GAO applauds DHS critical infrastructure protection plan

An updated plan from the U.S. Department of Homeland Security (DHS) for protecting the nation's critical infrastructure facilities earned high marks in a recent assessment by federal investigators for its emphasis on risk management, according to a report released Monday.

Congress asked the U.S. Government Accountability Office (GAO) to conduct an assessment of a 2009 update to the DHS' National Infrastructure Protection Plan for managing risks to critical infrastructure facilities and key resources, which include power distribution, water treatment and supply, telecommunications, national defense and emergency services.

These facilities rely largely on computers that must be protected to prevent fraud, disclosure of sensitive information and disruptions in service. The plan, first issued by the DHS in 2006 and then revised and reissued in 2009, now places a greater emphasis on regional critical infrastructure protection, risk management and resilience, federal investigators wrote in the report.

For example, the 2006 plan originally listed minimum requirements for conducting risk analyses, while the latest version includes a common risk assessment approach, which will allow for the comparison of risk across industry sectors, according to the report.

In addition, the 2009 plan now includes instructions for industry sectors to develop metrics to gauge how well critical infrastructure protection programs reduced the risk to their sector. Also, the plan includes a new provision that calls for regional coordination of critical infrastructure protection efforts through the formation of a consortium of representatives.

Federal investigators said the new plan also places a greater emphasis on the concept of resiliency, which is the capability to resist, respond to and recover from disasters. For example, the 2009 version of the plan discusses resiliency with the same level of importance as protection, whereas the 2006 version treated resiliency as a "subset" of protection.

Congress requested the assessment in light of an ongoing debate among lawmakers, educators and members of the private sector about whether the DHS' approach to critical infrastructure protection placed most of its emphasis on protection — actions to deter threats and mitigate vulnerabilities — rather than resiliency, the report states.

DHS officials told the GAO that changes in the 2009 plan came from stakeholder input. Specifically, changes around resiliency were made to increase awareness of the concept and encourage more cross-sector activities that address a wider range of risks, including cybersecurity, officials said.
