washington, D.C.: July 24, 2002.

Critical Infrastructure Protection: Federal Efforts Require a More Coordinated and Comprehensive Approach for Protecting Information Systems. GAO-02-474. Washington, D.C.: July 15, 2002.

Critical Infrastructure Protection: Significant Homeland Security Challenges Need to Be Addressed. GAO-02-918T. Washington, D.C.: July 9, 2002.

Information Sharing: Practices That Can Benefit Critical Infrastructure Protection. GAO-02-24. Washington, D.C.: October 15, 2001.

Critical Infrastructure Protection: Significant Challenges in Safeguarding Government and Privately Controlled Systems from Computer-Based Attacks. GAO-01-1168T. Washington, D.C.: September 26, 2001.

Combating Terrorism: Selected Challenges and Related Recommendations. GAO-01-822. Washington, D.C.: September 20, 2001.
Critical Infrastructure Protection: Significant Challenges in Protecting Federal Systems and Developing Analysis and Warning Capabilities. GAO-01-1132T. Washington, D.C.: September 12, 2001.

FOOTNOTES

[1] Pub. L. No. 107-296, 116 Stat. 2135 (2002).

[2] These critical infrastructure and key resource sectors include: agriculture and food; banking and finance; chemical; commercial facilities; commercial nuclear reactors, materials and waste; dams; defense industrial base; drinking water and water treatment systems; emergency services; energy; government facilities; information technology; national monuments and icons; postal and shipping; public health and healthcare; telecommunications; and transportation systems. Critical infrastructure are systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on national security, national economic security, and national public health or safety, or any combination of those matters. Key resources are publicly or privately controlled resources essential to minimal operations of the economy or government, including individual targets whose destruction would not endanger vital systems but could create a local disaster or profoundly damage the nation's morale or confidence. For purposes of this report, we will use the term critical infrastructure to also include key resources.

[3] DHS is the sector-specific agency for ten sectors: information technology; telecommunications; transportation systems; chemical; emergency services; commercial nuclear reactors, material, and waste; postal and shipping; dams; government facilities; and commercial facilities.

[4] The government facilities sector and the national monuments and icons sector do not have sector councils because they have no private sector components.
[5] DHS's Office of Infrastructure Protection is to identify and assess current and future threats to the nation's physical and informational infrastructure and to issue warnings to prevent damage to the infrastructure that supports community and economic life. It is also responsible for oversight of NIPP development and implementation of the partnership model.

[6] See GAO, Information Sharing: Practices That Can Benefit Critical Infrastructure Protection, GAO-02-24 (Washington, D.C.: Oct. 15, 2001); Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, GAO-05-434 (Washington, D.C.: May 26, 2005); and Internet Infrastructure: DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan, GAO-06-672 (Washington, D.C.: June 16, 2006).

[7] The Federal Advisory Committee Act (FACA) (codified at 5 U.S.C. app. 2) was enacted, in part, to control the advisory committee process and to open to public scrutiny the manner in which government agencies obtain advice from private individuals and groups. See 648 F. Supp. 1353, 1358-59 (D.D.C. 1986). Pursuant to authority conferred by the Homeland Security Act, 6 U.S.C. § 451, DHS established the Critical Infrastructure Partnership Advisory Council as a FACA exempt body to support the free flow of information and the need for regular, interactive discussions concerning threats and vulnerabilities. See 71 Fed. Reg. 14,930 (Mar. 24, 2006).

[8] Owners and operators of these assets include private sector entities and, in some cases, state and local governments.

[9] There is no private sector component for the government facilities sector or the national monuments and icons sector, so these sectors established government councils but not private sector councils.

[10] GAO, Information Sharing: Practices That Can Benefit Critical Infrastructure Protection, GAO-02-24 (Washington, D.C.: Oct. 15, 2001).
[11] GAO, Critical Infrastructure Protection: Improving Information Sharing with Infrastructure Sectors, GAO-04-780 (Washington, D.C.: July 9, 2004).

[12] According to DHS officials within its Office of Infrastructure Protection, as of July 2006, it was in the process of re-bidding the support services for all councils.

[13] As noted earlier, DHS serves as the sector-specific agency for ten of the sectors: information technology; telecommunications; transportation systems; chemical; emergency services; commercial nuclear reactors, materials, and waste; postal and shipping; dams; government facilities; and commercial facilities. In addition, each government council is co-chaired by a DHS representative.

[14] GAO, Critical Infrastructure Protection: Department of Homeland Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, GAO-05-434 (Washington, D.C.: May 26, 2005).

[15] Council on Foreign Relations, Neglected Defense: Mobilizing the Private Sector to Support Homeland Security, CSR Number 13 (New York, N.Y.: March 2006).

[16] GAO, Internet Infrastructure: DHS Faces Challenges in Developing a Joint Public/Private Recovery Plan, GAO-06-672 (Washington, D.C.: June 16, 2006).

[17] The Federal Advisory Committee Act (codified at 5 U.S.C. app. 2) was enacted, in part, to control the advisory committee process and to open to public scrutiny the manner in which government agencies obtain advice from private individuals and groups. See 648 F. Supp. 1353, 1358-59 (D.D.C. 1986).

[18] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.: January 2005). Since 1990, we have periodically reported on government operations that we have identified as "high-risk." In January 2005, we designated information sharing for homeland security as a governmentwide high-risk area because, although information sharing was receiving increased attention, this area still faced significant challenges.
[19] GAO, Information Sharing: The Federal Government Needs to Establish Policies and Processes for Sharing Terrorism-Related and Sensitive but Unclassified Information, GAO-06-385 (Washington, D.C.: March 17, 2006).

[20] GAO, Information Sharing: DHS Should Take Steps to Encourage More Widespread Use of Its Program to Protect and Share Critical Infrastructure Information, GAO-06-383 (Washington, D.C.: Apr. 17, 2006).

[21] According to Department of Health and Human Services officials, there are thousands of entities that could be considered stakeholders in the sector. On the public side of the public health and healthcare sector, stakeholders include three cabinet level departments (the Department of Health and Human Services, the Department of Defense, and the Department of Veterans Affairs), 57 state and territorial authorities, 3,066 counties, and approximately 10,000 municipalities. On the private side (roughly 92 percent of the total sector), stakeholders are far more numerous. For example, there are over 6,500 hospitals, over 492,000 ambulatory healthcare facilities, and nearly 70,000 nursing and residential care facilities.

[22] DHS has delegated plan preparation responsibilities among several of its component agencies for the 10 sectors for which DHS is the designated sector-specific agency. Specifically, DHS's Office of Infrastructure Protection is the sector-specific agency for the chemical; commercial facilities; dams; emergency services; and commercial nuclear reactors, materials, and waste sectors. The Office of Cyber Security and Telecommunications is the sector-specific agency for the information technology and telecommunications sectors. The Transportation Security Administration (TSA) is the sector-specific agency for the postal and shipping sector and jointly shares responsibility for transportation systems with the U.S. Coast Guard. The Federal Protective Service is responsible for the government facilities sector.
[23] Two sectors, government facilities and national monuments and icons, do not have private sector councils.