[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
VALUE OF DHS'S VULNERABILITY ASSESSMENTS IN PROTECTING OUR NATION'S
CRITICAL INFRASTRUCTURE
=======================================================================
HEARING
before the
SUBCOMMITTEE ON
CYBERSECURITY, INFRASTRUCTURE
PROTECTION, AND SECURITY
TECHNOLOGIES
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
JULY 12, 2016
__________
Serial No. 114-81
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpo.gov/fdsys/
________
U.S. GOVERNMENT PUBLISHING OFFICE
25-264 PDF WASHINGTON : 2017
____________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
Internet:bookstore.gpo.gov. Phone:toll free (866)512-1800;DC area (202)512-1800
Fax:(202) 512-2104 Mail:Stop IDCC,Washington,DC 20402-001
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas Bennie G. Thompson, Mississippi
Peter T. King, New York Loretta Sanchez, California
Mike Rogers, Alabama Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice James R. Langevin, Rhode Island
Chair Brian Higgins, New York
Jeff Duncan, South Carolina Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania William R. Keating, Massachusetts
Lou Barletta, Pennsylvania Donald M. Payne, Jr., New Jersey
Scott Perry, Pennsylvania Filemon Vela, Texas
Curt Clawson, Florida Bonnie Watson Coleman, New Jersey
John Katko, New York Kathleen M. Rice, New York
Will Hurd, Texas Norma J. Torres, California
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
Brendan P. Shields, Staff Director
Joan V. O'Hara, General Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY
TECHNOLOGIES
John Ratcliffe, Texas, Chairman
Peter T. King, New York Cedric L. Richmond, Louisiana
Tom Marino, Pennsylvania Loretta Sanchez, California
Scott Perry, Pennsylvania Sheila Jackson Lee, Texas
Curt Clawson, Florida James R. Langevin, Rhode Island
Daniel M. Donovan, Jr., New York Bennie G. Thompson, Mississippi
Michael T. McCaul, Texas (ex (ex officio)
officio)
Brett DeWitt, Subcommittee Staff Director
Katie Rashid, Subcommittee Clerk
Christopher Schepis, Minority Subcommittee Staff Director
C O N T E N T S
----------
Page
Statements
The Honorable John Ratcliffe, a Representative in Congress From
the State of Texas, and Chairman, Subcommittee on
Cybersecurity, Infrastructure Protection, and Security
Technologies:
Oral Statement................................................. 1
Prepared Statement............................................. 3
The Honorable Cedric L. Richmond, a Representative in Congress
From the State of Louisiana, and Ranking Member, Subcommittee
on Cybersecurity, Infrastructure Protection, and Security
Technologies:
Oral Statement................................................. 4
Prepared Statement............................................. 5
Witnesses
Mr. Chris P. Currie, Director, Homeland Security and Justice
Issues, U.S. Government Accountability Office:
Oral Statement................................................. 6
Prepared Statement............................................. 7
Mr. Andy Ozment, Assistant Secretary, Office of Cybersecurity and
Communications, National Protection and Programs Directorate,
U.S. Department of Homeland Security:
Oral Statement................................................. 17
Joint Prepared Statement....................................... 19
Ms. Caitlin Durkovich, Assistant Secretary, Office of
Infrastructure Protection, National Protection and Programs
Directorate, U.S. Department of Homeland Security:
Oral Statement................................................. 25
Joint Prepared Statement....................................... 19
Mr. Marcus L. Brown, Homeland Security Advisor, Director of the
Office of Homeland Security, Commonwealth of Pennsylvania:
Oral Statement................................................. 27
Prepared Statement............................................. 29
Appendix
Questions From Chairman John Ratcliffe for Chris P. Currie....... 43
Questions From Chairman John Ratcliffe for Andy Ozment........... 45
Questions From Ranking Member Cedric L. Richmond for Andy Ozment. 52
Questions From Chairman John Ratcliffe for Caitlin Durkovich..... 54
Questions From Chairman John Ratcliffe for Marcus Brown.......... 60
VALUE OF DHS'S VULNERABILITY ASSESSMENTS IN PROTECTING OUR NATION'S
CRITICAL INFRASTRUCTURE
----------
Tuesday, July 12, 2016
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Cybersecurity, Infrastructure Protection,
and Security Technologies,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:02 a.m., in
room 311, Cannon House Office Building, Hon. John Ratcliffe
(Chairman of the subcommittee) presiding.
Present: Representatives Ratcliffe, Perry, Donovan,
Richmond, Sanchez, and Langevin.
Also present: Representative Payne.
Mr. Ratcliffe. The Committee on Homeland Security
Subcommittee on Cybersecurity, Infrastructure Protection, and
Security Technologies will come to order.
The subcommittee is meeting today to examine how the
Department of Homeland Security is fulfilling its important
mission of protecting our Nation's critical infrastructure.
We look forward to examining DHS's capabilities and
conducting physical and cybersecurity vulnerability
assessments. The critical systems that are essential and
central to our daily lives are targeted every day by
terrorists, nation-States, and criminals. Taxpayer funds used
to protect these systems must be invested wisely, and must add
value for owners and operators.
Because threats to critical infrastructure are numerous and
diverse, we are interested in learning about the strategy that
DHS efforts is being guided by in this area. I want to thank
our panel of experts for joining us so Congress can better
understand the work being done in this area and the value of
DHS's vulnerability assessments in training.
For 12 years, the primary mission of the Office of
Infrastructure Protection's Protective Security Advisor Program
has been the protection of our critical infrastructure.
Protective Security Advisors, or PSAs, are regionally based in
alignment with the 10 FEMA regions. PSAs execute their primary
mission through the planning, coordination, and performance of
security survey assessments and outreach activities to those
critical infrastructure owners and operators that elect to
participate in these voluntary programs.
PSAs also support National Special Security Events, Special
Event Activity Rating or SEAR level 1 and level 2 events and
response to incidents. The mission I have just described is
enormous. Because it is voluntary in nature, its success really
hinges on stakeholder buy-in. Such buy-in requires strategic
outreach and real value added for owners and operators of
critical infrastructure.
I'm interested in hearing what strategy is guiding this
important program and what metrics DHS is using to track and
increase such value.
In 2014, DHS established the Critical Infrastructure Cyber
Community Voluntary Program to help organizations address and
improve their cybersecurity risk management. Additionally, DHS
created the Cybersecurity Advisor Program, or CSA Program, to
provide cybersecurity expertise and voluntary cybersecurity
programs to critical infrastructure owners and operators.
While the CSA Program is still in its infancy compared to
the 12-year-old PSA Program, the CSA mission of assisting our
Nation's critical infrastructure owners and operators in
strengthening their cyber hygiene is critically important. With
the passage of the Cybersecurity Act of 2015 last December, we
have to ensure the CSA Program is also guided by a strategic
plan and is well-positioned to effectively lead DHS's cyber
engagement efforts for critical infrastructure.
Last month, this committee unanimously passed the
Cybersecurity and Infrastructure Protection Agency Act of 2016
to elevate the functions of our Nation's cybersecurity and
critical infrastructure protection into an operational
component within DHS. The legislation recognizes the unique
expertise required of both cyber and physical aspects of the
agency's mission while also stressing the importance of
enhanced collaboration and coordination between the cyber and
physical missions.
The Government Accountability Office has reported
extensively on DHS's vulnerability assessment programs for
critical infrastructure and identified challenges within DHS in
2013, in 2014, and, again, in 2015. These reports included a
number of recommendations to increase the use, and to enhance
the participation, of stakeholders in these vulnerability
assessments.
One particular area of concern found in the report was
Federal fatigue, which results from a perceived weariness among
the private sector who might be repeatedly approached or
required by multiple Federal agencies to engage in risk
assessments. Federal fatigue is particularly alarming as the
PSA and CSA assessment programs at DHS depend entirely on
voluntarily participation.
Just last week, a review of the DHS's website for critical
infrastructure vulnerability assessments found conflicting and
somewhat outdated information. While errors like these may
appear to be insignificant, it's important to remember that
these programs are voluntary. If DHS can't handle basic
promotion and marketing of its programs, then I have concerns
about the likelihood of private-sector participation going
forward.
The subcommittee believes both the CSA and PSA Programs can
be of great value for the protection of our Nation's critical
infrastructure, but a clear strategy, effective stakeholder
outreach, and metrics of success are essential. It is the hope
of the subcommittee that this hearing will clarify how DHS is
working to address these issues.
Further, given the relative infancy of the CSA Program, the
subcommittee hopes to learn more about CS&C's plan to expand
this program and would hope that the lessons learned from the
PSA Program are, in fact, being incorporated.
This subcommittee is responsible not only for the oversight
of DHS's functions, but also for ensuring that it has the tools
and necessary authorities to successfully meet its objectives.
In that spirit, we welcome input as to how we can assist you in
this critical mission.
[The statement of Mr. Ratcliffe follows:]
Statement of Chairman John Ratcliffe
The subcommittee meets today to examine how the Department of
Homeland Security is fulfilling its important mission of protecting our
Nation's critical infrastructure by conducting vulnerability
assessments. Everyday terrorists, nation states and criminals are
targeting the critical systems that run our everyday lives. I want to
thank our panel of experts for joining us today so Congress can better
understand the work being done in this area and the value of DHS's
vulnerability assessments and training.
For 12 years, the Office of Infrastructure Protection's Protective
Security Advisor Program's primary mission has been the protection of
critical infrastructure. Protective Security Advisors (PSAs) are
regionally based in alignment with the 10 FEMA regions. PSAs execute
their primary mission through the planning, coordination, and
performance of security surveys, assessments, and outreach activities
to those critical infrastructure owners and operators that elect to
participate in these voluntary programs. PSAs also support National
Special Security Events, Special Event Activity Rating (SEAR) Level I
and II events and respond to incidents. I am curious to hear today what
strategy is guiding this vitally important program for homeland
security and what metrics are being used to measure the value it has
brought to the owners and operators of critical infrastructure.
In 2014, DHS established the Critical Infrastructure Cyber
Community Voluntary Program to help organizations address and improve
their cybersecurity risk management. Additionally, DHS created the
Cybersecurity Advisor Program, or CSA Program, to provide cybersecurity
expertise and voluntary cybersecurity programs to critical
infrastructure owners and operators. While the CSA Program is still in
its infancy compared to the 12-year-old PSA Program, the CSA mission of
assisting our Nation's critical infrastructure owners and operators in
raising their cyber hygiene is critically important. With the passage
of the Cybersecurity Act of 2015 last December, we must ensure the CSA
program is also guided by a strategic plan and is well-positioned to
effectively lead DHS's cyber engagement efforts for critical
infrastructure.
Last month, this committee passed unanimously the Cybersecurity and
Infrastructure Protection Agency Act of 2016 (CIPA), to elevate the
functions of our Nation's cybersecurity and critical infrastructure
protection into an operational component within DHS. The legislation
recognizes the unique expertise required of both the cyber and physical
aspects of the agency's mission while also stressing the importance of
enhanced collaboration and coordination between the cyber and physical
missions.
The Government Accountability Office has reported extensively on
DHS vulnerability assessment programs for critical infrastructure and
identified challenges within DHS in 2013, 2014, and 2015. These reports
included number of recommendations to increase the use and enhance the
participation in these vulnerability assessments. One particular area
of concern found in the report was ``Federal fatigue'' which results
from a perceived weariness among the private sector who might be
repeatedly approached or required by multiple Federal agencies to
engage in risk assessments. ``Federal fatigue'' is particularly
alarming as these DHS programs depend on voluntary participation.
Just last week, a review of the DHS's website for critical
infrastructure vulnerability assessments found conflicting and outdated
programs. While errors like these appear insignificant, it's important
to remember that these programs are voluntary in nature, and if DHS
cannot clearly and effectively promote and market the value of these
programs, private-sector entities are unlikely to participate and seek
assistance.
The subcommittee believes that both the CSA and PSA programs can be
of great value for the protection of our Nation's critical
infrastructure, but it's vital that there be effective management of
them.
It is the hope of this subcommittee that this hearing will bring
some clarity on how DHS has resolved some of these out-standing issues.
Further, given the relative infancy of the CSA program, the
subcommittee hopes to learn more about CS&C's plan to expand this
program and would hope that lessons learned from the PSA Program are
being incorporated. This subcommittee is responsible not only for the
oversight of DHS's functions but also for ensuring that it has the
tools and necessary authorities to successfully meet its objectives. In
that spirit, we welcome input as to how we can assist in this critical
mission.
Mr. Ratcliffe. The Chair now recognizes the Ranking
Minority Member of our subcommittee, the gentleman from
Louisiana, Mr. Richmond, for his opening statement.
Mr. Richmond. Thank you, Mr. Chairman. Thank you for
holding this hearing to examine how the Department conducts
vulnerability assessments for our Nation's critical
infrastructure.
Whether it's going about our daily lives, running a
business, or a local government, we all rely on the security of
resiliency of our critical infrastructure. As we have seen
after disasters like Katrina, Rita, Sandy, or the recent
devastation in West Virginia, the ability to recover quickly is
crucial.
In my district, as in many districts across the country,
multiple DHS components and a range of other agencies conduct
vulnerability assessments--The Coast Guard and the ports in my
district, TSA and airports and for pipelines and transportation
corridors, and DOE and FERC for electrical grid
vulnerabilities. Risk assessment involves integrating threats,
vulnerabilities, and consequence information and then deciding
which protective measures--measure to take based on an agreed
upon risk reduction and recovery strategy.
Within DHS, the National Infrastructure Protection Program,
or NIPP, outlines how Government and the privately-owned
critical infrastructure community can work together to manage
risk and achieve physical and cybersecurity resiliency. It is
important to remember that these are voluntary, nonregulatory
assessments, and they represent the foundation of the NIPP
risk-based programs designed to prevent, deter, and mitigate
the risk of a terrorist attack or a natural disaster.
The DHS protective security advisors, or PSAs, and
cybersecurity advisors, CSAs, conduct these assessments and
focus on coordination, training, and building existing
relationships with State, local, Tribal, territorial, and
private-sector partners.
This year, President Obama requested additional funds to
expand the PSA and CSA Programs in hopes of melding physical
security with cybersecurity and in line with the Secretary's
DHS Unity of Effort initiative.
The critical infrastructure vulnerability assessments
present DHS and the current NPPD directorate with one of their
most complex challenges. As GAO has suggested in their
testimony, it is not clear that the directorate has had a
consistent and systematic approach for identifying Nationally
critical assets, assessing the risk they pose, and using that
information for cost-effective allocation of resources.
Thank you, Mr. Chairman. I look forward to the testimony
and yield back.
[The statement of Mr. Richmond follows:]
Statement of Ranking Member Cedric L. Richmond
July 12, 2016
Mr. Chairman, thank you for holding this hearing to examine how the
Department conducts vulnerability assessments for our Nation's critical
infrastructure.
Whether it's going about our daily lives, running a business, or a
local government, we all rely on the security and resiliency of our
critical infrastructure. As we have seen after disasters like Katrina,
Rita, Sandy, or the recent devastation in West Virginia, the ability to
recover quickly is crucial.
In my district, as in many districts across the country, multiple
DHS components, and a range of other agencies conduct vulnerability
assessments--the Coast Guard in the ports in my district, the TSA in
airports and for pipelines and transportation corridors, and DOE and
FERC for electric grid vulnerabilities.
Risk assessment involves integrating threats, vulnerabilities, and
consequence information, and then deciding which protective measures to
take based on an agreed-upon risk reduction and recovery strategy.
Within DHS, the National Infrastructure Protection Plan (or NIPP)
outlines how Government and the privately-owned critical infrastructure
community can work together to manage risks and achieve physical and
cyber security and resiliency.
It is important to remember that these are voluntary, non-
regulatory assessments, and they represent the foundation of the NIPP
risk-based programs designed to prevent, deter, and mitigate the risk
of a terrorist attack, or natural disaster.
The DHS Protective Security Advisors (or PSAs), and Cybersecurity
Advisors (or CSAs), conduct these assessments and focus on
coordination, training, and building existing relationships with State,
local, Tribal, territorial, and private-sector partners.
This year, President Obama requested additional funds to expand the
PSA and the CSA programs, in hopes of melding physical security with
cybersecurity, and in line with the Secretary's DHS Unity of Effort
initiative.
Critical infrastructure vulnerability assessments present DHS and
the current NPPD Directorate with one of their most complex challenges
and, as GAO has suggested in their testimony, it is not clear that the
Directorate has had a consistent and systematic approach for
identifying Nationally-critical assets, assessing the risks they pose,
and using that information for cost-effective allocation of resources.
Thank you Mr. Chairman, I look forward to the testimony today and
yield back.
Mr. Ratcliffe. I thank the gentleman.
Other Members of the committee are reminded that opening
statements may be submitted for the record.
We are pleased to have with us today a very distinguished
panel of witnesses on this critically important topic.
With us today, Mr. Christopher Currie, is the director for
homeland security and justice at the Government Accountability
Office. Thanks for being with us.
Dr. Andy Ozment is the assistant secretary for the Office
of Cybersecurity and Communications within the National
Protection and Programs Directorate at the Department of
Homeland Security. Andy, good to have you back with this
subcommittee.
Ms. Caitlin Durkovich is the assistant secretary for the
Office of Infrastructure Protection within the National
Protection and Programs Directorate at the Department of
Homeland Security. Ms. Durkovich, again, it's great to have you
back in front of this committee as well.
Finally, Mr. Marcus Brown, is the homeland security advisor
and director for the Office of Homeland Security at the
Commonwealth of Pennsylvania.
Welcome to Washington, DC. Thanks for being here at this
committee hearing.
I now would like to ask all the witnesses to stand and
raise your right hand so I can swear you in to testify.
[Witnesses sworn.]
Mr. Ratcliffe. Let the record reflect that the witnesses
have answered in the affirmative. You all may be seated. The
witnesses' full written statements will appear in the record.
The Chair now recognizes Mr. Currie for 5 minutes for his
opening statement.
STATEMENT OF CHRIS P. CURRIE, DIRECTOR, HOMELAND SECURITY AND
JUSTICE ISSUES, U.S. GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Currie. Thank you, Chairman Ratcliffe, Ranking Member
Richmond, Congressman Donovan. Thank you for having me here
today.
Today, I would like to talk about DHS's important but
equally difficult mission of assessing vulnerabilities across
all 16 critical infrastructure sectors. This is a challenge for
many reasons, as you know.
Each sector is very different but many are also
interconnected. Also, some sectors are heavily regulated and
not--and very accustomed to Federal oversight, others are not.
Voluntary collaboration is absolutely critical, as you both
mentioned in your opening statements. Most infrastructure is
owned and operated by the private sector or State and local
governments.
DHS needs to collect information to assess Nation-wide
risks. But, they must also earn the trust of these partners by
using the information effectively and protecting it, too.
Sharing and trust are also increased when DHS returns the
favor and gives information back to owners and operators they
can use.
In late 2014, we evaluated 10 different DHS vulnerability
assessment tools across all 16 sectors. We found that from 2010
to 2013, DHS was involved in almost 13,000 assessments of
different assets or systems. These varied from multi-day onsite
assessments of chemical facilities to voluntary on-line surveys
used by shopping malls and other commercial facilities. We also
found that these assessment tools overlapped across sectors and
collected different information and levels of detail.
For example, some of the 10 assessment tools collected
information on vulnerabilities to all hazards like earthquakes
and hurricanes while others didn't. We also found that asset
names and addresses were recorded differently across
assessments, and this simple difference made it difficult for
DHS officials and us, for that matter, to analyze whether
assessments duplicated one another across sectors.
DHS also lacked mechanisms at the time for sharing
assessment data across its own components like NPPD, TSA, Coast
Guard, as well as with other Federal departments. For example,
non-DHS agencies like EPA also provide self-assessments to
facilities to assess their risk, like waste water treatment
facilities, for example. However, DHS did not have mechanisms
in place to better integrate those assessments and avoid
potential duplication.
So we made a number of recommendations in that particular
report. First was that DHS identified the most important areas
and the detail necessary to integrate assessment efforts, first
of all.
Second of all, we recommended that DHS consistently collect
and maintain assessment data and share it across components and
other Federal departments. This could help them better identify
duplication or on the other end gaps in the coverage that these
assessments do.
DHS agreed with all of our recommendations, and I want to
give them credit, because they have taken action to address
them. For example, it's established working groups among
components and other departments. It's also considering actual
guidance within the Department to better coordinate assessment
efforts, and begun to inventory what other departments are
doing. While this is progress, there's still much more work
needed to institutionalize these efforts into DHS policies that
components must follow.
Strengthening how DHS manages and coordinates its
assessments won't just benefit DHS but also the infrastructure
owners and operators that must use these assessments. When
surveyed, they told us--and you mentioned this, Mr. Chairman,
and DHS officials told us, too--that there is Federal fatigue
or weariness in conducting numerous assessments. To this end,
we have recommended that DHS could really do more to understand
why asset owners and operators decline to participate in
voluntary assessments. We also found that DHS should more
quickly provide assessment results back to owners and
operators, which could encourage trust and participation.
To be clear, DHS has made much progress in this area since
our report. For example, they are now using web-based systems
to more quickly deliver results and have cut down on these
delays.
Last, better coordination among components and agencies and
sharing of data, as I discussed before, could also help reduce
burden on operators. For example, if a DHS protective security
adviser has access to all Federal assessment data on a
particular facility, they have a head start in assessing that
facility as well as information to build credibility with the
owner or the operator.
This concludes my statement. I look forward to the Q&A.
[The prepared statement of Mr. Currie follows:]
Prepared Statement of Chris P. Currie
July 12, 2016
gao highlights
Highlights of GAO-16-791T, a testimony before the Subcommittee on
Cybersecurity, Infrastructure Protection, and Security Technologies,
Committee on Homeland Security, House of Representatives.
Why GAO Did This Study
Protecting the security of CI is a top priority for the Nation. CI
includes assets and systems, whether physical or cyber, that are so
vital to the United States that their destruction would have a
debilitating impact on, among other things, National security, or the
economy. Multiple Federal entities, including DHS, are involved in
assessing CI vulnerabilities, and assessment fatigue could impede DHS's
ability to garner the participation of CI owners and operators in its
voluntary assessment activities.
This testimony summarizes past GAO findings on progress made and
improvements needed in DHS's vulnerability assessments, such as
addressing potential duplication and gaps in these efforts.
This statement is based on products GAO issued from May 2012
through October 2015 and recommendation follow-up conducted through
March 2016. GAO reviewed applicable laws, regulations, directives, and
policies from selected programs. GAO interviewed officials responsible
for administering these programs and assessed related data. GAO
interviewed and surveyed a range of stakeholders, including Federal
officials, and CI owners and operators.
What GAO Recommends
GAO made recommendations to DHS in prior reports to strengthen its
assessment efforts. DHS agreed with these recommendations and reported
actions or plans to address them. GAO will continue to monitor DHS
efforts to address these recommendations.
critical infrastructure protection.--dhs has made progress in enhancing
critical infrastructure assessments, but additional improvements are
needed
What GAO Found
GAO's prior work has shown the Department of Homeland Security
(DHS) has made progress in addressing barriers to conducting voluntary
assessments but guidance is needed for DHS's critical infrastructure
(CI) vulnerability assessments activities and to address potential
duplication and gaps. For example:
Determining why some industry partners do not participate in
voluntary assessments.--In May 2012, GAO reported that various
factors influence whether CI owners and operators participate
in voluntary assessments that DHS uses to identify security
gaps and potential vulnerabilities, but that DHS did not
systematically collect data on reasons why some owners and
operators of high-priority CI declined to participate. GAO
concluded that collecting data on the reason for declinations
could help DHS take steps to enhance the overall security and
resilience of high-priority CI crucial to National security,
public health and safety, and the economy, and made a
recommendation to that effect. DHS concurred and has taken
steps to address the recommendation, including developing a
tracking system in October 2013 to capture declinations.
Establishing guidance for areas of vulnerability covered by
assessments.--In September 2014, GAO reported that the
vulnerability assessment tools and methods DHS offices and
components use vary with respect to the areas of
vulnerability--such as perimeter security--assessed depending
on which DHS office or component conducts or requires the
assessment. As a result it was not clear what areas DHS
believes should be included in its assessments. GAO recommended
that DHS review its vulnerability assessments to identify the
most important areas of vulnerability to be assessed, and
establish guidance, among other things. DHS agreed and
established a working group in August 2015 to address this
recommendation. As of March 2016 these efforts were on-going
with a status update expected in the summer of 2016.
