[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

VALUE OF DHS'S VULNERABILITY ASSESSMENTS IN PROTECTING OUR NATION'S CRITICAL INFRASTRUCTURE

=======================================================================

HEARING
before the
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION

JULY 12, 2016

Serial No. 114-81

Printed for the use of the Committee on Homeland Security

Available via the World Wide Web: http://www.gpo.gov/fdsys/

U.S. GOVERNMENT PUBLISHING OFFICE
25-264 PDF
WASHINGTON : 2017

For sale by the Superintendent of Documents, U.S. Government Publishing Office. Internet: bookstore.gpo.gov. Phone: toll free (866) 512-1800; DC area (202) 512-1800. Fax: (202) 512-2104. Mail: Stop IDCC, Washington, DC 20402-001.

COMMITTEE ON HOMELAND SECURITY

Michael T. McCaul, Texas, Chairman

Majority: Lamar Smith, Texas; Peter T. King, New York; Mike Rogers, Alabama; Candice S. Miller, Michigan, Vice Chair; Jeff Duncan, South Carolina; Tom Marino, Pennsylvania; Lou Barletta, Pennsylvania; Scott Perry, Pennsylvania; Curt Clawson, Florida; John Katko, New York; Will Hurd, Texas; Earl L. "Buddy" Carter, Georgia; Mark Walker, North Carolina; Barry Loudermilk, Georgia; Martha McSally, Arizona; John Ratcliffe, Texas; Daniel M. Donovan, Jr., New York.

Minority: Bennie G. Thompson, Mississippi; Loretta Sanchez, California; Sheila Jackson Lee, Texas; James R. Langevin, Rhode Island; Brian Higgins, New York; Cedric L. Richmond, Louisiana; William R. Keating, Massachusetts; Donald M. Payne, Jr., New Jersey; Filemon Vela, Texas; Bonnie Watson Coleman, New Jersey; Kathleen M. Rice, New York; Norma J. Torres, California.

Brendan P. Shields, Staff Director
Joan V. O'Hara, General Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director

------

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES

John Ratcliffe, Texas, Chairman

Majority: Peter T. King, New York; Tom Marino, Pennsylvania; Scott Perry, Pennsylvania; Curt Clawson, Florida; Daniel M. Donovan, Jr., New York; Michael T. McCaul, Texas (ex officio).

Minority: Cedric L. Richmond, Louisiana; Loretta Sanchez, California; Sheila Jackson Lee, Texas; James R. Langevin, Rhode Island; Bennie G. Thompson, Mississippi (ex officio).

Brett DeWitt, Subcommittee Staff Director
Katie Rashid, Subcommittee Clerk
Christopher Schepis, Minority Subcommittee Staff Director

C O N T E N T S

----------

Statements

The Honorable John Ratcliffe, a Representative in Congress From the State of Texas, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies:
    Oral Statement
    Prepared Statement

The Honorable Cedric L. Richmond, a Representative in Congress From the State of Louisiana, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies:
    Oral Statement
    Prepared Statement

Witnesses

Mr. Chris P. Currie, Director, Homeland Security and Justice Issues, U.S. Government Accountability Office:
    Oral Statement
    Prepared Statement

Mr. Andy Ozment, Assistant Secretary, Office of Cybersecurity and Communications, National Protection and Programs Directorate, U.S. Department of Homeland Security:
    Oral Statement
    Joint Prepared Statement

Ms. Caitlin Durkovich, Assistant Secretary, Office of Infrastructure Protection, National Protection and Programs Directorate, U.S. Department of Homeland Security:
    Oral Statement
    Joint Prepared Statement

Mr. Marcus L. Brown, Homeland Security Advisor, Director of the Office of Homeland Security, Commonwealth of Pennsylvania:
    Oral Statement
    Prepared Statement

Appendix

Questions From Chairman John Ratcliffe for Chris P. Currie
Questions From Chairman John Ratcliffe for Andy Ozment
Questions From Ranking Member Cedric L. Richmond for Andy Ozment
Questions From Chairman John Ratcliffe for Caitlin Durkovich
Questions From Chairman John Ratcliffe for Marcus Brown

VALUE OF DHS'S VULNERABILITY ASSESSMENTS IN PROTECTING OUR NATION'S CRITICAL INFRASTRUCTURE

----------

Tuesday, July 12, 2016

U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies,
Washington, DC.

The subcommittee met, pursuant to notice, at 10:02 a.m., in room 311, Cannon House Office Building, Hon. John Ratcliffe (Chairman of the subcommittee) presiding.

Present: Representatives Ratcliffe, Perry, Donovan, Richmond, Sanchez, and Langevin.

Also present: Representative Payne.

Mr. Ratcliffe. The Committee on Homeland Security Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies will come to order.

The subcommittee is meeting today to examine how the Department of Homeland Security is fulfilling its important mission of protecting our Nation's critical infrastructure. We look forward to examining DHS's capabilities and conducting physical and cybersecurity vulnerability assessments.

The critical systems that are essential and central to our daily lives are targeted every day by terrorists, nation-States, and criminals.
Taxpayer funds used to protect these systems must be invested wisely, and must add value for owners and operators. Because threats to critical infrastructure are numerous and diverse, we are interested in learning about the strategy that is guiding DHS's efforts in this area.

I want to thank our panel of experts for joining us so Congress can better understand the work being done in this area and the value of DHS's vulnerability assessments in training.

For 12 years, the primary mission of the Office of Infrastructure Protection's Protective Security Advisor Program has been the protection of our critical infrastructure. Protective Security Advisors, or PSAs, are regionally based in alignment with the 10 FEMA regions. PSAs execute their primary mission through the planning, coordination, and performance of security survey assessments and outreach activities to those critical infrastructure owners and operators that elect to participate in these voluntary programs. PSAs also support National Special Security Events, Special Event Activity Rating or SEAR level 1 and level 2 events and response to incidents.

The mission I have just described is enormous. Because it is voluntary in nature, its success really hinges on stakeholder buy-in. Such buy-in requires strategic outreach and real value added for owners and operators of critical infrastructure. I'm interested in hearing what strategy is guiding this important program and what metrics DHS is using to track and increase such value.

In 2014, DHS established the Critical Infrastructure Cyber Community Voluntary Program to help organizations address and improve their cybersecurity risk management. Additionally, DHS created the Cybersecurity Advisor Program, or CSA Program, to provide cybersecurity expertise and voluntary cybersecurity programs to critical infrastructure owners and operators.

While the CSA Program is still in its infancy compared to the 12-year-old PSA Program, the CSA mission of assisting our Nation's critical infrastructure owners and operators in strengthening their cyber hygiene is critically important. With the passage of the Cybersecurity Act of 2015 last December, we have to ensure the CSA Program is also guided by a strategic plan and is well-positioned to effectively lead DHS's cyber engagement efforts for critical infrastructure.

Last month, this committee unanimously passed the Cybersecurity and Infrastructure Protection Agency Act of 2016 to elevate the functions of our Nation's cybersecurity and critical infrastructure protection into an operational component within DHS. The legislation recognizes the unique expertise required of both cyber and physical aspects of the agency's mission while also stressing the importance of enhanced collaboration and coordination between the cyber and physical missions.

The Government Accountability Office has reported extensively on DHS's vulnerability assessment programs for critical infrastructure and identified challenges within DHS in 2013, in 2014, and, again, in 2015. These reports included a number of recommendations to increase the use, and to enhance the participation, of stakeholders in these vulnerability assessments. One particular area of concern found in the report was Federal fatigue, which results from a perceived weariness among the private sector who might be repeatedly approached or required by multiple Federal agencies to engage in risk assessments. Federal fatigue is particularly alarming as the PSA and CSA assessment programs at DHS depend entirely on voluntary participation.

Just last week, a review of the DHS's website for critical infrastructure vulnerability assessments found conflicting and somewhat outdated information. While errors like these may appear to be insignificant, it's important to remember that these programs are voluntary. If DHS can't handle basic promotion and marketing of its programs, then I have concerns about the likelihood of private-sector participation going forward.

The subcommittee believes both the CSA and PSA Programs can be of great value for the protection of our Nation's critical infrastructure, but a clear strategy, effective stakeholder outreach, and metrics of success are essential. It is the hope of the subcommittee that this hearing will clarify how DHS is working to address these issues. Further, given the relative infancy of the CSA Program, the subcommittee hopes to learn more about CS&C's plan to expand this program and would hope that the lessons learned from the PSA Program are, in fact, being incorporated.

This subcommittee is responsible not only for the oversight of DHS's functions, but also for ensuring that it has the tools and necessary authorities to successfully meet its objectives. In that spirit, we welcome input as to how we can assist you in this critical mission.

[The statement of Mr. Ratcliffe follows:]

Statement of Chairman John Ratcliffe

The subcommittee meets today to examine how the Department of Homeland Security is fulfilling its important mission of protecting our Nation's critical infrastructure by conducting vulnerability assessments. Every day, terrorists, nation-states, and criminals are targeting the critical systems that run our everyday lives. I want to thank our panel of experts for joining us today so Congress can better understand the work being done in this area and the value of DHS's vulnerability assessments and training.

For 12 years, the Office of Infrastructure Protection's Protective Security Advisor Program's primary mission has been the protection of critical infrastructure. Protective Security Advisors (PSAs) are regionally based in alignment with the 10 FEMA regions. PSAs execute their primary mission through the planning, coordination, and performance of security surveys, assessments, and outreach activities to those critical infrastructure owners and operators that elect to participate in these voluntary programs. PSAs also support National Special Security Events, Special Event Activity Rating (SEAR) Level I and II events and respond to incidents. I am curious to hear today what strategy is guiding this vitally important program for homeland security and what metrics are being used to measure the value it has brought to the owners and operators of critical infrastructure.

In 2014, DHS established the Critical Infrastructure Cyber Community Voluntary Program to help organizations address and improve their cybersecurity risk management. Additionally, DHS created the Cybersecurity Advisor Program, or CSA Program, to provide cybersecurity expertise and voluntary cybersecurity programs to critical infrastructure owners and operators. While the CSA Program is still in its infancy compared to the 12-year-old PSA Program, the CSA mission of assisting our Nation's critical infrastructure owners and operators in raising their cyber hygiene is critically important. With the passage of the Cybersecurity Act of 2015 last December, we must ensure the CSA program is also guided by a strategic plan and is well-positioned to effectively lead DHS's cyber engagement efforts for critical infrastructure.

Last month, this committee passed unanimously the Cybersecurity and Infrastructure Protection Agency Act of 2016 (CIPA), to elevate the functions of our Nation's cybersecurity and critical infrastructure protection into an operational component within DHS. The legislation recognizes the unique expertise required of both the cyber and physical aspects of the agency's mission while also stressing the importance of enhanced collaboration and coordination between the cyber and physical missions.

The Government Accountability Office has reported extensively on DHS vulnerability assessment programs for critical infrastructure and identified challenges within DHS in 2013, 2014, and 2015. These reports included a number of recommendations to increase the use and enhance the participation in these vulnerability assessments. One particular area of concern found in the report was "Federal fatigue," which results from a perceived weariness among the private sector who might be repeatedly approached or required by multiple Federal agencies to engage in risk assessments. "Federal fatigue" is particularly alarming as these DHS programs depend on voluntary participation.

Just last week, a review of the DHS's website for critical infrastructure vulnerability assessments found conflicting and outdated programs. While errors like these appear insignificant, it's important to remember that these programs are voluntary in nature, and if DHS cannot clearly and effectively promote and market the value of these programs, private-sector entities are unlikely to participate and seek assistance.

The subcommittee believes that both the CSA and PSA programs can be of great value for the protection of our Nation's critical infrastructure, but it's vital that there be effective management of them. It is the hope of this subcommittee that this hearing will bring some clarity on how DHS has resolved some of these outstanding issues. Further, given the relative infancy of the CSA program, the subcommittee hopes to learn more about CS&C's plan to expand this program and would hope that lessons learned from the PSA Program are being incorporated.

This subcommittee is responsible not only for the oversight of DHS's functions but also for ensuring that it has the tools and necessary authorities to successfully meet its objectives. In that spirit, we welcome input as to how we can assist in this critical mission.

Mr. Ratcliffe. The Chair now recognizes the Ranking Minority Member of our subcommittee, the gentleman from Louisiana, Mr. Richmond, for his opening statement.

Mr. Richmond. Thank you, Mr. Chairman. Thank you for holding this hearing to examine how the Department conducts vulnerability assessments for our Nation's critical infrastructure.

Whether it's going about our daily lives, running a business, or a local government, we all rely on the security and resiliency of our critical infrastructure. As we have seen after disasters like Katrina, Rita, Sandy, or the recent devastation in West Virginia, the ability to recover quickly is crucial.

In my district, as in many districts across the country, multiple DHS components and a range of other agencies conduct vulnerability assessments--the Coast Guard and the ports in my district, TSA and airports and for pipelines and transportation corridors, and DOE and FERC for electrical grid vulnerabilities.

Risk assessment involves integrating threats, vulnerabilities, and consequence information and then deciding which protective measures--measure to take based on an agreed upon risk reduction and recovery strategy. Within DHS, the National Infrastructure Protection Program, or NIPP, outlines how Government and the privately-owned critical infrastructure community can work together to manage risk and achieve physical and cybersecurity resiliency. It is important to remember that these are voluntary, nonregulatory assessments, and they represent the foundation of the NIPP risk-based programs designed to prevent, deter, and mitigate the risk of a terrorist attack or a natural disaster.

The DHS protective security advisors, or PSAs, and cybersecurity advisors, CSAs, conduct these assessments and focus on coordination, training, and building existing relationships with State, local, Tribal, territorial, and private-sector partners. This year, President Obama requested additional funds to expand the PSA and CSA Programs in hopes of melding physical security with cybersecurity and in line with the Secretary's DHS Unity of Effort initiative.

The critical infrastructure vulnerability assessments present DHS and the current NPPD directorate with one of their most complex challenges. As GAO has suggested in their testimony, it is not clear that the directorate has had a consistent and systematic approach for identifying Nationally critical assets, assessing the risk they pose, and using that information for cost-effective allocation of resources.

Thank you, Mr. Chairman. I look forward to the testimony and yield back.

[The statement of Mr. Richmond follows:]

Statement of Ranking Member Cedric L. Richmond

July 12, 2016

Mr. Chairman, thank you for holding this hearing to examine how the Department conducts vulnerability assessments for our Nation's critical infrastructure. Whether it's going about our daily lives, running a business, or a local government, we all rely on the security and resiliency of our critical infrastructure. As we have seen after disasters like Katrina, Rita, Sandy, or the recent devastation in West Virginia, the ability to recover quickly is crucial.

In my district, as in many districts across the country, multiple DHS components, and a range of other agencies conduct vulnerability assessments--the Coast Guard in the ports in my district, the TSA in airports and for pipelines and transportation corridors, and DOE and FERC for electric grid vulnerabilities. Risk assessment involves integrating threats, vulnerabilities, and consequence information, and then deciding which protective measures to take based on an agreed-upon risk reduction and recovery strategy.
Within DHS, the National Infrastructure Protection Plan (or NIPP) outlines how Government and the privately-owned critical infrastructure community can work together to manage risks and achieve physical and cyber security and resiliency. It is important to remember that these are voluntary, non-regulatory assessments, and they represent the foundation of the NIPP risk-based programs designed to prevent, deter, and mitigate the risk of a terrorist attack, or natural disaster.

The DHS Protective Security Advisors (or PSAs), and Cybersecurity Advisors (or CSAs), conduct these assessments and focus on coordination, training, and building existing relationships with State, local, Tribal, territorial, and private-sector partners. This year, President Obama requested additional funds to expand the PSA and the CSA programs, in hopes of melding physical security with cybersecurity, and in line with the Secretary's DHS Unity of Effort initiative.

Critical infrastructure vulnerability assessments present DHS and the current NPPD Directorate with one of their most complex challenges and, as GAO has suggested in their testimony, it is not clear that the Directorate has had a consistent and systematic approach for identifying Nationally-critical assets, assessing the risks they pose, and using that information for cost-effective allocation of resources.

Thank you, Mr. Chairman. I look forward to the testimony today and yield back.

Mr. Ratcliffe. I thank the gentleman. Other Members of the committee are reminded that opening statements may be submitted for the record.

We are pleased to have with us today a very distinguished panel of witnesses on this critically important topic.

With us today, Mr. Christopher Currie is the director for homeland security and justice at the Government Accountability Office. Thanks for being with us.

Dr. Andy Ozment is the assistant secretary for the Office of Cybersecurity and Communications within the National Protection and Programs Directorate at the Department of Homeland Security. Andy, good to have you back with this subcommittee.

Ms. Caitlin Durkovich is the assistant secretary for the Office of Infrastructure Protection within the National Protection and Programs Directorate at the Department of Homeland Security. Ms. Durkovich, again, it's great to have you back in front of this committee as well.

Finally, Mr. Marcus Brown is the homeland security advisor and director for the Office of Homeland Security at the Commonwealth of Pennsylvania. Welcome to Washington, DC. Thanks for being here at this committee hearing.

I now would like to ask all the witnesses to stand and raise your right hand so I can swear you in to testify.

[Witnesses sworn.]

Mr. Ratcliffe. Let the record reflect that the witnesses have answered in the affirmative. You all may be seated.

The witnesses' full written statements will appear in the record. The Chair now recognizes Mr. Currie for 5 minutes for his opening statement.

STATEMENT OF CHRIS P. CURRIE, DIRECTOR, HOMELAND SECURITY AND JUSTICE ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE

Mr. Currie. Thank you, Chairman Ratcliffe, Ranking Member Richmond, Congressman Donovan. Thank you for having me here today.

Today, I would like to talk about DHS's important but equally difficult mission of assessing vulnerabilities across all 16 critical infrastructure sectors. This is a challenge for many reasons, as you know. Each sector is very different but many are also interconnected. Also, some sectors are heavily regulated and not--and very accustomed to Federal oversight, others are not.

Voluntary collaboration is absolutely critical, as you both mentioned in your opening statements. Most infrastructure is owned and operated by the private sector or State and local governments. DHS needs to collect information to assess Nation-wide risks. But, they must also earn the trust of these partners by using the information effectively and protecting it, too. Sharing and trust are also increased when DHS returns the favor and gives information back to owners and operators they can use.

In late 2014, we evaluated 10 different DHS vulnerability assessment tools across all 16 sectors. We found that from 2010 to 2013, DHS was involved in almost 13,000 assessments of different assets or systems. These varied from multi-day onsite assessments of chemical facilities to voluntary on-line surveys used by shopping malls and other commercial facilities.

We also found that these assessment tools overlapped across sectors and collected different information and levels of detail. For example, some of the 10 assessment tools collected information on vulnerabilities to all hazards like earthquakes and hurricanes while others didn't. We also found that asset names and addresses were recorded differently across assessments, and this simple difference made it difficult for DHS officials and us, for that matter, to analyze whether assessments duplicated one another across sectors.

DHS also lacked mechanisms at the time for sharing assessment data across its own components like NPPD, TSA, Coast Guard, as well as with other Federal departments. For example, non-DHS agencies like EPA also provide self-assessments to facilities to assess their risk, like waste water treatment facilities, for example. However, DHS did not have mechanisms in place to better integrate those assessments and avoid potential duplication.

So we made a number of recommendations in that particular report. First was that DHS identified the most important areas and the detail necessary to integrate assessment efforts, first of all. Second of all, we recommended that DHS consistently collect and maintain assessment data and share it across components and other Federal departments.
This could help them better identify duplication or on the other end gaps in the coverage that these assessments do.

DHS agreed with all of our recommendations, and I want to give them credit, because they have taken action to address them. For example, it's established working groups among components and other departments. It's also considering actual guidance within the Department to better coordinate assessment efforts, and begun to inventory what other departments are doing. While this is progress, there's still much more work needed to institutionalize these efforts into DHS policies that components must follow.

Strengthening how DHS manages and coordinates its assessments won't just benefit DHS but also the infrastructure owners and operators that must use these assessments. When surveyed, they told us--and you mentioned this, Mr. Chairman, and DHS officials told us, too--that there is Federal fatigue or weariness in conducting numerous assessments. To this end, we have recommended that DHS could really do more to understand why asset owners and operators decline to participate in voluntary assessments. We also found that DHS should more quickly provide assessment results back to owners and operators, which could encourage trust and participation. To be clear, DHS has made much progress in this area since our report. For example, they are now using web-based systems to more quickly deliver results and have cut down on these delays.

Last, better coordination among components and agencies and sharing of data, as I discussed before, could also help reduce burden on operators. For example, if a DHS protective security adviser has access to all Federal assessment data on a particular facility, they have a head start in assessing that facility as well as information to build credibility with the owner or the operator.

This concludes my statement. I look forward to the Q&A.

[The prepared statement of Mr. Currie follows:]

Prepared Statement of Chris P. Currie

July 12, 2016

GAO Highlights

Highlights of GAO-16-791T, a testimony before the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, Committee on Homeland Security, House of Representatives.

Why GAO Did This Study

Protecting the security of CI is a top priority for the Nation. CI includes assets and systems, whether physical or cyber, that are so vital to the United States that their destruction would have a debilitating impact on, among other things, National security, or the economy. Multiple Federal entities, including DHS, are involved in assessing CI vulnerabilities, and assessment fatigue could impede DHS's ability to garner the participation of CI owners and operators in its voluntary assessment activities.

This testimony summarizes past GAO findings on progress made and improvements needed in DHS's vulnerability assessments, such as addressing potential duplication and gaps in these efforts. This statement is based on products GAO issued from May 2012 through October 2015 and recommendation follow-up conducted through March 2016. GAO reviewed applicable laws, regulations, directives, and policies from selected programs. GAO interviewed officials responsible for administering these programs and assessed related data. GAO interviewed and surveyed a range of stakeholders, including Federal officials, and CI owners and operators.

What GAO Recommends

GAO made recommendations to DHS in prior reports to strengthen its assessment efforts. DHS agreed with these recommendations and reported actions or plans to address them. GAO will continue to monitor DHS efforts to address these recommendations.

Critical Infrastructure Protection.--DHS Has Made Progress in Enhancing Critical Infrastructure Assessments, but Additional Improvements Are Needed

What GAO Found

GAO's prior work has shown the Department of Homeland Security (DHS) has made progress in addressing barriers to conducting voluntary assessments but guidance is needed for DHS's critical infrastructure (CI) vulnerability assessments activities and to address potential duplication and gaps. For example:

Determining why some industry partners do not participate in voluntary assessments.--In May 2012, GAO reported that various factors influence whether CI owners and operators participate in voluntary assessments that DHS uses to identify security gaps and potential vulnerabilities, but that DHS did not systematically collect data on reasons why some owners and operators of high-priority CI declined to participate. GAO concluded that collecting data on the reason for declinations could help DHS take steps to enhance the overall security and resilience of high-priority CI crucial to National security, public health and safety, and the economy, and made a recommendation to that effect. DHS concurred and has taken steps to address the recommendation, including developing a tracking system in October 2013 to capture declinations.

Establishing guidance for areas of vulnerability covered by assessments.--In September 2014, GAO reported that the vulnerability assessment tools and methods DHS offices and components use vary with respect to the areas of vulnerability--such as perimeter security--assessed depending on which DHS office or component conducts or requires the assessment. As a result, it was not clear what areas DHS believes should be included in its assessments. GAO recommended that DHS review its vulnerability assessments to identify the most important areas of vulnerability to be assessed, and establish guidance, among other things. DHS agreed and established a working group in August 2015 to address this recommendation. As of March 2016 these efforts were on-going with a status update expected in the summer of 2016.
Addressing the potential for duplication, overlap, or gaps between and among the various efforts.--In September 2014, GAO found overlapping assessment activities and reported that DHS lacks a Department-wide process to facilitate coordination among the various offices and components that conduct vulnerability assessments or require assessments on the part of owners and operators. This could hinder the ability to identify gaps or potential duplication in DHS assessments. GAO identified opportunities for DHS to coordinate with other Federal partners to share information regarding assessments. In response to GAO recommendations, DHS began a process of identifying the appropriate level of guidance to eliminate gaps or duplication in methods and to coordinate vulnerability assessments throughout the Department. GAO also recommended that DHS identify key CI security-related assessment tools and methods used or offered by other Federal agencies, analyze them to determine the areas they capture, and develop and provide guidance for what areas should be included in vulnerability assessments of CI that can be used by DHS and other CI partners in an integrated and coordinated manner. DHS agreed, and as of March 2016, established a working group to address GAO recommendations.

Chairman Ratcliffe, Ranking Member Richmond, and Members of the subcommittee: Thank you for the opportunity to discuss the Department of Homeland Security's (DHS) efforts to assess critical infrastructure vulnerabilities. Critical infrastructure (CI) includes assets and systems, whether physical or cyber, that are so vital to the United States that their incapacity or destruction would have a debilitating impact on, among other things, National security or the economy.\1\

---------------------------------------------------------------------------
\1\ See 42 U.S.C. 5195c(e).
---------------------------------------------------------------------------

Protecting the security of our critical infrastructure is a top priority for the Nation. For example, in 2013, the President issued Presidential Policy Directive/PPD-21: Critical Infrastructure Security and Resilience to increase the overall security and resilience of U.S. critical infrastructure.\2\ In addition, in 2013, DHS issued an update to its National Infrastructure Protection Plan (NIPP),\3\ which provides the overarching approach for integrating the Nation's critical infrastructure security and resilience activities into a single National effort.\4\ A fundamental component of DHS's efforts to protect and secure our Nation's infrastructure is its reliance on voluntary collaboration between private-sector owners and operators of critical infrastructure and their Government counterparts. The NIPP outlines the roles and responsibilities of DHS with regard to critical infrastructure protection and resilience and sector-specific agencies (SSA)--Federal departments and agencies responsible for critical infrastructure protection and resilience activities in 16 critical infrastructure sectors. Sectors include the commercial facilities, energy, and transportation sectors. Appendix I lists the 16 CI sectors and their SSAs.

---------------------------------------------------------------------------
\2\ Presidential Policy Directive-21--Critical Infrastructure Security and Resilience (Washington, DC: Feb. 12, 2013).
\3\ See DHS, NIPP 2013, Partnering for Critical Infrastructure Security and Resilience (Washington, DC: December 2013), which is an update to previous versions of the NIPP.
\4\ According to DHS, in this context, resilience is the ability to adapt to changing conditions, and prepare for, withstand, and rapidly recover from disruptions. See DHS, Risk Steering Committee, DHS Risk Lexicon (Washington, DC: September 2010).
---------------------------------------------------------------------------

Over the last several years, DHS has taken actions to assess vulnerabilities at CI facilities and within groups of related infrastructure, regions, and systems. According to DHS, a vulnerability assessment is a process for identifying physical features or operational attributes that render an entity, asset, system, network, or geographic area open to exploitation or susceptible to a given hazard that has the potential to harm life, information, operations, the environment, or property.\5\

---------------------------------------------------------------------------
\5\ According to the NIPP, vulnerabilities may be associated with physical (e.g., no barriers or alarm systems), cyber (e.g., lack of a firewall), or human (e.g., untrained guards) factors.
---------------------------------------------------------------------------

A vulnerability assessment can be a stand-alone process or part of a full risk assessment and involves the evaluation of specific threats to the asset, system, or network under review to identify areas of weakness that could result in consequences of concern. For the purposes of this testimony, we use the term "tools and methods" when referring to specific survey questionnaires or tools that DHS offices and components and other Federal agencies use in conducting vulnerability assessments or in offering self-assessments to CI owners and operators. These tools and methods contain various areas that can be assessed for vulnerabilities, such as perimeter security, entry controls, and cybersecurity, among others.
--------------------------------------------------------------------------- We reported in September 2014 that DHS offices and components had conducted or required thousands of vulnerability assessments of CI from October 2010 to September 2013, some of which are voluntary, and that DHS needed to enhance integration and coordination of these efforts.\6\ Specifically, DHS officials representing the National Protection and Programs Directorate (NPPD), Transportation Security Administration (TSA), and the Coast Guard conducted more than 5,300 assessments using 6 different voluntary assessment tools and methods covering various types of assets and systems.\7\ During the same time period, as many as 7,600 asset owners and operators were required to perform self-assessments to comply with Coast Guard requirements pursuant to Maritime Transportation Security Act (MTSA)\8\ and NPPD's Infrastructure Security Compliance Division (ISCD) requirements pursuant to Chemical Facility Anti-Terrorism Standards (CFATS).\9\ --------------------------------------------------------------------------- \6\ GAO, Critical Infrastructure Protection: DHS Action Needed to Enhance Integration and Coordination of Vulnerability Assessment Efforts, GAO-14-507 (Washington, DC: Sept. 15, 2014). \7\ During the early stages of our review, NPPD, TSA, and Coast Guard officials identified various assessment tools and methods. We further analyzed these 10 assessment tools and methods because based on our preliminary work, these tools and methods contained two or more areas assessed for vulnerability, such as perimeter security, or the presence of a security force. Tools and methods include the Infrastructure Survey Tool (IST), Site Assistance Visit (SAV), Chemical Security Assessment Tool Security Vulnerability Assessment (CSAT SAV), and Modified Infrastructure Survey Tool (MIST) from NPPD; the Baseline Assessment for Security Enhancements (BASE). 
Freight Rail Risk Analysis Tool, Pipeline Security Critical Facility Security Reviews (CFSR) and Joint Vulnerability Assessment (JVA) from TSA; and Port Security Assessments and Maritime Transportation Security Act (MTSA)-regulated facility vulnerability assessments performed by the Coast Guard. \8\ See Pub. L. No. 107-295, 116 Stat. 2064 (2002). \9\ See 6 C.F.R. pt. 27; Department of Homeland Security Appropriations Act, 2007. Pub. L. No. 109-295, tit. V. 550, 120 Stat. 1355, 1388-89 (2006). ---------------------------------------------------------------------------

My testimony today describes: (1) Progress made by DHS in addressing barriers to conducting voluntary assessments and sharing information, and (2) the extent to which DHS provided guidance for DHS's CI vulnerability assessment activities and to address potential duplication and gaps in assessment efforts. This statement is based on products we issued from May 2012 to October 2015 on factors to consider when reorganizing, and recommendation follow-up activities conducted through March 2016 related to multiple aspects of DHS's efforts to assess critical infrastructure and provide information to CI owners and operators to help them enhance the security of their facilities.\10\ To perform the work for our previous reports, among other things, we reviewed applicable laws, regulations, and directives as well as policies and procedures for selected programs to protect critical infrastructure. We interviewed DHS officials responsible for administering these programs and obtained and assessed data on the conduct and management of DHS's security-related programs. We also interviewed and surveyed a range of other stakeholders, including Federal officials, industry owners and operators, and CI experts. Further details on the scope and methodology for the previously-issued reports are available within each of the published products. 
In addition, after the issuance of our reports and through March 2016 we contacted DHS to obtain updated information and documentation, as appropriate, on the status of recommendations we made as part of our on-going recommendation follow-up activities. --------------------------------------------------------------------------- \10\ GAO, National Protection and Programs Directorate: Factors to Consider When Reorganizing, GAO-16-140T (Washington, DC: Oct. 7, 2015); Critical Infrastructure Protection: Observations on Key Factors in DHS's Implementation of Its Partnership Approach, GAO-14-464T (Washington, DC: Mar. 26, 2014); Critical Infrastructure Protection: DHS Could Strengthen the Management of the Regional Resiliency Assessment Program, GAO-13-616 (Washington, DC: July 30, 2013); GAO-14-507; Critical Infrastructure Protection: DHS List of Priority Assets Needs to Be Validated and Reported to Congress, GAO-13-296 (Washington, DC: Mar. 25, 2013); and Critical Infrastructure Protection: DHS Could Better Manage Security Surveys and Vulnerability Assessments, GAO-12-378 (Washington, DC: May 31, 2012). ---------------------------------------------------------------------------

We conducted the work on which this statement is based in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background

Federal law and policy have established roles and responsibilities for Federal agencies to coordinate with industry in enhancing the security and resilience of critical Government and industry infrastructures. 
According to the Homeland Security Act of 2002, as amended, DHS is to, among other things, carry out comprehensive vulnerability assessments of CI; integrate relevant information, analyses, and assessments from within DHS and from CI partners; and use the information collected to identify priorities for protective and support measures. Assessments include areas that can be assessed for vulnerability (hereinafter referred to as ``areas''), such as perimeter security, the presence of a security force, or vulnerabilities to intentional acts, including acts of terrorism. Presidential Policy Directive/PPD-21 directs DHS to, among other things, provide strategic guidance, promote a National unity of effort, and coordinate the overall Federal effort to promote the security and resilience of the Nation's CI. Related to PPD-21, the NIPP calls for the CI community and associated stakeholders to carry out an integrated approach to: (1) Identify, deter, detect, disrupt, and prepare for threats and hazards (all hazards); (2) reduce vulnerabilities of critical assets, systems, and networks; and (3) mitigate the potential consequence to CI to incidents or events that do occur. According to the NIPP, CI partners are to identify risk in a coordinated and comprehensive manner across the CI community; minimize duplication; consider interdependencies; and, as appropriate, share information within the CI community. Within DHS, NPPD is responsible for working with public and industry infrastructure partners and leads the coordinated National effort to mitigate risk to the Nation's infrastructure through the development and implementation of the infrastructure security program. 
NPPD's Office of Infrastructure Protection (IP) has overall responsibility for coordinating implementation of the NIPP across the 16 CI sectors, including providing guidance to SSAs and CI owners and operators on protective measures to assist in enhancing the security of infrastructure and helping CI-sector partners develop the capabilities to mitigate vulnerabilities and identifiable risks to the assets.\11\ The NIPP also designates other Federal agencies, as well as some offices and components within DHS, as SSAs that are responsible for, among other things, coordinating with DHS and other Federal departments and agencies and CI owners and operators to identify vulnerabilities, and to help mitigate incidents, as appropriate. DHS offices and components or asset owners and operators have used various assessment tools and methods, some of which are voluntary, while others are required by law or regulation, to gather information about certain aspects of CI. For example, Protective Security Coordination Division (PSCD), within NPPD, relies on Protective Security Advisors (PSA)\12\ to offer and conduct voluntary vulnerability assessments to owners and operators of CI to help identify potential security actions; Infrastructure Security Compliance Division, within NPPD, requires regulated chemical facilities to complete a security vulnerability assessment pursuant to CFATS; TSA conducts various assessments of airports, pipelines, and rail and transit systems;\13\ and Coast Guard requires facilities it regulates under the Maritime Transportation Security Act of 2002 (MTSA) to complete assessments as part of their security planning process.\14\ In addition, SSAs external to DHS also offer vulnerability assessment tools and methods to owners or operators of CI and these assessments include areas such as resilience management or perimeter security. 
For example, the Environmental Protection Agency, the SSA for the water sector, provides a self-assessment tool for the conduct of voluntary security-related assessments at water and wastewater facilities. --------------------------------------------------------------------------- \11\ A delegation memo to the Under Secretary for NPPD delineates the directorate's roles and responsibilities. \12\ As of July 2016, DHS has deployed 89 PSAs in all 50 States, Puerto Rico, and the Nation's capital region to, among other things, conduct outreach with State and local partners and asset owners and operators who participate in DHS's voluntary CI protection and resiliency efforts. \13\ See, e.g., 49 U.S.C. 44904; Pub. L. No. 104-264, 310, 110 Stat. 3213, 3253 (1996). \14\ See Pub. L. No. 107-295, 116 Stat. 2064 (2002); 33 C.F.R. 105.300-.310. ---------------------------------------------------------------------------

Progress Made Addressing Barriers to Conducting Voluntary Assessments and Sharing Information

DHS took steps to address barriers to conducting critical infrastructure vulnerability assessments and sharing information, in response to findings from our previous work. 
Specifically, DHS has made progress in the following areas: Determining why some industry partners do not participate in voluntary assessments.--DHS supports the development of the National risk picture by conducting vulnerability assessments and security surveys to identify security gaps and potential vulnerabilities in the Nation's high-priority critical infrastructure.\15\ In a May 2012 report, we assessed the extent to which DHS had taken action to conduct security surveys using its Infrastructure Survey Tool (IST) and vulnerability assessments among high-priority infrastructure, shared the results of these surveys and assessments with asset owners or operators, and assessed their effectiveness.\16\ --------------------------------------------------------------------------- \15\ DHS vulnerability assessments are conducted during site visits at individual assets and are used to identify security gaps and provide options for consideration to mitigate these identified gaps. DHS security surveys are intended to gather information on an asset's current security posture and overall security awareness. Security surveys and vulnerability assessments are generally asset-specific and are conducted at the request of asset owners and operators. \16\ GAO-12-378. --------------------------------------------------------------------------- We found that various factors influence whether industry owners and operators of assets participate in these voluntary programs, but that DHS did not systematically collect data on reasons why some owners and operators of high-priority assets declined to participate in security surveys or vulnerability assessments. We concluded that collecting data on the reason for declinations could help DHS take steps to enhance the overall protection and resilience of those high-priority critical infrastructure assets crucial to National security, public health and safety, and the economy. 
We recommended, and DHS concurred, that DHS design and implement a mechanism for systematically assessing why owners and operators of high-priority assets decline to participate. In response to our recommendations, in October 2013 DHS developed and implemented a tracking system to capture and account for declinations. In addition, in August 2014 DHS established a policy to conduct quarterly reviews to, among other things, track these and other survey and assessment programs and identify gaps and requirements for priorities and help DHS better understand what barriers owners and operators of critical infrastructure face in making improvements to the security of their assets. Sharing of assessment results at the asset level in a timely manner.--DHS security surveys and vulnerability assessments can provide valuable insights into the strengths and weaknesses of assets and can help asset owners and operators that participate in these programs make decisions about investments to enhance security and resilience. In our May 2012 report, we found that, among other things, DHS shared the results of security surveys and vulnerability assessments with asset owners or operators.\17\ However, we also found that the usefulness of security survey and vulnerability assessment results could be enhanced by the timely delivery of these products to the owners and operators. We reported that the inability to deliver these products in a timely manner could undermine the relationship DHS was attempting to develop with these industry partners. Specifically, we reported that, based on DHS data from fiscal year 2011, DHS was late meeting the 30-day time frame for delivering the results of its security surveys required by DHS guidance 60 percent of the time. DHS officials acknowledged the late delivery of survey and assessment results and said they were working to improve processes and protocols. 
However, DHS had not established a plan with time frames and milestones for managing this effort. We recommended, and DHS concurred, that it develop time frames and specific milestones for managing its efforts to ensure the timely delivery of the results of security surveys and vulnerability assessments to asset owners and operators. In response to our recommendation, DHS established time frames and milestones to ensure the timely delivery of assessment results of the surveys and assessments to CI owners and operators. In addition, in February 2013, DHS transitioned to a web-based delivery system, which, according to DHS, has since resulted in a significant drop in overdue deliveries. --------------------------------------------------------------------------- \17\ GAO-12-378. --------------------------------------------------------------------------- Sharing certain information with critical infrastructure partners at the regional level.--Our work has shown that over the past several years, DHS has recognized the importance of and taken actions to examine critical infrastructure asset vulnerabilities, threats, and potential consequences across regions. 
In a July 2013 report, we examined DHS's management of its Regional Resiliency Assessment Program (RRAP)--a voluntary program intended to assess regional resilience of critical infrastructure by analyzing a region's ability to adapt to changing conditions, and prepare for, withstand, and rapidly recover from disruptions--and found that DHS has been working with States to improve the process for conducting RRAP projects, including more clearly defining the scope of these projects.\18\ We also reported that DHS shares the project results of each RRAP project report, including vulnerabilities identified, with the primary stakeholders--officials representing the State where the RRAP was conducted--and that each report is generally available to SSAs and protective security advisors within DHS.\19\ --------------------------------------------------------------------------- \18\ GAO-13-616. \19\ A protective security advisor is a DHS field representative. Among other things, they conduct RRAP projects. --------------------------------------------------------------------------- Sharing information with sector-specific agencies and State and local governments.--Federal SSAs and State and local governments are key partners that can provide specific expertise and perspectives in Federal efforts to identify and protect critical infrastructure. In a March 2013 report, we reviewed DHS's management of the National Critical Infrastructure Prioritization Program (NCIPP), and how DHS worked with States and SSAs to develop the high-priority CI list.\20\ The program identifies a list of Nationally-significant critical infrastructure each year that is used to, among other things, prioritize voluntary vulnerability assessments conducted by PSAs on high-priority critical infrastructure. We reported that DHS had taken actions to improve its outreach to SSAs and States in an effort to address challenges associated with providing input on nominations and changes to the NCIPP list. 
However, we also found that most State officials we contacted continued to experience challenges with nominating assets to the NCIPP list using the consequence-based criteria developed by DHS. Among other actions, we recommended that DHS commission an independent, external peer review of the NCIPP with clear project objectives. In November 2013, DHS commissioned a panel that reviewed the NCIPP process, guidance documentation, and process phases to provide an evaluation of the extent to which the process is comprehensive, reproducible, and defensible. The panel made 24 observations about the NCIPP; however, panel members expressed different views regarding the classification of the NCIPP list, and views on whether private-sector owners of the assets, systems, and clusters should be notified of inclusion on the list. As of August 2014, DHS officials reported that they are exploring options to streamline the process and limit the delay of dissemination among those who have a need to know. --------------------------------------------------------------------------- \20\ GAO-13-296. ---------------------------------------------------------------------------

Guidance and Coordination to Address Potential Duplication and Gaps Needed for CI Vulnerability Assessment Activities

Our previous work identified a need for DHS vulnerability assessment guidance and coordination. Specifically, we found: Establishing guidance for areas of vulnerability covered by assessments.--In a September 2014 report examining, among other things, the extent to which DHS is positioned to integrate vulnerability assessments to identify priorities, we found that the vulnerability assessment tools and methods DHS offices and components use vary with respect to the areas assessed depending on which DHS office or component conducts or requires the assessment.\21\ As a result, it was not clear what areas DHS believes should be included in a comprehensive vulnerability assessment. 
Moreover, we found that DHS had not issued guidance to ensure that the areas it deems most important are captured in assessments conducted or required by its offices and components. Our analysis of 10 vulnerability assessment tools and methods showed that DHS vulnerability assessments consistently included some areas that were assessed for vulnerability but included other areas that were not consistently assessed. Our analysis showed that all 10 of the DHS assessment tools and methods we analyzed included areas such as ``vulnerabilities from intentional acts''--such as terrorism--and ``perimeter security'' in the assessment. However, 8 of the 10 assessment tools and methods did not include areas such as ``vulnerabilities to all hazards'' such as hurricanes or earthquakes while the other 2 did. These differences in areas assessed among the various assessment tools and methods could complicate or hinder DHS's ability to integrate relevant assessments in order to identify priorities for protective and support measures. --------------------------------------------------------------------------- \21\ GAO-14-507. --------------------------------------------------------------------------- We found that the assessments conducted or required by DHS offices and components also varied greatly in their length and the detail of information to be collected. For example, within NPPD, PSCD used its IST to assess high-priority facilities that voluntarily participate and this tool was used across the spectrum of CI sectors. The IST, which contains more than 100 questions and 1,500 variables, is used to gather information on the security posture of CI, and the results of the IST can inform owners and operators of potential vulnerabilities facing their asset or system. 
In another example from NPPD, ISCD required owners and operators of facilities that possess, store, or manufacture certain chemicals under CFATS to provide data on their facilities using an on-line tool so that ISCD can assess the risk posed by covered facilities. This tool, ISCD's Chemical Security Assessment Tool Security Vulnerability Assessment contained more than 100 questions based on how owners respond to an initial set of questions. Within DHS, TSA's Office of Security Operations offered or conducted a number of assessments, such as a 205-question assessment of transit systems called the Baseline Assessment for Security Enhancements that contained areas to be assessed for vulnerability, and TSA's 17-question Freight Rail Risk Analysis Tool was used to assess rail bridges. In addition to differences in what areas were included, there were also differences in the detail of information collected for individual areas, making it difficult to determine the extent to which the information collected was comparable and what assumptions and/or judgments were used while gathering assessment data. We also observed that components used different questions for the same areas assessed. These variations, among others we identified, could impede DHS's ability to integrate relevant information and use it to identify priorities for protective and support measures regarding terrorist and other threats to homeland security. For example, we found that while some components asked open-ended questions such as ``describe security personnel,'' others included drop-down menus or lists of responses to be selected. We recommended that DHS review its vulnerability assessments to identify the most important areas to be assessed, and determine the areas and level of detail that are necessary to integrate assessments and enable comparisons, and establish guidance, among other things. 
DHS agreed with our recommendation, and established a working group in August 2015 to address this recommendation and others we made. As of March 2016 these efforts are on-going and DHS intends to provide an update in the summer of 2016. Establishing guidance on common data standards to help reduce assessment fatigue and improve information sharing.--As we reported in September 2014, Federal assessment fatigue could impede DHS's ability to garner the participation of CI owners and operators in its voluntary assessment activities. During our review of vulnerability assessments, the Coast Guard, PSCD, and TSA field personnel we contacted reported observing what they called Federal fatigue, or a perceived weariness among CI owners and operators who had been repeatedly approached or required by multiple Federal agencies and DHS offices and components to participate in or complete assessments. One official who handles security issues for an association representing owners and operators of CI expressed concerns at the time about his members' level of fatigue. Specifically, he shared observations that DHS offices and components do not appear to effectively coordinate with one another on assessment-related activities to share or use information and data that have already been gathered by one of them. The official also noted that, from the association's perspective, the requests and invitations to participate in assessments have exceeded what is necessary to develop relevant and useful information, and information is being collected in a way that is not the best use of the owners' and operators' time. As figure 1 illustrates, depending on a given asset or facility's operations, infrastructure, and location, an owner or operator could be asked or required to participate in multiple separate vulnerability assessments. 
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT] DHS officials expressed concern at the time that this ``fatigue'' may diminish future cooperation from asset owners and operators. We recommended in September 2014 that DHS develop an approach for consistently collecting and maintaining data from assessments conducted across DHS to facilitate the identification of potential duplication and gaps in coverage. Having common data standards would better position DHS offices and components to minimize the aforementioned fatigue, and the resulting declines in CI owner and operator participation, by making it easier for DHS offices and components to use each other's data to determine what CI assets or facilities may have been already visited or assessed by another office or component. They could then plan their assessment efforts and outreach accordingly to minimize the potential for making multiple visits to the same assets or facilities. DHS agreed with our recommendation, and as of March 2016 DHS had established a working group to address the recommendations from our report and planned to provide us with a status update in the summer of 2016. Addressing the potential for duplication, overlap, or gaps between and among the various efforts.--As with the sharing of common assessment data, we found in our 2014 review of vulnerability assessments that DHS also lacks a Department-wide process to facilitate coordination among the various offices and components that conduct vulnerability assessments or require assessments on the part of owners and operators.\22\ This could hinder the ability to identify gaps or potential duplication in DHS assessments. For example, among 10 different types of DHS vulnerability assessments we compared, we found that DHS assessment activities were overlapping across some of the sectors, but not others. 
Given the overlap of DHS's assessments among many of the 16 sectors, we attempted to compare data to determine whether DHS had conducted or required vulnerability assessments at the same critical infrastructure within those sectors. However, we were unable to conduct this comparison because of differences in the way data about these activities were captured and maintained.\23\ Officials representing DHS acknowledged at the time they encountered challenges with the consistency of assessment data and stated that DHS-wide interoperability standards did not exist for them to follow in recording their assessment activities that would facilitate consistency and enable comparisons among the different data sets. --------------------------------------------------------------------------- \22\ GAO-14-507. \23\ Data sets used by DHS offices and components did not share common formats or defined data standards. For example, infrastructure names and addresses generally were not entered in a standardized way or were not available in some cases in a way that would allow us to identify matches across data sets. See GAO-14-507. --------------------------------------------------------------------------- The NIPP calls for standardized processes to promote integration and coordination of information sharing through, among other things, jointly-developed standard operating procedures. However, DHS officials stated at the time that they generally relied on field-based personnel to inform their counterparts at other offices and components about planned assessment activities and share information as needed on what assets may have already been assessed. For example, PSAs may inform and invite CI partners to participate in these assessments, if the owner and operator of the asset agrees. PSAs may also alert their DHS counterparts depending on assets covered and their areas of responsibility. 
However, we found that absent these field-based coordination or sharing activities, it was unclear whether all facilities in a particular geographic area or sector were covered. For example, after CFATS took effect, in 2007, ISCD officials asked PSCD to stop having PSAs conduct voluntary assessments at CFATS-regulated chemical facilities to reduce potential confusion about DHS authority over chemical facility security and to avoid overlapping assessments. In response, PSCD reduced the number of voluntary vulnerability assessments conducted in the chemical sector. However, one former ISCD official noted that without direct and continuous coordination between PSCD and ISCD on what facilities are being assessed or regulated by each division, this could create a gap in assessment coverage between CFATS-regulated facilities and facilities that could have participated in PSCD assessments given that the number of CFATS-regulated facilities can fluctuate over time.\24\
---------------------------------------------------------------------------
\24\ The number of facilities actively regulated under the Chemical Facility Anti-Terrorism Standards requirements can fluctuate over time because of facilities changing their regulated operations or the types and quantities of chemicals handled, new facilities being built, or older facilities being decommissioned, for example.
---------------------------------------------------------------------------
Without processes for DHS offices and components to share data and coordinate with each other in their CI vulnerability assessment activities, DHS cannot provide reasonable assurance that it can identify potential duplication, overlap, or gaps in coverage that could ultimately affect DHS's ability to work with its partners to enhance National CI security and resilience, consistent with the NIPP.
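As an added illustration of the two points above (footnote 23's observation that names and addresses were not recorded in a way that allows matches across data sets, and the PSCD/ISCD coverage gap that arises as the CFATS-regulated population fluctuates), the script below is not GAO or DHS code and uses invented facility records. It compares a constructed PSCD voluntary-assessment list with constructed CFATS-regulated lists at two dates: a naive comparison of the stored strings finds nothing in common, while matching on a normalized address key surfaces both an overlapping facility and a facility that dropped out of regulation without ever being assessed.

```python
"""
Constructed example: comparing assessment records across two data sets
that do not share a common format.  Every facility, address and date
below is invented for illustration; none of it is DHS data.
"""
import re

# Address tokens that different offices abbreviate differently.
_STREET_ABBREV = {
    "street": "st", "avenue": "ave", "road": "rd", "boulevard": "blvd",
    "drive": "dr", "highway": "hwy", "north": "n", "south": "s",
    "east": "e", "west": "w",
}
# Suite/unit qualifiers identify a tenant, not a site; drop them and
# everything after them so the key refers to the physical location.
_SUITE_RE = re.compile(r"\b(suite|ste|unit|bldg|building)\b.*$")


def normalize_address(street: str, zip_code: str) -> str:
    """Reduce a free-text street line plus ZIP to a canonical match key."""
    s = street.lower().replace("#", " unit ")
    s = re.sub(r"[.,]", " ", s)                 # strip punctuation
    s = _SUITE_RE.sub("", s)                    # strip suite/unit qualifiers
    tokens = [_STREET_ABBREV.get(t, t) for t in s.split()]
    zip5 = re.sub(r"\D", "", zip_code)[:5]      # ZIP+4 -> 5-digit ZIP
    return " ".join(tokens) + "|" + zip5


# Constructed PSCD voluntary-assessment records (free-text data entry).
PSCD_ASSESSMENTS = [
    {"facility": "Acme Chemical Co., Inc.",
     "address": "1200 North Industrial Blvd., Suite 4",
     "zip": "75001-1234", "assessed": "2015-06-02"},
    {"facility": "Riverside Water Treatment", "address": "40 Mill Rd",
     "zip": "75002", "assessed": "2015-09-14"},
    {"facility": "Beta Polymers", "address": "77 Harbor Avenue",
     "zip": "75003", "assessed": "2014-03-20"},
]

# Constructed ISCD (CFATS) regulated-facility lists at two points in time,
# kept in a different layout: upper-case names, spelled-out street types,
# 5-digit ZIP.  Gamma Agrichem leaves the regulated population by 2016.
CFATS_REGULATED = {
    "2014": [
        {"name": "ACME CHEMICAL COMPANY",
         "street": "1200 N INDUSTRIAL BOULEVARD", "zip": "75001"},
        {"name": "GAMMA AGRICHEM LLC",
         "street": "9 FARM TO MARKET ROAD", "zip": "75004"},
    ],
    "2016": [
        {"name": "ACME CHEMICAL COMPANY",
         "street": "1200 N INDUSTRIAL BOULEVARD", "zip": "75001"},
    ],
}


def raw_match_count(pscd, cfats) -> int:
    """Naive comparison on the strings exactly as each office stored them."""
    raw_pscd = {(r["address"], r["zip"]) for r in pscd}
    raw_cfats = {(r["street"], r["zip"]) for r in cfats}
    return len(raw_pscd & raw_cfats)


def _pscd_keys(records):
    return {normalize_address(r["address"], r["zip"]): r["facility"] for r in records}


def _cfats_keys(records):
    return {normalize_address(r["street"], r["zip"]): r["name"] for r in records}


def coverage_report(pscd, cfats_prior, cfats_current) -> dict:
    """Find facilities covered twice (overlap) and facilities that left the
    regulated population without being picked up by voluntary assessment (gap)."""
    assessed = _pscd_keys(pscd)
    prior = _cfats_keys(cfats_prior)
    current = _cfats_keys(cfats_current)
    overlap = {k: (assessed[k], current[k]) for k in assessed.keys() & current.keys()}
    dropped = prior.keys() - current.keys()           # no longer CFATS-regulated
    gap = {k: prior[k] for k in dropped - assessed.keys()}
    return {"overlap": overlap, "gap": gap}


if __name__ == "__main__":
    print("raw string matches:", raw_match_count(PSCD_ASSESSMENTS, CFATS_REGULATED["2016"]))
    report = coverage_report(PSCD_ASSESSMENTS, CFATS_REGULATED["2014"], CFATS_REGULATED["2016"])
    print("overlap (assessed and regulated):", report["overlap"])
    print("gap (dropped from regulation, never assessed):", report["gap"])
```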
We recommended in September 2014 that DHS develop an approach to ensure that vulnerability data gathered on CI be consistently collected and maintained across DHS to facilitate the identification of potential duplication and gaps in CI coverage. As of March 2016, DHS has begun a process of identifying the appropriate level of guidance to eliminate gaps or duplication in methods and to coordinate vulnerability assessments throughout the Department. We also recommended that DHS identify key CI security-related assessment tools and methods used or offered by SSAs and other Federal agencies, analyze them to determine the areas of vulnerability they capture, and develop and provide guidance for what areas should be included in vulnerability assessments of CI that can be used by DHS and other CI partners in an integrated and coordinated manner. DHS concurred with our recommendations and stated that it planned to take a variety of actions to address the issues we identified, including conducting an inventory survey of the security-related assessment tools and methods used by SSAs to address CI vulnerabilities. As of March 2016, DHS has established a working group, consisting of members from multiple departments and agencies, to enhance the integration and coordination of vulnerability assessment efforts. These efforts are on-going and we will continue to monitor DHS's progress in implementing these recommendations.

In addition to efforts to address our recommendations, DHS is in the process of reorganizing NPPD to ensure that it is appropriately positioned to carry out its critical mission of cyber and infrastructure security. Key priorities of this effort are to include greater unity of effort across the organization and enhanced operational activity to leverage the expertise, skills, information, and relationships throughout DHS.
The NPPD reorganization presents DHS with an opportunity to engage stakeholders in decision making and may achieve greater efficiency or effectiveness by reducing programmatic duplication, overlap, and fragmentation. It also presents DHS with an opportunity to mitigate potential duplication or gaps by consistently capturing and maintaining data from overlapping vulnerability assessments of CI and improving data sharing and coordination among the offices and components involved with these assessments.

Chairman Ratcliffe, Ranking Member Richmond, and Members of the subcommittee, this completes my prepared statement. I would be happy to respond to any questions you may have at this time.

Appendix I: Critical Infrastructure Sectors

This appendix provides information on the 16 critical infrastructure (CI) sectors and the Federal agencies responsible for sector security. The National Infrastructure Protection Plan (NIPP) outlines the roles and responsibilities of the Department of Homeland Security (DHS) and its partners--including other Federal agencies. Within the NIPP framework, DHS is responsible for leading and coordinating the overall National effort to enhance security via 16 critical infrastructure sectors. Consistent with the NIPP, Presidential Decision Directive/PPD-21 assigned responsibility for the critical infrastructure sectors to sector-specific agencies (SSAs).* As an SSA, DHS has direct responsibility for leading, integrating, and coordinating efforts of sector partners to protect 10 of the 16 critical infrastructure sectors. Seven other Federal agencies have sole or coordinated responsibility for the remaining 6 sectors. Table 1 lists the SSAs and their sectors.
---------------------------------------------------------------------------
* Issued on February 12, 2013, Presidential Policy Directive/PPD-21, Critical Infrastructure Security and Resilience, purports to refine and clarify critical infrastructure-related functions, roles, and responsibilities across the Federal Government, and enhance overall coordination and collaboration, among other things. Pursuant to Homeland Security Presidential Directive/HSPD-7 and the National Infrastructure Protection Plan, DHS had established 18 critical infrastructure sectors. PPD-21 subsequently revoked HSPD-7, and incorporated 2 of the sectors into existing sectors, thereby reducing the number of critical infrastructure sectors from 18 to 16. Plans developed pursuant to HSPD-7, however, remain in effect until specifically revoked or superseded.
---------------------------------------------------------------------------

TABLE 1: CRITICAL INFRASTRUCTURE SECTORS AND SECTOR-SPECIFIC AGENCIES (SSA)
------------------------------------------------------------------------
Critical Infrastructure Sector             SSA(s) \1\
------------------------------------------------------------------------
Food and agriculture...................... Department of Agriculture \2\ and the
                                           Department of Health and Human
                                           Services \3\
Defense industrial base \4\............... Department of Defense
Energy \5\................................ Department of Energy
Government facilities..................... Department of Homeland Security and
                                           the General Services Administration
Health care and public health............. Department of Health and Human
                                           Services
Financial services........................ Department of the Treasury
Transportation systems.................... Department of Homeland Security and
                                           the Department of Transportation \6\
Water and wastewater systems \7\.......... Environmental Protection Agency
Commercial facilities..................... Department of Homeland Security
Critical manufacturing....................   Office of Infrastructure
Emergency services........................   Protection \8\
Nuclear reactors, materials, and waste....
Dams......................................
Chemical..................................
Information technology....................   Office of Cyber Security and
Communications............................   Communications \9\
------------------------------------------------------------------------
Source: Presidential Policy Directive/PPD-21/GAO-16-791T.
\1\ Presidential Policy Directive/PPD-21, released in February 2013, identifies 16 critical infrastructure sectors and designates associated Federal SSAs. In some cases co-SSAs are designated where those departments share the roles and responsibilities of the SSA.
\2\ The Department of Agriculture is responsible for agriculture and food (meat, poultry, and egg products).
\3\ The Food and Drug Administration is the Department of Health and Human Services component responsible for food other than meat, poultry, and egg products and serves as the co-SSA.
\4\ Nothing in the NIPP impairs or otherwise affects the authority of the Secretary of Defense over the Department of Defense, including the chain of command for military forces from the President as Commander-in-Chief, to the Secretary of Defense, to the commanders of military forces, or military command-and-control procedures.
\5\ The energy sector includes the production, refining, storage, and distribution of oil, gas, and electric power, except for commercial nuclear power facilities.
\6\ Presidential Policy Directive/PPD-21 establishes the Department of Transportation as co-SSA with the Department of Homeland Security (DHS) for the transportation systems sector. Within DHS, the U.S. Coast Guard and the Transportation Security Administration are the responsible components.
\7\ The water sector includes drinking water.
\8\ The Office of Infrastructure Protection is the DHS component responsible for the commercial facilities; critical manufacturing; emergency services; nuclear reactors, materials, and waste; dams; and chemical sectors.
\9\ The Office of Cyber Security and Communications is the DHS component responsible for the information technology and communications sectors.

Mr. Ratcliffe. Thank you, Mr. Currie. The Chair now recognizes Dr. Ozment for 5 minutes for his opening statement.

STATEMENT OF ANDY OZMENT, ASSISTANT SECRETARY, OFFICE OF CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

Mr. Ozment. Thank you. Chairman Ratcliffe, Ranking Member Richmond, and Members of the committee, thank you for the opportunity to appear before you today. My organization within NPPD has three sets of cybersecurity customers: Federal civilian agencies, private-sector companies, and State, local, Tribal, and territorial governments. Today, I will focus on the Cybersecurity Advisors Program, or CSA Program. Our CSAs' focus is on the latter two customers, private-sector companies and State and local governments.

The CSA Program is modeled after the Protective Security Advisor, or PSA Program that you will hear from my colleague, Assistant Secretary Durkovich. Although the CSA Program does reflect several differences to account for its focus on cybersecurity. Importantly, the CSA Program, as you noted, Chairman, is more nascent than the PSA Program. While there are over 100 PSAs, as of last weekend, there were only 5 regionally-deployed Cybersecurity Advisors. I say last weekend, because yesterday, our sixth CSA started work, a nice milestone for us. Our customers have demonstrated a significant demand for the resources and support provided by our CSAs. For this reason, we expect to deploy 13 CSAs in the field by the end of this fiscal year. The President's 2017 budget requests a total of 24 field-deployed CSAs.
As you know, the vast majority of our Nation's critical infrastructure is owned and operated by the private sector or by State and local governments. To protect that infrastructure, we must help those owners and operators improve their cybersecurity. Now, people who work in Washington, DC, are sometimes criticized for thinking that only of Washington, DC. Our Nation cannot afford for NPPD to think that way. We must work across the United States helping private-sector and State and local government customers where they live. For critical infrastructure owned by small businesses, there's often no other way to reach them. Our Cybersecurity Advisors are thus NPPD's deployed cyber work force who live across the United States helping critical infrastructure where it is located and where the owners and operators live.

Our Cybersecurity Advisors have 4 areas in which they support our customers. They help our customers adopt best practices, they share information, respond to incidents, and support special National security and other events. I'll speak to each of those in turn.

First, we help our customers adopt cybersecurity and best practices as exemplified by the NIST cybersecurity framework. We do that by advising them on risk management. One of the more concrete and visible ways we advise on risk management is by performing risk assessments. We offer a wide range of cyber risk assessments starting at the most strategic level and then going down into more technical areas depending on what a company or other customer needs. For example, our most strategic cyber risk assessment is a questionnaire that could take a full day, working with many different leaders within an organization to complete to get a full picture of their risk management methodology. With our current work force, we average about 80 assessments a year.
A few months after the assessments, we survey the companies to see, did the company or State and local organization make a major change based on the assessment? So far, 96 percent of the respondees to our post-assessment survey have made at least one major security improvement as a consequence of our assessment. CSAs also link critical infrastructure owners and operators to more technical hands-on assessment teams based in the NCCIC. For example, the NCCIC can actually try to break into a company, that is, we can try to hack them. I'll emphasize that we do this only at the invitation of the company.

Second, CSAs connect companies to our information-sharing activities. For example, the Cybersecurity Information Sharing Act of 2015 has passed, and CSAs are helping us to recruit companies to share machine-to-machine data at real time, in our automated indicator sharing program. Let me thank you and the committee, again, for your help in passing that very important legislation.

Third, CSAs can provide support to our customers who experience a cybersecurity incident. When an incident occurs, our customers can work with CSAs to obtain incident response and to coordinate resources and information coming out of the NCCIC.

Finally, CSAs provide support to officials responsible for planning and leading special events, sometimes known as National security events. Examples of special events supported by the CSAs include major sporting events such as the Super Bowl and major league baseball all-star game and upcoming conventions.

These are the 4 major lines of effort by which CSAs support customers--best practices and risk assessments, information sharing, incident response, and special events. But CSAs have an additional role, which is to aid and inform our National efforts. For example, a local perspective could be critical to identify which infrastructure matters the most. CSAs use their local knowledge to identify the most critical infrastructure in a given region.
Increasingly, they are also asked to bring their expertise into close collaboration as trusted advisers, planners, and emergency management executives who report to the State Homeland Security Advisor. Ultimately, CSAs are also the voice of individual companies in the development of National plans and programs. CSAs provide a local point of connection to help their customers manage their cyber risk and bring their insight into this National conversation.

Although we only have 6 CSAs in the field today, I ask your support in passing the fiscal year President's budget to bring us to a total of 24 CSAs in the field. Thank you again for the opportunity to appear before you today, and I look forward to your questions.

[The joint prepared statement of Mr. Ozment and Ms. Durkovich follows:]

Joint Prepared Statement of Andy Ozment and Caitlin Durkovich
July 12, 2016

i. introduction

Chairman Ratcliffe, Ranking Member Richmond, thank you for the opportunity to appear before you today to discuss the crucial role that Protective Security Advisors (PSAs) and Cybersecurity Advisors (CSAs) serve in furthering the U.S. Department of Homeland Security's (DHS) mission to enhance the security and resilience of the Nation's critical infrastructure in an all-hazards environment. We appreciate Congress' draft legislation that would stand up the National Protection and Programs Directorate (NPPD) as an operational component focused on cyber and infrastructure protection and further our holistic risk management approach. PSAs and CSAs both support NPPD's operational mission by assisting State, local, territorial, and Tribal (SLTT) governments and private-sector customers in understanding and mitigating threats, vulnerabilities, and consequences affecting the provision of essential functions, goods, and services. PSAs and CSAs achieve this end through information sharing, capacity building, and direct assistance.
The risks that our stakeholders face are cyber and physical, natural and man-made. Some risks blur the distinction between cyber and physical, such as space weather or electromagnetic pulse, while others combine aspects of cyber and physical risk: Cyber attacks causing physical impacts, natural disasters impacting communication networks, or man-made attacks on lifeline critical infrastructure. The proposed realignment, which was included in NPPD's draft reorganization proposal, will further the ability of our cybersecurity experts and physical security experts to work side-by-side, ensuring that risks to critical infrastructure are fully assessed and effectively mitigated and directly supporting our ability to address an emerging risk environment in which cyber and physical boundaries are increasingly meaningless.

ii. risk management

DHS has an all-hazards mission for protecting the homeland. This means that we must plan for and prioritize a range of risks from natural disasters to terrorism to cyber attacks. Our mission includes recurring, persistent, and relatively well-understood hazards such as hurricanes and earthquakes, as well as threats and hazards such as solar storms where we must continue to understand the likelihood and consequences of a possible event. For this reason, DHS approaches threats and hazards based on an all-hazards analysis of risk and due caution in the face of inherent uncertainty. This risk-informed approach guides our planning efforts and the development of new or enhanced capabilities to address emerging hazards and threats.

Risk is comprised of three variables: Threats that exploit vulnerabilities to cause undesirable consequences. In other words, risk is a function of threat, vulnerability, and consequence. DHS recognizes that risk cannot be eliminated and therefore must be managed through proven practices including timely information sharing. Risk management practices include risk acceptance as well as risk mitigation.
Risk management can also include risk transfer, such as contractual provisions or insurance coverage. But ultimately, risk cannot be eliminated: There will be incidents, so we must also focus on the resiliency of our infrastructure under all conditions.

iii. threat landscape

NPPD is particularly focused on two threats that are particularly salient in the current risk environment: Terrorism and cyber attacks. Terrorist attacks such as those in France in 2015, Belgium in 2016, and the tragic attacks in Istanbul and Orlando just last month highlight the continuing threat. These attacks underscore the persistence of our adversaries and the vulnerability of public gathering sites. Terrorist tactics and techniques have transitioned from complicated attacks such as 9/11 to simple acts of violence using readily-available weapons such as a gun, knife, hatchet, or car. The threats we face today are thus more decentralized than a decade ago and reflect, as Secretary Johnson has said, a new phase of global terrorism. We have moved from a world of directed attacks to one of inspired attacks. Inspired attacks are harder for intelligence and law enforcement communities to detect, can occur with little or no notice, and create a more complex homeland security challenge.

The threat landscape in cyber space is also changing. Threat actors in cyber space have highly diverse motivations. Some seek to achieve a political or social aim. Others seek financial benefit and are developing new means to monetize cyber intrusions, as exemplified by the recent wave of ``ransomware'' attacks. Other adversaries attempt to use strong-arm tactics to advance a goal, such as destroying systems and data to convey a political message, or target sensitive Government and private-sector systems to steal critical information for espionage purposes. Perhaps most importantly, the past year saw the use of a cyber attack to achieve a significant disruption of civilian critical infrastructure.
In December, several Ukrainian power companies experienced a cyber attack that resulted in power outages lasting around 6 hours that impacted over 200,000 customers. The cyber attack was well-planned, well-coordinated, and used destructive malware to delay recovery efforts. This attack should be a warning to our Nation. Our adversaries have the cyber capabilities to harm our National security, economic security, public health, and safety. This threat environment requires DHS to place renewed focus on providing our customers with risk management tools, information, and support to protect against cyber attacks and mitigate the consequences when a compromise occurs.

iv. critical infrastructure security and resilience

These trends in the threat landscape require NPPD, as directed by the National Infrastructure Protection Plan (NIPP), to approach risk management from both a top-down and bottom-up perspective. The majority of the Nation's critical infrastructure is owned and operated by the private sector or by State, local, Tribal, and territorial (SLTT) governments. As a result, it is important that Government and industry work together to mitigate threats, vulnerabilities, and consequences. We use a top-down approach as we work closely with and across critical infrastructure sectors to understand and address sector- and economy-wide risks. We use a bottom-up approach to develop a trusted relationship with owners and operators of the Nation's critical infrastructure: For example, a single power plant.

PSAs and CSAs are the core of our bottom-up approach and serve as the focal point of support to individual critical infrastructure owners and operators. As our stakeholders make challenging decisions about how to manage their own risk, field-based PSAs and CSAs provide advice and connect operators to security capabilities offered across the U.S. Government. Our PSAs and CSAs operate within a statutory, policy, and doctrinal framework of voluntary partnerships.
They conduct vulnerability and consequence assessments, provide information on emerging threats and hazards, and offer tools and training to help critical infrastructure owners and operators and SLTT partners understand and address risks. Finally, they provide on-site critical infrastructure subject-matter expertise during special events and incident responses.

The PSAs have been valuable advisors to local law enforcement. During last year's events in Baltimore, the local PSA received a request from Baltimore Gas and Electric (BGE) to facilitate National Guard Troops at their Spring Gardens facility, fearing that the private security at the main gate may not be able to prevent protestors from entering the plant. The Baltimore PSA advised the Baltimore Police Department Incident Commander of the request and subsequently, the Maryland Army National Guard provided troops near the main entrance, and no incidents took place. This direct, community-based security support is precisely the public service that PSAs provide, as highlighted by the recent tragic attacks in Orlando, and the still unfolding events in Dallas last week.

v. psa and csa value proposition

The Department's approach to critical infrastructure security and resilience is predicated on public-private partnerships. Such partnerships depend on the formation of trusted relationships between public and private-sector partners. These trusted partnerships are most effectively formed through regular and meaningful interactions among Federal agencies, private-sector owners and operators, and SLTT governments. In turn, such interactions are most effectively enabled by regionally-based Federal representatives. The PSAs and CSAs serve as these regional representatives to establish and mature the relationships with critical infrastructure owners and operators and SLTT governments that are foundational to our voluntary approach to risk management.
In existence since 2004, the PSA program is a mature initiative that presently fields 102 regionally-based personnel. The President's fiscal year budget requests further growth to 119 regionally-based PSAs to meet demand. As field-based representatives, the PSAs work closely with private-sector companies and with State Homeland Security Advisers. SLTT stakeholders from every region served by the PSA programs have consistently identified PSAs as a highly-valued source of support for their critical infrastructure protection responsibilities. While PSAs focus principally on physical security, they are beginning to provide customers with targeted information based on the existing NPPD portfolio of cybersecurity services to maximize the breadth of outreach for both cyber and physical risk management activities.

The CSA program is modeled after the PSA program, although it reflects several differences to account for its focus on cybersecurity. More nascent than the PSA program, there are currently 5 regionally-deployed CSAs. By the end of this fiscal year, we expect to deploy 13 total CSAs in the field. The President's fiscal year budget requests a total strength of 24 CSAs. CSAs provide NPPD's most effective mechanism to reach small and medium businesses that may lack the resources to participate in other cybersecurity programs, offer cybersecurity risk assessments to our stakeholders, and provide the Department with invaluable insight into National risk trends that are applicable to the development of new capabilities. CSAs' primary points of contact are private-sector and SLTT government chief information officers and chief information security officers.

vi. psa program

The PSA program's primary mission is to proactively engage with Federal and SLTT government mission partners and members of the private-sector stakeholder community to protect critical infrastructure. The PSAs have five mission areas that directly support the protection of critical infrastructure:

1. Conduct Assessments to Foster Risk Management Best Practices;
2. Threat and Hazard Outreach;
3. Support to National Special Security Events (NSSEs) and Special Event Activity Rating (SEAR) Events;
4. Incident Response; and
5. Coordinate and Support Risk Mitigation Training--particularly active-shooter and bombing prevention training.

1. Conduct Assessments to Foster Risk Management Best Practices

One of the central ways that PSAs support critical infrastructure owners and operators is by planning, coordinating, and conducting voluntary, non-regulatory security surveys and assessments on critical infrastructure assets and facilities within their respective regions, ranging from houses of worship to major league sports stadiums. Our PSAs offer a range of assessment capabilities including Infrastructure Survey Tool (IST) security surveys, Assist Visits, Infrastructure Visualization Platform imagery captures and broader assessments conducted through the Regional Resiliency Assessment Program (RRAP). The resulting survey information is provided to owners and operators and highlights areas of potential concern, recommendations to mitigate identified vulnerabilities, and options to view the impact of potential enhancements to protection and resilience measures. Over 85 percent of the assessed facilities indicate that they will use the feedback from the PSA to guide their security or resilience enhancements.

The increasingly tight coupling and interconnection between cyber and physical systems has required PSAs to begin conducting joint assessments of cyber and physical security. A principal example of such joint assessment was an RRAP conducted on a Data Center Cluster in Ashburn, VA that assessed cyber and physical risks to a key information technology facility. PSAs serve as a conduit for accessing other DHS cybersecurity resources, and are able to connect stakeholders to resources for encouraging cyber hygiene and information assurance practices.
When additional or local cyber expertise is needed, PSAs can connect partners to CSAs.

2. Information Sharing

In the past 3 years, the PSA program has conducted multiple outreach activities focusing on specific communities of interest and sectors such as faith-based organizations, shopping malls, energy/electrical sector entities, sports leagues and venues, and K-12 schools. These engagements were intended to provide an overview of evolving threats, such as active-shooter awareness, an understanding of available tools and resources, and best practices designed to enhance information sharing, physical security, and resilience. These efforts often led to customers requesting security/vulnerability assessments from the PSAs. PSAs also encourage businesses to ``Connect, Plan, Train, and Report.'' Applying these 4 steps in advance of an incident or attack can help better prepare businesses and their employees to proactively think about the role they play in the safety and security of their businesses and communities.

As an example, the Metcalf Electrical Substation, in San Jose, California, was subject to a breach by unknown actors in April 2013. The assailants were able to access the substation and caused significant damage to five transformers and fiber optic cables, which in turn affected telecommunications in Santa Clara County. As a result of this incident and others, the Department of Energy and DHS, in coordination with other Federal agencies and regulatory commissions, conducted an outreach program. The outreach was conducted in 10 U.S. cities and 2 Canadian cities and addressed proactive security measures, threat detection and assessment technologies, and the creation of an incident response plan. Following the completion of the Electrical Substation Outreach, PSAs provided briefings for the 10 most critical electrical substations and their stakeholders, and conducted IST security surveys.
The data from the security surveys was used to analyze common protective and resilience measures, summarized in a report published April 2015.

An additional example followed the mass shooting at the Emanuel AME church in Charleston, SC on June 17, 2015. Our local PSA offered around 20 security briefings and conducted active-shooter briefings for companies, schools, and churches. All briefings were well-received and some recipients requested further training. On February 17, the PSA also supported holding a DHS Interfaith Town Hall in Charleston, South Carolina where we brought public and private-sector partners together and discussed protective security resources for faith-based and non-profit community stakeholders.

3. Incident Response

In response to natural or man-made incidents, PSAs deploy to State and local Emergency Operations Centers and, when appropriate, Federal Emergency Management Agency (FEMA) Regional Response Coordination Centers. PSAs provide situational awareness and facilitate information sharing to support the response, recovery, and rapid reconstitution efforts of critical infrastructure. During major incidents and when designated by the Assistant Secretary of the Office of Infrastructure Protection, PSAs serve as Infrastructure Liaisons at Joint Field Offices or Unified Coordination Groups. In 2015 and 2016, the National Preparedness System went through a ``refresh'' effort to update the National Preparedness Goal, the 5 mission area Frameworks and the Federal Interagency Operational Plans for Prevention, Protection, Response, and Recovery. These foundational documents further define the role of the PSAs in ensuring that the connection between infrastructure stakeholders and partners across the Nation are able to support and engage in National preparedness efforts.

4. Special Events

PSAs provide support to officials responsible for planning and leading special events.
This includes providing expert knowledge of local critical infrastructure; participating in planning committees and exercises; conducting security surveys and assessments of event venues and supporting infrastructure; and coordinating the development and delivery of geospatial products. Examples of special events supported by the PSAs include:
  Presidential Inauguration, State of the Union, Papal Visit and Republican and Democratic National Conventions;
  Major sporting events such as the Super Bowl (The Houston PSA is the Deputy Federal Coordinator for Super Bowl 51), World Series, Stanley Cup, and Indianapolis 500;
  Annual United Nations General Assembly; and
  New Year's Celebration at Times Square in New York City.

5. Risk Mitigation Training

To reduce risk to the Nation's critical infrastructure, NPPD develops and delivers a diverse curriculum of training to build Nation-wide counter-improvised explosive device (IED) core capabilities and enhance awareness of terrorist threats. Coordinated by PSAs, the courses educate SLTT participants such as municipal officials and emergency managers, State and local law enforcement and other emergency services, critical infrastructure owners and operators, and security staff on strategies to prevent, protect against, respond to, and mitigate bombing incidents. Annually, the PSAs provide active-shooter briefings to a diverse audience. These briefings provide an overview and characteristics of an active-shooter incident, personal response, and ``Active Shooter--How to Respond'' materials. PSAs also assist with the coordination of comprehensive Active-Shooter Workshops that provide training and detailed information to assist facilities in developing emergency action plans to respond to active-shooter threats.

VII. CSA Program

NPPD modeled the CSA program after the PSA program, incorporating appropriate customization to focus on cybersecurity issues.
CSAs promulgate best practices and conduct vulnerability assessments, connect stakeholders to information-sharing resources, serve as a liaison between critical infrastructure owners and operators and the National Cybersecurity and Communications Integration Center (NCCIC) for incident response, and support special events. CSAs function as a regionally deployed source of subject-matter expertise and provide expert consultation on cybersecurity best practices to improve our stakeholders' cybersecurity risk management.

1. Conduct Assessments to Foster Risk Management Best Practices

Each CSA promotes and assists stakeholders in their implementation of the Cybersecurity Framework, which was jointly developed by the Government and private sector. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps critical infrastructure owners and operators manage their cybersecurity risk. CSAs also provide critical infrastructure owners and operators with tools, guidance, and individualized assistance to help entities use the Framework in a manner that supports their specific risk management needs. CSAs ensure that critical infrastructure stakeholders receive alerts, warnings, and bulletins on cybersecurity vulnerabilities, mitigations, and best practices through the NCCIC. These alerts, warnings, and bulletins concern risks to general IT systems as well as specialized risks to industrial control systems--the types of systems used to control power plants, manufacturing assembly lines, and other physical devices. CSAs also help our customers improve their cybersecurity risk management through voluntary vulnerability assessments. CSAs offer two primary types of assessments to supplement an organization's existing activities. First, the Cyber Resilience Review (CRR) evaluates an organization's operational resilience and cybersecurity practices across 10 domains including risk management, incident management, and continuity.
Second, the Cybersecurity Evaluation Tool (CSET) is a desktop software program that guides asset owners and operators through a step-by-step process to evaluate their industrial control system and information technology network security practices. Both the CRR and the CSET are now mapped to the Cybersecurity Framework and allow organizations to understand their relative maturity across the Framework's functions. CSAs also offer more specialized risk assessments, such as assessments focused on supply chain risk management. In addition, CSAs also link critical infrastructure owners and operators and technical penetration testing teams based in the NCCIC. For example, CSAs connect critical infrastructure partners with the National Cybersecurity Assessment and Technical Services, which provides a variety of technical assessments to identify vulnerabilities in an organization's enterprise, including phishing tests, wireless application assessments, and internal penetration testing.

2. Information Sharing

CSAs connect critical infrastructure entities with the NCCIC's information-sharing programs. Pursuant to the Cybersecurity Act of 2015 (Pub. L. 114-113, Division N), DHS serves as the U.S. Government's primary portal for automated cyber threat indicator sharing. By participating in the Automated Indicator Sharing initiative, organizations receive machine-readable cyber threat indicators to immediately detect and block cybersecurity threats. CSAs are leveraging the relationships that they and the PSAs have built to encourage companies to sign up for Automated Indicator Sharing. Additionally, CSAs help stakeholders learn about and join the Cyber Information Sharing and Collaboration Program (CISCP), which provides a trusted forum where vetted partners share threat and incident information with the Government and other private-sector partners. CISCP also permits participating companies to gain access to the NCCIC watch floor for operational collaboration.

3. Incident Response

Cybersecurity is about risk management, and no organization can eliminate all risk. Organizations that implement best practices and share information will increase the cost for adversaries and stop many threats. But ultimately, there exists no perfect cyber defense, and persistent adversaries will at times find ways to infiltrate networks in both Government and the private sector. When an incident occurs, private sector and SLTT governments may work with CSAs to obtain incident response and coordination resources from the NCCIC as well as any additional information they need to respond effectively. CSAs provide valuable insight to help the NCCIC coordinate responses to incidents and to enhance senior leaders' situational awareness.

4. Special Events

CSAs also provide support to officials responsible for planning and leading special events. This includes participating in planning committees and exercises and conducting security assessments of event venues and supporting infrastructure. Examples of special events supported by the CSAs include the Republican and Democratic National Conventions and major sporting events such as the Super Bowl and the Major League Baseball All-Star Game, where adversaries could potentially target the industrial control systems that enable the provision of lighting, crowd control, security measures, and other critical functions to the host venues.

VIII. The Way Forward

As with all of NPPD's programs, we are continuously assessing progress and looking for opportunities to enhance our capability to most effectively serve our customers. As a result of such a continuous improvement effort, NPPD is further integrating the PSAs and CSAs. For example, CSAs frequently leverage the PSA program to identify and initiate stakeholder engagement where a PSA has previously partnered. In fiscal year 2015, more than 20 percent of CSA evaluations were initiated as a result of direct referrals from PSAs.
CSAs and PSAs also conduct joint physical and cyber assessments of critical infrastructure entities and coordinate analytical resources and assessment methods. PSAs and CSAs often exchange information regarding interaction with shared partners and stakeholder groups. In recognition of growing opportunities for joint cyber-physical stakeholder engagement, we asked Congress to authorize the establishment of a new operational component within DHS, the Cyber and Infrastructure Protection Agency. We submitted a plan that will better align the PSAs and CSAs and streamline and strengthen existing functions within the Department to ensure we are prepared for the growing cyber threat and the potential for physical consequences as a result of an attack. We urge Congress to take action so that DHS is best positioned to execute this vital mission.

1. Way Forward for the PSA Program

i. Three-Year Strategic Plan

IP is working with the Office of Cyber and Infrastructure Analysis (OCIA) to develop a 3-year Strategic Plan for PSA's Assessments, as required by Congress, to determine how we can enhance the value and impact of its assessment portfolio for its stakeholders over the next 3 years. The strategic plan will:
  1. Clarify the strategic intent behind IP's conduct of assessments;
  2. Expand the value derived from assessments for IP's primary stakeholders;
  3. Articulate how assessments can better leverage, and be better leveraged by, related efforts from partners such as OCIA and FEMA; and
  4. Optimize how assessments are prioritized and measured.
Once completed, this project will guide how the PSA assessment portfolio supports stakeholders across the Nation, contributes to a National understanding of risk, and supports National preparedness planning, as well as grants decision making. The CSA program will identify improvements by drawing upon the analysis in this plan and its lessons learned.

ii. Regionalization

The owners and operators of critical infrastructure in the United States are not exclusively located in the Washington, DC area. In order to rebalance resources and meet our stakeholders where they operate, the PSA Program and other NPPD programs are regionally and field-based. These regional programs are so integral to successful delivery of products and assessments to owners and operators that NPPD has begun the process of shifting headquarters-based staff into the field. NPPD will be placing additional staff from IP in each region to supplement the current PSAs. PSAs provide direct support of mission benefactors, tailored and adapted to meet regional, State, and local needs, and this disciplined shift toward field-based and regionalized operations is designed to optimize the way that PSAs support partners across the Nation, both providing more locally-tailored support, and managing expanding security challenges. The CSAs will operate in a similar manner and will be tied into this regional construct.

2. Way Forward for the CSA Program

NPPD is expanding the number of CSAs deployed across the Nation. The allocation of CSAs is based on a risk-informed set of criteria, including:
  Public-Sector Partners.--The presence of public-sector partners (e.g., SLTT governments) with strong cybersecurity programs that would benefit from a closer relationship with NPPD.
  Private-Sector Partners.--High concentrations of companies in particular critical infrastructure sectors, particularly entities identified under Section 9(a) of Executive Order 13636 as especially critical.
  PSA Activity.--Regions with existing PSAs that will provide new CSAs with an existing network of critical infrastructure contacts.
  FEMA Models.--CSA expansion will also be informed by available FEMA models, such as those utilized in the context of the Urban Areas Security Initiative and Threat and Hazard Identification and Risk Assessment.

IX. Closing

Protecting the Nation, its critical infrastructure, and each community is a shared responsibility. PSAs and CSAs provide an essential local point of connection between DHS and our critical infrastructure stakeholders. They are the primary ``bottom-up'' capability to help individual companies better manage their risks, and consequentially they create trust relationships that can inform the development of top-down programs to manage risks across entire sectors. This local point of connection allows the Department to more effectively accomplish its mission and helps our stakeholders manage their all-hazards risk. Thank you again for the opportunity to appear before you today. We look forward to your questions.

Mr. Ratcliffe. Thank you, Dr. Ozment. I now would like to recognize Ms. Durkovich for 5 minutes for her opening statement.

STATEMENT OF CAITLIN DURKOVICH, ASSISTANT SECRETARY, OFFICE OF INFRASTRUCTURE PROTECTION, NATIONAL PROTECTION AND PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY

Ms. Durkovich. Chairman Ratcliffe, Ranking Member Richmond, and Members of the subcommittee, thank you for the opportunity to appear before you today to discuss the crucial role that Protective Security Advisors and Cybersecurity Advisors, or PSAs and CSAs, respectively, serve in supporting critical infrastructure owners and operators in their efforts to manage an increasingly complex and dynamic risk environment. NPPD's mission is derived from the recognition that critical infrastructure is essential to the Nation's security, economic prosperity, the resilience of our communities, and our way of life. However, the majority of our Nation's infrastructure is owned and operated by the private sector and by State and localities. As such, the Federal Government shares responsibility in helping them navigate a risk landscape that has become multi-dimensional, covering physical, cyber, and even space-based threats and hazards.
To that end, we appreciate your support for establishing a cyber and infrastructure protection operational component within the Department and for authorizing the PSA and CSA Program. The Department's approach to critical infrastructure security and resilience is predicated on building trusted, value-added partnerships with owners and operators of critical infrastructure. We build partnerships at the National level with the 16 sectors to identify requirements and gaps, develop tools, build capacity, and promulgate best practices to manage threats and hazards specific to their sectors while recognizing the important dependencies and interdependencies that are created by their interception. But equally important we build partnerships at the regional, State, and local level beyond the Beltway, where owners and operators are living the daily reality of this dynamic risk environment. The PSAs and CSAs are responsible for developing and sustaining these trusted relationships and bringing resources to bear to help owners and operators put appropriate security and resilience measures in place. And in the event of a bad day, help mitigate the consequences so we can not only limit the loss of life but the economic impact and disruption to our communities. We fielded the first PSA cohort in 2004 with the goal of putting at least one PSA in every State. Today, it is a mature program with 102 regionally-based personnel, and we've done more than just putting a PSA in every State. Larger States and urban areas are home to several PSAs. In the President's fiscal year 2017 budget request, we have been asked for an additional 17 PSAs. No week for a PSA is the same. I have had the opportunity to witness first-hand what they accomplish each day in our communities. It ranges from conducting the vulnerability assessments we are here today to discuss, to organizing security campaigns on evolving threats, such as violent extremism or substation attacks. 
It may include active-shooter training and counter-improvised explosive device workshops or planning for special events such as the upcoming political conventions. Equally important, as I expect you will hear today from Director Brown, they support State and local critical infrastructure protection activities and provide critical decision support information about disruptions to infrastructure and cascading impacts during an incident. Recent events demonstrate why critical infrastructure must be secure and able to rapidly recover from all hazards. Terrorist attacks and active-shooter incidents both here and abroad highlight the continuing interest that adversaries have shown in targeting critical infrastructure, the vulnerability of public gathering sites, and they underscore the persistence of those who wish to cause harm, whatever their motive. In addition, the last several months highlight the convergence of the cyber and physical domains. The disruption to the Ukrainian power grid is the first known example of a remote cyber attack that had physical consequences. We know that nation-States are looking to gain footholds into our infrastructure to use in times of conflict. To meet the threat head-on, CSAs and PSAs have already begun to coordinate their efforts, conducting joint physical and cyber assessments of critical infrastructure and aligning analytical resources and assessment methods. In fiscal year 2015, more than 20 percent of CSA evaluations were initiated as a result of direct referrals from the PSAs. The Office of Infrastructure Protection is working to develop a 3-year strategic plan for assessments as required by Congress, which we expect to be completed by the second quarter of fiscal year 2017. This plan will enable us to clarify the strategic intent behind IP's conduct of assessments, expand the value derived by our stakeholders, and will further guide how the assessments are prioritized and measured.
In closing, protecting the Nation, our critical infrastructure, our communities, and our way of life is a shared responsibility. PSAs and CSAs provide the local point of connection between DHS programs and our critical infrastructure stakeholders. They are the primary bottom-up capability to help owners and operators better manage their risks and consequently are the basis for the trusted relationships that have resulted in a National critical infrastructure program that is a model around the world. Thank you, again, for the opportunity to appear before you today. I look forward to your questions and to working with you to ensure NPPD or cyber and infrastructure protection is appropriately organized and positioned to carry out this critical mission.

Mr. Richmond. Mr. Chairman, I would ask unanimous consent that Mr. Payne be allowed to participate in today's hearing.

Mr. Ratcliffe. Without objection. I would like to welcome the gentleman from New Jersey to our subcommittee today. Glad to have you. Thank you, Ms. Durkovich. The Chair now recognizes Mr. Brown for 5 minutes for his opening statement.

STATEMENT OF MARCUS L. BROWN, HOMELAND SECURITY ADVISOR, DIRECTOR OF THE OFFICE OF HOMELAND SECURITY, COMMONWEALTH OF PENNSYLVANIA

Mr. Brown. Good morning, committee Members, Chairman, Ranking Member. I appreciate the opportunity to be here today to discuss our partnership with the Department of Homeland Security's Office of Infrastructure Protection. A significant aspect of our mission relates to prevention and protection of our citizens and our critical infrastructure in the face of terrorist threats. Many of the ways we maximize our efforts with prevention and protection activities is working with our three protective security advisers and our regional director. In a joint effort with the PSAs, we have developed programs that better prepare our citizens by identifying vulnerabilities and improving capabilities that address the threat of terrorism.
We follow the National Infrastructure Protection Plan, and we have developed and implemented a State critical infrastructure plan as a component of the overarching Homeland Security program. Together, we have been able to establish a list of the most critical infrastructure in Pennsylvania by collecting, prioritizing, analyzing facilities and assets through meaningful outreach. Our three PSAs provide immense value in assisting local, State, and Federal officials and the private sector in protecting Pennsylvania's critical infrastructure. One of the ways the PSAs accomplish this is by conducting vulnerability assessments, surveys, active-shooter protection walkthroughs of facilities and assets. My staff has accompanied the PSAs in many of these facilities when they are conducting vulnerability assessments. From our observations, having the owners and operators of these facilities in a room with law enforcement, with emergency medical services, and with other public safety officials always provided one-of-a-kind opportunities for everyone involved to identify the complexities of a facility in terms of physical and cybersecurity. The main tool the PSAs use in their vulnerability surveys is called an Infrastructure Survey Tool, or an IST. The IST is used to capture information about a facility in order to identify the areas where the facility is most vulnerable. After that data is collected and analyzed, a report containing a comparative analysis known as the dashboard is provided to the owner of the facility in order to assist in reducing risk. While the interactive dashboard shows how weak or strong that facility is compared to like facilities around the country, the report also zeros in on vulnerabilities specific to that facility and provides options of consideration, meaning that these specific actions taken by a facility will reduce its vulnerability and, therefore, reduce its risk against man-made or natural disasters.
Additionally, this information gives local, State, and Federal public safety officials a picture of what is most at risk in their area of operations. For example, with this information in hand, the PSAs can monitor critical infrastructure that may be vulnerable during a specific event such as the upcoming Democratic National Convention in Pennsylvania. The tool used for this purpose is called the Special Event or Domestic Incident Tracker tool. During the upcoming Democratic National Convention in Philadelphia, the PSAs will share the information in this tool with all of the members of our State Emergency Operation Center. Then the EOC will be able to provide me with situational awareness reports that I can then feed to public safety leadership and the Governor. From the perspective of my office and the citizens of Pennsylvania, the PSAs and the Cybersecurity Advisors bring their experience and expertise into play to assist in critical infrastructure protection efforts, and their value cannot be overstated. The tools that they use to assist the private-sector facilities are most beneficial to my office, especially during times when my staff has to report to our State EOC during an activation. We value their input and assistance when they are participants with us in our tabletop exercises and training events. What they offer our office is immeasurable to our mission of protecting the citizens of Pennsylvania. We have provided in an Appendix a list of the assessments that have been done by our PSAs in advance of the Democratic National Convention. So once again, I would just like to thank the committee for having me here, and I'm more than willing to answer any questions.

[The prepared statement of Mr. Brown follows:]

Prepared Statement of Marcus L. Brown

July 12, 2016

Good morning committee Members. I am Marcus Brown, director of the Pennsylvania Office of Homeland Security.
I appreciate the opportunity to be here today and discuss our partnership with the Department of Homeland Security's Office of Infrastructure Protection. A significant aspect of our mission relates to the prevention and protection of our citizens and our critical infrastructure in the face of terrorist threats. Many of the ways we maximize our efforts with prevention and protection activities is working with our three protective security advisors (PSAs) and their regional director. In a joint effort with the PSAs we have developed programs that better prepare our citizens by identifying vulnerabilities and improving capabilities that address the threat of terrorism. We follow the National Infrastructure Protection Plan (NIPP) and have developed and implemented a State critical infrastructure protection plan as a component of the overarching Homeland Security program. Together we have been able to establish a list of the most critical infrastructure in Pennsylvania by collecting, prioritizing, and analyzing facilities and assets through meaningful outreach. Our 3 PSAs provide immense value in assisting local, State, and Federal officials and the private sector in protecting Pennsylvania's critical infrastructure. One of the ways PSAs accomplish this is by conducting vulnerability assessments, surveys, and active-shooter protection walk-throughs of facilities or assets. My staff has accompanied the PSAs many times to facilities when they conducted vulnerability assessments or surveys. From our observations, having the owners and operators of the facilities in a room with law enforcement, emergency medical services, and other public safety officials always provided a one-of-a-kind opportunity for everyone involved to identify the complexities of a facility in terms of physical and cyber security. The main tool the PSAs use for their vulnerability surveys is called the Infrastructure Survey Tool (IST). 
The IST is used to capture information about a facility in order to identify the areas where that facility is most vulnerable. After that data is collected and analyzed a report containing a comparative analysis, known as a dashboard, is provided to the owner of the facility in order to assist in reducing risk. While the interactive dashboard shows how weak or strong that facility is compared to like-facilities around the country, the report also zeros in on vulnerabilities specific to that facility and provides ``options for consideration,'' meaning the actions taken by a facility will reduce its vulnerability and therefore reduce its risk against man-made and natural hazards. Additionally, this information gives our local, State, and Federal public safety officials a picture of what is most at-risk in their area of operations. For example with this information in hand the PSAs can monitor critical infrastructure that may be vulnerable during a special event, such as the Democratic National Convention (DNC). The tool used for this purpose is called the Special Event and Domestic Incident Tracker (SEDIT) tool. During the upcoming Democratic National Convention in Philadelphia the PSAs will share the information in this tool with my Infrastructure Protection Specialists, who will be sitting in the State's Emergency Operations Center (EOC). They will provide me with situational awareness reports that I can share with Governor Wolf. From the perspective of my office and the citizens of Pennsylvania the PSAs and Cyber Security Advisor (CSA) bring their experience and expertise into play to assist in critical infrastructure protection efforts and their value cannot be overstated. The tools that they use to assist the private-sector facilities are most beneficial to our office especially during the times when my staff has to report to the State EOC during activation. We value their input and assistance when we host table-top exercises or training events. 
What they offer our office is immeasurable to our mission of protecting the citizens of Pennsylvania. I have provided an appendix that lists the assessments that have been completed by our PSAs and CSA in advance of the Democratic National Convention. Once again, I would like to thank the committee for inviting me here to speak on this matter. To the extent there are questions I will be happy to attempt to answer any inquiries.

APPENDIX

I. In preparation for the Democratic National Convention, the Infrastructure Survey Tool has been used on the following facilities in Philadelphia:
  Wells Fargo Center (Location for the DNC)
  PA Convention Center
  National Constitution Center
  Lincoln Financial Field
  Citizens Bank Park
  Hahnemann Hospital
  Equinix Data Center
  One Liberty Place high-rise
  Multiple Exelon/PECO substations

II. Other facilities that have been assessed in the past and whose data will be used during the Democratic National Convention include:
  Philadelphia Gas Works
  Multiple assets of the Philadelphia Water Department
  Penn Presbyterian Hospital
  Transportation assets--Southeastern Pennsylvania Transportation Authority
  Amtrak
  Delaware River Port Authority (Walt Whitman and Ben Franklin Bridges)
  Comcast Center
  Philadelphia Museum of Art
  PJM Interconnect

III. Cyber assessments conducted on Pennsylvania facilities that will have a role in supporting the Democratic National Convention:
  PA Convention Center
  Samuel Baxter Water Treatment Plant (main water treatment plant of the Philadelphia Water Department)
  Comcast Center
  Philadelphia Gas Works
  PJM Interconnect

IV. Requests for cyber assessments currently in the planning process:
  Delaware River Port Authority
  One Liberty Place
  Philadelphia Museum of Art
  National Constitution Center

V. Additional training conducted by DHS and Governor's Office of Homeland Security in advance of the Democratic National Convention:
  Active-Shooter Workshop (Public & Private Sectors): 29 April 2016 (Independence Visitors Center--41 N. 6th Street, Philadelphia, PA 19106)
  Surveillance Detection Training (Public and Private Sectors): 10-12 May 2016 (National Park Service HQs--143 S. 3rd Street, Philadelphia, PA 19106); 07-09 June 2016 (National Park Service HQs--143 S. 3rd Street, Philadelphia, PA 19106)
  Protective Measures Course and Vehicle-Borne IED Search Procedures (Public and Private Sectors): 25 and May 2016 respectively (Delaware Valley Intelligence Center, 2800 S. 20th Street, Philadelphia, PA 19145)

Mr. Ratcliffe. Thank you, Mr. Brown. I now recognize myself for 5 minutes for questions. Dr. Ozment, I want to start with you. We talked about the fact that, as you said, the CSA program that hopefully, you'll be able to leverage and learn from some of the lessons of the PSA's 12-year history. One of the questions that I have for you is can you advise us on the developmental and training programs for the CSAs to ensure that the field-based personnel out there have a diverse cyber experience that includes computer engineering skills, that includes a well-versed knowledge of cyber incident response and a solid working knowledge of the NCCIC and its capabilities and services?

Mr. Ozment. Thank you, Chairman. Let me, first, highlight what we are looking for in a Cybersecurity Advisor. Cybersecurity Advisors are the risk advisors in organizations. So if you look at a typical chief information security officer office, the chief cybersecurity office of a customer, they usually have a CISO, chief information security officer, a policy office, a risk management office, an operations office, and maybe an information-sharing office. The CSAs bring in that high-level risk management knowledge. So we do not expect them to put hands on a keyboard and be able to do a technical risk assessment. We want them to bring that strategic perspective. Risk management is really the chassis upon which we build cyber programs, and so it's really core.
So right now, let me tell you, in fact, about our 6 CSAs, because I think we have a really impressive group of folks. We have one individual who is a former State CISO. We have a National lab expert on cybersecurity. We have a long-time Navy cyber individual who is also the CISO of a private-sector company. We are about to bring on to Houston in the next month a person who is an executive in an oil and natural gas company to be our Cybersecurity Advisor in Houston. So, and that's just an example of the great talent we've got in this program. So we are bringing in the right people. To your point, we then have to continue to train them. So one of the things that we do is we actually look to existing training programs such as--well actually, I won't mention certification programs by name, but there are existing private-sector-led certification programs that you use to really ensure that your people have the best risk management knowledge, and so we use those certification programs plus bringing them in back to headquarters to train them on what's available from the headquarters organization and the NCCIC itself.

Mr. Ratcliffe. Thank you, Dr. Ozment. Ms. Durkovich, let me turn to you. As I understand, the Protective Security Advisor Program has developed a new public outreach initiative, ``Homeland Security Starts With Hometown Security.'' You and I talked about that. I've got this handout that you gave me. This sounds like a great initiative. My question to you is, have you determined any benchmarks or metrics to determine the success of programs like these or other PSA outreach? Then depending on your answer, Mr. Currie, I would like to have you weigh in on your experience with respect to whether there are any best practices for determining or reporting measurable metrics in areas that are activity-based?

Ms. Durkovich. Thank you very much, Chairman, for that question. It is a great question.
I want to begin by acknowledging that we are continuing to look at how we enhance and improve our metrics. As you know, most of what we do within the Office of Infrastructure Protection is voluntary. So owners and operators are not required to participate in our assessments, nor are they required to report back to us what options or considerations they accept. However, we have, over the course of the last several years, begun to do a better job in terms of tracking those options or considerations that are recommended, and we know, for instance, that at least 90 percent of owners and operators at least adopt one of our options for consideration. We are working to go through the Information Collection Request process, which will allow us to provide surveys and questionnaires to our owners and operators, to more effectively understand how useful the value that campaigns such as the connect-plan-train-report initiative are bringing. Once we have that information collection request completed, again, we will be able to actually hand out surveys and get their direct input. We do this right now for the Office of Bombing Protection within IP, and many of the counter-improvised explosive device training courses that we offer, and we know, for example, that our owners and operators rate most of our trainings 4.7 out of 5 stars. So that's an encouraging statistic. Some of the metrics are anecdotal or qualitative, I should say, and it is based on the participants that come to our workshops. We have recently rolled out an updated version of our active-shooter workshop that is focused on developing an emergency action plan for owners and operators in the event of an active-shooter incident. I will tell you, having participated in one in Philadelphia a month ago, the room is overflowing.
I will--again, some of this is just based on the feedback that we get directly whether it is from homeland security advisers, from owners and operators, in terms of the value that we have brought in helping them understand the range of threats and hazards and the measures that are appropriate for their operating environment. Not every business, shopping mall, movie theater, can put mags in, can do the things that you have here when you enter into this building. So part of what we do is working with them over time to develop that plan and to ensure that the appropriate measures are in place. But it is an area that we recognize that we have to continue to work on, and it is why we are working diligently to complete the 3-year strategic assessment which will, again, give us a better foundation for the metrics that we collect.

Mr. Currie. Yes, sir. So I agree with everything Ms. Durkovich said at the end. I would sort of make two points. No. 1, and, you know, data sharing and data collection is not an exciting topic, but I think that that is the key first step, is that there are so many assessments that have already been done and so many tools out there and so much data that has been collected, first looking across all of this data to see what we first have. One of the problems we identified when we actually tried to look across all that information was that there may have been similar information collected in different assessments but just asked in a different way. So it wasn't consistently collected, and you could not compare it across sectors, across facilities and all that type of thing. That makes it really, really difficult to identify priorities across the country. But I also want to make the point that--I mean, this is really difficult, you are dealing with 16 individual unique sectors; each sector has to have unique tailored questions to it. But there is a way to collectively do this.
I do want to make the other point, though, that there are certain programs where DHS is a little bit more involved in the actual assessment and follow-up, like the Regional Resiliency Assessment Program, where DHS goes out with local partners and other Federal agencies and assesses regional risk and resiliency. One of our past recommendations is they better follow up on that to see what mitigation actions were taken and how that actually decreased vulnerabilities. So you can quantitatively look at that issue, too.

Mr. Ratcliffe. Thank you, Mr. Currie and Ms. Durkovich. My time has expired. The Chair now recognizes my friend from Louisiana, the Ranking Member, Mr. Richmond.

Mr. Richmond. Thank you very much. This is to Director Brown, and it's also a follow-up of some things that you mentioned in your testimony. In your experience in Pennsylvania, and especially in light of the upcoming Democratic convention, how are critical infrastructure owners and operators taking advantage of the vulnerability assessments performed by PSAs and CSAs, and are they actually adopting the recommended countermeasures and security controls, No. 1? Then, No. 2, in your opinion, have these assessment programs been noticeably beneficial? If not, what would you suggest improving?

Mr. Brown. First, I would like to take a step back from the DNC last year. We had the papal visit in Philadelphia, also. Again probably the largest NSSC event that the country has ever seen. And, again, I sat on the Executive Steering Committee for that, and so, oversaw a great deal of the security planning for the event at all levels--local, State, and Federal. The PSAs played a very important role in what we were doing there. You know, they--and that was in several ways. No. 1, the assessments that they did, they had done a significant number of assessments in the Philadelphia area for that event, leading up to that event, and then again prior to the DNC.
Those facilities, when we did table-top exercises, many of those facilities came into a component of the exercise. The fact that we had security assessments done and more importantly, actions taken as a result of those security assessments to make those facilities safer, I think, played a big role in the level of protection everybody expected at those locations and then how we felt about our preparation for the events. You know, in each one of those events also leading up to them, including the DNC, you know, our PSAs also assisted greatly in training preparation for those events. They had active-shooter training, they had vulnerability facility training, they had IED training, they had surveillance protection training. So it goes beyond just the assessments themselves. When they do the assessments, they see that there are certain vulnerabilities, and then their training comes in behind that to ensure that we're looking at those things and trying to solve some of those problems. So my thought is that, that they play an important role working with public safety to ensure that the facility and the location and the events that we are putting on, especially in the ones coming up here in Philadelphia for the DNC, I think we are in a much safer position now as a result of their work.

Mr. Richmond. Thank you. I would direct this question to the panel, and I think that--I would be interested in the response. GAO reported that Coast Guard Protective Service Security Advisors and TSA field personnel, have reported observing Federal fatigue or a perceived weariness among critical infrastructure owners and operators that have repeatedly been approached by different Federal agencies and offices. What's being done to address this, both, within the Office of Infrastructure Protection and Cybersecurity and Communications, and externally in regards to other agencies and is it something you all notice and see?

Ms. Durkovich. I'm happy to start with that question. Thank you.
It is a great one. I do want to begin by mentioning that we have moved to a single assessment methodology within the Office of Infrastructure Protection, in part because of the work that the GAO has done in identifying some of the challenges behind having multiple assessments. So over the course of the last several years, we have, again, moved to a single assessment methodology. That assessment methodology is housed in something called the IP Gateway, which really serves as the chassis that underpins our entire suite of assessment tools, our integrated situational awareness, and our integrated planning tools. The IP Gateway now is used not only by DHS but by many of our Federal partners across the departments and agencies, and equally important, it is used by every State and often in urban areas to conduct these assessments. But I think that your question raises why our efforts to continue to move toward operationalization, and to enhance our efforts out in the field in the regions is so important. Part of the reason that we have established an IP senior leader in every region is to ensure that we are coordinating, more closely than ever before, with our Federal partners, with our State partners not only in the conduct of assessments to ensure that we are not duplicating efforts, but equally important that we are coordinated in support of special events and incident response. We have seen the dividends already play out in the regions. I think that we, again, are doing a much better job in limiting duplication. So as we continue to move in, you know, move to getting additional resources out there, I think that we will continue to see the benefits from this.

Mr. Richmond. Anyone else wanted to comment?

Mr. Ozment. I'll just chime in and highlight that this is one of the strengths of having the PSA Program and the CSA Program closely coupled.
The CSAs, cybersecurity advisers, coordinate with the PSAs, Protective Security Advisors, to make sure that their activities are in line, and really look to the PSAs to be the core relationship manager in a given region.

Mr. Brown. If I could just make one final comment. You know, I think the security assessments that are done play an important role. But when we couple them, our office has--a huge part of what we do is put on table-top exercises. So, when we can couple that assessment with an actual exercise, we all of a sudden now--the facility is now testing what they got in their assessment in an exercise to ensure that the implementation of it, that the surrounding public safety officials are all on-board with what the assessment is saying and then how best to protect the facility. So I really think the coordination of both of those things has played an important role in Pennsylvania, especially for some of the large events that we've had.

Mr. Richmond. Thank you, Mr. Chairman. I yield back.

Mr. Donovan [presiding]. The gentleman yields back. I don't want you to think that your testimony caused the Chairman to lose his hair, to get a little bit older. He had another commitment, and he's asked me to assume his role. The Chair is going to recognize other Members of the subcommittee for 5 minutes of questions they may wish to ask the witnesses. In accordance with the committee's rules and practice, I plan to recognize Members who were present at the start of the hearing by seniority on the subcommittee. Those coming in later will be recognized in the order of arrival. We alternate Republican and Democrat. Since I'm the only Republican left, I will ask you questions for 5 minutes. Mr. Currie, you have testified before this committee before; I thank you for coming again.
You had many suggestions during your testimony on how DHS can gain the trust of the private sector, the private owners, and how your suggestions can decrease Federal fatigue that these people are experiencing. Why haven't we done anything about it? You had great suggestions. I thought your testimony was wonderful. Why haven't we done it?

Mr. Currie. Well, I think we have done a better job in recent years, no doubt. I think there's two keys to this, and I mean--and the folks talk about it. I mean, one is local relationships. There has to be local relationships in these areas, and that's really important. It's also really difficult to measure how good that is, but it's key. One of our key points, and, again, not the most exciting topic, but data sharing and data consistency across so many different assessments is critical. If a PSA has reviewed information on assessments that have already been done of a facility, they go in not just informed for their own jobs, but they go in and it lends credibility with the owner and operator. If there's consistency across questions, especially in the same area, they also don't have to ask the same question a different way that the person may have been asked 3 months ago by the EPA, for example. So I think both things are absolutely critical.

Mr. Donovan. Do you think that--you're seeing results, increase, a change? I mean, the program has been going on for 12 years now.

Mr. Currie. Sir, to be fair. So we issued our report in 2014, and DHS has done a lot since that time. She mentioned the IP Gateway, which is basically, you know, a web-based tool where people don't have to hand out paper assessments and read them. Everyone can go in and have access to certain information. We think that's good progress. But what we don't know, because our work is a little bit dated is, you know, we surveyed owners and operators at the time. We would have to go back and actually talk to them to get their perspectives, and we haven't done that.
So that may be a better question for Mr. Brown.

Mr. Donovan. Mr. Brown? It's tough when another witness passes the ball.

Mr. Brown. You know, I would say one thing about the number of different assessments that are done. You know the agencies that are doing those assessments have very, very high expertise in that certain area, so they are assessing a location or a facility where that type of assessment is probably very important, whether it's the Coast Guard, whether it's environment. You know, they are assessing a certain business or facility where that part is critical. So, you know, the concern for us always is the last thing we would like to see is a watered-down assessment that sort-of fits everybody. So I think there's sort-of a balance in, you know, what's been reported here compared to exactly what's going to work out in the field. You know, if it's a maritime facility, we would like to see specialists in the maritime arena be the ones doing the assessment. So I would caution there should be some balance as we move forward on this to try and make a single assessment that fits everybody or ensuring that we have comprehensive assessments for each individual sector, because when we have had exercises where multiple assessments have been done, you know, we do get some specific input from each of those assessments that helps us sort of move forward in the security plan.

Mr. Currie. Sir, I would absolutely agree with that, too. Then we're not suggesting that there be one single assessment to apply to all 16 different sectors. I think--you know, I absolutely agree. I think what we noticed in our work is that there was a lot of information collected across a lot of different assessments and sectors that was the same, but different. It was collected differently. It could have been used differently if it was collected consistently and analyzed across sectors. Of course, there has to be subject-matter expertise.
That's why the Coast Guard, for example, does port security inspections instead of NPPD, for example.

Mr. Donovan. Just for all of you, is this well-spent money? I know, Ms. Durkovich, you said that it's a voluntary program, people have to, because their private sector, have to volunteer to participate. We're spending a lot of taxpayer dollars on this. Do you feel, each of you, that this is a worthwhile effort, and we're achieving the goal that we set out to achieve when the program began?

Ms. Durkovich. Thank you, sir, and I'm happy to start with that question. My answer is unequivocally, yes. As I alluded to in my opening remarks, we are living in a very dynamic and complex risk environment. At the end of the day, our reliance on critical infrastructure is really what, you know, drives our way of life and helping owners, and operators navigate this environment and manage the risk is really the essence behind our program. So our ability to do these assessments, to share information with them, to make recommendations on how they can improve their security. The reality is you cannot operate in this day and age without having some sort of security plan and some plan for how you are going to bounce back in the event of an incident. So that is the value that we bring to them, a no-cost assessment that helps them understand where they compare to others in their sector or subsector, and the return on investment that they will get if they make certain enhancements in security and resilience. So I will tell you, absolutely, it is taxpayer money well spent. We have saved lives. We have limited disruptions to critical infrastructure. I do want to just speak briefly to the different types of assessments. We have this, you know, this reality in the Office of Infrastructure Protection where we actually have the authority to regulate high-risk chemical facilities.
There are about 3,400 facilities that we have deemed high-risk because of quantities, threshold quantities, that they have of chemicals of interest. So we have a special program and chemical security inspectors who are responsible for helping that facility develop a Site Security Plan and ensure that those chemicals are well-protected. Our chemical inspectors work closely with our PSAs to ensure that we're not duplicating efforts. Then in addition to a CSI showing up on-site that you don't have a PSA then knocking on the door and saying, hey, do you want an assessment? We have learned, though--and this is where the work we are doing in the field, to better serve their activity is so important--that even though you may be a high-risk chemical facility, you still have the need for some of our other voluntary services, whether it be active-shooter training, many of, again, the kind of voluntary, the voluntary programs that we do participating in exercises at the State and local level, ensuring that we are accounting for you in NSSCs and the such. So I think that the earlier comments about the need for specialized assessments is true as well. Thank you.

Mr. Donovan. Thank you very much. My time has expired. The Chair now recognizes the gentlewoman from California, Ms. Sanchez.

Ms. Sanchez. Thank you, Mr. Chairman. Thank you, all, for the incredible difficulty of the work that you do. I believe that both Mr. Langevin and I have been working on this both from the Armed Services Committee and from the Homeland Security Committee. He has ranked for a while with respect to cybersecurity on the Armed Services, and I ranked earlier on that, and of course, we have been very involved here on this issue on homeland. It's at times just overwhelming, as you know, trying to figure out how we safeguard what we need to safeguard. So I have only one question.
Because we have really, and I believed in this, sort-of kept a hands-off method in ensuring with our third parties, those who own our very critical infrastructure, and 90 percent of which really sits in these third parties' hands, we've really attempted to stay short of regulations and playing on red tape and in an effort to keep costs down so that they might be able to better use those funds, that they would otherwise spend to enhance the security of these structures. We have had both small businesses who have been--who are contractors to some of these larger infrastructure pieces very engaged. We've had, of course, many larger companies engaged. But we've also had a set that have declined to even tell us what they are doing or what they might have, asked us to come in and take a look from an expert standpoint and maybe help them. What can we do to engage those who are still outside of what we are doing? That would be my only question.

Mr. Ozment. Thank you, Representative Sanchez. I think that's really a fundamental question for us all, and I really appreciate your putting your finger on it. The key question here is in a world where we work voluntarily with companies, how do we get them to engage? I'll tell you, on the cyber side, and I think the same is true on the all-hazards side, having a local regionally-deployed presence is critical, because ultimately, companies work--or small and medium businesses, or State and local governments, they work with the Federal Government when they have a trust in the Federal Government. We build that trust through having people who are living where they live, working where they work, and really providing value to them, making it real that the Federal Government has services to improve your company's security, your local government security. We do have those services. So having these cybersecurity advisers on the cyber side living and working with our customers has been incredibly important.
As you know, I mentioned earlier right now we only have 6, and we are really looking for the Congress' support to increase the number of field-deployed cybersecurity advisers in the 2017 budget.

Ms. Durkovich. I would agree with my colleague, but I would like to add one thing, and I think it is an important component of the assessments that we do. But when we work with owners and operators to evaluate their security posture, one of our claims is you are kind-of only secure--you are only as resilient as your weakest link. We encourage them to look across their entire supply chain, to have conversations with their suppliers, to recognize where their key dependencies are, whether it is power, whether it is water, whether it is communications, and to, at a minimum, have conversations with those key dependencies, with those key third-party providers about what their security plans are. But, equally important, and I think we are seeing this more in the cyber realm than we are in the physical realm, but is ensuring that as you develop relationships and contracts, with those third-party providers, with those in your supply chain, that you are making security, that you are making resilient a key part of that agreement between your organizations, that in some ways, we are pushing the need for security into that supply chain.

Mr. Ozment. Congresswoman, I apologize. Can I add one additional point? My apologies. I think one other key aspect of this is actually the legislative protections that you, the Congress, have given us for protecting the information our customers share with us. I'd highlight two in particular--protected critical infrastructure information, which means that when a company shares vulnerabilities or their risk profile with us, statutorily we protect that information. We cannot give it to a regulator. It cannot be accessed through a Freedom of Information Act or other State Sunshine Act laws and it cannot be disclosed in civil litigation.
That protection is critical. We treat information we receive under that protection extraordinarily carefully. Then obviously the Cybersecurity Information Sharing Act of 2015 also gave us additional statutory protections for cybersecurity indicator information and those protections are also extremely important.

Mr. Brown. If I could just weigh in, you know, from the field what we found out is that the more of assessments and the training is done, the more you have other facilities wanting the training. So when you have several hospitals in a city or a locale that have done the assessment, the next thing you realize is you start getting calls from the third hospital saying, hey, I understand these assessments were done, we would like to have that happen. Now the same thing is happening with the minor league baseball stadiums in the State of Pennsylvania. You know we've done the Philly stadium now, several of their minor league stadiums are asking for an assessment done, followed by a table-top exercise. It is sort of a snowballing effect. The more we are doing these types of things, I think the more the industry is asking for them.

Ms. Sanchez. Thank you, Mr. Chairman.

Mr. Donovan. The Chair now recognizes the gentleman from New Jersey, Mr. Payne.

Mr. Payne. Thank you, Mr. Chair. Also I thank the Ranking Member for allowing me to sit in today on a very important topic. In my work as Ranking Member on my subcommittee, that deals with resilience and communications, this is something that I've been very interested in and have advocated the administration on. In 2013 the National Infrastructure Protection Plan focuses not only on the security of the Nation's critical infrastructure, but also its resilience, which is something that I've dealt with a great deal. What training and technical assistance is DHS providing through the PSA and CSA programs to increase resiliency of our critical infrastructure?

Ms. Durkovich. I am happy to start with that question, Congressman Payne, and thank you very much. Over the course of the evolution of our program, we have moved from a security focus to a security and resilience focus because of our recognition of the importance to work with owners and operators, to be able to return to normal operations in the event of an incident. Resiliency has become a very key part of the vulnerability assessments that we do. Of the 1,400 questions that are part of the infrastructure survey tool, that Director Brown alluded to, a number of them cover resilience-related measures. Again, that ranges everything from do you have a business continuity plan in place? Do you have route diversity when it comes to your communications? Do you understand who is providing your electricity, your water in the event of a power outage? Do you have a generator? Do you have enough fuel to fuel that generator for at least 72 hours, if not longer? So again, those types of questions are considered in the IST and we give an owner and operator the ability to see where they stand from a resiliency index compared to others. If for example they didn't have a business continuity plan but they developed one, how that score would improve. Equally important, a cornerstone of the Office of Infrastructure Protection has become our Regional Resilience Assessment Program. This is where we look at a key industry, a key critical infrastructure asset. In New Jersey, for example, one of our first Regional Resilience Assessment Program projects was focused on exit 14 and the concentration of petrochemical plants, that you find at that exit, and their dependency on water, on electricity, on communications, the importance of the port in the area. We both evaluated what were the threats and hazards that could disrupt or cause some sort of incident at that port.
But equally important, how do we work very closely, not only with the owners and operators, but the State and the local authorities to improve the resilience of all of those underlying systems and assets? It is a Regional Resilience Assessment Program that continues to see value. It has been the basis for a number of different exercises. The State of New Jersey actually created an app based on that RRAP, it is the foundation. Recently we looked at a category 1 hurricane coming up the southern tip of New Jersey and really the relationships that exist in that region were because of this RRAP that we did in 2009. So resiliency has become a key piece of what we do in the Office of Infrastructure Protection.

Mr. Payne. Good old exit 14. I live 4 minutes from there. You know that area has been called the 2 most dangerous miles in the country based on the airport and the seaport, the chemical and the infrastructure, so these issues are very important to me. How has DHS incorporated the concept of resilience into their vulnerability assessments?

Ms. Durkovich. Again, it is both through some of the questions that I alluded to, but looking at really at an organization's, or an industry's, or a particular region's, kind of operational capability, and what is a minimal time of disruption that that particular organization, that particular community can sustain? That's really kind-of what drives our concept of resiliency.

Mr. Payne. Thank you.

Mr. Ozment. I would just note, sir, that our cybersecurity most strategic risk assessments are in fact resiliency assessments.

Mr. Payne. OK. Thank you. I appreciate your indulgence and yield back the balance of my time.

Mr. Donovan. The gentleman yields back. I would just like to recognize that I live 10 minutes from that exit, so keep up the good work. The Chair now recognizes Mr. Langevin from Rhode Island.

Mr. Langevin. Thank you, Mr. Chairman. I want to thank the Chair and the Ranking Member for holding this hearing.
I want to thank our witnesses for your testimony here today, and the work you're doing to protect the country. For Secretary Ozment and Durkovich--so I appreciate the desire to incorporate cybersecurity in your risk assessments, particularly as more and more systems are connected to the internet. So as a Member of the Armed Services Committee I recognize that today's conflict and really all future ones for that matter are going to contain some type of a cyber component to it going forward. It seems prudent to extend that mindset to critical infrastructure. So with that in mind, Secretary Ozment and Secretary Durkovich, can you talk about the training required for PSAs to provide these assessments, while Chairman Ratcliffe asked about CSA training, it seems that since they are outnumbered by 20 to 1, at the moment, I imagine PSAs are required to do the baseline assessments and basically it would seem that much of the expertise is different from the physical security that traditionally has been at the domain of PSAs?

Ms. Durkovich. Thank you very much for that question. As you alluded to, we see the Protective Security Advisors as force multipliers in this effort to secure critical infrastructure from cyber threats. As I alluded to in my opening statement, over 20 percent of the referrals to the CSAs actually come from the Protective Security Advisors, this is because we have these long-standing relationships that we have developed with owners and operators. In addition to being worried about natural hazards and terrorist threats, they are also dealing with, again, the range of cyber actors. So at a minimum what our PSAs do is connect them with the other NPPD cybersecurity expertise, that may be the NCCIC, that may be the Cybersecurity Advisors, but we also are bringing tools and capabilities.
We have a number of self-assessments that are available to owners and operators on the cyber side of the house and, as well, can articulate kind of that basic cyber hygiene. So, to ensure that our PSAs at least know enough to be dangerous on the cyber front. This is something that in my role I've had to do as well. Right, it is hard for me to go out and talk about this dynamic risk environment and not include cyber in that conversation.

Mr. Langevin. So I just want to ask to clarify, so are they just doing referrals to CSA, or to other entities, or do they actually have training in that area on the site?

Ms. Durkovich. So they are largely doing referrals. They do do kind-of general awareness about the threat. They can talk about kind-of basic cyber hygiene, the importance of multifactor authentication of segmenting systems. But, to answer your question, we have sent all of them down to Hoover and the Secret Service cybersecurity campus there to get a basic level of training. There are some Protective Security Advisors who have spent time at Idaho National Labs, with our industrial control system team, getting kind-of a higher level of training. We have only a few, but this is while Andy works to build up his work force, that are actually certified to conduct our cyber infrastructure survey tools. So it's a mix of----

Mr. Langevin. So where do you see the work force going on the CSA side? Because it seems to be that you'd almost want the two to be co-assessing or collocating in conducting these assessments.

Mr. Ozment. Sir, I think of this as a sort-of three-tiered system. We have the PSAs who can do--advertise our cyber programs, connect people with our other cyber resources and do basic--for example, as part of their basic infrastructure survey tool they do have strategic cyber questions there. They can give high-level advice on cyber hygiene.
When we have a problem that demands more cyber knowledge than that, and a lot of our customers are demanding more cyber knowledge than that, we go to the CSAs, and the CSAs provide-- are cybersecurity specialists but they are not hands-on technical operators, they are cybersecurity executives, if you will. So then at the next and final tier when a customer needs more technical specialized assistance we draw then upon our different technical groups within the NCCIC, whether it be the industrial control systems team, or an instant response team, or a hacking team if you will. So we start with that broad base of PSAs who, as you note, there are far more of them and they have these relationships. When we are in a region the CSA and the PSA have to be very tightly coupled and they are very tightly coupled so that the CSA can draw upon that PSA's knowledge and relationships. Mr. Langevin. So where do we see the CSA work force going? Is that--are you working to increase that, so you have more of balance with the PSAs? Mr. Ozment. Yes, sir. We do very much need that CSA work force. The demand is just huge. So we will absolutely increase it. I don't know that we'll reach as large as PSA work force. I think some of that is we have to see how the demand evolves, but we are very much asking for an increase to 24 CSAs in the field in the fiscal year 2017 budget. Mr. Langevin. Thank you. I hope we are going to concentrate on that more. Thank you, Mr. Chairman I yield back. Mr. Donovan. The gentleman yields back. I thank the witnesses for their valuable testimony and the Members for their questions. The Members of the committee may have some additional questions for the witnesses. I would ask that you respond to those in writing. Pursuant to committee rule 7(e) the hearing record will be held open for 10 days. Without objection the subcommittee now stands adjourned. [Whereupon, at 11:17 a.m., the subcommittee was adjourned.] 
A P P E N D I X
----------
Questions From Chairman John Ratcliffe for Chris P. Currie
Question 1. Given the focus of some DHS assessments on threats to specific regions, are there any U.S. cities or sectors that are examples of best practices in collaborating with and among DHS offices and components and other Federal partners in participating in assessments and taking actions to address vulnerabilities identified?
Answer. DHS has taken steps in response to a past GAO recommendation that will help officials identify U.S. cities or sectors that have demonstrated best practices in collaborating with and among DHS offices and components and other Federal partners. Specifically, DHS uses follow-up surveys at facilities that have undergone vulnerability assessments and security surveys, including those that participate in Regional Resiliency Assessment Program (RRAP) projects, and has initiated a broader data-gathering effort with its RRAP critical infrastructure stakeholders to explore changes in diverse topics such as partnering and State actions based on RRAP participation, in response to a recommendation we made to DHS in 2013.\1\ In August 2015, the Office of Infrastructure Protection (IP) provided documentation to address this recommendation, including screen shots of an IP-developed SharePoint capability for tracking RRAP findings. This Tracker Tool contains questions about the status of RRAP principal findings, any action taken by RRAP participants, whether the action was taken due to the RRAP, and identification of the point of contact who can confirm this linkage. The data fields in the Tracker Tool will allow IP to identify the RRAPs and associated regions that were successful at bringing about resiliency improvements and the types of improvements that are more common across RRAPs.
---------------------------------------------------------------------------
\1\ GAO, Critical Infrastructure Protection: DHS Could Strengthen the Management of the Regional Resiliency Assessment Program, GAO-13-616 (Washington, DC: July 30, 2013).
---------------------------------------------------------------------------
Question 2a. According to the GAO testimony, DHS established a policy in October 2014 to conduct quarterly reviews of programs related to critical infrastructure to better understand the barriers critical infrastructure owners and operators face in improving the security of their assets. What trends has DHS identified in declinations using its tracking system since October 2013? Has DHS identified barriers that critical infrastructure owners and operators face in making improvements?
Question 2b. If so, what are those barriers?
Answer. According to DHS's 2013 National Infrastructure Protection Plan, our Nation's well-being relies upon secure and resilient critical infrastructure. To achieve this, the National Plan calls for critical infrastructure partners to collectively identify priorities, measure progress, and adapt based on feedback and the changing environment, among other things. Therefore, it is imperative that DHS conduct regular reviews of its programs. In 2012, we reported that DHS could be missing an opportunity to measure performance associated with planned and in-process enhancements, and could better understand why certain improvements to securing critical infrastructure were, or were not, made following assessments.\2\ We reported that this information could help DHS to better understand what barriers owners and operators face in making improvements to the security of their assets. DHS began tracking additional information in response to our recommendations.
Table 1 provides a snapshot of common reasons why facilities refused or were not selected to participate in an assessment from October 2013 through September 2014--the last date for which DHS provided GAO data on this issue--which could prevent owners and operators of critical infrastructure from identifying and making needed improvements.
---------------------------------------------------------------------------
\2\ GAO, Critical Infrastructure Protection: DHS Could Better Manage Security Surveys and Vulnerability Assessments, GAO-12-378 (Washington, DC: May 31, 2012).
---------------------------------------------------------------------------

TABLE 1.--COMMON REASONS WHY FACILITIES REFUSED OR WERE NOT SELECTED TO PARTICIPATE IN A DEPARTMENT OF HOMELAND SECURITY VOLUNTARY ASSESSMENT FROM OCTOBER 2013 THROUGH SEPTEMBER 2014
------------------------------------------------------------------------
Facility                                                           Count
------------------------------------------------------------------------
Stakeholder believes the threat risk is low.......................    20
Facility is confident in its security posture.....................    43
Facility point of contact requires coordination with corporate
  office..........................................................   172
Defense Industrial Base site--no data collection allowed..........    47
Regulated facility--no data collection allowed....................    18
Nuclear site--no data collection allowed..........................     5
Facility does not want to share its information with the
  Government......................................................    34
Facility lacks a budget for implementing potential recommended
  security improvements...........................................    24
Facility point of contact lacks time to commit to an assessment...    29
Facility not selected by Protective Security Advisor (PSA) for
  assessment due to resource constraints..........................   577
Facility not selected by PSA for assessment due to regional
  priorities......................................................    94
PSA performed a security assessment at the facility recently......   188
Facility received a different vulnerability assessment recently...    55
Facility not interested in assessment at this time but would
  consider future assessment......................................   349
Other.............................................................   249
------------------------------------------------------------------------
Source: DHS data.

Table 2 provides a snapshot of additional information DHS gathered from participants in its voluntary vulnerability surveys from October 2013 through September 2014, the last date for which we received an update from DHS.

TABLE 2.--DEPARTMENT OF HOMELAND SECURITY VOLUNTARY ASSESSMENT FOLLOW-UP SURVEY RESPONSES, OCTOBER 2013 THROUGH SEPTEMBER 2014
------------------------------------------------------------------------
                                            Number of Facilities
                                    ------------------------------------
                                     Information         My Organization
                                     Provided Through    Is Likely To
                                     The Assessment      Integrate The
                                     Was Beneficial      Information
                                     To My               Provided By The
                                     Organization        Assessment Into
                                                         Its Future
                                                         Security Or
                                                         Resilience
                                                         Enhancements
------------------------------------------------------------------------
Strongly Disagree..................        54                  38
Disagree...........................         5                   5
Neither Agree or Disagree..........        22                  37
Agree..............................       287                 399
Strongly Agree.....................       473                 357
Not Applicable.....................        11                  16
------------------------------------------------------------------------
Source: DHS data.
In addition, 851 facility owners and operators responded to the question (checking all applicable responses), ``What are your organization's primary challenges with respect to implementing security or resilience enhancements?'':
Lack of budget (651 responses);
Lack of project management resources (181 responses);
Differing strategic priorities (239 responses);
Plans to move or significantly change the facility (23 responses);
Local ordinances (28 responses); and
Other (90 responses).
According to a 2014 IP quarterly performance review document we reviewed, IP has plans that could address some of these barriers, including plans to update IP's web architecture to capture, report, and prioritize the technical assistance, training, and education needs of IP and its partners within the critical infrastructure community by the end of fiscal year 2020.
Question 3a. One of the recommendations from your agency's work in 2014 and 2015 stressed the need for DHS to develop an approach to ensure that vulnerability data gathered on critical infrastructure is consistently collected and maintained across DHS to identify gaps and prevent duplication of efforts. Do you have any recommendations on how to best standardize this data?
Question 3b. Are there any ``best-in-class'' examples that can be leveraged to accelerate the achievement of the recommendation?
Answer. According to the National Infrastructure Protection Plan, managing risk, among other things, entails efficient information exchange through defined data standards and requirements, including an information-sharing environment that has common data requirements and information flow and exchange across entities. However, we reported that the lack of consistent, standardized data on the names and addresses of assets already assessed by DHS's offices and components inhibited the Department's ability to identify whether a given asset had been previously assessed by one office or component.
Without consistent, standardized data, DHS was not positioned to readily identify potential duplication or overlap among assessments already conducted. Within DHS, the Office of Infrastructure Protection (IP) has begun, in response to GAO recommendations, some notable efforts to address data quality. These efforts include, among other things, a two-phased automated quality assurance process that confirms that certain data elements have appropriate data, to include but not limited to: ensuring phone numbers are 10 digits, geocoordinates and zip codes correlate to the associated county and State, and the assignment of unique identifiers. Accurately capturing this basic information in a standardized manner is an important first step in addressing gaps and preventing duplication of effort. In addition, IP officials told us the office is planning pilot projects with a limited number of Sector-Specific Agencies to identify critical infrastructure data elements that each agency may have a need for, after which appropriate policies for sharing those data elements can be established.
With regard to ``best-in-class'' examples that could be leveraged, in a January 2016 report,\3\ we reported on leading practices for well-constructed data definitions derived from standards developed by the International Organization for Standardization (ISO).\4\ While not ``best-in-class'', these practices would be helpful for DHS to review in its efforts to identify ``best-in-class'' examples it could leverage as it standardizes its data.
---------------------------------------------------------------------------
\3\ GAO, DATA Act: Data Standards Established, but More Complete and Timely Guidance Is Needed to Ensure Effective Implementation, GAO-16-261 (Washington, DC: Jan. 29, 2016).
\4\ The ISO is an independent, nongovernmental membership organization and the world's largest developer of voluntary international standards. It has published more than 20,500 international standards covering a wide range of industries including technology, agriculture, and health care. For access to the ISO leading practices for the formulation of data definitions, published July 15, 2004, see: http://standards.iso.org/ittf/PubliclyAvailableStandards/c035346_ISO_IEC_11179-4_2004(E).zip. ISO: This material is reproduced from ISO/IEC 11179-4:2004(E) with permission of the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization. All rights reserved.
---------------------------------------------------------------------------
Questions From Chairman John Ratcliffe for Andy Ozment
Question 1. Given the focus of some DHS assessments on threats to specific regions, are there any U.S. cities or sectors that are examples of best practices in collaborating with and among DHS offices and components and other Federal partners in participating in assessments and taking actions to address vulnerabilities identified?
Answer. There are many examples of best practices in collaboration at all levels. A few illustrative examples include the State of New Jersey, Salt Lake City, and the Energy Sector.
State Partnerships--New Jersey.--The State of New Jersey's Office of Homeland Security and Preparedness (OHSP) has been a strong partner on a variety of infrastructure assessment activities. In 2009, the State participated in one of the first Regional Resiliency Assessment Program (RRAP) projects. The 2009 RRAP examined vulnerabilities and dependencies of a cluster of critical lifeline infrastructure located near Exit 14 of the New Jersey Turnpike in Newark. As part of the project, the State was provided with detailed modeling of interconnected water systems in northern New Jersey.
Using the water model, New Jersey took steps to develop combined analytical products for the electrical and water systems to look at regional interdependencies between electricity and water, thereby strengthening the resilience of the Energy and Water Sectors. It also utilized the model to support information-sharing and exercise activities with the Water Sector. New Jersey is currently increasing security systems at two major water treatment plants. As a direct result of the RRAP project, the North District Water Supply Commission initiated a project to improve the resilience of the northern New Jersey water system infrastructure. Within this RRAP, DHS conducted its first 7 Cyber Resilience Reviews (CRR) ever, focusing on critical information technology services that underpinned these lifeline-sector partners' operations. The results of these cyber evaluations provided cybersecurity-focused options for improvement to each participating organization.
Since 2009, the State has requested 3 additional RRAP projects. The first, in 2014, focused on complex infrastructure supporting the production and transportation of petroleum fuel. The findings were used to drive the New Jersey 2015 Hurricane Season Rehearsal Tabletop Exercise. Using the RRAP-provided information as its basis, the exercise explored improvements for information sharing between the State and the energy sector. In addition, the project delivered to the State and the Federal Emergency Management Agency's (FEMA) Region II office extensive geographic information system (GIS) products depicting petroleum and related infrastructure. The results support emergency response and recovery operations and planning.
The second additional RRAP project, in 2015, is a collaborative effort with State partners from Delaware and Pennsylvania, and is focused on the resilience of ports along the Delaware River, specifically landside terminal operations and inter-modal distribution networks for these ports and marine terminals. The Resiliency Assessment report for the Delaware River project is with stakeholders for review at this time. Preliminary findings were presented to stakeholders in May 2016. The final additional RRAP project, started in 2016, is focused on the 6 largest wastewater treatment plants, the disruption of which could have cascading impacts across the State and into New York and Pennsylvania. With each of the RRAP projects, the State will receive Resilience Enhancement Options--actions they can take to improve resilience.
Following the RRAP-related cyber evaluations in 2009, DHS began a continuing set of collaborative engagements with the State Chief Information Security Officer (CISO) and the State's infrastructure planners and preparedness coordinators. In 2011 and 2012, DHS provided a review of the State-wide strategic cybersecurity plan. DHS began participating in public-private partnership meetings and provided advice to the State on cybersecurity. The State requested information on DHS's Cyber Security Advisor (CSA) program. By 2014, the State hired its first State-employed CSA.
City Partnerships--Salt Lake City, Utah.--Salt Lake City, Utah, is another consistently strong and active partner. The city received two RRAP projects, in 2013 and 2015. The 2013 RRAP project analyzed the Salt Lake City area's health systems' critical infrastructure dependencies and interdependencies, specifically how they would be impacted by a major earthquake. The findings were used to inform emergency response plans, and prompted more detailed analysis of the region's health system dependencies. The 2015 project will provide Salt Lake City with an improved understanding of the various interconnected water and wastewater systems, and identify critical nodes and vulnerabilities.
Sector Partnerships--Energy Sector.--DHS conducts regular engagements with all Sector-Specific Agencies (SSAs), which provide an opportunity to discuss on-going efforts and share best practices. Many of the findings resulting from the different types of assessments are incorporated as part of best practices and reference resources that are disseminated through multiple outreach mechanisms. The RRAP in particular, given its collaborative approach to assessment of specific critical infrastructure within a designated geographic area and a regional analysis of the surrounding infrastructure, lends itself to capitalizing on sector partnerships. The RRAP team participates in SSA coordination calls to inform them of upcoming projects, and includes the SSAs in its annual RRAP kickoff where they have the opportunity to provide input. SSAs are relied upon by the RRAP team to provide insight into the operations and vulnerabilities of infrastructure, as well as to connect the RRAP project teams to relevant private industry and Government contacts who can assist in the assessment and analysis.
The Department of Energy (DOE) has been a close partner, providing insights into the industry, key contacts, and access to useful DOE resources. DOE and the Transportation Security Administration were both involved in the 2012 regional pipelines RRAP project. The Department of the Interior has been supporting the on-going 2016 Gulf of Mexico project with oil production information and GIS data. Through these RRAP projects, DHS is helping the Oil and Natural Gas (ONG) sector better understand operational dependencies and to improve coordination with Government emergency management officials. Federal, State, and local emergency management officials play an important role in responding to incidents affecting the ONG sector. An additional example can be found in the joint DHS and DOE study on the impacts of electromagnetic pulse (EMP) and Geomagnetic Disturbance Events (GMD) on the electric grid. This study will analyze the hazard environments, impacts, and consequences of different sources of EMP and GMD. Events of concern and potential means of mitigation will be better understood.
Federal Partnerships--Cybersecurity.--The role of cyber emergency preparedness, threat and asset response, risk management and best practice promotion, and information sharing in supporting resilient infrastructure operations cannot be understated. Cyber Security Advisors (CSAs) began working with the Coast Guard through participation in Area Maritime Security Committees (AMSC) starting in 2010, acting in many situations as an architect for AMSC cyber working groups and subcommittees. In 2011, DHS assisted the Coast Guard's Pittsburgh Marine Safety Unit, via its AMSC. The CSA on the AMSC cyber subcommittee helped to draft a 2-year strategic charter, laying out objectives for private-sector partners to develop and test cyber incident notifications, response coordination, and lesson-learned collections. Since 2011, CSAs have worked with nearly 12 AMSCs.
NPPD has helped to amplify the cyber emergency coordination efforts of the Federal Emergency Management Agency (FEMA). In 2015 and 2016, NPPD coordinated with FEMA Regional Interagency Steering Committees and engaged FEMA partners through cyber preparedness workshops and cybersecurity symposiums. Most recently, NPPD supported FEMA Region III with a 2-day cyber preparedness symposium, and DHS personnel moderated and sat for multiple panels alongside Federal, State, and private-sector cybersecurity officials. As far back as 2009, NPPD began supporting the U.S.
Secret Service (USSS) Critical Systems Protection efforts related to National Special Security Events. This coordination added a focus on cyber preparedness, joint IT operations coordination, and asset response coordination (i.e., ensuring the availability of technical mitigation resources for cyber attacks and incidents). In addition, NPPD assisted in the inauguration of several USSS Electronic Crimes Task Forces, to demonstrate not only a unity of effort in Federal preparedness and response but to bridge cyber crime and infrastructure resilience issues, specific to cyber planning, coordination, and best practice adoption.
Question 2a. According to the GAO testimony, DHS established a policy in October 2014 to conduct quarterly reviews of programs related to critical infrastructure to better understand the barriers critical infrastructure owners and operators face in improving the security of their assets. What trends has DHS identified in declinations using its tracking system since October 2013? Has DHS identified barriers that critical infrastructure owners and operators face in making improvements?
Question 2b. If so, what are those barriers?
Answer. The quarterly program review process collects a broad range of information from across the Office of Infrastructure Protection (IP), and is a mechanism for improving data-driven decision making. The assessment portfolio is one area of information collected. In fiscal year 2015, approximately 88% of facilities where IP conducted an Infrastructure Survey Tool (IST) assessment reported they were likely to integrate, or have integrated, some of the protective measures detailed in the assessment report. This is up from 86% in fiscal year 2014 and 85% in fiscal year 2013. Four thousand four hundred sixteen ISTs have been conducted since fiscal year 2010. The most common improvements include enhancements to electronic security systems, security force, and security management. This kind of action is one important indicator of the impact that our assessments have on the security and resilience of infrastructure, but does not provide a perfect measure of the overall state of preparedness.
When stakeholders are interested in accepting IP's recommendations, the barriers that preclude them from making those changes include:
Cost-prohibitive capital investments;
Lack of project management resources;
Differing strategic priorities;
Plans to move or significantly change the facility; and
Local ordinances.
When partners decline IP services and capabilities, the most common reasons cited include:
Facility isn't interested in assessment at the initial time of contact but indicated they would consider a future survey;
The facility has had a recent security assessment, either performed by the PSA or through another vulnerability assessment;
Point of Contact (POC) requires coordination with corporate;
POC lacks time to commit to assessment;
Facility is confident in its security posture;
Facility does not want to share its information with the Government;
The facility does not allow data collection because it's a regulated facility, nuclear facility, or defense industrial base facility;
Facility lacks a budget for implementing potential recommended security improvements; or
Stakeholder believes the threat risk is low.
To formalize its response to these trends, NPPD is working to develop a 3-year Strategic Plan for Assessments conducted by IP to determine how it can enhance the value of its assessment portfolio for stakeholders, to include addressing physical and cyber convergence in assessments. The 3-year strategic plan will:
Articulate the strategic intent of IP's assessments;
Define specific goals to guide prioritization, maturation, management, and use of IP's assessments;
Clarify opportunities for collaboration between IP assessments and OCIA analyses;
Articulate mechanisms to assist the Federal Emergency Management Agency (FEMA) and other agencies in risk assessments supporting grant allocation decisions; and
Provide a plan to develop and use performance metrics for program management and reporting processes.
This plan will guide how PSA-led assessments support stakeholders, contribute to a National understanding of risk, and support National preparedness planning. The CSA program will identify improvements by drawing upon this plan and its lessons learned.
Question 3. According to Presidential Policy Directive 41 (PPD-41) Section V, ``The Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center, shall be the Federal lead agency for asset response activities,'' as defined by the PPD. Do CSAs have any other cyber-related responsibilities that are not included in PPD-41 that are carried out by the NCCIC?
Answer. Presidential Policy Directive 41 (PPD-41) sets forth principles governing the Federal Government's response to any cyber incident and, for significant incidents, establishes lead Federal agencies and an architecture for coordinating the broader Federal Government response. The Department of Homeland Security, through our experts at the National Cybersecurity and Communications Integration Center (NCCIC), acts as the Federal lead agency for asset response. Asset response includes helping a victim find the bad actor on its system, repair its system, patch the vulnerability, reduce the risks of future incidents, and prevent the incident from spreading to others.
Cyber Security Advisors (CSAs) do not themselves typically engage in asset response activities, especially asset response activities beyond those related to coordinating with relevant entities and providing advice on how to best use Federal resources. While CSAs may support the NCCIC role in cyber incident response by serving as field-based support elements, CSAs focus most of their resources on cyber preparedness and protective activities. CSAs engage private-sector companies and State, local, Tribal, and territorial (SLTT) governments prior to an incident to help them develop and assess their cyber incident response plan. In an incident, the primary role of a CSA is to connect the victim or potential targets with the resources of the NCCIC.
Question 4a. Dr. Ozment, can you advise us on the developmental and training plans for the CSAs to ensure that field-based personnel have a diverse cyber experience with computer engineering skills and are well-versed in cyber incident response activities with a solid working knowledge of the NCCIC and its capabilities, services and personnel?
Answer. Cyber Security Advisors (CSAs) are hired based on subject-matter expertise in Information Technology (IT) Security, Operations, and Management--to include proficiency with IT security program and project management, evaluation and assessment, technical communications and presentation, and system and network administration skills. Each CSA has unique training needs identified as they onboard and progress through their career. This includes an orientation and regular information on National Cybersecurity and Communications Integration Center (NCCIC) services available to customers. Cybersecurity skills underlying CSA activities are identified, mapped to, and managed against workforce education initiatives and opportunities for cybersecurity awareness, training, and education. Additionally, a robust training and certification program is available to CSAs. This includes training in Information Security, Ethical Hacking and Penetration Testing, Networking, Industrial Control Systems Cybersecurity, and Risk Management.
Question 4b. How are you ensuring the CSAs are fully integrated with both the NCCIC and US-CERT? Are there plans to rotate the CSAs through the NCCIC and US-CERT to ensure they have the technical and incident response expertise?
Answer. Cyber Security Advisors (CSAs) are critical, field-based personnel with a sound understanding of the National Cybersecurity and Communications Integration Center (NCCIC). CSAs are a local resource for private-sector companies and SLTT partners. As such, CSAs often become the first element of NCCIC customer management: coordinating incident response requests, facilitating requests for information, such as best practices and technical evaluations, routing requests for operational partnership, or access to technical threat analysis and vulnerability mitigation products. As the CSA program adds additional personnel, we will explore the possibility of rotations back to headquarters, to include rotations to the NCCIC. However, the CSAs are not hired for the skillset of technical incident response, nor should they be. There are many different skillsets in cybersecurity. The CSA skillset is intended to match more closely the skillset of a Chief Information Security Officer (CISO) or a CISO's policy, compliance, and metrics team. A CSA should be able to help a company develop a security program, identify gaps, provide strategic advice, and connect that company with services available from the Federal Government, particularly the NCCIC.
Question 4c. How will you ensure that CSAs and their cyber outreach and engagement activities are fully integrated into the rest of CS&C's cyber efforts before, during, and after cyber incidents?
Answer. CSAs are not focused on cyber incident response: their primary role is on prevention and preparedness. There have been very few instances, due to the small number of Cyber Security Advisors (CSAs), where a CSA had a prior engagement with a private-sector company or State, local, Tribal, and territorial (SLTT) partner, and that same partner experienced a cyber incident. In these few cases, CSAs were generally the first point of notification by the victim. CSAs determined the situational information surrounding the event and the victim's basic needs for assistance. Under these limited instances, after an incident, CSAs also provided direct process improvement guidance on the cyber incident process and worked to identify cyber preparedness and best practice efforts for consideration by the victim's cyber program planning, operations procedures, and resource allocations.
Question 5. Has DHS identified any best practices in assessing and addressing vulnerabilities from threats and hazards that our Nation's critical infrastructure owners and operators face, and if so, has DHS shared these practices with other critical infrastructure partners to help them be more prepared?
Answer. The National Protection and Programs Directorate (NPPD) is a clearing house for best practices and lessons learned, which are continuously gathered through Protective Security Advisor (PSA) and Cyber Security Advisor (CSA) engagements and then shared with critical infrastructure partners. PSA-led and CSA-led assessments produce a dashboard and/or a report that assist stakeholders in identifying key considerations for enhancing security and resilience. The dashboards provide a comparative analysis of an entity's security and resilience, including a high, low, and median score comparison. The reports contain a written analysis of the assessment's key findings. This includes documenting vulnerabilities and identifying corresponding options for owners and operators. These options are, in effect, best practices that have been observed and compiled since 2009.
Reports also document ``commendable'' items when an entity has already implemented best practices. As a result of PSA and CSA support to special events and domestic incidents, we collect after-action reports and lessons learned. In addition, DHS is drafting an ``Effective Practice'' document that will identify documented best protective measure practices.

NPPD works with critical infrastructure partners to assess areas of concern and potential vulnerability gaps. These findings inform the development of best practices for consideration by owners and operators. A sampling includes:

Suspicious Activity Videos.--(https://www.dhs.gov/gallery/infrastructure-protection) provide information on identifying and reporting suspicious activity and threats in different environments and scenarios, including: Check It! (Bag search procedures for public venues); What's in Store: Ordinary People/Extraordinary Events (Retail); No Reservations: Suspicious Behavior in Hotels (Lodging); and Options for Consideration (Active Shooter).

On-line Training Courses.--Self-paced courses (offered through the Federal Emergency Management Agency's (FEMA) Emergency Management Institute (EMI) https://training.fema.gov/emi.aspx) designed for both people who have emergency management responsibilities and for the general public. All are offered free-of-charge. DHS has partnered to produce courses in active shooter, surveillance awareness, and more. Each course, listed below, takes approximately 45 minutes to complete.
  IS-906 Workplace Security Awareness;
  IS-907 Active Shooter: What You Can Do;
  IS-912 Retail Security Awareness--Understanding the Hidden Hazards;
  IS-914 Surveillance Awareness: What You Can Do;
  IS-915 Protecting Critical Infrastructure Against Insider Threats; and
  IS-916 Critical Infrastructure Security: Theft and Diversion--What You Can Do.
For those involved in the security of industrial control systems, the National Cybersecurity and Communications Integration Center offers several cybersecurity courses. These courses can be accessed at: https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT.

Through our Federal Virtual Training Environment (FedVTE) we offer more than 800 hours of on-line, on-demand training on cybersecurity topics such as ethical hacking and surveillance, risk management, and malware analysis. Course proficiency ranges from beginner to advanced levels, and several of the courses align with Information Technology certifications such as Network+, Security+, and Certified Information Systems Security Professional. FedVTE has been available to Federal, State, local, Tribal, and territorial Government employees. Additionally, we've teamed up with the non-profit organization Hire Our Heroes to provide U.S. veterans with free access to FedVTE.

Hands-on Training.--In addition to on-line training courses, EMI provides two Integrated Emergency Management Courses (IEMC) that provide exercised-based training events to local and county communities, based upon the community's Threat and Hazard Identification and Risk Assessment (THIRA) and Emergency Operations Plan. IEMCs are a combination of classroom lectures, discussions, small-group planning sessions, and functional exercises which expose participants to new ideas, and increase their awareness of the necessary coordination among other agencies and organizations. For the exercises, each participant is assigned a role similar to their real-life position in an emergency operations center (EOC).
  E0912.--Preparing Communities for a Complex Coordinated Attack IEMC: Community-Specific; and
  E0930.--IEMC: Community-Specific.

NPPD provides hands-on training to private-sector critical infrastructure partners.
For example, the National Cybersecurity and Communications Integration Center provides intermediate and advanced training classes on cybersecurity for industrial control systems through regional classroom training on a quarterly basis. Notably, these offerings include an advanced training offered at our facility in Idaho Falls. This 1-week course includes a two-team activity that lasts for half a day. The red team attacks and the blue team defends a small critical infrastructure facility we built.

Protective Measures Guides.--FOUO guides that assist owners and operators in planning and managing security at their facilities. Guides exist for: Sports Leagues (2008--being updated); Lodging (2010); Outdoor Venues (2011); and Commercial Real Estate (2013).

Evacuation Planning Guides for Stadiums and Major Events.--Assists stadium owners and operators with preparing evacuation plans and helping to determine when and how to evacuate, shelter-in-place, or relocate stadium spectators and participants.

Patron Screening Best Practices Guide.--Provides suggestions and best practices for developing and implementing patron screening procedures at public assembly venues.

Sports Venue Bag Search Procedures Guide.--Provides suggestions for developing and implementing bag search procedures at sporting event venues hosting major sporting events. The purpose for establishing bag search procedures is to control items that are hand-carried into the sports venue. The bag search procedures should be a part of the venue's overall security plan and should be tested and evaluated as outlined in the security plan. The actual implementation of bag search procedures and level of search detail will depend upon the threat to the venue as determined by the venue's security manager.

Sports Venue Credentialing Guide.--Provides suggestions for developing and implementing credentialing procedures at sporting event venues that host professional sporting events.
The purpose for establishing a credentialing program is to control and restrict access to a sports venue, and to provide venue management with information on those who have access. Credentialing can also be used to control and restrict vehicle movement within a venue.

Additionally, IP offers information and resources founded in best practices to support critical infrastructure partners in the identification and assessment of vulnerabilities and the adoption of mitigating measures through the IP Digital Library, which is offered through the IP Gateway. Through the IP Digital Library, Federal, State, and local critical infrastructure partners can access sector-specific materials relating to various industry best practices; information-sharing resources, practices, and protocols; applicable Standards; sector-specific resilience reports; and other research and analytic materials relating to critical infrastructure protection and resilience. The Digital Library also features the Infrastructure Protection Report Series (IPRS), which highlights common vulnerabilities and potential indicators for specific subsets of critical infrastructure systems, clusters, and assets.

On the cyber side, DHS participated in the development of the National Institute for Standards and Technology's (NIST) Cybersecurity Framework, a key resource for best practices. The Critical Infrastructure Cyber Community Voluntary (C3VP) was created to help improve the resiliency of critical infrastructure's cybersecurity systems by promoting the use of the Framework. Reference materials and assessment tools targeted to stakeholder groups can be found on-line: https://www.us-cert.gov/ccubedvp. Additionally, DHS shares information among public and private-sector partners to build awareness of vulnerabilities, incidents, and mitigations. Cyber and industrial control systems users can subscribe to information products, feeds, and services at no cost.
For example, the Cyber Resilience Review Implementation Guide series is publicly available at the US-CERT website to help organizations systematically address gaps in management that often lead to vulnerabilities. The ICS-CERT website contains alerts, advisories, and other products for critical infrastructure owners and operators. These resources can be found at: https://www.us-cert.gov and https://ics-cert.us-cert.gov/.

In fiscal year 2016, IP initiated a ``Connect, Plan, Train, and Report'' campaign that is rooted in best practices to assist public and private stakeholders proactively think about the role they play in the safety and security of their environment. In support of this effort, we consolidated a number of key tools and resources for small and medium venues as well as public-sector partners, on www.dhs.gov/hometown-security. PSAs are actively engaged in this messaging campaign, and we have developed a simple information card they can hand out to stakeholders. We have also been able to share this messaging through the Secretary's and other DHS senior leadership engagements.

Question 6. Dr. Ozment, how do the CSAs currently leverage, or plan to leverage, the existing field relationships that already exist between the private sector and Secret Service or the FBI?

Answer. Cyber Security Advisors (CSAs) regularly engage with a number of Federal field offices, including: The Federal Bureau of Investigation, U.S. Secret Service, Homeland Security Investigations, U.S. Coast Guard, Federal Emergency Management Agency (FEMA), and other partners in the field. In the case of FEMA, as noted in the Department's response to Congressman Ratcliffe's QFR No. 1, CSAs work with several FEMA Regions to help jurisdictions prepare for potential physical consequences during and after a cyber incident. In addition, CSAs leverage their relationships to assist with introductions to owners and operators of critical infrastructure.
However, each of these agencies has relationships with the private sector that differ from those created by a CSA. CSA engagements with private-sector companies are voluntary, not law enforcement or regulatory. CSAs focus on cyber preparedness, best practice promulgations, and incident planning. While CSAs leverage those existing mechanisms, for instance to prepare cybersecurity practitioners to work with cyber threat and incident response partners, the CSA mission has a focus not currently replicated within the Federal Government.

Question 7. Can you walk us through a day in the life of a CSA? At this stage in the program's evolution, I think it will be helpful for us to understand how much of their time is focused on making new connections, following-up on existing relationships, conducting assessments, etc.

Answer. Upon initial assignment to a region, new Cyber Security Advisors (CSAs) spend significant time forming relationships with existing Federal, State, and infrastructure sector partners, and building holistic approaches to cyber infrastructure protection and resilience. CSAs look for opportunities to augment what are typically general cyber threat, incident response, and crisis management activities, with a full spectrum of cyber preparedness, risk mitigation, and incident planning activities--covering cyber asset identification, protection, detection, response, and recovery practices.
As CSAs build competence with partner and individual engagement activities, CSAs lead cybersecurity evaluation activities; deliver cyber process improvement and best practice adoption activities; deliver cyber preparedness and planning workshops and presentations; attend meetings to advise cybersecurity leaders in State, local, Tribal, and territorial (SLTT) agencies and private-sector companies; augment cybersecurity awareness, education, and exercise programs; support cyber threat and vulnerability-focused outreach initiatives; work to enhance operational capabilities and capacity within cyber communities-of-interest; advise on SLTT cyber policy and resource activities; and support other Federal agency and Sector-Specific Agency cyber engagements.

Question 8. When a cyber incident occurs on an entity that previously engaged with a CSA, what are the roles and responsibilities of that CSA during and after an incident? How is that CSA's previous relationship leveraged during and after an incident?

Answer. Cyber Security Advisors (CSAs) are not focused on cyber incident response: Their primary role is on prevention and preparedness. There have been very few instances, due to the small number of CSAs, where a CSA had a prior engagement with a private-sector company or State, local, Tribal, and territorial (SLTT) partner, and that same partner experienced a cyber incident. In these few cases, CSAs were generally the first point of notification by the victim. CSAs determined the situational information surrounding the event and the victim's basic needs for assistance. Under these limited instances, after an incident, CSAs also provided direct process improvement guidance on the cyber incident process and worked to identify cyber preparedness and best practice efforts for consideration by the victim's cyber program planning, operations procedures, and resource allocations.
Preparedness Data--Cyber Security: In the Threat and Hazard Identification and Risk Assessment (THIRA) process, States, territories, urban areas, and Tribes identify their threats and hazards of greatest concern and set capability targets that define success in each core capability. States and territories then complete a State Preparedness Report (SPR) to assess their current capabilities relative to their THIRA targets. In the 2015 THIRA, 80 percent of States and territories included a cyber attack as a threat or hazard of primary concern, the highest percentage of all threats and hazards. In the SPR, States and territories identified cybersecurity as their lowest-rated capability; only 13 percent of State and territory responses were identified as proficient (4 or 5 rating on 5-point scale). States and territories have identified cybersecurity as their lowest-rated capability for 5 consecutive years.

Question 9. What are the specific metrics by which the effectiveness of the CSA program and the assessment tools used by a CSA are (or will be) measured?

Answer. Due to the small number of Cyber Security Advisors (CSAs) at this time (less than 5), program effectiveness is currently measured against limited factors. These include qualitative factors such as how partners engaged in CSA outreach, working groups, and assessments. CSAs report on levels of community planning toward best practices and produce yearly analysis of partner cyber readiness, to include factors based upon capability, capacity, and maturity. Measures and metrics for cyber assessment effectiveness are based upon the direct solicitation and receipt of feedback from evaluation.

Questions From Ranking Member Cedric L. Richmond for Andy Ozment

Question 1.
DHS has issued a Notice of Suspension and Modification of Certain Submission Requirements for Chemical Facilities of Interest and Covered Chemical Facilities Under Agency Regulations (81 FR 47001) to inform the public that the requirement to submit vulnerability assessments and other applications would be suspended until October 1, 2016 to allow the Infrastructure Security Compliance Division (ISCD) an opportunity to transition to ``CSAT 2.0''--an updated risk-tiering tool that will make much-needed improvements to the existing risk assessment methodology. The Notice provides that, once implemented, facilities will be individually notified to re-submit applications using CSAT 2.0. Notification will be phased. Which facilities will be notified first, and how will facilities be staggered (i.e., by Tier? Location? Date of original submission?) When does ISCD expect to complete these notifications?

Answer. The Department intends to notify a broad cross-section of the regulated community during the initial batch notification in order to allow us to more quickly assess the actual impacts of the updated tiering methodology and CSAT Top-Screen application on all portions of the regulated community. The initial notification batch will include both tiered and untiered facilities, across the country. Subsequent notification batches are expected to include a cross-section of the regulated community although batch composition may be adjusted, as lessons are learned, during the review of the initial Top-Screen submissions. The Department currently envisions notifying batches consisting of between 500 and 1,000 facilities every 2 weeks, with all chemical facilities of interest anticipated to have received notification by the end of fiscal year 2018.

Question 2. The planned roll-out of CSAT 2.0 will necessarily involve a high volume of facilities re-submitting applications within a very short time frame.
Does ISCD have systems, processes, and personnel in place to review these resubmissions expeditiously and in a way that does not result in administrative backlog (as seen in past years)?

Answer. DHS is implementing a phased approach for reaching out to the facilities. The phased approach decision was made in part to reduce the likelihood of an administrative backlog, and was based on existing Infrastructure Security Compliance Division resource levels and information technology capabilities. Additionally, as DHS receives and reviews Top-Screens and issues high-risk determinations, DHS will evaluate the length of time for each step and make adjustments, as needed, to help prevent an administrative backlog.

Question 3. On page 47002, the Notice explains that chemical facilities of interest, including facilities previously determined not to be high-risk, will be among the facilities notified of the requirement to re-submit applications using CSAT 2.0. Another section provides that un-tiered facilities will not be notified or subject to the re-submission requirement. Please provide more clarity on which facilities will be notified, particularly with regard to facilities that may have been found not to present a high level of risk in the past but should be reconsidered against the updated tiering methodology.

Answer. All chemical facilities of interest, including facilities previously determined not to be high-risk, will be required to submit a Top-Screen using the revised CSAT 2.0 Top-Screen application unless they fall into 1 of the 4 categories of facilities enumerated in Section IV of the Department's Federal Register Notice. 81 FR 47002.
The 4 categories enumerated in Section IV are as follows:
  Agricultural Production Facilities, as defined in 73 FR 1640, or any facility subject to a similar extension issued by the Department for submitting a Top-Screen;
  Chemical facilities of interest whose only reportable chemical of interest is present in a gasoline mixture;
  Facilities that are statutorily excluded from CFATS which include: (A) Facilities regulated under the Maritime Transportation Security Act of 2002 (Pub. L. 107-295; 116 Stat. 2064); (B) public water systems, as that term is defined in section 1401 of the Safe Drinking Water Act (42 U.S.C. 300f); (C) Treatment Works, as that term is defined in section 212 of the Federal Water Pollution Control Act (33 U.S.C. 1292); (D) facilities owned or operated by the Department of Defense or the Department of Energy; or (E) facilities subject to regulation by the Nuclear Regulatory Commission, or by a State that has entered into an agreement with the Nuclear Regulatory Commission under section 274(b) of the Atomic Energy Act of 1954 (42 U.S.C. 2021(b)) to protect against unauthorized access of any material, activity, or structure licensed by the Nuclear Regulatory Commission); and
  Untiered facilities that previously submitted a Top-Screen with no Chemicals of Interest (COI) selected (i.e., facilities that have informed the Department they no longer possess a reportable amount of any COI), so long as the facility has not come into possession of a reportable amount of COI since submitting their previous Top-Screen.

Question 4. Months before the July 20, 2016 notice in the Federal Register, ISCD circulated a statement about the suspension to ``the regulated population and industry associations to ensure maximum dissemination.'' Why was the committee not included in this correspondence? How will ISCD ensure that the committee is kept apprised of the status and progress of the CSAT 2.0 transition?

Answer.
In this case, the Department notified the committee separately of the forthcoming suspension rather than include committee Members or staff on the communication to the regulated population and industry associations. The Department provided this notice to the committee, via e-mail to multiple committee staff members, on June 21, 2016, 1 day after telephonically informing the Chemical and Oil and Natural Gas Sector Coordinating Councils (SCCs) of the forthcoming suspension, and prior to providing written notification to the SCCs. In the future, the Department will ensure that it informs the committee via phone or e-mail of any major programmatic activities, such as the decision to temporarily suspend Top-Screen submission requirements, and, as always, the Department is able to provide briefings to the committee on any aspect of CFATS, including the CSAT 2.0 transition, upon request.

Questions From Chairman John Ratcliffe for Caitlin Durkovich

Question 1. Ms. Durkovich, we are all aware that the majority of the programs provided by the Office of Infrastructure Protection to owners and operators of critical infrastructure are voluntary in nature. Because of this it is incumbent on DHS to promote and market the value of its services. As I mentioned in my statement, the DHS website for critical infrastructure vulnerability assessments has conflicting and outdated programs. While a few minor corrections can remediate a website, those errors lead to a larger question of how NPPD is communicating the value-added proposition to critical infrastructure owners and operators. Can you please discuss how NPPD currently communicates the value of these voluntary programs to the private sector?

Answer.
Through the National Protection and Programs Directorate's (NPPD) strategic engagement efforts, we take a proactive approach to ensure that the full range of available tools, capabilities, and resources are well understood by our customers, including the Federal Government; State, local, Tribal, and territorial governments; and private-sector entities. Our customer engagements include outreach by our field-based Protective Security Advisors and Cyber Security Advisors. At the National level, NPPD collaborates through the National Infrastructure Protection Plan (NIPP) Council, consisting of public and private-sector entities to identify requirements and build capabilities for mitigating risks. Examples include assessments, intelligence products, and information-sharing platforms. In addition, NPPD works with organizations across the country to disseminate targeted information on voluntary programs available to critical infrastructure owners and operators. Recent examples include keynotes and panel participation at events such as the National Sports Safety and Security Conference, Retail Industry Leaders Association Forum, National Homeland Security Conference, Corporate Security Symposiums, the National Conference on Building Resilience through Public-Private Partnerships, and the Domestic Security Alliance Council conference. NPPD also hosts forums with our many partners utilizing the Critical Infrastructure Partnership Advisory Council (CIPAC) where stakeholders provide direct feedback. This translates into actionable capabilities available at the regional, State, and local levels to include assessments, exercises, and workshops. These include the Active-Shooter Preparedness Program, the Homeland Security Information Network-Critical Infrastructure portals, the Private-Sector Clearance Program, and education and training resources. 
These capabilities are actively represented by the Protective Security Advisors (PSAs) and Cyber Security Advisors (CSAs) who work directly with critical infrastructure owners and operators every day. In fiscal year 2015, PSAs conducted 2,131 Enhanced Critical Infrastructure Protection visits. These visits provide critical infrastructure owners and operators with information on their facility, explain how their facility fits into its critical infrastructure sector, and provide an overview of resources available to enhance the facility's security and resilience. Similar information is delivered during PSA speaking engagements, panels, webinars, and meetings.

In fiscal year 2015, the 5 CSAs conducted 468 cybersecurity engagements. On average, 90 were conducted by each CSA within their assigned region and 13 were performed by a CSA outside of their assigned region. These engagements encompass all evaluations, cyber protective visits, workshops, resource briefings, and speaking engagements. Engagements focus on assessment, planning, and promotion of cyber preparedness, risk mitigation, and asset response coordination.

Question 2. In responding to an incident, what are the roles and responsibilities of a PSA and how do they engage with the lead agency as the situation is developing and post-incident?

Answer. As part of the National Planning Frameworks and Federal Interagency Operational Plans, the Protective Security Advisors (PSAs) support response, recovery, and reconstitution efforts during incidents. During an incident, the PSAs deploy to the Joint Field Offices; National and Regional Response Coordination Centers (RRCC); and regional, State, and county Emergency Operations Centers (EOCs) as necessary to support Federal and State emergency response officials, to include the Federal Coordinating Officer and the Unified Command Group.
They serve as Infrastructure Liaisons by providing expert knowledge of the impacted infrastructure; maintaining communications and information sharing with owners and operators of critical infrastructure; and prioritizing and coordinating response, recovery, and reconstitution efforts. Specific to Emergency Support Functions (ESFs), PSAs provide direct support to lead agencies by leveraging established relationships with owners and operators of critical infrastructure. For example, under ESF-12, a PSA would support the Department of Energy with reestablishment of damaged energy systems and components. PSAs often assist with connecting owners and operators with appropriate agencies.

Question 3. What are the specific metrics by which the effectiveness of the PSA program and the various assessment tools are measured?

Answer. Quarterly and end-of-year performance measures are submitted under the Government Performance and Results Act (GPRA). One of these measures includes the percentage of critical infrastructure facilities that are likely to enhance their security and resilience by integrating Infrastructure Protection (IP) vulnerability assessments or survey information. Providing facilities with vulnerability information allows them to understand and reduce their risk. In fiscal year 2016 Q3, 90% of facilities reported they were likely to integrate, or have integrated, some of the protective measures detailed in their assessment report.

For fiscal year 2016, IP has delivered 507 Infrastructure Survey Tool (IST) dashboards to owners and operators. The IST provides Protective and Resilience Measures Indices for facility owners and operators and identifies physical security, security management, protective measures, information sharing, dependencies, and capabilities related to preparedness, mitigation, response, resilience, and recovery. Performance is measured against a delivery of 600 IST surveys by September 30, 2016.
The Regional Resiliency Assessment Program (RRAP) is measured by primary stakeholders that have implemented, planned to implement, or are in the process of implementing at least one security or resilience enhancement related to RRAP Key Findings within 3 years following the publication of the final RRAP report. This metric stands at 50%.

The PSAs support National Special Security Events (NSSE) and Special Events Assessment Rating (SEAR) Level 1 & 2 events with on-site critical infrastructure expertise, products, and analysis. Performance is measured by supporting 100% of the NSSEs and SEAR 1 & 2 level events in fiscal year 2016. Some of the events include Super Bowl 50, and the Republican National Convention and Democratic National Convention. This metric stands at 100%.

PSAs support Federal, State, local, Tribal, and territorial partners, and owners and operators of critical infrastructure during man-made or natural incident response. In fiscal year 2016, PSAs have responded to 201 incidents.

Question 4. Since 2004, DHS has maintained infrastructure protection field operations throughout the Protective Security Advisory (PSA) program. PSAs are trained critical infrastructure protection and vulnerability subject-matter experts. Given the complexity of critical infrastructure protection and the largely private ownership, what barriers, if any, impede DHS's ability to partner with facility owners and operators through the PSA program?

Answer. The most common barriers are:
  The point of contact (POC) requires coordination with their corporate office,
  POC lacks the amount of time to commit to an assessment,
  Facility is already confident in its security posture,
  Facility does not allow data collection as it is a regulated facility (nuclear or defense industrial base),
  Facility lacks a budget for implementing potential security improvements,
  Facility does not want to share its information with the Government.
In addition to these concerns, DHS is working to address the logistical challenge of placing sufficient staff in the field to meet the needs of our diverse and disparate stakeholders. The PSA program has been successful in large part because it provides trained staff across the Nation, reaching outside of Washington, DC, to form trusted relationships. In fiscal year 2016, DHS began a disciplined shift to build on this model and emphasize regional activities. Support for this regionalization initiative is one of the most important ways to improve DHS's ability to partner with facility owners and operators. Since its inception, the PSA program has focused on supporting partners in hardening and securing existing infrastructure. As the program has matured, the partner needs have evolved, and the PSA program is adapting to support a broad range of risk management and resilience activities across infrastructure sectors, stakeholder groups, threats, and hazards.

Question 5. Dr. Ozment, how is the CSA program engaging with the critical infrastructure community in light of the fact that most critical infrastructure is privately owned and operated?

Answer. Engagements with critical infrastructure owners and operators are voluntary-based. Our Cyber Security Advisors (CSAs) focus on building trusted relationships with owners and operators, demonstrating the value we bring through risk assessments and connecting customers to our services, sharing best practices, and sharing the current threat landscape. One way we reach this community is through existing fora, such as InfraGard, Electronic Crime Task Forces, Cyber Working Groups, Area Maritime Security Committee Meetings, and industry conferences. Additionally, our CSAs leverage existing relationships within the Department, including those that have been developed by Protective Security Advisors and the National Cybersecurity and Communications Integration Center (NCCIC).
CSAs work with State cybersecurity leaders, including Homeland Security Advisors, Chief Information Security Officers, and cyber infrastructure protection and emergency management planners, to engage critical infrastructure owners and operators through State-led cyber working groups, information-sharing and analysis centers, fusion centers, and law enforcement outreach groups.

Question 6. GAO reported that DHS has conducted thousands of assessments of critical infrastructure in the last few years using at least 10 different tools. These tools do not all cover the same vulnerabilities, they vary in detail and complexity, and some overlap. GAO made recommendations that DHS should address the overlap to avoid potentially unnecessary duplication and gaps. According to the GAO, DHS established a working group to address the overlapping assessments and potential duplication and gaps. What is the status of fulfilling GAO's recommendation?

Answer. The Department of Homeland Security (DHS) concurred with GAO's recommendations and has moved forward to harmonize critical infrastructure security vulnerability assessments across Federal departments and agencies. Over the past couple of years, the National Protection and Programs Directorate's (NPPD's) Office of Infrastructure Protection has worked with the Transportation Security Administration (TSA), the Federal Protective Service (FPS), the United States Coast Guard (USCG), the Office of Cybersecurity and Communications (CS&C), and other DHS agencies to collaboratively identify a core set of questions and anticipated response options from the single assessment methodology.
The Cross-Agency Vulnerability Assessment Working Group, consisting of members from Federal departments and agencies with relevant vulnerability assessments, was charged to:

    Identify key critical infrastructure security-related assessment tools and methods used or offered by Federal departments and agencies;

    Analyze the key critical infrastructure security-related assessment tools and methods to understand areas each assessment captures;

    Develop and disseminate guidance for areas that should be included in vulnerability assessments of critical infrastructure to enable a more coordinated and integrated approach.

To support the working group, NPPD established a portal for departments and agencies to upload documentation to include vulnerability assessment questionnaires, methodology, user guides, fact sheets, and other technical documentation. NPPD completed an analysis of tools and methodologies across approximately 5,000 assessments, the findings of which identified that core questions in 6 Key Security Areas have the greatest impact on infrastructure security, while covering the range of security areas envisioned by GAO. Consequently, NPPD has provided these core questions to Federal partners and has recommended inclusion of the questions in the next update or modification to respective Assessment questions and/or tools. With respect to DHS assessment tools, these core questions have been and will continue to be integrated into all assessment tools when appropriate and used across the Department to further enable cross component and agency comparison of assessed assets and risk. In addition, NPPD/IP has implemented a single assessment methodology that enables the IP mission partners to assess vulnerabilities and risk using the IP Gateway suite of assessment tools and integrated situational awareness and analytic planning and response tools.
More than 80 State and Federal Department and agency partners currently use the IP Gateway to support their critical infrastructure protection needs. NPPD is currently working with additional partners to become IP Gateway partners.

Question 7. Given the number of assessments, how prepared are the Nation's most at-risk critical infrastructure to threats from international and domestic terrorists and other high-risk vulnerabilities and hazards?

Answer. NPPD's work has demonstrated that the Nation's most at-risk critical infrastructure is well-prepared--but faces new and continually evolving challenges. In addition to facing increasingly dynamic international and domestic terrorist threats and a wide range of hazards, the demands placed on infrastructure systems are expanding, while the American communities that infrastructure serves and supports have increasingly diverse needs. This environment of change emphasizes the importance of investing in the tools and resources that DHS provides for making security decisions about critical infrastructure. Further compounding these challenges is the underinvestment in critical infrastructure and the reality that the demand on infrastructure in the United States is increasing while investment capital is flagging.

The 2016 National Preparedness Report identified the Infrastructure Systems core capability within the National planning system as 1 of 6 capabilities that remain National areas for improvement. Likewise, based on State Preparedness Report (SPR) data, States and territories reported some of the lowest proficiency in the Protection mission area, which is relevant to critical infrastructure. However, notwithstanding the remaining gaps in reported proficiency, we are seeing improvement over time. For example, based on a review of SPR ``proficiency delta data,'' 71% of core capabilities in the Prevention mission area, 64% in Protection, and 86% in Mitigation were reported as improving in proficiency from 2012-2015.
In 2016, the first edition of the Protection Federal Interagency Operational Plan was completed, paving the way for an improved interagency model for coordinating infrastructure security and resilience concerns. In the area of National preparedness, there are evident areas for growth, and areas where the IP assessment programs can increase their support for that growth.

The DHS assessment programs are vital tools for continuing to improve our understanding of risks to infrastructure, providing resources for managing those risks, and encouraging owners and operators to take action. IP assessments contribute to the preparedness of the Nation's infrastructure through a model of continued engagement and evaluation. Because our critical infrastructure is heavily networked, both large and small infrastructure enterprises can be central to security and resilience, and IP's suite of assessment capabilities is tailored to meet the varied needs of our stakeholders. Corresponding to this networked nature of our critical infrastructure, DHS measures the success of its assessment program both in terms of completing assessments, and in terms of our stakeholders taking action based on the indices and information developed through our assessments.

In terms of completing assessments, since fiscal year 2010, 4,416 Infrastructure Survey Tool (IST) assessments have been conducted. In fiscal year 2015, approximately 88% of facilities where DHS conducted an Infrastructure Survey Tool (IST) assessment reported they were likely to integrate, or have integrated, some of the protective measures detailed in the assessment report. This is up from 86% in fiscal year 2014 and 85% in fiscal year 2013. The most common improvements include enhancements to electronic security systems, security force, and security management.
This kind of action is one important indicator of the impact that our assessments have on the security and resilience of infrastructure, but does not provide a perfect measure of the overall state of preparedness of the Nation's infrastructure. Furthermore, the security and resilience of our Nation's critical infrastructure relies on robust sector coordination structures developed under the National Infrastructure Protection Plan, meaning that measuring impact of the IP assessment program on the security and resilience of the Nation's critical infrastructure is tied to measuring the success of these coordination structures. In 2016, all of the Sector-Specific Plans under the NIPP were updated, improving our ability to work within and across infrastructure sectors to set priorities and manage risk. NPPD provides support to owners and operators across the 16 critical infrastructure sectors that have grown due to the increasingly complex and dispersed nature of the threat, including soft targets and cyber dependence.

Measuring the success of IP assessment programs must be a continuous and evolving process to capture the increasingly complex and dispersed nature of threats, as well as other high-risk vulnerabilities and hazards to at-risk infrastructure. Accordingly, at the direction of Congress, NPPD is currently undertaking a 3-year strategic plan for IP's assessments that will strengthen our ability to leverage the data we have collected during assessments to characterize our National understanding of risks, support National preparedness planning, and support our partners. This plan will allow us to better understand how DHS assessment programs inform our National picture of risk, as well as how data from assessment programs can both improve our prioritization efforts and better support National preparedness planning, particularly as it relates to our most at-risk critical infrastructure and physical/cyber convergence in assessments.
In a continually evolving environment, we strive to respond to threats, high-risk vulnerabilities and hazards to our Nation's most at-risk critical infrastructure through the use of DHS assessment programs and continued coordination with both large and small infrastructure enterprises. The DHS assessment programs are one tool that we use that can provide great value for owners and operators to take action. DHS assessment programs, as well as the 3-year strategic plan for assessments are integral mechanisms for understanding the increasingly complex and dispersed nature of threats, improving our prioritization efforts, and better supporting National preparedness planning.

Question 8. How are the PSAs engaging with their counterparts from Sector-Specific Agencies such as the Department of Energy or Environmental Protection Agency, in ensuring our Nation's critical infrastructure is protected? Dr. Ozment, the same question regarding the CSAs?

Answer. Protective Security Advisors (PSAs) and Cyber Security Advisors (CSAs) engage with Sector-Specific Agencies (SSAs) during assessments, incident response efforts, and threat-directed outreach. The National Protection and Programs Directorate (NPPD) serves as the SSA for 6 of the 16 critical infrastructure Sectors and coordinates with the other 10 sectors. Through this voluntary partnership framework consisting of a Government Coordinating Council and a Sector Coordinating Council an effective mechanism has been established for collecting data, sharing information, and advancing collective actions for National critical infrastructure security and resilience. NPPD employs sector liaisons who are responsible for serving as conduits between the Department and external SSAs.
Training.--The Office of Infrastructure Protection (IP) in collaboration with the Environmental Protection Agency (EPA) and Water Sector partners developed an on-line training course, ``Risk Management for the Water Sector.'' The course is designed to provide water and wastewater facility owners and operators with general knowledge of risk management. In addition, the course introduces EPA's Vulnerability Self-Assessment Tool (VSAT).

Threat-Directed Outreach.--During outreach to State, local, Tribal, and territorial (SLTT) Government and private-sector partners, PSAs coordinate activities with appropriate Federal agencies and SSAs. For example, in response to a coordinated attack on an electric substation in Metcalf, CA, on April 18, 2013, the Department of Energy (DOE) and the Department of Homeland Security (DHS), in coordination with the Federal Bureau of Investigation, the Federal Energy Regulatory Commission's Office of Energy Infrastructure Security, the Electricity Sector Information Sharing and Analysis Center partners, and industry experts conducted a series of briefings Nation-wide for owners, operators, and local law enforcement. These briefings provided a threat overview, and information on available tools, resources, and best practices. Additional targeted PSA-led efforts were conducted in partnership with service providers such as Exelon/PECO and ConEdison.

Assessments.--One of the major strengths of the Regional Resiliency Assessment Program (RRAP) is the collaboration that brings together Federal, State, local, Tribal, and territorial governments, and the private sector to work with DHS. Collaboration at the regional level is led by the PSAs assigned to execute the project, with support from CSAs. Interagency coordination occurs between headquarters offices as well. The RRAP team provides project briefings to the SSAs and their Government Coordinating Councils (GCCs) and Sector Coordinating Councils (SCCs).
SSAs are relied upon to provide insight into the operations and vulnerabilities of infrastructure, as well as to connect the RRAP project teams, which include PSAs and CSAs, to relevant industry and Government contacts who can assist in the assessment and analysis. Some examples of SSA and interagency involvement include:

    DOE has assisted DHS on numerous oil and natural gas RRAP projects. Current collaboration includes a resilience project for the electric power grid in the Northeast in support of recommended actions from the 2015 Quadrennial Energy Review.

    U.S. Coast Guard (USCG) is a strong SSA partner. The USCG is included in port- or maritime transportation-related RRAP projects. Examples include the 2013 Columbia River Basin project and the 2016 Gulf of Mexico project, in support of the USCG-led Gulf of Mexico Area Maritime Security Committee.

    U.S. Army Corps of Engineers regularly participates in dam-related projects. They are currently involved in a 2015 project in Louisville, Kentucky, and a 2016 project in Branson, Missouri.

    Department of Transportation regularly participates in transportation disruption-focused projects, including the 2013 Cajon Pass (California) and 2014 Alaska projects.

    U.S. Department of Agriculture has been involved in the agriculture-focused projects in Texas, California, Alabama, New Mexico, examining issues such as biosecurity of the cattle industry and the milk supply chain.

In addition to the SSAs, the RRAP team also works with other Federal agencies, including the Federal Emergency Management Agency (FEMA), the National Oceanic and Atmospheric Administration (NOAA), U.S. Geological Survey (USGS), and other Emergency Support Function (ESF) and Recovery Support Function (RSF) leads. FEMA contributes hazard information and insight into regional disaster planning and capabilities. In turn, RRAP analyses improve planning factors related to infrastructure dependencies and hazard impacts.
NOAA and USGS provide very specific, useful hazard information and models (e.g., earthquakes, tsunamis, overland flooding/storm surge) that the RRAP uses to inform analyses of infrastructure impacts. The many ESF and RSF agencies provide insight into their response and recovery roles, capabilities, and plans.

Incident Response.--PSAs engage the agencies designated as Emergency Support Function (ESF) and Recovery Support Function (RSF) leads, which include SSAs. Under the Recovery Support Functions for infrastructure systems, the U.S. Army Corps of Engineers is the National Coordinating Agency for the Federal Government's efforts to support recovery goals related to the public engineering of the Nation's infrastructure systems. NPPD is a Primary Agency in this effort, along with a number of other SSAs who serve as Primary Agencies or Supporting Organizations. In this role, PSAs may deploy to Joint Field Offices (JFO) or Regional Field Offices (RFO) to assist with infrastructure recovery operations.

Cyber Security Advisors.--CSAs engage with SSAs to raise awareness and improve readiness. For example, CSAs work with SSAs to identify sector-based, critical cyber services. CSAs then focus voluntary cybersecurity evaluations at these services. Additionally, the CSAs assisted DOE with developing the Electricity Subsector--Cybersecurity Capability Maturity Model (ES-C2M2) assessment, which is derived from the Cyber Resilience Review. ES-C2M2 is a sector-specific maturity model that guides electricity companies in implementing best practices. In the field, CSAs have coordinated with the Environmental Protection Agency on water engagements, the Coast Guard on maritime engagements, the Transportation Security Administration on mass transit engagements, and Treasury on financial service engagements.

Question 9. The National Critical Infrastructure Prioritization Program (NCIPP) identifies a list of Nationally-significant critical infrastructure each year that is used to, among other things, prioritize voluntary vulnerability assessments that will be conducted by PSAs. According to GAO's testimony, as of August 2014, DHS officials reported that they are exploring options to streamline the process and limit the delay of dissemination of the NCIPP list among those who have a need-to-know. What is the status of efforts to streamline the NCIPP process and limit delays in disseminating this list?

Answer. The Department (DHS) has streamlined the NCIPP process in a number of ways:

    DHS has eliminated the requirement of States and sectors to re-nominate the same infrastructure every year by automatically approving infrastructure already on the Level 1 and Level 2 List. This has significantly decreased the time and manpower requirements on partners.

    The consequence criteria threshold used for the Level 1 and Level 2 List has remained largely stable for more than 5 years. This stability has allowed partners to better understand how the criteria may be applied to various infrastructure and focus their efforts on those assets, systems, and clusters whose consequences are most likely to reach the established criteria.

    DHS has increased the assistance and outreach provided to State and local partners prior to and during the data call including on specific nominations and guidance on approaches nominators might take to maximize the probability of approval.

    The system used to make nominations for the Level 1 and Level 2 List is available to States and sectors year round enabling partners to work on nomination justifications at their own pace.

    DHS continues to work with State and Territorial Homeland Security Advisors, through the PSAs, to make delivery of the completed list as efficient as possible.
This includes the increased use of electronic dissemination of the lists through State and Local Fusion Centers. The overall stability of the List has also decreased the time required to finalize and prepare the list for dissemination. The average dissemination time has been reduced by approximately 2 months. As of August 2014, GAO closed out all recommendations associated with GAO 13-296 Critical Infrastructure Protection: DHS List of Priority Assets Needs to Be Validated and Reported to Congress.

Question 10. Background material provided to the committee in preparation for this hearing regarding the PSAs notes that in 2015, the PSAs conducted 949 ``Cyber Enhancement'' engagements. Can you please go into more detail on what those engagements entail and how they overlap with or differ from engagement by CSAs?

Answer. The evolving risk landscape associated with cybersecurity highlights the increasingly close connection between cyber and physical systems, including the potential for physical impacts associated with the exploitation of cyber vulnerabilities. For this reason, Protective Security Advisors (PSAs) conduct cyber enhancement events that include the Office of Cybersecurity and Communications. These cybersecurity and resiliency meetings, cyber-related assessments, special event support, and engagements with stakeholders provide opportunities for addressing cyber and physical risks in a holistic and coordinated fashion. As reflected in State Preparedness Reports, cybersecurity continues to be one of the top concerns at the State and local level. PSAs are trained to communicate the Department's cybersecurity services available to stakeholders. In many cases, PSAs and Cyber Security Advisors (CSAs) work together on identifying stakeholder needs.

Questions From Chairman John Ratcliffe for Marcus Brown

Question 1. Given the focus of some assessments on threats to specific regions, are there any U.S. cities or sector that are examples of best practices in collaborating with and among DHS offices and components and other Federal partners in participating in assessments and taking actions to address vulnerabilities identified?

Answer. There has been extremely good collaboration among Federal agencies (including various DHS elements) in conducting assessments and assisting owners and operators of critical infrastructure, and a good example would be the Greater Philadelphia area. DHS entities such as NPPD, FEMA, Coast Guard, Customs and Border Protection, the U.S. Secret Service, etc. have worked together with the Federal Bureau of Investigation, National Park Service, Health and Human Services, Environmental Protection Agency, Department of Energy, etc. to conduct/participate in assessments of all types. There have been cyber and physical vulnerabilities identified and protective measures implemented in many sectors, including: Commercial Facilities; Energy; Water/Wastewater; Health Care; etc. These protective measures have included: Access control (barriers, CCTV, electronic access control systems, fencing, etc.), security and emergency planning, security management practices, resilience of lifeline dependencies, cybersecurity, and a host of others.

Question 2a. According to the GAO testimony, DHS established a policy in October 2014 to conduct quarterly reviews of programs related to critical infrastructure to better understand the barriers critical infrastructure owners and operators face in improving the security of their assets. What trends has DHS identified in declinations using its tracking system since October 2013? Has DHS identified barriers that critical infrastructure owners and operators face in making improvements?

Question 2b. If so, what are those barriers?

Answer. We believe that many of the barriers that owners and operators face in making improvements to critical infrastructure are a result of trade-offs that have to be made in a fiscally-constrained environment. Owners and operators in the State have benefitted from the voluntary surveys that DHS conducts on critical infrastructure using the Infrastructure Survey Tool (IST), a web-based vulnerability survey conducted by DHS's Protective Security Advisors (PSAs) to identify and document the overall security and resilience of a facility. Based on information from our local PSA, the resulting survey information is provided to owners and operators through the interactive Dashboards. The Dashboards highlight areas of potential concern and feature options to view the impact of potential enhancements to protection and resilience measures. The written report, developed from the IST data, contains a description of the facility and its vulnerabilities as well as recommendations to mitigate identified vulnerabilities.

The PSAs follow up with the facility approximately 1 year after the Dashboard is provided to better understand the value of the survey and potential enhancements that were made as a result of the survey. Feedback is quantified and analysis conducted on the responses to determine if security and resilience enhancements are being implemented, and if there are impediments to incorporating recommended enhancements. Based on the feedback we have received from the PSA, approximately 90% of facilities are likely to integrate, or have integrated, some of the protective measures detailed in the assessment report. The most common improvements include enhancements to electronic security systems, security force, and security management. The PSA indicated that barriers for making changes include cost-prohibitive capital investments, lack of project management resources, differing strategic priorities, plans to move or significantly change the facility, and local ordinances.