GAO: Department of Homeland Security must examine critical infrastructure vulnerability

The Government Accountability Office (GAO) recently released a report on the ability of the Department of Homeland Security to assess and prioritize critical infrastructure (CI) vulnerability as required by the National Infrastructure Protection Plan.

Between 2011 and 2013, the offices of the Department of Homeland Security conducted vulnerability assessments of critical infrastructure. The Government Accountability Office noted that although the Homeland Security Act of 2002 and the National Infrastructure Protection Plan (NIPP) call for integration of critical infrastructure vulnerability assessments to identify priorities, DHS is not in a position to do so.

The GAO analysis of 10 assessment tools and methods found that they consistently included some areas, like perimeter security, while other areas, like cybersecurity, were not consistently included. DHS assessments also varied in their length and detail of information collected. DHS has not established guidance on what areas should be included in a vulnerability assessment, such as vulnerabilities to all-hazards as called for in the NIPP.

The DHS Office of Infrastructure Protection has recognized the challenge of having different approaches and is taking action to harmonize them. The Office of Infrastructure Protection’s efforts include only two voluntary assessment tools, however, of the 10 that were analyzed.

Lack of information on assessment tools and methods conducted and offered by federal agencies outside DHS with critical infrastructure responsibilities prevent DHS from managing an integrated and coordinated government-wide approach for assessments as called for in the NIPP. There are opportunities for DHS to work with other federal entities to develop guidance as necessary to ensure consistency. Doing so would better position DHS and other federal entities with CI responsibilities to promote an integrated and coordinated approach for conducting vulnerability assessments of CI, as called for in the Homeland Security Act of 2002, presidential directives and the NIPP.