Published by Martin Hill. Modified over 9 years ago.
1
Homeland Security
UNCLASSIFIED
Executive Order 13636
Presidential Policy Directive (PPD) - 21
Implementing the Presidential Executive Order (EO) on cybersecurity and Critical Infrastructure Presidential Policy Directive (PPD) with public and private stakeholders
Eric Chapman - Office of Maritime Security Response Policy
Brett Rouzer - CG Cyber Command
LCDR Ulysses Mullins – Office of Port & Facility Compliance
2
Cyber EO/PPD-21: Background
– Cyber EO and PPD 21 signed on February 12, 2013
– Sector Specific Agencies to collaborate with industry to identify critical infrastructure where a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, economic security, or national security
– National Institute of Standards & Technology to develop a voluntary framework for cybersecurity resilience
– PPD-21 cancels PPD-7 & establishes an All-Hazards approach to ensuring security & resilience
– Multiple deliverables derived from the PPD/EO with varying deadlines over the next year
3
Cyber EO/PPD-21: Integrated Cyber-Physical Security
– Executive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to:
  – Develop a technology-neutral voluntary cybersecurity framework
  – Promote and incentivize the adoption of cybersecurity practices
  – Increase the volume, timeliness and quality of cyber threat information sharing
  – Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
  – Explore the use of existing regulation to promote cyber security
– Presidential Policy Directive-21: Critical Infrastructure Security and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to:
  – Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
  – Understand the cascading consequences of infrastructure failures
  – Evaluate and mature the public-private partnership
  – Update the National Infrastructure Protection Plan
  – Develop comprehensive research and development plan
4
Cyber EO/PPD-21: Deliverables

| Deliverable | Source | Due Date | Lead | Coordination | DHS Lead |
|---|---|---|---|---|---|
| Consultative process for engaging CI partners | EO – 6 | Unspecified | DHS | SSAs | ITF (Stakeholder Engagement) |
| Cybersecurity voluntary program incentive reports | EO – 8 (d) | 120 Days, 6/12/2013 | DHS, Treasury, Commerce | DHS | ITF (Incentives) |
| Feasibility of cyber security standards in acquisition planning and contract administration | EO – 8 (e) | 120 Days, 6/12/2013 | DOD, GSA | DHS, Federal Acquisition Regulatory Council | USM |
| Instructions on timely production of unclassified cyber threat info | EO – 4(a) | 120 Days, 6/12/2013 | DHS and DNI | | NPPD/I&A |
| Process for rapidly disseminating unclassified threat info | EO – 4(b) | Unspecified | DHS and DOJ | DNI | NPPD/I&A |
| Description of CISR Functional Relationships | PPD – 1 | 120 Days, 6/12/2013 | DHS | SSAs, Relevant Ds and As | ITF (Planning and Evaluation) |
| Expand Enhanced Cybersecurity Services to all CI sectors | EO – 4(c) | 120 Days, 6/12/2013 | DHS | | NPPD |
5
Cyber EO/PPD-21: Deliverables

| Deliverable | Source | Due Date | Lead | Coordination | DHS Lead |
|---|---|---|---|---|---|
| Identification of CI at Greatest Risk | EO – 9 | 150 Days, 7/12/2013 | DHS | SSAs | ITF (Risk Identification) |
| Evaluation of the Public-Private Partnership Model | PPD – 2 | 150 Days, 7/12/2013 | DHS | SSAs, Relevant Ds and As | ITF (Planning and Evaluation) |
| Process of notifying CI owners of status on the list | EO – 9 | Unspecified (150 Days +), 7/12/2013 | DHS | SSAs | ITF (Risk Identification) |
| Baseline System and Data for information exchange | PPD – 3 | 180 Days, 8/11/2013 | DHS | SSAs, Relevant Ds and As | ITF (Situational Awareness and Info Exchange) |
| Provision of technical assistance to regulatory Ds and As for cybersecurity | EO – 10 | Unspecified | DHS | Ds and As with regulatory ability | NPPD |
| Expedite processing of security clearances | EO – 4(d) | Unspecified | DHS | | NPPD/USM |
| Private sector SMEs/ Federal service program | EO – 4(e) | Unspecified | DHS | | PSO |
6
Cyber EO/PPD-21: Deliverables

