This is the accessible text file for GAO report number GAO-09-57 entitled 'Highway Infrastructure: Federal Efforts to Strengthen Security Should Be Better Coordinated and Targeted on the Nation's Most Critical Highway Infrastructure' which was released on March 9, 2009. This text file was formatted by the U.S. Government Accountability Office (GAO) to be accessible to users with visual impairments, as part of a longer term project to improve GAO products' accessibility. Every attempt has been made to maintain the structural and data integrity of the original printed product. Accessibility features, such as text descriptions of tables, consecutively numbered footnotes placed at the end of the file, and the text of agency comment letters, are provided but may not exactly duplicate the presentation or format of the printed version. The portable document format (PDF) file is an exact electronic replica of the printed version. We welcome your feedback. Please E-mail your comments regarding the contents or accessibility features of this document to Webmaster@gao.gov. This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. Because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. Report to the Chairman, Committee on Homeland Security, House of Representatives: United States Government Accountability Office: GAO: January 2009: Highway Infrastructure: Federal Efforts to Strengthen Security Should Be Better Coordinated and Targeted on the Nation's Most Critical Highway Infrastructure: GAO-09-57: GAO Highlights: Highlights of GAO-09-57, a report to the Chairman, Committee on Homeland Security, House of Representatives. Why GAO Did This Study: The nation’s highway transportation system is vast and open—vehicles and their operators can move freely and with almost no restrictions. Securing the U.S. highway infrastructure system is a responsibility shared by federal, state and local government, and the private sector. Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) has primary responsibility for ensuring the security of the sector. GAO was asked to assess the progress DHS has made in securing the nation’s highway infrastructure. This report addresses the extent to which federal entities have conducted and coordinated risk assessments; DHS has developed a risk-based strategy; and stakeholders, such as state and local transportation entities, have taken voluntary actions to secure highway infrastructure — and the degree to which DHS has monitored such actions. To conduct this work, GAO reviewed risk assessment results and TSA’s documented security strategy, and conducted interviews with highway stakeholders. What GAO Found: Federal entities have several efforts underway to assess threat, vulnerability, and consequence—the three elements of risk—for highway infrastructure; however, these efforts have not been systematically coordinated among key federal partners and the results are not routinely shared. Several component agencies and offices within DHS and the Department of Transportation (DOT) are conducting individual risk assessment efforts of highway infrastructure vulnerabilities, and collectively have completed assessments of most of the critical highway assets identified in 2007. However, key DHS entities reported that they were not coordinating these activities or sharing the results. According to the National Infrastructure Protection Plan, TSA is responsible for coordinating risk assessment programs. Establishing mechanisms to enhance coordination of risk assessments among key federal partners could strengthen and validate assessments and leverage limited federal resources. DHS, through TSA, has developed and implemented a strategy to guide highway infrastructure security efforts, but the strategy is not informed by available risk assessments and lacks some key characteristics GAO has identified for effective national strategies. In May 2007, TSA issued the Highway Modal Annex, which is intended to serve as the principal strategy for implementing key programs for securing highway infrastructure. While its completion was an important first step to guide protection efforts, GAO identified a number of limitations that may influence its effectiveness. For example, the Annex is not fully based on available risk information, although DHS’s Transportation Systems -Sector Plan and the National Infrastructure Protection Plan call for risk information to be used to guide all protection efforts. Lacking such information, DHS cannot provide reasonable assurance that its current strategy is effectively addressing security gaps, prioritizing investments based on risk, and targeting resources toward security measures that will have the greatest impact. GAO also identified a number of additional characteristics of effective national strategies that were missing or incomplete in the current Highway Modal Annex. Federal entities, along with other highway sector stakeholders, have taken a variety of actions to mitigate risks to highway infrastructure; however, DHS, through TSA, lacks a mechanism to determine the extent to which voluntary security measures have been employed to protect critical assets. Specifically, highway stakeholders have developed publications and training, conducted research and development activities, and implemented specific voluntary protective measures for infrastructure assets, such as fencing and cameras. However, TSA does not have a mechanism to monitor protective measures implemented for critical highway infrastructure assets, although TSA is tasked with evaluating the effectiveness and efficiency of federal initiatives to secure surface transportation modes. Without such a monitoring mechanism, TSA cannot determine the level of security preparedness of the nation’s critical highway infrastructure. What GAO Recommends: GAO recommends that DHS establish a mechanism to enhance coordination of risk assessments; TSA address limitations in its documented security strategy for highway infrastructure; and that TSA develop a mechanism to monitor security measures for critical highway infrastructure. DHS and TSA concurred with these recommendations. To view the full product, including the scope and methodology, click on [hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-09-57]. For more information, contact Cathleen Berrick at (202) 512-3404 or berrickc@gao.gov. [End of section] Contents: Letter: Results in Brief: Background: Federal Entities Have Initiated Efforts to Assess Risks to Highway Infrastructure, But Coordination of These Efforts is Limited: DHS's Strategy to Secure Highway Infrastructure Was Not Fully Informed by Available Risk Information, and Should be Strengthened: Government and Industry Stakeholders Have Efforts Underway to Enhance the Security of Highway Infrastructure, but TSA Lacks a Mechanism to Monitor Implementation of Voluntary Security Measures: Conclusions: Recommendations for Executive Action: Agency Comments and Our Evaluation: Appendix I: Objectives, Scope and Methodology: Appendix II: Selected Laws and Federal Guidance Concerning the Security of Highway Infrastructure, 1996 to Present: Appendix III: Examples of Selected Protective Security Measures that Could be Implemented by Asset Owners and Operators: Appendix IV: Summary of Selected Federal and Non-Federal Research and Development Programs to Enhance Highway Infrastructure: Appendix V: Comments from the Department of Homeland Security: Appendix VI: GAO Contact and Staff Acknowledgments: Tables: Table 1: Summary of Federal Risk Assessment Activities for Highway Infrastructure: Table 2: Summary of Key Programs and Activities to Enhance Security of Highway Infrastructure: Table 3: FEMA Grant Funding for Highway Infrastructure-Related Security Projects, 2004 to 2007: Figures: Figure 1: Multiple Stakeholders Involved In Highway Infrastructure Security: Figure 2: NIPP Risk Management Framework: Abbreviations: 9/11 Commission Act: Implementing Recommendations of the 9/11 Commission Act: AASHTO: American Association of State Highway and Transportation Officials: ATSA: Aviation and Transportation Security Act: BEL: Bridge Explosives Loading: BZPP: Buffer Zone Protection Program: CBP: U.S. Customs and Border Protection: CIKR: critical infrastructure and key resources: CIP: Critical Infrastructure Protection: CSR: Corporate Security Review: DHS: Department of Homeland Security: DOD: Department of Defense: DOT: U.S. Department of Transportation: FEMA: Federal Emergency Management Agency: FHWA: Federal Highway Administration: FMCSA: Federal Motor Carrier Safety Administration: GCC: Government Coordinating Council: GPRA: Government Performance and Results Act: HITRAC: Homeland Infrastructure Threat and Risk Analysis Center: HMC: Highway and Motor Carrier Division: HSIN: Homeland Security Information Network: HSPD-7: Homeland Security Presidential Directive-7: HSPD-8: Homeland Security Presidential Directive-8: I&A: Office of Intelligence and Analysis: IP: Office of Infrastructure Protection: ISAC: Information Sharing Analysis Center: LLIS: Lessons Learned Information System: MOU: memorandum of understanding: MSRAM: Maritime Security Risk Analysis Model: NCHRP: National Cooperative Highway Research Programs: NIPP: National Infrastructure Protection Plan: NISAC: National Infrastructure Simulation and Analysis Center: NPPD: National Protection and Programs Directorate: NSTS: National Strategy for Transportation Security: OI: Office of Intelligence: OMB: Office of Management and Budget: PDD-63: Presidential Decision Directive 63: PSA: Protective Security Advisor: S&T: Directorate Directorate for Science and Technology: SAV: Site Assistance Visit: SCC: Highway Sector Coordinating Council: SHIRA: Strategic Homeland Infrastructure Risk Assessment: SSA: Sector-Specific Agency: TPFS: Transportation Pooled Fund Study: TRB: Transportation Research Board: TSA: Transportation Security Administration: TSP: Trucking Security Program: TSSP: Transportation Systems Sector-Specific Plan: U.S. Template: Universal Security Template: USCG: U.S. Coast Guard: VIPR: Visible Intermodal Prevention and Response: [End of section] United States Government Accountability Office: Washington, DC 20548: January 30, 2009: The Honorable Bennie G. Thompson: Chairman: Committee on Homeland Security: House of Representatives: According to the Federal Highway Administration (FHWA), the nation's highway transportation system includes approximately four million miles of roadways, 600,000 bridges, and 50 tunnels over 500 meters in length. This system supports 86 percent of all personal travel, moves 80 percent of the nation's freight (based on value), and serves as a key component in national defense mobility. The U.S. highway system is particularly vulnerable to potential terrorist attacks because of its openness--vehicles and their operators can move freely and with almost no restrictions, and some bridge and tunnel elements are easily accessible and located in isolated areas making them more challenging to secure. Failure to prepare for a terrorist attack against critical highway infrastructure could, according to security experts, lead to catastrophic loss of life and economic disruption estimated to be in the billions of dollars. Thus, the challenge of effectively securing the nation's highway infrastructure against legitimate threats involves balancing the cost and effectiveness of implementing security measures while not impeding the free flow of people and commerce. Securing the nation's highway infrastructure system is a responsibility shared by federal, state and local governments, and the private sector. Within the Department of Homeland Security (DHS), the Transportation Security Administration (TSA) has primary responsibility for ensuring the security of highway infrastructure. DHS's Infrastructure Protection (IP) Office, whose mission includes leading the coordinated national effort to reduce the risk to critical infrastructure and key resources posed by acts of terrorism, supports TSA's efforts to protect highway infrastructure.[Footnote 1] In addition, the U.S. Coast Guard (USCG) is the lead federal agency responsible for the security of the nation's ports and waterways, which may include highway assets that have a maritime nexus, such as bridges. In conjunction with highway infrastructure stakeholders, such as state and local governments, the federal government is involved in a range of security efforts, including conducting risk assessments, providing guidance and training to asset owners, and conducting research and development activities, among others. The federal government is also responsible for providing some funding assistance to highway infrastructure stakeholders. However, the bulk of the responsibility for implementing specific security measures falls largely on state and local governments who own most highway infrastructure, although independent entities, such as public authorities and private entities, own a limited number of major, iconic structures. You asked us to assess the progress DHS has made in securing the nation's highway infrastructure. This report answers the following questions: * To what extent have federal entities assessed the risks to the nation's highway infrastructure and coordinated these efforts? * To what extent has DHS developed a risk-based strategy, consistent with applicable federal guidance and characteristics of an effective national strategy, to guide its highway infrastructure security efforts? * What actions have government and highway sector stakeholders taken to secure highway infrastructure, and to what extent has DHS monitored the implementation of asset-specific protective security measures? To identify what efforts federal entities have taken to assess the risk to highway infrastructure and coordinated their efforts, we obtained and analyzed risk assessment data from DHS and the Department of Transportation (DOT), comprised of various threat, vulnerability, and consequence related assessments for highway infrastructure assets. [Footnote 2] We sought to determine the reliability of these data by, among other things, obtaining information on the processes used for collecting and maintaining written data from agency officials. On the basis of our review of the processes used to collect the data, we determined that the data were sufficiently reliable for the purposes of this report. We interviewed DHS, DOT and selected state transportation, homeland security, and law enforcement officials, associations representing highway infrastructure owners and operators, and members of the Highway Government Coordinating Council (GCC) and the Highway Sector Coordinating Council (SCC), to discuss federal risk assessment efforts.[Footnote 3] We also obtained information on federal coordination and collaboration activities from TSA and highway infrastructure stakeholders and compared these efforts to the coordination requirements established in Homeland Security Presidential Directive-7, as well as GAO's recommended practices for effective collaboration.[Footnote 4] To assess the extent to which DHS developed a risk-based strategy consistent with applicable federal guidance, including the National Infrastructure Protection Plan (NIPP) and the Transportation Systems Sector-Specific Plan (TSSP) and best practices to guide its highway infrastructure security efforts, we reviewed federal agency reports, guidelines, and infrastructure security studies on risk management sponsored by industry associations. We also interviewed DHS and DOT officials, state, and industry association highway infrastructure representatives regarding their use of risk management principles for protecting highway infrastructure. As the principal strategy for protecting the nation's highway infrastructure, we also analyzed TSA's Highway Modal Annex to determine how it aligned with the requirements set out in Executive Order 13416, Strengthening Surface Transportation Security.[Footnote 5] In addition, we assessed the extent to which the Highway Modal Annex contained the desirable characteristics for an effective national strategy that we have previously identified.[Footnote 6] To identify the actions taken by government and highway sector stakeholders to enhance the security of highway infrastructure and assess the extent to which DHS through TSA monitored the implementation of asset specific protective security measures implemented by stakeholders, we interviewed DHS, DOT, and the Department of Defense (DOD), and selected state transportation and homeland security officials; associations representing highway infrastructure operators; and the chairpersons of the Highway GCC and SCC. Although the perspectives of the state transportation and homeland security officials we spoke with cannot be generalized across the wider population of highway infrastructure owners and operators, they provided us a broad overview of highway infrastructure asset security. We selected the associations that we spoke with based on input from TSA, FHWA, and industry stakeholders who identified the major associations representing highway infrastructure owners and operators. We also analyzed TSA reviews of security practices at the state level and records of GCC and SCC meetings and stakeholder conferences. In addition, we selected 12 bridges and 1 tunnel to observe security measures implemented since September 11, 2001, and to discuss security- related issues with highway infrastructure owners and operators. We selected these assets based on criteria including location, ownership, and importance or criticality. We also considered input from TSA, DOT, and the American Association of State Highway and Transportation Officials (AASHTO) to help ensure that selected assets represented those that have implemented a range of security measures--from minimal to more robust.[Footnote 7] Due to the limited number of assets in our sample, and because the selected assets did not constitute a representative sample, the results of our observation and analysis cannot be generalized to the universe of highway infrastructure assets. However, our observations provided us with an overview of the kinds of security measures implemented at some critical infrastructure since September 11, 2001 as well as perspectives on issues highway infrastructure owners and operators face. We also compared TSA's actions to obtain data on actions taken by highway infrastructure stakeholders to enhance security and to monitor implementation of those actions with criteria in Standards for Internal Control in the Federal Government.[Footnote 8] We conducted this performance audit from May 2007 through January 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Appendix I provides additional details about our scope and methodology. Results in Brief: Federal entities have several efforts underway to assess threat, vulnerability, and consequence--the three elements of risk--for highway infrastructure; however, these assessments have not been systematically coordinated among federal partners. DHS entities--including TSA, the DHS Office of Intelligence and Analysis (I&A), and USCG--each conduct efforts to assess the threats posed to highway infrastructure. For example, the threat assessments developed for the highway sector by TSA's Office of Intelligence (OI) include information about general terrorist activity worldwide and provides additional threat and suspicious incident information to key federal and nonfederal highway infrastructure stakeholders as needed. In addition, TSA's OI has also developed likelihood estimates for specific threat scenarios involving highway infrastructure. The threat information contained in these products is used to identify specific attack scenarios which serve as an input for the other two components of a risk assessment--assessing the potential vulnerabilities to and consequences of an attack on highway assets. Federal entities have several programs underway to assess the vulnerability of highway infrastructure assets; however, the scope and purpose of these individual efforts vary considerably. For example, TSA conducts reviews of security practices at the state level through its Corporate Security Review (CSR) program to develop a baseline assessment of security nationwide. These reviews have been completed in most states to date, as well as on a select number of individual assets. While TSA's CSR assessments have a wide scope, IP, USCG, and FHWA operate programs that assess the security vulnerabilities of specific highway assets. However, the various assessments conducted to date were not well coordinated among these key federal partners, and the results have not been routinely shared. According to the NIPP, TSA is responsible for, among other things, coordinating and facilitating comprehensive risk assessment programs for the transportation sector. Our previous work has also shown that one of the principal characteristics of effective collaboration among federal agencies is leveraging available resources.[Footnote 9] Without coordinating risk assessment activities and sharing the results, federal entities are missing opportunities to leverage resources and facilitate protection efforts for the greatest number of critical assets. DHS, through TSA, has developed a strategy to guide highway infrastructure security efforts, but the strategy was not fully informed by available risk assessments, as provided for in federal guidance, and lacks key characteristics that we have identified for an effective national strategy. In accordance with Executive Order 13416, in May 2007, TSA issued the Highway Modal Annex, which serves as the principal strategy for implementing key protective programs for securing the nation's highway infrastructure. While the completion of the Annex is an important first step in guiding national efforts to protect highway infrastructure, it does not fully incorporate existing risk assessment results to inform and prioritize security efforts. Specifically, according to TSA, the Annex incorporates threat assessment results; however, it is not based on vulnerability and consequence information available from completed federal risk assessments as required by the NIPP and the TSSP. Without considering the results of completed vulnerability and consequence assessments, DHS cannot provide reasonable assurance that its strategy is addressing those areas of greatest risks or that its resources are being prioritized and allocated most effectively and efficiently. In addition, we identified areas where the Annex can be strengthened to be more consistent with Executive Order 13416. For example, the Executive Order requires that the Annex define roles and responsibilities of various stakeholders, yet the Annex only identifies a limited number of stakeholders and does not describe their roles and responsibilities. With so many distinct stakeholders, clearly defined roles and responsibilities for protecting highway infrastructure are vital to help ensure that assets are protected. The Annex also lacks characteristics of an effective national strategy--such as the inclusion of performance goals and measures with which to assess the program's overall progress toward securing highway infrastructure. Without performance measures and an evaluation of the effectiveness of the Annex's goals and objectives, TSA does not have meaningful information from which to determine whether the strategy is achieving its intended results and to target any needed improvements. According to TSA officials, the Annex was developed under a relatively short timeframe, which limited government and industry stakeholders' input to support its development, but TSA officials anticipate that future revisions will contain more detailed information. Federal entities, along with state and industry stakeholders, have various efforts underway to mitigate risks to highway infrastructure; however, TSA lacks a mechanism to monitor the extent to which highway infrastructure owners have implemented voluntary protective security measures. Efforts taken by federal and non-federal stakeholders to secure highway infrastructure include a combination of publications and training for infrastructure owners and operators, research and development activities, and implementation of specific protective measures intended to enhance the security of infrastructure assets. For example, AASHTO, in conjunction with the FHWA and TSA, has developed and issued several key publications to support states' efforts to identify critical assets, perform risk assessments, and develop potential countermeasures. A combination of federal and state-led research efforts have also served to identify methods to help protect highway infrastructure, such as the development of measures to reduce the vulnerability of flooding in underwater tunnels and potential attacks to bridge support cables. For example, in fiscal year 2008, the Science and Technology (S&T) Directorate, whose responsibilities include advising the Secretary of Homeland Security on research and development efforts, began to evaluate blast effects and mitigation measures for dams, tunnels, and bridges. In addition to these efforts, infrastructure owners and operators implemented a range of voluntary protective security measures, such as the installation of cameras and fencing to help control access to vulnerable structures. However, while TSA, through its CSR program, has determined that asset owners are implementing protective actions to secure highway infrastructure, the agency does not have a mechanism to monitor the extent to which specific protective security measures have been implemented for the nation's critical highway infrastructure. According to Executive Order 13416, DHS, through TSA, is tasked with assessing the security of each transportation mode and evaluating the effectiveness and efficiency of current federal government surface transportation security initiatives. Lacking a mechanism to monitor the implementation of voluntary protective security measures, and without evaluating the effectiveness and efficiency of these measures, TSA cannot reasonably determine the level of overall security preparedness for highway infrastructure assets deemed nationally critical. In order to strengthen collaboration between federal stakeholders involved in securing highway infrastructure, we are recommending that DHS establish a mechanism to systematically coordinate risk assessment activities and share the results of these activities among federal stakeholders. In addition, we are recommending that TSA, in consultation with the Highway GCC and the Highway SCC, incorporate the results of completed risk assessments in future revisions of the Highway Modal Annex; provide clarification of federal and non federal roles and responsibilities related to highway infrastructure protection; and establish timeframes for developing performance goals and measures for highway infrastructure security programs, among other things. Finally, we are recommending that TSA develop a mechanism to monitor the implementation of protective security measures for highway infrastructure assets identified as nationally critical. We provided a draft of this report to DHS for review. In its written comments, DHS concurred with the recommendations. However, DHS stated that TSA officials believe that GAO has misstated a key fact involving TSA's desire and intention to conduct individual vulnerability assessments on critical highway structures. Specifically, TSA noted that the report indicates that TSA has not decided whether to conduct such assessments or determined that they do not need to be done. Furthermore, TSA stated that it intends to conduct individual assessments on all bridge and tunnel properties that TSA has identified as critical beginning in 2009. Throughout this review, TSA officials repeatedly told us that it would utilize primarily a non asset-specific approach to conducting vulnerability assessments of the highway infrastructure sector, through the Corporate Security Review program. TSA did not make us aware of its plans to conduct individual vulnerability assessments of critical assets until it provided formal written comments on a draft of this report in January, 2009. While we acknowledge TSA's plans to conduct individual vulnerability assessments on all critical highway infrastructure assets, we do not believe the agency's recently reported plans to conduct these assessments affect the findings of this report. Nevertheless, we added a discussion to this report to clarify TSA's plans related to vulnerability assessments. Background: The nation's highway transportation system includes infrastructure, vehicles and users, equipment, facilities, and control and communications. Infrastructure or the "fixed" aspect of the highway transportation system includes roads, bridges, tunnels, and terminals, where travelers and freight can enter and leave the system. Many vehicle types operate on the highway system, moving both people and freight. Highway system users include commercial vehicle and private passenger drivers, cargo shippers and receivers, passengers, and pedestrians. Equipment refers to items such as machinery, cones, barriers and bollards used to create stand off distance. Facilities include terminals, warehouses, depots, and other transportation- related buildings that support the highway system. Finally, control and communications are methods for controlling vehicles, infrastructure, and the entire transportation network. These items include traffic lights, message signs, call boxes, ramp metering, closed circuit television and speed monitoring systems. Although these security enhancements are typically funded by the asset owner, the Federal Emergency Management Agency (FEMA) has provided funding to secure highway infrastructure through its grant programs. DHS funding for highway infrastructure security consists of a general appropriation to TSA for its entire surface transportation security program, which includes commercial vehicles and highway infrastructure, rail and mass transit, and pipeline security, and appropriations to FEMA for its Homeland Security Grant Program and Infrastructure Protection Program.