The Homeland Security Act of 2002 directed the Department of Homeland Security to ensure the protection of the Nation’s critical infrastructure and key resources (CI/KR). Homeland Security Presidential Directive 7 (HSPD-7) (“Critical Infrastructure Identification, Prioritization, and Protection”) of December 17, 2003, directed the Secretary of Homeland Security to establish a national plan, working closely with other Federal departments and agencies, State, local, tribal, and territorial governments, and the private sector, to unify national efforts to protect CI/KR.
The NIPP was published in 2006. It established a partnership structure for coordination across 18 CIKR sectors and a risk management framework to identify the assets, systems, networks, and functions whose loss or compromise poses the greatest risk. The NIPP was updated in 2009 and again in December 2013, in part to reflect changes in federal cybersecurity policy since 2009. It identifies the roles and responsibilities of DHS, sector-specific agencies, and private sector partners.
The overarching goal of the NIPP is to:
“Build a safer, more secure, and more resilient America by preventing, deterring, neutralizing, or mitigating the effects of deliberate efforts by terrorists to destroy, incapacitate, or exploit elements of our Nation's CIKR and to strengthen national preparedness, timely response, and rapid recovery of CIKR in the event of an attack, natural disaster, or other emergency.”
The NIPP provides the unifying structure for the integration of existing and future CIKR protection efforts and resiliency strategies into a single national program to achieve this goal. The NIPP framework supports the prioritization of protection and resiliency initiatives and investments across sectors to ensure that government and private sector resources are applied where they offer the most benefit for mitigating risk by lessening vulnerabilities, deterring threats, and minimizing the consequences of terrorist attacks and other man-made and natural disasters.
The NIPP risk management framework recognizes and builds on existing public and private sector protective programs and resiliency strategies in order to be cost-effective and to minimize the burden on CIKR owners and operators.
Protection includes actions to mitigate the overall risk to CIKR assets, systems, networks, functions, or their interconnecting links. In the context of the NIPP, this includes actions to deter the threat, mitigate vulnerabilities, or minimize the consequences associated with a terrorist attack or other incident (see Diagram 1). Protection can include a wide range of activities, such as improving security protocols, hardening facilities, building resiliency and redundancy, incorporating hazard resistance into facility design, initiating active or passive countermeasures, installing security systems, leveraging “self-healing” technologies, promoting workforce surety programs, implementing cybersecurity measures, training and exercises, business continuity planning, and restoration and recovery actions, among others.
Achieving the NIPP goal requires actions to address a series of objectives, which include:
- Understanding and sharing information about terrorist threats and other hazards with CIKR partners;
- Building partnerships to share information and implement CIKR protection programs;
- Implementing a long-term risk management program; and
- Maximizing the efficient use of resources for CIKR protection, restoration, and recovery.
These objectives require a collaborative partnership among CIKR partners, including: the Federal Government; State, local, tribal, and territorial governments; regional coalitions; the private sector; international entities; and nongovernmental organizations.
The NIPP provides the framework that defines a set of flexible processes and mechanisms that these CIKR partners will use to develop and implement the national program to protect CIKR across all sectors over the long term.
CIKR partner responsibilities
In accordance with HSPD-7, the NIPP delineates the roles and responsibilities for partners in carrying out CIKR protection activities while respecting and integrating the authorities, jurisdictions, and prerogatives of these partners.
Primary roles for CIKR partners include:
- Department of Homeland Security: Coordinates the Nation’s overall CIKR protection efforts and oversees NIPP development, implementation, and integration with national preparedness initiatives.
- Sector-Specific Agencies: Implement the NIPP framework and guidance as tailored to the specific characteristics and risk landscapes of each of the CIKR sectors.
- Other Federal Departments, Agencies, and Offices: Implement specific CIKR protection roles designated in HSPD-7 or other relevant statutes, executive orders, and policy directives.
- State, Local, Tribal, and Territorial Governments: Develop and implement a CIKR protection program, in accordance with the NIPP risk management framework, as a component of their overarching homeland security programs.
- Regional Partners: Use partnerships that cross jurisdictional and sector boundaries to address CIKR protection within a defined geographical area.
- Boards, Commissions, Authorities, Councils, and Other Entities: Perform regulatory, advisory, policy, or business oversight functions related to various aspects of CIKR operations and protection within and across sectors and jurisdictions.
- Private Sector Owners and Operators: Undertake CIKR protection, restoration, coordination, and cooperation activities, and provide advice, recommendations, and subject matter expertise to all levels of government.
- Homeland Security Advisory Councils: Provide advice, recommendations, and expertise to the government regarding protection policy and activities.
- Academia and Research Centers: Provide CIKR protection subject matter expertise, independent analysis, research and development (R&D), and educational programs.
Risk management framework
The cornerstone of the NIPP is its risk management framework. It details the roles and responsibilities for DHS, sector-specific agencies (SSAs), and other federal, state, regional, local, tribal, territorial, and private sector partners implementing the NIPP, including how they should use risk management principles to prioritize protection activities within and across sectors.
Risk is the potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences. Simply stated, risk is influenced by the nature and magnitude of a threat, the vulnerabilities to that threat, and the consequences that could result. Risk is an important means of prioritizing mitigation efforts for partners ranging from facility owners and operators to Federal agencies.
The NIPP risk management framework (see Diagram 2) integrates and coordinates strategies, capabilities, and governance to enable risk-informed decision-making related to the Nation’s CIKR. This framework is applicable to threats such as natural disasters, man-made safety hazards, and terrorism, although different information and methodologies may be used to understand each.
The NIPP risk management framework includes the following activities:
- Set goals and objectives: Define specific outcomes, conditions, end points, or performance targets that collectively constitute an effective risk management posture.
- Identify assets, systems, and networks: Develop an inventory of the assets, systems, and networks, including those located outside the United States, that make up the nation’s CIKR or contribute to the critical functionality therein, and collect information pertinent to risk management that takes into account the fundamental characteristics of each sector.
- Assess risks: Evaluate the risk, taking into consideration the potential direct and indirect consequences of a terrorist attack or other hazards (including, as capabilities mature, seasonal changes in the consequences and dependencies and interdependencies associated with each identified asset, system, or network), known vulnerabilities to various potential attack methods or other significant hazards, and general or specific threat information.
- Prioritize: Aggregate and compare risk assessment results to: develop an appropriate view of asset, system, and/or network risks and associated mission continuity, where applicable; establish priorities based on risk; and determine protection, resilience, or business continuity initiatives that provide the greatest return on investment for the mitigation of risk.
- Implement protective programs and resiliency strategies: Select appropriate actions or programs to reduce or manage the risk identified; identify and provide the resources needed to address priorities.
- Measure effectiveness: Use metrics and other evaluation procedures at the appropriate national, State, local, regional, and sector levels to measure progress and assess the effectiveness of the CIKR protection programs.
This process features a continuous feedback loop, which allows the federal government and its CIKR partners to track progress and implement actions to improve national CIKR protection and resiliency over time. The physical, cyber, and human elements of CIKR should be considered in tandem in each aspect of the risk management framework.
The NIPP framework calls for CIKR partners to assess risk from any scenario as a function of consequence, vulnerability, and threat, as defined below. It is important to think of risk as influenced by the nature and magnitude of a threat, the vulnerabilities to that threat, and the consequences that could result:
- R = f(C, V, T)
- Consequence: The effect of an event, incident, or occurrence; reflects the level, duration, and nature of the loss resulting from the incident. For the purposes of the NIPP, consequences are divided into four main categories: public health and safety (i.e., loss of life and illness); economic (direct and indirect); psychological; and governance/mission impacts.
- Vulnerability: Physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard. In calculating the risk of an intentional hazard, a common measure of vulnerability is the likelihood that an attack is successful, given that it is attempted.
- Threat: Natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. For the purpose of calculating risk, the threat of an intentional hazard is generally estimated as the likelihood of an attack being attempted by an adversary; for other hazards, threat is generally estimated as the likelihood that a hazard will manifest itself. In the case of terrorist attacks, the threat likelihood is estimated based on the intent and capability of the adversary.
CIKR-related risk assessments consider all three components of risk and are conducted on assets, systems, or networks, depending on the characteristics of the infrastructure being examined. Once the three components of risk have been assessed for one or more given assets, systems, or networks, they must be integrated into a defensible model to produce a risk estimate.
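The following is an added worked example, not text or code from the NIPP or DHS: it applies R = f(C, V, T) in the simple multiplicative form R = C × V × T to a constructed asset inventory, combines the four NIPP consequence categories into a single consequence score, estimates threat as intent × capability for intentional hazards (or the hazard likelihood for natural ones), aggregates each asset's risk across scenarios, ranks assets, and then ranks candidate protective programs by risk reduction per unit cost, as the "Prioritize" and "Implement protective programs" steps call for. The asset names, category weights, probabilities, program costs and the multiplicative model itself are assumptions of this example, not NIPP core criteria.

```python
"""Toy NIPP-style risk model (added example; all values are constructed)."""
from dataclasses import dataclass

# Weights that fold the four NIPP consequence categories into one score.
# These weights are an assumption of this example, not DHS guidance.
CONSEQUENCE_WEIGHTS = {
    "public_health_safety": 0.4,
    "economic": 0.3,
    "psychological": 0.1,
    "governance_mission": 0.2,
}


@dataclass
class Scenario:
    name: str
    consequence: dict             # category -> severity in [0, 1] for this asset
    vulnerability: float          # P(incident succeeds | attempted or manifested)
    intent: float = 0.0           # adversary intent in [0, 1] (intentional hazards)
    capability: float = 0.0       # adversary capability in [0, 1]
    natural: bool = False         # natural hazard: threat = P(hazard manifests)
    hazard_likelihood: float = 0.0


@dataclass
class Program:
    name: str
    applies_to: str               # substring matched against scenario names
    vuln_reduction: float         # fraction by which vulnerability is reduced
    cost: float                   # constructed cost units


def consequence_score(c: dict) -> float:
    """Weighted sum of the four consequence categories, clipped to [0, 1]."""
    total = sum(w * c.get(k, 0.0) for k, w in CONSEQUENCE_WEIGHTS.items())
    return min(max(total, 0.0), 1.0)


def threat_likelihood(s: Scenario) -> float:
    """Threat: P(attempt) = intent * capability, or P(hazard) for natural hazards."""
    return s.hazard_likelihood if s.natural else s.intent * s.capability


def scenario_risk(s: Scenario) -> float:
    """R = C * V * T for one scenario against one asset."""
    return consequence_score(s.consequence) * s.vulnerability * threat_likelihood(s)


def asset_risk(scenarios: list) -> float:
    """Aggregate an asset's risk as the sum of its scenario risks (expected loss)."""
    return sum(scenario_risk(s) for s in scenarios)


def prioritize(inventory: dict) -> list:
    """Rank assets by aggregated risk, highest first: (asset, risk) tuples."""
    return sorted(((a, asset_risk(sc)) for a, sc in inventory.items()), key=lambda x: -x[1])


def risk_reduction(inventory: dict, program: Program) -> float:
    """Total risk removed if the program lowers V on every scenario it applies to."""
    return sum(scenario_risk(s) * program.vuln_reduction
               for scenarios in inventory.values()
               for s in scenarios if program.applies_to in s.name)


def rank_programs(inventory: dict, programs: list) -> list:
    """Rank programs by risk reduction per cost unit (return on investment), best first."""
    return sorted(((p.name, risk_reduction(inventory, p) / p.cost) for p in programs),
                  key=lambda x: -x[1])


# Constructed inventory: two assets, each with a few threat scenarios.
INVENTORY = {
    "substation-A": [
        Scenario("physical attack", {"public_health_safety": 0.5, "economic": 0.8,
                                     "psychological": 0.3, "governance_mission": 0.4},
                 vulnerability=0.6, intent=0.5, capability=0.8),
        Scenario("cyber intrusion", {"public_health_safety": 0.2, "economic": 0.9,
                                     "psychological": 0.5, "governance_mission": 0.6},
                 vulnerability=0.7, intent=0.7, capability=0.6),
        Scenario("flood", {"public_health_safety": 0.3, "economic": 0.6,
                           "psychological": 0.1, "governance_mission": 0.2},
                 vulnerability=0.9, natural=True, hazard_likelihood=0.1),
    ],
    "water-plant-B": [
        Scenario("cyber intrusion", {"public_health_safety": 0.9, "economic": 0.5,
                                     "psychological": 0.6, "governance_mission": 0.7},
                 vulnerability=0.5, intent=0.6, capability=0.5),
        Scenario("earthquake", {"public_health_safety": 0.7, "economic": 0.4,
                                "psychological": 0.3, "governance_mission": 0.3},
                 vulnerability=0.8, natural=True, hazard_likelihood=0.05),
    ],
}

# Constructed candidate protective programs.
PROGRAMS = [
    Program("perimeter hardening", applies_to="physical", vuln_reduction=0.5, cost=100),
    Program("cyber hardening", applies_to="cyber", vuln_reduction=0.4, cost=200),
]

if __name__ == "__main__":
    for asset, r in prioritize(INVENTORY):
        print(f"{asset:15s} aggregated risk = {r:.4f}")
    for name, roi in rank_programs(INVENTORY, PROGRAMS):
        print(f"{name:20s} risk reduction per cost unit = {roi:.6f}")
```

Note that the program with the larger absolute risk reduction (cyber hardening removes more risk across both assets) is not the one with the better return on investment in this constructed data; that is the distinction the "Prioritize" step draws between establishing priorities based on risk and selecting initiatives by return on investment.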
DHS conducts risk analyses for each of the 18 CIKR sectors, working in close collaboration with the SSAs, State and local authorities, and private sector owners and operators. This includes execution of the Strategic Homeland Infrastructure Risk Assessment (SHIRA) data call that provides input to risk analysis programs and projects and considers data collected more broadly through other DHS Office of Infrastructure Protection (IP) program activities as well.
DHS has identified a number of risk assessment characteristics and data requirements to produce results that enable cross-sector risk comparisons; these are termed core criteria. These features provide a guide for improving existing methodologies or modifying them so that the investment and expertise they represent can be used to support national-level, comparative risk assessment, investments, incident response planning, and resource prioritization.
The 2013 NIPP reaffirms the role of various coordinating structures (such as sector coordinating councils and government coordinating councils) and integrates cyber and physical security and resilience efforts into an enterprise approach for risk management, among other things. The 2013 NIPP also reiterates the sector-specific agency roles and responsibilities as defined in Presidential Policy Directive 21. (Maritime Critical Infrastructure Protection: DHS Needs to Better Address Port Cybersecurity, at 12.)