The purpose of this course is to raise awareness across the entire critical infrastructure community — including public and private sectors as well as government at all levels — of the National Infrastructure Protection Plan key concepts, core tenants and call to action and enhance knowledge to enable participants to apply these concepts to contribute to the security and resilience of critical infrastructure within their communities and areas of responsibility.

NIPP 2013, Partnering for Critical Infrastructure Security and Resilience guides efforts of stakeholders to enhance the security and resilience of critical infrastructure across the country in conjunction with national preparedness policy. It embraces a collaborative partnership built on comparative advantage; reinforces the importance of efficient information sharing grounded in appropriate legal protections, trusted relationships and enabling technologies; and focuses on risk management innovations and outcomes.

Critical infrastructure, such as water, energy, electricity and petroleum products, represent day-to-day goods and services that are a part of the life of every single American.

Critical infrastructure provides the foundation for the Nation’s ability to maintain our way of life.

Protecting the critical infrastructure of the United States is essential to the Nation’s security, public health and safety, economic vitality and way of life. Disruption of America’s critical infrastructure could significantly interrupt the functioning of government and business alike and produce cascading effects far beyond the targeted sector and physical location of the incident. Direct terrorist attacks and natural, manmade, or technological hazards could produce catastrophic losses in terms of human casualties, property destruction and economic effects, as well as profound damage to public morale and confidence.

The National Infrastructure Protection Plan is the path forward toward building and enhancing protective measures for the critical infrastructure that sustain commerce and communities throughout the United States.

Our national well-being relies upon secure and resilient critical infrastructure—those assets, systems and networks that underpin American society.

NIPP 2013 guides the national effort to manage risk to the Nation’s critical infrastructure. This national effort is shared by all levels of government and owners and operators of critical infrastructure. The Nation’s critical infrastructure is largely owned and operated by the private sector; however, Federal, State, Local, Tribal and Territorial governments also own and operate critical infrastructure, as do foreign entities and companies.

NIPP 2013 influences critical infrastructure security and resilience planning at all governmental and owner and operator levels by establishing a vision, mission and goals that are supported by a set of Core Tenets focused on risk management and partnership.

Building on the partnership and risk management framework introduced in 2006, the 2013 update is informed by changes in the risk, policy and operating environments and from experiences gained and lessons learned since the previous NIPP was issued.

Presidential Policy Directive 21 (PPD-21) defines security and resilience as follows:

Security: Reducing the risk to critical infrastructure by physical means or defens[ive] cyber measures to intrusions, attacks, or the effects of natural or manmade disasters.

Based on the vision, mission and goals, the critical infrastructure community works jointly to set specific national priorities, while considering resource availability, progress already made, known capability gaps and emerging risks. Jointly-developed priorities drive national action and are supplemented by sector, regional, State, Local, Tribal and Territorial priorities.

Performance measures will be set based on the goals and Joint National Priorities. National reporting mechanisms include measuring progress, which helps build a common understanding of the state of security and resilience efforts.

The interrelationship of these elements is depicted in the National Plan’s approach to building and sustaining unity of effort.

Given the diverse roles and responsibilities across the infrastructure community, a proactive, collaborative and inclusive partnership among all levels of government and the private and non-profit sector is required to ensure optimal use of existing capabilities and to develop new ones. Additionally, infrastructure critical to the United States transcends national boundaries, requiring cross-border collaboration, mutual assistance and other cooperation.

The National Plan establishes seven Core Tenets, representing the values and assumptions the critical infrastructure community should consider when conducting security and resilience planning.

Select each core tenet to expand its NIPP 2013 description

Risk should be identified and managed in a coordinated and comprehensive way across the critical infrastructure community to enable the effective allocation of security and resilience resources.

Collaboratively managing risk requires sharing information (including smart practices), promoting more efficient and effective use of resources and minimizing duplication of effort. To ensure a comprehensive approach to risk management, the critical infrastructure community considers strategies to achieve risk mitigation, as well as other ways to address risk, including acceptance, avoidance, or transference.

Understanding and addressing risks from cross-sector dependencies and interdependencies is essential to enhancing critical infrastructure security and resilience.

The way infrastructure sectors interact, including through reliance on shared information and communications technologies (e.g., cloud services), shapes how the Nation’s critical infrastructure partners should collectively manage risk. It is important for the critical infrastructure community to understand and appropriately account for dependencies and interdependencies when managing risk. For example, all sectors rely on functions provided by energy, communications, transportation and water systems, among others.

Gaining knowledge of infrastructure risk and interdependencies requires information sharing across the critical infrastructure community.

Critical infrastructure community members possess and produce diverse information useful to the enhancement of critical infrastructure security and resilience. Sharing and jointly planning based on this information is imperative to comprehensively address security and resilience in an increasingly interconnected environment. For that to happen, appropriate legal protections, trusted relationships, enabling technologies and consistent processes must be in place.

The partnership approach to critical infrastructure security and resilience recognizes the unique perspectives and comparative advantages of the diverse critical infrastructure community.

The public-private partnership is central to maintaining critical infrastructure security and resilience. A well-functioning partnership depends on a set of attributes, including trust; a defined purpose for its activities; clearly articulated goals; measurable progress and outcomes to guide shared activities; leadership involvement; clear and frequent communication; and flexibility and adaptability. All levels of government and the private and nonprofit sectors bring unique expertise, capabilities and core competencies to the national effort. Recognizing the value of different perspectives helps the partnership more distinctly understand challenges and solutions related to critical infrastructure security and resilience.

Regional and SLTT partnerships are crucial to developing shared perspectives on gaps and actions to improve critical infrastructure security and resilience.

The National Plan emphasizes partnering across institutions and geographic boundaries to achieve security and resilience. Risks often have local consequences, making it essential to execute initiatives on a regional scale in a way that complements and operationalizes the national effort. This requires locally based public, private and non-profit organizations to provide their perspectives in the assessment of risk and mitigation strategies.

Infrastructure critical to the United States transcends national boundaries, requiring cross-border collaboration, mutual assistance and other cooperative agreements.

The United States benefits from and depends upon a global network of infrastructure.. The distributed nature and interconnectedness of these assets, systems and networks create a complex environment in which the risks the Nation faces are not distinctly contained within its borders. Services provided by critical infrastructure are often dependent on information gathered, stored, or processed in highly distributed locations. It is imperative that the government, private sector and international partners work collaboratively to fully understand supply chain vulnerabilities and to implement coordinated, not competing, global security and resilience measures. The National Plan is focused on domestic efforts, while recognizing the international aspects of the national approach.

Security and resilience should be considered during the design of assets, systems and networks.

As critical infrastructure is built and refreshed, those involved in making design decisions, including those related to control systems, should consider the most effective and efficient ways to identify, deter, detect, disrupt and prepare for threats and hazards; mitigate vulnerabilities; and minimize consequences. This includes considering infrastructure resilience principles.

When something threatens the homeland, it almost certainly threatens critical infrastructure and, due to the interconnectivity of all of our assets and systems, many other aspects of American life as well. NIPP 2013 is informed by changes in the risk, policy and operating environments, as well as experience gained and lessons learned from exercises and real-world events, such as Hurricane Sandy and various cyber incidents.

The update reflects the input and expertise of partners across the critical infrastructure community, including Federal, State, local, tribal and territorial governments; regional entities; private sector owners and operators; academic and non-profit organizations; and the public.

Evolving Threats to Critical Infrastructure. Threats include extreme weather, accidents or technical failures, cyber threats, acts of terrorism, and pandemics. The risk environment is complex and uncertain; threats, vulnerabilities and consequences have all evolved over the last 10 years.

The Strategic National Risk Assessment (SNRA) defines numerous threats and hazards to homeland security. In addition to the known risks analyzed as part of the SNRA, the potential for interconnected events with unknown consequences adds uncertainty.

Collaborative planning and action is required due to the extent of interconnected infrastructure. The Nation’s critical infrastructure has become much more interdependent, continuing to move from an operating environment characterized by disparate assets, systems and networks to one in which cloud computing, mobile devices and wireless connectivity have dramatically changed the way infrastructure is operated.

Interdependencies may be limited to small urban or rural areas or span vast regions, crossing jurisdictional and national boundaries, including infrastructure that require accurate and precise positioning, navigation and timing (PNT) data used in global positioning system (GPS), radio frequency identification (RFID), and global information systems (GIS) technology.

The nature of critical infrastructure ownership and operations is also distributed and the need for joint planning and investment to increase the security and resilience of critical infrastructure is becoming more common and necessary on the international level.

Effective risk management requires an understanding of the criticality of assets, systems, and networks, as well as the associated dependencies and interdependencies of critical infrastructure.

Growing interdependencies, particularly reliance on information and communications technologies, have increased the potential vulnerabilities to physical and cyber threats and potential consequences resulting from the compromise of underlying systems or networks. The potential impacts increase with these interdependencies and the ability of a diverse set of threats to exploit them to cause harm and disrupt essential services.

Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience explicitly calls for the development of an updated national plan.

In July of 2016, Presidential Policy Directive 41: United States Cyber Incident Coordination Policy (PPD-41) was issued by President Barack Obama. This new directive sets forth principles governing the Federal Government's response to any cyber incidents and provides architecture for coordinating the response to significant cyber incidents. Specifically, the PPD establishes three Federal lines of effort for any cyber incident: threat response; asset response; and intelligence support and related activities. This PPD also establishes lead Federal agencies responsibilities for coordinating Federal responses to significant cyber incidents.

The NIPP fulfills this requirement as it formalizes and strengthens existing critical infrastructure partnerships, and creates the baseline for how the public and private sectors will work together.

In addition, the National Plan fulfills requirements in Homeland Security Act of 2002 and is consistent with Executive Order 13636: Improving Critical Infrastructure Cybersecurity (2013); and aligns with the goal of Presidential Policy Directive 8 (PPD-8): National Preparedness (2011) and its supporting National Planning Frameworks: and two other policy documents: the President’s Climate Action Plan (2013); and the National Strategy for Information Sharing and Safeguarding (2013).

Click on each document title for more information.

The NIPP was created to complement, not replace, the Homeland Security plans and strategies, business continuity plans, preparedness strategies and security policies already developed by the critical infrastructure and first responders communities.

These existing private sector and government plans and strategies address an all-hazards approach and serve to broaden resilience and security measures for a variety of natural and manmade incidents.

Processes outlined in the NIPP are designed to enhance coordination, cooperation and collaboration among critical infrastructure partners within cross-sectors to synchronize related efforts and avoid duplicative or unnecessarily costly risk management requirements.

The NIPP partnership model provides a framework used to promote and facilitate sector and cross-sector planning, coordination, collaboration and information sharing for security and resilience, involving all levels of government and private sector entities.

As the nature of the critical infrastructure risk environment precludes any one entity from managing risks entirely on its own, partners benefit from access to knowledge and capabilities that would otherwise be unavailable to them.

Many critical infrastructure sectors have worked to establish stable and representative partnerships, managing transitions in leadership and broadening the range of members and skill sets needed to accomplish collective goals.

Through trusted relationships and information sharing, Federal agencies gain a better understanding of the risks and preparedness posture associated with critical infrastructure. This allows entities to make more informed decisions when identifying and addressing national critical infrastructure priorities.

The NIPP defines critical infrastructure partners as those Federal, State, regional, territorial, local, or tribal government entities, private sector owners and operators and representative organizations, academic and professional entities and certain not-for-profit and private volunteer organizations that share in the responsibility for protecting the Nation’s critical infrastructure.

PPD-21 describes critical infrastructure security and resilience as a shared responsibility between governments at all levels and the private sector and calls for an evaluation of the existing public-private partnership, which identified the attributes of effective partnerships.

NIPP 2013 expands on this concept by acknowledging the differing perspectives that drive government and industry partners who work collaboratively toward shared goals.

The partnership approach to critical infrastructure security and resilience recognizes the unique perspectives and comparative advantages of the diverse critical infrastructure community.

The NIPP is designed to be implemented using organizational structures and partnerships committed to sharing and protecting the information needed to achieve the NIPP goal and supporting objectives.

The sector partnership model is a representation of how the private sector and government serve as equal partners to accomplish the infrastructure security and resilience mission.

Through the partnership model and its forums, the private sector and government conduct planning and share information, manage risk and ensure continuous improvement.

Appendix A of the NIPP further describes the functions of the partnership structures, as well as additional structures that support national critical infrastructure security and resilience.

The sector and cross-sector partnership approach is designed to be scalable and allow individual owners and operators of critical infrastructure and other stakeholders across the country to participate.

It is intended to promote consistency of process to enable efficient collaboration between disparate parts of the critical infrastructure community, while allowing for the use of other viable partnership structures and planning processes.

Many of the sector and cross-sector council structures take advantage of the Critical Infrastructure Partnership Advisory Council (CIPAC) legal framework.

Established in 2006 by the Secretary of Homeland Security to facilitate effective coordination between federal infrastructure protection programs with the infrastructure protection activities of the private sector and of state, local, territorial and tribal governments, CIPAC allows members of the SCCs and GCCs to engage in joint critical infrastructure security-related discussions and participate in a broad spectrum of activities.

While operating under the CIPAC framework, the public-private critical infrastructure partnership meetings are exempt from the Federal Advisory Committee Act (FACA), allowing partners to engage in frank or sensitive dialogue.

Finding the appropriate value proposition among partners requires understanding these differing perspectives and how they may affect efforts to set joint priorities. Within these parameters, critical infrastructure security and resilience depend on applying risk management practices of both industry and government, coupled with available resources and incentives, to guide and sustain efforts.

NIPP 2013 promotes the concept of comparative advantage, where the unique skills and resources of individual partners are leveraged and brought to bear in a collective manner to reduce critical infrastructure risk.

Appendix B of the NIPP lists roles, responsibilities and capabilities of critical infrastructure partners and stakeholders

PPD-21 states, “An effective national effort to strengthen critical infrastructure security and resilience must be guided by a national plan that identifies roles and responsibilities and is informed by the expertise, experience, capabilities and responsibilities of the SSAs, other Federal departments and agencies with critical infrastructure roles, SLTT entities and critical infrastructure owners and operators.”

PPD-41 also recognizes the shared responsibility for cybersecurity, response activities have been outlined under PPD-41 into three concurrent lines of effort: threat response, asset response, intelligence support and related activities. These concurrent lines of effort provide a foundation for harmonizing various response efforts and fostering coordination and unity of effort before, during, and after any cyber incident response.

NIPP 2013 Appendix B includes the roles, responsibilities and capabilities of critical infrastructure partners and stakeholders including those Federal Roles as prescribed in PPD-21 as well as those for State, Local, Tribal and Territorial governments as well as critical infrastructure owners and operators, advisory councils and committees and academic and research organizations.

This section of the lesson provides an overview of partner and stakeholder roles.

The Secretary of Homeland Security provides strategic guidance, promotes a national unity of effort and coordinates the overall Federal effort to promote the security and resilience of the Nation’s critical infrastructure.

As the principal Federal official for domestic incident management, the Secretary for Homeland Security coordinates Federal preparedness activities in alignment with PPD-8, including coordinating Federal Government responses to significant cyber or physical incidents affecting critical infrastructure (consistent with statutory authorities).

The Secretary of Homeland Security coordinates with other relevant members of the Executive Branch, as appropriate, to support a single, comprehensive approach to domestic incident management so all levels of government across the Nation have the capability to work efficiently and effectively together, using a national approach to domestic incident management.

Presidential Policy Directive 21 (PPD-21) designated responsibility to various Federal Government departments and agencies to serve as Sector-Specific Agencies (SSAs) for each of the critical infrastructure sectors and established criteria for identifying additional sectors.

The National Strategy for Information Sharing and Safeguarding (NSISS) identifies, as one of 16 national priorities, the need to establish “information-sharing processes and sector-specific protocols with private sector partners, to improve information quality and timeliness and secure the Nation’s infrastructure.”

SSAs are responsible for working with the Department of Homeland Security to implement the NIPP sector partnership model and risk management framework; develop protective programs, resilience strategies and related requirements; and provide sector-level critical infrastructure protection guidance.

DHS, in close collaboration with the SSAs, is responsible for overall coordination of the NIPP partnership organization and information-sharing network.

The National Goals are supported by objectives and priorities developed collaboratively at the sector level, which may be articulated in Sector-Specific Plans (SSPs) and serve as targets for joint planning among SSAs and their sector partners in government and the private sector.

As stated in PPD-21, Federal departments and agencies provide timely information to the Secretary of Homeland Security and the national critical infrastructure centers necessary to support cross-sector analysis and inform the situational awareness capability for critical infrastructure; the centers in turn share the information back with the appropriate critical infrastructure partners.

Federal departments and agencies that are not designated as SSAs, but have unique responsibilities, functions, or expertise in a particular critical infrastructure sector (such as GCC members) assist in identifying and assessing high-consequence critical infrastructure and collaborate with relevant partners to share security and resilience-related information within the sector, as appropriate.

Presidential Policy Directive 41 (PPD-41) establishes a coordination structure in order to facilitate a more unified response for handling significant cyber incidents.

• National Policy Level Coordination
• Operational Level Coordination
• Sector Coordination

In the event of a significant cyber incident, Federal lead agency responsibilities are identified as follows for coordination:

• Threat Response - The Department of Justice, acting through the Federal Bureau of Investigation and the National Cyber Investigative Joint Task Force, will serve as the lead Federal agency for threat response.
• Asset Response - DHS, acting through the National Cybersecurity and Communications Integration Center (NCCIC), will serve as the lead Federal agency for asset response activities.
• Intelligence Support - The office of the Director of National Intelligence, through the Cyber Threat Intelligence Integration Center, will serve as the lead Federal agency for intelligence support and related activities.

More information on capabilities of partners is provided in Appendix B of the NIPP

Critical infrastructure owners and operators in the public and private sector develop and implement security and resilience programs for the critical infrastructure under their control, while taking into consideration the public good as well. Owners and operators take action to support risk management planning and investments in security as a necessary component of prudent business planning and operations.

Effective Statewide and regional critical infrastructure security and resilience efforts should be integrated into the overarching homeland security program framework at the State or territorial level to ensure that efforts are synchronized and mutually supportive.

Critical infrastructure security and resilience at the State or territorial level must cut across all sectors present within the jurisdiction and support national, State and local priorities. The program also should explicitly address unique geographical issues, including trans-border concerns, as well as interdependencies among sectors and jurisdictions within those geographical boundaries.

Regional partnerships include a variety of public-private sector initiatives that cross jurisdictional and/or sector boundaries and focus on homeland security preparedness within or serving the population of a defined geographical area.

Specific regional initiatives range in scope from organizations that include multiple jurisdictions and industry partners within a single State, tribe, or territory to groups that involve jurisdictions and enterprises across State, tribal, territorial and international borders.

Regional partners are able to connect on critical infrastructure security and resilience issues through entities other than the national-level partnership and government-led models. One mechanism is through regional partnership coalitions, such as ChicagoFIRST.

ChicagoFIRST is a member of the Regional Consortium Coordinating Council and has a membership that is primarily from the Banking and Finance Sector. ChicagoFIRST collaborates with the City of Chicago, the State of Illinois, the U.S. Department of the Treasury, DHS and other critical sectors on disaster preparedness and business continuity issues. The members of ChicagoFIRST are private sector firms.

One of its most critical achievements is the establishment and maintenance of relationships between the members and government. ChicagoFIRST acts as a conduit for information for its members and coordinates with government at all levels to provide its member firms with a means to address industry issues and gather information for their own crisis response.

An array of boards, commissions, authorities, councils and other entities at the State, local, tribal and regional levels perform regulatory, advisory, policy, or business oversight functions related to various aspects of critical infrastructure operations and security within and across sectors and jurisdictions.

Some of these entities are established through State- or local-level executive or legislative mandates with elected, appointed, or voluntary membership.

These groups include, but are not limited to, transportation authorities, public utility commissions, water and sewer boards, park commissions, housing authorities, public health agencies and many others.

These entities may serve as State-level sector-specific agencies and contribute expertise, assist with regulatory authorities, or help facilitate investment decisions related to critical infrastructure security and resilience efforts within a given jurisdiction or geographic region.

The nature of critical infrastructure ownership and operations is also distributed and the need for joint planning and investment is becoming more common and necessary on the international level.

These global connections inform the way that the critical infrastructure community should plan to work together, within and across sectors and across jurisdictions and national borders, to increase the security and resilience of critical infrastructure.

PPD-21 calls for international collaboration as part of the national unity of effort to strengthen security and resilience. To that end, Federal, private sector and international partners work together to implement coordinated global infrastructure security measures to protect against current and future physical and cyber threats.

The NIPP information-sharing approach constitutes a shift from a strictly hierarchical to a networked model, allowing distribution and access to information to enable decentralized decisionmaking and actions.

The increasing availability of data and information essential to operating and maintaining infrastructure and related technologies enables more efficient and effective practices.

This information is vulnerable to unauthorized access that could affect its confidentiality, integrity, or availability. The distribution of such information to those entities that can use it for efficient and effective risk management remains a challenge.

It is critical to maintain the availability of information and distribute it to those who can use and protect it properly. This entails being transparent about information-sharing practices; protecting sources and methods; and ensuring privacy and protecting civil liberties, while also enabling law enforcement investigations.

Supporting information-sharing initiatives exist both at the national and regional level. Information-sharing activities can protect privacy by applying the Fair Information Practice Principles (FIPPs) and protect civil liberties by complying with applicable laws and policies.

It is equally crucial to ensure adequate protection of sensitive business and security information that could cause serious adverse impacts to private businesses, the economy and public or private enterprise security through unauthorized disclosure, access, or use.

The Federal Government has a statutory responsibility to safeguard critical infrastructure information.

DHS and other agencies use the Protected Critical Infrastructure Information (PCII) program and other protocols such as Classified National Security Information, Law Enforcement Sensitive Information and Federal Security Classification Guidelines.

The PCII program, authorized by the Critical Infrastructure Information (CII) Act of 2002 and its implementing regulations (Title 6 of the Code of Federal Regulations Part 29), defines both the requirements for submitting CII and those that government agencies must follow for accessing and safeguarding CII.

NIPP implementation relies on the critical infrastructure information provided by the private sector and State, local, tribal, or territorial governments.

The NIPP recognizes that the disclosure of sensitive business or security information could cause serious damage to companies, the economy and public safety or security through unauthorized disclosure or access.

Protected Critical Infrastructure Information (PCII) Program

DHS and other Federal agencies use a number of programs and procedures, such as the Protected Critical Infrastructure Information (PCII) Program, to ensure that critical infrastructure information is properly safeguarded.

The PCII Program includes procedures that govern the receipt, validation, handling, dissemination, storage, marking and use of critical infrastructure information voluntarily submitted to the Department of Homeland Security. These procedures are also applicable to Federal, State, local, tribal, or territorial government employees or contractors supporting Federal agencies that have access to, handle, use, or store critical infrastructure information that enjoys protection under the Critical Infrastructure Information Act of 2002.

This supplement describes how partners throughout the critical infrastructure community can connect to the NICC and NCCIC. It describes the information desired by the centers and their partners, as well as how the centers protect and analyze data to inform prevention, protection, mitigation, response and recovery activities.

Presidential Policy Directive 21 (PPD-21) highlights the role of the national physical and cyber coordinating centers in enabling successful critical infrastructure security and resilience outcomes.

Presidential Policy Directive 41 (PPD-41) states that DHS, acting through the National Cybersecurity and Communications Integration Center (NCCIC), will serve as the lead Federal agency for (cybersecurity) asset response activities.

The National Infrastructure Coordinating Center (NICC) and the National Cybersecurity and Communications Integration Center (NCCIC) fulfill this Department of Homeland Security (DHS) responsibility within the critical infrastructure partnership.

Effective critical infrastructure protective programs and resilience strategies are comprehensive, coordinated, cost effective and risk-informed.

Risk management actions involve measures designed to prevent, deter and mitigate the threat; reduce vulnerability to an attack or other disaster; minimize consequences; and enable timely, efficient response and restoration.

The NIPP risk management framework establishes a process for identifying risks and prioritizing security and resilience initiatives and investments within and across sectors. The Strategic National Risk Assessment (SNRA), executed in support of PPD-8, helps identify the types of incidents that pose the greatest known threat to the Nation's homeland security, along with the uncertainty of potential interconnected events with unknown consequences.

The objective is to ensure that government and private sector resources are applied where they offer the most benefit for mitigating risk by lessening vulnerabilities, deterring threats and minimizing the consequences of all hazards, including terrorist attacks and other manmade and natural disasters.

The cornerstone of the NIPP is its risk analysis and management framework. NIPP 2013 builds upon and updates the risk management framework.

This framework consists of several components, including three interwoven elements of critical infrastructure (physical, cyber and human) and five steps toward implementing the risk management framework.

The elements are integrated through information sharing feedback loop, as appropriate. In addition, this framework minimizes the number of steps or “chevrons” by including prioritization with the implementation of risk management activities.

Click on each chevron to access more information about these steps

Click on “Elements of Critical Infrastructure” or “Information Sharing Feedback Loop” for more information about these features of the risk management framework

National Multi-Year Priorities:

Developed with input from all levels of the partnership, National multi-year priorities will complement these goals. These priorities might focus on particular goals or cross-sector issues where attention and resources could be applied within the critical infrastructure community with the most significant impact. Critical infrastructure owners and operators, as well as State, Local, Tribal, Territorial and regional entities, can identify objectives and priorities for critical infrastructure that align to these national priorities, national goals and sector objectives, but are tailored and scaled to their operational and risk environments and available resources.

To manage critical infrastructure risk effectively, partners must identify the assets, systems and networks that are essential to their continued operation, considering associated dependencies and interdependencies. This aspect of the risk management process also should identify information and communications technologies that facilitate the provision of essential services.

Critical infrastructure partners view criticality differently, based on their unique situations, operating models and associated risks. The Federal Government identifies and prioritizes nationally significant critical infrastructure based upon statutory definition and national considerations. SLTT governments identify and prioritize infrastructure according to their business and operating environments and associated risks. Infrastructure owners and operators identify assets, systems and networks that are essential to their continued operations and delivery of products and services to customers. At the sector level, many SSAs collaborate with owners and operators and SLTT entities to develop lists of infrastructure that are significant at the national, regional and local levels.

Effective risk management requires an understanding of criticality as well as the associated interdependencies of infrastructure. This National Plan identifies certain lifeline functions that are essential to the operation of most critical infrastructure sectors. These lifeline functions include communications, energy, transportation and water. Critical infrastructure partners should identify essential functions and resources that impact their businesses and communities. The identification of these lifeline functions can support preparedness planning and capability development.

Assess Risk

Risk is assessed as a function of consequence, vulnerability and threat. Consideration is given to the potential direct and indirect consequences of a terrorist attack or other hazards, known vulnerabilities to those threats or hazards and the nature and magnitude of the threat.

Risk assessments are conducted by many critical infrastructure partners to inform their own decisionmaking, using a broad range of methodologies. These assessments allow critical infrastructure community leaders to understand the most likely and severe incidents that could affect their operations and communities and use this information to support planning and resource allocation in a coordinated manner.

To assess risk effectively, critical infrastructure partners—including owners and operators, sector councils and government agencies—need timely, reliable and actionable information regarding threats, vulnerabilities and consequences. Non-governmental entities must be involved in the development and dissemination of products regarding threats, vulnerabilities and potential consequences and provide risk information in a trusted environment. Partners should understand intelligence and information requirements and conduct joint analysis where appropriate. Critical infrastructure partnerships can bring great value in improving the understanding of risk to both cyber and physical systems and assets. Neither public nor private sector entities can fully understand risk without this integration of wide-ranging knowledge and analysis.

Analyze Risk

Risk assessments are conducted on an asset, system, or network basis. Once the three components of risk—consequence, vulnerability and threat—have been assessed for one or more given assets, systems, or networks they must be integrated into a defensible model to produce a risk estimate. DHS has identified a number of risk assessment characteristics and data requirements to produce results that enable cross-sector risk comparisons; these are termed core criteria. These features provide a guide for improving or modifying existing methodologies as well as developing new ones.

The Prioritization Process

The prioritization process, now incorporated into the Implement Risk Management Activities step of the NIPP risk management framework, involves aggregating, combining and analyzing risk assessment results to determine which assets, systems, networks, sectors, or combinations of these face the highest risk so that risk management priorities can be established.

It also provides the basis for understanding potential risk-mitigation benefits that are used to inform planning and resource decisions.

The NIPP risk management framework provides the process for developing comparable estimates of the risk relevant to critical infrastructure.

Comparing the risk faced by different entities helps identify where risk mitigation is needed and to subsequently determine and help justify the most cost-effective risk management options.

In addition, this prioritization process develops information that can be used during incident response to help inform decision makers regarding issues associated with critical infrastructure restoration.

While the results of risk analyses help set national and sector priorities, performance metrics allow NIPP partners to track progress against these priorities. The metrics provide a basis to establish accountability, document actual performance, facilitate diagnoses, promote effective management and provide a feedback mechanism to decision makers.

The critical infrastructure community evaluates the effectiveness of risk management efforts within sectors and at national, State, local and regional levels by developing metrics for both direct and indirect indicator measurement. SSAs work with SCCs through the sector-specific planning process to develop attributes that support the national goals and national priorities as well as other sector-specific priorities. Such measures inform the risk management efforts of partners throughout the critical infrastructure community and help build a national picture of progress toward the vision of this National Plan as well as the National Preparedness Goal. At a national level, the National Plan articulates broad area goals to achieve the Plan’s vision that will be complemented by a set of multi-year national priorities. The critical infrastructure community will subsequently evaluate its collective progress in accomplishing the goals and priorities.

NIPP Performance Management

The key to NIPP performance management is to align outcome metrics to sector priorities. The 16 sectors are diverse, operate in every State and affect every level of government. As a result, NIPP priorities and many NIPP metrics will vary from sector to sector. All NIPP metrics must be specific and clear as to what they are measuring, practical or feasible in that the needed data are available and built on objectively measured data.

Measuring Performance

In addition to outcome metrics, other information will be utilized, such as output data and descriptive data.

Output (or Process) Data are used to gauge whether specific activities were performed as planned, track the progress of a task, or report on the output of a process. Output data show progress toward performing the activities necessary to achieve critical infrastructure protection goals and can serve as leading indicators for outcome measures. They also help build a comprehensive picture of critical infrastructure security status and activities. Examples include the number of protective programs implemented in a fiscal year, percentage of sector organizations exchanging critical infrastructure information and the level of response to a data call for asset information.

Descriptive Data are used to understand sector resources and activities, but do not reflect critical infrastructure security performance. Examples include: a narrative description of progress; the number of facilities in a jurisdiction; the population resident or working in the area affected by an incident; and the number of suppliers in an infrastructure service provider’s supply chain. NIPP metrics are evolving from the current focus on descriptive and output data to a focus on outcome metrics. Descriptive and output data have been critical during the initial implementation of the NIPP in order to closely track the progress of the sectors in building key NIPP elements, such as the SSPs and GCCs/SCCs. The next stage of NIPP implementation will concentrate on working with the sectors to identify and track outcome metrics that are aligned to sector priorities and provide NIPP partners with a more comprehensive assessment of the success of critical infrastructure security efforts.

The framework now depicts the importance of information sharing throughout the entire risk management process. Information is shared through each step of the framework, to include the “measure effectiveness” step, facilitating feedback and enabling continuous improvement of critical infrastructure security and resilience efforts.

Qualitative Feedback

The NIPP provides mechanisms for qualitative feedback that can be applied to augment and improve the effectiveness and efficiency of public and private sector critical infrastructure protective programs and resilience strategies.

DHS works with sector partners to identify and share lessons learned and best practices for all aspects of the risk management process. DHS also works with SSAs to share relevant input from sector partners and other sources that can be used as part of the national effort to continuously improve critical infrastructure security and resilience.

The critical infrastructure risk management framework is designed to provide flexibility for use in all sectors, across different geographic regions and by various partners. It can be tailored to dissimilar operating environments and applies to all threats and hazards.

The framework supports a collaborative decisionmaking process to inform the selection of risk management actions.

Many organizations have risk management models that have proved effective and should be maintained, however, this framework provides an organizing construct for those models.

In addition to the identified threat-, vulnerability- and consequence-reducing activities, risk reduction can be achieved through critical infrastructure and control system design.

Factoring security and resilience measures into design decisions early can facilitate integration of measures to mitigate physical and cyber vulnerabilities as well as natural and technological hazards at lower cost.

Governments and businesses can better invest in measures that increase the security and resilience of both critical infrastructure and the broader society through risk analysis, evidence-based design practices and consideration of costs and benefits.

Such efforts are also helpful during infrastructure recovery efforts, in those instances when the Federal Government is working with communities and industry to rebuild infrastructure.

Assessing vulnerabilities of critical infrastructure is an important step in developing security solutions and managing critical infrastructure risk. The Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD) works with owners and operators to conduct vulnerability assessments of select critical infrastructure to inform its internal risk management processes and provide technical assistance to its State, local, tribal and territorial (SLTT) and private sector partners to enable their own risk assessments and security plans. NPPD provides additional resources, typically in the form of informational material on known vulnerabilities, to help owners and operators understand vulnerabilities at a more general level.

This supplement provides information on Federal resources that are used by DHS and available to SLTT governments and critical infrastructure owners and operators to identify and assess critical infrastructure vulnerabilities.

This supplement provides the steps that support development decisions and investments in infrastructure that will enhance the resilience of critical infrastructure systems. This supplement was developed through research into existing resilience strategies, including the Hurricane Sandy Rebuilding Strategy and the updated NIPP 2013, Partnering for Critical Infrastructure Security and Resilience.

It is intended for government decision makers at all levels who are undertaking new infrastructure projects or enhancing security and mitigation measures on existing government-owned infrastructure. It also can be used more broadly by all critical infrastructure owners and operators as decisions are made to invest in infrastructure replacements or improvements.

Risk information allows partners to prioritize risk management efforts.

This supplement describes a useful critical infrastructure risk management approach which supports the risk management framework. The framework enables the integration of related critical infrastructure strategies, capabilities and governance structures to enable risk-informed decisionmaking. The risk management approach described in this supplement can be applied to all threats and hazards, although different information and methodologies may be used to understand each.