Risk Management and Critical Infrastructure Protection: Assessing, Integrating, and Managing Threats, Vulnerabilities and Consequences (CRS Report for Congress)

Release Date: Revised July 17, 2007
Report Number: RL32561
Report Type: Report
Length: 29 pages
Authors: John Moteff, Resources, Science, and Industry Division
Source Agency: Congressional Research Service
Older Revisions:
  • Revised Jan. 19, 2007 (29 pages)
  • Revised Feb. 4, 2005 (28 pages)
  • Sept. 2, 2004 (27 pages)
Summary:

The Homeland Security Act of 2002 (P.L. 107-296) and other Administration documents have assigned the Department of Homeland Security specific duties associated with coordinating the nation's efforts to protect its critical infrastructure, including using a risk management approach to set priorities. Many of these duties have been delegated to what is now called the National Protection and Programs Directorate.

Risk assessment involves the integration of threat, vulnerability, and consequence information. Risk management involves deciding which risk reduction measures to take based on an agreed-upon risk reduction strategy. Many models/methodologies have been developed by which threats, vulnerabilities, and consequences are integrated to determine risks and then used to inform the allocation of resources to reduce those risks. For the most part, these methodologies consist of the following elements, performed, more or less, in the following order:

  • identify assets and identify which are most critical
  • identify, characterize, and assess threats
  • assess the vulnerability of critical assets to specific threats
  • determine the risk (i.e., the expected consequences of specific types of attacks on specific assets)
  • identify ways to reduce those risks
  • prioritize risk reduction measures based on a strategy

Beginning in 2003, the Department of Homeland Security has been accumulating a list of infrastructure assets (specific sites and facilities). From this list the Department selects high-priority assets that it judges to be critical from a national point of view, based on the potential consequences associated with their loss. The Department intends to assess the vulnerability of all the high-priority assets it has identified. Department officials have stated, in very general terms, that these vulnerability and consequence assessments are used to determine the risk each asset poses to the nation. This risk assessment is then used to prioritize subsequent additional protection activities. While these statements allude to some of the steps mentioned above, they do so only in a most general way.

With its release of the National Infrastructure Protection Plan in June 2006, the Department has laid out a much more detailed discussion of the risk management methodology it intends to use (or is using). The Department's efforts, to date, still raise several questions, ranging from the process and criteria used to populate its lists of assets, to its prioritization strategy, to the extent to which the Department is coordinating its efforts with the intelligence community and other agencies both internal and external to the Department. This report will be updated as needed.