Lesson 2 Overview

When something threatens the homeland, it almost certainly threatens critical infrastructure and, due to the interconnectivity of all of our assets and systems, many other aspects of American life as well. NIPP 2013 is informed by changes in the risk, policy and operating environments, as well as experience gained and lessons learned from exercises and real-world events, such as Hurricane Sandy and various cyber incidents.

The update reflects the input and expertise of partners across the critical infrastructure community, including Federal, State, local, tribal and territorial governments; regional entities; private sector owners and operators; academic and non-profit organizations; and the public.

This lesson provides an overview of the critical infrastructure environment. By the end of this lesson, you will be able to:
  • Describe the risk environment
  • Identify dependencies and interdependencies across critical infrastructure systems
  • Identify the relevant authorities and roles of:
    • The Department of Homeland Security (DHS).
    • Sector-Specific Agencies (SSAs).
    • Other Federal departments and agencies.
    • State, local, tribal and territorial jurisdictions.
    • Owners and operators.
  • Discuss the importance of partnerships
  • Describe the NIPP sector and cross-sector coordinating structure
  • Describe how the NIPP fosters information sharing at all levels
The Risk Environment

Evolving Threats to Critical Infrastructure. Threats include extreme weather, accidents or technical failures, cyber threats, acts of terrorism, and pandemics. The risk environment is complex and uncertain; threats, vulnerabilities and consequences have all evolved over the last 10 years.

For example, due to the growing integration of information and communication technologies within operations and adversaries focusing on exploiting cyber vulnerabilities, critical infrastructure is increasingly exposed to cyber risks.

The Strategic National Risk Assessment (SNRA) defines numerous threats and hazards to homeland security. In addition to the known risks analyzed as part of the SNRA, the potential for interconnected events with unknown consequences adds uncertainty.

Threats that Pose the Greatest Risk to National Security
Critical assets, systems and networks face many broadly categorized threats including:
  • Natural
    • Severe weather events and catastrophic natural disasters
    • Pandemic illnesses or other widespread health crises
  • Technological/Accidental
    • Accidents or technical failures due to aging infrastructure
    • Chemical Substance Spill or Release
  • Adversarial/Human-caused
    • Acts of terrorism
    • Cyber-attacks against data or physical assets
    • Other crimes intended to cause harm and disrupt essential services
You will learn more about these and other threats in Lesson 3.
Complex Operating Environment

Collaborative planning and action is required due to the extent of interconnected infrastructure. The Nation’s critical infrastructure has become much more interdependent, continuing to move from an operating environment characterized by disparate assets, systems and networks to one in which cloud computing, mobile devices and wireless connectivity have dramatically changed the way infrastructure is operated.

Interdependencies may be limited to small urban or rural areas or span vast regions, crossing jurisdictional and national boundaries, including infrastructure that requires accurate and precise positioning, navigation and timing (PNT) data used in global positioning system (GPS), radio frequency identification (RFID), and global information systems (GIS) technology.

The nature of critical infrastructure ownership and operations is also distributed and the need for joint planning and investment to increase the security and resilience of critical infrastructure is becoming more common and necessary on the international level.

Interdependencies

Effective risk management requires an understanding of the criticality of assets, systems, and networks, as well as the associated dependencies and interdependencies of critical infrastructure.

Growing interdependencies, particularly reliance on information and communications technologies, have increased the potential vulnerabilities to physical and cyber threats and potential consequences resulting from the compromise of underlying systems or networks. The potential impacts increase with these interdependencies and the ability of a diverse set of threats to exploit them to cause harm and disrupt essential services.

Interdependencies affect all risk elements.
  • Threat: Natural hazards such as extreme weather pose a significant risk to critical infrastructure; dependencies and interdependencies emerging from complex cyber capabilities and limitations can also pose a risk. Humans can also negatively impact critical infrastructure interdependencies through accidental, uninformed, or intentional activities to cause harm and disrupt essential services.
  • Vulnerability: There is an expanded set of vulnerabilities due to interdependencies within an increasingly interconnected infrastructure.
  • Consequence: Consequences such as accidents, technical failures, and compromise of interdependent systems or networks are greater due to the potential for cascading impacts across multiple critical infrastructure assets, systems and networks.

Critical infrastructure is now increasingly exposed to cyber risks, which stem from growing operational integration of information and communications technologies, such as cloud computing, mobile devices and wireless connectivity, and an adversary focus on exploiting potential cyber vulnerabilities.

Interdependencies and dependencies help us consider second- and third-order effects. The focus on regional partnerships/initiatives is important because of the regionally interdependent nature of many critical infrastructure sectors.

Building on Homeland Security Strategies

Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience, explicitly calls for the development of an updated national plan.

In July of 2016, Presidential Policy Directive 41: United States Cyber Incident Coordination Policy (PPD-41) was issued by President Barack Obama. This new directive sets forth principles governing the Federal Government's response to any cyber incidents and provides architecture for coordinating the response to significant cyber incidents. Specifically, the PPD establishes three Federal lines of effort for any cyber incident: threat response; asset response; and intelligence support and related activities. This PPD also establishes lead Federal agency responsibilities for coordinating Federal responses to significant cyber incidents.

The NIPP fulfills this requirement as it formalizes and strengthens existing critical infrastructure partnerships, and creates the baseline for how the public and private sectors will work together.

In addition, the National Plan fulfills requirements in the Homeland Security Act of 2002; is consistent with Executive Order 13636: Improving Critical Infrastructure Cybersecurity (2013); and aligns with the goal of Presidential Policy Directive 8 (PPD-8): National Preparedness (2011) and its supporting National Planning Frameworks, and with two other policy documents: the President’s Climate Action Plan (2013) and the National Strategy for Information Sharing and Safeguarding (2013).


Risk in the Context of National Preparedness

The figure illustrates the relationship between the five National Preparedness mission areas (Prevent, Protect, Mitigate, Respond, and Recover) and the elements of risk (threat, vulnerability, and consequence). The graph shows that prevention activities are most closely associated with efforts to address threats; protection activities generally address vulnerabilities; and response and recovery activities help to minimize consequences. Mitigation activities span the entire risk spectrum. The graph also shows that prevention and protection efforts are most often associated with security, while response and recovery efforts are more closely linked to resilience. Mitigation activities can be associated with both security and resilience. The figure includes a quote from the National Preparedness Goal of 2011, which reads: 'A secure and resilient Nation maintains the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk.'

PPD-8 creates the National Preparedness Goal and System which describe five mission areas that provide a useful framework for considering risk management investments. The graphic titled “Critical Infrastructure Risk in the Context of National Preparedness” illustrates the relationship of the national preparedness mission areas to the elements of risk.

  • Prevention activities are most closely associated with efforts to address threats;
  • Protection efforts generally address vulnerabilities; and
  • Response and Recovery efforts help minimize consequences.
  • Mitigation efforts transcend the entire threat, vulnerability and consequence spectrum.

The National Preparedness Goal also establishes 31 core capabilities that support the five national preparedness mission areas. The NIPP is aligned with PPD-8 and the PPD-8 mission areas are central to a comprehensive approach for enhancing national preparedness and critical infrastructure risk management activities. The development of these capabilities contributes to achieving secure and resilient critical infrastructure; additionally, the capabilities can be applied to identify risk management activities.

Such efforts are enhanced when critical infrastructure risks are considered as part of setting capability targets.

An Integrated Plan

The NIPP was created to complement, not replace, the Homeland Security plans and strategies, business continuity plans, preparedness strategies and security policies already developed by the critical infrastructure and first responders communities.

These existing private sector and government plans and strategies address an all-hazards approach and serve to broaden resilience and security measures for a variety of natural and manmade incidents.

Processes outlined in the NIPP are designed to enhance coordination, cooperation and collaboration among critical infrastructure partners within and across sectors to synchronize related efforts and avoid duplicative or unnecessarily costly risk management requirements.

Critical Infrastructure Partnerships

The NIPP partnership model provides a framework used to promote and facilitate sector and cross-sector planning, coordination, collaboration and information sharing for security and resilience, involving all levels of government and private sector entities.

As the nature of the critical infrastructure risk environment precludes any one entity from managing risks entirely on its own, partners benefit from access to knowledge and capabilities that would otherwise be unavailable to them.

Many critical infrastructure sectors have worked to establish stable and representative partnerships, managing transitions in leadership and broadening the range of members and skill sets needed to accomplish collective goals.

Through trusted relationships and information sharing, Federal agencies gain a better understanding of the risks and preparedness posture associated with critical infrastructure. This allows entities to make more informed decisions when identifying and addressing national critical infrastructure priorities.

Critical Infrastructure Partners

The NIPP defines critical infrastructure partners as those Federal, State, regional, territorial, local, or tribal government entities, private sector owners and operators and representative organizations, academic and professional entities and certain not-for-profit and private volunteer organizations that share in the responsibility for protecting the Nation’s critical infrastructure.

A National Partnership Model

PPD-21 describes critical infrastructure security and resilience as a shared responsibility between governments at all levels and the private sector and calls for an evaluation of the existing public-private partnership, which identified the attributes of effective partnerships.

NIPP 2013 expands on this concept by acknowledging the differing perspectives that drive government and industry partners who work collaboratively toward shared goals.

The partnership approach to critical infrastructure security and resilience recognizes the unique perspectives and comparative advantages of the diverse critical infrastructure community.

The NIPP is designed to be implemented using organizational structures and partnerships committed to sharing and protecting the information needed to achieve the NIPP goal and supporting objectives.

The NIPP Sector Partnership Model

The sector partnership model is a representation of how the private sector and government serve as equal partners to accomplish the infrastructure security and resilience mission.

Through the partnership model and its forums, the private sector and government conduct planning and share information, manage risk and ensure continuous improvement.

Appendix A of the NIPP further describes the functions of the partnership structures, as well as additional structures that support national critical infrastructure security and resilience.

Coordination Mechanisms

The sector and cross-sector partnership approach is designed to be scalable and allow individual owners and operators of critical infrastructure and other stakeholders across the country to participate.

It is intended to promote consistency of process to enable efficient collaboration between disparate parts of the critical infrastructure community, while allowing for the use of other viable partnership structures and planning processes.

This concept has proved successful and can be leveraged at the State, local, tribal and territorial levels as well as within and across regions to:
  • Build, form, or expand existing networks;
  • Identify proven practices;
  • Adapt to or adopt lessons learned; and
  • Leverage practices, processes, or plans as appropriate.

The blue vertical arrows of the National Partnership Model represent collaborative structures through which representative groups from Federal, State, local, tribal and territorial governments and the private sector can collaborate and develop consensus approaches to critical infrastructure security and resilience.

The sector partnership model facilitates the integration of all partners into critical infrastructure planning and operational activities.

Sector and Cross-sector Council Structures Include:
Critical Infrastructure Partnership Advisory Council

Many of the sector and cross-sector council structures take advantage of the Critical Infrastructure Partnership Advisory Council (CIPAC) legal framework.

Established in 2006 by the Secretary of Homeland Security to facilitate effective coordination between federal infrastructure protection programs and the infrastructure protection activities of the private sector and of state, local, territorial and tribal governments, CIPAC allows members of the SCCs and GCCs to engage in joint critical infrastructure security-related discussions and participate in a broad spectrum of activities.

While operating under the CIPAC framework, the public-private critical infrastructure partnership meetings are exempt from the Federal Advisory Committee Act (FACA), allowing partners to engage in frank or sensitive dialogue.

The Value Proposition

Finding the appropriate value proposition among partners requires understanding these differing perspectives and how they may affect efforts to set joint priorities. Within these parameters, critical infrastructure security and resilience depend on applying risk management practices of both industry and government, coupled with available resources and incentives, to guide and sustain efforts.

NIPP 2013 promotes the concept of comparative advantage, where the unique skills and resources of individual partners are leveraged and brought to bear in a collective manner to reduce critical infrastructure risk.

Appendix B of the NIPP lists roles, responsibilities and capabilities of critical infrastructure partners and stakeholders.

Value Proposition for Critical Infrastructure Private Sector Partners

Many industries justify their critical infrastructure security and resilience efforts based on corporate business needs.

Government can support these private sector efforts and assist in broad-scale preparedness through activities such as:

  • Providing owners and operators with timely, analytical, accurate and useful information on threats to critical infrastructure.
  • Ensuring that industry is engaged as early as possible in the development of policies and initiatives related to NIPP implementation.
  • Articulating to corporate leaders the business and national security benefits of investing in security measures that exceed their business case.
  • Creating an environment that encourages and supports incentives for companies to voluntarily adopt widely accepted security practices.
  • Working with industry to develop and clearly prioritize key missions and enable the protection and/or restoration of related critical infrastructure.
  • Providing support for R&D initiatives that are needed to enhance future critical infrastructure security and resilience efforts.
  • Providing the resources to enable cross-sector interdependency studies, exercises, symposiums, training sessions and computer modeling; and otherwise support business continuity planning.
  • Enabling time-sensitive information sharing and restoration and recovery support to priority critical infrastructure facilities and services during emerging threat and incident management situations.
Roles, Responsibilities and Capabilities of Critical Infrastructure Partners and Stakeholders

PPD-21 states, “An effective national effort to strengthen critical infrastructure security and resilience must be guided by a national plan that identifies roles and responsibilities and is informed by the expertise, experience, capabilities and responsibilities of the SSAs, other Federal departments and agencies with critical infrastructure roles, SLTT entities and critical infrastructure owners and operators.”

PPD-41 also recognizes the shared responsibility for cybersecurity. Response activities are organized under PPD-41 into three concurrent lines of effort: threat response; asset response; and intelligence support and related activities. These concurrent lines of effort provide a foundation for harmonizing various response efforts and fostering coordination and unity of effort before, during, and after any cyber incident response.

NIPP 2013 Appendix B includes the roles, responsibilities and capabilities of critical infrastructure partners and stakeholders, including the Federal roles prescribed in PPD-21 and those of State, local, tribal and territorial governments; critical infrastructure owners and operators; advisory councils and committees; and academic and research organizations.

This section of the lesson provides an overview of partner and stakeholder roles.

Secretary of Homeland Security

The Secretary of Homeland Security provides strategic guidance, promotes a national unity of effort and coordinates the overall Federal effort to promote the security and resilience of the Nation’s critical infrastructure.

As the principal Federal official for domestic incident management, the Secretary of Homeland Security coordinates Federal preparedness activities in alignment with PPD-8, including coordinating Federal Government responses to significant cyber or physical incidents affecting critical infrastructure (consistent with statutory authorities).

The Secretary of Homeland Security coordinates with other relevant members of the Executive Branch, as appropriate, to support a single, comprehensive approach to domestic incident management so all levels of government across the Nation have the capability to work efficiently and effectively together, using a national approach to domestic incident management.

Additional DHS roles and responsibilities include, as appropriate:
  • Establish and maintain a comprehensive, multi-tiered and dynamic information-sharing network to provide timely and actionable threat information, assessments and warnings to public and private sector partners;
  • Sponsor critical infrastructure security and resilience-related research and development, demonstration projects and pilot programs;
  • Conduct modeling and simulations with SSAs to analyze sector, cross-sector and regional dependencies and interdependencies (including cyber dependencies) and share the results with critical infrastructure partners, as appropriate;
  • Document and apply lessons learned from exercises, actual incidents and pre-disaster mitigation efforts to critical infrastructure security and resilience activities; and
  • Evaluate the need for and coordinate the security and resilience of additional critical infrastructure categories over time.
Sector-Specific Agencies

Presidential Policy Directive 21 (PPD-21) designated responsibility to various Federal Government departments and agencies to serve as Sector-Specific Agencies (SSAs) for each of the critical infrastructure sectors and established criteria for identifying additional sectors.

The National Strategy for Information Sharing and Safeguarding (NSISS) identifies, as one of 16 national priorities, the need to establish “information-sharing processes and sector-specific protocols with private sector partners, to improve information quality and timeliness and secure the Nation’s infrastructure.”

SSAs are responsible for working with the Department of Homeland Security to implement the NIPP sector partnership model and risk management framework; develop protective programs, resilience strategies and related requirements; and provide sector-level critical infrastructure protection guidance.

DHS, in close collaboration with the SSAs, is responsible for overall coordination of the NIPP partnership organization and information-sharing network.

The National Goals are supported by objectives and priorities developed collaboratively at the sector level, which may be articulated in Sector-Specific Plans (SSPs) and serve as targets for joint planning among SSAs and their sector partners in government and the private sector.

Other Federal Agencies

As stated in PPD-21, Federal departments and agencies provide timely information to the Secretary of Homeland Security and the national critical infrastructure centers necessary to support cross-sector analysis and inform the situational awareness capability for critical infrastructure; the centers in turn share the information back with the appropriate critical infrastructure partners.

Federal departments and agencies that are not designated as SSAs, but have unique responsibilities, functions, or expertise in a particular critical infrastructure sector (such as GCC members) assist in identifying and assessing high-consequence critical infrastructure and collaborate with relevant partners to share security and resilience-related information within the sector, as appropriate.

Presidential Policy Directive 41 (PPD-41) establishes a coordination structure in order to facilitate a more unified response for handling significant cyber incidents.

  • National Policy Level Coordination
  • Operational Level Coordination
  • Sector Coordination

In the event of a significant cyber incident, Federal lead agency responsibilities are identified as follows for coordination:

  • Threat Response - The Department of Justice, acting through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force, will serve as the lead Federal agency for threat response.
  • Asset Response - DHS, acting through the National Cybersecurity and Communications Integration Center (NCCIC), will serve as the lead Federal agency for asset response activities.
  • Intelligence Support - The office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, will serve as the lead Federal agency for intelligence support and related activities.

More information on capabilities of partners is provided in Appendix B of the NIPP.

Critical Infrastructure Owners and Operators

Critical infrastructure owners and operators in the public and private sector develop and implement security and resilience programs for the critical infrastructure under their control, while taking into consideration the public good as well. Owners and operators take action to support risk management planning and investments in security as a necessary component of prudent business planning and operations.

In today’s risk environment, these activities generally include:
  • Reassessing and adjusting business continuity and emergency management plans,
  • Building increased resilience and redundancy into business processes and systems,
  • Protecting facilities against physical and cyber-attacks,
  • Reducing the vulnerability to natural disasters,
  • Guarding against insider threats, and
  • Increasing coordination with external organizations to avoid or minimize the impact on surrounding communities or other industry partners.
Owners and Operators Critical Infrastructure Security-Related Activities

For many private sector enterprises, the level of investment in security reflects risk-versus-consequence tradeoffs that are based on two factors:

1. That which is known about the risk environment.
  • The Federal Government is uniquely positioned to help inform investment decisions and operational planning.
  • Owners and operators may look to the government and information sharing and analysis organizations like Information Sharing and Analysis Centers (ISACs) as a source of security-related best practices and for attack or natural hazard indications, warnings and threat assessments.
2. That which is economically justifiable and sustainable in a competitive marketplace or within resource constraints.
  • Owners and operators may rely on government entities or participate in collective efforts with other owners and operators to address risks outside of their property or in situations in which the current threat exceeds an enterprise’s capability to protect itself or requires an unreasonable level of additional investment to mitigate risk.
  • In this situation, public and private sector partners at all levels collaborate to address the security and resilience of national-level critical infrastructure, provide timely warnings and promote an environment in which critical infrastructure owners and operators can carry out their specific responsibilities.
Critical infrastructure owners and operators participate in many cyber risk mitigation activities including:
  • Cybersecurity information-sharing efforts (e.g., sector-specific cyber working groups, the Cross-Sector Cybersecurity Working Group and the Industrial Control Systems Joint Working Group),
  • Cyber risk assessments,
  • Cybersecurity exercises,
  • Cyber incident response and recovery efforts, and
  • Cyber metrics development.
The roles of specific owners and operators vary widely within and across sectors. Some sectors have statutory and regulatory frameworks that affect private sector security operations within the sector; however, most are guided by a voluntary focus on security and resilience or adherence to industry-promoted best practices.
Critical infrastructure owners and operators may contribute to national critical infrastructure security and resilience efforts through a range of activities. These activities may include but are not limited to:
  • Performing critical infrastructure risk assessments;
  • Understanding dependencies and interdependencies;
  • Developing and coordinating emergency response plans with appropriate Federal and SLTT government authorities;
  • Establishing continuity plans and programs that facilitate the performance of lifeline functions during an incident;
  • Participating in critical infrastructure-focused training and exercise activities with public and private sector partners; and
  • Contributing technical expertise to the critical infrastructure security and resilience efforts of DHS and the SSAs.
State, Local, Tribal and Territorial Governments

State, local, tribal and territorial governments are responsible for implementing the homeland security mission, protecting public safety and welfare and ensuring the provision of essential services to communities and industries within their jurisdictions.

States and territorial governments also:

  • Serve as crucial coordination hubs, bringing together preparedness authorities, capabilities, and resources.
  • Coordinate requests for Federal assistance when the threat or incident situation exceeds jurisdictional capabilities.
  • Develop and implement statewide/regional critical infrastructure security and resilience programs that reflect the full range of NIPP-related activities.
  • Facilitate the information-sharing process. States receive critical infrastructure information from the Federal Government to support national and State critical infrastructure security and resilience programs.

State and Territorial Government Critical Infrastructure Security-Related Activities
  • Establish partnerships and facilitate coordinated information sharing;
  • Enable planning and preparedness for their jurisdictions;
  • Serve as crucial coordination hubs;
  • Receive critical infrastructure information from the Federal Government to support national and State critical infrastructure security and resilience programs;
  • Provide information to DHS, regarding State or territorial priorities, requirements and critical infrastructure-related funding needs;
  • Work with State and territorial-level sector-specific agencies to support the vision, mission and goals of this National Plan within those sectors, as appropriate;
  • Engage subject matter experts at the sector level to assist with this effort;
  • Address all relevant aspects of critical infrastructure security and resilience;
  • Leverage support from homeland security assistance programs that apply across the homeland security mission area; and
  • Reflect priority activities in their strategies to ensure that resources are effectively allocated.

Effective statewide and regional critical infrastructure security and resilience efforts should be integrated into the overarching homeland security program framework at the State or territorial level to ensure that efforts are synchronized and mutually supportive.

Critical infrastructure security and resilience at the State or territorial level must cut across all sectors present within the jurisdiction and support national, State and local priorities. The program also should explicitly address unique geographical issues, including trans-border concerns, as well as interdependencies among sectors and jurisdictions within those geographical boundaries.

Regional Partners

Regional partnerships include a variety of public-private sector initiatives that cross jurisdictional and/or sector boundaries and focus on homeland security preparedness within or serving the population of a defined geographical area.

Specific regional initiatives range in scope from organizations that include multiple jurisdictions and industry partners within a single State, tribe, or territory to groups that involve jurisdictions and enterprises across State, tribal, territorial and international borders.

Regionally-based Partnership Activities

State governments can also collaborate through the adoption of interstate compacts to formalize regionally-based partnerships.

Partners in regional initiatives are encouraged to capitalize on the expertise and relationships to:

  • Promote collaboration among partners;
  • Facilitate education and awareness;
  • Participate in regional exercise and training programs, including a focus on collaboration across jurisdictional and sector boundaries;
  • Support threat-initiated and ongoing operations-based activities to enhance security and resilience and to support mitigation, response and recovery;
  • Work with SLTT and international governments and the private sector to evaluate regional and cross-sector critical infrastructure interdependencies, including cyber considerations;
  • Conduct appropriate regional planning efforts and undertake appropriate partnership agreements;
  • Facilitate information sharing and data collection between and among regional initiative members and external partners;
  • Share information on progress and critical infrastructure security and resilience requirements with DHS, the SSAs, State and local governments and other critical infrastructure partners, as appropriate; and
  • Participate in the critical infrastructure partnership.

Regional Partners: Best Practices

Regional partners are able to connect on critical infrastructure security and resilience issues through entities other than the national-level partnership and government-led models. One mechanism is through regional partnership coalitions, such as ChicagoFIRST.

ChicagoFIRST is a member of the Regional Consortium Coordinating Council and has a membership that is primarily from the Banking and Finance Sector. ChicagoFIRST collaborates with the City of Chicago, the State of Illinois, the U.S. Department of the Treasury, DHS and other critical sectors on disaster preparedness and business continuity issues. The members of ChicagoFIRST are private sector firms.

One of its most critical achievements is the establishment and maintenance of relationships between the members and government. ChicagoFIRST acts as a conduit for information for its members and coordinates with government at all levels to provide its member firms with a means to address industry issues and gather information for their own crisis response.

State and Regionally Based Boards, Commissions, Authorities, Councils and Other Entities

An array of boards, commissions, authorities, councils and other entities at the State, local, tribal and regional levels perform regulatory, advisory, policy, or business oversight functions related to various aspects of critical infrastructure operations and security within and across sectors and jurisdictions.

Some of these entities are established through State- or local-level executive or legislative mandates with elected, appointed, or voluntary membership.

These groups include, but are not limited to, transportation authorities, public utility commissions, water and sewer boards, park commissions, housing authorities, public health agencies and many others.

These entities may serve as State-level sector-specific agencies and contribute expertise, assist with regulatory authorities, or help facilitate investment decisions related to critical infrastructure security and resilience efforts within a given jurisdiction or geographic region.

Commissions: Best Practices
Public utility commissions are responsible for electricity, gas and telecommunications infrastructures and, in some cases, water, wastewater/sewage and certain aspects of transportation. Working together, public utility commissions are able to address issues of mutual concern based on the interdependencies between the water, communications and energy infrastructures by:
  • Creating networks among utility regulators and other government and private sector entities to address cross-sector issues.
  • Recommending strategies to facilitate information sharing.
  • Recommending cost-effective solutions to cost-recovery issues associated with protecting key water, gas, communications and energy infrastructures.
  • Identifying and prioritizing issues, researching best practices and disseminating information to partners and affiliates.

Local Governments

Local governments represent the frontlines for homeland security and, more specifically, for critical infrastructure security and implementation of the NIPP.

Local governments:

  • Provide critical public services and functions in conjunction with private sector owners and operators.
  • Own and operate, in some sectors, critical infrastructure such as water, storm water and electric utilities.
  • Drive emergency preparedness, as well as local participation in NIPP and SSP implementation, across a variety of jurisdictional partners.

Local Government Critical Infrastructure Security and Resilience-Related Activities
Critical infrastructure protection focus at the local level should include, but is not limited to:
  • Acting as a focal point for and promoting the coordination of protective and emergency response activities, preparedness programs and resource support among local agencies, businesses and citizens;
  • Developing a consistent approach at the local level to critical infrastructure identification, risk determination, mitigation planning and prioritized security investment and exercising preparedness among all relevant partners within the jurisdiction;
  • Identifying, implementing and monitoring a risk management plan and taking corrective actions, as appropriate;
  • Participating in significant national, State, local and regional education and awareness programs to encourage appropriate management and security of cyber systems;
  • Facilitating the exchange of security information, including threat assessments, attack indications and warnings and advisories, among partners within the jurisdiction;
  • Participating in the NIPP sector partnership model, including GCCs, SCCs, SLTTGCC and other critical infrastructure structures relevant to the given jurisdiction;
  • Ensuring that funding priorities are addressed and that resources are allocated efficiently and effectively to achieve the critical infrastructure security and resilience mission in accordance with relevant plans and strategies;
  • Establishing continuity plans and programs that facilitate the performance of critical functions during an emergency or until normal operations can be resumed;
  • Sharing with partners, as appropriate, critical infrastructure information deemed to be critical from the local perspective to enable prioritized protection and restoration of critical public services, facilities, utilities and processes within the jurisdiction;
  • Addressing unique geographical issues, including trans-border concerns, dependencies and interdependencies among agencies and enterprises within the jurisdiction;
  • Identifying and implementing plans and processes for step-ups in protective measures that align to all-hazards warnings; specific threats, as appropriate; and each level of the HSAS;
  • Documenting lessons learned from pre-disaster mitigation efforts, exercises and actual incidents and applying that learning, where applicable, to the critical infrastructure security context; and
  • Conducting critical infrastructure security and resilience public awareness activities.

Advisory Councils
Advisory councils:
  • Provide advice, recommendations and expertise to the government regarding critical infrastructure security policy and activities.
  • Help enhance public-private partnerships and information sharing.
  • Often provide an additional mechanism to engage with a pre-existing group of private sector leaders to obtain feedback on critical infrastructure policy and programs.
  • Make suggestions to increase the efficiency and effectiveness of specific government programs.
Examples of critical infrastructure security and resilience-related advisory councils and their associated roles:
  • Homeland Security Advisory Council: Provides advice and recommendations to the Secretary of Homeland Security on relevant issues; council members, appointed by the DHS Secretary, include experts from State and local governments, public safety, security and first-responder communities, academia and the private sector.
  • Private Sector Senior Advisory Committee: Subcommittee of HSAC that provides the council with expert advice from leaders in the private sector.
  • National Infrastructure Advisory Council: Provides the President, through the Secretary of Homeland Security, with advice on the security of physical and cyber systems across all critical infrastructure sectors; comprises up to 30 members appointed by the President, who are selected from the private sector, academia and State and local governments. The council was established (and amended) under Executive Orders 13231, 13286, 13385 and 13652.
  • National Security Telecommunications Advisory Committee: Provides industry-based advice and expertise to the President on issues and problems related to implementing National Security and Emergency Preparedness communications policy; comprises up to 30 industry chief executives representing the major communications and network service providers and information technology, finance and aerospace companies.

Academia and Research Centers
The academic and research communities play an important role in enabling national-level critical infrastructure security and resilience, including:
  • Establishing Centers of Excellence (i.e., university-based partnerships or federally funded R&D centers) to provide independent analysis of critical infrastructure security and resilience issues;
  • Supporting the research, development, testing, evaluation and deployment of security and resilience technologies;
  • Supporting development and implementation of concepts, architectures and technical strategies associated with critical infrastructure security and resilience;
  • Analyzing, developing and sharing best practices related to critical infrastructure prioritization, security and resilience efforts;
  • Researching and providing innovative thinking and perspective on threats and the behavioral aspects of terrorism and criminal activity;
  • Preparing or disseminating guidelines and descriptions of best practices for physical and cyber security;
  • Developing and providing suitable all-hazards risk analysis and risk management courses for critical infrastructure security and resilience professionals;
  • Establishing undergraduate and graduate curricula and degree programs;
  • Conducting research to identify new technologies and analytical methods that can be applied by partners to support critical infrastructure security and resilience efforts;
  • Participating in the review and validation of critical infrastructure security and resilience risk analysis and management approaches; and
  • Engaging and serving as a resource to local communities for efforts to enhance the security and resilience of physical and cyber critical infrastructure.

International Coordination

The nature of critical infrastructure ownership and operations is also distributed, and the need for joint planning and investment is becoming more common and necessary at the international level.

These global connections inform the way that the critical infrastructure community should plan to work together, within and across sectors and across jurisdictions and national borders, to increase the security and resilience of critical infrastructure.

PPD-21 calls for international collaboration as part of the national unity of effort to strengthen security and resilience. To that end, Federal, private sector and international partners work together to implement coordinated global infrastructure security measures to protect against current and future physical and cyber threats.

International collaboration occurs in many areas, including:
  • Sharing information,
  • Implementing existing agreements affecting critical infrastructure security and resilience,
  • Developing policies for cross-border coordination of security and resilience initiatives,
  • Addressing cross-sector and global issues such as cybersecurity, and
  • Enhancing understanding of cross-border interdependencies of critical infrastructure.

Information Sharing Among Sector Partners

Voluntary collaboration between private sector owners and operators (including their partner associations, vendors and others) and their government counterparts is the primary mechanism for advancing collective action toward national critical infrastructure security and resilience.

The effective implementation of the NIPP is predicated on active participation by government and private sector partners in robust, multidirectional information sharing.

  • This enhances owners' and operators' ability to assess risks, make prudent security investments and develop appropriate resilience strategies.
  • When the Government understands private sector information needs, it can adjust its information collection, analysis, synthesis and dissemination activities accordingly.
  • When the private sector is assured that the critical infrastructure information that it shares with the government will be protected from release or disclosure, the Nation’s critical infrastructure protection capabilities will be enhanced.

Benefits of Information Sharing
Information sharing enhances:
  • Owners' and operators' ability to assess risks, make prudent security investments and develop appropriate resilience strategies.
  • Government's ability to adjust its information collection, analysis, synthesis and dissemination activities based on the needs of the private sector.

The critical infrastructure Information-Sharing Environment supports three levels of decisionmaking and action:
  • Strategic planning and investment
  • Situational awareness and preparedness
  • Operational planning and response

Information Flow and Decisionmaking

The NIPP information-sharing approach constitutes a shift from a strictly hierarchical to a networked model, allowing distribution and access to information to enable decentralized decisionmaking and actions.

The increasing availability of data and information essential to operating and maintaining infrastructure and related technologies enables more efficient and effective practices.

This information is vulnerable to unauthorized access that could affect its confidentiality, integrity, or availability. The distribution of such information to those entities that can use it for efficient and effective risk management remains a challenge.

Protecting Privacy, Civil Liberties and Critical Infrastructure Information

It is critical to maintain the availability of information and distribute it to those who can use and protect it properly. This entails being transparent about information-sharing practices; protecting sources and methods; and ensuring privacy and protecting civil liberties, while also enabling law enforcement investigations.

Supporting information-sharing initiatives exist at both the national and regional levels. Information-sharing activities can protect privacy by applying the Fair Information Practice Principles (FIPPs) and protect civil liberties by complying with applicable laws and policies.

It is equally crucial to ensure adequate protection of sensitive business and security information that could cause serious adverse impacts to private businesses, the economy and public or private enterprise security through unauthorized disclosure, access, or use.

The Federal Government has a statutory responsibility to safeguard critical infrastructure information.

DHS and other agencies use the Protected Critical Infrastructure Information (PCII) program and other protocols such as Classified National Security Information, Law Enforcement Sensitive Information and Federal Security Classification Guidelines.

The PCII program, authorized by the Critical Infrastructure Information (CII) Act of 2002 and its implementing regulations (Title 6 of the Code of Federal Regulations Part 29), defines both the requirements for submitting CII and those that government agencies must follow for accessing and safeguarding CII.

Safeguarding Against Unauthorized Disclosure and Access

NIPP implementation relies on the critical infrastructure information provided by the private sector and State, local, tribal, or territorial governments.

The NIPP recognizes that unauthorized disclosure of, or access to, sensitive business or security information could cause serious damage to companies, the economy and public safety or security.

Protected Critical Infrastructure Information (PCII) Program

DHS and other Federal agencies use a number of programs and procedures, such as the Protected Critical Infrastructure Information (PCII) Program, to ensure that critical infrastructure information is properly safeguarded.

The PCII Program includes procedures that govern the receipt, validation, handling, dissemination, storage, marking and use of critical infrastructure information voluntarily submitted to the Department of Homeland Security. These procedures are also applicable to Federal, State, local, tribal, or territorial government employees or contractors supporting Federal agencies that have access to, handle, use, or store critical infrastructure information that enjoys protection under the Critical Infrastructure Information Act of 2002.

NIPP 2013 Supplement: Connecting to the NICC and the NCCIC

This supplement describes how partners throughout the critical infrastructure community can connect to the NICC and NCCIC. It describes the information desired by the centers and their partners, as well as how the centers protect and analyze data to inform prevention, protection, mitigation, response and recovery activities.

Presidential Policy Directive 21 (PPD-21) highlights the role of the national physical and cyber coordinating centers in enabling successful critical infrastructure security and resilience outcomes.

Presidential Policy Directive 41 (PPD-41) states that DHS, acting through the National Cybersecurity and Communications Integration Center (NCCIC), will serve as the lead Federal agency for (cybersecurity) asset response activities.

The National Infrastructure Coordinating Center (NICC) and the National Cybersecurity and Communications Integration Center (NCCIC) fulfill this Department of Homeland Security (DHS) responsibility within the critical infrastructure partnership.

Lesson 2 Summary
In this lesson you learned to:
  • Describe the risk environment
  • Identify dependencies and interdependencies across critical infrastructure systems
  • Identify the relevant authorities and roles of:
    • The Department of Homeland Security (DHS).
    • Sector-Specific Agencies (SSAs).
    • Other Federal departments and agencies.
    • State, local, tribal and territorial jurisdictions.
    • Owners and operators.
  • Discuss the importance of partnerships
  • Describe the NIPP sector and cross-sector coordinating structure
  • Describe how the NIPP fosters information sharing at all levels
Below are the NIPP 2013 resources referenced in this lesson for further review: