DHS Doesn't Know Why CIKR Stakeholders Don't Participate in Voluntary Security Assessments
Congress's watchdog reports that DHS does not track why some infrastructure asset owners and operators decline its free and voluntary site security surveys and vulnerability assessments, thereby losing an opportunity to increase participation in these security services.
The Department of Homeland Security (DHS) does not track why some infrastructure asset owners and operators decline its free and voluntary site security surveys and vulnerability assessments, thereby losing an opportunity to increase participation in these services by addressing owner and operator concerns, according to the Government Accountability Office (GAO).
Critical infrastructure owners and operators can allow DHS to assess their assets’ security vulnerabilities through two options offered by the department's Office of Infrastructure Protection: the Enhanced Critical Infrastructure Protection (ECIP) security surveys and Site Assistance Visit (SAV) vulnerability assessments. Each service’s goal is to identify security gaps and overlaps at an asset and help critical infrastructure owners and operators, who are overwhelmingly in the private sector, protect their assets and increase their resilience if bad things do occur.
During an ECIP, a protective security advisor (PSA)--a DHS field representative in a particular area who promotes these security services to critical infrastructure stakeholders--conducts a half- to full-day survey of the asset’s security posture. The results, which compare the asset’s security measures to other assets in the same sector, are then shown to stakeholders to increase their security awareness.
An SAV is a more comprehensive look at an asset’s security posture, the goal of which is to identify security gaps and make suggestions to rectify them. The visit, which is conducted by an infrastructure protection team in coordination with the area’s PSA, can take up to three days to complete. (For previous coverage of the SAV, read “Dover Speedway Plays It Safe” from the June 2009 issue of Security Management.)
Because both programs are voluntary and require the consent of the owner or operator of the asset, such as a dam, some owners and operators decline PSA invitations to participate in ECIP surveys or SAVs. DHS, however, does not require PSAs to record the reason why owners and operators deny their requests--an oversight GAO considers shortsighted.
“It is important that DHS systematically identify reasons why high-priority asset owners and operators may decline to participate, especially if reasons differ from PSA region to PSA region or by sector or subsector,” the report states. “By doing so, DHS may be able to assess which declinations are within DHS’s ability to control or influence and strategize how the security survey and vulnerability assessment program and DHS’s approach toward promoting it can be modified to overcome any barriers identified.”
In an effort to gauge why owners and operators declined site security surveys and vulnerability assessments, the GAO conducted a web-based survey of nearly all PSAs. According to the results, PSAs reported there were three main reasons why owners and operators declined an ECIP or an SAV. The two major concerns, noted almost equally, were that stakeholders were already subject to federal or state safety and security regulations or that they were worried that information they provide to DHS might not be properly safeguarded. The final reason was that critical infrastructure owners and operators were fearful any vulnerabilities discovered could open them to liability if an incident occurred at the asset.
While DHS said it’s developing a survey tool that will allow PSAs to collect the reasons why owners and operators decline to participate in the security assessments, its auditors were not satisfied with the details. “DHS could not provide specifics as to what would be included in the tool, which office would be responsible for implementing it, or timeframes for its implementation,” according to the GAO.
To find out for sure why owners and operators decline DHS security assessments, the GAO has recommended that DHS develop a road map, with timeframes and milestones, to systematically record the reasons why owners and operators decline to participate in ECIP surveys and SAVs.
In response to DHS’s comments, the GAO’s Stephen Caldwell, director of homeland security and justice issues, wrote that “DHS’s proposed actions appear to be a step in the right direction, but it is too early to tell whether DHS’s actions will result in an improved mechanism for systematically assessing why owners and operators decline to participate.”
♦ Screenshot of GAO's Critical Infrastructure Protection report