Critical Infrastructure Protection: Sector-Specific Plans'	 
Coverage of Key Cyber Security Elements Varies (31-OCT-07,	 
GAO-08-64T).							 
                                                                 
The nation's critical infrastructure sectors--such as banking and
finance, information technology, and public health--rely on	 
computerized information and systems to provide services to the  
public. To fulfill the requirement for a comprehensive plan,	 
including cyber aspects, the Department of Homeland Security	 
(DHS) issued a national plan in June 2006 for the sectors to use 
as a road map to enhance the protection of critical		 
infrastructure. Lead federal agencies, referred to as		 
sector-specific agencies, are responsible for coordinating	 
critical infrastructure protection efforts such as the		 
development of plans that are specific to each sector. GAO was	 
asked to summarize a report being released today that identifies 
the extent to which the sector plans addressed key aspects of	 
cyber security, including cyber assets, key vulnerabilities,	 
vulnerability reduction efforts, and recovery plans. In the	 
report, GAO analyzed each sector-specific plan against criteria  
that were developed on the basis of DHS guidance.		 
-------------------------Indexing Terms------------------------- 
REPORTNUM:   GAO-08-64T 					        
    ACCNO:   A77802						        
  TITLE:     Critical Infrastructure Protection: Sector-Specific      
Plans' Coverage of Key Cyber Security Elements Varies		 
     DATE:   10/31/2007 
  SUBJECT:   Command and control systems			 
	     Computer systems					 
	     Critical infrastructure				 
	     Cyber security					 
	     Energy						 
	     Evaluation criteria				 
	     Homeland security					 
	     Information infrastructure 			 
	     Information security				 
	     Information technology				 
	     Public health					 
	     Risk assessment					 
	     Risk management					 
	     Strategic planning 				 
	     System security plans				 
	     Transportation					 
	     Security standards 				 
	     National Infrastructure Protection Plan		 

******************************************************************
** This file contains an ASCII representation of the text of a  **
** GAO Product.                                                 **
**                                                              **
** No attempt has been made to display graphic images, although **
** figure captions are reproduced.  Tables are included, but    **
** may not resemble those in the printed version.               **
**                                                              **
** Please see the PDF (Portable Document Format) file, when     **
** available, for a complete electronic file of the printed     **
** document's contents.                                         **
**                                                              **
******************************************************************
GAO-08-64T

   

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to [email protected].

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately.

United States Government Accountability Office:
GAO: 

Testimony: 
Before Congressional Subcommittees: 
Committee on Homeland Security: 
U.S. House of Representatives:

For Release on Delivery: 
Expected at 2:00 p.m. EDT: 
Wednesday, October 31, 2007: 

Critical Infrastructure Protection: 

Sector-Specific Plans' Coverage of Key Cyber Security Elements Varies:

Statement of David A. Powner: 
Director: 
Information Technology Management Issues: 

GAO-08-64T: 

GAO Highlights:

Highlights of GAO-08-64T, a testimony before congressional 
subcommittees, Committee on Homeland Security, U.S. House of 
Representatives. 

Why GAO Did This Study:

The nation's critical infrastructure sectorsï¿½such as banking and 
finance, information technology, and public healthï¿½rely on computerized 
information and systems to provide services to the public. To fulfill 
the requirement for a comprehensive plan, including cyber aspects, the 
Department of Homeland Security (DHS) issued a national plan in June 
2006 for the sectors to use as a road map to enhance the protection of 
critical infrastructure. Lead federal agencies, referred to as sector-
specific agencies, are responsible for coordinating critical 
infrastructure protection efforts such as the development of plans that 
are specific to each sector. GAO was asked to summarize a report being 
released today that identifies the extent to which the sector plans 
addressed key aspects of cyber security, including cyber assets, key 
vulnerabilities, vulnerability reduction efforts, and recovery plans. 
In the report, GAO analyzed each sector-specific plan against criteria 
that were developed on the basis of DHS guidance. 

What GAO Found:

The extent to which the sectors addressed aspects of cyber security in 
their sector-specific plans varied; none of the plans fully addressed 
all 30 cyber security-related criteria. Several sector plansï¿½including 
the information technology and telecommunications sectorsï¿½fully 
addressed many of the criteria, while othersï¿½such as agriculture and 
food and commercial facilitiesï¿½were less comprehensive. The following 
figure summarizes the extent to which each plan addressed the 30 
criteria.