Addressing the potential for duplication, overlap, or gaps
between and among the various efforts.--In September 2014, GAO
found overlapping assessment activities and reported that DHS
lacks a Department-wide process to facilitate coordination
among the various offices and components that conduct
vulnerability assessments or require assessments on the part of
owners and operators. This could hinder the ability to identify
gaps or potential duplication in DHS assessments. GAO
identified opportunities for DHS to coordinate with other
Federal partners to share information regarding assessments. In
response to GAO recommendations, DHS began a process of
identifying the appropriate level of guidance to eliminate gaps
or duplication in methods and to coordinate vulnerability
assessments throughout the Department. GAO also recommended
that DHS identify key CI security-related assessment tools and
methods used or offered by other Federal agencies, analyze them
to determine the areas they capture, and develop and provide
guidance for what areas should be included in vulnerability
assessments of CI that can be used by DHS and other CI partners
in an integrated and coordinated manner. DHS agreed, and as of
March 2016, established a working group to address GAO
recommendations.
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
subcommittee: Thank you for the opportunity to discuss the Department
of Homeland Security's (DHS) efforts to assess critical infrastructure
vulnerabilities. Critical infrastructure (CI) includes assets and
systems, whether physical or cyber, that are so vital to the United
States that their incapacity or destruction would have a debilitating
impact on, among other things, National security or the economy.\1\
---------------------------------------------------------------------------
\1\ See 42 U.S.C. � 5195c(e).
---------------------------------------------------------------------------
Protecting the security of our critical infrastructure is a top
priority for the Nation. For example, in 2013, the President issued
Presidential Policy Directive/PPD-21: Critical Infrastructure Security
and Resilience to increase the overall security and resilience of U.S.
critical infrastructure.\2\ In addition, in 2013, DHS issued an update
to its National Infrastructure Protection Plan (NIPP),\3\ which
provides the overarching approach for integrating the Nation's critical
infrastructure security and resilience activities into a single
National effort.\4\ A fundamental component of DHS's efforts to protect
and secure our Nation's infrastructure is its reliance on voluntary
collaboration between private-sector owners and operators of critical
infrastructure and their Government counterparts. The NIPP outlines the
roles and responsibilities of DHS with regard to critical
infrastructure protection and resilience and sector-specific agencies
(SSA)--Federal departments and agencies responsible for critical
infrastructure protection and resilience activities in 16 critical
infrastructure sectors. Sectors include the commercial facilities,
energy, and transportation sectors. Appendix I lists the 16 CI sectors
and their SSAs.
---------------------------------------------------------------------------
\2\ Presidential Policy Directive-21--Critical Infrastructure
Security and Resilience (Washington, DC: Feb. 12, 2013).
\3\ See DHS, NIPP 2013, Partnering for Critical Infrastructure
Security and Resilience (Washington, DC: December 2013), which is an
update to previous versions of the NIPP.
\4\ According to DHS, in this context, resilience is the ability to
adapt to changing conditions, and prepare for, withstand, and rapidly
recover from disruptions. See DHS, Risk Steering Committee, DHS Risk
Lexicon (Washington, DC: September 2010).
---------------------------------------------------------------------------
Over the last several years, DHS has taken actions to assess
vulnerabilities at CI facilities and within groups of related
infrastructure, regions, and systems. According to DHS, a vulnerability
assessment is a process for identifying physical features or
operational attributes that render an entity, asset, system, network,
or geographic area open to exploitation or susceptible to a given
hazard that has the potential to harm life, information, operations,
the environment, or property.\5\
---------------------------------------------------------------------------
\5\ According to the NIPP, vulnerabilities may be associated with
physical (e.g., no barriers or alarm systems), cyber (e.g., lack of a
firewall), or human (e.g., untrained guards) factors. A vulnerability
assessment can be a stand-alone process or part of a full risk
assessment and involves the evaluation of specific threats to the
asset, system, or network under review to identify areas of weakness
that could result in consequences of concern. For the purposes of this
testimony, we use the term ``tools and methods'' when referring to
specific survey questionnaires or tools that DHS offices and components
and other Federal agencies use in conducting vulnerability assessments
or in offering self-assessments to CI owners and operators. These tools
and methods contain various areas that can be assessed for
vulnerabilities, such as perimeter security, entry controls, and
cybersecurity, among others.
---------------------------------------------------------------------------
We reported in September 2014 that DHS offices and components had
conducted or required thousands of vulnerability assessments of CI from
October 2010 to September 2013, some of which are voluntary, and that
DHS needed to enhance integration and coordination of these efforts.\6\
Specifically, DHS officials representing the National Protection and
Programs Directorate (NPPD), Transportation Security Administration
(TSA), and the Coast Guard conducted more than 5,300 assessments using
6 different voluntary assessment tools and methods covering various
types of assets and systems.\7\ During the same time period, as many as
7,600 asset owners and operators were required to perform self-
assessments to comply with Coast Guard requirements pursuant to
Maritime Transportation Security Act (MTSA)\8\ and NPPD's
Infrastructure Security Compliance Division (ISCD) requirements
pursuant to Chemical Facility Anti-Terrorism Standards (CFATS).\9\
---------------------------------------------------------------------------
\6\ GAO, Critical Infrastructure Protection: DHS Action Needed to
Enhance Integration and Coordination of Vulnerability Assessment
Efforts, GAO-14-507 (Washington, DC: Sept. 15, 2014).
\7\ During the early stages of our review, NPPD, TSA, and Coast
Guard officials identified various assessment tools and methods. We
further analyzed these 10 assessment tools and methods because based on
our preliminary work, these tools and methods contained two or more
areas assessed for vulnerability, such as perimeter security, or the
presence of a security force. Tools and methods include the
Infrastructure Survey Tool (IST), Site Assistance Visit (SAV), Chemical
Security Assessment Tool Security Vulnerability Assessment (CSAT SAV),
and Modified Infrastructure Survey Tool (MIST) from NPPD; the Baseline
Assessment for Security Enhancements (BASE). Freight Rail Risk Analysis
Tool, Pipeline Security Critical Facility Security Reviews (CFSR) and
Joint Vulnerability Assessment (JVA) from TSA; and Port Security
Assessments and Maritime Transportation Security Act (MTSA)-regulated
facility vulnerability assessments performed by the Coast Guard.
\8\ See Pub L. No. 107-295, 116 Stat. 2064 (2002).
\9\ See 6 C.F.R. pt. 27; Department of Homeland Security
Appropriations Act, 2007. Pub. L. No. 109-295, tit. V. � 550, 120 Stat.
1355, 1388-89 (2006).
---------------------------------------------------------------------------
My testimony today describes: (1) Progress made by DHS in
addressing barriers to conducting voluntary assessments and sharing
information, and (2) the extent to which DHS provided guidance for
DHS's CI vulnerability assessment activities and to address potential
duplication and gaps in assessment efforts. This statement is based on
products we issued from May 2012 to October 2015 on factors to consider
when reorganizing, and recommendation follow-up activities conducted
through March 2016 related to multiple aspects of DHS's efforts to
assess critical infrastructure and provide information to CI owners and
operators to help them enhance the security of their facilities.\10\ To
perform the work for our previous reports, among other things, we
reviewed applicable laws, regulations, and directives as well as
policies and procedures for selected programs to protect critical
infrastructure. We interviewed DHS officials responsible for
administering these programs and obtained and assessed data on the
conduct and management of DHS's security-related programs. We also
interviewed and surveyed a range of other stakeholders, including
Federal officials, industry owners and operators, and CI experts.
Further details on the scope and methodology for the previously-issued
reports are available within each of the published products. In
addition, after the issuance of our reports and through March 2016 we
contacted DHS to obtain updated information and documentation, as
appropriate, on the status of recommendations we made as part of our
on-going recommendation follow-up activities.
---------------------------------------------------------------------------
\10\ GAO, National Protection and Programs Directorate: Factors to
Consider When Reorganizing, GAO-16-140T (Washington, DC: Oct. 7, 2015);
Critical Infrastructure Protection: Observations on Key Factors in
DHS's Implementation of Its Partnership Approach, GAO-14-464T
(Washington, DC: Mar. 26, 2014); Critical Infrastructure Protection:
DHS Could Strengthen the Management of the Regional Resiliency
Assessment Program, GAO-13-616 (Washington, DC: July 30, 2013); GAO-14-
507; Critical Infrastructure Protection: DHS List of Priority Assets
Needs to Be Validated and Reported to Congress, GAO-13-296 (Washington,
DC: Mar. 25, 2013); and Critical Infrastructure Protection: DHS Could
Better Manage Security Surveys and Vulnerability Assessments, GAO-12-
378 (Washington, DC: May 31, 2012).
---------------------------------------------------------------------------
We conducted the work on which this statement is based in
accordance with generally accepted Government auditing standards. Those
standards require that we plan and perform the audit to obtain
sufficient, appropriate evidence to provide a reasonable basis for our
findings and conclusions based on our audit objectives. We believe the
evidence obtained provides a reasonable basis for our findings and
conclusions based on our audit objectives.
background
Federal law and policy have established roles and responsibilities
for Federal agencies to coordinate with industry in enhancing the
security and resilience of critical Government and industry
infrastructures. According to the Homeland Security Act of 2002, as
amended, DHS is to, among other things, carry out comprehensive
vulnerability assessments of CI; integrate relevant information,
analyses, and assessments from within DHS and from CI partners; and use
the information collected to identify priorities for protective and
support measures. Assessments include areas that can be assessed for
vulnerability (hereinafter referred to as ``areas''), such as perimeter
security, the presence of a security force, or vulnerabilities to
intentional acts, including acts of terrorism. Presidential Policy
Directive/PPD-21 directs DHS to, among other things, provide strategic
guidance, promote a National unity of effort, and coordinate the
overall Federal effort to promote the security and resilience of the
Nation's CI. Related to PPD-21, the NIPP calls for the CI community and
associated stakeholders to carry out an integrated approach to: (1)
Identify, deter, detect, disrupt, and prepare for threats and hazards
(all hazards); (2) reduce vulnerabilities of critical assets, systems,
and networks; and (3) mitigate the potential consequence to CI to
incidents or events that do occur. According to the NIPP, CI partners
are to identify risk in a coordinated and comprehensive manner across
the CI community; minimize duplication; consider interdependencies;
and, as appropriate, share information within the CI community.
Within DHS, NPPD is responsible for working with public and
industry infrastructure partners and leads the coordinated National
effort to mitigate risk to the Nation's infrastructure through the
development and implementation of the infrastructure security program.
NPPD's Office of Infrastructure Protection (IP) has overall
responsibility for coordinating implementation of the NIPP across the
16 CI sectors, including providing guidance to SSAs and CI owners and
operators on protective measures to assist in enhancing the security of
infrastructure and helping CI-sector partners develop the capabilities
to mitigate vulnerabilities and identifiable risks to the assets.\11\
The NIPP also designates other Federal agencies, as well as some
offices and components within DHS, as SSAs that are responsible for,
among other things, coordinating with DHS and other Federal departments
and agencies and CI owners and operators to identify vulnerabilities,
and to help mitigate incidents, as appropriate. DHS offices and
components or asset owners and operators have used various assessment
tools and methods, some of which are voluntary, while others are
required by law or regulation, to gather information about certain
aspects of CI. For example, Protective Security Coordination Division
(PSCD), within NPPD, relies on Protective Security Advisors (PSA)\12\
to offer and conduct voluntary vulnerability assessments to owners and
operators of CI to help identify potential security actions;
Infrastructure Security Compliance Division, within NPPD, requires
regulated chemical facilities to complete a security vulnerability
assessment pursuant to CFATS; TSA conducts various assessments of
airports, pipelines, and rail and transit systems;\13\ and Coast Guard
requires facilities it regulates under the Maritime Transportation
Security Act of 2002 (MTSA) to complete assessments as part of their
security planning process.\14\ In addition, SSAs external to DHS also
offer vulnerability assessment tools and methods to owners or operators
of CI and these assessments include areas such as resilience management
or perimeter security. For example, the Environmental Protection
Agency, the SSA for the water sector, provides a self-assessment tool
for the conduct of voluntary security-related assessments at water and
wastewater facilities.
---------------------------------------------------------------------------
\11\ A delegation memo to the Under Secretary for NPPD delineates
the directorate's roles and responsibilities.
\12\ As of July 2016, DHS has deployed 89 PSAs in all 50 States,
Puerto Rico, and the Nation's capital region to, among other things,
conduct outreach with State and local partners and asset owners and
operators who participate in DHS's voluntary CI protection and
resiliency efforts.
\13\ See, e.g., 49 U.S.C. � 44904; Pub. L. No. 104-264, � 310, 110
Stat. 3213, 3253 (1996).
\14\ See Pub L. No. 107-295, 116 Stat. 2064 (2002); 33 C.F.R. ��
105.300-.310.
---------------------------------------------------------------------------
progress made addressing barriers to conducting voluntary assessments
and sharing information
DHS took steps to address barriers to conducting critical
infrastructure vulnerability assessments and sharing information, in
response to findings from our previous work. Specifically, DHS has made
progress in the following areas:
Determining why some industry partners do not participate in
voluntary assessments.--DHS supports the development of the National
risk picture by conducting vulnerability assessments and security
surveys to identify security gaps and potential vulnerabilities in the
Nation's high-priority critical infrastructure.\15\ In a May 2012
report, we assessed the extent to which DHS had taken action to conduct
security surveys using its Infrastructure Survey Tool (IST) and
vulnerability assessments among high-priority infrastructure, shared
the results of these surveys and assessments with asset owners or
operators, and assessed their effectiveness.\16\
---------------------------------------------------------------------------
\15\ DHS vulnerability assessments are conducted during site visits
at individual assets and are used to identify security gaps and provide
options for consideration to mitigate these identified gaps. DHS
security surveys are intended to gather information on an asset's
current security posture and overall security awareness. Security
surveys and vulnerability assessments are generally asset-specific and
are conducted at the request of asset owners and operators.
\16\ GAO-12-378.
---------------------------------------------------------------------------
We found that various factors influence whether industry owners and
operators of assets participate in these voluntary programs, but that
DHS did not systematically collect data on reasons why some owners and
operators of high-priority assets declined to participate in security
surveys or vulnerability assessments. We concluded that collecting data
on the reason for declinations could help DHS take steps to enhance the
overall protection and resilience of those high-priority critical
infrastructure assets crucial to National security, public health and
safety, and the economy. We recommended, and DHS concurred, that DHS
design and implement a mechanism for systematically assessing why
owners and operators of high-priority assets decline to participate.
In response to our recommendations, in October 2013 DHS developed
and implemented a tracking system to capture and account for
declinations. In addition, in August 2014 DHS established a policy to
conduct quarterly reviews to, among other things, track these and other
survey and assessment programs and identify gaps and requirements for
priorities and help DHS better understand what barriers owners and
operators of critical infrastructure face in making improvements to the
security of their assets.
Sharing of assessment results at the asset level in a timely
manner.--DHS security surveys and vulnerability assessments can provide
valuable insights into the strengths and weaknesses of assets and can
help asset owners and operators that participate in these programs make
decisions about investments to enhance security and resilience. In our
May 2012 report, we found that, among other things, DHS shared the
results of security surveys and vulnerability assessments with asset
owners or operators.\17\ However, we also found that the usefulness of
security survey and vulnerability assessment results could be enhanced
by the timely delivery of these products to the owners and operators.
We reported that the inability to deliver these products in a timely
manner could undermine the relationship DHS was attempting to develop
with these industry partners. Specifically, we reported that, based on
DHS data from fiscal year 2011, DHS was late meeting the 30-day time
frame for delivering the results of its security surveys required by
DHS guidance 60 percent of the time. DHS officials acknowledged the
late delivery of survey and assessment results and said they were
working to improve processes and protocols. However, DHS had not
established a plan with time frames and milestones for managing this
effort. We recommended, and DHS concurred, that it develop time frames
and specific milestones for managing its efforts to ensure the timely
delivery of the results of security surveys and vulnerability
assessments to asset owners and operators. In response to our
recommendation, DHS established time frames and milestones to ensure
the timely delivery of assessment results of the surveys and
assessments to CI owners and operators. In addition, in February 2013,
DHS transitioned to a web-based delivery system, which, according to
DHS, has since resulted in a significant drop in overdue deliveries.
---------------------------------------------------------------------------
\17\ GAO-12-378.
---------------------------------------------------------------------------
Sharing certain information with critical infrastructure partners
at the regional level.--Our work has shown that over the past several
years, DHS has recognized the importance of and taken actions to
examine critical infrastructure asset vulnerabilities, threats, and
potential consequences across regions. In a July 2013 report, we
examined DHS's management of its Regional Resiliency Assessment Program
(RRAP)--a voluntary program intended to assess regional resilience of
critical infrastructure by analyzing a region's ability to adapt to
changing conditions, and prepare for, withstand, and rapidly recover
from disruptions--and found that DHS has been working with States to
improve the process for conducting RRAP projects, including more
clearly defining the scope of these projects.\18\ We also reported that
DHS shares the project results of each RRAP project report, including
vulnerabilities identified, with the primary stakeholders--officials
representing the State where the RRAP was conducted--and that each
report is generally available to SSAs and protective security advisors
within DHS.\19\
---------------------------------------------------------------------------
\18\ GAO-13-616.
\19\ A protective security advisor is a DHS field representative.
Among other things, they conduct RRAP projects.
---------------------------------------------------------------------------
Sharing information with sector-specific agencies and State and
local governments.--Federal SSAs and State and local governments are
key partners that can provide specific expertise and perspectives in
Federal efforts to identify and protect critical infrastructure. In a
March 2013 report, we reviewed DHS's management of the National
Critical Infrastructure Prioritization Program (NCIPP), and how DHS
worked with States and SSAs to develop the high-priority CI list.\20\
The program identifies a list of Nationally-significant critical
infrastructure each year that is used to, among other things,
prioritize voluntary vulnerability assessments conducted by PSAs on
high-priority critical infrastructure. We reported that DHS had taken
actions to improve its outreach to SSAs and States in an effort to
address challenges associated with providing input on nominations and
changes to the NCIPP list. However, we also found that most State
officials we contacted continued to experience challenges with
nominating assets to the NCIPP list using the consequence-based
criteria developed by DHS. Among other actions, we recommended that DHS
commission an independent, external peer review of the NCIPP with clear
project objectives. In November 2013, DHS commissioned a panel that
reviewed the NCIPP process, guidance documentation, and process phases
to provide an evaluation of the extent to which the process is
comprehensive, reproducible, and defensible. The panel made 24
observations about the NCIPP; however, panel members expressed
different views regarding the classification of the NCIPP list, and
views on whether private-sector owners of the assets, systems, and
clusters should be notified of inclusion on the list. As of August
2014, DHS officials reported that they are exploring options to
streamline the process and limit the delay of dissemination among those
who have a need to know.
---------------------------------------------------------------------------
\20\ GAO-13-296.
---------------------------------------------------------------------------
guidance and coordination to address potential duplication and gaps
needed for ci vulnerability assessment activities
Our previous work identified a need for DHS vulnerability
assessment guidance and coordination. Specifically, we found:
Establishing guidance for areas of vulnerability covered by
assessments.--In a September 2014 report examining, among other things,
the extent to which DHS is positioned to integrate vulnerability
assessments to identify priorities, we found that the vulnerability
assessment tools and methods DHS offices and components use vary with
respect to the areas assessed depending on which DHS office or
component conducts or requires the assessment.\21\ As a result, it was
not clear what areas DHS believes should be included in a comprehensive
vulnerability assessment. Moreover, we found that DHS had not issued
guidance to ensure that the areas it deems most important are captured
in assessments conducted or required by its offices and components. Our
analysis of 10 vulnerability assessment tools and methods showed that
DHS vulnerability assessments consistently included some areas that
were assessed for vulnerability but included other areas that were not
consistently assessed. Our analysis showed that all 10 of the DHS
assessment tools and methods we analyzed included areas such as
``vulnerabilities from intentional acts''--such as terrorism--and
``perimeter security'' in the assessment. However, 8 of the 10
assessment tools and methods did not include areas such as
``vulnerabilities to all hazards'' such as hurricanes or earthquakes
while the other 2 did. These differences in areas assessed among the
various assessment tools and methods could complicate or hinder DHS's
ability to integrate relevant assessments in order to identify
priorities for protective and support measures.
---------------------------------------------------------------------------
\21\ GAO-14-507.
---------------------------------------------------------------------------
We found that the assessments conducted or required by DHS offices
and components also varied greatly in their length and the detail of
information to be collected. For example, within NPPD, PSCD used its
IST to assess high-priority facilities that voluntarily participate and
this tool was used across the spectrum of CI sectors. The IST, which
contains more than 100 questions and 1,500 variables, is used to gather
information on the security posture of CI, and the results of the IST
can inform owners and operators of potential vulnerabilities facing
their asset or system. In another example from NPPD, ISCD required
owners and operators of facilities that possess, store, or manufacture
certain chemicals under CFATS to provide data on their facilities using
an on-line tool so that ISCD can assess the risk posed by covered
facilities. This tool, ISCD's Chemical Security Assessment Tool
Security Vulnerability Assessment contained more than 100 questions
based on how owners respond to an initial set of questions. Within DHS,
TSA's Office of Security Operations offered or conducted a number of
assessments, such as a 205-question assessment of transit systems
called the Baseline Assessment for Security Enhancements that contained
areas to be assessed for vulnerability, and TSA's 17-question Freight
Rail Risk Analysis Tool was used to assess rail bridges.
In addition to differences in what areas were included, there were
also differences in the detail of information collected for individual
areas, making it difficult to determine the extent to which the
information collected was comparable and what assumptions and/or
judgments were used while gathering assessment data. We also observed
that components used different questions for the same areas assessed.
These variations, among others we identified, could impede DHS's
ability to integrate relevant information and use it to identify
priorities for protective and support measures regarding terrorist and
other threats to homeland security. For example, we found that while
some components asked open-ended questions such as ``describe security
personnel,'' others included drop-down menus or lists of responses to
be selected.
We recommended that DHS review its vulnerability assessments to
identify the most important areas to be assessed, and determine the
areas and level of detail that are necessary to integrate assessments
and enable comparisons, and establish guidance, among other things. DHS
agreed with our recommendation, and established a working group in
August 2015 to address this recommendation and others we made. As of
March 2016 these efforts are on-going and DHS intends to provide an
update in the summer of 2016.
Establishing guidance on common data standards to help reduce
assessment fatigue and improve information sharing.--As we reported in
September 2014, Federal assessment fatigue could impede DHS's ability
to garner the participation of CI owners and operators in its voluntary
assessment activities. During our review of vulnerability assessments,
the Coast Guard, PSCD, and TSA field personnel we contacted reported
observing what they called Federal fatigue, or a perceived weariness
among CI owners and operators who had been repeatedly approached or
required by multiple Federal agencies and DHS offices and components to
participate in or complete assessments. One official who handles
security issues for an association representing owners and operators of
CI expressed concerns at the time about his members' level of fatigue.
Specifically, he shared observations that DHS offices and components do
not appear to effectively coordinate with one another on assessment-
related activities to share or use information and data that have
already been gathered by one of them. The official also noted that,
from the association's perspective, the requests and invitations to
participate in assessments have exceeded what is necessary to develop
relevant and useful information, and information is being collected in
a way that is not the best use of the owners' and operators' time. As
figure 1 illustrates, depending on a given asset or facility's
operations, infrastructure, and location, an owner or operator could be
asked or required to participate in multiple separate vulnerability
assessments.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
DHS officials expressed concern at the time that this ``fatigue''
may diminish future cooperation from asset owners and operators. We
recommended in September 2014 that DHS develop an approach for
consistently collecting and maintaining data from assessments conducted
across DHS to facilitate the identification of potential duplication
and gaps in coverage. Having common data standards would better
position DHS offices and components to minimize the aforementioned
fatigue, and the resulting declines in CI owner and operator
participation, by making it easier for DHS offices and components to
use each other's data to determine what CI assets or facilities may
have been already visited or assessed by another office or component.
They could then plan their assessment efforts and outreach accordingly
to minimize the potential for making multiple visits to the same assets
or facilities. DHS agreed with our recommendation, and as of March 2016
DHS had established a working group to address the recommendations from
our report and planned to provide us with a status update in the summer
of 2016.
Addressing the potential for duplication, overlap, or gaps between
and among the various efforts.--As with the sharing of common
assessment data, we found in our 2014 review of vulnerability
assessments that DHS also lacks a Department-wide process to facilitate
coordination among the various offices and components that conduct
vulnerability assessments or require assessments on the part of owners
and operators.\22\ This could hinder the ability to identify gaps or
potential duplication in DHS assessments. For example, among 10
different types of DHS vulnerability assessments we compared, we found
that DHS assessment activities were overlapping across some of the
sectors, but not others. Given the overlap of DHS's assessments among
many of the 16 sectors, we attempted to compare data to determine
whether DHS had conducted or required vulnerability assessments at the
same critical infrastructure within those sectors. However, we were
unable to conduct this comparison because of differences in the way
data about these activities were captured and maintained.\23\ Officials
representing DHS acknowledged at the time they encountered challenges
with the consistency of assessment data and stated that DHS-wide
interoperability standards did not exist for them to follow in
recording their assessment activities that would facilitate consistency
and enable comparisons among the different data sets.
