Information Sharing
DHS Should Take Steps to Encourage More Widespread Use of Its Program to Protect and Share Critical Infrastructure Information
GAO ID: GAO-06-383 April 17, 2006
A wide array of cyber and physical assets is critical to America's national security, economic well-being, and public health and safety. Information related to threats, vulnerabilities, incidents, and security techniques is instrumental to guarding these critical infrastructures against attacks and mitigating the impact of attacks that may occur. The ability to share security-related information can unify the efforts of federal, state, and local government as well as the private sector, as appropriate, in preventing and minimizing terrorist attacks. The Critical Infrastructure Information Act of 2002 was enacted to encourage nonfederal entities to voluntarily share critical infrastructure information and established protections for it. The Department of Homeland Security (DHS) has a lead role in implementing the act. GAO was asked to determine (1) the status of DHS's efforts to implement the act and (2) the challenges it faces in carrying out the act.
DHS has issued interim operating procedures and created a Program Office to administer the critical infrastructure protection program called for by the Critical Infrastructure Information Act. The interim procedures designate the responsibilities and authority of the Program Manager, and establish requirements related to accepting, protecting, sharing, and using critical infrastructure information as required by the act. The Program Office has begun to accept and safeguard critical infrastructure information submitted voluntarily by infrastructure owners and is sharing it with other DHS entities and, on a limited basis, with other government entities. For example, as of January 2006, the Program Office had received about 290 submissions of critical infrastructure information from various sectors. The Program Office also has initiated outreach efforts to publicize the program to the public and private sectors. In addition, it has trained approximately 750 potential users in DHS and other federal, state, and local government entities how to handle protected critical infrastructure information. This training is a prerequisite to being allowed to view the information. The Program Office has also trained at least 16 federal and state officials how to establish programs in their own entities so they can receive protected critical infrastructure information from DHS and then be authorized to store and share it. DHS faces challenges that impede the private sector's willingness to share sensitive information. Key challenges include defining specific government needs for critical infrastructure information, determining how the information will be used, assuring the private sector that the information will be protected and who will be authorized to have access to the information, and demonstrating to critical infrastructure owners the benefits of sharing the information. 
If DHS were able to surmount these challenges, it and other government users may begin to overcome the lack of trust that critical infrastructure owners have in the government's ability to use and protect their sensitive information.
This is the accessible text file for GAO report number GAO-06-383
entitled 'Information Sharing: DHS Should Take Steps to Encourage More
Widespread Use of Its Program to Protect and Share Critical
Infrastructure Information' which was released on May 17, 2006.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as part
of a longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
April 2006:
Information Sharing:
DHS Should Take Steps to Encourage More Widespread Use of Its Program
to Protect and Share Critical Infrastructure Information:
GAO-06-383:
GAO Highlights:
Highlights of GAO-06-383, a report to congressional requesters.
Why GAO Did This Study:
A wide array of cyber and physical assets is critical to America's
national security, economic well-being, and public health and safety.
Information related to threats, vulnerabilities, incidents, and
security techniques is instrumental to guarding these critical
infrastructures against attacks and mitigating the impact of attacks
that may occur. The ability to share security-related information can
unify the efforts of federal, state, and local government as well as
the private sector, as appropriate, in preventing and minimizing
terrorist attacks. The Critical Infrastructure Information Act of 2002
was enacted to encourage nonfederal entities to voluntarily share
critical infrastructure information and established protections for it.
The Department of Homeland Security (DHS) has a lead role in
implementing the act. GAO was asked to determine (1) the status of
DHS's efforts to implement the act and (2) the challenges it faces in
carrying out the act.
What GAO Found:
DHS has issued interim operating procedures and created a Program
Office to administer the critical infrastructure protection program
called for by the Critical Infrastructure Information Act. The interim
procedures designate the responsibilities and authority of the Program
Manager, and establish requirements related to accepting, protecting,
sharing, and using critical infrastructure information as required by
the act. The Program Office has begun to accept and safeguard critical
infrastructure information submitted voluntarily by infrastructure
owners and is sharing it with other DHS entities and, on a limited
basis, with other government entities. For example, as of January 2006,
the Program Office had received about 290 submissions of critical
infrastructure information from various sectors. The Program Office
also has initiated outreach efforts to publicize the program to the
public and private sectors. In addition, it has trained approximately
750 potential users in DHS and other federal, state, and local
government entities how to handle protected critical infrastructure
information. This training is a prerequisite to being allowed to view
the information. The Program Office has also trained at least 16
federal and state officials how to establish programs in their own
entities so they can receive protected critical infrastructure
information from DHS and then be authorized to store and share it. DHS
faces challenges that impede the private sector's willingness to share
sensitive information. Key challenges include:
* defining specific government needs for critical infrastructure
information,
* determining how the information will be used,
* assuring the private sector that the information will be protected
and who will be authorized to have access to the information, and
* demonstrating to critical infrastructure owners the benefits of
sharing the information.
If DHS were able to surmount these challenges, it and other government
users may begin to overcome the lack of trust that critical
infrastructure owners have in the government's ability to use and
protect their sensitive information.
What GAO Recommends:
GAO is recommending that the Secretary of Homeland Security, among
other things, better define DHS's and other federal agencies' critical
infrastructure information needs, and explain how DHS and the other
agencies will use the information received from the private sector. In
oral comments on a draft of this report, DHS concurred with our
findings and recommendations.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-06-383].
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Dave Powner at
202-512-9286, Pownerd@gao.gov or Eileen Larence at 202-512-6510,
Larencee@gao.gov.
[End of Section]
Contents:
Letter:
Results in Brief:
Background:
As Required by the CII Act, DHS Has Established Procedures, Organized a
Program Office, and Received and Shared Information:
DHS Faces Challenges in Implementing the CII Act:
Conclusions:
Recommendations for Executive Action:
Agency Comments:
Appendixes:
Appendix I: Objectives, Scope, and Methodology:
Appendix II: Procedures for Processing CII and Accrediting Entities:
Processing CII:
Accrediting Entities to Receive PCII:
Appendix III: GAO Contacts and Staff Acknowledgments:
Figures:
Figure 1: Efforts Related to CII Act Implementation:
Figure 2: Diagram of the PCII Submission, Validation, and Sharing
Process:
Figure 3: Accreditation Program:
Abbreviations:
CII: critical infrastructure information:
DHS: Department of Homeland Security:
FEMA: Federal Emergency Management Agency:
ISAO: Information Sharing and Analysis Organization:
MOA: memorandum of agreement:
NCSD: National Cyber Security Division:
NIPP: National Infrastructure Protection Plan:
NSA: National Security Agency:
OMB: Office of Management and Budget:
PCII: protected critical infrastructure information:
PCIIMS: protected critical infrastructure information management system:
Letter:
April 17, 2006:
The Honorable Tom Davis:
Chairman, Committee on Government Reform:
House of Representatives:
The Honorable Todd Platts:
Chairman, Subcommittee on Government Management, Finance, and
Accountability:
Committee on Government Reform:
House of Representatives:
The Honorable Robert Bennett:
United States Senate:
Information about threats, vulnerabilities, and incidents is a crucial
tool in fighting terrorism and protecting the nation's critical
infrastructures--those cyber and physical assets essential to national
security, national economic security, and national public health and
safety. Because the private sector owns a large percentage of the
nation's critical infrastructure--such as banking and financial
institutions, telecommunications networks, and energy production and
transmission facilities--public/private partnerships are crucial for
successful critical infrastructure protection. The ability to share
security-related information can unify the efforts of federal, state,
and local governments as well as the private sector, as appropriate, to
prevent and minimize terrorist attacks.