Graph: Comprehensiveness of Sector-Specific Plans: 

This figure is a vertical stacked bar graph, depicting seventeen 
sectors on the horizontal axis in three categories: comprehensive, 
somewhat comprehensive, and less comprehensive. The vertical axis of 
the graph represents number of criteria, from 0 to 30. All bars meet 
the total of 30 criteria, through a stacking of fully addressed, 
partially addressed and not addressed. The following is an 
approximation of the number of criteria represented in the graph by 
sectors:

Information technology: Comprehensive; 
Fully addressed: 28;
Partially addressed: 2; 
Not addressed: 0.

Telecommunications: Comprehensive; 
Fully addressed: 27; 
Partially addressed: 3; 
Not addressed: 0.

Public health: Comprehensive; 
Fully addressed: 27; 
Partially addressed: 1; 
Not addressed: 2.

Energy: Comprehensive; 
Fully addressed: 24; 
Partially addressed: 3; 
Not addressed: 3. 

Government facilities: Comprehensive; 
Fully addressed: 24; 
Partially addressed: 3; 
Not addressed: 3.

Nuclear reactors: Comprehensive; 
Fully addressed: 23; 
Partially addressed: 6; 
Not addressed: 1.

Water: Comprehensive; 
Fully addressed: 23; 
Partially addressed: 6; 
Not addressed: 1. 

Chemical: Comprehensive; 
Fully addressed: 23; 
Partially addressed: 6; 
Not addressed: 1. 

Dams: Comprehensive; 
Fully addressed: 23; 
Partially addressed: 6; 
Not addressed: 1. 

Transportation: Comprehensive; 
Fully addressed: 22; 
Partially addressed: 6; 
Not addressed: 2. 

Emergency services: Comprehensive; 
Fully addressed: 22; 
Partially addressed: 4; 
Not addressed: 4. 

Postal and shipping: Comprehensive; 
Fully addressed: 21; 
Partially addressed: 8; 
Not addressed: 1. 

Banking and finance: Somewhat comprehensive; 
Fully addressed: 19; 
Partially addressed: 7; 
Not addressed: 4. 

Defense industrial base: Somewhat comprehensive; 
Fully addressed: 18; 
Partially addressed: 5; 
Not addressed: 7. 

National monuments: Somewhat comprehensive; 
Fully addressed: 17; 
Partially addressed: 8; 
Not addressed: 5. 

Agriculture and food: Less comprehensive; 
Fully addressed: 10; 
Partially addressed: 10; 
Not addressed: 10. 

Commercial facilities: Less comprehensive; 
Fully addressed: 8; 
Partially addressed: 12; 
Not addressed: 10. 

Source: GAO analysis of agency data.

[End of graph]

What GAO Recommends:

In its report, GAO recommends that the Secretary of Homeland Security 
request that, by September 2008, the sector-specific agencies develop 
plans that fully address all of the cyber-related criteria. In written 
comments on a draft of the report, DHS concurred with GAOï¿½s 
recommendation. 

To view the full product, including the scope and methodology, click on 
[hyperlink, http://www.GAO-08-64T]. For more information, contact David 
Powner at (202) 512-9286 or [email protected]. 

[End of section] 

Mr. Chairman, Madame Chairwoman, and Members of the Subcommittees:

Thank you for the opportunity to join in today's hearing to discuss 
transitioning critical infrastructure protection sector-specific plans 
into action. Because the nation's critical infrastructure relies 
extensively on computerized information systems and electronic data to 
maintain the nation's security, economy, and public health and safety, 
the security of those systems and information is essential. To help 
address critical infrastructure protection, federal policy has 
established a framework for public-and private-sector 
partnerships.[Footnote 1] It has also identified 17 critical 
infrastructure sectors that are largely owned and operated by the 
private sector, including banking and finance, information technology, 
telecommunications, energy, and public health and healthcare.

Federal policy requires the development of a national plan by the 
Department of Homeland Security (DHS) to outline national goals, 
objectives, milestones, and key initiatives as well as the development 
of individual critical infrastructure sector plans--referred to as 
sector-specific plans--to outline how a sector's public and private 
stakeholders will implement the national plan. Lead federal agencies, 
referred to as sector-specific agencies (including DHS, Department of 
the Treasury, and the Department of Health and Human Services), are 
responsible for coordinating critical infrastructure protection efforts 
with the public and private stakeholders in their respective sectors.