---------------------------------------------------------------------------
\22\ GAO-14-507.
\23\ Data sets used by DHS offices and components did not share
common formats or defined data standards. For example, infrastructure
names and addresses generally were not entered in a standardized way or
were not available in some cases in a way that would allow us to
identify matches across data sets. See GAO-14-507.
---------------------------------------------------------------------------
The NIPP calls for standardized processes to promote integration
and coordination of information sharing through, among other things,
jointly-developed standard operating procedures. However, DHS officials
stated at the time that they generally relied on field-based personnel
to inform their counterparts at other offices and components about
planned assessment activities and share information as needed on what
assets may have already been assessed. For example, PSAs may inform and
invite CI partners to participate in these assessments, if the owner
and operator of the asset agrees. PSAs may also alert their DHS
counterparts depending on assets covered and their areas of
responsibility. However, we found that absent these field-based
coordination or sharing activities, it was unclear whether all
facilities in a particular geographic area or sector were covered. For
example, after CFATS took effect, in 2007, ISCD officials asked PSCD to
stop having PSAs conduct voluntary assessments at CFATS-regulated
chemical facilities to reduce potential confusion about DHS authority
over chemical facility security and to avoid overlapping assessments.
In response, PSCD reduced the number of voluntary vulnerability
assessments conducted in the chemical sector. However, one former ISCD
official noted that without direct and continuous coordination between
PSCD and ISCD on what facilities are being assessed or regulated by
each division, this could create a gap in assessment coverage between
CFATS-regulated facilities and facilities that could have participated
in PSCD assessments given that the number of CFATS-regulated facilities
can fluctuate over time.\24\
---------------------------------------------------------------------------
\24\ The number of facilities actively regulated under the Chemical
Facility Anti-Terrorism Standards requirements can fluctuate over time
because of facilities changing their regulated operations or the types
and quantities of chemicals handled, new facilities being built, or
older facilities being decommissioned, for example.
---------------------------------------------------------------------------
Without processes for DHS offices and components to share data and
coordinate with each other in their CI vulnerability assessment
activities, DHS cannot provide reasonable assurance that it can
identify potential duplication, overlap, or gaps in coverage that could
ultimately affect DHS's ability to work with its partners to enhance
National CI security and resilience, consistent with the NIPP. We
recommended in September 2014 that DHS develop an approach to ensure
that vulnerability data gathered on CI be consistently collected and
maintained across DHS to facilitate the identification of potential
duplication and gaps in CI coverage. As of March 2016, DHS has begun a
process of identifying the appropriate level of guidance to eliminate
gaps or duplication in methods and to coordinate vulnerability
assessments throughout the Department.
We also recommended that DHS identify key CI security-related
assessment tools and methods used or offered by SSAs and other Federal
agencies, analyze them to determine the areas of vulnerability they
capture, and develop and provide guidance for what areas should be
included in vulnerability assessments of CI that can be used by DHS and
other CI partners in an integrated and coordinated manner. DHS
concurred with our recommendations and stated that it planned to take a
variety of actions to address the issues we identified, including
conducting an inventory survey of the security-related assessment tools
and methods used by SSAs to address CI vulnerabilities. As of March
2016, DHS has established a working group, consisting of members from
multiple departments and agencies, to enhance the integration and
coordination of vulnerability assessment efforts. These efforts are on-
going and we will continue to monitor DHS's progress in implementing
these recommendations.
In addition to efforts to address our recommendations, DHS is in
the process of reorganizing NPPD to ensure that it is appropriately
positioned to carry out its critical mission of cyber and
infrastructure security. Key priorities of this effort are to include
greater unity of effort across the organization and enhanced
operational activity to leverage the expertise, skills, information,
and relationships throughout DHS. The NPPD reorganization presents DHS
with an opportunity to engage stakeholders in decision making and may
achieve greater efficiency or effectiveness by reducing programmatic
duplication, overlap, and fragmentation. It also presents DHS with an
opportunity to mitigate potential duplication or gaps by consistently
capturing and maintaining data from overlapping vulnerability
assessments of CI and improving data sharing and coordination among the
offices and components involved with these assessments.
Chairman Ratcliffe, Ranking Member Richmond, and Members of the
sub-committee, this completes my prepared statement. I would be happy
to respond to any questions you may have at this time.
Appendix I: Critical Infrastructure Sectors
This appendix provides information on the 16 critical
infrastructure (CI) sectors and the Federal agencies responsible for
sector security. The National Infrastructure Protection Plan (NIPP)
outlines the roles and responsibilities of the Department of Homeland
Security (DHS) and its partners--including other Federal agencies.
Within the NIPP framework, DHS is responsible for leading and
coordinating the overall National effort to enhance security via 16
critical infrastructure sectors. Consistent with the NIPP, Presidential
Decision Directive/PPD-21 assigned responsibility for the critical
infrastructure sectors to sector-specific agencies (SSAs).* As an SSA,
DHS has direct responsibility for leading, integrating, and
coordinating efforts of sector partners to protect 10 of the 16
critical infrastructure sectors. Seven other Federal agencies have sole
or coordinated responsibility for the remaining 6 sectors. Table 1
lists the SSAs and their sectors.
---------------------------------------------------------------------------
* Issued on February 12, 2013, Presidential Policy Directive/PPD-
21, Critical Infrastructure Security and Resilience, purports to refine
and clarify critical infrastructure-related functions, roles, and
responsibilities across the Federal Government, and enhance overall
coordination and collaboration, among other things. Pursuant to
Homeland Security Presidential Directive/HSPD-7 and the National
Infrastructure Protection Plan, DHS had established 18 critical
infrastructure sectors. PPD-21 subsequently revoked HSPD-7, and
incorporated 2 of the sectors into existing sectors, thereby reducing
the number of critical infrastructure sectors from 18 to 16. Plans
developed pursuant to HSPD-7, however, remain in effect until
specifically revoked or superseded.
TABLE 1: CRITICAL INFRASTRUCTURE SECTORS AND SECTOR-SPECIFIC AGENCIES
(SSA)
------------------------------------------------------------------------
Critical Infrastructure Sector SSA(s) \1\
------------------------------------------------------------------------
Food and agriculture................... Department of Agriculture \2\
and the Department of Health
and Human Services \3\
Defense industrial base \4\............ Department of Defense
Energy \5\............................. Department of Energy
Government facilities.................. Department of Homeland Security
and the General Services
Administration
Health care and public health.......... Department of Health and Human
Services
Financial services..................... Department of the Treasury
Transportation systems................. Department of Homeland Security
and the Department of
Transportation \6\
Water and wastewater systems \7\....... Environmental Protection Agency
Commercial facilities.................. Department of Homeland Security
Critical manufacturing................. Office of Infrastructure
Protection \8\
Emergency services..................... ...............................
Nuclear reactors, materials, and waste. ...............................
Dams................................... ...............................
Chemical............................... ...............................
Information technology................. ...............................
Communications......................... Office of Cyber Security and
Communications \9\
------------------------------------------------------------------------
Source: Presidential Policy Directive/PPD-21/GAO-16-791T.
\1\ Presidential Policy Directive/PPD-21, released in February 2013,
identifies 16 critical infrastructure sectors and designates
associated Federal SSAs. In some cases co-SSAs are designated where
those departments share the roles and responsibilities of the SSA.
\2\ The Department of Agriculture is responsible for agriculture and
food (meat, poultry, and egg products).
\3\ The Food and Drug Administration is the Department of Health and
Human Services component responsible for food other than meat,
poultry, and egg products and serves as the co-SSA.
\4\ Nothing in the NIPP impairs or otherwise affects the authority of
the Secretary of Defense over the Department of Defense, including the
chain of command for military forces from the President as Commander-
in-Chief, to the Secretary of Defense, to the commanders of military
forces, or military command-and-control procedures.
\5\ The energy sector includes the production, refining, storage, and
distribution of oil, gas, and electric power, except for commercial
nuclear power facilities.
\6\ Presidential Policy Directive/PPD-21 establishes the Department of
Transportation as co-SSA with the Department of Homeland Security
(DHS) for the transportation systems sector. Within DHS, the U.S.
Coast Guard and the Transportation Security Administration are the
responsible components.
\7\ The water sector includes drinking water.
\8\ The Office of Infrastructure Protection is the DHS component
responsible for the commercial facilities; critical manufacturing;
emergency services; nuclear reactors, materials, and waste; dams; and
chemical sectors.
\9\ The Office of Cyber Security and Communications is the DHS component
responsible for the information technology and communications sectors.
Mr. Ratcliffe. Thank you, Mr. Currie.
The Chair now recognizes Dr. Ozment for 5 minutes for his
opening statement.
STATEMENT OF ANDY OZMENT, ASSISTANT SECRETARY, OFFICE OF
CYBERSECURITY AND COMMUNICATIONS, NATIONAL PROTECTION AND
PROGRAMS DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Ozment. Thank you.
Chairman Ratcliffe, Ranking Member Richmond, and Members of
the committee, thank you for the opportunity to appear before
you today.
My organization within NPPD has three sets of cybersecurity
customers; Federal civilian agencies, private-sector companies,
and State, local, Tribal, and territorial governments.
Today, I will focus on the Cybersecurity Advisors Program,
or CSA Program. Our CSA's focus is on the latter two customers,
private-sector companies and State and local governments. The
CSA Program is modeled after the Protective Security Advisor,
or PSA Program that you will hear from my colleague, Assistant
Secretary Durkovich.
Although the CSA Program does reflect several differences
to account for its focus on cybersecurity. Importantly, the CSA
Program, as you noted, Chairman, is more nascent than the PSA
Program. While there are over 100 PSAs, as of last weekend,
there were only 5 regionally-deployed Cybersecurity Advisors. I
say last weekend, because yesterday, our sixth CSA started
work, a nice milestone for us.
Our customers have demonstrated a significant demand for
the resources and support provided by our CSAs. For this
reason, we expect to deploy 13 CSAs in the field by the end of
this fiscal year. The President's 2017 budget requests a total
of 24 field-deployed CSAs. As you know, the vast majority of
our Nation's critical infrastructure is owned and operated by
the private sector or by State and local governments. To
protect that infrastructure, we must help those owners and
operators improve their cybersecurity.
Now, people who work in Washington, DC, are sometimes
criticized for thinking that only of Washington, DC. Our Nation
cannot afford for NPPD to think that way. We must work across
the United States helping private-sector and State and local
government customers where they live.
For critical infrastructure owned by small businesses,
there's often no other way to reach them. Our Cybersecurity
Advisors are thus NPPD's deployed cyber work force who live
across the United States helping critical infrastructure where
it is located and where the owners and operators live. Our
Cybersecurity Advisors have 4 areas in which they support our
customers. They help our customers adopt best practices, they
share information, respond to incidents, and support special
National security and other events. I'll speak to each of those
in turn.
First, we help our customers adopt cybersecurity and best
practices as exemplified by the NIST cybersecurity framework.
We do that by advising them on risk management. One of the more
concrete and visible ways we advise on risk management is by
performing risk assessments.
We offer a wide range of cyber risk assessments starting at
the most strategic level and then going down into more
technical areas depending on what a company or other customer
needs.
For example, our most strategic cyber risk assessment is a
questionnaire that could take a full day, working with many
different leaders within an organization to complete to get a
full picture of their risk management methodology.
With our current work force, we average about 80
assessments a year. A few months after the assessments, we
survey the companies to see, did the company or State and local
organization make a major change based on the assessment?
So far, 96 percent of the respondees to our post-assessment
survey have made at least one major security improvement as a
consequence of our assessment.
CSAs also link critical infrastructure owners and operators
to more technical hands-on assessment teams based in the NCCIC.
For example, the NCCIC can actually try to break into a
company, that is, we can try to hack them. I'll emphasize that
we do this only at the invitation of the company.
Second, CSAs connect companies to our information-sharing
activities. For example, the Cybersecurity Information Sharing
Act of 2015 has passed, and CSAs are helping us to recruit
companies to share machine-to-machine data at real time, in our
automated indicator sharing program. Let me thank you and the
committee, again, for your help in passing that very important
legislation.
Third, CSAs can provide support to our customers who
experience a cybersecurity incident. When an incident occurs,
our customers can work with CSAs to obtain incident response
and to coordinate resources and information coming out of the
NCCIC.
Finally, CSAs provide support to officials responsible for
planning and leading special events, sometimes known as
National security events. Examples of special events supported
by the CSAs include major sporting events such as the Super
Bowl and major league baseball all-star game and upcoming
conventions.
These are the 4 major lines of effort by which CSAs support
customers--best practices and risk assessments, information
sharing, incident response, and special events. But CSAs have
an additional role, which is to aid and inform our National
efforts. For example, a local perspective could be critical to
identify which infrastructure matters the most. CSAs use their
local knowledge to identify the most critical infrastructure in
a given region.
Increasingly, they are also asked to bring their expertise
into close collaboration as trusted advisers, planners, and
emergency management executives who report to the State
Homeland Security Advisor. Ultimately, CSAs are also the voice
of individual companies in the development of National plans
and programs.
CSAs provide a local point of connection to help their
customers manage their cyber risk and brings their insight into
this National conversation. Although we only have 6 CSAs in the
field today, I ask your support in passing the fiscal year
President's budget to bring us to a total of 24 CSAs in the
field.
Thank you again for the opportunity to appear before you
today, and I look forward to your questions.
[The joint prepared statement of Mr. Ozment and Ms.
Durkovich follows:]
Joint Prepared Statement of Andy Ozment and Caitlin Durkovich
July 12, 2016
i. introduction
Chairman Ratcliffe, Ranking Member Richmond, thank you for the
opportunity to appear before you today to discuss the crucial role that
Protective Security Advisors (PSAs) and Cybersecurity Advisors (CSAs)
serve in furthering the U.S. Department of Homeland Security's (DHS)
mission to enhance the security and resilience of the Nation's critical
infrastructure in an all-hazards environment. We appreciate Congress'
draft legislation that would stand up the National Protection and
Programs Directorate (NPPD) as an operational component focused on
cyber and infrastructure protection and further our holistic risk
management approach.
PSAs and CSAs both support NPPD's operational mission by assisting
State, local, territorial, and Tribal (SLTT) governments and private-
sector customers in understanding and mitigating threats,
vulnerabilities, and consequences affecting the provision of essential
functions, goods, and services. PSAs and CSAs achieve this end through
information sharing, capacity building, and direct assistance. The
risks that our stakeholders face are cyber and physical, natural and
man-made. Some risks blur the distinction between cyber and physical,
such as space weather or electromagnetic pulse, while others combine
aspects of cyber and physical risk: Cyber attacks causing physical
impacts, natural disasters impacting communication networks, or man-
made attacks on lifeline critical infrastructure. The proposed
realignment, which was included in NPPD's draft reorganization
proposal, will further the ability of our cybersecurity experts and
physical security experts to work side-by-side, ensuring that risks to
critical infrastructure are fully assessed and effectively mitigated
and directly supporting our ability to address an emerging risk
environment in which cyber and physical boundaries are increasingly
meaningless.
ii. risk management
DHS has an all-hazards mission for protecting the homeland. This
means that we must plan for and prioritize a range of risks from
natural disasters to terrorism to cyber attacks. Our mission includes
recurring, persistent, and relatively well-understood hazards such as
hurricanes and earthquakes, as well as threats and hazards such as
solar storms where we must continue to understand the likelihood and
consequences of a possible event. For this reason, DHS approaches
threats and hazards based on an all-hazards analysis of risk and due
caution in the face of inherent uncertainty. This risk-informed
approach guides our planning efforts and the development of new or
enhanced capabilities to address emerging hazards and threats.
Risk is comprised of three variables: Threats that exploit
vulnerabilities to cause undesirable consequences. In other words, risk
is a function of threat, vulnerability, and consequence. DHS recognizes
that risk cannot be eliminated and therefore must be managed through
proven practices including timely information sharing. Risk management
practices include risk acceptance as well as risk mitigation. Risk
management can also include risk transfer, such as contractual
provisions or insurance coverage. But ultimately, risk cannot be
eliminated: There will be incidents, so we must also focus on the
resiliency of our infrastructure under all conditions.
iii. threat landscape
NPPD is particularly focused on two threats that are particularly
salient in the current risk environment: Terrorism and cyber attacks.
Terrorist attacks such as those in France in 2015, Belgium in 2016, and
the tragic attacks in Istanbul and Orlando just last month highlight
the continuing threat. These attacks underscore the persistence of our
adversaries and the vulnerability of public gathering sites.
Terrorist tactics and techniques have transitioned from complicated
attacks such as 9/11 to simple acts of violence using readily-available
weapons such as a gun, knife, hatchet, or car. The threats we face
today are thus more decentralized than a decade ago and reflect, as
Secretary Johnson has said, a new phase of global terrorism. We have
moved from a world of directed attacks to one of inspired attacks.
Inspired attacks are harder for intelligence and law enforcement
communities to detect, can occur with little or no notice, and create a
more complex homeland security challenge.
The threat landscape in cyber space is also changing. Threat actors
in cyber space have highly diverse motivations. Some seek to achieve a
political or social aim. Others seek financial benefit and are
developing new means to monetize cyber intrusions, as exemplified by
the recent wave of ``ransomware'' attacks. Other adversaries attempt to
use strong-arm tactics to advance a goal, such as destroying systems
and data to convey a political message, or target sensitive Government
and private-sector systems to steal critical information for espionage
purposes.
Perhaps most importantly, the past year saw the use of a cyber
attack to achieve a significant disruption of civilian critical
infrastructure. In December, several Ukrainian power companies
experienced a cyber attack that resulted in power outages lasting
around 6 hours that impacted over 200,000 customers. The cyber attack
was well-planned, well-coordinated, and used destructive malware to
delay recovery efforts. This attack should be a warning to our Nation.
Our adversaries have the cyber capabilities to harm our National
security, economic security, public health, and safety. This threat
environment requires DHS to place renewed focus on providing our
customers with risk management tools, information, and support to
protect against cyber attacks and mitigate the consequences when a
compromise occurs.
iv. critical infrastructure security and resilience
These trends in the threat landscape require NPPD, as directed by
the National Infrastructure Protection Plan (NIPP), to approach risk
management from both a top-down and bottom-up perspective. The majority
of the Nation's critical infrastructure is owned and operated by the
private sector or by State, local, Tribal, and territorial (SLTT)
governments. As a result, it is important that Government and industry
work together to mitigate threats, vulnerabilities, and consequences.
We use a top-down approach as we work closely with and across
critical infrastructure sectors to understand and address sector- and
economy-wide risks. We use a bottom-up approach to develop a trusted
relationship with owners and operators of the Nation's critical
infrastructure: For example, a single power plant. PSAs and CSAs are
the core of our bottom-up approach and serve as the focal point of
support to individual critical infrastructure owners and operators. As
our stakeholders make challenging decisions about how to manage their
own risk, field-based PSAs and CSAs provide advice and connect
operators to security capabilities offered across the U.S. Government.
Our PSAs and CSAs operate within a statutory, policy, and doctrinal
framework of voluntary partnerships. They conduct vulnerability and
consequence assessments, provide information on emerging threats and
hazards, and offer tools and training to help critical infrastructure
owners and operators and SLTT partners understand and address risks.
Finally, they provide on-site critical infrastructure subject-matter
expertise during special events and incident responses.
The PSAs have been valuable advisors to local law enforcement.
During last year's events in Baltimore, the local PSA received a
request from Baltimore Gas and Electric (BGE) to facilitate National
Guard Troops at their Spring Gardens facility, fearing that the private
security at the main gate may not be able to prevent protestors from
entering the plant. The Baltimore PSA advised the Baltimore Police
Department Incident Commander of the request and subsequently, the
Maryland Army National Guard provided troops near the main entrance,
and no incidents took place. This direct, community-based security
support is precisely the public service that PSAs provide, as
highlighted by the recent tragic attacks in Orlando, and the still
unfolding events in Dallas last week.
v. psa and csa value proposition
The Department's approach to critical infrastructure security and
resilience is predicated on public-private partnerships. Such
partnerships depend on the formation of trusted relationships between
public and private-sector partners. These trusted partnerships are most
effectively formed through regular and meaningful interactions among
Federal agencies, private-sector owners and operators, and SLTT
governments. In turn, such interactions are most effectively enabled by
regionally-based Federal representatives. The PSAs and CSAs serve as
these regional representatives to establish and mature the
relationships with critical infrastructure owners and operators and
SLTT governments that are foundational to our voluntary approach to
risk management.
In existence since 2004, the PSA program is a mature initiative
that presently fields 102 regionally-based personnel. The President's
fiscal year budget requests further growth to 119 regionally-based PSAs
to meet demand. As field-based representatives, the PSAs work closely
with private-sector companies and with State Homeland Security
Advisers. SLTT stakeholders from every region served by the PSA
programs have consistently identified PSAs as a highly-valued source of
support for their critical infrastructure protection responsibilities.
While PSAs focus principally on physical security, they are beginning
to provide customers with targeted information based on the existing
NPPD portfolio of cybersecurity services to maximize the breadth of
outreach for both cyber and physical risk management activities.
The CSA program is modeled after the PSA program, although it
reflects several differences to account for its focus on cybersecurity.
More nascent than the PSA program, there are currently 5 regionally-
deployed CSAs. By the end of this fiscal year, we expect to deploy 13
total CSAs in the field. The President's fiscal year budget requests a
total strength of 24 CSAs. CSAs provide NPPD's most effective mechanism
to reach small and medium businesses that may lack the resources to
participate in other cybersecurity programs, offer cybersecurity risk
assessments to our stakeholders, and provide the Department with
invaluable insight into National risk trends that are applicable to the
development of new capabilities. CSAs' primary points of contact are
private-sector and SLTT government chief information officers and chief
information security officers.
vi. psa program
The PSA program's primary mission is to proactively engage with
Federal and SLTT government mission partners and members of the
private-sector stakeholder community to protect critical
infrastructure. The PSAs have five mission areas that directly support
the protection of critical infrastructure:
1. Conduct Assessments to Foster Risk Management Best Practices;
2. Threat and Hazard Outreach;
3. Support to National Special Security Events (NSSEs) and Special
Event Activity Rating (SEAR) Events;
4. Incident Response; and
5. Coordinate and Support Risk Mitigation Training--particularly
active-shooter and bombing prevention training.
1. Conduct Assessments to Foster Risk Management Best Practices
One of the central ways that PSAs support critical infrastructure
owners and operators is by planning, coordinating, and conducting
voluntary, non-regulatory security surveys and assessments on critical
infrastructure assets and facilities within their respective regions,
ranging from houses of worship to major league sports stadiums. Our
PSAs offer a range of assessment capabilities including Infrastructure
Survey Tool (IST) security surveys, Assist Visits, Infrastructure
Visualization Platform imagery captures and broader assessments
conducted through the Regional Resiliency Assessment Program (RRAP).
The resulting survey information is provided to owners and
operators and highlights areas of potential concern, recommendations to
mitigate identified vulnerabilities, and options to view the impact of
potential enhancements to protection and resilience measures. Over 85
percent of the assessed facilities indicate that they will use the
feedback from the PSA to guide their security or resilience
enhancements.
The increasingly tight coupling and interconnection between cyber
and physical systems has required PSA's to begin to conducting joint
assessments of cyber and physical security. A principal example of such
joint assessment was an RRAP conducted on a Data Center Cluster in
Ashburn, VA that assessed cyber and physical risks to a key information
technology facility. PSAs serve as a conduit for accessing other DHS
cybersecurity resources, and are able to connect stakeholders to
resources for encouraging cyber hygiene and information assurance
practices. When additional or local cyber expertise is needed, PSAs can
connect partners to CSAs.
2. Information Sharing
In the past 3 years, the PSA program has conducted multiple
outreach activities focusing on specific communities of interest and
sectors such as faith-based organizations, shopping malls, energy/
electrical sector entities, sports leagues and venues, and K-12
schools. These engagements were intended to provide an overview of
evolving threats, such as active-shooter awareness, an understanding of
available tools and resources, and best practices designed to enhance
information sharing, physical security, and resilience. These efforts
often led to customers requesting security/vulnerability assessments
from the PSAs. PSAs also encourage businesses to ``Connect, Plan,
Train, and Report.'' Applying these 4 steps in advance of an incident
or attack can help better prepare businesses and their employees to
proactively think about the role they play in the safety and security
of their businesses and communities.
As an example, the Metcalf Electrical Substation, in San Jose,
California, was subject to a breach by unknown actors in April 2013.
