Critical Infrastructure Protection
Update to National Infrastructure Protection Plan Includes Increased Emphasis on Risk Management and Resilience
GAO ID: GAO-10-296, March 5, 2010
This is the accessible text file for GAO report number GAO-10-296
entitled 'Critical Infrastructure Protection: Update to National
Infrastructure Protection Plan Includes Increased Emphasis on Risk
Management and Resilience' which was released on April 5, 2010.
This text file was formatted by the U.S. Government Accountability
Office (GAO) to be accessible to users with visual impairments, as
part of a longer term project to improve GAO products' accessibility.
Every attempt has been made to maintain the structural and data
integrity of the original printed product. Accessibility features,
such as text descriptions of tables, consecutively numbered footnotes
placed at the end of the file, and the text of agency comment letters,
are provided but may not exactly duplicate the presentation or format
of the printed version. The portable document format (PDF) file is an
exact electronic replica of the printed version. We welcome your
feedback. Please E-mail your comments regarding the contents or
accessibility features of this document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
United States Government Accountability Office:
GAO:
March 2010:
Critical Infrastructure Protection:
Update to National Infrastructure Protection Plan Includes Increased
Emphasis on Risk Management and Resilience:
GAO-10-296:
GAO Highlights:
Highlights of GAO-10-296, a report to congressional requesters.
Why GAO Did This Study:
According to the Department of Homeland Security (DHS), there are
thousands of facilities in the United States that if destroyed by a
disaster could cause casualties, economic losses, or disruptions to
national security. The Homeland Security Act of 2002 gave DHS
responsibility for leading and coordinating the nation's effort to
protect critical infrastructure and key resources (CIKR). Homeland
Security Presidential Directive 7 (HSPD-7) defined responsibilities
for DHS and certain federal agencies--known as sector-specific agencies
(SSAs)--that represent 18 industry sectors, such as energy. In
accordance with the Homeland Security Act and HSPD-7, DHS issued the
National Infrastructure Protection Plan (NIPP) in June 2006 to provide
the approach for integrating the nation's CIKR. GAO was asked to study
DHS's January 2009 revisions to the NIPP in light of a debate over
whether DHS has emphasized protection--to deter threats, mitigate
vulnerabilities, or minimize the consequences of disasters--rather
than resilience--to resist, absorb, or successfully adapt, respond to,
or recover from disasters. This report discusses (1) how the 2009 NIPP
changed compared to the 2006 NIPP and (2) how DHS and SSAs addressed
resiliency as part of their planning efforts. GAO compared the 2006
and 2009 NIPPs, analyzed documents, including NIPP Implementation
Guides and sector-specific plans, and interviewed DHS and SSA
officials from all 18 sectors about their process to identify
potential revisions to the NIPP and address resiliency.
What GAO Found:
Compared to the 2006 NIPP, DHS's 2009 update to the NIPP incorporated
various changes, including a greater emphasis on regional CIKR
protection planning and updates to DHS's overall risk management
framework, such as instructions for sectors to develop metrics to
gauge how well programs reduced the risk to their sector. For example,
in the 2006 NIPP, DHS encouraged stakeholders to address CIKR across
sectors within and across geographic regions; by contrast, the 2009
NIPP called for regional coordination through the formation of a
consortium of representatives from multiple regional organizations.
DHS also enhanced its discussion of risk management methodologies in
the 2009 NIPP. The 2006 NIPP listed the minimum requirements for
conducting risk analyses, while the 2009 NIPP includes the use of a
common risk assessment approach, including the core criteria for these
analyses to allow the comparison of risk across sectors. DHS officials
said that the changes highlighted in the 2009 NIPP were the result of
knowledge gained and issues raised during discussions with partners
and outside organizations like GAO. DHS has also issued guidance for
SSAs to consider revisions to the NIPP when updating their sector-
specific plans (SSPs). Fourteen of 18 SSA representatives that
responded to our query said they used a process similar to DHS's to
incorporate NIPP changes into their SSPs. They reported that they
intend to discuss the expectations for the SSP with DHS, draft the SSP
based on their knowledge of their sectors, and obtain input and
feedback from stakeholders.
DHS increased its emphasis on resiliency in the 2009 NIPP by
discussing it with the same level of importance as protection. While
the 2009 NIPP uses much of the same language as the 2006 NIPP to
describe resiliency, the 2006 NIPP primarily treated resiliency as a
subset of protection while the 2009 NIPP generally referred to
resiliency alongside protection. For example, while the Managing Risk
chapter of the 2006 NIPP has a section entitled "Characteristics of
Effective Protection Programs," the same chapter in the 2009 NIPP has
a section entitled "Characteristics of Effective Protection Programs
and Resiliency Strategies." DHS officials stated that these changes
are not a major shift in policy; rather they are intended to raise
awareness about resiliency as it applies within individual sectors.
Furthermore, they stated that there is a greater emphasis on
resilience in the 2009 NIPP to encourage more sector and cross-sector
activities to address a broader spectrum of risks, such as cyber
security. DHS officials also used guidance to encourage SSAs to devote
more attention to resiliency. For example, in the 2009 guidance, SSAs
are advised that in sectors where infrastructure resiliency is as or
more important than physical security, they should focus on describing
the resiliency measures and strategies being used by the sector. The
2010 updates to the SSPs are due to be released by DHS in mid-2010 and
all sector representatives who responded to our questions said they
will address the issue as is appropriate for their sectors. In
commenting on a draft of this report, DHS reiterated its process for
updating the NIPP and its views on resiliency.
View [hyperlink, http://www.gao.gov/products/GAO-10-296] or key
components. For more information, contact Stephen L. Caldwell at (202)
512-8777 or caldwells@gao.gov.
[End of section]
Contents:
Letter:
Background:
DHS Has Incorporated Changes into the 2009 NIPP that Reflect
Stakeholder Input and Sectors' Experience Protecting Critical
Infrastructure and an Increased Emphasis on Risk Management:
DHS Increased Its Emphasis on Resiliency in the 2009 NIPP and Directed
SSAs to Address Resiliency in Their Sector Plans:
Agency Comments:
Appendix I: The Concept of Resiliency:
Appendix II: Discussions of Resiliency in 2007 Sector-specific Plans:
Appendix III: Comments from the Department of Homeland Security:
Appendix IV: GAO Contacts and Acknowledgments:
GAO Products:
Related to Critical Infrastructure Protection:
Tables:
Table 1: SSAs and CIKR Sectors:
Table 2: Description of Changes Made from the 2006 NIPP to the 2009
NIPP:
Table 3: Sector Plan References to Resiliency:
Figures:
Figure 1: DHS Process to Update the NIPP:
Figure 2: Process for updating SSPs:
[End of section]
United States Government Accountability Office:
Washington, DC 20548:
March 5, 2010:
The Honorable Bennie G. Thompson:
Chairman:
Committee on Homeland Security:
House of Representatives:
The Honorable Sheila Jackson-Lee:
Chairwoman:
Subcommittee on Transportation Security and Infrastructure Protection:
Committee on Homeland Security:
House of Representatives:
According to the Department of Homeland Security (DHS), there are
thousands of facilities in the United States that if degraded or
destroyed by a manmade or natural disaster could cause some
combination of significant casualties, major economic losses, or
widespread and long-term disruptions to national well-being and
governance capacity. There are also networks and systems--including
cyber networks that support physical infrastructure--that are
vulnerable and valuable. Damages to these facilities, networks, and
systems and the economic impact of their destruction could easily run
into the billions of dollars.
The Homeland Security Act of 2002 created DHS and gave the department
wide-ranging responsibilities for, among other things, leading and
coordinating the overall national critical infrastructure protection
effort.[Footnote 1] For example, the act required DHS to (1) develop a
comprehensive national plan for securing the nation's critical
infrastructures and key resources (CIKR) and (2) recommend measures to
protect CIKR in coordination with other agencies of the federal
government and in cooperation with state and local government agencies
and authorities, the private sector, and other entities. Homeland
Security Presidential Directive 7 (HSPD-7) further defined critical
infrastructure protection responsibilities for DHS and those federal
agencies--known as sector-specific agencies (SSA)--responsible for
particular industry sectors, such as transportation, energy, and
communications.[Footnote 2] For example, the Department of the
Treasury as the SSA is responsible for the banking and finance sector
while the Department of Energy as the SSA is responsible for the
energy sector. HSPD-7 directed DHS to establish uniform policies,
approaches, guidelines, and methodologies for integrating federal
infrastructure protection and risk management activities within and
across 17 sectors. The directive also gave DHS the authority to
establish additional sectors, and in 2008 DHS created an 18th sector
for critical manufacturing. We placed the protection of the federal
government's information systems and the nation's critical
infrastructures on our high-risk list in 1997.[Footnote 3] We consider
this area high risk because federal agencies and our nation's critical
infrastructures--such as power distribution, water treatment and
supply, telecommunications, national defense, and emergency services--
rely extensively on computerized information systems and electronic
data to carry out their operations. The security of these systems and
data is essential to preventing disruptions in critical operations,
fraud, and inappropriate disclosure of sensitive information.
Protecting federal computer systems and the systems that support
critical infrastructures--referred to as cyber critical infrastructure
protection, or cyber CIP--is a continuing concern.
In accordance with the Homeland Security Act and in response to HSPD-
7, DHS issued, in June 2006, the first National Infrastructure
Protection Plan (NIPP), which provides the overarching approach for
integrating the nation's CIKR protection initiatives in a single
effort.[Footnote 4] DHS issued a revised NIPP in January 2009.
[Footnote 5] The NIPP sets forth a risk management framework and
details the roles and responsibilities of DHS, SSAs, and other
federal, state, regional, local, tribal, territorial, and private
sector partners, including how they should use risk management
principles to prioritize protection activities within and across
sectors.[Footnote 6] Within the NIPP framework, DHS has emphasized the
importance of collaboration and partnering with and among the various
partners and its reliance on voluntary information sharing between the
private sector and DHS.[Footnote 7] The NIPP provides the framework
for developing, implementing, and maintaining a coordinated national
effort to protect CIKR in the 18 sectors. Each of the CIKR sectors is
represented in the federal planning process by a sector-specific
agency; a government coordinating council to represent each sector's
interests among government agencies; and a sector coordinating
council[Footnote 8] that includes private sector representatives of
the sector.[Footnote 9] Each sector is responsible for developing
sector-specific plans (SSPs) and sector annual reports (SARs). In
2007, each SSA then operating published an SSP that mirrored and
applied the NIPP framework. SSPs are to be updated, like the NIPP,
every 3 years and the second iteration of SSPs is due in 2010.
[Footnote 10] In addition, beginning in 2006 each sector then
operating was to produce a SAR that is expected to focus on sector
goals, priorities, and SSP implementation.
Over the last several years, various stakeholders, including members
of Congress, academia, and the private sector have questioned DHS's
approach to critical infrastructure protection. CIKR partners in the
public and the private sector have expressed concerns that DHS has
placed most of its emphasis on protection--actions to deter the
threat, mitigate vulnerabilities, or minimize the consequences
associated with an attack or disaster--rather than resiliency--which,
according to DHS, is the ability to resist, absorb, recover from, or
successfully adapt to adversity or a change in conditions. In framing
the debate over this issue, the National Infrastructure Advisory
Council stated that:
"The challenge facing government is to maintain its role in protecting
critical infrastructures, while determining how best to encourage
market forces to improve the resilience of companies, provide
appropriate incentives and tools to help entire sectors become
resilient, and step in when market forces alone cannot produce the
level of infrastructure security needed to protect citizens,
communities, and essential economic systems."[Footnote 11]
Given the debate over DHS's emphasis on protection rather than
resilience, you asked us to study DHS's revisions to the NIPP and
efforts by DHS to address resiliency as part of its national planning
efforts. Specifically, this report addresses the following questions:
1. How has the 2009 NIPP changed compared to the 2006 NIPP and what
process was used to identify and incorporate these changes? and:
2. How have DHS and SSAs addressed the concept of critical
infrastructure resiliency as part of their national CIKR and sector-
specific planning efforts?