[Footnote 10] Annual appropriations to TSA for its surface transportation security program were $36 million in fiscal year 2006, $37.2 million in fiscal year 2007, $46.6 million in fiscal year 2008, and $49.6 million in fiscal year 2009. Total FEMA funding available under the two principal grant programs increased from approximately $2 billion to over $2.5 billion from fiscal years 2006 through 2008. Multiple Stakeholders Share Responsibility for Securing Highway Infrastructure: Protecting the nation's highway infrastructure can be complicated due to the number of stakeholders involved. As illustrated in figure 1, numerous entities at the federal, state, and local levels, including public and private sector owners and operators, play a key role in highway infrastructure security. Highway infrastructure in the United States is owned and operated by a combination of federal entities, states, counties, municipalities, tribal authorities, private enterprise, and groupings of these entities. Although state and local governments own, operate, and have law enforcement jurisdiction over most of the highway infrastructure in the United States, bridge and turnpike authorities operate some major infrastructure, and there are a few privately owned bridges, tunnels, and roadways. Figure 1: Multiple Stakeholders Involved In Highway Infrastructure Security: [Refer to PDF for image: illustration] Federal stakeholders: Science and Technology Directorate; Federal Emergency Management Agency; Federal Highway Administration; Transportation Security Administration; Customs and Border Protection; U.S. Coast Guard; Office of Infrastructure Protection. State and local stakeholders: State homeland security; State and local transportation; Public authorities. Private owners and operators: Private sector. Associations: Associations. Councils: Highway Government Coordinating Council; Highway Sector Coordinating Council. Source: GAO analysis. [End of figure] DHS is the cabinet level department with primary responsibility for helping to secure highway infrastructure.[Footnote 11] Within DHS, TSA has primary responsibility for securing all modes of transportation, including highway infrastructure with support from other DHS entities including the National Protection and Programs Directorate (NPPD), USCG, Science and Technology Directorate, FEMA, and U.S. Customs and Border Protection (CBP). For example, as part of its mission, CBP is responsible for preventing people or goods that could threaten infrastructure from entering ports of entry. Although TSA is the lead agency responsible for the security of highway infrastructure, DOT, through FHWA, provides highway transportation expertise to assist TSA with respect to securing highway infrastructure.[Footnote 12] NPPD, through IP, is responsible for coordinating efforts to protect the nation's most critical assets across all critical infrastructure and key resources, which includes surface transportation. Within the transportation sector, IP works with TSA to identify nationally critical highway assets. USCG also conducts activities in support of highway infrastructure protection, such as identifying potential vulnerabilities of individual highway assets that have a maritime nexus or that affect the marine transportation system, such as bridges over navigable waterways. The Science and Technology Directorate is responsible for advising the Secretary on research and development efforts to support the Department's mission and conducts research to identify and mitigate vulnerabilities to bridges and tunnels. FEMA is responsible for awarding and administering DHS grant funds in conjunction with responsible program offices. While federal stakeholders play a role in facilitating risk-based infrastructure security efforts, implementation of asset-specific protective security measures remains the responsibility of individual asset owners- operators, most commonly states or other public entities. A number of national organizations and coordination groups exist to represent the broad composition of public and private sector highway infrastructure stakeholders. At the state level, representation is provided by AASHTO. To date, AASHTO has played a key role in representing state interests related to protecting highway infrastructure and routinely collaborates with federal entities to assist their members in enhancing infrastructure security. In April 2006, the Highway GCC was established to foster communication across government agency lines, and between the government and private industry, in support of the nation's homeland security mission. The Highway GCC membership largely consists of key Federal departments and stakeholders responsible for or involved with highway and motor carrier security, but also includes key entities such as AASHTO. The objective of the Highway GCC is to coordinate highway and motor carrier security strategies and activities; establish policies, guidelines and standards; and develop program metrics and performance criteria for the highway mode. The counterpart to the Highway GCC is the Highway SCC. This group is comprised of private sector owners and operators and representative associations of highway and motor carrier assets. The Highway SCC is an industry advisory body that, as appropriate, is to coordinate the private industry perspective on highway and motor carrier security policy, practices, and standards that affect the highway mode. Laws and Federal Guidance Concerning the Security of Highway Infrastructure: Federal laws and directives call for critical infrastructure protection activities to help secure infrastructure assets that are essential to national security. While a number of federal laws impose safety requirements on highway infrastructure, no federal laws explicitly require highway infrastructure operators to take action to safeguard their assets against a terrorist attack. In November 2001, the Aviation and Transportation Security Act (ATSA) generally required TSA to (1) receive, assess, and distribute intelligence information related to transportation security; (2) assess threats to transportation security and develop policies, strategies, and plans for dealing with those threats, including coordinating countermeasures with other federal organizations; and, (3) enforce security-related regulations and requirements.[Footnote 13] Further, in November 2002, the Homeland Security Act of 2002 created DHS and mandated IP to comprehensively assess the vulnerabilities of the critical infrastructure and key resources of the United States; integrate relevant information, intelligence analyses, and vulnerability assessments to identify protective priorities and support implemented protective security measures; and develop a comprehensive national plan for securing the key resources and critical infrastructures of the United States. [Footnote 14] The Intelligence Reform and Terrorism Prevention Act of 2004 also requires DHS to develop and implement a National Strategy for Transportation Security to include an identification and evaluation of the transportation assets that must be protected from attack or disruption, the development of risk-based priorities for addressing security needs associated with such assets, means of defending such assets, a strategic plan that delineates the roles and missions of various stakeholders, a comprehensive delineation of response and recovery responsibilities, and a prioritization of research and development objectives.[Footnote 15] More recently, in August 2007, the Implementing Recommendations of the 9/11 Commission Act (9/11 Commission Act), among other things, specified that the transportation modal security plans, including the plan for highways, required by the Intelligence Reform and Terrorism Prevention Act must include threats, vulnerabilities, and consequences, and requires DHS to establish a Transportation Security Information Sharing Plan.[Footnote 16] The President has also issued directives concerning protecting critical infrastructure. In May 1998, Presidential Decision Directive 63 (PDD- 63) established critical infrastructure protection as a national goal and presented a strategy for cooperative efforts by the government and infrastructure stakeholders to protect the physical and cyber-based systems essential to the minimum operations of the economy and the government. In addition, in December 2003, HSPD-7 was issued, superseding PDD-63. HSPD-7 defines responsibilities for DHS, federal stakeholders that are responsible for addressing specific critical infrastructure sectors--sector-specific agencies, and other departments and stakeholders. HSPD-7 instructs these sector-specific agencies to collaborate with all relevant Federal departments and agencies, State and local governments, and the private sector, including with key persons and entities in their infrastructure sector; conduct or facilitate vulnerability assessments of the sector; and encourage risk management strategies to protect against and mitigate the effects of attacks against critical infrastructure and key resources. HSPD-7 designates DHS as responsible for, among other things, coordinating national critical infrastructure protection efforts and establishing uniform policies, approaches, guidelines, and methodologies for integrating federal infrastructure protection and risk management activities within and across sectors. Moreover, Homeland Security Presidential Directive-8 (HSPD-8), issued at the same time as HSPD-7, directs DHS to coordinate the development of an all-hazards National Preparedness Goal that establishes measurable priorities, targets, standards for preparedness assessments and strategies, and a system for assessing the Nation's overall level of preparedness. Further, in December 2006 the President issued Executive Order 13416, which focused on strengthening the security of surface transportation modes and requires DHS to assess the security of each surface transportation mode and evaluate the effectiveness and efficiency of current surface transportation security initiatives.[Footnote 17] For additional key federal laws and guidance related to critical highway infrastructure protection, see Appendix II. Risk Management Approach to Guide Homeland Security Investments: Recognizing that each sector possesses its own unique characteristics and risk landscape, HSPD-7 designates Federal Government Sector Specific Agencies (SSAs) for each of the critical infrastructure sectors who are to work with DHS to improve critical infrastructure security. On June 30, 2006, DHS released the NIPP, which developed--in accordance with HSPD-7--a risk-based framework for the development of Sector-Specific Agency (SSA) strategic plans. The NIPP defines roles and responsibilities for security partners in carrying out critical infrastructure and key resources (CIKR) protection activities through the application of risk management principles. Figure 2 illustrates the several interrelated activities of the risk management framework as defined by the NIPP, including setting security goals and performance targets, identifying key assets and sector information, and assessing risk information including both general and specific threat information, potential vulnerabilities, and the potential consequences of a successful terrorist attack. The NIPP requires that federal agencies use this information to inform the selection of risk-based priorities and for the continuous improvement of security strategies and programs to protect people and critical infrastructure through the reduction of risks from acts of terrorism. Figure 2: NIPP Risk Management Framework: [Refer to PDF for image: illustration] NIPP Risk Management Framework: Physical; Cyber; Human: * Set security goals; * Identify assets, systems, networks, and functions; * Assess risks (consequences, vulnerabilities, and threats); * Prioritize; * Implement protective programs; * Measure effectiveness; Feedback loop: to each aspect of the framework: Continuous improvement to enhance protection of critical infrastructure and key resources. Source: DHS. [End of figure] The NIPP risk management framework consists of the following interrelated activities: * Set security goals: Define specific outcomes, conditions, end points, or performance targets that collectively constitute an effective protective posture. * Identify assets, systems, networks, and functions: Develop an inventory of the assets, systems, and networks that comprise the nation's critical infrastructure, key resources, and critical functions. Collect information pertinent to risk management that takes into account the fundamental characteristics of each sector. * Assess risks: Determine risk by combining potential direct and indirect consequences of a terrorist attack or other hazards (including seasonal changes in consequences, and dependencies and interdependencies associated with each identified asset, system, or network), known vulnerabilities to various potential attack vectors, and general or specific threat information. * Prioritize: Aggregate and analyze risk assessment results to develop a comprehensive picture of asset, system, and network risk; establish priorities based on risk; and determine protection and business continuity initiatives that provide the greatest mitigation of risk. * Implement protective programs: Select sector-appropriate protective actions or programs to reduce or manage the risk identified, and secure the resources needed to address priorities. * Measure effectiveness: Use metrics and other evaluation procedures at the national and sector levels to measure progress and assess the effectiveness of the national Critical Infrastructure and Key Resources protection program in improving protection, managing risk, and increasing resiliency. Federal Entities Have Initiated Efforts to Assess Risks to Highway Infrastructure, But Coordination of These Efforts is Limited: Several federal entities have efforts underway to assess threat, vulnerability, and consequence--the three elements of risk--for highway infrastructure; however, these assessments have not been systematically coordinated among key federal partners. DHS agencies and offices, including TSA, I&A, and USCG, each have efforts underway to assess the threats posed to highway infrastructure, including the most likely tactics that terrorists may use and potential targets. Federal agencies are also assessing the security vulnerabilities of and consequences of an attack on highway assets to some degree, although the scope and purpose of these individual efforts vary considerably. However, the risk assessment activities conducted to date have not been systematically coordinated among the federal partners. Given competing departmental priorities and limited resources identified by TSA and IP officials, it is important for federal stakeholders to coordinate their efforts and share available risk information to avoid potential duplication, better focus future assessment efforts, and leverage limited resources. Federal Stakeholders Have Taken Actions to Assess Risks to Highway Infrastructure: Several DHS stakeholders play a role in securing highway infrastructure, including TSA, I&A, IP, and USCG--along with FHWA within DOT. Collectively, they have a number of independent efforts underway to conduct threat, vulnerability, and consequence assessments of highway assets. Although the scope and purpose of these individual efforts vary by entity and are at various levels of completion, they have been used to a limited extent to assess the general state of security for the sector, and to identify potential security enhancements for a majority of highway infrastructure assets identified as nationally critical. See table 1 for a summary of federal risk assessment activities related to highway infrastructure assets. Table 1: Summary of Federal Risk Assessment Activities for Highway Infrastructure: Transportation Security Administration (TSA): Agency/Office: Office of Intelligence; Program/Activity: Highway Threat Assessments; Description: Provides an overview of threats--including key actors and possible attack tactics and targets--to the National Highway System and its critical infrastructure. Includes incidents of interest and suspicious activity targeting various highway modes (e.g. bridges, tunnels) in the United States and overseas; Risk Component: Threat: [Check]; Risk Component: Vulnerability: [Empty]; Risk Component: Consequence: [Empty]. Agency/Office: Highway and Motor Carrier Division (HMC); Program/Activity: Corporate Security Reviews (CSRs); Description: TSA conducts CSRs with state DOTs to establish baseline data to assess the state of security nationwide and identify common practices used to secure highway infrastructure. In conjunction with the State CSRs, HMC has also conducted a limited number of asset- specific CSRs; Risk Component: Threat: [Empty]; Risk Component: Vulnerability: [Check]; Risk Component: Consequence: [Empty]. Office of Infrastructure Protection (IP)/DHS Office of Intelligence and Analysis (I&A): Agency/Office: Homeland Infrastructure Threat and Risk Analysis Center (HITRAC)[A]; Program/Activity: Strategic Homeland Infrastructure Risk Assessment (SHIRA); Description: Provides a national overview of current high-risk scenarios for critical infrastructure across all industry sectors, including attacks on select highway infrastructure. Scenarios are identified on the basis of available threat information, perceived vulnerabilities of the sector, and the potential consequences of a successful attack; Risk Component: Threat: [Check]; Risk Component: Vulnerability: [Check]; Risk Component: Consequence: [Check]. Agency/Office: Office of Infrastructure Protection; Program/Activity: Site Assistance Visits (SAVs) & Buffer Zone Protection Program (BZPP); Description: These programs are intended to provide DHS and applicable stakeholders with detailed information about asset vulnerabilities to help it identify potential mitigation efforts and reduce potential consequences of an attack; * SAV: Facility-level assessments conducted by a federally-led team in partnership with asset owners. Mitigation measures to address identified vulnerabilities are provided to owners as "options for consideration"; * BZPP: An assessment conducted by local law enforcement of the "buffer area" in the vicinity of critical infrastructure which may be used to conduct surveillance or an attack. The results are utilized to identify resource needs and develop a purchasing plan, funded through a DHS grant program, to reduce vulnerabilities and mitigate potential consequences; Risk Component: Threat: [Empty]; Risk Component: Vulnerability: [Check]; Risk Component: Consequence: [Check]. Agency/Office: Office of Infrastructure Protection; Program/Activity: Tier 1/Tier 2 Program[B]; Description: In conjunction with SSAs and state Homeland Security Advisors, this effort identifies nationally significant, high- consequence assets and systems that, if destroyed or disrupted, could cause significant casualties, major economic losses, or widespread and long-term disruptions to national well-being and governance capacity. The Tier 2 CIKR assets include nationally-significant and high- consequence assets. Tier 1 assets are a small subset of the Tier 2 list that include assets and systems certain to produce the most significant consequences; Risk Component: Threat: [Empty]; Risk Component: Vulnerability: [Empty]; Risk Component: Consequence: [Check]. U.S. Coast Guard (USCG): Agency/Office: Port Security Specialists; Program/Activity: Maritime Security Risk Analysis Model (MSRAM); Description: USCG conducts assessments on key maritime bridges and tunnels with a maritime nexus, as part of its annual risk assessment of each port, via the MSRAM; Risk Component: Threat: [Check]; Risk Component: Vulnerability: [Check]; Risk Component: Consequence: [Check]. Agency/Office: Port Security Assessment Teams; Program/Activity: Terrorist; Operations Assessments; Description: From 2004 through 2005, USCG also conducted port-wide vulnerability assessments at several of the nation's most critical ports. These assessments, in part, targeted key bridges and tunnels that had not undergone any other federal assessments; Risk Component: Threat: [Empty]; Risk Component: Vulnerability: [Check]; Risk Component: Consequence: [Empty]. Federal Highway Administration (FHWA): Agency/Office: Office of Infrastructure; Program/Activity: Vulnerability Assessments; Description: FHWA conducts vulnerability assessments and provides subject matter expertise and technical assistance upon request to DHS/TSA; state, local, and tribal governments; private sector stakeholders; and infrastructure owners; Risk Component: Threat: [Empty]; Risk Component: Vulnerability: [Check]; Risk Component: Consequence: [Empty]. Source: GAO analysis. [A] HITRAC represents a joint effort between IP and the Critical Infrastructure Threat Analysis Division within I&A. [B] Assets identified as nationally significant through this program are placed into two distinct tiers based on the estimated consequences to the nation. [End of table] Threat Assessments: DHS stakeholders develop a combination of products that identify what they have determined to be the most probable threat scenarios involving highway infrastructure. For example, TSA's OI issues an annual threat assessment of the U.S. highway system and provides additional threat and suspicious incident information to key federal and nonfederal highway infrastructure stakeholders as needed.[Footnote 18] Recent suspicious activity involving highway infrastructure reported by the media could suggest potential terrorist plans to attack the nation's highway system. For example, in July 2008, the media reported a U.S.- educated female Pakistani neuroscientist suspected of having links to Al Qaeda, while captured in Afghanistan, was found carrying handwritten notes referring to a "mass casualty attack" on famous locations in New York, including the Brooklyn Bridge.[Footnote 19] In addition to the issuance of the Highway Threat Assessment, TSA's OI has also developed likelihood estimates for specific threat scenarios involving highway infrastructure. These estimates include scores of both terrorist intent and capability--the key components of threat--for five specific threat scenarios. These scores are intended to serve as the input for the threat component of the overall risk equation that TSA uses: Risk = ƒ(Threat x Vulnerability x Consequences). The Homeland Infrastructure Threat and Risk Analysis Center (HITRAC), which is a joint program office between the Office of Infrastructure Protection and the Office of Intelligence and Analysis, manages the Strategic Homeland Infrastructure Risk Assessment process. The results of this process provide a national overview of current high-risk scenarios for all critical infrastructure and key resources, which includes attacks on select highway infrastructure. In developing these scenarios, analysts consider terrorist capability and intent (threat), as well as vulnerability and consequence information.