The assailants were able to access the substation and caused
significant damage to five transformers and fiber optic cables, which
in turn affected telecommunications in Santa Clara County. As a result
of this incident and others, the Department of Energy and DHS, in
coordination with other Federal agencies and regulatory commissions,
conducted an outreach program. The outreach was conducted in 10 U.S.
cities and 2 Canadian cities and addressed proactive security measures,
threat detection and assessment technologies, and the creation of an
incident response plan. Following the completion of the Electrical
Substation Outreach, PSAs provided briefings for the 10 most critical
electrical substations and their stakeholders, and conducted IST
security surveys. The data from the security surveys was used to
analyze common protective and resilience measures, summarized in a
report published April 2015.
An additional example followed the mass shooting at the Emanuel AME
church in Charleston, SC on June 17, 2015. Our local PSA offered around
20 security briefings and conducted active-shooter briefings for
companies, schools, and churches. All briefings were well-received and
some recipients requested further training. On February 17, the PSA
also supported holding a DHS Interfaith Town Hall in Charleston, South
Carolina where we brought public and private-sector partners together
and discussed protective security resources for faith-based and non-
profit community stakeholders.
3. Incident Response
In response to natural or man-made incidents, PSAs deploy to State
and local Emergency Operations Centers and, when appropriate, Federal
Emergency Management Agency (FEMA) Regional Response Coordination
Centers. PSAs provide situational awareness and facilitate information
sharing to support the response, recovery, and rapid reconstitution
efforts of critical infrastructure. During major incidents and when
designated by the Assistant Secretary of the Office of Infrastructure
Protection, PSAs serve as Infrastructure Liaisons at Joint Field
Offices or Unified Coordination Groups.
In 2015 and 2016, the National Preparedness System went through a
``refresh'' effort to update the National Preparedness Goal, the 5
mission area Frameworks and the Federal Interagency Operational Plans
for Prevention, Protection, Response, and Recovery. These foundational
documents further define the role of the PSAs in ensuring that the
connection between infrastructure stakeholders and partners across the
Nation are able to support and engage in National preparedness efforts.
4. Special Events
PSAs provide support to officials responsible for planning and
leading special events. This includes providing expert knowledge of
local critical infrastructure; participating in planning committees and
exercises; conducting security surveys and assessments of event venues
and supporting infrastructure; and coordinating the development and
delivery of geospatial products. Examples of special events supported
by the PSAs include:
Presidential Inauguration, State of the Union, Papal Visit
and Republican and Democratic National Conventions;
Major sporting events such as the Super Bowl (The Houston
PSA is the Deputy Federal Coordinator for Super Bowl 51), World
Series, Stanley Cup, and Indianapolis 500;
Annual United Nations General Assembly; and
New Year's Celebration at Times Square in New York City.
5. Risk Mitigation Training
To reduce risk to the Nation's critical infrastructure, NPPD
develops and delivers a diverse curriculum of training to build Nation-
wide counter-improvised explosive device (IED) core capabilities and
enhance awareness of terrorist threats. Coordinated by PSAs, the
courses educate SLTT participants such as municipal officials and
emergency managers, State and local law enforcement and other emergency
services, critical infrastructure owners and operators, and security
staff on strategies to prevent, protect against, respond to, and
mitigate bombing incidents.
Annually, the PSAs provide active-shooter briefings to a diverse
audience. These briefings provide an overview and characteristics of an
active-shooter incident, personal response, and ``Active Shooter--How
to Respond'' materials. PSAs also assist with the coordination of
comprehensive Active-Shooter Workshops that provide training and
detailed information to assist facilities in developing emergency
action plans to respond to active-shooter threats.
vii. csa program
NPPD modeled the CSA program after the PSA program, incorporating
appropriate customization to focus on cybersecurity issues. CSAs
promulgate best practices and conduct vulnerability assessments,
connect stakeholders to information-sharing resources, serve as a
liaison between critical infrastructure owners and operators and the
National Cybersecurity and Communications Integration Center (NCCIC)
for incident response and support to special events CSAs function as a
regionally deployed source of subject-matter expertise and provide
expert consultation on cybersecurity best practices to improve our
stakeholders' cybersecurity risk management.
1. Conduct Assessments to Foster Risk Management Best Practices
Each CSA promotes and assists stakeholders in their implementation
of the Cybersecurity Framework, which was jointly developed by the
Government and private sector. The prioritized, flexible, repeatable,
and cost-effective approach of the Framework helps critical
infrastructure owners and operators manage their cybersecurity risk.
CSAs also provide critical infrastructure owners and operators with
tools, guidance, and individualized assistance to help entities use the
Framework in a manner that supports their specific risk management
needs. CSAs ensure that critical infrastructure stakeholders receive
alerts, warnings, and bulletins on cybersecurity vulnerabilities,
mitigations, and best practices through the NCCIC. These alerts,
warnings, and bulletins concern risks to general IT systems as well as
specialized risks to industrial control systems--the types of systems
used to control power plants, manufacturing assembly lines, and other
physical devices.
CSAs also help our customers improve their cybersecurity risk
management through voluntary vulnerability assessments. CSAs offer two
primary types of assessments to supplement an organization's existing
activities. First, the Cyber Resilience Review (CRR) evaluates an
organization's operational resilience and cybersecurity practices
across 10 domains including risk management, incident management, and
continuity. Second, the Cybersecurity Evaluation Tool (CSET) is a
desktop software program that guides asset owners and operators through
a step-by-step process to evaluate their industrial control system and
information technology network security practices. Both the CRR and the
CSET are now mapped to the Cybersecurity Framework and allow
organizations to understand their relative maturity across the
Framework's functions. CSAs also offer more specialized risk
assessments, such as assessments focused on supply chain risk
management.
In addition, CSAs also link critical infrastructure owners and
operators and technical penetration testing teams based in the NCCIC.
For example, CSAs connect critical infrastructure partners with the
National Cybersecurity and Assessment and Technical Services, which
provides a variety of technical assessments to identify vulnerabilities
in an organization's enterprise, including phishing tests, wireless
application assessments, and internal penetration testing.
2. Information Sharing
CSAs connect critical infrastructure entities with the NCCIC's
information-sharing programs. Pursuant to the Cybersecurity Act of 2015
(Pub. L. 114-113, Division N), DHS serves as the U.S. Government's
primary portal for automated cyber threat indicator sharing. By
participating in the Automated Indicator Sharing initiative,
organizations receive machine-readable cyber threat indicators to
immediately detect and block cybersecurity threats. CSAs are leveraging
the relationships that they and the PSAs have built to encourage
companies to sign up for Automated Indicator Sharing. Additionally,
CSAs help stakeholders learn about and join the Cyber Information
Sharing and Collaboration Program (CISCP), which provides a trusted
forum where vetted partners share threat and incident information with
the Government and other private-sector partners. CISCP also permits
participating companies gain access to the NCCIC watch floor for
operational collaboration.
3. Incident Response
Cybersecurity is about risk management, and no organization can
eliminate all risk. Organizations that implement best practices and
share information will increase the cost for adversaries and stop many
threats. But ultimately, there exists no perfect cyber defense, and
persistent adversaries will at times find ways to infiltrate networks
in both Government and the private sector. When an incident occurs,
private sector and SLTT governments may work with CSAs to obtain
incident response and coordination resources from the NCCIC as well as
any additional information they need to respond effectively. CSAs
provide valuable insight to help the NCCIC coordinate responses to
incidents and to enhance senior leaders' situational awareness.
4. Special Events
CSAs also provide support to officials responsible for planning and
leading special events. This includes participating in planning
committees and exercises and conducting security assessments of event
venues and supporting infrastructure. Examples of special events
supported by the CSAs include the Republican and Democratic National
Conventions and major sporting events such as the Super Bowl and the
Major League Baseball All-Star Game, where adversaries could
potentially target the industrial control systems that enable the
provision of lighting, crowd control, security measures, and other
critical functions to the host venues.
viii. the way forward
As with all of NPPD's programs, we are continuously assessing
progress and looking for opportunities to enhance our capability to
most effectively serve our customers. As a result of such a continuous
improvement effort, NPPD is further integrating the PSAs and CSAs. For
example, CSAs frequently leverage the PSA program to identify and
initiate stakeholder engagement where a PSA has previously partnered.
In fiscal year 2015, more than 20 percent of CSA evaluations were
initiated as a result of direct referrals from PSAs. CSAs and PSAs also
conduct joint physical and cyber assessments of critical infrastructure
entities and coordinate analytical resources and assessment methods.
PSAs and CSAs often exchange information regarding interaction with
shared partners and stakeholder groups.
In recognition of growing opportunities for joint cyber-physical
stakeholder engagement, we asked Congress to authorize the
establishment of a new operational component within DHS, the Cyber and
Infrastructure Protection Agency. We submitted a plan that will better
align the PSAs and CSAs and streamline and strengthen existing
functions within the Department to ensure we are prepared for the
growing cyber threat and the potential for physical consequences as a
result of an attack. We urge Congress to take action so that DHS is
best positioned to execute this vital mission.
1. Way Forward for the PSA Program
i. Three-Year Strategic Plan
IP is working with the Office of Cyber and Infrastructure Analysis
(OCIA) to develop a 3-year Strategic Plan for PSA's Assessments, as
required by Congress, to determine how we can enhance the value and
impact of its assessment portfolio for its stakeholders over the next 3
years. The strategic plan will:
1. Clarify the strategic intent behind IP's conduct of assessments;
2. Expand the value derived from assessments for IP's primary
stakeholders;
3. Articulate how assessments can better leverage, and be better
leveraged by, related efforts from partners such as OCIA and
FEMA; and
4. Optimize how assessments are prioritized and measured.
Once completed, this project will guide how the PSA assessment
portfolio supports stakeholders across the Nation, contributes to a
National understanding of risk, and supports National preparedness
planning, as well as grants decision making. The CSA program will
identify improvements by drawing upon the analysis in this plan and its
lessons learned.
ii. Regionalization
The owners and operators of critical infrastructure in the United
States are not exclusively located in the Washington, DC area. In order
to rebalance resources and meet our stakeholders where they operate,
the PSA Program and other NPPD programs are regionally and field-based.
These regional programs are so integral to successful delivery of
products and assessments to owners and operators that NPPD has begun
the process of shifting headquarters-based staff into the field. NPPD
will be placing additional staff from IP in each region to supplement
the current PSAs. PSAs provide direct support of mission benefactors,
tailored and adapted to meet regional, State, and local needs, and this
disciplined shift toward field-based and regionalized operations is
designed to optimize the way that PSAs support partners across the
Nation, both providing more locally-tailored support, and managing
expanding security challenges. The CSAs will operate in a similar
manner and will be tied into this regional construct.
2. Way Forward for the CSA Program
NPPD is expanding the number of CSAs deployed across the Nation.
The allocation of CSAs is based on a risk-informed set of criteria,
including:
Public-Sector Partners.--The presence of public-sector
partners (e.g., SLTT governments) with strong cybersecurity
programs that would benefit from a closer relationship with
NPPD.
Private-Sector Partners.--High concentrations of companies
in particular critical infrastructure sectors, particularly
entities identified under Section 9(a) of Executive Order 13636
as especially critical.
PSA Activity.--Regions with existing PSAs that will provide
new CSAs with an existing network of critical infrastructure
contacts.
FEMA Models.--CSA expansion will also be informed by
available FEMA models, such as those utilized in the context of
the Urban Areas Security Initiative and Threat and Hazard
Identification and Risk Assessment.
ix. closing
Protecting the Nation, its critical infrastructure, and each
community is a shared responsibility. PSAs and CSAs provide an
essential local point of connection between DHS and our critical
infrastructure stakeholders. They are the primary ``bottom-up''
capability to help individual companies better manage their risks, and
consequentially they create trust relationships that can inform the
development of top-down programs to manage risks across entire sectors.
This local point of connection allows the Department to more
effectively accomplish its mission and helps our stakeholders manage
their all-hazards risk.
Thank you again for the opportunity to appear before you today. We
look forward to your questions.
Mr. Ratcliffe. Thank you, Dr. Ozment.
I now would like to recognize Ms. Durkovich for 5 minutes
for her opening statement.
STATEMENT OF CAITLIN DURKOVICH, ASSISTANT SECRETARY, OFFICE OF
INFRASTRUCTURE PROTECTION, NATIONAL PROTECTION AND PROGRAMS
DIRECTORATE, U.S. DEPARTMENT OF HOMELAND SECURITY
Ms. Durkovich. Chairman Ratcliffe, Ranking Member Richmond,
and Members of the subcommittee, thank you for the opportunity
to appear before you today to discuss the crucial role that
Protective Security Advisors and Cybersecurity Advisors, or
PSAs and CSAs, respectively, serve in supporting critical
infrastructure owners and operators in their efforts to manage
an increasingly complex and dynamic risk environment.
NPPD's mission is derived from the recognition that
critical infrastructure is essential to the Nation's security,
economic prosperity, the resilience of our communities, and our
way of life. However, the majority of our Nation's
infrastructure is owned and operated by the private sector and
by State and localities. As such, the Federal Government shares
responsibility in helping them navigate a risk landscape that
has become multi-dimensional, covering physical, cyber, and
even space-based threats and hazards.
To that end, we appreciate your support for establishing a
cyber and infrastructure protection operational component
within the Department and for authorizing the PSA and CSA
Program.
The Department's approach to critical infrastructure
security and resilience is predicated on building trusted,
value-added partnerships with owners and operators of critical
infrastructure. We build partnerships at the National level
with the 16 sectors to identify requirements and gaps, develop
tools, build capacity, and promulgate best practices to manage
threats and hazards specific to their sectors while recognizing
the important dependencies and interdependencies that are
created by their interception.
But equally important we build partnerships at the
regional, State, and local level beyond the Beltway, where
owners and operators are living the daily reality of this
dynamic risk environment. The PSAs and CSAs are responsible for
developing and sustaining these trusted relationships and
bringing resources to bear to help owners and operators put
appropriate security and resilience measures in place. And in
the event of a bad day, help mitigate the consequences so we
can not only limit the loss of life but the economic impact and
disruption to our communities.
We fielded the first PSA cohort in 2004 with the goal of
putting at least one PSA in every State. Today, it is a mature
program with 102 regionally-based personnel, and we've done
more than just putting a PSA in every State. Larger States and
urban areas are home to several PSAs. In the President's fiscal
year 2017 budget request, we have been asked for an additional
17 PSAs.
No week for a PSA is the same. I have had the opportunity
to witness first-hand what they accomplish each day in our
communities. It ranges from conducting the vulnerability
assessments we are here today to discuss, to organizing
security campaigns on evolving threats, such as violent
extremism or substation attacks. It may include active-shooter
training and counterimprovised explosive device workshops or
planning for special events such as the upcoming political
conventions.
Equally important, as I expect you will hear today from
Director Brown, they support State and local critical
infrastructure protection activities and provide critical
decision support information about disruptions to
infrastructure and cascading impacts during an incident.
Recent events demonstrate why critical infrastructure must
be secure and able to rapidly recover from all hazards.
Terrorist attacks and active-shooter incidents both here and
abroad highlight the continuing interest that adversaries have
shown in targeting critical infrastructure, the vulnerability
of public gathering sites, and they underscore the persistence
of those who wish to cause harm, whatever their motive.
In addition, the last several months highlight the
convergence of the cyber and physical domains. The disruption
to the Ukrainian power grid is the first known example of a
remote cyber attack that had physical consequences. We know
that nation-States are looking to gain footholds into our
infrastructure to use in times of conflict. To meet the threat
head-on, CSAs and PSAs have already begun to coordinate their
efforts, conducting joint physical and cyber assessments of
critical infrastructure and aligning analytical resources and
assessment methods.
In fiscal year 2015, more than 20 percent of CSA
evaluations were initiated as a result of direct referrals from
the PSAs. The Office of Infrastructure Protection is working to
develop a 3-year strategic plan for assessments as required by
Congress, which we expect to be completed by the second quarter
of fiscal year 2017. This plan will enable us to clarify the
strategic intent behind IPs conduct of assessments, expand the
value derived by our stakeholders, and will further guide how
the assessments are prioritized and measured.
In closing, protecting the Nation, our critical
infrastructure, our communities, and our way of life is a
shared responsibility. PSAs and CSAs provide the local point of
connection between DHS programs and our critical infrastructure
stakeholders. They are the primary bottom-up capability to help
owners and operators better manage their risks and consequently
are the basis for the trusted relationships that have resulted
in a National critical infrastructure program that is a model
around the world.
Thank you, again, for the opportunity to appear before you
today. I look forward to your questions and to working with you
to ensure NPPD or cyber and infrastructure protection is
appropriately organized and positioned to carry out this
critical mission.
Mr. Richmond. Mr. Chairman, I would ask unanimous consent
that Mr. Payne be allowed to participate in today's hearing.
Mr. Ratcliffe. Without objection.
I would like to welcome the gentleman from New Jersey to
our subcommittee today. Glad to have you.
Thank you, Ms. Durkovich. The Chair now recognizes Mr.
Brown for 5 minutes for his opening statement.
STATEMENT OF MARCUS L. BROWN, HOMELAND SECURITY ADVISOR,
DIRECTOR OF THE OFFICE OF HOMELAND SECURITY, COMMONWEALTH OF
PENNSYLVANIA
Mr. Brown. Good morning, committee Members, Chairman,
Ranking Member. I appreciate the opportunity to be here today
to discuss our partnership with the Department of Homeland
Security's Office of Infrastructure Protection.
A significant aspect of our mission relates to prevention
and protection of our citizens and our critical infrastructure
in the face of terrorist threats.
Many of the ways we maximize our efforts with prevention
and protection activities is working with our three protective
security advisers and our regional director.
In a joint effort with the PSAs, we have developed programs
that better prepare our citizens by identifying vulnerabilities
and improving capabilities that address the threat of
terrorism.
We follow the National Infrastructure Protection Plan, and
we have developed and implemented a State critical
infrastructure plan as a component of the overarching Homeland
Security program.
Together, we have been able to establish a list of the most
critical infrastructure in Pennsylvania by collecting,
prioritizing, analyzing facilities and assets through
meaningful outreach.
Our three PSAs provide immense value in assisting local,
State, and Federal officials and the private sector in
protecting Pennsylvania's critical infrastructure.
One of the ways the PSAs accomplish this is by conducting
vulnerability assessments, surveys, active-shooter protection
walkthroughs of facilities and assets. My staff has accompanied
the PSAs in many of these facilities when they are conducting
vulnerability assessments. From our observations, having the
owners and operators of these facilities in a room with law
enforcement, with emergency medical services, and with other
public safety officials always provided one-of-a-kind
opportunities for everyone involved to identify the
complexities of a facility in terms of physical and
cybersecurity.
The main tools the PSA uses in their vulnerability surveys
is called an Infrastructure Survey Tool, or an IST. The IST is
used to capture information about a facility in order to
identify the areas where the facility is most vulnerable. After
that data is collected and analyzed, a report containing a
comparative analysis known as the dashboard is provided to the
owner of the facility in order to assist in reducing risk.
While the interactive dashboard shows how weak or strong
that facility is compared to like facilities around the
country, the report also zeros in on vulnerabilities specific
to that facility and provides options of consideration, meaning
that these specific actions taken by a facility will reduce its
vulnerability and, therefore, reduce its risk against man-made
or natural disasters.
Additionally, this information gives local, State, and
Federal public safety officials a picture of what is most at
risk in their area of operations.
For example, with this information in hand, the PSAs can
monitor critical infrastructure that may be vulnerable during a
specific event such as the upcoming Democratic National
Convention in Pennsylvania. The tool used for this purpose is
called the Special Event or Domestic Incident Tracker tool.
During the upcoming Democratic National Convention in
Philadelphia, the PSAs will share the information in this tool
with all of the members of our State Emergency Operation
Center. Then the EOC will be able to provide me with
situational awareness reports that I can then feed to public
safety leadership and the Governor.
From the perspective of my office and the citizens of
Pennsylvania, the PSAs and the Cybersecurity Advisors bring
their experience and expertise into play to assist in critical
infrastructure protection efforts, and their value cannot be
overstated.
The tools that they use to assist the private-sector
facilities are most beneficial to my office, especially during
times when my staff has to report to our State EOC during an
activation. We value their input and assistance when they are
participants with us in our tabletop exercises and training
events. What they offer our office is immeasurable to our
mission of protecting the citizens of Pennsylvania.
We have provided in an Appendix a list of the assessments,
that have been done by our PSAs in advance of the Democratic
National Convention. So once again, I would just like to thank
the committee for having me here, and I'm more than willing to
answer any questions.
[The prepared statement of Mr. Brown follows:]
Prepared Statement of Marcus L. Brown
July 12, 2016
Good morning committee Members. I am Marcus Brown, director of the
Pennsylvania Office of Homeland Security. I appreciate the opportunity
to be here today and discuss our partnership with the Department of
Homeland Security's Office of Infrastructure Protection.
A significant aspect of our mission relates to the prevention and
protection of our citizens and our critical infrastructure in the face
of terrorist threats. Many of the ways we maximize our efforts with
prevention and protection activities is working with our three
protective security advisors (PSAs) and their regional director.
In a joint effort with the PSAs we have developed programs that
better prepare our citizens by identifying vulnerabilities and
improving capabilities that address the threat of terrorism. We follow
the National Infrastructure Protection Plan (NIPP) and have developed
and implemented a State critical infrastructure protection plan as a
component of the overarching Homeland Security program. Together we
have been able to establish a list of the most critical infrastructure
in Pennsylvania by collecting, prioritizing, and analyzing facilities
and assets through meaningful outreach.
Our 3 PSAs provide immense value in assisting local, State, and
Federal officials and the private sector in protecting Pennsylvania's
critical infrastructure. One of the ways PSAs accomplish this is by
conducting vulnerability assessments, surveys, and active-shooter
protection walk-throughs of facilities or assets. My staff has
accompanied the PSAs many times to facilities when they conducted
vulnerability assessments or surveys. From our observations, having the
owners and operators of the facilities in a room with law enforcement,
emergency medical services, and other public safety officials always
provided a one-of-a-kind opportunity for everyone involved to identify
the complexities of a facility in terms of physical and cyber security.
The main tool the PSAs use for their vulnerability surveys is
called the Infrastructure Survey Tool (IST). The IST is used to capture
information about a facility in order to identify the areas where that
facility is most vulnerable. After that data is collected and analyzed
a report containing a comparative analysis, known as a dashboard, is
provided to the owner of the facility in order to assist in reducing
risk. While the interactive dashboard shows how weak or strong that
facility is compared to like-facilities around the country, the report
also zeros in on vulnerabilities specific to that facility and provides
``options for consideration,'' meaning the actions taken by a facility
will reduce its vulnerability and therefore reduce its risk against
man-made and natural hazards.
Additionally, this information gives our local, State, and Federal
public safety officials a picture of what is most at-risk in their area
of operations. For example with this information in hand the PSAs can
monitor critical infrastructure that may be vulnerable during a special
event, such as the Democratic National Convention (DNC). The tool used
for this purpose is called the Special Event and Domestic Incident
Tracker (SEDIT) tool. During the upcoming Democratic National
Convention in Philadelphia the PSAs will share the information in this
tool with my Infrastructure Protection Specialists, who will be sitting
in the State's Emergency Operations Center (EOC). They will provide me
with situational awareness reports that I can share with Governor Wolf.
From the perspective of my office and the citizens of Pennsylvania
the PSAs and Cyber Security Advisor (CSA) bring their experience and
expertise into play to assist in critical infrastructure protection
efforts and their value cannot be overstated. The tools that they use
to assist the private-sector facilities are most beneficial to our
office especially during the times when my staff has to report to the
State EOC during activation. We value their input and assistance when
we host table-top exercises or training events. What they offer our
office is immeasurable to our mission of protecting the citizens of
Pennsylvania.
I have provided an appendix that lists the assessments that have
been completed by our PSAs and CSA in advance of the Democratic
National Convention.
Once again, I would like to thank the committee for inviting me
here to speak on this matter. To the extent there are questions I will
be happy to attempt to answer any inquiries.