To describe the changes DHS has made to the NIPP since it was first
published in 2006 and the process used to identify and incorporate
these changes, we compared the 2006 and 2009 versions of the NIPP and
reviewed the changes that have occurred. We also interviewed DHS NIPP
Program Management Office (PMO) officials responsible for developing
and coordinating the NIPP revisions to discuss the process they used
to identify potential revisions and why changes were made. We analyzed
DHS's 2006 and 2009 SSP guidance that supports the NIPP to determine
what changes were made in the 2009 guidance which is designed to help
ensure that SSAs develop SSPs consistent with the 2009 NIPP.
Furthermore, we interviewed NIPP PMO officials about their efforts to
work with SSAs in developing plans and reports based on the guidance
provided and asked SSAs about the process they used to address changes
to the NIPP in their SSPs. We also interviewed SSA representatives for
all 18 critical infrastructure sectors and asked them how they planned
to address the changes to the NIPP in their 2010 SSPs.
To determine how DHS and the SSAs have addressed the concept of
critical infrastructure resiliency as part of their national CIKR
protection planning efforts, we collected and analyzed documentary and
testimonial evidence from DHS and SSAs. Specifically, we reviewed the
2006 and 2009 NIPP and the NIPP Implementation Guides to compare how
often and in what context the concept of resiliency was used between
those dates of publication. We limited our analysis to how often and
where resiliency-related terms--resilience, resiliency, resilient, and
continuity (business or operational continuity)--were used in the
plans and corresponding guidance. In commenting on our approach, DHS
said this is a reasonable set of terms for our analysis.[Footnote 12]
We also reviewed the sector-specific planning documents (e.g., SSPs)
of the sectors that were issued based on the 2006 NIPP Implementation
Guide and assessed how the concept of resiliency was addressed by the
individual sectors. Finally, we interviewed SSA officials for all 18
sectors to determine how they plan to address the concept of
resiliency in their 2010 SSPs.[Footnote 13]
We conducted this performance audit from August 2009 through February
2010 in accordance with generally accepted auditing standards. These
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe
that the evidence obtained provides a reasonable basis for our
findings and conclusions based on our objectives.
Background:
The NIPP provides the framework for developing, implementing, and
maintaining a coordinated national effort to bring together government
at all levels, the private sector, nongovernmental organizations, and
international partners to manage the risks to CIKR. In addition to the
Homeland Security Act, various statutes provide legal authority for
both cross-sector and sector-specific protection and resiliency
programs. For example, the Public Health Security and Bioterrorism
Preparedness and Response Act of 2002 was intended to improve the
ability of the United States to prevent, prepare for, and respond to
acts of bioterrorism and other public health emergencies and the
Pandemic and All-Hazards Preparedness Act addresses public health
security and all-hazards preparedness and response.[Footnote 14] Also,
the Cyber Security Research and Development Act of 2002 authorized
funding for the National Institute of Standards and Technology (NIST)
and the National Science Foundation to facilitate increased research
and development for computer and network security and to support
research fellowships and training.[Footnote 15] CIKR protection issues
are also covered under various presidential directives, including HSPD-
5 and HSPD-8. HSPD-5 calls for coordination among all levels of
government as well as between the government and the private sector
for domestic incident management, and HSPD-8 establishes policies to
strengthen national preparedness to prevent, detect, respond to, and
recover from threatened domestic terrorist attacks and other
emergencies.[Footnote 16] These separate authorities and directives
are tied together as part of the national approach for CIKR protection
through the unifying framework established in HSPD-7.
The NIPP outlines the roles and responsibilities of DHS and other
security partners--including other federal agencies, state,
territorial, local, and tribal governments, and private companies.
Within the NIPP framework, DHS is responsible for leading and
coordinating the overall national effort to enhance protection via 18
CIKR sectors. The NIPP is prepared by the NIPP Program Management
Office (PMO) within the Infrastructure Protection office of the
National Preparedness and Protection Directorate of DHS. The NIPP PMO
has the responsibility for coordinating and ensuring development,
implementation, and maintenance of the NIPP and the associated sector-
specific plans.
HSPD-7 and the NIPP assign responsibility for CIKR sectors to SSAs. As
an SSA, DHS has direct responsibility for leading, integrating, and
coordinating efforts of sector partners to protect 11 CIKR sectors.
The remaining sectors are coordinated by eight other federal agencies.
The NIPP depends on supporting SSPs for full implementation of this
framework within and across CIKR sectors. SSPs are developed by the
SSAs designated in HSPD-7 in close collaboration with sector partners,
including sector and government coordinating councils. These SSPs
contain the plan to identify and address the risks to CIKR specific to
each sector and are reviewed by DHS for adherence to DHS guidance
which follows the format of the NIPP. Table 1 lists the SSAs and their
sectors.
Table 1: SSAs and CIKR Sectors:
Sector-specific agency: Departments of Agriculture[A] and Food and
Drug Administration[B];
Critical infrastructure and key resource sector: Agriculture and Food.
Sector-specific agency: Department of Defense[C];
Critical infrastructure and key resource sector: Defense Industrial
Base.
Sector-specific agency: Department of Energy;
Critical infrastructure and key resource sector: Energy[D].
Sector-specific agency: Department of Health and Human Services;
Critical infrastructure and key resource sector: Healthcare and Public
Health.
Sector-specific agency: Department of the Interior;
Critical infrastructure and key resource sector: National Monuments
and Icons.
Sector-specific agency: Department of the Treasury;
Critical infrastructure and key resource sector: Banking and Finance.
Sector-specific agency: Environmental Protection Agency;
Critical infrastructure and key resource sector: Water[E].
Sector-specific agency: Department of Homeland Security;
Critical infrastructure and key resource sector: [Empty].
Sector-specific agency: Office of Infrastructure Protection;
Critical infrastructure and key resource sector: Commercial Facilities;
Critical Manufacturing; Emergency Services; Nuclear Reactors,
Materials, and Waste; Dams; and Chemical Sectors.
Sector-specific agency: Office of Cyber Security and Communications;
Critical infrastructure and key resource sector: Information
Technology; Communications Sectors.
Sector-specific agency: Transportation Security Administration;
Critical infrastructure and key resource sector: Postal and Shipping.
Sector-specific agency: Transportation Security Administration and
U.S. Coast Guard[F];
Critical infrastructure and key resource sector: Transportation
Systems[G].
Sector-specific agency: Federal Protective Service[H];
Critical infrastructure and key resource sector: Government
Facilities[I].
Source: 2009 National Infrastructure Protection Plan.
[A] The Department of Agriculture is responsible for agriculture and
food (meat, poultry, and egg products).
[B] The Food and Drug Administration is the part of the Department of
Health and Human Services that is responsible for food other than
meat, poultry, and egg products.
[C] Nothing in the NIPP impairs or otherwise affects the authority of
the Secretary of Defense over the Department of Defense (DoD),
including the chain of command for military forces from the President
as Commander in Chief, to the Secretary of Defense, to the commander
of military forces, or military command and control procedures.
[D] The Energy Sector includes the production, refining, storage, and
distribution of oil, gas, and electric power, except for commercial
nuclear power facilities.
[E] The Water Sector includes drinking water and wastewater systems.
[F] The U.S. Coast Guard is the SSA for the maritime transportation
mode within the Transportation System Sector.
[G] In accordance with HSPD-7, the Department of Transportation and
the Department of Homeland Security are to collaborate on all matters
relating to transportation security and transportation infrastructure
protection.
[H] As of October 2009, the Federal Protective Service transitioned
out of Immigration and Customs Enforcement (ICE) to the National
Protection and Programs Directorate.
[I] The Department of Education is the SSA for the Education
Facilities Subsector of the Government Facilities Sector.
[End of table]
The concept of resilience has gained particular importance and
application in a number of areas of federal CIKR planning. Both
Congress and executive branch agencies have addressed resilience in
relation to the importance of the recovery of the nation's critical
infrastructure from damage. In February 2006, the Task Force of the
Homeland Security Advisory Council defined resiliency as "the
capability of a system to maintain its functions and structure in the
face of internal and external change and to degrade gracefully when it
must."[Footnote 17] Later in 2006, the Department of Homeland
Security's National Infrastructure Protection Plan defined resilience
as "the capability of an asset, system, or network to maintain its
function during or to recover from a terrorist attack or other
incident."
In May 2007 the President issued Homeland Security Presidential
Directive 20--National Continuity Policy. This directive establishes a
comprehensive national policy on the continuity of federal government
structures and operations and a single National Continuity Coordinator
responsible for coordinating the development and implementation of
federal continuity policies. It also directs executive departments and
agencies to integrate continuity requirements into operations, and
provides guidance for state, local, territorial, and tribal
governments, and private sector organizations in order to ensure a
comprehensive and integrated national continuity program that will
enhance the credibility of our national security posture and enable a
more rapid and effective response to and recovery from a national
emergency. As part of Homeland Security Presidential Directive 20, the
Secretary of Homeland Security is directed to, among other things,
coordinate the implementation, execution, and assessment of continuity
operations and activities; develop, lead, and conduct a federal
continuity training and exercise program, which shall be incorporated
into the National Exercise Program; and develop and promulgate
continuity planning guidance to state, local, territorial, and tribal
governments, and private sector critical infrastructure owners and
operators.[Footnote 18] For additional discussion of the concept of
resiliency, see appendix I.
DHS Has Incorporated Changes into the 2009 NIPP that Reflect
Stakeholder Input and Sectors' Experience Protecting Critical
Infrastructure and an Increased Emphasis on Risk Management:
DHS incorporated changes in the 2009 NIPP--including a greater
emphasis on CIKR regional planning and updates to DHS's overall risk
management framework--that NIPP PMO officials said are based on
stakeholder input and sectors' experiences performing critical
infrastructure protection. Based on DHS guidance, SSAs are expected to
address many of the changes to the NIPP in their SSPs, based on
consultation with sector partners. Table 2 provides an overview of key
changes to the NIPP.
Table 2: Description of Changes Made from the 2006 NIPP to the 2009
NIPP:
Type of change: Scope of critical infrastructure;
2006 NIPP: The 2006 NIPP defined processes and mechanisms used to
prioritize protection within 17 CIKR sectors;
Change to the 2009 NIPP: The 2009 NIPP continued to address CIKR
prioritization and introduced the Critical Manufacturing sector.
Type of change: Coordination;
2006 NIPP: The 2006 NIPP created the sector partnership model as the
primary organizational structure for coordinating CIKR efforts and
activities. The model encouraged Sector and Government Coordinating
Councils to work in tandem to create a coordinated national framework
for CIKR protection within and across sectors;
Change to the 2009 NIPP: The 2009 NIPP expanded the sector partnership
model to include Regional Consortium Coordinating Councils. These
councils are to coordinate physical security, cybersecurity, emergency
preparedness, and overall public-private continuity and resiliency in
one or more states, urban areas, or municipalities.
Type of change: Coordination;
2006 NIPP: The 2006 NIPP created a Web-based, information-sharing
network so that security partners can obtain, analyze, and share
information;
Change to the 2009 NIPP: The 2009 NIPP expanded information sharing at
the local level via State and Local Fusion Centers to include the
critical infrastructure protection mission. These fusion centers are
to develop capabilities to support a comprehensive understanding of
threats, local CIKR vulnerabilities, and potential consequences of
attacks on business operations within the private sector.
Type of change: Planning;
2006 NIPP: The 2006 NIPP created a risk management framework -
establishing the process for combining consequence, vulnerability, and
threat information to produce a comprehensive assessment of national
or sector-specific risk that drives CIKR protection activities;
Change to the 2009 NIPP: The 2009 NIPP highlighted updates to risk
methodologies and information-sharing mechanisms. The plan also
highlighted new outcome-focused performance measurement and reporting
processes to measure program performance.
Type of change: Planning;
2006 NIPP: The 2006 NIPP created a framework to enable education,
training, and exercise programs that allow people and organizations to
develop and maintain key CIKR protection expertise;
Change to the 2009 NIPP: The 2009 NIPP highlighted expanded CIKR
protection-related education, training, outreach, and exercise
programs. For example, one expanded program provides the framework for
the identification, development, and delivery of critical
infrastructure courses for the transportation industry.
