Critical Infrastructure Protection: Improving Information Sharing
with Infrastructure Sectors (09-JUL-04, GAO-04-780).		 
                                                                 
Critical infrastructure protection (CIP) activities called for in
federal policy and law are intended to enhance the security of	 
the public and private infrastructures that are essential to our 
nation's security, economic security, and public health and	 
safety. Effective information-sharing partnerships between	 
industry sectors and government can contribute to CIP efforts.	 
Federal policy has encouraged the voluntary creation of 	 
information sharing and analysis centers (ISAC) to facilitate	 
infrastructure sector participation in CIP information sharing	 
efforts. GAO was asked to identify actions that the Department of
Homeland Security (DHS) could take to improve the effectiveness  
of CIP information-sharing efforts.				 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-04-780 					        
    ACCNO:   A10851						        
  TITLE:     Critical Infrastructure Protection: Improving Information
Sharing with Infrastructure Sectors				 
     DATE:   07/09/2004 
  SUBJECT:   Counterterrorism					 
	     Facility security					 
	     Government information dissemination		 
	     Information centers				 
	     Information disclosure				 
	     Information resources management			 
	     National policies					 
	     National preparedness				 
	     Planning						 
	     Private sector					 
	     Private sector practices				 
	     Reporting requirements				 
	     Computer security					 
	     Physical security					 
	     Intergovernmental relations			 
	     Critical infrastructure				 
	     Policies and procedures				 
	     Public/private partnerships			 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-04-780

                    United States General Accounting Office

                                   July 2004

CRITICAL INFRASTRUCTURE PROTECTION

           Improving Information Sharing with Infrastructure Sectors

                                       a

GAO-04-780

Highlights of GAO-04-780, a report to congressional requesters

Critical infrastructure protection (CIP) activities called for in federal
policy and law are intended to enhance the security of the public and
private infrastructures that are essential to our nation's security,
economic security, and public health and safety. Effective
information-sharing partnerships between industry sectors and government
can contribute to CIP efforts.

Federal policy has encouraged the voluntary creation of information
sharing and analysis centers (ISAC) to facilitate infrastructure sector
participation in CIP information sharing efforts. GAO was asked to
identify actions that the Department of Homeland Security (DHS) could take
to improve the effectiveness of CIP informationsharing efforts.

GAO recommends that the Secretary of Homeland Security direct officials
within DHS to (1) proceed with the development of an information-sharing
plan that describes the roles and responsibilities of DHS, the ISACs, and
other entities and (2) establish appropriate department policies and
procedures for interactions with other CIP entities and for coordination
and information sharing among DHS components. DHS commented on a draft of
this report and generally agreed with our findings and recommendations.

July 2004

CRITICAL INFRASTRUCTURE PROTECTION

Improving Information Sharing with Infrastructure Sectors

Federal awareness of the importance of securing the nation's critical
infrastructures-and the federal government's strategy to encourage
cooperative efforts among state and local governments and the private
sector to protect these infrastructures-have been evolving since the
mid1990s. Federal policy continues to emphasize the importance of the
ISACs and their information-sharing functions. In addition, federal policy
established specific responsibilities for DHS and other federal agencies
involved with the CIP sectors. The ISACs have identified challenges
requiring further federal action, including building trusted
relationships; developing processes to facilitate information sharing;
overcoming barriers to information sharing; clarifying the roles and
responsibilities of the various government and private-sector entities
that are involved in protecting critical infrastructures; and funding ISAC
operations and activities.

Although DHS has taken a number of actions to implement the public/private
partnership called for by federal CIP policy, it has not yet developed a
plan that describes how it will carry out its information-sharing
responsibilities and relationships. Such a plan could encourage improved
information sharing among the ISACs, other CIP entities, and the
department by clarifying the roles and responsibilities of all the
entities involved and clearly articulating actions to address the
challenges that remain. DHS officials indicated that they intend to
develop an information-sharing plan, but no specific time frame for
completing the plan has been established.

The department also lacks policies and procedures to ensure effective
coordination and sharing of ISAC-provided information among the
appropriate components within the department. Developing policies and
procedures would help ensure that information is effectively and
efficiently shared among its components and with other government and
private-sector CIP entities.

www.gao.gov/cgi-bin/getrpt?GAO-04-780.

To view the full product, including the scope and methodology, click on
the link above. For more information, contact Robert F. Dacey at
202-512-3317 or [email protected].

Contents

     Letter                                                                 1 
                                  Results in Brief                          2 
                                     Background                             3 
                Further DHS Actions Could Enhance Information Sharing      10 
                                     Conclusions                           12 
                        Recommendations for Executive Action               13 
                                   Agency Comments                         13 

Appendixes Appendix I: Appendix II: Appendix III:

Appendix IV: Appendix V: GAO's April 21, 2004, Testimony

Comments from the Department of Homeland Security

Comments from the Department of Health and Human Services

Comments from the Department of the Treasury

GAO Contact and Staff Acknowledgments

GAO Contact
Staff Acknowledgments

                                     15 58

61

62

63 63 63

Tables Table 1: Critical Infrastructure Sectors Identified by Federal
Policy 5 Table 2: ISACs by Sector 7

                Page i GAO-04-780 Critical Infrastructure ISACs

Abbreviations

CIP critical infrastructure protection
DHS Department of Homeland Security
HHS Department of Health and Human Services
HSPD Homeland Security Presidential Directive
IAIP Information Analysis and Infrastructure Protection
ISAC information sharing and analysis center
TSA Transportation Security Administration

This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed in
its entirety without further permission from GAO. However, because this
work may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this material
separately.

                Page ii GAO-04-780 Critical Infrastructure ISACs

A

United States General Accounting Office Washington, D.C. 20548

July 9, 2004

The Honorable Mac Thornberry

Chairman, Subcommittee on Cybersecurity, Science, and Research and
Development Select Committee on Homeland Security House of Representatives

The Honorable Zoe Lofgren

Ranking Member

Subcommittee on Cybersecurity, Science, and Research and Development
Select Committee on Homeland Security House of Representatives

The Honorable Dave Camp Chairman, Subcommittee on Infrastructure and
Border Security Select Committee on Homeland Security House of
Representatives

The Honorable Loretta Sanchez Ranking Member Subcommittee on
Infrastructure and Border Security Select Committee on Homeland Security
House of Representatives

Federal policy and law, including the Homeland Security Act of 2002,1 call
for critical infrastructure protection (CIP) activities intended to
enhance
the security of the cyber and physical, public, and private
infrastructures
that are essential to national security, national economic security, or
national public health and safety. Federal policy, evolving since the
mid-1990s, has encouraged the voluntary creation of information sharing
and analysis centers (ISAC) to facilitate the private sector's
participation in
CIP by serving as mechanisms for gathering and analyzing information and
sharing it among the infrastructure sectors and between the private sector
and government. In addition, federal policy established specific
responsibilities for the Department of Homeland Security (DHS) and other
federal agencies involved with the CIP infrastructure sectors, including
designation of sector-specific federal agencies for each sector to

1Homeland Security Act of 2002, P.L. 107-296 (Nov. 25, 2002).

