Preface
Risk in the 21st century results from a complex mix of manmade and naturally occurring threats and hazards, including terrorist attacks, hurricanes, earthquakes, floods, power outages, hazardous materials spills, and industrial accidents. Within this context, our critical infrastructure and key resources (CIKR) are inherently vulnerable both within and across sectors, due to the nature of their physical, geographical, and virtual interconnections.
Within the CIKR protection mission area, national priorities must include preventing catastrophic loss of life and managing cascading, disruptive impacts to the U.S. and global economies across multiple threat scenarios. Achieving this goal requires a strategy appropriately balancing resiliency—a traditional American strength in adverse times—with focused, risk-informed prevention, protection, and preparedness activities so that we can manage and reduce the most serious risks we face.
These concepts represent the pillars of our National Infrastructure Protection Plan (NIPP) and its 18 supporting Sector-Specific Plans (SSPs). They are carried out in practice by an integrated network of Federal departments, State and local government agencies, private sector entities, and a growing number of regional consortia—all operating together with a largely voluntary CIKR protection framework. This multi-dimensional public-private sector partnership is the key to success in this inherently complex mission area. Integrating multi-jurisdictional and multi-sector authorities, capacities, and resources in a unified approach that is also tailored to specific sector and regional risk landscapes and operating environments is the path to successfully enhancing our Nation’s CIKR protection.
The NIPP meets the requirements that the President set forth in Homeland Security Presidential Directive 7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection, and provides the overarching approach for integrating the Nation’s many CIKR protection initiatives into a single national effort. It sets forth a comprehensive risk management framework and clearly defined roles and responsibilities for the Department of Homeland Security; Federal Sector-Specific Agencies; and other Federal, State, local, tribal, territorial, regional, and private sector partners.
The 2009 NIPP captures the evolution and maturation of the processes and programs first outlined in 2006. The current document was developed collaboratively with CIKR partners at all levels of government and the private sector. Participation in the implementation of the NIPP provides the government and the private sector the opportunity to use collective expertise and experience to more clearly define CIKR protection issues and practical solutions and to ensure that existing CIKR protection planning efforts, including business continuity and resiliency planning, are recognized.
I ask for your continued commitment and cooperation in the implementation of both the NIPP and the supporting SSPs so that we continue to enhance the protection of the Nation’s CIKR.
Table of Contents
Preface
Executive Summary
  1 Introduction
  2 Authorities, Roles, and Responsibilities
  3 The CIKR Protection Program Strategy: Managing Risk
  4 Organizing and Partnering for CIKR Protection
  5 CIKR Protection: An Integral Part of the Homeland Security Mission
  6 Ensuring an Effective, Efficient Program Over the Long Term
  7 Providing Resources for the CIKR Protection Program
1. Introduction
  1.1 Purpose
  1.2 Scope
  1.3 Applicability
  1.4 Threats to the Nation’s CIKR
  1.5 All-Hazards and CIKR Protection
  1.6 Planning Assumptions
  1.7 Special Considerations
  1.8 Achieving the Goal of the NIPP
2. Authorities, Roles, and Responsibilities
  2.1 Authorities
  2.2 Roles and Responsibilities
3. The Strategy: Managing Risk
  3.1 Set Goals and Objectives
  3.2 Identify Assets, Systems, and Networks
  3.3 Assess Risks
  3.4 Prioritize
  3.5 Implement Protective Programs and Resiliency Strategies
  3.6 Measure Effectiveness
  3.7 Using Metrics and Performance Measurement for Continuous Improvement
4. Organizing and Partnering for CIKR Protection
  4.1 Leadership and Coordination Mechanisms
  4.2 Information Sharing: A Network Approach
  4.3 Protection of Sensitive CIKR Information
  4.4 Privacy and Constitutional Freedoms
5. CIKR Protection as Part of the Homeland Security Mission
  5.1 A Coordinated National Approach to the Homeland Security Mission
  5.2 The CIKR Protection Component of the Homeland Security Mission
  5.3 Relationship of the NIPP and SSPs to Other CIKR Plans and Programs
  5.4 CIKR Protection and Incident Management
6. Ensuring an Effective, Efficient Program Over the Long Term
  6.1 Building National Awareness
  6.2 Conducting Research and Development and Using Technology
  6.3 Building, Protecting, and Maintaining Databases, Simulations, and Other Tools
  6.4 Continuously Improving the NIPP and the SSPs
7. Providing Resources for the CIKR Protection Program
  7.1 The Risk-informed Resource Allocation Process
  7.2 Federal Resource Allocation Process for DHS, the SSAs, and Other Federal Agencies
  7.3 Federal Resources for State and Local Government Preparedness
  7.4 Other Federal Grant Programs That Contribute to CIKR Protection
  7.5 Setting an Agenda in Collaboration with CIKR Protection Partners
List of Acronyms and Abbreviations
Executive Summary
Protecting the critical infrastructure and key resources (CIKR) of the United States is essential to the Nation’s security, public health and safety, economic vitality, and way of life. Attacks on CIKR could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident. Direct terrorist attacks and natural, manmade, or technological hazards could produce catastrophic losses in terms of human casualties, property destruction, and economic effects, as well as profound damage to public morale and confidence. Attacks using components of the Nation’s CIKR as weapons of mass destruction could have even more devastating physical and psychological consequences.
1 Introduction
The overarching goal of the National Infrastructure Protection Plan (NIPP) is to:
Build a safer, more secure, and more resilient America by enhancing protection of the Nation’s CIKR to prevent, deter, neutralize, or mitigate the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit them; and to strengthen national preparedness, timely response, and rapid recovery in the event of an attack, natural disaster, or other emergency.
The NIPP provides the unifying structure for the integration of existing and future CIKR protection efforts and resiliency strategies into a single national program to achieve this goal. The NIPP framework will enable the prioritization of protection initiatives and investments across sectors to ensure that government and private sector resources are applied where they offer the most benefit for mitigating risk by lessening vulnerabilities, deterring threats, and minimizing the consequences of terrorist attacks and other manmade and natural disasters. The NIPP risk management framework recognizes and builds on existing protective programs and initiatives.
Protection includes actions to mitigate the overall risk to CIKR assets, systems, networks, functions, or their interconnecting links resulting from exposure, injury, destruction, incapacitation, or exploitation. In the context of the NIPP, this includes actions to deter the threat, mitigate vulnerabilities, or minimize consequences associated with a terrorist attack or other incident (see figure S-1). Protection can include a wide range of activities, such as hardening facilities, building resiliency and redundancy, incorporating hazard resistance into initial facility design, initiating active or passive countermeasures, installing security systems, promoting workforce surety programs, implementing cybersecurity measures, training and exercises, and business continuity planning, among various others.
Achieving the NIPP goal requires actions to address a series of objectives that include:
Understanding and sharing information about terrorist threats and other hazards;
Building partnerships to share information and implement CIKR protection programs;
Private Sector Owners and Operators: Undertake CIKR protection, restoration, coordination, and cooperation activities, and provide advice, recommendations, and subject matter expertise to the Federal Government;
Homeland Security Advisory Councils: Provide advice, recommendations, and expertise to the government regarding protection policy and activities.
Academia and Research Centers: Provide CIKR protection subject matter expertise, independent analysis, research and development (R&D), and educational programs.
Table S-1: Sector-Specific Agencies and Assigned CIKR Sectors
[1] The Department of Agriculture is responsible for agriculture and food (meat, poultry, and egg products).
[2] The Department of Health and Human Services, Food and Drug Administration is responsible for food other than meat, poultry, and egg products.
[3] Nothing in this plan impairs or otherwise affects the authority of the Secretary of Defense over the Department of Defense (DOD), including the chain of command for military forces from the President as Commander in Chief, to the Secretary of Defense, to the commander of military forces, or military command and control procedures.
[4] The Energy Sector includes the production, refining, storage, and distribution of oil, gas, and electric power, except for nuclear power facilities.
[5] The U.S. Coast Guard is the SSA for the maritime transportation mode.
[6] As stated in HSPD-7, the Department of Transportation and the Department of Homeland Security will collaborate on all matters relating to transportation
programs and procedures, such as the Protected Critical Infrastructure Information (PCII) Program, to ensure that security-related information is properly safeguarded. Other relevant programs and procedures include Sensitive Security Information for transportation activities, Unclassified Controlled Nuclear Information, contractual provisions, classified national provisions, Classified National Security Information, Law Enforcement Sensitive Information, Federal Security Information Guidelines, Federal Security Classification Guidelines, and other requirements established by law.
The CIKR protection activities defined in the NIPP are guided by legal requirements such as those described in the Privacy Act of 1974, and are designed to achieve a balance between an appropriate level of security and protection of civil rights and liberties.
involve private sector partners in the planning process, and supports collaboration among CIKR partners to establish priorities, define requirements, share information, and maximize the use of finite resources.
1. Introduction
Protecting and ensuring the continuity of the critical infrastructure and key resources (CIKR) of the United States is essential to the Nation’s security, public health and safety, economic vitality, and way of life. CIKR includes assets, systems, and networks, whether physical or virtual, so vital that their failure or destruction would have a debilitating impact on security, continuity of government, continuity of operations, public health and safety, public confidence, or any combination of these effects. Terrorist attacks as well as manmade or natural disasters could significantly disrupt the functioning of government and business alike, and produce cascading effects far beyond the affected CIKR and physical location of the incident. Direct and indirect impacts could result in large-scale human casualties, property destruction, and economic disruption, and also significantly damage national morale and public confidence. Terrorist attacks using components of the Nation’s CIKR as weapons of mass destruction (WMD)[8] could have even more devastating physical, psychological, and economic consequences.
The protection of the Nation’s CIKR is essential for making America safer, more secure, and more resilient in the context of terrorist attacks and other natural and manmade hazards. Protection includes actions to mitigate the overall risk to physical, cyber, and human CIKR assets, systems, networks, functions, or their interconnecting links resulting from exposure, injury, destruction, incapacitation, or exploitation. In the context of the National Infrastructure Protection Plan (NIPP), this includes actions to deter the threat, mitigate vulnerabilities, or minimize consequences associated with a terrorist attack or manmade or natural disaster (see figure 1-1). Protection can include a wide range of activities such as improving business protocols, hardening facilities, building resiliency and redundancy, incorporating hazard resistance into initial facility design, initiating active or passive countermeasures, installing security systems, leveraging “self-healing” technologies, promoting workforce surety programs, implementing cybersecurity measures, training and exercises, and business continuity planning, among various others. The NIPP (June 2006; revised ___ 2009) and its complementary Sector-Specific Plans (SSPs) (May 2007; to be reissued in 2010) provide a consistent, unifying structure for integrating both existing and future CIKR protection efforts. The NIPP also provides the core processes and mechanisms that enable all levels of government and private sector partners to work together to implement CIKR protection in an effective and efficient manner.
[8] (1) Any explosive, incendiary, or poison gas (i) bomb, (ii) grenade, (iii) rocket having a propellant charge of more than 4 ounces, (iv) missile having an explosive or incendiary charge of more than one-quarter ounce, or (v) mine or (vi) similar device; (2) any weapon that is designed or intended to cause death or serious bodily injury through the release, dissemination, or impact of toxic or poisonous chemicals or their precursors; (3) any weapon involving a disease organism; or (4) any weapon that is designed to release radiation or radioactivity at a level dangerous to human life (18 U.S.C. 2332a).
The NIPP was developed through extensive coordination with partners at all levels of government and the private sector. NIPP processes are designed to be adapted and tailored to individual sector and partner requirements, including State, local, or regional issues. Participation in the implementation of the NIPP provides the government and the private sector the opportunity to use collective expertise and experience to more clearly define CIKR protection issues and practical solutions, and to ensure that existing CIKR protection approaches and efforts, including business continuity and resiliency planning, are recognized.
Since the NIPP and the SSPs were first released, the processes and programs outlined in those documents have continued to evolve and mature. This update to the NIPP reflects many of those advances, including:
The release of the SSPs, which followed the release of the NIPP
Establishment of Critical Manufacturing as the 18th CIKR sector and designation of Education as a subsector of Government Facilities
Expansion of the sector partnership model to include the geographically focused Regional Consortium Coordinating Council
Integration with State and local fusion centers
Evolution of the National Asset Database to the Infrastructure Information Collection System and the Infrastructure Data Warehouse
Developments in the programs, approaches, and tools used to implement the NIPP risk management framework
Updates on risk methodologies, information sharing mechanisms, and other DHS-led programs
Inclusion of robust measurement and reporting processes
Description of additional Homeland Security Presidential Directives, National Strategies, and legislation
Release of the Chemical Facility Anti-Terrorism Standards, regulating a segment of those industries that involve the production, use, and storage of high-risk chemicals
Discussion of expanded education, training, outreach, and exercise programs
Evolution from the National Response Plan to the National Response Framework
Inclusion of further information on research and development and modeling, simulation, and analysis efforts
Additionally, the revised NIPP integrates the concepts of resiliency and protection and broadens the focus of NIPP-related programs and activities to the all-hazards environment.
1.1 Purpose
The NIPP provides the framework for the unprecedented cooperation that is needed to develop, implement, and maintain a coordinated national effort that brings together government at all levels, the private sector, nongovernmental organizations, and international partners. The NIPP depends on supporting SSPs for full implementation of this framework within and across each CIKR sector. SSPs are developed by the Federal Sector-Specific Agencies (SSAs) designated in HSPD-7 in close collaboration with sector partners.
Together, the NIPP and SSPs provide the mechanisms for identifying critical assets, systems, and networks and their associated functions; understanding threats to CIKR; assessing vulnerabilities and consequences; prioritizing protection initiatives and investments based on costs and benefits so that they are applied where they offer the greatest mitigation of risk; and enhancing information-sharing mechanisms and protective measures within and across CIKR sectors. The NIPP and SSPs will evolve in accordance with changes to the Nation’s CIKR and the risk environment, as well as evolving strategies and technologies for protecting against and responding to threats and incidents. Implementation of the NIPP and the SSPs occurs at all levels by all parties from Federal agencies to State, regional, and local organizations, to individual CIKR owners and operators.
1.2 Scope
The NIPP considers a full range of physical, cyber, and human security factors within and across all of the Nation’s CIKR sectors. In accordance with the policy direction established in Homeland Security Presidential Directive 7 (HSPD-7), the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, and the National Strategy to Secure Cyberspace, the NIPP includes an augmented focus on the protection of CIKR from the unique and potentially catastrophic impacts of terrorist attacks. At the same time, the NIPP builds on and is structured to be consistent with and supportive of the Nation’s all-hazards approach to homeland security preparedness and domestic incident management. Many of the benefits of enhanced CIKR protection are most sustainable when protective programs and resiliency strategies are designed to address all hazards.
The NIPP addresses ongoing and future activities within each of the CIKR sectors identified in HSPD-7 and across the sectors regionally, nationally, and within individual States or communities. It defines processes and mechanisms used to prioritize protection of U.S. CIKR (including territories and territorial seas) and to address the interconnected global networks upon which the Nation’s CIKR depend. The processes outlined in the NIPP and the SSPs recognize that protective measures do not end at a facility’s fence line or at a national border, and are often a component of a larger business continuity approach. Also considered are the implications of cross-border infrastructures, international vulnerabilities, and cross-sector dependencies and interdependencies.
1.3 Applicability
While the NIPP covers the full range of CIKR sectors as defined in HSPD-7, it is applicable to the various public and private sector CIKR partners in different ways. The framework generally is applicable to all partners with CIKR protection responsibilities and includes explicit roles and responsibilities for the Federal Government, including CIKR under the control of independent regulatory agencies, and the legislative, executive, or judicial branches. Federal departments and agencies with specific responsibilities for CIKR protection are required to take actions consistent with HSPD-7. The NIPP also provides an organizational structure, guidelines, and recommended activities for other partners to help ensure consistent implementation of the national framework and the most effective use of resources. State,[9] local,[10] and tribal government partners are required to establish CIKR protection programs consistent with the National Preparedness Guidelines and as a condition of eligibility for certain Federal grant programs.
Private sector owners and operators are encouraged to participate in the NIPP partnership model and to initiate measures to augment existing plans for risk management, resiliency, business continuity, and incident management and emergency response in line with the NIPP framework.
1.3.1 Goal
The overarching goal of the NIPP is to:
Build a safer, more secure, and more resilient America by enhancing protection of the Nation’s CIKR to prevent, deter, neutralize, or mitigate the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit them; and to strengthen national preparedness, timely response, and rapid recovery in the event of an attack, natural disaster, or other emergency.
Achieving this goal requires meeting a series of objectives that include: understanding and sharing information about terrorist threats and other hazards, building partnerships, implementing a long-term risk management program, and maximizing the efficient use of resources. Measuring progress toward achieving the NIPP goal requires that CIKR partners strive toward:
Coordinated, CIKR risk management plans and programs in place addressing known and potential threats and hazards;
Structures and processes that are flexible and adaptable both to incorporate operational lessons learned and best practices and also to quickly adapt to a changing threat or incident environment;
Processes in place to identify and address dependencies and interdependencies to allow for more timely and effective implementation of short-term protective actions and more rapid response and recovery; and
Access to robust information-sharing networks that include relevant intelligence and threat analysis and real-time incident reporting.
[9] Consistent with the definition of “State” in the Homeland Security Act of 2002, all references to States within the NIPP are applicable to Territories and include by reference any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, and any possession of the United States (Homeland Security Act).
[10] A county, municipality, city, town, township, local public authority, school district, special district, intrastate district, council of governments (regardless of whether the council of governments is incorporated as a nonprofit corporation under State law), regional or interstate government entity, or agency or instrumentality of a local government; an Indian tribe or authorized tribal organization, or, in Alaska, a Native village or Alaska Regional Native Corporation; and a rural community, unincorporated town or village, or other public entity (Homeland Security Act).
networks are owned and operated by the private sector. However, in sectors such as Water and Government Facilities, the majority of owners and operators are government or quasi-governmental entities. The great diversity and redundancy of the Nation’s CIKR provide for significant physical and economic resilience in the face of terrorist attacks, natural disasters, or other emergencies, and contribute to the unprecedented strength of the Nation’s economy. However, this vast and diverse aggregation of highly interconnected assets, systems, and networks may also present an attractive array of targets to domestic and international terrorists and magnify greatly the potential for cascading failure in the wake of catastrophic natural or manmade disasters. Improvements in protection and resilience focusing on elements of CIKR deemed nationally critical (through implementation of the NIPP risk management framework) can make it more difficult for terrorists to launch very destructive attacks, as well as lessen the impacts of any attack or other disaster that does occur.
1.4.2 The Nature of Possible Terrorist Attacks
The number and high profile of international and domestic terrorist attacks during the last two decades underscore the determination and persistence of terrorist organizations. Extremist organizations have proven to be relentless, patient, opportunistic, and flexible, learning from experience and modifying tactics and targets to exploit perceived vulnerabilities and avoid observed strengths. Analysis of terrorist goals and motivations points to domestic and international CIKR as potentially prime targets for terrorist attacks. As security measures around more predictable targets increase, terrorists are likely to shift their focus to less protected targets. Enhancing countermeasures to address any one terrorist tactic or target may increase the likelihood that terrorists will shift to another, which underscores the necessity for a balanced, comparative approach that focuses on managing risk commensurately across all sectors and scenarios of concern.
Terrorist organizations have shown an understanding of the potential consequences of carefully planned attacks on economic, transportation, and symbolic targets both within the United States and abroad. Future terrorist attacks against CIKR located inside the United States and those located abroad could seriously threaten national security, result in mass casualties, weaken the economy, and damage public morale and confidence.
The NIPP considers a broad range of terrorist objectives, intentions, and capabilities to assess the threat to various components of the Nation’s CIKR. Based on that assessment, terrorists may contemplate attacks against the Nation’s CIKR to achieve three general types of effects:
Direct Infrastructure Effects: Disruption or arrest of critical functions through direct attacks on an asset, system, or network.
Indirect Infrastructure Effects: Cascading disruption and financial consequences for the government, society, and economy through public and private sector reactions to an attack. An operation could reflect an appreciation of interdependencies between different elements of CIKR, as well as the psychological importance of demonstrating the ability to strike effectively inside the United States.
Exploitation of Infrastructure: Exploitation of elements of a particular infrastructure to disrupt or destroy another target or produce cascading consequences. Attacks using CIKR elements as a weapon to strike other targets, allowing terrorist organizations to magnify their capabilities far beyond what could be achieved using their own limited resources.
The NIPP outlines the ways in which the Department of Homeland Security (DHS) and its partners use threat analysis to inform comprehensive risk assessments and risk-mitigation activities. The risk management framework discussed in chapter 3 strikes a balance between ways to mitigate specific and general threats. It ensures that the range of plausible attack scenarios considered is broad enough to avoid a “failure of imagination,” yet contains sufficient detail to enable quantitative and qualitative risk assessment and definable actions and programs to enhance resiliency, reduce vulnerabilities, deter threats, and mitigate potential consequences.
1 The development and use of sophisticated analytical and modeling tools to help inform
2 effective risk-mitigation programs in an all-hazards context.
1 CIKR protection planning at the national and sector levels must address the full range
2 of plausible threats and hazards, not just those most frequently reported or considered
3 to be the most likely to occur; and
4 A proactive approach is required to enhance decision-making processes, provide advance
5 warning to potentially targeted or vulnerable CIKR, and assist owners and operators in
6 taking protective steps to enhance CIKR protection in an all-hazards context.
7 1.6.4 All-Hazards Nature of CIKR Protection
8 Natural disasters such as floods, hurricanes, tornadoes, wildfires, pandemics,
9 earthquakes, and unintentional manmade disasters such as oil spills or radiological
10 accidents, also pose threats to the Nation’s CIKR; and
11 Efforts to enhance the protection of CIKR from international and domestic terrorist
12 attacks should support all-hazards preparedness and response whenever possible and
13 vice versa.
Assets, systems, and networks include one or more of the following elements:
Physical—tangible property;
Cyber—electronic information and communications systems, and the information contained
therein; and
Cyber infrastructure includes electronic information and communications systems, and the
information contained in those systems. Computer systems, control systems such as Supervisory
Control and Data Acquisition (SCADA) systems, and networks such as the Internet are all part of
cyber infrastructure.
Information and communications systems are composed of hardware and software that process,
store, and communicate. Processing includes the creation, access, modification, and destruction of
information. Storage includes paper, magnetic, electronic, and all other media types. Communications
include sharing and distribution of information.
Information Technology (IT) critical functions are sets of processes that produce, provide, and
maintain products and services. IT critical functions encompass the full set of processes (e.g., research
and development, manufacturing, distribution, upgrades, and maintenance) involved in transforming
supply inputs into IT products and services.
10 The U.S. economy and national security depend highly upon the global cyber
11 infrastructure. Cyber infrastructure enables all sectors’ functions and services, resulting
12 in a highly interconnected and interdependent global network of CIKR;
13 A spectrum of malicious actors could conduct attacks against the cyber infrastructure
14 using cyber attack tools. Because of the interconnected nature of the cyber
15 infrastructure, these attacks could spread quickly and have a debilitating impact;
16 The use of innovative technology and interconnected networks in operations improves
17 productivity and efficiency, but also increases the Nation’s risk to cyber threats if
18 cybersecurity is not addressed and integrated appropriately;
19 The interconnected and interdependent nature of the Nation’s CIKR makes it
20 problematic to address the protection of physical and cyber assets independently;
21 Cybersecurity includes preventing damage to, unauthorized use of, or exploitation of
22 electronic information and communications systems and the information contained
23 therein to ensure confidentiality, integrity, and availability. Cybersecurity also includes
24 restoring electronic information and communications systems in the event of a terrorist
25 attack or natural disaster; and
26 The NIPP addresses reducing cyber risk and enhancing cybersecurity in two ways: (1)
27 as a cross-sector cyber element that involves DHS, SSAs and GCCs, and private sector
28 owners and operators; and (2) as a major component of the Information Technology
29 sector’s responsibility in partnership with the Communications sector.
30 1.7.3 The Human Element
31 The NIPP recognizes that each CIKR asset, system, and network is made up of physical
32 and cyber components, and human elements;
1 Understanding and sharing information about terrorist threats and other hazards;
2 Building partnerships to share information and implement CIKR protection programs;
3 Implementing a long-term risk management program that includes:
4 - Hardening, distributing, diversifying, and otherwise ensuring the resiliency of CIKR
5 against known threats and hazards, as well as other potential contingencies;
6 - Processes to interdict human threats to prevent potential attacks;
7 - Planning for rapid response to CIKR disruptions to limit the impacts on public
8 health and safety, the economy, and government functions; and
9 - Planning for rapid CIKR restoration and recovery for those events that are not
10 preventable; and
11 Maximizing efficient use of resources for CIKR protection.
12 This section provides a summary of the actions needed to address these objectives. More
13 detailed discussions of these actions are included in the chapters that follow.
14 1.8.1 Understanding and Sharing Information
15 One of the essential elements needed to achieve the Nation’s CIKR protection goals is to
16 ensure the availability and flow of accurate, timely, and relevant information and/or
17 intelligence about terrorist threats and other hazards, information analysis, and incident
18 reporting. This includes actions to:
19 Establish effective information-sharing processes and protocols among CIKR partners;
20 Provide intelligence and information to SSAs and other CIKR sector partners as
21 permitted by law;
22 Analyze, warehouse, and share risk assessment data in a secure manner consistent with
23 relevant legal requirements and information protection responsibilities;
24 Provide protocols for real-time threat and incident reporting, alert, and warning; and
25 Provide protocols for the protection of sensitive information.
26 Chapter 3 details the risk and threat analysis processes and products aimed at better
27 understanding and characterizing terrorist threats. Chapter 4 describes the NIPP network
28 approach to information sharing and the process for protecting sensitive CIKR-related
29 information.
30 1.8.2 Building Partnerships
31 Building partnerships represents the foundation of the national CIKR protection effort.
32 These partnerships provide a framework to:
33 Exchange ideas, approaches, and best practices;
34 Facilitate security planning and resource allocation;
35 Establish effective coordinating structures among partners;
36 Enhance coordination with the international community; and
37 Build public awareness.
38 Chapters 2 and 4 detail partner roles and responsibilities related to CIKR protection, as
39 well as specific mechanisms for governance, coordination, and information sharing
40 necessary to enable effective partnerships.
1 for CIKR protection that reflect appropriate coordination with SSAs and other partners
2 regarding resource prioritization and allocation. Also discussed are processes to utilize
3 grants and other funding authorities to maximize and focus the use of resources to support
4 program priorities.
20 2.1 Authorities
21 The roles and responsibilities described in this chapter are derived from a series of
22 authorities, including the Homeland Security Act of 2002, other CIKR protection-related
23 legislation, executive orders, Homeland Security Presidential directives, and Presidential
24 strategies. The National Strategy for Homeland Security established the national CIKR
25 vision with a charge to “forge an unprecedented level of cooperation throughout all levels of
26 government, with private industry and institutions, and with the American people to
27 protect our critical infrastructures and key assets from terrorist attack.” 11 HSPD-7, Critical
28 Infrastructure Identification, Prioritization, and Protection, provided the direction to
29 implement this vision. More detailed information on these and other CIKR protection-
30 related authorities is included in chapter 5 and appendix 2A.
31 The Homeland Security Act provides the primary authority for the overall homeland
32 security mission and outlines DHS responsibilities in the protection of the Nation’s CIKR.
33 It established the DHS mission, including “reducing the Nation’s vulnerability to terrorist
34 attacks,” major disasters, and other emergencies, and charged the department with the
35 responsibility for evaluating vulnerabilities and ensuring that steps are implemented to
36 protect the high-risk elements of America’s CIKR, including food and water systems,
37 agriculture, health systems and emergency services, information technology,
38 telecommunications, banking and finance, energy (electrical, nuclear, gas and oil, and
39 dams), transportation (air, highways, rail, ports, and waterways), the chemical and defense
11 The National Strategy for Homeland Security uses the term “key assets,” defined as individual targets whose destruction would not endanger vital systems, but
could create local disaster or profoundly damage the Nation’s morale or confidence. The Homeland Security Act and HSPD-7 use the term “key resources,”
defined more generally to capture publicly or privately controlled resources essential to the minimal operations of the economy or government. “Key resources” is
the current terminology.
1 industries, postal and shipping entities, and national monuments and icons. Title II, section
2 201, of the act assigned primary responsibility to DHS to develop a comprehensive national
3 plan for securing CIKR and for recommending “the measures necessary to protect the key
4 resources and critical infrastructure of the United States in coordination with other
5 agencies of the Federal Government and in cooperation with State and local government
6 agencies and authorities, the private sector, and other entities.”
7 A number of other statutes provide authorities both for cross-sector and sector-specific
8 CIKR protection efforts. Some examples of other CIKR protection-related legislation
9 include: The Public Health Security and Bioterrorism Preparedness and Response Act of
10 2002, which was intended to improve the ability of the United States to prevent, prepare
11 for, and respond to acts of bioterrorism and other public health emergencies; the Maritime
12 Transportation Security Act; the Energy Policy and Conservation Act; the Critical
13 Infrastructure Information Act; the Federal Information Security Management Act;
14 Implementing Recommendations of the 9/11 Commission Act of 2007; and various others.
15 Many different HSPDs are also relevant to CIKR protection, including:
16 HSPD-3, Homeland Security Advisory System;
17 HSPD-5, Management of Domestic Incidents: addresses the national approach to
18 domestic incident management;
19 HSPD-8, National Preparedness;
20 HSPD-9, Defense of the United States Agriculture and Food;
21 HSPD-10, Biodefense for the 21st Century;
22 HSPD-19, Combating Terrorist Use of Explosives in the United States; and
23 HSPD-20, National Continuity Policy.
24 These separate authorities and directives are tied together as part of the national approach
25 for CIKR protection through the unifying framework established in HSPD-7. HSPD-7,
26 issued in December 2003, established the U.S. policy for “enhancing protection of the
27 Nation’s CIKR.” HSPD-7 establishes a framework for public and private sector partners to
28 identify, prioritize, and protect the Nation’s CIKR from terrorist attacks, with an emphasis
29 on protecting against catastrophic health effects and mass casualties. The directive sets
30 forth the roles and responsibilities for DHS; SSAs; other Federal departments and agencies;
31 State, local, tribal, and territorial governments; regional partners; the private sector; and
32 other CIKR partners. The following sections address roles and responsibilities under this
33 integrated approach.
1 protection guidance, guidelines, and protocols; and recommending risk management and
2 performance criteria and metrics within and across sectors. Per HSPD-7, DHS is also a
3 focal point for the security of cyberspace. HSPD-7 establishes a central source for
4 coordinating uniform security practices and harmonizing security programs across and
5 within government agencies. In the directive, the President designates the Secretary of
6 Homeland Security as the “principal Federal official to lead, integrate, and coordinate
7 implementation of efforts among Federal departments and agencies, State and local
8 governments, and the private sector to protect critical infrastructure and key resources.”
9 The Secretary of Homeland Security is responsible for addressing the complexities of the
10 Nation’s Federal system of government and its multifaceted and interdependent economy,
11 as well as for establishing structures to enhance the close cooperation between the private
12 sector and government at all levels to initiate and sustain an effective CIKR protection
13 program.
14 In addition to these overarching leadership and cross-sector responsibilities, DHS serves as
15 the SSA for 11 of the CIKR sectors identified in HSPD-7 or subsequently established using
16 the criteria set out in HSPD-7: Information Technology; Communications; Transportation;
17 Chemical; Emergency Services; Nuclear Reactors, Material, and Waste; Postal and
18 Shipping; Dams; Critical Manufacturing; Government Facilities; and Commercial Facilities.
19 Specific SSA responsibilities are discussed in section 2.2.2. DHS, in the person of the
20 Assistant Secretary for Infrastructure Protection or his/her designee, serves as the co-chair
21 of each of the GCCs with the respective SSA for that sector.
22 Additional DHS CIKR protection roles and responsibilities include:
23 Identifying, prioritizing, and coordinating Federal action in support of the protection of
24 nationally critical assets, systems, and networks, with a particular focus on CIKR that
25 could be exploited to cause catastrophic health effects or mass casualties comparable to
26 those produced by a WMD;
27 Coordinating, facilitating, and supporting the overall process for building partnerships
28 and leveraging sector-specific security expertise, relationships, and resources across
29 CIKR sectors, including oversight and support of the sector partnership model described
30 in chapter 4 through several internal Office of Infrastructure Protection branches and
31 offices; cooperation with Federal, State, local, tribal, territorial, and regional partners;
32 and collaborating with the Department of State to reach out to foreign countries and
33 international organizations to strengthen the protection of U.S. CIKR;
34 Supporting the formation and development of regional partnerships, including promoting
35 new partnerships, enabling information sharing, and sponsoring clearances;
36 Establishing and maintaining a comprehensive, multi-tiered, dynamic information-
37 sharing network designed to provide timely and actionable threat information,
38 assessments, and warnings to public and private sector partners. This responsibility includes
39 protecting sensitive information voluntarily provided by the private sector and
40 facilitating the development of sector-specific and cross-sector information-sharing and
41 analysis systems, mechanisms, and processes;
42 Coordinating national efforts for the security of cyber infrastructure, including
43 precursors and indicators of an attack, and understanding those threats in terms of
44 CIKR vulnerabilities;
45 Coordinating, facilitating, and supporting comprehensive risk assessment programs for
46 high-risk CIKR, identifying protection priorities across sectors and jurisdictions, and
1 responsible for developing or revising and then submitting SSPs and sector-level
2 performance feedback to DHS to enable national cross-sector CIKR protection program gap
3 assessments.
4 In accordance with HSPD-7, SSAs are also responsible for collaborating with private sector
5 partners and encouraging the development of appropriate information-sharing and analysis
6 mechanisms within the sector. This includes supporting sector coordinating mechanisms to
7 facilitate sharing of information on physical and cyber threats, vulnerabilities, incidents,
8 recommended protective measures, and security-related best practices. This also includes
9 encouraging voluntary security-related information sharing, where possible, among private
10 entities within the sector, as well as among public and private entities.
11 Table 2-1: Sector-Specific Agencies and Assigned CIKR Sectors 12 13 14 15 16 17 18
12 The Department of Agriculture is responsible for agriculture and food (meat, poultry, and egg products).
13 The Department of Health and Human Services, Food and Drug Administration is responsible for food other than meat, poultry, and egg products.
14 Nothing in this plan impairs or otherwise affects the authority of the Secretary of Defense over the Department of Defense (DOD), including the chain of
command for military forces from the President as Commander in Chief, to the Secretary of Defense, to the commander of military forces, or military command
and control procedures.
15 The Energy Sector includes the production, refining, storage, and distribution of oil, gas, and electric power, except for nuclear power facilities.
16 The U.S. Coast Guard (USCG) is the SSA for the maritime transportation mode.
17 As stated in HSPD-7, the Department of Transportation and the Department of Homeland Security will collaborate on all matters relating to transportation
1 SSAs perform the activities above, as appropriate and consistent with existing authorities
2 (including regulatory authorities in some instances), in close cooperation with other sector
3 partners, including their GCCs. HSPD-7 requires SSAs to provide an annual report to the
4 Secretary of Homeland Security on their efforts to identify, prioritize, and coordinate CIKR
5 protection in their respective sectors. Consistent with this requirement, DHS provides
6 reporting guidance and templates that include requests for specific information, such as
7 sector CIKR protection priorities, requirements, and resources. SSAs also are responsible
8 for outlining these sector-specific CIKR protection requirements and related budget
9 projections as a component of their annual budget submissions to the Office of Management
10 and Budget (OMB).
11 Additional SSA responsibilities include:
12 Identifying, prioritizing, and coordinating the protection of sector-level CIKR with a
13 particular focus on CIKR that could be exploited to cause catastrophic health effects or
14 mass casualties comparable to those produced by a WMD;
15 Managing the overall process for building partnerships and leveraging CIKR security
16 expertise, relationships, and resources within the sector, including sector-level oversight
17 and support of the sector partnership model described in chapter 4;
18 Coordinating, facilitating, and supporting comprehensive risk assessment/management
19 programs for high-risk CIKR, identifying protection priorities, and incorporating CIKR
20 protection activities as a key component of the all-hazards approach to domestic
21 incident management within the sector;
22 Facilitating the sharing of real-time incident notification, as well as CIKR protection
23 best practices and processes, and risk assessment methodologies and tools within the
24 sector;
25 Promoting sector-level CIKR protection education, training, and awareness in
26 coordination with State, local, tribal, territorial, regional, and private sector partners;
27 Informing the annual Federal budget process based on CIKR risk and protection needs
28 in coordination with partners and allocating resources for CIKR protection accordingly;
29 Monitoring performance measures for sector-level CIKR protection and NIPP
30 implementation activities to enable continuous improvement, and reporting progress
31 and gaps to DHS;
32 Contributing to the annual National Critical Infrastructure Protection Research and
33 Development (NCIP R&D) Plan;
34 Identifying/recommending appropriate strategies to encourage private sector
35 participation;
36 Supporting DHS-initiated data calls to populate the Infrastructure Data Warehouse
37 (IDW), enable national-level risk assessment, and inform national-level resource
38 allocation;
39 Supporting protocols for the Protected Critical Infrastructure Information (PCII)
40 Program;
41 Working with DHS to develop, evaluate, validate, or modify sector-specific risk
42 assessment tools;
43 Supporting sector-level dependency, interdependency, consequence, and other analysis
44 as required;
1 Acting as a focal point for and promoting the coordination of protective and emergency
2 response activities, preparedness programs, and resource support among local agencies,
3 businesses, and citizens;
4 Developing a consistent approach at the local level to CIKR identification, risk
5 determination, mitigation planning, and prioritized security investment, and exercising
6 preparedness among all relevant partners within the jurisdiction;
7 Identifying, implementing, and monitoring a risk management plan, and taking
8 corrective actions as appropriate;
9 Participating in significant national, regional, and local awareness programs to
10 encourage appropriate management and security of cyber systems;
11 Facilitating the exchange of security information, including threat assessments, attack
12 indications and warnings, and advisories, among partners within the jurisdiction;
13 Participating in the NIPP sector partnership model, including GCCs, SCCs, SLTTGCC,
14 and other CIKR governance efforts and SSP planning efforts relevant to the given
15 jurisdiction;
16 Ensuring that funding priorities are addressed and that resources are allocated
17 efficiently and effectively to achieve the CIKR protection mission in accordance with
18 relevant plans and strategies;
19 Sharing information with partners, as appropriate, on CIKR deemed critical from the
20 local perspective to enable prioritized protection and restoration of critical public
21 services, facilities, utilities, and processes within the jurisdiction;
22 Addressing unique geographical issues, including trans-border concerns, dependencies,
23 and interdependencies among agencies and enterprises within the jurisdiction;
24 Identifying and implementing plans and processes for step-ups in protective measures
25 that align to all-hazards warnings, specific threat vectors as appropriate, and each level
26 of the HSAS;
27 Documenting lessons learned from pre-disaster mitigation efforts, exercises, and actual
28 incidents, and applying that learning, where applicable, to the CIKR protection context;
29 and
30 Conducting CIKR protection public awareness activities.
31 2.2.4.4 Tribal Governments
32 Tribal government roles and responsibilities regarding CIKR protection generally mirror
33 those of State and local governments as detailed above. Tribal governments are accountable
34 for the public health, welfare, and safety of tribal members, as well as the protection of
35 CIKR and continuity of essential services under their jurisdiction. Under the NIPP
36 partnership model, tribal governments must ensure close coordination with Federal, State,
37 local, and international counterparts to achieve synergy in the implementation of the NIPP
38 and SSP frameworks within their jurisdictions. This is particularly important in the
39 context of information sharing, risk analysis and management, awareness, preparedness
40 planning, protective program investments and initiatives, and resource allocation.
41 2.2.4.5 Boards, Commissions, Authorities, Councils, and Other Entities
42 An array of boards, commissions, authorities, councils, and other entities at the State, local,
43 tribal, and regional levels perform regulatory, advisory, policy, or business oversight
44 functions related to various aspects of CIKR operations and protection within and across
45 sectors and jurisdictions. Some of these entities are established through State- or local-level
19 FACA authorized the establishment of a system governing the creation and operation of advisory committees in the executive branch of the Federal
Government and for other purposes. The act, when it applies, generally requires advisory committees to meet in open session and make publicly available
1 Homeland Security Advisory Council (HSAC): The HSAC provides advice and
2 recommendations to the Secretary of Homeland Security on relevant issues. The Council
3 members, appointed by the DHS Secretary, include experts from State and local
4 governments, public safety, security and first-responder communities, academia, and
5 the private sector.
6 - Private Sector Senior Advisory Committee (PVTSAC): The Secretary of Homeland
7 Security established the PVTSAC as a subcommittee of the HSAC to provide the
8 HSAC with expert advice from leaders in the private sector.
9 National Infrastructure Advisory Council (NIAC): The NIAC provides the President,
10 through the Secretary of Homeland Security, with advice on the security of physical and
11 cyber systems across all CIKR sectors. The Council is comprised of up to 30 members
12 appointed by the President. Members are selected from the private sector, academia,
13 and State and local governments. The Council was established (and amended) under
14 Executive Orders 13231, 13286, and 13385.
15 National Security Telecommunications Advisory Committee (NSTAC): The NSTAC
16 provides industry-based advice and expertise to the President on issues and problems
17 related to implementing National Security and Emergency Preparedness (NS/EP)
18 communications policy. The NSTAC is comprised of up to 30 industry chief executives
19 representing the major communications and network service providers and information
20 technology, finance, and aerospace companies. It was created under Executive Order
21 12382.
22 2.2.7 Academia and Research Centers
23 The academic and research center communities play an important role in enabling
24 national-level CIKR protection and implementation of the NIPP, including:
25 Establishing Centers of Excellence (i.e., university-based partnerships or federally
26 funded R&D centers) to provide independent analysis of CIKR protection issues;
27 Supporting the research, development, testing, evaluation, and deployment of CIKR
28 protection technologies;
29 Analyzing, developing, and sharing best practices related to CIKR protection efforts;
30 Researching and providing innovative thinking and perspective on threats and the
31 behavioral aspects of terrorism;
32 Preparing or disseminating guidelines, courses, and descriptions of best practices for
33 physical security and cybersecurity;
34 Developing and providing suitable security risk analysis and risk management courses
35 for CIKR protection professionals;
36 Establishing undergraduate and graduate curricula and degree programs; and
37 Conducting research to identify new technologies and analytical methods that can be
38 applied by partners to support NIPP efforts.
associated written materials. It also requires a 15-day notice before any meeting may be closed to public attendance, a requirement which could prevent a
meeting on short notice to discuss sensitive information in an appropriate setting.
33 The NIPP risk management framework is tailored to and applied on an asset, system,
34 network, or functional basis, depending on the fundamental characteristics of the
35 individual CIKR sectors. For those sectors primarily dependent on fixed assets and physical
36 facilities, a bottom-up, asset-by-asset approach may be most appropriate. For sectors such
37 as Communications, Information Technology, and Food and Agriculture, with accessible
17 Enabling DHS, SSAs, and other partners to determine the best courses of action to
18 reduce potential consequences, threats, or vulnerabilities. Some available options
19 include encouraging voluntary implementation of focused risk management strategies
20 (e.g., through public-private partnerships), pursuing economic incentive-related policies
21 and programs, and undertaking regulatory action if appropriate; and
22 Allowing the identification of risk management and resource allocation options at
23 various jurisdictional levels, as well as those under the authority of CIKR owners and
24 operators.
25 From a sector or jurisdictional perspective, CIKR protection goals or their related
26 supporting objectives:
27 Define the risk management posture that CIKR partners seek to attain within the
28 planning horizon;
29 Express this posture in terms of the outcomes and objective metrics and the time
30 required to attain it through focused program implementation;
31 Consider distinct assets, systems, networks, functions, operational processes, business
32 environments, and risk management approaches; and
19 Screening is the initial process to identify the assets, systems, networks, and functions of
20 concern. It is an important step at every level of risk-informed decision making, as it helps
21 define a subset of scenarios (both CIKR elements and the events that may produce risk) to
22 focus further analysis and risk management. Concerns that are critical to one decision
23 maker may be less so to other partners, so screening by different parties for different
24 purposes will yield alternate results. Specific programs to identify and prioritize nationally
25 and regionally significant CIKR allow DHS’ focus for risk management to be shared with
26 other partners.
27 3.2.1 National Infrastructure Inventory
28 DHS maintains a national database of the assets, systems, and networks that make up the
29 Nation’s CIKR. The Nation’s infrastructure includes assets, systems, and networks that are
Tier 1/Tier 2 Program
The Tier 1 and Tier 2 Program identifies nationally significant, high consequence assets and
systems in order to enhance decision-making related to CIKR protection. Assets and systems
identified through the program include those that, if destroyed or disrupted, could cause some
combination of significant casualties, major economic losses, or widespread and long-term
disruptions to national well-being and governance capacity.
The overwhelming majority of the assets and systems identified through this effort will be
classified as Tier 2. Only a small sub-set of assets, which would cause major national or regional
impacts similar to those experienced during Hurricane Katrina and 9/11, will meet the Tier 1
consequence threshold established by DHS senior leadership. The process of identifying these
nationally significant assets and systems is conducted on an annual basis and relies heavily upon
the insights and knowledge of public and private sector security partners.
The Tier 1 and 2 assets and systems resulting from this annual process provide a common basis
on which DHS and its security partners can implement important CIKR protection programs and
initiatives, such as various grant programs, buffer zone protection efforts, facility assessments
and training, and other activities. Specifically, the list of Tier 1 and Tier 2 assets and systems is
used to support eligibility determinations for Urban Area Security Initiative (UASI), State
Homeland Security and Buffer Zone Protection Grant Programs. Through the Tier 1 and Tier 2
prioritization process, the NIPP community can ensure that those assets and systems capable of
creating nationally significant consequences are the primary focus of the Nation’s ongoing risk
management efforts.
Information to be included in the IDW will come from a variety of sources, such as:
- Sector inventories: SSAs and GCCs maintain close working relationships with
  owners and operators, SCCs, and other sources that maintain inventories necessary for
  the sector’s business or mission. SSAs provide relevant information to DHS and update
  it on a periodic basis to ensure that sector assets and critical functions are adequately
  represented, and that sector and cross-sector dependencies and interdependencies can
  be identified and analyzed;
- Voluntary submittals from CIKR partners: Owners and operators; State, local,
  territorial, and tribal governments; and Federal departments and agencies voluntarily
  submit information and previously completed inventories and analyses for DHS to
  consider;
C/ACAMS is a Web-enabled information services portal that helps State and local governments
build CIKR protection programs in their local jurisdictions. Specifically, C/ACAMS provides a set
of tools and resources that help law enforcement, public safety, and emergency response
personnel to:
- Collect and use CIKR asset data,
- Assess CIKR asset vulnerabilities,
- Develop all-hazards incident response and recovery plans, and
- Build public/private partnerships.
The Constellation portion of C/ACAMS is an information gathering and analysis tool that allows
users to search a range of free and subscription reporting sources to find relevant information
tailored to their jurisdiction's needs. ACAMS is a secure, online database and database
management platform that allows for the collection and management of CIKR asset data; the
cataloguing, screening and sorting of this data; the production of tailored infrastructure reports;
and the development of a variety of pre- and post-incident response plans useful to strategic and
operational planners and tactical commanders. Email ACAMS-info@hq.dhs.gov for additional
information.
The NIPP framework calls for CIKR partners to assess risk from any scenario as a function
of consequence, vulnerability, and threat, as defined below.
DHS uses geospatial tools to visualize consequence, vulnerabilities and threats to CIKR. The
iCAV system is a Web-based geospatial analytical and situational awareness system consisting of
imagery, government-owned and licensed data, and dynamic, mission-specific information
integrating threats, weather, and situation awareness information. Imagery fused with data
layers and information feeds provides users with a rapid, common situational awareness of
threats, events (natural or man-made), CIKR, and population centers that are impacted, to support
coordinated preparedness, response and recovery activities. iCAV unites partners at the Federal,
State, local, tribal, and territorial levels and other non-government partners through an integrated
geographic Common Operating Picture (COP) for information-sharing, analysis, visualization,
and dissemination.
Risk assessments for CIKR protection consider all three components of risk and are
conducted on assets, systems, or networks, depending on the characteristics of the
infrastructure being examined. Once the three components of risk have been assessed for
one or more given assets, systems, or networks, they must be integrated with a defensible
model to produce a site, sector, region, national, or international risk estimate.
One program that provides a key synthesizing assessment for the Federal NIPP community is the
Strategic Homeland Infrastructure Risk Assessment (SHIRA). This is an annual collaborative
process conducted in coordination with interested members of the CIKR protection community to
assess and analyze the risks to the Nation’s infrastructure from terrorism as well as natural and
manmade hazards. The information derived through the SHIRA process feeds a number of
analytic products, including the National Risk Profile, the foundation of the congressionally
mandated National CIKR Protection Annual Report, as well as individual Sector Risk Profiles. As
this process matures, the general approach for producing a shared risk assessment with a common
risk model for CIKR will begin to produce multiple, tailored Homeland Infrastructure Risk
Assessments (HIRAs), with SHIRA focusing on a strategic, cross-sector perspective, supported by
a set of regional, State, and local HIRAs.
20 The phrase “Baseline Criteria”, used in the 2006 edition of the NIPP, has been adjusted to reflect our partners’ path toward maturity. Baseline Criteria is most
often understood as a minimal standard. In implementing the NIPP it was discovered that, since the need to assess and compare risks across infrastructure
sectors in a voluntary collaboration was a substantially new requirement, very few existing approaches fulfill the need. The phrase “Essential Features” and the
strong correlation with the cross-sector comparison purposes of the NIPP is meant to clarify that these are necessary design characteristics to support the goals
of the NIPP. They should be pursued. Not having already incorporated these features, however, does not constitute a failure to exercise reasonable risk
management for owners and operators.
21 The completeness of a risk analytic methodology is dependent on the access and authority of the organization conducting the assessment. When an
organization lacks the information to assess particular points, the lack of this information should be noted as part of the assessment, so that other organizations
which have the information may contribute to closing the gap.
State, local, or private sector CIKR protection communities. IRAPP involves customized
support to interested partners, and the sharing of best practices across the CIKR
protection community.
- CFIUS Support: The Committee on Foreign Investment in the United States (CFIUS)
  is an inter-agency committee of the United States Government that reviews the
  national security implications of foreign investments of U.S. companies or operations.
  HITRAC provides support to CFIUS by developing written threat and risk assessments
  of foreign direct investment in the United States and evaluating the potential risks
  posed by foreign acquisition of U.S. infrastructure. HITRAC also supports DHS efforts
  to manage those risks through the interagency CFIUS process.
- Critical Infrastructure Red Team (CIRT): The CIRT program focuses its analysis
  on high-risk sectors/sub-sectors and high-risk attack methods from the perspective of
  our nation’s adversaries by conducting open source analysis, developing operational
  plans, and exercising these scenarios through tabletop exercises and developing lessons
  learned from those activities. These efforts identify gaps in current strategies and risk
  reduction programs for the Nation’s CIKR, and support the development of
  recommendations for closing or managing the identified gaps.
- Risk Analysis Development: The Risk Analysis Development Program works to
  improve the capabilities available to CIKR risk analysts and risk managers both in
  DHS and among the rest of the NIPP stakeholders. The program conducts research and
  development to establish and extend a common risk model for CIKR allowing sound
  cross-sector comparisons supporting the full range of risk management decisions, and
  new approaches that contribute to common understanding of risk and good risk
  management.
3.4 Prioritize