Type of change: Planning;
2006 NIPP: The 2006 NIPP primarily focused on CIKR protection
strategies;
Change to the 2009 NIPP: The 2009 NIPP continued to focus on CIKR
protection but placed more emphasis on the concept of resilience. The
term resilience also appeared prominently throughout the NIPP.
Type of change: Supporting laws, strategies, and directives;
2006 NIPP: The 2006 NIPP provided information on a variety of
statutes, strategies, and directives applicable to CIKR protection;
Change to the 2009 NIPP: The 2009 NIPP provided updated information on
legislation, strategies, and directives applicable to CIKR protection.
Source: GAO analysis of the 2006 and 2009 National Infrastructure
Protection Plans.
[End of table]
DHS Changes to the 2009 NIPP Include Increased Emphasis on Regional
Planning and Risk Management:
DHS changes to the 2009 NIPP include increased emphasis on regional
planning and risk management and, according to PMO officials, these
changes are based on stakeholder input and sectors' experiences
performing critical infrastructure protection. The changes we
identified in the 2009 NIPP were generally foreshadowed in the 2007/
2008 NIPP Update provided to SSAs in 2008.[Footnote 19] While most of
the changes in the 2009 NIPP were minor and related to changes in
programs or activities that have occurred since the publication of the
2006 NIPP, several could have an impact on the sector planning process
and the development of SSPs. These included changes that placed a
greater emphasis on regional planning, coordination and information-
sharing across sectors; changes in how critical infrastructures are
identified and prioritized; developments in risk management to include
how threats, vulnerabilities, and consequences are assessed; and a
greater emphasis on cyber security and international interdependencies.
In contrast to the 2006 NIPP, DHS increased its emphasis on regional
planning, coordination and information-sharing in the 2009 NIPP. DHS
discussed the need for regional coordination in the 2006 NIPP and
encouraged stakeholders to address CIKR protection across sectors
within and across geographic regions. In the 2006 NIPP, regional
bodies were to be formed on an "as needed" basis. By contrast, the
2009 NIPP called for regional coordination through the formation of a
consortium of representatives from multiple regional organizations.
The 2009 NIPP states that this was done to help enhance the engagement
of regionally based partners and to leverage the CIKR protection
activities and resiliency strategies that they lead.
In comparison to the 2006 NIPP, DHS included a discussion of changes
in how critical infrastructures are identified and prioritized in the
2009 NIPP. Both the 2006 NIPP and the 2009 NIPP stated that CIKR
inventory lists were developed from multiple sources, including sector
inventories maintained by SSAs and government coordinating councils,
voluntary submissions from CIKR partners in the public or private
sector, and the results of studies conducted by various trade
associations, advocacy groups, and regulatory agencies. While the 2006
NIPP briefly discusses DHS's efforts to determine which assets are
nationally critical, the 2009 NIPP includes a more detailed discussion
of the national CIKR prioritization program, which places CIKR into
categories according to their importance, nationally or regionally.
Specifically, DHS prioritized assets using a tiered approach. Tier 1
or Tier 2 assets are those that if destroyed or disrupted could cause
significant casualties, major economic losses, or widespread and long-
term disruptions to national well-being and governance capacity.
According to DHS, the overwhelming majority of the assets and systems
identified through this effort are classified as Tier 2. Only a small
subset of assets meet the Tier 1 consequence threshold--those whose
loss or damage could result in major national or regional impacts
similar to the impacts of Hurricane Katrina or the September 11, 2001,
attacks.[Footnote 20]
DHS also provided a detailed discussion of risk management
methodologies in the 2009 NIPP, as compared to the 2006 NIPP. Whereas
the 2006 NIPP listed the baseline criteria--minimum requirements--for
conducting risk analyses to ensure they are credible and comparable,
the 2009 NIPP includes the use of a common risk assessment approach,
including the core criteria--updated requirements--for threat,
vulnerability, and consequence analyses designed to allow the
comparison of risk across sectors. For example, regarding consequence
assessments, the 2006 NIPP discusses the use of consequence screening
to help CIKR owners and operators determine whether it is necessary to
provide additional information to DHS or the SSA. Consequence
screening is an approach that allows CIKR owners and operators to
identify their projected level of consequence based on the nature of
their business, proximity to significant populations or other CIKR,
relative importance to the national economy or military capability,
and other similar factors. In contrast, the 2009 NIPP includes a
discussion of consequence uncertainty, where a range of outcomes is
possible. The 2009 NIPP states that where the range of outcomes is
large, greater detail may be required to calculate consequence and
inform decisionmaking. As part of this risk management discussion, DHS
has also made changes regarding how sectors are to measure the
performance of their CIKR programs. While both the 2006 and 2009 NIPPs
discuss descriptive and process or output data, the 2009 NIPP included
additional discussion regarding the development of metrics that assess
how well programs reduced the risk to the sector.[Footnote 21] The
2009 NIPP also discusses changes made to the approach for conducting
these assessments. For example, whereas the 2006 NIPP focused on
facility vulnerability assessments, the 2009 NIPP discusses broader
assessment efforts, including DHS's efforts to conduct a systemwide
vulnerability assessment. To illustrate a systemwide vulnerability
assessment, DHS used the example of the California Water System
Comprehensive Review, a DHS-led assessment effort to identify critical
water system assets, analyze and track the gaps in protection, and
identify potential enhancements.
In addition, DHS included a greater emphasis on cyber security in the
2009 NIPP than it did in the 2006 NIPP. The 2006 NIPP identified cross-
sector cyber security as an area worthy of special consideration by
the sectors. In comparison, the 2009 NIPP lists the progress made and
new initiatives related to cyber security, including the development
of cross-sector cyber methodologies to identify systems or networks of
national significance, and the addition of a cross-sector cyber
security working group and a public-private cross-sector program
specifically for cyber security. The 2009 NIPP also lists new responsibilities for
CIKR partners to conduct cyber security exercises to test the security
of these systems as well as the development of cyber security-specific
vulnerability assessments by DHS.
Furthermore, in contrast to the 2006 NIPP, DHS also expanded its
emphasis on international coordination and identified it as an area
warranting special consideration in the 2009 NIPP. Whereas the 2006
NIPP highlighted the importance of international coordination, the
2009 NIPP instructs the SSAs to identify foreign critical
infrastructure--whether American owned or foreign owned--of national
importance, and lists the procedures for doing so. The 2009 NIPP
discusses the importance of identifying and prioritizing
infrastructure located outside the United States that if disrupted or
destroyed would have a negative impact on the United States, lists
additional SSA responsibilities for international coordination, and
lists various international organizations that are assisting in the
implementation of international CIKR agreements. The 2009 NIPP also
highlights DHS's role in a 15-nation effort specific to cyber security.
NIPP PMO officials said that the changes highlighted in the 2009 NIPP
were the result of knowledge gained and issues raised during regularly
scheduled--bimonthly or quarterly--or specially called meetings with
security partners such as the Federal Senior Leadership Council, the
CIKR Cross-Sector Council, and other contacts with security partners
such as SSAs, sector coordinating councils, and government
coordinating councils.[Footnote 22] DHS said concerns on CIKR issues
were also elevated to DHS through their inclusion in Sector CIKR
Protection Annual Reports, as well as by outside organizations like
GAO, which NIPP PMO officials credited for the increased attention to
cyber security.[Footnote 23] NIPP PMO officials said DHS began an
effort to revise the NIPP in the spring of 2008 and, as part of this
process, DHS held discussions with infrastructure protection
components and senior leadership. Figure 1 shows the process DHS used
to update the NIPP for publication in 2009.
Figure 1: DHS Process to Update the NIPP:
Ongoing:
Federal Senior Leadership Council[A];
CIKR Cross Sector Council[A];
Government Coordinating Council;
Sector Coordinating Council;
Sector Annual Reports.
NIPP Update:
2006 NIPP:
2007/2008 NIPP Update:
NIPP Update process (Spring 2008):
* Discussion with Office of Infrastructure Protection (IP) components
plus senior leadership[B];
* Discussion with sector agencies, the Partnership for Critical
Infrastructure Security, and Government Coordinating Councils[C];
* Public review and comment in response to Federal Register notices;
* Additional reviews by Federal Senior Leadership and the CIKR Cross-
Sector Councils.
2009 NIPP:
* Review by the Homeland Security Council's Policy Coordination
Committee;
* Final review and approval by the Secretary of Homeland Security[D].
Source: GAO analysis of DHS information, Art Explosion clipart
(images).
[A] The Federal Senior Leadership Council is composed of
representatives of each of the sector-specific agencies to enhance
communication and coordination between and among these agencies. The
CIKR Cross-Sector Council is made up of representatives from each of
the SSAs to address issues that affect multiple sectors.
[B] The Office of Infrastructure Protection (IP) leads the coordinated
national program to reduce risks to the nation's CIKR posed by acts of
terrorism, and to strengthen national preparedness, timely response,
and rapid recovery in the event of an attack, natural disaster, or
other emergency.
[C] The Partnership for Critical Infrastructure Security coordinates
cross-sector initiatives to support CIKR protection by identifying
legislative issues that affect such initiatives and by raising
awareness of issues in CIKR protection.
[D] The Homeland Security Council Policy Coordinating Committee
coordinates the development and implementation of homeland security
policies by multiple departments and agencies throughout the federal
government, and coordinates those policies with state and local
government.
[End of figure]
NIPP PMO officials said that because they view NIPP updates as an
ongoing process, they will continue to reassess the NIPP and make
changes based on knowledge gained from the various partners and
stakeholders, as needed. For example, between the release of the 2006
and 2009 NIPPs, DHS issued the 2007/2008 NIPP Update. The 2007/2008 NIPP
Update contained references to changes that ultimately appeared in the
2009 NIPP, including the introduction of the system used to gather and
distribute information on critical infrastructure assets, the process
used to develop metrics to measure performance and progress in
critical infrastructure protection, and the emphasis on regional
coordination in the partnership model. The 2007/2008 NIPP Update also
included discussion of a training needs assessment that DHS conducted,
which was followed by the creation of the CIKR competency areas that
define CIKR training requirements in the 2009 NIPP.
DHS Guidance Calls for SSAs to Develop Plans and Reports That Consider
Specific Issues in the 2009 NIPP:
Following the publication of the 2009 NIPP, DHS issued guidance to the
SSAs designed to make them aware of the changes to the NIPP and to
discuss the issues DHS believed SSAs should consider for increased
attention when developing their SSPs and SARs.[Footnote 24] The
guidance provided section-by-section instructions that discussed how
SSAs were to update their plans and annual reports to be consistent
with the NIPP. For example, the 2010 SSP guidance stated that the NIPP
had increased emphasis on DHS's all-hazards approach to CIKR
protection planning and suggested that SSPs should place increased
emphasis on their approach to addressing all-hazards events when
updating their plans. The guidance also noted that SSAs should give
additional attention to topics such as cyber security and
international interdependencies. Regarding cyber security, the
guidance calls for SSAs to include goals or long-term objectives for
cyber security in their sector and explain their approach for
identifying their sector's cyber assets, systems, networks, and
functions; incorporating cyber elements into sector risk assessments;
and prioritizing cyber elements--such as communication and computer
networks--of the sector, among other things.
Fourteen of 18 SSA representatives generally described the process
they plan to use to incorporate these changes, which for the most part
mirrored DHS's process for revising the NIPP. According to the SSA
representatives, after reviewing the guidance provided by DHS, the
SSAs plan to employ internal teams or offices to draft the SSP
following DHS's format; the SSAs intend to provide the draft to key
stakeholders, such as the sector's government coordinating council and
sector coordinating council, who are to provide feedback and comments
on the draft via e-mail, individual and conference calls, and in-
person meetings; and the SSAs plan to make revisions and distribute
the draft to stakeholders for final review before submission to DHS.
See figure 2 for a description of this process.
Figure 2: Process for updating SSPs:
SSP guidance for 2010:
SSP instructions.
