#468 – CRITICAL INFRASTRUCTURE RISK MANAGEMENT – JAMES KLINE PH.D.

On March 19, 2025, President Trump signed an Executive Order entitled “Achieving Efficiency Through State and Local Preparedness.” (1) The purpose of the order is to devolve responsibility for the risk management of critical infrastructure to state and local governments.

In December 2024 the Government Accountability Office (GAO) issued the results of an audit of the Department of Homeland Security’s Artificial Intelligence risk assessment compliance. (2)

This piece looks at the Executive Order and the implications of the GAO’s audit methodology for use as a template to assess state and local government critical infrastructure risk management.

Executive Order

The Executive Order seeks to create a commonsense approach to preparedness and infrastructure resilience. Its clear intent is to devolve the responsibility for Critical Infrastructure Risk Management to state and local government: “Federal policy must rightly recognize that preparedness is most effectively owned and managed at the State, local and even individual levels, supported by a competent, accessible and efficient Federal Government.”

The order shifts the focus of infrastructure risk management from an all-hazards approach to one that is risk informed. To further this reorientation, a National Risk Register is to be developed. The Risk Register shall identify, articulate and quantify natural and “malign risks” to the nation’s infrastructure. It will also provide a template for developing the methodology and architecture for implementing a National Resilience Strategy. The federal government will use this template in evaluating state and local government Critical Infrastructure Risk Management plans, and that evaluation will affect the allocation of federal funds and the development of associated regulations.

The Executive Order provides only general direction to federal agencies; to determine the practical implications one needs to look elsewhere. That elsewhere is the GAO audit methodology applied to DHS’s Artificial Intelligence Risk Assessment.

GAO Artificial Intelligence Risk Assessment Audit

On December 24, 2024, the GAO issued the results of its audit of DHS’s Artificial Intelligence Risk Assessment. The purpose of the audit was to determine the extent to which the Sector Risk Management Agencies had evaluated potential risks and developed mitigation strategies to address risk related to AI.

To make this assessment GAO examined the best practices for assessing IT risks and mitigation, AI risks and risks related to each of the sixteen critical infrastructure sectors. Based on this analysis, GAO developed six key activities against which to evaluate the risk assessment of each of the sixteen Sector Risk Management Agencies and one subsector with respect to AI.

Table 1 lists the six key activities along with a description.

The results of the audit indicate that the SRMAs had taken steps to evaluate potential risks and develop mitigation strategies as called for in federal policy and guidelines. However, none fully addressed the six activities selected for this assessment. Sixteen addressed activities 1, 2, 3 and 5. None addressed activity 4. Only seven addressed activity 6.

There are two important aspects of the audit. The first is that the seventeen SRMAs have further work to do before they can be considered to be successfully managing the risks associated with Critical Infrastructure. While they can identify the risks, they have not evaluated the adverse impact in terms of likelihood and consequence.

The second is the methodology. The six activities provide a template for examining an organization’s risk management or Enterprise Risk Management (ERM) processes. While the audit focused on AI, the ERM process can be applied to all enterprise activities, so the methodology is applicable to any area of critical infrastructure. Consequently, it is likely to be used to evaluate the Critical Infrastructure Risk Management activities of state and local government, in accordance with the intent of the Presidential Executive Order.

Summary

President Trump, via Executive Order, is changing the response to dangers to Critical Infrastructure in two respects. First, he is moving away from an “all hazards” approach to one that is based on risk assessment. As a result, the federal government will develop a National Risk Register. The risks will be prioritized based on the likelihood of their occurrence and the impact they will have. This register will help inform federal agencies on where and how to spend federal dollars and which regulations need to be added, modified or eliminated.


Second, the primary responsibility for Critical Infrastructure Risk Management will rest at the state and local government level. This devolution of responsibilities will require state and local governments to implement risk-based assessment in the management of their critical infrastructure. A possible template that the federal government might use in assessing state and local governments’ Critical Infrastructure Risk Management processes is the one the GAO used in evaluating DHS’s Artificial Intelligence Risk Assessment.

Endnotes

  1. White House, 2025, Achieving Efficiency Through State and Local Preparedness, March 19, https://www.whitehouse.gov/presidential-actions/2025/03/achieving-efficiency-through-state-and-local-preparedness.
  2. Government Accountability Office, 2024, Artificial Intelligence: DHS Needs to Improve Risk Assessment Guidance for Critical Infrastructure Sectors, GAO-25-107435, December 24, https://www.gao.gov/products/gao-25-107435.

James J. Kline has a PhD from Portland State University. He has worked for the federal, state, and local government. He has consulted on economic, quality and workforce development issues. He has authored numerous articles on quality and risk management in government. His books Enterprise Risk Management in Government: Implementing ISO 31000:2018 and Risk Based Thinking for Government, are available on Amazon. He edited “Quality Disrupted” which is also available on Amazon.