We have reported previously on critical success factors and challenges
in the information-sharing relationships between public and private
entities for critical infrastructure protection.[Footnote 1] In
addition, in January 2005, we designated information sharing to improve
homeland security, including critical infrastructure protection, as a
governmentwide high-risk area because, while receiving increased
attention, the issue still poses significant challenges.[Footnote 2]
The Homeland Security Act of 2002 created the Department of Homeland
Security (DHS) and gave it wide-ranging responsibilities for critical
infrastructure protection. Among other things, the Homeland Security
Act required DHS to develop a comprehensive national plan for securing
the nation's critical infrastructures; recommend measures to protect
key infrastructures; and access, receive, analyze, and disseminate, as
appropriate, information on terrorist threats to these assets.
The Critical Infrastructure Information (CII) Act of 2002 was enacted
into law as part of the Homeland Security Act. The CII Act required
that DHS establish procedures for the receipt, care, and storage of CII
voluntarily submitted to the government.[Footnote 3] The act was
intended to encourage infrastructure owners to voluntarily share
sensitive information, including vulnerability assessments and security
methods, by providing rigorous protection mechanisms to ensure that the
information would not be inappropriately released and used. The act
authorized the federal government to use the information to issue
advisories, alerts, and warnings regarding threats to critical
infrastructures that the private sector and others could use to enhance
protection measures.
In response to your request, our objectives were to determine (1) the
status of DHS's efforts to implement the CII Act and (2) the challenges
it faces in carrying out the act. To determine the status of DHS's
efforts, we analyzed the relevant laws and interim procedures[Footnote
4] that DHS issued in 2004 laying out the structure and processes for
the program, and public comments on the interim procedures. We also
reviewed related strategies, policies, procedures, controls, and tools
used for the receipt, care, and storage of CII, and interviewed key DHS
officials such as the Protected CII Program Manager. We compared what
was expected under the CII Act with what had been accomplished by DHS.
To determine the challenges in implementing the act, we analyzed and
reviewed reports by private sector advisory councils and critical
infrastructure protection experts and held interviews with
representatives from DHS, federal agencies, state and local
governments, private sector entities, and public interest groups. We
also relied on prior GAO work on information sharing between federal
and nonfederal entities. Appendix I provides additional details on our
objectives, scope, and methodology. Our work was conducted from May
2005 to February 2006 in accordance with generally accepted government
auditing standards.
Results in Brief:
DHS has issued interim operating procedures and created a Program
Office to administer the critical infrastructure protection program
called for by the CII Act. The interim procedures designate the
responsibilities and authority of the Program Manager and establish
requirements related to accepting, protecting, sharing, and using CII
as required by the act. The Program Office has begun to accept and
safeguard information submitted voluntarily by infrastructure owners
and is sharing it with other DHS entities and, on a limited basis, with
other government entities. The Program Office has been designating
information that it determines to meet the act's requirements as
"protected CII." For example, as of January 2006, the Program Office
had received about 290 submissions of CII from various sectors. The
Program Office has also initiated outreach efforts to publicize the
program to the public and private sectors. In addition, it has trained
approximately 750 potential users in DHS and other federal, state, and
local government entities how to handle protected critical
infrastructure information (PCII). This training is a prerequisite to
being allowed to view the information. The Program Office has also
trained at least 16 federal and state officials how to establish
programs in their own entities so they can receive PCII from DHS and
then be authorized to store and share it.
DHS faces a number of challenges that impede the private sector's
willingness to share sensitive information. These challenges include
defining specific government needs for CII, determining how the
information will be used, assuring the private sector that the
information will be protected and who will be authorized to have access
to it, and demonstrating to critical infrastructure owners the benefits
of sharing the information. For example, DHS has not defined its
specific needs nor has it determined how it will use information
submitted under the program. In addition, DHS has not yet used the
information to issue any advisories, alerts, or warnings. This lack of
specificity and use has impeded the willingness of potential submitters
to provide their sensitive information to DHS. If DHS were able to
surmount these challenges, it and other government users may begin to
overcome the lack of trust that critical infrastructure owners have in
the government's ability to use and protect their sensitive
information.
To encourage more individuals, private sector entities, and state and
local governments that own the critical infrastructure to submit
information under the program so that more entities will have access to
the information they may need to protect these assets, we are
recommending that the Secretary of Homeland Security take a number of
actions, including better defining the CII needs of the department and
other federal agencies with critical infrastructure responsibilities,
defining how DHS and the other agencies will use the information
received from the private sector, and expanding efforts to use
incentives to encourage more users.
In oral comments on a draft of this report, an audit liaison official
from the DHS Departmental GAO/OIG Liaison Office stated that DHS
concurred with our findings and recommendations. DHS officials (as well
as others who were cited in this report) also provided technical
corrections that we have incorporated in this report as appropriate.
Background:
Information sharing is an important part of activities that enhance the
security of our nation's cyber and physical public and private
infrastructures. Federal law and policy related to critical
infrastructure protection activities recognize the importance of
sharing information about threats, vulnerabilities, and incidents and
call for related initiatives. Federal agencies and the private sector
have jointly attempted to implement these initiatives for a number of
years. The CII Act provides a mechanism to encourage nonfederal
entities to voluntarily share sensitive information pertaining to the
security and vulnerabilities of their critical infrastructure assets
with the federal government, and for that information to be shared with
the appropriate federal, state, and local governments for the purposes
of analyzing threats and vulnerabilities and issuing alerts and
warnings.
Federal Law and Policy Call for Improved Information Sharing:
Since 2002, legislation, national strategies, and executive directives
have specified actions to improve information sharing for homeland
security:
* The Homeland Security Act of 2002[Footnote 5] created DHS and
assigned it critical infrastructure protection responsibilities,
including (1) developing a comprehensive national plan for securing the
key resources and critical infrastructures of the United States; (2)
recommending measures to protect the key resources and critical
infrastructures of the United States in coordination with other groups;
(3) accessing, receiving, and analyzing law enforcement, intelligence,
and other threat and incident information to identify and assess the
nature and scope of terrorist threats; and (4) disseminating, as
appropriate, information to assist in the deterrence, prevention, and
preemption of or response to terrorist attacks. In addition, it
included specific mechanisms intended to improve information sharing,
including the CII Act (discussed in the next section) and the Homeland
Security Information Sharing Act.[Footnote 6]
* In 2002 and 2003, the White House's National Strategy for Homeland
Security and its implementing strategies, the National Strategy to
Secure Cyberspace and the National Strategy for the Physical Protection
of Critical Infrastructures and Key Assets, also highlighted federal
actions to promote two-way information-sharing mechanisms.[Footnote 7]
* Issued in December 2003, Homeland Security Presidential Directive 7
established a national policy for federal departments and agencies to
identify and prioritize U.S. critical infrastructure and key resources
and to protect them from terrorist attack. It defined roles and
responsibilities for DHS and agencies with critical infrastructure
protection responsibilities to coordinate activities and to encourage
the development of information sharing and analysis mechanisms and to
support coordinating mechanisms. It required that DHS (1) produce a
national infrastructure protection plan (NIPP) summarizing initiatives
for sharing information, including providing threat warning data to
state and local governments and the private sector, and (2) establish
the appropriate systems, mechanisms, and procedures to share homeland
security information with other federal departments and agencies, state
and local governments, and the private sector in a timely manner.
* In January 2006, the draft NIPP recognized the importance of an
information-sharing network and policies and protocols for vetting and
disseminating information among both government and private sector
partners.[Footnote 8] It identified 17 critical infrastructure sectors,
with sector-specific agencies for each--agriculture and food; public
health and healthcare; drinking water and wastewater treatment systems;
energy (except nuclear power facilities); banking and finance; national
monuments and icons; defense industrial base; chemical; commercial
facilities; dams; emergency services; commercial nuclear reactors,
materials, and waste; information technology; telecommunications;
postal and shipping; transportation systems; and government facilities.