Sector process:
Sector drafting:
* Drafting by sector-specific agency;
* Review and revision by sector and government coordinating councils
and other stakeholders.
Submission process:
Submission to DHS:
* NIPP Program Management Office reviews draft against issued guidance;
* Revised SSPs submitted to Homeland Security Council Critical
Infrastructure Protection Interagency Policy Committee;
* Comments provided back to DHS and the appropriate SSA for
consideration.
SSP issued:
SSP issued in mid-2010.
Source: GAO analysis of DHS information.
[End of figure]
Four of 18 SSA representatives who responded to our inquiries
specifically described how changes to the 2009 NIPP either had already
been addressed in their 2007 SSPs or would be addressed in the 2010
SSPs. Regarding changes to risk assessment methodologies, for example,
the SSA representative for the Water sector stated that three risk
assessment tools are available to the Water sector. Furthermore,
according to this representative, DHS and its partners are working
collaboratively to ensure these existing assessment methodologies are
upgraded and revised by using consistent vulnerability, consequence,
and threat information, resulting in analysis of risk that is
comparable within the sector. The SSA representative said revisions to
these tools are to also address the features and elements of risk
assessments as identified in the NIPP. The Energy SSA representative
also described sector efforts in these areas, including in regional
coordination, training and education, international coordination, and
cyber security.
Those sector officials who did not offer specifics on how they expect
to address changes suggested by DHS either provided a general
statement of their efforts or said this was because the SSPs were
being drafted during our review. Four of the 18 SSA representatives
said they have contacted or plan to contact DHS about sector concerns
regarding the NIPP format or questions about the instructions
provided. For example, the SSA representative for the Healthcare and
Public Health sector told us that his agency planned to contact DHS to
discuss a change that is designed to make the SSP risk assessment
methodology consistent with the NIPP, but could be impractical for the
SSA to implement. The Healthcare sector representative said a single
risk assessment methodology would not be feasible for the Healthcare
and Public Health sector because it is composed of different kinds of
partners, such as emergency medical personnel, doctors, and hospitals,
and is made up of systems--transportation, communication, personnel--
as opposed to other sectors, which he said may be made up predominantly
of facilities. The SSA representative said this makes the use of a
single risk assessment methodology difficult for the Healthcare
sector. All 14 SSA representatives who responded with a description of
the SSP update process said they are taking extra actions to ensure
other stakeholder views are considered. For example, the Commercial
Facilities SSA said it plans to post a copy of its draft on the
Homeland Security Information Network to ensure that sector interests
are broadly represented in the review of the document.[Footnote 25]
Another example came from the Dams SSA official who said that his
office provided its draft to a dozen organizations and trade
associations outside its sector coordinating council and government
coordinating council including the American Society of Civil
Engineers, the National Dam Safety Review Board, and The
Infrastructure Security Partnership for review and comment.[Footnote
26]
SSAs also offered other comments on their efforts to address changes
to the NIPP--including changes to regional planning and risk
management--in their SSPs. Five of the 18 officials representing
different SSAs said that incorporation of these topics would not be
difficult. For example, officials representing the Chemical, Dams, and
Emergency Services sector SSAs said they did not foresee
difficulty incorporating the key focus areas from the 2009 NIPP into
their 2010 SSP rewrite. Representatives of the Commercial Facilities
and Critical Manufacturing sectors said that they found the DHS
guidance useful to their SSPs. The Water sector representative
discussed programs or activities that were ongoing or planned that
addressed each of the topics. For example, the Water sector SSA
representative said the Environmental Protection Agency, which is the
Water sector SSA, is working with DHS and other security partners to
ensure risk assessment methodologies are upgraded and refined to be
consistent with the NIPP to produce an analysis of risk that is
consistent within the sector. Officials representing the Banking and
Finance and Defense Industrial Base SSAs said it was premature to
discuss how the changes related to risk management, regional
coordination, performance measurement, and cyber security and
international interdependencies would affect their agencies' efforts
as the revision process was ongoing. The SSA official representing
both the Postal and Shipping sector and the Transportation sector said
that each change in the 2009 NIPP would be addressed according to its
unique characteristics for the sectors.[Footnote 27]
DHS Increased Its Emphasis on Resiliency in the 2009 NIPP and Directed
SSAs to Address Resiliency in Their Sector Plans:
Although DHS revised the NIPP to increase the use of the term
resilience and to highlight it as an important concept paired with
protection, the 2009 NIPP uses much of the same language as the 2006
NIPP to describe resiliency concepts and strategies. According to NIPP
PMO officials, the 2009 NIPP has been updated to recognize the
importance of resiliency and provide SSAs the requested flexibility to
incorporate resiliency within the context of their sectors.
DHS Increased Its Emphasis on Resiliency in the 2009 NIPP, but Used
Much of the Same Language as in the 2006 NIPP:
DHS increased its emphasis on resiliency in the 2009 NIPP by using the
term more frequently and generally treating it as a concept formally
paired with protection. Specifically, the 2006 NIPP used resiliency or
resiliency-related terms 93 times while the 2009 NIPP used resiliency-
related terms 183 times, about twice as often.[Footnote 28] More
importantly, whereas the 2006 NIPP primarily treated resiliency as a
subset of protection, the 2009 NIPP generally referred to resiliency
alongside protection. Both the 2006 and 2009 NIPPs include building
resilience in the definition of protection, but the 2009 NIPP
increased the profile of resilience by treating it as separate from,
but related to, CIKR protection. For example, whereas the Managing Risk
chapter of the 2006 NIPP has a section entitled "Characteristics of
Effective Protection Programs," the same chapter in the 2009 NIPP has
a section entitled, "Characteristics of Effective Protection Programs
and Resiliency Strategies."
In addition, in contrast to the 2006 NIPP, the 2009 NIPP referred to
resiliency alongside protection in the introductory section of the
document. Whereas the introduction to the 2006 NIPP states that it
"...provides the mechanisms for—enhancing information-sharing
mechanisms and protective measures within and across CI/KR
sectors...," the introduction to the 2009 NIPP states that it
"...provides the mechanisms for—enhancing information-sharing
mechanisms and protection and resiliency within and across CIKR
sectors." Also, in comparison to the 2006 NIPP, the 2009 version of
the NIPP discusses resiliency more often in the "Authorities, Roles
and Responsibilities" chapter of the document. These differences
include a discussion of the expanded roles and responsibilities of key
partners, such as SSAs and state and local governments, in CIKR
planning with regard to resiliency. In this section of the 2006 NIPP,
resiliency was discussed almost exclusively with regard to private
sector owners and operators. NIPP PMO officials told us they wanted to
recognize resilience as an approach to risk management, but some
security partners did not see how they could or should influence the
resilience efforts of the private sector. These PMO officials said
with the release of the 2009 NIPP, they made a more concerted effort
to help security partners understand how they can promote both
protection and resilience.
NIPP PMO officials told us that changes related to resiliency in the
2009 NIPP were not intended to represent a major shift in policy;
rather they were intended to increase attention to and raise awareness
about resiliency as it applies within individual sectors. These
officials told us that the concept of resiliency was always included
in the NIPP. The 2006 NIPP addressed resilience and even talked about
it being one way to enhance protection. However, NIPP PMO officials
said that many partners interpret or use protection as synonymous with
physical protection. To ensure that all NIPP partners properly
understand the intent of the NIPP, the NIPP PMO has more explicitly
addressed the concept of resiliency in the 2009 NIPP. These officials
said that this more explicit emphasis on resilience in the 2009 NIPP
is expected to encourage more system-based sector and cross-sector
activities that address a broader spectrum of risks. This would
include, for example, increased attention to cyber security--which can
transcend different sectors--and discussion of the importance of
systems and networks within and among sectors as a means of fostering
resilience.
NIPP PMO officials also told us that the 2006 edition of the NIPP was
developed based on the requirements of HSPD-7, which did not include
an explicit emphasis on resiliency. They said that the 2009 NIPP was
developed taking into account concerns raised by stakeholders that the
2006 NIPP emphasized asset protection rather than resiliency. They
explained that, shortly after the 2006 NIPP was released, as the NIPP
risk management framework and the sector partnerships matured, some
stakeholders believed that the concept of continuity and resilience,
in and of itself, was not articulated and addressed as clearly as needed
for their purposes. In addition, according to these officials, changes
in the 2009 NIPP were drawn from many sources, including members of
Congress and academic and policy groups, who also expressed increasing
interest in the concept of resiliency as a critical part of national
preparedness.
DHS Is Encouraging SSAs to Emphasize Resiliency in Their 2010 SSPs:
Although DHS provides SSAs flexibility when developing their SSPs,
given increased attention to resiliency in the 2009 NIPP, NIPP PMO
officials have encouraged SSAs to emphasize resiliency in guidance
provided to SSAs in updating SSPs. One key difference between the
guidance for developing the 2007 SSPs and the 2010 SSPs is the
inclusion of a reference to resiliency in many places where there is a
reference to protection or protection programs. For instance, chapter
5 of the 2006 guidance is entitled "Develop and Implement Protective
Programs." By contrast, chapter 5 of the 2009 guidance is entitled
"Develop and Implement Protective Programs and Resiliency Strategies."
Related to this change, DHS has also included instructions for where--
and at times, how--resiliency is to be incorporated into 2010 SSPs.
For example, in the 2009 guidance set forth in chapter 5, SSAs are
advised that in sectors for which infrastructure resiliency is as
important as, or more important than, physical security or hardening,
their SSP chapter on "Protection Program Implementation" should focus
on describing the resiliency measures and strategies being used by the
sector.[Footnote 29] The guidance also provided examples of resiliency
measures, such as building hazard resistance into initial facility
design; designing and developing self-healing and self-diagnosing cyber
systems; and incorporating smart materials and embedded sensors into
new physical and cyber networks.[Footnote 30] According to DHS
officials in the NIPP PMO, the greater attention to interdependencies
and cyber security in the NIPP reflects resiliency-related
considerations that reinforce the need for SSAs to address systems-
and network-based CIKR.
We did not examine the 2010 SSPs to determine the extent to which they
adhered to DHS's recent SSP guidance because SSPs were not complete at
the time of our review. However, we examined the 2007 SSPs prepared
based on 2006 guidance to ascertain the extent to which they contained
language about resiliency. Our review showed that 13 of the 17 SSPs
used the term resiliency or terms related to resiliency, such as
continuity of operations, in their vision statements, goals, or
objectives and 14 of 17 included resiliency in their risk management
discussions. Whereas the discussion of resiliency in the risk
management section was relatively limited in some SSPs, the discussion
about resiliency in others--particularly the banking and finance,
energy, communications, and postal and shipping and transportation
sectors--was relatively extensive. For example, the 2007 National
Monuments SSP mentions resilience in the Introduction, in reference to
national goals and in a discussion of the importance of CIKR
protection in making the nation more resilient. On the other hand,
the Banking and Finance and Communications SSPs discuss how resilient
these sectors are by design. For example:
* Banking and Finance Sector: The sector consists of many thousands of
depository institutions, securities and futures firms, insurance
companies, and other financial service companies, and supports a
number of exchanges and over-the-counter markets, all of which
contribute to the sector's resiliency because they provide a high
degree of redundancy across the sector. Thus, according to the SSP,
the competitive structure of the financial industry and the breadth of
the financial instruments provide a level of resiliency against attack
and other types of physical or cyber disruptions. The Banking and
Finance SSP goes further by listing publications related to resiliency
and business continuity planning and notes the Department of the
Treasury encourages security partners to develop, enhance, and test
business continuity plans. The SSP states that these plans are
designed to preemptively identify the core functions and capabilities
necessary to continue operations or resume operations after a
disruption. The Banking and Finance SSP also notes that there is an
annual test of business continuity planning by some members of the
sector.
* Communications Sector: Resiliency is achieved by the technology,
redundancy, and diversity employed in network design and by customers
who employ diverse and resilient primary and backup communications
capabilities, thereby increasing the availability of service to
customers and reducing the impact of outages. For example, according
to the Communications SSP, the network backbone remained intact on
September 11, 2001, and during the hurricanes of 2005 despite the
enormity of these incidents.
