In an effort to gauge why owners and operators declined site security surveys and vulnerability assessments, the GAO conducted a web-based survey of nearly all PSAs. According to the results, PSAs reported there were three main reasons why owners and operators declined an ECIP or an SAV. The two major concerns, noted almost equally, were that stakeholders were already subject to federal or state safety and security regulations or that they were worried that information they provide to DHS might not be properly safeguarded. The final reason was that critical infrastructure owners and operators were fearful any vulnerabilities discovered could open them to liability if an incident occurred at the asset.
While DHS said it’s developing a survey tool that will allow PSAs to collect the reasons why owners and operators decline to participate in the security assessments, its auditors were not satisfied with the details. “DHS could not provide specifics as to what would be included in the tool, which office would be responsible for implementing it, or timeframes for its implementation,” according to the GAO.
To find out for sure why owners and operators decline DHS security assessments, the GAO has recommended that DHS develop a road map, with timeframes and milestones, to systematically record the reasons why owners and operators decline to participate in ECIP surveys and SAVs.
In response to DHS’s comments, the GAO’s Stephen Caldwell, director of homeland security and justice issues, wrote that “DHS’s proposed actions appear to be a step in the right direction, but it is too early to tell whether DHS’s actions will result in an improved mechanism for systematically assessing why owners and operators decline to participate.”
♦ Screenshot of GAO's Critical Infrastructure Protection report