Introduction to the National Infrastructure Protection Plan - PowerPoint PPT Presentation


Slides: 72
Provided by: christine86
Transcript and Presenter's Notes

Title: Introduction to the National Infrastructure Protection Plan

Introduction to the National Infrastructure
Protection Plan IS 860
Amelia Muccio Director of Disaster Planning NEW
Lesson 1 Overview
  • Explain the criticality of protecting and
    ensuring the continuity of critical
    infrastructure (CI) and key resources (KR) of the
    United States.
  • Describe how the NIPP provides the unifying
    structure for the integration of CI/KR protection
    efforts into a single national program.
  • Define CI/KR and protection in the context of the

Collaborative Partnerships
  • The NIPP was developed through a collaborative
    partnership representing DHS; other Federal
    agencies; State, tribal, and local govt; and the
    private sector.

Critical Infrastructure and Key Resources (CI/KR)
  • CI refers to assets, systems, and networks,
    whether physical or virtual, so vital to the U.S.
    that the incapacity or destruction of such assets,
    systems, or networks would have a debilitating
    impact on security, national economic security,
    public health or safety, or any combination of
    those matters.
  • KR, as defined in the Homeland Security Act of
    2002, are publicly or privately controlled
    resources essential to the minimal operations of
    the economy or govt.

Importance of CI/KR
  • Terrorist attacks on CI/KR and other manmade or
    natural disasters could significantly disrupt the
    functioning of govt and business alike, and
    produce cascading effects far beyond the affected
    CI/KR and physical location of the incident.

  • The NIPP provides the unifying structure for the
    integration of CI/KR protection efforts into a
    single national program.
  • The NIPP establishes an overall framework for
    integrating programs and activities that are
    currently underway in the various sectors, as
    well as new and developing CI/KR protection

  • Achieving the NIPP goal requires:
  • Understanding and sharing information about
    terrorist threats and other hazards.
  • Building security partnerships to share
    information and implement CI/KR protection
  • Implementing a long-term risk-management program.
  • Maximizing efficient use of resources for CI/KR

Building on Homeland Security Strategies
  • Builds on the principles of the President's
    National Strategy for Homeland Security and its
    companion strategies for the physical protection
    of critical infrastructure and key assets and the
    securing of cyberspace.
  • Fulfills requirements in Homeland Security
    Presidential Directive 7 (HSPD-7) and the
    Homeland Security Act of 2002.

The Terrorist Threat
  • Terrorist attacks against CI/KR across the U.S.
    could seriously threaten national security, result
    in mass casualties, weaken the economy, and
    damage public morale and confidence.

All-Hazards Approach
  • The direct impacts, disruptions, and cascading
    effects of natural disasters and manmade
    incidents on the Nation's CI/KR are well

Integration Framework
  • Many owners and operators, govt emergency
    managers, and first responders have developed
    strategies, plans, policies, and procedures for
    preparing for, mitigating, responding to, and
    recovering from a variety of natural and manmade

Security Partnerships
  • The NIPP defines security partners as those
    Federal, State, regional, Territorial, local, or
    tribal govt entities, private sector owners and
    operators and representative organizations,
    academic and professional entities, and certain
    not-for-profit and private volunteer orgs that
    share in the responsibility for protecting the
    Nation's CI/KR.
  • NIPP provides the framework that allows these
    partners to work collaboratively.

Sector-Specific Nature of CI/KR Protection
  • HSPD-7 designated responsibility to various
    Federal govt departments to serve as
    Sector-Specific Agencies (SSAs) for each of the
    CI/KR sectors.
  • SSAs are responsible for working with DHS to
    implement the NIPP sector partnership model and
    risk management framework, develop protective
    programs and related requirements, and provide
    sector-level CI/KR protection guidance.

The Value Proposition
  • The public-private partnership called for in the
    NIPP provides the foundation for effective CI/KR
  • Govt and the private sector bring core competencies.
  • Prevention, response, mitigation, and recovery
    efforts are most efficient and effective when
    there is full participation of govt and private
    sector partners.
  • The success of the partnership depends on
    articulating the mutual benefits to govt and
    private sector partners.