We interviewed SSA representatives about the extent to which they had
included a discussion of resiliency in their past SSPs, and their
plans to expand on their discussion of resilience in their 2010 SSPs.
Seventeen of the 18 SSA representatives who responded to our questions
told us they believe that they have already included the concept of
resiliency in their existing sector plans, although that term itself
may not have been used often. These SSA representatives also said that
they intend to further incorporate resiliency into their 2010 SSPs
where appropriate based on the characteristics of their sectors and
their understanding of DHS guidance. However, based on their comments,
it is likely that SSAs will not make significant changes to their SSPs
with regard to resiliency. For example:
* Banking and Finance Sector: The SSA representative said they are
reviewing the DHS guidance and working with DHS to coordinate
perspectives regarding resiliency and to ensure that it remains
central to their efforts regarding infrastructure issues. The Banking
and Finance SSA representative added that inasmuch as the Department
of the Treasury has long focused on the issue of resilience within the
financial services sector, any changes to the Banking and Finance SSP
concerning resiliency would be modest.
* Chemical Sector: The SSA representative said the sector has long
recognized that "resilient operations and effective loss prevention
are a part of managing risk. These concepts, when woven together,
support the umbrella of resiliency." The SSA representative said that
resiliency, in terms of prevention, protection, response, and recovery
along the preparedness spectrum was covered in the 2007 SSP and the
SSA anticipates highlighting and framing the discussion of these items
in terms of resiliency in the 2010 SSP update.
* Nuclear Sector: The SSA representative responded that, while
resiliency is an important goal for some aspects of the Nuclear
Sector, most Nuclear Sector programs focus on protection--physical
hardening, in addition to other protective strategies--as the
underlying goal because of the relatively serious consequences of a
successful attack on some nuclear sites. According to the SSA
representative, the draft 2010 Nuclear SSP highlights those areas
where resilience is most appropriate, while retaining the overall
focus on protection.
Finally, the SSA representative (a DHS TSA official) for the
Transportation and Postal and Shipping sectors said he did not think
that DHS merely wanted the SSAs to substitute the term resiliency
where the existing plan said "redundancy" or "recovery" and would need
to clarify the issue with DHS. For a discussion of resiliency in the
SSPs, see appendix II.
DHS officials in the NIPP PMO told us that the balance between
protection and resilience is unique to each sector and it must be
recognized that the degree to which any one SSP increases the emphasis
on resiliency will depend on the nature of the sector and the risks to
its CIKR. They also said they will rely on the sectors themselves to
determine the importance of resiliency in their plans. NIPP PMO
officials further stated that because the NIPP emphasizes both
protection and resilience, the private sector better appreciates that
the NIPP gives them the flexibility to take actions and implement
strategies that are tailored to their risks and situation. DHS
officials said that they plan to provide additional guidance or
instruction regarding resiliency to any sectors that need additional
clarification, and expect it to take time for resiliency to be fully
understood and incorporated across the sectors.
Agency Comments:
We requested comments on a draft of this report from the Secretary of
Homeland Security. In commenting on this draft DHS reiterated that it
incorporated changes into the NIPP that reflect stakeholder input and
the sectors' experience in protecting critical infrastructure. In
addition, DHS said it increased the emphasis on resilience in the 2009
NIPP and directed SSAs to address resilience in the revision of their
SSPs. DHS said the changes related to resilience in the 2009 NIPP were
not intended to represent a major shift in policy as the concept of
resilience was included in the 2006 NIPP. DHS said that the more
explicit emphasis on resilience in the 2009 NIPP is expected to
encourage more system-based sector and cross-sector activities that
address a broader spectrum of risks. DHS also provided technical
comments that we have incorporated as appropriate.
We also provided a draft of this report to SSA representatives at the
Departments of Agriculture, Defense, Energy, Health and Human
Services, Interior, and Treasury and the Environmental Protection
Agency and asked them to comment on those areas of the report relevant
to their agencies. DOD, Health and Human Services and the
Environmental Protection Agency provided technical comments that we
have incorporated where appropriate.
As agreed with your office, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
after its issue date. At that time, we will send copies of this report
to the Secretary of Homeland Security, appropriate congressional
committees, and other interested parties. In addition, the report will
be available at no charge on the GAO Web site at [hyperlink,
http://www.gao.gov].
If you or your staff have any questions about this report or wish to
discuss the matter further, please contact me at (202) 512-8777 or
caldwells@gao.gov. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this
report. Major contributors to this report are listed in appendix IV.
Signed by:
Stephen L. Caldwell:
Director, Homeland Security and Justice Issues:
[End of section]
Appendix I: The Concept of Resiliency:
This appendix discusses how resiliency has been addressed in the
context of critical infrastructure and key resource (CIKR) protection
since 2006. The concept of resiliency has gained particular importance
and application in a number of areas of federal CIKR planning. Both
members of Congress and executive branch agencies have addressed
resiliency in relation to the importance of the recovery of the
nation's critical infrastructure from damage. Accordingly, most of the
current focus is on assets, systems, and networks rather than agencies
or organizations.
Part of the recent discussion over resiliency has focused on the
definition of the concept. In February 2006, the Report of the
Critical Infrastructure Task Force of the Homeland Security Advisory
Council defined resiliency as "the capability of a system to maintain
its functions and structure in the face of internal and external
change and to degrade gracefully when it must." Later in 2006, the
Department of Homeland Security's National Infrastructure Protection
Plan--again focusing on critical infrastructure, not agencies--defined
resilience as "the capability of an asset, system, or network to
maintain its function during or to recover from a terrorist attack or
other incident." In May 2008, the House Committee on Homeland Security
held a series of hearings focusing on resilience at which government
and private sector representatives, while agreeing on the importance
of the concept, presented a variety of definitions and interpretations
of resilience. Also, in April 2009, we reported that we had identified
21 attributes particularly associated with organizational resiliency
and assigned them to five related categories. These categories are
emergency planning, organizational flexibility, leadership, workforce
commitment, and networked organizations.
[Footnote 31] Likewise, government and academic organizations have
discussed how resiliency can be achieved in different ways. Among
these are an organization's robustness (based on protection, for
example better security or the hardening of facilities); the
redundancy of primary systems (backups and overlap offering
alternatives if one system is damaged or destroyed); and the degree to
which flexibility can be built into the organization's culture (to
include continuous communications to assure awareness during a
disruption, distributed decision-making power so multiple employees
can take decisive action when needed, and being conditioned for
disruptions to improve response when necessary).
The concepts associated with resiliency, and related concepts--e.g.,
recovery and reconstitution and continuity of operations--have evolved
over the years. Homeland Security Presidential Directive-7 did not
contain specific references to resiliency, but it provided
instructions to federal agencies to create protection plans for the
facilities they own and operate to include "contingency planning,
including the recovery and reconstitution of essential capabilities."
Also, in May 2007 the President issued Homeland Security Presidential
Directive 20 - National Continuity Policy. This directive establishes
a comprehensive national policy on the continuity of federal
government structures and operations and a single National Continuity
Coordinator responsible for coordinating the development and
implementation of federal continuity policies. It also establishes
"National Essential Functions," directs executive departments and
agencies to integrate continuity requirements into operations, and
provides guidance for state, local, territorial, and tribal
governments, and private sector organizations in order to ensure a
comprehensive and integrated national continuity program that is to
enhance the credibility of our national security posture and enable a
more rapid and effective response to and recovery from a national
emergency. As part of Homeland Security Presidential Directive 20, the
Secretary of Homeland Security is directed to, among other things,
coordinate the implementation, execution, and assessment of continuity
operations and activities; develop, lead, and conduct a federal
continuity training and exercise program, which shall be incorporated
into the National Exercise Program; and develop and promulgate
continuity planning guidance to state, local, territorial, and tribal
governments, and private sector critical infrastructure owners and
operators.
In August 2009 the Homeland Security Studies and Analysis Institute
released a report that examined the operational framework that could
be used by DHS and stakeholders at all levels, both public and
private, as a basis for incorporating resilience into our
infrastructure and society in order to make the nation safer. [Footnote
32] This framework approached resilience in terms of three mutually
reinforcing objectives: resistance, absorption, and restoration.
* Resistance is accomplished when the threat or hazard damage
potential is limited through interdiction, redirection, avoidance, or
neutralization efforts. The entire system experiences less damage than
would otherwise be the case.
* Absorption is accomplished when consequences of a damage-causing
event are mitigated. The system experiences damage, but maintains its
structure and key functions. It bends, but does not break.
* Restoration is accomplished when the system is rapidly reconstituted
and reset to its present status. Key functions are reestablished,
possibly at alternative sites or with substitute processes, and
possibly at an enhanced level of functionality.
Finally, the study includes funding profiles for the resistance,
absorption, and restoration objectives dependent upon whether the
facility or entity wants to put an emphasis on avoiding damage up
front (protection) or the ability to recover from damage quickly.
Most recently, the National Infrastructure Advisory Council issued a
report on critical infrastructure resilience in September 2009.
[Footnote 33] The study noted that protection and resilience are not
opposing concepts and represent complementary and necessary elements
of a comprehensive risk management strategy. It examined current
government policies and programs for resilience in CIKR sectors. It
also focused on identifying measures to achieve sector- and national-
level resilience, cross-sector and supply-chain-related issues as they
relate to resilience, and measures implemented by individual
enterprises. The NIAC made resilience-related recommendations to the
President through the DHS Secretary to improve government
coordination, clarify roles and responsibilities, and strengthen
public-private partnerships and to encourage resilience using market
incentives.
[End of section]
Appendix II: Discussions of Resiliency in 2007 Sector-specific Plans:
This appendix discusses how the Sector-specific Agencies (SSAs)
addressed resiliency in their 2007 Sector-specific Plans (SSPs) and
how the SSAs will address resiliency in their 2010 SSPs. All 17 SSAs
in place at the time the 2007 SSPs were developed incorporated
resiliency-related terms--resilient, resilience, resiliency, and
continuity planning--into their 2007 SSPs. [Footnote 34] Specifically,
13 of the 17 SSPs used these terms in their vision statements, goals
or objectives, and 14 of the 17 used these terms in their risk
management plans.
Given the increased attention to resiliency in the 2009 National
Infrastructure Protection Plan (NIPP), NIPP Program Management
Office (PMO) officials encouraged SSAs to devote more attention to
resiliency in their 2010 SSPs. Since the Department of Homeland
Security (DHS) does not expect these plans to be released until 2010,
we contacted representatives of the 18 SSAs [Footnote 35] to gather
information on their plans to adhere to DHS's revised SSP guidance.
Representatives of 7 of the 18 sectors--Agriculture and Food,
Communications, Government Facilities, Healthcare and Public Health,
Information Technology (IT), Postal and Shipping, and Transportation--
responded that they intend to devote greater attention to resiliency,
and representatives of 10 of the 18 sectors--Banking and Finance,
Chemical, Commercial Facilities, Dams, Defense Industrial Base,
Emergency Services, Energy, National Monuments, Nuclear, and Water--
responded that they intend to devote the same amount of attention to
resiliency as in their 2007 SSPs. Finally, a representative of 1 of
the 18 sectors--Critical Manufacturing--responded that the sector's
first SSP, to be released in 2010, will describe the sector's strategy
to increase resiliency and prevent, deter, and mitigate any
disruptions caused by man-made threats or natural disasters.
The following table gives an overview of how resilience was referenced
in the 2007 SSPs and how sector representatives stated they will
address resiliency in their 2010 SSPs.
Table 3: Sector Plan References to Resiliency:
Sector: Agriculture and Food;
Resiliency overview: The 2007 Agriculture and Food SSP addressed
resiliency as a component of protection. For example, the Introduction
noted that protecting the Nation's Critical Infrastructure and Key
Resources (CIKR) makes the United States more resilient to terrorist
attacks and natural and man-made disasters. A sector representative
stated that the sector will integrate the concepts of resiliency and
protection in its 2010 SSP.