Prioritizing risk management efforts on the most significant CIKR helps focus planning,
increase coordination, and support effective resource allocation and incident management,
response, and restoration decisions.

Figure 3-5: NIPP Risk Management Framework: Prioritize

The NIPP risk management framework is applicable to risk assessments on an asset,
system, network, function, sector, State, regional, or national basis. Comparing the risk
faced by different entities helps identify where risk mitigation is needed, and to
subsequently determine and help justify the most cost-effective risk management options.
This identifies which CIKR should be given priority for risk management activities and
which alternative options represent the best investment based on their risk-reduction
return on investment. The prioritization process also develops information that can be used
during incident response to help inform decision makers regarding issues associated with
CIKR restoration.
3.4.1 The Prioritization Process

The prioritization process involves aggregating, combining, and analyzing risk assessment
results to determine which assets, systems, networks, sectors, or combinations of these face
the highest risk so that risk management priorities can be established. It also provides the
basis for understanding the risk-mitigation benefits that, along with costs, are used to
support planning and the informed allocation of resources.

This process involves two related activities: The first determines which sectors, regions, or
other aggregation of CIKR assets, systems, or networks have the highest risk from relevant
incidents or events. Of those with similar risk levels, the CIKR with the highest expected
losses are accorded the highest priority in risk management program development. The
second activity determines which actions are expected to provide the greatest mitigation of
risk for any given investment. The risk management initiatives that result in the greatest
risk mitigation for the investment proposed are accorded the highest priority in program
design, resource allocation, budgeting, and implementation. This approach ensures that
programs make the greatest contribution possible to overall CIKR risk mitigation given the
available resources.

Assessments become more complex at different aggregations, such as when comparisons are
necessary across sectors, across different geographic areas, or against different types of
events. Using a common approach with consistent assumptions and metrics increases the
defensibility of such comparisons. Without this, such assessments are much more
challenging. Less informed assessments rely heavily on the subjective interpretation of
estimates derived from whatever data can be collected, as well as successful resolution of
differences in assumptions.
3.4.2 Tailoring Prioritization Approaches to Sector and Decisionmakers’ Needs

CIKR partners rely on different approaches to prioritize risk management activities
according to their authorities, specific sector needs, risk landscapes, security approaches,
and business environment. For example, owners and operators, federal agencies, and State
and local authorities all have different options available to them to help reduce risk.
Asset-focused priorities may be appropriate for CIKR whose risk is predominately associated with
facilities, the local environment, and physical attacks, especially those that can be exploited
and used as weapons. Function-focused priorities may more effectively ensure continuity of
operations in the event of a terrorist attack or natural disaster in sectors where CIKR
resilience may be more important than CIKR hardening. Programs to reduce CIKR risk
give priority to investments that protect physical assets or ensure resilience in virtual
systems depending on which option best enables cost-effective CIKR risk management.

To ensure a consistent approach to risk analysis for CIKR protection, partners establish
priorities using risk analyses that are consistent with the parameters of risk assessment
methodologies set out in appendix 3A. For quick-response decisions, lacking sound risk
assessments for reference, some priorities will be informed by top-down assessments using
surrogate data or data at high levels of CIKR aggregation (e.g., population density as a
surrogate for casualties). As both the NIPP partnership and the knowledge base of risk
assessments grow, decisions can be increasingly informed by both top-down and bottom-up
analyses using detailed data and assessments on specific individual facilities, with a
prioritization on how much risk is reduced for the investment.
3.4.3 The Uses of Prioritization

A primary use of prioritization is to inform resource allocation decisions, such as where risk
management programs should be instituted; the appropriate level of investment in these
programs; and which measures offer the greatest return on investment. The prioritization
process yields information on CIKR risk management requirements and provides
the rationale and justification for implementing specific programs or actions. Although for
some specific purposes, a master inventory of facilities or sites in priority order may be
useful, the results of the prioritization process are primarily used in other ways, such as
general guidance on improving security, or the decisions underpinning department budget
requests. Given the vast number of CIKR partners that have varied roles and
responsibilities in helping to manage risks, it is critical that each authority work to
increase the consistency, comparability and utility of their efforts to help defend the best
risk management decisions as worth the investments being considered.

At the national level, DHS is responsible for overall national risk-informed CIKR
prioritization in close collaboration with the SSAs, States, and other CIKR partners. SSA
responsibilities include managing the government interaction with the sector and helping
to cultivate an environment of trusted information sharing and collaboration to identify,
prioritize, and manage risk. They must also extend their sector focus to include maximizing
the ability to make cross-sector comparisons of risk that consider the best knowledge
available within each sector, in metrics that allow such comparisons to support
evaluations of the risk-reduction return on various investments. At the State level, DHS is
working to develop a collaborative relationship with state and local authorities through the
Infrastructure Risk Analysis Partnership Program. This effort to work with state
authorities to foster the capability to develop, evaluate and support the implementation of
CIKR risk management decisions in a state/local environment will be piloted with a limited
group of CIKR partners, and then rolled out more broadly as the roles, responsibilities and
approaches are tested and refined at this level.
The Nation’s CIKR is widely distributed in both a physical and logical sense. Effective
CIKR protection requires both distributed implementation of protective programs by
partners, and focused national leadership to ensure implementation of a comprehensive,
coordinated, and cost-effective approach that helps to reduce or manage the risks to the
Nation’s most critical assets, systems, and networks. At the implementation level,
protective programs and resiliency strategies consist of diverse actions undertaken by
various CIKR partners. From the leadership perspective, programs are structured to
address coordination and cost-effectiveness.

The following sections describe the nature and characteristics of best practice protective
programs and resiliency strategies, as well as some existing programs that could be applied
to specific assets, systems, and networks.
3.5.1 Risk Management Actions

Risk management actions involve measures designed to prevent, deter, and mitigate the
threat; reduce vulnerability to an attack or other disaster; minimize consequences; and
enable timely, efficient response and restoration in a post-event situation, whether a
terrorist attack, natural disaster, or other incident. The NIPP risk management framework
focuses attention on those activities that bring the greatest return on investment, not
simply the vulnerability reduction. Protective programs and resiliency strategies vary
across a wide spectrum of activities, designed to:
- Deter: Cause the potential attacker to perceive that the risk of failure is greater than
  that which they find acceptable. Examples include improved awareness and security
  (e.g., restricted access, vehicle checkpoints) and enhanced police and/or security officer
  presence;
- Devalue: Reduce the attacker’s incentive by reducing the target’s value. Examples
  include developing redundancies and maintaining backup systems or key personnel to
  improve overall resilience;
- Detect: Identify potential attacks and validate and/or communicate the information, as
  appropriate. General detection activities include intelligence gathering, analysis of
  surveillance activities, and trend analysis of law enforcement reporting. For specific
  assets, examples include intrusion-detection systems, network monitoring systems,
  operation alarms, surveillance, detection and reporting, and employee security
  awareness programs; and
- Defend: Protect assets by preventing or delaying the actual attack, or reducing an
  attack’s effect on an asset, system, or network. Examples include perimeter hardening
  by enhancing buffer zones, fencing, structural integrity, and cyber defense tools such as
  antivirus software.

Risk management actions also may include means of mitigating the consequences of an
attack or incident. These actions are focused on the following aspects of preparedness:
- Mitigate: Lessen the potential impacts of an attack, natural disaster, or accident by
  introducing system redundancy and resiliency, reducing asset dependency, or isolating
  downstream assets;
- Respond: Activities designed to enable rapid reaction and emergency response to an
  incident, such as conducting exercises and having adequate crisis response plans,
  training, and equipment; and
- Recover: Allow businesses and government organizations to resume operations quickly
  and efficiently, such as using comprehensive mission and business continuity and
  resiliency-based plans that have been developed through prior planning.

Generally, it is considered more cost-effective to build security into assets, systems, and
networks than to retrofit them with security measures after initial development.
Accordingly, CIKR partners should consider how risk management, robustness, resiliency,
and appropriate physical and cybersecurity enhancements could be incorporated into the
design and construction of new CIKR.

In situations where robustness and resiliency are keys to CIKR protection, providing
protection at the system level rather than at the individual asset level may be more
effective and efficient (e.g., if there are many similar facilities, it may be easier to allow
other facilities to provide the infrastructure service rather than to protect each facility).
3.5.2 Characteristics of Effective Protective Programs and Resiliency Strategies

Characteristics of effective CIKR protective programs and resiliency strategies include, but
are not limited to, the following:
- Comprehensive: Effective programs must address the physical, cyber, and human
  elements of CIKR, as appropriate, and consider long-term, short-term, and sustainable
  activities. SSPs describe programs and initiatives to protect CIKR within the sector
  (e.g., operational changes, physical protection, equipment hardening, cyber protection,
  system resiliency, backup communications, training, response plans, and security
  system upgrades).
- Coordinated: Because of the highly distributed and complex nature of the various
  CIKR sectors, the responsibility for protecting CIKR must be coordinated:
  - CIKR owners and operators (public or private sector) are responsible for protecting
    property, information, and people through measures that manage risk to help
    ensure more resilient operations and more effective loss prevention. These measures
    include increased awareness of terrorist threats and implementation of operational
    responses to reduce vulnerability (e.g., changing daily routines, keeping computer
    software and virus-checking applications up to date, and applying fixes for known
    software defects).
  - State, local, and tribal authorities are responsible for providing or augmenting
    protective actions for assets, systems, and networks that are critical to the public
    within their jurisdiction and authority. They develop protective programs,
    supplement Federal guidance and expertise, implement relevant Federal programs
    such as the Buffer Zone Protection Program (BZPP), and provide specific law
    enforcement capability as needed. When appropriate, they have access to Federal
    resources to meet jurisdictional protection priorities.
  - Federal agencies are responsible for enabling or augmenting protection for CIKR
    that is nationally critical or coordinating the efforts of CIKR partners and the use of
    resources from different funding sources. DHS, SSAs, and other Federal
    departments and agencies carry out these responsibilities while respecting the
    authorities of State, local, and tribal governments, and the prerogatives of the
    private sector.
  - SSAs, in conjunction with sector partners, provide information on the most effective
    long-term protective strategies, develop protective programs, and coordinate the
    implementation of programs for their sectors. For some sectors, this includes the
    development and sharing of best practices and related criteria, guidance documents,
    and tools.
  - DHS, in collaboration with SSAs and other public and private sector partners,
    serves as the national focal point for the development, implementation, and
    coordination of risk management approaches and tools and of protective programs and
    resiliency strategies (including cybersecurity efforts) for those assets that are
    deemed nationally critical.
- Cost-Effective: Effective CIKR programs and strategies seek to use resources
  efficiently by focusing on actions that offer the greatest mitigation of risk for any given
  expenditure. The following is a discussion of factors that should be considered when
  assessing the cost-effectiveness and public benefits derived through implementation of
  CIKR protection initiatives:
  - Operating with full information and lowering coordination costs: The NIPP describes
    the mechanisms that enable the use of information regarding threats and
    corresponding protective actions. It includes information sharing; provision of a
    dedicated communications network; and the use of established, interoperable
    industry and trade association communications mechanisms. The NIPP also helps to
    lower the cost of coordination through such mechanisms as partnership
    arrangements and, where appropriate, the use of a regulatory or incentives-based
    framework to encourage or drive action.
  - Addressing the present-future tradeoff in long lead-time investments: The NIPP
    provides the processes and coordinating structures that allow State, local, and tribal
    governments and private sector partners to effectively use long lead-time approaches
    to CIKR protection.
  - Providing for NIPP-related roles and responsibilities: Appropriate roles for CIKR
    protection reflect basic responsibilities and shared risks and burdens. CIKR owners
    and operators are responsible for protecting property, information, and people
    through measures that manage risk and help ensure more resilient operations and
    more effective loss prevention. State, local, and tribal authorities are responsible for
    providing or augmenting protective actions for assets, systems, and networks that
    are critical to the public within their jurisdiction and authority. Federal agencies are
    responsible for coordinating and enabling protection for CIKR that is nationally
    critical. They coordinate with regulatory agencies to help ensure that CIKR
    protection issues are fully understood and considered in their deliberations. As
    discussed in chapter 7, they may make Federal resources available for selected
    State, local, or tribal CIKR protection efforts through grant programs in certain
    circumstances.
  - Matching the underlying economic incentives of each CIKR partner to the extent
    possible: The NIPP supports market-based economic incentives wherever possible by
    relying on CIKR partners to undertake those efforts that are in their own interest
    and complementing those efforts with additional resources where necessary and
    appropriate. This coordinated approach builds on efforts that have proven to be
    effective and that are consistent with best business practices, such as owners and
    operators selecting the measures that are best suited to their particular risk profile
    and needs.
  - Addressing the public-interest aspects associated with CIKR protection: Risk
    management actions for CIKR that provide benefits to the public at large go beyond
    the actions that benefit owners and operators, or even those that benefit the public
    residing in a particular State, region, or locality. Such additional actions reflect
    different levels of the public interest: some CIKR are critical to the national
    economy and to national well-being; some CIKR are critical to a State, region, or
    locality; some CIKR are critical only to the individual owner/operator or direct
    customer base. Actions to protect the public’s interest that require investment
    beyond the level that those directly responsible for protection are willing and able to
    provide must be of sufficient priority to warrant the use of the limited resources that
    can be provided from public funding or may require regulatory action or appropriate
    incentives to encourage the private sector to undertake them.
- Risk-Informed: Protective programs and resiliency strategies focus on mitigating risk.
  Associated actions should be designed to allow measurement, evaluation, and feedback
  based on risk mitigation. This allows owners, operators, and SSAs to reevaluate risk
  after the program has been implemented. These programs and strategies use different
  mechanisms for addressing each element of risk and combine their effects to achieve
  overall risk mitigation. These mechanisms include:
  - Consequences: Protective programs and resiliency strategies may limit or manage
    consequences by reducing the possible loss resulting from a terrorist attack or other
    disaster through redundant system design, backup systems, and alternative sources
    for raw materials or information.
  - Vulnerability: Protective programs may reduce vulnerability by decreasing the
    susceptibility to destruction, incapacitation, or exploitation by correcting flaws or
    strengthening weaknesses in assets, systems, and networks.
  - Threat: Protective programs and resiliency strategies indirectly reduce threat by
    making assets, systems, or networks less attractive targets to terrorists by lessening
    vulnerability and lowering consequences. As a result, terrorists may be less likely to
    achieve their objectives and, therefore, less likely to focus on the CIKR in question.