[Footnote 20] While this product is not intended to cover the full range of potential threat scenarios posed to the highway sector, it may serve to assist TSA and other federal highway security stakeholders in identifying specific high-risk scenarios that may require additional focus or resources. As part of its annual risk assessment of maritime infrastructure, USCG has also developed a number of threat scenarios involving select bridges and tunnels. USCG uses threat information provided internally by its Intelligence Coordination Center to evaluate 19 different attack scenarios for each infrastructure asset via the Maritime Security Risk Analysis Model (MSRAM).[Footnote 21] As with TSA and IP, USCG uses threat information as an input when conducting assessments of potential vulnerabilities and consequences of an attack on maritime highway infrastructure. Vulnerability Assessments: According to the NIPP, DHS is responsible for ensuring that comprehensive vulnerability assessments are performed for infrastructure that is deemed nationally critical. Given the potential for loss of life, economic disruption, and other impacts resulting from an attack on critical highway infrastructure, DHS stakeholders and other federal partners have a number of efforts underway to assess the vulnerabilities of these assets. These efforts are intended to help identify potential security gaps and prioritize mitigation solutions. However, the degree to which vulnerability assessments have been completed for individual highway infrastructure assets varies considerably between these entities, given their available resources and other security priorities. For example, given the substantial number of highway infrastructure assets under their jurisdiction and staffing limitations, TSA's Highway Motor Carrier Division (HMC) has chosen to identify highway infrastructure vulnerabilities by working primarily with State departments of transportation to identify the extent to which common security practices are employed.[Footnote 22] However, more comprehensive asset-specific vulnerability analyses are conducted by both IP and USCG, although the scope and purpose of the resulting products vary considerably. While these distinct entities each have vulnerability assessment efforts underway, the assessment efforts of TSA and IP have slowed considerably due to other identified priorities, and no timeframes currently exist for their completion. In addition, during the course of this review TSA officials stated TSA, as the Sector-Specific Agency for highway infrastructure, had not yet determined whether asset-specific federal vulnerability assessments should be completed for all critical highway infrastructure. However, when providing written comments on this report in January 2009, TSA officials noted that they intend to conduct individual assessments on all bridge and tunnel properties that it has identified as critical beginning in 2009. The following represents the specific vulnerability assessment activities conducted by DHS entities and their federal partners. TSA - Highway Motor Carrier Division: Through its CSR program, HMC conducts interviews with state officials to assess the security plans, policies, and security actions of organizations whose operations include critical highway infrastructure. As part of these interviews, TSA utilizes standardized questions to document the extent to which security efforts have been implemented within 11 functional areas, including security planning, physical security measures, and security training programs, among others. [Footnote 23] These security reviews focus primarily on state DOT offices, but may include other state agencies with transportation security functions, such as the Offices of Emergency Management or Homeland Security. At the time of our review, HMC officials stated that the resources associated with conducting vulnerability assessments makes it impractical to conduct asset-specific assessments of the vast number of bridges and tunnels that comprise the nation's highway system. For this reason, HMC had chosen to utilize primarily a non asset-specific approach to conducting vulnerability assessments of the highway infrastructure sector, through the CSRs. HMC officials stated that they rely on infrastructure owners and operators to conduct asset- level vulnerability assessments on highway assets, and that they generally review these findings as a component of their CSR activities. However, as previously stated, after reviewing a draft this report, TSA commented in January 2009 that it intends to conduct individual assessments on all bridge and tunnel properties that TSA has identified as critical beginning in 2009. Since the CSR program was initiated in May 2004, HMC has completed CSRs for most of the states and a select number of CSRs for specific highway infrastructure assets.[Footnote 24] According to HMC officials, the goal of these efforts is to assess potential security gaps and provide state officials with suggested actions for strengthening security. However, the pace of TSA's CSR program has slowed considerably in recent years, and no timeframe currently exists for their completion for all 50 states. Specifically, most of the state level CSRs were conducted during the first two years of the program's implementation, which began in May 2004. HMC officials stated that a combination of competing priorities and a reduction in staff available to perform CSR's led to the slowing of this effort. Specifically, HMC officials said that the 9/11 Commission Act placed a number of additional requirements on the division, such as completing a national risk assessment for school buses. While HMC officials are currently planning to conduct highway infrastructure CSR's in all remaining states, it remains unclear if, or when, this will be achieved.[Footnote 25] In accordance with standard program management principles, timeframes or milestones should typically be incorporated as part of a road map to achieve a specific desired outcome or result.[Footnote 26] The voluntary nature of the CSR program contributes to the inability for TSA to establish clear timeframes for completion. For example, according to HMC officials, two states have already declined to participate in the CSR program due to their lack of perceived security risk to their assets. In January 2009, HMC officials said that one of those states subsequently reversed its decision and is willing to participate in the CSR program. In 2008, HMC also began conducting follow-up state level CSR's to states previously assessed, and has completed a limited number of such assessments as of January 2009. According to TSA officials, the purpose of these visits is to update existing data and determine current infrastructure security efforts at the state-level. In the absence of CSR vulnerability data for infrastructure assets in the remaining states, TSA may rely on other mechanisms to obtain this data. As outlined in HSPD-7, the SSA is responsible for conducting or facilitating vulnerability assessments across the sector. According to TSA officials, the CSR effort represents their primary mechanism for meeting this responsibility. Yet, given competing priorities and resource limitations identified by HMC, there may be limited value to expending further resources to complete highway infrastructure CSRs in states or territories lacking any critical assets. Specifically, only two remaining states or territories that have not undergone a CSR have any highway infrastructure assets deemed nationally critical by IP. However, to obtain vulnerability information for the remaining critical assets, TSA could conduct a CSR visit or collaborate with other highway sector stakeholders. For example, HMC may be able to leverage the resources of other federal partners that have completed vulnerability assessments for those assets. Another potential option includes the utilization of the existing bridge safety program to obtain information about critical asset vulnerabilities. According to HMC officials, they are currently conducting pilot programs with several states to incorporate security-related questions within mandatory National Bridge Inspection program conducted biennially by state inspectors.[Footnote 27] While TSA has stated that it intends to conduct individual assessments on all bridge and tunnel properties that it has identified as critical, TSA does not plan to begin those assessments until our review is completed. Thus, it is too early to tell whether these assessments will provide TSA with sufficient data about asset vulnerabilities to make informed decisions about sector needs and priorities. Office of Infrastructure Protection (IP): As part of its responsibility to help protect critical infrastructure in all industry sectors, since 2002, IP has completed a number of vulnerability assessments of specific highway infrastructure assets through two key programs.[Footnote 28] Specifically, IP has conducted, or participated in, assessments evaluating vulnerabilities of major roadways, bridges, and tunnels as part of its SAV and BZPP programs. While the scope and purpose of these two programs differ considerably, they each serve to provide DHS, as well as applicable stakeholders and owners and operators, with detailed information about identified asset vulnerabilities to develop and prioritize mitigation efforts. Site Assistance Visits (SAVs). This voluntary program includes asset- level vulnerability assessments conducted by a federally-led team in partnership with asset owners and operators. SAVs are designed to facilitate discussion about vulnerability identification and mitigation between security partners and asset owners and operators. The visits, which take between one and three days to complete, incorporate various attack scenarios to identify potential asset vulnerabilities that could be exploited by a potential terrorist. Given the voluntary nature of the SAVs, implementation of identified mitigation measures is not required through the program; however, IP provides asset owners and operators with "options for consideration" intended to help them detect and prevent terrorist attacks. According to IP officials, their experience has shown that asset operators are generally willing to address these options because it is in their best economic and social interest to do so, given the potential consequences that may result in the event of an attack. As of January 2009, IP has conducted SAVs on a number of highway infrastructure assets; however, many of these were completed prior to July 2005. Buffer Zone Protection Program (BZPP). Under this DHS grant program, IP assists state and local authorities, as well as private industry, in developing protection plans for critical infrastructure assets, including selected highway assets. Unlike the SAV, which focuses on the security of infrastructure assets directly, the BZPP focuses on the buffer area surrounding an asset that a terrorist may use to conduct surveillance or an attack. While DHS provides the assessment tools as well as operational and technical support, the actual BZPP assessment is conducted by local law enforcement agencies with jurisdiction over the selected asset. Based on the vulnerabilities identified during the assessment, a Buffer Zone Plan is developed, in cooperation between IP and state and local partners, to address potential security gaps and identify measures to deter terrorist activity near key assets. As part of this plan, recommended enhancements are identified that may be eligible for grant funding based on a validation of the assessment and approval of a spending plan by IP officials.[Footnote 29] Potential items funded through this program include personal protective equipment, interoperable communication equipment, patrol boats, and detection equipment, among others. Since October 2002, a number of highway infrastructure assets have been assessed through the BZPP program, and additional highway assets were assessed since fiscal year 2006.[Footnote 30] While BZPP and SAV assessments serve as some of DHS' principal efforts to identify vulnerabilities and inform risk analysis of the highway sector, the pace of both of these activities has slowed considerably since 2006 due, in large part, to competing agency priorities. According to IP officials, the principal reason for the reduction in these activities is the office's focus on sectors that are a higher priority, such as dams and nuclear facilities. Since 2006, these sectors have been deemed a higher priority due to the potential for catastrophic effects resulting from a terrorist attack. Moreover, it is uncertain to what extent IP vulnerability assessments will be conducted on additional highway infrastructure assets in the future because no timeframes for additional assessments currently exist and future resource priorities remain unknown. United States Coast Guard (USCG): As part of its maritime security responsibilities, USCG completes an annual risk assessment of all key bridges and tunnels that are located on or within U.S. navigable waters. In addition to this broad effort, USCG has also conducted more comprehensive vulnerability assessments for a number of critical maritime bridges and tunnels as part of its Terrorist Operations Assessments completed in the wake of the attacks on September 11, 2001. Maritime Security Risk Analysis Model (MSRAM). Each year, USCG uses the MSRAM to develop a risk-score for maritime infrastructure likely to result in significant potential consequences if attacked, including select bridges and tunnels, as part of its port-wide risk assessments. The vulnerability component of the model is determined by identifying any applicable protective measures employed, such as access controls, perimeter security and surveillance, and explosives detection, among others, against a number of identified threat scenarios. According to USCG officials, all available federal assessments, such as SAVs, as well as those conducted by private contractors, are incorporated into the analysis to assist in determining the vulnerability of each asset being assessed. The purpose of the model is to identify port critical infrastructure that may pose the highest overall risk. The resulting information is then used to prioritize USCG security efforts and guide security planning actions with maritime stakeholders.[Footnote 31] USCG does not regulate or enforce the risk mitigation efforts for bridges and tunnels. According to USCG officials, these efforts remain voluntary and it is the owner or operator's responsibility to implement potential countermeasures. The MSRAM tool currently covers approximately 370 maritime bridges and tunnels, including the majority of critical highway assets identified by DHS in 2007. Terrorist Operations Assessments. USCG also performed vulnerability analyses on a number of maritime bridges and tunnels as a component of port-wide security assessments conducted at the nation's most critical ports after the attacks of September 11, 2001. These vulnerability assessments were conducted on a number of individual bridges and tunnels selected based on a combination of their perceived criticality and the absence of any previous federal assessments conducted. According to USCG officials, these assessments helped inform the agency's infrastructure security operations and were incorporated into the MSRAM analysis described above. The results of these assessments were also shared with the owners and operators of the assets, according to USCG officials. Federal Highway Administration (FHWA): Although DHS entities are currently the primary lead for federal highway infrastructure risk assessments, FHWA has played a key role in facilitating these efforts. Beginning in 2003, FHWA began conducting risk management workshops and responded to requests by state officials to conduct vulnerability assessments of selected bridges and tunnels that the states had identified as critical. To date, FHWA has taken the lead for conducting assessments at the state or local-level, as well as additional asset-specific assessments. Collectively, these assessments cover a number of individual bridges and tunnels, including some identified as critical assets. According to FHWA, owners generally receive a report of all assessment findings, including a suite of measures that can be used to make a facility more secure. However, officials noted that it remains the decision of the asset owner to determine how much risk to accept and how much money should be invested to protect against terrorism. From 2004 through 2005, FHWA also played a key role in assisting USCG conduct its port-wide vulnerability assessments. According to FHWA officials, their current role is to help support DHS' overall efforts to protect highway infrastructure by providing subject matter expertise; participating in assessments with various DHS entities; conducting training, and developing guidance, in conjunction with AASHTO, to assist states in conducting their own risk assessments of transportation infrastructure. Consequence Assessments: Although federal entities have collected consequence information as part of their ongoing efforts to identify critical assets and conduct vulnerability assessments, detailed consequence assessments of highway infrastructure have been limited. According to the NIPP, risk assessments should include consequence assessments to measure key effects to the well being of the nation. These effects include the negative consequences on public health and safety, the economy, public confidence in national economic and political institutions, and the functioning of government that can be expected if an asset, system, or network is damaged, destroyed, or disrupted by a terrorist attack. On a sector-wide basis, TSA and IP work together to develop a list of highway infrastructure assets deemed nationally critical based on several consequence-related factors, such as the potential loss of life and economic impact.[Footnote 32] While this list is not intended to provide the type of detailed consequence information used to prioritize mitigation decisions between specific assets, as called for in the NIPP, DHS officials stated that it serves to identify those assets that should be considered when conducting more comprehensive risk assessments of the sector. Since 2007, IP has been responsible for developing critical asset lists for all critical infrastructure and key resources in conjunction with applicable SSAs and state and territorial Homeland Security Advisors. This list is broken into two distinct tiers based on estimated consequences to the nation. The first list, Tier 1, is comprised of critical infrastructure assets and key resources that, if disrupted or destroyed, would have significant negative consequences. Currently, no highway infrastructure assets are included on the Tier 1 list. The Tier 2 list includes highway infrastructure that, based on established criteria, represent assets that, if destroyed, are also likely to result in relatively significant potential negative consequences to the nation. As part of DHS's effort to assess risk to the nation's critical infrastructure, HITRAC also engages in a collaborative effort with SSAs to collect consequence information. Specifically, HITRAC incorporates analysis of potential consequences when developing the high-risk threat scenarios contained within the SHIRA report. For example, HITRAC disseminates worksheets to each of the SSA's to collect estimates of consequences resulting from a variety of different attack scenarios. For each scenario, the SSA develops numerical rankings for several categories of potential consequences, including potential loss of life, economic effects, psychological consequences, and potential effect on agency mission. Upon review of this data, HITRAC is then able to identify and prioritize those scenarios that are likely to result in significant potential consequences relative to other attack methods or targets. In addition, some asset-level federal vulnerability assessments, such as SAVs, also include estimates of potential consequences. For example, the standard template used to record information during these visits incorporates a series of questions regarding consequences to estimate the potential loss of life and other economic consequences resulting from an attack, and to determine how critical the asset is based on its interdependencies with other transportation systems or facilities. Although these consequence estimates are a key component of an asset-specific risk assessment, not all critical highway assets have been subject to an SAV assessment to allow for consequence data to be evaluated nationwide to help establish protection priorities. Similarly, USCG also calculates consequence scores for all maritime critical infrastructure as a key component of its MSRAM analysis; however, not all of the nation's critical bridges and tunnels have a maritime nexus for which USCG analysis applies. Federal Risk Assessment Activities Have Been Hampered by Limited Coordination: While federal entities are conducting a number of individual efforts to assess highway infrastructure risks, they have not systematically coordinated these efforts or shared the results. Federal entities have collectively conducted asset-level vulnerability assessments on a substantial percentage of highway infrastructure assets identified on the 2007 Tier 2 list. However, limited mechanisms exist to share the assessment results among the various federal partners to inform their own assessment efforts. For example, HMC reported that it is generally unfamiliar with the assessment processes, mechanisms, and results of the other DHS entities, particularly IP. Lacking adequate coordination mechanisms, the potential for duplication and inadequate leveraging of federal resources exists. For example, multiple vulnerability assessments were conducted by federal agencies for numerous assets that were on the fiscal year 2007 Tier 2 list. Specifically, IP and USCG conducted assessments on a number of the same assets identified as critical.[Footnote 33] Given the number of highway infrastructure assets identified as critical, it is especially important to ensure that future risk assessment efforts are effectively coordinated between federal entities and the results shared amongst these entities. As the SSA for highway infrastructure security, TSA is responsible for facilitating and coordinating risk assessment activities and protection efforts for these assets. As further specified in the NIPP, the SSA is responsible for the overall coordination and facilitation of comprehensive risk assessment programs for the sector, which include gathering all available threat, vulnerability, and consequence information from sector partners for use in national risk management efforts. Our previous work has also indicated that a key component for successful collaboration between federal agencies includes the effective leveraging of available resources.[Footnote 34] While TSA is compiling limited vulnerability assessment information through its CSR program, no policies or mechanisms currently exist to coordinate this effort with those of other federal partners.[Footnote 35] Considering that IP and USCG are conducting nearly all of the federal asset- specific vulnerability assessments completed to date, TSA is missing an opportunity to fully inform its vulnerability analysis for the highway infrastructure sector and validate the findings obtained from its CSRs. While some efforts have been initiated by DHS entities to improve the coordination of highway infrastructure assessment activities, such actions have been limited. According to USCG officials, MSRAM analysis routinely includes the review of completed IP assessments of port- related infrastructure, including bridges and tunnels; however, coordination among the other two agencies is less mature. For example, HMC officials were generally unfamiliar with the scope of IP's SAV assessments and were unaware how these activities may be leveraged to achieve mutual goals. According to TSA officials, they had begun to receive notifications of IP assessments in July 2008; however, in September 2008, they stated that they generally do not review these assessments or incorporate the results.[Footnote 36] HMC officials also stated that they have not reached out to obtain MSRAM data because they believe that port areas are well managed by USCG. Similarly, IP officials stated that they had not requested or reviewed the results of TSA's highway infrastructure CSRs. According to IP officials, a Protective Measures Section was created in fiscal year 2008 to consolidate and track IP assessments, as part of the Vulnerability Assessment Project. This project, as described in the IP Strategic Plan: FY 2008-2013, was originally intended to also provide a mechanism to track and analyze the vulnerability assessments conducted by other Federal, State, local, and private sector partners in order to enhance coordination and collaboration with stakeholders, eliminate duplication of effort, and enable assessment prioritization. However, OIP officials stated that, due to a lack of funding, the scope of this effort was limited only to IP's own vulnerability assessments.[Footnote 37] Another area where additional collaboration between federal partners may be improved involves the potential streamlining, or standardization, of existing assessment tools and methodologies. As outlined in the NIPP, vulnerability assessments need to be comparable to support national-level and cross-sector analysis. Further, HSPD-7 requires DHS to establish uniform policies, approaches, guidelines, and methodologies for integrating Federal infrastructure protection and risk management activities within and across sectors. However, a number of varied risk assessment tools and methodologies exist both within and across sectors that differ in terms of assumptions, comprehensiveness, and objectivity. Efforts to combine or streamline some of these tools and methodologies may assist to enhance the comparability and usefulness of the various risk assessments. For example, IP's Strategic Plan: FY 2008-2013, identifies opportunities for the development of a scalable methodology, in collaboration with other SSAs, to standardize current approaches for identifying vulnerabilities and promote better coordination and collaboration. USCG officials also cited the need for a comprehensive risk analysis model so that all sectors could utilize a common tool. According to the Highway Modal Annex to the TSSP, issued in May 2007, TSA was working with DOT agencies, including the Federal Motor Carrier Safety Administration (FMCSA) and FHWA, to combine their respective risk assessment and risk mitigation tools into a single product that will reduce redundancy, increase efficiencies, and minimize impact on private stakeholders. However, in October 2008, FHWA officials stated that this effort had not occurred.