APPENDIX
I. In preparation for the Democratic National Convention, the
Infrastructure Survey Tool has been used on the following facilities in
Philadelphia:
Wells Fargo Center (Location for the DNC)
PA Convention Center
National Constitution Center
Lincoln Financial Field
Citizens Bank Park
Hahnemann Hospital
Equinix Data Center
One Liberty Place high-rise
Multiple Exelon/PECO substations
II. Other facilities that have been assessed in the past and whose data
will be used during the Democratic National Convention include:
Philadelphia Gas Works
Multiple assets of the Philadelphia Water Department
Penn Presbyterian Hospital
Transportation assets--Southeastern Pennsylvania
Transportation Authority
Amtrak
Delaware River Port Authority (Walt Whitman and Ben Franklin
Bridges)
Comcast Center
Philadelphia Museum of Art
PJM Interconnect
III. Cyber assessments conducted on Pennsylvania facilities that will
have a role in supporting the Democratic National Convention
PA Convention Center
Samuel Baxter Water Treatment Plant (main water treatment
plant of the Philadelphia Water Department)
Comcast Center
Philadelphia Gas Works
PJM Interconnect
IV. Requests for cyber assessments currently in the planning process
Delaware River Port Authority
One Liberty Place
Philadelphia Museum of Art
National Constitution Center
V. Additional training conducted by DHS and Governor's Office of
Homeland Security in advance of the Democratic National Convention
Active-Shooter Workshop (Public & Private Sectors)
29 April 2016 (Independence Visitors Center--41 N. 6th
Street, Philadelphia, PA 19106)
Surveillance Detection Training (Public and Private
Sectors):
10-12 May 2016 (National Park Service HQs--143 S. 3rd
Street, Philadelphia, PA 19106)
07-09 June 2016 (National Park Service HQs--143 S. 3rd
Street, Philadelphia, PA 19106)
Protective Measures Course and Vehicle-Borne IED Search
Procedures (Public and Private Sectors):
25 and May 2016 respectively (Delaware Valley Intelligence
Center, 2800 S. 20th Street, Philadelphia, PA 19145)
Mr. Ratcliffe. Thank you, Mr. Brown.
I now recognize myself for 5 minutes for questions.
Dr. Ozment, I want to start with you. We talked about the
fact that, as you said, the CSA program that hopefully, you'll
be able to leverage and learn from some of the lessons of the
PSA's 12-year history.
One of the questions that I have for you is can you advise
us on the developmental and training programs for the CSAs to
ensure that the field-based personnel out there have a diverse
cyber experience that includes computer engineering skills,
that includes a well-versed knowledge of cyber incident
response and a solid working knowledge of the NCCIC and its
capabilities and services?
Mr. Ozment. Thank you, Chairman. Let me, first, highlight
what we are looking for in a Cybersecurity Advisor.
Cybersecurity Advisors are the risk advisors in
organizations. So if you look at a typical chief information
security officer office, the chief cybersecurity office of a
customer, they usually have a CISO, chief information security
officer, a policy office, a risk management office, an
operations office, and maybe an information-sharing office.
The CSAs bring in that high-level risk management
knowledge. So we do not expect them to put hands on a keyboard
and be able to do a technical risk assessment. We want them to
bring that strategic perspective. Risk management is really the
chassis upon which we build cyber programs, and so it's really
core.
So right now, let me tell you, in fact, about our 6 CSAs,
because I think we have a really impressive group of folks. We
have one individual who is a former State CISO. We have a
National lab expert on cybersecurity. We have a long-time Navy
cyber individual who is also the CISO of a private-sector
company. We are about to bring on to Houston in the next month
a person who is an executive in an oil and natural gas company
to be our Cybersecurity Advisor in Houston. So, and that's just
an example of the great talent we've got in this program. So we
are bringing in the right people.
To your point, we then have to continue to train them. So
one of the things that we do is we actually look to existing
training programs such as--well actually, I won't mention
certification programs by name, but there are existing private-
sector-led certification programs that you use to really ensure
that your people have the best risk management knowledge, and
so we use those certification programs plus bringing them in
back to headquarters to train them on what's available from the
headquarters organization and the NCCIC itself.
Mr. Ratcliffe. Thank you, Dr. Ozment.
Ms. Durkovich, let me turn to you. As I understand, the
Protective Security Advisor Program has developed a new public
outreach initiative, ``Homeland Security Starts With Hometown
Security.'' You and I talked about that. I've got this handout
that you gave me. This sounds like a great initiative. My
question to you is, have you determined any benchmarks or
metrics to determine the success of programs like these or
other PSA outreach? Then depending on your answer, Mr. Currie,
I would like to have you weigh in on your experience with
respect to whether there are any best practices for determining
or reporting measurable metrics in areas that are activity-
based?
Ms. Durkovich. Thank you very much, Chairman, for that
question. It is a great question. I want to begin by
acknowledging that we are continuing to look at how we enhance
and improve our metrics.
As you know, most of what we do within the Office of
Infrastructure Protection is voluntary. So owners and operators
are not required to participate in our assessments, nor are
they required to report back to us what options or
considerations they accept. However, we have, over the course
of the last several years, begun to do a better job in terms of
tracking those options or considerations that are recommended,
and we know, for instance, that at least 90 percent of owners
and operators at least adopt one of our options for
consideration.
We are working to go through the Information Collection
Request process, which will allow us to provide surveys and
questionnaires, to our owners and operators, to more
effectively understand how useful the value that campaigns such
as the connect-plan-train-report initiative are bringing.
Once we have that information collection request completed,
again, we will be able to actually hand out surveys and get
their direct input. We do this right now for the Office of
Bombing Protection within IP, and many of the counter-
improvised explosive device training courses that we offer, and
we know, for example, that our owners and operators rate most
of our trainings 4.7 out of 5 stars. So that's an encouraging
statistic.
Some of the metrics is anecdotal or qualitative, I should
say, and it is based on the participants that come to our
workshops. We have recently rolled out an updated version of
our active-shooter workshop that is focused on developing an
emergency action plan for owners and operators in the event of
an active-shooter incident. I will tell you, having
participated in one in Philadelphia a month ago, the room is
overflowing. I will--again, some of this is just based on the
feedback that we get directly whether it is from homeland
security advisers, from owners and operators, in terms of the
value that we have brought in helping them understand the range
of threats and hazards and the measures that are appropriate
for their operating environment.
Not every business, shopping mall, movie theater, can put
mags in, can do the things that you have here when you enter
into this building. So part of what we do is working with them
over time to develop that plan and to ensure that the
appropriate measures are in place.
But it is an area that we recognize that we have to
continue to work on, and it is why we are working diligently to
complete the 3-year strategic assessment which will, again,
give us a better foundation for the metrics that we collect.
Mr. Currie. Yes, sir. So I agree with everything Ms.
Durkovich said at the end. I would sort of make two points. No.
1, and, you know, data sharing and data collection is not an
exciting topic, but I think that that is the key first step, is
that there are so many assessments that have already been done
and so many tools out there and so much data that has been
collected, first looking across all of this data to see what we
first have.
One of the problems we identified when we actually tried to
look across all that information was that there may have been
similar information collected in different assessments but just
asked in a different way. So it wasn't consistently collected,
and you could not compare it across sectors, across facilities
and all that type of thing. That makes it really, really
difficult to identify priorities across the country. But I also
want to make the point that--I mean, this is really difficult,
you are dealing with 16 individual unique sectors; each sector
has to have unique tailored questions to it. But there is a way
to collectively do this.
I do want to make the other point, though that, there are
certain programs where DHS is a little bit more involved in the
actual assessment and follow-up, like the Regional Resiliency
Assessment Program, where DHS goes out with local partners and
other Federal agencies and assesses regional risk and
resiliency. One of our past recommendations is they better
follow up on that to see what mitigation actions were taken and
how that actually decreased vulnerabilities. So you can
quantitatively look at that issue, too.
Mr. Ratcliffe. Thank you, Mr. Currie and Ms. Durkovich.
My time has expired. The Chair now recognizes my friend
from Louisiana, the Ranking Member, Mr. Richmond.
Mr. Richmond. Thank you very much.
This is to Director Brown, and it's also a follow-up of
some things that you mentioned in your testimony.
In your experience in Pennsylvania, and especially in light
of the upcoming Democratic convention, how are critical
infrastructure owners and operators taking advantage of the
vulnerability assessments performed by PSAs and CSAs, and are
they actually adopting the recommended countermeasures and
security controls, No. 1?
Then, No. 2, in your opinion, have these assessment
programs been noticeably beneficial? If not, what would you
suggest improving?
Mr. Brown. First, I would like to take a step back from the
DNC last year. We had the papal visit in Philadelphia, also.
Again probably the largest a NSSC event that the country has
ever seen. And, again, I sat on the Executive Steering
Committee for that, and so, oversaw a great deal of the
security planning for the event at all levels--local, State,
and Federal. The PSAs played a very important role in what we
were doing there. You know, they--and that was in several ways.
No. 1, the assessments that they did, they had done a
significant number of assessments in the Philadelphia area for
that event, leading up to that event, and then again prior to
the DNC. Those facilities, when we did table-top exercises,
many of those facilities came into a component of the exercise.
The fact that we had security assessments done and more
importantly, actions taken as a result of those security
assessments to make those facilities safer, I think, played a
big role in the level of protection everybody expected at those
locations and then how we felt about our preparation for the
events.
You know, in each one of those events also leading up to
them, including the DNC, you know, our PSAs also assisted
greatly in training preparation for those events. They had
active-shooter training, they had vulnerability facility
training, they had IED training, they had surveillance
protection training. So it goes beyond just the assessments
themselves. When they do the assessments, they see that there
are certain vulnerabilities, and then their training comes in
behind that to ensure that we're looking at those things and
trying to solve some of those problems.
So my thought is that, that they play an important role
working with public safety to ensure that the facility and the
location and the events that we are putting on, especially in
the ones coming up here in Philadelphia for the DNC, I think we
are in a much safer position now as a result of their work.
Mr. Richmond. Thank you. I would direct this question to
the panel, and I think that--I would be interested in the
response.
GAO reported that Coast Guard Protective Service Security
Advisors and TSA field personnel, have reported observing
Federal fatigue or a perceived weariness among critical
infrastructure owners and operators that have repeatedly been
approached by different Federal agencies and offices. What's
being done to address this, both, within the Office of
Infrastructure Protection and Cybersecurity and Communications,
and externally in regards to other agencies and is it something
you all notice and see?
Ms. Durkovich. I'm happy to start with that question. Thank
you. It is a great one.
I do want to begin by mentioning that we have moved to a
single assessment methodology within the Office of
Infrastructure Protection, in part because of the work that the
GAO has done in identifying some of the challenges behind
having multiple assessments.
So over the course of the last several years, we have,
again, moved to a single assessment methodology. That
assessment methodology is housed in something called the IP
Gateway, which really serves as the chassis that underpins our
entire suite of assessment tools, our integrated situational
awareness, and our integrated planning tools.
The IP Gateway now is used not only by DHS but by many of
our Federal partners across the departments and agencies, and
equally important, it is used by every State and often in urban
areas to conduct these assessments.
But I think that your question raises why our efforts to
continue to move toward operationalization, and to enhance our
efforts out in the field in the regions is so important.
Part the reason that we have established an IP senior
leader in every region is to ensure that we are coordinating,
more closely than ever before, with our Federal partners, with
our State partners not only in the conduct of assessments to
ensure that we are not duplicating efforts, but equally
important that we are coordinated in support of special events
and incident response.
We have seen the dividends already play out in the regions.
I think that we, again, are doing a much better job in limiting
duplication.
So as we continue to move in, you know, move to getting
additional resources out there, I think that we will continue
to see the benefits from this.
Mr. Richmond. Anyone else wanted to comment?
Mr. Ozment. I'll just chime in and highlight that this is
one of the strengths of having the PSA Program and the CSA
Program closely coupled. The CSAs cybersecurity advisers
coordinate with the PSAs, Protective Security Advisors to make
sure that their activities are in line, and really look to the
PSAs to be the core relationship manager in a given region.
Mr. Brown. If I could just make one final comment. You
know, I think the security assessments that are done play an
important role. But when we couple them, our office has--a huge
part of what we do is put on table-top exercises. So, when we
can couple that assessment with an actual exercise, we all of a
sudden now--the facility is now testing what they got in their
assessment in an exercise to ensure that the implementation of
it, that the surrounding public safety officials are all on-
board with what the assessment is saying and then how best to
protect the facility.
So I really think the coordination of both of those things
has played an important role in Pennsylvania, especially for
some of the large events that we've had.
Mr. Richmond. Thank you, Mr. Chairman.
I yield back.
Mr. Donovan [presiding]. The gentleman yields back. I don't
want you to think that your testimony caused the Chairman to
lose his hair, to get a little bit older. He had another
commitment, and he's asked me to assume his role.
The Chair is going to recognize other Members of the
subcommittee for 5 minutes of questions they may wish to ask
the witnesses. In accordance with the committee's rules and
practice, I plan to recognize Members would were present at the
start of the hearing by seniority on the subcommittee. Those
coming in later will be recognized in the order of arrival. We
alternate Republican and Democrat. Since I'm the only
Republican left, I will ask you questions for 5 minutes.
Mr. Currie, you have testified before this committee
before; I thank you for coming again. You had many suggestions
during your testimony on how DHS can gain the trust of the
private sector, the private owners, and how your suggestions
can decrease Federal fatigue that these people are
experiencing. Why haven't we done anything about it? You had
great suggestions. I thought your testimony was wonderful. Why
haven't we done it?
Mr. Currie. Well, I think we have done a better job in
recent years, no doubt. I think there's two keys to this, and I
mean--and the folks talk about it. I mean, one is local
relationships. There has to be local relationships in these
areas, and that's really important. It's also really difficult
to measure how good that is, but it's key.
One of our key points, and, again, not the most exciting
topic, but data sharing and data consistency across so many
different assessments is critical. If a PSA has reviewed
information on assessments that have already been done of a
facility, they go in not just informed for their own jobs, but
they go in and it lends credibility with the owner and
operator.
If there's consistency across questions, especially in the
same area, they also don't have to ask the same question a
different way that the person may have been asked 3 months ago
by the EPA, for example. So I think both things are absolutely
critical.
Mr. Donovan. Do you think that--you're seeing results,
increase, a change? I mean, the program has been going on for
12 years now.
Mr. Currie. Sir, to be fair. So we issued our report in
2014, and DHS has done a lot since that time. She mentioned the
IP Gateway, which is basically, you know, a web-based tool
where people don't have to hand out paper assessments and read
them. Everyone can go in and have access to certain
information. We think that's good progress. But what we don't
know, because our work is a little bit dated is, you know, we
surveyed owners and operators at the time. We would have to go
back and actually talk to them to get their perspectives, and
we haven't done that. So that may be a better question for Mr.
Brown.
Mr. Donovan. Mr. Brown? It's tough when another witness
passes the ball.
Mr. Brown. You know, I would say one thing about the number
of different assessments that are done. You know the agencies
that are doing those assessments have very, very high expertise
in that certain area, so they are assessing a location or a
facility where that type of assessment is probably very
important, whether it's the Coast Guard, whether it's
environment. You know, they are assessing a certain business or
facility where that part is critical.
So, you know, the concern for us always is the last thing
we would like to see is a watered-down assessment that sort-of
fits everybody. So I think there's sort-of a balance in, you
know, what's been reported here compared to exactly what's
going to work out in the field.
You know, if it's a maritime facility, we would like to see
specialists in the maritime arena be the ones doing the
assessment.
So I would caution there should be some balance as we move
forward on this to try and make a single assessment that fits
everybody or ensuring that we have a comprehensive assessments
for each individual sector, because when we have had exercises
where multiple assessments have been done, you know, we do get
some specific input from each of those assessments that helps
us sort of move forward in the security plan.
Mr. Currie. Sir, I would absolutely agree with that, too.
Then we're not suggesting that there be one single assessment
to apply to all 16 different sectors. I think--you know, I
absolutely agree. I think what we noticed in our work is that
there was a lot of information collected across a lot of
different assessments and sectors that was the same, but
different. It was collected differently. It could have been
used differently if it was collected consistently and analyzed
across sectors.
Of course, there has to be subject-matter expertise. That's
why the Coast Guard, for example, does port security
inspections instead of NPPD, for example.
Mr. Donovan. Just for all of you, is this well-spent money?
I know, Ms. Durkovich, you said that it's a voluntary
program, people have to, because their private sector, have to
volunteer to participate. We're spending a lot of taxpayer
dollars on this. Do you feel, each of you, that this is a
worthwhile effort, and we're achieving the goal that we set out
to achieve when the program began?
Ms. Durkovich. Thank you, sir, and I'm happy to start with
that question. My answer is unequivocally, yes. As I alluded to
in my opening remarks, we are living in a very dynamic and
complex risk environment. At the end of the day, our reliance
on critical infrastructure is really what, you know, drives our
way of life and helping owners, and operators navigate this
environment and manage the risk is really the essence behind
our program.
So our ability to do these assessments, to share
information with them, to make recommendations on how they can
improve their security. The reality is you cannot operate in
this day and age without having some sort of security plan and
some plan for how you are going to bounce back in the event of
an incident.
So that is the value that we bring to them, a no-cost
assessment that helps them understand where they compare to
others in their sector or subsector, and the return on
investment that they will get if they make certain enhancements
in security and resilience. So I will tell you, absolutely, it
is taxpayer money well spent. We have saved lives. We have
limited disruptions to critical infrastructure.
I do want to just speak briefly to the different types of
assessments. We have this, you know, this reality in the Office
of Infrastructure Protection where we actually have the
authority to regulate high-risk chemical facilities. There are
about 3,400 facilities that we have deemed high-risk because of
quantities, threshold quantities, that they have of chemicals
of interest. So we have a special program and chemical security
inspectors who are responsible for helping that facility
develop a Sites Security Plan and ensure that those chemicals
are well-protected.
Our chemical inspectors work closely with our PSAs to
ensure that we're not duplicating efforts. Then in addition to
a CSI showing up on-site that you don't have a PSA then
knocking on the door and saying, hey, do you want an
assessment?
We have learned, though--and this is where the work we are
doing in the field, to better serve their activity is so
important--that even though you may be a high-risk chemical
facility, you still have the need for some of our other
voluntary services, whether it be active-shooter training, many
of, again, the kind of voluntary, the voluntary programs that
we do participating in exercises at the State and local level,
ensuring that we are accounting for you in NSSCs and the such.
So I think that the earlier comments about the need for
specialized assessments is true as well. Thank you.
Mr. Donovan. Thank you very much. My time has expired.
The Chair now recognizes the gentlewoman from California,
Ms. Sanchez.
Ms. Sanchez. Thank you, Mr. Chairman. Thank you, all, for
the incredible difficulty of the work that you do.
I believe that both Mr. Langevin and I have been working on
this both from the Armed Services Committee and from the
Homeland Security Committee. He has ranked for a while with
respect to cybersecurity on the Armed Services, and I ranked
earlier on that, and of course, we have been very involved here
on this issue on homeland.
It's at times just overwhelming, as you know, trying to
figure out how we safeguard what we need to safeguard. So I
have only one question. Because we have really, and I believed
in this, sort-of kept a hands-off method in ensuring with our
third parties, those who own our very critical infrastructure,
and 90 percent of which really sits in these third parties'
hands, we've really attempted to stay short of regulations and
playing on red tape and in an effort to keep costs down so that
they might be able to better use those funds, that they would
otherwise spend to enhance the security of these structures.
We have had both small businesses who have been--who are
contractors to some of these larger infrastructure pieces very
engaged. We've had, of course, many larger companies engaged.
But we've also had a set that have declined to even tell us
what they are doing or what they might have, asked us to come
in and take a look from an expert standpoint and maybe help
them.
What can we do to engage those who are still outside of
what we are doing? That would be my only question.
Mr. Ozment. Thank you, Representative Sanchez.
I think that's really a fundamental question for us all,
and I really appreciate your putting your finger on it. The key
question here is in a world where we work voluntarily with
companies, how do we get them to engage?
I'll tell you, on the cyber side, and I think the same is
true on the all-hazards side, having a local regionally-
deployed presence is critical, because ultimately, companies
work--or small and medium businesses, or State and local
governments, they work with the Federal Government when they
have a trust in the Federal Government. We build that trust
through having people who are living where they live, working
where they work, and really providing value to them, making it
real that the Federal Government has services to improve your
company's security, your local government security. We do have
those services.
So having these cybersecurity advisers on the cyber side
living and working with our customers has been incredibly
important. As you know, I mentioned earlier right now we only
have 6, and we are really looking for the Congress' support to
increase the number of field-deployed cybersecurity advisers in
the 2017 budget.
Ms. Durkovich. I would agree with my colleague, but I would
like to add one thing, and I think it is an important component
of the assessments that we do. But when we work with owners and
operators to evaluate their security posture, one of our claims
is you are kind-of only secure--you are only as resilient as
your weakest link. We encourage them to look across their
entire supply chain, to have conversations with their
suppliers, to recognize where their key dependencies are,
whether it is power, whether it is water, whether it is
communications, and to, at a minimum, have conversations with
those key dependencies, with those key third-party providers
about what their security plans are.
But, equally important, and I think we are seeing this more
in the cyber realm than we are in the physical realm, but is
ensuring that as you develop relationships and contracts, with
those third-party providers, with those in your supply chain,
that you are making security, that you are making resilient a
key part of that agreement between your organizations, that in
some ways, we are pushing the need for security into that
supply chain.
Mr. Ozment. Congresswoman, I apologize. Can I add one
additional point? My apologies.
I think one other key aspect of this is actually the
legislative protections that you, the Congress, has given us
for protecting the information our customers share with us.
I'd highlight two in particular--protected critical
infrastructure information, which means that when a company
shares vulnerabilities or their risk profile with us,
statutorily we protect that information. We cannot give it to a
regulator. It cannot be accessed through a Freedom of
Information Act or other State Sunshine Act Laws and it cannot
be disclosed in civil litigation. That protection is critical.
We treat information we receive under that protection
extraordinarily carefully.
Then obviously the Cybersecurity Information Sharing Act of
2015 also gave us additional statutory protections for
cybersecurity indicator information and those protects are also
extremely important.
Mr. Brown. If I could just weigh in, you know, from the
field what we found out is that the more of assessments and the
training is done, the more you have other facilities wanting
the training. So when you have several hospitals in a city or a
locale that have done the assessment, the next thing you
realize is you start getting calls from the third hospital
saying, hey, I understand these assessments were done, we would
like that to have happen.
Now the same thing is happening with the minor league
baseball stadiums in the State of Pennsylvania. You know we've
done the Philly stadium now, several of their minor league
stadiums are asking for an assessment done, followed by a
table-top exercise. It is sort of a snowballing effect. The
more we are doing these types of things, I think the more the
industry is asking for them.
Ms. Sanchez. Thank you, Mr. Chairman.
Mr. Donovan. The Chair now recognizes the gentleman from
New Jersey, Mr. Payne.
Mr. Payne. Thank you, Mr. Chair. Also I thank the Ranking
Member for allowing me to sit in today on a very important
topic. In my work as Ranking Member on my subcommittee, that
deals with resilience and communications, this is something
that I've been very interested in and have advocated the
administration on. In 2013 the National Infrastructure
Protection Plan focuses not only on the security of the
Nation's critical infrastructure, but also its resilience,
which is something that I've dealt with a great deal.
What training and technical assistance is DHS providing
through the PSA and CSA programs to increase resiliency of our
critical infrastructure?
Ms. Durkovich. I am happy to start with that question,
Congressman Payne, and thank you very much. Over the course of
the evolution, of our program, we have moved from a security
focus to a security and resilience focus because of our
recognition of the importance to work with owners and
operators, to be able to return to normal operations in the
event of an incident.
Resiliency has become a very key part of the vulnerability
assessments that we do. Of the 1,400 questions that are part of
the infrastructure survey tool, that Director Brown alluded to,
a number of them cover resilience-related measures.
Again, that ranges everything from do you have a business
continuity plan in place? Do you have route diversity when it
comes to your communications? Do you understand who is
providing your electricity, your water in the event of a power
outage? Do you have a generator? Do you have enough fuel to
fuel that generator for at least 72 hours, if not longer?
So again, those types of questions are considered in the
IST and we give an owner and operator the ability to see where
they stand from a resiliency index compared to others. If for
example they didn't have a business continuity plan but they
developed one, how that score would improve.
Equally important, a cornerstone of the office of
infrastructure protection has become our regional resilience
assessment program. This is where we look at a key industry, a
key critical infrastructure asset. In New Jersey, for example,
one of our first regional resilience assessment programs
projects was focused on exit 14 and the concentration of
petrochemical plants, that you find at that exit, and their
dependency on water, on electricity, on communications, the
importance of the port in the area. We both evaluated what were
the threats and hazards that could disrupt or cause some sort
of incident at that port.
But equally important, how do we work very closely, not
only with the owners and operators, but the State and the local
authorities to improve the resilience of all of those
underlying systems and assets? It is a Regional Resilience
Assessment Program that continues to see value. It has been the
basis for a number of different exercises. The State of New
Jersey actually created an app based on that RRAP, it is the
foundation.
Recently we looked at a category 1 hurricane coming up the
southern tip of New Jersey and really the relationships that
exist in that region were because of this RRAP that we did in
2009. So resiliency has become a key piece of what we do in the
Office of Infrastructure Protection.
Mr. Payne. Good old exit 14. I live 4 minutes from there.
You know that area has been called the 2 most dangerous miles
in the country based on the airport and the seaport, the
chemical and the infrastructure, so these issues are very
important to me.
How has DHS incorporated the concept of resilience into
their vulnerability assessments?