3.5.3 Risk Management Activities, Initiatives, and Reports

DHS, in collaboration with SSAs and other sector partners, undertakes a number of
protective programs, resiliency strategies, initiatives, activities, and reports that support
CIKR protection. Many of these are available to or provide resources for CIKR partners.
These activities span a wide range of efforts that include, but are not limited to, the
following:
The DHS/IP Vulnerability Assessment (VA) Project serves as the focal point for strategic
planning, coordination and information sharing in conducting vulnerability assessments of the
Nation’s Tier 1 and Tier 2 CIKR. Through the development and deployment of a scalable
assessment methodology, the VA Project supports the implementation of the NIPP through
identifying vulnerabilities, supporting collaborative security planning, and recommending
protective measures strategies. IP VA Project initiatives include the Buffer Zone Protection
Program (BZPP), Site Assistance Visits (SAVs), Comprehensive Reviews (CRs), and the
Computer-Based Assessment Tool (C-BAT). The VA Project provides vulnerability assessment
methodologies that enhance DHS’ and CIKR stakeholders’ ability to prevent, protect, and respond
to terrorist attacks and all-hazards incidents. The VA Project brings together Federal, State,
local, territorial, and tribal governments, local law enforcement, emergency responders, and
CIKR owners and operators to conduct assessments to identify critical assets, vulnerabilities,
consequences, and protective measures and resiliency strategies. The VA Project also provides
analysis of CIKR facilities to include potential terrorist actions for an attack, consequences of
such an attack, and integrated preparedness and response capabilities of the Federal, State, local,
tribal and territorial and private sector partners. The results are used to enhance the overall
CIKR protection posture of the facilities, surrounding communities, and the geographic region
using short-term enhancements and long-term risk-informed investments in training, processes,
procedures, equipment, and resources.
PSAs were directed to form partnerships with the owners and operators of the Nation’s
identified high-priority CIKR, known as Tier 1 and Tier 2 CIKR and conduct site visits
(Enhanced Critical Infrastructure Protection) for all of these assets during the period of political
transition in 2008 - 2009. PSAs coordinate site visits with owners and operators, HSAs, Federal
Bureau of Investigation (FBI), Local Law Enforcement (LLE) and other CIKR partners, as
necessary. During the visit, PSAs document information on the facility’s current CIKR protection
posture and overall security awareness. The primary goals for ECIP site visits are to:
- Inform facility owners and operators of the importance of their facilities as an identified
  high-priority CIKR and the need to be vigilant in light of the ever-present threat of
  terrorism;
- Identify protective measures currently in place at Tier 1/Tier 2 facilities, provide comparison
  across like assets of CIKR protection posture, and track the implementation of new
  protective measures;
- Enhance existing relationships between Tier 1/Tier 2 facility owners and operators, DHS,
  and Federal, State, and LLE personnel in order to:
  - Provide increased situational awareness regarding potential threats
  - Maintain an in-depth knowledge of the current CIKR protection posture at each facility
  - Provide a constant Federal resource to facility owners and operators
3.6.1.2 Metrics
Quantitative indicators are used for different groups of metrics to support national
assessments. The CIKR Protection Reporting and Analysis Program is following an arc of
increasing maturity along several dimensions. The program is consistent with the risk
framework set forth in the NIPP and comprises six components that together provide DHS
with an overall picture of CIKR protection performance. The components are:
- NIPP Core Metrics are measures of progress in NIPP Risk Management Framework implementation that are common across the 18 CIKR Sectors. They provide a basis for establishing accountability, documenting performance, identifying issues, promoting effective management, and reassessing goals and objectives.
- SSA Programmatic Metrics are measures of effectiveness of SSA activities, programs, and initiatives that are identified in the individual Sector SSPs and SARs.
- National Coordinator Programmatic Metrics are measures of effectiveness of the programs, products, and tools developed by DHS IP to support NIPP- and SSP-related activities.
- Partnership Metrics are used to gauge the effectiveness of the sector partnership in contributing to enhanced risk management and CIKR protection. The partnership metrics provide a point of reference for individual CIKR sectors to reflect their distinctive characteristics and requirements.
- CIKR Information Sharing Environment Metrics measure the effectiveness of the processes that enable the sharing of CIKR information among security partners.
- Sector-Specific Metrics are measures of the status of CIKR protection efforts unique to individual Sectors or sub-Sectors as viewed by the owners and operators.
Collectively, these six types of metrics provide a holistic picture of the health and
effectiveness (see appendix 3D) of the national CIKR protection effort and help drive future
investments and resource decisions.
3.6.2 Gathering Performance Information
DHS works with the SSAs and sector partners to gather the information necessary to
measure the level of performance associated with each set of metrics. Given the inherent
differences in CIKR sectors, a one-size-fits-all approach to gathering this information is not
appropriate. DHS also works with SSAs and sector partners to determine the appropriate
measurement approach to be included in the sector’s SSP and to help ensure that partners
engaged with multiple sectors or in cross-sector matters are not subject to unnecessary
redundancy or conflicting guidance in information collection. Information collected as part
of this effort is protected as discussed in detail in chapter 4.
SSAs identify and, as appropriate, share or facilitate the sharing of best practices based on
the effective use of metrics to improve program performance.
3.6.3 Assessing Performance and Reporting on Progress
HSPD-7 requires each SSA to provide the Secretary of Homeland Security with an annual
report on their efforts to identify, prioritize, and coordinate the protection of CIKR in their
respective sectors. The report from each SSA will be sent to DHS annually. The reports are
due no later than June 1 of each year.
The Sector CIKR Annual Protection Reports provide the following information:
- Provide a common vehicle across all CIKR sectors for communicating CIKR protection performance and progress to partners and government entities;
- Establish a baseline of existing sector-specific CIKR protection priorities, programs, and initiatives against which future improvements will be assessed;
- Identify sector priorities and out-year requirements with a focus on projected shortfalls in resources for sector-specific CIKR protection and for protection of CIKR within the sector that is deemed to be critical at the national level;
- Determine and explain how sector efforts support the national effort;
- Provide an overall progress report for the CIKR sector and measure that progress against the CIKR protection goals and objectives for that sector as described in the SSP;
- Provide feedback to DHS, the CIKR sectors, and other government entities to provide the basis for the continuous improvement of the CIKR protection program; and
- Help identify best practices from successful programs and share these within and among sectors.
SSAs work in close collaboration with sector partners, the respective SCCs and the GCCs,
and other organizations in developing this report. DHS works with SSAs to assess progress
made toward goals in each sector based on these reports.
Similar reports are now prepared for the SLTTGCC and the Regional Consortium
Coordinating Council (RCCC) and included as appendixes to the National Annual Report.
Additional appendixes to the National Annual Report address the year’s accomplishments
for DHS IP, the Office of Cybersecurity & Communications, the Tier 1 and 2 Program, and
the National Infrastructure Simulation and Analysis Center (NISAC).
DHS compiles all of these reports into a national cross-sector report that describes annual
progress toward CIKR protection goals on a national basis and makes recommendations to
the Executive Office of the President for prioritized resource allocation across the Federal
Government to meet national CIKR protection requirements. A more detailed discussion of
the national resource allocation process for CIKR protection is included in chapter 7.
In addition to these annual reports, SSAs regularly update their measurements of CIKR
status and protection levels to support DHS status tracking and comprehensive inventory
update. By maintaining a regularly updated knowledge base, DHS is able to quickly
compile real-time CIKR status and protection posture to respond to changing circumstances
as indicated by tactical intelligence assessments of terrorist threats or natural disaster
damage assessments. This helps inform resource allocation decisions during incident
response and other critical operations supporting the homeland security mission.
- Identifying and disseminating CIKR protection best practices across the sectors;
- Participating in coordinated planning efforts related to the development, implementation, and revision of the NIPP and SSPs; and
- Coordinating with DHS to support efforts to plan and execute the Nation’s CIKR protection mission.
4.1.2.2 Government Cross-Sector Council
Cross-sector issues and interdependencies between the GCCs will be addressed through the
Government Cross-Sector Council, which is comprised of two subcouncils: the NIPP FSLC
and the SLTTGCC:
- NIPP Federal Senior Leadership Council: The objective of the NIPP FSLC is to drive enhanced communications and coordination between and among Federal departments and agencies with a role in implementing the NIPP and HSPD-7. The Council’s primary activities include:
  - Forging consensus on CIKR risk management strategies;
  - Evaluating and promoting implementation of risk management-based CIKR protection programs;
  - Advancing CIKR protection collaboration within and across sectors;
  - Advancing CIKR protection collaboration with the international community; and
  - Evaluating and reporting on the progress of Federal CIKR protection activities.
- State, Local, Tribal, and Territorial Government Coordinating Council: The SLTTGCC serves as a forum to ensure that State, local, and tribal homeland security advisors or their designated representatives are fully integrated as active participants in national CIKR protection efforts and to provide an organizational structure to coordinate across jurisdictions on State- and local-level CIKR protection guidance, strategies, and programs. The SLTTGCC will provide the State, local, tribal, or territorial perspective or feedback on a wide variety of CIKR issues. The primary functions of the SLTTGCC include the following:
  - Providing senior-level, cross-jurisdictional strategic communications and coordination through partnership with DHS, the SSAs, and private sector owners and operators;
  - Participating in planning efforts related to the development, implementation, update, and revision of the NIPP and SSPs;
  - Coordinating strategic issues and issue management resolution among State, local, tribal, and territorial partners;
  - Coordinating with DHS to support efforts to plan, implement, and execute the Nation’s CIKR protection mission; and
  - Providing DHS with information on State-, local-, tribal-, and territorial-level CIKR protection initiatives; activities; and best practices.
The cross-sector bodies described in sections 4.1.2.1 and 4.1.2.2 will convene in joint session
and/or working groups, as appropriate, to address cross-cutting CIKR protection issues. The
NIPP-related functions of the cross-sector bodies include activities to:
- Provide or facilitate coordination, communications, and strategic-level information sharing across sectors and between and among DHS, the SSAs, the GCCs and other supporting Federal departments and agencies, and other public and private sector partners;
- Identify issues shared by multiple sectors that would benefit from common investigations and/or solutions;
- Identify and promote best practices from individual sectors that have applicability to other sectors;
- Contribute to cross-sector planning and prioritization efforts, as appropriate; and
- Provide input to the government on R&D efforts that would benefit multiple sectors.
4.1.2.3 Sector Coordinating Councils
The sector partnership model encourages CIKR owners and operators to create or identify
an SCC as the principal entity for coordinating with the government on a wide range of
CIKR protection activities and issues. SCCs should be self-organized, self-run, and
self-governed, with a spokesperson designated by the sector membership. Specific membership
will vary from sector to sector, reflecting the unique composition of each sector; however,
membership should be representative of a broad base of owners, operators, associations,
and other entities—both large and small—within a sector.
The SCCs enable owners and operators to interact on a wide range of sector-specific
strategies, policies, activities, and issues. SCCs serve as principal sector policy coordination
and planning entities. Sectors also rely on ISACs, or other information-sharing
mechanisms, which provide operational and tactical capabilities for information sharing
and, in some cases, support for incident response activities. (A more detailed discussion of
ISAC roles and responsibilities is included in section 4.2.7.)
The primary functions of an SCC include the following:
- Represent a primary point of entry for government into the sector for addressing the entire range of CIKR protection activities and issues for that sector;
- Serve as a strategic communications and coordination mechanism between CIKR owners, operators, and suppliers, and with the government during response and recovery as determined by the sector;
- Identify, implement, and support the information-sharing capabilities and mechanisms that are most appropriate for the sector. ISACs may perform this role if so designated by the SCC;
- Facilitate inclusive organization and coordination of the sector’s policy development regarding CIKR protection planning and preparedness, exercises and training, public awareness, and associated plan implementation activities and requirements;
- Advise on integration of Federal, State, regional, and local planning with private sector initiatives; and
- Provide input to the government on sector R&D efforts and requirements.
SCCs are encouraged to participate in voluntary consensus standards development efforts
to ensure that sector perspectives are included in standards that affect CIKR protection. 22
4.1.2.4 Government Coordinating Councils
A GCC is formed as the government counterpart for each SCC to enable interagency and
cross-jurisdictional coordination. The GCC is comprised of representatives across various
levels of government (Federal, State, local, or tribal) as appropriate to the security
landscape of each individual sector. Each GCC is co-chaired by a representative from the
designated SSA with responsibility for ensuring appropriate representation on the GCC
and providing cross-sector coordination with State, local, and tribal governments. Each
GCC is co-chaired by the DHS Assistant Secretary for Infrastructure Protection or his/her
designee.
The GCC coordinates strategies, activities, policy, and communications across government
entities within each sector. The primary functions of a GCC include the following:
- Provide interagency strategic communications and coordination at the sector level through partnership with DHS, the SSA, and other supporting Federal departments and agencies;
- Participate in planning efforts related to the development, implementation, update, and revision of the NIPP and SSPs;
- Coordinate strategic communications, and issue management and resolution among government entities within the sector; and
- Coordinate with and support the efforts of the SCC to plan, implement, and execute the Nation’s CIKR protection mission.

22 Voluntary consensus standards are developed or adopted by voluntary consensus standards bodies, both domestic and international. These organizations plan, develop, establish, or coordinate standards through an agreed-upon procedure that relies on consensus, though not necessarily on unanimity. Federal law encourages Federal participation in these bodies to increase the likelihood that standards meet both public and private sector needs. Examples of other standards that are distinct from voluntary consensus standards include non-consensus standards, industry standards, company standards, or de facto standards developed in the private sector but not in the full consensus process, government-unique standards developed by government for its own uses, and standards mandated by law.

