National Infrastructure Protection Plan

The National Infrastructure Protection Plan (NIPP) provides a coordinated approach to critical infrastructure and key resource protection roles and responsibilities for federal, state, local, tribal, and private sector security partners. The latest update to the plan occurred in 2013.

The NIPP sets national priorities, goals, and requirements for effective distribution of funding and resources which will help ensure that our government, economy, and public services continue in the event of a terrorist attack or other disaster.

The cornerstone of the NIPP is the risk management framework. This framework establishes a process for identifying risks and prioritizing protection initiatives within and across sectors.

The overarching goal of the National Infrastructure Protection Plan (NIPP) is to: enhance protection of the Nation’s Critical Infrastructure and Key Resources (CI/KR) to prevent, deter, neutralize, or mitigate the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit them; and to strengthen national preparedness, timely response, and rapid recovery in the event of an attack, natural disaster, or other emergency.

The NIPP provides the unifying structure for the integration of existing and future CI/KR protection efforts into a single national program to achieve this goal. The NIPP framework enables the prioritization of protection initiatives and investments across sectors to ensure that government and private sector resources are applied where they offer the most benefit for mitigating risk by lessening vulnerabilities, deterring threats, and minimizing the consequences of terrorist attacks and other manmade and natural disasters.

Sector Specific Agencies

Homeland Security Presidential Directorate-7 (HSPD-7) identified 17 CI/KR sectors and designated Federal Government Sector-Specific Agencies (SSAs) for each of the sectors. SSAs are responsible for working with the Department of Homeland Security (DHS) to implement the NIPP sector partnership model and risk management framework, develop protective programs and related requirements, and provide sector-level CI/KR protection guidance in line with the overarching guidance established by DHS pursuant to HSPD-7. Working in collaboration with security partners, they are responsible for developing and submitting Sector-Specific Plans and sector-level performance feedback to DHS to enable national cross-sector CI/KR protection program gap assessments.

In accordance with HSPD-7, SSAs are also responsible for collaborating with private sector security partners and encouraging the development of appropriate information-sharing and analysis mechanisms within the sector. This includes supporting sector coordinating mechanisms to facilitate sharing of information on physical and cyber threats, vulnerabilities, incidents, recommended protective measures, and security-related best practices. This also includes encouraging voluntary security-related information sharing, where possible, among private entities within the sector, as well as among public and private entities.

Agencies have been assigned responsibilities for the protection of Critical Infrastructure Sectors.
For example:
- Department of Agriculture & DHHS: Food and Agriculture
- Department of Defense: Defense industrial base
- DOE: Energy
- DHHS: Healthcare & public health
- Department of the Treasury: Financial Services

NIPP Risk Management Framework

The NIPP Risk Management Framework consists of:
- Setting goals and objectives
- Identifying infrastructures
- Assessing and analyzing risks
- Implementing risk management activities
- Measuring effectiveness

Information sharing occurs along each step. The elements of critical infrastructure include physical, cyber, and human elements.

The NIPP risk management framework recognizes and builds on existing protective programs and initiatives.

Risk Management Framework Step 1: Set Goals and Objectives

The National NIPP Plan establishes a set of broad national goals for critical infrastructure security and resilience.

Risk Management Framework Step 2: Identify Infrastructure

In this step, entities identify the assets, systems, and networks that are essential to their continued operation, considering associated dependencies and interdependencies. This aspect of the risk management process should also identify information and communications technologies that facilitate the provision of essential services.

Risk Management Framework Step 3: Analyzing Risks

Risk is a function of:
- Consequence: The negative effects on public health and safety, the economy, public confidence in institutions, and the functioning of government, both direct and indirect, that can be expected if an asset, system, or network is damaged, destroyed, or disrupted.
- Vulnerability: The likelihood that a characteristic of, or flaw in, an asset, system, or network’s design, location, security posture, process, or operation renders it susceptible to destruction, incapacitation, or exploitation.
- Threat: The likelihood that a particular asset, system, or network will suffer an attack or an incident.

Risk Management Framework Step 4: Implement Protective Programs

Using the established priorities, security partners select sector-appropriate protective actions or programs to reduce or manage the risk identified and secure the resources needed to address priorities.

Protective actions or programs are designed to manage risks by:
- Deterring threats.
- Mitigating vulnerabilities.
- Minimizing consequences.

To be effective, protective actions and programs must be:
- Comprehensive.
- Coordinated.
- Cost effective.
- Risk based.

Risk Management Framework Step 5: Measure Effectiveness

Measuring effectiveness determines the extent to which sector-level and overall program performance goals are being met. Metrics and other evaluation techniques are used to assess whether protection is improving, risks are being managed, and resiliency is being increased.

Risk Management Framework Step 5: Continuous Improvement

The NIPP Risk Management Framework includes a feedback loop for ensuring continuous improvement of protective actions and programs. Information about the current status of each sector is compared to the “baseline” of information collected and assessed during initial risk assessments to measure progress over time.

Site Specific Plans

Based on guidance from DHS, SSPs are developed jointly by SSAs in close collaboration with SCCs, GCCs, and others, including State, local, and tribal homeland security partners with key interests or expertise appropriate to the sector. The SSPs provide the means by which the NIPP is implemented across all sectors, as well as a national framework for each sector that guides the development, implementation, and updating of State and local homeland security strategies and CI/KR protection programs. SSPs are tailored to address the unique characteristics and risk landscapes of each sector while also providing consistency for protective programs, public and private protection investments, and resources.

SSPs serve to:
- Define sector security partners, authorities, regulatory bases, roles and responsibilities, and interdependencies;
- Establish or institutionalize already existing procedures for sector interaction, information sharing, coordination, and partnership;
- Establish the goals and objectives, developed collaboratively between security partners, required to achieve the desired protective posture for the sector;

Education and Training

The NIPP establishes a framework to enable the education, training, and exercise programs that allow people and organizations to develop and maintain key CI/KR protection expertise.

Information Sharing

The NIPP information-sharing approach constitutes a shift from a strictly hierarchical to a networked model, allowing distribution and access to information both vertically and horizontally, as well as the ability to enable decentralized decision making and actions.

The objectives of the network approach are to:
- Enable secure multi-directional information sharing between and across government and industry that focuses, streamlines, and reduces redundant reporting to the greatest extent possible;
- Provide security partners with timely incident reporting and verification of related facts that CI/KR owners and operators can use with confidence when considering how evolving incidents might affect their security posture;
- Provide a means for State, local, tribal, and private sector security partners to be integrated, as appropriate, into the intelligence cycle, to include providing inputs to the intelligence requirements development process;
- Enable the flow of information required for security partners to assess risks, conduct risk management activities, invest in security measures, and allocate resources; and
- Protect the integrity and confidentiality of sensitive information.

Cyber Security

HR 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013: To amend the Homeland Security Act of 2002 to make certain improvements regarding cybersecurity and critical infrastructure protection, and for other purposes.

On February 13, 2014, the White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure. It is a catalog of industry best practices and standards that creates a voluntary template for companies to use in developing better security programs.