Sector: Banking and Finance;
Resiliency overview: The 2007 Banking and Finance SSP extensively
addressed resiliency. For example, the plan noted that resiliency is
built into sector risk management activities, which include
prioritization, participation in regional and national exercises,
research and development, and training. In addition, the plan noted
that the Treasury Department, the sector's SSA, encourages security
partners to develop business continuity plans, and determines the
success of the annual, industrywide business continuity planning test.
A sector representative stated that only modest changes to the 2010
plan are foreseen because the sector already focuses heavily on
resilience.
Sector: Chemical;
Resiliency overview: The 2007 Chemical SSP addressed resiliency as a
component of protection. For example, the plan noted that protection
can include a wide range of activities, such as building resiliency
and redundancy. A sector representative said that while resilience was
covered in the 2007 SSP's discussion of preparedness, the 2010 SSP
will reframe the discussion to highlight the term resiliency.
Sector: Commercial Facilities;
Resiliency overview: The 2007 Commercial Facilities SSP addressed
resiliency by focusing on continuity planning. Specifically, the plan
noted: (1) business continuity plans are often included in the public
sector's risk management processes; (2) state, local, and tribal
governments are responsible for the continuity of essential services
at commercial facilities under their jurisdiction; and (3) the owner
of a facility is responsible for the continuity of critical functions.
A sector representative noted that the sector has always stressed the
need to return to normalcy as quickly as possible after a disaster.
Sector: Communications;
Resiliency overview: The 2007 Communications SSP extensively addressed
resiliency. For example, the plan discussed how the sector mitigates
cascading effects of incidents by building resilient communications
systems and networks to ensure disruptions remain largely localized
and do not affect the national communications backbone. According to a
sector representative, the 2010 plan is expected to provide a
description of the sector's resiliency activities and explain how
government and industry are to work together to overcome emerging
challenges and impediments to risk reduction.
Sector: Critical Manufacturing;
Resiliency overview: The Critical Manufacturing sector was established
in 2008; therefore, it did not release a 2007 SSP. According to a
sector representative, the sector intends to issue a 2010 SSP, which
will explain the sector's strategy to increase resiliency and prevent,
deter, and mitigate any disruptions caused by man-made threats or
natural disasters.
Sector: Dams;
Resiliency overview: The 2007 Dams SSP addressed resiliency as a
component of protection. For example, the Introduction noted that
protecting the nation's CIKR makes the United States more resilient to
terrorist attacks and natural and man-made disasters. A sector
representative said resiliency, which the sector defines as
"contingency planning in the form of emergency action plans, response
plans, security plans and continuity of operations plans," has always
been and will continue to be incorporated into sector planning
efforts, including the 2010 SSP.
Sector: Defense Industrial Base;
Resiliency overview: The 2007 Defense Industrial Base (DIB) SSP
addressed resiliency. For example, the plan noted one of its goals was
to reduce the number of critical DIB assets whenever and wherever
possible within fiscal and legal constraints. A sector representative
said that the 2010 SSP will devote the same amount of attention to
resiliency as in the 2007 SSP.
Sector: Emergency Services;
Resiliency overview: The 2007 Emergency Services SSP addressed
resiliency as a component of protection. For example, the plan stated
that protection makes CIKR more resilient, and protection includes
building resiliency and redundancy. A sector representative did not
foresee issues updating the 2010 SSP because resiliency is already a
key feature in the Emergency Services sector.
Sector: Energy;
Resiliency overview: The 2007 Energy SSP addressed resiliency. For
example, the plan described the sector as resilient because
electricity flows freely along all available alternating current paths
in the network. These multiple paths provide resiliency to instantly
respond to both planned and unexpected equipment outages in the
system. A sector representative noted that the energy sector has
always embraced the necessity of resiliency and is engaged in a
variety of resiliency-related projects dealing with continuity of
business planning.
Sector: Government Facilities;
Resiliency overview: The 2007 Government Facilities SSP addressed
resiliency by focusing on continuity of government operations,
particularly in regard to planning, coordination and information
sharing. For example, the plan identified coordination, mechanisms and
recommended continuity actions that facilities can take to ensure the
continuity of essential operations, functions, and services. According
to a sector representative, the sector's focus on resilience has been
reinforced with the release of Homeland Security Presidential
Directive (HSPD) 20 and other federal directives. [Footnote 36] These
new policy frameworks have been used to enhance exercise programs that
focus on the continuity of government operations, leading to a more
resilient framework for the sector.
Sector: Healthcare and Public Health;
Resiliency overview: The Healthcare and Public Health SSP addressed
resiliency. For example, in an emergency, healthcare capabilities are
to be coordinated within the sector to ensure resiliency across other
CIKR sectors because these sectors rely on the healthcare sector for
their resiliency. According to an SSA representative, the 2010 SSP
will be more in-depth than the 2007 SSP in certain sections. For
example, the 2010 SSP will focus on workforce and supply network
resiliency because the Healthcare and Public Health sector is
generally made up of systems and networks.
Sector: Information Technology;
Resiliency overview: The 2007 Information Technology (IT) SSP
addressed resiliency. For example, the plan said that critical
functions must be resilient to threats, and the ability to respond to
crises promotes resilience. The plan also noted that resources are
needed to improve IT resilience and the National Cyber Security
Division must be ready with resources to contribute to improving
resilience when security investments are beyond the capability of the
private sector. According to a sector representative, the 2010 SSP is
expected to outline the sector's concept of resiliency by describing
the sector's risk management framework, which involves assessing risk,
prioritizing risk mitigation strategies, and informing sector
protective programs, research and development efforts. The
representative expects these activities will increase the resiliency
of IT sector functions.
Sector: National Monuments;
Resiliency overview: The 2007 National Monuments SSP addressed
resiliency as a component of protection. For example, the plan noted
that protection can include a wide range of activities, including
building resiliency and redundancy. A sector representative noted that
changes to the 2009 NIPP will not have an impact upon the sector's
2010 SSP because the sector focuses more on protection than on
resiliency.
Sector: Nuclear;
Resiliency overview: The 2007 Nuclear SSP addressed resiliency as a
component of protection. For example, the plan noted that resiliency
planning should be recognized as part of protection planning. A sector
representative said the draft 2010 SSP highlights areas where
resilience is appropriate, but retains its overall focus on protection.
Sector: Postal and Shipping;
Resiliency overview: The 2007 Postal and Shipping SSP addressed
resiliency by focusing on continuity planning. For example, the plan
noted sector continuity is important for daily economic and personal
transactions, so assets and systems are designed to ensure business
continuity even if individual assets are unable to provide services.
For the 2010 SSP, a sector representative said the sector needs to
broaden its risk mitigation activities by developing resiliency
targets and group resiliency programs to track how improving
resiliency reduces risk.
Sector: Transportation;
Resiliency overview: The 2007 Transportation SSP extensively addressed
resiliency. For example, the plan discussed surface transportation,
tunnel, freight, and pipeline programs that enhance the sector's
resiliency. For the 2010 SSP, a sector representative said the sector
needs to broaden its risk mitigation activities by developing
resiliency targets and group resiliency programs to track how
improving resiliency reduces risk.
Sector: Water;
Resiliency overview: The 2007 Water SSP addressed resiliency. For
example, the plan noted that research into architecture and systems
design will focus on continuity of service and resiliency for the
uninterrupted provision of safe water. A sector representative stated
that the Environmental Protection Agency, the sector's SSA, will
continue to incorporate resilience into its 2010 SSP;
therefore, major revisions related to resilience will not be necessary.
Source: 2007 SSPs and interviews with sector representatives.
[End of table]
[End of section]
Appendix III: Comments from the Department of Homeland Security:
U.S. Department of Homeland Security:
Washington, DC 20528:
February 25, 2010:
Mr. Stephen L. Caldwell:
Director, Homeland Security and Justice:
U.S. Government Accountability Office:
441 G Street, NW:
Washington, DC 20548:
Dear Mr. Caldwell:
Re: Draft Report GAO-10-296, Critical Infrastructure Protection:
Update to National Infrastructure Protection Plan Includes Increased
Emphasis on Risk Management and Resilience (GAO Job Code 440818)
The Department of Homeland Security (DHS) appreciates the opportunity
to review and comment on the U.S. Government Accountability Office's
draft report referenced above. The report addresses (1) how the 2009
National Infrastructure Protection Plan (NIPP) changed compared to the
2006 NIPP and what process was used to identify and incorporate the
changes; and (2) how DHS and sector-specific agencies (SSAs) have
addressed the concept of critical infrastructure resiliency as part of
our national critical infrastructure and key resources (CIKR) and
sector-specific planning efforts. These questions have largely been
addressed by summarizing and documenting DHS's approach to develop the
2009 NIPP and the related efforts by DHS and the SSAs to develop the
2010 Sector-Specific Plans (SSPs) that support the NIPP. The report
contains no recommendations and DHS appreciates the recognition of
efforts taken with respect to resiliency.
As noted in the draft report, DHS incorporated changes into the NIPP
that reflect stakeholder input and the sectors' experience in
protecting critical infrastructure. In addition, DHS increased the
emphasis on resilience in the 2009 NIPP and directed SSAs to address
resilience in the revision of their SSPs. Changes related to
resilience in the 2009 NIPP were not intended to represent a major
shift in policy; rather they were intended to increase attention to
and raise awareness about resilience as it applies within individual
sectors. The concept of resilience was included in the 2006 NIPP as
one of many different ways to enhance protection. However, by not
seeing resilience strategies in places where protective programs were
mentioned, some of the sector partners thought that approaching risk
management through increased resilience was not explicitly accepted
and promoted under the NIPP. The more explicit emphasis on resilience
in the 2009 NIPP is expected to encourage more system-based sector and
cross-sector activities that address a broader spectrum of risks.
Sincerely,
Signed by:
Jerald E. Levine:
Director:
Departmental GAO/OIG Audit Liaison Office:
[End of section]
Appendix IV: GAO Contacts and Acknowledgments:
GAO Contact:
Stephen L. Caldwell (202) 512-8777:
Acknowledgments:
In addition to the contact named above, John Mortin, Assistant
Director and Tony DeFrank, Analyst-in-Charge, managed this assignment
with assistance from Christy Bilardo and Landis Lindsey. Michele Fejar
and Steven Putansu assisted with design and methodology. Tracey King
and Thomas Lombardi provided legal support and Lara Kaskie provided
assistance in report preparation.
[End of section]
GAO Products Related to Critical Infrastructure Protection:
Critical Infrastructure Protection:
The Department of Homeland Security's (DHS) Critical Infrastructure
Protection Cost-Benefit Report. [hyperlink,
http://www.gao.gov/products/GAO-09-654R]. Washington, D.C.: June 26,
2009.
Influenza Pandemic: Opportunities Exist to Address Critical
Infrastructure Protection Challenges That Require Federal and Private
Sector Coordination. [hyperlink,
http://www.gao.gov/products/GAO-08-36]. Washington, D.C.: October 31,
2007.
Critical Infrastructure: Sector Plans Complete and Sector Councils
Evolving. [hyperlink, http://www.gao.gov/products/GAO-07-1075T].
Washington, D.C.: July 12, 2007.
Critical Infrastructure Protection: Sector Plans and Sector Councils
Continue to Evolve. [hyperlink,
http://www.gao.gov/products/GAO-07-706R]. Washington, D.C.: July 10,
2007.
Critical Infrastructure: Challenges Remain in Protecting Key Sectors.
[hyperlink, http://www.gao.gov/products/GAO-07-626T]. Washington,
D.C.: March 20, 2007.
Critical Infrastructure Protection: Progress Coordinating Government
and Private Sector Efforts Varies by Sectors' Characteristics.
[hyperlink, http://www.gao.gov/products/GAO-07-39]. Washington, D.C.:
October 16, 2006.
Critical Infrastructure Protection: Challenges for Selected Agencies
and Industry Sectors. [hyperlink,
http://www.gao.gov/products/GAO-03-233]. Washington, D.C.: February
28, 2003.
Critical Infrastructure Protection: Commercial Satellite Security
Should Be More Fully Addressed. [hyperlink,
http://www.gao.gov/products/GAO-02-781]. Washington, D.C.: August 30,
2002.
