GAO applauds DHS critical infrastructure protection plan

An updated plan from the U.S. Department of Homeland Security (DHS) for protecting the nation's critical infrastructure facilities earned high marks in a recent assessment by federal investigators for its emphasis on risk management, according to a report released Monday.

Congress asked the U.S. Government Accountability Office (GAO) to conduct an assessment of a 2009 update to the DHS' National Infrastructure Protection Plan for managing risks to critical infrastructure facilities and key resources, which include power distribution, water treatment and supply, telecommunications, national defense and emergency services.

These facilities rely largely on computers that must be protected to prevent fraud, disclosure of sensitive information and disruptions in service. The plan, first issued by the DHS in 2006 and then revised and reissued in 2009, now places a greater emphasis on regional critical infrastructure protection, risk management and resilience, federal investigators wrote in the report.

For example, the 2006 plan originally listed minimum requirements for conducting risk analyses, while the latest version includes a common risk assessment approach, which will allow for the comparison of risk across industry sectors, according to the report.

In addition, the 2009 plan now includes instructions for industry sectors to develop metrics to gauge how well critical infrastructure protection programs reduced the risk to their sector. Also, the plan includes a new provision that calls for regional coordination of critical infrastructure protection efforts through the formation of a consortium of representatives.

Federal investigators said the new plan also places a greater emphasis on the concept of resiliency, which is the capability to resist, respond to and recover from disasters. For example, the 2009 version of the plan discusses resiliency with the same level of importance as protection, whereas the 2006 version treated resiliency as a "subset" of protection.

Congress requested the assessment in light of an ongoing debate among lawmakers, educators and members of the private sector about whether the DHS' approach to critical infrastructure protection placed most of its emphasis on protection — actions to deter threats and mitigate vulnerabilities — rather than resiliency, the report states.

DHS officials told the GAO that changes in the 2009 plan came from stakeholder input. Specifically, changes around resiliency were made to increase awareness of the concept and encourage more cross-sector activities that address a wider range of risks, including cybersecurity, officials said.