In addition, the draft NIPP stated that a final PCII rule is expected
in 2006. It also required that, upon signing the letter of agreement
with DHS regarding critical infrastructure protection responsibilities,
sector-specific agencies would commit to protecting critical
infrastructure data according to the Protected Critical Infrastructure
Information Program and to sharing NIPP-related information as
appropriate. However, at the time of our review, DHS was uncertain when
the final NIPP would be released.
CII Act Establishes Protection for Voluntarily Submitted Critical
Infrastructure Information to Encourage Sharing:
The CII Act was enacted into law as Title II, Subtitle B, of the
Homeland Security Act. According to the act, CII is information that is
related to the security of critical infrastructure or protected systems
and that is not customarily in the public domain. Such information
includes (1) actual, potential, or threatened interference with, attack
on, or incapacitation of critical infrastructure or protected systems
by either physical or computer-based attack; (2) the ability of any
critical infrastructure or protected system to resist such
interference, compromise, or incapacitation; or (3) any planned or past
operational problem or solution regarding critical infrastructure or
protected systems. To qualify for protections under the act, CII must
be voluntarily[Footnote 9] submitted to DHS by an individual, entity,
or information sharing and analysis organization.[Footnote 10] In
addition, CII submissions must be accompanied by a written or oral
"Express Statement" that states the information is voluntarily
submitted in expectation that it will be protected from disclosure
under the act. Voluntary submissions under the act cannot be an
alternative for compliance with other laws, such as the requirement to
submit data on a facility's emissions under the Clean Air Act. The CII
Act does not apply to information obtained independently through such
other laws or regulations.
Under the CII Act, voluntarily shared CII that meets the above
requirements receives protections that include:
* exemption from public disclosure under the Freedom of Information
Act;[Footnote 11]
* exemption from disclosure under state and local laws requiring
release of information or records; and:
* restrictions on sharing and use, such as restricting state officials
from sharing with other state officials or using the information in
civil actions.
The CII Act also imposes penalties for any federal employee who
knowingly and inappropriately discloses CII submissions. The possible
penalties include fines, imprisonment for not more than 1 year, or
both, and the loss of office or employment.
Key responsibilities assigned to DHS under the act are as follows:
1. A requirement for the Secretary of DHS to establish, in consultation
with appropriate representatives of the National Security Council and
the Office of Science and Technology Policy, uniform procedures for the
receipt, care, and storage of voluntary CII submissions to the
government. The act also specifies that the procedures include
mechanisms for:
* acknowledging the receipt of the voluntarily submitted CII;
* maintaining the identification of this information as voluntarily
submitted to the government under the act;
* caring for and storing such information; and:
* protecting and maintaining the confidentiality of the identity of the
person or entity that submitted information, or the information itself
if it is proprietary, is business-sensitive, relates specifically to
the submitting person or entity, or is otherwise not appropriately in
the public domain.
2. An authorization for either the President or the Secretary of
Homeland Security to designate a critical infrastructure protection
program within DHS to receive CII.
3. An authorization for DHS to share the information within the federal
government and with state and local governments, and that the federal
government may use the information to issue advisories, alerts, and
warnings using PCII as long as the identity of the source of the
information and proprietary, business-sensitive, or information related
specifically to a submitting entity is protected from disclosure.
As Required by the CII Act, DHS Has Established Procedures, Organized a
Program Office, and Received and Shared Information:
In February 2004, DHS issued an interim rule that established
procedures, as required by the CII Act, and created a Program Office to
administer the program. The office has developed and maintained
processes for accepting, protecting, and sharing CII; received about
290 submissions from critical infrastructure owners; begun some
outreach with potential submitters to increase information flow; shared
PCII on a limited basis with users in DHS and several other federal
entities; and trained approximately 750 potential users at DHS, other
federal, state, and local government entities and at least 16 state
and local officials how to establish their own programs.
DHS Has Established Procedures as Required by the CII Act:
DHS has issued procedures for the receipt, care, and storage of CII, as
required by the CII Act. In doing so, DHS first issued a proposed rule
on April 15, 2003, and solicited public comment on its provisions.
After consideration of the comments received on the proposed rule, DHS
issued an interim rule that was effective at the time of release on
February 20, 2004.[Footnote 12] In the interim rule, DHS invited
additional comments, stating that it would consider issuing
supplemental regulations. DHS received 32 sets of comments on the
interim rule from a wide variety of organizations and individuals that
raised concerns and offered suggestions and recommendations about
various aspects of the program. Currently, the Program Office is
operating under the interim rule.
The interim rule includes mechanisms specified by the act regarding:
* acknowledging to the submitter that the Program Office has received
the voluntarily submitted CII;
* maintaining the identification of this information as voluntarily
submitted to the government under the act;
* receiving, handling, storing, and properly marking information as
PCII, including reviewing submitted information, determining that it
meets the requirements for protection (a process known as validation),
and protecting it;
* safeguarding and maintaining the confidentiality of the submitter of
the information, but permitting the sharing of the information, as
determined by the Program Manager; and:
* protecting and maintaining the confidentiality of the information, so
as to permit (1) the sharing of it within the federal government and
with state and local governments and (2) the issuance of notices and
warnings related to the protection of critical infrastructure and
protected systems, in such a manner as to protect from public
disclosure the identity of the submitting person or entity or
information that is proprietary, is business-sensitive, relates
specifically to the submitting person or entity, and is otherwise not
appropriately in the public domain.
To accomplish these requirements, the interim rule established
authorities regarding the sharing of protected information with
federal, state, and local governments. Under the rule, the Program
Manager has the authority to decide what protected information to
provide to trained federal, state, or local government employees for
purposes that include analysis, warning, asset recovery,
reconstitution, and studies of the interdependence of critical
infrastructure sectors. For example, the information might be provided
if it is needed to study how the banking and finance sector depends on
the security of the telecommunications sector so that backup systems
can be developed in advance of an incident. In addition, the interim
rule states that the Program Manager can share information for other
purposes, including the identification, analysis, prevention,
preemption, or disruption of terrorist threats to the homeland.
Under the rule, the Program Manager is responsible for administering
the program, including (1) reviewing submissions to determine if they
meet the requirements for protection--referred to as validation, (2)
promulgating directives to operate the program, and (3) preparing
training materials as appropriate for the proper treatment of PCII. The
Program Manager is also required to establish procedures to ensure that
any federal, state, or local entity that wants to use the information
appoints one or more employees fully familiar with the procedures as
PCII officers. These officers are required to oversee the handling,
use, secure sharing, and storage of the information within their
respective entity; prevent unauthorized access to the information; and
coordinate with the Program Manager.
DHS Has Organized a Program Office, as Authorized by the CII Act:
In February 2004, DHS established a Program Office to receive CII.
During the course of our review, DHS reorganized and this office is now
under the Preparedness Directorate, Office of Infrastructure
Protection, and Infrastructure Partnership Division. The Program Office
is led by the Program Manager and includes a combination of full-time
federal and contractor employees. It is organized into four branches
that, among other things, (1) develop and maintain applicable processes
for information systems and networks, (2) receive submissions, (3)
communicate with submitters about the status of their submission, (4)
train users and entities that want to establish their own programs for
handling the information, and (5) share PCII.
At the Program Office's establishment, it published an initial,
internal procedures manual describing the activities to implement the
provisions of the act and the interim rule and providing guidance for
administration of the program. The manual describes the process that
(1) the submitters from the private sector and others are to use to
send the information to DHS and (2) the Program Office is to use to
validate that submitted CII meets the act's requirements for
protection. The manual also describes the process for sharing PCII with
authorized users within DHS, other federal entities, and state and
local governments.
