The federal agencies charged with protecting the nation’s highway systems have failed to adequately coordinate risk analysis efforts, share risk data, and catalog and measure mitigation measures, according to a new report by the independent U.S. Government Accountability Office (GAO) [1].

GAO blames the Transportation Security Administration (TSA), which under the National Infrastructure Protection Plan (NIPP) [2] is responsible for coordinating sector-specific risk management efforts between a variety of other federal, state, and private-sector stakeholders.

TSA and federal partners including the Department of Transportation’s Federal Highway Administration, “have several efforts underway to assess threat, vulnerability, and consequence—the three elements of risk—for highway infrastructure; however, these efforts have not been systematically coordinated among key federal partners and the results are not routinely shared,” GAO found.

"In order to strengthen collaboration between federal stakeholders involved in securing highway infrastructure, we are recommending that DHS establish a mechanism to systematically coordinate risk assessment activities and share the results of these activities among federal stakeholders," GAO wrote.

In 2006, the U.S. Department of Homeland Security formalized its risk-based approach to protect critical infrastructure and key resources (CI/KR) in the NIPP, which was supplemented a year later with sector-specific plans [3] (SSPs), including the Transportation Systems SSP [4] and its modal annexes, among them the Highway Infrastructure and Motor Carrier Modal Annex.

The highway annex named stakeholders to the protection process and set primary risk-management goals for the sector, including establishment of standardized risk assessment and management methodologies for the sector, training, simplified licensing programs, and integration of security into future infrastructure designs.

In its new report, GAO calls the highway annex “an important first step” but criticized the absence of any concrete risk data. In its response to a draft of the report, TSA explained that the original annex was produced under tight time constraints.

Risk assessments of key national CI/KR are typically administered by owner-operators, in close collaboration with DHS infrastructure protection advisors, who counsel management during formal site assistance visits. TSA pledged to GAO that the agency would conduct its own risk assessments of “all bridge and tunnel properties that TSA has identified as critical beginning this year."

Finally, GAO faulted TSA for not establishing a mechanism to catalog and measure mitigation efforts against risk. “Without such a monitoring mechanism, TSA cannot determine the level of security preparedness of the nation’s critical highway infrastructure,” GAO wrote.

A scheduled revision of the NIPP came out last month, while revisions of the SSPs and transportation modal annexes are expected. TSA told GAO that the revisions would incorporate the new report’s recommendations.