4.1.2.5 Critical Infrastructure Partnership Advisory Council
The CIPAC directly supports the sector partnership model by providing a legal framework
for members of the SCCs and GCCs to engage in joint CIKR protection-related activities.
The CIPAC serves as a forum for government and private sector partners to engage in a
broad spectrum of activities, such as:
- Planning, coordination, implementation, and operational issues;
- Implementation of security programs;
- Operational activities related to CIKR protection, including incident response, recovery, and reconstitution; and
- Development and support of national plans, including the NIPP and the SSPs.
The CIPAC membership consists of private sector CIKR owners and operators, or their
representative trade or equivalent associations, from the respective sector’s recognized
SCC; and representatives of Federal, State, local, and tribal government entities (including
their representative trade or equivalent associations) that comprise the corresponding GCC
for each sector. DHS published a Federal Register Notice on March 24, 2006, announcing
the establishment of CIPAC as a FACA-exempt body, pursuant to section 871 of the
Homeland Security Act.
4.1.3 Regional Coordination and the Partnership Model
Regional partnerships, organizations, and governance bodies enable CIKR protection
coordination among CIKR partners within and across certain geographical areas, as well as
planning and program implementation aimed at a common hazard or threat environment.
These groupings include public-private partnerships that cross jurisdictional, sector, and
international boundaries and take into account dependencies and interdependencies. They
are typically self-organizing and self-governing.
Regional organizations, whether interstate or intrastate, vary widely in terms of mission,
composition, and functionality. Regardless of the variations, these organizations provide
structures at the strategic and/or operational levels that help to address cross-sector CIKR
planning and protection program implementation. They may also provide enhanced
coordination between jurisdictions within a State where CIKR cross multiple jurisdictions
and help sectors coordinate with multiple States that rely on a common set of CIKR. In
many instances, State homeland security advisors serve as focal points for regional
initiatives and provide linkages between the regional organizations and the sector
partnership model. Based on the nature or focus of the regional initiative, these organizations may
link into the sector partnership model, as appropriate, through individual SCCs or GCCs or
cross-sector councils. Additionally, DHS assisted in the formation of a national-level RCCC
to address issues that cross sectors and/or jurisdictions of government within a defined
geographic area.
4.1.4 International CIKR Protection Cooperation
Many CIKR assets, systems, and networks, both physical and cyber, are interconnected
with a global infrastructure that has evolved to support modern economies. Each of the
CIKR sectors is linked in varying degrees to global energy, transportation,
telecommunications, cyber, and other infrastructure. This global system creates benefits
and efficiencies, but also brings interdependencies, vulnerabilities, and challenges in the
context of CIKR protection. The Nation’s safety, security, prosperity, and way of life depend
on these “systems of systems,” which must be protected both at home and abroad.
The NIPP strategy for international CIKR protection coordination and cooperation is
focused on:
- Instituting effective cooperation with international CIKR partners, as well as high-priority cross-border protective programs. Specific protective actions are developed through the sector planning process and specified in SSPs;
- Implementing current agreements that affect CIKR protection; and
- Addressing cross-sector and global issues such as cybersecurity and foreign investment.
International CIKR protection activities require coordination with the Department of State
and must be designed and implemented to benefit the United States and its international
partners.
4.1.4.1 Cooperation with International Partners
DHS, in coordination with the Department of State, works with international partners and
other entities involved in the international aspects of CIKR protection to exchange
experiences, share information, and develop a cooperative environment to materially
improve U.S. CIKR protection. DHS, the Department of State, and the SSAs work with
foreign governments to identify international interdependencies, vulnerabilities, and
risk-mitigation strategies, and through international organizations, such as the Group of Eight
(G8), NATO, the European Union, the Organization of American States (OAS), and the
Organisation for Economic Co-operation and Development (OECD), to enhance CIKR
protection.
While SSAs and owners and operators are responsible for developing CIKR protection
programs to address risks that arise from or include international sources or
considerations, DHS manages specific programs to enhance the cooperation and
coordination needed to address the unique challenges and opportunities posed by the
international aspects of CIKR protection:
- Critical Foreign Dependencies Initiative (CFDI): In response to the NIPP requirement for the Federal Government to create a comprehensive inventory of infrastructure located outside the United States that, if disrupted or destroyed, would lead to loss of life in the United States, or critically affect the Nation’s economic, industrial, or defensive capabilities, DHS, working with the Department of State, developed the CFDI, a process designed to ensure the resulting classified National Critical Foreign Dependencies List is inclusive, representative, and leveraged in a coordinated and responsible manner. The Initiative involves three phases:
  - Phase I – Identification: DHS working with Federal infrastructure protection community partners developed the first ever National Critical Foreign Dependencies List in FY2008, reflecting the critical foreign dependencies of the initial 17 CIKR sectors, as well as critical foreign dependencies of interest to the Nation as a whole. The identification process is conducted on a yearly basis, and includes input from public and private sector infrastructure protection community partners.
  - Phase II – Prioritization: DHS, working with infrastructure protection community partners, and in particular DOS, prioritized the National Critical Foreign Dependencies List based upon factors such as overall criticality of the element to the United States, risk to the element, and foreign partner willingness and capability to engage in risk management activities. The prioritization process is conducted on a yearly basis.
  - Phase III – Engagement: Phase III involves leveraging the prioritized National Critical Foreign Dependencies List to guide current and future U.S. bilateral and multilateral incident and risk management activities with foreign partners. DHS and DOS established mechanisms to ensure coordinated engagement domestic coordination and collaboration by public sector entities.
- International Outreach Program: DHS, in cooperation with the Department of State and other Federal agencies, carries out international outreach activities to engage foreign governments and international/multinational organizations to promote a global culture of physical and cybersecurity. These outreach activities enable international cooperation and engage constituencies that often do not traditionally address CIKR protection. This outreach encourages the development and adoption of best practices, training, and other programs designed to improve the protection of U.S. CIKR overseas, as well as the reliability of international CIKR on which this country depends. Other Federal, State, local, tribal, and private sector entities also engage in international outreach that may be related to CIKR risk mitigation in situations where they work directly with their foreign counterparts.
- The National Exercise Program: DHS provides overarching coordination for the National Exercise Program to ensure the Nation’s readiness to respond in an all-hazards environment and to practice and evaluate the steady-state protection plans and programs put in place by the NIPP. This exercise program engages international partners to address cooperation and cross-border issues, including those related to CIKR protection. DHS and other CIKR partners also participate in exercises sponsored by international partners.
- National Cyber Exercises: DHS and its partners conduct exercises to identify, test, and improve coordination of the cyber incident response community, including Federal, State, regional, local, tribal, and international government elements, as well as private sector corporations and coordinating councils.
Where applicable, DHS encourages the use of PCII protections to safeguard private sector
CIKR information when sharing it with international partners. The PCII Program will
solicit the submitter’s express permission before sharing the submitter’s proprietary CIKR
information with international partners.
4.1.4.2 Implementing Current Agreements
Existing agreements with international partners include bilateral and multilateral
partnerships that have been entered into with the assistance of the Department of State.
The key partners involved in existing agreements include:
- Canada and Mexico: CIKR interconnectivity between the United States and its immediate neighbors makes the borders virtually transparent. Electricity, natural gas, oil, roads, rail, food, water, minerals, and finished products cross our borders with Canada and Mexico as a routine component of commerce and infrastructure operations. The importance of this trade, and the infrastructures that support it, was highlighted after the terrorist attacks of September 11, 2001, nearly closed both borders. The United States entered into the 2001 Smart Border Declaration with Canada and the 2002 Border Partnership Declaration with Mexico, in part, to address bilateral CIKR issues. In addition, the 2005 Security and Prosperity Partnership of North America (SPP) established a common approach to security to protect North America from external threats, prevent and respond to threats, and further streamline the secure and efficient movement of legitimate, low-risk traffic across the shared borders.
- United Kingdom: DHS has formed a Joint Contact Group (JCG) with the United Kingdom that brings officials into regular, formal contact to discuss and resolve a range of bilateral homeland security issues.
- Group of Eight: The G8 underscored its determination to combat all forms of terrorism and to strengthen international cooperation when heads of government attending the July 2005 meeting in Scotland issued a Statement on Counter-Terrorism, citing three areas of focus related to CIKR protection:
  - To improve the sharing of information on the movement of terrorists across international borders;
  - To assess and address the threat to the transportation infrastructure; and
  - To promote best practices for rail and metro security.
- North Atlantic Treaty Organization: NATO addresses CIKR protection issues through the Senior Civil Emergency Planning Committee, the senior policy and advisory body to the North Atlantic Council on civil emergency planning and disaster relief matters. The committee is responsible for policy direction and coordination of planning boards and committees in the NATO environment. It has developed considerable expertise that applies to CIKR protection and has planning boards and committees covering ocean shipping, inland surface transport, civil aviation, food and agriculture, industrial preparedness, civil communications planning, civil protection, and civil-military medical issues.
4.1.4.3 Approach to International Cybersecurity
The United States proactively integrates its intelligence capabilities to protect the country
from cyber attack; its diplomatic outreach, advocacy, and operational capabilities to build
awareness, preparedness, capacity, and partnerships in the global community; and its law
enforcement capabilities to combat cyber crime wherever it originates. The private sector,
international industry associations, and companies with global interests and operations
also are engaged to address cybersecurity internationally. For example, the U.S.-based
Information Technology Association of America participates in international cybersecurity
conferences and forums, such as the India-based National Association for Software and
Service Companies Joint Conference. These efforts require interaction between policy and
operations functions to coordinate national and international activity that is mutually
supportive across the globe:
- International Cybersecurity Outreach: DHS, in cooperation with the Department of State, other Federal departments and agencies and the private sector, engages in multilateral and bilateral discussions to further international computer security awareness and policy development, as well as incident response team information-sharing and capacity-building objectives. DHS engages in bilateral discussions on cybersecurity issues with various international partners, such as India, Italy, Japan, and Norway. DHS also works with international partners in multilateral and regional forums to address cybersecurity and critical information infrastructure protection. For example, the Asia-Pacific Economic Cooperation Telecommunications Working Group recently
4.2.3 The Information-Sharing Approach
Figure 4.2 illustrates the broad concept of the NIPP multidirectional networked
information-sharing approach. This information-sharing network consists of components
that are connected by a national communications platform, the Homeland Security
Information Network (HSIN). HSIN is a counterterrorism communications system
developed by State and local authorities and connecting all 50 States, 5 territories,
Washington, DC, and 50 major urban areas. HSIN is one of the key DHS technology tools
for strengthening the protection and ensuring reliable performance of the nation's critical
infrastructure through communication, coordination, and information sharing. It is an
Internet-based platform that enables secure, encrypted sensitive but unclassified (SBU)
and for official use only (FOUO) communication between DHS and vetted members within
and across CIKR sectors so that partners can obtain, analyze, and share information. The
diagram illustrates how the HSIN is used for two-way and multi-directional information
sharing between DHS; the Federal Intelligence Community; Federal departments and
agencies; State, local, and tribal jurisdictions; and the private sector. The connectivity of
the network also allows these partners to share information and coordinate among
themselves (e.g., State-to-State coordination). CIKR partners are grouped into nodes in the
information-sharing network approach.
4.2.3.1 Information Sharing Environment
As specified in the Intelligence Reform and Terrorism Prevention Act of 2004, the Federal
Government is working with State and local partners and the private sector to create the
information-sharing environment (ISE) for terrorism information, in which access to such
information is matched to the roles, responsibilities, and missions of all organizations
engaged in countering terrorism and is timely and relevant to their needs. CIKR ISE has
been adopted as the private sector component, with the Assistant Secretary for
Infrastructure Protection as the designated Federal government lead. It is important to
note that most of the information shared day-to-day with the CIKR ISE consists of
information necessary for coordination and management of risks resulting from natural
hazards and accidents. Consequently, for information sharing to be efficient and
sustainable for the CIKR owners and operators, the same environment should be used to
share terrorism information.
CIKR information sharing breaks new ground. It also creates business risks for the owners
and operators. Significant questions are raised, such as: What information is required for a
productive two-way exchange? How is information most efficiently delivered and to whom
to elicit effective action? How is information–both proprietary and government–
appropriately protected? How will the sectors effect appropriate action in coordination with
all levels of government? How can business risks be mitigated when an exchange takes
place?
Of particular criticality is the coordination of CIKR information sharing at the national
level with that at the local level, where most decisions are made and actions taken to
support the CIKR protection mission. The integration of the CIKR ISE into the national
ISE as its private sector component, in recognition of its comprehensiveness and
engagement with all levels of government, strengthens the foundation for effective
coordination.
40 The CIKR ISE supports three levels of decision making and action: 1) strategic planning
41 and investment; 2) situational awareness and preparedness; and 3) operational planning
42 and response. It provides for policy, governance, planning, and coordination of information
43 sharing, as well as forums for developing effective, tailored forms and identifying the types
44 of information necessary for partners to make appropriate decisions and take necessary
45 actions for effective risk management.
1 The CIKR ISE also encompasses a number of mechanisms that facilitate the flow of
2 information, mitigate obstacles to voluntary information sharing by CIKR owners and
3 operators, and provide feedback and continuous improvement for structures and processes.
4 The CIKR ISE accommodates a broad range of sector cultures, operations, and risk
5 management approaches and recognizes the unique policy and legal challenges for full two-
6 way sharing of information between the CIKR owners and operators and various levels of
7 government.
4.2.3.2 Information Sharing With HSIN
When fully deployed, the HSIN will constitute a robust and significant information-sharing system that supports NIPP-related steady-state CIKR protection and NRF-related incident management activities, as well as serving the information-sharing processes that form the bridge between these two homeland security missions. The linkage between the nodes results in a dynamic view of the strategic risk and evolving incident landscape. HSIN functions as one of a number of mechanisms that enable DHS, SSAs, and other partners to share information. Other supporting technologies and more traditional methods of communications will continue to support CIKR protection, as appropriate, and will be fully integrated into the network approach.
DHS and the SSAs work with other partners to measure the efficacy of the network and to identify areas in which new mechanisms or supporting technologies are required. The HSIN and the key nodes of the NIPP information-sharing approach are detailed in the subsequent sections. By offering a user-friendly, efficient conduit for information sharing, HSIN enhances the combined effectiveness in an all-hazards environment. HSIN network architecture design is informed by experience gained by DOD and other Federal agencies in developing networks to support similar missions. It supports a secure common operating picture for all command or watch centers, including those of supporting emergency management and public health activities.
HSIN will be one part of the ISE, and when fully developed, users of HSIN will be able to access ISE terrorism information based on their roles, responsibilities, and missions. The HSIN is composed of multiple, non-hierarchal communities of interest (COIs) that offer CIKR partners the means to share information based on secure access. COIs provide virtual areas where groups of participants with common concerns, such as law enforcement, counterterrorism, critical infrastructure, emergency management, intelligence, international, and other topics, can share information. This structure allows government and industry partners to engage in collaborative exchanges, based on specific sector-generated information requirements, mission emphasis, or interest level. Within the Homeland Security Information Network for Critical Sectors (HSIN-CS) COI, each sector establishes rules for participation, including vetting and verification processes that are appropriate for the sector CIKR landscape and requirements for information protection. For example, in some sectors, applicants are vetted through the SCC or ISAC; others may require participants to be documented members of a specific profession, such as law enforcement.
4.2.3.3 Critical Infrastructure Warning Information Network
Critical Infrastructure Warning Information Network (CWIN) is a relatively new mechanism that facilitates the flow of information, mitigates obstacles to voluntary information sharing by CIKR owners and operators, and provides feedback and continuous improvement for structures and processes. CWIN is the critical, survivable network connecting DHS with vital sector partners that are essential to restoring the Nation’s core infrastructure. Those sectors/subsectors are communications, IT, and electricity as well as their Federal and State official counterparts. In the circumstance where all or a major part of telecommunications and Internet connectivity are lost or disrupted, CWIN is designed to provide a survivable “out of band” communications and information-sharing capability to coordinate and support infrastructure restoration. Once the core capabilities of telecommunications, the Internet, and electricity are restored, normal communication channels can be utilized and other critical infrastructures can begin the process of restoration.
4.2.4 The Federal Intelligence Node
The Federal Intelligence Node, comprised of national Intelligence Community agencies, SSA intelligence offices, and the DHS Office of Intelligence and Analysis (DHS/OI&A), identifies and establishes the credibility of general and specific threats. This node also includes national, regional, and field-level information-sharing and intelligence fusion center entities that contribute to information sharing in the context of the CIKR protection mission.
At the national level, these centers include, but are not limited to, the DHS/HITRAC, the FBI-led National Joint Terrorism Task Force (NJTTF), the National Counterterrorism Center (NCTC), and the National Maritime Intelligence Center.
DHS/HITRAC analyzes and integrates threat information and works closely with components of the Federal Infrastructure Node to generate and disseminate threat warning products to CIKR partners, both internal and external to the network, as appropriate.
The NJTTF mission is to enhance communications, coordination, and cooperation among Federal, State, local, and tribal agencies representing the intelligence, law enforcement, defense, diplomatic, public safety, and homeland security communities by providing a point of fusion for terrorism intelligence and by supporting Joint Terrorism Task Forces (JTTFs) throughout the United States.
The NCTC serves as the primary Federal organization for analyzing and integrating all intelligence possessed or acquired by the U.S. Government pertaining to terrorism and counterterrorism, except purely domestic counterterrorism information. The NCTC may, consistent with applicable law, receive, retain, and disseminate information from any Federal, State, or local government or other source necessary to fulfill its responsibilities.
Project Seahawk is a taskforce comprised of 40 Federal, State, and local law enforcement agencies that enhances intermodal transportation and port security by sharing jurisdictional responsibility for the Port of Charleston and its metropolitan area. Other examples of information-sharing and intelligence fusion center entities include:
DHS/USCG operates a Maritime Intelligence Fusion Center (MIFC)—Pacific (Alameda, CA) and an MIFC—Atlantic (Dam Neck, VA). These centers serve as resources for intelligence support for the DHS/USCG, as well as for local and international maritime, intelligence, and law enforcement partners;
DHS/Immigration and Customs Enforcement operates the Human Smuggling and Trafficking Center, an inter-agency joint intelligence fusion center focused specifically on human smuggling and human trafficking. Other DHS entities, the Department of State, DOJ, and other members of the Intelligence Community participate in the Center; and
The Defense Intelligence Agency operates analytic fusion centers in the various overseas areas of operation (i.e., EUCOM, PACOM, CENTCOM, SOUTHCOM, NORTHCOM). These fusion cells support production coordination and targeting/operational activities, as well as ongoing area operations or special programs.
The National Maritime Intelligence Center serves as the central point of connectivity to fuse, analyze, and disseminate information and intelligence for shared situational awareness across classification boundaries.
At the regional and field levels, Federal information-sharing and intelligence fusion centers include entities such as the local JTTFs, the DHS/DOJ-sponsored Project Seahawk, and FBI Field Intelligence Groups that provide the centralized intelligence/information-sharing component in every FBI field office.
4.2.5 The Federal Infrastructure Node
The Federal Infrastructure Node, comprised of DHS, SSAs, GCCs, and other Federal departments and agencies, gathers and receives threat, incident, and other operational information from a variety of sources (including a wide range of watch/operations centers). This information enables assessment of the status of CIKR and facilitates the development and dissemination of appropriate real-time threat and warning products and corresponding protective measures recommendations to CIKR partners (see chapter 3). Participants in the Federal node collaborate with CIKR owners and operators to gain input during the development of threat and warning products and corresponding protective measures recommendations.
4.2.6 State, Local, Tribal, Territorial, and Regional Node
This node provides links between DHS, the SSAs, and partners at the State, local, regional, tribal, and territorial levels. Several established communications channels provide protocols for passing information from the local to the State to the Federal level and disseminating information from the Federal Government to other partners. The NIPP network approach augments these established communications channels by facilitating two-way and multi-directional information sharing. Members of this node provide incident response, first-responder information, and reports of suspicious activity to the FBI and DHS for purposes of awareness and analysis. Homeland security advisors receive and further disseminate coordinated DHS/FBI threat and warning products, as appropriate.
Numerous States and urban area jurisdictions also have established fusion centers or terrorism early warning centers to facilitate a collaborative process between law enforcement, public safety, other first-responders, and private entities to collect, integrate, evaluate, analyze, and disseminate criminal intelligence and other information that relates to CIKR protection.
4.2.6.1 Fusion Centers
Another key mechanism for information exchange at the local level is SLFCs. SLFCs are developing or integrating operational capabilities that focus on securing CIKR and advancing Federal, State, local, and private sector CIKR protection efforts. The operational capability will include the development of analytical products, such as risk and trend analysis, and the
Information exchange between fusion centers and local partners:
Site-specific risk information
Interdependency information
Suspicious activity reports
Communications capability information
Adversary tactics, techniques, and procedures
Best practices
Standard operating procedures for incident response
Emergency contact/alert information
within and across sectors. DHS and other Federal watch/operations centers provide the 24/7 capability required to enable the real-time alerts and warnings, incident reporting, situational awareness, and assessments needed to support CIKR protection.
The principal purpose of a watch/operations center is to collect and share information. Therefore, the value and effectiveness of such centers is largely dependent upon a timely, accurate, and extensive population of information sources. The NIPP information-sharing network approach virtually integrates numerous primary watch/operations centers at various levels to enhance information exchange, providing a far-reaching network of awareness and coordination.
4.2.8.1 National Operations Center [23]
The NOC, formerly known as the Homeland Security Operations Center, serves as the Nation’s hub for domestic incident management operational coordination and situational awareness. The NOC is a standing 24/7 interagency organization fusing law enforcement, national intelligence, emergency response, and private sector reporting. The NOC facilitates homeland security information-sharing and operational coordination among Federal, State, local, tribal, and private sector partners, as well as select members of the international community. As such, it is at the center of the NIPP information-sharing network.
The NOC information-sharing and coordination functions include:
Information Collection and Analysis: The NOC maintains national-level situational awareness and provides a centralized, real-time flow of information. An NOC common operating picture is generated using data collected from across the country to provide a broad view of the Nation’s current overall risk and preparedness status. Using the common operating picture, NOC personnel, in coordination with the FBI and other agencies, as appropriate, perform initial assessments to gauge the terrorism nexus and track actions taking place across the country in response to a threat, natural disaster, or accident. The information compiled by the NOC is distributed to partners, as appropriate, and is accessible to affected CIKR partners through the HSIN.
Situational Awareness and Incident Response Coordination: The NOC provides the all-hazards information needed to help make decisions and define courses of action.
Threat Warning Products: DHS jointly reviews threat information with the FBI, Intelligence Community, and other Federal departments and agencies on a continuous basis. When a threat is determined to be credible and actionable, DHS is responsible for coordinating with these Federal partners in the development and dissemination of threat warning products. This coordination ensures, to the greatest extent possible, the accuracy and timeliness of the information, as well as concurrence by Federal partners.
DHS disseminates threat warning products to Federal, State, local, and tribal governments, as well as to private sector organizations and international partners as COI members through the HSIN, established e-mail distribution lists, and other methods, as required:
[23] The Federal Response to Hurricane Katrina: Lessons Learned, issued by the Homeland Security Council, February 2006, recommended the establishment of the NOC as a single entity to unify situational awareness and response, recovery, and mitigation functions. The NOC replaces the DHS Homeland Security Operations Center.
National Response Planning and Execution: The NICC supports the NRF by facilitating information sharing among SCCs, GCCs, ISACs, and other partners during CIKR mitigation, response, and recovery activities.
4.2.8.2 National Coordinating Center for Telecommunications
Pursuant to Executive Order 12472, the National Communications System (NCS) assists the President, National Security Council, Homeland Security Council, Office of Science and Technology Policy (OSTP) and OMB in the coordination and provision of NS/EP communications for the Federal Government under all circumstances, including crisis or emergency, attack, recovery, and reconstitution. As called for in the Executive order, the NCS has established the NCC, which is a joint industry-government entity. Under the Executive order, the NCC assists the NCS in the initiation, coordination, restoration, and reconstitution of national security or emergency preparedness communications services or facilities under all conditions of crisis or emergency. The NCC regularly monitors the status of communications systems. It collects situational and operational information on a regular basis, as well as during a crisis, and provides information to the NCS. The NCS, in turn, shares information with the White House and other DHS components.
4.2.8.3 United States Computer Emergency Readiness Team
The United States Computer Emergency Readiness Team (US-CERT) is a 24/7 single point of contact for cyberspace analysis, warning, information sharing, and incident response and recovery for CIKR partners. It is a partnership between DHS and the public and private sectors designed to enable protection of cyber infrastructure and to coordinate the prevention of and response to cyber attacks across the Nation.
US-CERT coordinates with CIKR partners to disseminate reasoned and actionable cybersecurity information through a Web site, accessible through the HSIN, and through mailing lists. Among the products it provides are:
Cybersecurity Bulletins: Weekly bulletins written for systems administrators and other technical users that summarize published information concerning new security issues and vulnerabilities.
Technical Cybersecurity Alerts: Written for system administrators and experienced users, technical alerts provide timely information on current security issues, vulnerabilities, and exploits.
Cybersecurity Alerts: Written in a language for home, corporate, and new users, these alerts are published in conjunction with technical alerts when there are security issues that affect the general public.
Cybersecurity Tips: Tips provide information and advice on a variety of common security topics. They are published biweekly and are primarily intended for home, corporate, and new users.
National Web Cast Initiative: DHS, through US-CERT and the Multi-State Information Sharing and Analysis Center (MS-ISAC), has initiated a joint partnership to develop a series of national Web casts that will examine critical and timely cybersecurity issues. The purpose of the initiative is to strengthen the Nation’s cyber readiness and resilience.
US-CERT also provides a method for citizens, businesses, and other important institutions to communicate and coordinate directly with the Federal Government on matters of cybersecurity. The private sector can use the protections afforded by the Critical Infrastructure Information Act to electronically submit proprietary data to US-CERT.
4.2.10 Other Information-Sharing Nodes
DHS, other Federal agencies, and the law enforcement community provide additional services and programs that share information supporting CIKR protection with a broad range of partners. These include, but are not limited to, the following:
Sharing National Security Information: DHS sponsors security clearances for designated private sector owners and operators to promote the sharing of classified information using currently available methods and systems.
FBI Law Enforcement Online (LEO): LEO can be accessed by any approved employee of a Federal, State, or local law enforcement agency, or approved member of an authorized law enforcement special interest group. LEO provides a communications mechanism to link all levels of law enforcement throughout the United States.
RISSNET™ is a secure nationwide law enforcement and information-sharing network that operates as part of the Regional Information Sharing Systems (RISS) Program. RISS is composed of six regional centers that share intelligence and coordinate efforts targeted against criminal networks, terrorism, cyber crime, and other unlawful activities that cross jurisdictional lines. RISSNET features include online access to a RISS electronic bulletin board, databases, RISS center Web pages, secure e-mail, a RISS search engine, and other center resources. The RISS program is federally funded and administered by the DOJ/Bureau of Justice Assistance.
FBI InfraGard: InfraGard is a partnership between the FBI, other government entities, and the private sector. The InfraGard National Membership Alliance is an association of businesses, academic institutions, State and local law enforcement agencies, and other participants that enables the sharing of knowledge, expertise, information, and intelligence related to the protection of U.S. CIKR from physical and cyber threats.
Interagency Cybersecurity Efforts: The intelligence and law enforcement communities have various information-sharing mechanisms in place. Examples include:
– U.S. Secret Service’s Electronic Crimes Task Forces: U.S. Secret Service’s Electronic Crimes Task Forces (ECTFs) prevent, detect, and investigate electronic crimes, cyber-based attacks, and intrusions against CIKR and electronic payment systems, and provide interagency information sharing on related issues.
– Cybercop Portal: The DHS-sponsored Cybercop portal is a secure Internet-based information-sharing mechanism that connects more than 5,300 members of the law enforcement community, bank investigators, and the network security specialists involved in electronic crimes investigations.
CEO COM LINK℠: The Critical Emergency Operations Communications Link (CEO COM LINK) is a telephone communications system that will enable the Nation’s top chief executive officers (CEOs) to enhance the protection of employees, communities, and the Nation’s CIKR by communicating with government officials and each other about specific threats or during national crises. The calls, which are restricted to authorized participants, allow top government officials to brief CEOs on developments and threats, and allow CEOs to ask questions or share information with government leaders and with each other.
The PCII Program Office validates the information as PCII if it qualifies for protection under the CII Act;
All PCII is stored in a secure data management system and CIKR partners follow PCII Program safeguarding, handling, dissemination and storage requirements established in the Final Rule and promulgated by the PCII Program Office;
Secure methods are used for disseminating PCII, which may only be accessed by authorized PCII users who have taken the PCII Program training (see Section 6.2 for PCII training offerings), have homeland security duties as well as a need-to-know for the specific PCII;
Authorized users must comply with safeguarding requirements defined by the PCII Program Office; and
Any suspected disclosure of PCII will be promptly investigated.
The Final Rule invested the PCII Program Manager with the authority and flexibility to designate certain types of CII as presumptively valid PCII to accelerate the validation process and to facilitate submissions directly to SSAs. This is known as a “categorical inclusion.” Specifically, categorical inclusions allow:
The PCII Program Manager to establish categories of information for which PCII status will automatically apply;
Indirect submissions to DHS through DHS field representatives and other SSAs;
The PCII Program Office to designate DHS field representatives and SSAs other than DHS to receive CII indirectly on behalf of DHS, but only the PCII Program Manager is authorized to make the decision to validate a submission as PCII.
The Final Rule enables submitters to submit their CII directly to a PCII Program Manager Designee within a given SSA. Interested submitters should contact the PCII Program Office at pcii-info@dhs.gov to determine whether an SSA has an appropriate PCII categorical inclusion program established. If the SSA does not have one, the PCII Program Office will work with the submitter and the SSA to establish a program and facilitate the application of PCII protections to the submitter’s CIKR information.
4.3.1.3 Uses of PCII
PCII may be shared with accredited government entities, including authorized Federal, State, or local government employees or contractors supporting Federal agencies, only for the purposes of securing CIKR and protected systems. PCII will be used for analysis, prevention, response, recovery, or reconstitution of CIKR threatened by terrorism or other hazards.
Accredited government entities may generate advisories, alerts, and warnings relevant to the private sector based on the PCII. Communications available to the public, however, will not contain any actual PCII. PCII can be combined with other information, including classified information to support CIKR protection activities, but must be marked accordingly.
The CII Act specifically authorizes disclosure of PCII without the permission of the submitter to:
Further an investigation or prosecute a criminal act;
Either House of Congress, or to the extent they address matters within their jurisdiction, or any related committee, subcommittee, or joint committee;
The Comptroller General or any authorized representative of the Comptroller General, while performing the duties of the General Accounting Office.
4.3.1.4 PCII Protections and Authorized Users
The PCII Program has established policies and procedures to ensure that PCII is properly accessed, used, and safeguarded throughout its life cycle. These safeguards ensure that submitted information is:
Used appropriately for homeland security purposes;
Accessed only by authorized and properly trained government employees and contractors with homeland security duties who have a need to know and for non-Federal government employees who have signed a Non-Disclosure Agreement;
Protected from disclosure under the Freedom of Information Act (FOIA) and similar State and local disclosure laws, and from use in civil litigation and regulatory actions; and
Protected and handled in a secure manner.
The law and rule prescribe criminal penalties for intentional unauthorized access, distribution, and misuse of PCII including the following provisions:
Federal employees may be subject to disciplinary action, including criminal and civil penalties and loss of employment;
Contract employees may face termination, and the contractor may have its contract terminated; and
The CII Act sanctions for unauthorized disclosure of PCII apply only to Federal personnel. In order to become accredited, State and local participating entities must demonstrate that they can apply appropriate State and local penalties for improperly handling sensitive information such as PCII.
PCII is actively used by numerous DHS information collection and assessment tools, including the Constellation/Automated Critical Asset Management System (C/ACAMS), Buffer Zone Plans (BZPs), and Site Assistance Visits (SAVs). PCII also partners with many Federal agencies, notably the Department of Health and Human Services (HHS) and the Department of Defense (DoD). In addition, the PCII Program actively partners with all States and territories interested in becoming accredited.
4.3.2 Other Information Protection Protocols
Information protection protocols may impose requirements for access or other standard processes for safeguarding information. Information need not be validated as PCII to receive security protection and disclosure restrictions. Several categories of information related to CIKR are considered to be sensitive but unclassified and require protection. Examples include sector-specific information, such as sensitive transportation or nuclear information, or information determined to be classified information based on the analysis of unclassified information. The major categories that apply to CIKR are discussed below.
5.1.2.2 The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets
The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets identifies national policy, goals, objectives, and principles needed to “secure the infrastructures and assets vital to national security, governance, public health and safety, economy, and public confidence.” The strategy identifies specific initiatives to drive near-term national protection priorities and inform the resource allocation process; identifies key initiatives needed to secure each of the CIKR sectors; and addresses specific cross-sector security priorities. Additionally, it establishes a foundation for building and fostering the cooperative environment in which government, industry, and private citizens can carry out their respective protection responsibilities more effectively and efficiently.
5.1.2.3 The National Strategy to Secure Cyberspace
The National Strategy to Secure Cyberspace sets forth objectives and specific actions needed to prevent cyber attacks against America’s CIKR; identifies and appropriately responds to those responsible for cyber attacks; reduces nationally identified vulnerabilities; and minimizes damage and recovery time from cyber attacks. This strategy articulates five national priorities, including the establishment of a security response system, a threat and vulnerability reduction program, awareness and training programs, efforts to secure government cyberspace, and international cooperation.
Priority in this strategy is focused on improving the national response to cyber incidents; reducing threats from and vulnerabilities to cyber attacks; preventing cyber attacks that could affect national security assets; and improving the international management of and response to such attacks.
5.1.2.4 Implementing Recommendations of the 9/11 Commission Act of 2007
This act requires the implementation of some of the recommendations made by the 9/11 Commission, to include requiring the Secretary of Homeland Security to: 1) establish department-wide procedures to receive and analyze intelligence from State, local, and tribal governments and the private sector; and 2) establish a system that screens 100 percent of maritime and passenger cargo. The Act also established grants to support high-risk urban areas and State, local, and tribal governments in preventing, preparing for, protecting against, and responding to acts of terrorism; and to assist States in carrying out initiatives to improve international emergency communications.
5.1.3 Homeland Security Presidential Directives and National Initiatives
Homeland Security Presidential directives set national policies and executive mandates for specific programs and activities (see figure 5-1, column 3). The first was issued on October 29, 2001, shortly after the attacks on September 11, 2001, establishing the Homeland Security Council. It was followed by a series of directives regarding the full spectrum of actions required to “prevent terrorist attacks within the United States; reduce America’s vulnerability to terrorism, major disasters, and other emergencies; and minimize the damage and recover from incidents that do occur.” A number of these are relevant to CIKR protection. HSPD-3, Homeland Security Advisory System, provides the requirement for the dissemination of information regarding terrorist acts to Federal, State, and local authorities, and the American people. HSPD-5 addresses the national approach to domestic incident management; HSPD-7 focuses on the CIKR protection mission; and HSPD-8 focuses on ensuring the optimal level of preparedness to protect, prevent, respond to, and recover from terrorist attacks and the full range of natural and manmade hazards.
This section addresses the Homeland Security Presidential directives that are most relevant to the overarching CIKR protection component of the homeland security mission (e.g., HSPDs 3, 5, 7, and 8). Other Presidential directives, such as HSPD-9, Defense of the United States Agriculture and Food, and HSPD-10, Biodefense for the 21st Century, are relevant to CIKR protection in specific sectors and are addressed in further detail in the appropriate SSPs.
9 5.1.3.1 HSPD-3, Homeland Security Advisory System
10 HSPD-3 (March 2002) established the policy for the creation of the HSAS to provide
11 warnings to Federal, State, and local authorities, and the American people in the form of a
12 set of graduated Threat Conditions that escalate as the risk of the threat increases. At each
13 threat level, Federal departments and agencies are required to implement a corresponding
14 set of protective measures to further reduce vulnerability or increase response capabilities
15 during a period of heightened alert. The threat conditions also serve as guideposts for the
16 implementation of tailored protective measures by State, local, tribal, and private sector
17 partners.
18 5.1.3.2 HSPD-5, Management of Domestic Incidents
19 HSPD-5 (February 2003) required DHS to lead a coordinated national effort with other
20 Federal departments and agencies; State, local, and tribal governments; and the private
21 sector to develop and implement a National Incident Management System (NIMS) and the
22 NRF (see figure 5-1, column 4).
23 The NIMS (March 2004) provides a nationwide template enabling Federal, State, local, and
24 tribal governments; the private sector; and nongovernmental organizations to work
25 together effectively and efficiently to prevent, protect against, respond to, and recover from
26 incidents regardless of cause, size, and complexity. The NIMS provides a uniform doctrine
27 for command and management, including Incident Command, Multiagency Coordination,
28 and Joint Information Systems; resource, communications, and information management;
29 and application of supporting technologies.
30 The NRP (December 2004) was superseded by the National Response Framework (January
31 of 2008). Both the NRP and the NRF were built on the NIMS template to establish a single,
32 comprehensive framework for the management of domestic incidents (including threats)
33 that require DHS coordination and effective response and engaged partnership by an
34 appropriate combination of Federal, State, local, and tribal governments; the private sector;
35 and nongovernmental organizations. The NRF includes a CIKR Support Annex that
36 provides the policies and protocols for integrating the CIKR protection mission as an
37 essential element of domestic incident management, and establishes the Infrastructure
38 Liaison function to serve as a focal point for CIKR coordination at the field level.
39 5.1.3.3 HSPD-7, Critical Infrastructure Identification, Prioritization, and Protection
40 HSPD-7 (December 2003) established the U.S. policy for “enhancing protection of the
41 Nation’s CIKR.” It mandated development of the NIPP as the primary vehicle for
42 implementing the CIKR protection policy. HSPD-7 directed the Secretary of Homeland Security
43 to lead development of the plan, including, but not limited to, the following four key
44 elements:
1 secure information-sharing systems to provide law enforcement agencies and other first
2 responders with access to detailed information that enhances the preparedness of
3 Federal, State, local, territorial, and tribal government personnel to deter, prevent, detect,
4 protect against, and respond to explosive attacks in the US. The information-sharing
5 systems will include lessons learned and best practices regarding the use of explosives
6 as a terrorist weapon and related insurgent war fighting tactics employed both domestically
7 and internationally.
8 Additionally, HSPD-19 states that the Secretary of Homeland Security, in coordination
9 with the Attorney General, the Secretary of Defense, and the Director of the Office of
10 Science and Technology Policy, is responsible for coordinating Federal Government
11 research, development, testing, and evaluation activities related to the detection and
12 prevention of, protection against, and response to explosive attacks and the development
13 of explosives render-safe tools and technologies.
HSPD-19 implementation efforts seek to coordinate and enhance the Nation’s capabilities to
deter, prevent, detect, protect against, and respond to a terrorist attack using explosives or IEDs.
1 5.3 Relationship of the NIPP and SSPs to Other CIKR Plans and Programs
3 The NIPP and SSPs outline the overarching elements of the CIKR protection effort that
4 generally are applicable within and across all sectors. The SSPs are an integral component
5 of the NIPP and exist as independent documents to address the unique perspective, risk
6 landscape, and methodologies associated with each sector. Homeland security plans and
7 strategies at the State, local, and tribal levels of government address CIKR protection
8 within their respective jurisdictions, as well as mechanisms for coordination with various
9 regional efforts and other external entities. The NIPP also is designed to work with the
10 range of CIKR protection-related plans and programs instituted by the private sector, both
11 through voluntary actions and as a result of various regulatory requirements. These plans
12 and programs include business continuity and resilience measures. NIPP processes are
13 designed to enhance coordination, cooperation, and collaboration among CIKR partners
14 within and across sectors to synchronize related efforts and avoid duplicative or
15 unnecessarily costly security requirements.
16 5.3.1 Sector-Specific Plans
17 Based on guidance from DHS, SSPs were developed jointly by SSAs in close collaboration
18 with SCCs, GCCs, and others, including State, local, and tribal homeland partners with key
19 interests or expertise appropriate to the sector. The SSPs provide the means by which the
20 NIPP is implemented across all sectors, as well as a national framework for each sector
21 that guides the development, implementation, and updating of State and local homeland
22 security strategies and CIKR protection programs. The SSPs for the original 17 sectors
23 were all submitted to DHS by December 31, 2006, and were officially released on May 21,
24 2007, after review and comment by the Homeland Security Council’s Critical Infrastructure
25 Protection Policy Coordinating Committee.
26 Those SSPs that are available for general release may be downloaded from:
27 http://www.dhs.gov/nipp (click on Sector-Specific Plans). If an SSP is not posted there, it is
28 marked as For Official Use Only (FOUO). For copies of the FOUO SSPs, please contact the
29 responsible SSA, or the NIPP Program Management Office (NIPP@dhs.gov).
30 SSPs are tailored to address the unique characteristics and risk landscapes of each sector
31 while also providing consistency for protective programs, public and private protection
32 investments, and resources. SSPs serve to:
33 Define sector partners, authorities, regulatory bases, roles and responsibilities, and
34 interdependencies;
35 Establish or institutionalize already existing procedures for sector interaction,
36 information sharing, coordination, and partnership;
37 Establish the goals and objectives, developed collaboratively between sector partners,
38 required to achieve the desired protective posture for the sector;
39 Identify international considerations;
40 Identify areas for government action above and beyond an owner/operator or sector risk
41 model; and
22 5.3.2 State, Regional, Local, Tribal, and Territorial CIKR Protection Programs
23 The National Preparedness Guidelines defines the development and implementation of a
24 CIKR protection program as a key component of State, regional, local, and tribal homeland
25 security programs. Creating and managing a CIKR protection program for a given
26 jurisdiction entails building an organizational structure and mechanisms for coordination
1 between government and private sector entities that can be used to implement the NIPP
2 risk management framework. This includes taking actions within the jurisdiction to set
3 security goals; identifying assets, systems, and networks; assessing risks; prioritizing CIKR
4 across sectors and jurisdictional levels; implementing protective programs; measuring the
5 effectiveness of risk management efforts; and sharing information between relevant public
6 and private sector partners. These elements form the basis of focused CIKR protection
7 programs and guide the implementation of the relevant CIKR protection-related goals and
8 objectives outlined in State, local, and tribal homeland security strategies. To assist in the
9 development of such CIKR protection programs, DHS issued A Guide to Critical
10 Infrastructure and Key Resources Protection at the State, Regional, Local, Tribal, and
11 Territorial Levels (2008).
12 In a regional context, the NIPP risk management framework and information-sharing
13 processes can be applied through the development of a regional partnership model or the
14 use of existing regional coordinating structures. Effective regional approaches to CIKR
15 protection involve coordinated information sharing, planning, and sharing of costs and risk.
16 Regional approaches also include exercises to bring public and private sector partners
17 together around a shared understanding of the challenges to regional resilience; analytical
18 tools to inform decisionmakers on risk and risk management with the associated benefits
19 and costs; and forums to enable decisionmakers to formulate protective measures and
20 identify funding requirements and resources within and across sectors and jurisdictions.
21 State, regional, local, tribal, and territorial CIKR protection efforts enhance
22 implementation of the NIPP and the SSPs by providing unique geographical focus and
23 cross-sector coordination potential. To ensure that these efforts are consistent with other
24 CIKR protection planning activities, the basic elements to be incorporated in these efforts
25 are provided in appendix 5A. The recommended elements described in this appendix
26 recognize the variations in governance models across the States; recognize that not all
27 sectors are represented in each State or geographical region; and are flexible enough to
28 reflect varying authorities, resources, and issues within each State or region.
29 5.3.3 Other Plans or Programs Related to CIKR Protection
30 Federal partners should review and revise, as necessary, other plans that address elements
31 of CIKR protection to ensure that they support the NIPP in a manner that avoids
32 unnecessary layers of CIKR protection guidance. Examples of government plans or
33 programs that may contain relevant prevention, protection, and response activities that
34 relate to or affect CIKR protection include plans that address: State, local, and tribal
35 hazard mitigation; continuity of operations (COOP); continuity of government (COG);
36 environmental, health, and safety operations; and integrated contingency operations.
37 Review and revision of State, local, and tribal strategies and plans should be completed in
38 accordance with overall homeland security and grant program guidance.
39 Private sector owners and operators develop and maintain plans for business risk
40 management that include steady-state security and facility protection, as well as business
41 continuity and emergency management plans. Many of these plans include heightened
42 security requirements for CIKR protection that address the terrorist threat environment.
43 Coordination with these planning efforts is relevant to effective implementation of the
44 NIPP. Private sector partners are encouraged to consider the NIPP when revising these
45 plans, and to work with government partners to integrate their efforts with Federal, State,
46 local, and tribal CIKR protection efforts as appropriate.
1 • Efforts to address the threat environment and enhance CIKR protection and rapid
2 restoration.
3 DHS and other Federal agencies also engage in comprehensive national cyberspace security
4 awareness campaigns to remove impediments to sharing vulnerability information among
5 CIKR partners. This campaign includes audience-specific awareness materials, expansion
6 of the Stay Safe Online campaign, and development of awards programs for those making
7 significant contributions to the effort.
8 A Continuum of Capability Development
9 This document establishes a framework to enable awareness, education, training, and
10 exercise programs that allow people and organizations to develop and maintain core
11 competencies and expertise required for effective implementation of the CIKR protection
12 mission. Building the requisite individual and organizational capabilities requires
13 attracting, training, and maintaining sufficient numbers of professionals who have the
14 particular expertise unique or essential to CIKR protection. This, in turn, requires
15 individual education and training to develop and maintain the requisite levels of
16 competency through technical, academic, and professional development programs. It also
17 requires organizational training and exercises to validate process and enhance efficiency
18 and effectiveness of CIKR programs.
19 As illustrated below, outreach and awareness create the foundation upon which a
20 comprehensive CIKR education and training program can be built. Exercises provide an
21 objective assessment of an entity’s or individual’s capabilities, thus identifying areas for
22 improvement and highlighting training gaps and needs.
32 The objectives of NIPP-related training and education programs are to:
33 • Provide an integrated, coordinated approach to NIPP and CIKR-related education
34 and training that energizes and involves all partners
35 • Develop and implement grassroots education and training programs that
36 communicate effectively with key audiences
37 • Maximize coordination, deepen relationships, and broaden participation and
38 practices required for implementing the NIPP and the SSPs
39 The framework for education, training, and exercises is discussed below.
Area: Includes Knowledge and Skills To . . .

Risk Analysis
• Perform accurate, thorough, and complete risk-informed analyses (threat, vulnerability, and consequence).
• Design, develop, and conduct analyses that are current, timely, and accurate.
• Support executive and managerial decision making related to CIKR programs.

Protective Measures/Mitigation Strategies
• Establish CIKR program goals and objectives based on risk analysis.
• Plan, develop, and implement CIKR-related projects, measures, and activities. Take advantage of existing, emerging, and anticipated methods and technologies in order to develop effective strategies, projects, and activities.
• Implement continuous feedback mechanisms.

Partnership Building/Networking
• Understand the roles and responsibilities of all partners.
• Establish mechanisms for interacting with partners and exchanging information and resources (including best practices).

Information Collection & Reporting (Information Sharing)
• Use systems, tools, and protocols to collect, analyze, organize, report, and evaluate information.
• Communicate and share information with sector partners at each tier of governance including: sector-specific, across sectors, and within the private sector.

Program Management
• Establish sector-specific or jurisdictional CIKR goals and plans.
• Identify and prioritize CIKR projects, strategies, and activities for a sector or jurisdiction.
• Manage a CIKR program on schedule, within budget, and in compliance with performance standards.
• Design and implement continuous feedback mechanisms at the program level.
• Develop and implement CIKR training plans.

Metrics & Program Evaluation
• Define and establish CIKR metrics based on goals and objectives.
• Establish data collection and measurement plans, systems, and tools.
• Collect and analyze data.
• Report findings and conclusions.