The Program Office Has Received and Validated Submissions and Initiated
Efforts to Increase Submissions:
The CII Act specifies that DHS receive all submissions of CII. Once
received by the Program Office, the CII submission enters a validation
process for determining whether it qualifies for protection under the
act. If the qualifications are met, the submission is marked PCII and
is to be provided the protections in the act. If the qualifications are
not met, the submission is rejected and destroyed. Appendix II
discusses these processes in more detail.
As of January 2006, the Program Office had received 289 submissions, of
which 266 were validated as PCII, 8 were in the process of being
validated, 14 were rejected, and 1 was withdrawn. The validated
submissions include risk and vulnerability assessments about individual
infrastructure assets from a variety of critical infrastructure
sectors, such as the energy, agriculture and food, banking and finance,
and chemical sectors. In addition, entities have submitted data on
their operations and on security methods used to protect their assets.
According to program officials, submissions were rejected or withdrawn
generally because they did not meet the program's requirements, such as
not being submitted with an Express Statement or not being CII as
defined in the law, even after the Program Office contacted the
submitters for additional information to try to resolve this problem.
To manage the submissions, the Program Office developed, as directed in
the interim rule, and is using the Protected Critical Infrastructure
Information Management System (PCIIMS)--an electronic database that
tracks the receipt and storage of CII submissions, according to program
officials. For each submission, the system allows reviewing officials
to record the date of receipt, name of the submitter, description of
the information received, manner of acknowledgment, tracking number,
and validation status. Once a submission is validated as PCII, the
information is placed on a secured electronic storage device within the
Program Office. Staff in the Program Office reported that they are also
working on an updated version of the management system that is expected
to streamline and automate the validation process, reducing the time
needed to determine if submissions qualify for protection.
To increase submissions, the Program Office has initiated outreach
efforts to publicize the PCII program to the public and private
sectors. As part of its outreach efforts, the Program Office launched a
public Web site in March 2004, presenting program facts and answers to
frequently asked questions. In addition, the Program Office prepared
over 2,300 fact sheets and about 4,000 brochures that it distributed to
public and private stakeholders. It also activated e-mail and telephone
help lines to respond to inquiries or comments. To promote the PCII
program to private industry, the Program Office has discussed the
program in over 30 articles in trade publications, briefed
infrastructure sector representatives and participated in industry
conferences and seminars, and provided presentation kits that DHS
analysts use to explain the program to potential submitters.
In addition, the Program Office implemented an e-submissions process in
August 2005 to make submissions easier. According to the Program
Office, the benefits to e-submissions include increased transaction
speed, improved record-keeping efficiency, increased participation, and
improved security. Submitted files are encrypted in transit to prevent
access by anyone except Program Office staff and are stored in a
stand-alone database maintained at a secure location.
The Program Office is also collaborating with other information sharing
and collection efforts to make submission of CII easier. For example,
the Program Office gave DHS's National Cyber Security Division (NCSD)
limited authority to receive recurring submissions. At the time of our
review, NCSD had not used the authority; however, according to NCSD
officials, the validation authority is a positive step because it
provides a private sector entity with an additional method to share
information with them. In addition, the Center for Food Safety and
Applied Nutrition within the Department of Health and Human Services'
Food and Drug Administration is partnering with the Program Office.
The center plans to ask a number of dairy facilities to share CII on
the safety of the nation's milk supply. The information will be
submitted to the Program Office to be validated and will then be made
available to the Food and Drug Administration for safety analyses. In
New York, the Risk Analysis and Management for Critical Asset
Protection program--developed in a public/private sector partnership
for DHS by the American Society of Mechanical Engineers as a
methodology for performing risk assessments--is offering a method to
electronically submit CII to the Program Office for protection. Using
the program, infrastructure asset owners will be able to submit results
about the security of their facilities to DHS.
The Program Office Has Begun to Share PCII, Trained about 750 Users,
and Established a Mechanism to Initiate PCII Programs at Other
Entities:
As the CII Act authorizes, DHS has begun to share PCII with users. For
example, according to NCSD officials, the Program Office received
information that it later shared with them. They said that this
information was important to investigating a cyber-related incident,
but it would not have been provided by the infrastructure owners
without CII Act protections. In addition, the Federal Emergency
Management Agency (FEMA) received one piece of information from the
Program Office. Agency officials said they learned about the
information while in discussions with officials from a state who told
them that they would not share the information unless it could be
protected. On the basis of this requirement, FEMA asked the state to
submit the information to the Program Office and had FEMA officials
trained in the use and handling of PCII. According to a FEMA official,
this information led to the development of generic best practices
related to dam security that were presented at a workshop. Also, a few
other federal agencies have used the information. For example, in
February 2005, at the request of NCSD, the National Security Agency
(NSA) became the first non-DHS federal agency to receive PCII. This
information was used to assist in the research of a cyber-related
incident and did not result in any public alerts. In addition,
officials from the Nuclear Regulatory Commission reported that they had
reviewed one PCII report.
Prior to allowing federal, state, or local government users access to
the information, the Program Office trains them to ensure that users
have a clear understanding of how to handle and safeguard PCII and how
to access the information on an as-needed basis, according to program
officials. The Program Office began user training sessions in February
2004 and established a Web-based training program in November 2004. At
the time of our review, approximately 650 individuals from within DHS,
including contract personnel, had been trained, along with 110
individuals from other federal, state, and local agencies.
The Program Office also accredits federal, state, and local agency PCII
programs. Only accredited entities can receive and store this
information. Accreditation ensures that an entity is qualified to
manage its own program for handling, using, sharing, and safeguarding
PCII, including applicable databases and systems. After determining its
need for PCII, an entity must complete the following steps to earn
accreditation: (1) appoint a program officer and at least one deputy
program officer, both of whom must complete a 3-day course about the
use and handling of PCII and pass a certification examination; (2)
provide a senior official with the authority to represent the entity
and enter into a memorandum of agreement (MOA) with the Program Office;
and (3) pass an accreditation review by the Program Office.
Since July 2005, when the PCII Accreditation Program began, the Program
Office has trained at least 16 federal and state officials who serve or
will serve as program officers or deputy program officers for their
respective agencies, according to program officials. Not all of the
federal and state entities represented by the 16 officers and deputies
have completed the accreditation process. According to program
officials, as of January 2006, two entities were fully accredited--
Maryland and the Food and Drug Administration's Center for Food Safety
and Applied Nutrition. In addition, Arizona, California, and
Massachusetts were in the process of being accredited, and other
federal entities and states had initiated discussions with the Program
Office about becoming accredited. Regarding additional federal
agencies, the Nuclear Regulatory Commission is participating in the
accreditation process. In addition, according to the Department of
Agriculture's Director of Homeland Security and information technology
staff, the Department of Agriculture will establish a PCII program,
which will require it to become accredited. (See app. II for a more
detailed description of the accreditation process.)
According to the Program Manager, the Program Office is most interested
in accrediting entities that have lead roles in critical infrastructure
protection--such as the Departments of Agriculture, Energy, and the
Treasury. However, the Program Manager noted that accreditation is
voluntary and some of these agencies may not be interested. In
addition, according to the Program Manager, the Program Office will
continue to accredit other entities, such as states and other federal
agencies, that express an interest in PCII.
Figure 1 summarizes the efforts related to implementation of the CII
Act.
Figure 1: Efforts Related to CII Act Implementation (figure not
reproduced in the text version):
DHS Faces Challenges in Implementing the CII Act:
DHS faces challenges in implementing the CII Act through the PCII
program. These challenges include better defining specific government
needs for CII, determining how the information will be used, assuring
the private sector that the information will be protected and who will
be authorized to have access to it, and demonstrating to critical
infrastructure owners the benefits of sharing the information. By
overcoming these challenges, DHS and other users may make strides
toward reducing critical infrastructure owners' lack of trust in the
government's ability to use and protect their sensitive information.