[Footnote 38] The Modal Annex does not identify any additional plans for TSA to combine or incorporate any other key risk assessment tools, including USCG's MSRAM tool, IP's risk assessment and mitigation tools, or AASHTO's risk methodology. While the development of a single risk assessment tool that meets the individual needs of the distinct federal entities involved in highway infrastructure security may not be a realistic alternative, opportunities remain for DHS to identify where specific assessment tools and methodologies can be used most effectively to enhance assessments and better leverage future resources. Effective coordination of federal vulnerability assessments and sharing of assessment results is more important given the number of highway infrastructure assets. Lacking adequate coordination with federal partners, TSA will be unable to determine the extent to which specific critical assets have been assessed and if potential adjustments in its own CSR methodology may be necessary to adequately target remaining critical infrastructure assets. Given the resource limitations and competing priorities of TSA and IP discussed previously, it is increasingly important for federal entities to coordinate their risk assessment activities and to share all available risk information to avoid duplication, better focus future assessments, and more effectively leverage resources. DHS's Strategy to Secure Highway Infrastructure Was Not Fully Informed by Available Risk Information, and Should be Strengthened: While DHS has developed a strategy--the Highway Modal Annex--to secure the nation's highway infrastructure, it is not based on completed risk assessments to help ensure that federal programs and resources are focused on the areas of greatest need. Moreover, the Annex can be strengthened to better address the requirements of Executive Order 13416 on Strengthening Surface Transportation, and more fully incorporate characteristics of an effective national strategy. In addition, we identified areas where the Highway Modal Annex can be strengthened to enhance its value to highway security stakeholders by providing greater clarity of roles and focusing resources to protect highway infrastructure. TSA plans to revise the strategy in the near future, as required by the Annex and in accordance with TSA guidance, and officials stated that they would consider enhancing the Annex to address these areas at that time. DHS's Highway Modal Annex Does Not Fully Incorporate Risk Assessment Results: In May 2007, TSA published the Highway Modal Annex which documents DHS's strategy for securing the nation's highway infrastructure; [Footnote 39] however, while both the NIPP and the TSSP outline a framework whereby infrastructure protection efforts are to be guided by risk assessments of critical assets, the TSSP Highway Modal Annex is not fully informed by available vulnerability and consequence information. The Annex describes key TSA and FHWA programs related to highway infrastructure security efforts, as well as how transportation sector goals and objectives are to be achieved to protect the highway transportation system. However, while nearly all of TSA's and IP's completed vulnerability assessments were conducted prior to the issuance of the Highway Modal Annex, their results were not used to develop the Annex. Both the NIPP and TSSP sets forth a comprehensive risk management framework which includes a process of considering threat, vulnerability and consequence assessments together to determine the likelihood of a terrorist attack and the severity of its impact. In addition, the TSA guidance used to assist each mode in drafting the Annex identifies that the Annex should emphasize how each mode will use risk informed decision-making to determine specific actions required to achieve the transportation sector goals and objectives. According to HMC officials, the Highway Modal Annex was developed in conjunction with the Highway GCC and SCC using available threat information, professional judgment, and information about past terrorist incidents. However, HMC officials stated that they did not review available IP and USCG vulnerability and consequence assessments of highway infrastructure--which represents the vast majority of asset-specific information. According to these officials, the initial development of the Highway Modal Annex was limited by time, which impacted HMC's ability to consider more comprehensive risk assessment information collected and incorporate stakeholder input.[Footnote 40] However, officials stated that they anticipate that future revisions to the TSSP Highway Modal Annex will consider more risk assessment information and stakeholder input. In addition, HMC officials said that they are working on developing a separate national bridge strategy to supplement the Annex, but officials did not have a time frame for its completion. According to TSA guidance used to develop the Highway Modal Annex, the Highway GCC and SCC are to review the Annex annually and make periodic interim updates as required, which provide TSA with an opportunity to consider the results of risk assessments to inform its strategy moving forward. The Highway GCC and SCC are instructed to conduct a complete revision of TSA's Highway Modal Annex every three years, and as necessary in the interim. HMC is beginning the revision process and updating the TSSP Highway Modal Annex in 2008 to allow time for the revised strategy to be reviewed by government and sector stakeholders. However, HMC officials stated that they did not know when the revision would be issued. Without considering the results of available risk assessments, TSA is limited in its ability to assist highway infrastructure operators in prioritizing investments based on risk, and target resources towards security measures that will have the greatest impact. DHS's Highway Modal Annex Does Not Fully Address Areas Outlined in Executive Order: In reviewing the Highway Modal Annex, we identified areas in which the Annex does not fully address areas outlined in Executive Order 13416, Strengthening Surface Transportation Security, which was issued in December 2006 to address surface transportation security challenges consistent with the NIPP risk management framework. Executive Order 13416 requires that the Secretary of Homeland Security assess the security of each surface transportation mode and evaluate the effectiveness and efficiency of current surface transportation security initiatives. In addition, the Executive Order required the Secretary to develop modal annexes that include, at a minimum: * an identification of existing security guidelines and requirements and any security gaps; * a description of how the TSSP will be implemented for each mode, and the respective roles, responsibilities, and authorities of Federal, State, local, and tribal governments and the private sector; * schedules and protocols for annual reviews of the effectiveness of surface transportation security-related information sharing mechanisms; and: * a process for assessing compliance with any security guidelines and requirements issued by the Secretary for surface transportation, and the need for revisions of such guidelines and requirements to ensure their continuing effectiveness. Although Executive Order 13416 requires the identification of existing security guidelines and security requirements for each surface transportation mode, the Annex does not reference existing guidance developed by other federal and state highway infrastructure stakeholders including IP, FHWA, or AASHTO guidance on protective measures for highway infrastructure.[Footnote 41] TSA acknowledged that this information is missing from the Annex. Without including such information in TSA's national strategy for highway security, the agency is missing opportunities to identify and leverage available guidance resources for securing highway infrastructure. In addition, as called for in Executive Order 13416, the Annex does identify a number of existing security gaps related to highway infrastructure, and recognizes that addressing potential threats to the highway system is particularly challenging because of the openness of the system. However, while the Annex identifies that the conveyance of hazardous materials poses the greatest threat to highway infrastructure--and is where HMC has focused its efforts--the Annex provides little details about the different types of threats to highway infrastructure and their relative likelihood. For example, the Annex does not describe how terrorists might use explosives against highway infrastructure. According to the Annex, some bridges and tunnels are especially vulnerable because their structural components are in some cases easily accessible and because the assets themselves are located in remote areas. Furthermore, Executive Order 13416 requires DHS to describe how the TSSP will be implemented within the specific transportation mode, yet we identified areas where the Annex could improve its description of how the TSSP would be implemented. For example, although not specifically required, the Annex lacks milestones. Specifically, the Annex does not indicate timeframes or milestones for its overall implementation or for accomplishing specific actions or initiatives for which entities can be held responsible. In addition, the Annex's priorities, goals and supporting objectives and activities are not ranked by their importance. Executive Order 13416 also calls for Modal Annexes to include a description of the roles and responsibilities of key stakeholders, which the Highway Modal Annex only partially addresses because the Annex does not clearly define the authorities of federal, state, local, and tribal governments and the private sector to secure highway infrastructure. For example, the Annex does not identify that TSA has the authority to issue and enforce security related regulations and requirements it deems necessary to protect transportation assets. In addition, the Highway Modal Annex discusses the Highway GCC and Highway SCC roles and responsibilities related to highway and motor carrier security strategies and activities, as well as policies, guidelines and standards and developing program metrics and performance criteria for the mode. It also describes several TSA and FHWA highway related risk assessment programs involving collaboration with stakeholders. However, the strategy does not identify the specific roles of federal and non federal stakeholders such as HMC, IP, FEMA, CBP, FHWA, or AASHTO in the protection of critical highway infrastructure or key assets. HMC officials attributed these omissions to the short turn around time required to develop the Annex. In addition, HMC officials stated that the Annex was vetted by a variety of stakeholders including IP, and no one raised concerns over the absence of a description of the roles of these federal and non federal entities and their programs. HMC officials stated that they were willing to consider including these entities in future revisions of the Annex. Moreover, the Annex does not identify lead, support, and partner roles related to highway infrastructure security. For example, CBP is responsible for prohibiting the entry into the United States of people or goods that pose a security threat; as well as the protection of the infrastructure within the footprint of the ports of entry, while TSA is responsible for the security of all modes of transportation, including any associated infrastructure.[Footnote 42] An overlap in responsibility exists when the people and goods crossing the border intend to harm infrastructure, e.g. a truck crossing a border bridge with the intention of exploding the bridge. Our prior work has highlighted the importance of addressing which organizations will implement a national strategy, their roles and responsibilities, and mechanisms for collaborating their efforts.[Footnote 43] DHS's Highway Modal Annex Should Be Enhanced by Incorporating Characteristics of an Effective National Strategy: We assessed the Highway Modal Annex using desirable characteristics developed by our prior work on national strategies, and found several areas where future versions of the Annex can be enhanced.[Footnote 44] Our prior work has shown that national strategies can be more useful if they contain characteristics such as a description of the purpose, scope, and methodology of the strategy; goals, objectives, activities, and performance measures; a definition of the roles and responsibilities and mechanisms for collaborating; the sources and types of resources and investments associated with a strategy; and a description of how a national strategy will be integrated with other national strategies and how it will be implemented. We believe that these characteristics can assist DHS in strengthening and implementing the Highway Modal Annex going forward, as well as enhance its usefulness in resource and policy decisions and to better assure accountability. Purpose, Scope, and Methodology: This characteristic addresses the purpose for developing the strategy, the scope of its coverage, and the process by which it was developed. In addition to describing what it is meant to do and the major functions, mission areas, or activities it covers, a national strategy would ideally address the methodology used to develop it. For example, a strategy might discuss the principles or theories that guided its development, what organizations or offices drafted the document, whether it was the result of a working group, or which parties were consulted in its development. The purpose and scope of the strategy are generally described in the Annex. For example, the Annex provides a description of the nation's highway transportation system and how transportation sector goals and objectives will be achieved to protect the highway transportation system. However, the Annex does not explain the methodology used in its development. For example, while the Highway Modal Annex references the NIPP and TSSP as providing the principles or theories that guided its development, the Annex does not describe the process and information that was used to develop it. HMC officials attributed this omission to the TSA guidance used to develop the Highway Modal Annex not requiring the process and information that was used to develop it be documented. HMC officials stated that stakeholders used their collective professional judgment to develop the Annex. Goals, Objectives, Activities, and Performance Measures: This characteristic addresses what the national strategy strives to achieve and the steps needed to garner those results, as well as the priorities, milestones, and performance measures that will be used to gauge results. At the highest level, this could be a description of an ideal "end-state" of the strategy, followed by a logical hierarchy of major goals, subordinate objectives, and specific activities to achieve results. Our prior work has shown that long-term action-oriented goals and a time line with milestones are necessary to track an organization's progress toward its goals.[Footnote 45] Ideally, a national strategy would set clear desired results and priorities, specific milestones, and outcome-related performance measures while giving implementing parties flexibility to pursue and achieve those results within a reasonable timeframe. While the Highway Modal Annex identifies individual, high-level goals, subordinate objectives, and specific activities to achieve results which are aligned with the specific goals and objectives identified in the TSSP, it does not describe key related activities. The Annex identifies three major goals--prevent and deter acts of terrorism using or against the transportation system, enhance resilience of the transportation system, and improve the cost-effective use of resources for transportation security. The three goals are underpinned by objectives, such as an objective supporting the goal of implementing flexible, layered, and effective security programs using risk management principles. The objectives in turn, have accompanying activities. For example, one of the supporting activities for the goal to prevent and deter acts of terrorism using or against the transportation system is HMC's CSR program. However, the Annex focuses on HMC and FHWA activities, but does not describe several key related federal and non federal activities. For example, the Highway Modal Annex does not describe the relationship of IPs Vulnerability Assessment program, USCG's risk assessment activities related to highway infrastructure, S&T Directorate's related research and development projects, AASHTO's security design standard development efforts, or CBP's activities related to international border crossings as they relate to supporting the Annex's goals and objectives. In addition, one of the Annex's objectives is to enhance information and intelligence sharing among transportation security partners. Accordingly, the strategy identifies the Highway Information Sharing Analysis Center (ISAC) and the Homeland Security Information Network (HSIN) as two mechanisms to share information with the highway infrastructure stakeholders. However, the Annex does not discuss how HSIN complements or is different from other information sharing tools, such as DHS's Lessons Learned Information System (LLIS), as it concerns highway infrastructure. The Annex also does not discuss how HSIN is related to state efforts for sharing information. For example, during our review, one of the states we visited was developing a web site to share information for transportation security stakeholders which would potentially duplicate or overlap with information available through HSIN or LLIS. Furthermore, TSA, in conjunction with the Highway GCC and the Highway SCC, has not developed a baseline set of performance goals and measures or established a time frame upon which to assess and improve preparedness of highway infrastructure to an attack that are linked to the Annex's goals, objectives, and activities for securing highway infrastructure. The NIPP requires DHS to work with its security partners to develop sector-specific metrics. In addition, the Government Performance and Results Act (GPRA) as well as Standards for Internal Control in the Federal Government,[Footnote 46] require that agencies use performance measurement to reinforce the connection between their long-term strategic goals and the day-to-day activities of their managers and staff. In addition, the Office of Management and Budget requires all programs to have at least one cost efficiency measure as part of their mix of performance measures. With respect to highway infrastructure security, performance measures would gauge to what extent federal efforts and highway infrastructure operators are achieving the Annex's goals and objectives. HMC officials stated that although they recognize the importance of measuring the effectiveness of security efforts, they have not developed performance measures for highway infrastructure. HMC officials attributed this omission to the TSA guidance used to develop the Highway Modal Annex not requiring performance measures. Without performance measures and an evaluation of the effectiveness of the Annex's goals and objectives, TSA will lack meaningful information from which to determine whether the strategy is achieving its intended results and to target any needed improvements. Organizational Roles, Responsibilities, and Collaboration: This characteristic addresses which organizations will implement the strategy, their roles and responsibilities, and mechanisms for coordinating their efforts. It helps answer the fundamental question about who is in charge, not only during times of crisis, but also during all phases of homeland security and combating terrorism efforts: prevention, vulnerability reduction, and response and recovery. This characteristic entails identifying the specific federal departments, agencies, or offices involved and, where appropriate, the different sectors, such as state, local, private, or international sectors. In our past work, we reported that a successful strategy clarifies implementing organizations' relationships in terms of leading, supporting, and partnering. In addition, a strategy could describe the organizations that will provide the overall framework for accountability and oversight. Furthermore, a strategy might identify specific processes for collaboration between sectors and organizations- -and address how any conflicts would be resolved. For example, our previous work on effective interagency collaboration has also demonstrated that a strategy provide for some mechanism to ensure that the parties are prepared to fulfill their assigned responsibilities. [Footnote 47] The Annex provides limited information related to collaboration between highway infrastructure stakeholders. In addition, the 9/11 Commission Act requires DHS and DOT to execute and develop an annex to the memorandum of understanding (MOU) between the two agencies, which was signed in September 2004, that addresses motor carrier security. [Footnote 48] The annex must delineate specific roles, responsibilities, and resources needed to address motor carrier transportation security matters and the processes the Departments will follow to promote communications, efficiency, and ensure non duplication of effort. HMC officials stated that they plan on developing a similar annex to the MOU for highway infrastructure, but they do not have a timetable for doing so. Our prior work has shown that collaboration between federal stakeholders can be improved by clearly identifying organizational roles, responsibilities and specific processes for collaboration between sectors--and how any conflicts would be resolved. HMC officials stated that such an annex would serve to lay the groundwork and provide the proper protocols for sharing of data and personnel, and acknowledge leadership roles and responsibilities to strengthen highway infrastructure security. The 9/11 Commission Act also requires that DHS, to the greatest extent practicable, provide public and private stakeholders with transportation security information in an unclassified format.[Footnote 49] The Highway Modal Annex provides limited details on how (process, policy, mechanism) it will collaborate or what is needed to enhance information and intelligence sharing. For example, the Annex does not describe HITRAC's role related to information sharing. HITRAC is a joint organization between IP and the Critical Infrastructure Threat Analysis Division within I&A that is to integrate, analyze, and share information regarding threats and risks to U.S. critical infrastructure for DHS, other federal departments and stakeholders, the intelligence community, state and local governments and law enforcement stakeholders, and the private sector. HMC officials attributed this omission to the TSA guidance used to develop the Highway Modal Annex not requiring a description of how it is to collaborate or what is needed to enhance information and intelligence sharing. The Act also required DHS to establish a plan to share transportation information relating to the risks to transportation modes, including the highway mode that was due in early 2008; however the plan has not yet been completed.[Footnote 50] TSA officials said that DHS was developing the information sharing plan, but they did not know when the plan would be issued. Development of a plan could improve information sharing by clarifying roles and responsibilities and clearly articulating actions to address any remaining challenges, including consideration of appropriate incentives for nonfederal entities to increase information sharing with the federal government, increase sector participation, and perform other specific tasks to protect critical highway infrastructure. Resources and Investments: This characteristic addresses what the strategy will cost, the sources and types of resources and investments associated with the strategy, and where those resources and investments should be targeted. Ideally, a strategy would also identify criteria and appropriate mechanisms to allocate and take in resources--such as grants, in-kind services, loans, and user fees--based on identified needs. Alternatively, as our prior work has shown, the strategy might identify appropriate "tools of government," such as regulations, tax incentives, and standards, to mandate or stimulate nonfederal organizations to use their unique resources.