This letter formally discusses a congressional request to review the Department of Homeland Security's framework for securing critical infrastructure and key resources (CIKR), and subsequent agency comments. As such, this correspondence provides information on: (1) how DHS coordinates with CIKR stakeholders to identify overlaps and gaps in CIKR security activities across all sectors, (2) how DHS addresses these potential overlaps in CIKR security activities, and (3) how DHS addresses CIKR security gaps. To conduct this work, among other things, we selected a non-random sample of nine sectors with a mix of regulations related to security to obtain stakeholders views on working with DHS to identify and address overlaps and gaps in CIKR activities; reviewed applicable laws and regulations, DHS documents such as the National Infrastructure Protection Plan, and pertinent GAO reports; and interviewed DHS officials in the Office of Infrastructure Protection (IP) in the National Protection and Programs Directorate and officials representing the sectors we selected. While the results of these efforts are not generalizable to all CIKR sectors, stakeholders, and activities, they provided valuable insights into CIKR partner perspectives across a range of CIKR.

(1) DHS coordinates with CIKR stakeholders, including other federal regulatory authorities, through information-sharing mechanisms, such as council meetings, and other efforts to identify overlaps and gaps in CIKR security activities. (2) DHS is taking action to address overlapping security activities by clarifying roles and responsibilities for CIKR security activities with agencies that have regulatory oversight, such as the Nuclear Regulatory Commission, through coordination mechanisms, including memorandums of understanding and working groups. (3) DHS works to address gaps in infrastructure security by developing and distributing tools such as guides that promote common security activities; conducting voluntary training and security exercises to enhance security capabilities; providing information on resources available to security partners; and, as appropriate, conducting site vulnerability assessments and security surveys at both public and privately owned facilities that voluntarily participate in such efforts. We are not making any recommendations for congressional consideration or agency action.