I currently have clients who have to deal with up to five separate federally regulated or supervised risk management programs. These include MTSA, CFATS, NERC CIP, EPA Programs and TSA Pipeline Security (not to mention DOT Security for their vehicles). All have different risk management practices, including different threat assessment methodologies (if any), methods for measuring consequence and techniques for identifying vulnerabilities, yet they result in somewhat similar security plans. I recommend that the Office of Infrastructure Protection develop a Critical Infrastructure / Key Resource security plan template as well as a methodology for determining risk ACROSS ALL INFRASTRUCTURES. They can be implemented by teams, similar to what the enforcement arms do on the BEST teams on the Southern Border. One plan that protects ALL of the areas of consequence on each facility. Better yet, the entire facility. We do it in private industry all of the time. The cost of managing all of these different programs is staggering. The worst part is that as each segment of the federal government manages its piece of the pie, there are often vulnerabilities undetected or at least unmitigated because nobody regulates the grey areas or areas on the borders between each program.
Idea No. 21