DHS issued a National Infrastructure Protection Plan (NIPP) in June 
2006 to be used as a road map for how DHS and other relevant 
stakeholders are to use risk management principles to prioritize 
protection activities within and across the sectors in an integrated, 
coordinated fashion. NIPP requires each of the lead federal agencies 
associated with the 17 critical infrastructure sectors to develop 
sector-specific plans to address how the sectors' stakeholders would 
implement the national plan and how they would improve the security of 
their assets, systems, networks, and functions. These plans are to, 
among other things, describe how the sector will identify and 
prioritize its critical assets, including cyber assets, and define 
approaches the sector will take to assess risks and develop programs to 
protect those assets. DHS announced the release of the 17 sector plans 
on May 21, 2007.

As requested, our testimony today will summarize our report being 
released today on the cyber security aspects of the critical 
infrastructure protection sector-specific plans.[Footnote 2] In the 
report, we analyzed each sector-specific plan against 30 criteria that 
we developed based on DHS guidance. The 30 criteria are shown in 
appendix I. The report contains a detailed overview of the scope and 
methodology we used. The work on which this testimony is based was 
performed in accordance with generally accepted government auditing 
standards.

Results in Brief:

The extent to which the sectors addressed key aspects of cyber security 
in their sector-specific plans varied; none of the plans fully 
addressed all 30 cyber security-related criteria. Several plans-- 
including those from the information technology and telecommunications 
sectors--fully addressed many of the criteria, while others--such as 
those from the agriculture and food and commercial facilities sectors-
-were not as comprehensive. In addition to the varying degrees with 
which the sector-specific plans covered aspects of cyber security, the 
plans as a whole addressed certain criteria more comprehensively than 
they did others. For example, all 17 plans fully addressed the 
criterion to identify a sector governance structure for research and 
development, while only 7 plans fully addressed the process for 
identifying the consequences of cyber attacks. Further, only 3 plans 
fully addressed the criterion to describe incentives used to encourage 
voluntary performance of risk assessments.

The varying degrees to which each plan addressed the cyber security- 
related criteria can be attributed in part to the varying levels of 
maturity of the different sectors: that is, sectors where stakeholders 
had more experience working together on critical infrastructure issues 
generally had more comprehensive and complete plans than those in which 
their stakeholders had less prior experience working together. Without 
comprehensive plans, certain sectors may not be effectively 
identifying, prioritizing, and protecting the cyber aspects of their 
critical infrastructure protection efforts. For example, with most 
sectors lacking a process for identifying the consequences of cyber 
attacks against their assets, our nation's sectors could be ill- 
prepared to respond properly to a cyber attack.

To assist the sectors in securing their cyber infrastructure, we made a 
recommendation in our report to the Secretary of Homeland Security to 
request that by September 2008, the sector-specific agencies' plans 
address the cyber-related criteria that have not been fully addressed. 
In written comments on a draft of the report, DHS concurred with our 
recommendation.

Background:

Our nation's critical infrastructures--such as banking and finance, 
information technology, telecommunications, energy, and public health 
and healthcare--rely extensively on computerized information systems 
and electronic data to carry out their missions. The security of these 
systems and data, referred to as cyber critical infrastructure 
protection, is essential to preventing disruptions in critical 
operations, fraud, and inappropriate disclosure of sensitive 
information. Due in part to the importance of and increasing reliance 
on these electronic systems, we designated cyber critical 
infrastructure protection, in conjunction with protecting the federal 
government's information systems, as a high risk area in 2003. In 
January 2005 and 2007, we identified cyber critical infrastructure 
protection as a high-risk area because of the continuing concern about 
risks to information systems from escalating and emerging threats; the 
ease of obtaining and using hacking tools; the steady advance in the 
sophistication of attack technology; and the emergence of new and more 
destructive attacks.

As the focal point for critical infrastructure protection, DHS has many 
cyber security-related roles and responsibilities that are called for 
in law and policy. In May 2005, we identified 13 key cyber security 
responsibilities (see table 1).[Footnote 3] These responsibilities are 
described in more detail in appendix II.