Private Sector Capabilities
  • Management of a vast majority of CI/KR in many
  • Knowledge of CI/KR assets, networks, facilities,
    functions, and other capabilities.
  • Capability to take initial first-response actions
    in the event of an incident.
  • Ability to innovate and to provide products,
    services, and technologies to address security
  • Robust mechanisms for sharing and protecting
    sensitive information regarding threats,
    vulnerabilities, countermeasures, and best

Risk Management Framework
  • The cornerstone of the NIPP is its risk
    management framework.
  • This framework establishes the process for
    combining consequence, vulnerability, and threat
    information to produce a comprehensive, systemic,
    and rational assessment of national or
    sector-specific risk that drives CI/KR protection

Adaptive Nature of Terrorist Threat
  • A risk-based approach will provide the basis for
    an effective risk management strategy and
    efficient resource allocation.

Information Sharing Among Security Partners
  • Robust, multidirectional information sharing.
  • When owners/operators are provided with a
    comprehensive picture of threats and hazards to
    CI/KR and participate in ongoing multidirectional
    information flow, their ability to assess risks,
    make prudent security investments, and take
    protective actions is substantially enhanced.
  • When the govt is equipped with an understanding
    of private sector information needs, it can
    adjust its information collection, analysis,
    synthesis, and dissemination activities

Information Sharing (cont)
  • When the private sector is assured that critical
    infrastructure information that it shares with
    the govt will be protected from release or
    disclosure, the Nation's CI/KR protection
    capabilities will be enhanced.

Information Flow and Protection
  • The NIPP information sharing approach constitutes
    a shift from a strictly hierarchical to a
    networked model, allowing distribution and access
    to information to enable decentralized
    decision-making and actions.
  • Information in the network is
  • Protected
  • Safeguarded
  • Monitored

NIPP Components
  • The NIPP covers the full range of physical,
    cyber, and human protection within and across all
    of the Nation's CI/KR sectors.
  • Executive Summary
  • Introduction
  • Authorities, Roles, and Responsibilities
  • The Protection Program Strategy
  • Organizing and Partnering
  • Integrating CI/KR Protection
  • Ensuring an Effective and Efficient Program
  • Providing Resources for the CI/KR Protection

Lesson 2 Overview
  • DHS
  • SSAs
  • Other Federal departments/agencies
  • State, local, and tribal jurisdictions
  • Private-Sector owners and operators

Homeland Security Act of 2002
  • Provides the primary authority for the overall
    homeland security mission and provides the basis
    for DHS responsibilities in the protection of the
    Nation's CI/KR.

  • The national approach to CI/KR protection is
    provided through the unifying framework
    established by HSPD-7.
  • This directive establishes the U.S. policy for
    enhancing protection of the Nation's CI/KR and
    mandates a national plan to actuate that policy.
  • Secretary of Homeland Security as the principal
    Federal official to lead CI/KR protection efforts.

  • SSAs are responsible for working with DHS to
    implement the NIPP sector partnership model and
    risk management framework, develop protective
    programs and related requirements, and provide
    sector-level CI/KR protection guidance in line
    with overarching guidance.
  • SSAs also develop sector-specific plans and

SSA Assignments (SSA: CI/KR sector)
  • Dept of Agriculture: Agriculture and Food
  • HHS
  • DoD: Defense Industrial
  • Dept of Energy: Energy
  • HHS: Public
  • Dept of Interior: Monuments/Icons
  • Dept of Treasury: Banking/Finance
  • EPA: Drinking H2O/Water Treatment
  • DHS OIP: Chemical, Dams,
    Nuclear Reactors, Waste
  • DHS Cyber: IT
  • TSA: Postal and
  • TSA: Transportation
  • Immigration: Govt Facilities

Other Federal Agencies
  • Assist in assessing risk, prioritizing CI/KR, and
    enabling protective actions and programs within
    that sector.
  • Support the national goal of enhancing CI/KR
    protection through their roles as the regulatory
    agencies for owners and operators represented
    within specific sectors when so designated by

State and Territorial Govt
  • Serve as crucial coordination hubs, bringing
    together prevention, protection, response, and
    recovery authorities, capacities, and resources.
  • Coordinate requests for Federal assistance when
    the threat or incident situation exceeds
    jurisdictional capabilities.
  • Develop and implement statewide/regional CI/KR
    protection programs that reflect the full range
    of NIPP activities.

Local Govt
  • Provide critical public services and functions in
    conjunction with private-sector owners and
  • Drive emergency preparedness, as well as local
    participation in NIPP and SSP implementation,
    across a variety of jurisdictional security

Tribal Govt
  • Tribal govt roles and responsibilities regarding
    CI/KR mirror those of State and local govt.
  • Under NIPP, tribal govt must ensure close
    coordination with Federal, State, local, and
    international counterparts to achieve synergy in
    the implementation of the NIPP/SSP frameworks.

Regional Partners
  • Regional security partners include a variety of
    public-private initiatives that cross
    jurisdictional and/or sector boundaries and focus
    on homeland security and phases of disaster mgt.
  • Specific regional initiatives range in scope from
    orgs that include multiple jurisdictions and
    private-sector partners within a single State to
    groups that involve jurisdictions and enterprises
    in more than one State and internationally

Regional Partners Best Practices
  • Pacific Northwest Economic Region
  • The region, established by statute in all member
    States and provinces, sponsors binational,
    multijurisdictional CI/KR protection
    interdependency exercises, and has developed an
    action plan outlining several physical and cyber
    CI/KR protection projects with important regional

Boards, Commissions, Authorities, Councils, and
Other Entities
  • Perform regulatory, advisory, policy, or business
    oversight functions related to various aspects of
    CI/KR operations and protection within and across
    sectors and jurisdictions.
  • These entities may serve as SSAs within a State
    and contribute expertise.
  • Housing authorities, water and sewer boards, park
    commissions (examples)

Public Utility Commissions
  • Creating networks among utility regulators and
    other Federal, State, local, and private sector
    entities to address cross-sector issues.
  • Recommending strategies to facilitate information
  • Recommending cost-effective solutions
  • Identifying and prioritizing issues, researching
    best practices, and disseminating information.

Private-Sector Owners and Operators
  • Owners and operators generally represent the
    first line of defense for the CI/KR under their
  • Private-sector owners and operators are
    responsible for taking action to support risk mgt
    planning and make prudent investments in security
    measures by
  • Continuity of Business and EMPs
  • Protect facilities against physical and cyber
    attacks and natural disasters
  • Guarding against the insider threat
  • Building increased resiliency and redundancy into
    business processes and systems
  • Minimize impact of surrounding communities

Sector Coordinating Councils (SCCs)
  • The sector partnership encourages CI/KR owners
    and operators to create or identify a Sector
    Coordinating Council as the principal entity for
    coordinating with the govt on a wide range of
    CI/KR protection activities and issues.
  • The PCIS provides senior level, cross sector
    strategic coordination through partnerships with
    DHS and the SSAs.

Government Coordinating Councils (GCCs)
  • Formed as the government counterpart for each SCC
    to enable interagency and cross-jurisdictional
  • GCC is comprised of all levels of govt.
  • Government Cross-Sector Council addresses
    cross-sector issues.

Critical Infrastructure Partnership Advisory
Council (CIPAC)
  • Directly supports the NIPP sector partnerships by
    providing a legal framework for members of the
    SCCs and GCCs to engage in joint CI/KR
    protection-related activities.
  • CIPAC serves as a forum for govt and private
    sector security partners to engage in a broad
    spectrum of activities including planning,
    coordination, and implementation of operational

Regional and Intl Coordination
  • Regional: regional partnerships, groupings, and
    governance bodies enable CI/KR protection within
    and across geographical areas and sectors.
  • Intl: The U.S.-Canada-Mexico Security and
    Prosperity Partnership, North Atlantic Treaty Org
    Senior Civil EP Committee, and other
    non-governmental and public-private orgs enable a
    range of CI/KR protection through intl

Advisory Councils
  • Provide advice, recommendations, and expertise to
    the govt regarding CI/KR.
  • Enhance private-public partnerships
  • Engagement of PPP

AC Examples
  • Homeland Security Advisory Council: advice to
    Secretary of DHS
  • Private Sector Senior Advisory Committee:
    provides HSAC (above) with expertise
  • National Infrastructure Advisory Council:
    provides the President with advice
  • National Security Telecommunications Advisory
    Committee: industry-based advice and expertise

Academia, Research Centers, and Think Tanks
  • Establishing Centers of Excellence
  • Supporting research
  • Analyzing and sharing best practices
  • Disseminating guidelines
  • Conducting research for new technologies

Lesson 3 Overview
  • Describe how the use of the risk mgt framework
    ensures a steady state of protection within and
    across the CI/KR sectors.
  • Identify the risk mgt activities implemented by
    security partners.

Managing Risk
  • The NIPP risk mgt framework establishes a process
    for identifying risks and prioritizing protection
    initiatives and investments within and across
  • Govt and private sector offer the most benefit
    for mitigating risk by lessening vulnerabilities,
    deterring threats, and minimizing the consequence
    of terrorist attacks and other manmade and
    natural disasters.

What is Risk?
  • Risk is defined as a measure of potential harm
    that encompasses threat, vulnerability, and
  • Risk is the expected magnitude of loss due to an
    event along with the likelihood of such an event
    occurring and causing that loss.

NIPP Risk Mgt Framework
  • Setting security goals
  • Identifying assets
  • Assessing risks
  • Prioritizing and implementing corrective programs
  • Measuring performance
  • Taking corrective action

NIPP Risk Mgt Framework (cont)
  • Applicable to the general threat environment, as
    well as to specific threats or incidents
  • Structured to promote continuous improvement to
    enhance CI/KR protection
  • Tailored and applied on an asset depending on the
    fundamental characteristics of the individual
    CI/KR sectors.

SSAs Responsibilities
  • Developing and implementing Sector-specific plans
  • Fostering communication
  • Coordinating sector-wide risk mgt
  • Prioritizing sector risks and needs

DHS Responsibilities
  • Supporting risk mgt efforts by providing
    guidance, tools, and analytical support to SSAs
    and other security partners.
  • Using the results obtained in sector-specific
    risk mgt efforts to conduct cross-sector risk
    analysis and mgt activities.
  • Working with security partners to identify and
    share threat information, lessons learned and
    best practices.

Physical, Cyber, and Human Elements
  • Physical: tangible property
  • Cyber: electronic information and communication
    systems, and the information contained therein
  • Human: critical knowledge of functions or people
    uniquely susceptible to attack

Set Security Goals
  • Security partners work together to define
    specific outcomes, conditions, end points, or
    performance targets that collectively constitute
    an effective protective posture.

Identify Assets, Systems, Networks, and Functions
  • The next activity is to develop and maintain an
    inventory of the assets, et al. that comprise
    the Nation's critical infrastructure and key
    resources and their functions.
  • The inventory allows for the inclusion of a wide
    diversity of items, thereby reflecting the unique
    nature of the different sectors.

Assess Risks
  • Based on the inventory, risk is assessed as a
    function of consequence, vulnerability, and
  • Consideration is given to the potential direct
    and indirect consequences of a terrorist attack
    or other hazards, known vulnerabilities to various
    potential attack vectors, and general or specific
    threat information.

Risk = f(Consequence, Vulnerability, and Threat)
  • Consequence: the negative effects on public
    health, economy, and the functioning of govt.
  • Vulnerability: the likelihood that a flaw in a
    system renders it susceptible to destruction.
  • Threat: the likelihood that a particular asset
    will suffer an attack or an incident.

Calculating Risk
  • Risk assessments are conducted based on
    consequence, vulnerability, and threat to a given
    asset, system or network.

Existing Risk Assessment Tools
  • Many institutions perform vulnerability and risk
    assessments on their assets.

Prioritization Process
  • Identify where risk mitigation is most pressing,
    and subsequently to determine the most
    cost-effective protective actions.
  • Determine which CI/KR should be given priority
    for protection and which alternative protective
    actions represent the best investment based on

Protective Actions and Programs
  • Deterring threats
  • Mitigating vulnerabilities
  • Minimizing consequences
  • Comprehensive
  • Coordinated
  • Cost-Effective
  • Risk-Based

Sector Specific Plans
  • Are tailored to address the unique
    characteristics and risk landscapes of each
  • Developed by the SSAs in partnership with SCCs
    and GCCs

Metric-Based System
  • Measure performance by
  • Provides feedback on efforts to attain the goals
    and objectives
  • Provides a basis for establishing accountability,
    documentation, promoting effective mgt, and
    reassessing goals.
  • Obtains a quantitative assessment
  • Helps identify corrective actions and provide
    decision makers with feedback
  • Promotes informed decisions

Assessing Performance
  • National Annual Report supports both strategic
    and resource allocation decisions related to the
    national CI/KR protection mission.

Continuous Improvement
  • The NIPP includes a feedback loop for ensuring
    continuous improvement of protective actions and
  • Baseline information is compared to recent
    information to measure the progress over time.

Lesson 4 Overview
  • Fosters information sharing at all levels
  • Provides guidance on the structure and content of
    each sector's CI/KR plan
  • Helps to ensure an effective, efficient CI/KR
    protection program over the long term

Benefits of Information Sharing
  • Actionable information on threats and incidents
  • Information pertaining to overall CI/KR status
  • Owners and operators to assess risk and take
    actions to safeguard their facilities.
  • Govt to adjust its information collection,
    analysis, synthesis, and dissemination activities
    based on the needs of the private sector.

NIPP Information Sharing
  • The NIPP approach constitutes a shift from a
    strictly hierarchical to a networked model,
    allowing distribution and access to information
    both vertically and horizontally, as well as the
    ability to enable decentralized decision making
    and actions.

Networked Approach
  • The NIPP uses a networked approach to information
    sharing that represents a fundamental change in
    how security partners share and protect the
    information needed to analyze risk and make

Safeguarding Against Unauthorized Disclosure
  • NIPP implementation relies on the availability of
    pertinent information provided by CI/KR owners
    and operators, including the private sector.
  • The NIPP recognizes that the disclosure of
    sensitive business or security information could
    cause serious damage to private firms, the
    economy, public safety, or security through
    unauthorized disclosure or access.

Protected Critical Infrastructure Information
  • PCII includes procedures that govern the receipt,
    validation, handling, storage, marking, and use of
    critical infrastructure information voluntarily
    submitted to DHS.
  • These procedures are also applicable to all
    Federal, State, local, and tribal government
    agencies and contractors that have access to,
    handle, use, or store critical infrastructure
    information that enjoys protection under the CII
    Act of 2002.

Complementing Other Plans
  • Homeland security plans and strategies at the
    Federal, State, local, and tribal levels of govt
    that address CI/KR protection within their
    respective jurisdictions.
  • Business continuity plans and resilience measures.

National Response Plan
  • The NIPP establishes the overall risk-based
    approach that defines the Nation's CI/KR
    steady-state protective posture.
  • The NRP provides the approach and the overall
    coordination for domestic incident mgt

Ensuring an Effective, Efficient Program Over the
Long Term
  • Building national awareness to support the CI/KR
  • Enabling education, training, and exercise
    programs to ensure that skilled professionals
    undertake NIPP
  • Conducting R&D and using technology improve
  • Developing, safeguarding, and maintaining data
    systems and simulations to enable continuously
    refined risk assessment
  • Continuously improving the NIPP and associated
    plans and programs through ongoing mgt and
    revision, as required.