CI/KR Public-Private Partnerships
DESCRIPTION
CI/KR Public-Private Partnerships. Overview, March 2010. Prepared By: Thomas DiNanno, International Assessment and Strategy Center.
TRANSCRIPT
CI/KR Public-Private Partnerships
Overview
March 2010
Prepared By:
Thomas DiNanno
International Assessment and Strategy Center
Vision
The United States will forge an unprecedented level of cooperation throughout all levels of government, with private industry and institutions, and with the American people to protect our critical infrastructure and key assets from terrorist attack.
The National Strategy for Homeland Security, July 2002
HSPD-7 Requirements
HSPD-7 directs the development of a National Infrastructure Protection Plan (NIPP)
The NIPP is a comprehensive, integrated National Plan for Critical Infrastructure and Key Resources Protection to outline national goals, objectives, milestones, and key initiatives. The Plan includes the following elements:
A strategy to identify, prioritize, and coordinate CI/KR protection, including how DHS intends to work with Federal departments and agencies, State and local governments, the private sector, foreign countries, and international organizations;
HSPD-7 Designated Sectors & Agencies
DHS is responsible for coordinating the overall national effort to enhance protection of CI/KR across Sectors
Critical Infrastructure Sectors and their Sector-Specific Agencies (SSAs)
Agriculture, Food: USDA
Public Health, Healthcare, Food: HHS
Drinking Water, Water Treatment: EPA
Defense Industrial Base: DoD
Energy: DOE
Banking and Finance: TREAS
National Monuments & Icons: DOI
Transportation Systems: DHS
Information Technology: DHS
Telecommunications: DHS
Chemical: DHS
Emergency Services: DHS
Postal and Shipping: DHS
Key Resources and their Sector-Specific Agencies (SSAs)
Commercial Facilities: DHS
Government Facilities: DHS
Dams: DHS
Commercial Nuclear Reactors, Materials, & Waste: DHS
Major NIPP Theme: Information Sharing and Protection
The NIPP uses a network approach to information sharing that:
Enables secure multidirectional information sharing between and across government and CI/KR owners and operators at all levels.
Provides mechanisms, using “need to know” protocols as required, to support the development and sharing of strategic and specific threat assessments, incident reports and threat warning, impact assessments, and best practices.
Allows security partners to assess risks, conduct risk management activities, allocate resources, and make continuous improvements to the Nation’s CI/KR protective posture
DHS and other Federal agencies use a number of programs and procedures, such as the Protected Critical Infrastructure Information (PCII) Program, to ensure that CI/KR information is properly safeguarded
Major NIPP Theme: Providing Resources for the CI/KR Protection Program
Resources must be directed to areas of greatest priority to enable effective management of risk.
The NIPP resource allocation process describes:
The integrated risk-based approach that will be used to determine how CI/KR protection programs will be prioritized and funded
How State- and local-level CI/KR protection efforts will be supported through DHS and other CI/KR protection Grant Programs
How all of these investments, coupled with appropriate incentives, support collaboration among security partners to enhance CI/KR protection
NIPP Value Proposition
The success of the partnership for CI/KR protection depends on articulating the mutual benefits to government and private sector partners. This value proposition:
Enables Federal, State, local, tribal and private sector security partners to clearly understand the national CI/KR protection priorities
Provides CI/KR protection planning, information sharing, risk management, resource coordination, and program implementation processes
Is intended to be used as a framework for coordinating CI/KR protection efforts across sectors and security partners
Major NIPP Theme: Sector Partnership Model
Provides the framework for security partners to work together in a robust public-private partnership.
