Critical Infrastructure Protection

What Needs to Be Done | Key Reports

One of the Nation's Major Ports

One of the nation's major ports

Source: GAO.

The nation's critical infrastructure is vast and diverse, encompassing 18 sectors such as banking and finance, transportation, energy, emergency services, government facilities, agriculture and food, and the water supply. These sectors are so vital to the nation that their incapacitation or destruction would have a debilitating effect on national security, the economy, and public health and safety. Safeguarding critical infrastructure involves protecting physical assets and the cyber systems—computer and communications networks—that operate and link the assets. To safeguard the nation's infrastructure, key considerations include:

  • Sectors vary considerably in their maturity and ability to develop their own protection plans, which may influence the extent to which sectors are able to plan to protect their critical assets. In developing and organizing their protection plans, sectors have faced challenges, such as the lack of an effective relationship with DHS and hesitancy by the private sector to share information with the government or within the sector.

    Highlights of GAO-07-626T (PDF), Highlights of GAO-08-113 (PDF), Highlights of GAO-07-1075T (PDF), GAO-07-706R (PDF)

  • Some sectors must depend on other sectors to function and provide assistance when responding to or recovering from an attack or disaster. However, it is unclear how much progress sectors have made in identifying these interdependencies, which may make it difficult for sectors to ensure that they can access needed technologies, energy sources, and other sector assets during recovery.

    Highlights of GAO-08-113 (PDF), GAO-07-706R (PDF)

  • Representatives from the private sector coordinating councils and the Homeland Security Advisory Committee are concerned that DHS's emphasis on protective measures—such as adding guards and gates to protect assets—may not be the optimal approach for securing the nation's critical systems. They indicated that DHS should emphasize infrastructure resiliency in addition to protection. (Homeland Security Advisory Council, Top Ten Challenges Facing The Next Secretary of Homeland Security (Washington, D.C.: Sept. 11, 2008)
  • DHS must continue to allay private-sector concerns about sharing information on vulnerabilities and gaps in protection with the federal government, fearing that such information will not be protected.

    Highlights of GAO-07-626T (PDF), GAO-07-706R (PDF)

^ Back to topWhat Needs to Be Done

  • While DHS has developed a national protection plan and facilitated the development of protection plans for individual sectors, it needs to continue to oversee the implementation of these plans, measure sectors' success at fulfilling the responsibilities identified within those plans, and systematically determine whether plans are adequate or if further steps are needed to secure these sectors.

    Highlights of GAO-07-626T (PDF), Highlights of GAO-08-113 (PDF), Highlights of GAO-07-1075T (PDF)

  • For computer-reliant critical infrastructure, DHS needs to improve its coordination with stakeholders when planning for incident response and recovery, conducting exercises, completing continuity plans for federal systems, and planning for the recovery of Internet functions.

    Highlights of GAO-08-212T (PDF), Highlights of GAO-08-113 (PDF)

  • Although DHS is sponsoring efforts to better secure control systems—computer systems used by industries to monitor and control sensitive processes and functions—it needs to better coordinate these efforts and share information with public- and private-sector entities, as appropriate.

    Highlights of GAO-07-1036 (PDF)

  • DHS needs to fully address its key cyber analysis and warning responsibilities related to monitoring networks, analyzing anomalies, providing timely warnings, and responding to threats.

    Highlights of GAO-08-113 (PDF), Highlights of GAO-08-1157T (PDF)

  • DHS needs to continue to work with stakeholders to identify asset interdependencies within and across sectors so that it can use this information to plan future protective measures for assets that may be critical to the function of multiple sectors. <

    Highlights of GAO-08-113 (PDF), GAO-07-706 (PDF)

^ Back to topKey Reports

Critical Infrastructure Protection: DHS Needs to Better Address Its Cybersecurity Responsibilities
GAO-08-1157T, September 16, 2008
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 19 pages)   Accessible Text
Critical Infrastructure Protection: DHS Needs to Fully Address Lessons Learned from Its First Cyber Storm Exercise
GAO-08-825, September 9, 2008
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 39 pages)   Accessible Text   Recommendations (HTML)
Cyber Analysis and Warning: DHS Faces Challenges in Establishing a Comprehensive National Capability
GAO-08-588, July 31, 2008
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 67 pages)   Accessible Text   Recommendations (HTML)
Critical Infrastructure Protection: Multiple Efforts to Secure Control Systems Are Under Way, but Challenges Remain
GAO-08-119T, October 17, 2007
Summary (HTML)   Highlights Page (PDF)   Full Report (PDF, 15 pages)   Accessible Text
More Reports More Results Toggle
GAO Contact
Portrait of Stephen L. Caldwell

Stephen L. Caldwell

Director, Homeland Security and Justice

caldwells@gao.gov

202-512-9610

Portrait of David Powner

David Powner

Director, Information Technology

pownerd@gao.gov

202-512-9286