Defense Critical Infrastructure Program (DCIP) DoD CIO/DISA/GSA DCIP is organizationally located under the Office of the Assistant Secretary of Defense for Homeland Defense [OASD(HD)] ASD(HD) is Hon. Paul F. McHale, previous Congressman from Pennsylvania ASD(HD), along with OUSD(Intelligence) and ASD(Networks & Information Integration), created out of 2003 Defense Authorization Act OASD(HD) formally “stood up” in March 2003 OASD(HD) legacy was the DoD Homeland Security Task Force (HSTF), created immediately following 11 Sep 2001, initially led by Gen Libutti, then Mr. Pete Verga Mr. Bill Bryan Director, Critical Infrastructure Protection Office of the Assistant Secretary of Defense for Homeland Defense 13 July 2006
Defense Critical Infrastructure Program DCIP Program-Wide Mission-Vision-Goals Enhance Risk Management Decisions At All Levels To Ensure That Defense Critical Infrastructure Is Available When Required Vision: Assurance of Defense Mission Critical Infrastructure in an All Hazards Environment Goals: DCIP Policy and Program Guidance DCIP Strategic Partnerships & Enabling Technologies DCIP Plans, Programs and Capabilities Integrated and Implemented At All Levels DCIP Resourcing At All Levels Education and Outreach
Defense Critical Infrastructure Program Assessment Framework DCIP Addresses The Following Questions: What Is Mission Critical? Are Mission Critical Assets Vulnerable? What Can Be Done To Lower Risk? Assessment Framework: …then, DCIP Addresses The Following Questions: What Is Mission Critical? Are Mission Critical Assets Vulnerable? What Can Be Done To Lower Risk? Defense Critical Asset. An asset of such extraordinary importance to DoD operations in peace, crisis, and war that its incapacitation or destruction would have a very serious, debilitating effect on the ability of the DoD to fulfill its missions. Vulnerability (Infrastructure). The characteristics of an installation, system, asset, application, or its dependencies that could cause it to suffer a degradation or loss (incapacity to perform its designated function) as a result of having been subjected to a certain level of threat or hazard. Threat. An adversary having the intent, capability, and opportunity to cause loss or damage. Hazard (Infrastructure). Non-hostile incidents such as accidents, natural forces, technological failure, etc., that cause loss or damage to infrastructure assets. Risk. Probability and severity of loss linked to threats or hazards. Critical Infrastructure Protection (CIP). Actions taken to prevent, remediate, or mitigate the risks resulting from vulnerabilities of critical infrastructure assets. Depending on the risk, these actions could include: changes in tactics, techniques, or procedures; adding redundancy; selection of another asset; isolation or hardening; guarding, etc. Mitigation. Actions taken in response to a warning or after an incident occurs that are intended to lessen the potentially adverse effects on a given military operation or infrastructure. Remediation. Actions taken to correct known deficiencies and weaknesses. These actions are undertaken once a vulnerability has been identified.