Page 1 GAO-04-780 Critical Infrastructure ISACs

coordinate CIP activities and sector coordinators from the sectors to work
with the sector-specific agencies.

In April, we testified before your subcommittees on the status of
private-sector ISACs and their efforts to help protect our nation's
critical infrastructures2 (see app.1). In brief, we reported that

o 	the current ISACs were established and developed based on the unique
characteristics and needs of their individual sectors;

o 	DHS and the sector-specific agencies have undertaken a number of
efforts to address the public/private partnership called for by federal
policy on critical infrastructure protection and to continue to develop
their relationships with the ISACs and with each other; and

o 	a number of challenges to the ISACs' successful establishment,
operation, and partnership with DHS and other federal agencies remain,
some of which were described by the ISAC Council3 through a series of
white papers.

Subsequent to the April 2004 testimony, your staff requested that we
identify actions DHS could take to improve the effectiveness of CIP
information sharing efforts. To address this objective, we considered
evidence gathered to support our April 2004 testimony, including analysis
of information obtained from officials from ISAC organizations, the ISAC
Council, and sector-specific agencies. We performed our work from November
2003 to May 2004, in accordance with generally accepted government
auditing standards.

Results in Brief	DHS can take two key actions to improve the effectiveness
of its information-sharing efforts with the ISACs and others. First, a
number of challenges have been identified by the ISAC community that could
be

2U.S. General Accounting Office, Critical Infrastructure Protection:
Establishing Effective Information Sharing with Infrastructure Sectors,
GAO-04-699T (Washington, D.C.: Apr. 21, 2004).

3Eleven ISACs created an ISAC Council to improve the ISACs' efficiency and
effectiveness. It works on various operational, process, and other common
issues to effectively analyze and disseminate information and, where
possible, to leverage the work of the entire ISAC community.

                Page 2 GAO-04-780 Critical Infrastructure ISACs

addressed with the development of an information-sharing plan that, among
other things, defines the roles and responsibilities of the various
stakeholders and establishes criteria for providing the appropriate
incentives to address the challenges. In addition, DHS's ability to
gather, analyze, and disseminate information could be improved by
developing information sharing-related policies and procedures for its
components. We are making recommendations to DHS to proceed with the
development of an information sharing plan and to establish appropriate
policies and procedures for interacting with ISACs, sector coordinators,
and sector-specific agencies, and for coordination and information sharing
within DHS components.

DHS and the Departments of Health and Human Services (HHS) and the
Treasury provided written comments on a draft of this report (see app. II,
III, and IV, respectively). In its comments, a representative from DHS's
Office of the Chief Financial Officer stated that the department generally
agreed with our findings and the recommendations. We also received
technical comments from the Environmental Protection Agency, which have
been incorporated into this report, as appropriate. The Departments of
Agriculture and Energy reviewed a draft of this report and responded by
stating that they had no comments.

Background	Information sharing is an integral part of the federal
government's CIP efforts. As discussed in our April testimony, a number of
ISACs have been established to meet the information-sharing needs of their
respective sectors, and the federal government has undertaken steps to
improve CIP information sharing. Yet sector representatives have
identified a number of challenges to effective information sharing.

Federal CIP Policy Federal law and policy emphasize the importance of
information sharing to Emphasizes Information the successful protection of
our nation's critical infrastructures. The Sharing Homeland Security Act
of 2002 established DHS and made the department's

Information Analysis and Infrastructure Protection (IAIP) Directorate

                Page 3 GAO-04-780 Critical Infrastructure ISACs

responsible for CIP functions with a lead role for information sharing
within DHS and the federal government.4 IAIP's responsibilities include

o 	accessing, receiving, and analyzing law enforcement information,
intelligence information, and other threat and incident information from
respective agencies of federal, state, and local governments and the
private sector;

o 	combining and analyzing such information to identify and assess the
nature and scope of terrorist threats; and

o 	disseminating, as appropriate, information analyzed by DHS, within the
department, to other federal agencies, state and local government
agencies, and private-sector entities.

As also required by the Homeland Security Act, IAIP is responsible for (1)
developing a comprehensive national plan for securing the key resources
and critical infrastructure of the United States and (2) recommending
measures to protect the key resources and critical infrastructure of the
United States in coordination with other federal agencies and in
cooperation with state and local government agencies and authorities, the
private sector, and other entities.

Current CIP policy, described in Homeland Security Presidential Directive
7 (HSPD-7), defines responsibilities for DHS, sector-specific agencies,
and other departments and agencies. It instructs federal departments and
agencies to identify, prioritize, and coordinate the protection of
critical infrastructure to prevent, deter, and mitigate the effects of
attacks. The Secretary of Homeland Security is assigned several
responsibilities, including establishing uniform policies, approaches,
guidelines, and methodologies for integrating federal infrastructure
protection and risk management activities within and across sectors. To
ensure the coverage of critical sectors, HSPD-7 designated sector specific
agencies for the critical infrastructure sectors identified. These
agencies are responsible for infrastructure protection activities in their
assigned sectors, which include coordinating and collaborating with
relevant federal agencies, state and

4The Homeland Security Act of 2002 designated five undersecretaries, among
other entities, with responsibility over directorates for management,
science and technology, information analysis and infrastructure
protection, border and transportation security, and emergency preparedness
and response.

                Page 4 GAO-04-780 Critical Infrastructure ISACs

local governments, and the private sector to carry out their
responsibilities and facilitating the sharing of information about
physical and cyber threats, vulnerabilities, incidents, potential
protective measures, and best practices. Further, the sector-specific
agencies are to continue to encourage the development of
information-sharing and analysis mechanisms and to support
sector-coordinating mechanisms. Table 1 identifies the infrastructure
sectors specified in federal policy and the related sector-specific
agencies.