[Footnote 51] The Highway Modal Annex does not describe any incentives that could be used to encourage owners to conduct voluntary risk assessments, such as grants or training that could be used to determine the best courses of action to reduce potential consequences, threats, or vulnerabilities, as required by the NIPP. These incentives are important because asset owners are not currently regulated by TSA. According to HMC officials, the guidance provided by TSA to HMC used to develop the Highway Modal Annex did not require a description of possible incentives. In addition, HMC officials said that they are working on developing a separate national bridge strategy to supplement the Annex. According to HMC officials the national bridge strategy is to assist the stakeholder community in assessing both the criticality and the security vulnerabilities of its assets; identify the most appropriate and cost- effective mitigation tools; and serve as a mechanism for the identification of sources of funding that are exclusively dedicated to security needs and do not require diversion of funding that is otherwise reserved for safety or structural enhancement or refurbishment. However, this effort is not completed and HMC does not have a time frame for its implementation. In addition, the Annex identifies that measures to secure assets of the Highway Transportation System must be implemented in a way that balances cost, efficiency, and preservation of the nation's commerce; however, it provides relatively few details on the types and levels of resources associated with implementation of security measures or where to target resources for securing highway infrastructure. Highway infrastructure operators have received some federal funding for implementing security upgrades since September 11th, 2001, but available funding has been limited due to competing priorities, such as dams and nuclear facilities. Targeting investments is especially important given that the current economic environment makes this a difficult time for private industry or state and local governments to make security investments. Integration and Implementation: This characteristic addresses both how a national strategy relates to other strategies' goals, objectives, and activities, and to subordinate levels of government and their plans to implement the strategy. For example, a national strategy could discuss how its scope complements, expands upon, or overlaps with other national strategies. Similarly, related strategies could highlight their common or shared goals, subordinate objectives, and activities. In addition, a national strategy could address its relationship with relevant documents from implementing organizations, such as the strategic plans, annual performance plans, or annual performance reports. A strategy might also discuss, as appropriate, various strategies and plans produced by the state, local, private, or international stakeholders. The Highway Modal Annex contains certain elements of this characteristic, but it lacks a description of how it relates to other strategies. For example, the Annex references FHWA's Multiyear Plan for Bridge and Tunnel Security Research, Development, and Deployment, which highlights efforts to secure the nation's highway infrastructure. However, the Highway Modal Annex does not define its relationship with other related strategies or federal actions, or address its relationship with other plans by federal, state, local, and international implementing parties. Specifically, although TSA is engaged in three strategic planning initiatives that have similar goals but slightly different requirements, the Annex does not discuss its relationship to these strategies. First, the Intelligence Reform and Terrorism Prevention Act of 2005 requires a strategy for transportation security--the National Strategy for Transportation Security (NSTS)-- containing the identification and evaluation of transportation assets and appropriate mitigation approaches. Second, the NIPP and HSPD-7 require each sector to prepare a sector specific plan, in collaboration with its security partners across government and private industry. Third, Executive Order 13416 contains requirements for developing modal annexes to the TSSP for surface modes of transportation. However, the Annex does not discuss how its scope complements, expands upon, or overlaps with these strategic plans and guidance. In addition, the Annex does not discuss how the programs in IP's strategic plan complement or overlap with the Highway Modal Annex. Without such information in TSA's national strategy for highway security, the agency is missing opportunities to build on organizational roles and responsibilities and further clarify relationships, which could improve the strategy's implementation. Government and Industry Stakeholders Have Efforts Underway to Enhance the Security of Highway Infrastructure, but TSA Lacks a Mechanism to Monitor Implementation of Voluntary Security Measures: Government and industry highway sector stakeholders have taken actions to mitigate the risks to highway infrastructure through a combination of efforts, including developing publications and conducting seminars, sponsoring research and development activities, and implementing specific infrastructure protection measures. However, because HMC does not routinely conduct asset-specific assessments of highway infrastructure, TSA does not have a mechanism to monitor the implementation of both government and industry voluntary security enhancements put in place to address identified asset vulnerabilities and help protect the nation's critical highway infrastructure. TSA is tasked with assessing and evaluating the effectiveness and efficiency of current federal government surface transportation security initiatives. According to TSA officials, such a monitoring mechanism for voluntary efforts is not necessary because TSA obtains the information that it needs to monitor highway infrastructure security efforts through HMC's CSR efforts. However, the CSRs are at a high level and do not provide a means to assess the protective security measures implemented for specific assets. Lacking a mechanism to monitor the implementation of protective security measures, TSA cannot evaluate the effectiveness of existing programs and assessing the overall security preparedness of the nation's critical highway infrastructure. The Federal Government, States, and Other Highway Stakeholders Have Voluntary Efforts Underway to Enhance the Security of Highway Infrastructure: Highway sector stakeholders have taken a variety of voluntary actions intended to enhance the security of highway infrastructure. Key efforts include developing security publications, sponsoring infrastructure security workshops, conducting research and development activities, and implementing specific protective measures intended to deter an attack or reduce potential consequences, such as security patrols, electronic detection systems, and physical barriers. Overall, these programs and activities are intended to provide asset owners and operators with tools and guidance for assessing highway infrastructure security risks, highlight effective practices in security planning and vulnerability reduction, and share technical expertise and information for enhancing asset security. See table 2 for a summary of key highway infrastructure security programs and activities. Table 2: Summary of Key Programs and Activities to Enhance Security of Highway Infrastructure: Publications, Guidance, and Training: Key Programs and Activities: Bridge and Tunnel; Workshops; Description: These workshops, introduced in fiscal year 2004, are intended to provide participants with information about identifying infrastructure risks and developing appropriate mitigation measures. As of January 2009, FHWA had conducted a series of workshops, targeted primarily to bridge and tunnel engineers and asset operators, in 28 locations; Responsible Organizations: FHWA. Key Programs and Activities: Publications; Description: Since 2002, AASHTO, through the Transportation Research Board (TRB), has sponsored or developed several key publications to help asset owners identify critical assets, perform risk assessments, and evaluate potential countermeasures. At the request of AASHTO and FHWA, in 2003, a Blue Ribbon Panel was convened to prepare recommendations for bridge and tunnel security; FHWA has also issued security-related publications, such as the Multi-Year Plan for Bridge and Tunnel Security Research Development and Deployment, and an article entitled Risk Management for Terrorist Threats to Bridges and Tunnels; IP has developed several reports identifying general threats and common vulnerabilities for highway infrastructure assets; Responsible Organizations: TRB, AASHTO, FHWA, IP. Key Programs and Activities: Regional Conferences; Description: In cooperation with AASHTO, TSA and FHWA co-sponsored a series of regional infrastructure protection conferences for state DOT officials. These conferences provided an opportunity for participants to exchange information concerning effective security practices and communicate security concerns and implementation challenges; Responsible Organizations: TSA, FHWA, AASHTO. Research and Development: Key Programs and Activities: Transportation Sector Research & Development Working Group; Description: With broad-based federal and state representation, this group serves to identify potential research areas for the highway sector; Responsible Organizations:TSA, IP, FHWA, State DOTs. Key Programs and Activities: DHS Science & Technology (S&T); Description: S&T is responsible for executing multiple highway research projects based on identified needs and national risk priorities. Several bridge and tunnel projects have been initiated in recent years (see appendix IV for additional project details); Responsible Organizations: DHS S&T. Key Programs and Activities: Cooperative Research Programs; Description: The TRB, through its Cooperative Research Programs, produced a number of reports each year addressing highway research issues, such as Recommendations for Bridge and Tunnel Security, and a guide to making transportation tunnels safe and secure; Responsible Organizations: TRB, FHWA, AASHTO. Key Programs and Activities: Transportation Pooled Fund Study (TPFS); Description: This program consists of pooled funds provided by individual states and other agencies, including TSA, to conduct research or provide training or education materials desired by the contributors. FHWA is currently managing several projects, including the development of training materials in the areas of security and emergency management, and development of blast mitigation measures for critical bridges; Responsible Organizations: FHWA. Protective Security Measures: Key Programs and Activities: Owner/Operator Funded Security Measures; Description: States and other highway infrastructure asset owners/operators have implemented a variety of protective security measures, including security patrols, cameras and other detection equipment, physical barriers, and security awareness training, among others. According to state officials, funding represents the principal constraint to implementation of security measures; Responsible Organizations: Highway Asset Owners/Operators. Key Programs and Activities: Grant Programs; Description: FEMA manages DHS grant programs and has allocated funds to state and local stakeholders for highway security enhancements through two primary programs--the Homeland Security Grant Program and the Infrastructure Protection Program. Since 2004, approximately $34 million has been allocated to projects related, in part, to highway infrastructure security; The Trucking Security Program (TSP), within the Infrastructure Protection Program, provides funds to assist professionals and operating entities in the highway sector to develop awareness of potential highway-related security concerns. The program also includes a 24-hour call center for the anti-terrorism and security awareness program, and the Highway Information Sharing and Analysis Center (ISAC) for investigation of terrorist threats. While FEMA has the lead for the administrative mechanisms needed to manage the TSP, TSA provides subject matter expertise and oversight. A grantee is responsible for the day to day operations of these efforts; IP guides the allocation of BZPP grant funds, part of the Infrastructure Protection Program, administered by FEMA, and shares in overall programmatic oversight and final decision-making authority with FEMA; Responsible Organizations: FEMA, TSA, IP. Key Programs and Activities: Protective Security Advisor (PSA) Program; Description: These individuals serve as liaisons between Federal stakeholders, state and local governments, and the private sector. Their principal roles and responsibilities include identifying, assessing, monitoring, and mitigating risk to high-risk critical infrastructure and key resources at the local level. PSAs are knowledgeable of all high-priority critical infrastructure and key resources across the various sectors, within their area of responsibility; Responsible Organizations: IP. Source: GAO analysis of highway infrastructure security related programs and activities. [End of table] Publications, Guidance, and Training: Highway infrastructure stakeholders have developed a number of products and programs intended to facilitate the identification of critical assets and provide guidance for conducting security planning. Many of these products and programs are conducted as joint efforts between the State highway agencies, represented by AASHTO and federal partners, including TSA, FHWA, and the Transportation Research Board (TRB). Since 2002, AASHTO, through TRB's Cooperative Research Programs, sponsored or developed several key publications that serve to assist states in identifying critical assets, perform risk assessments, and evaluate options for reducing asset vulnerabilities, including providing a characterization of potential costs and challenges associated with infrastructure security enhancements.[Footnote 52] According to AASHTO, all state DOTs have access to, and a large majority (84 percent) are using, AASHTO guidance on vulnerability and criticality assessment, and risk management, to determine the extent and nature of vulnerabilities to their state's transportation systems. As discussed previously, IP has also developed and issued several reports to provide sector stakeholders guidance on security measures, and identifies general threats and common vulnerabilities for highway infrastructure assets. [Footnote 53] In addition, IP provides stakeholders with guidance on security measures to implement based on homeland security advisory system threat levels. According to IP officials, these reports are made available to industry stakeholders via an internet portal.[Footnote 54] TSA, FHWA, and AASHTO have also co-sponsored a series of regional conferences to facilitate the exchange of information about effective security practices and communicate stakeholder concerns and implementation challenges.[Footnote 55] These conferences provide state transportation officials with a forum to share knowledge concerning infrastructure protection methods and help them identify potential training and guidance resources available. In a separate effort, FHWA also provided risk management training to bridge and tunnel engineers, asset operators, and first responders through a series of workshops. These workshops, introduced in 2003, are intended, in part, to provide highway infrastructure stakeholders a methodology for identifying vulnerabilities and developing appropriate and cost-effective risk mitigation plans. In addition, a security awareness training program is provided as part of the Trucking Security Program directed at highway sector professionals, which includes truck and motor coach drivers, highway engineers, and law enforcement, to identify and report suspicious activity on the nation's highway system.[Footnote 56] Research and Development: A collection of research and development activities designed to secure highway infrastructure are currently being conducted by federal and state entities. As outlined in the Homeland Security Act of 2002, DHS is responsible for, among other things, working with federal laboratories and the private sector to develop innovative approaches to address homeland security challenges. Within the highway sector, these activities include research on the vulnerabilities of bridges and tunnels to various types of explosives and experimental methods to help protect these assets. At the federal level, research and development activities are coordinated through the DHS Transportation Sector Working Group. With fairly broad-based representation---including representatives from TSA, IP, S&T Directorate, FHWA, and state DOTs, among others--this group serves to identify potential research areas, which are then prioritized by IP and executed by DHS' S&T Directorate. According to S&T officials, highway infrastructure has been a focus of infrastructure security research efforts in recent years. Since 2005, bridges, in particular, have been prioritized to gain a better understanding of their potential vulnerabilities and identify better retrofit techniques. Some individual projects identified through this effort include the development of measures to reduce the vulnerability of flooding in underwater tunnels and potential attacks to bridge cables, as well as understanding failure mechanisms and mitigation against explosive attacks and other cross cutting research. See Appendix IV for a list of selected highway infrastructure research and development projects. Other key research programs include the National Cooperative Highway Research Programs (NCHRP) administered by the Transportation Research Board TRB and FHWA's Transportation Pooled Fund Study program. Through the NCHRP Cooperative Research Programs, a number of research projects are conducted each year addressing highway-related research issues proposed by AASHTO.[Footnote 57] Although highway infrastructure security comprises just one component of the program's research portfolio, several security-related products have been developed in recent years. Some of these products include guidance on securing transportation tunnels and a tool to estimate the impact of disruption of key transportation choke points.[Footnote 58] The Transportation Pooled Fund Study is a separate program, administered by FHWA, whereby states and other agencies contribute to a pooled fund to conduct research or provide training or education materials desired by the contributors. Some proposed products include the development of experimentally verified mitigation measures, clearly defined roles and responsibilities for State DOTs in infrastructure security, risk management training tailored to bridge and tunnel vulnerability assessments, and the development of blast mitigation measures for steel bridge towers and a bridge surveillance and security technology database, among others. Protective Security Measures: While federal stakeholders play a role in facilitating risk-based infrastructure security efforts, the actual implementation of asset- specific protective security measures remains the responsibility of individual asset owners and operators, most commonly states or other public entities. Unlike some other transportation modes, such as commercial aviation, no federal laws explicitly require highway infrastructure owners to take security actions to safeguard their assets against a terrorist attack. The protection of highway infrastructure is being undertaken using a voluntary approach, although TSA retains the authority to issue and enforce security related regulations and requirements it deems necessary to protect transportation assets. According to HMC officials, TSA's decision to implement a voluntary approach to highway infrastructure security is based on available threat information, as well as information obtained during CSR activities, which indicates to them that states are generally aware of their security responsibilities and are implementing protective actions. In addition, HMC officials stated that a voluntary approach to security requires reduced federal resources and provides a greater amount of buy-in and acceptance from asset owners than government regulations. Asset owners have implemented a range of voluntary protective security measures to help ensure public safety and protect their highway infrastructure assets. For example, asset owners commonly employ measures such as cameras or other surveillance equipment, and install fencing and other physical barriers to control access to vulnerable structures, among other protective measures. (See appendix III for additional examples of protective security measures for highway infrastructure assets). Specific mitigation measures typically fall into three broad categories: * Deterrence and Detection. These mitigation measures secure access to restricted areas and reduce the likelihood of a potential attack. Common protective security measures include installing fencing, improving lighting, conducting security patrols and installing electronic detection systems. * Defense. Defensive measures are intended to reduce the consequences of a successful attack. For example, installation of a physical barrier around vulnerable components or systems, such as a bridge pier, may reduce the impact of an explosive blast on the structure. * Design and Redesign. These efforts are intended to harden planned or existing infrastructure assets against potential attacks by incorporating security considerations into engineering designs. According to highway infrastructure operators, factors such as competing priorities and budgetary constraints greatly influence whether security measures are implemented. One principal factor impacting the implementation of security measures identified by some state officials we spoke to concerns the availability of revenue sources to fund security improvements for individual assets. For example, bridges and tunnels funded by user fees, such as tolls, could generate additional revenue for security enhancements. Alternately, mitigation measures financed with general federal and state transportation funds may be limited due to competing state priorities. However, the federal government has provided funds to state and local stakeholders to implement highway infrastructure improvements through a combination of several FEMA grant programs. Since 2004, FEMA has funded 60 highway-related security projects, totaling approximately $34 million (see table 3). Some of these projects include funding for additional cameras and surveillance equipment, watercraft for investigation and response to threats, and interoperable communication equipment, among others. Table 3: FEMA Grant Funding for Highway Infrastructure-Related Security Projects, 2004 to 2007: Grant Year: 2004; Number of Highway-Related Projects: 23; FEMA Grant Funding for Highway-Related Projects[A]: $16,981,204. Grant Year: 2005; Number of Highway-Related Projects: 23; FEMA Grant Funding for Highway-Related Projects[A]: $5,703,092. Grant Year: 2006; Number of Highway-Related Projects: 11; FEMA Grant Funding for Highway-Related Projects[A]: $8,431,666. Grant Year: 2007; Number of Highway-Related Projects: 3; FEMA Grant Funding for Highway-Related Projects[A]: $2,844,538. Grant Year: Total; Number of Highway-Related Projects: 60; FEMA Grant Funding for Highway-Related Projects[A]: $33,960,501. Source: GAO analysis of FEMA data. [A] An initial list of potential highway-related projects was provided by FEMA using a keyword search of Biannual Strategy Implementation Reports. These reports--required by FEMA to be updated every six months as part of its grant monitoring process--are comprised of self-reported data submitted by grantees describing their use of allocated grant funds. To determine the total number of projects included in this analysis, we reviewed each of the project descriptions and omitted those that did not clearly have a component related to highway security. For example, a number of projects were specific to mass transit tunnels or railroad bridges and consequently, were not included. In addition, 22 of the projects that GAO identified above were targeted only in part to highway security, such as the purchase of patrol boats or interoperable communications equipment for first responders. [End of table] States have generally taken actions to help secure their highway infrastructure; however, wide variation exists regarding the implementation of specific protection efforts. According to TSA's 2006 summary of its CSRs, all of the states polled have completed at least some security-related actions among the 11 functional areas assessed by TSA.[Footnote 59] However, TSA reported that the level of implementation of security actions varied between states. For example, TSA reported that background checks of transportation workers conducted by state agencies ranged from a criminal history check driving records and citizenship checks down to reference checks for employment applications. According to TSA, the need for background checks varied from state to state, since the perceived threat and the level of risk tolerance also vary by state. In another example, most of the states responded that they conducted security planning at the state level; however, according to TSA, state governments vary considerably in the way the security plans are organized. For example, they reported that states assign different security functions to different agencies-- particularly for transportation security functions. Each agency does some level of planning to ensure its ability to perform its functions. As a result, these preparations are documented in different places, including emergency response plans, traffic management plans, hazardous materials management plans, National Guard plans, homeland security advisory level preparedness plans, continuity of operations plans, and police patrol plans. Some of the plans are more complete than others, depending on the diligence of the agency. TSA reported that most of these states were able to produce a document that defined basic responses to different threat levels and defined who was in charge. Similar variation in state responses and the scope of individual efforts were also illustrated in several of the other security-related functional areas. The variation in state security efforts identified by TSA is generally consistent with what we identified during interviews with officials and observations of select highway infrastructure in five states.[Footnote 60] Although the specific protective security measures implemented at the 13 individual assets we visited were varied, we identified some common mitigation themes, such as investment in new security equipment, leveraging law enforcement resources, and identifying incident response roles, among others. Specific protective measures identified by asset owners with whom we spoke, include increased surveillance efforts-- adding cameras and other detection equipment--as well as installation of fencing, physical barriers, and implementation of enhanced access controls. In addition, some state officials we interviewed stated that they restricted access to building designs and response plans, increased their patrol of critical structures, and implemented stand- off distances. TSA Lacks a Mechanism to Monitor the Implementation of Protective Security Measures for Critical Infrastructure: Although government and industry stakeholders have taken actions to address the risks to highway infrastructure, TSA lacks a mechanism to determine the extent to which specific protective security measures have been implemented for critical assets. Such a mechanism is important to evaluate the security preparedness of nationally critical infrastructure assets and to help ensure that TSA's voluntary approach to highway infrastructure security remains adequate. For example, a monitoring mechanism would provide TSA with feedback regarding how its existing programs and security initiatives, in conjunction with highway stakeholders, are translating into specific security actions by asset owners. TSA is tasked with assessing the security of each transportation mode and evaluating the effectiveness and efficiency of current federal government surface transportation security initiatives. [Footnote 61] In addition, Standards for Internal Control in the Federal Government generally calls for controls to be designed to ensure that an agency has relevant and reliable information about programs and that ongoing monitoring occurs.