Defense Critical Infrastructure Program Tasks & Responsibilities FUNCTIONS TASKS RESPONSI BILITIES Identify & Prioritize Missions and Tasks What’s Critical? Combatant Commands Identify Warfighting Systems &Assets SERVICES: Component Commands DoD “SECTORS” DIB Financial Services Global Info Grid Health Affairs ISR Logistics Transportation Personnel Public Works Space SERVICES Army Marine Corps Navy Air Force <Nat’l Guard> <Coast Guard> Identify & Characterize Supporting Infrastructure Assets and Networks Are Critical Assets Vulnerable? Conduct Vulnerability Assessments SUPPORT ACTIVITIES Defense Agencies Defense Activities CIP Ctr’s Of Excellence Industry & Private Sector DCIP Functions, Tasks, and Analytic Roles & Responsibilities DCIP Infrastructure Categories: DoD owned Non-DoD owned, but depended upon by DoD to accomplish missions Non-DoD owned, not depended upon by DoD, but may be critical to National CIP Acronyms: DIB – Defense Industrial Base GIG – Global Information Grid ISR – Intelligence, Surveillance, & Reconnaissance DEFESE SECTOR – “A virtual association within DCIP that traverses organizational boundaries of defense assets or networks that perform a similar function within DoD, and are essential to the execution of the National Military Strategy.” OTHER Federal Depts States Local Govt’s Industry & Private Sector DOD OSD Services Combatant Commands Defense Agencies What Can Be Done To Lower Risk? Remediate & Mitigate Risks
DCIP-Related Guidance NATIONAL - National Strategy for Physical Protection of CI & KA (Feb 03) NATIONAL - HSPD-7 (Dec 03) DHS - NIPP-Base Plan (Signed June 30) ASD(HD)/DCIP - DIB SSP (Under development) ASD(HD)/DCIP - DIB Strategy (Requested by ASD(HD)) ASD(HD) - Strategy for HD & CS (Jun 05) DCIP - Mission Assurance Framework (at the request of DepSecDef) DCIP - Strategy for Defense Critical Infrastructure (at the request of JS) DCIP - DoDD 3020.40 (Defense Critical Infrastructure Program (Aug 05) DCIP - Interim Implementation Guidance (includes Standards) DoDI 3020.aa DCIP - DoDI DCIP (to follow the Interim Implementation Guidance ) DCIP - Criticality Methodology ~ (How to Identify critical assets) DCIP - Benchmarks (Standards to Assess critical assets) (Jun 06) DCIP – Essential Elements of Information (Jun 06) JS/DTRA - Modular DCIP Assessment Program (Jan 06) NG CIP - Mission Assurance Assessment Program Plan DCIP - Communications Plan ~ no requirement (How to Communicate across the DCIP Enterprise) DCIP - Portfolio Management Plan ~ recommended in DoDD 8115.01 (How to Measure Results DCIP - GIS Data Strategy ~ (How to standardize and visualize GIS data) *Note: Draft Documents Developed and Under Review.
Backup’s & Reference
DoD Homeland Defense The OASD(HD) Within DoD Secretary of Defense Deputy Secretary of Defense USD (Policy) USD (Comptroller) USD (Personnel & Readiness) USD (Intelligence) USD (Acquisition, Technology, & Logistics) ASD (Networks & Info Integration/ DoD CIO PDUSD (Policy) PDUSD (Comptroller) PDUSD (Personnel & Readiness) PDUSD (Intelligence) DUSD (Acquisition & Technology) DASD (Deputy CIO) ASD (Int Sec Affairs) Dir, Program Analysis & Evaluation ASD (Reserve Affairs) DUSD (Programs, Resources & Reqts) DUSD (Logistics & Material Readiness) DASD (Resources) ASD (Int Sec Policy) ASD (Health Affairs) DUSD (Preparation & Warning) Dir, Defense Research & Engineering DASD (C3, Space, & IT Programs) ASD (SO/LIC) DUSD (Warfighting & Operations) ATSD (Nuc, Chem, & Bio Def Programs) DASD (Spectrum, Space, & C3) OASD(HD) located within OUSD(Policy) organization [Hon. Doug Feith]: PDUSD(Policy) – Hon. Ryan Henry ASD(International Security Policy) – ISP – Hon. J. Crouch ASD(International Security Affairs) – ISA – Hon. Peter Rodman ASD(Special Ops/Low Intensity Conflict) – SO/LIC – Hon. Thomas O’Connell ASD(Homeland Defense) – HD – Hon. Paul McHale ASD (Homeland Defense) DUSD (CI & Security) ATSD (Intelligence Oversight) Inspector General General Council ASD (Legislative Affairs) Dir, Administration & Management Dir, Force Transformation Dir, Net Assessment Dir, Operational Test & Evaluation ASD (Public Affairs)