     Table 1: Critical Infrastructure Sectors Identified by Federal Policy

     Sector                Description               Sector-specific agency   
                  Provides for the fundamental need                           
                       for food. The infrastructure Department of Agriculture 
Agriculture                             includes                       and
                 supply chains for feed and crop    Department of Health and  
                           production.              
                                                         Human Services       

Banking and finance	Provides the financial infrastructure of the nation.
This sector consists of Department of the Treasury commercial banks,
insurance companies, mutual funds, government-sponsored enterprises,
pension funds, and other financial institutions that carry out
transactions including clearing and settlement.

Chemicals and Transforms natural raw materials into commonly used products
benefiting Department of Homeland

hazardous materials	society's health, safety, and productivity. The
chemical industry represents Security a $450 billion enterprise and
produces more than 70,000 products that are essential to automobiles,
pharmaceuticals, food supply, electronics, water treatment, health,
construction, and other necessities.

Defense industrial base	Supplies the military with the means to protect
the nation by producing Department of Defense weapons, aircraft, and ships
and providing essential services, including information technology and
supply and maintenance.

Emergency services	Saves lives and property from accidents and disaster.
This sector includes Department of Homeland fire, rescue, emergency
medical services, and law enforcement Security organizations.

Energy	Provides the electric power used by all sectors, including critical
Department of Energy infrastructures, and the refining, storage, and
distribution of oil and gas. The sector is divided into electricity and
oil and natural gas.

Food Carries out the postharvesting of the food supply, including
processing and Department of Agriculture and retail sales. Department of
Health and Human Services

Government	Ensures national security and freedom and administers key
public Department of Homeland functions. Security

Information technology Provides communications and processes to meet the
needs of businesses Department of Homeland and telecommunications and
government. Security

Postal and shipping	Delivers private and commercial letters, packages, and
bulk assets. The Department of Homeland U.S. Postal Service and other
carriers provide the services of this sector. Security

                Page 5 GAO-04-780 Critical Infrastructure ISACs

(Continued From Previous Page)

                   Sector Description Sector-specific agency

Public health and Mitigates the risk of disasters and attacks and also
provides recovery Department of Health and

healthcare	assistance if an attack occurs. The sector consists of health
departments, Human Services clinics, and hospitals.

Transportation	Enables movement of people and assets that are vital to our
economy, Department of Homeland mobility, and security with the use of
aviation, ships, rail, pipelines, Security highways, trucks, buses, and
mass transit.

Drinking water and water Provides drinking water and wastewater treatment
through approximately Environmental Protection treatment systems 170,000
public water systems. These systems depend on reservoirs, dams, Agency

     wells, treatment facilities, pumping stations, and transmission lines.

Source: GAO analysis of the President's National Strategy documents and
HSPD-7.

  Private Sector ISACs Established

As more fully discussed in our April testimony, ISACs were voluntarily
created to provide an information sharing and analysis capability to
support their members' efforts to mitigate risk and effectively respond to
adverse events, including cyber, physical, and natural events. ISACs have
been established within most of the critical infrastructure sectors
identified in federal policy, including those for banking and finance,
chemicals and hazardous materials, drinking water and water treatment
systems, emergency services, energy, food, government, information
technology and telecommunications, and transportation. ISACs have also
been established for other industry sectors, including real estate and
research and education networking. Further, the agriculture and healthcare
infrastructure sectors are continuing their efforts to establish
information sharing mechanisms. Table 2 identifies the sectors with ISACs.

                Page 6 GAO-04-780 Critical Infrastructure ISACs

Table 2: ISACs by Sector

                                      Sector               ISAC  Established  
                         Banking and Finance Financial Services October 1999  
                     Chemicals and Hazardous           Chemical  April 2002   
                                   Materials                    
                          Emergency Services   Emergency Fire   October 2000  
                                      Energy           Electric October 2000  
                                                         Energy November 2001 
                                        Food               Food February 2002 
                                  Government        Multi-State January 2003  

Information Technology and Telecommunications

IT December 2000

Telecom January 2000 Research and Education

                            February 2003 Networking

                          Transportation         Public Transit January 2003  
                                         Surface Transportation      May 2002 
                                                        Highway    March 2003 
                Drinking Water and Water                  Water December 2002 
                               Treatment                        
                                 Systems                        
                                   Other            Real Estate    April 2003 

Source: GAO.

Although their overall missions are similar, the current ISACs were
established and developed based on the unique characteristics and needs of
their individual sectors. They operate under different management and
operational structures and, among other things, have different business
models and funding mechanisms. For example, most are managed or operated
as private entities, and some, such as the Water and Chemical ISACs, are
part of associations that represent their sectors. Others have partnered
with government agencies, such as the Telecommunications ISAC, which is a
government/industry operational and collaborative body sponsored by DHS's
National Communications Systems/National Coordinating Center for
Telecommunications. Different funding mechanisms used by the ISACs include
fee-for-service, association sponsorship, grants, contracts, and/or
voluntary or in-kind operations by ISAC participants. ISACs that use
fee-for-service funding include the Financial Services, Information
Technology, and Water ISACs, which offer tiered memberships with fees
based on the level of service provided.

                Page 7 GAO-04-780 Critical Infrastructure ISACs

  Federal Actions Taken to Address Information Sharing Challenges

Sector-specific agencies are to collaborate with the private sector and
continue to encourage the development of information-sharing and analysis
mechanisms. In addition, sector-specific agencies are to facilitate the
sharing of information about physical and cyber threats, vulnerabilities,
incidents, potential protective measures, and best practices. Some
sector-specific agencies have taken steps to help the ISACs to increase
their memberships and breadth of impact within their respective sectors
and to improve their analytical and communications capabilities. As we
discussed more specifically in our April testimony, sector-specific
agencies, among other things, have

o 	Provided funds to enhance ISAC capabilities and expand membership. For
example, the Environmental Protection Agency is the sector-specific agency
for the water sector. It reported that for fiscal year 2004, it had issued
in March 2004 a $2 million grant to the Water ISAC to enhance its
capabilities-to fund 24x7 operations and to increase and support ISAC
membership. In addition, the Department of the Treasury entered into a $2
million contract with the Financial Services ISAC for developing the "next
generation" Financial Services ISAC by enhancing the ISAC's capabilities
and develop performance metrics.

o 	Sponsored outreach briefings to address why the private sector needs to
partner with the federal government. For example, the Federal Deposit
Insurance Corporation, Financial and Banking Information Infrastructure
Committee, and the Financial Services Sector Coordinating Council are
sponsoring regional outreach briefings that address why the private sector
needs to partner with the federal government to improve its security. 5 In
addition, in December 2003, DHS hosted a 2-day CIP retreat with ISAC
representatives, sector coordinators, and high-level DHS and White House
Homeland Security Council officials. Participants discussed the needs,
roles, and responsibilities of public-and private-sector entities related
to information sharing and analysis, incident coordination and response

5The Financial and Banking Information Infrastructure Committee
coordinates federal and state financial regulatory efforts to improve the
reliability and security of U.S. financial systems. The Financial Services
Sector Coordinating Council's mission is to foster and facilitate the
coordination of financial services sector-wide voluntary activities and
initiatives designed to improve critical infrastructure protection and
homeland security.

                Page 8 GAO-04-780 Critical Infrastructure ISACs

activities, critical infrastructure information requests, and level of DHS
funding.

o 	Assisted infrastructure sectors in organizing sector-wide activities
and establishing ISACs. For example, last summer, DHS, the Department of
Agriculture, and HHS' Food and Drug Administration initiated efforts to
organize the agriculture and food critical infrastructure sectors to raise
awareness, coordinate, and improve security efforts. In addition to the
efforts listed above, DHS officials stated that they are providing funding
for tabletop exercises, including for the Financial Services,
Telecommunications, and Electricity Sector ISACs.

  Challenges to Effective Information Sharing Remain

The ISACs and the series of ISAC Council white papers confirmed that a
number of challenges remain to the successful establishment and operation
of ISACs and their partnership with DHS and the other sector-specific
agencies. The ISACs and the ISAC Council identified challenges that would
require federal action. Some of the more significant challenges identified
were the following:

o 	Government agencies and the ISACs need to build trusted relationships
between them to facilitate information sharing. In some cases,
establishing such relationships may be difficult because sector-specific
agencies may also have a regulatory role.

o 	The federal government and the private sector should share information
on incidents, threats, and vulnerabilities. Most ISACs reported that they
believed they were providing appropriate information to the government
but, while noting improvements, they still had concerns with the
information being provided to them by DHS and/or their sector-specific
agencies. These concerns included the limited quantity of information and
the need for more specific, timely, and actionable information. In its
recent white papers, the ISAC Council also has identified a number of
potential barriers to information sharing between the private sector and
the government. These included the sensitivity of the information (such as
law enforcement information), legal limits on disclosure (such as Privacy
Act limitations on disclosure of personally identifiable information), and
contractual and business limits on how and when information is disclosed
(e.g., the Financial Services ISAC does not allow any governmental or law
enforcement access to its database). The Council also emphasized that
perhaps the greatest

                Page 9 GAO-04-780 Critical Infrastructure ISACs

barriers to information sharing stem from practical and business
considerations in that, although important, the benefits of sharing
information are often difficult to discern, while the risks and costs of
sharing are direct and foreseeable.

o 	The roles of the various government and private-sector entities
involved in protecting critical infrastructures must continue to be
identified and defined. In particular, officials for several ISACs wanted
a better definition of DHS's role with respect to them. The ISAC Council
also identified the need for DHS to establish the goals of its
directorates and the relationships of these directorates with the private
sector. The Council also wants clarification of the roles of other federal
agencies, state agencies, and other entities-such as the National
Infrastructure Advisory Council.

o 	Government funding is needed. Ten of the ISACs we contacted emphasized
the importance of government funding for purposes including creating the
ISAC, supporting operations, increasing membership, developing metrics,
and providing for additional capabilities.

o 	Private-sector analytical efforts should not be overlooked and must be
integrated into the federal processes for a more complete understanding.
The private sector understands its processes, assets, and operations best
and can be relied upon to provide the required private-sector subject
matter expertise.

  Further DHS Actions Could Enhance Information Sharing

DHS has taken a number of actions to implement the public/private
partnership called for by federal CIP policy. However, DHS has not yet
developed a plan for how it will carry out its information sharing
responsibilities, including efforts to address the challenges identified
by the ISACs and the ISAC Council. In addition, DHS has not developed
internal policies and procedures to help ensure effective information
sharing by the many entities within the department that collect and
analyze information that may impact the security of our nation's critical
infrastructure. It is essential for DHS to develop this plan, along with
internal policies and procedures, to establish effective
information-sharing relationships both within DHS and with other federal
agencies and infrastructure sectors.

                Page 10 GAO-04-780 Critical Infrastructure ISACs

  DHS Has Not Developed an Overall Information Sharing Plan

Although DHS has taken a number of actions to develop relationships with
the private sector and enhance information sharing capabilities, it has
not developed a plan that describes how it will carry out its
information-sharing responsibilities and/or how it will address the many
identified challenges that exist in building a public/private
information-sharing partnership. Development of a plan could improve
information sharing by clarifying roles and responsibilities and clearly
articulating actions to address the challenges that remain, including
consideration of appropriate incentives for nonfederal entities to
increase information sharing with the federal government, increase sector
participation, and/or perform other specific tasks to protect the critical
infrastructure.

In addition, soliciting input and feedback from the ISACs, sector
coordinators, and sector-specific agencies in developing the plan could
help DHS to ensure that the challenges identified by the ISACs and the
ISAC Council are appropriately considered.

According to DHS officials, the department intends to develop a plan
(referred to as a "roadmap") that documents the current
information-sharing relationships among DHS, the sectors and their ISACs,
and other agencies; goals for improving that information-sharing
relationship; and methods for measuring the progress in the improvement.
According to one official, the plan will define the roles and
responsibilities of DHS, the ISACs, and other entities, including a
potential overlap of ISAC-related responsibilities between IAIP and the
Transportation Security Administration (TSA). Further, the official
indicated that, in developing such a plan, DHS would consider issues
raised by the ISACs and the ISAC Council. This official indicated that a
specific time frame for completing the plan had not yet been established
but that DHS intends to develop a time frame this summer.

  DHS Lacks Policies and Procedures to Guide Its Information-Sharing Efforts

DHS has established functions within the department to support the ISACs
and other CIP efforts. IAIP, as the DHS component directly responsible for
CIP activities, carries out many of these functions. The Infrastructure
Coordination Division within IAIP plays a key role in coordinating with
the ISACs concerning information sharing. Nonetheless, ISACs may interact
with multiple components of the department. For example, the ISACs may
discuss cyber issues with the National Cyber Security Division and/or with
the Homeland Security Operations Center when reporting incidents.