Cyber Security:
Critical Infrastructure Protection: Current Cyber Sector-Specific
Planning Approach Needs Reassessment. [hyperlink,
http://www.gao.gov/products/GAO-09-969]. Washington, D.C.: September
2009.
Cybersecurity: Continued Federal Efforts Are Needed to Protect
Critical Systems and Information. [hyperlink,
http://www.gao.gov/products/GAO-09-835T]. Washington, D.C.: June 25,
2009.
Information Security: Cyber Threats and Vulnerabilities Place Federal
Systems at Risk. [hyperlink, http://www.gao.gov/products/GAO-09-661T].
Washington, D.C.: May 5, 2009.
National Cybersecurity Strategy: Key Improvements Are Needed to
Strengthen the Nation's Posture. [hyperlink,
http://www.gao.gov/products/GAO-09-432T]. Washington, D.C.: March 10,
2009.
Critical Infrastructure Protection: DHS Needs to Better Address Its
Cybersecurity Responsibilities. [hyperlink,
http://www.gao.gov/products/GAO-08-1157T]. Washington, D.C.: September
16, 2008.
Critical Infrastructure Protection: DHS Needs to Fully Address Lessons
Learned from Its First Cyber Storm Exercise. [hyperlink,
http://www.gao.gov/products/GAO-08-825]. Washington, D.C.: September
9, 2008.
Cyber Analysis and Warning: DHS Faces Challenges in Establishing a
Comprehensive National Capability. [hyperlink,
http://www.gao.gov/products/GAO-08-588]. Washington, D.C.: July 31,
2008.
Critical Infrastructure Protection: Further Efforts Needed to
Integrate Planning for and Response to Disruptions on Converged Voice
and Data Networks. [hyperlink,
http://www.gao.gov/products/GAO-08-607]. Washington, D.C.: June 26,
2008.
Information Security: TVA Needs to Address Weaknesses in Control
Systems and Networks. [hyperlink,
http://www.gao.gov/products/GAO-08-526]. Washington, D.C.: May 21,
2008.
Critical Infrastructure Protection: Sector-Specific Plans' Coverage of
Key Cyber Security Elements Varies. [hyperlink,
http://www.gao.gov/products/GAO-08-64T]. Washington, D.C.: October 31,
2007.
Critical Infrastructure Protection: Sector-Specific Plans' Coverage of
Key Cyber Security Elements Varies. [hyperlink,
http://www.gao.gov/products/GAO-08-113]. Washington, D.C.: October 31,
2007.
Critical Infrastructure Protection: Multiple Efforts to Secure Control
Systems are Under Way, but Challenges Remain. [hyperlink,
http://www.gao.gov/products/GAO-07-1036]. Washington, D.C.: September
10, 2007.
Critical Infrastructure Protection: DHS Leadership Needed to Enhance
Cybersecurity. [hyperlink, http://www.gao.gov/products/GAO-06-1087T].
Washington, D.C.: September 13, 2006.
Critical Infrastructure Protection: Challenges in Addressing
Cybersecurity. [hyperlink, http://www.gao.gov/products/GAO-05-827T].
Washington, D.C.: July 19, 2005.
Critical Infrastructure Protection: Department of Homeland Security
Faces Challenges in Fulfilling Cybersecurity Responsibilities.
[hyperlink, http://www.gao.gov/products/GAO-05-434]. Washington, D.C.:
May 26, 2005.
Critical Infrastructure Protection: Improving Information Sharing with
Infrastructure Sectors. [hyperlink,
http://www.gao.gov/products/GAO-04-780]. Washington, D.C.: July 9,
2004.
Technology Assessment: Cybersecurity for Critical Infrastructure
Protection. [hyperlink, http://www.gao.gov/products/GAO-04-321].
Washington, D.C.: May 28, 2004.
Critical Infrastructure Protection: Establishing Effective Information
Sharing with Infrastructure Sectors. [hyperlink,
http://www.gao.gov/products/GAO-04-699T]. Washington, D.C.: April 21,
2004.
Critical Infrastructure Protection: Challenges and Efforts to Secure
Control Systems. [hyperlink, http://www.gao.gov/products/GAO-04-628T].
Washington, D.C.: March 30, 2004.
Critical Infrastructure Protection: Challenges and Efforts to Secure
Control Systems. [hyperlink, http://www.gao.gov/products/GAO-04-354].
Washington, D.C.: March 15, 2004.
Posthearing Questions from the September 17, 2003, Hearing on
"Implications of Power Blackouts for the Nation's Cybersecurity and
Critical Infrastructure Protection: The Electric Grid, Critical
Interdependencies, Vulnerabilities, and Readiness". [hyperlink,
http://www.gao.gov/products/GAO-04-300R]. Washington, D.C.: December
8, 2003.
Critical Infrastructure Protection: Challenges in Securing Control
Systems. [hyperlink, http://www.gao.gov/products/GAO-04-140T].
Washington, D.C.: October 1, 2003.
Critical Infrastructure Protection: Efforts of the Financial Services
Sector to Address Cyber Threats. [hyperlink,
http://www.gao.gov/products/GAO-03-173]. Washington, D.C.: January 30,
2003.
High-Risk Series: Protecting Information Systems Supporting the
Federal Government and the Nation's Critical Infrastructures.
[hyperlink, http://www.gao.gov/products/GAO-03-121]. Washington, D.C.:
January 1, 2003.
Critical Infrastructure Protection: Federal Efforts Require a More
Coordinated and Comprehensive Approach for Protecting Information
Systems. [hyperlink, http://www.gao.gov/products/GAO-02-474].
Washington, D.C.: July 15, 2002.
Critical Infrastructure Protection: Significant Challenges in
Safeguarding Government and Privately Controlled Systems from Computer-
Based Attacks. [hyperlink, http://www.gao.gov/products/GAO-01-1168T].
Washington, D.C.: September 26, 2001.
Critical Infrastructure Protection: Significant Challenges in
Protecting Federal Systems and Developing Analysis and Warning
Capabilities. [hyperlink, http://www.gao.gov/products/GAO-01-1132T].
Washington, D.C.: September 12, 2001.
Critical Infrastructure Protection: Significant Challenges in
Developing Analysis, Warning, and Response Capabilities. [hyperlink,
http://www.gao.gov/products/GAO-01-1005T]. Washington, D.C.: July 25,
2001.
Critical Infrastructure Protection: Significant Challenges in
Developing Analysis, Warning, and Response Capabilities. [hyperlink,
http://www.gao.gov/products/GAO-01-769T]. Washington, D.C.: May 22,
2001.
Critical Infrastructure Protection: Significant Challenges in
Developing National Capabilities. [hyperlink,
http://www.gao.gov/products/GAO-01-323]. Washington, D.C.: April 25,
2001.
Critical Infrastructure Protection: Challenges to Building a
Comprehensive Strategy for Information Sharing and Coordination.
[hyperlink, http://www.gao.gov/products/GAO/T-AIMD-00-268].
Washington, D.C.: July 26, 2000.
Critical Infrastructure Protection: Comments on the Proposed Cyber
Security Information Act of 2000. [hyperlink,
http://www.gao.gov/products/GAO/T-AIMD-00-229]. Washington, D.C.: June
22, 2000.
Critical Infrastructure Protection: "ILOVEYOU" Computer Virus
Highlights Need for Improved Alert and Coordination Capabilities.
[hyperlink, http://www.gao.gov/products/GAO/T-AIMD-00-181].
Washington, D.C.: May 18, 2000.
Critical Infrastructure Protection: National Plan for Information
Systems Protection. [hyperlink,
http://www.gao.gov/products/GAO/AIMD-00-90R]. Washington, D.C.:
February 11, 2000.
Critical Infrastructure Protection: Comments on the National Plan for
Information Systems Protection. [hyperlink,
http://www.gao.gov/products/GAO/T-AIMD-00-72]. Washington, D.C.:
February 1, 2000.
Critical Infrastructure Protection: Fundamental Improvements Needed to
Assure Security of Federal Operations. [hyperlink,
http://www.gao.gov/products/GAO/T-AIMD-00-7]. Washington, D.C.:
October 6, 1999.
Critical Infrastructure Protection: Comprehensive Strategy Can Draw on
Year 2000 Experiences. [hyperlink,
http://www.gao.gov/products/GAO/AIMD-00-1]. Washington, D.C.: October
1, 1999.
Defense Critical Infrastructure Protection:
Defense Critical Infrastructure: Actions Needed to Improve
Identification and Management of Electrical Power Risks and
Vulnerabilities to DoD Critical Assets. [hyperlink,
http://www.gao.gov/products/GAO-10-147]. Washington, D.C.: October 23, 2009.
Defense Critical Infrastructure: Actions Needed to Improve the
Consistency, Reliability, and Usefulness of DOD's Tier 1 Task Critical
Asset List. [hyperlink, http://www.gao.gov/products/GAO-09-740R].
Washington, D.C.: July 17, 2009.
Defense Critical Infrastructure: Developing Training Standards and an
Awareness of Existing Expertise Would Help DOD Assure the Availability
of Critical Infrastructure. [hyperlink,
http://www.gao.gov/products/GAO-09-42]. Washington, D.C.: October 30,
2008.
Defense Critical Infrastructure: Adherence to Guidance Would Improve
DOD's Approach to Identifying and Assuring the Availability of
Critical Transportation Assets. [hyperlink,
http://www.gao.gov/products/GAO-08-851]. Washington, D.C.: August 15,
2008.
Defense Critical Infrastructure: DOD's Risk Analysis of Its Critical
Infrastructure Omits Highly Sensitive Assets. [hyperlink,
http://www.gao.gov/products/GAO-08-373R]. Washington, D.C.: April 2,
2008.
Defense Infrastructure: Management Actions Needed to Ensure
Effectiveness of DOD's Risk Management Approach for the Defense
Industrial Base. [hyperlink, http://www.gao.gov/products/GAO-07-1077].
Washington, D.C.: August 31, 2007.
Defense Infrastructure: Actions Needed to Guide DOD's Efforts to
Identify, Prioritize, and Assess Its Critical Infrastructure.
[hyperlink, http://www.gao.gov/products/GAO-07-461]. Washington, D.C.:
May 24, 2007.
Electrical Power:
Electricity Restructuring: FERC Could Take Additional Steps to Analyze
Regional Transmission Organizations' Benefits and Performance.
[hyperlink, http://www.gao.gov/products/GAO-08-987]. Washington, D.C.:
September 22, 2008.
Department of Energy, Federal Energy Regulatory Commission: Mandatory
Reliability Standards for Critical Infrastructure Protection.
[hyperlink, http://www.gao.gov/products/GAO-08-493R]. Washington,
D.C.: February 21, 2008.
Electricity Restructuring: Key Challenges Remain. [hyperlink,
http://www.gao.gov/products/GAO-06-237]. Washington, D.C.: November
15, 2005.
Meeting Energy Demand in the 21st Century: Many Challenges and Key
Questions. [hyperlink, http://www.gao.gov/products/GAO-05-414T].
Washington, D.C.: March 16, 2005.
Electricity Restructuring: Action Needed to Address Emerging Gaps in
Federal Information Collection. [hyperlink,
http://www.gao.gov/products/GAO-03-586]. Washington, D.C.: June 30,
2003.
Restructured Electricity Markets: Three States' Experiences in Adding
Generating Capacity. [hyperlink,
http://www.gao.gov/products/GAO-02-427]. Washington, D.C.: May 24,
2002.
Energy Markets: Results of FERC Outage Study and Other Market Power
Studies. [hyperlink, http://www.gao.gov/products/GAO-01-1019T].
Washington, D.C.: August 2, 2001.
Other:
Combating Terrorism: Observations on National Strategies Related to
Terrorism. [hyperlink, http://www.gao.gov/products/GAO-03-519T].
Washington, D.C.: March 3, 2003.
Critical Infrastructure Protection: Significant Challenges Need to Be
Addressed. [hyperlink, http://www.gao.gov/products/GAO-02-961T].
Washington, D.C.: July 24, 2002.
