GAO applauds DHS critical infrastructure protection plan

An updated plan from the U.S. Department of Homeland Security (DHS) for protecting the nation's critical infrastructure facilities earned high marks in a recent assessment by federal investigators for its emphasis on risk management, according to a report released Monday.

Congress asked the U.S. Government Accountability Office (GAO) to conduct an assessment of a 2009 update to the DHS' National Infrastructure Protection Plan for managing risks to critical infrastructure facilities and key resources, which include power distribution, water treatment and supply, telecommunications, national defense and emergency services.

These facilities rely largely on computers that must be protected to prevent fraud, disclosure of sensitive information and disruptions in service. The plan, first issued by the DHS in 2006 and then revised and reissued in 2009, now places a greater emphasis on regional critical infrastructure protection, risk management and resilience, federal investigators wrote in the report.

For example, the 2006 plan originally listed minimum requirements for conducting risk analyses, while the latest version includes a common risk assessment approach, which will allow for the comparison of risk across industry sectors, according to the report.

In addition, the 2009 plan now includes instructions for industry sectors to develop metrics to gauge how well critical infrastructure protection programs reduced the risk to their sector. Also, the plan includes a new provision that calls for regional coordination of critical infrastructure protection efforts through the formation of a consortium of representatives.

Federal investigators said the new plan also places a greater emphasis on the concept of resiliency, which is the capability to resist, respond to and recover from disasters. For example, the 2009 version of the plan discusses resiliency with the same level of importance as protection, whereas the 2006 version treated resiliency as a "subset" of protection.

Congress requested the assessment in light of an ongoing debate among lawmakers, educators and members of the private sector about whether the DHS' approach to critical infrastructure protection placed most of its emphasis on protection — actions to deter threats and mitigate vulnerabilities — rather than resiliency, the report states.

DHS officials told the GAO that changes in the 2009 plan came from stakeholder input. Specifically, changes around resiliency were made to increase awareness of the concept and encourage more cross-sector activities that address a wider range of risks, including cybersecurity, officials said.
