An updated plan from the U.S. Department of Homeland Security (DHS) for protecting the nation's critical infrastructure facilities earned high marks in a recent assessment by federal investigators for its emphasis on risk management, according to a report released Monday.
Congress asked the U.S. Government Accountability Office (GAO) to conduct an assessment of a 2009 update to the DHS' National Infrastructure Protection Plan for managing risks to critical infrastructure facilities and key resources, which include power distribution, water treatment and supply, telecommunications, national defense and emergency services.
These facilities rely largely on computers that must be protected to prevent fraud, disclosure of sensitive information and disruptions in service. The plan, first issued by the DHS in 2006 and then revised and reissued in 2009, now places a greater emphasis on regional critical infrastructure protection, risk management and resilience, federal investigators wrote in the report.
For example, the 2006 plan listed only minimum requirements for conducting risk analyses, while the latest version includes a common risk assessment approach intended to allow risk to be compared across industry sectors, according to the report.
In addition, the 2009 plan now instructs industry sectors to develop metrics to gauge how well critical infrastructure protection programs reduce the risk to their sector. The plan also includes a new provision that calls for regional coordination of critical infrastructure protection efforts through the formation of a consortium of representatives.
Federal investigators said the new plan also places a greater emphasis on the concept of resiliency, which is the capability to resist, respond to and recover from disasters. For example, the 2009 version of the plan discusses resiliency with the same level of importance as protection, whereas the 2006 version treated resiliency as a "subset" of protection.
Congress requested the assessment in light of an ongoing debate among lawmakers, educators and members of the private sector about whether the DHS' approach to critical infrastructure protection placed most of its emphasis on protection — actions to deter threats and mitigate vulnerabilities — rather than resiliency, the report states.
DHS officials told the GAO that changes in the 2009 plan came from stakeholder input. Specifically, changes around resiliency were made to increase awareness of the concept and encourage more cross-sector activities that address a wider range of risks, including cybersecurity, officials said.