Defining specific government needs: The act broadly defines what CII
can be voluntarily submitted to the government for protection, and the
interim rule reiterates the same broad definitions for use by the
Program Office in its implementation of the act. However, DHS has not
defined the specific information--such as industry-specific
vulnerabilities and interdependencies--needed under the program, nor
has it comprehensively worked with other federal agencies with critical
infrastructure responsibilities to find out what they need. The lack of
specificity on the part of DHS in clearly communicating to the private
sector what information is needed has impeded the willingness of
potential submitters to provide their sensitive information to DHS. The
Program Manager and other program officials said that until the
potential users of PCII within DHS and other federal agencies with
critical infrastructure responsibilities have fully identified their
information needs, the private sector will not know what to submit.
An official representing the chemical infrastructure sector agreed that
infrastructure owners need to know what kind of information is required
so they can provide meaningful submissions. In October 2005, the
National Infrastructure Advisory Council also made the point that when
requesting information, the government must clarify why it needs the
information. In addition, defining the needs for information requiring
protection is what drives potential users to participate in the
program. For example, Maryland and California initiated the
accreditation process because, according to responsible officials, they
had defined specific information needs that required protection.
Determining how information will be used: The act broadly defines how
PCII may be shared with other government entities and used to issue
advisories, alerts, and warnings. The interim rule provides procedures
on how information will be shared with other entities for the same
broad uses. However, potential users within DHS have not specified how
they will use the information. In addition, DHS has not yet used the
information to issue any advisories, alerts, or warnings, according to
DHS officials. An Infrastructure Partnership Division official also
said that until more information is submitted under the program, it
will be difficult for DHS to determine how it will use the information.
In October 2005, the National Infrastructure Advisory Council stated
that the private sector might be more willing to share information if
"when requesting information, the government clarified how they will
use it." In addition, an official representing the chemical
infrastructure sector agreed that entities would be more likely to
submit CII if they knew how it would be used. We have also reported in
the past that uncertainty about how the information would be used and
who it would be shared with posed a barrier to critical infrastructure
sectors sharing information with the government.[Footnote 13]
The Program Office faces the challenge of building a demand for PCII
among potential users of the information by demonstrating how it will
help users achieve their critical infrastructure missions. Without
identifying a specific use for PCII, entities are often reluctant to
commit the necessary effort toward accreditation. For example,
according to an NSA official whose office had used PCII once, although
the information had some value, its use did not affect his office's
final conclusions on the investigation it was conducting or result in
any analytical or warning products being issued. Because the use of the
information was considered an isolated case, NSA does not plan to
establish an accredited PCII program.
In addition, FEMA officials, who also used PCII once, noted that the
PCII they had received was valuable in developing security-related best
practices that FEMA presented at a workshop. However, they have no
current plans to establish a formally accredited program because they
are uncertain how they will use the information in the future. Also, as
previously discussed, user participation in the PCII program is
completely voluntary, even for agencies that have particular
responsibilities for a critical infrastructure sector. Nonetheless, the
Program Office is attempting to train enough users and help other
government entities establish programs so that there is a critical mass
of users to help make the program viable.
Other DHS officials stated that their own use of PCII had been purely
incidental. For example, DHS's Office of Intelligence and Analysis has
not found PCII to be essential for its operations largely because its
emphasis is on analyzing and responding to immediate threats, while
PCII is information relating to vulnerabilities. At this early stage of
the program's maturity, an official said PCII is not viewed by the
Intelligence and Analysis analysts as providing better or more relevant
information than that which they receive on a daily basis from the
intelligence community and the many other sources used to identify
threats. On the other hand, the Deputy Director of the Infrastructure
Partnership Division stated that analysts within the division could
find PCII very useful to their mission. In addition, DHS officials
believe that as more PCII becomes available, they will use it in their
new Homeland Infrastructure Threat and Risk Analysis Center--a national
center for the integration, analysis, and sharing of information
related to the threat of terrorist attacks on critical infrastructure.
Assuring the private sector that the information will be protected and
who will be authorized to have access to it: To implement the
protection requirements in the act, the interim rule establishes
procedures for marking, safeguarding, and sharing the information. In
addition, the Program Office has established (1) the training program
to equip authorized users with knowledge of how to safeguard the
information and (2) the PCII Accreditation Program to ensure that other
organizations have processes and policies to promote the safeguarding
of the information.
However, potential submitters often continue to be reluctant to provide
their sensitive information because they are not certain that their
information will be fully protected. They fear that the information
could be inadequately protected, used for future legal or regulatory
action, or inadvertently released. For example, as follows, specific
provisions in the law and rule impact perceptions that the submitted
information will not be protected, according to DHS, other federal
agencies, and the private sector:
* Originator control: Under the rule, the Program Manager has the
authority to decide what PCII to provide to federal, state, or local
government employees for approved purposes; the originator of the
critical information cannot control how the submission is shared at the
federal level. According to an official representing a multisector
organization, infrastructure sector entities are hesitant to share
information because of its sensitivity, without having control over who
has access to it. According to the Program Manager, the Program Office
is considering a method that they believe would meet the act's
intent--that is, submitters would identify at the time of submission
what users they believe should or should not be able to receive the
information. Under this method, the Program Office would contact the
submitter if a need arose for another entity to use the information.
According to DHS, this method has been used for some PCII submissions.
However, this method has not yet been instituted.
* Direct submissions: To receive protection, all submissions must be
received by DHS directly from the original submitter. For example, the
Department of Defense cannot receive information from members of the
defense industrial base and protect it as PCII or forward it to DHS to
be labeled and protected. However, in commenting on the interim rule,
one federal agency, as well as four infrastructure sector
organizations, expressed interest in being able to directly receive or
submit this information because of existing relationships. For example,
an official representing a multisector organization stated that private
and public critical infrastructure entities have already built
relationships with each other over many years and have sufficient trust
to share information with each other. According to the Program Manager,
the issue of direct submission will have to be addressed at some point;
however, at this early stage in the program, it is not worth the risk
of having PCII inappropriately released by an agency, because any
mistake would undermine the entire effort to build trust.
* Legal precedents: According to the Program Manager, there have been
no court cases addressing the CII Act. According to the Program Office
and the Homeland Security Advisory Council report, until the courts
uphold the protections, the private sector will frequently be hesitant
to use the program.
In addition, potential submitters of CII have been hesitant to provide
their sensitive information because they are not certain how
information would be protected under the final rule. As of January
2006, DHS had not issued a final rule, as planned. DHS had established
April 2005, June 2005, and August 2005 as deadlines for the rule to be
issued, but it missed these time frames. The Program Manager and other
program officials reported that the draft final rule had been
undergoing legal review within DHS since the summer of 2005 and would
go to the Office of Management and Budget (OMB) for interagency review
before becoming final. However, they could not predict when this would
occur and did not have any target deadlines established. In addition,
the Program Manager and other program officials were uncertain what
changes, if any, would be made to the rule during legal and interagency
review.
We have reported in the past that the uncertainty about how information
would be protected by federal agencies was a barrier to critical
infrastructure sectors sharing information with the federal government.