| Deliverable | Source | Due Date | Lead | Coordination | DHS Lead |
|---|---|---|---|---|---|
| Situational awareness capability for critical infrastructure | PPD – 4 | 240 Days, 10/10/2013 | DHS | | ITF (Situational Awareness and Info Exchange) |
| Update to the NIPP | PPD – 5 | 240 Days, 10/10/2013 | DHS | SSAs, Relevant Ds and As; SLTT; O/Os | ITF (Planning and Evaluation) |
| Cybersecurity Framework (Draft) | EO – 7 | 240 Days, 10/10/2013 | NIST | DHS, NSA, SSAs, OMB | ITF (Framework Collaboration) |
| Report on applicability of Cybersecurity Framework to regulations | EO – 10 (a) | 240 Days + 90 Days, 10/10/2013 - 1/8/2014 | Ds and As with regulatory ability | DHS, OMB, NSS | TBD |
| Cybersecurity Framework (Final) | EO – 7 | 365 Days, 2/12/2014 | NIST | DHS, NSA, SSAs, OMB | ITF (Framework Collaboration) |
| Report on privacy and civil rights and civil liberties risks associated with cybersecurity enhancements | EO – 5 (b) | 365 days, 2/12/2014 | DHS | Other Ds and As/ Privacy and Civil Liberties Oversight Board/ OMB | Privacy and CR/CL |
7
Cyber EO/PPD-21: Integrated Task Force (ITF)
DHS Established the ITF to Lead Implementation of E.O. 13636 & PPD-21
– Coordinate interagency, public & private sector efforts to ensure effective integration & synchronization of EO & PPD requirements across the homeland security enterprise
– Establish & manage 9 Working Groups to accomplish specific deliverables
– ITF Director & Deputy Director report to Deputy Secretary Executive Steering Committee
– Expected to work for est. nine months to meet E.O. & PPD implementation timeline
– Long-term EO and PPD work then stays with responsible DHS program offices
– Engages partners and stakeholders to develop products
8
Cyber EO/PPD-21: Working Groups

| ITF Working Groups | Task | Deliverable |
|---|---|---|
| Stakeholder Engagement | Coordinate outreach to stakeholders (including critical infrastructure owner-operator communities and SLTTs) throughout implementation. | Consultative process for engaging stakeholders |
| Cyber-Dependent Infrastructure Identification | Identify critical infrastructure where a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, economic security, or national security & evaluate how best to enhance the ongoing prioritization process for all critical infrastructure. | Identification of CI at Greatest Risk; Process of notifying CI owners of status on the list |
| Planning and Evaluation | Lead effort to evaluate existing public-private critical infrastructure partnership model & its functionality for physical & cyber security. Update the National Infrastructure Protection Plan (NIPP), in coordination with Sector Specific Agencies & other CI partners. | Evaluation of the Public-Private Partnership Model; Update the NIPP |
| Situational Awareness and Information Exchange | Identify & map existing CI security & resilience functional relationships across the Federal Government. Identify baseline data & systems requirements for the Federal Government. Develop a situational awareness capability for CI. Identify mechanisms to improve effective information sharing. | Description of CISR Functional Relationships; Baseline System & Data for information exchange; Situational awareness capability for critical infrastructure |
9
Cyber EO/PPD-21: Working Groups

| ITF Working Groups | Task | Deliverable |
|---|---|---|
| Incentives | Lead study of incentives for voluntary participation in the CI cybersecurity program. Contribute to developing recommendations on the feasibility, security benefits & relative merits of incorporating security standards into acquisition planning & contract administration. | Cybersecurity voluntary program incentive reports |
| Framework Collaboration along with NIST | Work with National Institute of Standards & Technology to develop, evaluate & disseminate cybersecurity framework. Encourage adoption by CI owners & operators, to include adoption of cybersecurity performance goals. | Cybersecurity Framework; Report on applicability of Cybersecurity Framework to regulations; Performance Goals |
| Assessments: Privacy and Civil Rights and Civil Liberties | Coordinate w/ Privacy & Civil Rights & Civil Liberties representatives across agencies & assess privacy & CRCL impacts to EO/PPD deliverables. | Report on privacy and civil rights and civil liberties risks associated with cybersecurity enhancements |
| Research and Development | Lead all research & development-related tasks in EO/PPD. | CISR R&D Plan |
| Cyber Threat Information Sharing | Develop instructions to ensure timely production of unclas reports of cyber threats to specific targets. Establish a process that rapidly disseminates unclas cybersecurity information reports to targeted CIKR & disseminates classified cybersecurity reports to authorized CIKR. | Unclas Cyber Threat Report Production Instruction; Unclas/Classified Cybersecurity Information Dissemination Process |
10
Transportation Sector Specific Agencies
[Diagram. Labels: Collaboration; Maritime, Aviation, Highway, Freight/Rail, Mass Transit, Pipeline; GCCs; CIPAC, SCCs; Transportation Sector All-Hazards Risk Management]
11
CYBER EO/PPD-21: TSSCWG
Transportation Systems Sector Cyber Working Group
– Transportation SSA (DOT/TSA/USCG)
– Meet with ITF and WG leads to address Sector Specific Issues
– Participate/Contribute in 9 WGs
– Through CIPAC Engage & Collaborate with Stakeholders
– Needs Maritime Sector Industry Representation
12
CYBER EO/PPD-21: Maritime Industry
How Does Industry Contribute to the Process?
– Feedback to Working Groups
– Participation in TSSCWG via CIPAC
– Proactive engagement through review of current cyber practices and governance
– DHS Cybersecurity Evaluation Tool (CSET)
– DHS On-Site Assessment by Control Systems Security Program
– ICS-CERT (http://ics-cert.us-cert.gov)
– Visit USCG Maritime Security-Cybersecurity page on Homeport
– Register to receive page update notifications
– Voluntary adoption of framework when developed
– Continuous Feedback
13
CYBER EO/PPD-21: Maritime Industry
NIST REQUEST FOR INFORMATION – APRIL 2013
– Current Risk Management Process
– Use of Frameworks, Standards, Guidelines and Best Practices
– Specific Industry Practices
– Public Workshop on April 3, 2013
– Submit comments by April 8, 2013
14
CYBER EO/PPD-21: Maritime Industry
CRITICAL INFRASTRUCTURE IDENTIFICATION – APRIL 2013
SESSION 1:
– Determine Critical Functions that encompass the full set of processes that produce, provide, and maintain a sector’s products and services
– Examine Supporting Value Chain(s) that include the general sequence of events for providing a sector’s critical function
– Identify Cyber Critical Infrastructure that support value chain activities, including business systems, control systems, and specialty systems, to support identification of sector cyber-dependent critical infrastructure
SESSION 2:
– Discuss and confirm identification criteria that will be used to determine the sector’s cyber-dependent cyber infrastructure
15
CYBER EO/PPD-21: What Now?
What Do We Need From Industry?
– Participation in the EO/PPD implementation
– Participants who can respond to supply chain impacts from a cyber incident
– Decision Makers
– Understand the interface between operations & information technology
– Rapidly respond to short-fused tasks & reviews of working group products
– Initial participation will be informing the identification of Cyber-dependent Critical Infrastructure (CI) & Framework Development
16
CYBER EO/PPD-21
QUESTIONS?
Eric Chapman – eric.k.chapman@uscg.mil
Brett Rouzer – brett.r.rouzer@uscg.mil
LCDR Ulysses Mullins – ulysses.s.mullins@uscg.mil