Risk Management and Critical Infrastructure Protection: Assessing, Integrating, and Managing Threats, Vulnerabilities and Consequences [Updated February 4, 2005] [open pdf - 124KB]
"The 9/11 Commission recommended that efforts to protect various modes of transportation and allocation of federal assistance to state and local governments should be based on an assessment of risk. In doing so, the Commission was reiterating existing federal policy regarding the protection of all the nation's critical infrastructures. The Homeland Security Act of 2002 (P.L. 107-296) and other Administration documents have assigned the Department of Homeland Security specific duties associated with coordinating the nation's efforts to protect its critical infrastructure, including using a risk management approach to set priorities. Many of these duties have been delegated to the Information Analysis and Infrastructure Protection (IA/IP) Directorate. [...] The IA/IP Directorate has been accumulating a list of infrastructure assets (specific sites and facilities). From this list the Directorate is selecting assets that have been judged to be critical from a national point of view. The Directorate intends to assess the vulnerability of all the assets on this shorter list. According to Directorate officials, vulnerability assessments and threat information are considered when determining the risk each asset poses to the nation. This risk assessment is then used to prioritize subsequent additional protection activities. The IA/IP Directorate's efforts to date, however, raise several concerns, ranging from the process and criteria used to populate its lists of assets, its prioritization strategy, and the extent to which the Directorate is coordinating its efforts with the intelligence community and other agencies both internal and external to the Department."
CRS Report for Congress, RL32561