[Footnote 62] However, TSA has not documented how it will monitor the industry's progress in implementing voluntary highway infrastructure protective security measures for assets identified as nationally critical. Although various federal entities have issued suggested security measures to asset owners, the extent that they have been implemented remains unclear. DHS risk assessment activities, including the CSR and SAV programs, identified highway infrastructure assets that would benefit from additional security measures and have suggested a number of voluntary protective actions to asset owners to address these enhancements. However, given the voluntary nature of these programs, TSA, IP, and USCG stated that they do not know the extent to which asset owners are implementing the protective security measures identified by completed risk assessments for critical infrastructure. In addition to competing resource priorities previously identified, IP officials stated that monitoring the implementation of voluntary protective security measures remains difficult due to limited resources. Specifically, they stated that IP does not have the resources needed to conduct follow-up assessments on all Tier 1 and Tier 2 assets across all critical infrastructure and key resources. They also noted that repeated visits may create a burden on private sector partners. In 2008, IP implemented the Enhanced Critical Infrastructure Protection initiative. This effort involves sending PSAs to all Tier 1 and 2 assets, including transportation infrastructure. According to DHS, while this is a voluntary, non-regulatory program, PSAs conduct initial and follow-up visits to CIKR and document the implementation of enhanced security and protective measures. According to HMC officials, the completion of a second round of state CSR visits will provide an opportunity to review whether asset owners are implementing previous CSR-related security considerations; however, the follow-up visits will be performed over a four year cycle and will not be conducted at the asset level. While these efforts are a positive step, they do not provide the type of detailed information necessary to ensure that specific highway infrastructure assets, particularly those deemed nationally critical, are protected. According to TSA officials, the collection of more detailed data about protective measures is not currently feasible given available resources and other security priorities. However, HMC officials have stated that alternative cost- effective methods of collecting this information may be available, such as potentially leveraging the resources of state transportation inspectors during biannual bridge safety inspections. According to these officials, this program would provide a means to assess the protective security measures implemented for specific assets. Lacking a mechanism to monitor what protective security measures are being implemented to protect the nation's critical highway infrastructure assets, TSA is unable to determine, with any degree of certainty, the level of overall security preparedness of these assets. In addition, without a process in place to better understand what security measures owners and operators are implementing, TSA is not effectively utilizing available information to help identify potential security gaps, establish protection priorities, and determine what, if any, additional measures may be needed to enhance highway infrastructure security. Conclusions: Securing the nation's vast and diverse highway infrastructure is a daunting task. The nature, size, and complexity of this infrastructure highlights the need for federal and non-federal entities to work together to secure these assets and enhance security. While the cost of enhancing highway infrastructure security can be significant, the potential costs of a terrorist attack, in terms of both the loss of life and property and long-term economic impacts, would also be significant although difficult to predict and quantify. The importance of the nation's highway infrastructure and the limited resources available to protect it underscore the need for a risk management approach to prioritize security efforts so that a proper balance between costs and security can be achieved. By not fully evaluating the risks posed by terrorists to the nation's highway infrastructure through available assessments, TSA and its security partners are limited in their ability to focus resources on those highway infrastructure vulnerabilities that represent the most critical security needs. The large and diverse group of stakeholders involved in highway infrastructure security makes it difficult to achieve the needed cooperation and consensus to move forward with security efforts. As we have noted in past reports, coordination and consensus-building are critical to the successful implementation of security efforts. By coordinating risk assessment activities and sharing the results of risk assessments, DHS could more effectively use scarce resources to target further assessment activities and mitigate identified risks. By developing the Highway Modal Annex for highway infrastructure, TSA established strategic goals and objectives, a key first step in implementing a risk management approach. However, highway infrastructure stakeholders could benefit from a Highway Modal Annex that clearly describes their roles, responsibilities, relationships, and expectations for securing highway infrastructure and provides accountability for accomplishing its objectives. Moreover, performance measures developed in conjunction with the Highway GCC and SCC are important to assist TSA in evaluating the effectiveness of highway infrastructure programs, based on desired results that are defined by the Annex. Without performance measures, TSA may not have information with which to systematically assess these program's strengths, weaknesses, and performance. Additional guidance on where to target resources and investments would help implementing parties allocate resources and investments according to priorities and constraints, track costs and performance, and shift such investments and resources as appropriate. We recognize that the Highway Modal Annex is not an endpoint for communicating and providing a framework for protecting highway infrastructure, but rather, a starting point. As with any planning effort, implementation is the key. The ultimate measure of this strategy's value will be the extent to which it proves useful as guidance for policy and decision-makers in allocating resources and balancing highway infrastructure security priorities with other important, non-highway infrastructure security objectives. It will be important over time to obtain and incorporate feedback from the stakeholder community as to how the strategy can better provide this guidance, and how Congress and the executive branch can identify and remedy impediments to implementation, such as legal, jurisdictional, or resource constraints. Finally, while the varied actions government and industry stakeholders have taken to address the risks to highway infrastructure are important initial efforts, without a mechanism to monitor what protective security measures are being taken to secure nationally critical infrastructure, TSA cannot fully determine the extent of security preparedness across the nation's highway infrastructure. Recommendations for Executive Action: We are recommending that the Secretary of Homeland Security take the following three actions: * To enhance collaboration among federal entities involved in securing highway infrastructure and better leverage federal resources, we recommend that the Secretary of Homeland Security establish a mechanism to systematically coordinate risk assessment activities and share the results of these activities among the federal partners. * To help ensure that highway infrastructure stakeholders are provided with useful information to identify and prioritize potential infrastructure security measures, enhance future planning efforts, and determine the extent to which specific protective security measures have been implemented, we recommend that the Secretary of Homeland Security direct the Assistant Secretary for the Transportation Security Administration, in consultation with the Highway Government Coordinating Council and the Highway Sector Coordinating Council, to take the following actions: (1) for the upcoming revision to the Highway Modal Annex: - in addition to the results of threat assessment information, incorporate the results of available vulnerability, and consequence assessment information into the strategy for securing highway infrastructure; - consistent with Executive Order 13416 and desirable characteristics of an effective national strategy, identify existing guidance developed by other federal and state highway infrastructure stakeholders; indicate timeframes or milestones for its overall implementation for which entities can be held responsible; more clearly define security- related roles and responsibilities for highway infrastructure security activities for itself and other federal stakeholders, state and local government, and the private sector; establish a timeframe for developing performance goals and measures for monitoring the implementation of the Annex's goals, objectives, and activities; and provide more guidance on resources, investments and risk management to help implementing parties allocate resources and investments according to priorities and constraints; and: (2) develop a cost-effective mechanism to monitor the implementation of voluntary protective security measures on highway infrastructure assets identified as nationally critical. Agency Comments and Our Evaluation: We provided a draft of this report to DHS for review and comment. DHS provided written comments on January 21, 2009, which are presented in Appendix VI. In commenting on the draft report, DHS and TSA reported that they concurred with all three of our recommendations and have started to develop plans to implement these recommendations. With regard to our first recommendation that DHS establish a mechanism to systematically coordinate risk assessment activities and share the results of these activities among federal partners, DHS stated TSA will have the lead in developing a sector coordinated risk assessment. TSA stated that it recognizes that it is responsible for all transportation security matters, must fulfill its leadership role in the highway infrastructure arena, and is prepared to assume responsibility for all highway infrastructure security issues. TSA added that it will request of all DHS, DOT and State or local governmental bodies that TSA become the repository for all risk assessment models and data associated with this mode. Toward this goal, DHS stated that TSA has convened representatives of both DHS and DOT agencies to produce the "National Strategy for Highway Bridge Security," which is currently under review by agencies and offices within both Departments. Once fully vetted, DHS believes that this document will provide for appropriate participation and coordination of efforts by all Federal agencies engaged in highway infrastructure security. We support TSA's efforts to improve coordination and develop the National Strategy for Highway Bridge Security. The intent of our recommendation is to help DHS avoid potential duplication, better focus future assessment efforts, and leverage limited resources. Thus, if TSA's efforts result in a mechanism that systematically coordinates risk assessment activities among the federal partners, this effort would go far in addressing the intent of our recommendation. Developing a plan that establishes a mechanism to systematically coordinate risk assessment activities and share the results of these activities among federal partners will also be an important and necessary step to fulfilling the agency's oversight and coordination responsibilities. TSA concurred with our second recommendation to include the results of available vulnerability and consequence assessment information in the upcoming revision to the Highway Modal Annex. In addition, TSA agreed to incorporate existing guidance developed by other federal and state highway infrastructure stakeholders, more clearly define security- related roles and responsibilities, establish a timeframe for its overall implementation and developing performance goals and measures. TSA stated that at the time of the drafting of the first iteration of the Highway Modal Annex, such vulnerability and consequence data was not available. TSA further stated that as the agency has expanded its CSR program, become more familiar with the stakeholder community security practices, and conducted much more detailed analyses of vulnerability and mitigation tools, TSA has improved its ability to conduct more comprehensive risk assessments that address threat, vulnerability, and consequences. TSA further stated that while those elements were considered in the preparation of the initial Annex, the document itself did not adequately explain how they were incorporated into the resulting strategy, and that future Annex publications would better explain TSA's use of all three risk elements. TSA agreed that the agency is in the best position to provide strategy guidance, coordination and oversight in this area. TSA also agreed that implementation milestones and preparedness timeframes are appropriate for the Highway Modal Annex. However, TSA cautioned that any limitations on the stakeholder community's implementation strategies will be based on a lack of resources, and indicated that the National Strategy for Highway Bridge Security is intended to help responsible stakeholders find resources dedicated exclusively to address the security needs of their structures. TSA stated that it does not believe that direct regulation is appropriate for the stakeholder community accountable for highway structures because, based on its experience, TSA believes this to be an overwhelmingly responsible constituency that will be highly proactive given appropriate resources and guidance. However, until TSA provides the details of how it plans to address our recommendation that it incorporate available vulnerability and consequence information into the Highway Annex and take other steps to strengthen the Annex, it remains unclear whether TSA can demonstrate that the Highway Modal Annex provides highway infrastructure stakeholders with available useful information to identify and prioritize potential infrastructure security measures, enhances future planning efforts, clarifies roles and responsibilities, and provides accountability. With regard to our third recommendation to develop a cost-effective mechanism to monitor the implementation of voluntary protective security measures on highway infrastructure assets identified as nationally critical, TSA agrees and stated that it is moving forward to identify a variety of mechanisms to monitor the voluntary security measures implemented with respect to critical highway structures. TSA stated that in fiscal year 2009, using funds made available specifically for this purpose for the first time since TSA was created, the agency will begin conducting individual vulnerability assessments on the nationally critical Tier 2 structures list. According to TSA, each assessment will be accompanied by a TSA-recommended approach to risk mitigation, and TSA will track the status of those recommendations on a periodic basis. TSA stated that its security partners will be kept informed of the progress of this effort. In addition, TSA stated its intention to clearly identify any to the implementation of voluntary security measures and would assist stakeholders in executing identified measures. Our intention in making this recommendation is for TSA to have the tools to allow it to more effectively monitor the level of overall security preparedness of critical assets, help identify potential security gaps, establish protection priorities, and determine what, if any, additional measures may be needed to enhance highway infrastructure security. Despite TSA's stated plans, the agency has not indicated the frequency with which it plans to compile or analyze information on highway infrastructure operator's security practices for critical assets, nor did TSA provide a time frame for completing the asset specific vulnerability assessments or identify what mechanisms would be used to monitor their implementation of voluntary protective security measures on highway infrastructure assets identified as nationally critical. Taking such actions would be necessary to fully address the intent of this recommendation. In addition, TSA noted that GAO has misstated or misinterpreted a key fact involving TSA's desire and intention to conduct individual vulnerability assessments on critical highway structures. TSA believes this misstatement significantly affects the findings of the report. TSA noted that the report indicates that TSA has either not decided whether to conduct such assessments or determined that they do not need to be done. Furthermore, TSA stated that it intends to conduct individual assessments on all bridge and tunnel properties that TSA has identified as critical, beginning in 2009. However, TSA did not indicate its desire to conduct these assessments, nor did it provide any documentation to support these plans, during the course of this review. Rather, throughout this review, TSA officials repeatedly told us that the resources associated with conducting individual vulnerability assessments of critical assets made it impractical to conduct such assessments. For this reason, TSA officials stated that they would utilize primarily a non asset-specific approach to conducting vulnerability assessments of the highway infrastructure sector, through the CSR program, and that the agency would rely on infrastructure owners and operators to conduct asset-level vulnerability assessments on highway assets. TSA officials did not make us aware of its plans to conduct individual vulnerability assessments of critical assets until the agency provided written comments on a draft of this report in January 2009. While we acknowledge TSA's stated intention to conduct individual vulnerability assessments on all critical highway infrastructure assets, we do not believe that the agency's recently reported plans to conduct these assessments affect the findings of this report because our discussion of TSA's efforts related to highway infrastructure vulnerability assessments was not used as the basis of any of the report's recommendations. However, we have revised this report to clarify TSA's plans related to vulnerability assessments. DHS also provided technical comments and clarifications, which we have considered and incorporated where appropriate. As agreed with your office, unless you publicly announce the contents of this report, we plan no further distribution for 30 days from the report date. At that time, we will send copies of this report the Secretary of Homeland Security, the Secretary of Transportation, the Assistant Secretary of the Transportation Security Administration, and appropriate congressional committees. In addition, this report will be available at no charge on the GAO Web site at [hyperlink, http://www.gao.gov/]. If you have any further questions about this report, please contact me at (202) 512-3404 or berrickc@gao.gov. Contact points for our Office of Congressional Relations and Public Affairs may be found on the last page of this report. Key contributors to this report are listed in appendix VII. Signed by: Cathleen A. Berrick: Managing Director: Homeland Security and Justice Issues: [End of section] Appendix I: Objectives, Scope and Methodology: Objectives: You asked us to assess the progress DHS has made in securing the nation's highway infrastructure. This report answers the following questions: To what extent have federal entities assessed the risks to the nation's highway infrastructure and coordinated these efforts? To what extent has DHS developed a risk-based strategy, consistent with applicable federal guidance and characteristics of an effective national strategy, to guide its highway infrastructure security efforts? and: What actions have government and highway sector stakeholders taken to secure highway infrastructure, and to what extent has DHS monitored the implementation of asset-specific protective security measures? Scope and Methodology: To determine the extent that federal entities have assessed the risks to the nation's highway infrastructure and coordinated these efforts, we obtained and analyzed risk assessment data from DHS and DOT, comprised of various threat, vulnerability, and consequence related assessments for highway infrastructure assets.[Footnote 63] We did not assess the quality of the assessments completed. We sought to determine the reliability of these data by, among other things, discussing methods of inputting and maintaining data with agency officials. On the basis of these discussions and our review of the processes used to collect the data, we determined that the data were sufficiently reliable for the purposes of this report. We interviewed DHS, DOT and selected state transportation, homeland security, and law enforcement officials, associations representing highway infrastructure owners and operators, and members of the Highway GCC and the Highway SCC, to discuss federal risk assessment efforts. Although the selected state transportation and homeland security officials perspectives cannot be generalized across the wider population of highway infrastructure owners and operators, because we selected these states based on characteristics including location, and input on states representing security programs in which minimal to more robust security measures were implemented, they provided us a broad overview of highway infrastructure asset security. We selected the associations that we spoke with based on input from TSA, FHWA, and industry stakeholders who identified the major associations representing highway infrastructure owners and operators. To determine the extent to which TSA has used a risk management approach to guide decisions on securing highway infrastructure, we compared NIPP and TSSP requirements with TSA's efforts to implement such an approach. We focused on the strategic planning and risk assessment elements related activities of the NIPP management framework because DHS is early on in the process. The views reported include only those individuals we interviewed and are not necessarily representative of the views of others in those organizations. We also reviewed federal coordination and collaboration activities related to stakeholder efforts to assess and strengthen highway infrastructure security and compared them to GAO's recommended coordination practices. We also discussed with DHS, DOT and selected state transportation, homeland security, and law enforcement officials, associations representing highway infrastructure operators, and members of the Highway GCC, and the Highway SCC, the federal coordination and collaboration activities related to stakeholder efforts to assess and strengthen highway infrastructure security and compared them to the coordination requirements established in Homeland Security Presidential Directive-7, as well as GAO's recommended practices for effective collaboration. In addition, we analyzed TSA's actions regarding performance measurement with requirements in the Government Performance Results Act and GAO Standards for Internal Control in the Federal Government[Footnote 64] regarding the use of use performance measurement. To obtain information on how threat information is shared and TSA's efforts to address threats, we met with officials from TSA's Highway Motor Carrier Division, TSA's OI, and HITRAC. Individuals from these offices provided documentation on DHS and DOT's threat assessment efforts. In addition, we met with officials from DOT's Office of Intelligence regarding the sharing of threat information. To assess the extent to which DHS developed a risk-based strategy consistent with applicable federal guidance and characteristics of an effective national strategy to guide its highway infrastructure security efforts, we reviewed federal agency reports, guidelines, and infrastructure security studies sponsored by industry associations on using risk management, and interviewed DHS, and DOT officials and state and industry association highway infrastructure representatives regarding their use of risk management for protecting highway infrastructure. As the principal strategy for protecting the nation's highway infrastructure, we also analyzed TSA's Highway Modal Annex to determine how it aligned with the requirements set out in Executive Order 13416: Strengthening Surface Transportation Security. In addition, we assessed the extent to which the Highway Modal Annex contained the desirable characteristics for an effective national strategy that we have previously identified.[Footnote 65] To identify the actions taken by government and highway sector stakeholders to enhance the security of highway infrastructure and assess the extent TSA has monitored the implementation of protective security measures implemented by stakeholders, we interviewed DHS, DOT, DOD, and selected state transportation, homeland security, and law enforcement officials, all major associations representing highway infrastructure operators, and members of the Highway GCC, and the Highway SCC. We also analyzed TSA, IP, and USCG vulnerability assessments of security practices at the state level and records of GCC and SCC meetings and stakeholder conferences. In addition, we selected 12 bridges and one tunnel to observe security measures implemented since September 11, 2001 and to discuss security-related issues with highway infrastructure owners and operators. We selected these assets based on characteristics including location, ownership, and criticality, and input on locations representing assets in which minimal to more robust security measures were implemented from TSA, DOT, and AASHTO[Footnote 66]. Because of the limited number of assets in our sample, and because the selected assets did not constitute a representative sample, the results of our observation and analysis cannot be generalized to the universe of highway infrastructure assets. However, we believe that the observations obtained from these visits provide us with a broad overview of highway infrastructure asset security. We also reviewed federal guidance and applicable laws and regulations. In addition, we observed FHWA training programs and joint stakeholder conferences. We also reviewed DHS Science and Technology Directorate, TSA, DOT, AASHTO, and TRB documents to identify research and development efforts to improve highway infrastructure security. We also compared TSA's actions to obtain data on actions taken by highway infrastructure stakeholders to enhance security and to monitor implementation of those actions with criteria in GAO Standards for Internal Control in the Federal Government.