Ms. Durkovich. Again, it is both through some of the
questions that I alluded to, but looking at really at an
organization's, or an industry's, or a particular region's,
kind of operational capability, and what is a minimal time of
disruption that that particular organization, that particular
community can sustain? That's really kind-of what drives our
concept of resiliency.
Mr. Payne. Thank you.
Mr. Ozment. I would just note, sir, that our cybersecurity
most strategic risk assessments are in fact resiliency
assessments.
Mr. Payne. OK. Thank you. I appreciate your indulgence and
yield back the balance of my time.
Mr. Donovan. The gentleman yields back.
I would just like to recognize that I live 10 minutes from
that exit, so keep up the good work.
The Chair now recognizes Mr. Langevin from Rhode Island.
Mr. Langevin. Thank you, Mr. Chairman. I want to thank the
Chair and the Ranking Member for holding this hearing. I want
to thank our witnesses for your testimony here today, and the
work you're doing to protect the country.
For Secretary Ozment and Durkovich--so I appreciate the
desire to incorporate cybersecurity in your risk assessments,
particularly as more and more systems are connected to the
internet.
So as a Member of the Armed Services Committee I recognize
that today's conflict and really all future ones for that
matter are going to contain some type of a cyber component to
it going forward. It seems prudent to extend that mindset to
critical infrastructure.
So with that in mind, Secretary Ozment and Secretary
Durkovich, can you talk about the training required for PSAs to
provide these assessments, while Chairman Ratcliffe asked about
CSA training, it seems that since they are outnumbered by 20 to
1, at the moment, I imagine PSAs are required to do the
baseline assessments and basically it would seem that much of
the expertise is different from the physical security that
traditionally has been at the domain of PSAs?
Ms. Durkovich. Thank you very much for that question. As
you alluded to, we see the Protective Security Advisors as
force multipliers in this effort to secure critical
infrastructure from cyber threats. As I alluded to in my
opening statement, over 20 percent of the referrals to the CSAs
actually come from the Protective Security Advisors, this is
because we have these long-standing relationships that we have
developed with owners and operators. In addition to being
worried about natural hazards and terrorist threats, they are
also dealing with, again, the range of cyber actors.
So at a minimum what our PSAs do is connect them with the
other NPPD, cybersecurity security expertise, that may be the
NCCIC, that may by the Cybersecurity Advisors, but we also are
bringing tools and capabilities. We have a number self
assessments that are available to owners and operators on the
cyber side of the House and, as well, can articulate kind of
that basic cyber hygiene.
So, to ensure that our PSAs at least know enough to be
dangerous on the cyber front. This is something that in my role
I've had do as well. Right, it is hard for me to go out and
talk about this dynamic risk environment and not include cyber
in that conversation.
Mr. Langevin. So I just want to ask to clarify, so are they
just doing referrals to CSA, or to other entities, or do they
actually have training in that area on the site?
Ms. Durkovich. So they are largely doing referrals. They do
do kind-of general awareness about the threat. They can talk
about kind-of basic cyber hygiene, the importance of
multifactor authentication of segmenting systems. But, to
answer your question, we have sent all of them down to Hoover
and the Secret Service cybersecurity campus there to get a
basic level of training. There are some Protected Security
Advisors who have spent time at Idaho National Labs, with our
industrial control system team, getting kind-of a higher level
of training. We have only a few, but this is while Andy works
to build up his work force, that are actually certified to
conduct our cyber infrastructure survey tools. So it's a mix
of----
Mr. Langevin. So where do you see the work force going on
the CSA side? Because it seems to be that you'd almost want the
two to be co-assessing or collocating in conducting these
assessments.
Mr. Ozment. Sir, I think of this as a sort-of three-tiered
system. We have the PSAs who can do--advertise our cyber
programs, connect people with our other cyber resources and do
basic--for example, as part of their basic infrastructure
survey tool they do have strategic cyber questions there. They
can give high-level advice on cyber hygiene.
When we have a problem that demands more cyber knowledge
than that, and a lot of our customers are demanding more cyber
knowledge than that, we go to the CSAs, and the CSAs provide--
are cybersecurity specialists but they are not hands-on
technical operators, they are cybersecurity executives, if you
will.
So then at the next and final tier when a customer needs
more technical specialized assistance we draw then upon our
different technical groups within the NCCIC, whether it be the
industrial control systems team, or an instant response team,
or a hacking team if you will.
So we start with that broad base of PSAs who, as you note,
there are far more of them and they have these relationships.
When we are in a region the CSA and the PSA have to be very
tightly coupled and they are very tightly coupled so that the
CSA can draw upon that PSA's knowledge and relationships.
Mr. Langevin. So where do we see the CSA work force going?
Is that--are you working to increase that, so you have more of
balance with the PSAs?
Mr. Ozment. Yes, sir. We do very much need that CSA work
force. The demand is just huge. So we will absolutely increase
it. I don't know that we'll reach as large as PSA work force. I
think some of that is we have to see how the demand evolves,
but we are very much asking for an increase to 24 CSAs in the
field in the fiscal year 2017 budget.
Mr. Langevin. Thank you. I hope we are going to concentrate
on that more.
Thank you, Mr. Chairman I yield back.
Mr. Donovan. The gentleman yields back. I thank the
witnesses for their valuable testimony and the Members for
their questions. The Members of the committee may have some
additional questions for the witnesses. I would ask that you
respond to those in writing.
Pursuant to committee rule 7(e) the hearing record will be
held open for 10 days. Without objection the subcommittee now
stands adjourned.
[Whereupon, at 11:17 a.m., the subcommittee was adjourned.]
A P P E N D I X
----------
Questions From Chairman John Ratcliffe for Chris P. Currie
Question 1. Given the focus of some DHS assessments on threats to
specific regions, are there any U.S. cities or sectors that are
examples of best practices in collaborating with and among DHS offices
and components and other Federal partners in participating in
assessments and taking actions to address vulnerabilities identified?
Answer. DHS has taken steps in response to a past GAO
recommendation that will help officials identify U.S. cities or sectors
that have demonstrated best practices in collaborating with and among
DHS offices and components and other Federal partners. Specifically,
DHS uses follow-up surveys at facilities that have undergone
vulnerability assessments and security surveys, including those that
participate in Regional Resiliency Assessment Program (RRAP) projects,
and has initiated a broader data-gathering effort with its RRAP
critical infrastructure stakeholders to explore changes in diverse
topics such as partnering and State actions based on RRAP participation
in response to a recommendation we made to DHS in 2013.\1\ In August
2015, the Office of Infrastructure Protection (IP) provided
documentation to address this recommendation, including screen shots of
an IP-developed SharePoint capability for tracking RRAP findings. This
Tracker Tool contains questions about the status of RRAP principle
findings, any action taken by RRAP participants, whether the action was
taken due to the RRAP, and identification of the point of contact who
can confirm this linkage. The data fields in the Tracker Tool will
allow IP to identify the RRAPs and associated regions that were
successful at bringing about resiliency improvements and the types of
improvements that are more common across RRAPs.
---------------------------------------------------------------------------
\1\ GAO, Critical Infrastructure Protection: DHS Could Strengthen
the Management of the Regional Resiliency Assessment Program, GAO-13-
616 (Washington, DC: July 30, 2013).
---------------------------------------------------------------------------
Question 2a. According to the GAO testimony, DHS established a
policy in October 2014 to conduct quarterly reviews of programs related
to critical infrastructure to better understand the barriers critical
infrastructure owners and operators face in improving the security of
their assets. What trends has DHS identified in declinations using its
tracking system since October 2013?
Has DHS identified barriers that critical infrastructure owners and
operators face in making improvements?
Question 2b. If so, what are those barriers?
Answer. According to DHS's 2013 National Infrastructure Protection
Plan, our Nation's well-being relies upon secure and resilient critical
infrastructure. To achieve this, the National Plan calls for critical
infrastructure partners to collectively identify priorities, measure
progress, and adapt based on feedback and the changing environment,
among other things. Therefore, it is imperative that DHS conduct
regular reviews of its programs. In 2012, we reported that DHS could be
missing an opportunity to measure performance associated with planned
and in-process enhancements, and could better understand why certain
improvements to securing critical infrastructure were, or were not
made, following assessments.\2\ We reported that this information could
help DHS to better understand what barriers owners and operators face
in making improvements to the security of their assets. DHS began
tracking additional information in response to our recommendations.
Table 1 provides a snapshot of common reasons why facilities refused or
were not selected to participate in an assessment from October 2013
through September 2014--the last date for which DHS provided GAO data
on this issue--which could prevent owners and operators of critical
infrastructure from identifying and making needed improvements.
---------------------------------------------------------------------------
\2\ GAO, Critical Infrastructure Protection: DHS Could Better
Manage Security Surveys and Vulnerability Assessments, GAO-12-378
(Washington, DC: May 31, 2012).
TABLE 1.--COMMON REASONS WHY FACILITIES REFUSED OR WERE NOT SELECTED TO
PARTICIPATE IN A DEPARTMENT OF HOMELAND SECURITY VOLUNTARY ASSESSMENT
FROM OCTOBER 2013 THROUGH SEPTEMBER 2014
------------------------------------------------------------------------
Facility
Count
------------------------------------------------------------------------
Stakeholder believes the threat risk is low................ 20
Facility is confident in its security posture.............. 43
Facility point of contact requires coordination with 172
corporate office..........................................
Defense Industrial Base site--no data collection allowed... 47
Regulated facility--no data collection allowed............. 18
Nuclear site--no data collection allowed................... 5
Facility does not want to share its information with the 34
Government................................................
Facility lacks a budget for implementing potential 24
recommended security improvements.........................
Facility point of contact lacks time to commit to an 29
assessment................................................
Facility not selected by Protective Security Advisor (PSA) 577
for assessment due to resource constraints................
Facility not selected by PSA for assessment due to regional 94
priorities................................................
PSA performed a security assessment at the facility 188
recently..................................................
Facility received a different vulnerability assessment 55
recently..................................................
Facility not interested in assessment at this time but 349
would consider future assessment..........................
Other...................................................... 249
------------------------------------------------------------------------
Source: DHS data.
Table 2 provides a snapshot of additional information DHS gathered
from participants in its voluntary vulnerability surveys from October
2013 through September 2014, the last date for which we received an
update from DHS.
TABLE 2.--DEPARTMENT OF HOMELAND SECURITY VOLUNTARY ASSESSMENT FOLLOW-UP
SURVEY RESPONSES, OCTOBER 2013 THROUGH SEPTEMBER 2014 NUMBER OF
FACILITIES
------------------------------------------------------------------------
My
Organization
Is Likely To
Information Integrate The
Provided Information
Through The Provided By
Number of Facilities Assessment Was The Assessment
Beneficial To Into Its
My Future
Organization Security Or
Resilience
Enhancements
------------------------------------------------------------------------
Strongly Disagree....................... 54 38
Disagree................................ 5 5
Neither Agree or Disagree............... 22 37
Agree................................... 287 399
Strongly Agree.......................... 473 357
Not Applicable.......................... 11 16
------------------------------------------------------------------------
Source: DHS data.
In addition, 851 facility owners and operators responded to the
question (checking all applicable responses), What are your
organization's primary challenges with respect to implementing security
or resilience enhancements?:
Lack of budget (651 responses)
Lack of project management resources (181 responses)
Differing strategic priorities (239 responses)
Plans to move or significantly change the facility (23
responses)
Local ordinances (28 responses)
Other (90 responses).
According to a 2014 IP quarterly performance review document we
reviewed, IP has plans that could address some of these barriers,
including plans to update IP's web architecture to capture, report, and
prioritize the technical assistance, training, and education needs of
IP and its partners within the critical infrastructure community by the
end of fiscal year 2020.
Question 3a. One of the recommendations from your agency's work in
2014 and 2015 stressed the need for DHS to develop an approach to
ensure that vulnerability data gathered on critical infrastructure is
consistently collected and maintained across DHS to identify gaps and
prevent duplication of efforts.
Do you have any recommendations on how to best standardize this
data?
Question 3b. Are there any ``best-in-class'' examples that can be
leveraged to accelerate the achievement of the recommendation?
Answer. According to the National Infrastructure Protection Plan
managing risk, among other things, entails efficient information
exchange through defined data standards and requirements, including an
information-sharing environment that has common data requirements and
information flow and exchange across entities. However, we reported
that the lack of consistent, standardized data on the names and
addresses of assets already assessed by DHS's offices and components
inhibited the Department's ability to identify whether a given asset
had been previously assessed by one office or component. Without
consistent, standardized data, DHS was not positioned to readily
identify potential duplication or overlap among assessments already
conducted. Within DHS, the Office of Infrastructure Protection (IP) has
begun, in response to GAO recommendations, some notable efforts to
address data quality. These efforts include, among other things, a two-
phased automated quality assurance process that confirms that certain
data elements have appropriate data, to include but not limited to:
Ensuring phone numbers are 10 digits, geocoordinates and zip codes
correlate to the associated county and State, and the assignment of
unique identifiers. Accurately capturing this basic information in a
standardized manner is an important first step in addressing gaps and
to prevent duplication of effort. In addition, IP officials told us the
office is planning pilot projects with a limited number of Sector-
Specific Agencies to identify critical infrastructure data elements
that each agency may have a need for, after which appropriate policies
for sharing those data elements can be established. With regard to
``best-in-class'' examples that could be leveraged, in a January 2016
report,\3\ we reported on leading practices for well-constructed data
definitions derived from standards developed by the International
Organization for Standardization (ISO).\4\ While not ``best-in-class'',
these practices would be helpful for DHS to review in its efforts to
identify ``best-in-class'' examples it could leverage as it
standardizes its data.
---------------------------------------------------------------------------
\3\ GAO, DATA Act: Data Standards Established, but More Complete
and Timely Guidance Is Needed to Ensure Effective Implementation, GAO-
16-261 (Washington, DC: Jan. 29, 2016).
\4\ The ISO is an independent, nongovernmental membership
organization and the world's largest developer of voluntary
international standards. It has published more than 20,500
international standards covering a wide range of industries including
technology, agriculture, and health care. For access to the ISO leading
practices for the formulation of data definitions, published July 15,
2004, see: http://standards.iso.org/ittf/PubliclyAvailableStandards/
c035346_ISO_IEC_11179-4_2004(E).zip. � ISO: This material is reproduced
from ISO/IEC 11179-4:2004(E) with permission of the American National
Standards Institute (ANSI) on behalf of the International Organization
for Standardization. All rights reserved.
---------------------------------------------------------------------------
Questions From Chairman John Ratcliffe for Andy Ozment
Question 1. Given the focus of some DHS assessments on threats to
specific regions, are there any U.S. cities or sectors that are
examples of best practices in collaborating with and among DHS offices
and components and other Federal partners in participating in
assessments and taking actions to address vulnerabilities identified?
Answer. There are many examples of best practices in collaboration
at all levels. A few illustrative examples include the State of New
Jersey, Salt Lake City, and the Energy Sector.
State Partnerships--New Jersey.--The State of New Jersey's Office
of Homeland Security and Preparedness (OHSP) has been a strong partner
on a variety of infrastructure assessment activities. In 2009, the
State participated in one of the first Regional Resiliency Assessment
Program (RRAP) projects. The 2009 RRAP examined vulnerabilities and
dependencies of a cluster of critical lifeline infrastructure located
near Exit 14 of the New Jersey Turnpike in Newark. As part of the
project, the State was provided with detailed modeling of
interconnected water systems in northern New Jersey. Using the water
model, New Jersey took steps to develop combined analytical products
for the electrical and water systems to look at regional
interdependencies between electricity and water, thereby strengthening
the resilience of the Energy and Water Sectors. It also utilized the
model to support information-sharing and exercise activities with the
Water Sector. New Jersey is currently increasing security systems at
two major water treatment plants. As a direct result of the RRAP
project, the North District Water Supply Commission initiated a project
to improve the resilience of the northern New Jersey water system
infrastructure.
Within this RRAP, DHS conducted its first 7 Cyber Resilience
Reviews (CRR) ever, focusing on critical information technology
services that underpinned these lifeline-sector partner's operations.
The results of these cyber evaluations provided cybersecurity-focused
options for improvement to each participating organization.
Since 2009, the State has requested 3 additional RRAP projects. The
first, in 2014, focused on complex infrastructure supporting the
production and transportation of petroleum fuel. The findings were used
to drive the New Jersey 2015 Hurricane Season Rehearsal Tabletop
Exercise. Using the RRAP-provided information as its basis, the
exercise explored improvements for information sharing between the
State and the energy sector. In addition, the project delivered to the
State and the Federal Emergency Management Agency's (FEMA) Region II
office extensive geographic information system (GIS) products depicting
petroleum and related infrastructure. The results support emergency
response and recovery operations and planning.
The second additional RRAP project, in 2015, is a collaborative
effort with State partners from Delaware and Pennsylvania, and is
focused on the resilience of ports along the Delaware River,
specifically landside terminal operations and inter-modal distribution
networks for these ports and marine terminals. The Resiliency
Assessment report for the Delaware River project is with stakeholders
for review at this time. Preliminary findings were presented to
stakeholders in May 2016.
The final additional RRAP project, started in 2016, is focused on
the 6 largest wastewater treatment plants, the disruption of which
could have cascading impacts across the State and into New York and
Pennsylvania. With each of the RRAP projects, the State will receive
Resilience Enhancement Options--actions they can take to improve
resilience.
Following the RRAP-related cyber evaluations in 2009, DHS began a
continuing set of collaborative engagements with the State Chief
Information Security Officer (CISO) and the State's infrastructure
planners and preparedness coordinators. In 2011 and 2012, DHS provided
a review of the State-wide strategic cybersecurity plan. DHS began
participating in public-private partnership meetings and provided
advice to the State on cybersecurity. The State requested information
on DHS's Cyber Security Advisor (CSA) program. By 2014, the State hired
its first State-employed CSA.
City Partnerships--Salt Lake City, Utah.--Salt Lake City, Utah, is
another consistently strong and active partner. The city received two
RRAP projects in 2013 and 2015. The 2013 RRAP project analyzed the Salt
Lake City area's health systems' critical infrastructure dependencies
and interdependencies, specifically how they would be impacted by a
major earthquake. The findings were used to inform emergency response
plans, and prompted more detailed analysis of the region's health
system dependencies. The 2015 project will provide Salt Lake City with
an improved understanding of the various interconnected water and
wastewater systems, and identify critical nodes and vulnerabilities.
Sector Partnerships--Energy Sector.--DHS conducts regular
engagements with all Sector-Specific Agencies (SSAs) which provide an
opportunity to discuss on-going efforts and share best practices. Many
of the findings resulting from the different types of assessments are
incorporated as part of best practices and reference resources that are
disseminated though multiple outreach mechanisms. The RRAP in
particular, given its collaborative approach to assessment of specific
critical infrastructure within a designated geographic area and a
regional analysis of the surrounding infrastructure, lends itself to
capitalizing on sector partnerships. The RRAP team participates in SSA
coordination calls to inform them of upcoming projects, and includes
the SSAs in its annual RRAP kickoff where they have the opportunity to
provide input. SSAs are relied upon by the RRAP team to provide insight
into the operations and vulnerabilities of infrastructure, as well as
to connect the RRAP project teams to relevant private industry and
Government contacts who can assist in the assessment and analysis.
The Department of Energy (DOE) has been a close partner, providing
insights into the industry, key contacts, and access to useful DOE
resources. DOE and the Transportation Security Administration were both
involved in the 2012 regional pipelines RRAP project. The Department of
the Interior has been supporting the on-going 2016 Gulf of Mexico
project with oil production information and GIS data.
Through these RRAP projects, DHS is helping the Oil and Natural Gas
(ONG) sector better understand operational dependencies and to improve
coordination with Government emergency management officials. Federal,
State, and local emergency management officials play an important role
in responding to incidents affecting the ONG sector.
An additional example can be found in the joint DHS and DOE study
on the impacts of electromagnetic pulse (EMP) and Geomagnetic
Disturbance Events (GMD) on the electric grid. This study will analyze
the hazard environments, impacts, and consequences of different sources
of EMP and GMD. Events of concern and potential means of mitigation
will be better understood.
Federal Partnerships--Cybersecurity.--The role of cyber emergency
preparedness, threat and asset response, risk management and best
practice promotion, and information sharing in supporting resilient
infrastructure operations cannot be understated. Cyber Security
Advisors (CSAs) began working with the Coast Guard through
participation in Area Maritime Security Committees (AMSC) starting in
2010, acting in many situations as an architect for AMSC cyber working
groups and subcommittees. In 2011, DHS assisted the Coast Guard's
Pittsburgh Marine Safety Unit, via its AMSC. The CSA on the AMSC cyber
subcommittee helped to draft a 2-year strategic charter, laying out
objectives for private-sector partners to develop and test cyber
incident notifications, response coordination, and lesson-learned
collections. Since 2011, CSAs have worked with nearly 12 AMSCs.
NPPD has helped to amplify the cyber emergency coordination efforts
of the Federal Emergency Management Agency (FEMA). In 2015 and 2016,
NPPD coordinated with FEMA Regional Interagency Steering Committees and
engaged FEMA partners through cyber preparedness workshops and
cybersecurity symposiums. Most recently, NPPD supported FEMA Region III
with a 2-day, cyber preparedness symposium and DHS personnel moderated
and sat for multiple panels alongside Federal, State, and private-
sector cybersecurity officials.
As far back as 2009, NPPD began supporting the U.S. Secret Service
(USSS) Critical Systems Protection efforts related to National Special
Security Events. This coordination added a focus on cyber preparedness,
joint IT operations coordination, and asset response coordination
(i.e., ensuring the availability of technical mitigation resources for
cyber attacks and incidents). In addition, NPPD assisted in the
inauguration of several USSS Electronic Crimes Task Forces, to
demonstrated not only a unity of effort in Federal preparedness and
response but to bridge cyber crime and infrastructure resilience
issues, specific to cyber planning, coordination, and best practice
adoption.
Question 2a. According to the GAO testimony, DHS established a
policy in October 2014 to conduct quarterly reviews of programs related
to critical infrastructure to better understand the barriers critical
infrastructure owners and operators face in improving the security of
their assets. What trends has DHS identified in declinations using its
tracking system since October 2013?
Has DHS identified barriers that critical infrastructure owners and
operators face in making improvements?
Question 2b. If so, what are those barriers?
Answer. The quarterly program review process collects a broad range
of information from across the Office of Infrastructure Protection
(IP), and is a mechanism for improving data driven decision making. The
assessment portfolio is one area of information collected.
In fiscal year 2015, approximately 88% of facilities where IP
conducted an Infrastructure Survey Tool (IST) assessment reported they
were likely to integrate, or have integrated, some of the protective
measures detailed in the assessment report. This is up from 86% in
fiscal year 2014 and 85% in fiscal year 2013. Four thousand four
hundred sixteen ISTs have been conducted since fiscal year 2010. The
most common improvements include enhancements to electronic security
systems, security force, and security management. This kind of action
is one important indicator of the impact that our assessments have on
the security and resilience of infrastructure, but does not provide a
perfect measure of the overall state of preparedness.
When stakeholders are interested in accepting IP's recommendations,
the barriers that preclude them from making those changes include:
Cost-prohibitive capital investments;
Lack of project management resources;
Differing strategic priorities;
Plans to move or significantly change the facility;
Local ordinances.
When partners decline IP services and capabilities, the most common
reasons cited include:
Facility isn't interested in assessment at the initial time
of contact but indicated they would consider future survey;
The facility has had a recent security assessment, either
performed by the PSA or through another vulnerability
assessment;
Point of Contact (POC) requires coordination with corporate;
POC lacks time to commit to assessment;
Facility is confident in its security posture;
Facility does not want to share its information with the
Government;
The facility does not allow data collection because it's a
regulated facility, nuclear facility, or defense industrial
base facility;
Facility lacks a budget for implementing potential
recommended security improvements; or
Stakeholder believes the threat risk is low.
To formalize its response to these trends, NPPD is working to
develop a 3-year Strategic Plan for Assessments conducted by IP to
determine how it can enhance the value of its assessment portfolio for
stakeholders, to include addressing physical and cyber convergence in
assessments. The 3-year strategic plan will:
Articulate the strategic intent of IP's assessments;
Define specific goals to guide prioritization, maturation,
management, and use of IP's assessments;
Clarify opportunities for collaboration between IP
assessments and OCIA analyses;
Articulate mechanisms to assist the Federal Emergency
Management Agency (FEMA) and other agencies in risk assessments
supporting grant allocation decisions; and
Provide a plan to develop and use performance metrics for
program management and reporting processes.
This plan will guide how PSA-led assessments support stakeholders,
contribute to a National understanding of risk, and support National
preparedness planning. The CSA program will identify improvements by
drawing upon this plan and its lessons learned.
Question 3. According to President Policy Directive 41 (PPD-41)
Section V, ``The Department of Homeland Security, acting through the
National Cybersecurity and Communications Integration Center, shall be
the Federal lead agency for asset response activities,'' as defined by
the PPD. Do CSAs have any other cyber-related responsibilities that are
not included in PPD-41 that are carried out by the NCCIC?