                Page 11 GAO-04-780 Critical Infrastructure ISACs

Further, according to DHS officials, TSA, within the department's Border
and Transportation Security Directorate, is working with organizations in
the private sector to establish information-sharing relationships. For
example, Surface Transportation ISAC analysts stated that they have a good
working relationship with TSA, and TSA's Operations Center has office
space designated for them.

In addition, the Infrastructure Coordination Division is in the process of
staffing analysts who are responsible for working with each critical
infrastructure sector. The analysts would serve as the primary points of
contact within DHS for the sectors and would address information sharing,
coordination, infrastructure protection, and other issues raised by the
sectors.

According to a DHS official, the department does not intend to establish a
single point of contact for ISACs within the department. Rather, the
department plans to develop policies and procedures to ensure effective
coordination and sharing of ISAC-provided information among the
appropriate DHS components. At the time of our review, DHS had not
developed those policies and procedures and had no specific time frame for
their completion. Because of the many DHS components potentially
interacting with critical infrastructure sectors, establishment of
policies and procedures could help DHS ensure that information is
effectively and efficiently shared within the IAIP Directorate and among
DHS components, as well as with other federal agencies and infrastructure
sectors, by clarifying roles, responsibilities, and processes.

Conclusions	Although DHS has taken a number of actions to establish and
improve information sharing relationships among entities within the
infrastructure sectors and between the infrastructure sectors and the
federal government, a number of challenges remain that are barriers to
developing effective public-private partnerships. The ISACs and other
stakeholders, including sector-specific agencies and sector coordinators,
could benefit from an overall DHS strategy, as well as specific guidance,
that clearly describes their roles, responsibilities, relationships, and
expectations. In developing such a strategy, it will also be important to
consider input from all stakeholders to help ensure that a comprehensive
and trusted information-sharing process is established. DHS has also not
yet developed the internal policies and procedures needed to ensure that
appropriate information sharing occurs within the department, which could
affect its

                Page 12 GAO-04-780 Critical Infrastructure ISACs

overall ability to perform analysis and disseminate critical information
about incidents, vulnerabilities, or threats.

  Recommendations for Executive Action

To help improve the effectiveness of DHS's information-sharing efforts
with the ISACs and others, we recommend that the Secretary of Homeland
Security direct officials within the IAIP Directorate to take the
following two actions:

o 	Proceed with and establish milestones for the development of an
information-sharing plan that includes (1) a clear description of the
roles and responsibilities of DHS, the ISACs, the sector coordinators, and
the sector-specific agencies and (2) actions designed to address
information-sharing challenges. Efforts to develop this plan should
include soliciting feedback from the ISACs, sector coordinators, and
sector-specific agencies to help ensure that challenges identified by the
ISACs and the ISAC Council are appropriately considered in the final plan.

o 	Considering the roles, responsibilities, and actions established in the
information-sharing plan, develop appropriate DHS policies and procedures
for interacting with ISACs, sector coordinators, and sector-specific
agencies and for coordination and information sharing within the IAIP
Directorate (such as the National Cyber Security Division and
Infrastructure Coordination Division) and other DHS components that may
interact with the ISACs, including TSA.

Agency Comments 	We received written comments on a draft of this report
from DHS, HHS, and the Department of the Treasury (see apps. II, III, and
IV, respectively). In DHS's response, a representative from DHS's Office
of the Chief Financial Officer stated that the report generally provides
an accurate analysis of the current sector ISAC landscape. In addition,
the director provided planned actions to address the recommendations
identified in this report. HHS's Acting Principal Deputy Inspector General
stated that the department had no comments. In Treasury's response, the
Under Secretary for Domestic Finance stated that the department agreed
with our findings. These departments also provided technical comments,
which were incorporated into the report, as appropriate.

                Page 13 GAO-04-780 Critical Infrastructure ISACs

In addition, the Environmental Protection Agency provided separate
technical comments, which were incorporated into this report, as
appropriate. The Departments of Agriculture and Energy reviewed a draft of
this report and responded by stating that they had no comments.

As agreed with your offices, unless you publicly announce the contents of
this report earlier, we plan no further distribution until 30 days from
the report date. At that time, we will send copies of this report to other
interested congressional committees, the Secretary of Homeland Security,
and the heads of the agencies discussed in this report. We also will make
copies available to others upon request. In addition, the report will be
available at no charge on the GAO Web site at http://www.gao.gov.

If you should have any questions about this report, please contact me at
(202) 512-3317 or Ben Ritt, Assistant Director, at (202) 512-6443. We can
also be reached by e-mail at [email protected] and [email protected],
respectively. Key contributors to this report are listed in appendix V.

Robert F. Dacey Director, Information Security Issues

                Page 14 GAO-04-780 Critical Infrastructure ISACs

                                   Appendix I

                        GAO's April 21, 2004, Testimony

Highlights of GAO-04-699T, testimony before the Subcommittees on
Cybersecurity, Science, and Research & Development and on Infrastructure
and Border Security, Select Committee on Homeland Security, House of
Representatives

Critical infrastructure protection (CIP) activities that are called for in
federal policy and law are intended to enhance the security of the cyber
and physical public and private infrastructures that are essential to our
nation's security, economic security, and public health and safety. As our
reliance on these infrastructures increases, so do the potential threats
and attacks that could disrupt critical systems and operations. Effective
information-sharing partnerships between industry sectors and government
can contribute to CIP efforts.

Federal policy has encouraged the voluntary creation of Information
Sharing and Analysis Centers (ISACs) to facilitate the private sector's
participation in CIP by serving as mechanisms for gathering and analyzing
information and sharing it among the infrastructure sectors and between
the private sector and government. This testimony discusses the management
and operational structures used by ISACs, federal efforts to interact with
and support the ISACs, and challenges to and successful practices for
ISACs' establishment, operation, and partnerships with the federal
government.

www.gao.gov/cgi-bin/getrpt?GAO-04-699T.

To view the full product, including the scope and methodology, click on
the link above. For more information, contact Robert F. Dacey at
202-512-3317 or [email protected].

CRITICAL INFRASTRUCTURE PROTECTION

  Establishing Effective Information Sharing with Infrastructure Sectors

Federal awareness of the importance of securing the nation's critical
infrastructures-and the federal government's strategy to encourage
cooperative efforts among state and local governments and the private
sector to protect these infrastructures-have been evolving since the
mid1990s. Federal policy continues to emphasize the importance of the
ISACs and their information-sharing functions. In addition, federal policy
established specific responsibilities for the Department of Homeland
Security (DHS) and other federal agencies involved with the private sector
in CIP. The ISACs themselves, although they have similar missions, were
developed to serve the unique needs of the sectors they represent, and
they operate under different business models and funding mechanisms.