Technical & Tactical Expertise (Sector-Specific)
• Note: This area includes the specialized (sector-specific) expertise required to plan, implement, and evaluate technical and tactical activities, measures, and programs.
2 The Training Delivery levels identified in the graphic above represent a cumulative
3 structure that begins with basic awareness and progresses to expert knowledge and skills
4 required to perform specific CIKR-related tasks and functions. Training and education
5 programs typically fall into these levels:
6 Awareness Materials: Motivate or inform course participants about CIKR-related
7 concepts, principles, policies, or procedures.
8 College Courses: Present advanced CIKR knowledge, research, and theories to promote
9 professional development.
10 Skill Development Sessions: Focus on improving the performance of specific CIKR
11 functions and tasks both during training and in the workplace.
12 Exercises: Reinforce and test CIKR skill acquisition, processes, and procedures.
13 Job Aids: Include tools or resources (such as guides, checklists, templates, and decision
14 aids) that allow an individual to quickly access the CIKR information he or she needs
15 to perform a task.
16 6.1.3 Individual Education and Training
17 Building and sustaining capabilities to implement the NIPP involves a complex approach to
18 the education and training effort that leverages existing accredited academic programs,
19 professional certification standards, and technical training programs. This requires an
20 effort with a national scope that includes, but is not limited to, the following components:
21 Training to provide individuals with the skills needed to perform their roles and
22 responsibilities under the NIPP and SSPs;
23 Academic and research programs that result in formal degrees from accredited
24 institutions; and
25 Professional continuing education, which incorporates the latest advances in CIKR risk-
26 mitigation approaches and, where appropriate, certification based on government,
27 industry, and professional organization standards.
28 To enable each of these components, the specific areas of emphasis are discussed in the
29 subsections that follow.
30 6.2.3.1 CIKR Protection Training
31 DHS, SSAs, and other CIKR partners offer a wide array of training programs designed to
32 enhance core competencies and build capabilities needed to support NIPP and SSP
33 implementation among the various target audiences. The level and content of training
34 programs vary based on sector requirements. Some sectors rely on the use of established
35 training programs while others develop courses to meet specific tactical or technical
1 objectives. DHS offers NIPP awareness level training through the DHS/FEMA Emergency
2 Management Institute (EMI). The Independent Study Course (IS860) is available online or
3 for classroom delivery. This course provides a foundation of basic principles of the NIPP
4 including the risk management and partnership frameworks, information-sharing, and
5 roles and responsibilities.
6 DHS, SSAs and other CIKR partners offer courses that enhance CIKR protection. One of
7 the ongoing objectives of NIPP and SSP-related training is to identify and align training
8 that enhances the core competencies and provides the appropriate level of training and
9 development opportunities for each of the identified training audiences.
10 NIPP and SSP-related training and education programs, to date, focus on enhancing risk
11 management, information collection, and the tactical and technical competencies required
12 to detect, deter, defend, and mitigate against terrorist activities and other incidents. DHS
13 and other Federal agencies support and provide training resources to local law enforcement
14 and others, with a special focus on urban areas with significant clusters of CIKR, localities
15 where high-profile special events are typically scheduled, or other potentially high-risk
16 geographical areas or jurisdictions. Federally provided technical training covers a range of
17 topics such as buffer zone protection, bombing prevention, workforce terrorism awareness,
18 surveillance detection, high-risk target awareness, and WMD incident training.
19 DHS supports cybersecurity training, education, and awareness programs by educating
20 vendors and manufacturers on the value of pre-configuring security options in products so
21 that they are secure on initial installation; educating users on secure installation and use of
22 cyber products; increasing user awareness and ease of use of the security features in
23 products; and, where feasible, promotion of industry guides. These training efforts also
24 encourage programs that leverage the existing Cyber Corps Scholarship for Service
25 program, as well as various graduate and post-doctoral programs; link Federal
26 cybersecurity and computer forensics training programs; and establish cybersecurity
27 programs for departments and agencies, including awareness, audits, and standards as
28 required.
29 DHS solicits recommendations from national professional organizations and from Federal,
30 State, local, tribal, and private sector partners for additional discipline-specific technical
31 training courses related to CIKR protection, and supports course development as
32 appropriate.
33 6.2.3.2 Academic Programs
34 DHS works with a wide range of academic institutions to incorporate CIKR protection into
35 professional education programs with majors or concentrations in CIKR protection. DHS
36 collaborates with universities to incorporate homeland security-related curriculum,
37 sponsors a post-graduate level program at the Naval Postgraduate School in homeland
38 defense and security, and collaborates with other higher education programs. These
39 programs offer opportunities to incorporate concentrations in various aspects of CIKR
40 protection as part of the multi-disciplinary degree programs.
41 DHS is promoting the development of a long-term higher education program which will
42 include academic degrees and adult education. The program is being developed through a
43 collaborative effort involving the DHS/IP, the DHS/S&T Universities and Centers for
44 Excellence Programs, DHS/TSA, and others. The initial program is being developed in
45 conjunction with the National Transportation Security Center for Excellence (NTSCOE)
1 that brings together a number of academic institutions with a mandate to build education
2 and training programs relevant to the CIKR protection mission. This initiative provides the
3 framework for the identification, development, and delivery of critical infrastructure
4 courses for the transportation industry. The initiative will lead to the implementation of
5 adult education and academic degree programs as part of a multidisciplinary core
6 curriculum applicable across all critical infrastructure sectors.
7 DHS will examine existing cybersecurity programs within the research and academic
8 communities to determine their applicability as models for CIKR protection education and
9 broad-based research. These programs include:
10 Co-sponsorship of the National Centers of Academic Excellence in Information
11 Assurance Education (CAEIAE) program with the National Security Agency; and
12 Collaboration with the National Science Foundation to co-sponsor the Cyber Corps
13 Scholarship for Service program. The Scholarship for Service program provides grant
14 money to selected CAEIAE and other universities with programs of a similar caliber to
15 fund the final 2 years of student bachelor’s, master’s, or doctoral study in information
16 assurance in exchange for an equal amount of time spent working for the Federal
17 Government.
18 DHS will ensure that the NCIP R&D Plan appropriately considers the human capital needs
19 for protection-related R&D by incorporating analysis of the research community’s future
20 needs for advanced degrees in protection-related disciplines into the plan development
21 process.
22 6.2.3.3 Continuing Education and Professional Competency
23 DHS encourages the use of established professional standards where practicable and, when
24 appropriate, works with CIKR partners to facilitate the development of continuing
25 education, professional competency programs, and professional standards for areas
26 requiring unique and critical CIKR protection expertise. For example, DHS is fostering the
27 development of CIKR adult and continuing education programs and leading the
28 development of private sector Preparedness Standards that are relevant to the CIKR
29 protection mission.
30 The adult education initiative focuses on enhancing the skills and ability of the CIKR
31 professionals and employees at all levels, to provide:
32 General awareness and baseline understanding of critical infrastructure, preparedness,
33 and protective measures.
34 Specialized CIKR training for individuals directly engaged in jobs or activities related to
35 CIKR protection (security, business continuity, emergency management, IT,
36 engineering, and others).
37 6.1.4 Organizational Training and Exercises
38 Building and maintaining organizational and sector expertise requires comprehensive
39 exercises to test the interaction between the NIPP and the NRF in the context of terrorist
40 incidents, natural disasters, and other emergencies. Exercises are conducted by private
41 sector owners and operators, and across all levels of government. They may be organized by
42 these entities, on a sector-specific basis, or through the National Exercise Program (NEP).
1 DHS IP serves as the conduit for all eighteen CIKR sectors’ participation in NEP-sponsored
2 activities and events. As such, the IP exercise program strictly adheres to the tenets of the
3 NEP. Exercise planning and participation is coordinated within IP through its Exercise
4 Working Group (EWG), which consists of representation from all IP projects and the
5 private sector. The EWG allows IP and private sector partners to translate goals and
6 priorities into specific objectives, coordinate exercise activities, and track improvement plan
7 actions against current capabilities, training and exercises. This group is also responsible
8 for maintaining the IP Multi-Year Training and Exercise Plan. This document is assessed
9 and revised, as needed, on an annual basis at the IP Training and Exercise Planning
10 Workshop.
11 National Exercise Program
12 DHS provides overarching coordination for the National Exercise Program (NEP) to ensure
13 the Nation’s readiness to respond in an all-hazards environment and to test the steady-
14 state protection plans and programs put in place by the NIPP and their transition to the
15 incident management framework established in the NRF.
16 NEP program components include:
17 National Level Exercise - an annual national security and/or homeland security
18 exercise centered on White House directed, U.S. Government-wide strategy and policy
19 Principal Level Exercise (PLE) - a quarterly cabinet level exercise focused on current
20 U.S. Government-wide strategic issues
21 Five-year schedule of NLE/PLE and significant NEP Tiered exercises with a strategic
22 U.S. Government-wide focus
23 National Exercise Schedule (NEXS) - a schedule of all Federal, State, and local
24 exercises
25 Corrective Action Program (CAP) - administered by DHS in support of the HSC and
26 NSC, involves a system and process for identifying, assigning, and tracking remediation
27 of issues.
28 Homeland Security Exercise and Evaluation Program (HSEEP) - DHS policy
29 and guidance for designing, developing, conducting, and evaluating exercises. Provides a
30 threat and performance-based exercise process that includes a mix and range of exercise
31 activities through a series of four reference manuals to help States and local
32 jurisdictions establish exercise programs and design, develop, conduct, and evaluate
33 exercises.
34 The NEP categorizes exercise activities into four tiers. These tiers reflect the relative
35 priority for interagency participation, with Tier I as the highest and Tier IV the lowest.
36 USG exercises are assigned to tiers based on a consensus interagency judgment of how
37 closely they align to USG-wide strategic and policy priorities.
38 Tier I Exercises (Required). Tier I exercises are centered on White House directed,
39 U.S. Government-wide strategy and policy-related issues and are executed with the
40 participation of all appropriate Cabinet level Secretaries or their Deputies and all
41 necessary operations centers. NLEs and Cabinet Level Exercises (CLEs) constitute Tier
42 I and there are five NEP Tier I exercises annually. Examples include the Top Officials
43 and Eagle Horizon (COOP) exercises.
1 sector awareness, metrics, and other content relevant for all sectors and jurisdictions. DHS
2 encourages and, where appropriate, facilitates specialized NIPP-related occupational and
3 professional training and education, and development of professional and personnel
4 security guidelines. It also will encourage academic and research programs, and coordinate
5 the design of exercises that test and validate the interaction between the NIPP framework
6 and the NRF.
7 The SSAs and other Federal agencies are responsible for reviewing, updating and, as
8 appropriate, developing new CIKR protection-related training and education programs that
9 align with the NIPP and the competency model. Other CIKR partners are encouraged to
10 review existing and/or develop new training to align with the competency model and
11 support implementation of the NIPP, the SSPs, and/or identified CIKR protection needs
12 within their jurisdiction. All CIKR partners should work with DHS and the SSAs to
13 identify and fill gaps in current training, education, and exercise programs for those
14 specialized disciplines that are unique to CIKR protection.
1 Because owners and operators play a major role in CIKR protection, research programs
2 that support the NIPP must find effective ways to consider the perspectives of sector
3 professional associations, sector councils, and other sources that understand owner and
4 operator technology needs.
5 Key activities needed to enhance CIKR protection over the long term include:
6 Building national awareness to support the CIKR protection program, related protection
7 investments, and protection activities by ensuring a focused understanding of the all-
8 hazards threat environment and of what is being done to protect and enable the timely
9 restoration of the Nation’s CIKR in light of such threats;
10 Enabling education, training, and exercise programs to ensure that skilled and
11 knowledgeable professionals and experienced organizations are able to undertake NIPP-
12 related responsibilities in the future;
13 Conducting R&D and using technology to improve protective capabilities or to lower the
14 costs of existing capabilities so that CIKR partners can afford to do more with limited
15 budgets;
16 Developing, protecting, and maintaining data systems and simulations to enable
17 continuously refined risk assessment within and across sectors and to ensure
18 preparedness for domestic incident management; and
19 Continuously improving the NIPP and associated plans and programs through ongoing
20 management and revision, as required.
21 Unique R&D needs associated with CIKR protection include:
22 Conducting development, or re-design, of technology-based equipment to significantly
23 lower the costs of existing capabilities rather than improving technical performance, so
24 that CIKR partners with limited budgets can afford state-of-the-art solutions;
25 Researching issues, such as resiliency and protection in building design, that affect all
26 CIKR and can result in solutions that can provide benefits across sectors if
27 implemented; and
28 Focusing research on the implementation and operational aspects of technology used for
29 CIKR protection to provide resources that can help inform technology investment
30 decisions, such as technical evaluation of security equipment or technology clearing
31 house information.
32 6.2.1 The SAFETY Act
33 Ingenuity and invention are the lifeblood of robust research and development. But potential
34 liabilities could stifle the entrepreneurial spirit for developing disruptive and enabling
35 technologies and products. As part of the Homeland Security Act, Public Law 107-296,
36 Congress enacted the SAFETY Act, which creates liability protections for sellers of
37 qualified anti-terrorism technologies. The SAFETY Act provides incentives for the
38 development and deployment of anti-terrorism technologies by limiting liability through a system
39 of risk and litigation management. The purpose of the SAFETY Act is to ensure that the
40 threat of liability does not deter potential sellers of anti-terrorism technologies from
41 developing, deploying, and commercializing technologies that could save lives. The SAFETY
42 Act gives liability protection to both sellers of qualified anti-terrorism technology and their
43 customers, and applies to all types of enterprises that develop, sell, or use anti-terrorism
44 technologies.
1 The SAFETY Act applies to a broad range of technologies, including products, services, and
2 software, or combinations thereof, as well as technology firms and providers of security
3 services. The SAFETY Act protects those businesses and their customers and contractors
4 by providing a series of liability protections if their products or services are found to be
5 effective by the Secretary of Homeland Security. Additionally, if the Secretary certifies the
6 technology under the SAFETY Act (i.e., that the technology actually performs as it is
7 intended to do and conforms to certain seller specifications), the seller is afforded a
8 complete defense in litigation related to the performance of the technology in preventing,
9 detecting, or deterring terrorist acts or deployment to recover from one. Those technologies
10 that have been “certified” are placed on an Approved Product List for Homeland Security
11 that is published at www.safetyact.gov.
12 A clear benefit of the SAFETY Act is that a cause of action may be brought only against the
13 seller of the Qualified Anti-Terrorism Technology and may not be brought against the
14 buyer(s), their contractors, or downstream users of the Qualified Anti-Terrorism
15 Technology, or against the seller’s suppliers or contractors. This stipulation includes CIKR
16 owners and operators.
17 CIKR facility owners and operators are encouraged to examine the SAFETY Act closely
18 because: (1) CIKR owners (if purchasers of qualified technologies) will enjoy the liability
19 protections that flow from using qualified SAFETY Act technologies, and (2) CIKR owners
20 will also have a level of assurance that the qualified products/services they are utilizing
21 have been vetted by DHS. Lower liability insurance burdens for those using qualified
22 technologies are another potential outcome.
23 In these ways, the SAFETY Act is a valuable tool that can enhance the ability of owners
24 and operators to protect our Nation’s CIKR.
25 6.2.2 National Critical Infrastructure Protection R&D Plan
26 As directed by HSPD-7, the Secretary of Homeland Security works with the Director of the
27 OSTP, Executive Office of the President, to develop the National Critical Infrastructure
28 Protection (NCIP) R&D Plan as a vehicle to support implementation of CIKR risk
29 management and supporting protective activities and programs.
30 The NCIP R&D Plan provides the focus and coordination mechanisms required to achieve
31 the vision provided in the President’s Physical and Cyber CIKR Protection Strategies. That
32 vision calls for a “systematic national effort to fully harness the Nation’s research and
33 development capabilities.” The R&D planning process is designed to address common issues
34 faced by the various sector partners and ensure a coordinated R&D program that yields the
35 greatest value across a broad range of interests and requirements. The plan addresses both
36 physical and cyber CIKR protection. The planning process also provides for the revision of
37 research goals and priorities over the long term to respond to changes in the threat,
38 technology, environment, business continuity, and other factors.
39 DHS and OSTP coordinate with Federal and private sector partners, including academic
40 and national laboratory representatives, during the R&D planning cycle. The interagency
41 process used to develop and coordinate this plan is managed through the Infrastructure
42 Subcommittee of the National Science and Technology Council (NSTC), which is co-chaired
43 by DHS and OSTP. The SSAs are responsible for providing input into the plan after
44 coordination with sector representatives and experts through such bodies as the SCCs and
45 GCCs.
1 The NCIP R&D Plan articulates strategic R&D goals and identifies the R&D areas in which
2 advances in CIKR protection must be made. The goals and cross-sector R&D areas
3 contained in the NCIP R&D Plan are discussed in the following subsections. A final
4 subsection describes coordination of SSP R&D planning with the NCIP R&D Plan.
5 6.2.2.1 CIKR Protection R&D Strategic Goals
6 The NCIP R&D planning process identifies three long-term, strategic R&D goals for CIKR
7 protection:
8 A common operating picture architecture;
9 A next-generation Internet architecture with designed-in security; and
10 Resilient, self-diagnosing, self-healing systems.
11 The strategic goals are used to guide Federal R&D investment decisions and also to provide
12 a coordinated approach to the overall Federal research program. The S&T Directorate and
13 OSTP will work with the OMB to use the R&D Plan as a decision-making tool for
14 evaluation of budget submissions across Federal agencies. These goals also help guide programs
15 of research performers who receive Federal grants and contracts.
16 6.2.2.2 CIKR Protection R&D Areas
17 R&D development projects for CIKR protection programs fall into nine R&D areas or
18 themes that cut across all CIKR sectors:
19 Detection and sensor systems;
20 Protection and prevention systems;
21 Entry and access portals;
22 Insider threats;
23 Analysis and decision support systems;
24 Response, recovery, and reconstitution tools;
25 New and emerging threats and vulnerabilities;
26 Advanced infrastructure architectures and systems design; and
27 Human and social issues.
28 Organizing research in these areas enables the development of effective solutions that may
29 be applied across sectors and disciplines. These themes also provide an organizing
30 framework for SSA use during the development of R&D requirements for their respective sectors,
31 which will be reflected in the SSPs. These requirements specify the capabilities each sector
32 needs to satisfy CIKR protection needs. By incorporating these requirements into the NCIP
33 R&D Plan, OMB is better able to ensure that agency R&D budget requests are aligned with
34 the National R&D Plan for CIKR Protection. Requirements are refreshed each year through
35 the Sector Annual Reporting process.
36 6.2.2.3 Coordination of NCIP R&D Plan with SSP and Sector Annual Report R&D Planning
37 Each SSP includes a section on sector-specific CIKR protection R&D that explains how the
38 sector will strengthen the linkage between sector-specific and national R&D planning
39 efforts, technology requirements, current R&D initiatives, gaps, and candidate R&D
40 initiatives. New candidate R&D initiatives are developed during the Sector Annual Report
41 writing process. The SSP explains the process for:
1 Federal Air Marshals, and state, local, and Federal emergency responders, as well as the
2 many others teamed and committed to the vital mission of securing the Nation. To reach
3 its goals, the S&T Directorate created a customer-focused, output-oriented, full-service
4 science and technology management organization.
5 S&T established Integrated Product Teams (IPTs) to coordinate the planning and execution
6 of R&D programs together with the eventual hand-off to maintainers and users of project
7 results. The IPTs are critical nodes in the process to determine operational requirements,
8 assess current capabilities to meet operational needs, analyze gaps in capabilities and
9 articulate programs and projects to fill in the gaps and expand competencies.
10 IPTs constitute the Transition portfolio of DHS S&T, targeting deployable capabilities in
11 the near term. IPTs generally include the research and technology perspective, the
12 customer and end user perspective, and an acquisition perspective. The customer and end
13 users monitor and guide the capability being developed; the research and technology
14 representatives inform the discussions with scientific and engineering advances and
15 emerging technologies; and the acquisition staff help transition the results into practice by
16 the maintainers and end-users of the capability.
1 Properly maintaining systems with current and useful data involves long-term support,
2 coordination, and resource commitments by DHS, the SSAs, the States, private sector
3 entities, and other partners. Important aspects of the support, coordination, and resource
4 commitments required over the long term to sustain the NIPP include:
5 Need for Information Protection: Data accuracy and currency for CIKR protection is
6 dependent upon the ability of the various partners to keep their databases and data
7 systems current. Over the long term, the level of cooperation and commitment needed
8 for this must be sustained by a trusted working relationship. This requires that
9 information regarded as sensitive by providers be protected from unauthorized access,
10 use, or disclosure. Data content, accuracy, and currency must also be protected from
11 tampering or other corruption.
12 Durable Information: The complexity, scope, and magnitude of the U.S. CIKR require
13 reliance on multiple data sources that are acquired over long periods of time. As a
14 result, information pertaining to the characteristics and quality of the data must be
15 provided along with the actual data from each source. This requires the use of a
16 common and standardized format, data scheme, and categorization system (i.e.,
17 taxonomy) that is viable over the long term. DHS and the SSAs are responsible for
18 working together to establish and utilize the appropriate data collection format. The
19 DHS taxonomy is the foundation for multiple DHS programs that focus on CIKR
20 information, such as the IDW and the National Threat Incident Database. This
21 taxonomy provides the foundation for a national-level information scheme.
22 Recurring Nature of Information Needs: The process of information identification and
23 additional data collection represents a recurring need. Data requirements and
24 availability are continually reassessed based on the current threat environment,
25 analyses to identify gaps, or other factors. Focused data calls to specific sectors or
26 locales, in coordination with the SSAs and the States, as appropriate, may be required
27 to fill identified information gaps. This imposes a continuing need for resources to build
28 and update the system over the long term.
29 6.3.2 Simulation and Modeling
30 A number of CIKR partners make use of models and simulations to comprehensively
31 examine potential consequences from terrorist attacks, natural disasters, and manmade
32 accidents that impact CIKR, including the effects of sector and cross-sector dependencies
33 and interdependencies. Continuous maintenance and updating are required for these tools
34 to produce reliable projections. Over the long term, new tools are needed to address
35 fundamental changes due to factors such as technology, threats, or the business
36 environment.
37 DHS/IP is the lead for modeling and simulation capabilities regarding CIKR protection. In
38 this capacity, the DHS will:
39 Coordinate with the DHS S&T Directorate on requirements for the development,
40 maintenance, and application of research-related modeling capabilities for CIKR
41 protection;
42 Specify requirements for the development, maintenance, and application of operations-
43 related modeling capabilities for CIKR protection in coordination with the DHS S&T
44 Directorate and the SSAs, as appropriate;
1 Coordinate with the SSAs that have relevant modeling capabilities to develop
2 appropriate mechanisms for the development, maintenance, and use of such for CIKR
3 protection as directed by HSPD-7;
4 Familiarize the SSAs and other CIKR partners with the availability of relevant
5 modeling and simulation capabilities through training and exercises;
6 Work with end-users to design operations-related tools that provide maximum utility
7 and clarity for CIKR protection activities in both emergencies and routine operations;
8 Work with end-users to design appropriate information protection plans for sensitive
9 information used and produced by CIKR protection modeling tools;
10 Provide guidance on the vetting of modeling tools to include the use of private sector
11 operational, technical, and business expertise where appropriate; and
12 Review existing private sector modeling initiatives and opportunities for joint ventures
13 to ensure that DHS and its CIKR partners make maximum use of applicable private
14 sector modeling capabilities.
15 The principal modeling, simulation and analysis capability within the DHS IP is the
16 National Infrastructure Simulation and Analysis Center (NISAC). NISAC analysts and
17 operational resources are located at the Sandia and Los Alamos National Laboratories, and
18 the program operates under the direction of a small DC-based program office within IP’s
19 Infrastructure Analysis and Strategy Division (IASD). Mandated by Congress to be a
20 “source of National Expertise to address critical infrastructure protection” research and
21 analysis, NISAC prepares and shares analyses of CIKR including their interdependencies,
22 vulnerabilities, consequences of loss, and other complexities. Over a span of several years,
23 NISAC has developed tailored analytical tools, a core of unique expertise, and procedures
24 designed to effectively address the strategic-level analytical needs of CIKR decision makers.
25 While the 2001 PATRIOT (Provide Appropriate Tools Required to Intercept and Obstruct
26 Terrorism) Act established the requirement for NISAC, the Homeland Security
27 Appropriations Act of 2007 specifies its current mission. NISAC is required to provide
28 “modeling, simulation, and analysis of the assets and systems comprising CIKR in order to
29 enhance preparedness, protection, response, recovery, and mitigation activities.” The
30 Center is also directed to share information with Federal agencies and departments that
31 have CIKR responsibilities. Information sharing is accomplished through outreach
32 meetings with sectors, analysts, and consumers. NISAC pre-incident studies (e.g., hurricane
33 scenario studies) are posted and available for download on HSIN. Selected products are
34 reproduced for widespread dissemination in hard copy. Products requested from the NISAC
35 program office are usually distributed by email or on electronic media.
36 NISAC’s objectives cover two main areas of focus:
37 Provide operational support to DHS and other Federal Government entities on an
38 as-needed basis in the form of analysis, simulation, and scenario development; and
39 Develop long-term capabilities by maintaining expertise in the application of analysis
40 tools and the development of improved processes and tools in support of longer-term
41 DHS projects.
42 NISAC accomplishes its mission through three types of products:
43 Pre-planned long-term analyses;
44 Pre-planned short-term analyses; and
1 Unplanned priority analytical projects that are based on higher-level tasking or that are
2 related to current threats to critical infrastructure (e.g., hurricanes).
3 NISAC utilizes CIKR information and data from a variety of government CIKR sector and
4 private sector sources, including other participants in CIKR protection projects and
5 programs. NISAC uses some data that are considered proprietary to a single industry—or
6 even to a specific firm; the data must therefore be protected from unrestricted
7 dissemination in order to maintain the trust of the information providers. NISAC products
8 principally serve government decision makers, who can derive valuable insight into
9 incident consequences at a higher level than the supporting data could provide. In selected
10 cases, NISAC products are made available to the private sector in order to facilitate access
11 to key NISAC recommendations of concern to a wider community of CIKR stakeholders.
12 Although NISAC is the principal resource within the Office of Infrastructure Protection for
13 modeling, simulation, and analysis, it is not the sole source available to CIKR stakeholders
14 in need of these capabilities. NISAC strives to establish joint ventures with other
15 stakeholders and to share critical authoritative data in order to improve overall analytical
16 quality and ensure consistency with other providers of CIKR analysis.
17 6.3.3 Coordination on Databases and Modeling
18 Integrating existing databases into DHS databases, such as the IDW, not only reduces
19 duplication of effort, but also ensures that available data are consistent, current, and
20 accurate, and provide users with a consolidated picture across all CIKR sectors. However,
21 this approach is effective only if the source information is protected and maintained
22 properly. Maintaining a current and useful database involves the support, coordination, and
23 commitment of the SSAs, private sector entities, and other partners. Because the most
24 current and accurate CIKR-related data are best known by owners and operators, the
25 effectiveness of the effort depends on all CIKR partners keeping their databases and data
26 systems current.
27 As the responsible agent for the identification of assets and existing databases for their
28 sectors, the SSAs:
29 Outline in their SSPs the sector plans and processes for the database, data system, and
30 modeling and simulation development and updates;
31 Work with sector partners to facilitate the collection and protection of accurate
32 information for database, data system, and modeling and simulation use;
33 Specify the timelines and milestones for the initial population of CIKR databases; and
34 Specify a regular schedule for maintenance and updating of the databases.
35 DHS works with the SSAs and other CIKR partners to:
36 Identify databases and other data services that will be integrated with CIKR protection
37 databases and data systems;
38 Facilitate the actual integration of supporting databases or importation of data into
39 CIKR protection databases and data systems, using a common and standardized format,
40 data scheme, and categorization system or taxonomy specified by DHS in coordination
41 with the SSAs; and
42 Define the schedule for integrating data and databases into such systems as the IDW.
1 responsibilities under the NIPP may propose a change to the plan. DHS is responsible
2 for coordinating the review and approval of all proposed modifications to the NIPP with
3 SSAs and other CIKR partners, as appropriate. Policy changes will be coordinated and
4 approved through the Homeland Security Council policy process.
5 Notice of Change: DHS will issue an official Notice of Change for each interim revision
6 to the NIPP. After publication, the modifications will be considered part of the NIPP for
7 operational purposes pending a formal revision and re-issuance of the entire document.
8 Interim changes can be further modified or updated using this process. (Periodic
9 updates resulting from the annual review process do not require the formal Notice of
10 Change.)
11 Distribution: DHS will distribute Notices of Change to SCCs, GCCs, and other CIKR
12 partners. Notices of Change to other organizations will be provided upon request.
13 Re-Issuance: DHS will coordinate full reviews and updating of the NIPP every 3 years,
14 or more frequently, if the Secretary deems necessary. The review and updating will
15 consider lessons learned and best practices identified during implementation in each
16 sector and will incorporate the periodic changes and any new information technologies.
17 DHS will distribute revised NIPP documents for interagency review and concurrence
18 through the Homeland Security Council process.
19 The SSAs, in coordination with their GCCs and SCCs, establish and operate the
20 mechanism(s) necessary to coordinate SSP maintenance and update in accordance with the
21 process established for the NIPP.
1 assets that can be logically prioritized. Some have thousands of identical assets, not all of
2 which are equally critical. Others are made up of systems or networks, as opposed to
3 distinct assets, for which the identification of specific protective measures may prove to be
4 impossibly complex. Furthermore, interdependencies among sectors can cause duplicative
5 protection efforts or lead to gaps in funding for CIKR protection. To ensure that resources
6 are allocated according to national priorities and are based on national risk and need, DHS
7 must be able to accurately assess priorities, requirements, and efforts across these diverse
8 sectors.
9 As DHS conducts this assessment, the SSAs, supported by their respective SCCs and GCCs,
10 provide information regarding their sectors’ individual CIKR protection efforts. The SCCs
11 participate in the process to ensure that private sector input is reflected in SSA reporting of
12 sector priorities and requirements. The first step for an SSA in the risk-informed resource
13 allocation process is to coordinate with sector partners, including SCCs and GCCs as
14 appropriate, to accurately determine sector priorities, program requirements, and funding
15 needs for CIKR protection. HSPD-7 requires each SSA to provide an annual report to the
16 Secretary of Homeland Security on their efforts to identify, prioritize, and coordinate CIKR
17 protection in their respective sectors. Consistent with this requirement, DHS provides the
18 SSAs with reporting guidance and templates that include requests for specific information,
19 such as CIKR protection priorities, requirements, and resources. The following elements
20 are included in the Sector CIKR Protection Annual Report to help inform prioritization
21 resource allocation recommendations:
22 Priorities and annual goals for CIKR protection and associated gaps;
23 Sector-specific requirements for CIKR protection activities and programs based on risk
24 and need; and
25 Projected CIKR-related resource requirements for the sector, with an emphasis on
26 anticipated gaps or shortfalls in funding for sector-level CIKR protection and/or for
27 protection efforts related to national-level CIKR that exist within the sector.
28 7.1.2 State Government Reporting to DHS
29 Like sectors, State governments face diverse CIKR protection challenges and have different
30 priorities, requirements, and available resources. Furthermore, State CIKR protection
31 efforts are closely intertwined with those of other government and private sector partners.
32 In particular, States work closely with local and tribal governments to address CIKR
33 protection challenges at those levels. To accurately assess the national CIKR protection
34 effort and identify protection needs that warrant attention at a national level, DHS must
35 aggregate information across State jurisdictions as it does across sectors.
36 DHS requires that each State develop a homeland security strategy that establishes goals
37 and objectives for its homeland security program that include CIKR protection as a core
38 element. State administrative agencies develop a Program and Capability Enhancement
39 Plan that prioritizes statewide resource needs to support this program. The State
40 administrative agency works with DHS to identify:
41 Priorities and annual goals for CIKR protection;
42 State-specific requirements for CIKR protection activities and programs, based on risk
43 and need;
1 Mechanisms for coordinated planning and information sharing with government and
2 private sector partners;
3 Unfunded CIKR protection initiatives or requirements that should be considered for
4 funding using Federal grants (described in further detail below); and
5 Other funding sources utilized to implement the NIPP and address identified priorities
6 and annual goals.
7 For consideration in the deliberations related to CIKR protection resources as part of the
8 Federal budget cycle, information on statewide CIKR resources needs must be reported to
9 DHS by the date specified in the appropriate annual DHS/GPD planning guidance.
10 DHS/GPD includes information such as model reports or report templates with the
11 planning guidance to support the States’ reporting efforts.
12 7.1.3 State, Local, Tribal, and Territorial Government Coordinating Council
13 (SLTTGCC) Reporting to DHS
14 In 2007, DHS formed the SLTTGCC in order to better support the State, local, tribal, and
15 territorial partners. It provides a forum to ensure that SLTT governments are fully
16 integrated into the CIKR protection process and can actively coordinate across their
17 jurisdictions and with the Federal government on CIKR protection guidance, strategies,
18 and programs. Furthermore, the Council is the second subcouncil of the Government Cross-
19 Sector Council, as prescribed in the NIPP, which provides the forum to address cross-sector
20 issues and interdependencies among the Government Coordinating Councils.
21 The SLTTGCC comprises representatives from a broad and diverse group of SLTT
22 governments. The intent of the Council is to provide SLTT input and suggestions for
23 implementation of the NIPP, including sector protection programs and initiatives. These
24 types of engagements foster broad public sector partner involvement in actively developing
25 sector priorities and requirements. Through the SLTTGCC Annual Report, the Council
26 provides annual updates on protection programs and initiatives that are being conducted or
27 planned by the Council, DHS, other Federal partners, or private sector partners. The
28 Council leverages its broad experiential base and apolitical perspective to:
29 Inform implementation and planning efforts related to the NIPP, State-specific, and
30 regional-focused plans;
31 Coordinate strategic communication and achieve resolution among SLTT partners;
32 Facilitate the building and implementation of information-sharing channels to
33 promulgate CIKR plans, programs, and processes; and
34 Develop policy recommendations.
35 7.1.4 Regional Consortium Coordinating Council (RCCC) Reporting to DHS
36 Cross-sector and multijurisdictional CIKR protection challenges provide an opportunity to
37 manage interdependent risks at the regional level. Individually, regional consortiums’
38 activities can enhance the physical security, cybersecurity, emergency preparedness, and
39 overall public/private continuity and resiliency of one or more States, urban areas, or
40 municipalities.
41 Because of the multitude of public and private sector partners involved, specific regional
42 initiatives have a broad-reaching scope. In some cases, initiatives can even cross national
43 borders and become international efforts. To better support these initiatives and further
44 implement the National Infrastructure Implementation Plan, DHS supported the formation
1 of the RCCC in July 2008. The RCCC provides a unique mechanism to integrate NIPP
2 implementation on a regional scale and details its efforts in the RCCC CIKR Protection
3 Annual Report.
4 The mission of the RCCC is to strengthen regional consortiums that enhance protection,
5 response, recovery, and resilience of the Nation’s critical infrastructure and key resources
6 by working to:
7 Develop a policy framework for regional infrastructure protection, prevention,
8 deterrence, response, recovery, and longer-term restoration;
9 Provide the foundation for regional cross-sector collaboration;
10 Foster the development of risk-informed protection and mitigation measures to enable
11 measurable progress towards robust security and disaster resilience; and
12 Enhance the education and awareness of critical infrastructure interdependencies.
13 7.1.5 Aggregating Submissions to DHS
14 DHS uses the information collected from the Sector CIKR Protection Annual Reports, the
15 SLTTGCC Annual Report, the RCCC Annual Report, and State reports to DHS/GPD to
16 assess CIKR protection status and requirements across the country. As national priorities
17 and requirements are established, DHS will develop funding recommendations for
18 programs and initiatives designed to reduce national-level risk in the CIKR protection
19 mission area. In cases where gaps or duplicative efforts exist, DHS will work with the SSAs
20 and the States to identify strategies or additional funding sources to help ensure that
21 national CIKR protection priorities are efficiently and effectively addressed.
22 Following the collection and aggregation of sector- and State-level reports, DHS
23 summarizes this information in the National CIKR Protection Annual Report. This report
24 provides a summary of national CIKR protection priorities and requirements and makes
25 recommendations for prioritized resource allocation across the Federal Government to meet
26 national-level CIKR protection needs. The National CIKR Protection Annual Report is
27 submitted along with the DHS budget submission to the Executive Office of the President
28 on or before September 1 as part of the annual Federal budget process (see figure 7-1).
4 7.2 Federal Resource Allocation Process for DHS, the SSAs, and
5 Other Federal Agencies
6 The Federal resource allocation process described in this section is designed to ensure that
7 the collective efforts of DHS, the SSAs, and other Federal departments and agencies
8 support the NIPP and national priorities. It is also designed to be consistent with the DHS
9 responsibility to coordinate overall national CIKR protection and to identify national-level
10 gaps, overlaps, or shortfalls. Driven in large part by existing and well-understood Federal
11 budget process milestones, this approach is integrated with the established Federal budget
12 process and reporting requirements. The resource allocation process for CIKR protection
13 outlined in this chapter recognizes the existing budget authorities and responsibilities of all
14 Federal departments and agencies with CIKR protection-related programs and activities.
15 The NIPP process aims to create synergy between current and future efforts to ensure a
16 unified and effective national CIKR protection effort. The specific roles of DHS and the
17 SSAs are described in further detail below.
7.2.1 Department of Homeland Security
DHS is responsible for overall coordination of the Nation’s CIKR protection efforts. To carry