[Footnote 67] We conducted this performance audit from May 2007 through January 2009 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. [End of section] Appendix II: Selected Laws and Federal Guidance Concerning the Security of Highway Infrastructure, 1996 to Present: [End of section] Although there are no laws that specifically address highway infrastructure security or require highway infrastructure owners and operators to take certain security measures, a number of laws that generally address critical infrastructure protection and transportation security have been enacted. Similarly, the President has issued directives, and federal agencies have developed strategies, designed to coordinate the federal effort to ensure the security of critical infrastructure and transportation assets. The below table lists statutes, executive orders, presidential directives, and strategies that address critical infrastructure protection and transportation security. Policy action: Executive Order 13010[A]; Date: July 1996; Key elements: Established the President's Commission on Critical Infrastructure Protection (CIP) to study the nation's vulnerabilities to both cyber and physical threats. Identified the need for the government and the private sector to work together to establish a strategy for protecting critical infrastructures from physical and cyber threats. Policy action: Presidential Decision Directive 63; Date: May 1998; Key elements: Established CIP as a national goal and presented a strategy for cooperative efforts by government and the private sector to protect the physical and cyber-based systems essential to the minimum operations of the economy and the government; Superseded by HSPD-7 (see details on HSPD-7 below). Policy action: USA PATRIOT Act[B]; Date: Oct. 2001; Key elements: Established the National Infrastructure Simulation and Analysis Center (NISAC) to serve as a source of national competence to address critical infrastructure protection and continuity through support for activities related to counterterrorism, threat assessment, and risk mitigation. Policy action: Executive Order 13228[C]; Date: Oct. 2001; Key elements: Established the Office of Homeland Security, within the Executive Office of the President, to develop and coordinate the implementation of a comprehensive national strategy to secure the United States from terrorist threats or attacks; Established the Homeland Security Council to advise and assist the President with all aspects of homeland security and to ensure the coordination of homeland security-related activities of executive departments and agencies and effective development and implementation of homeland security policies. Policy action: Executive Order 13231[D]; Date: Oct. 2001; Key elements: Established the President's Critical Infrastructure Protection Board, which was to recommend policies and coordinate programs for protection information systems for critical infrastructure. Policy action: Aviation and Transportation Security Act[E]; Date: Nov. 2001; Key elements: Created the Transportation Security Administration (TSA) and conferred upon TSA responsibility for security in all modes of transportation. Policy action: National Strategy for Homeland Security[F]; Date: July 2002; Key elements: Identified the protection of critical infrastructures and key assets as a critical mission area for homeland security.; Specified 8 major initiatives for CIP, one of which specifically calls for the development of the NIPP. Policy action: Homeland Security Act of 2002[G]; Date: Nov. 2002; Key elements: Created the DHS and assigned it the following CIP responsibilities: (1) developing a comprehensive national plan for securing the key resources and critical infrastructures of the United States; (2) recommending measures to protect the key resources and critical infrastructures of the United States in coordination with other entities; and (3) disseminating, as appropriate, information to assist in the deterrence, prevention, and preemption of or response to terrorist attacks. Also provided for protection of voluntarily submitted information regarding the security of critical infrastructure. Policy action: The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets[H]; Date: Feb. 2003; Key elements: Identifies a set of goals and objectives and outlines the guiding principles that will underpin efforts to secure the infrastructures and assets vital to the nation's public health and safety, national security, governance, economy, and public confidence. Policy action: Exec. Order No. 13,286, 68 Fed. Reg. 10609 (Feb. 28, 2003); Date: Feb. 2003; Key elements: Amended Executive Order 13231 but generally maintained the same national policy statement regarding the protection against disruption of information systems for critical infrastructures.; Designated the National Infrastructure Advisory Council to continue to provide the President with advice on the security of information systems for critical infrastructures supporting other sectors of the economy through the Secretary of Homeland Security. Policy action: Homeland Security Presidential Directive 7; Date: Dec. 2003; Key elements: Superseded Presidential Decision Directive 63 and established that federal departments and agencies will identify and prioritize U.S. critical infrastructure and key resources and to protect them from terrorist attack.; Defined roles and responsibilities for the DHS and sector-specific agencies to work with sectors to coordinate CIP activities; Established a CIP Policy Coordinating Committee to advise the Homeland Security Council on interagency CIP issues. Policy action: Homeland Security Presidential Directive 8; Date: Dec. 2003; Key elements: Directed DHS to coordinate the development of an all- hazards National Preparedness Goal that establishes measurable priorities, targets, standards for preparedness assessments and strategies, and a system for assessing the Nation's overall level of preparedness. Policy action: Intelligence Reform and Terrorism Prevention Act of 2004[I]; Date: Dec. 2004; Key elements: Required the Secretary of Homeland Security to develop and implement a National Strategy for Transportation Security (NSTS) and modal security plans.; Required the NSTS to include an identification and evaluation of the transportation assets that must be protected from attack or disruption, the development of risk-based priorities for addressing security needs associated with such assets, means of defending such assets, a strategic plan that delineates the roles and missions of various stakeholders, a comprehensive delineation of response and recovery responsibilities, and a prioritization of research and development objectives. Policy action: Safe, Accountable, Flexible, Efficient Transportation Equity Act: A Legacy for Users[J]; Date: Aug. 2005; Key elements: Expanded security as a separate factor that must be addressed by statewide and metropolitan transportation plans by requiring that plans provide for consideration of projects and strategies that, among other things, will increase the security of the transportation system for motorized and non-motorized users. Policy action: National Strategy for Transportation Security; Date: Sept. 2005; Key elements: Outlines the Federal government's approach - in partnership with state, local and tribal governments and private industry - to secure the U.S. transportation system from terrorist threats and attacks, and prepare the Nation by increasing our capacity to respond if either occurs. Policy action: Post-Katrina Emergency Management Reform Act[K]; Date: Oct. 2006; Key elements: Expanded the purpose of the NISAC to include support for activities related to a natural disaster, act of terrorism, or other man-made disaster; Specified that the support must include modeling, simulation, and analysis of the systems and assets comprising critical infrastructure, in order to enhance preparedness, protection, response, recovery, and mitigation activities; Required any federal agency with critical infrastructure responsibilities under HSPD-7 to establish a relationship, including an agreement regarding information sharing, between such agency and the NISAC. Policy action: National Infrastructure Protection Plan; Date: June 2006; Key elements: Provided the framework and set the direction for implementing a coordinated, national effort. It provides a roadmap for identifying Critical Infrastructure/Key Resource assets, assessing vulnerabilities, prioritizing assets, and implementing protection measures in each infrastructure sector. Policy action: Procedures for Handling Critical Infrastructure Information[L]; Date: Sept. 2006; Key elements: Established procedures for federal, state, local, and tribal government agencies and contractors regarding the receipt, validation, handling, storage, marking, and use of critical infrastructure information voluntarily submitted to the DHS. Policy action: Executive Order 13416[M]; Date: Dec. 2006; Key elements: Required the Secretary of Homeland Security to assess the security of each surface transportation mode and evaluate the effectiveness and efficiency of current surface transportation security initiatives.; Imposed a deadline on the Secretary of Homeland Security to complete the Transportation Sector-Specific Plan (TSSP) and required the Secretary to develop modal annexes that addresses each surface transportation mode. Policy action: Transportation Sector-Specific Plan (TSSP); Date: May 2007; Key elements: Establishes the transportation sector's strategic approach and related security framework. Policy action: Highway and Motor Carrier Annex; Date: May 2007; Key elements: Describes how the TSSP will be implemented in the Highway mode. Policy action: Implementing Recommendations of the 9/11 Commission Act[N]; Date: Aug. 2007; Key elements: Required the Secretary to establish and maintain a national database of each system or asset that the Secretary determines to be vital and the loss, interruption, incapacity, or destruction of which would have a negative or debilitating effect on economic security, public health, or safety, or that the Secretary otherwise determines to be appropriate for inclusion; Required the Under Secretary for Information Analysis and Infrastructure Protection, not later than 35 days after the last day of each fiscal year, including fiscal year 2007, to submit to the appropriate committees, for each sector identified in the NIPP, a report on the comprehensive assessments carried out by the Secretary of critical infrastructure and key resources, evaluating threat, vulnerability, and consequence; Required the Secretary, not later than 6 months after the last day of each fiscal year, to submit to the appropriate committees a report that details the actions of the federal government to ensure the preparedness of industry to reduce interruption of critical infrastructure and key resource operations during an act of terrorism, natural catastrophe, or other similar national emergency; Specified that the transportation modal security plans required under 49 U.S.C. § 114(t) must include threats, vulnerabilities, and consequences for aviation, railroad, ferry, highway, maritime, pipeline, public transportation, over-the-road bus, and other transportation infrastructure assets; Required that the National Strategy for Transportation Security include a 3-and 10-year budget for federal transportation security programs that will achieve the priorities of the NSTS, methods for linking the individual transportation modal security plans and a plan for addressing intermodal transportation, and transportation modal security plans; Required the Secretary, in addition to submitting an assessment of the progress made on implementing the NSTS, to submit an assessment of the progress made on implementing the transportation modal security plans; Required that the progress reports include an accounting of all grants for transportation security, funds requested in the President's budget for transportation security, by mode, personnel working on transportation security, by mode, and information on the turnover in the previous year among senior staff working on transportation security issues; Required the Secretary, at the end of each fiscal year, to submit to the appropriate committees an explanation of any federal transportation security activity that is inconsistent with the NSTS; Required that the NSTS include the Transportation Sector-Specific Plan (TSSP) required by HSPD- 7; Required the Secretary to establish a Transportation Security Information Sharing Plan, and specifies the contents of the plan; Required the Secretary, not later than 150 days after enactment and annually thereafter, to submit to the appropriate committees a report containing the plan; Required the Secretary, to the greatest extent practicable, to provide public and private stakeholders with transportation security information in an unclassified format; Required the Secretary, in a semiannual report, to provide to the appropriate committees a report that includes the number of public and private stakeholders that were provided with each report, a description of measures that the Secretary has taken to ensure proper treatment and security for any classified information to be shared with stakeholders, and an explanation of the reason for the denial of information to any stakeholder that has previously received information; Required the Secretary to establish a National Transportation Security Center of Excellence to conduct research and education activities and to develop or provide professional security training; Provided for civil and administrative penalties for violations of transportation security regulations prescribed by the Secretary; Authorized the Secretary to develop Visible Intermodal Prevention and Response (VIPR) teams to augment the security of any mode of transportation in any location in the United States; Authorized to be appropriated such funds as may be necessary to carry out this section for fiscal years 2007 through 2011.; Authorized the Secretary to train, employ, and utilize surface transportation inspectors; Required the Secretary to establish a program to provide appropriate information that the Department has gathered or developed on the performance, use, and testing of technologies that may be used to enhance surface transportation security to surface transportation entities; Required the Inspector General of the DHS, not later than 90 days after enactment, to submit a report to the appropriate committees on the federal trucking industry security grant program for fiscal years 2004 and 2005 that addresses the grant announcement, application, receipt, review, award, monitoring, and closeout process and states the amount obligated or expended under the program for fiscal years 2004 and 2005 for certain purposes; Required the Inspector General of the DHS, not later than 1 year after enactment, to submit a report to the appropriate committees that analyzes the performance, efficiency, and effectiveness of the federal trucking industry security grant program and the need for the program, using all years of available data, and that makes recommendation regarding the future of the program. Source: GAO analysis of documents listed above. [A] Exec. Order No. 13,010, 61 Fed. Reg. 37,347 (July 15, 1996). [B] 42 U.S.C. § 5195c. [C] Exec. Order No. 13,228, 66 Fed. Reg. 51,812 (Oct. 8, 2001). [D] Exec. Order No. 13,231, 66 Fed. Reg. 53,063 (Oct. 16, 2001). [E] 49 U.S.C. § 114. [F] The White House, Office of Homeland Security, National Strategy for Homeland Security. [G] Pub. L. No. 107-296, §§ 201(d), 214, 116 Stat. 2135, 2145-47, 2152- 55 (2002). [H] The White House, The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. [I] 49 U.S.C. § 114(s). [J] Pub. L. No. 109-59, § 6001(a), 119 Stat. 1144, 1839-57 (codified at 23 U.S.C. § 134, 135). [K] 6 U.S.C. § 321. [L] 6 C.F.R. §§ 29.1-29.9. [M] Exec. Order No. 13,416, 71 Fed.Reg. 71,033 (Dec. 5, 2006). [N] Pub. L. No. 110-53, 121 Stat. 266 (2007). [End of table] [End of section] Appendix III: Examples of Selected Protective Security Measures that Could be Implemented by Asset Owners and Operators: Potential Countermeasures: Restrict physical access to critical systems and structures: * Install fencing and other physical barriers to prevent access to critical bridge elements such as decks, piers, towers, and cable anchors; * Utilize a full-time security officer to control access to restricted areas; * Utilize security badges or other identification device to ensure access to restricted areas is properly controlled; * Install locking devices on all access gates and utilize remote controlled gates where necessary; * Eliminate parking under bridges or near critical structures; * Protect tunnel ventilation intakes with barriers and install and protect ventilation emergency shut off systems; * Utilize creative landscaping to increase standoff distance from critical areas. Surveillance and detection efforts: * Provide inspections to identify potential explosive devices, as well as increased or suspicious potential criminal activity; * Display signs warning that the property is secured and being monitored; * Install CCTV systems where they cannot be easily damaged or avoided while providing coverage of critical areas (to monitor activity, detect suspicious actions, and identify suspects); * Install enhanced lighting with emergency backup; * Install motion sensors or other intrusion detection systems; * Clear overgrown vegetation to improve lines of sight to critical areas. Security planning and coordination: * Develop and implement a security plan that serves to identify critical systems and establishes procedures for their protection; * Provide emergency telephones to report incidents or suspicious activity; * Develop communication and incident-response protocols with applicable local, state, and federal law enforcement; * Review locations of trashcans or other storage areas that could be used conceal an explosive device and ensure they are not near critical areas; * Provide pass-through gates in concrete median barriers to enable rerouting of traffic and access for emergency vehicles; * Use of an advanced warning system, including warning signs, lights, horns, and pop-up barricades to restrict access after span failure (manually activated or activated by span failure detectors). Structural modifications: * Shield the lower portions of cables on cable-stayed bridges and suspension bridges with protective armor to protect against damage from blast and fragmentation; * Increase the standoff distance and reduce access to critical elements with structural modifications (extending cable guide pipe length, moving guard rails, etc.); * Reinforce welds and bolted connections to ensure plastic capacity; * Use energy absorbing bolts to strengthen connections and reduce deformations; * Provide system redundancy to ensure alternate load paths exist should a critical structural element fail or become heavily damaged as a result of a terrorist attack. Source: GAO analysis of data prepared by FHWA, IP, AASHTO, and TRB. [End of table] [End of section] Appendix IV: Summary of Selected Federal and Non-Federal Research and Development Programs to Enhance Highway Infrastructure: Project Title: Synthesis of surveillance and security technologies and development of info-sharing website; Description: This study is a synthesis of existing surveillance and security technologies to assist bridge owners in decision making. FHWA is also developing a website for infrastructure owners to access this information and interact with other owners on their effectiveness; Key Organization: FHWA. Project Title: Modeling and analysis of steel bridge towers subjected to blast loadings; Description: This is a pooled fund experimental study to determine the effects of detonating explosives on steel bridge towers, develop and test retrofit strategies, and validate computer codes and modeling techniques; Key Organization: FHWA. Project Title: Bridge specific blast loading program; Description: This study modified the Conventional Weapons Effects Program to provide a user friendly computer program for consistent definition of blast loadings on bridges titled the Bridge Explosives Loading (BEL) program; Key Organization: FHWA. Project Title: Blast testing of full scale, pre-cast, pre-stressed concrete girder bridges; Description: FHWA is participating in this pooled fund study led by Washington State DOT to assess blast loadings and develop recommendations for possible mitigation measures that would harden this type of bridge blast damage; Key Organization: WSDOT, FHWA. Project Title: Blast resistant composite barriers; Description: This study will characterize blast, fire and mechanical cutting-resistant material properties of available composite materials and the feasibility of producing improved properties through the use of nano-composites or other material modifications; Key Organization: FHWA. Project Title: Protective retrofit for small-diameter cables or thin- sectioned steel structural members; Description: This study aims to establish performance requirements for a lightweight structural system for protecting small-diameter cables and thin-sectioned steel members against different attack methods; Key Organization: FHWA. Project Title: International Survey on Underground Transportation Systems in Europe; Description: This survey identified European safety practices that can be used in the United States to improve safety. Specific practices and security strategies identified have been shared in a written report as well as outreach efforts to tunnel owners. As a secondary effort, FHWA developed a Load and Resistance Design Factor Guide for AASHTO which incorporated findings from the International Survey and has become the standard design methodology; Key Organization: FHWA, AASHTO. Project Title: Blast/Projectile Protection Project; Description: This study includes basic research to understand the blast failure mechanisms of the most vital critical infrastructures such as dams, tunnels and bridges. In fiscal year 2007, the program developed a program plan and began physical testing and numerical modeling of blast effects on embankment dams and mitigation (hardening) measures for tunnels and bridge cables. In fiscal year 2008, the project began to evaluate blast effects and mitigation measures for dams, tunnels, and bridges. The amount of project funding targeted to bridge research was approximately $3.0 million for fiscal year 2007 and fiscal year 2008. The amount dedicated to tunnels during this period was approximately $1.9 million. However, an additional $1.0 million of fiscal year 2007 Infrastructure/Geophysical funds were dedicated to tunnel research, bringing the total funding for tunnel research funding for to $2.9 million; Key Organization: DHS, Science and Technology Directorate. Project Title: Infrastructure Blast Mitigation Project; Description: This project is developing technologies to mitigate the explosive and damaging force from an IED. In fiscal year 2008, the project conducted tests and evaluation of prototype technologies to evaluate blast mitigation performance and performed proof-of-concept demonstrations. In fiscal year 2009, the project plans to begin to develop models to further determine the vulnerability of infrastructure, bridges, and tunnels to various explosive threats; Key Organization: DHS, Science and Technology Directorate. Project Title: Rapid Mitigation and Recovery (for Critical Infrastructure) Project; Description: This project is developing rapid mitigation and recovery technologies for critical infrastructure to limit damage and consequences and to more quickly resume normal operations. The project will investigate rapid response and recovery technologies in addition to conducting basic research for the most vital infrastructure assets, such as underwater tunnels, bridges, levees, and dams; Key Organization: DHS, Science and Technology Directorate. Project Title: Resilient Tunnel Project; Description: This study seeks approaches to address critical vulnerabilities in U.S. transportation tunnels. Beginning in fiscal year 2007, this project surveyed concepts for tunnel protection, including studies on advanced materials for tunnel hardening and identification of an inflatable plug system, based on European technology, to limit the spread of fire. Further development of this system has continued in fiscal year 2008, with full completion and demonstration of a prototype inflatable plug currently scheduled for fiscal year 2010; Key Organization: DHS, Science and Technology Directorate. Project Title: Cooperative Research Program; Description: The following reports represent a sample of products completed at the request of the AASHTO Special Committee on Transportation Security: * American Association of State Highway and Transportation Officials. Protecting America's Roads, Bridges, and Tunnels: The Role of State DOTs in Homeland Security. Project 20-59 (16). Washington, D.C., 2005; * Blue Ribbon Panel on Bridge and Tunnel Security. Recommendations for Bridge and Tunnel Security. Project 20-59 (3). Washington, D.C.: Federal Highway Administration, September 2003; * Transportation Research Board. A Self-Study Course on Terrorism- Related Risk Management of Highway Infrastructure. Project 20-59 (2). Washington, D.C., 2005; * Transportation Research Board. Disruption Impact Estimating Tool- Transportation (DIETT): A Tool for Prioritizing High-Value Transportation Choke Points. Project 20-59 (9).Washington, D.C., 2005; * Transportation Research Board. Guide to Making transportation tunnels safe and secure. Project 20-67. Washington, D.C., 2006; * Transportation Research Board. Guidelines for Transportation Emergency Training Exercises. Project 20-59 (18). Washington, D.C., 2005; * Transportation Research Board. National Needs Assessment for Ensuring Transportation Infrastructure Security. Project 20-59 (5). Washington, D.C., 2002; * Transportation Research Board. Responding to Threats: A Field Personnel