Critical Infrastructure Protection: Current Cyber Sector-Specific Planning Approach Needs Reassessment
The nation's critical infrastructure sectors (e.g., energy, banking) rely extensively on information technology systems. The Department of Homeland Security (DHS) issued guidance in 2006 that instructed lead federal agencies, referred to as sector-specific agencies, to develop plans for protecting the sector's critical cyber and other (physical) infrastructure. These agencies issued plans in 2007, but GAO found that none fully addressed all 30 cyber security-related criteria identified in DHS's guidance and recommended that the plans be updated to address it by September 2008. GAO was asked to determine the extent to which sector plans have been updated to fully address DHS's cyber security requirements and to assess whether these plans and related reports provide for effective implementation. To do this, GAO analyzed documentation, interviewed officials, and compared sector plans and reports with DHS cyber criteria. GAO recommends that DHS assess whether existing sector-specific planning processes should continue to be the nation's approach to securing cyber and other critical infrastructure and consider whether other options would provide more effective results. DHS concurred with the recommendation; however, it took exception to certain report facts and conclusions. GAO addressed these comments, but they did not result in substantive report revisions.