Critical Infrastructure Protection: Sector-Specific Plans'	 
Coverage of Key Cyber Security Elements Varies (31-OCT-07,	 
GAO-08-113).							 
                                                                 
The nation's critical infrastructure sectors--such as public	 
health, energy, water, and transportation--rely on computerized  
information and systems to provide services to the public. To	 
fulfill the requirement for a comprehensive plan, including cyber
aspects, the Department of Homeland Security (DHS) issued a	 
national plan in June 2006 for the sectors to use as a road map  
to enhance the protection of critical infrastructure. Lead	 
federal agencies, referred to as sector-specific agencies, are	 
responsible for coordinating critical infrastructure protection  
efforts, such as the development of plans that are specific to	 
each sector. In this context, GAO was asked to determine if these
sector-specific plans address key aspects of cyber security,	 
including cyber assets, key vulnerabilities, vulnerability	 
reduction efforts, and recovery plans. To accomplish this, GAO	 
analyzed each sector-specific plan against criteria that were	 
developed on the basis of DHS guidance. 			 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-113 					        
    ACCNO:   A77804						        
  TITLE:     Critical Infrastructure Protection: Sector-Specific      
Plans' Coverage of Key Cyber Security Elements Varies		 
     DATE:   10/31/2007 
  SUBJECT:   Command and control systems			 
	     Computer systems					 
	     Critical infrastructure				 
	     Cyber security					 
	     Energy						 
	     Evaluation criteria				 
	     Homeland security					 
	     Information infrastructure 			 
	     Information security				 
	     Information technology				 
	     Public health					 
	     Risk assessment					 
	     Risk management					 
	     Strategic planning 				 
	     System security plans				 
	     Transportation					 
	     Security standards 				 
	     National Infrastructure Protection Plan		 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-113

Report to Congressional Requesters

United States Government Accountability Office

GAO

October 2007

CRITICAL INFRASTRUCTURE PROTECTION

Sector-Specific Plans' Coverage of Key Cyber Security Elements Varies

GAO-08-113

Contents

Letter

Compliance with Aspects of Cyber Security Criteria
Conclusions
Recommendation for Executive Action
Agency Comments and Our Evaluation
Appendix I Briefing for Congressional Staff
Appendix II Comments from the Department of Homeland Security
Appendix III GAO Contacts and Staff Acknowledgments

Figure

Figure 1: Comprehensiveness of Sector-Specific Plans

This is a work of the U.S. government and is not subject to copyright
protection in the United States. The published product may be reproduced
and distributed in its entirety without further permission from GAO.
However, because this work may contain copyrighted images or other
material, permission from the copyright holder may be necessary if you
wish to reproduce this material separately.

United States Government Accountability Office
Washington, DC 20548

October 31, 2007

The Honorable Joseph I. Lieberman
Chairman
The Honorable Susan M. Collins
Ranking Member
Committee on Homeland Security and Governmental Affairs
United States Senate

The Honorable James R. Langevin
Chairman
Subcommittee on Emerging Threats, Cybersecurity,
  and Science and Technology
Committee on Homeland Security
House of Representatives

Because the nation's critical infrastructure relies extensively on
computerized information systems and electronic data, the security of
those systems and information is essential to our nation's security,
economy, and public health and safety. To help address critical
infrastructure protection, federal policy has established a framework for
public and private sector partnerships and identified 17 critical
infrastructure sectors, including banking and finance, information
technology, telecommunications, energy, and public health and
healthcare.^1

The Department of Homeland Security (DHS) is a key player in these
partnerships. The agency issued a National Infrastructure Protection Plan
(NIPP) in June 2006 to be used as a road map for how DHS and other
relevant stakeholders are to use risk management principles to prioritize
protection activities within and across the sectors in an integrated,
coordinated fashion. Lead federal agencies, referred to as sector-specific
agencies (including DHS, the Department of the Treasury, and the
Department of Health and Human Services), are responsible for coordinating
critical infrastructure protection efforts with the public and private
stakeholders in their respective sectors.

^1The White House, Homeland Security Presidential Directive 7 (Washington,
D.C.: Dec. 17, 2003); and Department of Homeland Security, National
Infrastructure Protection Plan (Washington, D.C.: 2006).

The NIPP requires each of the lead federal agencies associated with the 17
critical infrastructure sectors to develop plans to address how the
sectors' stakeholders would implement the national plan and how they would
improve the security of their assets, systems, networks, and functions.
These sector-specific plans are to, among other things, describe how the
sector will identify and prioritize its critical assets, including cyber
assets, and define approaches the sector will take to assess risks and
develop programs to protect these assets.

As agreed, our objective was to determine if the sector-specific plans
address key aspects of cyber security, including cyber assets, key
vulnerabilities, vulnerability reduction efforts, and recovery plans. To
accomplish this objective, we analyzed each sector-specific plan against
30 criteria that were developed on the basis of DHS guidance.

On August 7 and 20, 2007, we presented a briefing to the staffs of the
House Subcommittee on Emerging Threats, Cybersecurity, and Science and
Technology, Committee on Homeland Security, and the Senate Committee on
Homeland Security and Governmental Affairs, respectively. This report
transmits the presentation slides we used to brief the staffs and the
recommendation that we made to the Secretary of Homeland Security. The
full briefing, including our scope and methodology, is reprinted in
appendix I. In commenting on a draft of this report, the Director, DHS
Departmental GAO/OIG Liaison, concurred with our recommendation. In
addition, DHS provided technical comments that have been addressed in this
report as appropriate.

Compliance with Aspects of Cyber Security Criteria

The extent to which the sectors addressed aspects of cyber security in
their sector-specific plans varied; none of the plans fully addressed all
30 cyber security-related criteria. Several plans--including those from
the information technology and telecommunications sectors--fully addressed
many of the criteria, while others--such as agriculture and food and
commercial facilities--were less comprehensive. Figure 1 summarizes the
extent to which each plan addressed the 30 criteria.

Figure 1: Comprehensiveness of Sector-Specific Plans

In addition to the variations in the extent to which the plans covered
aspects of cyber security, there was also variance among plans in the
extent to which certain criteria were addressed. For example, all plans
fully addressed identifying a sector governance structure for research and
development, while fewer than half of the plans fully addressed describing
any incentives used to encourage voluntary performance of risk
assessments.

Without comprehensive plans, certain sectors may not be effectively
identifying, prioritizing, and protecting the cyber aspects of their
critical infrastructure protection efforts. For example, with most sectors
lacking a process for identifying the consequences of cyber attacks
against their assets, our nation's sectors could be ill-prepared to
respond properly to a cyber attack.

The varying degrees to which each plan addressed the cyber
security-related criteria can be attributed in part to the varying levels
of maturity of the different sectors. According to DHS officials, the
sectors that have been working together longer on critical infrastructure
issues generally have developed more comprehensive and complete plans than
the sectors with stakeholders that had not previously worked together. For
example, the plan for the energy sector included most of the key
information required for each plan element, and the chemical sector had
worked with DHS to improve the cyber component in its plans; this sector's
plan was among those categorized as comprehensive. Furthermore, for those
sectors that had not been previously working together on critical
infrastructure issues and were thus less mature, the limited amount of
time to complete the plans--6 months--was a factor in their plans being
less comprehensive and complete.

DHS acknowledges the GAO-identified shortcomings in the plans. DHS
officials stated that the sector-specific plans represent only the early
efforts by the sectors to develop their respective plans and anticipate
that the plans will improve over time. Nevertheless, until the plans fully
address key cyber elements, certain sectors may not be prepared to respond
to a cyber attack against our nation's critical infrastructure.

Conclusions

The sector-specific plans varied in how comprehensively they addressed the
cyber security aspects of their sectors. Without comprehensive plans,
stakeholders within the infrastructure sectors may not adequately
identify, prioritize, and protect their critical assets, systems,
networks, and functions; be prepared to respond to a significant attack;
or identify the cyber risks they face. As the plans are updated, it will
be important that DHS work with the sector representatives to ensure that
the areas not sufficiently addressed are covered. Otherwise, the plans
will remain incomplete and selected sectors' efforts will remain
insufficient to enhance the protection of their computer-reliant assets.

Recommendation for Executive Action

To assist the sectors in securing their cyber infrastructure, we
recommended that the Secretary of Homeland Security direct the Assistant
Secretary for Infrastructure Protection and the Assistant Secretary for
Cybersecurity and Communications to request that by September 2008, the
sector-specific agencies' plans address the cyber-related criteria that
were only partially addressed or not addressed at all.

Agency Comments and Our Evaluation

We received written comments on a draft of this report from DHS (see app.
II). In the response, the Director, Departmental GAO/OIG Liaison,
concurred with our recommendation. The director also proposed replacing
the term "cyber assets" with "cyber infrastructure" to broaden the
recommendation and update the Assistant Secretary's title. We agreed and
addressed his comments accordingly. In addition, the director stated that
DHS is currently working on an action plan to assist sectors in addressing
cyber security issues not adequately addressed in the initial
sector-specific plans. Furthermore, DHS provided technical comments that
have been addressed in this report as appropriate.

We are sending copies of this report to interested congressional
committees, the Secretary of Homeland Security, and other interested
parties. We also will make copies available to others upon request. In
addition, this report will be available at no charge on GAO's Web site at
http://www.gao.gov.

Should you or your staffs have any questions on matters discussed in this
report, please contact Dave Powner at (202) 512-9286 or
[email protected], or Keith Rhodes at (202) 512-6412 or
[email protected]. Contact points for our Offices of Congressional
Relations and Public Affairs may be found on the last page of this report.
GAO staff who made key contributions to this report are listed in appendix
III.

David A. Powner
Director, Information Technology Management Issues

Keith A. Rhodes
Chief Technologist
Applied Research and Methods
Center for Technology and Engineering

Appendix I: Briefing for Congressional Staff

Appendix II: Comments from the Department of Homeland Security 

Appendix III: GAO Contacts and Staff Acknowledgments

GAO Contacts

David A. Powner at (202) 512-9286 or [email protected]
Keith A. Rhodes at (202) 512-6412 or [email protected]

Staff Acknowledgments

In addition to the contacts named above, the following also made key
contributions to this report: Scott Borre, Barbara Collier, Neil Doherty,
Michael Gilmore, Nancy Glover, Franklin Jackson, Barbarol James, and Eric
Winter.

(310858)

GAO's Mission

The Government Accountability Office, the audit, evaluation, and
investigative arm of Congress, exists to support Congress in meeting its
constitutional responsibilities and to help improve the performance and
accountability of the federal government for the American people. GAO
examines the use of public funds; evaluates federal programs and policies;
and provides analyses, recommendations, and other assistance to help
Congress make informed oversight, policy, and funding decisions. GAO's
commitment to good government is reflected in its core values of
accountability, integrity, and reliability.

Obtaining Copies of GAO Reports and Testimony

The fastest and easiest way to obtain copies of GAO documents at no cost
is through GAO's Web site (www.gao.gov). Each weekday, GAO posts
newly released reports, testimony, and correspondence on its Web site. To
have GAO e-mail you a list of newly posted products every afternoon, go to
www.gao.gov and select "E-mail Updates."

Order by Mail or Phone

The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent of
Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more
copies mailed to a single address are discounted 25 percent. Orders should
be sent to:

U.S. Government Accountability Office
441 G Street NW, Room LM
Washington, DC 20548

To order by Phone: Voice: (202) 512-6000
TDD: (202) 512-2537
Fax: (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs

Contact:

Web site: www.gao.gov/fraudnet/fraudnet.htm
E-mail: [email protected]
Automated answering system: (800) 424-5454 or (202) 512-7470

Congressional Relations

Gloria Jarmon, Managing Director, [email protected], (202) 512-4400
U.S. Government Accountability Office, 441 G Street NW, Room 7125
Washington, DC 20548

Public Affairs

Chuck Young, Managing Director, [email protected], (202) 512-4800
U.S. Government Accountability Office, 441 G Street NW, Room 7149
Washington, DC 20548

To view the full product, including the scope and methodology, see
GAO-08-113 (http://www.gao.gov/cgi-bin/getrpt?GAO-08-113).

For more information, contact David Powner at (202) 512-9286 or
[email protected].

Highlights of GAO-08-113, a report to congressional requesters

October 2007

CRITICAL INFRASTRUCTURE PROTECTION

Sector-Specific Plans' Coverage of Key Cyber Security Elements Varies

Why GAO Did This Study

The nation's critical infrastructure sectors--such as public health,
energy, water, and transportation--rely on computerized information and
systems to provide services to the public. To fulfill the requirement for
a comprehensive plan, including cyber aspects, the Department of Homeland
Security (DHS) issued a national plan in June 2006 for the sectors to use
as a road map to enhance the protection of critical infrastructure. Lead
federal agencies, referred to as sector-specific agencies, are responsible
for coordinating critical infrastructure protection efforts, such as the
development of plans that are specific to each sector. In this context,
GAO was asked to determine if these sector-specific plans address key
aspects of cyber security, including cyber assets, key vulnerabilities,
vulnerability reduction efforts, and recovery plans. To accomplish this,
GAO analyzed each sector-specific plan against criteria that were
developed on the basis of DHS guidance.

What GAO Recommends

To assist the sectors in securing their cyber infrastructure, GAO
recommends that the Secretary of Homeland Security request that, by
September 2008, the sector-specific agencies develop plans that address
all of the cyber-related criteria. In written comments on a draft of this
report, DHS concurred with GAO's recommendation and provided technical
comments that have been addressed as appropriate.

What GAO Found

The extent to which the sectors addressed aspects of cyber security in
their sector-specific plans varied; none of the plans fully addressed all
30 cyber security-related criteria. Several sector plans--including the
information technology and telecommunications sectors--fully addressed
many of the criteria, while others--such as agriculture and food and
commercial facilities--were less comprehensive. The following figure
summarizes the extent to which each plan addressed the 30 criteria.

Comprehensiveness of Sector-Specific Plans

In addition to the variations in the extent to which the plans covered
aspects of cyber security, there was also variance among the plans in the
extent to which certain criteria were addressed. For example, all plans
fully addressed identifying a sector governance structure for research and
development, but fewer than half of the plans fully addressed describing
any incentives used to encourage voluntary performance of risk
assessments. The varying degrees to which each plan addressed the cyber
security-related criteria can be attributed in part to the varying levels
of maturity in the different sectors.

DHS acknowledges the shortcomings in the plans, and officials stated that
the sector-specific plans represent only the early efforts by the sectors
to develop their respective plans. Nevertheless, until the plans fully
address key cyber elements, stakeholders within the infrastructure sectors
may not adequately identify, prioritize, and protect their critical
assets. As the plans are updated, it will be important that DHS work with
the sector representatives to ensure that the areas not sufficiently
addressed are covered. Otherwise, the plans will remain incomplete and
sector efforts will not be sufficient to enhance the protection of their
computer-reliant assets.