According to ISAC representatives and a council that represents many of
them, a number of challenges to their successful establishment, operation,
and partnership with DHS and other federal agencies remain. These
challenges include increasing the percentage of entities within each
sector that are members of its ISAC; building trusted relationships and
processes to facilitate information sharing; overcoming barriers to
information sharing, clarifying the roles and responsibilities of the
various government and private sector entities that are involved in
protecting critical infrastructures; and funding ISAC operations and
activities. According to a DHS official, these issues are being
considered, and the department is developing a plan that will document the
current information-sharing relationships among DHS, the ISACs, and other
agencies; goals for improving those informationsharing relationships; and
methods for measuring progress toward these goals.

Information Sharing and Analysis Centers by Sector

                     Sector           ISAC         Established 
                   Banking and      Financial     October 1999 
                     Finance        Services     
                   Chemicals &                                 
                    Hazardous       Chemical      April 2002
                    Materials                    
                    Emergency    Emergency Fire   October 2000 
                    Services                     
                     Energy         Electric      October 2000 
                     Energy          Energy      November 2001 
                      Food            Food       February 2002 
                   Government      Multi-State    January 2003 

Information Technology & Telecommunications IT December 2000

Telecom January 2000

Research & Education Network February 2003

                   Transportation    Public Transit    January 
                                                          2003 
                                         Surface     May 2002  
                                     Transportation  
                                         Highway       March   
                                                       2003    
                  Drinking Water &                    December 
                   Water Treatment        Water           2002 
                       Systems                       
                        Other          Real Estate     April   
                                                       2003    

Source: GAO

                Page 16 GAO-04-780 Critical Infrastructure ISACs

Table 1: Critical Infrastructure Sectors Identified by the National
Strategy for Homeland Security and HSPD-7

Sector Description Sector-specific agency

Agriculture 	Provides for the fundamental need for food. The
infrastructure includes Department of Agriculture supply chains for feed
and crop production.

Banking and Finance 	Provides the financial infrastructure of the nation.
This sector consists of Department of the Treasury commercial banks,
insurance companies, mutual funds, governmentsponsored enterprises,
pension funds, and other financial institutions that carry out
transactions including clearing and settlement.

Chemicals and hazardous Transforms natural raw materials into commonly
used products benefiting Department of Homeland

materials	society's health, safety, and productivity. The chemical
industry Security represents a $450 billion enterprise and produces more
than 70,000 products that are essential to automobiles, pharmaceuticals,
food supply, electronics, water treatment, health, construction, and other
necessities.

Defense industrial base 	Supplies the military with the means to protect
the nation by producing Department of Defense weapons, aircraft, and ships
and providing essential services, including information technology and
supply and maintenance.

Emergency services 	Saves lives and property from accidents and disaster.
This sector Department of Homeland includes fire, rescue, emergency
medical services, and law enforcement Security organizations.

             Energy Provides the electric power used by  Department of Energy 
                    all sectors, including critical     
                     infrastructures, and the refining, 
                       storage, and distribution of oil 
                                               and gas. 
                        The sector is divided into      
                      electricity and oil and natural   
                                   gas.                 
                     Carries out the post-harvesting of                       
               Food          the food supply, including         Department of 
                                             processing       Agriculture and
                                      and retail sales.  Department of Health 
                                                                          and 
                                                               Human Services 
         Government Ensures national security and               Department of 
                    freedom and administers key public               Homeland 
                                             functions.              Security 

Information technology Provides communications and processes to meet the
needs of Department of Homeland and telecommunications businesses and
government. Security

Postal and shipping 	Delivers private and commercial letters, packages,
and bulk assets. The Department of Homeland U.S. Postal Service and other
carriers provide the services of this sector. Security

Public Health and Mitigates the risk of disasters and attacks and also
provides recovery Department of Health and Healthcare assistance if an
attack occurs. The sector consists of health departments, Human Services

clinics, and hospitals.

Transportation 	Enables movement of people and assets that are vital to
our economy, Department of Homeland mobility, and security with the use of
aviation, ships, rail, pipelines, Security highways, trucks, buses, and
mass transit.

Drinking water and water Sanitizes the water supply with the use of about
170,000 public water Environmental Protection

treatment systems 	systems. These systems depend on reservoirs, dams,
wells, treatment Agency facilities, pumping stations, and transmission
lines.

Source: GAO analysis based on the President's National Strategy documents
and HSPD-7.

In January, the President issued HSPD-9, which established a national
policy to defend the agriculture and food system against terrorist
attacks, major disasters, and other emergencies. HSPD-9 defines
responsibilities for DHS, lead federal agencies, or sector-specific
agencies, responsible for

Page 10 GAO-04-699T

Page 26 GAO-04-780 Critical Infrastructure ISACs

DHS officials, the Emergency Law Enforcement ISAC that was formally
operated by the NIPC and transferred to IAIP is not currently staffed and
will be considered in current efforts to organize the Emergency Services
sector.

                    Table 2: Summary of ISAC Characteristics

Critical Infrastructures Hazards Sharing and their ISAC(s) Coverage
Funding model covered Analysis capability mechanisms Agriculture

None at this time.

Banking & Finance Chemicals & Hazardous Materials

         Financial 200 members, Funded by and Operates 24          Text-based 
          Services operated Cyber             hours                   alerts, 
                   including with tiered                            through a 
        (est. Oct. membership Physical        a day, 7 days a    notification 
             1999) commercial banks, fees.              week.  system, backed 
                                                                        up by 
                        securities firms, and      Watch desk      telephone. 
                                   Contractor    analyzes and Biweekly threat 
                           operated.insurance     categorizes    intelligence 
                                   companies.        threats, 
                            Represents 90% of  incidents, and conference call 
                                                              with            
                                the financial warnings based    DHS and SAIC. 
                                              on              
                                              the sector's    
                             sector's assets. needs.          

        Chemical     538      Funded and operated by  Operates E-mails alerts 
                  individual                   Cyber     24x7.            and 
                                                     Currently                
                      members                          working                
           (est. representing         ACC's Chemical        to      warnings. 
           April the chemical PhysicalTransportation   develop Chemistry ISAC
           2002)  industries.      Emergency Center.        an      Web site.
                                                      analysis 
                                                       center. 
                     285                                       Biweekly       
                 businesses.                                   conference     
                   Represents                                      calls with 
                       90% of                                            DHS. 
                   chemical                                                   
                   sector.                                             Secure
                                                               communications 
                                                                 network with 
                                                                         DHS. 

Defense Industrial Base

None at this time.

Emergency Services

  Emergency 10 FEMA            Funded by    Cyber Developing 24x7  Electronic 
 Management Regions               FEMA's                            messaging 
                                                                    Telephone 
 & Response      6 major Office of Cyber               operations.   and when 
 (est. Oct. stakeholders Security with   Physical     Analyzes and necessary, 
      2000)       of EMR supplementation              disseminates   a secure 
                 sector. from USFA.                                 telephone 
                                                                        unit. 
            Represents                               actionable    
            100% of the                           intelligence on  
            essential         Contractor              threats,     
            components         operated.              attacks,     
            of the EMR                            vulnerabilities, 
            Sector.                                anomalies, and  
                                                     security best 
                                                        practices. 

Page 18 GAO-04-699T

                Page 34 GAO-04-780 Critical Infrastructure ISACs

Critical Infrastructures Hazards Sharing and their ISAC(s) Coverage
Funding model covered Analysis capability mechanisms Energy Food

        Electric   More then       Funded and    Cyber Operates 24x7. Secure  
                      90% of                           telephone,             
                                                         The ES-ISAC and fax, 
                                                          and Web server NERC 
                        NERC                              have created E-mail 
                 members are                                 the Indications, 
                  members of                                        Satellite 
                    the ISAC                             telephones.Analysis, 
                   including                             and Warnings Program 
                   large and                              Information such as 
           (est.       small                              (IAW) that provides 
            Oct.    electric managed/operated Physical incident reports and a 
           2000)  utilities,         by NERC.               set of guidelines 
                    regional                                        warnings, 
                    electric                                vulnerability for 
                     utility                           reporting assessments, 
                  companies,                              and operational and 
                   and power                                related documents 
                  marketers.                             cyber incidents that 
                                                            are posted on the 
                                                         adversely affect the 
                                                             public Web site. 
                                                               electric power 
                                                              infrastructure. 
                   80 plus   Funded by grants                  Operates 24x7. 
          Energy   members   from                Cyber       Conference calls 
                                                       Analyzes threats, Fax, 
                                                                Email, pager. 
                    from the                             vulnerabilities, and 
                 oil and gas                                         Detailed 
           (est.     sector.  DOE. Contractor             informationincident 
            Nov.  Represents        operated. Physical        information. on 
           2001)  85% of the                                warnings provided 
                 oil and gas                           Provides security on a 
                     sector.                           membership information 
                                                         and only, secure Web 
                                                                        site. 
                                                                   solutions. 

Food Over 40 food-No current funding. Physical Operates 24x7. E-mail

(est. Feb. 2002) 	industry trade Operated by volunteer No analysis Watch
Commander associations and labor from each member capability, due to
Listtheir members. association.

members' privacy Currently working to

concerns. Depends develop a secure eon DHS for mail system.analysis.

Government

State Gov. 49 states (excluding Funded and operated by Cyber Operates
24x7. Monthly conference (est. Jan. 2003) Kansas) and the New York State.
Physical & Issues bulletins, calls

District of Columbia. 	States provide time and Natural (as advisories, and
E-mail resources as it relates to alerts. Telephone appropriate. cyber).

Page 19 GAO-04-699T

                Page 35 GAO-04-780 Critical Infrastructure ISACs

Critical Infrastructures Hazards Sharing and their ISAC(s) Coverage
Funding model covered Analysis capability mechanisms Information
Technology & Telecommunications

IT 90% of all desktop Funded and operated by Cyber Operates 24x7. CWIN
(est. Dec. 2000) operating systems. foundational member contributions,
will soon Physical Analyzes cyber Encrypted e-mail

85% of all alerts and SSL-protected Webdatabases. implement membership
advisories and sites

fees (tiered). reports physical50% of all desktop Contractor operated.
issues. Cellular phones computers.

85% of all routers. 	VoIP telephony GETS7 system for

65% of software priority calls security.

Telecom

(est. Jan. 2000)

95% of wireline providers.

Over 60% of wireline vendors.

95% of wireless providers.

90% of wireless vendors.

42% of Internet Service subscribers.

90% of Internet Service networks.

6 of the top system integrators in the U.S. Federal IT market.

15% of Domain Name Service root and global Top Level Domain operators.

Funded by NCS. Cyber Operates 24x7.

Operated by NCC. Physical Analyzes data to

Agencies bear the costs Natural avoid crises that

of their own personnel. 	could affect the entire telecom infrastructure.

E-mail Telephone Fax Meetings CWIN

            7Government Emergency Telecommunications Service (GETS)

Page 20 GAO-04-699T

                Page 36 GAO-04-780 Critical Infrastructure ISACs

                 Critical                        Hazards       Sharing        
          Infrastructures                                
        and their ISAC(s)         Coverage Funding model  Analysis capability 
                                                 covered           mechanisms 
               Research &       200           Funded and                      
                Education  Universities.     operated by Operates 24x7.       
                                                   Cyber Public information
                                                         Receives and         
                                                         restricted to        
         Networking (est.         All U.S.       Indiana disseminates         
               Feb. 2003) universities and   University. aggregate views of   
                             colleges that               information the      
                          are connected to               network.             
                                                            regarding network 
                              national R&E                        Information 
                                                                  identifying 
                             networks have                           security 
                                                              institutions or 
                          basic                           vulnerabilities and 
                          membership.                         individuals not 
                                                               threats in the 
                                                              higher reported 
                                                                    publicly. 
                                                           education Detailed 
                                                                and sensitive 
                                                                   community. 
                                                           information shared 
                                                           only with affected 
                                                                institutions. 

                               Postal & Shipping

                               None at this time.

Public Health & Healthcare

HealthCare

None at this time.

Transportation

             Public Approximately 100  Federally  Cyber      Operations 24x7. 
            Transit                      funded.                  E-mail tree 
                                                          Collects, analyzes, 
                      of the major                          Secure e-mail and 
         (est. Jan. national transit  Contractor Physical disseminates Public 
              2003)  organizations.   operated.                   Transit Web 
                                                                     security 
                                                            information. site 
                                                           Links to HSOC, and 
                                                                DOT and TSA's 
                                                           Operation Centers. 