Implementing the NIPP
[Diagram: the CI/KR sectors and key resources with their Sector-Specific Agencies, repeated from the HSPD-7 Designated Sectors & Agencies slide]
Sector-Specific Plans (SSPs) Content
SSPs are annexes to the NIPP Base Plan
SSPs detail the application of the NIPP risk management framework across each of the 17 CI/KR sectors
Sector-Specific Agencies partner with their sector to develop the individual SSP
Finalized SSPs are to be submitted to DHS within 180 days after the NIPP is issued by the Secretary of Homeland Security
[Diagram: Sector-Specific Plans (17)]
Set Security Goals
Security goals collectively represent the desired national and sector-specific security posture
These goals will vary between sectors and should consider the physical, human, and cyber elements of CI/KR protection
From the sector perspective, security goals:
Define the protective (and, if appropriate, the response or recovery) posture that security partners seek to attain
Consider distinct assets, systems, networks, operational processes, business environments, and risk management approaches
Vary according to the specific characteristics and security landscape for the affected sector, jurisdiction, or locality
Identify Assets, Systems, Networks, and Functions
Involves developing a comprehensive inventory containing basic information on the Nation’s assets, systems, and networks
This inventory can be used to determine which assets, systems, or networks are nationally critical, state critical, or locally critical based on the most current risk profile
Evaluating Existing Risk Methodologies
Is the Methodology Credible?
Integrity: Is the methodology based on classic risk analysis and security vulnerability analysis
Complete: Does the methodology provide reasonably complete results via a quantitative, systematic, and rigorous process
Defensible: Is the methodology thorough and does it use the recognized methods of the professional disciplines relevant to the analysis
Is the Methodology Comparable to Other Methodologies?
Documented
Transparent
Reproducible
Accurate
Prioritize
DHS will work with security partners to prioritize the results of risk assessments to help identify where risk reduction is most pressing and to subsequently determine what protective actions should be taken
Requires a comparison of the relative levels of asset and sector risk along with options for achieving the established security goals
Enables protective actions to be applied where they offer the greatest reduction in risk relative to the cost
Implement Protective Programs
Protective actions are intended to reduce risk by:
Deterring attacks
Devaluing the attractiveness of the asset, system, or network
Detecting potential attacks
Defending the asset, system, or network to delay or prevent an attack
Protective programs may also include actions that reduce consequences should an attack occur, including:
Mitigating the range of potential attacks
Responding and recovering efficiently and effectively
Measure Effectiveness
NIPP establishes a metrics-based system to provide feedback on efforts to attain specified security goals
Metrics provide a basis for establishing accountability, documenting actual performance, facilitating diagnoses, promoting effective management, and reassessing goals and objectives at the national and sector level
NIPP Risk Management Framework uses three types of metrics:
Descriptive
Process (or output)
Outcome
NIPP Development & Coordination
The NIPP was developed as a collaborative process between DHS, the SSAs and State, local, and private sector security partners. The review and comment process:
Broadly distributed for review across sectors and at each level of government and the private sector and the public to obtain individual comments and input
Draft NIPP Base Plan was distributed to the following Security Partners:
Federal Government: DHS; Sector-Specific Agencies; HSPD-7 Departments & Agencies; Government Coordinating Councils
State, Local, Territorial, and Tribal Governments: Homeland Security Advisors; State Administrative Agents and Emergency Managers
Advisory Councils: National Infrastructure Advisory Council; National Security Telecommunications Committee; Homeland Security Advisory Committee
Private Sector Partners: Sector Coordinating Councils; Private Sector Security Partners
Chemical Security
High Risk Chemical Facilities – Sec 550
[Diagram labels: Universe Potentially High-Risk Chemical Facilities; Perform CSAT Consequence Screen; Facilities deemed not high-risk; 20,000?; 20,000; 6000; Tier 1=]
Chemical Security
Define the Performance Standards
Have defined 17 Performance Standards
Standards will be tied to specific risk types present at the facility (i.e., release hazard; precursor; sabotage; economic/mission criticality).
Standards address the full range of security practices:
Physical Security
Perimeter Control
Access Control
Cyber Security (physical and logical)
Personnel surety
Deter Detect Delay
Security and Response Force planning and training & Exercise
Material Control
Counter Theft – Counter Diversion
Risk Based Performance Standards
Emergency Management
Support response, recovery, and reconstitution efforts of States affected by a disaster:
Support PFO and FCO in Joint Field Offices (JFOs)
Serve as pre-designated IL and JFO when requested
Help coordinate Federal, State, and LLE CIKR protection efforts
Coordinate sharing of IP HQ analysis within JFO
Perform SAVs to identify vulnerabilities
Provide advice on protective measures to enhance security at CIKR in and around impact area
Provide key stakeholders with updates on issues relating to CIKR assets