Critical Infrastructure Protection
Full Title of Reference
Critical Infrastructure Protection - Current Cyber Sector-Specific Planning Approach Needs Reassessment
Full Citation
GAO, Critical Infrastrcture Protection - Current Cyber Sector-Specific Planning Approach Needs Reassessment (2009). Report to Congressional Requesters and prepared by Government Accountability Office. web
Categorization
Overview: Government Reports
Issues: Government Organization; Public Critical Infrastrcture; Regulation/Liability
Key Words
National Cybersecurity Strategy, Department of Homeland Security
Synopsis
Although DHS reported many efforts under way and planned to improve the cyber content of sector-specific plans, sector-specific agencies have yet to update their respective sector-specific plans to fully address key DHS cyber security criteria. For example, of the 17 sector-specific plans, only 9 have been updated. Of these 9 updates, just 3 addressed missing cyber criteria, and those 3 involved only a relatively small number (3 or fewer) of the criteria in question. Recently DHS issued guidance specifically requesting that the sectors address cyber criteria shortfalls in their 2010 sector-specific plan updates. Until the plans are issued, it is not clear whether they will fully address cyber requirements. Accordingly, the continuing lack of plans that fully address key cyber criteria has reduced the effectiveness of the existing sector planning approach and thus increases the risk that the nation’s cyber assets have not been adequately identified, prioritized, and protected.
Most sector-specific agencies developed and identified in their 2007 sector plans those actions—referred to by DHS as implementation actions—essential to carrying out the plans; however, since then, most agencies have not updated the actions and reported progress in implementing them as called for by DHS guidance. Specifically, in response to 2006 guidance that called for agencies to address three key implementation elements (action descriptions, completion milestones, and parties responsible), most sectors initially developed implementation actions that fully addressed the key elements. However, while 2008 guidance called for implementation actions to be updated and for sector reports to include progress reporting against implementation action milestone commitments, only five sectors updated their plans and reported on progress against implementation actions. DHS attributed this in part to the department not following up and working to ensure that all sector plans are fully developed and implemented in accordance with department guidance.
The lack of complete updates and progress reports are further evidence that the sector planning process has not been effective and thus leaves the nation in the position of not knowing precisely where it stands in securing cyber critical infrastructures. Not following up to address these conditions also shows DHS is not making sector planning a priority. Further, recent studies by a presidential working group—which resulted in the President establishing the White House Office of Cybersecurity Coordinator—and an expert commission also identified shortfalls in the effectiveness of the current public- private partnership approach and related sector planning and offered options for improving the process. Such options include (1) prioritizing sectors to focus planning efforts on those with the most important cyber assets and (2) streamlining existing sectors to optimize their capacity to identify priorities and develop plans. Given this, it is essential that DHS and the to-be-appointed Cybersecurity Coordinator determine whether the current process as implemented should continue to be the national approach and thus worthy of further investment.
Additional Notes and Highlights
Contact: David A. Powner at (202) 512-9286 or pownerd@gao.gov