Information Sharing: DHS Should Take Steps to Encourage More Widespread Use of Its Program to Protect and Share Critical Infrastructure Information

GAO-06-383 April 17, 2006

Summary

A wide array of cyber and physical assets is critical to America's national security, economic well-being, and public health and safety. Information related to threats, vulnerabilities, incidents, and security techniques is instrumental to guarding these critical infrastructures against attacks and mitigating the impact of attacks that may occur. The ability to share security-related information can unify the efforts of federal, state, and local government as well as the private sector, as appropriate, in preventing and minimizing terrorist attacks. The Critical Infrastructure Information Act of 2002 was enacted to encourage nonfederal entities to voluntarily share critical infrastructure information and established protections for it. The Department of Homeland Security (DHS) has a lead role in implementing the act. GAO was asked to determine (1) the status of DHS's efforts to implement the act and (2) the challenges it faces in carrying out the act.

DHS has issued interim operating procedures and created a Program Office to administer the critical infrastructure protection program called for by the Critical Infrastructure Information Act. The interim procedures designate the responsibilities and authority of the Program Manager, and establish requirements related to accepting, protecting, sharing, and using critical infrastructure information as required by the act. The Program Office has begun to accept and safeguard critical infrastructure information submitted voluntarily by infrastructure owners and is sharing it with other DHS entities and, on a limited basis, with other government entities. For example, as of January 2006, the Program Office had received about 290 submissions of critical infrastructure information from various sectors. The Program Office also has initiated outreach efforts to publicize the program to the public and private sectors. In addition, it has trained approximately 750 potential users in DHS and other federal, state, and local government entities how to handle protected critical infrastructure information. This training is a prerequisite to being allowed to view the information. The Program Office has also trained at least 16 federal and state officials how to establish programs in their own entities so they can receive protected critical infrastructure information from DHS and then be authorized to store and share it.

DHS faces challenges that impede the private sector's willingness to share sensitive information. Key challenges include defining specific government needs for critical infrastructure information, determining how the information will be used, assuring the private sector that the information will be protected and who will be authorized to have access to the information, and demonstrating to critical infrastructure owners the benefits of sharing the information. If DHS were able to surmount these challenges, it and other government users may begin to overcome the lack of trust that critical infrastructure owners have in the government's ability to use and protect their sensitive information.



Recommendations

Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Implemented" or "Not implemented" based on our follow-up work.

Director: David A. Powner
Team: Government Accountability Office: Information Technology
Phone: No phone on record


Recommendations for Executive Action


Recommendation: In order for DHS to address the challenges to the protected critical infrastructure information program--defining specific needs, determining how and who uses the information, assuring submitters that the information will be protected, and demonstrating benefits to critical infrastructure owners--the Secretary of Homeland Security should, in the short term, establish a specific deadline in the near future for releasing the final rule to the Office of Management and Budget and for interagency review so that potential submitters have more assurance about how their sensitive information will be protected.

Agency Affected: Department of Homeland Security

Status: Implemented

Comments: On September 1, 2006, the Department of Homeland Security issued "Procedures for Handling Critical Infrastructure Information; Final Rule" in the Federal Register.

Recommendation: In order for DHS to address the challenges to the protected critical infrastructure information program--defining specific needs, determining how and who uses the information, assuring submitters that the information will be protected, and demonstrating benefits to critical infrastructure owners--the Secretary of Homeland Security should, concurrently, consistent with other infrastructure planning efforts such as the National Infrastructure Protection Plan, define and communicate to the private sector what critical information infrastructure DHS and federal entities need to fulfill their critical infrastructure responsibilities and how federal, state, and local entities are expected to use the information submitted under the program.

Agency Affected: Department of Homeland Security

Status: Implemented

Comments: To communicate to the private sector the Department of Homeland Security's (DHS) protected critical infrastructure information (PCII) needs and expected use, the Office of Infrastructure Protection/PCII Program has made available, through its public website, answers to frequently asked questions that define the type of information collected and what it is used for. In addition, the public website explains how PCII will be accessed, handled, and used by Federal, state and local government employees and their contractors.

Recommendation: In order for DHS to address the challenges to the protected critical infrastructure information program--defining specific needs, determining how and who uses the information, assuring submitters that the information will be protected, and demonstrating benefits to critical infrastructure owners--the Secretary of Homeland Security should, concurrently, consistent with other infrastructure planning efforts such as the National Infrastructure Protection Plan, determine whether creating mechanisms, such as providing originator control and direct submissions to federal agencies other than DHS, would increase submissions.

Agency Affected: Department of Homeland Security

Status: Implemented

Comments: As outlined in the "Procedures for Handling Critical Infrastructure Information--Final Rule" issued September 1, 2006, DHS has taken the following steps to increase submissions: 1) Allowing the submission of Critical Infrastructure Information (CII) to other Federal agencies or indirect submissions, providing greater intake capability, and greater convenience for submitters, and 2) categorical inclusion of classes of Protected CII, allowing for presumptive validation and more certainty for submitters. The Final Rule identifies procedures for indirect submissions to DHS through DHS field representatives and other Federal Agencies. Federal agencies other than DHS may be designated to receive CII on behalf of DHS, but only the PCII Program Manager is authorized to make the decision to validate a submission as PCII. The Final Rule also invests the PCII Program Manager with the authority and flexibility to designate certain types of infrastructure information as presumptively valid PCII to accelerate the validation process. The PCII Program Manager may establish categories of information for which PCII status will automatically apply.

Recommendation: In order for DHS to address the challenges to the protected critical infrastructure information program--defining specific needs, determining how and who uses the information, assuring submitters that the information will be protected, and demonstrating benefits to critical infrastructure owners--the Secretary of Homeland Security should, concurrently, consistent with other infrastructure planning efforts such as the National Infrastructure Protection Plan, expand efforts to use incentives to encourage more users, such as mechanisms for state-to-state sharing.

Agency Affected: Department of Homeland Security

Status: Implemented

Comments: DHS has taken steps to encourage more users to participate by allowing State and local government officials to share PCII with other parties already authorized to receive such information by the PCII Program Manager. The PCII Program Office has developed an accreditation program as a means to share PCII with eligible government entities. The accreditation program has been designed to ensure the proper handling, use, dissemination, and safeguarding of PCII by government users. A State or local entity can become authorized to receive PCII once its accreditation process has been initiated. The PCII Program Office has already accredited Maryland, Arizona, California, and Massachusetts to receive PCII and is currently working with several other states to become accredited. Once they are fully accredited, the changes made in the Final Rule will facilitate information sharing amongst these entities, should they want to share PCII.