Critical Infrastructure Protection: Significant Homeland Security
Challenges Need to Be Addressed. [hyperlink,
http://www.gao.gov/products/GAO-02-918T]. Washington, D.C.: July 9,
2002.
[End of section]
Footnotes:
[1] See generally Pub. L. No. 107-296, 116 Stat. 2135 (2002). Title II
of the Homeland Security Act, as amended, primarily addresses the
department's responsibilities for critical infrastructure protection.
[2] The 18 sectors are Agriculture and Food; Banking and Finance;
Chemical; Commercial Facilities; Communications; Critical
Manufacturing; Dams; Defense Industrial Base; Emergency Services;
Energy; Government Facilities; Information Technology; National
Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and
Shipping; Public Health and Healthcare; Transportation Systems and
Water.
[3] In 1990, we began a program to report on government operations
that we identified as "high risk." We periodically report on the
progress to address these high-risk areas, generally at the start of
each new Congress. For more information on the high-risk program
generally, and critical infrastructure protection in particular, see
High-Risk Series: An Update, GAO-09-271 (Washington, D.C.: January
2009). Cyber security is the prevention of damage to, unauthorized use
of, or exploitation of, and, if needed, the restoration of electronic
information and communications systems and the information contained
therein to ensure confidentiality, integrity, and availability.
[4] DHS, National Infrastructure Protection Plan (Washington, D.C.:
June 2006).
[5] DHS, National Infrastructure Protection Plan, Partnering to
Enhance Protection and Resiliency (Washington, D.C.: January 2009).
[6] According to DHS, the NIPP risk management framework is a planning
methodology that outlines the process for setting goals and
objectives, identifying assets, systems, and networks; assessing risk
based on consequences, vulnerabilities, and threats; implementing
protective programs and resiliency strategies; and measuring
performance, and taking corrective action.
[7] For more information, see GAO, The Department of Homeland
Security's (DHS) Critical Infrastructure Protection Cost-Benefit
Report, [hyperlink, http://www.gao.gov/products/GAO-09-654R]
(Washington, D.C.: June 2009). Our report discussed DHS's effort to
comply with a congressional mandate that directed it to complete an
analysis of whether DHS should require private sector entities to
provide it with existing information about their security measures and
vulnerabilities in order to improve the department's ability to
evaluate critical infrastructure protection nationwide. We reported
that, according to DHS, requiring private entities to provide
sensitive information to the department conflicts with the voluntary
information-sharing approach DHS was to pursue under the Homeland
Security Act.
[8] The Government Facilities and National Monuments and Icons Sectors
do not have Sector Coordinating Councils because they are uniquely
governmental.
[9] The Government Coordinating Council comprises representatives
across various levels of government (federal, state, local, tribal,
and territorial) as appropriate to the risk and scope of each
individual sector. The sector coordinating council is the private
sector counterpart to the government coordinating councils. The
private sector councils are self-organized, self-run, and self-
governed organizations that are representative of a spectrum of key
stakeholders within a sector. Sector coordinating councils serve as
the government's principal point of entry into each sector for
developing and coordinating a wide range of CIKR protection activities
and issues.
[10] The SSPs provide the means by which the NIPP is implemented
across all sectors, as well as a national framework for each sector
that guides the development, implementation, and updating of state and
local homeland security strategies and CIKR protection programs. The
Critical Manufacturing sector will produce its first SSP in 2010. The
SARs articulate the progress of the sector's CIKR protection and
resiliency efforts, challenges, and needs to other sectors, government
agencies, CIKR partners, the Executive Office of the President, and
Congress.
[11] National Infrastructure Advisory Council, Critical Infrastructure
Resilience Final Report and Recommendations (Washington, D.C.: Sept.
8, 2009).
[12] NIPP PMO officials said the NIPP treats protection and resilience
as related concepts--not mutually exclusive ones--so strictly looking
at word counts will not identify all the changes. However, as noted
above and as agreed with DHS, our analysis took into account where and
in what context these terms were used.
[13] Not all sector representatives answered each question regarding
sector plans to address changes in the NIPP and the direction to
address resiliency in their 2010 sector-specific plans. Thus, when
discussing sector representative responses in this report, we identify
the number of sectors that responded.
[14] Pub. L. No. 107-188, 116 Stat. 594 (2002); Pub. L. No. 109-417,
120 Stat. 2831 (2006).
[15] Pub. L. No. 107-305, 116 Stat. 2367 (2002). Other statutes
include the Implementing Recommendations of the 9/11 Commission Act of
2007, Pub. L. No. 110-53, 121 Stat. 266 (2007); the Maritime
Transportation Security Act of 2002, Pub. L. No. 107-295, 116 Stat.
2064 (2002); the Aviation and Transportation Security Act of 2001,
Pub. L. No. 107-71, 115 Stat. 597 (2001); Energy Policy and
Conservation Act, Pub. L. No. 94-163, 89 Stat. 871 (1975); the
Critical Infrastructure Information Act, 6 U.S.C. §§ 131-34; and the
Federal Information Security Management Act, 44 U.S.C. §§ 3541-49.
[16] Other CIKR-related presidential directives include HSPD-3, which
addresses the Homeland Security Advisory System; HSPD-9, which
discusses the defense of U.S. Agriculture and Food; HSPD-10, which
addresses Biodefense for the 21st Century; HSPD-19, which deals with
Combating Terrorist Use of Explosives in the United States; HSPD-20,
which addresses National Continuity Policy; and HSPD-22, which
discusses Domestic Chemical Defense.
[17] The Homeland Security Advisory Council provides advice,
recommendations, and expertise to the government regarding protection
policy and activities.
[18] DHS coordinates the National Exercise Program, which is designed
to ensure the nation's readiness to respond to terrorist attacks and
natural disasters and to practice and evaluate protection plans and
programs put in place under the NIPP.
[19] The 2007/2008 NIPP Update was released in August 2008 and
captured changes to infrastructure protection that occurred since the
release of the 2006 NIPP.
[20] The process of identifying these nationally significant assets
and systems is conducted on an annual basis and relies heavily on the
insights and knowledge of a wide array of public and private sector
security partners. CIKR categorized as Tier 1 or Tier 2 as a result of
this annual process provide a common basis on which DHS and its
security partners can implement important CIKR protection programs and
initiatives, such as various grant programs, buffer zone protection
efforts, facility assessments and training, and other activities. DHS
has other tiered categories of infrastructure whose destruction or
disruption would not have a significant national or regional impact,
though local impacts could be substantial.
[21] Examples of descriptive data include the number of facilities in
a jurisdiction and the number of suppliers in an infrastructure
service provider's supply chain. Examples of process or output data
include the number of protective programs implemented in a fiscal year
and the percentage of sector organizations exchanging CIKR information.
[22] The NIPP Federal Senior Leadership Council is composed of
representatives of each of the sector-specific agencies to enhance
communication and coordination between and among these agencies. The
CIKR Cross-Sector Council is made up of representatives from each of
the SSAs to address issues that affect multiple sectors.
[23] See GAO, Critical Infrastructure Protection: Sector-Specific
Plans' Coverage of Key Cyber Security Elements Varies, [hyperlink,
http://www.gao.gov/products/GAO-08-64T] (Washington, D.C.: Oct. 31,
2007). GAO, Critical Infrastructure Protection: Current Cyber Sector-
Specific Planning Approach Needs Reassessment, [hyperlink,
http://www.gao.gov/products/GAO-09-969] (Washington, D.C.: September
2009).
[24] DHS's guidance documents are the 2009 Sector Critical
Infrastructure and Key Resources Protection: Annual Report Guidance
(February 2009); the Triennial Rewrite and Reissue of the 2010
Sector-Specific Plans: Guidance for Sector-Specific Agencies and Other
Sector Partners (March 2009); and the 2009 Sector Critical
Infrastructure and Key Resources Protection: NIPP Metric Guidance
(February 2009).
[25] The Homeland Security Information Network (HSIN) is a national,
Web-based communications platform that allows: DHS; SSAs; state,
local, tribal, and territorial governmental entities; and other
partners to obtain, analyze, and share information. The Critical
Sectors element of HSIN is an information-sharing portal designed to
encourage communication and collaboration among all CIKR sectors and
the federal government. The content is tailored for each of the CIKR
sectors.
[26] The American Society of Civil Engineers represents more than
147,000 members of the civil engineering profession--the construction
of roads, bridges, and other infrastructure for public use--worldwide.
The National Dam Safety Review Board provides the Director of FEMA
with advice in setting national dam safety priorities and considers
the effects of national policy issues affecting dam safety. The
Infrastructure Security Partnership is a nonprofit partnership that
aims to be a national asset facilitating dialogue on domestic
infrastructure security, offering sources of technical support, and
commenting on public policy related to the security of the nation's
built environment.
[27] As shown in table 1, the SSA for the Transportation and the
Postal and Shipping sectors is the Transportation Security
Administration.
[28] As noted earlier, we counted the following resiliency-related
terms--resilience, resiliency, resilient, and continuity (business
continuity or operational continuity).
[29] The term "hardening" refers to making physical changes to a
facility or creating additional redundancies to enhance its protection.
[30] DHS has also made commensurate changes to its 2009 SAR guidance.
For example, the 2009 SAR guidance directs the SSAs to address
resiliency in most sections of their annual reports. In addition, the
guidance asks SSAs to consider whether efforts to improve resiliency
for the sector should be considered as part of changes in policy,
resources, personnel, and facilities, and it states that resiliency
activities should be documented as part of the sector's path forward.
[31] [1] See IRS Management: IRS Practices Contribute to Its
Resilience, but Would Benefit from Additional Emergency Planning
Efforts, [hyperlink, http://www.gao.gov/products/GAO-09-418]
(Washington, D.C.: Apr. 9, 2009).
[32] [2] The Homeland Security Studies and Analysis Institute, Concept
Development: An Operational Framework for Resilience (Aug. 27, 2009).
[33] [3] The National Infrastructure Advisory Council (NIAC) is
primarily composed of private sector CIKR representatives and provides
the President with advice on the security of the 18 Critical
Infrastructure and Key Resource (CIKR) sectors and their information
systems. The NIAC also advises the lead federal agencies that have
critical infrastructure responsibilities and industry sector
coordinating mechanisms. The NIAC report, Critical Infrastructure
Resilience: Final Report and Recommendations, was published September
8, 2009.
[34] [1] We limited our analysis to how often and where resiliency-
related terms--resiliency, resilience, resilient, and continuity--were
used in these plans. In commenting on our approach, DHS said this was
a reasonable set of terms for our analysis.
[35] [2] DHS designated Critical Manufacturing as the 18th CIKR sector
in March 2008.
[End of section]
GAO's Mission:
The Government Accountability Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting
its constitutional responsibilities and to help improve the performance
and accountability of the federal government for the American people.
GAO examines the use of public funds; evaluates federal programs and
policies; and provides analyses, recommendations, and other assistance
to help Congress make informed oversight, policy, and funding
decisions. GAO's commitment to good government is reflected in its core
values of accountability, integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each
weekday, GAO posts newly released reports, testimony, and
correspondence on its Web site. To have GAO e-mail you a list of newly
posted products every afternoon, go to [hyperlink, http://www.gao.gov]
and select "E-mail Updates."
Order by Phone:
The price of each GAO publication reflects GAO's actual cost of
production and distribution and depends on the number of pages in the
publication and whether the publication is printed in color or black and
white. Pricing and ordering information is posted on GAO's Web site,
[hyperlink, http://www.gao.gov/ordering.htm].
Place orders by calling (202) 512-6000, toll free (866) 801-7077, or
TDD (202) 512-2537.
Orders may be paid for using American Express, Discover Card,
MasterCard, Visa, check, or money order. Call for additional
information.
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]
E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470
Congressional Relations:
Ralph Dawn, Managing Director, dawnr@gao.gov
(202) 512-4400
U.S. Government Accountability Office
441 G Street NW, Room 7125
Washington, D.C. 20548
Public Affairs:
Chuck Young, Managing Director, youngc1@gao.gov
(202) 512-4800
U.S. Government Accountability Office
441 G Street NW, Room 7149
Washington, D.C. 20548