Table 1: DHS Key Cyber Security Responsibilities:

1. Develop a comprehensive national plan for critical infrastructure 
protection, including cyber security. 
2. Develop partnerships and coordinate with other federal agencies, 
state and local governments, and the private sector. 
3. Improve and enhance public/private information sharing involving 
cyber attacks, threats, and vulnerabilities. 
4. Develop and enhance national cyber analysis and warning 
capabilities. 
5. Provide and coordinate incident response and recovery planning 
efforts. 
6. Identify and assess cyber threats and vulnerabilities. 
7. Support efforts to reduce cyber threats and vulnerabilities. 
8. Promote and support research and development efforts to strengthen 
cyber space security. 
9. Promote awareness and outreach. 
10. Foster training and certification. 
11. Enhance federal, state, and local government cyber security. 
12. Strengthen international cyber space security. 
13. Integrate cyber security with national security.

Source: GAO analysis of the Homeland Security Act of 2002, the Homeland 
Security Presidential Directive-7, and the National Strategy to Secure 
Cyberspace.

[End of table]

In May 2005, we reported that while DHS had initiated multiple efforts 
to fulfill its responsibilities, it had not fully addressed any of the 
13 responsibilities.[Footnote 4] For example, the department 
established the United States Computer Emergency Readiness Team as a 
public/private partnership to make cyber security a coordinated 
national effort and it established forums to build greater trust and 
information sharing among federal officials who have information 
security responsibilities and law enforcement entities. However, DHS 
had not yet developed national cyber threat and vulnerability 
assessments or government/industry contingency recovery plans for cyber 
security. In September 2006, we testified that DHS had made progress on 
its responsibilities, but that none had been completely 
addressed.[Footnote 5]

One of DHS's key cyber security responsibilities is the development of 
a comprehensive national plan for securing both the physical and cyber 
aspects of the key resources and critical infrastructure of the United 
States. The plan is to outline national strategies, activities, and 
milestones for protecting critical infrastructures. To fulfill this 
responsibility, in June 2006, DHS issued the National Infrastructure 
Protection Plan (NIPP) to guide how DHS and other relevant stakeholders 
are to use risk management principles to prioritize protection 
activities within and across the sectors in an integrated, coordinated 
fashion. NIPP requires each of the lead federal agencies associated 
with the 17 critical infrastructure sectors to develop sector-specific 
plans to address how the sectors' stakeholders would implement the 
national plan and how they would improve the security of their assets, 
systems, networks, and functions. As part of these efforts, DHS 
provided guidance to the sectors for developing their sector-specific 
plans, including guidance on cyber aspects.

To strengthen DHS's ability to implement its cyber security 
responsibilities and to resolve underlying challenges, we have made 
about 25 recommendations over the last several years. These 
recommendations focus on the need to (1) conduct threat and 
vulnerability assessments, (2) develop a strategic analysis and warning 
capability for identifying potential cyber attacks, (3) protect 
infrastructure control systems, (4) enhance public/private information 
sharing, and (5) facilitate recovery planning, including recovery of 
the Internet in case of a major disruption. For example, in May 2005, 
we recommended, among other things, that DHS prioritize key cyber 
security responsibilities, including: performing a national cyber 
threat assessment and facilitating sector cyber vulnerability 
assessments. DHS has made varying levels of progress on many of these 
recommendations; however, additional efforts are needed to fully 
address them. Regarding the protection of infrastructure control 
systems, we issued a report on September 10, 2007, and testified on 
October 17, 2007, before the Subcommittee on Emerging Threats, 
Cybersecurity, and Science and Technology, House Committee on Homeland 
Security. In the report, we made a recommendation that DHS develop a 
strategy for coordinating control systems security efforts and enhance 
information sharing with control systems stakeholders.[Footnote 6] 
Collectively, our recommendations provide a high-level road map for the 
agency to use in improving our nation's cyber security posture.

Sector-Specific Plans' Coverage of Key Cyber Security Elements Varies:

In May 2007, DHS announced the release of 17 sector-specific plans to 
fulfill the NIPP requirement for individual sector plans. The extent to 
which the sectors addressed aspects of cyber security in their plans 
varied; none of the plans fully addressed all 30 cyber security-related 
criteria. Several plans--including those from the information 
technology and telecommunications sectors--fully addressed many of the 
criteria, while others--such as agriculture and food and commercial 
facilities--were less comprehensive. Figure 1 summarizes the extent to 
which each plan addressed the 30 criteria.

