From fiscal 2011 to 2013, various DHS offices and components conducted or required thousands of vulnerability assessments of critical infrastructure, but DHS is not positioned to integrate them in order to identify priorities, GAO has said.
It said that although the Homeland Security Act of 2002 and the National Infrastructure Protection Plancall for DHS to integrate those vulnerability assessments to identify priorities, the department cannot do so because of variation in the areas to be assessed for vulnerability included in the various tools and methods used by DHS.
DHS offices and components have not consistently captured and maintained data on vulnerability assessment activities in a way that allows DHS to identify potential duplication or overlap, according to GAO-14-507.
It said that having consistent data would also better position DHS to minimize the fatigue critical infrastructureowners expressed experiencing from participation in multiple assessments.
The report also said that DHS lacks sufficient information about the assessment tools and methods conducted or offered by federal entities external to DHS with critical infrastructureresponsibilities, such as the EPA, which oversees critical infrastructure activities related to water and wastewater systems.
DHS agreed with recommendations to identify the areas assessed for vulnerability most important for integrating and comparing results, establish guidance for DHS offices and components to incorporate these areas into their assessments, ensure that assessment data are consistently collected, and work with other federal entities to develop guidance for what areas to include in vulnerability assessments.