For example, in May 2005, we reported that critical infrastructure
entities did not openly share cybersecurity information with DHS, in
large part, because they were concerned that the potential release of
sensitive information could increase the threat to the respective
entity.[Footnote 14] Also, in April 2004, we testified that the
reluctance by information-sharing organizations to share information
had focused on concerns over potential government release of that
information, among other things.[Footnote 15]
In addition, the Program Office has been challenged to implement a
program that will provide protection to CII consistently across
federal, state, and local government entities while adhering to the
scope of the act and the interim rule. Some of the challenges that DHS,
states, and private sector entities identified were as follows:
* Sharing PCII with and among the state and local governments: Under
the act, state officials are not allowed to directly share PCII with
officials in other states, unless the Program Office gets written
consent from the person or entity submitting the information. This is a
challenge that limits sharing when state officials meet and when a
state official knows that information could be useful to another state
official to address a vulnerability or threat. The Program Office is
considering resolving this issue by having submitters grant written
approval for this type of sharing when they submit CII--similar to how
the issue of originator control could be handled.
* Penalties for inappropriate disclosure are limited to federal
employees: The act imposes criminal and administrative penalties for
federal employees that disclose PCII; however, those penalties do not
apply to contractors or state and local officials, who could face
significantly lower penalties for disclosure. The variation in
penalties could affect the level of protection. For example, contractors
are not subject to criminal penalties, so contract termination is the
deterrent to mishandling the information. For states, the Program
Office has suggested that these issues can be resolved through an MOA
between the state entity and the Program Office that would stipulate
that state laws are to be used to prosecute violators. According to the
Program Office, this arrangement was made under the memorandum signed
with Maryland and California.
Demonstrating benefits to critical infrastructure owners of sharing the
information: DHS and other interested federal agencies have not clearly
demonstrated to the potential CII submitters the benefit of sharing
their sensitive information; therefore, potential submitters may not be
willing to take the risk of inappropriate use and release. Federal,
state, and private sector officials stated that some of the benefits
that potential submitters expect to receive include improved reaction
by first responders; improved intelligence and strategic analyses of
threat information; and improved performance of services, such as
vulnerability analyses for small entities unable to afford their own
efforts. However, at the time of our review, DHS's emphasis was on
analyzing and responding to immediate threats, rather than on combining
threat and vulnerability information into strategic analyses.
Our prior work has shown that the federal government lacks the
analytical processes that would provide the sorts of benefits sought by
infrastructure owners.[Footnote 16] We reported that further efforts
are needed to address the critical challenges of improving the federal
government's capabilities to analyze incident, threat, and
vulnerability information obtained from numerous sources. We also
reported that improvements are needed in the federal sharing of
appropriate, timely, and useful warnings and other information
concerning cyber and physical threats to federal entities, state and
local governments, and the private sector.
Our prior work has also identified demonstrating benefits as a
challenge to the federal government. In April 2004, we testified that
in white papers, the Information Sharing and Analysis Center Council
emphasized that perhaps the greatest barriers to information sharing
stem from practical and business considerations, and that the benefits
of sharing information are often difficult to discern, while the risks
and costs of sharing are direct and foreseeable.[Footnote 17] In
addition, in May 2005, we reported that even when organizations within
infrastructure sectors shared information with DHS, the entities did
not consistently receive useful information in return.[Footnote 18]
Overcoming these challenges could help to encourage more submissions,
which in turn would provide the opportunity for the government to
provide benefits back to the private sector submitters, thereby
creating a virtuous cycle that builds on itself until a critical mass
of users and submitters is reached and the program becomes
self-sustaining. This would help to address the lack of trust in the
government that the private sector has consistently identified as a
reason to limit information sharing. The Program Manager and other DHS
officials acknowledged the need to establish trusted relationships
between the CII submitters and the information users in federal, state,
and local governments.
Conclusions:
DHS has made progress in implementing the CII Act by establishing
procedures and creating a Program Office to administer the program.
However, DHS is still in the early stages of its efforts to expand the
submission and use of PCII and will have to overcome major challenges
for its program to be viable. This effort includes issuing a final
rule, as DHS has planned to do, so that potential submitters will know
how the program will operate. Further, although DHS has a lead
responsibility for federal critical infrastructure protection efforts,
its planning efforts to date have not articulated what specific
information it and other federal agencies with critical infrastructure
responsibilities need and how the information will be used. Without
this knowledge, the private sector will continue to be hesitant to
provide information to DHS. The Program Office is aware of changes it
could make to the program that might increase submissions of CII and
provide incentives to users, such as providing clarity regarding how
the information will be protected, establishing some level of
originator control, allowing direct submissions, and providing a
mechanism for state-to-state sharing. However, to date, these options
and initiatives have not been aggressively pursued. If DHS were able to
surmount these challenges, it and other government users may begin to
overcome the lack of trust critical infrastructure owners have in the
government's ability to use and protect their sensitive information.
Recommendations for Executive Action:
In order for DHS to address the challenges to the PCII program--
defining specific needs, determining how and who uses the information,
assuring submitters that the information will be protected, and
demonstrating benefits to critical infrastructure owners--we recommend
that the Secretary of Homeland Security take the following four
actions:
* In the short term, establish a specific deadline in the near future
for releasing the final rule to OMB and for interagency review so that
potential submitters have more assurance about how their sensitive
information will be protected.
* Concurrently, consistent with other infrastructure planning efforts
such as the NIPP,
  * define and communicate to the private sector what CII DHS and
  federal entities need to fulfill their critical infrastructure
  responsibilities and how federal, state, and local entities are
  expected to use the information submitted under the program;
  * determine whether creating mechanisms, such as providing originator
  control and direct submissions to federal agencies other than DHS,
  would increase submissions; and
  * expand efforts to use incentives to encourage more users, such as
  mechanisms for state-to-state sharing.
We are not making new recommendations regarding improving the
effectiveness of DHS's information-sharing efforts at this time because
our previous recommendations, including performance of a national
threat assessment and establishment of a strategic analysis capability
for computer-based threats, have not yet been fully implemented.
Agency Comments:
We received oral comments on a draft of this report. An audit liaison
official from the DHS Departmental GAO/OIG Liaison Office stated that
DHS concurred with our findings and recommendations, based on the
comments received from officials from the Preparedness Directorate,
including the Program Office; the Transportation Security
Administration; DHS's General Counsel; and others.
In addition, the DHS Departmental GAO/OIG Liaison Office provided
technical corrections that it received from the Preparedness
Directorate, including the Program Office; DHS's General Counsel; and
others. We also received technical corrections from other officials who
were cited in our report. We have incorporated the DHS and other
technical corrections in this report as appropriate.
As agreed with your offices, unless you publicly announce the contents
of this report earlier, we plan no further distribution until 30 days
from the date of this letter. At that time, we will send copies of this
report to interested congressional committees, the Secretary of
Homeland Security, and other interested parties. We will also make
copies available to others upon request. In addition, this report will
be available at no charge on the GAO Web site at [Hyperlink,
http://www.gao.gov].
If you or your staffs have any questions concerning this report, please
contact either Dave Powner at 202-512-9286 or pownerd@gao.gov, or
Eileen Larence at 202-512-6510 or larencee@gao.gov. Contact points for
our Offices of Congressional Relations and Public Affairs may be found
on the last page of this report. Other GAO staff who contributed to
this report are listed in appendix III.
Signed by:
David A. Powner:
Director, Information Technology Management Issues:
Signed by:
Eileen Regen Larence:
Director, Homeland Security and Justice Issues:
[End of section]
Appendix I: Objectives, Scope, and Methodology:
In response to your request that we review the implementation of the
Critical Infrastructure Information (CII) Act of 2002, we determined
(1) the status of the Department of Homeland Security's (DHS)
implementation efforts and (2) the challenges DHS faces in implementing
the act.