DoD Homeland Defense The OASD(HD) Organization - DoD Senior Executives Assistant Secretary of Defense for Homeland Defense Hon Paul McHale Principal Deputy Assistant Secretary of Defense for Homeland Defense Mr. Pete Verga Chief of Staff Mr. Robert Salesses Deputy Assistant Secretary Of Defense for Homeland Security Integration Mr. Pete Verga Deputy Assistant Secretary Of Defense for Force Planning & Employment - Vacant - Deputy Assistant Secretary Of Defense for Strategy, Plans, and Resources Mr. Scott Rowell Special Assistant For Civil Support - Vacant - Deputy Assistant Secretary of Defense For Continuity & Crisis Management - Vacant - ASD(HD) is the Hon. Paul McHale (SES-C) PDASD(HD) and DASD(HSI) is Mr. Pete Verga (dual-hatted) (SES) DASD(FP&E) is Mr. Thomas “TK” Kuster (SES) DASD(SP&R) is Mr. Scott Rowell (SES-C) Principal Director, Strategic Management, is Mr. Frank Jones (SES) DASD(CCM) is Mr. Mark Hewitt (SES) Special Assistant for Civil Support is –vacant- (SES-C) Principal Director, Strategic Management Mr. Frank Jones Defense Critical Infrastructure Program (DCIP) Defense Continuity & Crisis Management Office (DCCMO)
Defense Critical Infrastructure Program Policy Background DOD Directive 5160.54: Initial: “Key Asset Protection Program” (KAPP) – Jun 89 Updated: “Critical Asset Assurance Program” (CAAP) – Jan 98 DepSecDef Memoranda: Realigned CAAP into “Critical Infrastructure Protection” (CIP) under the Assistant Secretary of Defense for Command, Control, Communications, and Intelligence - Aug 99 Realigned CIP oversight to the Assistant Secretary of Defense for Homeland Defense – Sep 03 Homeland Security Presidential Directive #7 (HSPD-7) Assigned the DoD as the “Sector Specific Agency” for the Defense Industrial Base – Dec 03 DOD Directive 5111.13 DoD has a long legacy working “CIP”, however, many programs under various names Mid-1980’s under IAP – Infrastructure Assurance Program (under Navy OPNAV N89) Jun 1989, KAPP – Key Asset Protection Program (under Army FORCECOM) Jan 1998, CAAP – Critical Asset Assurance Program (under Army DOMS) Late-1998, somewhat addressed in Y2K – Year 2000 roll-over Aug 99, CIP – Critical Infrastructure Protection (under OASD(C3I)) CIP oversight moved to ASD(HD) by DepSecDef in September 2003 OASD(HD) immediately created the Defense Program Office for Mission Assurance (DPO-MA) (October 2003) OASD(HD) Charter via DoD Directive 5111.13 – in final coordination, release date pending Updated DCIP policy via DoD Directive 3020.ff – formal coordination complete, awaiting DepSecDef signature (release date pending) DCIP – Defense Critical Infrastructure Program “Assistant Secretary of Defense for Homeland Defense” – in formal coordination, release date TBD DOD Directive 3020.ff “Defense Critical Infrastructure Program (DCIP) – formal coordination complete, awaiting DepSecDef signature (release date TBD)
Risk = Impact x (Vulnerability x Threat) Defense Critical Infrastructure Program What Can Be Done To Lower Risk? R = I*(V*T) Risk = Impact x (Vulnerability x Threat) Includes Both “Threats” (i.e., intentional hostile acts) and “Hazards” (i.e., non-intentional acts or accidental events) Vulnerabilities From The DCIP FSIVA’s Operational Impacts From The DCIP Mission Area Analysis Process VISION – RESOURCES = HALLUCINATIONS !! Risk Management is really about Resource Management Resources include Money, People, Capabilities & Technologies, Time, etc. Mitigation. Actions taken in response to a warning or after an incident occurs that are intended to lessen the potentially adverse effects on a given military operation or infrastructure. Remediation. Actions taken to correct known deficiencies and weaknesses. These actions are undertaken once a vulnerability has been identified. DCIP Risks Must Be Fully Addressed In The Planning, Programming, Budgeting & Execution System (PPBES) Goal: Risk Remediation or Mitigation…