          Surface Includes   Funded by         Cyber  Operates        Surface 
Transportation the major  membership                  24x7. 
                       North     fees and a          Conducts                 
                    American grant from the          mid-to    Transportation 
        (est. May    freight        Federal Physical long-term      Web site. 
            2002)  railroads        Transit  Natural technical         Secure 
                         and Administration          analysis      telephone.
                     Amtrak.         (FTA).          on all    
                  Represents     Contractor           threats. 
                  95% of          operated.                    
                    the U.S.                                   
                     freight                                   
                    railroad                                   
                    industry                                   
                         and                                   
                     Amtrak.                                   

Page 21 GAO-04-699T

                Page 37 GAO-04-780 Critical Infrastructure ISACs

Critical Infrastructures Hazards Sharing and their ISAC(s) Coverage
Funding model covered Analysis capability mechanisms Drinking Water &
Water Treatment Systems Other Sectors That Have Established ISACs

        Highway Over 90% of Funded and operated   Developing     Highway ISAC 
                    the                by Cyber      24x7                 Web 
          (est.   largest   the American           operations.                
          March  for-hire   Trucking                  Channels   site Highway 
          2003)    motor    PhysicalAssociation      warnings,   watch center
                 carriers.  (ATA).                             
                 Represents                     threat                        
                        60%                     information,                  
                   economic                     and advisories      Blast fax
                   activity                     to the                 E-mail
                  with over                     industry and   
                     50% of                     to             
                long haul.                      drivers                       
                                                through its       Print media
                                                  call center. communications 
                                                                 Amber alerts 

           Water     275-300 Funded by tired    Cyber    Operates   Encrypted 
                   small and                                24x7.      e-mail 
                 large water                             Analyzes             
                  utilities. membership fees           threat and      Secure 
           (est.  Represents and a grant                 incident      portal 
            Dec.      45% of from EPA.       Physical information      Secure 
           2002)       water Contractor                   for its  electronic 
                   utilities operated.                  potential    bulletin 
                 with secure Receives                   impact on  boards and 
                    portals. contributions                    the  chat rooms
                  Represents      from AMWA.              sector. 
                      85% of                                      
                  the water                                       
                  utilities                                       
                        that                                      
                     receive                                      
                      e-mail                                      
                     alerts.                                      

          Real   10 trade       Funded by Physical Operates             2-way 
        Estate                      trade            24x7.   
               associations                                                   
               representing                        Depends     communications 
         (est.      hotels, associations.          on DHS     network and Web 
         April    realtors,    Contractor          for        site Conference 
         2003)     shopping     operated.          threat      calls with top 
               centers, and                        analysis.  executives from
                    others.                                  
                                                              various sectors 
                                                                           as 
                                                                      needed. 

Sector Coordinator Roles Differ

As discussed earlier, federal CIP policy establishes the position of
sector coordinator for identified critical infrastructure sectors to
initiate and build cooperative relationships across an entire
infrastructure sector. In most cases, sector coordinators have played an
important role in the development of their respective infrastructure
sectors' ISACs. In many cases the sector coordinator also manages or
operates the ISAC.

o 	The North American Electric Reliability Council, as sector coordinator
for the electricity segment of the energy sector, operates the Electricity
Sector ISAC.

Page 22 GAO-04-699T

                Page 38 GAO-04-780 Critical Infrastructure ISACs

GAO's Mission 	The General Accounting Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

The fastest and easiest way to obtain copies of GAO documents at no cost
isObtaining Copies of through the Internet. GAO's Web site (www.gao.gov)
contains abstracts and full-GAO Reports and text files of current reports
and testimony and an expanding archive of older

products. The Web site features a search engine to help you locate
documentsTestimony using key words and phrases. You can print these
documents in their entirety, including charts and other graphics.

Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document files.
To have GAO e-mail this list to you every afternoon, go to www.gao.gov and
select "Subscribe to e-mail alerts" under the "Order GAO Products"
heading.

Order by Mail or Phone 	The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out
to the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:

U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C.
20548

To order by Phone: 	Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

To Report Fraud, 	Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm

Waste, and Abuse in E-mail: [email protected]

Federal Programs Automated answering system: (800) 424-5454 or (202)
512-7470

Jeff Nelligan, Managing Director, [email protected] (202) 512-4800

Public Affairs 	U.S. General Accounting Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

Page 57 GAO-04-780 Critical Infrastructure ISACs

Appendix II

Comments from the Department of Homeland Security

Appendix II Comments from the Department of Homeland Security

                Page 59 GAO-04-780 Critical Infrastructure ISACs

Appendix II Comments from the Department of Homeland Security

                Page 60 GAO-04-780 Critical Infrastructure ISACs

Appendix III

Comments from the Department of Health and Human Services

Appendix IV

Comments from the Department of the Treasury

Appendix V

                     GAO Contact and Staff Acknowledgments

                      GAO Contact Ben Ritt (202) 512-6443

Staff 	In addition to the individual named above, William Cook, Joanne
Fiorino, Laurence Gill, Michael Gilmore, Barbarol James, Lori Martinez,
and Kevin

Acknowledgments Secrest made key contributions to this report.

           (310519) Page 63 GAO-04-780 Critical Infrastructure ISACs

GAO's Mission	The General Accounting Office, the audit, evaluation and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of The fastest and easiest way to obtain copies of GAO
documents at no cost

is through GAO's Web site (www.gao.gov). Each weekday, GAO postsGAO
Reports and newly released reports, testimony, and correspondence on its
Web site. To Testimony have GAO e-mail you a list of newly posted products
every afternoon, go to

www.gao.gov and select "Subscribe to Updates."

Order by Mail or Phone	The first copy of each printed report is free.
Additional copies are $2 each. A check or money order should be made out
to the Superintendent of Documents. GAO also accepts VISA and Mastercard.
Orders for 100 or more copies mailed to a single address are discounted 25
percent. Orders should be sent to:

U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C.
20548

To order by Phone: 	Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202)
512-6061

  To Report Fraud, Contact:
  Waste, and Abuse in Web site: www.gao.gov/fraudnet/fraudnet.htm

E-mail: [email protected] Programs Automated answering system: (800)
424-5454 or (202) 512-7470

Congressional 	Gloria Jarmon, Managing Director, [email protected] (202)
512-4400 U.S. General Accounting Office, 441 G Street NW, Room 7125

Relations Washington, D.C. 20548

Public Affairs Jeff Nelligan, Managing Director, [email protected] (202)
512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149
Washington, D.C. 20548

                               Presorted Standard
                              Postage & Fees Paid
                                      GAO
                                Permit No. GI00

United States
General Accounting Office
Washington, D.C. 20548-0001

Official Business
Penalty for Private Use $300

Address Service Requested
*** End of document. ***