
Guide to GAO and CRS Reports on Critical Infrastructure

GAO-03-1165T, Report Abstract states, “The Homeland Security Act of 2002, which created the Department of Homeland Security (DHS), brought together 22 diverse organizations to help prevent terrorist attacks in the United States, minimize damage, and assist in recovery from attacks that do occur. To accomplish this mission, the act established specific homeland security responsibilities for the department, which included sharing information among its own entities and with other federal agencies, state and local governments, the private sector, and others. GAO was asked to discuss the significance of fulfilling DHS's responsibilities, emphasizing GAO's related prior analyses and recommendations for improving the federal government's information sharing efforts. DHS's responsibilities include coordinating and sharing information related to threats of domestic terrorism within the department and with and between other federal agencies, state and local governments, the private sector, and other entities. To accomplish its missions, DHS must, for example, access, receive, and analyze law enforcement information, intelligence information, and other threat, incident, and vulnerability information from federal and nonfederal sources and … nature and scope of terrorist threats. DHS must also share information both internally and externally with agencies and law enforcement on such things as goods and passengers inbound to the …”

GAO-03-985R, July 7, 2003, Post-Hearing Question From the May 8, 2003, Hearing on Barriers to Information Sharing at the Department of Homeland Security. Report Abstract states, “This letter provides GAO's response for the record to the question posed by Congress concerning whether GAO believes that the Department of Homeland Security should consolidate databases … correlation of relationships in that data that can point to developing threats. Standardizing and consolidating stovepiped databases can offer significant benefits. In particular, it can help reduce or eliminate duplicative data capture and storage and enable faster data access and better data consistency, which can reduce costs as well as improve data reliability and sharing. Analyzing these benefits in relation to associated costs and risks, such as security and privacy, provides a … (such as the number and variability of the lists and the commonality of their purposes) of opportunities to consolidate and standardize. Consequently, we recommended that the Department of Homeland Security determine the extent of watch list consolidation needed to accomplish its mission and that such consolidation be done as part of the department's efforts to develop an enterprise architecture.”

GAO-03-564T,
“Protecting the computer systems that support federal agencies' operations and our nation's critical infrastructures--such as power … concern. These concerns are well-founded for a number of reasons, including the dramatic increases in reported computer security incidents, the ease of obtaining and using hacking tools, the steady advance in the sophistication and effectiveness of attack technology, and the dire warnings of new and more destructive attacks. GAO first designated computer security as high risk in 1997, and in 2003 expanded this high-risk area to include protecting the systems that support our nation's critical infrastructures, referred to as cyber critical infrastructure protection or cyber CIP. GAO has made previous recommendations and periodically testified on federal information security weaknesses--including agencies' progress in implementing key legislative provisions on information security--and the challenges that the nation faces in protecting our nation's critical infrastructures. GAO was asked to provide an update on the status of federal information security and CIP.

With the enactment of the Federal Information Security Management Act of 2002, the Congress continued its efforts to improve federal information security by permanently authorizing and strengthening key information security requirements. The administration has also made progress through a number of efforts, among them the Office of Management and Budget's emphasis of information security in the budget process. However, significant information security weaknesses at 24 major agencies continue to place a broad array of federal operations and assets at risk of fraud, misuse, and disruption. Although recent reporting by these agencies showed some improvements, GAO found that agencies still have not established information security programs consistent with the legal requirements. For example, periodic testing of security controls is essential to security program management, but for fiscal year 2002, 14 agencies reported they had tested the controls of less than 60 percent of their systems. Further information security improvement efforts are also needed at the government-wide level, and these efforts need to be guided by a comprehensive strategy in which roles and responsibilities are clearly delineated, appropriate guidance is given, adequate technical expertise is obtained, and sufficient agency information security resources are allocated. Although improvements have been made in protecting our nation's critical infrastructures and continuing efforts are in progress, further efforts are needed to address critical challenges that GAO has identified over the last several years. These challenges include: (1) developing a comprehensive and coordinated national CIP plan; (2) improving information sharing on threats and vulnerabilities between the private sector and the federal government, as well as within the government itself; (3) improving analysis and warning capabilities for both cyber and physical threats; and (4) encouraging entities outside the federal government to increase their CIP efforts.”

GAO-03-509R,
“The events of …”

GAO-03-260, Excerpt concerning the status of “partnership issues” and “collaboration with private sector” in Critical Infrastructure Assurance programs.

GAO-03-121, Report series description states, “This report on protecting information systems supporting the federal government and the nation's critical infrastructures is part of GAO's high-risk series, first issued in 1993 and updated periodically. This series identifies areas at high risk due to either their greater vulnerabilities to waste, fraud, abuse, and mismanagement or major challenges associated with their economy, efficiency, or effectiveness.”

GAO-03-119, Excerpt, part of GAO's overview of Progress in Addressing High Risk Areas. Includes: “Protecting Information Systems Supporting the Federal Government and the Nation's Critical Infrastructures” (pp. 15-17) and “Highlights of High Risk Areas” (p. 32).

GAO-03-24R,
Report Abstract states, “Congress passed the Chemical Safety Information, Site Security and Fuels Regulatory Relief Act after a number of testimonies expressing concerns about the vulnerability of chemical facilities to criminal and terrorist attacks. According to the Attorney General's interim report, chemical facilities visited generally had safety and emergency response measures that could mitigate the consequences of a terrorist attack. The report further stated that the level of security at chemical facilities is roughly equivalent to standard security practices found in most industries. The interim report also contains nine preliminary findings that cumulatively address the other required reporting elements--the vulnerability of facilities to criminal and terrorist activity, current industry site security practices, and the security of chemicals being transported. These findings address the extent to which 11 facilities conducted facility security assessments, had the capability to respond to armed attacks, conducted emergency response exercises, conducted routine pre-employment background investigations, had secure process control systems, had secure chemical transportation containers, had adequate security measures over transportation of hazardous chemicals, received meaningful threat information, and had effective facility security systems.”

GAO-02-1122T, Excerpt from GAO Report concerning securing computer networks (pp. 31-32).

GAO-02-918T, Report found that, “As proposed,
the functions of the Information Analysis and Infrastructure Protection division would include receiving and analyzing law enforcement and intelligence information, assessing cyber and physical vulnerabilities of critical infrastructures, and taking measures to protect them. The consolidation of these six organizations into a single division, if properly implemented, could result in combining similar functions, thereby avoiding duplication and possibly creating more robust capabilities. For example, analysis and warning of cyber incidents is currently performed by both the National Infrastructure Protection Center and the …”

Excerpt showing GAO recommendations for “Starting Points” (pp. 15-16) and “Building Tools to Detect and Assess Terrorist Threats”.

GAO-02-799,
Report Abstract states, “The …”

GAO-02-150T, Report analyzes risk assessment, including CII. Abstract states, “Risk management is a systematic and analytical process that weighs the likelihood that a threat will endanger an asset, individual, or function and identifies actions to reduce the risk and mitigate the consequences of an attack. A good risk management approach includes the following three assessments: a threat, a vulnerability, and a criticality. After these assessments have been completed and evaluated, key steps can be taken to better prepare the …”

GAO-01-1168T,
Report Abstract states, “Federal agencies, and other public and private groups, rely extensively on computer systems and electronic data. The security of these systems and data is essential to avoiding disruptions in critical operations and preventing data tampering, fraud, and inappropriate disclosure of sensitive information. However, federal computer systems contain weaknesses that continue to put critical operations and assets at risk. In particular, deficiencies exist in entity-wide security programs that are critical to agencies' success in ensuring that risks are understood and effective controls are … nationally critical infrastructure protection strategy outlined in Presidential Decision Directive (PDD) 63. However, progress in key areas has been limited. Although outreach efforts by many federal entities to establish cooperative relationships with and among private and other nonfederal entities have raised awareness and prompted information sharing, efforts to perform substantive analyses of sector-wide and cross-sector interdependencies and related vulnerabilities have been limited. A major impediment to implementing the strategy outlined in PDD 63 is the lack of a national plan that clearly spells out the roles and responsibilities of federal and nonfederal entities and defines interim objectives.” See especially Figure 1: Critical Infrastructure Protection Responsibilities as Outlined by PDD 63, excerpt (p. 24).

GAO-01-1132T, “Federal
computer systems are riddled with weaknesses that continue to put critical operations and assets at risk. New information security provisions introduced by Congress will be a major catalyst for federal agencies to improve their security program management. To help maintain the momentum that the new information security reform provisions have generated, federal agencies must act quickly to implement strong security program management. A key element of the strategy outlined in Presidential Decision Directive (PDD) 63 was establishing the …”

Congressional Research Service (CRS) Reports

The following CRS reports provide the most clear-cut analysis of how Critical Information Infrastructure … See: CRS RL30153 and RL31534.