Answer. Presidential Policy Directive 41 (PPD-41) sets forth
principles governing the Federal Government's response to any cyber
incident and, for significant incidents, establishes lead Federal
agencies and an architecture for coordinating the broader Federal
Government response. The Department of Homeland Security, through our
experts at the National Cybersecurity and Communications Integration
Center (NCCIC), act as the Federal lead agency for asset response.
Asset response includes helping a victim find the bad actor on its
system, repair its system, patching the vulnerability, reducing the
risks of future incidents, and preventing the incident from spreading
to others.
Cyber Security Advisors (CSAs) do not themselves typically engage
in asset response activities, especially asset response activities
beyond those related to coordinating with relevant entities and
providing advice on how to best use Federal resources. While CSAs may
support the NCCIC role in cyber incident response by serving as field-
based support elements, CSAs focus most of their resources on cyber
preparedness and protective activities. CSAs engage private-sector
companies and State, local, Tribal, and territorial (SLTT) governments
prior to an incident to help them develop and assess their cyber
incident response plan. In an incident, the primary role of a CSA is to
connect the victim or potential targets with the resources of the
NCCIC.
Question 4a. Dr. Ozment, can you advise us on the developmental and
training plans for the CSAs to ensure that field-based personnel have a
diverse cyber experience with computer engineering skills and are well-
versed in cyber incident response activities with a solid working
knowledge of the NCCIC and its capabilities, services and personnel?
Answer. Cyber Security Advisors (CSAs) are hired based on subject-
matter expertise in Information Technology (IT) Security, Operations,
and Management--to include proficiency with IT security program and
project management, evaluation and assessment, technical communications
and presentation, and system and network administration skills. Each
CSA has unique training needs identified as they onboard and progress
through their career. This includes an orientation and regular
information on National Cybersecurity and Communications Integration
Center (NCCIC) services available to customers.
Cybersecurity skills underlying CSA activities are identified,
mapped to, and managed against workforce education initiatives and
opportunities for cybersecurity awareness, training, and education.
Additionally, a robust training and certification program is available
to CSAs. This includes training in Information Security, Ethical
Hacking and Penetration Testing, Networking, Industrial Control Systems
Cybersecurity, and Risk Management.
Question 4b. How are you ensuring the CSAs are fully integrated
with both the NCCIC and US-CERT? Are there plans to rotate the CSAs
through the NCCIC and US-CERT to ensure they have the technical and
incident response expertise?
Answer. Cyber Security Advisors (CSAs) are critical, field-based
personnel with a sound understanding of the National Cybersecurity and
Communications Integration Center (NCCIC). CSAs are a local resource
for private-sector companies and SLTT partners. As such, CSAs often
become the first element of NCCIC customer management: Coordinating
incident response requests, facilitating requests for information, such
as best practices and technical evaluations, routing requests for
operational partnership, or access to technical threat analysis and
vulnerability mitigation products. As the CSA program adds additional
personnel, we will explore the possibility of rotations back to
headquarters, to include rotations the NCCIC.
However, the CSAs are not hired for the skillset of technical
incident response, nor should they be. There are many different
skillsets in cybersecurity. The CSA skillset is intended to match more
closely the skillset of a Chief Information Security Officer (CISO) or
a CISO's policy, compliance, and metrics team. A CSA should be able to
help a company develop a security program, identify gaps, provide
strategic advice, and connect that company with services available from
the Federal Government, particularly the NCCIC.
Question 4c. How will you ensure that CSAs and their cyber outreach
and engagement activities are fully integrated into the rest of CS&C's
cyber efforts before, during, and after cyber incidents?
Answer. CSAs are not focused on cyber incident response: Their
primary role is on prevention and preparedness.
There have been very few instances, due to the small number of
Cyber Security Advisors (CSAs), where a CSA had a prior engagement with
a private-sector company or State, local, Tribal, and territorial
(SLTT) partner, and that same partner experienced a cyber incident. In
these few cases, CSAs were generally the first point of notification by
the victim. CSAs determined the situational information surrounding the
event and the victim's basic needs for assistance.
Under these limited instances, after an incident, CSAs also
provided direct process improvement guidance on the cyber incident
process and worked to identify cyber preparedness and best practice
efforts for consideration by the victim's cyber program planning,
operations procedures, and resource allocations.
Question 5. Has DHS identified any best practices in assessing and
addressing vulnerabilities from threats and hazards that our Nation's
critical infrastructure owners and operators face, and if so, has DHS
shared these practices with other critical infrastructure partners to
help them be more prepared?
Answer. The National Protection and Programs Directorate (NPPD) is
a clearing house for best practices and lessons learned, which are
continuously gathered through Protective Security Advisor (PSA) and
Cyber Security Advisor (CSA) engagements and then shared with critical
infrastructure partners.
PSA-led and CSA-led assessments produce a dashboard and/or a report
that assist stakeholders in identifying key considerations for
enhancing the security and resilience. The dashboards provide a
comparative analysis an entity's security and resilience, including a
high, low, and median score comparison. The reports contain a written
analysis of the assessments key findings. This includes documenting
vulnerabilities and identifying corresponding options for owner and
operators. These options are, in effect, best practices that have been
observed and compiled since 2009. Reports also document ``commendable''
items when an entity has already implemented best practices.
As a result of PSA and CSA support to special events and domestic
incidents, we collect after-action reports and lessons learned. In
addition, DHS is drafting an ``Effective Practice'' document that will
identify documented best protective measure practices.
NPPD works with critical infrastructure partners to assess areas of
concern and potential vulnerability gaps. These findings inform the
development of best practices for consideration by owners and
operators. A sampling includes:
Suspicious Activity Videos.--(https://www.dhs.gov/gallery/
infrastructure-protection) provide information on identifying and
reporting suspicious activity and threats in different environments and
scenarios, including:
Check It! (Bag search procedures for public venues);
What's in Store: Ordinary People/Extraordinary Events
(Retail);
No Reservations: Suspicious Behavior in Hotels (Lodging);
and
Options for Consideration (Active Shooter).
On-line Training Courses.--Self-paced courses (offered through the
Federal Emergency Management Agency's (FEMA) Emergency Management
Institute (EMI) https://training.fema.gov/emi.aspx) designed for both
people who have emergency management responsibilities and for the
general public. All are offered free-of-charge. DHS has partnered to
produce courses in active shooter, surveillance awareness, and more.
Each course, listed below, takes approximately 45 minutes to complete.
IS-906 Workplace Security Awareness;
IS-907 Active Shooter: What You Can Do;
IS-912 Retail Security Awareness--Understanding the Hidden
Hazards;
IS-914 Surveillance Awareness: What You Can Do;
IS-915 Protecting Critical Infrastructure Against Insider
Threats; and
IS-916 Critical Infrastructure Security: Theft and
Diversion--What You Can Do.
For those involved in the security of industrial control systems,
the National Cybersecurity and Communications Integration Center offers
several cybersecurity courses. These courses can be accessed at:
https://ics-cert.us-cert.gov/Training-Available-Through-ICS-CERT.
Through our Federal Virtual Training Environment (FedVTE) we offer
more than 800 hours of on-line, on-demand training on cybersecurity
topics such as ethical hacking and surveillance, risk management, and
malware analysis. Course proficiency ranges from beginner to advanced
levels, and several of the courses align with Information Technology
certifications such as Network+, Security+, and Certified Information
Systems Security Professional. FedVTE has been available to Federal,
State, local, Tribal, and territorial Government employees.
Additionally, we've teamed up with the non-profit organization Hire Our
Heroes to provide U.S. veterans with free access to FedVTE.
Hands-on Training.--In addition to on-line training courses, EMI
provides two Integrated Emergency Management Courses (IEMC) that
provide exercised-based training events to local and county
communities, based upon the community's Threat and Hazard
Identification and Risk Assessment (THIRA) and Emergency Operations
Plan. IEMCs are a combination of classroom lectures, discussions,
small-group planning sessions, and functional exercises which expose
participants to new ideas, and increase their awareness of the
necessary coordination among other agencies and organizations. For the
exercises, each participant is assigned a role similar to their real-
life position in an emergency operations center (EOC).
E0912.--Preparing Communities for a Complex Coordinated
Attack IEMC: Community-Specific; and
E0930.--IEMC: Community-Specific.
NPPD provides hands-on training to private-sector critical
infrastructure partners. For example, the National Cybersecurity and
Communications Integration Center provides intermediate and advanced
training classes on cybersecurity for industrial control systems
through regional classroom training on a quarterly basis. Notably,
these offerings include an advanced training offered at our facility in
Idaho Falls. This 1-week course includes a two-team activity that lasts
for half a day. The red team attacks and the blue team defends a small
critical infrastructure facility we built.
Protective Measures Guides: FOUO guides that assist owners and
operators in planning and managing security at their facilities. Guides
exist for:
Sports Leagues (2008--being updated);
Lodging (2010);
Outdoor Venues (2011); and
Commercial Real Estate (2013).
Evacuation Planning Guides for Stadiums and Major Events.--Assists
stadium owners and operators with preparing evacuation plans and
helping to determine when and how to evacuate, shelter-in-place, or
relocate stadium spectators and participants.
Patron Screening Best Practices Guide.--Provides suggestions and
best practices for developing and implementing patron screening
procedures at public assembly venues.
Sports Venue Bag Search Procedures Guide.--Provides suggestions for
developing and implementing bag search procedures at sporting event
venues hosting major sporting events. The purpose for establishing bag
search procedures is to control items that are hand-carried into the
sports venue. The bag search procedures should be a part of the venue's
overall security plan and should be tested and evaluated as outlined in
the security plan. The actual implementation of bag search procedures
and level of search detail will depend upon the threat to the venue as
determined by the venue's security manager.
Sports Venue Credentialing Guide.--Provides suggestions for
developing and implementing credentialing procedures at sporting event
venues that host professional sporting events. The purpose for
establishing a credentialing program is to control and restrict access
to a sports venue, and to provide venue management with information on
those who have access. Credentialing can also be used to control and
restrict vehicle movement within a venue.
Additionally, IP offers information and resources founded in best
practices to support critical infrastructure partners in the
identification and assessment of vulnerabilities and the adoption of
mitigating measures through the IP Digital Library, which is offered
through the IP Gateway. Through the IP Digital Library, Federal, State,
and local critical infrastructure partners can access sector-specific
materials relating to various industry best practices; Information-
sharing resources, practices, and protocols; applicable Standards;
sector-specific resilience reports; and other research and analytic
materials relating to critical infrastructure protection and
resilience. The Digital Library also features the Infrastructure
Protection Report Series (IPRS) which highlight common vulnerabilities
and potential indicators for specific subsets of critical
infrastructure systems, clusters, and assets.
On the cyber side, DHS participated in the development of the
National Institute for Standards and Technology's (NIST) Cybersecurity
Framework, a key resource for best practices. The Critical
Infrastructure Cyber Community Voluntary (C3VP) was created to help
improve the resiliency of critical infrastructure's cybersecurity
systems by promoting the use of the Framework. Reference materials and
assessment tools targeted to stakeholder groups can be found on-line:
https://www.us-cert.gov/ccubedvp. Additionally, DHS shares information
among public and private-sector partners to build awareness of
vulnerabilities, incidents, and mitigations. Cyber and industrial
control systems users can subscribe to information products, feeds, and
services at no cost. For example, the Cyber Resilience Review
Implementation Guide series is publicly available at the US-CERT
website to help organizations systematically address gaps in management
that often lead to vulnerabilities. The ICS-CERT website contains
alerts, advisories, and other products for critical infrastructure
owners and operators. These resources can be found at: https://www.us-
cert.gov and https://ics-cert.us-cert.gov/.
In fiscal year 2016, IP initiated a ``Connect, Plan, Train, and
Report'' campaign that is rooted in best practices to assist public and
private stakeholders proactively think about the role they play in the
safety and security their environment. In support of this effort, we
consolidated a number of key tools and resources for small and medium
venues as well as public-sector partners, on www.dhs.gov/hometown-
security. PSAs are actively engaged in this messaging campaign, and we
have developed a simple information card they can hand out to
stakeholders. We have also been able to share this messaging through
the Secretary's and other DHS senior leadership engagements.
Question 6. Dr. Ozment, how do the CSAs currently leverage, or plan
to leverage, the existing field relationships that already exist
between the private sector and Secret Service or the FBI?
Answer. Cyber Security Advisors (CSAs) regularly engage with a
number of Federal field offices, including: The Federal Bureau of
Investigation, U.S. Secret Service, Homeland Security Investigations,
U.S. Coast Guard, Federal Emergency Management Agency (FEMA), and other
partners in the field. In the case of FEMA, as noted in the
Department's response to Congressman Ratcliffe's QFR No. 1, CSAs work
with several FEMA Regions to help jurisdictions prepare for potential
physical consequences during and after a cyber incident. In addition,
CSAs leverage their relationships to assist with introductions to
owners and operators of critical infrastructure. However, each of these
agencies have relationships with the private sector that differ from
those created by a CSA. CSA engagements with private-sector companies
are voluntary, not law enforcement or regulatory. CSAs focus on cyber
preparedness, best practice promulgations, and incident planning. While
CSAs leverage those existing mechanisms, for instance to prepare
cybersecurity practitioners to work with cyber threat and incident
response partners, the CSA mission has a focus not currently replicated
within the Federal Government.
Question 7. Can you walk us through a day in the life of a CSA? At
this stage in the program's evolution, I think it will be helpful for
us to understand how much of their time is focused on making new
connections, following-up on existing relationships, conducting
assessments, etc.
Answer. Upon initial assignment to a region, new Cyber Security
Advisors (CSAs) spend significant time forming relationships with
existing Federal, State, and infrastructure sector partners, and
building holistic approaches to cyber infrastructure protection and
resilience. CSAs look for opportunities to augment what are typically
general cyber threat, incident response, and crisis management
activities, with a full spectrum of cyber preparedness, risk
mitigation, and incident planning activities--covering cyber asset
identification, protection, detection, response, and recovery
practices. As CSAs build competence with partner and individual
engagement activities, CSAs lead cybersecurity evaluation activities;
deliver cyber process improvement and best practice adoption
activities; deliver cyber preparedness and planning workshops and
presentations; attend meetings to advise cybersecurity leaders in
State, local, Tribal, and territorial (SLTT) agencies and private-
sector companies; augment cybersecurity awareness, education, and
exercise programs; support cyber threat and vulnerability-focused
outreach initiatives; work to enhance operational capabilities and
capacity within cyber communities-of-interest; advising on SLTT cyber
policy and resource activities; and supporting other Federal agency and
Sector-Specific Agency cyber engagements.
Question 8. When a cyber incident occurs on an entity that
previously engaged with a CSA, what are the roles and responsibilities
of that CSA during and after an incident? How is that CSAs previous
relationship leveraged during and after an incident?
Answer. Cyber Security Advisors (CSAs) are not focused on cyber
incident response: Their primary role is on prevention and
preparedness.
There have been very few instances, due to the small number of
CSAs, where a CSA had a prior engagement with a private-sector company
or State, local, Tribal, and territorial (SLTT) partner, and that same
partner experienced a cyber incident. In these few cases, CSAs were
generally the first point of notification by the victim. CSAs
determined the situational information surrounding the event and the
victim's basic needs for assistance.
Under these limited instances, after an incident, CSAs also
provided direct process improvement guidance on the cyber incident
process and worked to identify cyber preparedness and best practice
efforts for consideration by the victim's cyber program planning,
operations procedures, and resource allocations.
Preparedness Data--Cyber Security: In the Threat and Hazard
Identification and Risk Assessment (THIRA) process, States,
territories, urban areas, and Tribes identify their threats and hazards
of greatest concern and set capability targets that define success in
each core capability. States and territories then complete a State
Preparedness Report (SPR) to assess their current capabilities relative
to their THIRA targets.
In the 2015 THIRA, 80 percent of States and territories included a
cyber attack as a threat or hazard of primary concern, the highest
percentage of all threats and hazards. In the SPR, States and
territories identified cybersecurity as their lowest-rated capability;
Only 13 percent of State and territory responses were identified as
proficient (4 or 5 rating on 5-point scale). States and territories
have identified cybersecurity as their lowest-rated capability for 5
consecutive years.
Question 9. What are the specific metrics by which the
effectiveness of the CSA program and the assessment tools used by a CSA
are (or will be) measured?
Answer. Due to the small number of Cyber Security Advisors (CSAs)
at this time (less than 5), program effectiveness is currently measured
against limited factors. These include qualitative factors such as how
partners engaged in CSA outreach, working groups, and assessments. CSAs
report on levels of community planning toward best practices and
produce yearly analysis of partner cyber readiness, to include factors
based upon capability, capacity, and maturity. Measures and metrics for
cyber assessment effectiveness are based upon the direct solicitation
and receipt of feedback from evaluation.
Questions From Ranking Member Cedric L. Richmond for Andy Ozment
Question 1. DHS has issued a Notice of Suspension and Modification
of Certain Submission Requirements for Chemical Facilities of Interest
and Covered Chemical Facilities Under Agency Regulations (81 FR 47001)
to inform the public that the requirement to submit vulnerability
assessments and other applications would be suspended until October 1,
2016 to allow the Infrastructure Security Compliance Division (ISCD) an
opportunity to transition to ``CSAT 2.0''--an updated risk-tiering tool
that will make much-needed improvements to the existing risk assessment
methodology. The Notice provides that, once implemented, facilities
will be individually notified to re-submit applications using CSAT 2.0.
Notification will be phased. Which facilities will be notified first,
and how will facilities be staggered (i.e., by Tier? Location? Date of
original submission?)
When does ISCD expect to complete these notifications?
Answer. The Department intends to notify a broad cross-section of
the regulated community during the initial batch notification in order
to allow us to more quickly assess the actual impacts of the updated
tiering methodology and CSAT Top-Screen application on all portions of
the regulated community. The initial notification batch will include
both tiered and untiered facilities, across the country. Subsequent
notification batches are expected to include a cross-section of the
regulated community although batch composition may be adjusted, as
lessons are learned, during the review of the initial Top-Screen
submissions. The Department currently envisions notifying batches
consisting of between 500 to 1,000 facilities every 2 weeks, with all
chemical facilities of interest anticipated to have received
notification by the end of fiscal year 2018.
Question 2. The planned roll-out of CSAT 2.0 will necessarily
involve a high volume of facilities re-submitting applications within a
very short time frame. Does ISCD have systems, processes, and personnel
in place to review these resubmissions expeditiously and in a way that
does not result in administrative backlog (as seen in past years)?
Answer. DHS is implementing a phased approach for reaching out to
the facilities. The phased approach decision was made in part to reduce
the likelihood of an administrative backlog, and was based on existing
Infrastructure Security Compliance Division resource levels and
information technology capabilities. Additionally, as DHS receives and
reviews Top-Screens and issues high-risk determinations, DHS will
evaluate the length of time for each step and make adjustments, as
needed, to help prevent an administrative backlog.
Question 3. On page 47002, the Notice explains that chemical
facilities of interest, including facilities previously determined not
to be high-risk, will be among the facilities notified of the
requirement to re-submit applications using CSAT 2.0. Another section
provides that un-tiered facilities will not be notified or subject to
the re-submission requirement. Please provide more clarity on which
facilities will be notified, particularly with regard to facilities
that may have been found not to present a high level of risk in the
past but should be reconsidered against the updated tiering
methodology.
Answer. All chemical facilities of interest, including facilities
previously determined not to be high-risk, will be required to submit a
Top-Screen using the revised CSAT 2.0 Top-Screen application unless
they fall into 1 of the 4 categories of facilities enumerated in
Section IV of the Department's Federal Register Notice. 81 FR 47002.
The 4 categories enumerated in Section IV are as follows:
Agricultural Production Facilities, as defined in 73 FR
1640, or any facility subject to a similar extension issued by
the Department for submitting a Top-Screen;
Chemical facilities of interest whose only reportable
chemical of interest is present in a gasoline mixture;
Facilities that are statutorily excluded from CFATS which
include: (A) Facilities regulated under the Maritime
Transportation Security Act of 2002 (Pub. L. 107-295; 116 Stat.
2064); (B) public water systems, as that term is defined in
section 1401 of the Safe Drinking Water Act (42 U.S.C. � 300f);
(C) Treatment Works, as that term is defined in section 212 of
the Federal Water Pollution Control Act (33 U.S.C. � 1292); (D)
facilities owned or operated by the Department of Defense or
the Department of Energy; or (E) facilities subject to
regulation by the Nuclear Regulatory Commission, or by a State
that has entered into an agreement with the Nuclear Regulatory
Commission under section 274(b) of the Atomic Energy Act of
1954 (42 U.S.C. � 2021(b)) to protect against unauthorized
access of any material, activity, or structure licensed by the
Nuclear Regulatory Commission); and
Untiered facilities that previously submitted a Top-Screen
with no Chemicals of Interest (COI) selected (i.e., facilities
that have informed the Department they no longer possess a
reportable amount of any COI), so long as the facility has not
come into possession of a reportable amount of COI since
submitting their previous Top-Screen.
Question 4. Months before the July 20, 2016 notice in the Federal
Register, ISCD circulated a statement about the suspension to ``the
regulated population and industry associations to ensure maximum
dissemination.'' Why was the committee not included in this
correspondence? How will ISCD ensure that the committee is kept
apprised of the status and progress of the CSAT 2.0 transition?
Answer. In this case, the Department notified the committee
separately of the forthcoming suspension rather than include committee
Members or staff on the communication to the regulated population and
industry associations. The Department provided this notice to the
committee, via e-mail to multiple committee staff members, on June 21,
2016, 1 day after telephonically informing the Chemical and Oil and
Natural Gas Sector Coordinating Councils (SCCs) of the forthcoming
suspension, and prior to providing written notification to the SCCs. In
the future, the Department will ensure that it informs the committee
via phone or e-mail of any major programmatic activities, such as the
decision to temporarily suspend Top-Screen submission requirements,
and, as always, the Department is able to provide briefings to the
committee on any aspect of CFATS, including the CSAT 2.0 transition,
upon request.
Questions From Chairman John Ratcliffe for Caitlin Durkovich
Question 1. Ms. Durkovich, we are all aware that the majority of
the programs provided by the Office of Infrastructure Protection to
owners and operators of critical infrastructure are voluntary in
nature. Because of this it is incumbent on DHS to promote and market
the value of its services. As I mentioned in my statement, the DHS
website for critical infrastructure vulnerability assessments has
conflicting and outdated programs.
While a few minor corrections can remediate a website, those errors
lead to a larger question of how NPPD is communicating the value-added
proposition to critical infrastructure owners and operators. Can you
please discuss how NPPD currently communicates the value of these
voluntary programs to the private sector?
Answer. Through the National Protection and Programs Directorate's
(NPPD) strategic engagement efforts, we take a proactive approach to
ensure that the full range of available tools, capabilities, and
resources are well understood by our customers, including the Federal
Government; State, local, Tribal, and territorial governments; and
private-sector entities. Our customer engagements include outreach by
our field-based Protective Security Advisors and Cyber Security
Advisors. At the National level, NPPD collaborates through the National
Infrastructure Protection Plan (NIPP) Council, consisting of public and
private-sector entities to identify requirements and build capabilities
for mitigating risks. Examples include assessments, intelligence
products, and information-sharing platforms.
In addition, NPPD works with organizations across the country to
disseminate targeted information on voluntary programs available to
critical infrastructure owners and operators. Recent examples include
keynotes and panel participation at events such as the National Sports
Safety and Security Conference, Retail Industry Leaders Association
Forum, National Homeland Security Conference, Corporate Security
Symposiums, the National Conference on Building Resilience through
Public-Private Partnerships, and the Domestic Security Alliance Council
conference.
NPPD also hosts forums with our many partners utilizing the
Critical Infrastructure Partnership Advisory Council (CIPAC) where
stakeholders provide direct feedback. This translates into actionable
capabilities available at the regional, State, and local levels to
include assessments, exercises, and workshops. These include the
Active-Shooter Preparedness Program, the Homeland Security Information
Network-Critical Infrastructure portals, the Private-Sector Clearance
Program, and education and training resources.
These capabilities are actively represented by the Protective
Security Advisors (PSAs) and Cyber Security Advisors (CSAs) who work
directly with critical infrastructure owners and operators every day.
In fiscal year 2015, PSAs conducted 2,131 Enhanced Critical
Infrastructure Protection visits. These visits provide critical
infrastructure owners and operators with information on their facility,
explain how their facility fits into its critical infrastructure
sector, and provide an overview of resources available to enhance the
facility's security and resilience. Similar information is delivered
during PSA speaking engagements, panels, webinars, and meetings.
In fiscal year 2015, the 5 CSAs conducted 468 cybersecurity
engagements. On-average 90 were conducted by each CSA within their
assigned region and 13 were performed by a CSA outside of their
assigned region. These engagements encompass all evaluations, cyber
protective visits, workshops, resource briefings, and speaking
engagements. Engagements focus on assessment, planning, and promotion
of cyber preparedness, risk mitigation, and asset response
coordination.
Question 2. In responding to an incident, what are the roles and
responsibilities of a PSA and how do they engage with the lead agency
as the situation is developing and post-incident?
Answer. As part of the National Planning Frameworks and Federal
Interagency Operational Plans, the Protective Security Advisors (PSAs)
support response, recovery, and reconstitution efforts during
incidents. During an incident, the PSAs deploy to the Joint Field
Offices; National and Regional Response Coordination Centers (RRCC);
and regional, State, and county Emergency Operations Centers (EOCs) as
necessary to support Federal and State emergency response officials, to
include the Federal Coordinating Officer and the Unified Command Group.
They serve as Infrastructure Liaisons by providing expert knowledge of
the impacted infrastructure; maintaining communications and information
sharing with owners and operators of critical infrastructure; and
prioritizing and coordinating response, recovery, and reconstitution
efforts. Specific to Emergency Support Functions (ESFs), PSAs provide
direct support to lead agencies by leveraging established relationships
with owners and operators of critical infrastructure. For example,
under ESF-12, a PSA would support the Department of Energy with
reestablishment of damaged energy systems and components. PSAs often
assist with connecting owners and operators with appropriate agencies.
Question 3. What are the specific metrics by which the
effectiveness of the PSA program and the various assessment tools are
measured?
Answer. Quarterly and end-of-year performance measures are
submitted under the Government Performance and Results Act (GPRA). One
of these measures includes the percentage of critical infrastructure
facilities that are likely to enhance their security and resilience by
integrating Infrastructure Protection (IP) vulnerability assessments or
survey information. Providing facilities with vulnerability information
allows them to understand and reduce their risk. In fiscal year 2016
Q3, 90% of facilities reported they were likely to integrate, or have
integrated, some of the protective measures detailed in their
assessment report.
For fiscal year 2016, IP has delivered 507 Infrastructure Survey
Tool (IST) dashboards to owners and operators. The IST provides
Protective and Resilience Measures Indices for facility owners and
operators and identifies physical security, security management,
protective measures, information sharing, dependencies, and
capabilities related to preparedness, mitigation, response, resilience,
and recovery. Performance is measured against a delivery of 600 IST
surveys by September 30, 2016.
The Regional Resiliency Assessment Program (RRAP) is measured by
primary stakeholders that have implemented, planned to implement, or
are in the process of implementing at least one security or resilience
enhancement related to RRAP Key Findings within 3 years following the
publication of the final RRAP report. This metric stands at 50%.
The PSAs support National Special Security Events (NSSE) and
Special Events Assessment Rating (SEAR) Level 1 & 2 events with on-site
critical infrastructure expertise, products, and analysis. Performance
is measured by supporting 100% of the NSSEs and SEAR 1& 2 level events
in fiscal year 2016. Some of the events include Super Bowl 50, and the
Republican National Convention and Democratic National Convention. This
metric stands at 100%.
PSAs support Federal, State, local, Tribal, and territorial
partners, and owners and operators of critical infrastructure during
man-made or natural incident response. In fiscal year 2016, PSAs have
responded to 201 incidents.
Question 4. Since 2004, DHS has maintained infrastructure
protection field operations throughout the Protective Security Advisory
(PSA) program. PSAs are trained critical infrastructure protection and
vulnerability subject-matter experts. Given the complexity of critical
infrastructure protection and the largely private ownership, what
barriers, if any, impede DHS's ability to partner with facility owners
and operators through the PSA program?
Answer. The most common barriers are:
The point of contact (POC) requires coordination with their
corporate office,
POC lacks the amount of time to commit to an assessment,
Facility is already confident in its security posture,
Facility does not allow data collection as it is a regulated
facility (nuclear or defense industrial base),
Facility lacks a budget for implementing potential security
improvements,
Facility does not want to share its information with the
Government.
In addition to these concerns, DHS is working to address the
logistical challenge of placing sufficient staff in the field to meet
the needs of our diverse and disparate stakeholders. The PSA program
has been successful in large part because it provides trained staff
across the Nation, reaching outside of Washington, DC, to form trusted
relationships. In fiscal year 2016, DHS began a disciplined shift to
build on this model and emphasize regional activities. Support for this
regionalization initiative is one of the most important ways to improve
DHS's ability to partner with facility owners and operators.
Since its inception, the PSA program has focused on supporting
partners in hardening and securing existing infrastructure. As the
program has matured, the partner needs have evolved, and the PSA
program is adapting to support a broad range of risk management and
resilience activities across infrastructure sectors, stakeholder
groups, threats, and hazards.
Question 5. Dr. Ozment, how is the CSA program engaging with the
critical infrastructure community in light of the fact that most
critical infrastructure is privately owned and operated?
Answer. Engagements with critical infrastructure owners and
operators are voluntary-based. Our Cyber Security Advisors (CSAs) focus
on building trusted relationships with owners and operators,
demonstrating the value we bring through risk assessments and
connecting customers to our services, sharing best practices, and
sharing the current threat landscape. One way we reach this community
is through existing fora, such as InfraGard, Electronic Crime Task
Forces, Cyber Working Groups, Area Maritime Security Committee
Meetings, and industry conferences. Additionally, our CSAs leverage
existing relationships within the Department, including those that have
been developed by Protective Security Advisors and the National
Cybersecurity and Communications Integration Center (NCCIC).
CSAs work with State cybersecurity leaders, including Homeland
Security Advisors, Chief Information Security Officers, and cyber
infrastructure protection and emergency management planners, to engage
critical infrastructure owners and operators through State-led cyber
working groups, information-sharing and analysis centers, fusion
centers, and law enforcement outreach groups.
Question 6. GAO reported that DHS has conducted thousands of
assessments of critical infrastructure in the last few years using at
least 10 different tools. These tools do not all cover the same
vulnerabilities, they vary in detail and complexity, and some overlap.
GAO made recommendations that DHS should address the overlap to avoid
potentially unnecessary duplication and gaps. According to the GAO, DHS
established a working group to address the overlapping assessments and
potential duplication and gaps. What is the status of fulfilling GAO
recommendation?
Answer. The Department of Homeland Security (DHS) concurred with
GAO's recommendations and has moved forward to harmonize critical
infrastructure security vulnerability assessments across Federal
departments and agencies. Over the past couple of years, the National
Protection and Programs Directorate's (NPPD's) Office of Infrastructure
Protection has worked with the Transportation Security Administration
(TSA), the Federal Protective Service (FPS), the United States Coast
Guard (USCG), the Office of Cybersecurity and Communications (CS&C),
and other DHS agencies to collaboratively identify a core set of
questions and anticipated response options from the single assessment
methodology.
The Cross-Agency Vulnerability Assessment Working Group, consisting
of members from Federal departments and agencies with relevant
vulnerability assessments, was charged to:
Identify key critical infrastructure security-related
assessment tools and methods used or offered by Federal
departments and agencies;
Analyze the key critical infrastructure security-related
assessment tools and methods to understand areas each
assessment captures;
Develop and disseminate guidance for areas that should be
included in vulnerability assessments of critical
infrastructure to enable a more coordinated and integrated
approach.
To support the working group, NPPD established a portal for
departments and agencies to upload documentation to include
vulnerability assessment questionnaires, methodology, user guides, fact
sheets, and other technical documentation.
NPPD completed an analysis of tools and methodologies across
approximately 5,000 assessments, the findings of which identified that
core questions in 6 Key Security Areas have the greatest impact on
infrastructure security, while covering the range of security areas
envisioned by GAO. Consequently, NPPD has provided these core questions
to Federal partners and has recommended inclusion of the questions in
the next update or modification to respective Assessment questions and/
or tools. With respect to DHS assessment tools, these core questions
have been and will be continue to be integrated into all assessment
tools when appropriate and used across the Department to further enable
cross component and agency comparison of assessed assets and risk.
In addition, NPPD/IP has implemented a single assessment
methodology that enables the IP mission partners to assess
vulnerabilities and risk using the IP Gateway suite of assessment tools
and integrated situational awareness and analytic planning and response
tools. More than 80 State and Federal Department and agency partners
currently use the IP Gateway to support their critical infrastructure
protection needs. NPPD is currently working with additional partners to
become IP Gateway partners.
Question 7. Given the number of assessments, how prepared are the
Nation's most at-risk critical infrastructure to threats from
international and domestic terrorists and other high-risk
vulnerabilities and hazards?
Answer. NPPD's work has demonstrated that the Nation's most at-risk
critical infrastructure is well-prepared--but faces new and continually
evolving challenges. In addition to facing increasingly dynamic
international and domestic terrorist threats and a wide range of
hazards, the demands placed on infrastructure systems are expanding,
while the American communities that infrastructure serves and supports
have increasingly diverse needs. This environment of change emphasizes
the importance of investing in the tools and resources that DHS
provides for making security decisions about critical infrastructure.
Further compounding these challenges is the underinvestment in critical
infrastructure and the reality that the demand on infrastructure in the
United States is increasing while investment capital is flagging.
The 2016 National Preparedness Report identified the Infrastructure
Systems core capability within the National planning system as 1 of 6
capabilities that remain National areas for improvement. Likewise,
based on State Preparedness Report (SPR) data, States and territories
reported some of the lowest proficiency in the Protection mission area,
which is relevant to critical infrastructure. However, notwithstanding
the remaining gaps in reported proficiency, we are seeing improvement
over time. For example, based on a review of SPR ``proficiency delta
data,'' 71% of core capabilities in the Prevention mission area, 64% in
Protection, and 86% in Mitigation were reported as improving in
proficiency from 2012-2015. In 2016, the first edition of the
Protection Federal Interagency Operational Plan was completed, paving
the way for an improved interagency model for coordinating
infrastructure security and resilience concerns.
In the area of National preparedness, there are evident areas for
growth, and areas where the IP assessment programs can increase their
support for that growth. The DHS assessment programs are vital tools
for continuing to improve our understanding of risks to infrastructure,
providing resources for managing those risks, and encouraging owners
and operators to take action. IP assessments contribute to the
preparedness of the Nation's infrastructure through a model of
continued engagement and evaluation. Because our critical
infrastructure is heavily networked, both large and small
infrastructure enterprises can be central to security and resilience,
and IP's suite of assessment capabilities is tailored to meet the
varied needs of our stakeholders.
Corresponding to this networked nature of our critical
infrastructure, DHS measures the success of its assessment program both
in terms of completing assessments, and in terms of our stakeholders
taking action based on the indices and information developed through
our assessments. In terms of completing assessments, since fiscal year
2010, 4,416 Infrastructure Survey Tool (IST) assessments have been
conducted. In fiscal year 2015, approximately 88% of facilities where
DHS conducted an Infrastructure Survey Tool (IST) assessment reported
they were likely to integrate, or have integrated, some of the
protective measures detailed in the assessment report. This is up from
86% in fiscal year 2014 and 85% in fiscal year 2013. The most common
improvements include enhancements to electronic security systems,
security force, and security management. This kind of action is one
important indicator of the impact that our assessments have on the
security and resilience of infrastructure, but does not provide a
perfect measure of the overall state of preparedness of the Nation's
infrastructure.
Furthermore, the security and resilience of our Nation's critical
infrastructure relies on robust sector coordination structures
developed under the National Infrastructure Protection Plan, meaning
that measuring impact of the IP assessment program on the security and
resilience of the Nation's critical infrastructure is tied to measuring
the success of these coordination structures. In 2016, all of the
Sector-Specific Plans under the NIPP were updated, improving our
ability to work within and across infrastructure sectors to set
priorities and manage risk. NPPD provides support to owners and
operators across the 16 critical infrastructure sectors that have grown
due to the increasingly complex and dispersed nature of the threat,
including soft targets and cyber dependence.
Measuring the success of IP assessment programs must be a
continuous and evolving process to capture the increasingly complex and
dispersed nature of threats, as well as other high-risk vulnerabilities
and hazards to at-risk infrastructure. Accordingly, at the direction of
Congress, NPPD is currently undertaking a 3-year strategic plan for
IP's assessments that will strengthen our ability to leverage the data
we have collected during assessments to characterize our National
understanding of risks, support National preparedness planning, and
support our partners. This plan will allow us to better understand how
DHS assessment programs inform our National picture of risk, as well as
how data from assessment programs can both improve our prioritization
efforts and better support National preparedness planning, particularly
as it relates to our most at-risk critical infrastructure and physical/
cyber convergence in assessments.
In a continually evolving environment, we strive to respond to
threats, high-risk vulnerabilities and hazards to our Nation's most at-
risk critical infrastructure through the use of DHS assessment programs
and continued coordination with both large and small infrastructure
enterprises. The DHS assessment programs are one tool that we use that
can provide great value for owners and operators to take action. DHS
assessment programs, as well as the 3-year strategic plan for
assessments are integral mechanisms for understanding the increasingly
complex and dispersed nature of threats, improving our prioritization
efforts, and better supporting National preparedness planning.
Question 8. How are the PSAs engaging with their counterparts from
Sector-Specific Agencies such as the Department of Energy or
Environmental Protection Agency, in ensuring our Nation's critical
infrastructure is protected?
Dr. Ozment, the same question regarding the CSAs?
Answer. Protective Security Advisors (PSAs) and Cyber Security
Advisors (CSAs) engage with Sector-Specific Agencies (SSAs) during
assessments, incident response efforts, and threat-directed outreach.
The National Protection and Programs Directorate (NPPD) serves as
the SSA for 6 of the 16 critical infrastructure Sectors and coordinates
with the other 10 sectors. Through this voluntary partnership framework
consisting of a Government Coordinating Council and a Sector
Coordinating Council an effective mechanism has been established for
collecting data, sharing information, and advancing collective actions
for National critical infrastructure security and resilience. NPPD
employs sector liaisons who are responsible for serving as conduits
between the Department and external SSAs.
Training.--The Office of Infrastructure Protection (IP) in
collaboration with the Environmental Protection Agency (EPA) and Water
Sector partners developed an on-line training course, ``Risk Management
for the Water Sector.'' The course is designed to provide water and
wastewater facility owners and operators with general knowledge of risk
management. In addition, the course introduces EPA's Vulnerability
Self-Assessment Tool (VSAT).
Threat-Directed Outreach.--During outreach to State, local, Tribal,
and territorial (SLTT) Government and private-sector partners, PSAs
coordinate activities with appropriate Federal agencies and SSAs. For
example, in response to a coordinated attack on an electric substation
in Metcalf, CA, on April 18, 2013, the Department of Energy (DOE) and
the Department of Homeland Security (DHS), in coordination with the
Federal Bureau of Investigation, the Federal Energy Regulatory
Commission's Office of Energy Infrastructure Security, the Electricity
Sector Information Sharing and Analysis Center partners, and industry
experts conducted a series of briefings Nation-wide for owners,
operators, and local law enforcement. These briefings provided a threat
overview, and information on available tools, resources, and best
practices. Additional targeted PSA-led efforts were conducted in
partnership with service providers such as Exelon/PECO and ConEdison.
Assessments.--One of the major strengths of the Regional Resiliency
Assessment Program (RRAP) is the collaboration that brings together
Federal, State, local, Tribal, and territorial governments, and the
private sector to work with DHS. Collaboration at the regional level is
led by the PSAs assigned to execute the project, with support from
CSAs. Interagency coordination occurs between headquarters offices as
well. The RRAP team provides project briefings to the SSAs and their
Government Coordinating Councils (GCCs) and Sector Coordinating
Councils (SCCs). SSAs are relied upon to provide insight into the
operations and vulnerabilities of infrastructure, as well as to connect
the RRAP project teams, which include PSAs and CSAs, to relevant
industry and Government contacts who can assist in the assessment and
analysis. Some examples of SSA and interagency involvement include:
DOE has assisted DHS on numerous oil and natural gas RRAP
projects. Current collaboration includes a resilience project
for the electric power grid in the Northeast in support of
recommended actions from the 2015 Quadrennial Energy Review.
U.S. Coast Guard (USCG) is a strong SSA partner. The USCG is
included in port- or maritime transportation-related RRAP
projects. Examples include the 2013 Columbia River Basin
project and the 2016 Gulf of Mexico project, in support of the
USCG-led Gulf of Mexico Area Maritime Security Committee.
U.S. Army Corps of Engineers regularly participates in dam-
related projects. They are currently involved in a 2015 project
in Louisville, Kentucky, and a 2016 project in Branson,
Missouri.
Department of Transportation regularly participates in
transportation disruption-focused projects, including the 2013
Cajon Pass (California) and 2014 Alaska projects.
U.S. Department of Agriculture has been involved in the
agriculture-focused projects in Texas, California, Alabama, New
Mexico, examining issues such as biosecurity of the cattle
industry and the milk supply chain.
In addition to the SSAs, the RRAP team also works with other
Federal agencies, including the Federal Emergency Management Agency
(FEMA), the National Oceanic and Atmospheric Administration (NOAA),
U.S. Geological Survey (USGS), and other Emergency Support Function
(ESF) and Recovery Support Function (RSF) leads. FEMA contributes
hazard information and insight into regional disaster planning and
capabilities. In turn, RRAP analyses improve planning factors related
to infrastructure dependencies and hazard impacts. NOAA and USGS
provide very specific, useful hazard information and models (e.g.,
earthquakes, tsunamis, overland flooding/storm surge) that the RRAP
uses to inform analyses of infrastructure impacts. The many ESF and RSF
agencies provide insight into their response and recovery roles,
capabilities, and plans.
Incident Response.--PSAs engage the agencies designated as
Emergency Support Function (ESF) and Recovery Support Function (RSF)
leads, which include SSAs.
Under the Recovery Support Functions for infrastructure systems,
the U.S. Army Corps of Engineers is the National Coordinating Agency
for the Federal Government's efforts to support recovery goals related
to the public engineering of the Nation's infrastructure systems. NPPD
is a Primary Agency in this effort, along with a number of other SSAs
who serve as Primary Agencies or Supporting Organizations. In this
role, PSAs may deploy to Joint Field Offices (JFO) or Regional Field
Offices (RFO) to assist with infrastructure recovery operations.
Cyber Security Advisors.--CSAs engage with SSAs to raise awareness
and improve readiness. For example, CSAs work with SSAs to identify
sector-based, critical cyber services. CSAs then focus voluntary
cybersecurity evaluations at these services. Additionally, the CSAs
assisted DOE with developing the Electricity Subsector--Cybersecurity
Capability Maturity Model (ES-C2M2) assessment, which is derived from
the Cyber Resilience Review. ES-C2M2 is a sector-specific maturity
model that guides electricity companies in implementing best practices.
In the field, CSAs have coordinated with the Environmental Protection
Agency on water engagements, the Coast Guard on maritime engagements,
the Transportation Security Administration on mass transit engagements,
and Treasury on financial service engagements.
Question 9. The National Critical Infrastructure Prioritization
Program (NCIPP) identifies a list of Nationally-significant critical
infrastructure each year that is used to, among other things,
prioritize voluntary vulnerability assessments that will be conducted
by PSAs. According to GAO's testimony, as of August 2014, DHS officials
reported that they are exploring options to streamline the process and
limit the delay of dissemination of the NCIPP list among those who have
a need-to-know.
What is the status of efforts to streamline the NCIPP process and
limit to delays in disseminating this list?
Answer. The Department (DHS) has streamlined the NCIPP process in a
number of ways:
DHS has eliminated the requirement of States and sectors to
re-nominate the same infrastructure every year by automatically
approving infrastructure already on the Level 1 and Level 2
List. This has significantly decreased the time and manpower
requirements on partners.
The consequence criteria threshold used for the Level 1 and
Level 2 List has remained largely stable for more than 5 years.
This stability has allowed partners to better understand how
the criteria may be applied to various infrastructure and focus
their efforts on those assets, systems, and clusters whose
consequences are most likely to reach the established criteria.
DHS has increased the assistance and outreach provided to
State and local partners prior to and during the data call
including on specific nominations and guidance on approaches
nominators might take to maximize the probability of approval.
The system used to make nominations for the Level 1 and
Level 2 List is available to States and sectors year round
enabling partners to work on nomination justifications at their
own pace.
DHS continues to work with State and Territorial Homeland Security
Advisors, through the PSAs, to make delivery of the completed list as
efficient as possible. This includes the increased use of electronic
dissemination of the lists through State and Local Fusion Centers. The
overall stability of the List has also decreased the time required to
finalize and prepare the list for dissemination. The average
dissemination time has been reduced by approximately 2 months.
As of August 2014, GAO closed out all recommendations associated
with GAO 13-296 Critical Infrastructure Protection: DHS List of
Priority Assets Needs to Be Validated and Reported to Congress.
Question 10. Background material provided to the committee in
preparation for this hearing regarding the PSAs notes that in 2015, the
PSAs conducted 949 ``Cyber Enhancement'' engagements. Can you please go
into more detail on what those engagements entail and how do they
overlap with or differ from engagement by CSAs?
Answer. The evolving risk landscape associated with cybersecurity
highlights the increasingly close connection between cyber and physical
systems, including the potential for physical impacts associated with
the exploitation of cyber vulnerabilities. For this reason, Protective
Security Advisors (PSAs) conduct cyber enhancement events that include
the Office of Cybersecurity and Communications. These cybersecurity and
resiliency meetings, cyber-related assessments, special event support,
and engagements with stakeholders provide opportunities for addressing
cyber and physical risks in a holistic and coordinated fashion. As
reflected in State Preparedness Reports, cybersecurity continues to be
one of the top concerns at the State and local level. PSAs are trained
to communicate the Department's cybersecurity services available to
stakeholders. In many cases, PSAs and Cyber Security Advisors (CSAs)
work together on identifying stakeholder needs.
Questions From Chairman John Ratcliffe for Marcus Brown
Question 1. Given the focus of some assessments on threats to
specific regions, are there any U.S. cities or sector that are examples
of best practices in collaborating with and among DHS offices and
components and other Federal partners in participating in assessments
and taking actions to address vulnerabilities identified?
Answer. There has been extremely good collaboration among Federal
agencies (including various DHS elements) in conducting assessments and
assisting owners and operators of critical infrastructure, and a good
example would be the Greater Philadelphia area. DHS entities such as
NPPD, FEMA, Coast Guard, Customs and Border Protection, the U.S. Secret
Service, etc. have worked together with the Federal Bureau of
Investigation, National Park Service, Health and Human Services,
Environmental Protection Agency, Department of Energy, etc. to conduct/
participate in assessments of all types. There have been cyber and
physical vulnerabilities identified and protective measures implemented
in many sectors, including: Commercial Facilities; Energy; Water/
Wastewater; Health Care; etc. These protective measures have included:
Access control (barriers, CCTV, electronic access control systems,
fencing, etc.), security and emergency planning, security management
practices, resilience of lifeline dependencies, cybersecurity, and a
host of others.
Question 2a. According to the GAO testimony, DHS established a
policy in October 2014 to conduct quarterly reviews of programs related
to critical infrastructure to better understand the barriers critical
infrastructure owners and operators face in improving the security of
their assets. What trends has DHS identified in declinations using its
tracking system since October 2013?
Has DHS identified barriers that critical infrastructure owners and
operators face in making improvements?
Question 2b. If so, what are those barriers?
Answer. We believe that many of the barriers that owners and
operators face in making improvements to critical infrastructure are a
result of trade-offs that have to be made in a fiscally-constrained
environment. Owners and operators in the State have benefitted from the
voluntary surveys that DHS conducts on critical infrastructure using
the Infrastructure Survey Tool (IST), a web-based vulnerability survey
conducted by DHS's Protective Security Advisors (PSAs) to identify and
document the overall security and resilience of a facility. Based on
information from our local PSA, the resulting survey information is
provided to owners and operators through the interactive Dashboards.
The Dashboards highlight areas of potential concern and feature options
to view the impact of potential enhancements to protection and
resilience measures. The written report, developed from the IST data,
contains a description of the facility and its vulnerabilities as well
as recommendations to mitigate identified vulnerabilities. The PSAs
follow-up with the facility approximately 1 year after the Dashboard is
provided to better understand the value of the survey and potential
enhancements that were made as a result of the survey. Feedback is
quantified and analysis conducted on the responses to determine if
security and resilience enhancements are being implemented, and if
there are impediments to incorporating recommended enhancements. Based
on the feedback we have received from the PSA, approximately 90% of
facilities are likely to integrate, or have integrated, some of the
protective measures detailed in the assessment report. The most common
improvements include enhancements to electronic security systems,
security force, and security management. The PSA indicated that
barriers for making changes include cost-prohibitive capital
investments, lack of project management resources, differing strategic
priorities, plans to move or significantly change the facility, and
local ordinances.