out this responsibility, DHS must identify and prioritize nationally critical assets, systems,
and networks; help ensure that appropriate protective initiatives are implemented; and
help address any gaps or shortfalls in the protection of nationally critical CIKR. DHS works
closely with the Executive Office of the President to aggregate CIKR protection-related
activities and related resource requests from the SSAs and other Federal departments and
agencies as a way to make informed tradeoffs in prioritizing Federal investments.
DHS works with the Executive Office of the President offices to establish a national CIKR
protection strategic approach and priorities, and with the SSAs, supported by their
Figure 7-3: DHS and SSA Roles and Responsibilities in Federal Resource Allocation
7.2.2 Sector-Specific Agencies
Earlier chapters of the NIPP articulate how DHS and the SSAs work with the respective
CIKR sectors to determine risk and set priorities. Based on guidance from DHS, each SSA
develops and maintains an SSP that supports the NIPP goal and supporting objectives.
Additionally, the SSAs, in partnership with the SCCs and GCCs, determine sector-specific
priorities and requirements for CIKR protection. The SSAs submit these priorities and
requirements to DHS in their sector annual reports, along with identification of resource
needs, to allow for a more comprehensive National CIKR Protection Annual Report. SSAs
work within their respective department or agency budget process to determine the CIKR
protection-related aspects of their department’s budget submission. SSA annual reports are
submitted to DHS on or before June 1 of each year. Resource information contained in the
SSA annual reports is based on appropriated funding, as well as the President’s most
recent budget.
Additionally, the subset of CIKR protection funding requirements directed toward R&D and
S&T investments is highlighted by the SSAs, SCCs, and GCCs in the sector annual
reports to inform the NCIP R&D Plan and its technology roadmap, while ensuring efficient
coordination with the DHS R&D/S&T community and supporting the Federal research and
technology base. These R&D and S&T plans and requirements are based on the R&D
planning section of each sector’s SSP. The identified R&D requirements are prioritized
based on the potential increase in CIKR protection capabilities for a given investment.
7.2.3 Summary of Roles and Responsibilities
Figure 7-2 outlines the roles and responsibilities of DHS and the SSAs throughout this
process, as well as the annual timelines associated with major activities.
The final determination of funding priorities, based on the collaborative efforts of DHS, the
SSAs and other Federal departments and agencies, and the Executive Office of the
President, guides CIKR protection programs and the allocation of resources in support of
the NIPP. These priorities support Federal Government (DHS and SSA) CIKR protection
activities, as well as guide and support homeland security and CIKR protection activities
across and within State, local, tribal, and territorial jurisdictions.
the National Preparedness Guideline, the NIMS, the NRF, and the NIPP to support the
prevention of, protection against, response to, and recovery from acts of terrorism.
Urban Areas Security Initiative: UASI funds address the unique planning, equipment,
training, and exercise needs of high-threat, high-density urban areas, and assist them
in building an enhanced and sustainable capacity to prevent, protect against, respond
to, and recover from acts of terrorism.
Targeted Infrastructure Protection Programs: Targeted infrastructure protection programs
include grants for specific activities that focus on the protection of CIKR, such as ports,
mass transit, rail transportation, etc. These funds support CIKR protection capabilities
based on risk and need in coordination with DHS, SSAs, and Federal agencies. Though
recent appropriations have been divided among specific sectors, DHS seeks to combine
these grants into a program that supports a more integrated risk-informed approach across
CIKR sectors.
DHS/IP and DHS/GPD work with States to focus targeted infrastructure protection grant
programs, such as the BZPP and transportation security grants, to support national-level
CIKR protection priorities and to reinforce activities funded through Federal department
and agency budgets and other homeland security grant programs. As appropriate, SSAs
serve as subject matter experts reviewing and providing recommendations for specific
target grant programs. Grantees should apply resources available under the overarching
homeland security grant programs, such as SHSP and UASI to address their regionally or
locally critical priority CIKR protection initiatives. A further prioritized combination of
grant funding across various programs may be necessary to enable the protection of certain
assets, systems, networks, and functions deemed to be nationally critical.
Available DHS/GPD grant funding is awarded to the Governor-appointed State
administrative agency, which serves in each State as the lead for program implementation.
Through the State administrative agencies, States will identify and prioritize their
homeland security needs, including CIKR protection, and leverage assistance from these
funding streams to accomplish the priorities identified in their State Homeland Security
Strategies, and Program and Capability Enhancement Plans. These planning processes
undertaken at the State level are built on the common framework articulated in the
National Preparedness Guideline; the National Priorities, including implementation of the
NIPP; and capabilities enhancements based on the TCL.
DHS provides State, local, and tribal authorities with additional guidance on how to
identify, assess, and prioritize CIKR protection needs and programs in support of the
National Preparedness Guidelines as they apply for homeland security grants. Additional
information on DHS grant programs, guidelines, allocations, and eligibility is available at:
http://www.fema.gov/grants.
the overall effort. While Federal Government funding of programs and initiatives that support
CIKR protection makes a significant contribution to the security of the Nation, a fully
successful effort requires DHS; the SSAs; and State, local, and tribal governments to work
closely with the private sector to promote the most effective use of Federal and non-Federal
resources.
The NIPP uses the risk management framework to support coordination between CIKR
partners outside the Federal Government. Each step of the risk management framework
presents opportunities for collaboration between and among all CIKR partners.
Coordination between State and local agencies and the sectors themselves ensures that
cross-sector needs and priorities are more accurately identified and understood.
Government coordination with private sector owners and operators at all levels is required
throughout the process to ensure a unified national CIKR protection effort; provide
accurate, secure identification of CIKR assets and systems; provide and protect risk-related
information; ensure implementation of appropriate protective measures; measure program
effectiveness; and make required improvements.
These opportunities for collaboration allow private sector owners and operators to benefit
from CIKR protection investments in a number of ways. First, investments in CIKR
protection will enable risk mitigation in a broader, all-hazards context, including common
threats posed by malicious individuals or acts of nature, in addition to those posed by
terrorist organizations. Second, business continuity planning can facilitate recovery of
commercial activity after an incident. Finally, investing in CIKR protection within the
NIPP framework will help private sector owners and operators enhance protective
measures, and will support decisionmaking with more comprehensive risk-informed
information. DHS explores new opportunities to encourage such collaboration through
incentives (such as the SAFETY Act, which creates liability protection for sellers of
qualified anti-terrorism technologies), regulatory changes, and by providing more useful
information on risk assessment and management. While States typically are the eligible
applicants for DHS grant programs, certain private sector entities can apply directly for
grant funds through programs such as the Port Security Grant Program and the Intercity
Bus Security Grant Program.
More information about the NIPP is available on the Internet at: www.dhs.gov/nipp or by
contacting DHS at: nipp@dhs.gov
In this situation, the following resources may be applied to support the safety and security of the
mass transit system:
Owner/Operator Responsibilities
The local mass transit authority, as the owner and operator of the system, funds system-specific
protection and security measures, including resiliency and business continuity planning activities,
for the system on a day-to-day basis.
State, local, and tribal governments support the day-to-day protection of the public; enforce
security, protective, and preventive measures around the system’s facilities; and provide response
and/or recovery capabilities should an incident occur.
Federal Support and Grant Funding
Assistance from the Federal Government through a variety of resources, including grants (both
targeted infrastructure protection grant programs and overarching homeland security grant
programs), training, technical assistance, and exercises, further support and enhance ongoing
homeland security and CIKR protection activities. In this example, DHS, as the SSA for the
Transportation sector; TSA; DOT; and the USCG may contribute to the protection efforts through
either appropriated program funds or grants. Based on eligibility, a range of grants may support
the overall protection of this system, including:
- If the mass transit system is eligible for targeted infrastructure protection program funding,
  such as the Transit Security Grant Program, this funding source may be leveraged to support
  security enhancements for the mass transit system.
- If the mass transit system is eligible under the BZPP, this funding source may also be leveraged
  to improve security around the system or enhance preparedness capabilities within the
  surrounding community.
- Homeland Security grant program funding from programs such as the SHSP, UASI, and Law
  Enforcement Terrorism Prevention Program may be leveraged to enhance prevention,
  protection, response, and recovery capabilities in and around the mass transit system if the
  system is deemed critical by the State and/or local authorities within their homeland security
  strategies and priorities, and in accordance with allowable cost guidance.
- The Assistance to Firefighters Grant Program may be leveraged to support preparedness
  capabilities of the local fire department that are necessary to protect the system within the city.
- Federal Transit Administration grant programs to support metropolitan and State planning
  may be leveraged to provide planning for upgrades to the system, which include more resilient
  CIKR design, and the major capital investments and special flexible-funding grant programs
  may be leveraged to help build these improvements.
All of these resources, used in support of the region’s mass transit system, are coordinated with
State and urban area homeland security strategies, as well as the applicable Regional Transit
Security Strategy. Additionally, other services, training, exercises, and/or technical assistance (for
example, the DHS/GPD Mass Transit Technical Assistance Program, which includes a facilitated
risk assessment) may be leveraged from a variety of Federal partners.
violates Federal, State, or local law, harms interstate commerce of the United States, or
threatens public health or safety.
The ability of any critical infrastructure or protected system to resist such interference,
compromise, or incapacitation, including any planned or past assessment, projection, or
estimate of the vulnerability of critical infrastructure or a protected system, including
security testing, risk evaluation thereto, risk management planning, or risk audit.
Any planned or past operational problem or solution regarding critical infrastructure or
protected systems, including repair, recovery, reconstruction, insurance, or continuity,
to the extent it is related to such interference, compromise, or incapacitation.
Cybersecurity. The prevention of damage to, unauthorized use of, or exploitation of, and, if
needed, the restoration of electronic information and communications systems and the
information contained therein to ensure confidentiality, integrity, and availability. Includes
protection and restoration, when needed, of information networks and wireline, wireless,
satellite, public safety answering points, and 911 communications systems and control
systems.
Dependency. The one-directional reliance of an asset, system, network, or collection thereof,
within or across sectors, on input, interaction, or other requirement from other sources in
order to function properly.
Function. In the context of the NIPP, function is defined as the service, process, capability,
or operation performed by specific infrastructure assets, systems, or networks.
Government Coordinating Council. The government counterpart to the SCC for each sector
established to enable interagency coordination. The GCC is comprised of representatives
across various levels of government (Federal, State, territorial, local, and tribal) as
appropriate to the security and operational landscape of each individual sector.
Hazard. Something that is potentially dangerous or harmful, often the root cause of an
unwanted outcome.
HSPD-19. This directive establishes a national policy, and calls for the development of a
national strategy and implementation plan, on the prevention and detection of, protection
against, and response to terrorist use of explosives in the US.
Incident. An occurrence or event, natural or human-caused, that requires an emergency
response to protect life or property. Incidents can, for example, include major disasters,
emergencies, terrorist attacks, terrorist threats, wildland and urban fires, floods, hazardous
materials spills, nuclear accidents, aircraft accidents, earthquakes, hurricanes, tornadoes,
tropical storms, war-related disasters, public health and medical emergencies, and other
occurrences requiring an emergency response.
Infrastructure. The framework of interdependent networks and systems comprising
identifiable industries, institutions (including people and procedures), and distribution
capabilities that provide a reliable flow of products and services essential to the defense and
economic security of the United States, the smooth functioning of government at all levels,
and society as a whole. Consistent with the definition in the Homeland Security Act,
infrastructure includes physical, cyber, and/or human elements.
Interdependency. The multi- or bi-directional reliance of an asset, system, network, or
collection thereof, within or across sectors, on input, interaction, or other requirement from
other sources in order to function properly.
Key Resources. As defined in the Homeland Security Act, “key resources” are publicly or
privately controlled resources essential to the minimal operations of the economy and
government.
Mitigation. Activities designed to reduce or eliminate risks to persons or property or to
lessen the actual or potential effects or consequences of an incident. Mitigation measures
may be implemented prior to, during, or after an incident. Mitigation measures are often
developed in accordance with lessons learned from prior incidents. Mitigation involves
ongoing actions to reduce exposure to, probability of, or potential loss from hazards.
Measures may include zoning and building codes, floodplain buyouts, and analysis of
hazard-related data to determine where it is safe to build or locate temporary facilities.
Mitigation can include efforts to educate governments, businesses, and the public on
measures they can take to reduce loss and injury.
Network. In the context of the NIPP, a group of assets or systems that share information or
interact with each other in order to provide infrastructure services within or across sectors.
Normalize. In the context of the NIPP, the process of transforming risk-related data into
comparable units.
Owners/Operators. Those entities responsible for day-to-day operation and investment in a
particular asset or system.
Preparedness. The range of deliberate critical tasks and activities necessary to build,
sustain, and improve the operational capability to prevent, protect against, respond to, and
recover from domestic incidents. Preparedness is a continuous process involving efforts at
all levels of government and between government and private sector and nongovernmental
organizations to identify threats, determine vulnerabilities, and identify required activities
and resources to mitigate risk.
Prevention. Actions taken to avoid an incident or to intervene to stop an incident from
occurring. Prevention involves actions taken to protect lives and property. Involves
applying intelligence and other information to a range of activities that may include such
countermeasures as deterrence operations; heightened inspections; improved surveillance
and security operations; investigations to determine the full nature and source of the
threat; immunizations, isolation, or quarantine; public health and agricultural surveillance
and testing processes; and, as appropriate, specific law enforcement operations aimed at
deterring, preempting, interdicting, or disrupting illegal activity and apprehending
potential perpetrators and bringing them to justice.
Prioritization. In the context of the NIPP, prioritization is the process of using risk
assessment results to identify where risk-reduction or mitigation efforts are most needed
and subsequently determine which protective actions should be instituted in order to have
the greatest effect.
Protected Critical Infrastructure Information (PCII). PCII refers to all critical infrastructure
information, including categorical inclusion PCII, that has undergone the validation process
and that the PCII Program Office has determined qualifies for protection under the CII Act.
All information submitted to the PCII Program Office or Designee with an express
statement is presumed to be PCII until the PCII Program Office determines otherwise.
Protection. Actions to mitigate the overall risk to CIKR assets, systems, networks, or their
interconnecting links resulting from exposure, injury, destruction, incapacitation, or
exploitation. In the context of the NIPP, protection includes actions to deter the threat,
mitigate vulnerabilities, or minimize consequences associated with a terrorist attack or
other incident. Protection can include a wide range of activities, such as hardening
facilities, building resiliency and redundancy, incorporating hazard resistance into initial
facility design, initiating active or passive countermeasures, installing security systems,
promoting workforce surety, and implementing cybersecurity measures, among various
others.
Protective Security Advisor (PSA) Program. DHS CIKR protection and vulnerability
assessment specialists are assigned as liaisons between DHS and the protective community
at the State, local, and private sector levels in geographical areas representing major
concentrations of CIKR across the United States. PSAs are responsible for sharing risk
information and providing technical assistance to local law enforcement and owners and
operators of CIKR within their respective areas of responsibility.
Recovery. The development, coordination, and execution of service- and site-restoration
plans for impacted communities and the reconstitution of government operations and
services through individual, private sector, nongovernmental, and public assistance
programs that identify needs and define resources; provide housing and promote
restoration; address long-term care and treatment of affected persons; implement
additional measures for community restoration; incorporate mitigation measures and
techniques, as feasible; evaluate the incident to identify lessons learned; and develop
initiatives to mitigate the effects of future incidents.
Resiliency. In the context of the NIPP, resiliency is the capability of an asset, system, or
network to maintain its function during or to recover from a terrorist attack or other
incident.
Response. Activities that address the short-term, direct effects of an incident, including
immediate actions to save lives, protect property, and meet basic human needs.
Response also includes the execution of emergency operations plans and incident mitigation
activities designed to limit the loss of life, personal injury, property damage, and other
unfavorable outcomes. As indicated by the situation, response activities include applying
intelligence and other information to lessen the effects or consequences of an incident;
increased security operations; continuing investigations into the nature and source of the
threat; ongoing surveillance and testing processes; immunizations, isolation, or quarantine;
and specific law enforcement operations aimed at preempting, interdicting, or disrupting
illegal activity, and apprehending actual perpetrators and bringing them to justice.
Risk. A measure of potential harm that encompasses threat, vulnerability, and consequence.
In the context of the NIPP, risk is the expected magnitude of loss due to a terrorist attack,
natural disaster, or other incident, along with the likelihood of such an event occurring and
causing that loss.
Risk Management Framework. A planning methodology that outlines the process for setting
security goals; identifying assets, systems, networks, and functions; assessing risks; prioritizing
and implementing protective programs; measuring performance; and taking
corrective action. Public and private sector entities often include risk management
frameworks in their business continuity plans.
Sector. A logical collection of assets, systems, or networks that provide a common function to
the economy, government, or society. The NIPP addresses 18 CIKR sectors, as identified by
the criteria set forth in HSPD-7.
Sector Coordinating Council. The private sector counterpart to the GCCs, these councils are
self-organized, self-run, and self-governed organizations that are representative of a
spectrum of key stakeholders within a sector. SCCs serve as the government’s principal
point of entry into each sector for developing and coordinating a wide range of CIKR
protection activities and issues.
Sector Partnership Model. The framework used to promote and facilitate sector and cross-sector
planning, coordination, collaboration, and information sharing for CIKR protection
involving all levels of government and private sector entities.
Sector-Specific Agency. Federal departments and agencies identified in HSPD-7 as
responsible for CIKR protection activities in specified CIKR sectors.
Sector-Specific Plan. Augmenting plans that complement and extend the NIPP Base Plan and
detail the application of the NIPP framework specific to each CIKR sector. SSPs are
developed by the SSAs in close collaboration with other sector partners.
Steady-State. In the context of the NIPP, steady-state is the posture for routine, normal, day-to-day
operations as contrasted with temporary periods of heightened alert or real-time
response to threats or incidents.
System. In the context of the NIPP, a system is a collection of assets, resources, or elements
that performs a process that provides infrastructure services to the Nation.
Terrorism. Any activity that: (1) involves an act that is (a) dangerous to human life or
potentially destructive of critical infrastructure or key resources, and (b) a violation of the
criminal laws of the United States or of any State or other subdivision of the United States;
and (2) appears to be intended to (a) intimidate or coerce a civilian population, (b) influence
the policy of a government by intimidation or coercion, or (c) affect the conduct of a
government by mass destruction, assassination, or kidnapping.
Threat. The intention and capability of an adversary to undertake actions that would be
detrimental to CIKR.
Value Proposition. A statement that outlines the national and homeland security interest in
protecting the Nation’s CIKR and articulates benefits gained by all CIKR partners through
the risk management framework and public-private partnership described in the NIPP.
Vulnerability. A weakness in the design, implementation, or operation of an asset, system, or
network that can be exploited by an adversary, or disrupted by a natural hazard or
technological failure.
Weapons of Mass Destruction. (1) Any explosive, incendiary, or poison gas (i) bomb, (ii)
grenade, (iii) rocket having a propellant charge of more than 4 ounces, (iv) missile having
an explosive or incendiary charge of more than one-quarter ounce, or (v) mine or (vi) similar
device; (2) any weapon that is designed or intended to cause death or serious bodily injury
through the release, dissemination, or impact of toxic or poisonous chemicals or their
precursors; (3) any weapon involving a disease organism; or (4) any weapon that is designed
to release radiation or radioactivity at a level dangerous to human life (18 U.S.C. 2332a).
1A.1 Introduction
The U.S. economy and national security are highly dependent upon cyber infrastructure.
Cyber infrastructure enables the Nation’s essential services, resulting in a highly
interconnected and interdependent network of CIKR. This network provides services
supporting business processes and financial markets, and also assists in the control of
many critical processes, including the electric power grid and chemical processing plants,
among various others.
A spectrum of malicious actors can and do conduct attacks against critical cyber
infrastructure on an ongoing basis. Of primary concern is the risk of organized cyber
attacks capable of causing debilitating disruption to the Nation’s CIKR, economy, or
national security. Furthermore, while terrorist groups have not yet initiated a major attack
against the Internet, there is potential of their using it as a means of attack or for other
purposes that support terrorist activities.
DHS and the SSAs are committed to working collaboratively with other public, private,
academic, and international entities to enhance cybersecurity awareness and preparedness
efforts, and ensure that the cyber elements of CIKR are:
- Robust enough to withstand attacks without incurring catastrophic damage;
- Responsive enough to recover from attacks in a timely manner; and
- Resilient enough to sustain nationally critical operations.
1A.1.1 Value Proposition for Cybersecurity
The value proposition for cybersecurity aligns with that for CIKR protection in general, as
discussed in chapter 1 of the NIPP Base Plan, but with a concentrated focus on cyber
infrastructure. Many CIKR functions and services are enabled through cyber systems and
services; if cybersecurity is not appropriately addressed, the risk to CIKR is increased. The
responsibility for cybersecurity spans all CIKR partners, including public and private sector
entities. The NIPP provides a coordinated and collaborative approach to help public and
private sector partners understand and manage cyber risk.
The NIPP promotes cybersecurity by facilitating participation and partnership in CIKR
protection initiatives, leveraging cyber-specific expertise and experience, and improving
information exchange and awareness of cybersecurity concerns. It also provides a
framework for public and private sector partner efforts to recognize and address
similarities and differences between approaches to cyber risk management for business
continuity and national security. This framework enables CIKR partners to work
collaboratively to make informed cyber risk management decisions, define national cyber
priorities, and address cybersecurity as part of an overall national CIKR protection
strategy.
1A.1.2 Definitions
The following definitions explain key terms and concepts related to the cyber dimension of
CIKR protection:
- Cyber infrastructure: Includes electronic information and communications systems and
  services and the information contained therein. Information and communications
  systems and services are composed of all hardware and software that process, store, and
  communicate information, or any combination of all of these elements. Processing
  includes the creation, access, modification, and destruction of information. Storage
  includes paper, magnetic, electronic, and all other media types. Communications
  includes sharing and distribution of information. For example, computer systems;
  control systems (e.g., SCADA); networks, such as the Internet; and cyber services (e.g.,
  managed security services) are part of cyber infrastructure:
  - Producers and providers of cyber infrastructure represent the information
    technology industrial base, and comprise the Information Technology sector. The
    producers and providers of cyber infrastructure play a key role in developing secure
    and reliable products and services.
  - Consumers of cyber infrastructure must maintain its security as new vulnerabilities
    are identified and the threat environment evolves. Individuals, whether private
    citizens or employees with cyber systems administration responsibility, play a
    significant role in managing the security of computer systems to ensure that they
    are not used to enable attacks against CIKR.
- Information Technology (IT) critical functions are sets of processes that produce,
  provide, and maintain products and services. IT critical functions encompass the full set
  of processes (e.g., research and development, manufacturing, distribution, upgrades,
  and maintenance) involved in transforming supply inputs into IT products and services.
- Cybersecurity: The prevention of damage to, unauthorized use of, exploitation of, and, if
  needed, the restoration of electronic information and communications systems and
  services (and the information contained therein) to ensure confidentiality, integrity, and
  availability.
- Cross-Sector Cybersecurity: Collaborative efforts between DHS, the SSAs, and other
  CIKR partners to improve the cybersecurity of the CIKR sectors by facilitating cyber
  risk-mitigation activities.
- Providing guidance, review, and functional advice on the development of effective cyber-protective
  measures; and
- Coordinating cybersecurity programs and contingency plans, including recovery of
  Internet functions.
1A.2.2 Sector-Specific Agencies
Recognizing that each CIKR sector possesses its own unique characteristics and operating
models, SSAs provide the subject matter and industry expertise through relationships with
the private sector to enable protection of the assets, systems, networks, and functions they
provide within each of the sectors. SSAs must understand and mitigate cyber risk by:
- Identifying subject matter expertise regarding the cyber aspects of their sector;
- Increasing awareness of how the business and operational aspects of the sector rely on
  cyber systems and processes;
- Determining whether approaches for CIKR inventory, risk assessment, and protective
  measures currently address cyber assets, systems, and networks; require enhancement;
  or require the use of alternative approaches;
- Reviewing and modifying existing and future sector efforts to ensure that cyber
  concerns are fully integrated into sector security strategies and protective activities;
- Establishing mutual assistance programs for cybersecurity emergencies; and
- Exchanging cyber-specific information with sector partners, including the international
  community, as appropriate, to improve the Nation’s overall cybersecurity posture.
21 1A.2.3 Other Federal Departments and Agencies
22 All Federal departments and agencies must manage the security of their cyber
23 infrastructure while maintaining awareness of vulnerabilities and consequences to ensure
24 that the cyber infrastructure is not used to enable attacks against the Nation’s CIKR. A
25 number of Federal agencies have specific additional responsibilities outlined in the
26 National Strategy to Secure Cyberspace:
27 The Department of Justice and the Federal Trade Commission: Working with the sectors
28 to address barriers to mutual assistance programs for cybersecurity emergencies.
29 The Department of Justice and Other Federal Agencies:
- Developing and implementing efforts to reduce or mitigate cyber threats by
acquiring more robust data on victims of cyber crime and intrusions;
- Leading the national effort to investigate and prosecute those who conduct or
attempt to conduct cyber attacks;
- Exploring means to provide sufficient investigative and forensic resources and
training to facilitate expeditious investigation and resolution of CIKR incidents; and
- Identifying ways to improve cyber information sharing and investigative
coordination among Federal, State, local, and tribal law enforcement communities;
other agencies; and the private sector.
39 The Federal Bureau of Investigation and the Intelligence Community: Ensuring a strong
40 counterintelligence posture to deter intelligence collection against the Federal
41 Government, as well as commercial and educational organizations.
1 The Intelligence Community, the Department of Defense, and Law Enforcement Agencies:
2 Improving the Nation’s ability to quickly attribute the source of threats or attacks to
3 enable timely and effective response.
4 1A.2.4 State, Local, and Tribal Governments
5 State, local, and tribal governments are encouraged to implement the following cyber
6 recommendations:
7 Managing the security of their cyber infrastructure while maintaining awareness of
8 threats, vulnerabilities, and consequences to ensure that it is not used to enable attacks
9 against CIKR, and ensuring that government offices manage their computer systems
10 accordingly;
11 Participating in significant national, regional, and local awareness programs to
12 encourage local governments and citizens to manage their cyber infrastructure
13 appropriately; and
14 Establishing cybersecurity programs, including policies, plans, procedures, recognized
15 business practices, awareness, and audits.
16 1A.2.5 Private Sector
17 The private sector is encouraged to implement the following recommendations as indicated
18 in the National Strategy to Secure Cyberspace:
19 Managing the security of their cyber infrastructure while maintaining awareness of
20 vulnerabilities and consequences to ensure that it is not used to enable attacks against
21 the Nation’s CIKR;
22 Participating in sector-wide programs to share information on cybersecurity;
23 Evaluating the security of networks that affect the security of the Nation’s CIKR,
24 including:
- Conducting audits to ensure effectiveness and the use of best practices;
- Developing continuity plans that consider the full spectrum of necessary resources,
including off-site staff and equipment; and
- Participating in industry-wide information sharing and best practices dissemination;
29 Reviewing and exercising continuity plans for cyber infrastructure and examining
30 alternatives (e.g., diversity in service providers, implementation of recognized
31 cybersecurity practices) as a way of improving resiliency and mitigating risk;
32 Identifying near-term R&D priorities that include programs for highly secure and
33 trustworthy hardware, software, and protocols; and
34 Promoting more secure out-of-the-box installation and implementation of software
35 industry products, including increasing user awareness of the security features of
36 products; ease of use for security functions; and, where feasible, promotion of industry
37 guidelines and best practices that support such efforts.
38 1A.2.6 Academia
39 Colleges and universities are encouraged to implement several recommendations as
40 indicated in the National Strategy to Secure Cyberspace:
1 Section 1A.4.1 of this appendix describes outreach and awareness initiatives to empower
2 CIKR partners at all levels of government and the private sector to secure cyberspace.
3 Additionally, Section 1A.3.5 of this appendix describes various cybersecurity initiatives and
4 programs, as well as exercise programs that promote effective collaborative response to
cyber attack while Section 1A.4 of this appendix describes information sharing and
international efforts to improve collaboration and coordination.
7 Objective 3: Ensure that cybersecurity is integrated into federal, state, private sector and
8 international risk assessment, preparedness, and response efforts
9 Working with the public and private sectors to reduce vulnerabilities and minimize the
10 severity of cyber attacks will help improve the security of CIKR by reducing risks to cyber
11 infrastructure, such as control systems. Section 1A.3.5 of this appendix describes protective
12 programs to reduce vulnerabilities and minimize the severity of cyber attacks.
13 Objective: Develop and promote the adoption of cybersecurity standards and best practices
14 by all levels of government, the private sector, the general public, and the international
15 community.
16 The adoption of cybersecurity standards and best practices strengthens the security of
17 individual systems and the security posture of interconnected infrastructures. Similarly,
18 training and education on standards and best practices are important components of
19 establishing a knowledge base focused on the security of cyberspace. To foster adequate
20 training and education to support the Nation’s cybersecurity needs, a cadre of cybersecurity
21 professionals must be developed and maintained through appropriate training and
22 education programs.
Section 1A.3.5 of this appendix discusses cybersecurity standards and best practices while
24 Section 1A.4.3 of this appendix describes training and education programs designed to help
25 develop cybersecurity professionals.
26 1A.3.2 Identify Cyber Assets, Systems, Networks, and Functions
27 Cyber assets, systems, networks, and functions are examined as a key aspect of risk
28 analysis. The process for identifying cyber assets, systems, networks, and functions should
29 be repeatable, scalable, and distributable, and enable cyber interdependency analysis at
30 both the sector and national levels to facilitate risk prioritization and mitigation.
31 Cyber assets, systems, and networks represent a variety of hardware and software
32 components that perform a particular function. Examples of assets, systems, networks, and
33 functions include networking equipment, database software, security systems, operating
34 systems, local area networks, modeling and simulation, and electronic communications. The
35 following are examples of cyber systems that exist in most, if not all, sectors and should be
36 identified individually or included as a cyber element of a physical asset’s description if the
37 operation of that asset depends on them:
38 Business Systems: Cyber systems used to manage or support common business
39 processes and operations. Examples of business systems include Enterprise Resource
40 Planning, e-commerce, e-mail, and R&D systems.
41 Control Systems: Cyber systems used within many infrastructure and industries to
42 monitor and control sensitive processes and physical functions. Control systems
43 typically collect measurement and operational data from the field, process and display
the information, and relay control commands to local or remote equipment or
human-machine interfaces (operators). Examples of control systems include SCADA, Process
3 Control Systems, and Distributed Control Systems.
4 Access Control Systems: Cyber systems allowing only authorized personnel and visitors
5 physical access to defined areas of a facility. Access control systems provide monitoring
6 and control of personnel passing throughout a facility by various means, including
7 electronic card readers, biometrics, and radio frequency identification.
8 The Internet is a key resource comprised of domestic and international assets within both
9 the Information Technology and Communications sectors. It is used by all sectors to
10 varying degrees. Availability of Internet service is the responsibility of both the Information
11 Technology and Communications sectors; however, the need for access to and reliance on
12 the Internet are common to all sectors.
13 DHS, in collaboration with other CIKR partners, provides a cross-sector cyber asset
14 identification methodology that, when applied, enables a sector to identify cyber assets,
15 systems, networks, and functions that may have nationally significant consequences if
16 destroyed, incapacitated, or exploited. This methodology also characterizes the reliance of a
17 sector’s business and operational functionality on cyber assets, systems, and networks.
18 Additional documentation on this methodology will be available in the near future. If an
19 appropriate cyber asset identification methodology is already being used within the sector,
20 DHS will work with the sector to ensure alignment of that methodology with the NIPP risk
21 management framework described in chapter 3.
22 1A.3.3 Assess Risks
23 Risk assessment for cyber assets, systems, and networks is an integral part of the risk
24 management framework described in the NIPP. This framework combines consequences,
25 threats, and vulnerabilities to produce systematic, comprehensive, and defensible risk
26 assessments. DHS and the SSAs assess risk for cyber assets, systems, and networks
27 associated with other CIKR at the national and sector levels.
28 DHS and the SSAs will incorporate the results of these risk assessments into their overall
29 risk management processes to prioritize where the Nation’s limited resources for CIKR
30 protection activities should be applied.
31 Consequence Analysis: The first step in the risk assessment process involves determining
32 the consequences of destruction; incapacitation; or exploitation of an asset, system,
33 network, or the functions they provide.
34 To assess whether a given asset may be nationally consequential, physical, cyber, and
35 human asset dependencies and interdependencies need to be assessed. Cyber
36 interdependence presents a unique challenge for all sectors because of the borderless
37 nature of cyberspace. Interdependencies are dual in nature (e.g., the Energy sector relies on
38 computer-based control systems to manage the electric power grid, while those same control
39 systems require electric power to operate).
40 Modeling and simulations through the NISAC will help quantify national and international
41 dependency and interdependency, as well as their resulting consequences. However, this
42 effort is highly complex and may not be appropriate for all assessments. When such
43 advanced capability is not available or required, dependency and interdependency analyses
44 may be carried out in a more subjective manner, with the participation of subject matter
1 experts who have operational knowledge of the sectors involved, as well as the cross-sector
2 interactions that are likely.
3 The consequences of cyber asset, system, or network destruction, incapacitation, or
4 exploitation should be measured and described using a consistent system of measurements
5 to ensure that the results can be compared across sectors. The NIPP provides essential
6 features and core elements of assessment methodologies to ensure such consistency. DHS
7 also makes consequence analysis tools and processes available for sectors to use at their
8 discretion. The NIPP essential features and DHS tools and processes require that cyber
9 assets, systems, and networks be properly accounted for in the analysis process for the
10 results to accurately reflect the consequences of cyber loss.
Vulnerability Assessment: The second step of the risk assessment process is analysis of
vulnerability—determining which elements of infrastructure are most susceptible to attack
and how attacks against these elements would most likely be carried out.
DHS works to identify cross-sector best practices to ensure that existing methodologies
used by SSAs and other CIKR partners address cyber vulnerabilities. DHS has taken a broad,
inclusive approach by reviewing various existing, publicly available methods across
government, industry, and academia to assemble a hybrid of the best practices. For
example, DHS not only examines vulnerability standards from the International Organization
for Standardization and NIST, but also studies vulnerability assessment methods used in the
law enforcement and intelligence communities and the private sector. DHS works to leverage
established methodologies that have traditionally focused on physical vulnerabilities by
enhancing them to better address cyber elements.
Sidebar: NCSD has developed the Cyber Security Vulnerability Assessment (CSVA), a
flexible and scalable approach that analyzes an entity’s cybersecurity posture and
describes gaps and targeted considerations that can reduce overall cyber risks. It
assesses the policies, plans, and procedures in place to reduce cyber vulnerability in 10
categories (e.g., access control, configuration management, physical security of cyber
assets, etc.) and leverages various recognized standards, guidance, and methodologies
(e.g., International Organization for Standardization 27001, Information Systems Audit and
Control Association Control Objects for Information and related Technology, and the
National Institute of Standards and Technology Special Publication 800 series).
34 There are cyber vulnerabilities that all sectors should consider when conducting their
35 assessments, such as system interconnections. System interconnections (also known as
36 trusted connections) are defined as the direct connection of two or more cyber systems
37 owned by separate organizations. Business or government offices may interconnect for a
38 variety of reasons, depending on the relationship between the interconnected entities.
39 These interconnections may increase the security risk by exposing one system to
40 vulnerabilities associated with another location.
41 Threat Analysis: The third step of the risk assessment process is the analysis of threat,
42 which provides the likelihood that a target will be attacked. There are increasing indicators
43 that potential adversaries intend to conduct cyber attacks and are actively acquiring cyber
attack capabilities. Cyber attacks may not only target the Internet; they may also use
it as a means of attack or for other purposes that support terrorist activities. Additionally,
1 the increasing ease with which powerful cyber attack tools can be obtained and used puts
2 the capability of conducting cyber attacks within reach of most groups or individuals who