Figure 1: Comprehensiveness of Sector-Specific Plans:

[See PDF for image]

This figure is a vertical stacked bar graph, depicting seventeen 
sectors on the horizontal axis in three categories: comprehensive, 
somewhat comprehensive, and less comprehensive. The vertical axis of 
the graph represents number of criteria, from 0 to 30. All bars meet 
the total of 30 criteria, through a stacking of fully addressed, 
partially addressed and not addressed. The following is an 
approximation of the number of criteria represented in the graph by 
sectors:

Information technology: Comprehensive; 
Fully addressed: 28;
Partially addressed: 2; 
Not addressed: 0.

Telecommunications: Comprehensive; 
Fully addressed: 27; 
Partially addressed: 3; 
Not addressed: 0.

Public health: Comprehensive; 
Fully addressed: 27; 
Partially addressed: 1; 
Not addressed: 2.

Energy: Comprehensive; 
Fully addressed: 24; 
Partially addressed: 3; 
Not addressed: 3. 

Government facilities: Comprehensive; 
Fully addressed: 24; 
Partially addressed: 3; 
Not addressed: 3.

Nuclear reactors: Comprehensive; 
Fully addressed: 23; 
Partially addressed: 6; 
Not addressed: 1.

Water: Comprehensive; 
Fully addressed: 23; 
Partially addressed: 6; 
Not addressed: 1. 

Chemical: Comprehensive; 
Fully addressed: 23; 
Partially addressed: 6; 
Not addressed: 1. 

Dams: Comprehensive; 
Fully addressed: 23; 
Partially addressed: 6; 
Not addressed: 1. 

Transportation: Comprehensive; 
Fully addressed: 22; 
Partially addressed: 6; 
Not addressed: 2. 

Emergency services: Comprehensive; 
Fully addressed: 22; 
Partially addressed: 4; 
Not addressed: 4. 

Postal and shipping: Comprehensive; 
Fully addressed: 21; 
Partially addressed: 8; 
Not addressed: 1. 

Banking and finance: Somewhat comprehensive; 
Fully addressed: 19; 
Partially addressed: 7; 
Not addressed: 4. 

Defense industrial base: Somewhat comprehensive; 
Fully addressed: 18; 
Partially addressed: 5; 
Not addressed: 7. 

National monuments: Somewhat comprehensive; 
Fully addressed: 17; 
Partially addressed: 8; 
Not addressed: 5. 

Agriculture and food: Less comprehensive; 
Fully addressed: 10; 
Partially addressed: 10; 
Not addressed: 10. 

Commercial facilities: Less comprehensive; 
Fully addressed: 8; 
Partially addressed: 12; 
Not addressed: 10. 


Source: GAO analysis of agency data.

[End of figure]

In addition to the variations in the extent to which the plans covered 
aspects of cyber security, there was also variance among the plans in 
the extent to which certain criteria were addressed. For example, all 
plans fully addressed (1) identifying a sector governance structure for 
research and development, (2) describing how the sector- specific 
agency intends to manage its NIPP responsibilities; and (3) describing 
the sector's coordinating mechanisms and structures. Also, at least 15 
of the plans fully addressed (1) characterizing the sector's 
infrastructure, including the cyber reliance, (2) identifying 
stakeholder relationships for securing cyber assets, (3) describing a 
process for updating, reporting, budgeting, and training, and (4) 
describing a process for cyber-related information sharing. However, 
fewer than half of the plans fully addressed: (1) describing a process 
to identify potential consequences of cyber attacks, (2) describing any 
incentives used to encourage voluntary performance of risk assessments, 
(3) developing and using cyber metrics to measure progress, and (4) 
identifying existing cyber-related projects that support goals and 
identify gaps.

The varying degrees to which each plan addressed the cyber security-
related criteria can be attributed in part to the varying levels of 
maturity of the different sectors. According to DHS officials, the 
sectors that have been working together longer on critical 
infrastructure issues generally have developed more comprehensive and 
complete plans than the sectors with stakeholders that had not 
previously worked together. For example, the plan for the energy sector 
was among those categorized as most comprehensive: the chemical sector 
had worked with DHS to improve the cyber component in its plans and it 
included most of the key information required for each plan element. 
Furthermore, the limited amount of time to complete the plans--6 
months--was a factor for those sectors that had not previously been 
working together on critical infrastructure issues and were thus less 
mature.

