National Infrastructure Protection Plan The National Infrastructure Protection Plan

(NIPP) provides a coordinated approach to critical infrastructure and key resource protection roles and responsibilities for federal, state, local, tribal, and private sector security partners.

The latest update to the plan occurred in 2013.

National Infrastructure Protection PlanThe NIPP sets national priorities, goals, and

requirements for effective distribution of funding and resources which will help ensure that our government, economy, and public services continue in the event of a terrorist attack or other disaster.

National Infrastructure Protection PlanThe cornerstone of the NIPP is the risk

management framework. This framework establishes a process for

identifying risks and prioritizing protection initiatives within and across sectors.

National Infrastructure Protection PlanThe overarching goal of the National

Infrastructure Protection Plan (NIPP) is to:enhance protection of the Nation’s Critical

Infrastructure and Key Resources (CI/KR) to prevent, deter, neutralize, or mitigate the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit them;

and to strengthen national preparedness, timely response, and rapid recovery in the event of an attack, natural disaster, or other emergency.

National Infrastructure Protection Plan

The NIPP provides the unifying structure for the integration of existing and future CI/KR protection efforts into a single national program to achieve this goal.

The NIPP framework enables the prioritization of protection initiatives and investments across sectors to ensure that government and private sector resources are applied where they offer the most benefit for mitigating risk by lessening vulnerabilities, deterring threats, and minimizing the consequences of terrorist attacks and other manmade and natural disasters.

Sector Specific Agencies Homeland Security Presidential Directorate-7 (HSPD-7)

identified 17 CI/KR sectors and designated Federal Government Sector-Specific Agencies (SSAs) for each of the sectors.

SSAs are responsible for working with Department of Homeland Security (DHS) to implement the NIPP sector partnership model and risk management framework, develop protective programs and related requirements, and provide sector-level CI/KR protection guidance in line with the overarching guidance established by DHS pursuant to HSPD-7.

Working in collaboration with security partners, they are responsible for developing and submitting Sector-Specific Plans and sector-level performance feedback to DHS to enable national cross-sector CI/KR protection program gap assessments.

Sector Specific AgenciesIn accordance with HSPD-7, SSAs are also

responsible for collaborating with private sector security partners and encouraging the development of appropriate information-sharing and analysis mechanisms within the sector.

This includes supporting sector coordinating mechanisms to facilitate sharing of information on physical and cyber threats, vulnerabilities, incidents, recommended protective measures, and security-related best practices.

This also includes encouraging voluntary security-related information sharing, where possible, among private entities within the sector, as well as among public and private entities.

Sector Specific AgenciesAgencies have been assigned

responsibilities for the protection of Critical Infrastructure Sectors.

For example:Department of Agriculture & DHHS: Food and

AgricultureDepartment of Defense: Defense industrial

baseDOE: EnergyDHHS: Healthcare & public healthDepartment of the treasury: Financial Services

NIPP Risk Management FrameworkThe NIPP Risk Management Framework

consists of:Setting goals and objectivesIdentifying infrastructuresAssessing and analyzing RisksImplementing risk management activitiesMeasuring effectiveness

Along each step, there is information sharing occurring.

The elements of critical infrastructure includes physical, cyber, and human elements.

NIPP Risk Management FrameworkThe NIPP risk management framework

recognizes and builds on existing protective programs and initiatives.

Risk Management FrameworkStep 1: Set Goals and Objectives

The National NIPP Plan establishes a set of broad national goals for critical infrastructure security and resilience.

Risk Management Framework Step 2: Identify Infrastructure

In this step, entities identify the assets, systems, and networks that are essential to their continued operation, considering associated dependencies and interdependencies.

This aspect of the risk management process also should identify information and communications technologies that facilitate the provision of essential services.

Risk Management FrameworkStep 3: Analyzing RisksRisk is a function of:

Consequence : The negative effects on public health and safety, the economy, public confidence in institutions, and the functioning of government, both direct and indirect, that can be expected if an asset, system, or network is damaged, destroyed, or disrupted.

Vulnerability: The likelihood that a characteristic of, or flaw in, an asset, system, or network’s design, location, security posture, process, or operation renders it susceptible to destruction, incapacitation, or exploitation.

Threat: The likelihood that a particular asset, system, or network will suffer an attack or an incident.

Risk Management Framework Step 4: Implement Protective Programs Using the established priorities, security partners select

sector-appropriate protective actions or programs to reduce or manage the risk identified and secure the resources needed to address priorities.

Protective actions or programs are designed to manage risks by: Deterring threats. Mitigating vulnerabilities. Minimizing consequences. To be effective, protective actions and programs must be: Comprehensive. Coordinated. Cost effective. Risk based.

Risk Management FrameworkStep 5: Measure Effectiveness

Measuring effectiveness determines the extent to which sector-level and overall program performance goals are being met. Metrics and other evaluation techniques are used to assess if protection is improving, risks are being managed, and resiliency is being increased.

Risk Management FrameworkStep 5: Continuous Improvement

The NIPP Risk Management Framework includes a feedback loop for ensuring continuous improvement of protective actions and programs. Information about the current status of each sector is compared to the “baseline” of information collected and assessed during initial risk assessments to measure progress over time.

Site Specific Plans Based on guidance from DHS, SSPs are developed jointly

by SSAs in close collaboration with SCCs, GCCs, and others, including State, local, and tribal homeland security partners with key interests or expertise appropriate to the sector.

The SSPs provide the means by which the NIPP is implemented across all sectors, as well as a national framework for each sector that guides the development, implementation, and updating of State and local homeland security strategies and CI/KR protection programs.

SSPs are tailored to address the unique characteristics and risk landscapes of each sector while also providing consistency for protective programs, public and private protection investments, and resources.

Site Specific PlansSSPs serve to:

Define sector security partners, authorities, regulatory bases, roles and responsibilities, and interdependencies;

Establish or institutionalize already existing procedures for sector interaction, information sharing, coordination, and partnership;

Establish the goals and objectives, developed collaboratively between security partners, required to achieve the desired protective posture for the sector;

Education and TrainingThe NIPP establishes a framework to enable

the education, training, and exercise programs that allow people and organizations to develop and maintain key CI/KR protection expertise.

Information Sharing The NIPP information-sharing approach constitutes a

shift from a strictly hierarchical to a networked model, allowing distribution and access to information both vertically and horizontally, as well as the ability to enable decentralized decision making and actions. The objectives of the network approach are to:

Enable secure multi-directional information sharing between and across government and industry that focuses, streamlines, and reduces redundant reporting to the greatest extent possible;

Information Sharing Provide security partners with timely incident reporting

and verification of related facts that CI/KR owners and operators can use with confidence when considering how evolving incidents might affect their security posture;

Provide a means for State, local, tribal, and private sector security partners to be integrated, as appropriate, into the intelligence cycle, to include providing inputs to the intelligence requirements development process;

Enable the flow of information required for security partners to assess risks, conduct risk management activities, invest in security measures, and allocate resources; and

Protect the integrity and confidentiality of sensitive information.

Cyber SecurityHR 3696 the National Cybersecurity and Critical

Infrastructure Protection Act of 2013.To amend the Homeland Security Act of 2002 to make

certain improvements regarding cybersecurity and critical infrastructure protection, and for other purposes.

On February 13, 2014, the White House on Wednesday released the first version of its cyber security framework for protecting critical infrastructure.

It is a catalog of industry best-practices and standards that creates a voluntary template for companies to use in developing better security programs.