Skip To Main

Is Protecting Vital Private IT a DHS Priority?-GovInfoSecurity

GAO Questions DHS Process on Critical Infrastructure Security

Eric Chabrow, Managing Editor

October 28, 2009

The Government Accountability Office is questioning whether the Department of Homeland Security considers safeguarding the nation’s critical IT infrastructure a priority. In response to a GAO report issued Wednesday, a DHS official rejects that suggestion, saying the department is taking multiple paths to assure the protection of these critical IT assets.

In 2006, DHS issued guidance that instructed lead federal agencies, referred to as sector-specific agencies (see box), to develop plans for protecting the sector’s critical cyber and physical infrastructure in industries such as banking and finance, energy and public health. These agencies issued plans in 2007, but GAO found that none fully addressed all 30 cybersecurity-related criteria identified in DHS’s guidance and recommended that the plans be updated to address it by September 2008.

Reps. Yvette Clarke, chairwoman of the Homeland Security Subcommittee on Emerging Threats, Cybersecurity and Science and Technology, and James Langevin, co-chair of the House Cybersecurity Caucus, asked GAO to determine the extent to which sector plans have been updated to fully address DHS’s cybersecurity requirements and assess whether these plans and related reports provide for effective implementation.

According to GAO, sector-specific agencies have yet to update their respective sector-specific plans to fully address key DHS cybersecurity conditions. Congressional investigators pointed out that only nine of 17 sector-specific plans (SSPs) have been updated, and of nine updates, only three addressed missing cyber criteria and those involved only a relatively small number of the criteria questioned.

“The lack of complete updates and progress reports are further evidence that the sector planning process has not been effective and thus leaves the nation in the position of not knowing precisely where it stands in securing cyber critical infrastructures,” David Powner, GAO information technology management issues director, wrote in the 65-page report. “Not following up to address these conditions also shows DHS is not making sector planning a priority.”

Jerald Levine, director of DHS’s GAO/Office of Inspector General liaison office, took exception to some of Powner’s conclusions. “The fact that SSPs have not been fully updated yet to include ongoing and planned cybersecurity activities does not correlate to a lack of cybersecurity planning and activities in the sectors or to the lack of effectiveness of planning,” Levine wrote to Powner, after reviewing the draft of the GAO report. “The report also does not take into account to the many ongoing activities in the sectors related to cybersecurity.”

Nation’s Cyber Assets at Risk

DHS recently issued guidance specifically requesting that the sectors address cyber criteria shortfalls in their 2010 sector-specific plan updates, GAO reported. “Until the plans are issued, it is not clear whether they will fully address cyber requirements,” Powner wrote. “The continuing lack of plans that fully address key cyber criteria has reduced the effectiveness of the existing sector planning approach and thus increases the risk that the nation’s cyber assets have not been adequately identified, prioritized and protected.”

The GAO report also cited recent studies by a presidential working group and an expert commission that identified shortfalls in the effectiveness of the current public-private partnership approach and related sector planning, and offered options for improving the process, including prioritizing sectors to focus planning efforts on those with the most important cyber assets and streamlining existing sectors to optimize their capacity to identify priorities and develop plans. “Given this, it is essential that DHS and the to-be-appointed (White House) cybersecurity coordinator determine whether the current process as implemented should continue to be the national approach and thus worthy of further investment,” Powner said.

GAO recommended, and DHS concurred, that the department assess whether existing sector-specific planning processes should continue to be the nation’s approach to