Review the National Infrastructure Protection Plan (NIPP) 2013: Partnering for Critical Infrastructure Security and Resilience plan and identify how the government and private sectors work together to manage risks while achieving security outcomes.
Order Code RL33648
Critical Infrastructure: The National Asset Database
Updated July 16, 2007
John Moteff, Specialist in Science and Technology Policy, Resources, Science, and Industry Division

Summary

The Office of Infrastructure Protection (OIP) in the Department of Homeland Security (DHS) has been developing and maintaining a National Asset Database. The Database contains information on over 77,000 individual assets, ranging from dams, hazardous materials sites, and nuclear power plants to local festivals, petting zoos, and sporting goods stores. The presence of a large number of entries of the latter type (i.e. assets generally perceived as having more local importance than national importance) has attracted much criticism from the press and from Members of Congress. Many critics of the Database have assumed that it is (or should be) DHS's list of the nation's most critical assets and are concerned that, in its current form, it is being used inappropriately as the basis upon which federal resources, including infrastructure protection grants, are allocated. According to DHS, both of those assumptions are wrong. DHS characterizes the National Asset Database not as a list of critical assets, but rather as a national asset inventory providing the 'universe' from which various lists of critical assets are produced. As such, the Department maintains that it represents just the first step in DHS's risk management process outlined in the National Infrastructure Protection Plan. DHS has developed, apparently from the National Asset Database, a list of about 600 assets that it has determined are critical to the nation. Also, while the National Asset Database has been used to support federal grant-making decisions, according to a DHS official, it does not drive those decisions. In July 2006 the DHS Office of the Inspector General released a report on the National Asset Database.
Its primary conclusion was that the Database contained too many unusual and out-of-place assets, and it recommended that those judged to be of little national significance be removed from the Database. In his written response to the DHS IG report, the Undersecretary of DHS did not concur with this recommendation, asserting that keeping these less than nationally significant assets in the Database gave it a situational awareness that will assist in preparing for and responding to a variety of incidents. Accepting the DHS descriptions of the National Asset Database, questions and issues remain. For example, the National Asset Database seems to have evolved away from its origins as a list of critical infrastructures, perhaps causing the differences in perspective on what the Database is or should be. As an inventory of the nation's assets, the National Asset Database is incomplete, limiting its value in preparing for and responding to a wide variety of incidents. Assuring the quality of the information in the Database is important and a never-ending task. If DHS not only keeps the less than nationally significant assets in the Database but adds more of them to make the inventory complete, assuring the quality of the data on these assets may dominate the cost of maintaining the Database, while providing uncertain value. Finally, the information currently contained in the Database carries with it no legal obligations on the owner/operators of the asset. If, however, the Database becomes the basis for regulatory action in the future, what appears in the Database takes on more immediate consequences for both DHS and the owner/operators.

Contents
Introduction
A Short Review of the DHS IG Report
The National Asset Database: What It Is and What It Is Not
What Are Its Intended Uses?
  First Step in Identifying Critical Assets and Prioritizing Risk Reduction Activities
  Situational Awareness
  Basis for Allocating Critical Infrastructure Protection Grants
Issues
  Quality
  What to Keep
  A Potential Change in Status for the Database
Congressional Action
List of Figures
  Figure 1. National Asset Database Entries by Sector

Introduction

The Office of Infrastructure Protection (OIP) in the Department of Homeland Security (DHS) has been developing and maintaining a National Asset Database. The Database contains information on a wide range of individual assets, from dams, hazardous materials sites, and nuclear power plants to local festivals, petting zoos, and sporting goods stores. The presence of a large number of entries of the latter type (i.e. assets generally perceived as having more local importance than national importance) has attracted much criticism from the press and from Members of Congress. Many critics of the Database have assumed that it is (or should be) DHS's list of the nation's most critical assets and are concerned that, in its current form, it is being used inappropriately as the basis upon which federal resources, including infrastructure protection grants, are allocated. According to DHS, both of those assumptions are wrong.

[1] Department of Homeland Security. Office of the Inspector General. Progress in Developing the National Asset Database. OIG-06-04. June 2006.
[2] Operation Liberty Shield was a comprehensive national plan to protect the homeland during U.S. operations in Iraq. For a discussion of some of the other initiatives taken as part of Operation Liberty Shield, see CRS Report RS21475, Operation Liberty Shield: Border, Transportation, and Domestic Security, by Jennifer E. Lake.
The purpose of this report is to discuss the National Asset Database: what is in it, how it is populated, what the Database apparently is, what it is not, and how it is intended to be used. The report also discusses some of the issues on which Congress could focus its oversight. This report relies primarily on a DHS Office of the Inspector General (DHS IG) report,[1] released on July 11, 2006, but makes reference to other government documents as well.

A Short Review of the DHS IG Report

The genesis of the National Asset Database remains somewhat unclear. A list of critical sites was begun in the spring of 2003 as part of Operation Liberty Shield.[2] The list contained 160 assets, including chemical and hazardous materials sites, nuclear plants, energy facilities, business and finance centers, and more. The assets were selected by the newly formed Protective Services Division within the Office of Infrastructure Protection, in what was then called the Information Analysis and Infrastructure Protection Directorate, Department of Homeland Security. The Secretary of DHS asked states to provide additional security for these sites.[3] During the course of the year (2003), DHS continued to collect information on various assets from a variety of sources. By early 2004, DHS had accumulated information on 28,368 assets. Although Operation Liberty Shield was now considered over, the initial list of 160 critical assets, those judged to be in need of additional protection because of their vulnerability and the potential consequences if attacked, grew to 1,849 assets and became known as the Protected Measures Target List.[4] It is not clear when the information being gathered became known as the National Asset Database.[5] By January 2006, according to the DHS IG report, the Database had grown to include 77,069 assets, ranging from nuclear power plants and dams to a casket company and an elevator company.

[3] DHS offered assistance to help protect these sites through its Buffer Zone Protection Plan program. At times the State Homeland Security grants could be used to help pay for overtime of law enforcement officials and National Guardsmen protecting critical sites.
[4] According to testimony by the then Undersecretary for Information Analysis and Infrastructure Protection, a list of 1,700 assets (according to the DHS IG report the actual number was 1,849) was culled from the larger list. However, the DHS IG report implied that the Protected Measures Target List grew independently, to which was added additional information from the states and other sources, leading to a combined list of 28,368 assets, which then grew into the National Asset Database.
[5] In June 2004, the House Appropriations Committee made reference to a Unified National Database of Critical Infrastructure, described as a master database of all existing critical infrastructures in the country. See U.S. Congress. House of Representatives. Department of Homeland Security Appropriations Bill, 2005. H.Rept. 108-541. p. 92. The comparable Senate Appropriations Committee report (S.Rept. 108-280) made reference to a National Asset Database. The budget request for FY2005 mentioned the development of a primary database of the nation's critical infrastructure, but gave it no name.
[6] The statutory definition of critical infrastructure is given in the USA PATRIOT Act (P.L. 107-56). It is: "...systems and assets...so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health and safety, or any combination of those matters." There are currently 12 sectors of the economy and 5 groups of key resources (dams, commercial assets, government facilities, national monuments, nuclear facilities) that DHS considers as possessing systems or assets that, if lost, may have a critical impact on the United States.
It also contains locations and events ranging from Times Square in New York City to the Mule Day Parade in Columbia, Tennessee (which, according to the city's website, draws over 200,000 spectators each year for the week-long event). The IG report categorized entries in the National Asset Database by critical infrastructure/key resource sector (see Figure 1).[6] Additionally, the DHS IG report identified some of the entries with more specificity. For example, the Database contained, at the time, 4,055 malls, shopping centers, and retail outlets; 224 racetracks; 539 theme parks and 163 water parks; 1,305 casinos; 234 retail stores; 514 religious meeting places; 127 gas stations; 130 libraries; 4,164 educational facilities; 217 railroad bridges; and 335 petroleum pipelines.

Figure 1. National Asset Database Entries by Sector

Sector                             Entries
Commercial Assets                   17,327
Government Facilities               12,019
Public Health                        8,402
Energy                               7,889
Agriculture and Food                 7,542
Transportation                       6,141
Water                                3,842
Telecommunications                   3,020
Chemical/Hazardous Materials         2,963
Emergency Services                   2,420
Dams                                 2,029
Information Technology                 757
Banking and Finance                    669
Postal and Shipping                    417
Not Specified                          290
National Monuments and Icons           224
Nuclear Power Plants                   178
Defense Industrial Base                140

Source: Office of the Inspector General, Department of Homeland Security. Taken from Progress in Developing the National Asset Database.

The DHS gets information for the Database from a variety of sources. According to the National Infrastructure Protection Plan (NIPP),[7] sources include existing government and commercially available databases;[8] sector-specific agencies and other federal entities; voluntary submittals by owners and operators; periodic requests for information from states and localities and the private sector; and DHS-initiated studies. The number of assets in the Database is expected to grow as additional information is gathered.

The DHS IG report focused much of its attention on information provided by states and localities as the result of two data requests made by DHS. According to the DHS IG report, the vast majority of the 77,069 entries was collected as a result of those requests.

According to the IG report, the first data call to the states, made by the Office of Domestic Preparedness in 2003, yielded poor quality data.[9] The IG report described the guidance given states and localities as "minimal."[10] The guidance apparently did tell states, however, to "consider any system or asset that, if attacked, would result in catastrophic loss of life and/or catastrophic economic loss."[11] As a result, assets such as the petting zoos, local festivals and other places where people within a community congregate, or local assets ostensibly belonging to one of the critical infrastructure sectors, were among the assets reported. According to the IG report, many state officials were surprised to learn that additional assets from their states were added to the Database, which raises additional questions about how the information was collected.

According to the IG report, the second request to the states for critical infrastructure information came from the Office of Infrastructure Protection in July 2004 and was "significantly more organized and achieved better results."[12] Guidance was more specific, as was the information requested. DHS requested information for 17 data fields. Of those, DHS considered the following to be most important: address, owner, owner type, phone, local law enforcement point of contact, and latitude and longitude coordinates.[13] States were also asked to identify those assets that they felt met a level of national significance. Criteria for identifying assets of national significance were provided by DHS.

[7] Department of Homeland Security. National Infrastructure Protection Plan. Released June 30, 2006. See [http://www.dhs.gov/xprevprot/programs/editorial_0827.shtm].
[8] According to the DHS IG report, examples of existing government databases that have contributed to the National Asset Database include the Chemical Sites List (an Environmental Protection Agency database) and the General Services Administration list of GSA Buildings.
[9] Department of Homeland Security. Office of the Inspector General. Op. cit. p. 11. The Office of Domestic Preparedness is now called Grants and Training and is located within the Federal Emergency Management Agency, newly reconstituted by the Post-Katrina Emergency Management Reform Act of 2006 (part of the FY2007 DHS appropriation bill). Referred to as ODP throughout this report, it manages the majority of grants to states and localities for homeland security and critical infrastructure protection.
[10] Ibid. p. 8.
[11] Ibid. p. 8. This is similar to language used in ODP's Urban Areas Security Initiative grants.
[12] Ibid. p. 12.
[13] The collection of personal information in the Database requires DHS to publish a Privacy Impact Assessment. That Assessment can be found at [http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_nadb.pdf]. A discussion of the Assessment is beyond the scope of this report. Site last visited on July 16, 2007.
[14] Department of Homeland Security. Office of the Inspector General. Op. cit. p. 6.
[15] According to the DHS IG report, the Database contains 11,018 entries identified as nationally significant, 32,631 identified as not considered nationally significant, and 33,419 whose significance is undetermined.
The criteria described certain thresholds, such as refineries with refining capacity in excess of 225,000 barrels per day, or commercial centers with potential economic loss impact of $10 billion or capacity of more than 35,000 people. Although the request was more specific, states were given much leeway as to what to include, and OIP accepted into the Database every submitted asset.[14] As a result, additional assets of questionable national significance were added to the Database.[15]

The DHS IG report drew two primary conclusions. The first is that the Database contains many "unusual, or out-of-place, assets whose criticality is not readily apparent,"[16] while, at the same time, it "may have too few assets in essential areas and may present an incomplete picture."[17] The second conclusion was that the types of assets that were included and the information provided are inconsistent from state to state, locality to locality. For example, California entries included the entire Bay Area Rapid Transit (BART) system as a single entry, while entries listed for New York City included 739 separate subway stations.[18]

The IG report made four recommendations:
- review the National Asset Database for out-of-place assets and assets marked as not nationally significant, and determine whether those assets should remain in the Database;
- provide state homeland security advisers the opportunity to review their assets in the Database to identify previously submitted assets that may not be relevant;
- during future data calls, provide States a list of their respective Database assets to reduce ... duplicate submissions; and
- establish a milestone for the completion of a comprehensive risk assessment of critical infrastructure and key resources and ensure they are accurately captured in the National Infrastructure Protection Plan.

The National Asset Database: What It Is and What It Is Not

The National Strategy for Homeland Security recognized that not all assets within each critical infrastructure sector are equally important, and that the federal government would focus its effort on the highest priorities.[19] The National Strategy for the Physical Protection of Critical Infrastructure and Key Assets stated that DHS will develop a methodology for identifying assets with national-level criticality and, using this methodology, will build a comprehensive database to catalog these critical assets.[20] Judging from the criticism leveled at it, many believe the National Asset Database is (or should be) DHS's list of assets critical to the nation.

[16] Department of Homeland Security. Office of Inspector General. Op. cit. p. 9.
[17] Ibid. p. 18.
[18] Other examples of what the DHS IG considered to be inconsistent were: some states listed schools for their sheltering function, some did not; Indiana listed over 8,000 assets, more than states larger in area and population like New York, Texas, and California; and fewer banking and finance centers are listed for New York than for North Dakota.
[19] Office of Homeland Security. National Strategy for Homeland Security. July 2002. p. 30.
[20] White House. The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. February 2003. p. 23.
[21] Department of Homeland Security. Office of Inspector General. Op. cit. p. 29.
[22] Department of Homeland Security. National Infrastructure Protection Plan. Op. cit. p. 159.
[23] See USA Today, "Database is Just the 1st Step," by Robert Stephan. July 21, 2006. p. 8A.
[24] See Congressional Quarterly's internet publication, CQ Homeland Security, July 29, 2004, at [http://homeland.cq.com/hs/display.do?docid=1278697&sourcetype=31], last viewed July 16, 2007.
However, in his written response to the IG report, the Undersecretary for Preparedness, George Foresman, to whom the Office of Infrastructure Protection reports, stated that the National Asset Database is "not a list of critical assets...[but rather] a national asset inventory...[providing] the 'universe' from which various lists of critical assets are produced."[21] According to the National Infrastructure Protection Plan, the National Asset Database is a comprehensive catalog with descriptive information regarding the assets and systems that comprise the nation's critical infrastructure and key resources.[22] The Assistant Secretary for Infrastructure Protection, Robert Stephan, has called the Database a 'phonebook' of 77,000 facilities, assets and systems from across the nation, needed to facilitate more detailed risk analyses.[23]

Some may ask why there should be this difference in perception regarding the National Asset Database. One possible explanation is that, as noted above, the National Asset Database started out as the Protected Measures Target List, which was a prioritized list of assets considered critical at the national level. Also, as reported in at least one media source, when asked for its list of critical assets, Members of Congress were shown the expanded list containing the questionable assets.[24] Based on subsequent response, Congressional interest appears focused on a prioritized list.

Also, what is meant by the term "critical infrastructure" continues to generate some confusion. The definition provided in the USA PATRIOT Act and in other policy documents refers to specific assets or systems within a selected set of sectors or categories. However, the term also is used often to identify the sectors and categories themselves.
For example, the transportation sector is often called a critical infrastructure, when, according to the statutory definition, only those assets within the transportation sector whose loss would be debilitating to the nation should be called critical infrastructure. Given the varied usage of the term critical infrastructure, the National Infrastructure Protection Plan description of the National Asset Database above is unclear. Is it a list of assets that are critical, or is it a list of assets that make up each of the critical sectors, with criticality to be determined later?

What Are Its Intended Uses?

There appear to be two primary uses for the Database: as a first step in a prioritization process that eventually will help focus risk reduction activities; and to provide a degree of situational awareness.

[25] USA Today. Op. cit.
[26] For a discussion on common basic elements of a risk management process, in the context of critical infrastructure protection, see CRS Report RL32561, Risk Management and Critical Infrastructure Protection: Assessing, Integrating, and Managing Threat, Vulnerability, and Consequences, by John Moteff.
[27] As mentioned above, in the second data request to the states, DHS provided some characteristic thresholds by which DHS may assess whether or not an asset is critical at the national level. Also, according to the NIPP, as the various sectors work with their Sector Specific Agencies to develop sector-level protection plans, another source of information for the Database, owners/operators will have a standard form containing a few questions that can assist in determining criticality.
[28] Department of Homeland Security. Office of Inspector General. Op. cit. p. 10.
According to Assistant Secretary Stephan, the Database "does not drive the Department's funding decisions."[25]

First Step in Identifying Critical Assets and Prioritizing Risk Reduction Activities

Taking an inventory of one's assets is a standard first step for most risk management processes used to prioritize the protection of those assets.[26] The second step is to screen this initial list for those assets considered critical to the organization (or country) using specific criteria. Further analysis is focused on these critical assets.

The National Infrastructure Protection Plan establishes DHS's risk management process. According to the NIPP, identifying the assets that comprise the nation's 17 critical infrastructure sectors and key resources within the National Asset Database represents the first step in its process. As envisioned by the NIPP, DHS will then select those assets from the Database it considers critical to the nation as a whole.[27] If the asset is judged not to be critical from a national perspective, DHS does not require any further information. If the asset does have the potential to be critical, DHS will ask for more information, which includes information that will support further risk and risk mitigation analysis (e.g. vulnerability to specific forms of attack or natural disasters and more detailed analysis of the consequences associated with the loss of the asset, including interdependencies with other assets). Vulnerability, consequences, and threat information then will be integrated to yield a risk score. According to the NIPP, those assets that pose the greatest risk are further analyzed to identify potential risk reduction initiatives, which are then prioritized (i.e. the risk reduction initiatives) based on their cost-effectiveness. Presumably, as additional analysis and information is generated for a particular asset, it will be added, or linked, to the Database.
According to the IG report, DHS officials acknowledge that many of the assets currently in the Database "will never be analyzed in depth or used to support any program activity."[28]

According to the Assistant Secretary, DHS had identified about 600 assets that it considers to be critical to the nation, based on its analysis of vulnerability to attack or natural events and the possible consequences.[29] This list is apparently prioritized further.[30] The Assistant Secretary asserted that this shorter list does not contain petting zoos, popcorn factories or other such facilities.[31]

While it may be common practice to take an initial inventory of one's assets as a first step in a risk management process, detailed information on individual assets is not necessarily needed to determine their criticality.

[29] In more recent testimony, before the Senate Committee on Homeland Security and Governmental Affairs, Ad Hoc Subcommittee on State, Local, and Private Sector Preparedness and Integration, July 12, 2007, the number of such assets has grown to about 2,500. It is not clear how this list of about 600 assets compares with the earlier Protective Measures Target List. Presumably, the list is a subset of the 77,069 assets in the Database and not a parallel list, but that is not clear either.
[30] See ABC News Internet Ventures, Government Confirms Much Shorter List of Critical U.S. Locations, at [http://www.abcnews.go.com/GMA/print?id=2218846]. Site last viewed July 16, 2007.
[31] USA Today. Op. cit.
[32] Gas stations of any size or location are not listed in the criteria of what DHS considers to be a nationally significant asset within the oil and gas sector or any other sector or key resource category.
[33] Neither DHS nor the IG report uses the term "situational awareness" to describe the activities discussed in this section. This is a term CRS believes captures the breadth of the statements made regarding this particular use of the Database.
The presence of gas stations listed in the National Asset Database is a case in point. Gas stations could be considered a part of the oil and gas infrastructure, a subsector of the energy sector. In assessing the oil and gas infrastructure, one may want to identify, in general, all the assets that make up that infrastructure from production fields, to refineries, to distribution, and all the transport elements in between. Gas stations would be on that list, at the very end of the distribution chain. In determining which assets are the most critical, one does not need specific information on individual gas stations to determine that the loss of any individual gas station would have a minimal effect on the distribution of gasoline throughout the country, or on the economy, or national public health, beyond the immediate vicinity of the gas station itself. Yet the National Asset Database contains 127 gas stations. Unless these 127 specific gas stations have some unique characteristics (perhaps being located next to an identified critical asset which could be damaged if there were a loss of the gas station), maintaining specific information on those gas stations seems unnecessary to determine their criticality.[32]

Situational Awareness

DHS justifies keeping assets that have not been judged as being critical at the national level in the Database as a way to provide a degree of situational awareness.[33]

[34] Department of Homeland Security. Office of Inspector General. Op. cit. p. 29.
[35] Department of Homeland Security. National Infrastructure Protection Plan. Op. cit. p. 32.
[36] It is not clear how, or if, the Database was used to inform preparedness and response decisions made during the hurricanes of 2005.
[37] The Washington Post. "U.S. Struggles to Rank Potential Terror Targets. Securing All Sites Not Financially Feasible, but Choices Are Fraught With Uncertainty," by Spencer Hsu. July 16, 2006. p. A9.
Undersecretary Foresman noted in his response to the IG report that, "Many assets not 'critical' are, in fact, critical depending upon the circumstances...."[34] For example, as noted in the NIPP, "...the information may be used to quickly identify those assets...that may be the subject of emergent terrorist statements or interest or that may be located in the areas of greatest impact from natural disasters."[35] According to the NIPP, having this information (apparently regardless of the criticality level of the asset) will help inform decisions made regarding preparedness, response, and recovery to a wide range of incidents and emergencies.[36] In defense of the contents of the National Asset Database, Assistant Secretary Stephan is quoted as saying: "What happens the very first day that al-Qaeda attacks a convenience store chain times a dozen across the country?...we better have some of those things in the database so that we know what that universe of things is that we have to worry about."[37]

According to the FY2007 Congressional Budget Justification for the Infrastructure Protection and Information Security (IP/IS) Program,[38] the Database will deliver something called the Risk/Readiness Dashboard to DHS management.

[38] The IP/IS program supports much of the Department's critical infrastructure protection activities, including its coordinating responsibilities, the National Infrastructure Protection Plan, the Protected Critical Infrastructure Information Program, etc. It is one of the Preparedness Directorate's Budget Activities.
[39] For example, the FY2007 budget justification discussed a program called Constellation, an automated critical asset management system, which would allow law enforcement to inventory, categorize, prioritize, and database critical assets. It also includes a risk assessment system, compatible with the National Asset Database, and allows for automated BZPP development. Constellation was begun in Los Angeles as a pilot program. (continued below)
The budget justification identified the Risk/Readiness Dashboard as a planning and management tool that will eventually fuse threat streams with critical infrastructure vulnerability information and consequences, and will visually present a risk profile for critical infrastructure assets. According to the budget justification, such a capability will provide real-time knowledge that can be used to support rapid decision-making during periods of heightened threats.

Also, while a particular asset may not be critical at the national level, it may still be critical at the state or local level. Since DHS plans to allow many stakeholders eventually (with appropriate clearances) to have selected access to the Database, and the information in it or linked to it, the Database represents a common picture (i.e. a standard format and taxonomy) for all to use.[39] Also, according to the Undersecretary, DHS does not support purging the Database of these non-nationally critical assets, because it is important to the Department to be informed about what is important to the states and localities.[40]

The statements above raise a number of issues. First, that assets may be critical under some circumstances and not others, or become critical because they have been identified by intelligence as possible targets, seems to conflict with the statutory definition of critical infrastructures.

[39] (continued) The program is supposed to expand to other cities during FY2007, with its information integrated with the National Asset Database.
[40] Department of Homeland Security. Office of Inspector General. Op. cit. p. 31.
[41] National Petroleum News. "Market Facts: Mid-July 2006. 2006 NPN Station Count." p. 98.
[42] White House. The National Strategy for the Physical Protection of Critical Infrastructures and Key Assets. Op. cit. p. 9.
[43] Department of Homeland Security. Office of the Inspector General. Op. cit. p. 12.
Under the conditions stated above, just about any asset could be considered critical, and setting and implementing priorities would become even more complicated than it is now. Many would expect DHS to respond to such intelligence as part of its counter-terrorism efforts, which might include quickly deploying critical infrastructure resources such as sending out vulnerability assessment teams and establishing buffer zone protection plans. However, such efforts seem to lie beyond the fundamental goal of the critical infrastructure protection program, which is to identify those assets most critical to the nation as a whole.

Also, if the National Asset Database is meant to be a comprehensive list of the nation’s infrastructure assets, regardless of criticality, it is incomplete. As noted in the previous section, only 127 gas stations are in the Database. There are over 167,000 gas stations in the United States. 41 Similarly, the Database contains only 140 defense industrial base assets, 417 postal and shipping sites, 669 banking and financial assets, and 7,542 agriculture and food assets. According to the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, DHS estimated that there are 250,000 defense industrial firms, 137 million postal and shipping delivery sites, 26,600 FDIC insured institutions, and almost 2 million farms and 87,000 food processing plants. 42 To identify only a few of these assets, perhaps in some states but not in others, limits the utility of the current National Asset Database for supporting situational awareness to those relatively few instances where the Database happens to hold the appropriate information.

The position that the National Asset Database holds data on those assets that states and localities have identified as important to them is contradicted by the DHS IG report.
According to the report, state officials were repeatedly surprised to learn about the assets that were added as part of the ODP data call and which remain in the Database. 43 The Database includes many assets not selected by the states.

Basis for Allocating Critical Infrastructure Protection Grants

The role that the National Asset Database plays in allocating federal resources to states and localities for infrastructure protection is of obvious interest to Congress. In FY2006, allocations of Urban Area Security Initiative grants saw some significant changes based on new risk calculations by the DHS. A number of cities saw their grant levels drop. Some Members believe that allocations were based on what they consider to be a flawed National Asset Database. Over the last two grant cycles, according to the DHS IG report, ODP has made increased use of information in the National Asset Database to support its allocation of various critical infrastructure protection grants to states and localities. However, according to the Assistant Secretary, the National Asset Database does not drive DHS’s funding decisions. The exception is the Buffer Zone Protection Plan grants, which were initiated to support the protection efforts associated with the original Protected Measures Target List and Operation Liberty Shield.

44 See, Department of Homeland Security. Office of Grants and Training. Discussion of the FY2006 Risk Methodology and the Urban Area Security Initiative, located at [http://www.ojp.usdoj.gov/odp/docs/FY_2006_UASI_Program_Explanation_Paper_011805.doc], last viewed on July 16, 2007.

45 According to a conversation with Assistant Secretary Stephan, July 12, 2007, the short list of critical assets is forwarded to the Office of Grants and Training (referred to as ODP in this report), to be incorporated into their modeling exercise.
The relationship between the ODP’s grant-making process, the National Asset Database, and the NIPP is not explicitly stated in DHS documents. The NIPP risk assessment process was finalized June 30, 2006, but ODP has had some form of risk assessment process in place for determining initial grant allocations for programs such as the Urban Area Security Initiative since 2003. Also, for the FY2006 cycle, ODP indicated it had evaluated over 120,000 specific infrastructure assets, 44 but the National Asset Database only contained 77,069 assets as of January 2006. It would appear that ODP’s grant-making process operates independently from both the National Asset Database and the National Infrastructure Protection Plan. 45

Issues

Assuming that the Undersecretary is not changing the definition of critical infrastructure, and accepting DHS’s argument that the National Asset Database is not a prioritized list of critical assets and that it is not the basis for determining grant allocations, two issues remain: the quality of the information contained in the Database; and whether the value of keeping low criticality assets in the Database warrants the costs associated with maintaining them in the Database. Another potential issue could arise if the current voluntary nature of the Database changes. Congress may ultimately focus its oversight of the National Asset Database on these areas.

46 Based on personal communication with industry official, September 29, 2003.

47 Quoted by CQ Homeland Security. Op. cit.

48 Department of Homeland Security. Office of Inspector General. Op. cit. p. 16.

49 Protective Security Advisors are DHS employees stationed in the field to act as liaison with state and local stakeholders.

50 The Protected Critical Infrastructure Information Program implements the Critical Infrastructure Information Act of 2002, passed as part of the Homeland Security Act, P.L. 107-296, Title I, Subtitle B.
50 (continued) The act provides for a variety of protections for critical infrastructure information submitted voluntarily to the Department, including exemption from the Freedom of Information Act (5 U.S.C. 552). For a discussion of the Critical Infrastructure Information Act see Archived CRS Report RL31762, Homeland Security Act of 2002: Critical Infrastructure Information Act.

Quality

Data quality is always an issue in generating any database. In the case of the National Asset Database, quality includes accuracy, consistency, and completeness. The quality of the information gathered early in the development of the Database has been questioned. For example, early in the evolution of the list, certain electric utility operators were presented with a list of critical electric power assets drawn up by DHS and noticed that some of the entries were not currently in use. 46 Also, one Member of Congress noted that the location for Disneyland was incorrect. 47 According to the IG report, DHS itself determined that the early Protected Measures Target List was unreliable. 48

DHS has taken a number of steps to improve the quality of the information contained in the Database. The IG report noted that during the second data call to the states, DHS hired contractors to put the information it received into a consistent format, to research missing information, and to verify the accuracy of the information. DHS has approved a taxonomy which everyone submitting information can use to categorize and subcategorize assets. DHS plans to use this taxonomy in future data calls. The IG report also stated that DHS intends to use expert panels to review information in their sector of expertise. According to the FY2007 budget justification, one of the responsibilities of the Protective Security Advisors 49 is to verify critical infrastructure information.

Of particular concern is the completeness of the information included.
Beyond the issue that there appears to be an incomplete inventory of the less than critical assets, as noted above, the IG was particularly concerned that the Database does not include assets that one might conclude should be included. The IG attributed part of this problem to reluctance on the part of private sector owner/operators to share certain information with DHS, notwithstanding the Protected Critical Infrastructure Information Program. 50

Ensuring the quality of the information in the Database is likely to require a continuous effort, since quality also implies currency. If a particular site closes, moves, or changes ownership, the changes would logically need to be captured in the Database.

The consideration of quality could also include the accessibility, flexibility, and security of the database. The NIPP suggested that the Database would be accessible to many types of queries, by many types of stakeholders. However, it is not clear that the Database yet has these capabilities.

51 Department of Homeland Security. Office of Inspector General. Op. cit. p. 32.

52 While the NIPP suggests that this would not occur, the NIPP also makes reference to (as do the IG report and the FY2007 budget justification) a “national risk profile.” The NIPP describes the national risk profile as a high level summary of the aggregate risk and protective status across all sectors. The IG report makes reference to a contractor-developed Gross Consequences of Attack tool that would automatically estimate, across a large number of potential targets held in the Database, the consequences associated with various types of attacks. It is not clear if this includes all entries or just those eventually judged most critical.

53 U.S. Congress. House of Representatives. Making Appropriations for the Department of Homeland Security for the Fiscal Year Ending September 30, 2006, and for Other Purposes. H.Rept. 109-241, accompanying H.R. 2360. p. 71.
DHS intends to develop a second generation Database, one that includes the integration of vulnerability, risk, threat, and other relevant information. According to the IG report, DHS does not expect the second generation Database to be ready for two more years. In regard to security, the Undersecretary, in his response to the IG report, asserted that the Database currently “exceeds all security and protection standards.” 51 Assessing the accuracy of this assertion is beyond the scope of this report.

What to Keep

The IG report asserted that maintaining unusual and out-of-place entries in the Database may:

• complicate efforts to develop a useful database;
• make resource allocation more challenging;
• obscure desired data;
• waste time and money in repeatedly filtering them out of analyses or trying to prioritize them; and
• taint credibility.

The DHS IG report, however, does not explain how these entries would necessarily complicate, challenge, and obscure efforts. While the Database may not yet be as accessible or as searchable as eventually planned, it is not clear why less critical (or more critical) data could not be tagged as such. However, the presence of this data does involve cost in time and resources. At the very least, as discussed above, the information collected on all assets must be entered and verified (even the less critical ones) and missing data also may have to be located. Also, additional costs would likely be incurred if any further analysis (such as vulnerability assessment or more detailed consequence analysis) were done on these entries. 52 The budget justification documents do not present data on how much money DHS spends on the Database, or how that expense is broken down. However, Congress did appropriate $20 million for the Database in FY2006. 53
While the argument could be made that the costs might be marginal, the DHS IG report noted that, currently, those entries identified as not being critical at the national level outnumber, by 3 to 1, those that are identified as critical at the national level. Currently, DHS considers only 600 assets as being the most critical, indicating that less than critical sites could actually dominate the cost of maintaining the Database. It is not clear how to evaluate the value of maintaining these non-critical assets in the Database, especially if their numbers are under-represented and the risk associated with them is relatively low.

A Potential Change in Status for the Database

Currently the presence of a particular asset in the Database carries with it no specific obligations on the part of the owner/operator. They are not required by statute or regulation to provide information to the Database, per se, or to take any specific actions as a result of having an asset listed. 54 Information solicited by DHS is voluntarily given. Presumably, publicly available information does not require the permission of the owner/operator for it to be included in the Database. However, if ever having an asset on the National Asset Database carries with it some legal or regulatory requirements, then what is in and not in the Database, or adding or removing assets from it, might result in much greater consequences for both the owners/operators and DHS.

Congressional Action

The House of Representatives, as part of the 110th Congress’s first 100 hours of legislation, passed H.R. 1, “Implementing the 9/11 Commission Recommendations Act of 2007.” Title IX of this act includes a section (Sec. 902) dealing with the National Asset Database. The Section did a number of things.

54 Note that the Database may contain information associated with regulations which require submission of the information for other regulatory purposes.
It amended the Homeland Security Act to include the requirement that the Secretary of Homeland Security establish a National Asset Database. It also required the Secretary to establish within this Database a subset of assets that the Secretary determines are most at risk. This subset of assets shall be called the National At-Risk Database. This requirement indicated that the House disagrees with the Undersecretary that the National Asset Database should not include a prioritization of assets.

Section 902 also established a National Asset Database Consortium, made up of representatives from at least two, but no more than four, national laboratories along with officials from other federal agencies with appropriate experience in working with and identifying critical infrastructure. The Consortium is to advise the Secretary on how to identify, generate, organize, and maintain the National Asset Database. In addition, the Secretary is to solicit comments from the Consortium on the appropriateness of the risk methodologies employed by the National Infrastructure Protection Plan and alternative methods for defining risk and identifying specific criteria by which to set priorities. The Secretary is to secure recommendations from the Consortium 60 days after this act is enacted.

The Section also required the Secretary to annually review the Database to examine assets in the Database to determine if the information on these assets is incorrect or if they do not meet national asset guidelines used by the Secretary to determine which assets should remain in the Database.

55 These bills may be combined with other homeland security related legislation. See, Congress Daily PM. “House Will Merge 9/11, Transit Bills And Name Conferees.” Monday, July 16, 2007, at [http://nationaljournal.com/pubs/congressdaily/dj070716.htm#6]. Site last visited July 16, 2007.
It required the Secretary to remove from the Database any asset whose information is not verifiable or which does not meet the national asset guidelines. The requirement disagrees with the Undersecretary’s position that less-than-nationally-critical assets should remain in the Database. Also, the Secretary is to provide the Database to states for review and to meet annually with the states to discuss guidelines for their submissions of information for the Database. This requirement is in agreement with recommendations made by the Inspector General. Section 902 also required the Secretary to ensure that the information contained in the Database can be organized by sector, state, locality, and region.

Section 902 required the Secretary to report to Congress annually on those assets in the Database considered to be most at risk. The report is to include the name, location, and sector of each asset. It is also to include any changes in the criteria used to define or identify critical infrastructure and any changes in the compiling of the Database. It is also to include the extent to which the Database has been used as a tool for allocating resources. It is likely that DHS would classify much of the information specific to particular assets in the Database.

Title XI in the Senate’s companion bill, S. 4, “Improving America’s Security Act of 2007,” also required the Secretary to develop a risk-based prioritized list of critical infrastructure and key resources. The list should consider those assets or systems that, if destroyed or disrupted, by attack or natural catastrophe, would cause significant loss of life, severe economic harm, mass evacuations, or lead to the loss of vital public services. The list should reflect a cross-sector analysis to determine priorities for prevention, protection, recovery, and reconstitution.
The act also instructed the Secretary to report to Congress annually the criteria used to create the list, the methodology used to solicit and verify information submitted to the list, and how the list will be used in program activities, including grant making. No further action on either of these bills has occurred to date. 55

The House version of the FY2008 Department of Homeland Security Appropriations Bill, H.R. 2638, contained report language directing the National Protection and Programs Directorate to remove from the National Asset Database items it deems insignificant, and encouraged the Directorate to provide states and local partners the opportunity to review their assets listed in the Database and to recommend items for removal. The language also stated that the Directorate should clarify its guidance when soliciting information to ensure uniform and accurate information. The Senate version (S. 1644) contained no similar language.
National Infrastructure Protection Plan: Partnering to enhance protection and resiliency (2009)

Preface

Risk in the 21st century results from a complex mix of manmade and naturally occurring threats and hazards, including terrorist attacks, accidents, natural disasters, and other emergencies. Within this context, our critical infrastructure and key resources (CIKR) may be directly exposed to the event themselves or indirectly exposed as a result of the dependencies and interdependencies among CIKR. Within the CIKR protection mission area, national priorities must include preventing catastrophic loss of life and managing cascading, disruptive impacts on the U.S. and global economies across multiple threat scenarios. Achieving this goal requires a strategy that appropriately balances resiliency—a traditional American strength in adverse times—with focused, risk-informed prevention, protection, and preparedness activities so that we can manage and reduce the most serious risks that we face. These concepts represent the pillars of our National Infrastructure Protection Plan (NIPP) and its 18 supporting Sector-Specific Plans (SSPs). The plans are carried out in practice by an integrated network of Federal departments and agencies, State and local government agencies, private sector entities, and a growing number of regional consortia—all operating together within a largely voluntary CIKR protection framework. This multidimensional public-private sector partnership is the key to success in this inherently complex mission area. Building this partnership under the NIPP has been a major accomplishment to date and has facilitated closer cooperation and a trusted relationship in and across the 18 CIKR sectors.
Integrating multi-jurisdictional and multi-sector authorities, capabilities, and resources in a unified but flexible approach that can also be tailored to specific sector and regional risk landscapes and operating environments is the path to successfully enhancing our Nation’s CIKR protection. The NIPP meets the requirements that the President set forth in Homeland Security Presidential Directive 7 (HSPD-7), Critical Infrastructure Identification, Prioritization, and Protection, and provides the overarching approach for integrating the Nation’s many CIKR protection initiatives into a single national effort. It sets forth a comprehensive risk management framework and clearly defined roles and responsibilities for the Department of Homeland Security; Federal Sector-Specific Agencies; and other Federal, State, regional, local, tribal, territorial, and private sector partners implementing the NIPP.

The 2009 NIPP captures the evolution and maturation of the processes and programs first outlined in 2006 and was developed collaboratively with CIKR partners at all levels of government and the private sector. Participation in the implementation of the NIPP provides the government and the private sector with the opportunity to use collective expertise and experience to more clearly define CIKR protection issues and practical solutions and to ensure that existing CIKR protection planning efforts, including business continuity and resiliency planning, are recognized. I ask for your continued commitment and cooperation in the implementation of both the NIPP and the supporting SSPs so that we can continue to enhance the protection of the Nation’s CIKR.

Michael Chertoff

Table of Contents

Preface
Executive Summary
1. Introduction
   1.1 Purpose
   1.2 Scope
   1.3 Applicability
      1.3.1 Goal
      1.3.2 The Value Proposition
   1.4 Threats to the Nation’s CIKR
      1.4.1 The Vulnerability of the U.S. Infrastructure to 21st Century Threats and Hazards
      1.4.2 The Nature of the Terrorist Adversary
      1.4.3 All-Hazards and CIKR Protection
   1.5 Special Considerations
      1.5.1 The Cyber Dimension
      1.5.2 International CIKR Protection
   1.6 Achieving the Goal of the NIPP
      1.6.1 Understanding and Sharing Information
      1.6.2 Building Partnerships
      1.6.3 Implementing a CIKR Risk Management Program
      1.6.4 Maximizing Efficient Use of Resources for CIKR Protection
2. Authorities, Roles, and Responsibilities
   2.1 Authorities
   2.2 Roles and Responsibilities
      2.2.1 Department of Homeland Security
      2.2.2 Sector-Specific Agencies
      2.2.3 Other Federal Departments, Agencies, and Offices
      2.2.4 State, Local, Tribal, and Territorial Governments
      2.2.5 CIKR Owners and Operators
      2.2.6 Advisory Councils
      2.2.7 Academia and Research Centers
3. The Strategy: Managing Risk
   3.1 Set Goals and Objectives
   3.2 Identify Assets, Systems, and Networks
      3.2.1 National Infrastructure Inventory
      3.2.2 Protecting and Accessing Inventory Information
      3.2.3 SSA Role in Inventory Development and Maintenance
      3.2.4 State and Local Government Role in Inventory Development and Maintenance
      3.2.5 Identifying Cyber Infrastructure
      3.2.6 Identifying Positioning, Navigation, and Timing Services
   3.3 Assess Risks
      3.3.1 NIPP Core Criteria for Risk Assessments
      3.3.2 Risk Scenario Identification
      3.3.3 Consequence Assessment
      3.3.4 Vulnerability Assessment
      3.3.5 Threat Assessment
      3.3.6 Homeland Infrastructure Threat and Risk Analysis Center
   3.4 Prioritize
      3.4.1 The Prioritization Process
      3.4.2 Tailoring Prioritization Approaches to Sector and Decisionmakers’ Needs
      3.4.3 The Uses of Prioritization
   3.5 Implement Protective Programs and Resiliency Strategies
      3.5.1 Risk Management Actions
      3.5.2 Characteristics of Effective Protective Programs and Resiliency Strategies
      3.5.3 Risk Management Activities, Initiatives, and Reports
   3.6 Measure Effectiveness
      3.6.1 NIPP Metrics Types and Progress Indicators
      3.6.2 Gathering Performance Information
      3.6.3 Assessing Performance and Reporting on Progress
   3.7 Using Metrics and Performance Measurement for Continuous Improvement
4. Organizing and Partnering for CIKR Protection
   4.1 Leadership and Coordination Mechanisms
      4.1.1 National-Level Coordination
      4.1.2 Sector Partnership Coordination
      4.1.3 Regional Coordination and the Partnership Model
      4.1.4 International CIKR Protection Cooperation
   4.2 Information Sharing: A Network Approach
      4.2.1 Supporting the CIKR Protection Mission
      4.2.2 The CIKR Information-Sharing Environment
      4.2.3 Federal Intelligence Node
      4.2.4 Federal Infrastructure Node
      4.2.5 State, Local, Tribal, Territorial, and Regional Node
      4.2.6 Private Sector Node
      4.2.7 DHS Operations Node
      4.2.8 Other Information-Sharing Nodes
   4.3 Protection of Sensitive CIKR Information
      4.3.1 Protected Critical Infrastructure Information Program
      4.3.2 Other Information Protection Protocols
   4.4 Privacy and Constitutional Freedoms
5. CIKR Protection as Part of the Homeland Security Mission
   5.1 A Coordinated National Approach to the Homeland Security Mission
      5.1.1 Legislation
      5.1.2 Strategies
      5.1.3 Homeland Security Presidential Directives and National Initiatives
   5.2 The CIKR Protection Component of the Homeland Security Mission
   5.3 Relationship of the NIPP and SSPs to Other CIKR Plans and Programs
      5.3.1 Sector-Specific Plans
      5.3.2 State, Regional, Local, Tribal, and Territorial CIKR Protection Programs
      5.3.3 Other Plans or Programs Related to CIKR Protection
   5.4 CIKR Protection and Incident Management
      5.4.1 The National Response Framework
      5.4.2 Transitioning From NIPP Steady-State to Incident Management
6. Ensuring an Effective, Efficient Program Over the Long Term
   6.1 Building National Awareness
      6.1.1 Education and Training
      6.1.2 Core Competencies for Implementing CIKR Protection
      6.1.3 Individual Education and Training
      6.1.4 Organizational Training and Exercises
      6.1.5 CIKR Partner Role and Approach
   6.2 Conducting Research and Development and Using Technology
      6.2.1 The SAFETY Act
      6.2.2 National Critical Infrastructure Protection R&D Plan
      6.2.3 Other R&D That Supports CIKR Protection
      6.2.4 DHS Science and Technology Strategic Framework
      6.2.5 Transitioning Requirements Into Reality
   6.3 Building, Protecting, and Maintaining Databases, Simulations, and Other Tools
      6.3.1 National CIKR Protection Data Systems
      6.3.2 Simulation and Modeling
      6.3.3 Coordination on Databases and Modeling
   6.4 Continuously Improving the NIPP and the SSPs
      6.4.1 Management and Coordination
      6.4.2 Maintenance and Updates
7. Providing Resources for the CIKR Protection Program
   7.1 The Risk-Informed Resource Allocation Process
      7.1.1 Sector-Specific Agency Reporting to DHS
      7.1.2 State Government Reporting to DHS
      7.1.3 State, Local, Tribal, and Territorial Government Coordinating Council Reporting to DHS
      7.1.4 Regional Consortium Coordinating Council Reporting to DHS
      7.1.5 Aggregating Submissions to DHS
   7.2 Federal Resource Prioritization for DHS, the SSAs, and Other Federal Agencies
      7.2.1 Department of Homeland Security
      7.2.2 Sector-Specific Agencies
      7.2.3 Summary of Roles and Responsibilities
   7.3 Federal Resources for State and Local Government Preparedness
      7.3.1 Overarching Homeland Security Grant Programs
      7.3.2 Targeted Infrastructure Protection Programs
   7.4 Other Federal Grant Programs That Contribute to CIKR Protection
   7.5 Setting an Agenda in Collaboration with CIKR Protection Partners
List of Acronyms and Abbreviations
Glossary of Key Terms
Appendixes
   Appendix 1: Special Considerations
      Appendix 1A: Cross-Sector Cybersecurity
      Appendix 1B: International CIKR Protection
   Appendix 2: Summary of Relevant Statutes, Strategies, and Directives
   Appendix 3: The Protection Program
      Appendix 3A: NIPP Core Criteria for Risk Assessments
      Appendix 3B: Existing CIKR Protection Programs and Initiatives
      Appendix 3C: Infrastructure Data Warehouse
   Appendix 4: Existing Coordination Mechanisms
   Appendix 5: Integrating CIKR Protection as Part of the Homeland Security Mission
      Appendix 5A: State, Local, Tribal, and Territorial Government Considerations
      Appendix 5B: Recommended Homeland Security Practices for Use by the Private Sector
   Appendix 6: S&T Plans, Programs, and Research & Development

List of Figures and Tables

Figures
   Figure S-1: Protection
   Figure S-2: NIPP Risk Management Framework
   Figure 1-1: Protection
   Figure 3-1: NIPP Risk Management Framework
   Figure 3-2: NIPP Risk Management Framework: Set Goals and Objectives
   Figure 3-3: NIPP Risk Management Framework: Identify Assets, Systems, and Networks
   Figure 3-4: NIPP Risk Management Framework: Assess Risks
   Figure 3-5: NIPP Risk Management Framework: Prioritize
   Figure 3-6: NIPP Risk Management Framework: Implement Programs
   Figure 3-7: NIPP Risk Management Framework: Measure Effectiveness
   Figure 3-8: NIPP Risk Management Framework: Feedback Loop for Continuous Improvement of CIKR Protection
   Figure 4-1: Sector Partnership Model
   Figure 4-2: NIPP Networked Information-Sharing Approach
   Figure 5-1: National Framework for Homeland Security
   Figure 6-1: Continuum of CIKR Capability Development
   Figure 6-2: Developing CIKR Core Competencies
   Figure 6-3: National Exercise Program Tiers
   Figure 6-4: The NIPP R&D Requirements Generation Process
   Figure 7-1: National CIKR Protection Annual Report Process
   Figure 7-2: National CIKR Protection Annual Report Analysis
   Figure 7-3: DHS and SSA Roles and Responsibilities in Federal Resource Allocation

Tables
   Table S-1: Sector-Specific Agencies and Assigned CIKR Sectors
   Table 2-1: Sector-Specific Agencies and Assigned CIKR Sectors
   Table 6-1: CIKR Competency Areas
   Table 3C-1: Database Integration

Executive Summary

Protecting and ensuring the resiliency of the critical infrastructure and key resources (CIKR) of the United States is essential to the Nation’s security, public health and safety, economic vitality, and way of life. Attacks on CIKR could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident. Direct terrorist attacks and natural, manmade, or technological hazards could produce catastrophic losses in terms of human casualties, property destruction, and economic effects, as well as profound damage to public morale and confidence. Attacks using components of the Nation’s CIKR as weapons of mass destruction could have even more devastating physical and psychological consequences.

1 Introduction

The overarching goal of the National Infrastructure Protection Plan (NIPP) is to:

Build a safer, more secure, and more resilient America by preventing, deterring, neutralizing, or mitigating the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit elements of our Nation’s CIKR and to strengthen national preparedness, timely response, and rapid recovery of CIKR in the event of an attack, natural disaster, or other emergency.

The NIPP provides the unifying structure for the integration of existing and future CIKR protection efforts and resiliency strategies into a single national program to achieve this goal.
The NIPP framework supports the prioritization of protection and resiliency initiatives and investments across sectors to ensure that government and private sector resources are applied where they offer the most benefit for mitigating risk by lessening vulnerabilities, deterring threats, and minimizing the consequences of terrorist attacks and other manmade and natural disasters. The NIPP risk management framework recognizes and builds on existing public and private sector protective programs and resiliency strategies in order to be cost-effective and to minimize the burden on CIKR owners and operators.

Protection includes actions to mitigate the overall risk to CIKR assets, systems, networks, functions, or their interconnecting links. In the context of the NIPP, this includes actions to deter the threat, mitigate vulnerabilities, or minimize the consequences associated with a terrorist attack or other incident (see figure S-1). Protection can include a wide range of activities, such as improving security protocols, hardening facilities, building resiliency and redundancy, incorporating hazard resistance into facility design, initiating active or passive countermeasures, installing security systems, leveraging “self-healing” technologies, promoting workforce surety programs, implementing cybersecurity measures, training and exercises, business continuity planning, and restoration and recovery actions, among various others.

Achieving the NIPP goal requires actions to address a series of objectives, which include:

• Understanding and sharing information about terrorist threats and other hazards with CIKR partners;
• Building partnerships to share information and implement CIKR protection programs;
• Implementing a long-term risk management program; and
• Maximizing the efficient use of resources for CIKR protection, restoration, and recovery.
These objectives require a collaborative partnership among CIKR partners, including: the Federal Government; State, local, tribal, and territorial governments; regional coalitions; the private sector; international entities; and nongovernmental organizations. The NIPP provides the framework that defines a set of flexible processes and mechanisms that these CIKR partners will use to develop and implement the national program to protect CIKR across all sectors over the long term.

2 Authorities, Roles, and Responsibilities

The Homeland Security Act of 2002 provides the basis for Department of Homeland Security (DHS) responsibilities in the protection of the Nation’s CIKR. The act assigns DHS the responsibility for developing a comprehensive national plan for securing CIKR and for recommending the “measures necessary to protect the key resources and critical infrastructure of the United States in coordination with other agencies of the Federal Government and in cooperation with State and local government agencies and authorities, the private sector, and other entities.”

The national approach for CIKR protection is provided through the unifying framework established in Homeland Security Presidential Directive 7 (HSPD-7). This directive establishes the U.S. policy for “enhancing protection of the Nation’s CIKR” and mandates a national plan to actuate that policy. In HSPD-7, the President designates the Secretary of Homeland Security as the “principal Federal official to lead CIKR protection efforts among Federal departments and agencies, State and local governments, and the private sector” and assigns responsibility for CIKR sectors to Federal Sector-Specific Agencies (SSAs) (see table S-1). It also provides the criteria for establishing or recognizing additional sectors.
In accordance with HSPD-7, the NIPP delineates the roles and responsibilities for partners in carrying out CIKR protection activities while respecting and integrating the authorities, jurisdictions, and prerogatives of these partners. Primary roles for CIKR partners include:

• Department of Homeland Security: Coordinates the Nation’s overall CIKR protection efforts and oversees NIPP development, implementation, and integration with national preparedness initiatives.
• Sector-Specific Agencies: Implement the NIPP framework and guidance as tailored to the specific characteristics and risk landscapes of each of the CIKR sectors.
• Other Federal Departments, Agencies, and Offices: Implement specific CIKR protection roles designated in HSPD-7 or other relevant statutes, executive orders, and policy directives.
• State, Local, Tribal, and Territorial Governments: Develop and implement a CIKR protection program, in accordance with the NIPP risk management framework, as a component of their overarching homeland security programs.
• Regional Partners: Use partnerships that cross jurisdictional and sector boundaries to address CIKR protection within a defined geographical area.
• Boards, Commissions, Authorities, Councils, and Other Entities: Perform regulatory, advisory, policy, or business oversight functions related to various aspects of CIKR operations and protection within and across sectors and jurisdictions.
• Private Sector Owners and Operators: Undertake CIKR protection, restoration, coordination, and cooperation activities, and provide advice, recommendations, and subject matter expertise to all levels of government.
• Homeland Security Advisory Councils: Provide advice, recommendations, and expertise to the government regarding protection policy and activities.
• Academia and Research Centers: Provide CIKR protection subject matter expertise, independent analysis, research and development (R&D), and educational programs.
[Figure S-1: Protection. The figure shows the three elements of protection (Deter Threats, Mitigate Vulnerabilities, Minimize Consequences) under the heading Manage Risks.]

Notes to Table S-1: Sector-Specific Agencies and Assigned CIKR Sectors

a The Department of Agriculture is responsible for agriculture and food (meat, poultry, and egg products).
b The Department of Health and Human Services is responsible for food other than meat, poultry, and egg products.
c Nothing in this plan impairs or otherwise affects the authority of the Secretary of Defense over the Department of Defense (DoD), including the chain of command for military forces from the President as Commander in Chief, to the Secretary of Defense, to the commander of military forces, or military command and control procedures.
d The Energy Sector includes the production, refining, storage, and distribution of oil, gas, and electric power, except for commercial nuclear power facilities.
e The Water Sector includes drinking water and wastewater systems.
f The U.S. Coast Guard is the SSA for the maritime transportation mode.
g As stated in HSPD-7, the Department of Transportation and the Department of Homeland Security will collaborate on all matters relating to transportation security and transportation infrastructure protection.
h The Department of Education is the SSA for the Education Facilities Subsector of the Government Facilities Sector.

3 The CIKR Protection Program Strategy: Managing Risk

The cornerstone of the NIPP is its risk analysis and management framework (see figure S-2) that establishes the processes for combining consequence, vulnerability, and threat information to produce assessments of national or sector risk.
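To make the risk analysis and management framework concrete, the following Python model (an added example, not part of the NIPP or any DHS tool) walks one cycle of the steps the plan names: identify assets, assess risk from consequence, vulnerability, and threat information, set priorities by risk and return on investment, implement protective programs, and measure effectiveness. The 0..1 scoring scale, the product rule for risk, the definition of return on investment as risk reduction per dollar, and every asset and program value are assumptions constructed for this example.

```python
"""Worked model of the NIPP risk management framework cycle.

Added example, not text or tooling from the NIPP. Steps modeled: identify
assets; assess risk from consequence, vulnerability and threat; prioritize
by risk and return on investment; implement programs; measure effectiveness.
Assumed, not stated by the plan: 0..1 scores, risk as their product, ROI as
risk reduction per dollar. All asset and program values are constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    sector: str
    consequence: float    # 0..1: relative loss if the asset is incapacitated
    vulnerability: float  # 0..1: likelihood that an attack or hazard succeeds
    threat: float         # 0..1: likelihood that an attack or hazard occurs

    def risk(self) -> float:
        # Assumed scoring rule: risk = consequence x vulnerability x threat.
        return self.consequence * self.vulnerability * self.threat


@dataclass(frozen=True)
class Program:
    """A candidate protective program or resiliency strategy for one asset."""
    name: str
    asset: str
    cost: float                           # dollars (constructed)
    vulnerability_reduction: float = 0.0  # fraction removed from vulnerability
    consequence_reduction: float = 0.0    # fraction removed from consequence


def apply_program(asset: Asset, program: Program) -> Asset:
    """Score the asset as it would stand once the program is implemented."""
    return replace(
        asset,
        consequence=asset.consequence * (1 - program.consequence_reduction),
        vulnerability=asset.vulnerability * (1 - program.vulnerability_reduction),
    )


def risk_reduction(asset: Asset, program: Program) -> float:
    return asset.risk() - apply_program(asset, program).risk()


def prioritize(assets: list[Asset], programs: list[Program],
               budget: float) -> list[Program]:
    """Rank programs by risk reduction per dollar; fund greedily within budget."""
    by_name = {a.name: a for a in assets}
    ranked = sorted(programs,
                    key=lambda p: risk_reduction(by_name[p.asset], p) / p.cost,
                    reverse=True)
    funded, spent = [], 0.0
    for p in ranked:
        # Greedy ROI ranking may skip one costly program that removes more
        # risk in absolute terms in favour of several cheaper ones.
        if spent + p.cost <= budget:
            funded.append(p)
            spent += p.cost
    return funded


def implement(assets: list[Asset], funded: list[Program]) -> list[Asset]:
    """Apply each funded program to its asset, preserving asset order."""
    result = []
    for asset in assets:
        for p in funded:
            if p.asset == asset.name:
                asset = apply_program(asset, p)
        result.append(asset)
    return result


def measure_effectiveness(before: list[Asset],
                          after: list[Asset]) -> dict[str, tuple[float, float]]:
    """Risk per sector before and after: the feedback step of the framework."""
    totals: dict[str, tuple[float, float]] = {}
    for b, a in zip(before, after):
        rb, ra = totals.get(b.sector, (0.0, 0.0))
        totals[b.sector] = (rb + b.risk(), ra + a.risk())
    return totals


# Constructed inventory (identify assets, systems, and networks).
ASSETS = [
    Asset("Hydroelectric dam", "Dams", 0.9, 0.5, 0.3),
    Asset("Chlorine storage site", "Chemical", 0.8, 0.7, 0.4),
    Asset("Water treatment plant", "Water", 0.6, 0.6, 0.2),
    Asset("Community arena", "Commercial Facilities", 0.05, 0.9, 0.1),
]

# Constructed candidate programs (hardening, security systems, redundancy);
# positional args are cost, vulnerability_reduction, consequence_reduction.
PROGRAMS = [
    Program("Harden dam control system", "Hydroelectric dam", 2_000_000, 0.6),
    Program("Perimeter security upgrade", "Chlorine storage site", 500_000, 0.3),
    Program("Redundant water supply", "Water treatment plant", 800_000, 0.0, 0.5),
    Program("Access control at arena", "Community arena", 60_000, 0.5),
]


def run_cycle(budget: float = 3_000_000):
    """One pass through the framework: prioritize, implement, measure."""
    funded = prioritize(ASSETS, PROGRAMS, budget)
    return funded, measure_effectiveness(ASSETS, implement(ASSETS, funded))
```

With the constructed values and a $3,000,000 budget, `run_cycle()` funds the chemical, water, and arena programs and leaves the dam program, the largest absolute risk reduction, unfunded because its reduction per dollar ranks below the others and it no longer fits the remaining budget.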
The risk management framework is structured to promote continuous improvement to enhance CIKR protection by focusing activities on efforts to: set goals and objectives; identify assets, systems, and networks; assess risk based on consequences, vulnerabilities, and threats; establish priorities based on risk assessments and, increasingly, on return-on-investment for mitigating risk; implement protective programs and resiliency strategies; and measure effectiveness. The results of these processes drive CIKR risk-reduction and management activities. The NIPP risk management framework is tailored to and applied on an asset, system, network, or mission essential function basis, depending on the fundamental characteristics of the individual CIKR sectors. DHS, the SSAs, and other CIKR partners share responsibilities for implementing the risk management framework.

4 Organizing and Partnering for CIKR Protection

The enormity and complexity of the Nation’s CIKR, the distributed character of our national protective architecture, and the uncertain nature of the terrorist threat and other manmade or natural disasters make the effective implementation of protection and resiliency efforts a great challenge. To be effective, the NIPP must be implemented using organizational structures and partnerships committed to sharing and protecting the information needed to achieve the NIPP goal and supporting objectives.

The NIPP defines the organizational structures that provide the framework for coordination of CIKR protection efforts at all levels of government, as well as within and across sectors. Sector-specific planning and coordination are addressed through coordinating councils that are established for each sector. Sector Coordinating Councils (SCCs) comprise the representatives of owners and operators, generally from the private sector.
Government Coordinating Councils (GCCs) comprise the representatives of the SSAs; other Federal departments and agencies; and State, local, tribal, and territorial governments. These councils create a structure through which representative groups from all levels of government and the private sector can collaborate or share existing approaches to CIKR protection and work together to advance capabilities.

Engaging and coordinating with foreign governments and international organizations are also essential to ensuring the protection and resiliency of U.S. CIKR, both at home and abroad. The NIPP provides the mechanisms and processes necessary to enable DHS, the Department of State, the SSAs, and other partners to strengthen international cooperation to support CIKR protection activities and initiatives.

DHS works with cross-sector entities established to promote coordination, communications, and sharing of best practices across CIKR sectors, jurisdictions, or specifically defined geographical areas. Cross-sector issues are challenging to identify and assess comparatively. Interdependency analysis is often so complex that modeling and simulation capabilities must be brought to bear. Cross-sector issues and interdependencies are addressed among the SCCs through the CIKR Cross-Sector Council, which comprises the leadership of each of the SCCs. The Partnership for Critical Infrastructure Security provides this representation with support from the DHS CIKR Executive Secretariat. Cross-sector issues and interdependencies among the GCCs are addressed through the Government Cross-Sector Council, which comprises the NIPP Federal Senior Leadership Council (FSLC) and the State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC). Additionally, the Regional Consortium Coordinating Council (RCCC) provides a forum for those with regionally based interests in CIKR protection.
[Figure S-2: NIPP Risk Management Framework]

Efficient information-sharing and information-protection processes based on mutually beneficial, trusted relationships help ensure implementation of effective, coordinated, and integrated CIKR protection programs and activities. Information sharing enables both government and private sector partners to assess events accurately, formulate risk assessments, and determine appropriate courses of action. The NIPP uses a network approach to information sharing that represents a new model for how CIKR partners share and protect the information needed to analyze risk and make risk-informed decisions. A network approach enables secure, multidirectional information sharing between and across government and industry. This approach provides mechanisms, using information-protection protocols as required, to support the development and sharing of strategic and specific threat assessments, threat warnings, incident reports, all-hazards consequence assessments, risk assessments, and best practices. This information-sharing approach allows CIKR partners to assess risks, identify and prioritize risk management opportunities, allocate resources, conduct risk management activities, and make continuous improvements to the Nation’s CIKR protection posture.

NIPP implementation relies on CIKR information provided voluntarily by owners and operators. Much of this is sensitive business or security information that could cause serious damage to private firms, the economy, public safety, or security through unauthorized disclosure or access. The Federal Government has a statutory responsibility to safeguard CIKR protection-related information. DHS and other Federal agencies use a number of programs and procedures, such as the Protected Critical Infrastructure Information (PCII) Program, to ensure that security-related information is properly safeguarded.
The CIKR protection activities defined in the NIPP are guided by legal requirements such as those described in the Privacy Act of 1974 and are designed to achieve both security and protection of civil rights and liberties.

5 CIKR Protection: An Integral Part of the Homeland Security Mission

The NIPP defines the CIKR protection component of the homeland security mission. Implementing CIKR protection requires partnerships, coordination, and collaboration among all levels of government and the private sector. To enable this, the NIPP provides guidance on the structure and content of each sector’s CIKR plan, as well as the CIKR protection-related aspects of State and local homeland security plans. This provides a baseline framework that informs the flexible and tailored development, implementation, and updating of Sector-Specific Plans; State and local homeland security strategies; and partner CIKR protection programs and resiliency strategies.

To be effective, the NIPP must complement other plans designed to help prevent, prepare for, protect against, respond to, and recover from terrorist attacks, natural disasters, and other emergencies. Homeland security plans and strategies at the Federal, State, local, tribal, and territorial levels of government address CIKR protection within their respective jurisdictions. Similarly, CIKR owners and operators have responded to the increased threat environment by instituting a range of CIKR protection-related plans and programs, including business continuity and resilience and response measures. Implementation of the NIPP is coordinated among CIKR partners to ensure that it does not result in the creation of duplicative or costly risk management requirements that offer little enhancement of CIKR protection.

The NIPP, the National Preparedness Guidelines (NPG), and the National Response Framework (NRF) together provide a comprehensive, integrated approach to the homeland security mission.
The NIPP establishes the overall risk-informed approach that defines the Nation’s CIKR protection posture, while the NRF provides the approach for domestic incident management. The NPG sets forth national priorities, doctrine, and roles and responsibilities for building capabilities across the prevention, protection, response, and recovery mission areas. Increases in CIKR protective measures in the context of specific threats or that correspond to the threat conditions established in the Homeland Security Advisory System (HSAS) provide an important bridge between NIPP steady-state protection and the incident management activities under the NRF.

The NRF is implemented to guide overall coordination of domestic incident management activities. NIPP partnerships and processes provide the foundation for the CIKR dimension of the NRF, facilitating threat and incident management across a spectrum of activities, including incident prevention, response, and recovery. The NPG is implemented through the application of target capabilities during the course of assessment, planning, training, exercises, grants, and technical assistance activities. Implementation of the NIPP is both a national preparedness priority and a framework with which to achieve protection capabilities as defined by the NPG.
6 Ensuring an Effective, Efficient Program Over the Long Term

To ensure an effective, efficient CIKR protection program over the long term, the NIPP relies on the following mechanisms:

• Building national awareness to support the CIKR protection program, related protection investments, and protection activities by ensuring a focused understanding of all hazards and of what is being done to protect and enable the timely restoration of the Nation’s CIKR in light of such threats;
• Enabling education, training, and exercise programs to ensure that skilled and knowledgeable professionals and experienced organizations are able to undertake NIPP-related responsibilities in the future;
• Conducting research and development and using technology to improve CIKR protection-related capabilities or to lower the costs of existing capabilities so that CIKR partners can afford to do more with limited budgets;
• Developing, safeguarding, and maintaining data systems and simulations to enable continuously refined risk assessment within and across sectors and to ensure preparedness for incident management; and
• Continuously improving the NIPP and associated plans and programs through ongoing review and revision, as required.

7 Providing Resources for the CIKR Protection Program

Chapter 7 describes an integrated, risk-informed approach used to: establish priorities, determine requirements, and guide resource support for the national CIKR protection program; focus Federal grant assistance to State, local, tribal, and territorial entities; and complement relevant private sector activities. At the Federal level, DHS provides recommendations regarding CIKR protection priorities and requirements to the Executive Office of the President through the National CIKR Protection Annual Report.
This report is based on information about priorities, requirements, and related program funding information that is submitted to DHS by the SSA of each sector, the SLTTGCC, and the RCCC as assessed in the context of the National Risk Profile and national priorities. The process for allocating Federal resources through grants to State, local, and tribal governments uses a similar approach. DHS aggregates information regarding State, local, tribal, and territorial CIKR protection priorities and requirements. DHS uses these data to inform the establishment of national priorities for CIKR protection and to help ensure that resources are prioritized for protective programs that have the greatest potential for mitigating risk. This risk-informed approach also includes mechanisms to involve private sector partners in the planning process and supports collaboration among CIKR partners to establish priorities, define requirements, share information, and maximize risk reduction.

1. Introduction

Protecting and ensuring the continuity of the critical infrastructure and key resources (CIKR) of the United States is essential to the Nation’s security, public health and safety, economic vitality, and way of life. CIKR includes systems and assets, whether physical or virtual, so vital to the United States that the incapacitation or destruction of such systems and assets would have a debilitating impact on national security, national economic security, public health or safety, or any combination of those matters. Terrorist attacks on our CIKR, as well as other manmade or natural disasters, could significantly disrupt the functioning of government and business alike and produce cascading effects far beyond the affected CIKR and physical location of the incident.
Direct and indirect impacts could result in large-scale human casualties, property destruction, economic disruption, and mission failure, and also significantly damage national morale and public confidence. Terrorist attacks using components of the Nation’s CIKR as weapons of mass destruction (WMD)¹ could have even more devastating physical, psychological, and economic consequences.

Protecting the Nation’s CIKR is essential to making America safer, more secure, and more resilient in the context of terrorist attacks and other natural and manmade hazards. Protection includes actions to mitigate the overall risk to CIKR assets, systems, networks, functions, or their interconnecting links resulting from exposure, injury, destruction, incapacitation, or exploitation. In the context of the National Infrastructure Protection Plan (NIPP), this includes actions to deter the threat, mitigate vulnerabilities, or minimize the consequences associated with a terrorist attack or other manmade or natural disaster (see figure 1-1). Protection can include a wide range of activities such as improving security protocols, hardening facilities, building resiliency and redundancy, incorporating hazard resistance into facility design, initiating active or passive countermeasures, installing security systems, leveraging “self-healing” technologies, promoting workforce surety programs, implementing cybersecurity measures, training and exercises, and business continuity planning, among others.
[Figure 1-1: Protection. Manage Risks: Deter Threats, Mitigate Vulnerabilities, Minimize Consequences. Implement Actions: Cybersecurity, Exercises, Awareness, Personnel surety, Physical measures, Plans, Reduced attractiveness, Redundancy, Reliability, Resiliency, Information sharing, Training.]

The NIPP (June 2006; revised January 2009) and its complementary Sector-Specific Plans (SSPs) (May 2007; to be reissued in 2010) provide a consistent, unifying structure for integrating both existing and future CIKR protection efforts. The NIPP also provides the core coordinating processes and mechanisms that enable all levels of government and private sector partners to work together to implement CIKR protection in an effective and efficient manner.

The NIPP was developed through extensive coordination with partners at all levels of government and the private sector. NIPP processes are designed to be adapted and tailored to individual sector and partner requirements, including State, local, or regional issues. Participation in the implementation of the NIPP provides government and the private sector with the opportunity to use collective expertise and experience to more clearly define issues and solutions, and to ensure that existing CIKR protection approaches and efforts, including business continuity and resiliency planning, are recognized.

¹ (1) Any explosive, incendiary, or poison gas (i) bomb, (ii) grenade, (iii) rocket having a propellant charge of more than 4 ounces, (iv) missile having an explosive or incendiary charge of more than one-quarter ounce, (v) mine, or (vi) similar device; (2) any weapon that is designed or intended to cause death or serious bodily injury through the release, dissemination, or impact of toxic or poisonous chemicals or their precursors; (3) any weapon involving a disease organism; or (4) any weapon that is designed to release radiation or radioactivity at a level dangerous to human life (18 U.S.C. 2332a).
Since the NIPP and the SSPs were first released, the processes and programs outlined in those documents have continued to evolve and mature. This update to the NIPP reflects many advances, including:

• The issuance of the SSPs, which followed the release of the NIPP;
• Establishment of Critical Manufacturing as the 18th CIKR sector and the designation of Education as a subsector of Government Facilities;
• Expansion of the sector partnership model to include the geographically focused Regional Consortium Coordinating Council (RCCC);
• CIKR mission integration within State and local fusion centers;
• Evolution of the National Asset Database to the Infrastructure Information Collection System and the Infrastructure Data Warehouse;
• Developments in the programs, approaches, and tools used to implement the NIPP risk management framework;
• Updates on risk methodologies, information-sharing mechanisms, and other CIKR protection programs;
• Inclusion of outcome-focused performance measurement and reporting processes;
• Description of additional Homeland Security Presidential Directives, national strategies, and legislation;
• Release of the Chemical Facility Anti-Terrorism Standards (CFATS), establishing a regulatory framework for those industries that involve the production, use, and storage of high-risk chemicals;
• Discussion of expanded CIKR protection-related education, training, outreach, and exercise programs;
• Evolution from the National Response Plan to the National Response Framework (NRF); and
• Inclusion of further information on research and development (R&D) and modeling, simulation, and analysis processes and initiatives.

Additionally, the revised NIPP integrates the concepts of resiliency and protection, and broadens the focus of NIPP-related programs and activities to an all-hazards environment.
1.1 Purpose

The NIPP provides the framework for the unprecedented cooperation that is needed to develop, implement, and maintain a coordinated national effort to bring together government at all levels, the private sector, nongovernmental organizations, and international partners. The NIPP depends on supporting SSPs for full implementation of this framework within and across CIKR sectors. SSPs are developed by the Federal Sector-Specific Agencies (SSAs) designated in Homeland Security Presidential Directive 7 (HSPD-7) in close collaboration with sector partners.

Together, the NIPP and SSPs provide the mechanisms for: identifying critical assets, systems, and networks, and their associated functions; understanding threats to CIKR; identifying and assessing vulnerabilities and consequences; prioritizing protection initiatives and investments based on costs and benefits so that they are applied where they offer the greatest mitigation of risk; and enhancing information-sharing mechanisms and protection and resiliency within and across CIKR sectors. The NIPP and SSPs will evolve along with changes to the Nation’s CIKR and the risk environment, as well as evolving strategies and technologies for protecting against and responding to threats and incidents. Implementation of the NIPP and the SSPs occurs at all levels through actions taken by: Federal agencies; State, regional, local, tribal, and territorial governments and organizations; and individual CIKR owners and operators.

1.2 Scope

The NIPP considers a full range of physical, cyber, and human risk elements within and across sectors. In accordance with the policy direction established in HSPD-7, the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets, and the National Strategy to Secure Cyberspace, the NIPP includes a special focus on the unique and potentially catastrophic impact of terrorist attacks.
At the same time, the NIPP builds on and is structured to be consistent with and supportive of the Nation’s all-hazards approach to homeland security preparedness and domestic incident management. Many of the benefits of enhanced CIKR protection are most sustainable when protective programs and resiliency strategies are designed to address all hazards.

The NIPP addresses ongoing and future activities within each of the CIKR sectors identified in HSPD-7 and across the sectors regionally, nationally, and within individual States or communities. It defines processes and mechanisms used to prioritize protection of U.S. CIKR (including territories and territorial seas) and to address the interconnected global networks upon which the Nation’s CIKR depend. The processes outlined in the NIPP and the SSPs recognize that protective measures do not end at a facility’s fence or at a national border, and are often a component of a larger business continuity approach. Also considered are the implications of cross-border infrastructures, international vulnerabilities, and cross-sector dependencies and interdependencies.

1.3 Applicability

The NIPP is applicable to a wide array of public and private sector CIKR partners in different ways. The framework generally is applicable to all partners with CIKR protection responsibilities and includes explicit roles and responsibilities for the Federal Government, including CIKR under the control of independent regulatory agencies, and the legislative, executive, and judicial branches. Federal departments and agencies with specific responsibilities for CIKR protection are required to take actions that are consistent with HSPD-7. The NIPP also provides an organizing structure, guidelines, and recommended activities for other partners to help ensure consistent implementation of the national framework and the most effective use of resources.
State,² local,³ tribal, and territorial government partners are required to establish CIKR protection programs that are consistent with the National Preparedness Guidelines and as a condition of eligibility for certain Federal grant programs. Owners and operators are encouraged to participate in the NIPP partnership and to initiate measures to augment existing plans for risk management, resiliency, business continuity, and incident management and emergency response in line with the NIPP framework.

1.3.1 Goal

The overarching goal of the NIPP is to:

Build a safer, more secure, and more resilient America by preventing, deterring, neutralizing, or mitigating the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit elements of our Nation’s CIKR, and to strengthen national preparedness, timely response, and rapid recovery of CIKR in the event of an attack, natural disaster, or other emergency.

Achieving this goal requires understanding and sharing information about terrorist threats and other hazards, building partnerships, implementing a long-term risk management program, and maximizing the efficient use of resources. Measuring progress toward achieving the NIPP goal requires that CIKR partners strive toward:

• Coordinated CIKR risk management plans and programs that are in place to address known and potential threats and hazards;
• Structures and processes that are flexible and adaptable both to incorporate operational lessons learned and best practices, and also to quickly reflect a changing threat or incident environment;
• Processes in place to identify and address dependencies and interdependencies to allow for more timely and effective implementation of short-term protective actions and more rapid response and recovery; and
• Access to robust information-sharing networks that include relevant intelligence and threat analysis, and real-time incident reporting.
² Consistent with the definition of “State” in the Homeland Security Act of 2002, all references to States within the NIPP are applicable to the territories and include by reference any State of the United States, the District of Columbia, the Commonwealth of Puerto Rico, the Virgin Islands, Guam, American Samoa, the Commonwealth of the Northern Mariana Islands, and any possession of the United States (Homeland Security Act).
³ A county, municipality, city, town, township, local public authority, school district, special district, intrastate district, council of governments (regardless of whether the council of governments is incorporated as a nonprofit corporation under State law), regional or interstate government entity, or agency or instrumentality of a local government; an Indian tribe or authorized tribal organization, or, in Alaska, a Native village or Alaska Regional Native Corporation; and a rural community, unincorporated town or village, or other public entity (Homeland Security Act).

1.3.2 The Value Proposition

The public-private partnership called for in the NIPP provides the foundation for effective CIKR protection. Prevention, response, mitigation, and recovery efforts are most efficient and effective when there is the full participation of government and industry partners; the mission suffers (e.g., full benefits are not realized) without the robust participation of a wide array of CIKR partners. The success of the NIPP partnership depends on articulating the benefits to government and the private sector partners.
Industry capabilities that add value to the government include:

• Understanding of CIKR assets, systems, networks, and facilities, and other capabilities through industry ownership and management of a vast majority of CIKR in most sectors;
• Ability to take action to reduce risk and to respond to and recover from incidents;
• Ability to innovate and to provide products, services, and technologies to quickly focus on mission needs; and
• Robust relationships that are useful for sharing and protecting sensitive information regarding threats, vulnerabilities, countermeasures, and best practices.

Although articulating the value proposition to the government typically is easier to achieve, it is often more difficult to articulate the direct benefits of participation for the private sector. In assessing the value proposition for the private sector, there is a clear national interest in ensuring the collective protection and resiliency of the Nation’s CIKR. More specific benefits that have been realized during the first few years of the partnership include:

• Participation in both a policy development and risk analysis and management framework that helps focus both corporate and government planning and resource investment;
• Greater information sharing regarding specific threats and hazards enabled by the issuance of security clearances to private sector partners;
• Leveraged application of preparedness guidelines and self-assessment tools within and across sectors so that risks can be managed more effectively and efficiently from the corporate level down to the individual facility level;
• Targeted application of limited resources to the highest risk issues, to include Federal grant funding where appropriate;
• Coordination and planning across multiple agencies for those assets and facilities that are considered to be at the greatest risk;
• Joint R&D and modeling, simulation, and analysis programs;
• Participation in national-level and cross-sector training and exercise programs, as well as the National Incident Management System;
• Access and input into cross-sector interdependency analyses;
• Established informal networks among private sector partners and between the private sector and the various Federal agencies that can be used for all-hazards planning and response; and
• Identification of potential improvements in regulations.

Government can encourage industry to go beyond efforts already justified by their corporate business needs to assist in broad-scale CIKR protection through activities such as:

• Providing owners and operators with timely, accurate, and useful analysis and information on threats to CIKR;
• Ensuring that industry is engaged as early as possible in the development of policies and initiatives related to NIPP implementation;
• Articulating to corporate leaders, through the use of public platforms and private communications, both the business and national security benefits of investing in security measures that exceed their business case;
• Creating an environment that encourages and supports incentives and recognition for companies to voluntarily adopt widely accepted security practices;
• Working with industry to develop and clearly prioritize key missions and enable the protection and/or restoration of related CIKR;
• Providing support for R&D initiatives that is needed to enhance future CIKR protection efforts;
• Providing the resources to enable cross-sector interdependency studies; exercises, symposiums, training sessions, and computer modeling; and otherwise support business continuity planning; and
• Enabling time-sensitive information sharing and restoration and recovery support to priority CIKR facilities and services during emerging threat and incident management situations.
The above examples illustrate some of the ways in which the government can partner with the private sector to add value to industry’s ability to assess risk and refine its own business continuity and security plans, as well as to contribute to the security and sustained economic vitality of the Nation.

10 National Infrastructure Protection Plan

1.4 Threats to the Nation’s CIKR

Presidential guidance and national strategies issued in the aftermath of the September 11, 2001, attacks focused initial CIKR protection efforts on addressing the terrorist threat environment. These new challenges required approaches that focused on intelligence-driven analyses, information sharing, and unprecedented partnerships between the government and the private sector at all levels. The Nation’s CIKR owners and operators have decades of experience planning for and responding to natural disasters, industrial accidents, and the deliberate acts of malicious individuals in order to maintain business continuity. However, such plans and preparedness efforts must continue to adapt to a dynamic threat environment and to address vulnerabilities and gaps in CIKR protection in an all-hazards context.

1.4.1 The Vulnerability of the U.S. Infrastructure to 21st Century Threats and Hazards

America is an open, technologically sophisticated, highly interconnected, and complex Nation with a wide array of infrastructure that spans important aspects of the U.S. Government, economy, and society. The vast majority of the CIKR-related assets, systems, and networks are owned and operated by the private sector. However, in sectors such as Water and Government Facilities, the majority of owners and operators are governmental or quasi-governmental entities. The great diversity and redundancy of the Nation’s CIKR provide for significant physical and economic resilience in the face of terrorist attacks, natural disasters, or other emergencies, and contribute to the strength of the Nation’s economy.
However, this vast and diverse aggregation of highly interconnected assets, systems, and networks may also present an attractive array of targets to domestic and international terrorists and magnify greatly the potential for cascading failure in the wake of catastrophic natural or manmade disasters. Improvements in protection and resilience that focus on elements of CIKR that are deemed to be nationally critical can make it more difficult for terrorists to launch destructive attacks, as well as lessen the impact of any attack or other disaster that does occur and provide greater resiliency in response and recovery.

1.4.2 The Nature of the Terrorist Adversary

The number and high profile of international and domestic terrorist attacks and disrupted plots during the last two decades underscore the determination and persistence of terrorist organizations. Terrorists have proven to be relentless, patient, opportunistic, and flexible, learning from experience and modifying tactics and targets to exploit perceived vulnerabilities and avoid observed strengths. Analysis of terrorist goals and motivations points to domestic and international CIKR as potentially prime targets for terrorist attacks. As security measures around more predictable targets increase, terrorists are likely to shift their focus to less protected targets. Enhancing countermeasures to address any one terrorist tactic or target may increase the likelihood that terrorists will shift to another, which underscores the necessity for a balanced, comparative approach that focuses on managing risk commensurately across all sectors and scenarios of concern.

Terrorist organizations have shown an understanding of the potential consequences of carefully planned attacks on economic, transportation, and symbolic targets, both within the United States and abroad.
Future terrorist attacks against CIKR located inside the United States and those located abroad could seriously threaten national security, result in mass casualties, weaken the economy, and damage public morale and confidence. The NIPP considers a broad range of terrorist objectives, intentions, and capabilities to assess the threat to various components of the Nation’s CIKR. Terrorists may contemplate attacks against the Nation’s CIKR to achieve direct or indirect effects, or to exploit the infrastructure to cause catastrophic loss of life or economic disruptions.

The NIPP outlines the ways in which the Department of Homeland Security (DHS) and its partners use threat analysis to inform comprehensive risk assessments and risk-mitigation activities. The risk management framework discussed in chapter 3 strikes a balance between ways to mitigate specific threats and general threats. It ensures that the range of risk scenarios considered is broad enough to avoid a “failure of imagination,” yet provides a process to enable risk assessment sufficient for the purpose of formulating action plans and programs to enhance resiliency, reduce vulnerability, deter threats, and mitigate potential consequences.

1.4.3 All-Hazards and CIKR Protection

In addition to addressing CIKR protection related to terrorist threats, the NIPP also describes activities relevant to CIKR protection and preparedness in an all-hazards context. The direct impact, disruption, and cascading effects of natural disasters (e.g., Hurricanes Katrina and Rita, the Northridge earthquake, the 2008 Mississippi River floods) and manmade incidents (e.g., the Minneapolis I-35 bridge collapse or the Exxon Valdez oil spill) are documented and underscore the vulnerabilities and interdependencies of the Nation’s CIKR.
Many owners and operators, government emergency managers, and first-responders have developed strategies, plans, policies, and procedures to prepare for, mitigate, respond to, and recover from a variety of natural and manmade incidents. The NIPP framework supports these efforts and, additionally, provides an augmented focus on the protection of America’s CIKR against terrorist attacks. In fact, the day-to-day public-private coordination structures, information-sharing networks, and risk management frameworks used to implement NIPP steady-state CIKR protection efforts continue to function and provide the CIKR protection dimension for incident management under the National Response Framework (NRF). Likewise, the mitigation and business continuity practices employed to protect against natural hazards and other non-terrorist attacks should support and augment the goals of the NIPP. The NIPP, and the public and private sector partnership that it represents, work in conjunction with other plans and initiatives to provide a strong foundation for preparedness in an all-hazards context.

1.5 Special Considerations

CIKR protection planning involves special consideration for unique cyber elements that support CIKR operations and complex international relationships—two areas of recent focus and attention.

1.5.1 The Cyber Dimension

• The U.S. economy and national security depend greatly and increasingly on the global cyber infrastructure. Cyber infrastructure enables all sectors’ functions and services, resulting in a highly interconnected and interdependent global network of CIKR.
• A spectrum of malicious actors routinely conducts attacks against the cyber infrastructure using cyber attack tools. Because of the interconnected nature of the cyber infrastructure, these attacks could spread quickly and have a debilitating effect.
• Cybersecurity includes preventing damage to, unauthorized use of, or exploitation of electronic information and communications systems and the information contained therein to ensure confidentiality, integrity, and availability. Cybersecurity also includes restoring electronic information and communications systems in the event of a terrorist attack or natural disaster.
• The use of innovative technology and interconnected networks in operations improves productivity and efficiency, but also increases the Nation’s vulnerability to cyber threats if cybersecurity is not addressed and integrated appropriately.
• The interconnected and interdependent nature of the Nation’s CIKR makes it problematic to address the protection of physical and cyber assets independently.
• The NIPP addresses reducing cyber risk and enhancing cybersecurity in two ways: (1) as a cross-sector cyber element that involves DHS, SSAs and Government Coordinating Councils (GCCs), and private sector owners and operators; and (2) as a major component of the Information Technology Sector’s responsibility in partnership with the Communications Sector.

1.5.2 International CIKR Protection

• The NIPP addresses international CIKR protection, including interdependencies and vulnerabilities based on threats (and associated consequences) that originate outside the country or pass through it.
• The Federal Government and the private sector work with foreign governments and international/multinational organizations to enhance the confidentiality, integrity, and availability of cyber infrastructure and products.
• Protection of assets, systems, and networks that operate across or near the borders with Canada and Mexico, or rely on other international aspects to enable critical functionality, requires coordination with and planning and/or sharing resources among neighboring governments at all levels, as well as private sector CIKR owners and operators.
• The Federal Government and private sector corporations have a significant number of facilities located outside the United States that may be considered CIKR.
• Special consideration may be required when CIKR is extensively integrated into an international or global market (e.g., financial services, agriculture, energy, transportation, telecommunications, or information technology) or when a sector relies on inputs that are not within the control of U.S. entities.
• Special consideration is required when government facilities and functions are directly affected by foreign-owned and -operated commercial facilities.
• The Federal Government, working in close coordination and cooperation with the private sector, launched the Critical Foreign Dependencies Initiative in 2007 to identify assets and systems located outside the United States, which, if disrupted or destroyed, would critically affect public health and safety, the economy, or national security. The resulting strategic compendium guides engagement with foreign countries in the CIKR protection mission area.

Cyber infrastructure includes electronic information and communication systems, and the information contained in these systems. Computer systems, control systems such as Supervisory Control and Data Acquisition (SCADA) systems, and networks such as the Internet are all part of cyber infrastructure.

Information and communications systems are composed of hardware and software that process, store, and communicate data of all types. Processing includes the creation, access, modification, and destruction of information. Storage includes paper, magnetic, electronic, and all other media types. Communications include sharing and distribution of information.

Information Technology (IT) critical functions are sets of processes that produce, provide, and maintain products and services. IT critical functions encompass the full set of processes (e.g., R&D, manufacturing, distribution, upgrades, and maintenance) involved in transforming supply inputs into IT products and services.

1.6 Achieving the Goal of the NIPP

Achieving the NIPP goal of building a safer, more secure, and more resilient America requires actions that address the following principal objectives:
• Understanding and sharing information about terrorist threats and other hazards;
• Building partnerships to share information and implement CIKR protection and resiliency programs;
• Implementing a long-term risk management program that includes:
  – Hardening, distributing, diversifying, and otherwise ensuring the resiliency of CIKR against known threats and hazards, as well as other potential contingencies;
  – Developing processes to interdict human threats to prevent potential attacks;
  – Planning for rapid response to CIKR disruptions to limit the impact on public health and safety, the economy, and government functions; and
  – Planning for rapid CIKR recovery for those events that are not preventable; and
• Maximizing the efficient use of resources for CIKR protection.

This section provides a summary of the actions needed to address these objectives. More detailed discussions of these actions are included in the chapters that follow.

1.6.1 Understanding and Sharing Information

One of the essential elements needed to achieve the Nation’s CIKR protection goals is to ensure the availability and flow of accurate, timely, and relevant information and/or intelligence about terrorist threats and other hazards, information analysis, and incident reporting.
This includes:
• Establishing effective information-sharing processes and protocols among CIKR partners;
• Providing intelligence and information to SSAs and other CIKR sector partners as permitted by law;
• Analyzing, warehousing, and sharing risk assessment data in a secure manner that is consistent with relevant legal requirements and information protection responsibilities;
• Providing protocols for real-time threat and incident reporting, alert, and warning; and
• Providing protocols for the protection of sensitive information.

Chapter 3 details the risk and threat analysis processes and products aimed at better understanding and characterizing terrorist threats. Chapter 4 describes the NIPP network approach to information sharing and the process for protecting sensitive CIKR-related information.

1.6.2 Building Partnerships

Building partnerships represents the foundation of the national CIKR protection effort. These partnerships provide a framework to:
• Exchange ideas, approaches, and best practices;
• Facilitate security planning and resource allocation;
• Establish effective coordinating structures among partners;
• Enhance coordination with the international community; and
• Build public awareness.

Chapters 2 and 4 describe partners’ roles and responsibilities related to CIKR protection, as well as specific mechanisms for the governance, coordination, and information sharing necessary to enable effective partnerships.
1.6.3 Implementing a CIKR Risk Management Program

The risk management program detailed in the NIPP includes processes to:
• Establish a risk management framework to guide CIKR protection and resiliency programs and activities;
• Take appropriate risk management actions to enhance CIKR protection and resiliency based on all-hazards risk assessments;
• Conduct and update risk assessments, as appropriate, at the asset, system, network, sector, cross-sector, regional, national, and international levels;
• Develop and deploy new technologies to enable more effective and efficient CIKR protection; and
• Provide a system for measurement and improvement of CIKR protection, including:
  – Establishing performance metrics to track the effectiveness of protection programs and resiliency strategies; and
  – Updating the NIPP and SSPs as required.

The NIPP also specifies the processes, initiatives, and milestones necessary to implement an effective long-term CIKR risk management program. Chapter 3 provides details regarding the NIPP risk management framework and the measurement and analysis processes that support its continuous improvement; chapter 6 addresses issues that are important for sustaining and improving CIKR protection over the long term.
1.6.4 Maximizing Efficient Use of Resources for CIKR Protection

Maximizing the efficient use of resources for CIKR protection includes a coordinated and integrated annual process for program implementation that:
• Supports prioritization of programs and activities within and across sectors considering sector needs and requirements;
• Informs the annual Federal process regarding planning, programming, and budgeting for national-level CIKR protection;
• Helps align Federal resources with the CIKR protection mission and supports the tracking and accountability of public funds;
• Considers State, local, tribal, and territorial government and private sector issues related to planning, programming, and budgeting;
• Draws on expertise across organizational and national boundaries;
• Shares expertise and speeds implementation of best practices;
• Recognizes the need to build a business case to support further private sector CIKR protection investments; and
• Identifies potential incentives for preparedness and security-related activities where they do not naturally exist in the marketplace.

Chapter 5 explains how a coordinated national approach to the CIKR protection mission supports the efficient application of resources. Efficient use of resources enables the continuous improvement of the technology, databases, data systems, and other approaches used to protect CIKR and manage risk. These processes are detailed in chapter 6. Chapter 7 describes the annual processes that reflect coordination with SSAs and other partners regarding resource prioritization and allocation. Also discussed are processes to target grants and other funding authorities to maximize and focus the use of resources to support national and sector priorities.

More information about the NIPP is available on the Internet at: www.dhs.gov/nipp or by contacting DHS at: [email protected]

2. Authorities, Roles, and Responsibilities

Improving the all-hazards protection and resilience of the Nation’s CIKR necessitates: a comprehensive, unifying organization; defined roles and responsibilities; and close cooperation across all levels of government and the private sector. Protection authorities, requirements, resources, capabilities, and risk landscapes vary widely across governmental jurisdictions, sectors, and individual industries and enterprises. This reality presents a complex set of challenges in terms of implementing NIPP programs and measuring performance. Hence, successful implementation of the NIPP and the supporting SSPs depends on an effective partnership framework that: fosters integrated, collaborative engagement and interaction; divides responsibilities among diverse Federal, State, regional, local, tribal, territorial, and private sector partners; and helps to efficiently target the Nation’s protection resources based on risk and need.

This chapter includes a brief overview of the relevant authorities and outlines the principal roles and responsibilities of: DHS; SSAs and GCCs; NIPP partners at all levels of government and in the private sector; CIKR owners and operators; and other partners who share responsibility in protecting the Nation’s CIKR. A comprehensive understanding of these roles and responsibilities provides the foundation for an effective and sustainable national CIKR protection effort.

2.1 Authorities

The roles and responsibilities described in this chapter are derived from a series of authorities, including the Homeland Security Act of 2002, as well as other CIKR protection-related legislation, Executive Orders, Homeland Security Presidential Directives, and national strategies.
The National Strategy for Homeland Security established the national CIKR vision with a charge to “forge an unprecedented level of cooperation throughout all levels of government, with private industry and institutions, and with the American people to protect our critical infrastructures and key assets from terrorist attack.”4 HSPD-7, Critical Infrastructure Identification, Prioritization, and Protection, provided the direction to implement this vision. More detailed information on these and other CIKR protection-related authorities is included in chapter 5 and appendix 2A.

The Homeland Security Act provides the primary authority for the overall homeland security mission and outlines DHS responsibilities in the protection of the Nation’s CIKR. It established the DHS mission, including “reducing the Nation’s vulnerability to terrorist attacks,” major disasters, and other emergencies, and charged the department with evaluating vulnerabilities and ensuring that steps are implemented to protect the high-risk elements of America’s CIKR, including food and water systems, agriculture, healthcare systems, emergency services, information technology, communications, banking and finance, energy (electrical, nuclear, gas and oil, and dams), transportation (air, highways, rail, ports, and waterways), the chemical and defense industries, postal and shipping entities, and national monuments and icons. Title II, section 201, of the act assigned primary responsibility to DHS to develop a comprehensive national plan for securing CIKR and for recommending “the measures necessary to protect the key resources and critical infrastructure of the United States in coordination with other agencies of the Federal Government and in cooperation with State and local government agencies and authorities, the private sector, and other entities.”

A number of other statutes provide specific legal authorities for both cross-sector and sector-specific CIKR protection and resiliency programs. Examples include the Public Health Security and Bioterrorism Preparedness and Response Act of 2002, which was intended to improve the ability of the United States to prevent, prepare for, and respond to acts of bioterrorism and other public health emergencies; the Maritime Transportation Security Act; the Aviation Transportation Security Act of 2001; the Energy Policy and Conservation Act; the Critical Infrastructure Information Act; the Federal Information Security Management Act; Implementing Recommendations of the 9/11 Commission Act of 2007; and various others.

Many different HSPDs are also relevant to CIKR protection, including, but not limited to:
• HSPD-3, Homeland Security Advisory System
• HSPD-5, Management of Domestic Incidents
• HSPD-8, National Preparedness
• HSPD-9, Defense of the United States Agriculture and Food
• HSPD-10, Biodefense for the 21st Century
• HSPD-19, Combating Terrorist Use of Explosives in the United States
• HSPD-20, National Continuity Policy
• HSPD-22, Domestic Chemical Defense

These separate authorities and directives are tied together as part of the national approach for CIKR protection through the unifying framework established in HSPD-7. HSPD-7, issued in December 2003, established the U.S. policy for “enhancing protection of the Nation’s CIKR.” HSPD-7 establishes a framework for public and private sector partners to identify, prioritize, and protect the Nation’s CIKR from terrorist attacks, with an emphasis on protecting against catastrophic health effects and mass casualties. The directive sets forth the roles and responsibilities for: DHS; SSAs; other Federal departments and agencies; State, local, tribal, and territorial governments; regional partners; the private sector; and other CIKR partners. The following sections address the roles and responsibilities under this integrated approach.

4 The National Strategy for Homeland Security uses the term “key assets,” defined as individual targets whose destruction would not endanger vital systems, but could create a local disaster or profoundly damage the Nation’s morale or confidence. The Homeland Security Act and HSPD-7 use the term “key resources,” defined more generally to capture publicly or privately controlled resources essential to the minimal operations of the economy or government. “Key resources” is the current terminology.

2.2 Roles and Responsibilities

Given the fact that terrorist attacks and certain natural or manmade disasters can have a national-level impact, it is incumbent upon the Federal Government to provide leadership and coordination in the CIKR protection mission area.

2.2.1 Department of Homeland Security

Under HSPD-7, DHS is responsible for leading, integrating, and coordinating the overall national effort to enhance CIKR protection, including collaboratively developing the NIPP and supporting SSPs; developing and implementing comprehensive, multi-tiered risk management programs and methodologies; developing cross-sector and cross-jurisdictional protection guidance, guidelines, and protocols; and recommending risk management and performance criteria and metrics within and across sectors. Per HSPD-7, DHS is also a focal point for the security of cyberspace. HSPD-7 establishes a central source for coordinating best practices and supporting protective programs across and within government agencies.
In the directive, the President designates the Secretary of Homeland Security as the “principal Federal official to lead, integrate, and coordinate implementation of efforts among Federal departments and agencies, State and local governments, and the private sector to protect critical infrastructure and key resources.” The Secretary of Homeland Security is responsible for addressing the complexities of the Nation’s Federal system of government and its multifaceted and interdependent economy, as well as for establishing structures to enhance the close cooperation between the private sector and government at all levels to initiate and sustain an effective CIKR protection program.

In addition to these overarching leadership and cross-sector responsibilities, DHS and its component agencies serve as the SSAs for 11 of the CIKR sectors identified in HSPD-7 or subsequently established using the criteria set forth in HSPD-7: Information Technology; Communications; Transportation Systems; Chemical; Emergency Services; Nuclear Reactors, Materials, and Waste; Postal and Shipping; Dams; Critical Manufacturing; Government Facilities; and Commercial Facilities. Specific SSA responsibilities, as appropriate, are discussed in section 2.2.2. DHS, in the person of the Assistant Secretary for Infrastructure Protection or his/her designee, serves as the co-chair of each of the GCCs with the respective Federal SSA for that sector.
Additional DHS CIKR protection roles and responsibilities include:
• Identifying, prioritizing, and coordinating Federal action in support of the protection of nationally critical assets, systems, and networks, with a particular focus on CIKR that could be exploited to cause catastrophic health effects or mass casualties comparable to those produced by a WMD;
• Coordinating, facilitating, and supporting the overall process for building partnerships and leveraging sector-specific security expertise, relationships, and resources across CIKR sectors, including oversight and support of the sector partnership model described in chapter 4; cooperating with Federal, State, local, tribal, territorial, and regional partners; and collaborating with the Department of State to reach out to foreign governments and international organizations to strengthen the protection of U.S. CIKR;
• Supporting the formation and development of regional partnerships, including promoting new partnerships, enabling information sharing, and sponsoring security clearances;
• Establishing and maintaining a comprehensive, multi-tiered, dynamic information-sharing network designed to provide timely and actionable threat information, assessments, and warnings to public and private sector partners. This responsibility includes protecting sensitive information voluntarily provided by the private sector and facilitating the development of sector-specific and cross-sector information-sharing and analysis systems, mechanisms, and processes;
• Coordinating national efforts for the security of cyber infrastructure, including precursors and indicators of an attack, and understanding those threats in terms of CIKR vulnerabilities;
• Coordinating, facilitating, and supporting comprehensive risk assessment programs for high-risk CIKR, identifying priorities across sectors and jurisdictions, and integrating CIKR protection and resiliency programs with the all-hazards approach to domestic incident management described in HSPD-5;
• Facilitating the sharing of best practices and processes, and risk assessment methodologies and tools across sectors and jurisdictions;
• Ensuring that interagency, sector, and cross-sector coordination and information-sharing mechanisms and resources (e.g., DHS sector specialists) are in place to support CIKR-related incident management operations;
• Sponsoring CIKR protection-related R&D, demonstration projects, and pilot programs;
• Supporting the development and transfer of advanced technologies while leveraging private sector expertise and competencies, including participation in the development of voluntary standards or best practices, as appropriate;
• Promoting national-level CIKR protection education, training, and awareness in cooperation with State, local, tribal, territorial, regional, and private sector partners;
• Identifying and implementing plans and processes for appropriate increases in protective measures that align to all-hazards warnings; specific threats, as appropriate; and each level of the Homeland Security Advisory System (HSAS);
• Providing real-time (24/7) threat and incident reporting;
• Conducting modeling and simulations to analyze sector, cross-sector, and regional dependencies and interdependencies, to include cyber, and sharing the results with CIKR partners, as appropriate;
• Helping inform the annual Federal budget process based on CIKR risk and the potential for reducing risk and need, in coordination with SSAs, GCCs, and other partners;
• Supporting performance measurement for the national CIKR protection program and NIPP implementation process to encourage continuous improvement and providing annual CIKR protection reports to the Executive Office of the President (EOP) and Congress;
• Integrating national efforts for the protection and recovery of critical information systems and the cyber components of physical CIKR, including analysis, warning, information-sharing, and risk management activities and programs;
• Evaluating preparedness for CIKR protection across sectors and jurisdictions;
• Documenting lessons learned from exercises, actual incidents, and pre-disaster mitigation efforts and applying those lessons, where applicable, to CIKR protection efforts;
• Promoting CIKR awareness to provide incentives for participation by CIKR owners and operators;
• Working with the Department of State, SSAs, and other partners to ensure that U.S. CIKR protection efforts are fully coordinated with international partners; and
• Evaluating the need for and coordinating the protection of additional CIKR categories over time, as appropriate.

2.2.2 Sector-Specific Agencies

Recognizing that each CIKR sector possesses its own unique characteristics, operating models, and risk landscapes, HSPD-7 designates Federal Government SSAs for each of the CIKR sectors (see table 2-1).
The SSAs are responsible for working with DHS and their respective GCCs to: implement the NIPP sector partnership model and risk management framework; develop protective programs, resiliency strategies, and related requirements; and provide sector-level CIKR protection guidance in line with the overarching guidance established by DHS pursuant to HSPD-7. Working in collaboration with partners, the SSAs are responsible for developing or revising and then submitting SSPs and sector-level performance feedback reports to DHS to enable national cross-sector CIKR protection program assessments.

In accordance with HSPD-7, SSAs are also responsible for collaborating with private sector partners and encouraging the development of appropriate voluntary information-sharing and analysis mechanisms within the sector. This includes encouraging voluntary security-related information sharing, where possible, among private entities within the sector, as well as among public and private entities. Consistent with existing authorities (including regulatory authorities in some instances), SSAs perform the activities above, as appropriate, and in close cooperation with other sector partners.

HSPD-7 requires SSAs to provide an annual report to the Secretary of Homeland Security on their efforts to identify, prioritize, and coordinate CIKR protection and resiliency in their respective sectors. DHS provides guidance and templates that inform reporting on sector CIKR protection priorities, requirements, and resources. The SSA's established annual budget process is the primary mechanism for outlining these sector-specific CIKR protection requirements and related budget projections, to the extent possible, as a component of their annual budget submissions to the Office of Management and Budget (OMB).

Additional SSA responsibilities include:
• Identifying, prioritizing, and coordinating Federal activities in support of CIKR protection and resiliency within the sector, with a particular focus on CIKR that could be exploited to cause catastrophic health effects or mass casualties comparable to those produced by a WMD;
• Managing the overall process for building partnerships and leveraging CIKR security expertise, relationships, and resources within the sector, including sector-level oversight and support of the sector partnership model described in chapter 4;
• Coordinating, facilitating, and supporting comprehensive risk assessment/management programs for high-risk CIKR, identifying protection and resiliency priorities, and incorporating CIKR protection activities as a key component of the all-hazards approach to domestic incident management within the sector;
• Facilitating the sharing of real-time incident notification, as well as CIKR protection best practices and processes, and risk assessment methodologies and tools within the sector;
• Promoting CIKR protection education, training, and awareness within the sector in coordination with State, regional, local, tribal, territorial, and private sector partners;
• Helping inform the annual Federal budget process considering CIKR risk and protection needs in coordination with partners and allocating resources for CIKR protection accordingly;
• Supporting performance measures for CIKR protection and NIPP implementation activities within the sector to enable continuous improvement, and reporting progress and gaps to DHS;
• Contributing to the annual National Critical Infrastructure Protection Research and Development (NCIP R&D) Plan;
• Identifying/recommending appropriate strategies to encourage private sector participation;
• Responding to or otherwise supporting DHS-initiated data calls, as appropriate, to populate the Infrastructure Data Warehouse (IDW), enable national-level risk assessment, and inform the national-level resource allocation;
• Supporting protocols for the Protected Critical Infrastructure Information (PCII) Program, as appropriate;
• Working with DHS, as appropriate, to develop and evaluate sector-specific risk assessment tools;
• Supporting dependency, interdependency, consequence, and other sector analyses, as needed;
• Coordinating with DHS and other NIPP partners to promote CIKR awareness to encourage participation by CIKR owners and operators;
• Coordinating sector-level participation in the National Exercise Program (NEP) (through the NEP Executive Steering Committee representatives), Homeland Security Exercise and Evaluation Program (HSEEP), and other sector-level activities;
• Assisting sector partners in their efforts to:
  – Organize and conduct protection and continuity-of-operations planning, and elevate awareness and understanding of threats and vulnerabilities to their assets, systems, and networks; and
  – Identify and promote effective sector-specific best practices and methodologies;
• Supporting the identification and implementation of plans and processes within the sector for enhancements in protective measures that align to all-hazards warnings; specific threats, as appropriate; and each level of the HSAS;
• Understanding and mitigating sector-specific cyber risk by developing or encouraging appropriate protective measures, information-sharing mechanisms, and emergency recovery plans for cyber assets, systems, and networks within the sector and interdependent sectors; and
• Coordinating with DHS, the Department of State (DOS), and other appropriate departments and agencies to integrate U.S. CIKR protection programs into the international and global markets, and address relevant dependency, interdependency, and cross-border issues.

18 National Infrastructure Protection Plan

Table 2-1: Sector-Specific Agencies and Assigned CIKR Sectors
[Table body not recovered in extraction; only the table's footnotes survive.]
a The Department of Agriculture is responsible for agriculture and food (meat, poultry, and egg products).
b The Department of Health and Human Services is responsible for food other than meat, poultry, and egg products.
c Nothing in this plan impairs or otherwise affects the authority of the Secretary of Defense over the Department of Defense (DoD), including the chain of command for military forces from the President as Commander in Chief, to the Secretary of Defense, to the commander of military forces, or military command and control procedures.
d The Energy Sector includes the production, refining, storage, and distribution of oil, gas, and electric power, except for commercial nuclear power facilities.
e The Water Sector includes drinking water and wastewater systems.
f The U.S. Coast Guard is the SSA for the maritime transportation mode.
g As stated in HSPD-7, the Department of Transportation and the Department of Homeland Security will collaborate on all matters relating to transportation security and transportation infrastructure protection.
h The Department of Education is the SSA for the Education Facilities Subsector of the Government Facilities Sector.

2.2.3 Other Federal Departments, Agencies, and Offices

All Federal departments and agencies function as CIKR partners in coordination with DHS and the SSAs. In accordance with HSPD-7, they cooperate with DHS in implementing CIKR protection efforts, consistent with the Homeland Security Act and other applicable legal authorities. In this capacity, they support implementation of the NIPP and SSPs, as appropriate, and are responsible for supporting identification, prioritization, assessment, and remediation of, and enhancing the protection of, CIKR under their control.
Federal departments and agencies that are not designated as SSAs, but that have unique responsibilities, functions, or expertise in a particular CIKR sector (such as GCC members) will:
• Assist in identifying and assessing high-consequence CIKR and enabling protective actions and programs within that sector;
• Support the national goal of enhancing CIKR protection through their role as the regulatory agency for owners and operators represented within a specific sector when so designated by statute; and
• Collaborate with all relevant partners to share security-related information within the sector, as appropriate.

Depending on their regulatory roles and their relationships with the SSAs, these agencies may play an important supporting role in developing and implementing the SSPs and related protective activities within the sector.

Under HSPD-7, a number of Federal departments and agencies and components of the EOP have special functions related to CIKR protection. The following section addresses Federal departments, agencies, and commissions specifically identified in HSPD-7. Many other Federal entities have sector-specific or cross-sector authorities and responsibilities that are more appropriately addressed in the SSPs.
• The DOS, in coordination with DHS and the Departments of Justice, Commerce, Defense, and the Treasury, works with foreign governments and international organizations to strengthen U.S. CIKR protection efforts.
• The Department of Justice (DOJ), including the Federal Bureau of Investigation (FBI), acts to reduce terrorist threats and investigates and prosecutes actual or attempted attacks on, sabotage of, or disruptions of CIKR in collaboration with DHS.
• The Department of Commerce (DOC) works with: DHS; the private sector; and research, academic, and government organizations to improve technology for cyber systems and promote other critical infrastructure efforts, including using its authority under the Defense Production Act to ensure the timely availability of materials, services, and facilities to meet homeland security requirements, and to address economic security issues.
• The Department of Transportation (DOT) collaborates with DHS on all matters related to transportation security and transportation infrastructure protection, and is also responsible for operating the National Airspace System. DOT and DHS collaborate on regulating the transportation of hazardous materials by all modes (including pipelines).
• The Nuclear Regulatory Commission (NRC) works with DHS and the Department of Energy (DOE), as appropriate, to ensure the protection of commercial nuclear reactors for generating electric power and non-power nuclear reactors used for research, testing, and training; nuclear materials in medical, industrial, and academic settings and facilities that fabricate nuclear fuel; and the transportation, storage, and disposal of commercial nuclear materials and waste. In addition, the NRC collaborates with DHS on any changes in the protective measures for this sector, as well as the approval of new reactor applications.
• The Intelligence Community, the Department of Defense (DoD), and other appropriate Federal departments, such as the Department of the Interior (DOI) and DOT, have collaborated with DHS to develop and implement a suite of geospatial visualization and analysis tools to map, image, analyze, and sort CIKR data using commercial satellite and airborne systems, as well as associated agency capabilities. DHS works with these Federal departments and agencies to identify and help protect those positioning, navigation, and timing services, such as global positioning systems (GPS), that are critical enablers for CIKR sectors such as Banking and Finance and Communications. DHS and the Intelligence Community also collaborate with other agencies, such as the Environmental Protection Agency, that manage data addressed by geographic information systems.
• The Homeland Security Council ensures the coordination of interagency policy related to physical and cyber CIKR protection based on advice from the Critical Infrastructure Protection Policy Coordination Committee (PCC). This PCC is chaired by a Federal officer or employee designated by the Assistant to the President for Homeland Security.
• The White House Office of Science and Technology Policy coordinates with DHS to further interagency R&D related to CIKR protection.
• The OMB oversees the implementation of government-wide policies, principles, standards, and guidelines for Federal Government computer security programs.

2.2.4 State, Local, Tribal, and Territorial Governments

State, local, tribal, and territorial governments are responsible for implementing the homeland security mission, protecting public safety and welfare, and ensuring the provision of essential services to communities and industries within their jurisdictions. They also play a very important and direct role in enabling CIKR protection and resilience, including CIKR under their control, as well as that owned and operated by other NIPP partners within their jurisdictions. The efforts of these public entities are critical to the effective implementation of the NIPP, SSPs, and various jurisdictionally focused protection and resiliency plans. They are equally critical in terms of enabling time-sensitive, post-event CIKR response and recovery activities.
CIKR partners at all levels of government have developed homeland security strategies that align with and support the priorities established in the National Preparedness Guidelines. With the inclusion of NIPP implementation as one of these national priorities, CIKR protection programs form an essential component of State, local, tribal, and territorial homeland security strategies, particularly with regard to establishing funding priorities and informing security investment decisions. To permit effective NIPP implementation and performance measurement at each jurisdictional level, these protection programs should reference all core elements of the NIPP framework, where appropriate, including key cross-jurisdictional security and information-sharing linkages, as well as specific CIKR protection programs focused on risk management. These programs play a primary role in the identification and protection of CIKR regionally and locally and also support DHS and SSA efforts to identify, ensure connectivity with, and enable the protection of CIKR of national-level criticality within the jurisdiction.

2.2.4.1 State and Territorial Governments

State (and territorial, where applicable) governments are responsible for establishing partnerships, facilitating coordinated information sharing, and enabling planning and preparedness for CIKR protection within their jurisdictions. They serve as crucial coordination hubs, bringing together prevention, protection, response, and recovery authorities; capabilities; and resources among local jurisdictions, across sectors, and between regional entities. States and territories also act as conduits for requests for Federal assistance when the threat or incident situation exceeds the capabilities of public and private sector partners at lower jurisdictional levels. States receive CIKR information from the Federal Government to support national and State CIKR protection and resiliency programs.

State and territorial governments shall develop and implement State or territory-wide CIKR protection programs that reflect the full range of NIPP-related activities. State and territorial programs should address all relevant aspects of CIKR protection, leverage support from homeland security assistance programs that apply across the homeland security mission area, and reflect priority activities in their strategies to ensure that resources are effectively allocated. Effective statewide and regional CIKR protection efforts should be integrated into the overarching homeland security program framework at the State or territory level to ensure that prevention, protection, response, and recovery efforts are synchronized and mutually supportive. CIKR protection at the State or territory level must cut across all sectors present within the State or territory and support national, State, and local priorities. The program also should explicitly address unique geographical issues, including transborder concerns, as well as interdependencies among sectors and jurisdictions within those geographical boundaries.
Specific CIKR protection-related activities at the State and territorial level include, but are not limited to:
• Acting as a focal point for and promoting the coordination of protective and emergency response activities, preparedness programs, and resource support among local jurisdictions, regional organizations, and private sector partners;
• Developing a consistent approach to CIKR identification, risk determination, mitigation planning, and prioritized security investment, and exercising preparedness among all relevant stakeholders within their jurisdictions;
• Identifying, implementing, and monitoring a risk management plan and taking corrective actions, as appropriate;
• Participating in significant national, regional, and local awareness programs to encourage appropriate management and security of cyber systems;
• Acting as conduits for requests for Federal assistance when the threat or current situation exceeds the capabilities of State and local jurisdictions and the private entities resident within them;
• Facilitating the exchange of security information, including threat assessments and other analyses, attack indications and warnings, and advisories, within and across jurisdictions and sectors therein;
• Participating in the NIPP sector partnership model, including: sector-specific GCCs; the State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC); SCCs; and other CIKR governance and planning efforts relevant to the given jurisdiction;
• Ensuring that funding priorities are addressed and that resources are allocated efficiently and effectively to achieve the CIKR protection mission in accordance with relevant plans and strategies;
• Sharing information on CIKR deemed to be critical from national, State, regional, local, tribal, and/or territorial perspectives to enable prioritized protection and restoration of critical public services, facilities, utilities, and functions within the jurisdiction;
• Addressing unique geographical issues, including transborder concerns, dependencies, and interdependencies among the sectors within the jurisdiction;
• Identifying and implementing plans and processes for increasing protective measures that align to all-hazards warnings; specific threats, as appropriate; and each level of the HSAS;
• Documenting lessons learned from pre-disaster mitigation efforts, exercises, and actual incidents, and applying that learning, where applicable, to the CIKR context;
• Coordinating with NIPP partners to promote CIKR awareness to motivate participation by CIKR owners and operators;
• Providing response and protection, as appropriate, where there are gaps and where local entities lack the resources needed to address those gaps;
• Identifying and communicating the requirements for CIKR-related R&D to DHS; and
• Providing information, as part of the grants process and/or homeland security strategy updates, regarding State priorities, requirements, and CIKR-related funding needs.

2.2.4.2 Regional Organizations

Regional partnerships include a variety of public-private sector initiatives that cross jurisdictional and/or sector boundaries and focus on homeland security preparedness, protection, response, and recovery within or serving the population of a defined geographical area. Specific regional initiatives range in scope from organizations that include multiple jurisdictions and industry partners within a single State to groups that involve jurisdictions and enterprises in more than one State and across international borders. In many cases, State governments also collaborate through the adoption of interstate compacts to formalize regionally based partnerships regarding CIKR protection.
Partners leading or participating in regional initiatives are encouraged to capitalize on the larger area- and sector-specific expertise and relationships to:
• Promote collaboration among partners in implementing NIPP-related CIKR risk assessment and protection activities;
• Facilitate education and awareness of CIKR protection efforts occurring within their geographical areas;
• Participate in regional exercise and training programs, including a focus on CIKR protection collaboration across jurisdictional and sector boundaries;
• Support threat-initiated and ongoing operations-based activities to enhance protection and preparedness, as well as to support mitigation, response, and recovery;
• Work with State, local, tribal, territorial, and international governments and the private sector, as appropriate, to evaluate regional and cross-sector CIKR interdependencies, including cyber considerations;
• Conduct the appropriate regional planning efforts and undertake appropriate partnership agreements to enable regional CIKR protection activities and enhanced response to emergencies;
• Facilitate information sharing and data collection between and among regional initiative members and external partners;
• Share information on progress and CIKR protection requirements with DHS, the SSAs, State and local governments, and other CIKR partners, as appropriate; and
• Participate in the NIPP sector partnership model, as appropriate.

2.2.4.3 Local Governments

Local governments represent the front lines for homeland security and, more specifically, CIKR protection and implementation of the NIPP partnership model. They provide critical public services and functions in conjunction with private sector owners and operators. In some sectors, local governmental entities own and operate CIKR such as water, stormwater, and electric utilities.

Most disruptions or malevolent acts that affect CIKR begin and end as local situations. Local authorities typically shoulder the weight of initial prevention, response, and recovery operations until coordinated support from other sources becomes available, regardless of who owns or operates the affected asset, system, or network. As a result, local governments are critical partners under the NIPP framework. They drive emergency preparedness, as well as local participation in NIPP and SSP implementation across a variety of jurisdictional partners, including government agencies, owners and operators, and private citizens in the communities that they serve.

CIKR protection focus at the local level should include, but is not limited to:
• Acting as a focal point for and promoting the coordination of protective and emergency response activities, preparedness programs, and resource support among local agencies, businesses, and citizens;
• Developing a consistent approach at the local level to CIKR identification, risk determination, mitigation planning, and prioritized security investment, and exercising preparedness among all relevant partners within the jurisdiction;
• Identifying, implementing, and monitoring a risk management plan, and taking corrective actions, as appropriate;
• Participating in significant national, State, local, and regional education and awareness programs to encourage appropriate management and security of cyber systems;
• Facilitating the exchange of security information, including threat assessments, attack indications and warnings, and advisories, among partners within the jurisdiction;
• Participating in the NIPP sector partnership model, including GCCs, SCCs, SLTTGCC, and other CIKR structures relevant to the given jurisdiction;
• Ensuring that funding priorities are addressed and that resources are allocated efficiently and effectively to achieve the CIKR protection mission in accordance with relevant plans and strategies;
• Establishing continuity plans and programs that facilitate the performance of critical functions during an emergency or until normal operations can be resumed;
• Sharing with partners, as appropriate, CIKR information deemed to be critical from the local perspective to enable prioritized protection and restoration of critical public services, facilities, utilities, and processes within the jurisdiction;
• Addressing unique geographical issues, including transborder concerns, dependencies, and interdependencies among agencies and enterprises within the jurisdiction;
• Identifying and implementing plans and processes for step-ups in protective measures that align to all-hazards warnings; specific threats, as appropriate; and each level of the HSAS;
• Documenting lessons learned from pre-disaster mitigation efforts, exercises, and actual incidents, and applying that learning, where applicable, to the CIKR protection context; and
• Conducting CIKR protection public awareness activities.

2.2.4.4 Tribal Governments

Tribal government roles and responsibilities regarding CIKR protection generally mirror those of State and local governments as detailed above. Tribal governments are accountable for the public health, welfare, and safety of tribal members, as well as the protection of CIKR and the continuity of essential services under their jurisdiction. Under the NIPP partnership model, tribal governments shall ensure coordination with Federal, State, local, and international counterparts to achieve synergy in the implementation of the NIPP and SSP frameworks within their jurisdictions. This is particularly important in the context of information sharing, risk analysis and management, awareness, preparedness planning, and protective program investments and initiatives.
2.2.4.5 Boards, Commissions, Authorities, Councils, and Other Entities

An array of boards, commissions, authorities, councils, and other entities at the State, local, tribal, and regional levels perform regulatory, advisory, policy, or business oversight functions related to various aspects of CIKR operations and protection within and across sectors and jurisdictions. Some of these entities are established through State- or local-level executive or legislative mandates with elected, appointed, or voluntary membership. These groups include, but are not limited to, transportation authorities, public utility commissions, water and sewer boards, park commissions, housing authorities, public health agencies, and many others. These entities may serve as the equivalents of SSAs within a State and contribute expertise, assist with regulatory authorities, or help facilitate investment decisions related to CIKR protection efforts within a given jurisdiction or geographical region.

2.2.5 CIKR Owners and Operators

Owners and operators generally develop and implement the protective programs and resiliency strategies for the CIKR under their control. CIKR are owned by both the public and private sector; however, the majority of CIKR is owned by the private sector. Owners and operators take action to support risk management planning and investments in security as a necessary component of prudent business planning and operations. In today's risk environment, these activities generally include reassessing and adjusting continuity-of-business and emergency management plans, building increased resiliency and redundancy into business processes and systems, protecting facilities against physical and cyber attacks, reducing the vulnerability to natural disasters, guarding against insider threats, and increasing coordination with external organizations to avoid or minimize the impact on surrounding communities or other industry partners.

For many private sector enterprises, the level of investment in security reflects risk-versus-consequence tradeoffs that are based on two factors: (1) what is known about the risk environment, and (2) what is economically justifiable and sustainable in a competitive marketplace or within resource constraints. In the context of the first factor, the Federal Government is uniquely positioned to help inform critical security investment decisions and operational planning. For example, owners and operators generally look to the government as a source of security-related best practices and for attack or natural hazard indications, warnings, and threat assessments. In relation to the second factor, owners and operators also generally rely on governmental entities to address risks outside of their property or in situations in which the current threat exceeds an enterprise's capability to protect itself or requires an unreasonable level of additional investment to mitigate risk. In this situation, public and private sector partners at all levels must collaborate to address the protection of national-level CIKR, provide timely warnings, and promote an environment in which CIKR owners and operators can better carry out their specific protection responsibilities. Additionally, CIKR owners and operators may be required to invest in security as a result of Federal, State, and/or local regulations.
The CIKR protection responsibilities of specific owners or operators vary widely within and across sectors. Some sectors have regulatory or statutory frameworks that govern private sector security operations within the sector; however, most are guided by voluntary security regimes or adherence to industry-promoted best practices. Within this diverse protective landscape, private sector entities can better secure the CIKR under their control by:
• Performing comprehensive risk assessments tailored to their specific sector, enterprise, or facility risk landscape;
• Implementing protective actions and programs to reduce identified vulnerabilities appropriate to the level of risk presented;
• Participating in the NIPP sector partnership model (including SCCs and information-sharing mechanisms);
• Developing an awareness of critical dependencies and interdependencies at the sector, enterprise, and facility levels;
• Assisting and supporting Federal, State, local, and tribal government CIKR data collection and protection efforts;
• Developing and coordinating CIKR protective and emergency response actions, plans, and programs with appropriate Federal, State, and local government authorities;
• Establishing continuity plans and programs that facilitate the performance of critical functions during an emergency or until normal operations can be resumed;
• Establishing cybersecurity programs and associated awareness training within the organization;
• Adhering to recognized industry best business practices and standards, including those with a cybersecurity nexus (see appendix 5B);
• Participating in Federal, State, local, and tribal government emergency management programs and coordinating structures;
• Establishing resilient, robust, and/or redundant operational systems or capabilities associated with critical functions;
• Promoting CIKR protection education, training, and awareness programs;
• Adopting and implementing effective workforce security assurance programs to mitigate potential insider threats;
• Providing technical expertise to the SSAs and DHS;
• Participating in regular CIKR protection-focused training and exercise programs with other public and private sector partners;
• Identifying and communicating requirements to DHS and/or the SSAs and State and local governments for CIKR protection-related R&D;
• Sharing security-related best practices and entering into operational mutual-aid agreements with other industry partners; and
• Working to identify and reduce barriers to public-private partnerships.

2.2.6 Advisory Councils

Advisory councils provide advice, recommendations, and expertise to the government (e.g., DHS, SSAs, and State or local agencies) regarding CIKR protection policy and activities. These entities also help enhance public-private partnerships and information sharing. They often provide an additional mechanism to engage with a pre-existing group of private sector leaders to obtain feedback on CIKR protection policy and programs, and to make suggestions to increase the efficiency and effectiveness of specific government programs. Examples of CIKR protection-related advisory councils and their associated responsibilities include:
• Critical Infrastructure Partnership Advisory Council (CIPAC): CIPAC is a partnership between government and private sector CIKR owners and operators that facilitates effective coordination of Federal CIKR protection programs. CIPAC engages in a range of CIKR protection activities, such as planning, risk assessments, coordination, NIPP implementation, and operational activities, including incident response and recovery. DHS published a Federal Register Notice on March 24, 2006, announcing the establishment of CIPAC as a Federal Advisory Committee Act (FACA)-exempt body (see footnote 5) pursuant to section 871 of the Homeland Security Act (see chapter 4).
• Homeland Security Advisory Council (HSAC): HSAC provides advice and recommendations to the Secretary of Homeland Security on relevant issues. The Council members, appointed by the DHS Secretary, include experts from State and local governments, public safety, security and first-responder communities, academia, and the private sector.
  – Private Sector Senior Advisory Committee (PVTSAC): The Secretary of Homeland Security established PVTSAC as a subcommittee of HSAC in order to provide HSAC with expert advice from leaders in the private sector.
• National Infrastructure Advisory Council (NIAC): NIAC provides the President, through the Secretary of Homeland Security, with advice on the security of physical and cyber systems across all CIKR sectors. The council comprises up to 30 members appointed by the President. Members are selected from the private sector, academia, and State and local governments. The council was established (and amended) under Executive Orders 13231, 13286, and 13385.
• National Security Telecommunications Advisory Committee (NSTAC): NSTAC provides industry-based advice and expertise to the President on issues and problems related to implementing National Security and Emergency Preparedness (NS/EP) communications policy. NSTAC, created under Executive Order 12382, comprises up to 30 industry chief executives representing the major communications and network service providers and information technology, finance, and aerospace companies.
2.2.7 Academia and Research Centers

The academic and research center communities play an important role in enabling national-level CIKR protection and implementation of the NIPP, including:

• Establishing Centers of Excellence (i.e., university-based partnerships or federally funded R&D centers) to provide independent analysis of CIKR protection issues;
• Supporting the research, development, testing, evaluation, and deployment of CIKR protection technologies;
• Analyzing, developing, and sharing best practices related to CIKR prioritization and protection efforts;
• Researching and providing innovative thinking and perspective on threats and the behavioral aspects of terrorism;
• Preparing or disseminating guidelines, courses, and descriptions of best practices for physical security and cybersecurity;
• Developing and providing suitable all-hazards risk analysis and risk management courses for CIKR protection professionals;
• Establishing undergraduate and graduate curricula and degree programs;
• Conducting research to identify new technologies and analytical methods that can be applied by partners to support NIPP efforts; and
• Participating in the review and validation of NIPP-supporting risk analysis and management approaches.

[5] FACA authorized the establishment of a system governing the creation and operation of advisory committees in the executive branch of the Federal Government and for other purposes. The act, when it applies, generally requires advisory committees to meet in open session and make publicly available associated written materials. It also requires a 15-day notice before any meeting may be closed to public attendance, a requirement that could prevent a meeting on short notice to discuss sensitive information in an appropriate setting.

Authorities, Roles, and Responsibilities 25

3. The Strategy: Managing Risk

The cornerstone of the NIPP is its risk management framework.
Risk is the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences. Simply stated, risk is influenced by the nature and magnitude of a threat, the vulnerabilities to that threat, and the consequences that could result. Risk is an important means of prioritizing mitigation efforts for partners ranging from facility owners and operators to Federal agencies.

The NIPP risk management framework (see figure 3-1) integrates and coordinates strategies, capabilities, and governance to enable risk-informed decisionmaking related to the Nation’s CIKR. This framework is applicable to threats such as natural disasters, manmade safety hazards, and terrorism, although different information and methodologies may be used to understand each.

This chapter addresses the use of the NIPP risk management framework as part of the overall effort to ensure the protection and resiliency of our Nation’s CIKR. DHS, the SSAs, and their public and private sector partners share responsibility for implementation of the NIPP risk management framework. The SSAs are responsible for leading sector-specific risk management programs and for ensuring that the tailored, sector-specific application of the risk management framework is addressed in their respective SSPs. DHS supports these efforts by providing guidance and analytical support to the SSAs and other partners. DHS, in collaboration with other CIKR partners, is responsible for using the best available information to conduct cross-sector risk analysis and risk management activities.
This includes the assessment of: dependencies, interdependencies, and cascading effects; identification of common vulnerabilities; development and sharing of common threat scenarios; assessment and comparison of risk across sectors; identification and prioritization of risk management opportunities across sectors; development and sharing of cross-sector measures to reduce or manage risk; and identification of specific cross-sector R&D needs.

Figure 3-1: NIPP Risk Management Framework

The NIPP risk management framework is tailored toward and applied on an asset, system, network, or functional basis, depending on the fundamental characteristics of the individual CIKR sectors. For those sectors primarily dependent on fixed assets and physical facilities, a bottom-up, asset-by-asset approach may be most appropriate. For sectors such as Communications, Information Technology, and Agriculture and Food, with accessible and distributed systems, a top-down, business or mission continuity approach, or risk assessments that focus on network and system interdependencies may be more effective. Each sector must pursue the approach that produces the most effective use of resources for the sector and contributes to cross-sector comparative risk analyses conducted by DHS.

The NIPP risk management framework includes the following activities:

• Set goals and objectives: Define specific outcomes, conditions, end points, or performance targets that collectively constitute an effective risk management posture.
• Identify assets, systems, and networks: Develop an inventory of the assets, systems, and networks, including those located outside the United States, that make up the Nation’s CIKR or contribute to the critical functionality therein, and collect information pertinent to risk management that takes into account the fundamental characteristics of each sector.
• Assess risks: Evaluate the risk, taking into consideration the potential direct and indirect consequences of a terrorist attack or other hazards (including, as capabilities mature, seasonal changes in the consequences and dependencies and interdependencies associated with each identified asset, system, or network), known vulnerabilities to various potential attack methods or other significant hazards, and general or specific threat information.
• Prioritize: Aggregate and compare risk assessment results to: develop an appropriate view of asset, system, and/or network risks and associated mission continuity, where applicable; establish priorities based on risk; and determine protection, resilience, or business continuity initiatives that provide the greatest return on investment for the mitigation of risk.
• Implement protective programs and resiliency strategies: Select appropriate actions or programs to reduce or manage the risk identified; identify and provide the resources needed to address priorities.
• Measure effectiveness: Use metrics and other evaluation procedures at the appropriate national, State, local, regional, and sector levels to measure progress and assess the effectiveness of the CIKR protection programs.

This process features a continuous feedback loop, which allows the Federal Government and its CIKR partners to track progress and implement actions to improve national CIKR protection and resiliency over time. The physical, cyber, and human elements of CIKR should be considered in tandem in each aspect of the risk management framework. The sector partnership model discussed in chapter 4 provides the structure for coordination and management of risk management activities that are flexibly tailored to different sectors and levels of government.
3.1 Set Goals and Objectives

Achieving robust, protected, and resilient infrastructure requires national, State, local, and sector-specific CIKR protection visions, goals, and objectives that describe the desired risk management posture. These goals and objectives should consider the physical, cyber, and human elements of CIKR protection and resiliency. Goals and objectives may vary across and within sectors and levels of government, depending on the risk landscape, operating environment, and composition of a specific industry, resource, or other aspect of CIKR.

Nationally, the overall goal of CIKR-related risk management is an enhanced state of protection and resilience achieved through the implementation of focused risk-reduction strategies within and across sectors and levels of government. The NIPP risk management framework supports this goal by:

• Enabling the development of the national, State, regional, and sector risk profiles that serve as the foundation for the National CIKR Protection Annual Report described in chapter 7. These risk profiles outline the highest risks facing different sectors and geographical regions, and identify cross-sector or regional issues of concern that are appropriate for the Federal CIKR protection focus, as well as opportunities for sector-, State-, and regionally based initiatives;
• Enabling DHS, SSAs, and other partners to determine the best courses of action to reduce potential consequences, threats, or vulnerabilities. Some available options include encouraging voluntary implementation of focused risk management strategies (e.g., through public-private partnerships), pursuing economic incentive-related policies and programs, and undertaking regulatory action, if appropriate; and
• Allowing the identification of risk management and resource allocation options for CIKR owners and operators, as well as different government partners.
From a sector or jurisdictional perspective, CIKR protection goals or their related supporting objectives:

• Consider distinct assets, systems, networks, functions, operational processes, business environments, and risk management approaches;
• Define the risk management posture that CIKR partners seek to attain; and
• Express this posture in terms of the outcomes and objectives sought.

Taken collectively, these goals and objectives guide all levels of government and the private sector in tailoring risk management programs and activities to address CIKR protection and resilience needs.

3.2 Identify Assets, Systems, and Networks

To meet its responsibilities under the Homeland Security Act and HSPD-7, DHS continuously engages partner agencies and other CIKR partners to build, manage, refine, and improve a comprehensive inventory of the assets, systems, and networks that make up the Nation’s CIKR. This inventory provides a common baseline of knowledge that can support CIKR partners at various levels of government and the private sector in understanding infrastructure dependencies and interdependencies, as well as enable national, local, regional, and sector-based risk assessment, prioritization, and management. Given the Nation’s vast and varied infrastructure, developing an inventory of critical assets, systems, and networks will vary by sector and types of CIKR.

3.2.1 National Infrastructure Inventory

DHS maintains a national inventory of the assets, systems, and networks that make up the Nation’s CIKR. The Nation’s infrastructure includes assets, systems, and networks that are nationally significant and those that may not be significant on a national level but are, nonetheless, important to State, local, or regional CIKR protection, incident management, and response and recovery efforts. The principal national inventory of CIKR systems and assets is the IDW.
The IDW comprises a federated data architecture that provides a single virtual view of one or more infrastructure data sources. DHS uses this data to provide all relevant public and private sector CIKR partners with access to the most current and complete view of the Nation’s infrastructure information allowed under applicable Federal, State, or local regulation. Section 3.2.2 discusses protecting and accessing this data.

The goal of the IDW is to provide access to relevant information for natural disasters, industrial accidents, and other incidents, as well as maintain basic information about the relationships, dependencies, and interdependencies among various assets, systems, and networks, including foreign CIKR on which the United States may rely. The inventory will also eventually include a cyber data framework to characterize each sector’s unique and significant cyber assets, systems, or networks.

This information is needed not only to help manage CIKR protection and resiliency approaches, but also to inform and support the response to a wide array of incidents and emergencies. Risk may change based on many factors including damage resulting from a natural disaster; seasonal or cyclic dependencies; and changes in technology, the economy, or the terrorist threat. The inventory supports domestic incident management by helping to: prioritize and focus preparedness planning; inform decisionmaking; establish strategies for response; and identify priorities for restoration, remediation, and reconstruction.

Figure 3-2: NIPP Risk Management Framework: Set Goals and Objectives

Currently, the inventory and associated attributes are maintained through the Infrastructure Information Collection System (IICS), a federated IDW, accessible in a geospatial context using the capabilities provided by the Integrated Common Analytical Viewer (iCAV) suite of tools, including the iCAV and DHS Earth viewers.
The SSAs and DHS work together and in concert with State, local, tribal, and territorial governments and private sector partners to ensure that the inventory data structure is accurate, current, and secure. DHS provides guidelines concerning information needed to develop and maintain the inventory. Within this inventory, the set of nationally and regionally significant infrastructure is maintained and constantly updated and refined.

Information in the IDW comes from a variety of sources and takes advantage of work that has already been done, such as:

• Sector inventories: SSAs and GCCs maintain close working relationships with owners and operators, SCCs, and other sources that maintain the inventories necessary for the sector’s business or mission. CIKR partners provide relevant information to DHS and update it on a periodic basis to ensure that sector CIKR and associated critical functionality are adequately represented and that sector and cross-sector dependencies and interdependencies can be identified and analyzed.
• Voluntary submittals from CIKR partners: Owners and operators; State, local, tribal, and territorial governments; and Federal departments and agencies voluntarily submit information and previously completed inventories and analyses for DHS to consider.
• Results of studies: Various government or commercial databases developed as a result of studies undertaken by trade associations, advocacy groups, and regulatory agencies may contain relevant information.
• Annual data calls: DHS, in cooperation with the SSAs and other CIKR partners, conducts a voluntary annual data call to State, territorial, and Federal partners. This data call process allows State, territorial, and Federal partners to propose CIKR data inputs meeting specified criteria.
• Ongoing reviews of particular locations where risk is believed to be higher: DHS- and SSA-initiated site assessments to: provide information on vulnerability; help identify assets, systems, and networks and their dependencies, interdependencies, and critical functionality; and provide information that will help quantify their value in risk analyses.

DHS, in coordination with the SSAs, State and local governments, private sector owners and operators, and other partners, works to build from and update existing inventories at the State and local levels to avoid duplication of past or ongoing complementary efforts.

3.2.2 Protecting and Accessing Inventory Information

The Federal Government recognizes the sensitive, business, or proprietary nature of much of the information accessed through the IDW. DHS is responsible for protecting this information from unauthorized disclosure or use. Information in the IDW is protected from unauthorized disclosure or misuse to the maximum extent allowed under applicable Federal, State, or local regulations, including PCII and security classification rules (see section 4.3). Additionally, DHS ensures that all data and licensing restrictions are strictly enforced. DHS is implementing important resilient and redundant security measures that apply to the IDW and provide system integrity and security, software security, and data protection.

Figure 3-3: NIPP Risk Management Framework: Identify Assets, Systems, and Networks

3.2.3 SSA Role in Inventory Development and Maintenance

The SSAs have a leading role in several phases of CIKR inventory development and maintenance, including nominating assets and systems and adjudication of those high-risk assets and systems proposed by States and territories in response to the annual data call.
The specific methods by which the SSAs collect sector-specific asset, system, and network data vary by sector and are described in the individual SSPs. The SSPs include descriptions of mechanisms for making data collection efforts more manageable and less burdensome, such as:

• Prioritizing the approach for data outreach to different partners;
• Identifying assets, systems, networks, or functions of potential national-, regional-, or sector-level importance; and
• Identifying, reviewing, and leveraging existing sector infrastructure data sources.

The SSAs enable sector-specific asset, system, and network awareness, data collection, and information sharing primarily by understanding existing sector-based data sources and by facilitating information-sharing agreements with data owners. For example, DHS, in its capacity as the SSA for the Dams Sector (which includes locks and levees), works closely with the U.S. Army Corps of Engineers (USACE) in the Dams Sector to facilitate data discovery within the National Inventory of Dams (NID). Although owned and maintained by USACE, shared access to the NID provides CIKR partners in Federal, State, and local governments and the private sector with a comprehensive understanding of the national dams landscape. More details on SSA roles and responsibilities in facilitating sector awareness and understanding related to the IDW are included in appendix 3C.

3.2.4 State and Local Government Role in Inventory Development and Maintenance

State and local government agencies play an important role in understanding the national CIKR landscape by enabling the identification of assets, systems, and networks at the State and local levels. State and local first-responders, emergency managers, public health officials, and others involved in homeland security missions frequently interact with infrastructure owners and operators in their jurisdictions to plan for and respond to all manner of natural and manmade hazards.
These relationships form the core of the public-private partnership model and translate into first-hand knowledge of the infrastructure landscape at the State and local levels, as well as an understanding of those CIKR that are considered critical from a State and local perspective. DHS provides a number of tools and resources to help State and local officials leverage their knowledge to create infrastructure inventories that contribute to the IDW. This includes the Constellation/Automated Critical Asset Management System (C/ACAMS) that helps State and local officials leverage their knowledge to create infrastructure inventories, implement practical CIKR protection programs, and facilitate information sharing within and across State and local boundaries, as well as with DHS and other Federal partners. By sharing first-hand knowledge and understanding through tools such as C/ACAMS, State and local partners contribute directly to the national CIKR protection mission. Additional information on State roles and responsibilities in this area is contained in appendix 3C.

Constellation/Automated Critical Asset Management System

C/ACAMS is a Web-enabled information services portal that helps State and local governments build CIKR protection programs in their local jurisdictions. Specifically, C/ACAMS provides a set of tools and resources that help law enforcement, public safety, and emergency response personnel to:

• Collect and use CIKR asset data;
• Assess CIKR asset vulnerabilities;
• Develop all-hazards incident response and recovery plans; and
• Build public-private partnerships.

The Constellation portion of C/ACAMS is an information gathering and analysis tool that allows users to search a range of free and subscription reporting sources to find relevant information tailored to their jurisdiction’s needs. ACAMS is a secure, online database and database management platform that allows for: the collection and management of CIKR asset data; the cataloguing, screening, and sorting of this data; the production of tailored infrastructure reports; and the development of a variety of pre- and post-incident response plans that are useful for strategic and operational planners and tactical commanders. Email [email protected] for additional information.

3.2.5 Identifying Cyber Infrastructure

The NIPP addresses the protection of the cyber elements of CIKR in an integrated manner rather than as a separate consideration. As a component of the sector-specific risk assessment process, cyber infrastructure components should be identified individually or included as a cyber element of a larger asset, system, or network’s description if they are associated with one. The identification process should include information on international cyber infrastructure with cross-border implications, interdependencies, or cross-sector ramifications. Cyber infrastructure that exists in most, if not all, sectors includes business systems, control systems, access control systems, and warning and alert systems.

The Internet has been identified as a key resource, comprising the domestic and international assets within both the Information Technology and Communications Sectors, and is used by all sectors to varying degrees. While the availability of the service is the responsibility of both the Information Technology and Communications sectors, the need for access to and reliance on the Internet is common to all sectors.

DHS supports the SSAs and other CIKR partners by developing tools and methodologies to assist in identifying cyber assets, systems, and networks, including those that involve multiple sectors. As needed, DHS works with sector representatives to help identify cyber infrastructure within the NIPP risk management framework.
Additionally, DHS, in collaboration with other CIKR partners, provides cross-sector cyber methodologies that, when applied, enable sectors to identify cyber assets, systems, and networks that may have nationally significant consequences if destroyed, incapacitated, or exploited. These methodologies also characterize the reliance of a sector’s business and operational functionality on cyber infrastructure components. Also, if an appropriate cyber identification methodology is already being used within the sector, DHS will work with the sector to ensure alignment of that methodology with the NIPP risk management framework.

3.2.6 Identifying Positioning, Navigation, and Timing Services

Space-based and terrestrial positioning, navigation, and timing (PNT) services are a component of multiple CIKR sectors. These services underpin almost every aspect of transportation across all its various modes. Additionally, the Banking and Finance, Communications, Energy, and Water Sectors rely on GPS as their primary timing source. The systems that support or enable critical functions in the CIKR sectors should be identified, either as part of or independent of the infrastructure, as appropriate. Examples of CIKR functions that depend on PNT services include: aviation (navigation, air traffic control, surface guidance); maritime (harbor, inland waterway vessel movement, and maritime surveillance, such as Automatic Identification Systems (AIS)); surface transportation (rail, hazardous materials (HAZMAT) tracking); communications networks (global fiber and wireless networks); and power grids. PNT services must be reliable, seamless, resistant, and resilient to unintentional or intentional interference or jamming. DHS has developed a PNT Interference Detection and Mitigation (IDM) Plan as required by the U.S. Space-Based PNT Policy of December 8, 2004.
The policy established responsibilities for multiple departments and agencies within the Federal Government to better plan, manage, and protect PNT services, and assigned to the DHS specific responsibilities governing the protection of PNT services within CIKR. The IDM Plan details the DHS initial response to the policy implementation action and lays the foundation for further planning and actions necessary to meet the responsibilities. The IDM Plan was approved by the President on August 20, 2007.

3.3 Assess Risks

Common definitions, scenarios, assumptions, metrics, and processes are needed to ensure that risk assessments contribute to a shared understanding among CIKR partners. The approach outlined by the NIPP risk management framework results in sound, scenario-based consequence and vulnerability estimates, as well as an assessment of the likelihood that the postulated threat would occur.

The NIPP framework calls for CIKR partners to assess risk from any scenario as a function of consequence, vulnerability, and threat, as defined below. As stated in the introduction to this chapter, it is important to think of risk as influenced by the nature and magnitude of a threat, the vulnerabilities to that threat, and the consequences that could result:

R = f(C, V, T)

• Consequence: The effect of an event, incident, or occurrence; reflects the level, duration, and nature of the loss resulting from the incident. For the purposes of the NIPP, consequences are divided into four main categories: public health and safety (i.e., loss of life and illness); economic (direct and indirect); psychological; and governance/mission impacts.
• Vulnerability: Physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard. In calculating the risk of an intentional hazard, a common measure of vulnerability is the likelihood that an attack is successful, given that it is attempted.
• Threat: Natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. For the purpose of calculating risk, the threat of an intentional hazard is generally estimated as the likelihood of an attack being attempted by an adversary; for other hazards, threat is generally estimated as the likelihood that a hazard will manifest itself. In the case of terrorist attacks, the threat likelihood is estimated based on the intent and capability of the adversary.

CIKR-related risk assessments consider all three components of risk and are conducted on assets, systems, or networks, depending on the characteristics of the infrastructure being examined. Once the three components of risk have been assessed for one or more given assets, systems, or networks, they must be integrated into a defensible model to produce a risk estimate.

DHS conducts risk analyses for each of the 18 CIKR sectors, working in close collaboration with the SSAs, State and local authorities, and private sector owners and operators. This includes execution of the Strategic Homeland Infrastructure Risk Assessment (SHIRA) data call that provides input to risk analysis programs and projects and considers data collected more broadly through other DHS Office of Infrastructure Protection (IP) program activities as well.

DHS has identified a number of risk assessment characteristics and data requirements to produce results that enable cross-sector risk comparisons; these are termed core criteria.
These features provide a guide for improving existing methodologies or modifying them so that the investment and expertise they represent can be used to support national-level, comparative risk assessment, investments, incident response planning, and resource prioritization. The NIPP core criteria for risk assessments are summarized in appendix 3A and are discussed below.

3.3.1 NIPP Core Criteria for Risk Assessments

The NIPP core criteria for risk assessments identify the characteristics and information needed to produce results that can contribute to cross-sector risk comparisons. These criteria include both the analytic principles that are broadly applicable to all parts of a risk methodology and specific guidance regarding information needed to understand and address each of the three components of the risk equation: consequence, vulnerability, and threat. Risk assessments are conducted by many CIKR partners to meet their own decisionmaking needs, using a broad range of methodologies. Whenever possible, DHS seeks to use information from partners’ risk assessments to contribute to an understanding of risks across sectors and throughout the Nation. Thus, adherence to the NIPP core criteria will facilitate the broadest applicability of existing assessments.

Figure 3-4: NIPP Risk Management Framework: Assess Risks

A very important program that provides a key synthesizing assessment for the Federal NIPP community is the Strategic Homeland Infrastructure Risk Assessment (SHIRA) process. The SHIRA involves an annual collaborative process conducted in coordination with interested members of the CIKR protection community to assess and analyze the risks to the Nation’s infrastructure from terrorism, as well as natural and manmade hazards. The information derived through the SHIRA process feeds a number of analytic products, including the National Risk Profile, the foundation of the National CIKR Protection Annual Report, as well as individual Sector Risk Profiles.

Recognizing that many risk assessment methodologies are under development and others evolve in a dynamic environment, the core criteria for risk assessment methodologies also serve as a guide to future adaptations. The basic analytic principles ensure that risk assessments are:

• Documented: The methodology and the assessment must clearly document what information is used and how it is synthesized to generate a risk estimate. Any assumptions, weighting factors, and subjective judgments need to be transparent to the user of the methodology, its audience, and others who are expected to use the results. The types of decisions that the risk assessment is designed to support and the timeframe of the assessment (e.g., current conditions versus future operations) should be given.
• Reproducible: The methodology must produce comparable, repeatable results, even though assessments of different CIKR may be performed by different analysts or teams of analysts. It must minimize the number and impact of subjective judgments, leaving policy and value judgments to be applied by decisionmakers.
• Defensible: The risk methodology must logically integrate its components, making appropriate use of the professional disciplines relevant to the analysis, as well as be free from significant errors or omissions. Uncertainty associated with consequence estimates and confidence in the vulnerability and threat estimates should be communicated.
• Complete: The methodology should assess consequence, vulnerability, and threat for every defined risk scenario and follow the more specific guidance for each of these as given in the subsections that follow. The guidance is also summarized in appendix 3A.
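As an added worked example (it is not part of the NIPP text and not a DHS tool), the following Python script carries the "assess risks" and "prioritize" steps of section 3.3 through for a handful of scenarios, and shows how the Documented and Reproducible core criteria look in practice: every weighting factor and assumption is written down in one place, and the same inputs always yield the same ranking. It assumes a multiplicative combination R = T × V × C, which is one common instance of the plan's general R = f(C, V, T) and is this example's assumption, not the plan's prescribed function. The consequence-category weights, the three scenarios, and the candidate mitigations are all constructed for illustration.

```python
"""Worked example of the NIPP 'assess risks' and 'prioritize' steps.

Added illustration, not NIPP text. Assumes the multiplicative form
R = T * V * C; the plan itself only states R = f(C, V, T). Every
number below is constructed for illustration.
"""
from dataclasses import dataclass

# Assumed weights for the four NIPP consequence categories. Stated here so
# the assessment is Documented and Reproducible (NIPP core criteria).
CONSEQUENCE_WEIGHTS = {
    "public_health_safety": 0.4,
    "economic": 0.3,
    "psychological": 0.1,
    "governance_mission": 0.2,
}


@dataclass(frozen=True)
class Scenario:
    """One risk scenario: the answer to 'the risk of what?' for a target."""
    target: str
    hazard: str            # means of attack, or hazard type and magnitude
    threat: float          # P(attempt) for intentional; P(occurrence) for natural
    vulnerability: float   # P(success | attempt), per section 3.3
    consequence: dict      # category -> loss estimate normalised to 0..1


@dataclass(frozen=True)
class Mitigation:
    name: str
    target: str
    cost_musd: float                 # cost in $M (constructed)
    vulnerability_factor: float      # multiplier on V (0.5 halves it)
    consequence_factor: float = 1.0  # multiplier on C (resilience measures)


def weighted_consequence(c: dict, weights=CONSEQUENCE_WEIGHTS) -> float:
    """Collapse the four consequence categories to one 0..1 score.

    Refuses incomplete estimates: the Complete criterion requires every
    category to be assessed for every scenario.
    """
    missing = set(weights) - set(c)
    if missing:
        raise ValueError(f"consequence estimate missing {sorted(missing)}")
    return sum(weights[k] * c[k] for k in weights)


def risk(s: Scenario) -> float:
    """Assumed multiplicative instance of R = f(C, V, T)."""
    for p in (s.threat, s.vulnerability):
        if not 0.0 <= p <= 1.0:
            raise ValueError("threat and vulnerability must be probabilities")
    return s.threat * s.vulnerability * weighted_consequence(s.consequence)


def rank(scenarios):
    """Prioritize: highest risk first (same inputs, same order every run)."""
    return sorted(scenarios, key=risk, reverse=True)


def apply_mitigation(m: Mitigation, s: Scenario) -> Scenario:
    """Scenario as it would look after the mitigation is in place."""
    if m.target != s.target:
        return s
    return Scenario(s.target, s.hazard, s.threat,
                    s.vulnerability * m.vulnerability_factor,
                    {k: v * m.consequence_factor for k, v in s.consequence.items()})


def risk_reduction_per_musd(m: Mitigation, scenarios) -> float:
    """Return on investment: total risk removed across all scenarios per $M."""
    before = sum(risk(s) for s in scenarios)
    after = sum(risk(apply_mitigation(m, s)) for s in scenarios)
    return (before - after) / m.cost_musd


def best_mitigation(mitigations, scenarios) -> str:
    return max(mitigations, key=lambda m: risk_reduction_per_musd(m, scenarios)).name


# Constructed scenarios under reasonable worst-case conditions (e.g. stadium at capacity).
SCENARIOS = [
    Scenario("stadium", "VBIED at capacity event", threat=0.2, vulnerability=0.5,
             consequence={"public_health_safety": 0.9, "economic": 0.3,
                          "psychological": 0.8, "governance_mission": 0.2}),
    Scenario("water_plant", "control system intrusion", threat=0.3, vulnerability=0.6,
             consequence={"public_health_safety": 0.5, "economic": 0.4,
                          "psychological": 0.4, "governance_mission": 0.6}),
    Scenario("dam", "Category 5 hurricane", threat=0.05, vulnerability=0.9,
             consequence={"public_health_safety": 0.7, "economic": 0.8,
                          "psychological": 0.3, "governance_mission": 0.5}),
]

# Constructed candidate programs; the last is a resilience measure that lowers C, not V.
MITIGATIONS = [
    Mitigation("vehicle standoff barriers", "stadium", 2.0, vulnerability_factor=0.4),
    Mitigation("network segmentation + MFA", "water_plant", 0.5, vulnerability_factor=0.5),
    Mitigation("backup generation", "dam", 3.0, vulnerability_factor=1.0, consequence_factor=0.7),
]

if __name__ == "__main__":
    for s in rank(SCENARIOS):
        print(f"{s.target:12s} {s.hazard:26s} R={risk(s):.4f}")
    for m in MITIGATIONS:
        print(f"{m.name:28s} risk removed per $M={risk_reduction_per_musd(m, SCENARIOS):.4f}")
    print("best return on investment:", best_mitigation(MITIGATIONS, SCENARIOS))
```

Two things worth noticing when you run it: the water plant ranks above the stadium even though its worst-case consequence is lower, because the threat and vulnerability estimates dominate under the multiplicative assumption; and the cheapest program, not the one on the highest-risk target, has the best return on investment, which is exactly the comparison the "prioritize" step asks partners to make. Changing the weights changes both answers, which is why the plan insists they be documented.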
3.3.2 Risk Scenario Identification

All risk is assessed with respect to a specific scenario or set of scenarios. Simply put, the risk scenario answers the question “The risk of what?” All consequence, vulnerability, and threat estimates are specific to the risk scenario. Risks can be assessed for assets, networks, systems, and defined combinations of these. In the case of the risk from terrorism, the subject of the risk assessment is commonly called the target.

When developing scenarios for a risk assessment of a relatively fixed system, an important first step is to identify those components or critical nodes where potential consequences would be highest and where protective measures and resiliency strategies can be focused. Open and adaptive systems are likely to require more sophisticated approaches to screening, which are still under development.

The risk scenario also identifies the potential source of harm. For terrorism, the risk scenario must include the means of attack and delivery, such as a 4,000-pound TNT-equivalent, vehicle-borne improvised explosive device (VBIED). In the case of natural hazards, the risk scenario must include the type and magnitude of the hazard (e.g., a Category 5 hurricane or an earthquake of 6.5 on the Richter scale).

Finally, the scenario must identify the conditions that are relevant to calculating consequence, vulnerability, and threat. DHS uses reasonable worst-case conditions to assess terrorism risks because intelligent adversaries can choose circumstances where targets are vulnerable and consequences are maximized. The concept of “worst case” (that combination of conditions that would make the most harmful results the ones that occur) is moderated by reason. Scenarios should not be compounded in complexity to include numerous unlikely conditions, unless the focus of the contingency and other planning is on extremely rare events. Neither should scenarios be based simply on average conditions.
Each type of target will have the different characteristics needed to accurately describe reasonable worst-case conditions, such as a stadium’s maximum capacity, the storage volume of a particularly hazardous material at a chemical facility, or the height and duration of a high water level at a dam.

3.3.3 Consequence Assessment

The consequences that are considered for the national-level comparative risk assessment are based on the criteria set forth in HSPD-7. These criteria can be divided into four main categories:
• Public Health and Safety: Effect on human life and physical well-being (e.g., fatalities, injuries/illness).[6]
• Economic: Direct and indirect economic losses (e.g., cost to rebuild asset, cost to respond to and recover from attack, downstream costs resulting from disruption of product or service, long-term costs due to environmental damage).
• Psychological: Effect on public morale and confidence in national economic and political institutions. This encompasses those changes in perceptions emerging after a significant incident that affect the public’s sense of safety and well-being and can manifest in aberrant behavior.
• Governance/Mission Impact: Effect on government’s or industry’s ability to maintain order, deliver minimum essential public services, ensure public health and safety, and carry out national security-related missions.

[6] Injuries and illnesses are not commonly assessed at this point; however, the capability exists to develop this information and NIPP partners should move toward including it when it is relevant and possible.

34 National Infrastructure Protection Plan

Under the general rubric of governance/mission impact are several discrete, federally mandated missions that may be disrupted.
Although many of these missions are directly fulfilled by government agencies, some are fulfilled or supported by the private sector; however, government actions can serve to either foster a healthy environment for them or inadvertently disrupt them. These include the responsibility to: ensure national security and perform other Federal missions; ensure public health; maintain order; enable the provision of essential public services; and ensure an orderly economy.

There are indirect and cascading impacts of disruptions that are difficult to understand and may be even more difficult to appraise. Some may already be accounted for in estimates of economic losses, while others may require further metrics development to enable them to be considered in a more comprehensive risk assessment. Ongoing work with NIPP partners will pursue solutions to these challenges, aiming to improve our ability to compare and prioritize mission-disruption losses in addition to the other types of consequences of concern.

A full-consequence assessment takes into consideration all four consequence criteria; however, estimating potential indirect impacts requires the use of numerous assumptions and other complex variables. An assessment of all categories of consequence may be beyond the capabilities available (or the precision needed) for a given risk assessment. At a minimum, assessments should focus on the two most fundamental impacts—the human consequences and the most relevant direct economic consequences.

3.3.3.1 Consequence Assessment Methodologies That Enable National Risk Analysis

DHS works with CIKR partners to develop or improve consequence assessment methodologies that can be applied to a variety of asset, system, or network types and to produce comparable quantitative consequence estimates. Many tools and methods can support the assessment of direct effects and consequences and are often sector-specific.
Consequence analysis should ideally address both direct and indirect effects. Many assets, systems, and networks depend on connections to other CIKR to function. For example, nearly all sectors share relationships with elements of the Energy, Information Technology, Communications, Banking and Finance, and Transportation Systems sectors. In many cases, the failure of an asset or system in one sector will affect the ability of interrelated assets or systems in the same or another sector to perform the necessary functions. Furthermore, cyber interdependencies present unique challenges for all sectors because of the borderless nature of cyberspace. Interdependencies are dual in nature (e.g., the Energy Sector relies on computer-based control systems to manage the electric power grid, while those same control systems require electric power to operate). As a result, a complete consequence analysis addresses both directions of such CIKR interconnections for the purposes of NIPP risk assessment.

Various Federal and State entities, including national laboratories, are developing sophisticated models and simulations to identify dependencies and interdependencies within and across sectors. The Federal Government established the National Infrastructure Simulation and Analysis Center (NISAC) to support these efforts (see section 6.4.2). NISAC is chartered to develop advanced modeling, simulation, and analysis capabilities for the Nation’s CIKR. These tools and analyses address dependencies and interdependencies, both physical and cyber, in an all-hazards context. These sophisticated models enhance the Nation’s understanding of CIKR dependencies and interdependencies to better inform decisionmakers, especially for cross-sector priorities. The level of detail and specificity achieved by using the most sophisticated models and simulations may not be practical or necessary for all assets, systems, or networks.
In these circumstances, a simplified dependency and interdependency analysis based on expert judgment may provide sufficient insight to make informed risk management decisions in a timely manner.

3.3.3.2 Consequence Uncertainty

There is an element of uncertainty in consequence estimates. Even when a scenario with reasonable worst-case conditions is clearly stated and consistently applied, there is often a range of outcomes that could occur. For some incidents, the consequence range is small and a single estimate may provide sufficient information to support decisions. If the range of outcomes is large, the scenario may require more specificity about conditions to obtain appropriate estimates of the outcomes. However, if the scenario is broken down to a reasonable level of granularity and there is still significant uncertainty, the single estimate should be accompanied by the uncertainty range to support more informed decisionmaking. The best way to communicate uncertainty will depend on the factors that make the outcome uncertain, as well as the amount and type of information that is available.

Core Criteria Guidance for Consequence Assessments
• Document the scenarios assessed, tools used, and any key assumptions made.
• Estimate the number of fatalities, injuries, and illnesses, where applicable and feasible, keeping each separate estimate visible to the user.
• Estimate the economic loss in dollars, stating which costs are included (e.g., property damage losses, lost revenue, loss to the economy) and what duration was considered.
• If monetizing human health consequences, document the value(s) used and the assumptions made.
• Consider and document any protective or consequence mitigation measures that have their effect after the incident has occurred, such as the rerouting of systems or HAZMAT or fire-and-rescue response.
• Describe psychological impacts and mission disruption where feasible.
3.3.4 Vulnerability Assessment

Vulnerabilities are physical features or operational attributes that render an entity open to exploitation or susceptible to a given hazard. Vulnerabilities may be associated with physical (e.g., a broken fence), cyber (e.g., lack of a firewall), or human (e.g., untrained guards) factors. A vulnerability assessment can be a stand-alone process or part of a full risk assessment. The vulnerability assessment involves the evaluation of specific threats to the asset, system, or network under review to identify areas of weakness that could result in consequences of concern.

3.3.4.1 Vulnerability Assessment Methodologies That Enable National Risk Analysis

Many different vulnerability assessment approaches are used in the different CIKR sectors and by various government authorities. The primary vulnerability assessment methodologies used in each sector are described in the respective SSPs. The SSPs also provide specific details regarding how the assessments can be carried out (e.g., by whom and how often). The results of the vulnerability assessments need to be comparable in order to contribute to national-level, cross-sector risk analysis. As with risk assessments, vulnerability assessments should meet the same core criteria (i.e., be documented, reproducible, defensible, and complete) if the results are to be compared at a national, cross-sector level. In addition, vulnerability-specific core criteria guidance is provided at the end of this section.

3.3.4.2 SSA and DHS Analysis Responsibilities

SSAs and their sector partners are responsible for collecting and documenting the vulnerability assessment approaches used within their sectors. Owners or operators typically perform the vulnerability assessments, sometimes with facilitation by government authorities. The SSAs are also responsible for compiling, where possible, vulnerability assessment results for use in sector and national risk analysis efforts.
In addition, the SSAs work with DHS, where possible, to review the results of assessments for assets, systems, and networks that are of greatest concern from the SSA’s perspective. The SSAs should strive to involve owners and operators in this effort. Vulnerability assessment information may be submitted by owner/operators for validation as PCII under the PCII Program (see section 4.3, Protection of Sensitive CIKR Information). The PCII Program Manager may designate some information as “categorically included” PCII (see section 4.3.1, Protected Critical Infrastructure Information Program). This designation provides the SSA with the option to receive the categorically included Critical Infrastructure Information (CII) directly from the submitter. This arrangement is based on pre-approval from the PCII Program Office on a case-by-case basis.

DHS works to ensure that appropriate vulnerability assessments are performed for nationally critical CIKR. DHS works with CIKR owners and operators, the SSAs, and appropriate State and local authorities, to either perform the assessment or to verify the adequacy and relevance of previously performed assessments to support risk management decisions.

California Water System Comprehensive Review
Federal, State, and local stakeholders collaborated successfully to complete the first systems-based Comprehensive Review (CR). A systems-based CR is a cooperative government-led analysis of CIKR facilities. The California Water System CR required extensive coordination, planning, research, data collection, and outreach to State and local partners to identify critical assets and system interdependencies. DHS, in conjunction with Federal and California State partners, worked with facility owners and operators to identify critical water system assets. This system consists of 161 assets spanning 33 counties. The review determined that 40 of the 161 assets were critical assets.
DHS completed 32 onsite vulnerability assessments and six Emergency Services Capabilities Assessments. DHS met with site owners and operators, California State and local law enforcement, and emergency management entities to analyze and track the gaps, potential enhancements, and protective measures that were identified and to evaluate vulnerability mitigation and grant funding effectiveness.

DHS and the SSAs collaborate to support vulnerability assessments that address the specific needs of the NIPP’s approach to CIKR protection and risk management. Such assessments may:
• More fully investigate dependencies and interdependencies;
• Serve as a basis for developing common vulnerability reports that can help identify strategic needs for protective programs or R&D across sectors or subsectors;
• Fill gaps when sectors or owner/operators have not yet completed assessments and decisionmaking requires such studies immediately; and
• Test and validate new methodologies or streamlined approaches for assessing vulnerability.

In some sectors and subsectors, vulnerability assessments have never been performed or may have been performed for only a small number of high-profile or high-value assets, systems, or networks.
To assist in closing this gap, DHS works with the SSAs, owners and operators, and other CIKR partners to provide the following:
• Vulnerability assessment tools that may be used as part of self-assessment processes;
• Informative reports for industrial sectors, classes of activities, and high-consequence or at-risk special event sites;
• Generally accepted risk assessment principles for major classes of activities and high-consequence or at-risk special event sites;
• Assistance in the development and sharing of industry-based standards and tools;
• Recommendations regarding the frequency of assessments, particularly in light of emergent threats;
• Site assistance visits and vulnerability assessments of specific CIKR as requested by owners and operators, when resources allow; and
• Cyber vulnerability assessment best practices. (DHS works to leverage established methodologies that have traditionally focused on physical vulnerabilities by enhancing them to better address cyber elements.)

Some vulnerability assessments will include both vulnerability analysis and consequence analysis for specified scenarios.

3.3.5 Threat Assessment

The remaining factor to be considered in the NIPP risk assessment process is the assessment of threat. Assessment of the current terrorist threat to the United States is derived from extensive study and understanding of terrorists and terrorist organizations, and frequently is dependent on analysis of classified information. DHS provides its partners with Federal Government-coordinated unclassified assessments of potential terrorist threats and appropriate access to classified assessments where necessary and authorized. These threat assessments are derived from analyses of adversary intent and capability, and describe what is known about terrorist interest in particular CIKR sectors, as well as specific attack methods.
Since international terrorists, in particular, have continually demonstrated flexibility and unpredictability, DHS and its partners in the Intelligence Community also analyze known terrorist goals, objectives, and developing capabilities to provide CIKR owners and operators with a broad view of the potential threat and postulated terrorist attack methods.

The DHS National Cybersecurity Division (NCSD) has developed the Cyber Security Vulnerability Assessment (CSVA), a flexible and scalable approach that analyzes an entity’s cybersecurity posture and describes gaps and targeted considerations that can reduce overall cyber risks. It assesses the policies, plans, and procedures in place to reduce cyber vulnerability in 10 categories (e.g., access control, configuration management, physical security of cyber assets) and leverages various recognized standards, guidance, and methodologies (e.g., International Organization for Standardization (ISO) 27001, the Information Systems Audit and Control Association (ISACA) Control Objectives for Information and Related Technology (COBIT), and the National Institute of Standards and Technology Special Publication 800 series).

Core Criteria Guidance for Vulnerability Assessments
• Identify the vulnerabilities associated with physical, cyber, or human factors (openness to both insider and outsider threats), critical dependencies, and physical proximity to hazards.
• Describe all protective measures in place and how they reduce the vulnerability for each scenario.
• In evaluating security vulnerabilities, develop estimates of the likelihood of an adversary’s success for each attack scenario.
• For natural hazards, estimate the likelihood of the incident causing harm to the asset, system, or network, given that the natural hazard event occurs at the location of interest for the risk scenario.
3.3.5.1 Key Aspects of the Terrorist Threat to CIKR

Analysis of terrorist goals and motivations reveals that domestic and international CIKR are potentially prime targets for terrorist attack. Given the deeply rooted nature of these goals and motivations, CIKR likely will remain highly attractive targets for terrorists. Threat assessments must address the various elements of CIKR—physical, cyber, and human—depending on the attack type and target. Physical attacks, including the exploitation of physical elements of CIKR, represent the attack method most frequently used overtly by terrorists. In addition, there is increasing indication of terrorists’ intent to conduct cyber attacks and exploit the knowledge, influence, and access of insiders.

3.3.6 Homeland Infrastructure Threat and Risk Analysis Center

The DHS Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) conducts integrated threat and risk analyses for CIKR sectors. HITRAC is a joint intelligence center that spans both the DHS Office of Intelligence and Analysis (I&A)—a member of the Intelligence Community—and IP. As called for in section 201 of the Homeland Security Act, HITRAC brings together intelligence and infrastructure specialists to ensure a sufficient understanding of the risks to the Nation’s CIKR from foreign and domestic threats. HITRAC works in partnership with the U.S. Intelligence Community and national law enforcement to integrate and analyze intelligence and law enforcement information in threat and risk analysis products. HITRAC also works in partnership with the SSAs and owners and operators to ensure that their expertise on infrastructure operations is integrated into HITRAC analyses. HITRAC develops analytical products by combining threat assessments based on all-source information and intelligence analysis with vulnerability and consequence assessments.
This process provides an understanding of the threats, CIKR vulnerabilities, and potential consequences of attacks and other hazards. Analyses may also include potential options for managing risk. This combination of intelligence and practical CIKR knowledge allows DHS to provide products that contain strategically relevant and actionable information. It also allows DHS to identify intelligence collection requirements in conjunction with CIKR partners so that the Intelligence Community can provide the type of information necessary to support the CIKR risk management and protection missions. HITRAC coordinates closely with partners outside the Federal Government through the SSAs, SCCs, GCCs, Information Sharing and Analysis Centers (ISACs), State and Local Fusion Centers, and State Homeland Security Offices to ensure that its products are relevant to partner needs and are accessible.

3.3.6.1 Threat and Incident Information

DHS leverages, on a 24/7 basis, intelligence and operations monitoring and reporting from multiple sources to provide analyses based on the most current information available on threats, incidents, and infrastructure status. The timely analysis of information provided by DHS is of unique value to CIKR partners and helps them determine if changes are needed in steady-state and threat-based CIKR risk management measures.

TRIPwire Community Gateway
The TRIPwire Community Gateway (TWCG) is a new TRIPwire Web portal designed specifically for the Nation’s CIKR owners, operators, and private security personnel. TWCG provides expert threat analyses, reports, and relevant planning documents to help key private sector partners anticipate, identify, and prevent improvised explosive device (IED) incidents. TWCG shares IED-related information tailored to each of the 18 sectors of CIKR.
Sector partners benefit from increased communication, improved awareness of emerging threats, and access to resources and guidance on specific IED preventive and protective measures for their facilities and requirements.

Core Criteria Guidance for Threat Assessments
For adversary-specific threat assessments:
• Account for the adversary’s ability to recognize the target and the deterrence value of existing security measures.
• Identify any attack methods that may be employed.
• Consider the level of capability that an adversary demonstrates for a particular attack method.
• Consider the degree of the adversary’s intent to attack the target.
• Estimate threat as the likelihood that the adversary would attempt a given attack method against the target.
• If threat likelihoods cannot be estimated, use conditional risk values (consequence times vulnerability) and conduct sensitivity analyses to determine how likely the scenario would have to be to support the decision.
For natural disasters and accidental hazards:
• Use best-available analytic tools and historical data to estimate the likelihood of these events affecting CIKR.

DHS uses a variety of tools and systems to support incident and threat warnings. iCAV and DHS Earth help visualize these incident reports and threat warnings, allowing analysts to deliver a geospatial context to numerous information systems. These tools facilitate fusing information from multiple suspicious activity sources and provide situational awareness tracking for disasters such as hurricanes and other real-time events. This fusion provides DHS, States, local jurisdictions, and the private sector with a rapid, common understanding of the relationships between these events to support coordinated risk-mitigation, preparedness, response, and recovery activities.
DHS also supports State and Local Fusion Center (SLFC) efforts by ensuring that relevant threat information is passed along in a timely manner to SLFCs, that analyses conducted by national intelligence centers such as HITRAC are readily available to SLFC partners, and that initiatives designed to share best practices related to CIKR identification, risk analysis, and prioritization are supported.

Specialized products that directly support the NIPP and the SSPs include incident reports and threat warnings, which are made available to appropriate partners.

Incident Reports: DHS monitors information on incidents to provide reports that CIKR owners and operators and other decisionmakers can use when considering how evolving incidents might affect their CIKR protection posture. This reporting provides a responsive and credible source to verify or expand on information that CIKR partners may receive initially through the news media, the Internet, or other sources. DHS works with multiple government and private sector operations and watch centers to combine situation reports from law enforcement, intelligence, and private sector sources with infrastructure status and operational expertise to rapidly produce reports from a trusted source. These help inform the decisions of owners and operators regarding changes in risk-mitigation measures that are needed to respond to incidents in progress, such as rail or subway bombings overseas that may call for precautionary actions domestically.

Strategic Threat Assessments: HITRAC works with the Intelligence Community and with DHS’s partners to analyze information on adversaries who pose a threat to CIKR. HITRAC provides a high-level assessment of terrorist groups and other adversaries to the SSAs in order to inform their SSPs and prioritization efforts.
Threat Warnings: DHS monitors the flow of intelligence, law enforcement, and private sector security information on a 24/7 basis in light of the business, operational, and status expertise provided by its infrastructure analysis and owner/operator partners to produce relevant threat warnings for CIKR protection. The fusion of intelligence and infrastructure analysis clarifies the implications of intelligence reporting about targeted locations or sectors, potential attack methods and timing, or the specific nature of an emerging threat.

3.3.6.2 Risk Analysis

HITRAC uses risk analysis and other approaches to aid CIKR partners in identifying, assessing, and prioritizing risk management approaches. HITRAC also develops specialized products for strategic planning that directly support the NIPP and SSPs. In addition to these specific products, HITRAC produces strategic assessments and trend analyses that help define the evolving risk to the Nation’s CIKR.
• National Infrastructure Risk Analysis Program: National, State, regional, cross-sector, sector-specific, and site-specific risk analyses and assessments aid decisionmakers with planning and prioritizing risk-reduction measures within and across the CIKR sectors. These analyses and assessments leverage a number of analytic approaches, including the SHIRA process, which are tailored to particular decisions.
• National CIKR Prioritization Program: HITRAC works with CIKR partners to identify and prioritize the assets, systems, and networks most critical to the Nation through the Tier 1 and Tier 2 Program for critical assets, systems, networks, nodes, and functions within the United States, and the Critical Foreign Dependencies Initiative (CFDI) for CIKR outside of the United States. The prioritization of CIKR guides the Nation’s protective and incident management responses.
• Infrastructure Risk Analysis Partnership Program (IRAPP): IRAPP assists partners interested in pursuing their own CIKR risk analysis, whether they are in the Federal, State, local, or private sector CIKR protection communities. IRAPP involves customized support to interested partners and the sharing of best practices across the CIKR protection community.
• Committee on Foreign Investment in the United States (CFIUS) Support: CFIUS is an interagency committee of the Federal Government that reviews the national security implications of foreign investments in U.S. companies or operations. HITRAC provides support to CFIUS by developing written threat and risk assessments of foreign direct investment in the United States and evaluating the potential risks posed by foreign acquisition of U.S. CIKR. HITRAC also supports DHS efforts to manage those risks through the interagency CFIUS process.
developing operational plans, and exercising these scenarios through tabletop exercises and developing lessons learned from those activities. These efforts identify gaps in current strategies and risk-reduction programs for the Nation’s CIKR and support the development of recommendations for closing or managing identified gaps.
• Risk Analysis Development Program: The Risk Analysis Development Program works to improve the capabilities available to CIKR risk analysts and risk managers, both in DHS and among the rest of the NIPP stakeholders. The program conducts R&D to identify sound, common risk analysis approaches that support cross-sector comparisons and the full range of risk management decisions. Such practices use the risk assessment core criteria summarized in appendix 3A as a foundation, but also require the use of common scenarios and assumptions. These capabilities are being tested and are evolving to overcome lingering challenges as risk analysis practices for homeland security mature.
• Critical Foreign Dependencies Initiative (CFDI): CFDI, as part of the larger National CIKR Prioritization Program, is the Nation’s first step toward the identification and prioritization of the Nation’s critical foreign dependencies. The program provides a consolidating and coordinating mechanism by which the Federal Government may more effectively and efficiently engage our foreign CIKR partners.

3.4 Prioritize

Prioritizing risk management efforts regarding the most significant CIKR helps focus planning, increase coordination, and support effective resource allocation and incident management, response, and restoration decisions. The NIPP risk management framework is applicable to risk assessments on an asset, system, network, function, national, State, regional, or sector basis. Comparing the risk faced by different entities helps identify where risk mitigation is needed and to subsequently determine and help justify the most cost-effective risk management options. This approach identifies which CIKR should be given priority for risk reduction and which alternative options represent the best investment based on their risk-reduction return on investment. The prioritization process also develops information that can be used during incident response to help inform decisionmakers regarding issues associated with CIKR restoration.

3.4.1 The Prioritization Process

The prioritization process involves aggregating, combining, and analyzing risk assessment results to determine which assets, systems, networks, sectors, or combinations of these face the highest risk so that risk management priorities can be established. It also provides the basis for understanding potential risk-mitigation benefits that are used to inform planning and resource decisions.
This process involves two related activities. The first determines which regions, sectors, or other aggregations of CIKR assets, systems, or networks have the highest risk from relevant incidents or events. Of those with similar risk levels, the CIKR with the highest expected losses are accorded the highest priority in risk management program development. The second activity determines which actions are expected to provide the greatest mitigation of risk for any given investment. The risk management initiatives that result in the greatest risk mitigation for the investment proposed are accorded the highest priority in program design, resource allocation, budgeting, and implementation. Other priorities may be set based on regulatory or statutory requirements, presidential directives, and congressional mandates. This approach ensures that programs make the greatest contribution possible to overall CIKR risk mitigation given the available resources. In light of emerging threats, the need to address current credible threat information may require shifting resources.

Figure 3-5: NIPP Risk Management Framework: Prioritize

Assessments become more complex and difficult at different aggregations, such as when comparisons are necessary across sectors, across different geographic areas, or against different types of events. Using a common approach with consistent assumptions and metrics increases the ability to make such comparisons. Without this consistency, assessments are much more challenging.

3.4.2 Tailoring Prioritization Approaches to Sector and Decisionmakers’ Needs

CIKR partners rely on different approaches to prioritize risk management activities according to their authorities, specific sector needs, risk landscapes, security approaches, and business environment. For example, owners and operators, Federal agencies, and State and local authorities all have different options available to them to help reduce risk.
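The threat-assessment core criteria above (estimate threat as a likelihood, or fall back to conditional risk, consequence times vulnerability, with a sensitivity analysis when threat cannot be estimated) and the two prioritization activities just described (rank CIKR by risk, then rank options by risk reduction per investment) can be carried through in code. The following Python is a worked example added for this page; it is not DHS, HITRAC or NIPP code, and every target, hazard, dollar figure, vulnerability, threat likelihood, option cost and decision threshold in it is constructed for illustration.

```python
"""NIPP risk-equation screening: R = C x V x T, the conditional-risk fallback
(C x V plus a sensitivity analysis) when T cannot be estimated, and
prioritization of mitigation options by risk reduction per dollar.

Illustrative example added for this page. Not DHS, HITRAC or NIPP code;
every target, hazard, number and threshold here is constructed for
illustration and describes no real facility or assessment.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Scenario:
    """One risk scenario: the target, the hazard, and the three risk components."""
    target: str
    hazard: str
    consequence: float        # direct economic loss in dollars if the scenario occurs
    vulnerability: float      # P(harm | attempt or event), in [0, 1]
    threat: Optional[float]   # P(attempt or event) per year; None if not estimable

    def conditional_risk(self) -> float:
        """C x V: expected loss given that the attempt or event occurs."""
        return self.consequence * self.vulnerability

    def risk(self) -> Optional[float]:
        """Annualized risk C x V x T, or None when no threat estimate exists."""
        if self.threat is None:
            return None
        return self.conditional_risk() * self.threat


@dataclass(frozen=True)
class Option:
    """A protective measure: its cost and the vulnerability left after it is applied."""
    name: str
    cost: float
    residual_vulnerability: float


def break_even_threat(s: Scenario, decision_threshold: float) -> float:
    """Sensitivity analysis for a scenario with no threat estimate.

    Returns the annual likelihood T* at which C x V x T* reaches the risk level
    that justifies action. A value above 1.0 means the action cannot be
    justified on this scenario even if an attempt were certain; inf means the
    conditional risk is zero.
    """
    cr = s.conditional_risk()
    return float("inf") if cr == 0 else decision_threshold / cr


def risk_reduction(s: Scenario, opt: Option,
                   assumed_threat: Optional[float] = None) -> float:
    """Annual risk removed by an option: C x (V_before - V_after) x T.

    When the scenario lacks a threat estimate the caller must pass one
    explicitly, so the assumption stays visible (the Documented criterion).
    """
    t = s.threat if s.threat is not None else assumed_threat
    if t is None:
        raise ValueError(f"{s.target}: no threat estimate; pass assumed_threat")
    return s.consequence * (s.vulnerability - opt.residual_vulnerability) * t


def prioritize_options(s: Scenario, options: List[Option],
                       assumed_threat: Optional[float] = None) -> List[Tuple[str, float]]:
    """Second prioritization activity: rank options by risk reduction per dollar."""
    scored = [(o.name, risk_reduction(s, o, assumed_threat) / o.cost) for o in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def rank_scenarios(scenarios: List[Scenario]) -> List[str]:
    """First prioritization activity: highest annualized risk first, consequence
    (expected loss if the scenario occurs) breaking ties. Scenarios without a
    threat estimate are left out here and handled via break_even_threat()."""
    assessed = [s for s in scenarios if s.risk() is not None]
    ordered = sorted(assessed, key=lambda s: (s.risk(), s.consequence), reverse=True)
    return [s.target for s in ordered]


# Constructed sample scenarios (hypothetical targets, not real assessments).
STADIUM = Scenario("stadium", "4,000-lb TNT-equivalent VBIED at capacity", 250e6, 0.6, 0.02)
CHEMICAL = Scenario("chemical facility", "release of stored toxic inventory", 800e6, 0.3, None)
DAM = Scenario("dam", "Category 5 hurricane high-water event", 1.2e9, 0.1, 0.05)

# Constructed mitigation options for the stadium scenario.
OPTIONS = [
    Option("vehicle standoff barriers", cost=4e6, residual_vulnerability=0.2),
    Option("guard training", cost=0.5e6, residual_vulnerability=0.5),
    Option("CCTV upgrade", cost=1e6, residual_vulnerability=0.55),
]

DECISION_THRESHOLD = 1e6  # constructed: annual risk in dollars that justifies action

if __name__ == "__main__":
    print("ranked by risk:", rank_scenarios([STADIUM, CHEMICAL, DAM]))
    print("chemical facility break-even T*:", break_even_threat(CHEMICAL, DECISION_THRESHOLD))
    print("stadium options by risk reduction per dollar:", prioritize_options(STADIUM, OPTIONS))
```

Run as a script, it ranks the dam scenario above the stadium on annualized risk, reports that the chemical-facility scenario (which has no threat estimate) would need an attempt likelihood of roughly 0.0042 per year before its risk reaches the constructed one-million-dollar threshold, and ranks guard training ahead of the vehicle barriers for the stadium: the barriers remove more absolute risk, but training removes more per dollar, which is the measure the second prioritization activity calls for. Two assumptions are kept visible on purpose, in line with the Documented criterion: consequence here is direct economic loss only, and an assumed threat for unscored scenarios must be passed explicitly rather than defaulted.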
Asset-focused priorities may be appropriate for CIKR whose risk is predominantly associated with facilities, the local environment, and physical attacks, especially those that can be exploited and used as weapons. Function-focused priorities may more effectively ensure the continuity of operations in the event of a terrorist attack or natural disaster in sectors where CIKR resilience may be more important than CIKR hardening. Programs to reduce CIKR risk give priority to investments that protect physical assets or ensure resilience in virtual systems, depending on which option best enables cost-effective CIKR risk management. To ensure a consistent approach to risk analysis for CIKR protection, partners establish priorities using risk analyses that use common scenarios and assumptions and follow the parameters for risk assessment methodologies set out in appendix 3A. For quick-response decisions, lacking sound risk assessments for reference, some priorities will be informed by top-down assessments using surrogate data or data at high levels of CIKR aggregation (e.g., population density as a surrogate for casualties). As both the NIPP partnership and the knowledge base of risk assessments grow, decisions can be increasingly informed by a combination of top-down and bottom-up analyses using detailed information on specific individual facilities, with a prioritization based on the level of risk reduced by the investment.

National CIKR Prioritization Program

The DHS Tier 1 and Tier 2 Program identifies nationally significant critical assets and systems in order to enhance decisionmaking related to CIKR protection. CIKR identified through the program include those that, if destroyed or disrupted, could cause some combination of significant casualties, major economic losses, or widespread and long-term disruptions to national well-being and governance capacity. The overwhelming majority of the assets and systems identified through this effort are classified as Tier 2. Only a small subset of assets meet the Tier 1 consequence threshold—those whose loss or damage could result in major national or regional impacts similar to the impacts of Hurricane Katrina or the September 11, 2001, attacks. The process of identifying these nationally significant assets and systems is conducted on an annual basis and relies heavily on the insights and knowledge of a wide array of public and private sector security partners.

CIKR categorized as Tier 1 or Tier 2 as a result of this annual process provide a common basis on which DHS and its security partners can implement important CIKR protection programs and initiatives, such as various grant programs, buffer zone protection efforts, facility assessments and training, and other activities. Specifically, the Tier 1/Tier 2 list is used to support eligibility determinations for Urban Area Security Initiative (UASI), State Homeland Security, and Buffer Zone Protection grant programs. The Tier 1/Tier 2 list is classified.

To meet the growing need for additional prioritized lists of infrastructure for planning and incident management purposes, the National CIKR Prioritization Program has also expanded to: identify, assess, and prioritize foreign infrastructure critical to the Nation through CFDI; provide sectors and States with the opportunity to build lists to meet their individual risk and incident management needs; and provide a forum through which the infrastructure protection community can and will continue to improve its ability to prioritize CIKR during incidents and enable response and recovery operations.

Critical Foreign Dependencies Initiative

CFDI involves three phases of activities, two on an annual basis and one ongoing:

• Phase I — Identification (annual): DHS, working with CIKR protection and intelligence community partners, developed the first-ever National Critical Foreign Dependencies List in FY2008, reflecting the critical foreign dependencies of the CIKR sectors, as well as critical foreign dependencies of interest to the Nation as a whole. The identification process includes input from public and private sector CIKR partners.

• Phase II — Prioritization (annual): DHS, working with CIKR partners, and in particular DOS, prioritized the National Critical Foreign Dependencies List based on factors such as the overall criticality of the CIKR to the United States and foreign partner willingness and capability to engage in collaborative risk management activities.

• Phase III — Engagement (ongoing): Phase III involves leveraging the prioritized National Critical Foreign Dependencies List to guide current and future U.S. bilateral and multilateral incident and risk management activities with foreign partners. DHS and DOS established mechanisms to ensure coordinated engagement and collaboration by public sector entities, in partnership with the private sector.

The Strategy: Managing Risk 41

3.4.3 The Uses of Prioritization

A primary use of prioritization is to inform resource allocation decisions, such as: where risk management programs should be instituted; guidance on investments in these programs; and which measures offer the greatest return on investment. The results of the prioritization process guide CIKR risk management requirements and should drive important resource allocation decisions. At the national level, DHS is responsible for overall national risk-informed CIKR prioritization in close collaboration with the SSAs, States, and other CIKR partners.
SSA responsibilities include managing government interaction with the sector and helping to cultivate information sharing and collaboration to identify, prioritize, and manage risk. They must also extend their sector focus to enable cross-sector comparisons of risk and metrics that help owners and operators, as well as Federal, State, local, and tribal governments, support evaluations of the risk-reduction return on various investments. At the State level, DHS is working to develop a collaborative relationship with State and local authorities through the Infrastructure Risk Analysis Partnership Program. This effort is geared toward working with State authorities to foster the capability to develop, evaluate, and support the implementation of CIKR risk management decisions in a State/local environment. The program is initially being piloted with a limited group of CIKR partners and will subsequently be rolled out more broadly as the roles, responsibilities, and approaches are tested and refined.

3.5 Implement Protective Programs and Resiliency Strategies

Figure 3-6: NIPP Risk Management Framework: Implement Programs

The risk assessment and prioritization process at the sector and jurisdictional levels will help identify requirements for near-term and future protective programs and resiliency strategies. Some of the identified shortfalls or opportunities for improvement will be filled by owner/operators, either voluntarily or based on various incentives. Other shortfalls will be addressed through the protective programs that each sector develops under the SSP, in State CIKR protection plans, or through cross-sector or national initiatives undertaken by DHS.

The Nation’s CIKR is widely distributed in both a physical and logical sense. Effective CIKR protection requires both distributed implementation of protective programs by partners and focused national leadership to ensure implementation of a comprehensive, coordinated, and cost-effective approach that helps reduce or manage the risks to the Nation’s most critical assets, systems, and networks. At the implementation level, protective programs and resiliency strategies consist of numerous, diverse actions that are undertaken by various CIKR partners. From the leadership perspective, programs are structured to address coordination and cost-effectiveness. The following sections describe the nature and characteristics of best practice protective programs and resiliency strategies, as well as some existing programs that could be applied to specific assets, systems, and networks.

The National CIKR Risk Profile

Leveraging information provided through the SHIRA process, HITRAC produces a National CIKR Risk Profile that serves as the foundation of the infrastructure protection community’s common prioritization of risks to the Nation’s infrastructure and is captured in the National CIKR Protection Annual Report. Each year, the National Risk Profile identifies the highest relative risks to CIKR from among a number of natural and manmade hazards, as well as those sectors at a higher risk from the greatest number of hazards. The report also identifies additional risk management concerns, such as high-likelihood risks and low-likelihood/high-consequence infrastructure protection priorities. By providing a common understanding of the Nation’s CIKR risks, the National Risk Profile provides a common basis for prioritization and helps to focus community efforts on those hazards and sectors of greatest overall concern.
3.5.1 Risk Management Actions

Risk management actions involve measures designed to: prevent, deter, and mitigate the threat; reduce vulnerability to an attack or other disaster; minimize consequences; and enable timely, efficient response and restoration in a post-event situation, whether a terrorist attack, natural disaster, or other incident. The NIPP risk management framework focuses attention on those activities that bring the greatest return on investment, not simply the vulnerability reduction to be achieved. Protective programs and resiliency strategies vary between sectors and across a wide spectrum of activities designed to deter, devalue, detect, or defend. Risk management actions also may include the means for mitigating the consequences of an attack or incident. These actions are focused on mitigation, response, and/or recovery. Generally, it is considered more cost-effective to build security and resiliency into assets, systems, and networks than to retrofit them after initial development and deployment. Accordingly, CIKR partners should consider how risk management, robustness, resiliency, and appropriate physical security and cybersecurity enhancements could be incorporated into the design and construction of new CIKR. In situations where robustness and resiliency are keys to CIKR protection, providing protection at the system level rather than at the individual asset level may be more effective and efficient (e.g., if there are many similar facilities, it may be easier to allow other facilities to provide the infrastructure service rather than to protect each facility).
3.5.2 Characteristics of Effective Protective Programs and Resiliency Strategies

Characteristics of effective CIKR protective programs and resiliency strategies include, but are not limited to, the following:

• Comprehensive: Effective programs must address the physical, cyber, and human elements of CIKR, as appropriate, and consider long-term, short-term, and sustainable activities. The SSPs describe many programs and initiatives to protect CIKR within the sector (e.g., operational changes, physical protection, equipment hardening, cyber protection, system resiliency, backup communications, training, response plans, and security system upgrades).

• Coordinated: Because of the highly distributed and complex nature of the various CIKR sectors, the responsibility for protecting CIKR must be coordinated:

– CIKR owners and operators (public or private sector) are responsible for protecting property, information, and people through measures that manage risk to help ensure more resilient operations and more effective loss prevention. These measures include increased awareness of terrorist threats and implementation of operational responses to reduce vulnerability (e.g., changing daily routines, keeping computer software and virus-checking applications up to date, and applying fixes for known software defects).

– State, local, and tribal authorities are responsible for providing or augmenting protective actions for assets, systems, and networks that are critical to the public within their jurisdiction and authority. They develop protective programs, supplement Federal guidance and expertise, implement relevant Federal programs such as the Buffer Zone Protection Program (BZPP), and provide specific law enforcement capabilities as needed. When appropriate, they have access to Federal resources to meet jurisdictional protection priorities.

– Federal agencies are responsible for enabling or augmenting protection for CIKR that is nationally critical or coordinating the efforts of CIKR partners and the use of resources from different funding sources. DHS, SSAs, and other Federal departments and agencies carry out these responsibilities while respecting the authorities of State, local, and tribal governments, and the prerogatives of the private sector.

– … strategies, develop protective programs, and coordinate the implementation of programs for their sectors. For some sectors, this includes the development and sharing of best and effective practices and related criteria, guidance documents, and tools.

– DHS, in collaboration with the SSAs and other public and private sector partners, serves as the national focal point for the development, implementation, and coordination of risk management approaches and tools and of protective programs and resiliency strategies (including cybersecurity efforts) for those assets that are deemed to be nationally critical.

• Cost-Effective: Effective CIKR programs and strategies seek to use resources efficiently by focusing on actions that offer the greatest mitigation of risk for any given expenditure. The following is a discussion of factors that should be considered when assessing the cost-effectiveness and public benefits derived through implementation of CIKR protection initiatives:

– Operating with full information: The NIPP describes the mechanisms that enable the use of information regarding threats and corresponding protective actions. These mechanisms include: information sharing; provision of a dedicated communications network; and the use of established, interoperable industry and trade association communications mechanisms.

– Addressing the present-future tradeoff in long-lead-time investments: The NIPP provides the processes and coordinating structures that allow State, local, and tribal governments and private sector partners to effectively use long-lead-time approaches to CIKR protection.

– Matching the underlying economic incentives of each CIKR partner to the full extent possible: The NIPP supports market-based economic incentives wherever possible by relying on CIKR partners to undertake those efforts that are in their own interests and complementing those efforts with additional resources where necessary and appropriate. This coordinated approach builds on existing efforts that have proven to be effective and that are consistent with best business practices, such as owners and operators selecting the measures that are best suited to their particular risk profile and needs.

– Addressing the public-interest aspects associated with CIKR protection: Risk management actions for CIKR that provide benefits to the public at large go beyond the actions that benefit owners and operators, or even those that benefit the public residing in a particular State, locality, or region. Such additional actions reflect different levels of the public interest—some CIKR are critical to the national economy and to national well-being; some CIKR are critical to a State, locality, or region; some CIKR are critical only to the individual owner/operator or direct customer base. Actions to protect the public’s interest that require investment beyond the level that those directly responsible for protection are willing and able to provide must be of sufficient priority to warrant the use of the limited resources that can be provided from public funding or may require regulatory action or appropriate incentives to encourage the private sector to undertake them.

• Risk-Informed: Protective programs and resiliency strategies focus on mitigating risk. Associated actions should be designed to allow measurement, evaluation, and feedback based on risk mitigation. This allows owners, operators, and the SSAs to reevaluate risk after the program has been implemented. These programs and strategies use different mechanisms for addressing each element of risk and combine their effects to achieve overall risk mitigation. These mechanisms include:

– Consequences: Protective programs and resiliency strategies may limit or manage consequences by reducing the possible loss resulting from a terrorist attack or other disaster through redundant system design, backup systems, and alternative sources for raw materials or information.

– Vulnerability: Protective programs may reduce vulnerability by decreasing the susceptibility to destruction, incapacitation, or exploitation by correcting flaws or strengthening weaknesses in assets, systems, and networks.

– Threat: Protective programs and resiliency strategies indirectly reduce threat by making assets, systems, or networks less attractive targets to terrorists by lessening their vulnerability and lowering the consequences. As a result, terrorists may be less likely to achieve their objectives and, therefore, less likely to focus on the CIKR in question.

3.5.3 Risk Management Activities, Initiatives, and Reports

DHS, in collaboration with the SSAs and other sector partners, undertakes a number of protective programs, resiliency strategies, initiatives, activities, and reports that support CIKR protection. Many of these are available to or provide resources for CIKR partners. These activities span a wide range of efforts that include, but are not limited to, the following:

• Buffer Zone Protection Program: A Federal grant program designed to provide resources to State and local law enforcement to enhance the protection of a given critical facility.
• Assistance Visits: Facility security assessments jointly conducted by a federally led team and facility owners and operators that are designed to facilitate vulnerability identification and mitigation discussions with individual owners and operators.

• Training Programs: Training programs are designed to provide CIKR partners with a source from which they can obtain specialized training to enhance CIKR protection. Subject matter, course length, and location of training can be tailored to the partner’s needs.

• Control System Security: DHS coordinates efforts among Federal, State, local, and tribal governments, as well as control system owners, operators, and vendors to improve control system security within and across all CIKR sectors.

• Multi-Jurisdictional Improvised Explosive Device Security Plans: DHS assists high-risk urban environments with developing thorough IED security plans that efficiently integrate assets and capabilities from multiple jurisdictions and emergency services disciplines. The plan that results from this process can help determine what actions are necessary to enhance IED prevention and the protection capabilities of the multi-jurisdictional area, which ultimately culminates in the development of a NRF- and National Incident Management System (NIMS)-compliant multi-jurisdictional plan.

• Protective Security Advisor (PSA) Program: DHS CIKR protection and vulnerability assessment specialists are assigned as liaisons between DHS and the CIKR protection community at the State, local, and private sector levels in geographical areas representing major concentrations of CIKR across the United States. PSAs are responsible for sharing risk information and providing technical assistance to local law enforcement and owners and operators of CIKR within their respective areas of responsibility. The PSA Duty Desk serves as the conduit among the PSAs, DHS, and other CIKR partners to facilitate, on a 24/7 basis, coordination and collaboration during steady-state and incident operations.

IP Vulnerability Assessment Project

The IP Vulnerability Assessment (VA) Project serves as the focal point for strategic planning, coordination, and information sharing in conducting vulnerability assessments of the Nation’s Tier 1 and Tier 2 CIKR. Through the development and deployment of a scalable assessment methodology, the VA Project supports the implementation of the NIPP through identifying vulnerabilities, supporting collaborative security planning, and recommending protective measures strategies. IP VA Project initiatives include the BZPP, Site Assistance Visits (SAVs), CRs, and the Computer-Based Assessment Tool (CBAT). The VA Project provides vulnerability assessment methodologies that enhance DHS’s and CIKR stakeholders’ ability to prevent, protect, and respond to terrorist attacks and all-hazards incidents. The VA Project brings together: Federal, State, local, tribal, and territorial governments; local law enforcement; emergency responders; and CIKR owners and operators to conduct assessments to identify critical assets, vulnerabilities, consequences, and protective measures and resiliency strategies. The VA Project also provides analysis of CIKR facilities to include: potential terrorist actions for an attack; the consequences of such an attack; and the integrated preparedness and response capabilities of Federal, State, local, tribal, and territorial and private sector partners. The results are used to enhance the overall CIKR protection posture at the facility, community, and regional levels using short-term enhancements and long-term risk-informed investments in training, processes, procedures, equipment, and resources.

Protective Security Advisors

The mission of the PSAs is to represent DHS and IP in local communities throughout the United States. PSAs work with State HSAs, acting as liaisons among: DHS; the private sector; and Federal, State, local, tribal, and territorial entities and serving as DHS locally based critical infrastructure protection specialists. PSAs provide support to officials responsible for special events planning and exercises, and provide real-time information on facility significance and protective measures to facility owners and operators, as well as State and local representatives. PSAs assist and facilitate IP efforts to identify, assess, monitor, and minimize risk to CIKR at the State, local, and regional levels. As a result of their national “footprint” across the United States, PSAs are often the first department personnel to provide support for emergent incidents. Consequently, PSAs are uniquely able to provide early situational awareness to DHS and IP leadership during an incident or contingency operations. During natural disasters and contingencies, PSAs deploy to State and local Emergency Operations Centers (EOCs) and SLFCs to provide situational awareness and facilitate information exchange to and from the field. During incidents, upon designation by the Assistant Secretary of Infrastructure Protection, PSAs perform as Infrastructure Liaisons (ILs) at Joint Field Offices (JFOs) in support of the Principal Federal Officials (PFOs) and Federal Coordinating Officers (FCOs) under the NRF.

A detailed discussion of DHS-supported programs is provided in appendix 3B. The SSAs and other Federal departments and agencies also oversee programs, initiatives, and activities that support CIKR protection and resiliency. Many of these are also available to or provide resources for CIKR partners.
Examples include:

• The Department of Veterans Affairs created a methodology also used by the Smithsonian Institution and adapted by Federal Emergency Management Agency (FEMA) Manual 452, Risk Management: A How-To Guide to Mitigate Potential Terrorist Attacks Against Buildings, to assess the risk to and mitigation for hundreds of buildings and museums.

• DOT manages a Pipeline Safety grant program that supports efforts to develop and maintain State natural gas, liquefied natural gas, and hazardous liquid pipeline safety programs.

• Other risk management activities include developing and providing informational reports, such as the DHS Characteristics of Common Vulnerabilities Reports and the Indicators of Terrorist Activity Reports, which are available to all State and territorial homeland security offices. In addition to threat and vulnerability information, informational reports also include best practices for protection measures. One report in particular, a part of FEMA’s Risk Management Series, addresses the protection of buildings and is applicable across sectors.

3.6 Measure Effectiveness

Figure 3-7: NIPP Risk Management Framework: Measure Effectiveness

The use of performance metrics is a critical step in the NIPP risk management process to enable DHS and the SSAs to objectively and quantitatively assess improvements in CIKR protection and resiliency at the sector and national levels. While the results of risk analyses outlined in section 3.3 help sectors set priorities, performance metrics allow NIPP partners to track progress against these priorities. The metrics provide a basis for DHS and the SSAs to establish accountability, document actual performance, facilitate diagnoses, promote effective management, and provide a feedback mechanism to decisionmakers.

Enhanced Critical Infrastructure Protection (ECIP) Program

PSAs were directed to form partnerships with the owners and operators of the Nation’s Tier 1 and Tier 2 CIKR and conduct site visits (ECIP visits) for all of these assets. PSAs coordinate site visits with the SSAs, owners and operators, HSAs, FBI, local law enforcement (LLE), and other CIKR partners, as necessary. During the visit, PSAs document information on the facility’s current CIKR protection posture and overall security awareness. The primary goals for ECIP site visits are to:

• Inform facility owners and operators of the importance of their facilities as an identified high-priority CIKR and the need to be vigilant in light of the ever-present threat of terrorism;

• Identify protective measures currently in place at Tier 1 and Tier 2 facilities, provide comparisons of CIKR protection postures across like assets, and track the implementation of new protective measures; and

• Enhance existing relationships between Tier 1/Tier 2 facility owners and operators, DHS, and various Federal, State, local, tribal, and territorial partners in order to:

– Provide increased situational awareness regarding potential threats;

– Maintain an in-depth knowledge of the current CIKR protection posture at each facility; and

– Provide a known and available Federal resource to facility owners and operators.

3.6.1 NIPP Metrics Types and Progress Indicators

3.6.1.1 Outcome Metrics

The focus of the NIPP metrics program is to track progress toward a strategic goal by measuring beneficial results or outcomes. The key to NIPP performance management is to align outcome metrics to sector priorities. The 18 sectors are diverse, operate in every State, and affect every level of government. As a result, NIPP priorities and many NIPP metrics will vary from sector to sector.
All NIPP metrics must be specific and clear as to what they are measuring, practical or feasible in that the needed data are available, and built on objectively measured data. In addition to outcome metrics, other information will be utilized, such as output data and descriptive data.

• Output (or Process) Data are used to gauge whether specific activities were performed as planned, track the progress of a task, or report on the output of a process. Output data show progress toward performing the activities necessary to achieve CIKR protection goals and can serve as leading indicators for outcome measures. They also help build a comprehensive picture of CIKR protection status and activities. Examples include the number of protective programs implemented in a fiscal year, percentage of sector organizations exchanging CIKR information, and the level of response to a data call for asset information.

• Descriptive Data are used to understand sector resources and activities, but do not reflect CIKR protection performance. Examples include: a narrative description of progress; the number of facilities in a jurisdiction; the population resident or working in the area affected by an incident; and the number of suppliers in an infrastructure service provider’s supply chain.

NIPP metrics are evolving from the current focus on descriptive and output data to a focus on outcome metrics. Descriptive and output data have been critical during the initial implementation of the NIPP in order to closely track the progress of the sectors in building key NIPP elements, such as the SSPs and GCCs/SCCs. The next stage of NIPP implementation will concentrate on working with the sectors to identify and track outcome metrics that are aligned to sector priorities and provide NIPP partners with a more comprehensive assessment of the success of CIKR protection efforts.

3.6.1.2 NIPP Metrics Progress Indicators

NIPP outcome metrics and output/descriptive data will be identified and reported in two ways—the National Coordinator Progress Indicator and Sector Progress Indicators:

• The National Coordinator Progress Indicator describes IP efforts to support NIPP- and SSP-related activities.

• Sector Progress Indicators collectively describe the progress made by each sector and the effectiveness of different activities within the CIKR sectors.

Both types of progress indicators will have certain common features. They will contain a limited number of prioritized metrics and data that are aligned to sector priorities. Outcome metrics will be given the most importance, but some process and descriptive data may be included. Collectively, these metrics and data will provide a holistic picture of the health and effectiveness of the national and sector CIKR efforts and will help drive future investment and resource decisions.

3.6.1.3 Qualitative Information

Although not considered metrics, the NIPP also provides mechanisms for qualitative feedback that can be applied to augment and improve the effectiveness and efficiency of public and private sector CIKR protection and resiliency programs. DHS works with CIKR partners to identify and share lessons learned and best practices for all aspects of the risk management process. DHS also works with the SSAs to share relevant input from sector partners and other sources that can be used as part of the national effort to continuously improve CIKR protection and resiliency.

3.6.2 Gathering Performance Information

DHS works with the SSAs and sector partners to gather the information necessary to measure the level of performance associated with the progress indicators. Given the inherent differences in CIKR sectors, a one-size-fits-all approach to gathering this information is not appropriate.
One of the available resources to support information gathering is the PSA Program through the ECIP/Infrastructure Survey Tool. The PSAs can be particularly helpful in gathering information at individual facilities or assets when different CIKR protec – tion initiatives are implemented. This information can be used independently or combined with that of other assets, as well as with data on systems and networks that may not be amenable to physical inspection. DHS also works with the SSAs and sector partners to deter – mine the appropriate measurement approach to be included in the sector’s SSP and to help ensure that partners engaged with multiple sectors or in cross-sector matters are not subject to unnecessary redundancy or conflicting guidance in information collection. Information collected as part of this effort is protected as discussed in detail in chapter 4. The Strategy: Managing Risk 47 3.6.3 Assessing Performance and Reporting on Progress HSPD-7 requires each SSA to provide the Secretary of Homeland Security with an annual report on their efforts to identify, prioritize, and coordinate the protection of CIKR in their respective sectors. The reports are due no later than June 1 of each year. The SSAs work in close collaboration with sector partners, their respective SCCs and GCCs, and other organizations in developing this report. DHS and SSAs work in close collaboration to assess progress made toward goals in each sector based on these reports. The National Annual Report currently includes similar reports for the SLTTGCC and the RCCC as appendixes. Additional appendixes to the current National Annual Report address the year’s accomplishments for IP, the Office of Cybersecurity & Communications, the Tier 1 and Tier 2 Program, and the NISAC. 
DHS compiles all of these reports into a national cross-sector report that describes annual progress toward CIKR protection goals on a national basis and makes recommendations to the EOP for prioritized resource allocation across the Federal Government to meet national CIKR protection requirements. A more detailed discussion of the national resource allocation process for CIKR protection is included in chapter 7.

In addition to these annual reports, the SSAs regularly update their measurements of CIKR status and protection levels to support DHS status tracking and comprehensive inventory updating. By maintaining a regularly updated knowledge base, DHS is able to quickly compile real-time CIKR status and protection postures to respond to changing circumstances as indicated by tactical intelligence assessments of terrorist threats or natural disaster damage assessments. This helps inform resource allocation decisions during incident response and other critical operations that support the homeland security mission.

3.7 Using Metrics and Performance Measurement for Continuous Improvement

By using NIPP metrics to evaluate the effectiveness of efforts to achieve sector priorities, CIKR partners adjust and adapt the Nation's CIKR protection approach to account for progress achieved, as well as for changes in the threat and other relevant environments. At the national level, NIPP metrics are used to focus attention on areas of CIKR protection that warrant additional government resources or other changes, through an analysis of gaps and priorities for protective programs at both the national and sector levels. If an evaluation of the effectiveness of efforts to achieve priorities using NIPP metrics reveals that there is insufficient progress, DHS and its CIKR partners will undertake actions to focus efforts on addressing these particular gaps or improvement opportunities.
In addition to supporting the evaluation of progress against sector priorities, metrics can also serve as a feedback mechanism for other parts of the NIPP risk management framework. The metrics can inform progress against the broader sector goals (see section 3.1). Metrics can also provide analysts with information to adjust their risk assessments (see section 3.3). For instance, metrics indicate the effectiveness of protective programs and the extent to which these programs are mitigating risks. Finally, metrics can also inform the prioritization process (see section 3.4), as this information can assist decisionmakers in identifying effective ways to achieve desired outcomes.

[Figure 3-8: NIPP Risk Management Framework: Feedback Loop for Continuous Improvement of CIKR Protection]

48 National Infrastructure Protection Plan

4. Organizing and Partnering for CIKR Protection

The enormity and complexity of the Nation's CIKR, the distributed character of our national protective architecture, and the uncertain nature of the terrorist threat and manmade or natural hazards make the effective implementation of protection and resiliency efforts a great challenge. To be effective, the NIPP must be implemented using organizational structures and partnerships committed to sharing and protecting the information needed to achieve the NIPP goal and supporting objectives described in chapter 1. DHS, in close collaboration with the SSAs, is responsible for overall coordination of the NIPP partnership organization and information-sharing network.

4.1 Leadership and Coordination Mechanisms

The coordination mechanisms described below establish linkages among CIKR protection efforts at the Federal, State, regional, local, tribal, territorial, and international levels, as well as between public and private sector partners.
In addition to direct coordination, the structures described below provide a national framework that fosters relationships and facilitates coordination within and across CIKR sectors:
• National-Level Coordination: IP facilitates overall development of the NIPP and the SSPs, provides overarching guidance, and monitors the full range of associated coordination activities and performance measures. IP will support, not duplicate, SSA coordination, protection, or other risk reduction capabilities. Chapter 2 details specific roles for DHS.
• Sector Partnership Coordination: The CIKR Cross-Sector Council; the Government Cross-Sector Council (made up of two subcouncils—the NIPP Federal Senior Leadership Council (FSLC) and the SLTTGCC); and individual SCCs and GCCs create a structure through which representative groups from Federal, State, local, and tribal governments and the private sector can collaborate and develop consensus approaches to CIKR protection.
• Regional Coordination: Regional partnerships, groupings, and governance bodies such as the Great Lakes Partnership, the All-Hazards Consortium, the Pacific NorthWest Economic Region, and the Southeast Regional Research Initiative enable CIKR protection coordination within and across geographical areas and sectors. Such bodies are composed of representatives from industry and State, local, and tribal entities located in whole or in part within the planning area for an aggregation of high-risk targets, urban areas, or cross-sector groupings. They facilitate enhanced coordination among jurisdictions within a State where CIKR cross multiple jurisdictions, and help sectors coordinate with multiple States that rely on a common set of CIKR. They also are organized to address common approaches to a wide variety of natural or manmade hazards.
The RCCC was established in 2008 to help enhance the engagement of regionally based partners and to leverage the CIKR protection activities and resiliency strategies that they lead.
• International Coordination: The United States-Canada-Mexico Security and Prosperity Partnership; the North Atlantic Treaty Organization's (NATO's) Senior Civil Emergency Planning Committee; certain government councils, such as the CFIUS; the CFDI; and consensus-based nongovernmental or public-private organizations, such as the global Forum of Incident Response and Security Teams (FIRST), enable a range of CIKR protection coordination activities associated with established international agreements.

4.1.1 National-Level Coordination

Respecting the SSA's responsibilities as the sector lead, DHS, in collaboration with the SSAs and the GCCs, monitors the coordination and integration of national-level CIKR protection activities through IP.
In support of CIKR partner coordination, DHS:
• Leads, integrates, and coordinates the execution of the NIPP, in part by acting as a central clearinghouse for the information-sharing, reporting, and coordination activities of the individual sector governance structures;
• Facilitates the development and ongoing support of governance and coordination structures or models;
• Facilitates NIPP revisions and updates using a comprehensive national review process;
• Ensures that effective policies, approaches, guidelines, and methodologies regarding partner coordination are developed and disseminated to enable the SSAs and other partners to carry out NIPP responsibilities;
• Facilitates the development of risk, risk-informed, and criticality-based assessments and prioritized lists of CIKR;
• Facilitates the sharing of CIKR prioritization and protection-related best practices and lessons learned;
• Facilitates participation in preparedness activities, planning, readiness exercises, and public awareness efforts; and
• Ensures cross-sector coordination with the SSAs to avoid conflicting guidance, duplicative requirements, and reporting.

4.1.2 Sector Partnership Coordination

The goal of NIPP-related organizational structures, partnerships, and information-sharing networks is to establish the context, framework, and support for activities required to implement and sustain the national CIKR protection effort. DHS, in collaboration with the SSAs and sector partners, issues coordinated guidance on the framework for CIKR public-private partnerships, as well as metrics to measure their effectiveness.
[Figure 4-1: Sector Partnership Model. The figure shows a paired Sector Coordinating Council and Government Coordinating Council for each sector, the CIKR Cross-Sector Council, the Government Cross-Sector Council (comprising the NIPP FSLC and the SLTTGCC), and the Regional Consortium Coordinating Council.]

The NIPP relies on a partnership model, illustrated in figure 4-1, as the primary organizational structure for coordinating CIKR efforts and activities. The NIPP partnership model encourages formation of SCCs and GCCs as described below. DHS also provides guidance, tools, and support to enable these groups to work together to carry out their respective roles and responsibilities. SCCs and corresponding GCCs work in tandem to create a coordinated national framework for CIKR protection and resiliency within and across sectors. The sector partnership model facilitates the integration of all partners into CIKR planning and operational activities to help ensure a collaborative approach to CIKR protection.

4.1.2.1 CIKR Cross-Sector Council

Cross-sector issues and interdependencies are addressed among the SCCs through the CIKR Cross-Sector Council, which comprises the leadership of each of the SCCs. The Partnership for Critical Infrastructure Security provides this representation with support from DHS's CIKR Executive Secretariat.
The partnership coordinates cross-sector initiatives to support CIKR protection by identifying legislative issues that affect such initiatives and by raising awareness of issues in CIKR protection. The primary activities of the CIKR Cross-Sector Council include:
• Providing senior-level, cross-sector strategic coordination through partnership with DHS and the SSAs;
• Identifying and disseminating CIKR protection best practices across the sectors;
• Participating in coordinated planning efforts related to the development, implementation, and revision of the NIPP and the SSPs or aspects thereof; and
• Coordinating with DHS to support efforts to plan and execute the Nation's CIKR protection mission.

4.1.2.2 Government Cross-Sector Council

Cross-sector issues and interdependencies between the GCCs will be addressed through the Government Cross-Sector Council, which comprises two subcouncils—the NIPP FSLC and the SLTTGCC:
• NIPP Federal Senior Leadership Council: The objective of the NIPP FSLC is to facilitate enhanced communications and coordination between and among Federal departments and agencies with a role in implementing the NIPP and HSPD-7. The council's primary activities include:
  – Forging consensus on CIKR risk management strategies;
  – Evaluating and promoting implementation of risk management-based CIKR programs;
  – Coordinating strategic issues and issue management resolution among Federal departments and agencies, and State, regional, local, tribal, and territorial partners;
  – Advancing collaboration within and across sectors;
  – Advancing collaboration with the international community;
  – Participating in planning efforts related to the development, implementation, update, and revision of the NIPP and the SSPs or aspects thereof; and
  – Evaluating and reporting on the progress of Federal CIKR protection activities.
• State, Local, Tribal, and Territorial Government Coordinating Council: The SLTTGCC serves as a forum to ensure that State, local, and tribal homeland security partners are fully integrated as active participants in national CIKR protection efforts and to provide an organizational structure to coordinate across jurisdictions on State and local government-level CIKR protection guidance, strategies, and programs. The SLTTGCC will provide the State, local, tribal, or territorial perspective or feedback on a wide variety of CIKR issues. The primary functions of the SLTTGCC include the following:
  – Providing senior-level, cross-jurisdictional strategic communications and coordination through partnership with DHS, the SSAs, and CIKR owners and operators;
  – Participating in planning efforts related to the development, implementation, update, and revision of the NIPP and SSPs or aspects thereof;
  – Coordinating strategic issues and issue management resolution among Federal departments and agencies, and State, local, tribal, and territorial partners;
  – Coordinating with DHS to support efforts to plan, implement, and execute the Nation's CIKR protection mission; and
  – Providing DHS with information on State-, local-, tribal-, and territorial-level CIKR protection initiatives, activities, and best practices.

The cross-sector bodies described in sections 4.1.2.1 and 4.1.2.2 will convene in joint session and/or working groups, as appropriate, to address cross-cutting CIKR protection issues.
The NIPP-related functions of the cross-sector bodies include activities to:
• … supporting Federal departments and agencies, and other public and private sector partners;
• Identify issues shared by multiple sectors that would benefit from common investigations and/or solutions;
• Identify and promote best practices from individual sectors that have applicability to other sectors;
• Contribute to cross-sector information-sharing, planning, and risk management activities, as appropriate; and
• Provide input to the government on R&D efforts that would benefit multiple sectors.

4.1.2.3 Sector Coordinating Councils

The sector partnership model encourages CIKR owners and operators to create or identify an SCC as the principal entity for coordinating with the government on a wide range of CIKR protection activities and issues. The SCCs are self-organized, self-run, and self-governed, with a spokesperson designated by the sector membership. Specific membership will vary from sector to sector, reflecting the unique composition of each sector; however, membership should be representative of a broad base of owners, operators, associations, and other entities—both large and small—within a sector. The SCCs enable owners and operators to interact on a wide range of sector-specific strategies, policies, activities, and issues. The SCCs serve as principal sector policy coordination and planning entities. Sectors also rely on ISACs, or other information-sharing mechanisms, which provide operational and tactical capabilities for information sharing and, in some cases, support for incident response activities. (A more detailed discussion of ISAC roles and responsibilities is included in section 4.2.7.)
The primary functions of an SCC include the following:
• Represent a primary point of entry for government into the sector for addressing the entire range of CIKR protection activities and issues for that sector;
• Serve as a strategic communications and coordination mechanism between CIKR owners, operators, and suppliers, and, as appropriate, with the government during emerging threats or response and recovery operations, as determined by the sector;
• Identify, implement, and support the information-sharing capabilities and mechanisms that are most appropriate for the sector. The ISACs may perform this role if so designated by the SCC;
• Participate in planning efforts related to the development, implementation, update, and revision of the SSPs and review of the Sector Annual Reports;
• Facilitate inclusive organization and coordination of the sector's policy development regarding CIKR protection planning and preparedness, exercises and training, public awareness, and associated plan implementation activities and requirements;
• Advise on the integration of Federal, State, local, and regional planning with private sector initiatives; and
• Provide input to the government on sector R&D efforts and requirements.

The SCCs are encouraged to participate in efforts to develop voluntary consensus standards to ensure that sector perspectives are included in standards that affect CIKR protection. [7]

4.1.2.4 Government Coordinating Councils

A GCC is formed as the government counterpart for each SCC to enable interagency and cross-jurisdictional coordination. The GCC comprises representatives from across various levels of government (Federal, State, local, or tribal), as appropriate to the operating landscape of each individual sector.
Each GCC is co-chaired by a representative from the designated SSA with responsibility for ensuring appropriate representation on the GCC and providing cross-sector coordination with State, local, and tribal governments. Each GCC is also co-chaired by the DHS Assistant Secretary for Infrastructure Protection or his/her designee. The GCC coordinates strategies, activities, policy, and communications across governmental entities within each sector. The primary functions of a GCC include the following:
• Provide interagency strategic communications and coordination at the sector level through partnership with DHS, the SSA, and other supporting agencies across various levels of government;
• Participate in planning efforts related to the development, implementation, update, and revision of the NIPP and the SSPs;
• Coordinate strategic communications and discussion and resolution of issues among government entities within the sector; and
• Coordinate with and support the efforts of the SCC to plan, implement, and execute the Nation's CIKR protection mission.

[7] Voluntary consensus standards are developed or adopted by voluntary consensus standards bodies, both domestic and international. These organizations plan, develop, establish, or coordinate standards through an agreed-upon procedure that relies on consensus, although not necessarily on unanimity. Federal law encourages Federal participation in these bodies to increase the likelihood that standards meet both public and private sector needs. Examples of other standards that are distinct from voluntary consensus standards include non-consensus standards, industry standards, company standards, or de facto standards developed in the private sector but not in the full consensus process; standards that are unique to government and developed by government for its own uses; and standards mandated by law.
4.1.2.5 Regional Consortium Coordinating Council

The RCCC brings together representatives of regional partnerships, groupings, and governance bodies to enable CIKR protection coordination among CIKR partners within and across geographical areas and sectors.

4.1.2.6 Critical Infrastructure Partnership Advisory Council (CIPAC)

CIPAC directly supports the sector partnership model by providing a legal framework that enables members of the SCCs and GCCs to engage in joint CIKR protection-related discussions. CIPAC serves as a forum for government and private sector partners to engage in a broad spectrum of activities, such as:
• Planning, coordination, implementation, and operational issues;
• Implementation of security and preparedness programs;
• Operational activities related to CIKR protection, including incident response and recovery; and
• Development and support of national policies and plans, including the NIPP and the SSPs.

CIPAC membership consists of private sector CIKR owners and operators, or their representative trade or equivalent associations, from the respective sector's recognized SCC, and representatives of Federal, State, local, and tribal governmental entities (including their representative trade or equivalent associations) that make up the corresponding GCC for each sector. DHS published a Federal Register Notice on March 24, 2006, announcing the establishment of CIPAC as a FACA-exempt body, pursuant to section 871 of the Homeland Security Act.

4.1.3 Regional Coordination and the Partnership Model

Regional partnerships, organizations, and governance bodies enable CIKR protection coordination among CIKR partners within and across certain geographical areas, as well as planning and program implementation aimed at a common hazard or threat environment. These groupings include public-private partnerships that cross jurisdictional, sector, and international boundaries and take into account dependencies and interdependencies.
They are typically self-organizing and self-governing. Regional organizations, whether interstate or intrastate, vary widely in terms of mission, composition, and functionality. Regardless of the variations, these organizations provide structures at the strategic and/or operational levels that help address cross-sector CIKR planning and protection program implementation. They may also provide enhanced coordination among jurisdictions within a State where CIKR cross multiple jurisdictions and help sectors coordinate with multiple States that rely on a common set of CIKR. In some instances, State Homeland Security Advisors may serve as focal points for regional initiatives and provide linkages between the regional organizations and the sector partnership model. Based on the nature or focus of the regional initiative, these organizations may link into the sector partnership model, as appropriate, through the individual SCCs or GCCs or cross-sector councils, or more broadly through the RCCC.

4.1.4 International CIKR Protection Cooperation

Many CIKR assets, systems, and networks, both physical and cyber, are interconnected with a global infrastructure that has evolved to support modern economies. Each of the CIKR sectors is linked in varying degrees to global energy, transportation systems, telecommunications, cyber, and other infrastructure. This global system creates benefits and efficiencies, but also brings interdependencies, vulnerabilities, and challenges in the context of CIKR protection. The Nation's safety, security, prosperity, and way of life depend on these "systems of systems," which must be protected both at home and abroad.

The NIPP strategy for international CIKR protection coordination and cooperation is focused on:
• Instituting effective cooperation with international CIKR partners, as well as high-priority cross-border protection programs.
Specific protective actions are developed through the sector planning process and specified in the SSPs and the annual CFDI Action Plan;
• Implementing current agreements and instruments that affect CIKR protection;
• Identifying infrastructure located outside the United States that, if disrupted or destroyed, would lead to loss of life in the United States, or critically affect the Nation's economic, industrial, or defensive capabilities; and
• Addressing cross-sector and global issues such as cybersecurity and foreign investment.

International CIKR protection activities require coordination with the DOS and appropriate SSAs and must be designed and implemented to benefit the United States and its international partners.

CIKR protection may be affected by foreign investment and ownership of sector assets. This issue is monitored at the Federal level by the CFIUS. The committee provides a forum for assessing the impact of proposed foreign investments on CIKR protection, monitoring to ensure compliance with agreements that result from CFIUS rulings, and supporting executive branch reviews of telecommunications applications to the Federal Communications Commission (FCC) from foreign entities to assess whether they pose any national security threat to CIKR (see appendix 1B.4.2).

4.1.4.1 Cooperation With International Partners

DHS, in coordination with the appropriate