3 wish to do harm to the United States. However, credible information on specific adversaries
4 is often not available. As such, DHS collaborates with the law enforcement and intelligence
5 communities and the private sector to more accurately portray the possible ways in which
6 the cyber threat may affect CIKR, including the exploitation of the Internet as a weapon.
7 As called for in the National Strategy to Secure Cyberspace, DHS provides input on cyber-
8 related issues for the National Intelligence Estimate of Cyber Threats to the U.S.
9 Information Infrastructure. DHS will update its assessment on an annual basis to inform
10 the general threat scenarios used in risk assessments and provide input to the National
11 Intelligence Estimate as required.
12 The HITRAC conducts integrated threat analysis for CIKR within DHS. HITRAC brings
13 together intelligence and infrastructure specialists to ensure a complete and sophisticated
14 understanding of the risks to U.S. CIKR, including cyber infrastructure. To do this,
15 HITRAC works in partnership with the U.S. Intelligence Community and national law
16 enforcement to integrate and analyze intelligence and law enforcement information on the
17 threat. It also works in partnership with the SSAs and owners and operators to ensure that
18 their expertise on infrastructure operations is integrated into threat analysis. HITRAC
19 combines intelligence, which includes all-source information, threat assessments, and trend
20 analysis, with expert operational and practical knowledge, and an understanding of U.S.
21 CIKR to provide products for CIKR risk assessment that include actionable conclusions
22 regarding terrorist threats and risks. Additional information on HITRAC products can be
23 found in section 3.3.4 of the NIPP Base Plan.
24 1A.3.4 Prioritize
25 NIPP risk assessments provide comparable estimates of the risk faced by each CIKR
26 element and sector. This process allows key elements and sectors to be prioritized according
27 to risk, and protective programs, including those focused on improving cybersecurity, to be
28 designed that can help mitigate the highest priority risks. Those programs that offer the
29 greatest risk mitigation for the dollars spent are afforded the highest priority. Although
30 cyber-specific protective programs are frequently perceived to be costly, the costs of these
31 programs may be significantly lower than the cascading costs associated with a successful
32 cyber attack.
33 Cyber assets, systems, and networks and the functions they provide are prioritized using an
34 overall risk-informed approach. By integrating cyber threats, vulnerabilities, and
35 consequences into risk analysis and by measuring risk in comparable terms for all elements
36 and sectors, cyber assets, systems, networks, and functions are included in the
37 prioritization process in a manner that ensures that they are appropriately considered
38 along with other aspects of CIKR.
39 1A.3.5 Implement Protective Programs
40 Since each sector has a unique reliance on cyber infrastructure, DHS will assist the SSAs in
41 developing a range of effective and appropriate cyber-protective measures.
42 In addition to individual sector-level protective measures, DHS has partnered with other
43 public and private sector entities to develop and implement specific programs to help
1 improve the security of the cyber infrastructure across sectors, as well as to support
2 national cyber risk-mitigation activities, including:
3 Government Forum of Incident Response and Security Teams (GFIRST): Following the
4 model of the global FIRST organization, the Federal interagency community established
5 the GFIRST to facilitate interagency information sharing and cooperation across
6 Federal agencies for readiness and response efforts. GFIRST is a group of technical and
7 tactical security response team practitioners responsible for securing government
8 information technology systems. The members work together to understand and handle
9 computer security incidents and to encourage proactive and preventive security
10 practices.
11 Cross Sector Cybersecurity Working Group (CSCSWG): The CSCSWG serves as a forum
12 to bring government and the private sector together to collaboratively address risk
13 across the CIKR sectors. This cross-sector perspective facilitates the sharing of
14 perspectives and knowledge about various cybersecurity concerns, such as common
15 vulnerabilities and protective measures, and leverages functional cyber expertise in a
16 comprehensive forum.
17 The National Cyber Response Coordination Group: The NCRCG member agencies use
18 their established relationships with the private sector and State, local, and tribal
19 governments to facilitate cyber incident management, develop courses of action, and
20 devise appropriate response and recovery strategies. NCRCG facilitates coordination of
21 the Federal Government’s efforts to prepare for, respond to, and recover from cyber
22 incidents and physical attacks that have significant cyber consequences. Outlined in the
23 NRF Cyber Annex, the NCRCG serves as the Federal Government’s principal
24 interagency mechanism for operational information sharing and coordination of Federal
25 Government response and recovery efforts during a cyber crisis.
26 Programs for Federal Systems Cybersecurity: The Federal Government is continually
27 increasing capabilities to address cyber risk associated with critical networks and
28 information systems. Current measures to prevent future attacks and intrusion
29 attempts include:
- Increasing personnel support to the U.S. Computer Emergency Readiness Team
(US-CERT), DHS’ 24x7 watch and warning center for the Federal Government’s
Internet infrastructure.
- Expanding the EINSTEIN Program to all Federal departments and agencies,
providing government officials with an early warning system to gain better
situational awareness, earlier identification of malicious activity, and a more
comprehensive network defense. The EINSTEIN Program helps identify unusual
network traffic patterns and trends which signal unauthorized network traffic so
security personnel are able to quickly identify and respond to potential threats.
- Consolidating the number of external connections including Internet points of
presence for the Federal Government Internet infrastructure, as part of the Office of
Management and Budget’s (OMB) “Trusted Internet Connections Initiative,” will
more efficiently manage and implement security measures to help bring more
comprehensive protection across the federal “.gov” domains.
- Creating a National Cybersecurity Center to further our progress in addressing
cyber threats and increasing cybersecurity efforts. This Center will bring together
federal cybersecurity organizations, by virtually connecting and in some cases,
1 DHS also partners with NIST in the National Information Assurance Partnership
2 (NIAP), a Federal Government initiative originated to meet the security testing needs of
3 both information technology consumers and producers. NIAP is operated by NSA to
4 address security testing, evaluation, and validation programs.
5 Control Systems Cybersecurity Program: The DHS Control Systems Cybersecurity
6 Program coordinates efforts among Federal, State, local, and tribal governments, as
7 well as control system owners, operators, and vendors to improve control system
8 security within and across all critical infrastructure sectors. The Control Systems
9 Cybersecurity Program coordinates activities to reduce the likelihood of success and
10 severity of impact of a cyber attack against critical infrastructure control systems
11 through risk-mitigation activities. These activities include assessing and managing
12 control system vulnerabilities, assisting the US-CERT Control Systems Security Center
13 with control system incident management, and providing control system situational
14 awareness through outreach and training initiatives.
Sidebar: Control systems, which are critical components of our Nation’s critical
infrastructure, monitor and control sensitive processes and functions upon which our
Nation depends (e.g., electricity generation, transmission, and distribution; natural gas
production and distribution; transportation systems monitoring and control; water supply
and treatment; and chemical processing). Control systems historically were designed with
proprietary solutions for specific uses in isolation, but are now frequently being
implemented with remote access and open connectivity, utilizing common operations systems
and, thus, are potentially vulnerable to various cyber attacks. Cybersecurity practices
commonly implemented in business systems are often difficult to implement in operational
control systems environments. As a result, cyber threats to control systems could
potentially have devastating impacts on national security, economic security, public
health and safety, as well as the environment.
The Standards and Best Practices Program: As part of its efforts to develop practical
guidance and review tools, and promote R&D investment in cybersecurity, DHS and NIST
co-sponsor the National Vulnerability Database. This database provides centralized and
comprehensive vulnerability mitigation resources for all types of users, including the
general public, system administrators, and vendors to assist with incident prevention and
management (including links to patches) to mitigate consequences and vulnerabilities.
34 1A.3.6 Measure Effectiveness and Improve Programs
35 The NIPP uses a metrics-based approach as a means to document performance, facilitate
36 diagnoses, promote effective management, and reassess goals. Within the NIPP metrics
37 framework, DHS works with CIKR partners to help ensure that the NIPP core measures
38 include the review, consideration, and integration of common cybersecurity policies, plans,
39 procedures, and sound business practices, as appropriate. Additionally, DHS works with
40 CIKR sectors to develop cybersecurity sector-specific metrics where applicable. Separate
41 sector-specific measures for cybersecurity may not be necessary in all cases; however, the
42 sector-specific measures should strive to consider all sector assets, including cyber assets,
43 systems, and networks when measuring performance against goals.
44 The overall purpose of measuring effectiveness using metrics is to improve cyber CIKR
45 protection by mitigating risk. This means that using metrics as descriptors is not sufficient
46 and that measured effectiveness must be compared to goals and improvements to enable
47 the addressing of priority gaps.
1 and with DHS and the SSAs to maximize resources, coordinate preparedness and response
2 efforts, and maintain situational awareness to enable risk mitigation regarding cyber
3 infrastructure.
4 Cybersecurity Awareness for CIKR Partners: DHS plays an important leadership role in
5 coordinating a public-private partnership to promote and raise cybersecurity awareness
6 among the general public by:
7 Partnering with other Federal and private sector organizations to sponsor the National
8 Cyber Security Alliance (NCSA), including creating a public-private organization, Stay
9 Safe Online, to educate home users, small businesses, and K-12 and higher education
10 audiences on cybersecurity best practices.
11 Engaging with the MS-ISAC to help enhance the Nation’s cybersecurity readiness and
12 response at the State and local levels, and launching a national cybersecurity awareness
13 effort in partnership with the MS-ISAC. The MS-ISAC is an information-sharing
14 organization, with representatives of State and local governments, that analyzes,
15 sanitizes, and disseminates information pertaining to cyber events and vulnerabilities
16 to its constituents and private industry.
17 Collaborating with the NCSA, the MS-ISAC, and the public and private sector to
18 establish October as National Cyber Security Awareness Month and participating in
19 activities to continuously raise cybersecurity awareness nationwide.
20 Cyberspace Emergency Readiness: DHS established the US-CERT, which is a 24/7 single
21 point of contact for cyberspace analysis and warning, information sharing, and incident
22 response and recovery for a broad range of users, including government, enterprises, small
23 businesses, and home users. US-CERT is a partnership between DHS and the public and
24 private sectors designed to help secure the Nation’s Internet infrastructure and to
25 coordinate defenses against and responses to cyber attacks across the Nation. US-CERT is
26 responsible for:
27 Analyzing and reducing cyber threats and vulnerabilities;
28 Disseminating cyber threat warning information; and
29 Coordinating cyber incident response activities.
30 To support the information-sharing requirements of the network approach, US-CERT
31 provides the following information on their Web site, accessible through the HSIN, and
32 through mailing lists:
33 Cybersecurity Alerts: Written in a language for home, corporate, and new users, these
34 alerts are published in conjunction with technical alerts in the context of security issues
35 that affect the general public.
36 Cybersecurity Bulletins: Bulletins summarize information that has been published
37 regarding emergent security issues and vulnerabilities. They are published weekly and
38 are written primarily for systems administrators and other technical users.
39 Cybersecurity Tips: Tips provide information and advice on a variety of common
40 cybersecurity topics. They are published biweekly and are written primarily for home,
41 corporate, and new users.
42 National Web Cast Initiative: In an effort to increase cybersecurity awareness and
43 education among the States, DHS, through US-CERT, and the MS-ISAC have launched
44 a joint partnership to develop a series of national Web casts that will examine critical
1 and timely cybersecurity issues. The purpose of the initiative is to strengthen the
2 Nation’s cyber readiness and resilience.
3 Technical Cybersecurity Alerts: Written for systems administrators and experienced
4 users, technical alerts provide timely information on current cybersecurity issues,
5 vulnerabilities, and exploits.
6 US-CERT also provides a method for citizens, businesses, and other institutions to
7 communicate and coordinate directly with the Federal Government on matters of
8 cybersecurity. The private sector can use the protections afforded by the Protected Critical
9 Infrastructure Information Act to electronically submit proprietary data to US-CERT.
10 1A.4.2 International Coordination on Cybersecurity
11 The Federal Government proactively uses its intelligence capabilities to protect the country
12 from cyber attack, its diplomatic outreach and operational capabilities to build partnerships
13 in the global community, and its law enforcement capabilities to combat cyber crime
14 wherever it originates. The private sector, international industry associations, and
15 companies with global interests and operations are also engaged in addressing
16 cybersecurity internationally. For example, the U.S.-based Information Technology
17 Association of America participates in international cybersecurity conferences and forums,
18 such as the India-based National Association for Software and Service Companies Joint
19 Conference. These efforts involve interaction with both the policy and operational
20 communities to coordinate national and international activities that are mutually
21 supportive across the globe:
22 International Cybersecurity Outreach: DHS, in conjunction with the Department of
23 State and other Federal agencies, engages in multilateral and bilateral discussions to
24 further international security awareness and policy development, as well as incident
25 response team information-sharing and capacity-building objectives. The United States
26 engages in bilateral discussions on important cybersecurity issues with close allies and
27 others with whom the United States shares networked interdependencies, to include,
28 but not limited to: Australia, Canada, Egypt, Germany, Hungary, India, Italy, Japan,
29 the Netherlands, Romania, the United Kingdom, etc. The United States also provides
30 leadership in multilateral and regional forums addressing cybersecurity and CIKR
31 protection to encourage all nations to take systematic steps to secure their networked
32 systems. For example, U.S. initiatives include: the Asia-Pacific Economic Cooperation
33 Telecommunications Working Group capacity-building program to help member
34 countries develop CSIRTs, and the OAS framework proposal to create a regional
35 computer incident response points-of-contact network for information sharing and to
36 help member countries develop CSIRTs. Other U.S. efforts to build a culture of
37 cybersecurity include participation in OECD, G8, and United Nations activities. The
38 U.S. private sector is actively involved in this international outreach in partnership
39 with the Federal Government.
40 Collaboration on Cyber Crime: The U.S. outreach strategy for comprehensive cyber laws
41 and procedures draws on the Council of Europe Convention on Cyber Crime, as well as:
42 (1) the G8 High-Tech Crime Working Group’s principles for fighting cyber crime and
43 protecting critical information infrastructure, (2) the OECD guidelines on information
44 and network security, and (3) the United Nations General Assembly resolutions based
45 on the G8 and OECD efforts. The goal of this outreach strategy is to encourage
1 individual nations and regional groupings of nations to join DHS in efforts to protect
2 internationally interconnected national systems.
3 Collaborative Efforts for Cyber Watch, Warning, and Incident Response: The Federal
4 Government is working strategically with key allies on cybersecurity policy and
5 operational cooperation. For example, DHS is leveraging pre-existing relationships
6 among CSIRTs. DHS also has established a preliminary framework for cooperation on
7 cybersecurity policy, watch, warning, and incident response with key allies. The
8 framework also incorporates efforts related to key strategic issues as agreed upon by
9 these allies. An IWWN is being established among cybersecurity policy, computer
10 emergency response, and law enforcement participants representing 15 countries. The
11 IWWN will provide a mechanism for the participating countries to share information to
12 build global cyber situational awareness and coordinate incident response.
13 Partnerships to Address Cyber Aspects of Critical Infrastructure Protection: DHS and
14 the SSAs are leveraging existing agreements, such as the SPP and the JCG with the
15 United Kingdom, to address the Information Technology sector and cross-cutting cyber
16 components of CIKR protection. The trilateral SPP builds on existing bilateral
17 agreements between the United States and Canada and the United States and Mexico
18 by allowing issues to be addressed on a dual bi-national basis. In the context of the JCG,
19 DHS established a 10-point action plan to address cybersecurity, watch, warning, and
20 incident response and other strategic initiatives.
21 1A.4.3 Training and Education
22 The National Strategy to Secure Cyberspace highlights the importance of cyberspace
23 security training and education. Education and training are strategic initiatives in which
24 DHS and other Federal agencies are actively engaged to effect a greater awareness and
25 participation in efforts to promote cybersecurity for the future.
26 The Federal Government has undertaken several initiatives in partnership with the
27 research and academic communities to better educate and train future cybersecurity
28 practitioners:
29 DHS developed the IT Security Essential Body of Knowledge (EBK): A Competency and
30 Functional Framework for IT Security Workforce Development. The EBK provides a
31 national baseline representing the essential knowledge and skills that IT security
32 practitioners should have to perform specific roles and responsibilities.
33 DHS co-sponsors the National CAEIAE program with NSA. Together, DHS and NSA
34 are working to expand the program nationally.
35 DHS collaborates with the National Science Foundation to co-sponsor and expand the
36 Cyber Corps Scholarship for Service program. The Scholarship for Service program
37 provides grant money to selected CAEIAE and other universities with programs of a
38 similar caliber to fund the final 2 years of bachelor’s, master’s, or doctoral study in
39 information assurance in exchange for an equal amount of time spent working for the
40 Federal Government.
41 In fiscal year 2004, the joint DHS/Treasury Computer Investigative Specialist program
42 trained 48 Federal criminal investigators in basic computer forensics. Agents from ICE,
43 the Internal Revenue Service, and the U.S. Secret Service attended the basic 6½-week
44 course. This training was funded through the Treasury Executive Office of Asset
45 Forfeiture.
1 public and private sectors through various programs and outreach efforts (e.g., US-CERT,
2 the Control Systems Cybersecurity Program, and the Software Assurance Program) to
3 promote awareness of cybersecurity risks, and create incentives for increased investment in
4 cybersecurity.
1 and connecting constituencies not traditionally engaged in security. The broad structure of
2 this approach is outlined in this appendix; it is based on the following high-level
3 considerations.
1 Sectors with CIKR that are extensively integrated into an international or global
2 market (e.g., Banking and Finance or other information-based sector, Energy, or
3 Transportation) or when the proper functioning of a sector relies on inputs that are not
4 within the control of U.S. entities; and
5 U.S. Government and corporate facilities located overseas may be regarded as CIKR
6 based on implementation of the NIPP framework. Protection for the Government
7 Facilities sector involves careful interagency collaboration, as well as cooperation with
8 foreign CIKR partners.
9 The following subsections discuss issues associated with the international aspects of CIKR
10 protection in the context of the steps of the NIPP risk management process. (See NIPP
11 Chapter 3, The Protection Program Strategy: Managing Risk.)
12 1B.3.1 Setting Security Goals
13 The overarching goal of the NIPP—to enhance the protection of U.S. CIKR—applies to the
14 international “system of systems” that underpins U.S. CIKR. The NIPP and the SSPs
15 provide guidance and risk management approaches to address the international aspects of
16 CIKR protection efforts on both a national and a sector-specific level. In addition, a
17 separate set of goals and priorities guide cross-sector and global efforts to improve
18 protection for CIKR with international linkages. These goals fall into three categories:
19 Identifying and addressing cross-sector and global issues;
20 Implementing existing and developing new agreements that affect CIKR; and
21 Improving the effectiveness of international cooperation.
22 DHS, in conjunction with DOS and other CIKR partners, defines the requirement for a
23 comprehensive international CIKR protection strategy. The integration of international
24 CIKR protection considerations and measures into each SSP is important for pursuing and
25 achieving these goals in ways that complement each other and are achievable with the
26 resources available.
27 Important considerations in achieving these goals are discussed in this section; actions
28 required to achieve these goals are addressed in the section on key implementation actions.
29 1B.3.2 Identifying CIKR Affected by International Linkages or Located
30 Internationally
31 Once international security goals are set, the next step in the risk management process is
32 to develop and maintain a comprehensive inventory of the Nation’s CIKR outside U.S.
33 borders and of foreign CIKR that may lead to loss of life in the United States, or critically
34 affect the Nation’s economic, industrial, or defensive capabilities. The process for
35 identifying nationally critical CIKR involves working with U.S. industry, SSAs, academia,
36 and international partners to gather and protect information on the foreign infrastructure
37 and resources on which U.S. CIKR rely or which significantly impact U.S. interests as
38 noted above.
39 Dependency, Interdependency and International CIKR Protection Cooperation: The NIPP
40 risk management framework details a structured approach for use in determining
41 dependencies and interdependencies, including physical, cyber, and international
42 considerations. This approach is designed to address CIKR protection needs and
43 vulnerabilities in three areas:
1 1B.3.4 Prioritizing
2 Assessing CIKR on a level playing field that adjudicates risk based on a common
3 framework ensures resources are applied where they offer the most benefit for reducing
4 risk; deterring threats; and minimizing the consequences of attacks, natural disasters, and
5 other emergencies. The same prioritization used for domestic CIKR protection is observed
6 to evaluate the risk arising from international linkages and CIKR located in foreign
7 countries. The priority for investment in protecting CIKR could be raised if international
8 linkages/location increase the risk.
9 1B.3.5 Implementing Programs
10 The primary responsibility for developing protective measures that address risks arising
11 from international factors belongs to the SSAs. In addition to sector protective measures,
12 DHS has specific programs to help enhance the cooperation and coordination needed to
13 address the unique challenges posed by the international aspects of CIKR protection:
14 International Outreach Program: DHS works in conjunction with DOS and with other
15 departments/agencies that have foreign affairs coordination responsibilities to conduct
16 international outreach with foreign countries and international organizations to
17 encourage the promotion and adoption of organizational and policymaking structures,
18 information-sharing mechanisms, industry partnerships, best practices, training, and
19 other programs as needed to improve the protection of overseas assets and the
20 reliability of foreign infrastructure on which the United States depends.
21 The National Cyber Response Coordination Group: The NCRCG facilitates coordination
22 of the Federal Government’s efforts to prepare for, respond to, and recover from cyber
23 incidents and physical attacks that have significant cyber consequences (collectively
24 known as cyber incidents). It serves as the Federal Government’s principal interagency
25 mechanism for operational information sharing and coordination of Federal
26 Government response and recovery efforts during a cyber incident. The NCRCG
27 considers and consults with international partners on a regular basis for routine
28 situational awareness and during incidents. NCRCG member agencies integrate their
29 capabilities to facilitate assessment of the domestic and international scope and severity
30 of a cyber incident.
31 The National Exercise Program: DHS provides overarching coordination for the
32 National Exercise Program to ensure the Nation’s readiness to respond in an
33 all-hazards environment and to test the steady-state protection plans and programs put in
34 place by the NIPP. The exercise program, as appropriate, engages international
35 partners to address cooperation and cross-border issues, including those related to
36 CIKR protection. DHS and other CIKR partners also participate in exercises sponsored
37 by international partners, including cross-border, multi-sector tabletops.
38 National Cyber Exercises: DHS conducts exercises to identify, test, and improve
39 coordination of the cyber incident response community, including Federal, State,
40 territorial, local, tribal, and international government elements, as well as private
41 sector corporations and coordinating councils.
42 Because of the complex nature of the international dimension of CIKR, a substantial
43 emphasis is placed on best practices that can be used to improve cooperation and
44 coordination. To this end, DHS leads efforts to:
1 Canada and Mexico: The CIKR relationships between the United States and its
2 immediate neighbors are closely interconnected and cover a wide range of sectors.
3 Electricity, natural gas, oil, telecommunications, roads, rail, food, water, minerals, and
4 finished products cross the borders on a regular basis as part of normal commerce. The
5 importance of this trade, and the infrastructure that supports it, was highlighted after
6 the terrorist attacks of September 11, 2001, nearly closed both borders. The United
7 States entered into the 2001 Smart Border Accord with Canada and the 2002 Border
8 Partnership Plan with Mexico, in part, to address bilateral CIKR issues. In addition, the
9 2005 SPP established a trilateral approach to common security issues. The SPP
10 complements, rather than replaces, existing agreements.
11 United Kingdom: The United Kingdom is a close ally with much experience in fighting
12 terrorism and protecting its CIKR. The United Kingdom developed substantial expertise
13 in law enforcement and intelligence systems, and in the protection of commercial
14 facilities based on its experience in countering terrorism. Like the United States, most
15 of the critical infrastructure in the United Kingdom is privately owned. The government
16 of the United Kingdom developed an effective, sophisticated system of managing
17 public-private partnerships. DHS formed a JCG with the United Kingdom that brings officials
18 into regular, formal contact to discuss and resolve a range of bilateral homeland
19 security issues.
20 G8: Since September 11, the infrastructure in several G8 countries has been exploited
21 and used to inflict casualties and fear. As a result, G8 partners underscored their
22 determination to combat all forms of terrorism and to strengthen international
23 cooperation. Counterterrorism work is the focus of a number of initiatives launched at
24 G8 summits. For example, at their meeting in Gleneagles in Scotland, in July 2005, the
25 G8 heads of government issued a Statement on Counterterrorism. In it, they pledged to
26 “commit ourselves to new joint efforts. We will work to improve the sharing of
27 information on the movement of terrorists across international borders, to assess and
28 address the threat to the transportation infrastructure, and to promote best practices
29 for rail and metro security.” DHS works closely with the G8 to address the common
30 threats to CIKR and cyberspace.
31 European Union: The European Union is pursuing CIKR as a matter of policy, noting
32 that an effective strategy should focus on both preparedness and on consequence
33 management. DHS engages the European Union early in this process to share its
34 experience, and to further cooperate on characteristics and common vulnerabilities of
35 critical infrastructure and cyberspace, risk analysis techniques, and strategies to
36 mitigate risk and minimize consequences.
37 North Atlantic Treaty Organization: NATO addresses CIKR issues through the Senior
38 Civil Emergency Planning Committee, the senior policy and advisory body to the North
39 Atlantic Council on civil emergency planning and disaster relief matters. The committee
40 is responsible for policy direction and coordination of Planning Boards and Committees
41 in the NATO environment. It developed considerable expertise that applies to CIKR
42 protection and implemented planning boards and committees covering ocean shipping,
43 inland surface transport, civil aviation, food and agriculture, industrial preparedness,
44 civil communications planning, civil protection, and civil-military medical issues. DHS
45 provides a delegation to the Senior Civil Emergency Planning Committee at NATO,
46 participates in NATO’s telecommunications working group, and engages with NATO in
47 preparedness exercises.
1 with Canada, Mexico, the United Kingdom, NATO, and others, and provides the framework
2 for collaborative engagement with additional international partners.
3 SSPs include descriptions of sector relationships and partner roles and responsibilities that
4 address international/multinational organizations and foreign governments. SSPs also
5 provide a comprehensive view of CIKR, including cross-sector dependencies and
6 interdependencies; international links; and cyber systems needed for the sector to function.
11 2A.1 Statutes
12 Homeland Security Act of 2002 24
13 This act establishes a Cabinet-level department headed by a Secretary of Homeland
14 Security with the mandate and legal authority to protect the American people from the
15 continuing threat of terrorism. In the act, Congress assigns DHS the primary missions to:
16 Prevent terrorist attacks within the United States;
17 Reduce the vulnerability of the United States to terrorism at home;
18 Minimize the damage and assist in the recovery from terrorist attacks that occur; and
19 Ensure that the overall economic security of the United States is not diminished by
20 efforts, activities, and programs aimed at securing the homeland.
21 This statutory authority defines the protection of CIKR as one of the primary missions of
22 the department. Among other actions, the act specifically requires DHS:
23 To carry out comprehensive assessments of the vulnerabilities of the CIKR of the
24 United States, including the performance of risk assessments to determine the risks
25 posed by particular types of terrorist attacks;
26 To develop a comprehensive national plan for securing the key resources and critical
27 infrastructure of the United States, including power production, generation, and
28 distribution systems; information technology and telecommunications systems
29 (including satellites); electronic financial and property record storage and transmission
30 systems; emergency preparedness communications systems; and the physical and
31 technological assets that support such systems; and
32 To recommend measures necessary to protect the CIKR of the United States in
33 coordination with other agencies of the Federal Government and in cooperation with
34 State and local government agencies and authorities, the private sector, and other
35 entities.
24 Public Law 107-296, November 25, 2002, 116 Stat. 2135. It is coded at 6 U.S.C.
1 Those requirements, combined with the President’s direction in HSPD-7, mandate the
2 unified approach to CIKR protection taken in the NIPP.
3 Critical Infrastructure Information Act of 2002 25
4 Enacted as part of the Homeland Security Act, this act creates a framework that enables
5 members of the private sector and others to voluntarily submit sensitive information
6 regarding the Nation’s CIKR to DHS with the assurance that the information, if it satisfies
7 certain requirements, will be protected from public disclosure.
8 The PCII Program, created under the authority of the act, is central to the
9 information-sharing and protection strategy of the NIPP. By protecting sensitive information submitted
10 through the program, the private sector is assured that the information will remain secure
11 and only be used to further CIKR protection efforts. 26
12 Implementing Recommendations of the 9/11 Commission Act of 2007
13 This act requires the implementation of some of the recommendations made by the 9/11
14 Commission, to include requiring the Secretary of Homeland Security to: 1) establish
15 department-wide procedures to receive and analyze intelligence from State, local, and tribal
16 governments and the private sector; and 2) establish a system that screens 100 percent of
17 maritime and passenger cargo.
18 This Act establishes the International Border Community Interoperable Communications
19 Demonstration Project, to help identify and implement solutions to cross-border
20 communications and cooperation, and the Interagency Threat Assessment and
21 Coordination Group (ITACG), to improve interagency communications. The establishment
22 of ITACG Advisory Councils allows Federal agencies to set policies to improve
23 communication within the information-sharing environment and supports establishment of
24 an ITACG Detail that gives State, local, and tribal homeland security officials, law
25 enforcement officers, and intelligence analysts the opportunity to work in the National
26 Counterterrorism Center.
27 The Act also established grants to support high-risk urban areas and State, local, and tribal
28 governments in preventing, preparing for, protecting against, and responding to acts of
29 terrorism; and to assist States in carrying out initiatives to improve international
30 emergency communications.
31 National Strategy for Homeland Security (October 2007)
32 The updated strategy serves to guide, organize, and unify our Nation's homeland security
33 efforts. It is a national strategy – not a Federal strategy – that articulates the approach to
34 secure the homeland over the next several years. It builds on the first National Strategy for
35 Homeland Security, issued in July 2002, and complements both the National Security
36 Strategy issued in March 2006 and the National Strategy for Combating Terrorism, issued
37 in September 2006. It reflects the increased understanding of threats confronting the
38 United States, incorporates lessons learned from exercises and real-world catastrophes, and
39 addresses ways to ensure long-term success by strengthening the homeland security
40 foundation that has been built.
25 The CII Act is presented as subtitle B of title II of the Homeland Security Act (sections 211-215) and is codified at 6 U.S.C. 131 et seq.
26 Procedures for Handling Critical Infrastructure Information, 68 Fed. Reg. 8079 (Feb. 20, 2004), are codified at 6 CFR Part 29.
1 Robert T. Stafford Disaster Relief and Emergency Assistance Act (Stafford Act) 27
2 The Stafford Act provides comprehensive authority for response to emergencies and major
3 disasters—natural disasters, accidents, and intentionally perpetrated events. It provides
4 specific authority for the Federal Government to provide assistance to State and local
5 entities for disaster preparedness and mitigation, and major disaster and emergency
6 assistance. Major disaster and emergency assistance includes such resources and services
7 as:
8 The provision of Federal resources, in general;
9 Medicine, food, and other consumables;
10 Work and services to save lives and restore property, including:
11 - Debris removal;
12 - Search and rescue; emergency medical care; emergency mass care; emergency
13 shelter; and provision of food, water, medicine, and other essential needs, including
14 movement of supplies or persons;
15 - Clearance of roads and construction of temporary bridges;
16 - Provision of temporary facilities for schools and other essential community services;
17 - Demolition of unsafe structures that endanger the public;
18 - Warning of further risks and hazards;
19 - Dissemination of public information and assistance regarding health and safety
20 measures;
21 - Provision of technical advice to State and local governments on disaster
22 management and control; and
23 - Reduction of immediate threats to life, property, and public health and safety;
24 Hazard mitigation;
25 Repair, replacement, and restoration of certain damaged facilities; and
26 Emergency communications, emergency transportation, and fire management
27 assistance.
28 Disaster Mitigation Act of 2000
29 This act amends the Stafford Act by repealing the previous mitigation planning provisions
30 (section 409) and replacing them with a new set of requirements (section 322). This new
31 section emphasizes the need for State, Tribal, and local entities to closely coordinate
32 mitigation planning and implementation efforts.
33 Section 322 continues the requirement for a State mitigation plan as a condition of disaster
34 assistance, adding incentives for increased coordination and integration of mitigation
35 activities at the State level through the establishment of requirements for two different
36 levels of State plans—standard and enhanced. States that demonstrate an increased
37 commitment to comprehensive mitigation planning and implementation through the
38 development of an approved Enhanced State Plan can increase the amount of funding
39 available through the Hazard Mitigation Grant Program (HMGP). Section 322 also
40 established a new requirement for local mitigation plans and authorized up to 7 percent of
1 HMGP funds available to a State to be used for development of State, local, and tribal
2 mitigation plans.
3 Corporate and Criminal Fraud Accountability Act of 2002 (also known as the Sarbanes-Oxley
4 Act) 28
5 The act applies to entities required to file periodic reports with the Securities and Exchange
6 Commission under the provisions of the Securities and Exchange Act of 1934, as amended.
7 It contains significant changes to the responsibilities of directors and officers, as well as the
8 reporting and corporate governance obligations of affected companies. Among other things,
9 the act requires certification by the company’s CEO and chief financial officer that
10 accompanies each periodic report filed that the report fully complies with the requirements
11 of the securities laws and that the information in the report fairly presents, in all material
12 respects, the financial condition and results of the operations of the company. It also
13 requires certifications regarding internal controls and material misstatements or omissions,
14 and the disclosure on a “rapid and current basis” of information regarding material changes
15 in the financial condition or operations of a public company. The act contains a number of
16 additional provisions dealing with insider accountability and disclosure obligations, and
17 auditor independence. It also provides severe criminal and civil penalties for violations of
18 the act’s provisions.
19 The Defense Production Act of 1950 and the Defense Production Reauthorization Act of 2003
20 This act provides the primary authority to ensure the timely availability of resources for
21 national defense and civil emergency preparedness and response. Among other powers, this
22 act authorizes the President to demand that companies accept and give priority to
23 government contracts that the President “deems necessary or appropriate to promote the
24 national defense,” and allocate materials, services, and facilities, as necessary, to promote
25 the national defense in a major national emergency. This act also authorizes loan
26 guarantees, direct loans, direct purchases, and purchase guarantees for those goods
27 necessary for national defense. It also allows the President to void international mergers
28 that would adversely affect national security. This act defines “national defense” to include
29 critical infrastructure protection and restoration, as well as activities authorized by the
30 emergency preparedness sections of the Stafford Act. Consequently, the authorities
31 stemming from the Defense Production Act are available for activities and measures
32 undertaken in preparation for, during, or following a natural disaster or accidental or
33 malicious event. Under the act and related Presidential orders, the Secretary of Homeland
34 Security has the authority to place and, upon application, authorize State and local
35 governments to place priority-rated contracts in support of Federal, State, and local
36 emergency preparedness activities. The Defense Production Act has a national security nexus
37 with the NIPP. National emergencies related to CIKR may arise that require the President
38 to use his authority under the Defense Production Act.
39 The Freedom of Information Act 29
40 This act generally provides that any person has a right, enforceable in court, to obtain
41 access to Federal agency records, except to the extent that such records are protected from
42 public disclosure by nine listed exemptions or under three law enforcement exclusions.
1 Persons who make requests are not required to identify themselves or explain the purpose
2 of the request. The underlying principle of FOIA is that the workings of government are for
3 and by the people and that the benefits of government information should be made broadly
4 available. All Federal Government agencies must adhere to the provisions of FOIA with
5 certain exceptions for work in progress, enforcement confidential information, classified
6 documents, and national security information. FOIA was amended by the Electronic
7 Freedom of Information Act Amendment of 1996.
8 Information Technology Management Reform Act of 1996 30
9 Under section 5131 of the Information Technology Management Reform Act of 1996, NIST
10 develops standards, guidelines, and associated methods and techniques for Federal
11 computer systems. Federal Information Processing Standards are developed by NIST only
12 when there are no existing voluntary standards to address the Federal requirements for the
13 interoperability of different systems, the portability of data and software, and computer
14 security.
15 Gramm-Leach-Bliley Act of 1999 31
16 Among other things, this act (title V) provides limited privacy protections on the disclosure
17 by a financial institution of nonpublic personal information. The act also codifies
18 protections against the practice of obtaining personal information through false pretenses.
19 Public Health Security and Bioterrorism Preparedness and Response Act of 2002 32
20 This act improves the ability of the United States to prevent, prepare for, and respond to
21 bioterrorism and other public health emergencies. Key provisions of the act, 42 U.S.C. 247d
22 and 300hh among others, address: (1) development of a national preparedness plan by HHS
23 that is designed to provide effective assistance to State and local governments in the event
24 of bioterrorism or other public health emergencies; (2) operation of the National Disaster
25 Medical System to mobilize and address public health emergencies; (3) grant programs for
26 the education and training of public health professionals and the improvement of State,
27 local, and hospital preparedness for and response to bioterrorism and other public health
28 emergencies; (4) streamlining and clarification of communicable disease quarantine
29 provisions; (5) enhancement of controls on dangerous biological agents and toxins; and (6)
30 protection of the safety and security of food and drug supplies.
31 Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and
32 Obstruct Terrorism Act of 2001 (USA PATRIOT Act) 33
33 This act outlines the domestic policy related to deterring and punishing terrorists, and the
34 U.S. policy for CIKR protection. It also provides for the establishment of a national
35 competence for CIKR protection. The act establishes the NISAC and outlines the Federal
36 Government’s commitment to understanding and protecting the interdependencies among
37 critical infrastructure.

The Privacy Act of 1974 [34]
This act provides strict limits on the maintenance and disclosure by any Federal agency of
information on individuals that is maintained, including “education, financial transactions,
medical history, and criminal or employment history and that contains [the] name, or the
identifying number, symbol, or other identifying particular assigned to the individual, such
as a finger or voice print or a photograph.” Although there are specific categories for
permissible maintenance of records and limited exceptions to the prohibition on disclosure
for legitimate law enforcement and other specified purposes, the act requires strict
recordkeeping on any disclosure. The act also specifically provides for access by individuals
to their own records and for requesting corrections thereto.

Federal Information Security Management Act of 2002 [35]
This act requires that Federal agencies develop a comprehensive information technology
security program to ensure the effectiveness of information security controls over
information resources that support Federal operations and assets. This legislation is
relevant to the part of the NIPP that governs the protection of Federal assets and the
implementation of cyber-protective measures under the Government Facilities SSP.

Cyber Security Research and Development Act of 2002 [36]
This act allocates funding to NIST and the National Science Foundation for the purpose of
facilitating increased R&D for computer network security and supporting research
fellowships and training. The act establishes a means of enhancing basic R&D related to
improving the cybersecurity of CIKR.

Maritime Transportation Security Act of 2002 [37]
This act directs initial and continuing assessments of maritime facilities and vessels that
may be involved in a transportation security incident. It requires DHS to prepare a
National Maritime Transportation Security Plan for deterring and responding to a
transportation security incident and to prepare incident response plans for facilities and
vessels that will ensure effective coordination with Federal, State, and local authorities. It
also requires, among other actions, the establishment of transportation security and
crewmember identification cards and processes; maritime safety and security teams; port
security grants; and enhancements to maritime intelligence and matters dealing with
foreign ports and international cooperation.

Intelligence Reform and Terrorism Prevention Act of 2004 [38]
This act provides sweeping changes to the U.S. Intelligence Community structure and
processes, and creates new systems specially designed to combat terrorism. Among other
actions, the act:
- Establishes a Director of National Intelligence with specific budget, oversight, and
  programmatic authority over the Intelligence Community;
- Establishes the National Intelligence Council and redefines “national intelligence”;
- Requires the establishment of a secure ISE and an information-sharing council;
- Establishes a National Counterterrorism Center, a National Counter Proliferation
  Center, National Intelligence Centers, and a Joint Intelligence Community Council;
- Establishes, within the Executive Office of the President, a Privacy and Civil Liberties
  Oversight Board;
- Requires the Director of the FBI to continue efforts to improve the intelligence
  capabilities of the FBI and to develop and maintain, within the FBI, a national
  intelligence workforce;
- Directs improvements in security clearances and clearance processes;
- Requires DHS to develop and implement a National Strategy for Transportation
  Security and transportation modal security plans; enhance identification and
  credentialing of transportation workers and law enforcement officers; conduct R&D into
  mass identification technology, including biometrics; enhance passenger screening and
  terrorist watch lists; improve measures for detecting weapons and explosives; improve
  security related to the air transportation of cargo; and implement other aviation
  security measures;
- Directs enhancements to maritime security;
- Directs enhancements in border security and immigration matters;
- Enhances law enforcement authority and capabilities, and expands certain diplomatic,
  foreign aid, and military authorities and capabilities for combating terrorism;
- Requires expanded machine-readable visas with biometric data; implementation of a
  biometric entry and exit system, and a registered traveler program; and implementation
  of biometric or other secure passports;
- Requires standards for birth certificates and driver’s licenses or personal identification
  cards issued by States for use by Federal agencies for identification purposes, and
  enhanced regulations for social security cards;
- Requires DHS to improve preparedness nationally, especially measures to enhance
  interoperable communications, and to report on vulnerability and risk assessments of
  the Nation’s CIKR; and
- Directs measures to improve assistance to and coordination with State, local, and
  private sector entities.

protect the systems and the Department of Defense will devise strategies for counterattacks
against intruders.

HSPD-24: Biometrics for Identification and Screening to Enhance National Security (June
2008)
HSPD-24 establishes a framework to ensure that Federal executive departments and
agencies use mutually compatible methods and procedures in the collection, storage, use,
analysis, and sharing of biometric and associated biographic and contextual information of
individuals in a lawful and appropriate manner, while respecting their information privacy
and other legal rights under U.S. law.

- Estimate the economic loss in dollars, stating which costs are included and what
  duration was considered
- If monetizing human health consequences, document the value(s) used and assumptions
  made
- Consider and document any protective or consequence mitigation measures that have
  their effect after the incident has occurred such as the rerouting of systems or HAZMAT
  or fire and rescue response

Vulnerability Assessment
- Identify vulnerabilities associated with physical, cyber, or human factors (openness to
  both insider and outsider threats), critical dependencies, and physical proximity to
  hazards. Collect sufficient information to form an estimate for each attack scenario
- Account for the protective measures in place and how they reduce the vulnerability for
  each attack type
- In evaluating security vulnerabilities, estimate the relative strength of collective
  protective measures
- In evaluating security vulnerabilities, develop estimates of the likelihood of adversaries’
  success for each attack scenario

Threat Assessment
- For adversary-specific threat assessments:
  - Account for the access to the target and the opportunity to attack it
  - Identify attack methods that may be employed
  - Consider the level of capability that an adversary demonstrates for an attack
    method
  - Consider the degree of the adversaries’ intent to attack the target
  - Estimate threat as the likelihood that the adversary would attempt a given attack
    method at the target
- For natural disasters and accidental hazards:
  - Use best-available analytic tools and historical data to estimate the likelihood of
    these events affecting CIKR

Program, the Hazard Mitigation Grant Program, and the Pre-Disaster Mitigation Program.
These programs enable grant recipients to undertake activities such as the elevation of
structures in floodplains, relocation of structures from floodplains, construction of
structural enhancements to facilities and buildings in earthquake-prone areas (also known
as retrofitting), and modifications to land-use plans to ensure that future construction
ameliorates, and does not exacerbate, hazardous conditions.

International Outreach Program: DHS works with the Department of State and other CIKR
partners to conduct international outreach with foreign countries and international
organizations to encourage the promotion and adoption of best practices, training, and
other programs, as needed, to improve the protection of overseas assets and the reliability
of the foreign infrastructure on which the United States depends.

National Cyber Exercises: DHS conducts exercises to identify, test, and improve
coordination of the cyber incident response community, including Federal, State, territorial,
local, tribal, and international government elements, as well as private sector corporations
and coordinating councils.

National Cyber Response Coordination Group: This entity facilitates coordination of the
Federal Government’s efforts to prepare for, respond to, and recover from cyber incidents
and physical attacks that have significant cyber consequences (collectively known as cyber
incidents). The NCRCG serves as the Federal Government’s principal interagency
mechanism for operational information sharing and coordination of the Federal
Government’s response and recovery efforts during a cyber crisis. It uses established
relationships with the private sector and State and local governments to help manage a
cyber crisis, develop courses of action, and devise appropriate response and recovery
strategies.

Protective Community Support Program: Specific advisory support is provided to the
protective community (e.g., law enforcement, first-responders), including training and
exercise support.

Protective Security Advisor Program: DHS protection specialists are assigned as liaisons
between DHS and the protective community at the State, local, and private sector levels in
geographical areas representing major concentrations of CIKR across the United States.
The PSAs are responsible for sharing risk information and providing technical assistance to
local law enforcement and CIKR owners and operators within those areas.

Software Assurance: DHS is developing best practices and new technologies to promote
integrity, security, and reliability in software development. Focused on shifting away from
the current security paradigm of patch management, DHS is leading the Software
Assurance Program, a comprehensive strategy that addresses processes, technology, and
acquisition throughout the software life cycle to result in secure and reliable software that
supports critical mission requirements.

Training Programs: DHS training programs are designed to provide CIKR partners with a
source from which they can obtain specialized training to enhance CIKR protection. Subject
matter, course length, and location of training can be tailored to specific partner needs.

county levels; however, more than 485 State agencies and more than 920 Federal
agencies also participate. The Drug Enforcement Administration; FBI; U.S. Attorneys’
Offices; Internal Revenue Service; Secret Service; U.S. Immigration and Customs
Enforcement; and the Bureau of Alcohol, Tobacco, Firearms, and Explosives are among
the Federal agencies participating in the RISS Program.

Sharing National Security Information: The ability to share relevant classified
information poses a number of challenges, particularly when the majority of industry
facilities are neither designed for nor accredited to receive, store, and dispose of these
materials. Ultimately, HSIN may be used to more efficiently share appropriate
classified national security information with cleared private sector owners and
operators during incidents, times of heightened threat, or on an as-needed basis. While
supporting technologies and policies are identified to satisfy this requirement, DHS will
continue to expand its initiative to sponsor security clearances for designated private
sector owners and operators, sharing classified information using currently available
methods.

Web-Based Services for Citizens: A variety of Web-based information services are
available to enhance the general awareness and preparedness of American citizens.
These include CitizenCorps.gov, FirstGov.gov, Ready.gov, and USAonwatch.org.

Efficiency and reliability are maintained through the implementation by the data steward
of various data quality control techniques. Verification and validation efforts by contracted
companies or Federal employees will play a key role in ensuring information currency.

[39] The DHS/IP Taxonomy is the foundation for multiple DHS programs that focus on CIKR, such as the IDW and the National Threat Incident Database, and
should provide the foundation for the lexicon used in the SSPs. This common framework will allow more efficient integration and transfer of information, as well
as a more effective analytical tool for making comparisons.

[Figure: Evolution of Metrics Components (Descriptive Measures to Characterize Status; Output Measures to Monitor Progress; Outcome Measures to Assess Effectiveness)]

DHS is enhancing its established measurement and analysis capabilities through the
collection of data from all CIKR security partners and development of a methodology to
gauge effectiveness of activities that sustains the CIKR protection mission.

The methodology, metrics, and analysis to date provide a foundation for measuring the
efficacy of risk management activities performed under the NIPP and the progress made in
reducing the risks to the Nation’s CIKR from terrorist attacks and other hazards. The
measurement process supports the continuous improvement loop of the NIPP Risk
Management Framework. DHS is further developing the methodology to estimate
effectiveness of risk-mitigation activities. This methodology can be applied at different
levels of aggregation. In the context of CIKR protection, effectiveness is represented as a
function of impact, performance, and quality (see figure 3D-2).

Effectiveness (E) can be expressed as a function of its components:
E = f(I, P, Q),
where
I = impact;
P = performance; and
Q = quality.

[Figure 3D-2: Model of Effectiveness]

Effectiveness (E) can be modeled at varying levels of detail depending on the unit of
analysis (e.g., effectiveness of an activity, action, project, or initiative) used. Impact (I)
refers to the robustness, value, or inherent worth (significance) of an activity, action,
project, or initiative associated with the metrics components if it were to fully achieve its
intended results: how important is an activity to the overall goals and objectives of CIKR
protection? Performance measures (P) are used to gauge program performance and are
based on targets that are quantifiable or have an otherwise measurable characteristic: how
well does a program meet its performance measures? Performance measures must be
meaningful in the context of the specific program and capture the most important aspects of
a program’s mission and priorities. Another essential element needed to achieve program
goals and objectives and develop a sustainable CIKR protection program is assessment:
how well is the work being performed? The quality indicator (Q) captures the completeness,
accuracy, timeliness, and reliability of a product or service being developed to meet
specified requirements.

State to Federal
- Associations: Organizations such as the National Governors Association, National
  Conference of State Legislatures, and Council of State Governments represent the
  interests of States in the Federal policymaking process. State-level professional
  associations, such as the Association of State Drinking Water Administrators and the
  Association of State Water Pollution Control Administrators, also provide sector-specific
  coordination mechanisms. Additionally, these groups support State leaders by keeping
  their members informed of key Federal decisions that impact State government.
- State Liaison Offices: Some States have formed specific liaison offices in Washington, DC,
  to maintain awareness of Federal developments and ensure that their individual State
  perspective is represented in the Federal policymaking process. These offices report back
  regularly to their State’s leadership and legislature regarding Federal issues of interest.

Federal to Federal
- Memoranda of Understanding or Agreement: Agreements between two or more Federal
  departments and agencies to cooperate on a specific topic or initiative.

Private Sector to Government (all levels)
- Public-Private Partnerships: Contractual agreement between a public agency (i.e.,
  Federal, State, or local) and a private sector entity. Through this agreement, the skills
  and assets of each sector (public and private) are shared in delivering a service or
  facility for the use of the general public.
- Advisory Councils, Boards, and Commissions: In addition to the SCCs and ISACs, a
  variety of private sector organizations exist that focus on homeland security and CIKR
  protection activities on a sector and geographical basis. These groups are made up of
  members of the public and subject matter experts, and provide advice and
  recommendations to governments at all levels.
- Associations: Myriad private sector associations exist that advocate on behalf of their
  members in the policymaking process at the Federal, State, and local levels. These
  groups are comprised of individuals or companies with common interests. Because of
  their ability to communicate with their members, private associations provide an
  effective means for government to provide information to the public and also learn the
  concerns of specific groups of CIKR partners.

describe how each jurisdiction intends to implement these roles and responsibilities. In
particular, jurisdictions should consider and describe in their plans the following:
- Which offices or organizations in the jurisdiction perform the roles or responsibilities
  outlined in the NIPP or supporting SSPs;
- Whether gaps exist between the jurisdiction’s current approach and those roles and
  responsibilities outlined in the NIPP or in an SSP, and how the gaps will be addressed;
- Whether any roles and responsibilities should be revised, modified, or consolidated to
  accommodate the unique operating attributes of the jurisdiction;
- How the jurisdiction will maintain operational awareness of the performance of the
  CIKR protection roles assigned to different offices, agencies, or localities; and
- How the jurisdiction will coordinate its CIKR protection roles and responsibilities with
  other jurisdictions and the Federal Government.

to which existing mechanisms can be leveraged. The options presented above are merely a
description of some available mechanisms that jurisdictions may consider as they develop
the organization of their programs and document their processes in a CIKR protection plan.

- Will data collection mechanisms be compatible and interoperable with the IDW
  framework to enable data sharing?
- How will the jurisdiction ensure that it is maintaining current information?
- Will data requests from the Federal Government for CIKR data be channeled to the
  owners and operators through the States?
- Are there local legal authorities and policy directives related to data collection? Are
  these authorities adequate? If not, how will the jurisdiction address these issues?

  - Share threat and other appropriate information with other CIKR owners and
    operators;
  - Participate in activities or initiatives developed and sponsored by relevant NIPP
    SCC or entity that provides the sector coordinating function;
  - Participate in, share information with (with appropriate protections), and support
    State and local CIKR protection programs, including coordinating and planning with
    Local Emergency Planning Committees;
  - Collaborate with other CIKR owners and operators on security issues of mutual
    concern; and
  - Use appropriate measures to safeguard information that could pose a threat and
    maintain open and effective communications regarding security measures and
    issues, as appropriate, with employees, suppliers, customers, government officials,
    and others.
- Planning and Awareness:
  - Develop and exercise appropriate emergency response, mitigation, and business
    continuity-of-operations plans;
  - Participate in Federal, State, local, or company exercises and other activities to
    enhance individual, organization, and sector preparedness;
  - Demonstrate continuous commitment to security and resilience across the entire
    company;
  - Develop an appropriate security protocol corresponding to each level of the HSAS.
    These plans and protocols are additive so that as the threat level increases for
    company facilities, the company can quickly implement its plans to enhance physical
    or cybersecurity measures in operation at those facilities and modify them as the
    threat level decreases;
  - Utilize National Fire Protection Association 1600 Standard on Disaster/Emergency
    Management and Business Continuity Programs, endorsed by DHS and Congress,
    when developing Emergency Response and Business Continuity-of-Operations Plans
    if the sector has not developed its own standard;
  - Document the key elements of security programs, actions, and periodic reviews as
    part of a commitment to sustain a consistent, reliable, and comprehensive program
    over time;
  - Enhance security awareness and capabilities through periodic training, drills, and
    guidance that involve all employees annually to some extent and, when appropriate,
    involve others such as emergency response agencies or neighboring facilities;
  - Perform periodic assessments or audits to measure the effectiveness of planned
    physical and cybersecurity measures. These audits and verifications should be
    reported directly to the CEO or his/her designee for review and action;
  - Promote emergency response training, such as the Community Emergency Response
    Team training offered by the U.S. Citizen Corps,[40] for employees;

[40] The U.S. Citizen Corps is a national organization that brings citizen groups together and focuses the efforts of individuals through education, training, and
volunteer service to help make communities safer, stronger, and better prepared to address the threats of terrorism, crime, public health issues, and disasters of
all kinds. It works through a national network of State, local, and tribal Citizen Corps Councils that include leaders from law enforcement, fire, emergency
medical, emergency management, volunteer organizations, local elected officials, the private sector, and other community stakeholders. More information is
available on the internet at www.CitizenCorps.gov.

  - Consider including programs for developing highly secure and trustworthy operating
    systems in near-term acquisition or R&D priorities;
  - Create a culture of preparedness, reaching every level of the organization’s
    workforce, which ingrains in each employee the importance of awareness and
    empowers those with responsibilities as first-line defenders within the organization
    and community;
  - As the organization performs R&D or acquires new or upgraded systems, consider
    only those that are highly secure and trustworthy;
  - Encourage employee participation in community preparedness efforts, such as
    Citizen Corps, schools, Red Cross, Second Harvest, etc.;
  - Work with others locally, including government, nongovernmental organizations,
    and private sector entities, both within and outside its sector, to identify and resolve
    gaps that could occur in the context of a terrorist incident, natural disaster, or other
    emergency;
  - Work with DHS to improve cooperation regarding personnel screening and
    information protection; and
  - Identify supply chain and “neighbor” issues that could cause workforce or production
    disruptions for the company.

These technical Divisions are linked to three research and development investment
portfolio directors in a “matrix management” structure. These three portfolio directors –
Director of Research, Director of Transition, and Director of Innovation/Homeland Security
Advanced Research Projects Agency (HSARPA) – provide cross-cutting coordination of their
respective elements (or thrusts) of the investment strategy within the technical Divisions.
Each technical Division is comprised of at least one Section Director of Research who
reports to the Director of Research in addition to the Division Director so that a
crosscutting focus on basic and applied research capability is maintained and leveraged,
and a Section Director of Transition who reports to the Director of Transition in addition to
the Division Director to help the division stay focused on technology transition.

The Director of Transition coordinates within the Department to expedite technology
transition and transfer to customers. The Director of Innovation/HSARPA sponsors basic
and applied homeland security research to promote revolutionary changes in technologies;
advance the development, testing and evaluation, and deployment of critical homeland
security technologies; and accelerate the prototyping and deployment of technologies that
would address homeland security vulnerabilities and works with each of the Division Heads
to pursue game-changing, leap-ahead technologies that will significantly lower costs and
markedly improve operational capability through technology application.

This cross-cutting coordination facilitates unity of effort. The matrix structure also allows
the S&T Directorate to provide more comprehensive and integrated technology solutions to
its customers by appropriately bringing all of the disciplines together in developing
solutions.

6.1.1 Investments and Planning
Along with the organizational alignment discussed above, the S&T Directorate has also
aligned its investment portfolio to create an array of programs that balance project risk,
cost, mission impact, and the time it takes to deliver solutions. The S&T Directorate
executes projects across the spectrum of technical maturity and transitions them in
accordance with our customers’ needs. Its investment portfolio is balanced across long-term
research, product applications, and leap-ahead “game-changing” capabilities while also
meeting mandated requirements. This balanced portfolio ensures that the Directorate
maintains a self-replenishing pipeline of future capabilities and products to transition to
customers.

The DHS Transition Program is a formalized, structured process that aligns investments to
Agency requirements and is managed by Capstone Integrated Product Teams (IPTs).
These teams constitute the Transition portfolio of DHS S&T, targeting deployable
capabilities in the near term. S&T established these teams to coordinate the planning and
execution of R&D programs together with the eventual hand-off to maintainers and users of
project results. They are critical nodes in the process to determine operational
requirements, assess current capabilities to meet operational needs, analyze gaps in
capabilities, and articulate programs and projects to fill in the gaps and expand
competencies.

IPTs generally include the research and technology perspective, the customer and end user
perspective, and an acquisition perspective, and are specifically chartered to ensure that
technologies are engineered and integrated into systems scheduled for delivery and made
available to DHS customers. The customer and end users monitor and guide the capability
being developed; the research and technology representatives inform the discussions with
scientific and engineering advances and emerging technologies; and the acquisition staff
help transition the results into practice by the maintainers and end-users of the capability.

The IPT topic areas reflect the capability requirements of homeland security stakeholders.
The current IPTs operated by DHS S&T are listed below. Each sponsors projects that are
relevant to the infrastructure protection mission. The three bolded IPTs are co-chaired by
the DHS Office of Infrastructure Protection.

- Information Sharing/Management
- Border Security
- Chem/Bio Defense
- Maritime Security
- Cyber Security
- Transportation Security
- Counter IED
- Cargo Security
- People Screening
- Infrastructure Protection
- Preparedness & Response: Incident Management
- Preparedness & Response: Interoperability

Each IPT identifies, validates and prioritizes requirements for the S&T Directorate and
provides critical input to investments in programs and projects that will ultimately deliver
technology solutions that can be developed, matured and delivered to customer acquisition
programs for deployment to the field. Investments are competitively selected and focus on
DHS’s highest-priority requirements that provide capability to DHS operating components
and first responders. A successful transition portfolio requires sustained customer feedback
from DHS components to ensure that programs address genuine capability gaps. To gain
this insight, S&T established 46 Project IPTs and semi-annually reaches out to DHS
components to gauge their overall satisfaction with delivered products and capabilities. The
results are explicitly tied to outcome-based performance metrics of cost, schedule and
technology readiness.

6.2 Requirements
The Directorate’s top priorities recommended by the S&T capstone IPTs in each of the
homeland security functional areas (i.e., Border Security, Cargo Security, CBRNE,
Infrastructure Protection, etc.) are consistent with the DHS Strategic roadmap in this
document’s NIPP Implementation Initiative and Actions section (Appendix 2 B) to ensure
an effective and efficient program over the long term.

This requirements map supports several initiatives and actions necessary for NIPP
implementation, particularly regarding the initiatives to:
- Review and revise CIKR-related plans as needed to reinforce linkage between NIPP
  steady-state CIKR protection and NRP incident management requirements
- Identify cross-sector vulnerabilities
- Communicate requirements for CIKR-related R&D to DHS for use in the national R&D
  planning effort

The Office of Infrastructure Protection has developed an R&D Requirements Map showing
connections between 2007 Sector Annual Report R&D requirements and ongoing S&T
projects in each functional area, which may fully or partially address Sectors’ needs. The
Map shows the Sector priorities in terms of the requirements needed, and how each
requirement is being met in S&T by citing the specific projects to meet the requirement.
Further, the map crosswalks the projects initiated by each Capstone IPT and the capability
gap it addresses. The Map will be regularly updated and undergo a detailed review as the
analysis continues.

6.2.1 High Priority Technology Needs
Each year S&T publishes the high priority technology needs in its functional areas. The
following is a representative sample of needs for the nation’s CIKR.

6.3 Progress
Critical infrastructure is a widely distributed enterprise across multiple industries,
government agencies, and academia, so its R&D program cannot be managed through
command and control. Instead, DHS and OSTP are fostering an evolving network of
partnerships and coordination groups. These groups have different focuses including
sector-specific needs, technology themes of interest to multiple sectors, and committees that
coordinate federal agency resources. The National Annual Report, including the National
CIP R&D Plan Update, provides the overarching strategy, goals, and plans that allow this
distributed R&D enterprise to act in coordinated ways.

6.3.1 Partnerships and Collaboration

The NIPP Partnership Framework
The Critical Infrastructure Protection Advisory Councils (CIPAC), established by DHS,
have been very effective in helping federal infrastructure protection groups work with the
private sector and with state, local, territorial, and tribal governments. The CIPAC
provides a forum in which the sectors have engaged very actively in a broad spectrum of
activities to implement their sector protection plans, including planning, prioritizing, and
coordinating R&D agendas.
Sector and Cross Sector Coordination
The Sector R&D Working Groups, typically Joint SCC and GCC, have developed well-founded technical R&D agendas essential for their sector to achieve sector security goals for 2008. These R&D agendas coordinate challenges across the spectrum of sector stakeholders and are used to represent sector R&D interests in cross-sector settings. The executive managers of each sector coordinate activities through the Federal Senior Leadership Council (FSLC). The SCCs have formed a cross-sector group, the Partnership for Critical Infrastructure Security (PCIS), to coordinate cross-sector initiatives that promote public and private infrastructure protection initiatives. One of the objectives of the PCIS is to provide cross-sector input regarding R&D priorities.
In 2007, the DHS Office of Infrastructure Protection (IP) established a group to perform cross-sector R&D analyses and to help sectors coordinate with the CIKR protection R&D community. The R&D Analysis Branch of the Infrastructure Analysis and Strategy Division elicits sector capability gaps in order to establish R&D priorities. This branch is coordinating with each Division of the DHS S&T to relate existing and planned projects to these capability gaps, and to help sectors get involved in DHS-led S&T projects. In 2008, they established an R&D web portal providing a means for sectors to share R&D information and disseminate best practices.
Federal Agency Coordination
Within a sector, the GCC is the primary mechanism for coordination across government agencies. Government coordination across multiple sectors is accomplished by the NSTC. The NSTC Infrastructure Subcommittee (ISC) of the Committee on Homeland and National Security was established in 2003 by HSPD-7 as the R&D interagency community to examine all forms of protecting the nation’s infrastructure including security. Its primary focus involves R&D that is needed by more than one sector such that economies of scope and scale can be realized.
For 2008, the NSTC-ISC recognized the need to address aging infrastructure and new methods of repair or replacement to make future infrastructure more sustainable – economically, environmentally, and safely – and has formed an internal working group to develop the research agenda needed to realize these objectives. Members of the NSTC-ISC include representatives from almost every federal agency, not just those that are Sector Specific Agencies (SSAs).
Coordination Regarding Cybersecurity
Because of the ubiquity and importance of information technology across all sectors and agencies, the NSTC created a separate group, the Network and Information Technology R&D Subcommittee (NITRD), which coordinates all R&D related to IT across agencies. In 2006, the Cyber Security and Information Assurance Interagency Working Group (CSIA IWG) was established to coordinate cybersecurity as an important subset of IT R&D.
Universities
Universities and research centers across multiple federal agencies contribute to agency mission accomplishment and CIKR protection in the full spectrum of time from before a disrupting event to after a disrupting event. The DHS Centers of Excellence contribute to the national-level implementation of the NIPP and to CIKR protection; their contributions take different forms, including the following:
Provide independent analysis of CIKR protection (full spectrum) issues;
Conduct research and provide innovative perspective on threats and the behavioral aspects of terrorism;
Conduct research to identify new technologies and analytical methods that can be applied by CIKR partners to support NIPP efforts;
Support research, development, testing, evaluation, and deployment of CIKR protection technologies;
Analyze, provide, and share best practices related to CIKR protection efforts; and
Develop and provide suitable security risk analysis and risk management courses for CIKR protection professionals.
International
DHS, DoD, DOE, and other federal agencies have undertaken many different outreach efforts to foreign government representatives and organizations that are pursuing similar R&D planning and performance. From the United Kingdom to Scandinavian countries, France, Germany, Japan, Italy, Israel, the Netherlands, Russia, and others, agreements of cooperation and joint pursuit and knowledge sharing have been created. Other organizations such as the Technical Support Working Group (TSWG) also have developed successful R&D collaborations with a number of countries.
State & Local
State, local, territorial, and tribal governments play an important role in the protection of the nation’s CIKR. These government entities not only have CIKR under their direct control but also have CIKR owned and operated by other partners who are within their jurisdictions. The State, Local, Territorial, and Tribal Government Coordination Council (SLTGCC) brings national CIKR protection principles to the local level and is an important source of capability requirements that drive R&D priorities.
Industry Organizations
In addition to R&D input provided by government organizations, there are major industrial groups that provide input and comment to influence future R&D by illuminating issues they have surfaced or issues that are likely, based on new product development they are doing but cannot discuss openly for competitive reasons. For example, the INFOSEC Research Council has provided valuable input on cybersecurity, including publishing a Hard Problems list [41] that is an important planning tool used by all R&D contributors. The National Security Telecommunications Advisory Committee (NSTAC) identified critical gaps that require new cyber and telecommunications R&D.
[41] http://www.cyber.st.dhs.gov/docs/IRC_Hard_Problem_List.pdf
priorities as well as S&T’s priorities. The five-year plan is the roadmap to achieving success; however, the planning process must be flexible and nimble to adjust to a changing homeland security environment. The plan will be updated annually to ensure it continues to address the correct set of priorities, fills our customer’s homeland security capability gaps, and enables a safer homeland.