DHS acknowledges the shortcomings we identified in the plans. Officials 
stated that the sector-specific plans represent only the early efforts 
by the sectors to develop their respective plans and anticipate that 
the plans will improve over time. Nevertheless, until the plans fully 
address key cyber elements, certain sectors may not be prepared to 
respond to a cyber attack against our critical infrastructure. As the 
plans are updated, it will be important that DHS work with the sector 
representatives to ensure that the areas not sufficiently addressed are 
covered. Otherwise, the plans will remain incomplete and sector efforts 
will not be sufficient to enhance the protection of their computer-
reliant assets.

To assist the sectors in securing their cyber infrastructure, we 
recommended in our report that the Secretary of Homeland Security 
direct the Assistant Secretary for Infrastructure Protection and the 
Assistant Secretary for Cybersecurity and Communications to request 
that by September 2008, the sector-specific agencies' plans address the 
cyber-related criteria that were not fully addressed. In written 
comments on a draft of the report, DHS's Director, Departmental GAO/OIG 
Liaison, concurred with our recommendation. In addition, he stated that 
DHS is currently working on an action plan to assist sectors in 
addressing cyber security issues not adequately addressed in the 
initial sector-specific plans.

In summary, without comprehensive plans, certain sectors may not be 
effectively identifying, prioritizing, and protecting the cyber aspects 
of their critical infrastructure. For example, with most sectors 
lacking a process for identifying the consequences of cyber attacks 
against their assets, our nation's sectors could be ill- prepared to 
respond properly to a cyber attack. In addition, without comprehensive 
plans, DHS cannot adequately identify where it and the rest of the 
federal government can most effectively assist in enhancing the 
security of the nation's critical infrastructures that are largely 
owned and operated by the private sector.

Ultimately, our nation needs to move beyond the planning stages of 
securing our critical infrastructures and public and private sector 
owners and operators of our nation's critical infrastructure need to 
effectively implement these plans. Implementation of these plans is 
more likely if DHS can successfully fulfill its role as a focal point 
for critical infrastructure protection. To accomplish this, DHS needs 
to address its 13 key responsibilities and our previous 
recommendations. For example, if DHS enhanced national cyber analysis 
and warning capabilities and provided assessments of cyber threats and 
vulnerabilities, it would be viewed as providing a valuable service to 
critical infrastructure owners, thus improving our nation's ability to 
prepare for, respond to, and prevent major cyber attacks from occurring.

Mr. Chairman and Madame Chairwoman, this concludes my statement. I 
would be happy to answer any questions at this time.

If you have any questions on matters discussed in this testimony, 
please contact me at (202) 512-9286 or by e-mail at [email protected]. 
Other key contributors to this testimony include Scott Borre, Michael 
Gilmore, Nancy Glover, Barbarol James, and Eric Winter.

[End of section]

Appendix I: Cyber Security Criteria:

Section 1: Sector Profile and Goals: 
* Characterizes cyber aspects; 
* Identifies stakeholder relationships for securing cyber assets. 

Section 2: Identify Assets, Systems, Networks, and Functions: 
* Describes process to identify cyber assets, functions, or elements; 
* Describes process to identify cyber dependencies/independences. 

Section 3: Assess Risks: 
* Describes how the risk assessment process addresses cyber elements;  
* Describes a screening process for cyber aspects; 
* Describes methodology to identify potential consequences of cyber 
attacks; 
* Describes methodology for vulnerability assessments of cyber aspects; 
* Describes methodology for threat analyses of cyber aspects; 
* Describes incentives to encourage voluntary vulnerability 
assessments. 

Section 4: Prioritizing Infrastructure: 
* Identifies entity responsible for prioritization of cyber aspects; 
* Describes criteria and basis for prioritization of cyber aspects. 

Section 5: Develop and Implement Protective Programs: 
* Describes process to develop long-term protective plans for cyber 
aspects; 
* Describes process to identify specific cyber-related program needs; 
* Identifies programs to deter, respond, and recover from cyber attack; 
* Addresses implementation and maintenance of protective programs. 