To assess the current state of CII Act implementation, we analyzed the
CII Act and the Procedures for Handling Critical Infrastructure
Information: Interim Rule, the procedures that DHS issued in February
2004, and related public comments.[Footnote 19] In order to understand
DHS's efforts to establish a Protected Critical Infrastructure
Information (PCII) Program to accept and protect CII, we gathered and
analyzed relevant strategies, policies, and procedures, including the
PCII Information Program Management Directive (draft); the PCII Program
Procedures Manual, Configuration Management Plan, Mission Needs
Statement, Concept of Operations for Management (draft), and Systems
Risk Assessment. We held interviews with key officials from DHS's
Preparedness Directorate and Intelligence and Analysis Office
(formerly, the Information Analysis and Infrastructure Protection
Directorate, which included the Disclosure Office, the Infrastructure
Coordination Division, and the Information Analysis Division). We
observed controls and tools used for the receipt, care, and storage of
PCII, as outlined in the Program Office's manuals. In addition, we
interviewed officials from the Program Office, including the Program
Manager and representatives from each of the office's four branches
(Management, Communications, Operations, and Systems). We compared what
was expected under the CII Act with what had been accomplished by DHS.
Further, we interviewed key officials from DHS units in the Federal
Emergency Management Agency and the Transportation Security
Administration. We also held interviews with representatives from
entities that could potentially submit CII, including infrastructure
sector entities and public interest groups, such as the Partnership for
Critical Infrastructure Security, the American Chemistry Council, the
American Petroleum Institute, and the Edison Electric Institute. We
also held interviews with representatives from entities that had used
PCII, including federal, state, and local organizations, such as the
Department of Defense, National Security Agency, Department of
Agriculture, Federal Reserve System, Nuclear Regulatory Commission,
Maryland Emergency Management Agency, and California Office of Homeland
Security.
To determine the challenges to implementing the CII Act, we analyzed
reports by private sector advisory councils and critical infrastructure
protection experts that have identified related challenges. We also
interviewed officials knowledgeable about public/private information
sharing and about the act from DHS, federal agencies, state and local
governments, private sector entities, and public interest groups. In
addition, we relied on prior GAO work on information sharing between
federal and nonfederal entities.
Our work was conducted from May 2005 to February 2006 in accordance
with generally accepted government auditing standards.
[End of section]
Appendix II: Procedures for Processing CII and Accrediting Entities:
Processing CII:
The CII Act requires DHS to establish uniform procedures for the
receipt, care, and storage of CII that is voluntarily submitted to DHS.
In February 2004, the Program Office implemented a process to review
CII and began accepting voluntarily submitted information to determine
if it qualifies for protection. For this explanation, the process is
divided into three steps: submission, validation, and sharing. Figure 2
summarizes the Program Office's process.
Figure 2: Diagram of the PCII Submission, Validation, and Sharing
Process:
[See PDF for image]
[End of figure]
Step 1: Submission:
The CII Act requires all submissions of CII to be submitted to DHS for
protection under the act. Submission to DHS means any voluntary
transmittal of CII to the DHS PCII Program Office. CII that is not
submitted to DHS does not qualify for protection. Based on the Program
Office's process, the submission requirements include the following:
* Sources expected to submit CII to DHS for consideration for
protection, or validation, are those with direct knowledge about the
security of a critical infrastructure element, and include, but are not
limited to, Information Sharing and Analysis Organizations
(ISAO),[Footnote 20] private sector entities, state and local
governments, and foreign governments and companies.
* Federal agencies may not independently submit private sector
information for PCII protection, unless they are working together in
partnership with a private sector entity or the agency is part of an
ISAO.
* Submissions must be accompanied by an Express Statement and a
Certification Statement before they can be validated as PCII. According
to the CII Act, only those submissions that are accompanied by an
Express Statement will have the presumption of protection under the
act.
* An Express Statement indicates that the information is voluntarily
submitted to the federal government with the expectation that it will
be protected under the CII Act. A Certification Statement states that
the information is voluntarily submitted, is required or is not
required to be submitted to the federal government, and is not
customarily in the public domain.
* The Program Office accepts submissions electronically through a
secure Internet portal or through physical materials, such as floppy
disks, video tapes, audio tapes, facsimiles, or letters.
Step 2: Validation:
Validation is the process for determining whether a submission with an
Express Statement qualifies for protection under the CII Act and,
therefore, will be protected as provided by the act. The Program
Manager will establish time frames for completing the validation
process to ensure effective, efficient, and timely validation
determinations. On the basis of a review of the information submitted,
the Program Manager or designated representative makes an initial
determination regarding whether the information qualifies for
protection.
Program Office procedures require that submissions be acknowledged and
tracked throughout the validation process. If the submission is
received with both an Express Statement and a Certification Statement,
it will be processed without delay.
Information received without an Express Statement will be destroyed
immediately, and the submitter will be asked to resubmit. Submissions
received with an Express Statement, but without a complete
Certification Statement, will be presumed to be CII and will be
processed. However, the submitter will be contacted to provide a
Certification Statement.
When information is submitted with an Express Statement, the Protected
Critical Infrastructure Information Management System (PCIIMS) will
assign it a unique tracking number, which will be used in all future
communications with the submitter and for recording the current status
of submitted information.
The Program Office must acknowledge receipt of submitted information in
writing within 30 calendar days of its receipt. Acknowledgment of
receipt means only that the information has been received by the
Program Office and is accompanied by an Express Statement.
If the submission is accompanied by both an Express Statement and a
Certification Statement, and the Program Office determines that the
information meets the definition of CII, then:
* the information will be validated as PCII;
* the PCIIMS will be updated to indicate that the information qualifies
for protection under the CII Act;
* the submitter will be notified of the decision; and
* the validated PCII will be made available to authorized users.
If the initial review determines that the information submitted does
not meet the requirements for protection under the CII Act, the Program
Office must:
* inform the submitter that the initial determination is that the
submission does not meet the requirements to be PCII;
* request the submitter to provide a complete Certification Statement
and/or provide additional information within 30 days of the submitter's
receipt of the Program Office's request;
* give the submitter the opportunity to withdraw the submission before
reevaluation; and
* consider any additional information provided in making the final
validation determination; whenever possible, the final review will be
performed by the same staff member who performed the initial review.
Newly validated PCII is added to the PCII Submissions Catalog, which is
a list of all available PCII prepared in a non-PCII format
so that it can be easily shared. For each submission, the PCII
Submissions Catalog contains its tracking number, date of submission,
description of submission, and number of pages.
Step 3: Sharing:
A copy of the PCII Submission Catalog is provided to all PCII officers
for distribution at their discretion to users and analysts for their
review. If after reviewing the catalog the users want to request PCII,
they may do so through their entity's PCII officer.
The Program Office is authorized to provide access to PCII when it
determines that this access supports a lawful and authorized government
purpose as specified in the CII Act. The Program Office may provide
PCII to federal government departments and agencies and to state and
local government entities that have executed the standard memorandum of
agreement (MOA) with the Program Manager and have met the requirements
of the PCII Accreditation Program.
Before accessing and storing PCII, organizations or entities must be
accredited and have a PCII officer to supervise strict compliance with
procedures. Before individual users can access PCII, they must be
trained in the proper use, handling, and safeguarding of PCII.
Authorized users can request access to PCII on a need-to-know basis.
However, users outside of DHS do not have the authority to store PCII
until their agency is accredited. In cases where the user is from an
entity that is not accredited, the Program Office and the user make
arrangements for the user to access the information at the Program
Office.
If access is granted, the information is downloaded from the Program
Office's secure storage to a paper copy or compact disk. It is then
either hand delivered to the user or loaded to another secure system
and accessed by the user through a controlled folder on the secure
system.
The Program Office is responsible for tracking PCII to the state or
local government entity to which it was initially provided. The
officially designated PCII officer of each government entity is
responsible for sharing and tracking PCII under their control.
