CI/KR Public-Private Partnerships Overview March 2010 Prepared By: Thomas DiNanno International Assessment and Strategy Center

Vision
The United States will forge an unprecedented level of cooperation throughout all levels of government, with private industry and institutions, and with the American people to protect our critical infrastructure and key assets from terrorist attack.
The National Strategy for Homeland Security, July 2002

HSPD-7 Requirements
HSPD-7 directs the development of a National Infrastructure Protection Plan (NIPP).
The NIPP is a comprehensive, integrated National Plan for Critical Infrastructure and Key Resources Protection to outline national goals, objectives, milestones, and key initiatives.
The Plan includes the following elements:
- A strategy to identify, prioritize, and coordinate CI/KR protection, including how DHS intends to work with Federal departments and agencies, State and local governments, the private sector, foreign countries, and international organizations;

HSPD-7 Designated Sectors & Agencies
DHS is responsible for coordinating the overall national effort to enhance protection of CI/KR across Sectors.
Sector-Specific Agencies (SSAs), listed as sector: agency.
Critical Infrastructure Sectors
- Agriculture, Food: USDA
- Public Health, Healthcare, Food: HHS
- Drinking Water, Water Treatment: EPA
- Defense Industrial Base: DoD
- Energy: DOE
- Banking and Finance: TREAS
- National Monuments & Icons: DOI
- Transportation Systems: DHS
- Information Technology: DHS
- Telecommunications: DHS
- Chemical: DHS
- Emergency Services: DHS
- Postal and Shipping: DHS
Key Resources
- Commercial Facilities: DHS
- Government Facilities: DHS
- Dams: DHS
- Commercial Nuclear Reactors, Materials, & Waste: DHS

Major NIPP Theme: Information Sharing and Protection
The NIPP uses a network approach to information sharing that:
- Enables secure multidirectional information sharing between and across government and CI/KR owners and operators at all levels.
- Provides mechanisms, using “need to know” protocols as required, to support the development and sharing of strategic and specific threat assessments, incident reports and threat warning, impact assessments, and best practices.
- Allows security partners to assess risks, conduct risk management activities, allocate resources, and make continuous improvements to the Nation’s CI/KR protective posture.
DHS and other Federal agencies use a number of programs and procedures, such as the Protected Critical Infrastructure Information (PCII) Program, to ensure that CI/KR information is properly safeguarded.

Major NIPP Theme: Providing Resources for the CI/KR Protection Program
Resources must be directed to areas of greatest priority to enable effective management of risk.
The NIPP resource allocation process describes:
- The integrated risk-based approach that will be used to determine how CI/KR protection programs will be prioritized and funded
- How State- and local-level CI/KR protection efforts will be supported through DHS and other CI/KR protection Grant Programs
- How all of these investments, coupled with appropriate incentives, support collaboration among security partners to enhance CI/KR protection

NIPP Value Proposition
The success of the partnership for CI/KR protection depends on articulating the mutual benefits to government and private sector partners.
This value proposition:
- Enables Federal, State, local, tribal and private sector security partners to clearly understand the national CI/KR protection priorities
- Provides CI/KR protection planning, information sharing, risk management, resource coordination, and program implementation processes
- Is intended to be used as a framework for coordinating CI/KR protection efforts across sectors and security partners

Major NIPP Theme: Sector Partnership Model
Provides the framework for security partners to work together in a robust public-private partnership.

Implementing the NIPP
Listed as sector: agency.
- Public Health, Healthcare, Food: HHS
- Drinking Water, Water Treatment: EPA
- Defense Industrial Base: DoD
- Energy: DOE
- Banking and Finance: TREAS
- National Monuments & Icons: DOI
- Transportation Systems: DHS
- Information Technology: DHS
- Telecommunications: DHS
- Chemical: DHS
- Emergency Services: DHS
- Postal and Shipping: DHS
- Commercial Facilities: DHS
- Government Facilities: DHS
- Dams: DHS
- Commercial Nuclear Reactors, Materials, & Waste: DHS

Sector-Specific Plans (SSPs) Content
- SSPs are annexes to the NIPP Base Plan
- SSPs detail the application of the NIPP risk management framework across each of the 17 CI/KR sectors
- Sector-Specific Agencies partner with their sector to develop the individual SSP
- Finalized SSPs are to be submitted to DHS within 180 days after the NIPP is issued by the Secretary of Homeland Security
[Figure label: Sector-Specific Plans (17)]

Set Security Goals
- Security goals collectively represent the desired national and sector-specific security posture
- These goals will vary between sectors and should consider the physical, human, and cyber elements of CI/KR protection
From the sector perspective, security goals:
- Define the protective (and, if appropriate, the response or recovery) posture that security partners seek to attain
- Consider distinct assets, systems, networks, operational processes, business environments, and risk management approaches
- Vary according to the specific characteristics and security landscape for the affected sector, jurisdiction, or locality

Identify Assets, Systems, Networks, and Functions
- Involves developing a comprehensive inventory containing basic information on the Nation’s assets, systems, and networks
- This inventory can be used to determine which assets, systems, or networks are nationally critical, state critical, or locally critical based on the most current risk profile

Evaluating Existing Risk Methodologies
Is the Methodology Credible?
- Integrity: Is the methodology based on classic risk analysis and security vulnerability analysis?
- Complete: Does the methodology provide reasonably complete results via a quantitative, systematic, and rigorous process?
- Defensible: Is the methodology thorough and does it use the recognized methods of the professional disciplines relevant to the analysis?
Is the Methodology Comparable to Other Methodologies?
- Documented
- Transparent
- Reproducible
- Accurate

Prioritize
- DHS will work with security partners to prioritize the results of risk assessments to help identify where risk reduction is most pressing and to subsequently determine what protective actions should be taken
- Requires a comparison of the relative levels of asset and sector risk along with options for achieving the established security goals
- Enables protective actions to be applied where they offer the greatest reduction in risk relative to the cost

Implement Protective Programs
Protective actions are intended to reduce risk by:
- Deterring attacks
- Devaluing the attractiveness of the asset, system, or network
- Detecting potential attacks
- Defending the asset, system, or network to delay or prevent an attack
Protective programs may also include actions that reduce consequences should an attack occur, including:
- Mitigating the range of potential attacks
- Responding and recovering efficiently and effectively

Measure Effectiveness
- NIPP establishes a metrics-based system to provide feedback on efforts to attain specified security goals
- Metrics provide a basis for establishing accountability, documenting actual performance, facilitating diagnoses, promoting effective management, and reassessing goals and objectives at the national and sector level
NIPP Risk Management Framework uses three types of metrics:
- Descriptive
- Process (or output)
- Outcome

NIPP Development & Coordination
The NIPP was developed as a collaborative process between DHS, the SSAs and State, local, and private sector security partners.
The review and comment process:
- Broadly distributed for review across sectors and at each level of government and the private sector and the public to obtain individual comments and input
Draft NIPP Base Plan was distributed to the following Security Partners:
- Federal Government: DHS; Sector-Specific Agencies; HSPD-7 Departments & Agencies; Government Coordinating Councils
- State, Local, Territorial, and Tribal Governments: Homeland Security Advisors; State Administrative Agents and Emergency Managers
- Advisory Councils: National Infrastructure Advisory Council; National Security Telecommunications Committee; Homeland Security Advisory Committee
- Private Sector Partners: Sector Coordinating Councils; Private Sector Security Partners

Chemical Security
[Figure labels: Universe; Potentially High-Risk Chemical Facilities; Perform CSAT Consequence Screen; Facilities deemed not high-risk; 20,000 ?; HIGH RISK CHEMICAL FACILITIES; Tier 1=]

Chemical Security
Define the Performance Standards
- Have defined 17 Performance Standards
- Standards will be tied to specific risk types present at the facility (i.e., release hazard; precursor; sabotage; economic/mission criticality).
- Standards address the full range of security practices:
  - Physical Security
  - Perimeter Control
  - Access Control
  - Cyber Security (physical and logical)
  - Personnel surety
  - Deter, Detect, Delay
  - Security and Response Force planning and training & Exercise
  - Material Control
  - Counter Theft – Counter Diversion
Risk Based Performance Standards

Emergency Management
Support response, recovery, and reconstitution efforts of States affected by a disaster:
- Support PFO and FCO in Joint Field Offices (JFOs)
- Serve as pre-designated IL and JFO when requested
- Help coordinate Federal, State, and LLE CIKR protection efforts
- Coordinate sharing of IP HQ analysis within JFO
- Perform SAVs to identify vulnerabilities
- Provide advice on protective measures to enhance security at CIKR in and around impact area
- Provide key stakeholders with updates on issues relating to CIKR assets