Section 6: Measure Progress: 
* Ensures that integration of cyber metrics is part of measurement 
process; 
* Describes how cyber metrics will be reported to DHS; 
* Includes developing and using cyber metrics to measure progress; 
* Describes how to use metrics to guide future cyber projects.

Section 7: Critical Infrastructure Protection Research and Development: 
* Describes how technology developments are related to the sectorï¿½s 
cyber goals; 
* Describes process to identify cyber security technology requirements; 
* Describes process to solicit information on ongoing cyber research 
and development initiatives; 
* Identifies existing cyber-related projects that support goals and 
identifies gaps; 
* Identifies research and development governance structure. 

Section 8: Managing Sector-Specific Agency Responsibilities: 
* Describes sector-specific agencyï¿½s management of NIPP 
responsibilities; 
* Describes process for updating, reporting, budgeting, and training; 
* Describes sectorï¿½s coordination structure; 
* Describes process for investment priorities; 
* Describes process for cyber-related information sharing. 

Source: GAO analysis based on DHS guidance. 

[End of table] 

[End of section] 

Appendix II: Thirteen DHS Cyber Security Responsibilities: 

Critical infrastructure protection responsibilities with a cyber 
element: 
1. Develop a national plan for critical infrastructure protection that 
includes cyber security; 
DHS Responsibilities: Develop a comprehensive national plan for 
securing the key resources and critical infrastructure of the United 
States, including information technology and telecommunications systems 
(including satellites) and the physical and technological assets that 
support such systems. This plan is to outline national strategies, 
activities, and milestones for protecting critical infrastructures. 

Critical infrastructure protection responsibilities with a cyber 
element: 
2. Develop partnerships and coordinate with other federal agencies, 
state and local governments, and the private sector; 
DHS Responsibilities: Foster and develop public/private partnerships 
with and among other federal agencies, state and local governments, the 
private sector, and others. DHS is to serve as the focal point for the 
security of cyber space. 

Critical infrastructure protection responsibilities with a cyber 
element: 
3. Improve and enhance public/private information sharing involving 
cyber attacks, threats, and vulnerabilities; 
DHS Responsibilities: Improve and enhance information sharing with and 
among other federal agencies, state and local governments, the private 
sector, and others through improved partnerships and collaboration, 
including encouraging information sharing and analysis mechanisms. DHS 
is to improve sharing of information on cyber attacks, threats, and 
vulnerabilities. 

Responsibilities related to the cyber space strategy's five priorities: 
4. Develop and enhance national cyber analysis and warning 
capabilities; 
DHS Responsibilities: Provide cyber analysis and warnings, enhance 
analytical capabilities, and develop a national indications and 
warnings architecture to identify precursors to attacks. 

Responsibilities related to the cyber space strategy's five priorities: 
5. Provide and coordinate incident response and recovery planning 
efforts; 
DHS Responsibilities: Provide crisis management in response to threats 
to or attacks on critical information systems. This entails 
coordinating efforts for incident response, recovery planning, 
exercising cyber security continuity plans for federal systems, 
planning for recovery of Internet functions, and assisting 
infrastructure stakeholders with cyber-related emergency recovery 
plans. 

Responsibilities related to the cyber space strategy's five priorities: 
6. Identify and assess cyber threats and vulnerabilities; 
DHS Responsibilities: Lead efforts by the public and private sectors to 
conduct a national cyber threat assessment, to conduct or facilitate 
vulnerability assessments of sectors, and to identify cross-sector 
interdependencies. 

Responsibilities related to the cyber space strategy's five priorities: 
7. Support efforts to reduce cyber threats and vulnerabilities; 
DHS Responsibilities: Lead and support efforts by the public and 
private sectors to reduce threats and vulnerabilities. Threat reduction 
involves working with the law enforcement community to investigate and 
prosecute cyberspace threats. Vulnerability reduction involves 
identifying and remediating vulnerabilities in existing software and 
systems. 

Responsibilities related to the cyber space strategy's five priorities: 
8. Promote and support research and development efforts to strengthen 
cyber space security; 
DHS Responsibilities: Collaborate and coordinate with members of 
academia, industry, and government to optimize cyber security-related 
research and development efforts to reduce vulnerabilities through the 
adoption of more secure technologies. 

Responsibilities related to the cyber space strategy's five priorities: 
9. Promote awareness and outreach; 
DHS Responsibilities: Establish a comprehensive national awareness 
program to promote efforts to strengthen cyber security throughout 
government and the private sector, including the home user. 

Responsibilities related to the cyber space strategy's five priorities: 
10. Foster training and certification; 
DHS Responsibilities: Improve cyber security-related education, 
training, and certification opportunities. 

Responsibilities related to the cyber space strategy's five priorities: 
11. Enhance federal, state, and local government cyber security; 
DHS Responsibilities: Partner with federal, state, and local 
governments in efforts to strengthen the cyber security of the nationï¿½s 
critical information infrastructure to assist in the deterrence, 
prevention, preemption of, and response to terrorist attacks against 
the United States. 

Responsibilities related to the cyber space strategy's five priorities: 
12. Strengthen international cyberspace security; 
DHS Responsibilities: Work in conjunction with other federal agencies, 
international organizations, and industry in efforts to promote 
strengthened cyber security on a global basis. 

Responsibilities related to the cyber space strategy's five priorities: 
13. Integrate cyber security with national security; 
DHS Responsibilities: Coordinate and integrate applicable national 
preparedness goals with the National Infrastructure Protection Plan. 

Source: GAO analysis of the Homeland Security Act of 2002, the Homeland 
Security Presidential Directive-7, and the National Strategy to Secure 
Cyberspace. 

[End of table] 

[End of section] 

Footnotes: 

[1] The White House, Homeland Security Presidential Directive 7 
(Washington, D.C.: Dec. 17, 2003). Department of Homeland Security, 
National Infrastructure Protection Plan, (Washington, D.C.: June 2006). 

[2] GAO, Critical Infrastructure Protection: Sector-Specific Plans' 
Coverage of Key Cyber Security Elements Varies, GAO-08-113 (Washington, 
D.C.: Oct. 31, 2007). 

[3] GAO, Critical Infrastructure Protection: Department of Homeland 
Security Faces Challenges in Fulfilling Cybersecurity Responsibilities, 
GAO-05-434 (Washington, D.C.: May 26, 2005). 

[4] GAO-05-434. 

[5] GAO, Critical Infrastructure Protection: DHS Leadership Needed to 
Enhance Cybersecurity, GAO-06-1087T (Washington, D.C.: Sep. 13, 2006). 

[6] GAO, Critical Infrastructure Protection: Multiple Efforts to Secure 
Control Systems Are Under Way, but More Remains to Be Done, GAO-07-1036 
(Washington, D.C.: Sept.10, 2007) and Critical Infrastructure 
Protection: Multiple Efforts to Secure Control Systems Are Under Way, 
but Challenges Remain, GAO-08-119T, (Washington, D.C.: Oct. 17, 2007). 

[End of section] 

GAO's Mission: 

The Government Accountability Office, the audit, evaluation and 
investigative arm of Congress, exists to support Congress in meeting 
its constitutional responsibilities and to help improve the performance 
and accountability of the federal government for the American people. 
GAO examines the use of public funds; evaluates federal programs and 
policies; and provides analyses, recommendations, and other assistance 
to help Congress make informed oversight, policy, and funding 
decisions. GAO's commitment to good government is reflected in its core 
values of accountability, integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each 
weekday, GAO posts newly released reports, testimony, and 
correspondence on its Web site. To have GAO e-mail you a list of newly 
posted products every afternoon, go to [hyperlink, http://www.gao.gov] 
and select "Subscribe to Updates." 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office: 
441 G Street NW, Room LM: 
Washington, D.C. 20548: 

To order by Phone: 
Voice: (202) 512-6000: 
TDD: (202) 512-2537: 
Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: 
E-mail: [email protected]: 
Automated answering system: (800) 424-5454 or (202) 512-7470: 

Congressional Relations: 

Gloria Jarmon, Managing Director, [email protected]: 
(202) 512-4400: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7125: 
Washington, D.C. 20548: 

Public Affairs: 

Chuck Young, Managing Director, [email protected]: 
(202) 512-4800: 
U.S. Government Accountability Office: 
441 G Street NW, Room 7149: 
Washington, D.C. 20548: 

*** End of document. ***