Federal government entities may share PCII in their possession provided
they verify that the recipient entity has been accredited by the
Program Office to receive PCII and will maintain a tracking mechanism
that provides a record of what PCII they provided to whom and when they
provided it.
State and local governments receiving PCII are not authorized to share
PCII with entities external to their governmental entity, unless they
obtain the express approval of the Program Manager and the explicit written
consent of the submitter.
Authorized recipients may use PCII for:
* securing the critical infrastructure and protected systems;
* analysis of potential threats and vulnerabilities;
* warning of imminent attack;
* studying the interdependency between critical infrastructure sectors;
* recovery and reconstitution of damaged infrastructures; or
* another information purpose, including, without limitation, the
identification, analysis, prevention, preemption, and/or disruption of
terrorist threats to our homeland.
Accrediting Entities to Receive PCII:
Before federal, state, or local government entities can access and
store PCII, they must have executed a MOA with the Program Office and
have met the requirements of the PCII Accreditation Program. At the
time of our review, the Program Office was updating its February 2004
procedures manual with guidance on its accreditation process. The
accreditation process was established to ensure that each entity and
user has a clear understanding of how to initiate and manage their
entities' program and adequate policies, procedures, secure systems,
and databases for handling, using, sharing, and safeguarding PCII. The
Program Office's Operations Branch is responsible for managing the
process, and the Communications Branch is responsible for outreach and
training activities in support of the process. Figure 3 outlines the
key steps in the accreditation process.
Figure 3: Accreditation Program:
[See PDF for image]
[End of figure]
The following are key steps in the accreditation process.
* After a government entity or other accreditation candidate determines
its need for PCII, the entity requests an application from the Program
Office and nominates a PCII officer and deputy. Any nonfederal
government employee who is nominated to be a PCII officer or deputy
must sign a nondisclosure agreement concerning PCII.
* The Program Office appoints the nominated PCII officer and deputy for
the candidate entity after they complete a 3-day training course and
pass a certification examination.
* A senior official with the authority to represent the candidate
entity enters into a MOA with DHS. The MOA (1) constitutes an
entitywide obligation and an executive-level commitment to achieving
and maintaining PCII accreditation and (2) sets forth the
responsibilities and obligations of the PCII officer and deputy as well
as the requirements for handling, using, sharing, and safeguarding PCII
throughout the federal, state, or local entity.
* The PCII officer completes a self-assessment of how well the entity's
policies, procedures, and oversight measures comply with the minimum
requirements and procedures set forth in the accreditation guide. The
Program Office reviews the self-assessment and works with the
accreditation candidate's PCII officer to address any needs for further
development activities.
* Once the PCII officer has submitted a self-assessment and addresses
any immediate issue, a site assessment team visits the offices and
facilities of the accreditation candidate to determine its ability to
comply with the requirements set forth in the PCII procedures manual.
* The Program Office accredits the government entity after all needs
identified by the assessments are addressed. The PCII officer must
submit an annual report to the Program Office to keep the office
apprised of any developments in the participant's PCII program. A
fully accredited entity must be reaccredited every 3 years. In
addition, the Program Office may also elect to conduct a site visit of
an accredited entity at any time to ensure that the minimum
requirements are continually being met or to respond to requests for
consultation or guidance from the entity.
[End of section]
Appendix III: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
David Powner, (202) 512-9286 or pownerd@gao.gov
Eileen Larence, (202) 512-6510 or larencee@gao.gov
Staff Acknowledgments:
In addition to the persons named above, R. Rochelle Burns, Neil
Doherty, Michael Gilmore, Steve Gosewehr, Barbarol James, Victoria
Miller, Susan Quinlan, Nik Rapelje, and Amos Tevelow made key
contributions to this report.
(310493):
FOOTNOTES
[1] GAO, Critical Infrastructure Protection: Improving Information
Sharing with Infrastructure Sectors, GAO-04-780 (Washington, D.C.: July
9, 2004); and Information Sharing: Practices That Can Benefit Critical
Infrastructure Protection, GAO-02-24 (Washington, D.C.: Oct. 15, 2001).
[2] GAO, High-Risk Series: An Update, GAO-05-207 (Washington, D.C.:
January 2005). GAO uses the high-risk designation to draw attention to
the challenges associated with the economy, efficiency, and
effectiveness of government programs and operations in need of broad-
based transformation.
[3] CII is information that is related to the security of critical
infrastructure or protected systems and that is not customarily in the
public domain. Once the information is received by DHS and determined
to meet the requirements of the act, it is designated as "protected
CII."
[4] DHS published a notice of proposed rulemaking in the Federal
Register in April 2003, and an interim rule that established procedures
that were immediately effective on February 20, 2004. In the interim
rule, DHS also stated that it would continue to consider public
comments for 3 months and would determine whether supplemental
regulations were needed. The act required the procedures to be
established not later than 90 days after the date of enactment or on or
about February 25, 2003.
[5] Pub. L. No. 107-296 (Nov. 25, 2002).
[6] The Homeland Security Information Sharing Act requires procedures
for facilitating homeland security information sharing and establishes
authorities to share different types of information, such as grand jury
information; electronic, wire, and oral interception information; and
foreign intelligence information (Subtitle I, Title VIII, Homeland
Security Act).
[7] The White House, National Strategy for Homeland Security (July
2002); National Strategy to Secure Cyberspace (February 2003); and
National Strategy for the Physical Protection of Critical
Infrastructures and Key Assets (February 2003).
[8] Department of Homeland Security, National Infrastructure Protection
Plan: Base Plan (Washington, D.C.: January 2006).
[9] The CII Act defines "voluntary" as the submittal of CII in the
absence of DHS's exercise of legal authority to compel access to or
submission of such information (Sec. 212 (7)(A)).
[10] The CII Act defines an "information sharing and analysis
organization" as any entity or collaboration created or employed by
public or private sector organizations for the purposes of, among other
things, (1) gathering and analyzing CII; (2) communicating or
disclosing CII to help protect critical infrastructure; and (3)
voluntarily disseminating CII to its members; state, local, and federal
governments; or other entities (Sec. 212 (5)).
[11] The Freedom of Information Act (5 U.S.C. § 552) establishes the
public's legal right of access to government information but also
enables the government to withhold certain information from public
release.
[12] Department of Homeland Security, Procedures for Handling Critical
Infrastructure Information: Interim Rule (69 FR 8074) (Feb. 20, 2004).
[13] GAO, Critical Infrastructure Protection: Department of Homeland
Security Faces Challenges in Fulfilling Cybersecurity Responsibilities,
GAO-05-434 (Washington, D.C.: May 26, 2005).
[14] GAO-05-434.
[15] GAO, Critical Infrastructure Protection: Establishing Effective
Information Sharing with Infrastructure Sectors, GAO-04-669T
(Washington, D.C.: Apr. 21, 2004).
[16] GAO-04-780.
[17] GAO-04-699T.
[18] GAO-05-434.
[19] The Procedures for Handling Critical Infrastructure Information:
Interim Rule requires the PCII Program Manager to develop and use an
electronic database, to be known as the Protected Critical
Infrastructure Information Management System, to record the receipt,
acknowledgment, validation, storage, dissemination, and destruction of
PCII.
[20] An ISAO is any formal or informal entity or collaboration created
or employed by public or private sector organizations for the purposes
of, among other things, (1) gathering and analyzing CII to protect
against or mitigate an attack; (2) communicating or disclosing CII for
such purposes; and (3) voluntarily disseminating CII to its members,
federal, state, or local governments; or any other appropriate
entities.
GAO's Mission:
The Government Accountability Office, the investigative arm of
Congress, exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site (www.gao.gov) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director,
NelliganJ@gao.gov
(202) 512-4800
U.S. Government Accountability Office,
441 G Street NW, Room 7149
Washington, D.C. 20548: