The Department of Homeland Security (DHS) does not track why some infrastructure asset owners and operators decline its free and voluntary site security surveys and vulnerability assessments, thereby losing an opportunity to increase participation in these services by addressing owner and operator concerns, according to the Government Accountability Office (GAO).
Critical infrastructure owners and operators can allow DHS to assess their assets’ security vulnerabilities through two options offered by the department's Office of Infrastructure Protection: the Enhanced Critical Infrastructure Protection (ECIP) security surveys and Site Assistance Visit (SAV) vulnerability assessments. Each service’s goal is to identify security gaps and overlaps at an asset and help critical infrastructure owners and operators, who are overwhelmingly in the private sector, protect their assets and increase their resilience if bad things do occur.
During an ECIP, a protective security advisor (PSA)--a DHS field representative in a particular area who promotes these security services to critical infrastructure stakeholders--conducts a half- to full-day survey of the asset’s security posture. The results, which compare the asset’s security measures to other assets in the same sector, are then shown to stakeholders to increase their security awareness .
An SAV is a more comprehensive look at an asset’s security posture, the goal of which is to identify security gaps and make suggestions to rectify them. The visit, which is conducted by an infrastructure protection team in coordination with the area’s PSA, can take up to three days to complete. (For previous coverage of the SAV, read “Dover Speedway Plays It Safe” from the June 2009 issue of Security Management.)
Because both programs are voluntary and require the consent of the owner or operator of the asset, such as a dam, some owners and operators decline PSA invitations to participate in ECIP surveys or SAVs. DHS, however, does not require PSAs to record the reason why owners and operators deny their requests--an oversight GAO considers shortsighted.
“It is important that DHS systematically identify reasons why high-priority asset owners and operators may decline to participate, especially if reasons differ from PSA region to PSA region or by sector or subsector,” the report states. “By doing so, DHS may be able to assess which declinations are within DHS’s ability to control or influence and strategize how the security survey and vulnerability assessment program and DHS’s approach toward promoting it can be modified to overcome any barriers identified.”