Manuals. Project 20-59 (6). Washington, D.C., 2003; Key Organization: Transportation Research Board. Source: GAO analysis of information provided by DHS, FHWA, AASHTO, and TRB. [End of table] [End of section] Appendix V: Comments from the Department of Homeland Security: U.S. Department of Homeland Security: Washington, DC 20528: [hyperlink, http://www.dhs.gov]: January 21, 2009: Ms. Cathleen A. Berrick: Director, Homeland Security and Justice Issues: U.S. Government Accountability Office: 441 G Street, NW: Washington, D.C. 20548: Dear Ms. Berrick: RE: Draft Report GAO-09-57SU, Highway Infrastructure: Federal Efforts to Strengthen Security Should Be Better Coordinated and Targeted on the Nation's Most Critical Highway Infrastructure (GAO Job Code 440633) The Department of Homeland Security (DHS) appreciates the opportunity to review and comment on the draft report referenced above. The report contains two recommendations, one to the Department and another specifically addressed to the Transportation Security Administration. Department and Transportation Security Administration (TSA) officials agree with the recommendations. TSA officials have already started to formulate implementation plans. The following response brings current any references made in the draft report to ongoing, developing, or maturing programs within TSA to ensure the integrity of any actions or decisions premised on this review. This report represents a snapshot of TSA initiatives as of the time of its compilation. Although there is agreement with the recommendations, TSA officials believe that the U.S. Government Accountability Office (GAO) has misstated or misinterpreted a key fact and this misstatement significantly affects the findings of the report. The issue involves the TSA Highway and Motor Carrier (HMC) Division's desire and intention to conduct individual vulnerability assessments on critical highway structures. This report indicates that the TSA HMC Division has either not decided whether to conduct such assessments or has determined that they would not be done. TSA intends to conduct individual assessments on all bridge and tunnel properties that TSA had identified as "critical" and thus selected to occupy the DHS "Tier 2" structures list. Recommendation 1: The Secretary of Homeland Security establish a mechanism to systematically coordinate risk assessment activities and share the results of these activities among the federal partners. Response: The Department agrees with the recommendation. TSA will have the lead in developing a sector coordinated risk assessment. The function of "security risk assessment" has taken many forms under many agencies since the events of 9/11 and that a uniform and central system of assessment, data storage, and information sharing is critical to the effective implementation of terrorist mitigation tools in the future. In large part, TSA attributes the current state of coordination and information sharing to the enthusiasm of legacy U.S. Department of Transportation (USDOT) agencies to play a meaningful role in security immediately after the events of 9/11, the evolution of assignment of federal security responsibility through laws and policies, and the maturation processes of TSA and fellow DHS components. TSA recognizes, however, that it is responsible for all transportation security matters and intends to fulfill its leadership role in the highway infrastructure arena. TSA is prepared to assume responsibility for all highway infrastructure security issues and will request of all DHS, USDOT and state or local governmental bodies that TSA become the repository for all risk- assessment models and data associated with this mode. Toward this goal, TSA has already convened representatives of both DHS and USDOT agencies to produce the document titled, National Strategy for Highway Bridge Security, which is currently under review by agencies and offices within both Departments. Once fully vetted, this document provides for appropriate participation and coordination of efforts by all federal agencies engaged in highway infrastructure security. Recommendation 2: The Assistant Secretary for the Transportation Security Administration, in consultation with the Highway Government Coordinating Council and the Highway Sector Coordinating Council should take the following two actions: (1) For the upcoming revision to the Highway Modal Annex: (a) in addition to the results of threat assessment information, incorporate the results of available vulnerability and consequence assessment information into the strategy for securing highway infrastructure; (b) consistent with Executive Order 13416 and desirable characteristics of an effective national strategy, identify existing guidance developed by other federal and state highway infrastructure stakeholders; indicate timeframes or milestones for its overall implementation for which entities can be held responsible; more clearly define security- related roles and responsibilities for highway infrastructure security activities for itself and other federal stakeholders, state and local government, and the private sector; establish a timeframe for developing performance goals and measures for monitoring the implementation of the Annex's goals, objectives, and activities; and provide more guidance on resource, investment, and risk management to help implementing parties allocate resources and investments according to priorities and constraints; and; (2) develop a cost-effective mechanism to monitor the implementation of voluntary protective security measures on highway infrastructure assets identified as nationally critical. Response: TSA agrees with the recommendation. (l a) At the time of the drafting of the first iteration of the Highway Modal Annex, such vulnerability and consequence data was not available. As TSA has expanded its Corporate Security Review (CSR) program, personnel have become more familiar with stakeholder community security practices, and conducted much more detailed analyses of vulnerability and mitigation tools. As a result, TSA has improved its ability to conduct more comprehensive risk assessments that address threat, vulnerability, and consequences. While those elements were considered in the preparation of the initial Annex, the document itself did not adequately explain how they were incorporated into the resulting strategy. Future Annex publications will better explain TSA's use of all three risk elements. TSA agrees that it is in the best position to provide strategy guidance, coordination, and oversight in this area. TSA also agrees that implementation milestones and preparedness timeframes are appropriate for the Highway Modal Annex, but cautions that limitations on this stakeholder community's implementation strategies will be based on lack of resources, not lack of enthusiasm. It is for that reason that the National Strategy for Highway Bridge Security document referenced in the response to Recommendation 1 seeks to help responsible stakeholders find resources dedicated exclusively to address the security needs of their structures. (lb) TSA has indicated to GAO that it does not believe that direct regulation is appropriate for the stakeholder community accountable for highway structures (largely state and local governments, quasi- government authorities and public corporations). Based on experience, TSA believes this to be an overwhelmingly responsible constituency that will be highly proactive given appropriate resources and guidance. TSA does, however, agree with GAO's recommended actions for its motor carrier constituency. TSA is responsible for both motor carriers (e.g., trucks, buses) and highway structures (e.g., bridges, roads, tunnels). To be clear, the agency will provide guidance and consider regulations and compliance for the motor carrier segment of its stakeholder community but does not believe there is a need for regulation in the stakeholder community responsible for critical highway structures. (2) TSA agrees and is moving forward to identify a variety of mechanisms to monitor the voluntary security measures implemented with respect to critical highway structures. In Fiscal Year 2009, using funds made available specifically for this purpose, TSA will begin individual vulnerability assessments on its national critical Tier II structures list. Each assessment will be accompanied by a TSA- recommended approach to risk mitigation, and TSA will track the status of those recommendations on a periodic basis. TSA's security partners will be kept informed of progress. In addition, it is TSA's intention to clearly identify any hindrances to implementation and try to assist the stakeholder in executing identified measures. Sincerely, Signed by; Jerald E. Levine: Director: Departmental GAO/OIG Liaison Office: [End of section] Appendix VI: GAO Contact and Staff Acknowledgments: GAO Contact: Cathleen A. Berrick, (202) 512-3404 or berrickc@gao.gov: Staff Acknowledgments: In addition to the contact named above, Steve Morris, Assistant Director, and Gary M. Malavenda, Analyst-in-Charge, managed this assignment. Jean Orland, Ryan Lambert, Susan Langley, and Dan Rodriguez made significant contributions to the work. Stan Kostyla and Chuck Bausell assisted with design, methodology, and data analysis. Linda Miller provided assistance in report preparation; Tracey King provided legal support; Nikki Clowers provided expertise on physical infrastructure issues; Sara Veale provided expertise on coordination and collaboration best practices; Elizabeth Curda provided expertise on performance management; and Pille Anvelt and Avrum Ashery developed the report's graphics. [End of section] Footnotes: [1] IP is an organizational entity within the National Protection and Programs Directorate. Critical infrastructure are systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on national security, national economic security, national public health or safety, or any combination of those matters. Key resources are publicly or privately controlled resources essential to minimal operations of the economy and government. For purposes of this report, we will use the term critical infrastructure to also include key resources. [2] DHS determined that the risk assessment information is "For Official Use Only." As a result, the related data are not contained in this report. [3] The Highway GCC was established in April 2006, and consists of federal stakeholders and state and local officials with sector-specific security responsibilities. The Highway SCC, established in June 2006, consists of private sector organization, owner-operators, and entities with transportation security responsibilities. [4] Homeland Security Presidential Directive-7, issued December 17, 2003, establishes a national policy for Federal departments and agencies to identify and prioritize U.S. critical infrastructure and to protect them from terrorist attacks. The Directive identifies key roles and responsibilities of the DHS Secretary and applicable federal agencies, including requirements for coordination of protection efforts among government agencies and with the private sector. GAO, Results- Oriented Government: Practices That Can Help Enhance and Sustain Collaboration among Federal Agencies, [hyperlink, http://www.gao.gov/products/GAO-06-15] (Washington D.C: October 21, 2005). [5] Executive Order 13416, issued in December 2005, mandates that an annex shall be completed for each surface transportation mode in support of the Transportation Systems Sector-Specific Plan. The Highway Infrastructure and Motor Carrier modal annex (Highway Modal Annex) was developed to meet this mandate and is intended to meet the minimum content requirements set forth in this Order. Exec. Order No. 13,416, 71 Fed. Reg. 71,033 (Dec. 5, 2006). [6] These characteristics were developed after our research found that there were no legislative or executive mandates identifying a uniform set of required or desirable characteristics for national strategies. For a more detailed discussion of these characteristics, see GAO: Combating Terrorism: Evaluation of Selected Characteristics in National Strategies Related to Terrorism, GAO-04-408T (Washington, D.C: Feb. 3, 2004). [7] AASHTO represents highway and transportation departments in the 50 states, the District of Columbia, and Puerto Rico. [8] GAO, Standards for Internal Control in the Federal Government, [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1] (Washington, D.C.: Nov. 1, 1999). These standards, issued pursuant to the requirements of the Federal Managers' Financial Integrity Act of 1982 (FMFIA), provide the overall framework for establishing and maintaining internal control in the federal government. Also pursuant to FMFIA, the Office of Management and Budget (OMB) issued Circular A- 123, revised December 21, 2004, to provide the specific requirements for assessing the reporting on internal controls. Internal control standards and the definition of internal control in OMB Circular A-123 are based on GAO's Standards for Internal Control in the Federal Government. [9] See [hyperlink, http://www.gao.gov/products/GAO-06-15]. [10] The Homeland Security Grant Program consists of three underlying programs that have been used, in part, to finance highway infrastructure security enhancements--the State Homeland Security Program, the Urban Area Security Initiative, and the Law Enforcement Terrorism Prevention Program. Under the Infrastructure Protection Program, highway infrastructure security efforts have primarily been funded through the Buffer Zone Protection Program (BZPP) and the Trucking Security Program. [11] Prior to the terrorist attacks of September 11, 2001, DOT was the primary federal entity involved in regulating highway infrastructure as it concerned safety. No particular entity was responsible for highway infrastructure security prior to the establishment of TSA. [12] Homeland Security Presidential Directive-7 (HSPD-7) directed DOT and the DHS to collaborate on all matters related to transportation security and transportation infrastructure protection. [13] Pub. L. No. 107-71, § 101(a), 115 Stat. 597, 598 (2001) (codified at 49 U.S.C. § 114(f)). [14] Pub. L. No. 107-296, §§ 101, 201(d),116 Stat. 2135, 2142, 2145-46 (2002). [15] Pub. L. No. 108-458, § 4001(a), 118 Stat. 3638, 3710 (2004) (codified as amended at 49 U.S.C. § 114(s)). [16] Pub. L. No. 110-53, §§ 1202, 1203, 121 Stat. 266, 381-86 (2007). At the time of our review, DHS had not issued this plan. [17] Exec. Order No. 13,416, 71 Fed. Reg. 71,033 (Dec. 5, 2006). [18] Specific threat information is "For Official Use Only" and is not contained in this report. [19] According to TSA officials, investigation of this incident was still ongoing and no additional details were provided. [20] As part of the analysis conducted to determine the high-risk scenarios identified in the SHIRA report for the highway sector, IP incorporated vulnerability and consequence data provided by TSA, as well as input from DOT. [21] MSRAM is a terrorism risk analysis tool used by USCG units to identify critical infrastructure and support risk-based security decisions. [22] The HMC division of TSA currently has 19 staff and is responsible for managing the following functional areas: Trucking and Hazardous Materials, Motor coaches, School Transportation, Commercial Drivers Licenses, and Highway Infrastructure. [23] The 11 CSR functional areas identified by TSA include: threat assessments, vulnerability assessments, security planning, credentialing, designation and management of secure areas, critical asset identification, physical security measures, cyber security measures, security training, communications practices, and security exercises. [24] While HMC has identified these visits as asset-specific CSRs, HMC documented its findings for a limited number of cases. The other visits did not result in a formal CSR report. [25] According to HMC officials, the decision to complete CSR's in all 50 states was largely attributable to a request by AASHTO. Prior to this decision, HMC documented that CSR's would be conducted on the basis of risk and prioritized to those states with greater numbers of critical highway infrastructure assets. [26] The Standard for Program Management© (The Project Management Institute, 2006). [27] According to HMC officials, the effort has the full support of AASHTO but remains dependent on individual states to support additional training and other requirements related to these efforts. [28] The number of vulnerability assessments that were conducted is designated "For Official Use Only" and is not contained in this report. [29] Requests for federal funding under the BZPP are tracked using the Vulnerability Reduction Purchasing Plan. Once the plan is reviewed and approved by IP, FEMA is responsible for administering the funds and monitoring expenditures. [30] Grant funding available through the BZPP program was approximately $91 million in 2005 and approximately $50 million for each fiscal year from 2006 through 2008. [31] Stakeholder security efforts are coordinated within the Area Maritime Security Committee, whose members may include asset owners and operators of maritime bridges and tunnels. [32] DHS determined that the Tier 1 list criteria and all numbers related to the Tier list is "For Official Use Only." As a result, the related data are not contained in this report. [33] According to USCG officials, risk assessments conducted by IP on the same infrastructure assets may be valuable to validate and inform its own MSRAM analysis. [34] See [hyperlink, http://www.gao.gov/products/GAO-06-15]. [35] According to FHWA officials, they assisted in arranging and participated in several of the CSRs performed by TSA. [36] According to DHS officials, the SSA Auto Notification System, provided through the Linking Encryption Network System (LENS), has resolved the issue of IP notifying to SSAs when they scheduled vulnerability assessments. The Auto Notification System sends an email to the SSA when an assessment has been scheduled, including the type of vulnerability assessment, a description of the assessment, trip dates, and further contact information are listed in the email. [37] According to DHS, IP's Protective Measures Section is to collect and analyze information to evaluate the effectiveness of assessments, protective measures implemented, and grant funding provided to high- priority CIKR. [38] According to FHWA officials, representatives from TSA and FHWA met in December, 2008 to initiate planning efforts to combine risk assessment tools, where they deemed applicable. [39] Development and implementation of the Highway Modal Annex was conducted by HMC. [40] Executive Order 13416 mandated that modal annexes were to be completed within 90 days after the comprehensive TSSP was completed. [41] TSA officials stated they are planning to issue best security practices for the entire highway mode on major topics including access control and vulnerability assessments to highway infrastructure stakeholders. HMC refers to this guidance as the U.S. (Universal Security) Template, but does not have a time frame for issuing this product. [42] CBP is not responsible for the bridges or tunnels that may lead to and/or away from the port of entry as they are not owned nor leased by CBP and are not a part of the footprint of the port of entry. Ports of entry are government-designated locations where CBP inspects persons and goods to determine whether they may be lawfully admitted into the country. A land port of entry may have more than one border crossing point where CBP inspects travelers for admissibility into the United States. [43] [hyperlink, http://www.gao.gov/products/GAO-06-15]. [44] [hyperlink, http://www.gao.gov/products/GAO-04-408T]. [45] GAO, Highlights of a GAO Forum: Mergers and Transformation: Lessons Learned for a Department of Homeland Security and Other Federal Agencies, [hyperlink, http://www.gao.gov/products/GAO-03-293SP] (Washington, D.C.: November 2002). [46] Pub. L. No. 103-62, 107 Stat. 285 (1993); and GAO/AIMD-00-21.3.1. [47] See [hyperlink, http://www.gao.gov/products/GAO-04-408T]. [48] Pub. L. No. 110-53, § 1541, 121 Stat. 266, 469 (2007). [49] Id. at § 1203(a)(9), 121 Stat. at 386 (codified at 49 U.S.C. § 114(u)(9)). [50] Id. at § 1203(a)(2), 121 Stat. at 384 (codified at 49 U.S.C. § 114(u)(2)). [51] [hyperlink, http://www.gao.gov/products/GAO-04-408T]. [52] A Guide to Highway Vulnerability Assessment for Critical Asset Identification and Protection, Science Applications International Corporation, May 2002; National Needs Assessment for Ensuring Transportation Infrastructure Security, Parsons Brinckerhoff & Science Applications International Corporation, October 2002.; Protecting America's Roads, Bridges, and Tunnels: The Role of State DOTs in Homeland Security, AASHTO, January 2005. [53] Referred to as the "Collective Protection Papers," IP has produced a number of products to provide sector stakeholders guidance on security measures and specifically addresses the threats and vulnerabilities of highway infrastructure assets. These reports include: Characteristics and Common Vulnerabilities-Infrastructure Category: Highway Bridges; and Potential Indicators of Terrorist Activity-Infrastructure Category: Highway Bridges, among others. [54] We did not assess the extent to which these products were being utilized by stakeholders when conducting vulnerability assessments. [55] These conferences have been conducted in three locations. As of January 2009, TSA did not have any additional workshops scheduled. [56] The security awareness security program is funded through DHS' Trucking Security Program (TSP). For 2008, Congress appropriated $16 million to administer the TSP (approximately $77.8 million in total funds have been provided since fiscal year 2003). In September 2008, the DHS Inspector General identified several areas where the TSP program could be improved to enhance accountability and help ensure the viability of the program. Department of Homeland Security Inspector General, Effectiveness of the Federal Trucking Industry Security Grant Program, OIG-08-100 (Washington, D.C.: Sept. 26, 2008). [57] The Transportation Research Board is one of six divisions of the National Research Council in the National Academies. The Board provides leadership through research and information exchange. The program is supported by state transportation departments, federal stakeholders including the component administrations of DOT, and other organizations and individuals interested in the development of transportation. [58] According to FHWA, a new Cooperative Research Program study will soon be published by AASHTO entitled, "Costing Asset Protection: An All Hazards Guide for Transportation Agencies." [59] TSA Transportation Sector Network Management Office - Highway and Motor Carrier Division, Assessment of Highway Mode Security: Corporate Security Review Results, May 2006. The 11 functional areas are: threat assessment, vulnerability assessment, security planning, credentialing, secure areas, critical infrastructure, physical security, cyber security, security training, communications and exercises. [60] To observe security measures undertaken by highway infrastructure operators, we selected a non-probability sample of 13 bridges and tunnels in 5 states to visit. [61] Executive Order 13416, Strengthening Surface Transportation Security, December 5, 2006. [62] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [63] DHS determined that the risk assessment information is "For Official Use Only." As a result, the related data are not contained in this report. [64] Pub. L. No. 103-62, 107 Stat. 285 (1993); and GAO, Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (Washington, D.C.: Nov. 1999). These standards, issued pursuant to the requirements of the Federal Managers' Financial Integrity Act of 1982 (FMFIA), provide the overall framework for establishing and maintaining internal control in the federal government. Also pursuant to FMFIA, the Office of Management and Budget (OMB) issued Circular A-123, revised December 21, 2004, to provide the specific requirements for assessing the reporting on internal controls. Internal control standards and the definition of internal control in OMB Circular A-123 are based on GAO's Standards for Internal Control in the Federal Government. [65] These characteristics were developed after our research found that there were no legislative or executive mandates identifying a uniform set of required or desirable characteristics for national strategies. For a more detailed discussion of these characteristics, see Combating Terrorism: Evaluation of Selected Characteristics in National Strategies Related to Terrorism, GAO-04-408T (Washington, D.C: Feb. 3, 2004). [66] AASHTO represents highway and transportation departments in the 50 states, the District of Columbia, and Puerto Rico. [67] [hyperlink, http://www.gao.gov/products/GAO/AIMD-00-21.3.1]. [End of section] GAO's Mission: The Government Accountability Office, the audit, evaluation and investigative arm of Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. Obtaining Copies of GAO Reports and Testimony: The fastest and easiest way to obtain copies of GAO documents at no cost is through GAO's Web site [hyperlink, http://www.gao.gov]. Each weekday, GAO posts newly released reports, testimony, and correspondence on its Web site. To have GAO e-mail you a list of newly posted products every afternoon, go to [hyperlink, http://www.gao.gov] and select "E-mail Updates." Order by Phone: The price of each GAO publication reflects GAO’s actual cost of production and distribution and depends on the number of pages in the publication and whether the publication is printed in color or black and white. Pricing and ordering information is posted on GAO’s Web site, [hyperlink, http://www.gao.gov/ordering.htm]. Place orders by calling (202) 512-6000, toll free (866) 801-7077, or TDD (202) 512-2537. Orders may be paid for using American Express, Discover Card, MasterCard, Visa, check, or money order. Call for additional information. To Report Fraud, Waste, and Abuse in Federal Programs: Contact: Web site: [hyperlink, http://www.gao.gov/fraudnet/fraudnet.htm]: E-mail: fraudnet@gao.gov: Automated answering system: (800) 424-5454 or (202) 512-7470: Congressional Relations: Ralph Dawn, Managing Director, dawnr@gao.gov: (202) 512-4400: U.S. Government Accountability Office: 441 G Street NW, Room 7125: Washington, D.C. 20548: Public Affairs: Chuck Young, Managing Director, youngc1@gao.gov: (202) 512-4800: U.S. Government Accountability Office: 441 G Street NW, Room 7149: Washington, D.C. 20548: