Week 4 Power Points - Health and Human Services

National Infrastructure Protection Plan
• The National Infrastructure Protection Plan (NIPP) provides a coordinated approach to critical infrastructure and key resource protection roles and responsibilities for federal, state, local, tribal, and private sector security partners.
• The latest update to the plan occurred in 2013.
National Infrastructure Protection Plan
• The NIPP sets national priorities, goals, and requirements for effective distribution of funding and resources, which will help ensure that our government, economy, and public services continue in the event of a terrorist attack or other disaster.
National Infrastructure Protection Plan
• The cornerstone of the NIPP is the risk management framework.
• This framework establishes a process for identifying risks and prioritizing protection initiatives within and across sectors.
National Infrastructure Protection Plan
• The overarching goal of the National Infrastructure Protection Plan (NIPP) is to:
  ◦ enhance protection of the Nation’s Critical Infrastructure and Key Resources (CI/KR) to prevent, deter, neutralize, or mitigate the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit them;
  ◦ and to strengthen national preparedness, timely response, and rapid recovery in the event of an attack, natural disaster, or other emergency.
National Infrastructure Protection Plan
• The NIPP provides the unifying structure for the integration of existing and future CI/KR protection efforts into a single national program to achieve this goal.
• The NIPP framework enables the prioritization of protection initiatives and investments across sectors to ensure that government and private sector resources are applied where they offer the most benefit for mitigating risk by lessening vulnerabilities, deterring threats, and minimizing the consequences of terrorist attacks and other manmade and natural disasters.
Sector-Specific Agencies
• Homeland Security Presidential Directive-7 (HSPD-7) identified 17 CI/KR sectors and designated Federal Government Sector-Specific Agencies (SSAs) for each of the sectors.
• SSAs are responsible for working with the Department of Homeland Security (DHS) to implement the NIPP sector partnership model and risk management framework, develop protective programs and related requirements, and provide sector-level CI/KR protection guidance in line with the overarching guidance established by DHS pursuant to HSPD-7.
• Working in collaboration with security partners, they are responsible for developing and submitting Sector-Specific Plans and sector-level performance feedback to DHS to enable national cross-sector CI/KR protection program gap assessments.
Sector-Specific Agencies
• In accordance with HSPD-7, SSAs are also responsible for collaborating with private sector security partners and encouraging the development of appropriate information-sharing and analysis mechanisms within the sector.
• This includes supporting sector coordinating mechanisms to facilitate sharing of information on physical and cyber threats, vulnerabilities, incidents, recommended protective measures, and security-related best practices.
• This also includes encouraging voluntary security-related information sharing, where possible, among private entities within the sector, as well as among public and private entities.
Sector-Specific Agencies
• Agencies have been assigned responsibilities for the protection of Critical Infrastructure Sectors.
• For example:
  ◦ Department of Agriculture & DHHS: Food and Agriculture
  ◦ Department of Defense: Defense Industrial Base
  ◦ DOE: Energy
  ◦ DHHS: Healthcare & Public Health
  ◦ Department of the Treasury: Financial Services
NIPP Risk Management Framework
• The NIPP Risk Management Framework consists of:
  ◦ Setting goals and objectives
  ◦ Identifying infrastructure
  ◦ Assessing and analyzing risks
  ◦ Implementing risk management activities
  ◦ Measuring effectiveness
• Information sharing occurs along each of these steps.
• The elements of critical infrastructure include physical, cyber, and human elements.
NIPP Risk Management Framework
• The NIPP risk management framework recognizes and builds on existing protective programs and initiatives.
Risk Management Framework
• Step 1: Set Goals and Objectives
• The NIPP establishes a set of broad national goals for critical infrastructure security and resilience.
Risk Management Framework
• Step 2: Identify Infrastructure
• In this step, entities identify the assets, systems, and networks that are essential to their continued operation, considering associated dependencies and interdependencies.
• This aspect of the risk management process also should identify information and communications technologies that facilitate the provision of essential services.
Risk Management Framework
• Step 3: Analyze Risks
• Risk is a function of:
  ◦ Consequence: The negative effects on public health and safety, the economy, public confidence in institutions, and the functioning of government, both direct and indirect, that can be expected if an asset, system, or network is damaged, destroyed, or disrupted.
  ◦ Vulnerability: The likelihood that a characteristic of, or flaw in, an asset, system, or network’s design, location, security posture, process, or operation renders it susceptible to destruction, incapacitation, or exploitation.
  ◦ Threat: The likelihood that a particular asset, system, or network will suffer an attack or an incident.
Risk Management Framework
• Step 4: Implement Protective Programs
• Using the established priorities, security partners select sector-appropriate protective actions or programs to reduce or manage the risk identified and secure the resources needed to address priorities.
• Protective actions or programs are designed to manage risks by:
  ◦ Deterring threats.
  ◦ Mitigating vulnerabilities.
  ◦ Minimizing consequences.
• To be effective, protective actions and programs must be:
  ◦ Comprehensive.
  ◦ Coordinated.
  ◦ Cost effective.
  ◦ Risk based.
Risk Management Framework
• Step 5: Measure Effectiveness
• Measuring effectiveness determines the extent to which sector-level and overall program performance goals are being met. Metrics and other evaluation techniques are used to assess whether protection is improving, risks are being managed, and resiliency is being increased.
Risk Management Framework
• Step 5: Continuous Improvement
• The NIPP Risk Management Framework includes a feedback loop for ensuring continuous improvement of protective actions and programs. Information about the current status of each sector is compared to the “baseline” of information collected and assessed during initial risk assessments to measure progress over time.
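The slides describe risk as a function of consequence, vulnerability, and threat (Step 3), protective programs that lower threat or vulnerability (Step 4), and a feedback loop that compares current status to a baseline (Step 5). The following Python script is an added illustration of that cycle, not material from the slides or from DHS. It assumes a 1-5 ordinal score for each factor and a simple multiplicative model (R = C × V × T); the NIPP itself does not prescribe either, and the asset inventory and scores below are constructed sample data.

```python
from dataclasses import dataclass, replace

# Assumed 1-5 ordinal scale; the NIPP only says risk is a function of
# consequence, vulnerability and threat, so R = C * V * T is an illustrative
# model chosen for this example, not the plan's own formula.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Asset:
    """One asset, system or network identified in Step 2."""
    name: str
    sector: str
    consequence: int    # negative effects if damaged, destroyed or disrupted
    vulnerability: int  # likelihood a flaw renders it susceptible
    threat: int         # likelihood it suffers an attack or incident


def risk_score(asset: Asset) -> int:
    """Step 3: combine the three factors into a single risk score."""
    for factor in (asset.consequence, asset.vulnerability, asset.threat):
        if not SCALE_MIN <= factor <= SCALE_MAX:
            raise ValueError(f"{asset.name}: factor {factor} outside {SCALE_MIN}-{SCALE_MAX}")
    return asset.consequence * asset.vulnerability * asset.threat


def prioritize(assets: list[Asset]) -> list[Asset]:
    """Rank assets highest risk first; ties broken by name for stable output."""
    return sorted(assets, key=lambda a: (-risk_score(a), a.name))


def apply_protective_program(asset: Asset, *, vulnerability_reduction: int = 0,
                             threat_reduction: int = 0) -> Asset:
    """Step 4: a program lowers vulnerability and/or threat, never below the scale floor.
    Consequence is left unchanged here; resilience measures would be modelled on it."""
    return replace(
        asset,
        vulnerability=max(SCALE_MIN, asset.vulnerability - vulnerability_reduction),
        threat=max(SCALE_MIN, asset.threat - threat_reduction),
    )


def measure_effectiveness(baseline: list[Asset], current: list[Asset]) -> dict[str, dict]:
    """Step 5: compare each asset's current risk to the baseline assessment."""
    base = {a.name: risk_score(a) for a in baseline}
    report = {}
    for asset in current:
        before, after = base[asset.name], risk_score(asset)
        report[asset.name] = {
            "baseline": before,
            "current": after,
            "reduction_pct": round(100.0 * (before - after) / before, 1),
        }
    return report


# Constructed sample inventory using sectors named on the slides; scores are invented.
BASELINE = [
    Asset("hospital-ehr", "Healthcare & Public Health", consequence=5, vulnerability=4, threat=3),
    Asset("regional-substation", "Energy", consequence=4, vulnerability=3, threat=4),
    Asset("payments-switch", "Financial Services", consequence=4, vulnerability=2, threat=4),
    Asset("food-distribution-center", "Food and Agriculture", consequence=3, vulnerability=3, threat=2),
]


def run_cycle(assets: list[Asset] = BASELINE) -> dict[str, dict]:
    """One pass through Steps 3-5: rank, fund programs for the top two, measure."""
    ranked = prioritize(assets)
    # Hypothetical programs: vulnerability mitigation (patching, segmentation) for
    # the top asset, and deterrence (monitoring, access control) for the second.
    programs = {
        ranked[0].name: {"vulnerability_reduction": 2},
        ranked[1].name: {"threat_reduction": 1},
    }
    current = [apply_protective_program(a, **programs.get(a.name, {})) for a in assets]
    return measure_effectiveness(assets, current)


if __name__ == "__main__":
    for a in prioritize(BASELINE):
        print(f"{risk_score(a):3d}  {a.sector:28s} {a.name}")
    for name, row in run_cycle().items():
        print(f"{name}: {row['baseline']} -> {row['current']} ({row['reduction_pct']}% reduction)")
```

The point of the feedback loop is visible in the report: only assets that received a program show a reduction, and an asset whose vulnerability is already at the scale floor cannot be improved further by vulnerability mitigation alone, which is when deterrence or consequence-reduction programs become the cost-effective choice.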
Sector-Specific Plans
• Based on guidance from DHS, Sector-Specific Plans (SSPs) are developed jointly by SSAs in close collaboration with SCCs, GCCs, and others, including State, local, and tribal homeland security partners with key interests or expertise appropriate to the sector.
• The SSPs provide the means by which the NIPP is implemented across all sectors, as well as a national framework for each sector that guides the development, implementation, and updating of State and local homeland security strategies and CI/KR protection programs.
• SSPs are tailored to address the unique characteristics and risk landscapes of each sector while also providing consistency for protective programs, public and private protection investments, and resources.
Sector-Specific Plans
• SSPs serve to:
  ◦ Define sector security partners, authorities, regulatory bases, roles and responsibilities, and interdependencies;
  ◦ Establish or institutionalize already existing procedures for sector interaction, information sharing, coordination, and partnership;
  ◦ Establish the goals and objectives, developed collaboratively between security partners, required to achieve the desired protective posture for the sector;
Education and Training
• The NIPP establishes a framework to enable the education, training, and exercise programs that allow people and organizations to develop and maintain key CI/KR protection expertise.
Information Sharing
• The NIPP information-sharing approach constitutes a shift from a strictly hierarchical to a networked model, allowing distribution of and access to information both vertically and horizontally, as well as the ability to enable decentralized decision making and actions. The objectives of the network approach are to:
  ◦ Enable secure multi-directional information sharing between and across government and industry that focuses, streamlines, and reduces redundant reporting to the greatest extent possible;
Information Sharing
  ◦ Provide security partners with timely incident reporting and verification of related facts that CI/KR owners and operators can use with confidence when considering how evolving incidents might affect their security posture;
  ◦ Provide a means for State, local, tribal, and private sector security partners to be integrated, as appropriate, into the intelligence cycle, to include providing inputs to the intelligence requirements development process;
  ◦ Enable the flow of information required for security partners to assess risks, conduct risk management activities, invest in security measures, and allocate resources; and
  ◦ Protect the integrity and confidentiality of sensitive information.
Cyber Security
• H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013.
• Its stated purpose: to amend the Homeland Security Act of 2002 to make certain improvements regarding cybersecurity and critical infrastructure protection, and for other purposes.
• On Wednesday, February 13, 2014, the White House released the first version of its cyber security framework for protecting critical infrastructure.
• It is a catalog of industry best practices and standards that creates a voluntary template for companies to use in developing better security programs.