Dhs foia-dsac-etc-april-15-2013-records-for-release-123-pages-1

DHS Private Sector Information-Sharing Working Plan March 28, 2011

Table of Contents

Enhanced Information Sharing Working Plan .......................................................................... 1 Introduction ................................................................................................................................. 1 Purpose and Scope of This Plan .................................................................................................. 2 A Common Understanding of “Private Sector Engagement” ..................................................... 2 Developmental Approach ............................................................................................................ 3 Implementation of Recommendations ........................................................................................ 3 Resources Required ..................................................................................................................... 4 Conclusion ................................................................................................................................... 4

Overview: Private Sector Information Sharing Integrated Project Team Timelines andWork Plans .............................................................................................................................. 6

Focus Area I – Adopt “One DHS” Private Sector Information-Sharing Approach .................... 6 Focus Area II – Enhance Strategic Communications Coordination ........................................... 6 Focus Area III – Strengthen Regionally Focused Information-Sharing Efforts ......................... 7 Focus Area IV – Enhance Information Sharing and Accountability .......................................... 8

Attachment A: Recommendation Timelines and Work Plans .................................................. 9 Recommendation #1: ................................................................................................................... 9 Recommendation #2: ................................................................................................................. 12 Recommendation #3: ................................................................................................................. 15 Recommendation #4: ................................................................................................................. 19 Recommendation #5: ................................................................................................................. 24 Recommendation #6: ................................................................................................................. 28 Recommendation #7: ................................................................................................................. 30 Recommendation #8: ................................................................................................................. 33 Recommendation #9: ................................................................................................................. 36 Recommendation #10: ............................................................................................................... 40 Recommendation #11: ............................................................................................................... 44 Recommendation #12: ............................................................................................................... 49 Recommendation #13: ............................................................................................................... 51 Recommendation #14: ............................................................................................................... 56 Recommendation #15: ............................................................................................................... 59 Recommendation #16 A: ........................................................................................................... 63 Recommendation #16 B: ........................................................................................................... 63

Attachment B: Private Sector Information-Sharing Working Group Participants – Private Sector Companies and Trade Associations............................................................................... 66 List of Acronyms ......................................................................................................................... 67

DRAFT // PRE-DECISIONAL // FOR DISCUSSION PURPOSES ONLY

1

The American People and the Private Sector: The ideas, values, energy, creativity, and resilience of our citizens are America’s greatest resource. We will support the development of prepared, vigilant, and engaged communities and underscore that our citizens are the heart of a resilient country. And we must tap the ingenuity outside government through strategic partnerships with the private sector, non-governmental organizations, foundations, and community-based organizations. Such partnerships are critical to U.S. success at home and abroad, and we will support them through enhanced opportunities for engagement, coordination, transparency, and information sharing.

- President Barack Obama’s National Security Strategy, May 2010

Enhanced Information Sharing Working Plan 1

Introduction 2

The U.S. Department of Homeland Security (DHS) recognizes, as illustrated in the Quadrennial 3 Homeland Security Review (QHSR) and the National Security Strategy (NSS), the vital role that 4 the private sector plays in supporting efforts to secure the homeland and enhance the resilience 5 of our communities. Many Department-wide initiatives—increasing cybersecurity awareness, 6 fostering a national culture of preparedness, maximizing the effectiveness of the National 7 Network of Fusion Centers and integrating them as per the NSS, and enhancing the security and 8 resilience of the national critical infrastructure —require active engagement and coordination 9 with the private sector. DHS has made strides in its efforts to effectively engage the private 10 sector—which includes businesses of all sizes, academic institutions, and non-governmental 11 groups—and has numerous tools and processes in place. However, challenges and areas of 12 improvement remain in the Department’s approach to information sharing with the private 13 sector. 14

To address these challenges and gaps, 15 the Secretary of Homeland Security 16 (Secretary) tasked a group, under the 17 leadership of the Under Secretary for 18 the Office of Intelligence & Analysis 19 (I&A), to meet with private sector 20 representatives from across the country 21 and identify specific actions the 22 Department could take to improve two-23 way information sharing with the 24 private sector. The DHS Private Sector 25 Information-Sharing Working Plan 26 (Plan) describes how the Department 27 can implement 16 recommendations 28 that resulted from these discussions 29 with representatives from 51 Fortune 30 500 companies. Implementation of the deliverables identified in this Plan demonstrates the 31 commitment of DHS Headquarters and Operational Components to work with the private sector 32 to build effective, transparent, and sustainable processes for information sharing in order to meet 33 the public-private shared responsibility of homeland security. 34

The Plan represents a comprehensive effort by DHS and offers executable options for improving 35 DHS’s partnership with America’s private sector. The Plan recognizes the requirements that 36 many DHS Headquarters and Operational Components have to engage the private sector, either 37 through legislation or activities mandated by the executive branch. The recommendations are 38 not intended to interfere with these components' responsibilities, prerogatives, or actions to 39 perform aspects of their missions. Instead, this Plan is intended to enhance internal and external 40 visibility of existing efforts and capabilities in order to strengthen cross-component collaboration 41 on specific areas that impact the private sector. 42

43


2

Purpose and Scope of This Plan 44

Purpose—The Plan identifies how the Department will act on and implement 16 45 recommendations focused on enhancing and aligning private sector engagement and 46 information-sharing efforts across DHS. This Plan describes the key activities that will support 47 DHS efforts to transition the existing information-sharing and collaboration processes to a more 48 internally and externally transparent environment that will better support DHS in meeting its 49 goals and objectives. 50

Scope—Each of the recommendations and deliverables identified in the Plan have Department-51 wide implications that, when taken together, represent a significant step forward in achieving 52 timely and coordinated information sharing among DHS Headquarters and Operational 53 Components with private sector engagement responsibilities as well as with DHS’s private sector 54 partners. The Plan recognizes the substantial progress that DHS and the National Network of 55 Fusion Centers have already made in developing the processes required for internal and external 56 information sharing and seeks to leverage these successes and expand existing capabilities. To 57 this end, DHS Headquarters and Operational Components with private sector engagement roles 58 and responsibilities used best practices and lessons learned from their respective components’ 59 efforts, as well as direct feedback from private sector stakeholders, to inform the development of 60 the Plan. 61

A Common Understanding of “Private Sector Engagement” 62

• The private sector is complex and not a single monolithic entity. There are many 63 elements that comprise the private sector, including countless groups, subgroups, elements, 64 and stakeholders. DHS components must frequently communicate with various elements 65 of the private sector in a targeted manner rather than attempting to engage the private sector 66 as a single entity. 67

• DHS recognizes the need to interface with certain elements of the private sector 68 differently based on varying missions DHS shares with the private sector. Specific 69 elements and subsets within the private sector require varying levels of information 70 exchange that are distinct from the private sector at large. 71

• Critical infrastructure owners and operators have specific threat and risk 72 information requirements different from the non-critical infrastructure private 73 sector. DHS offices share Sensitive But Unclassified (SBU) information and, in some 74 cases, classified information with private sector entities in a targeted way that may not 75 always be appropriate or authorized to share with other private sector entities. Information 76 must be tailored for delivery to the appropriate element of the private sector. 77

• Communication and information sharing occurs at various levels across all 78 organizations. When DHS engages with the private sector, it must do so at multiple 79 organizational levels and tailor the information appropriately to the various levels it seeks 80 to share with. 81

• This effort is intended to broadly improve, across the entire DHS enterprise, the 82 consistency of information sharing with the private sector, and to ensure that the correct 83


3

information is shared with the appropriate individuals and organizations in a timely, 84 efficient, and sustainable manner. 85

Developmental Approach 86

Pursuant to a tasking from the Secretary of Homeland Security, I&A’s Principal Deputy Under 87 Secretary Bart Johnson, the Private Sector Office (PSO), and the National Protection and 88 Programs Directorate (NPPD) Office of Infrastructure Protection (IP)—in collaboration with 89 I&A’s Information Sharing and Collaboration Branch (IS&C)—formed the Private Sector 90 Information-Sharing Working Group (Working Group) to engage the Department’s private 91 sector partners in order to identify challenges in two-way communications and to solicit 92 suggestions for improving information sharing between the public and private sectors. 93 94 Using the Critical Infrastructure Partnership Advisory Council (CIPAC) process, which is 95 exempt from the Federal Advisory Committee Act (FACA), the Working Group held roundtable 96 discussions with 79 representatives from 51 Fortune 500 companies. PSO and NPPD/IP 97 conducted these discussions with private sector representatives from companies headquartered in 98 four geographically dispersed cities: Minneapolis, MN; Chicago, IL; Washington, DC; and 99 Santa Clara, CA. These cities were chosen based on the concentration of Fortune 500 100 companies, differing levels of fusion center maturity, and existence of varying levels of local 101 partnership in order to provide a diverse sample of security environments and perspectives. To 102 best accomplish the communication necessary for private sector engagement, a strategy 103 leveraging the centralized Department roles and the National Network of Fusion Centers is 104 necessary. 105 106 After substantial analysis of the data collected from the stakeholders, PSO and NPPD/IP 107 developed 16 recommendations for improvement. These recommendations were subsequently 108 briefed to DHS leadership in a number of components as well as the various staff and leaders of 109 the Information Sharing Governance Board (ISGB). 110 111 The ISGB approved the 16 recommendations at its August 5, 2010 quarterly meeting. The ISGB 112 further directed its action body, the Information Sharing Coordinating Council (ISCC), to 113 establish an Integrated Project Team (IPT) to develop a working plan to implement the 16 114 recommendations. The IPT members, including representatives from across the Department’s 115 Headquarters and Operational Components, collaboratively developed this Plan. 116 117 Pursuant to the Secretary’s direction, this Plan will be delivered to the Secretary, so that the 118 Secretary can provide private sector stakeholders an update on the Department’s initiatives and 119 activities that were developed in direct response to their feedback. 120 121 Implementation of Recommendations 122

The 16 recommendations to improve two-way information sharing between DHS and the private 123 sector fall into the following four focus areas: 124

• Adopt “One DHS” Coordinated Private Sector Information-Sharing Approach—125 Formally align and synchronize Department-wide efforts to improve visibility and enable 126


4

the coordination of programs, policies, efforts, and initiatives that relate to the private 127 sector while reducing duplication and improving efficiency. 128

• Enhance Strategic Communications Coordination—Rapidly and effectively 129 communicate with key companies, entities, and organizations in times of calm and when 130 responding to crisis through the use of enhanced, standardized, repeatable, and formal 131 communications processes. 132

• Strengthen Regionally Focused Information-Sharing Efforts—Strengthen the ability of 133 National Network of Fusion Centers and DHS field-level representatives to be the critical 134 delivery vehicle and mission advocate for the two-way exchange of useful intelligence and 135 information between the Federal Government and our State, local, tribal, territorial, and 136 private sector partners, and non-profit communities and individual citizens. 137

• Enhance Information Sharing and Accountability—Increase the accountability of DHS 138 efforts to push products and services to the private sector to better ensure that the right 139 information is getting to the right people in a timely manner. The recommendations here 140 help enable the recognition of programmatic performance toward achieving and leveraging 141 a successful information-sharing environment. 142

The recommendations in each of the four categories and their accompanying deliverables 143 represent an initial set of improvements which DHS, in collaboration with the private sector, has 144 identified as necessary to enhance internal and external information sharing. Lead and 145 supporting offices have been assigned to each recommendation and are responsible for working 146 with other offices and components, as necessary, to implement their recommendations. When 147 applicable, the National Network of Fusion Centers will be engaged to support communicating 148 and tailoring the local information. As requested, the detailed work plans and timelines for the 149 implementation of each recommendation are attached as an appendix. 150

The Private Sector Information Sharing IPT, established through the ISCC and ISGB process, 151 will track the progress of implementation and will update ISGB on the progress of 152 implementation for each recommendation. 153

Resources Required 154

The IPT representatives anticipate that implementation of these recommendations can be 155 accomplished according to the timelines outlined in Attachment A, should internal resources and 156 personnel be aligned to this priority. To make tangible and cost-effective improvements, when 157 appropriate, this Plan relies on existing capabilities and ongoing initiatives both within and 158 external to DHS. However, implementing large-scale changes of the types recommended herein 159 is a complex endeavor and, to be successful, the Plan does identify the need for increased 160 resources in a few areas in order to implement some of the recommendations successfully. 161

Conclusion 162

The outcome of this effort we envisioned will be enhanced public-private sector engagement that 163 incorporates shared public-private responsibility for economic and national security and is 164 timely, transparent, and appropriate. With existing DHS relationships, private sector 165


5

commitment, and these new strategies, DHS is poised to capitalize on enhanced engagement and 166 coordination with the private sector. 167

168


6

Overview: Private Sector Information Sharing Integrated Project 169 Team Timelines and Work Plans 170

Focus Area I – Adopt “One DHS” Private Sector Information-Sharing Approach 171

To enhance and maintain meaningful and strategic partnerships with private sector entities, DHS 172 needs to enhance internal and external visibility on existing programs, policies, efforts, and 173 initiatives that relate to the private sector. Increased internal visibility will allow for 174 strengthened component collaboration in mission-specific areas that impact the private sector 175 and will enhance the ability of the private sector to leverage their resources and capabilities in 176 partnership with DHS. DHS should also increase visibility of and coordination with interagency 177 private sector information-sharing efforts to further support the broader national information-178 sharing landscape or the “whole of government” approach, as called for in the NSS. 179

Table 1. Focus Area I Recommendations

1 Clearly define the roles and responsibilities of DHS offices that engage in private sector information sharing

2 Establish an intra-DHS Homeland Security Information Network (HSIN) Private Sector Shared Community to ensure Department-wide transparency and synchronization of efforts

3 Increase DHS coordination with interagency private sector information-sharing efforts.

4 Formalize a process for including private sector participation in DHS all-hazards operational planning, exercise, and evaluation activities.

180 Focus Area II – Enhance Strategic Communications Coordination 181

Rapid and effective communication with key companies, entities, and organizations in times of 182 calm and when responding to crisis requires enhanced, standardized, repeatable, and formal 183 communications processes. DHS Headquarters and Operational Components and the National 184 Network of Fusion Centers need to understand how and when their colleagues engage with the 185 private sector so they can leverage existing communication tools and ensure that relevant, timely, 186 accurate, and consistent information is clearly communicated to the intended audience. In 187 addition, to improve synergy of effort between internal and external stakeholders, the 188 information that each Critical Infrastructure and Key Resources (CIKR) Sector possesses should 189 be better shared across sectors. The nature of the global marketplace necessitates that many 190 stakeholders operate in multiple sectors as trusted partners and need to collaborate across the 191 sector partnership. Improving the synchronization of intra-DHS and cross-sector strategic 192 communications will provide stakeholders with access to a greater range of resources and 193 information products and add to their abilities to contribute to collective homeland security 194 efforts. 195

196


7

Table 2. Focus Area II Recommendations

5 Establish a DHS-wide Standard Operating Procedure (SOP) for private sector communications related to incident management.

6 Develop an ‘education toolkit’ to ensure that public and private sectors can communicate rapidly and effectively.

7 Evaluate and enhance existing processes and methods of information sharing with critical infrastructure owners and operators.

8 Enhance cross-sector information visibility and collaboration within the Critical Infrastructure Key Resources Information Sharing Environment (CIKR ISE).

197 Focus Area III – Strengthen Regionally Focused Information-Sharing Efforts 198

Field-level relationships have proven to be a successful means to establish and maintain strong 199 partnerships with our private sector partners. DHS must actively support these regional 200 information-sharing efforts and ensure that regional- and local-level representatives continue to 201 be a viable delivery vehicle and mission advocate for the two-way exchange of information. The 202 objective is to jointly construct shared knowledge, context, and mutual understanding, enabling 203 unified public and private collaborative action by: (i) improving delivery of regional and local 204 threat and risk briefings through formal scheduling, and (ii) developing a headquarters-level, 205 cross-cutting analysis effort that prioritizes the information needs of public and private CIKR 206 owners and operators and other private sector partners. This will enable field-level 207 representatives to more rapidly and consistently provide private sector partners with the 208 information they need to help protect their employees, their property, and the national economy 209 within the all-hazards framework. When applicable, the National Network of Fusion Centers 210 will be leveraged to outreach, disseminate, tailor, and support targeted homeland security 211 information related to the private sector. 212

Table 3. Focus Area III Recommendations

9 Develop a fusion center Best Practices Guide to provide fusion centers with vetted models of successful information sharing with private sector partners.

10 Enhance coordination and communication between field-level personnel and regional and national coordination efforts.

11 Increase critical infrastructure owners and operators and other private sector entities’ awareness of the threats and risks applicable to their region and sector.

12 Expand the Cybersecurity Partner Local Access Plan (CPLAP) pilot program to enable more classified cybersecurity information sharing and discussions.

213 214


8

Focus Area IV – Enhance Information Sharing and Accountability 215

To ensure that the right information is getting to the right people, and that it is having the desired 216 impact, DHS must increase accountability of efforts to provide information to private sector 217 partners. In order to identify private sector information needs, DHS Headquarters and 218 Operational Components and the National Network of Fusion Centers should more actively 219 engage private sector partners and solicit feedback on a continuous basis. In addition, to ensure 220 sustainable two-way information sharing, DHS should: (i) provide clear guidance to the private 221 sector on how to recognize, handle, and share information provided by DHS, and (ii) increase 222 educational outreach to assure private sector partners that information provided to DHS will be 223 protected from public disclosure or misuse. Finally, DHS must increase private sector awareness 224 of how they can participate with DHS in the shared responsibility of homeland security and 225 provide expanded opportunities for private sector involvement in existing and maturing DHS 226 public-private partnerships activities. This will enable the development of more effective 227 processes for information sharing needed to reduce and mitigate risks to the Nation’s critical 228 infrastructure and the national economy. 229

Table 4. Focus Area IV Recommendations

13 Provide more useful information to the private sector and engage private sector entities in the Standing Information Needs (SINs) process.

14 Provide clear guidance to the private sector for handling and dissemination For Official Use Only (FOUO) information or Controlled Unclassified Information (CUI).

15 Increase information to critical infrastructure owners and operators on methods to become more involved in public-private partnerships.

16

Increase educational outreach to private sector partners regarding Protected Critical Infrastructure Information (PCII) and Chemical-terrorism Vulnerability Information (CVI) to ensure partners that information provided to DHS will be protected from public disclosure or misuse.

230 231

232


9

Attachment A: Recommendation Timelines and Work Plans 233

Recommendation #1: 234

Clearly define the roles and responsibilities of DHS Headquarters and Operational Components 235 that regularly engage in private sector information sharing to ensure coordination of mission and 236 to reduce duplication of effort. 237

Discussion: 238

An organization’s internal and external transparency plays a significant role in any successful 239 information-sharing environment. To better form and maintain meaningful and strategic 240 partnerships with private sector entities, DHS needs to enhance internal and external 241 transparency of existing programs, policies, efforts, and initiatives that relate to the private 242 sector. Increased transparency will allow for the: (i) identification of any gaps or unnecessary 243 areas of overlap (some overlap/redundancy should and always will exist), (ii) development of 244 recommended strategies to strengthen component collaboration in mission-specific areas that 245 impact the private sector, and (iii) increased opportunities to leverage existing programs, efforts, 246 and partnerships for the benefit of the whole Department. 247

Deliverables: 248

• A “One DHS” Private Sector Information-Sharing Matrix internal data call that details 249 items such as authorities, mission requirements, types of information, stakeholders, and 250 capabilities of offices throughout DHS (for internal use only) 251

• An options paper to the ISGB, through the ISCC, that provides options to highlight mission 252 focus areas, reduce redundancies, close gaps, leverage DHS internal core competencies and 253 capabilities, and align resources with respect to private sector communications 254

• Drawing from the data gathered from the Task 1 Matrix, the options paper will also 255 potentially discuss whether there is a need to develop a shared mission community or a 256 long term IPT to enhance transparency on an ongoing basis 257

• A “One DHS” Private Sector Information-Sharing Matrix coordinated with the National 258 Network of Fusion Centers for distribution to external homeland security stakeholders 259

• An updated, more extensive, digitized Private Sector Resources Catalog with a regular 260 update mechanism and an office charged with maintaining its currency 261

• A list that identifies component program managers with private sector information-sharing 262 roles and responsibilities 263

• A coordinating mechanism (to be identified in the options paper) that provide forums for 264 component representatives to update the larger DHS private sector information-sharing 265 community on their efforts 266

Component Support Activities: 267

DHS Headquarters and Operational Components and the National Network of Fusion Centers 268 across DHS have developed processes to improve intra-component transparency in order to 269 enhance information sharing with their private sector partners. However, there are very few 270 established processes to strengthen collaboration across components, making it difficult to 271


10

increase opportunities to leverage existing programs, efforts, and partnerships for the benefit of 272 the whole Department and, in the end, for private sector partners. 273

Metrics of Success: 274

Developing the appropriate performance metrics that capture the intended outcome of a more 275 transparent internal effort of private sector engagement requires close analysis of the results of 276 the intended internal data call. The intended metrics will be focused on achieving ongoing 277 internal coordination and information sharing, not on programmatic impact or effectiveness. 278 Metrics will more closely resemble activities such as “participation” in the to-be-determined 279 governance mechanism; or “documents/products shared and posted” on the future internal 280 Homeland Security Information Network (HSIN) private sector coordination portal. 281

Timeline for Completion1: 282

Form the “One DHS” Private Sector Information-Sharing Working Group and begin development of the matrix for the data call.

Day 1 – 15

Disseminate the “One DHS” Private Sector Information-Sharing Matrix that requires input on the mission requirements, types of information, stakeholders, and capabilities of offices throughout DHS and send out through ISCC channels and the Executive Secretariat.

Day 15

Receive input from the matrix data collection effort from offices throughout DHS.

Day 45

Analyze the data acquired from the matrix and share the data with the other Tiger Team leads.

Day 45 – 75

Update the Private Sector Resources Catalog using the matrix and the Executive Secretariat data calls.

Day 60

Develop a list that identifies component program managers (necessary data gathered from the matrix) with private sector information-sharing roles and responsibilities. Require these component representatives to participate in coordinating mechanisms to update the larger DHS private sector information-sharing community on their efforts.

Day 60

Digitize the Private Sector Resources Catalog to increase the utility and make the information more accessible for private sector partners.

Day 75

1 Unless indicated otherwise, ‘Day 1’ for all of the following timelines occurs when the Secretary of the Department of Homeland Security approves this DHS Private Sector Information Sharing Working Plan.


11

Develop a user friendly and accessible Private Sector Information-Sharing Matrix for distribution to homeland security stakeholders, both within and external to DHS.

Day 90

Use the data from the matrix to develop an options paper to the ISGB that provides options to close gaps, leverage DHS internal core competencies and capabilities, and align resources.

Day 120

Develop performance metrics that adequately capture, measure, and encourage accountability of efforts to increase internal transparency and coordination of private sector engagement.

Day 135

Solicit feedback from relevant public and private sector stakeholders on the usefulness of the Private Sector Information-Sharing Matrix, the Private Sector Resources Catalog, and other efforts to increase transparency.

Appropriate targeted times

Brief the ISCC/ISGB on progress of increasing transparency on a quarterly basis.

As requested

283 Lead Component (Office of Primary Responsibility): 284

PSO 285

Supporting Components/Subcomponents: 286

Office of the Chief Information Officer (OCIO), National Protection and Programs Directorate 287 (NPPD), NPPD/IP, NPPD/Office of Cybersecurity and Communications (CS&C), Science and 288 Technology Directorate (S&T), U.S. Coast Guard (USCG), Customs and Border Protection 289 (CBP), Immigration and Customs Enforcement (ICE), U.S. Citizenship and Immigration 290 Services (USCIS), Federal Emergency Management Agency (FEMA), Office of Public Affairs 291 (OPA), Office of Intergovernmental Affairs (IGA), Office of Operations Coordination (OPS), 292 I&A, FEMA State and Local Program Office (SLPO), Transportation Security Administration 293 (TSA), U.S. Secret Service (USSS), Office of Privacy (PRIV), Office for Civil Rights and Civil 294 Liberties (CRCL), Office of the General Counsel (OGC) 295

296


12


Establish an intra-DHS HSIN Private Sector Shared Community and afford offices throughout 298 DHS the opportunity to post communications and information disseminated to the private sector 299 to ensure transparency and synchronization. 300

Discussion: 301

An important aspect of DHS’s ability to successfully collect and disseminate useful and 302 actionable information to our private sector partners lies in our ability to coordinate internally. 303 The private sector is better able to leverage their capabilities in partnership with DHS if 304 opportunities for collaboration and information sharing are better coordinated internally—within 305 DHS—before engaging externally with private sector stakeholders. Given the various entities 306 housed within DHS, it becomes difficult to track the types and categories of information, 307 communications, and activities relevant to private sector engagement that are underway at every 308 point throughout DHS. Against this backdrop, there exists a need for an internal HSIN portal 309 where all DHS offices and components can openly and freely share information and knowledge 310 relevant to enhancing the Department’s partnerships with private sector entities. 311

This portal will increase the ability for offices and programs across DHS to share information 312 about existing private sector engagement activities in order to (i) allow other programs at DHS to 313 gain from stakeholder interactions, (ii) reduce redundancy and gaps in outreach efforts while 314 increasing the impact of the efforts, (iii) deliver more effective communications to private sector 315 stakeholders, and (iv) establish terms of use that adequately protect civil rights, civil liberties, 316 and privacy. Participation and use of the portal by DHS components, offices, and programs 317 provides an essential organizing space where DHS can better ensure that barriers to effective 318 two-way information sharing and collaboration can be identified, assessed, and mitigated while 319 opportunities can be seized in a coordinated manner. 320

Deliverables: 321

• A list of representatives from all headquarters elements and operational components that 322 have private sector information-sharing roles and responsibilities to serve as the 323 components’ HSIN Private Sector Shared Community Administrators. Each Administrator 324 will ensure that relevant and timely information regarding their respective component’s 325 private sector engagement is shared on the portal. 326

• A list of personnel from DHS Headquarters and Operational Components that, due to the 327 nature of their programs’ engagement with the private sector, would benefit from 328 participation in the HSIN portal 329

• An SOP for an intra-DHS HSIN Private Sector Shared Community outlining who will 330 manage the platform, the taxonomy for what information will be included, portal 331 nomination and validation processes to ensure proper membership vetting, the process for 332 updating the intra-DHS HSIN Private Sector Shared Community, and metrics that ensure 333 participation 334


13

• A recommendation for a performance goal requirement for externally focused program 335 managers promoting internal collaboration on private sector engagement 336

• An operational intra-DHS HSIN Private Sector Shared Community platform 337


Headquarters elements and operational components DHS-wide have developed technology 339 platforms to improve intra-component transparency and to provide information to their private 340 sector partners. However, no platform currently exists to strengthen component collaboration in 341 regards to private sector engagement, making it difficult to increase opportunities to leverage 342 existing programs, efforts, and partnerships for the benefit of the whole Department. 343


• User or membership statistics gathered by the platform itself 345

• Level of activity or traffic being passed on the platform (platform administrator will have 346 visibility into this) 347

• Quantity and quality of discussion generated on platform’s discussion board (number of 348 threads, replies, comments) 349

• Quantity and quality of application use encountered on platform (document and media 350 sharing, Webinars and conference calls originated from platform 351

Timeline for Completion: 352

Through the ISCC/ISCG, request a representative from each Headquarters and Operational Component to serve as the HSIN Administrator for the respective component. (Preferably, the representative will have private sector information-sharing roles and responsibilities.)

Day 1

Form the HSIN Private Sector Shared Community Working Group.

Day 15

Discuss, gather, and analyze components’ requirements and internal needs. Discuss portal membership and desired data management and collaboration tools. Note: Data collection effort from Rec. 1 will be a primary source for development of this milestone.

Day 15 – 60

Submit requirements to technical team for portal development.

Day 60

353


14

Draft process SOPs for the HSIN portal. Day 90

Test the HSIN portal, using the Working Group, to identify further requirements and necessary collaboration tools.

Day 105 – 135

Open access to the HSIN portal to previously defined membership.

Day 135

Provide outreach, education, and training for portal members. Develop a performance goal requirement for externally focused program managers promoting internal collaboration on private sector engagement.

Day 135 – 165

Brief the ISCC/ISGB on progress of implementation and use of the portal.

Day 165

Monitor, update, and refine the site. Ongoing process 354 Lead Component: 355

PSO 356


OCIO, NPPD, NPPD/IP, NPPD/CS&C, S&T, USCG, CBP, USCIS, ICE, FEMA, OPA, OPS, 358 I&A, TSA, USSS, PRIV, CRCL, OGC 359


15


Increase DHS coordination with interagency private sector information-sharing efforts, such as 361 the Overseas Security Advisory Council (OSAC), the Domestic Security Alliance Council 362 (DSAC), and InfraGard. 363

Discussion: 364

Increasing coordination between DHS and interagency private sector information-sharing efforts 365 will reduce duplication of effort and enhance two-way, sustainable, and coordinated information 366 sharing between the U.S. Government and private sector partners. DHS support for and 367 coordination with external information-sharing efforts demonstrates commitment to leveraging 368 resources, coordinating messages, and consolidating points of contact for the information needs 369 of private sector partners. 370

Deliverables: 371

• An agreement, jointly signed by DHS and DOJ senior leadership, expressing a shared 372 commitment to improved coordination/participation of activities/events between DHS and 373 DOJ nationally, regionally, and locally. 374

• A Memorandum of Understanding between DHS and OSAC that (i) clarifies information-375 sharing expectations and responsibilities with respect to transnational threats, and (ii) 376 identifies the roles and responsibilities of DHS technical advisors to OSAC. 377

• An increased amount of I&A products posted to the DSAC and InfraGard portals. 378

• Educational briefings on Homeport, Electronic Crimes Task Forces (ECTFs), Financial 379 Crimes Task Forces (FCTFs), OSAC, DSAC, and InfraGard programs, resources, and 380 capabilities to increase awareness and education for DHS Headquarters and Operational 381 Components on existing U.S. Government and private sector partnerships. These briefings 382 will allow DHS components to leverage and build upon existing interagency efforts and 383 areas of expertise. 384

• Educational briefings on sector partnerships, the National Maritime Security Advisory 385 Committee (NMSAC), and Area Maritime Security Committees (AMSCs) to increase 386 awareness and education of interagency-led programs and personnel on DHS programs and 387 capabilities. See above. 388

• Re-chartering of the NMSAC (charter expired on September 30, 2010). 389


• OSAC is a Federal Advisory Committee with a U.S. Government charter to promote 391 security cooperation between American business and private sector interests worldwide and 392 the U.S. Department of State. Currently, DHS has four technical advisors assigned to the 393 OSAC (TSA, I&A, USSS, USCG). 394


16

• The DSAC, (which is not a formal Federal Advisory Committee), was originally 395 established by the FBI to provide a strategic partnership between the U.S. Government and 396 the U.S. private sector in order to enhance communication and to promote the timely and 397 effective exchange of domestic security information. DHS was offered, and I&A accepted, 398 a co-chair position in DSAC in June 2010, which is currently filled by I&A’s Deputy 399 Under Secretary for Analysis. A revised charter, reflecting the inclusion of DHS and 400 emphasizing information sharing and partnership, was drafted and is in review within I&A. 401 I&A has had two full-time equivalents embedded in the DSAC Program Office for two 402 years. 403

• The Public/Private Alliance Unit (PPAU) in the Strategic Outreach and Initiatives Section 404 of the FBI’s Cyber Division is responsible for program management of the InfraGard 405 program. InfraGard is an association of businesses, academic institutions, State and local 406 law enforcement agencies, and other participants dedicated to sharing information and 407 intelligence to prevent hostile acts against the United States. The 86 InfraGard chapters 408 meet in cities across the United States. Funds provided by NPPD/IP to the FBI were 409 dispersed to individual InfraGard Chapters demonstrating the ability to organize and host 410 specific activities to implement the National Infrastructure Protection Plan (NIPP) at the 411 community level and to expand outreach and communication to a diverse group of critical 412 infrastructure owners and operators. I&A sends FBI/PPAU finished intelligence to post to 413 the InfraGard portal, participates in InfraGard meetings with private sector partners, briefs 414 at the Annual InfraGard Coordinators Conference, and is active in local chapters. 415

• NMSAC is a Federal Advisory Committee established under the Maritime Transportation 416 Security Act (MTSA) of 2002 and chartered to advise, consult with, and make 417 recommendations to the Secretary of Homeland Security, via the Commandant of the Coast 418 Guard, on matters affecting national maritime security. To most effectively deal with the 419 diversity of complex challenges that maritime security presents, members reflect a cross 420 section of maritime industries and port and waterway stakeholders, including but not 421 limited to: shippers, carriers, port authorities, and facility operators. At the port level, 422 MTSA established AMSCs to provide a vital regional link for contingency planning, and 423 development, review, and update of Area Maritime Security Plans (AMSPs). The AMSCs 424 serve as discussion forums for maritime security issues and incorporate key port 425 stakeholders and maritime industry, as well as Federal, State, and local law enforcement. 426

• The USSS currently collaborates with interagency partners, including the Department of 427 Treasury, through the 31 ECTFs and 38 FCTFs to include ECTFs in London, England and 428 Rome, Italy that bring together not only Federal, State, and local law enforcement, but also 429 prosecutors, private industry, and academia. The common purpose is the prevention, 430 detection, mitigation, and aggressive investigation of attacks on the Nation’s financial and 431 critical infrastructures. The ECTFs also organize and host quarterly meetings and other 432 meetings as needed to expand outreach and communication to a diverse group of critical 433 infrastructure owners and operators. Critical infrastructure owners and operators within the 434 Financial Services Sector are encouraged to partner with the ECTF or FCTF in their region. 435

436


17


• Regular senior level (Under Secretary-level) engagement among DHS components and 438 leadership of other agency councils 439

• Increased amount of DHS analytical products posted to Homeport, DSAC, and InfraGard 440 portals 441

• Quarterly interaction between DHS personnel at the local and regional levels and 442 FBI/InfraGard Coordinators 443

• The addition of DHS technical advisors, at the Senior Executive Service level, from other 444 components of DHS to OSAC 445

• An increased number of completed exchanges, site visits, and mission briefs between DHS 446 and OSAC managers and personnel; DHS and DSAC managers and personnel; and DHS 447 and InfraGard managers and personnel 448

• The continuation of the DHS/FBI Interagency Agreement that outlines a shared 449 commitment to sustained and enhanced coordination of educational, information-sharing, 450 and outreach efforts with InfraGard 451

• Enhanced exchanges with AMSCs on maritime and cross–sector issues including supply 452 chain security 453

• Increased participation of DOJ and State Department representatives in DHS programs and 454 activities (e.g., sector council meetings, joint briefings for the private sector) 455

• Re-chartering of NMSAC as a Federal Advisory Committee 456


Develop a strategy for DHS participation in, and support of, interagency councils at the national and local levels, including an organizational framework and roles and responsibilities. Send out for DHS senior leadership approval.

Day 1 – 30

Receive a commitment from I&A to post more products to DSAC and InfraGard portals.

Day 30

Draft an agreement, to be jointly signed by DHS and DOJ senior leadership, expressing a shared commitment to improved coordination/participation of activities/events between DHS and DOJ components, nationally, regionally, and locally.

Day 45

458


18

Draft a Memorandum of Understanding between DHS and OSAC that (i) clarifies information sharing expectations and responsibilities with respect to transnational threats, and (ii) identifies and expands the roles and responsibilities of DHS technical advisors to OSAC. Provide to DHS and Diplomatic Security senior leadership for signature.

Day 60

Develop educational briefings on Homeport, OSAC, DSAC, ECTF, FCTF, and InfraGard programs, resources, and capabilities to increase awareness/education of DHS headquarters elements and components on existing U.S. Government and private sector partnerships. Provide these briefings to relevant component representatives throughout DHS.

Day 90 – 135

Develop educational briefings on the Sector Partnership, NMSAC, and AMSCs to increase awareness/education of interagency-led programs and personnel on DHS programs and capabilities. Provide these briefings to relevant interagency personnel.

Day 135 – 180

Brief the ISCC/ISGB on progress/success in increasing DHS coordination with interagency private sector information-sharing efforts, such as the OSAC, DSAC, and InfraGard.

Day 180

Lead Component (Office of Primary Responsibility): 459

I&A and NPPD/IP co-lead this recommendation 460


PSO, USCIS, USSS, USCG, TSA, CBP, ICE, FEMA, S&T, OGC 462

463


19


Describe the process that allows for the inclusion of private sector participation, as appropriate, 465 in DHS all-hazards operational planning, exercise, and evaluation activities. 466

Discussion: 467

Having a process in place to allow and encourage private sector entities to participate in DHS all-468 hazards operational planning, exercises, and evaluation activities is imperative. At the non-469 Federal level, a number of State and local emergency operations centers have engaged the 470 private sector in those areas to help maintain operational awareness on issues impacting a speedy 471 recovery after a disaster and to more fully align and leverage private sector resources and 472 capabilities. Although each DHS component has crucial capabilities and assets for addressing 473 the potential crises facing our Nation, the ability to integrate and coordinate our actions with our 474 partners across the homeland security enterprise, including private sector entities, is the crucial 475 factor for our success. Combining stakeholders’ resources and capabilities ensures that efforts 476 are not duplicated, encourages the blending of expertise, and provides another avenue for 477 information sharing. 478

All-hazards operational plans are the primary tools used to prepare for and address the potential 479 crises facing our Nation, and exercises enable the Department to evaluate its capability to 480 perform in a threat, event, or incident. The lack of a formal framework and process for including 481 the private sector in all-hazards operational planning has diminished the utility of exercises and 482 evaluation activities because relevant partners have not been allowed to participate fully in the 483 first step of a three-stage process. Several DHS components and program offices have 484 successfully included the private sector in all-hazards operational planning, but a lot of this 485 inclusion happens on an ad hoc, or as needed, basis. Consequently, there remain numerous gaps 486 in the ability for the Department to engage the private sector in regards to all-hazards operational 487 planning activities and this has resulted in the inability to fully coordinate, communicate, and 488 collaborate with private sector partners during an emergency. 489

Deliverables: 490

• An informational memo that clearly discusses methods for DHS Headquarters and 491 Operational Components to engage the private sector in DHS operational planning, 492 exercises, and evaluation activities. This memo will be developed in coordination with the 493 Office of the General Counsel (OGC). 494

• A formal framework and process for including the private sector in all-hazards operational 495 planning that is consistent with the guidelines developed by FEMA Office of Chief 496 Counsel (OCC) and DHS OGC. This framework will be developed in coordination with 497 relevant public and private sector partners and will describe the process to fully leverage 498 and align private sector resources and capabilities by including relevant partners in 499 operational planning activities. 500

• An action memorandum, codifying the requirements and fundamental roles for the 501 establishment of a National Private Sector Working Group for all Tier I and Tier II 502 National Exercise Program (NEP) exercise events. This Working Group should include 503


20

FEMA National Exercise Division (NED) and Private Sector Division (PSD), NPPD/IP, 504 PSO, and representative partners from the private sector. In addition, participation of other 505 government partners with private sector relationships (both voluntary and regulatory 506 entities) will be considered. 507

• A strategic plan, developed by NPPD/IP, to coordinate inclusion of PSO, FEMA PSD, 508 Office of the Director of National Intelligence Private Sector Office (ODNI PSO), Sector-509 Specific Agencies (SSAs), and other private sector stakeholders in efforts to plan, execute, 510 and evaluate NIPP partnership exercises at an agreed-to frequency. 511

• A framework for developing a coordinated approach between DHS, DoD, and other 512 relevant agencies to increase private sector participation in planning, exercises, and 513 evaluation activities. This framework will be developed using existing coordination 514 mechanisms, including After-Action conferences, to capture the lessons learned from past 515 disasters to inform future U.S. Government efforts to more effectively align and leverage 516 private sector resources and capabilities. 517

• A lessons learned/best practices guide, developed in coordination with public and private 518 sector partners that have previously contributed to DHS all-hazards planning efforts and 519 exercises, to inform future efforts to better align public and private sector resources and 520 capabilities. 521

• An action memo that develops a requirement for DHS Headquarters and Operational 522 Components to submit a document every quarter that highlights private sector engagement 523 in their respective component-sponsored operational planning, exercises, and evaluation 524 activities. 525

• Briefings, provided to relevant private sector partners, to educate on the process to become 526 involved with DHS all-hazards operational planning, exercise, and evaluation activities and 527 to encourage increased participation. 528


Since the 2007 Top Officials 4 exercise, NPPD/IP, PSO, and FEMA PSD have worked together 530 to integrate the critical infrastructure private sector community as an extension of the NIPP 531 framework. Private sector integration has increased in subsequent exercises, and increased 532 coordination has also been taking place among NPPD/IP, PSO, FEMA PSD, and FEMA NED, as 533 well as DHS, other SSAs, and other key stakeholders (ODNI, the Department of State (OSAC 534 and Consular Affairs), the FBI, and others) through integrated National Level and Sector-535 Specific Exercises. 536

FEMA is currently engaging the private sector in numerous ways to include having them 537 participate in internal disaster planning exercises called Thunderbolts. Thunderbolt planning 538 exercises are intended to test readiness and discover areas where improvement is needed. 539 Exercises, especially no-notice exercises such as Thunderbolt, give FEMA the opportunity to 540 identify shortfalls and work toward a more effective and efficient delivery of services during 541 actual emergency and disaster events. Exercises such as these could be implemented DHS-wide 542 to include all components along with the private sector. FEMA is also working with PSO and 543


21

NPPD/IP to establish a more defined channel of communication between the private sector and 544 DHS on retail operational status reports during disasters. In addition, the Agency is working to 545 bring in the actual private sector in the National Response Coordination Center in the coming 546 months. All of these initiatives will improve information sharing between DHS and the private 547 sector. FEMA can provide substantive information on these initiatives to support an action 548 memorandum. 549

FEMA NED, NPPD/IP, PSO, and FEMA PSD have improved the coordination and unity of 550 efforts for private sector integration and coordination into National Level Exercises (NLEs). 551 There have been considerable voluntary improvements to the process, outreach, and support of 552 private sector partners in the NLEs, through close government and industry collaboration and 553 leveraging of existing partnerships and relationships. NLE 11 has brought these stakeholders 554 into the closest working relationship of any NLE to date and elevated the integration and 555 coordination of the private sector into the annual Tier I exercise. Lessons learned and best 556 practices from NLE 11 collaboration should be deliberately developed and documented and used 557 as a basis to inform the development of the recommended deliverables noted above. 558

Further, through the SSAs and their private sector Sector Coordinating Councils (SCCs), 559 NPPD/IP has been executing sector- or subsector-level exercises focused on improving the 560 information-sharing processes and coordination between government and industry, at all levels, 561 among one another and within their respective communities. This effort began with the Retail 562 and Lodging Subsectors exercise in December 2009 and has continued through exercises with 563 the professional sports leagues, the food service industry, the real estate community, and the oil 564 and natural gas community. Related efforts have also included the development of exercise 565 materials for the Chemical Sector and the Dams Sector through the NPPD/IP Sector-Specific 566 Tabletop Exercise Program. These efforts are planned to continue and NPPD/IP is currently 567 planning similar efforts for Fiscal Year 2011. These exercises have been planned and executed 568 with PSO, FEMA PSD, the SSAs, critical infrastructure private sector partners and other 569 pertinent government partners at the Federal, State, and local levels. Additionally, 570 NPPD/CS&C, through the Cyber Exercise Program, executes the Cyber Storm national exercise 571 on a bi-annual basis. CEP also works with Federal, State, local, international, and private sector 572 partners to design regional, sector-specific, and table top exercises. 573


The metrics of success will be shown in the increased participation captured by a quarterly 575 memo from DHS components highlighting private sector engagement in operational planning, 576 exercises, and evaluation activities. 577 578 Timeline for Completion: 579

Establish a Working Group (including Tiger Team participants and other relevant representatives from DHS Headquarters and Operational Components).

Day 1

Complete an informational memo that clearly discusses methods for DHS Headquarters and Operational Components to engage the private sector

Day 30


22

in DHS operational planning, exercises, and evaluation activities. This memo will be developed in coordination with OGC.

Develop a lessons learned/best practices guide, in coordination with public and private sector partners that have previously contributed to DHS all-hazards planning efforts and exercises, to inform future efforts to better align public and private sector resources and capabilities

Day 60

Develop a formal framework and process for including the private sector in all-hazards operational planning that is consistent with the guidelines developed by OGC. This framework will be developed in coordination with relevant public and private sector partners, as appropriate, and will describe the process to fully leverage and align private sector resources and capabilities through including relevant partners in planning activities.

Day 90

Develop an action memorandum, codifying the requirements and fundamental role for the establishment of a National Private Sector Working Group for all Level I and Level II NEP exercise events. This Working Group should include FEMA NED, NPPD/IP, PSO, FEMA PSD, and representative partners from the private sector, as appropriate. I n addition, participation of other government partners with private sector relationships (both voluntary and regulatory entities) will be considered.

Day 105

Complete strategic plan, developed by NPPD/IP, to coordinate inclusion of PSO, FEMA PSD, ODNI PSO, SSAs, and other private sector stakeholders in efforts to plan, execute, and evaluate NIPP partnership exercises at an agreed-to frequency.

Day 120

Create framework for developing a coordinated approach between DHS, DoD, and other relevant agencies to increase private sector participation in planning, exercises, and evaluation activities. This framework will be developed using existing coordination mechanisms, including After-Action conferences, to capture the lessons learned from past disasters to inform future U.S. Government efforts to more effectively align and leverage private sector resources and capabilities.

Day 135


23

Brief relevant private sector partners to educate on the process to become involved with DHS all-hazards operational planning, exercise, and evaluation activities and to encourage increased participation.

Day 135 – 180

Brief the ISCC and ISGB on progress of implementation and discuss methods to address remaining gaps.

Day 180

Track the progress of implementation through reviewing the quarterly document submitted by components that highlights private sector engagement in their respective component-sponsored operational planning, exercises, and evaluation activities.

Ongoing


National Protection and Programs Directorate (NPPD) NPPD/Office of Infrastructure Protection 582 (IP), Private Sector Office (PSO), and FEMA/NED 583

Supporting Components/Subcomponents: 584 TSA, OPS, NPPD, PSO, FEMA/PSD, I&A, OGC 585 Sector-Specific Exercises: NPPD/IP, PSO, FEMA PSD 586

587

588


24


Develop an incident communications SOP that outlines existing DHS capabilities, methods, 590 target audiences, and purposes for communicating with various private sector stakeholders 591 during incidents. 592

Recommendation #5 proposes to establish a DHS-wide SOP that documents processes and tools 593 used by public affairs and operational components to communicate with the private sector during 594 incident management. 595

To implement this recommendation, questions included in the Department-wide data call will be 596 designed to gather information from all components on the processes used for communicating 597 with the private sector via online tools; informal and formal phone calls and email distributions 598 sent to specific stakeholder lists; and live interactions. Questions will also seek information on 599 how and when these communications take place. Examples we expect to document 600 include portals on HSIN; CBP’s Automated Commercial Environment Cargo Systems 601 Messaging Service; TSA communication with various transportation industries; and a DHS 602 Office of Public Affairs Private Sector Incident Communications Conference Line distribution 603 list consisting of corporate communicators. In addition, there are many other program-specific 604 alerts, stakeholder calls, and other conduits for communication and information sharing. 605

Discussion: 606

Overview: 607

The hazards that threaten the United States and its private sector interests encompass everything 608 from severe weather, pandemic health issues, illicit narcotics, geological and other natural events 609 that impact entire communities to human-caused accidents or attacks that target specific 610 infrastructure systems, processes, and people. 611

Depending on variables such as the size, type, potential impact, and location of an incident, DHS 612 and its components work with private sector stakeholders spanning large and small business, 613 industry, critical infrastructure, voluntary, non-profit, faith-based, academic, think tank, and 614 other non-governmental organizations or their association representatives. 615

Current Situation: 616

Numerous communication mechanisms with varying levels of security currently exist in 617 programs across the Department, for both day-to-day and incident-specific communications. 618

To ensure appropriate actions are taken and to minimize the possibility of confusion among 619 internal and external stakeholders, there should be a DHS-wide SOP clearly laying out how, 620 when, and with whom DHS communicates during incidents. This SOP is not intended to change 621 existing tools and processes, but rather to improve coordination, transparency, and efficiency. 622

The Emergency Support Function (ESF) 15 SOP, which was released in 2009, contains an 623 updated private sector external communications section which provides the current basis for 624 Federal incident communications with the private sector during incidents. This ESF 15 SOP for 625


25

private sector communications will be enhanced by additional detail and guidance developed for 626 the ISCC program SOP. 627

The Requirement: 628

During an incident, information is one of the most critical requirements for prompt, successful 629 response and recovery. Specifically, this information must be clearly communicated to its 630 intended audience, and it must be relevant, accurate and consistent with other messages on the 631 issue. 632

This SOP focuses on private sector stakeholders that DHS components work with on a regular or 633 intermittent basis, rather than general public messaging provided through the media and other 634 open sources. 635

DHS components need to understand how and when their colleagues reach out to the private 636 sector before/during/after incidents so they can leverage existing communication tools as needed 637 and reduce the likelihood of similar communications going to the same recipients from different 638 programs. 639

Moreover, when various outreach efforts do impact the same recipients, it is crucial that the 640 messaging be consistent. This increased internal coordination and transparency will increase 641 stakeholder confidence and Department credibility as a unified team. 642

Deliverables: 643

• A DHS-wide private sector communications SOP that will make it easier for internal and 644 private sector stakeholders to navigate the many methods the Department uses to send and 645 receive information related to the private sector 646

• Concurrent updates to the National Response Framework ESF 15 (External Affairs) SOP 647 for the private sector to reflect any changes or new information resulting from the SOP 648 development 649 650


• Provide staff for Working Group and information for data calls. 652

• Provide access to current tools and stakeholder lists for review by implementation team. 653 654


• Readily measurable outreach for each incident, by stakeholder group, measured after each 656 incident 657

• Enhanced situational awareness, measured by the addition of relevant information in 658 National Operations Center (NOC) and National Response Coordination Center (NRCC) 659 situation reports from non-traditional sources 660

• Ability to share information in real time (long-term goal) 661


26

• Transparency and easier navigation of DHS tools and processes for communication with 662 the private sector, measured by formal and informal feedback from internal and private 663 sector stakeholders 664

• Synchronized messaging and ability to leverage existing delivery systems, measured by 665 increased component coordination 666

• Greater stakeholder comprehension and participation (long-term measurement) 667


Identify Working Group chair(s) and members Day 1

Establish and charter Working Group Day 1 – 15

Develop data call questions Day 15 – 30

Provide informational update to all DHS, with consolidated data call for existing information-sharing tools and mechanisms Send request for stakeholder feedback to current DHS private sector stakeholders

Day 30

Complete review of the data call Day 90

Review, concurrently, ESF 15 and the current SOP for incident communications

Day 90

Develop a summary of findings Day 120

Brief DHS internal and external stakeholder components to socialize concept, alert them to coming change, and gain buy in

Day 125

Begin drafting SOP and/or update ESF 15 private sector SOP, based on findings

Day 125

Update or send a reminder communication to DHS internal and external stakeholders

Day 130

Draft SOP for review by DHS components through the Executive Secretariat

Day 175

Comment on draft SOP to Working Group Day 205

Adjudicate draft comments, to be completed by Working Group.

Day 235

Revise SOP for routing through leadership via the Executive Secretariat

Day 245

669


27

Send overview highlighting key changes to the ESF 15 SOP for private sector to DHS internal stakeholders. Send highlights of the new DHS-wide private sector communication SOP to all internal stakeholders.

Day 255

Brief final SOP to ISCC and ISGB. Day 265

Disseminate directive on SOP/Updated ESF 15 DHS-wide.

Day 270

Post new SOP to www.DHS.gov and communicate to all stakeholders.

Day 285

Post updated ESF 15 Private Sector SOP to www.fema.gov/nrf

Day 285

Roll out new SOP to private sector stakeholders, with support from Public Affairs on the rollout plan.

Day 285


Office of Policy 672 673 Supporting Components/Subcomponents: 674

CBP, PSO, FEMA/External Affairs, I&A, ICE, IGA, NPPD/IP, NPPD/CS&C, OPA, OPS, TSA, 675 USCG, OGC 676

677

678

http://www.dhs.gov/

http://www.fema.gov/nrf


28


Develop an “education toolkit” for private sector stakeholders to ensure that public and private 680 sectors can communicate rapidly and effectively during emerging situations. 681

Discussion: 682

The toolkit would include DHS component resources and contact information specifically for 683 emerging situations. 684

In emerging situations that threaten the United States, DHS works closely as a team with private 685 sector organizations to achieve the most effective protection and response. 686

DHS can strengthen the team by publishing a clear and concise toolkit and contact list guiding 687 private sector organizations on contacting or teaming with DHS in emerging situations. This 688 toolkit will help private sector organizations understand the DHS approach to and appropriate 689 contacts for emerging situations. 690

Deliverables: 691

A toolkit or fact sheet listing all publicly provided resources that DHS can make available to 692 private sector partners in emerging situations and a list of DHS entities, and/or private sector 693 groups representing DHS, to contact will be developed and published. This toolkit could be 694 compiled largely by pulling relevant information from DHS’s Private Sector Resources Catalog 695 and by using relevant contact information currently published on DHS.gov and component Web 696 sites. 697


DHS Headquarters and Operational Components would contribute to the compiling and editing 699 of the toolkit. Components with a stake or equity in this product include FEMA, U.S. 700 Citizenship and Immigration Services (USCIS), DHS Office of Public Affairs (OPA), 701 Transportation Security Administration (TSA), Customs and Border Patrol (CBP), NPPD CS&C, 702 and the United States Secret Service (USSS). 703


DHS may track the following: 705

• Number of requests for the toolkit 706

• Number of toolkits distributed 707

• Traffic to links and emails generated by the toolkit 708

• Calls/requests for information generated by the toolkit 709

• Feedback through customer surveys and direct inquiry 710

• Case studies and success stories where available 711


29


Develop draft of the toolkit, using the data from the ‘One DHS Private Sector Information-Sharing Matrix’ (see deliverable #1).

Day 1 – Day 30 (Day 1 begins after the data has been received from the ‘One DHS Private Sector Information-Sharing Matrix’)

Submit toolkit to internal DHS stakeholders for review and comments.

Day 30

Make edits and incorporate recommended changes. Day 30 – 60

Publish toolkit. Day 75

Place a version of the toolkit on DHS.gov and Ready.gov; DHS Headquarters and Operational Components will distribute toolkits to their respective stakeholders.

Day 75 – Ongoing


Private Sector Office 714


CBP, OPA, NPPD/IP/NICC, PLCY, FEMA/NCP, FEMA/External Affairs, NPPD/CS&C, TSA, 716 USCIS, USSS, PSO, OGC 717

718


30


Evaluate existing processes and methods for information sharing with critical infrastructure 720 owners and operators and develop and implement enhancements for broader sector penetration. 721

Discussion: 722

Improving the ability to communicate and share information with critical infrastructure owners 723 and operators is essential in enhancing the security and resilience of these vital assets, systems, 724 and networks. These communications include day-to-day information exchanges, distributions 725 of threat and warning information, and incident management-related activities. 726

Improved processes are needed to properly share with those who have a need to know at the 727 owner/operator level. Improving the effectiveness and efficacy of existing sector information 728 sharing-mechanisms is central to this recommendation. New and improved information-sharing 729 efforts, tools, and processes—including fusion centers, Homeland Security Information 730 Network-Critical Sectors (HSIN-CS), and the Protective Security Advisor (PSA) Program—offer 731 opportunities that should be leveraged. Existing DHS Headquarters and Operational Component 732 activities for sharing information with critical infrastructure owners and operators should be 733 synchronized to eliminate gaps and redundancies to improve synergy of effort as needed. New 734 processes, tools, and methods should be considered. 735

NPPD/IP, as the manager for the NIPP partnership, is responsible for ensuring effective 736 communication and information sharing to CIKR Sector partners. 737

Deliverables: 738

• Formation of working group to perform the actions required to fulfill this recommendation 739

• A map of current activities, methods, and processes across the DHS enterprise to 740 communicate and share information with critical infrastructure owners and operators 741

• An evaluation and gap analysis of the ability of current capabilities to reach critical 742 infrastructure stakeholders, with a focus on owners and operators 743

• Recommendations for modifications to improve existing activities, methods, and processes 744 to communicate and share information with critical infrastructure owners and operators 745

• Development of new activities, methods, processes, and tools for communicating and 746 sharing information with critical infrastructure owners and operators 747

• Develop an enhanced communication strategy that incorporates requirements of all DHS 748 components with equities in information sharing with CIKR stakeholders. This framework 749 will illustrate to all components the processes for providing agile, flexible information 750 sharing across the critical infrastructure enterprise and enable tailored information sharing, 751 as appropriate, for specific Sectors, regions, and types of contacts. 752

753

754


31


NPPD/IP has a core mission to enhance protection of critical infrastructure. DHS entities 756 including NPPD/IP, NPPD/CS&C, TSA, and USCG have responsibilities as SSAs for CIKR 757 Sectors under the NIPP. These components have developed and implemented processes¸ 758 procedures, and tools for information sharing with stakeholders. Other DHS entities including 759 FEMA, I&A, USSS, and the PSO have responsibilities and requirements for information sharing 760 with various critical infrastructure stakeholders. Information-sharing processes of the non-DHS 761 SSAs must also be included in this effort. Communication with the critical infrastructure 762 stakeholder community must be consistent with the sector partnership framework of the NIPP. 763

DHS components have made significant progress in establishing points of contact and building 764 relationships throughout the critical infrastructure community. Many of the ongoing activities, 765 processes, and messaging are tailored to specific audiences. Efforts to improve information 766 sharing must recognize—and not impede—the mission requirements of DHS components to 767 swiftly communicate with their stakeholders. Improvements should enhance the ability to 768 expand the reach of information sharing to a wider audience of critical infrastructure owners and 769 operators, as appropriate for each situation. 770

The working group requires participation by the DHS components that serve as SSAs. In 771 addition, the working group will identify complementary activities in other DHS components 772 that intersect or support critical infrastructure owner/operator focused efforts in order to come to 773 an agreement on coordinated mechanisms and structures to share information with the private 774 sector. 775


• Full participation of all applicable DHS components with critical infrastructure 777 information-sharing equities, to include all components serving as SSAs 778

• Expanded usage of existing tools and membership of HSIN-CS against baseline 779

• Expanded participation in sector partnership activities against baseline 780

• User feedback on functionality and usefulness of processes and systems 781


Establish working group Day 1

Develop project plan Day 1 – 30

Map current activities, analyze gaps, and provide recommendations for improvement

Day 45 – 75 (if resources provided)

Develop enhanced strategy and associated framework Day 105

Develop enhanced communications processes (as needed)

Day 135


32

Implement enhanced communications processes Day 195


National Protection and Programs Directorate/Office of Infrastructure Protection 784


TSA, USCG, NPPD/CS&C, FEMA, I&A, PSO, USSS, S&T, OGC 786

787

788


33


Address policy and procedural issues with the CIKR ISE to enhance cross-sector information 790 visibility and collaboration through the recommendations acquired by the partnership. 791

Discussion: 792

Increased cross-sector visibility and collaboration among the CIKR Sectors depends on public 793 and private stakeholders within each of the sectors first mastering intra-sector information-794 sharing processes. Once stakeholders have developed competency with internal 795 communications, current information-sharing processes can be assessed and cross-sector 796 connections fostered. 797

Each CIKR Sector has information that would strengthen national security if shared across 798 sectors among a broader base of trusted public and private sector stakeholders. Improving cross-799 sector collaboration and information sharing is especially important at a regional level, as it will 800 provide stakeholders with access to a greater range of resources and information products. It will 801 also help limit duplication of critical infrastructure protection efforts across sectors and across 802 Federal and regional levels. 803

To enhance cross-sector communication among public and private stakeholders within sectors 804 that have reached an adequate internal information-sharing level of maturity, standardized 805 processes and procedures within each sector must be evaluated against those of other sectors 806 targeted for cross-sector information sharing. Through this comparison, cross-sector 807 requirements will become easily defined, reducing redundant private sector engagement work 808 and policy ambiguity. The resulting behavioral consistencies will enhance predictability 809 between CIKR Sectors and smooth the progress of collaboration efforts regardless of the level of 810 operation (Federal, State, regional, and local) and specific information-sharing environment 811 being used. 812

The group will work with existing sanctioned governance authorities to get recommendations, 813 obtain information, and implement solutions. Authorities include Sector Coordinating Council 814 (SCCs), Government Coordinating Council (GCCs), the Federal Senior Leadership Council 815 (FSLC), and the sanctioned Cross-Sector Leadership Council. 816

Deliverables (all documents will be coordinated among DHS components, allowing for 817 private sector input): 818

• Develop a method with the CIKR ISE to improve existing cross-sector tools and policies 819 for enhancing cross-sector visibility and collaboration—this update must be leveraged 820 through the sector partnership. 821

• Provide best practice guidance for sectors to use when reaching out to other sectors on a 822 national level. This could include how to make sure the right point of contact is tapped, 823 how one sector can demonstrate the value of their information products to another, how the 824 process can be accomplished expeditiously, and Memorandum of Understanding templates. 825 It could be based on specific tools available through shared use of a single platform (i.e. 826 HSIN-CS), or it could have application in other channels (personal networks, industry 827


34

forums, etc). The guidance will need to account for the fact that not all sectors have elected 828 to use HSIN-CS for their information-sharing needs. 829


• Assess current procedures that would relate to information sharing. 831

• Assess the need for policy, or amendments to existing policy, if applicable, including 832 definitions for handling Sensitive But Unclassifed (SBU) including FOUO, information 833 with and among private sector stakeholders. 834

• Recommendation # 14 addresses the need for clear guidance regarding the handling and 835 dissemination of SBU, including FOUO. Resulting guidelines must be disseminated to 836 private sector stakeholders via methods proposed by the Recommendation #14 837 implementation plan, consistent with forthcoming Executive- and Department-level 838 guidance implementing Executive Order 13556 of November 4, 2010, to ensure the 839 security of information shared across sectors. 840

• Develop a procedural document (e.g., a Concept of Operations) to accomplish the 841 recommendation and ensure that information is shared across CIKR Sectors without 842 violating trust or protocols. Public and private leadership within all 18 sectors must define 843 key areas in which improved information is required, what other sectors can provide that 844 information, and how that information can improve critical infrastructure protection efforts. 845


• Positive user feedback regarding functionality and usefulness of cross-sector information-847 sharing efforts. 848

• Usage of the processes and procedures, including technology systems, to facilitate the 849 exchange of information that enables informed decision-making. 850


• The timeline will be based on the Tiger Team’s determination as to whether the 852 recommendation should be addressed at a national or regional level. The following 853 timeline is based on a national-level recommendation. 854

Mobilize cross-sector initiative working group: • Identify the appropriate public and

private representatives of CIKR Sectors. • Educate public and private components

of CIKR Sectors (using Information-Sharing Working Groups, where possible) about DHS cross-sector communication initiative.

Day 1 – 60


35

Determine Process of Engagement: • Identify and assess current cross-sector

information sharing policies and procedures, tools, metrics and stakeholder relations.

• Create a summary of findings for individual sector maturity levels, capacity, and interest for cross-sector communication.

• Brief DHS internal and external stakeholder components to socialize concept, alert them to coming change, and gain buy in.

Day 60 – 90

Develop Engagement Plan: • Develop draft engagement plan and

distribute for review by DHS components.

• Comments on draft engagement plan are due to working group.

• Adjudication of comments by working group.

• Revise engagement plan. • Submit revised plan to leadership for

review, via the Executive Secretariat.

Day 90 – 120

Brief ISCC and ISGB. Day 160

Approve final implementation plan. Day 175 855 Lead Component (Office of Primary Responsibility): 856

National Protection and Programs Directorate, Office of Infrastructure Protection 857


All DHS Headquarters and Operational Components 859

860


36


Develop a fusion center Best Practices Guide to provide fusion centers with a number of vetted 862 models that have been successful in meeting baseline capability requirements for information 863 sharing with critical infrastructure owners and operators and other private sector partners. 864

Discussion: 865

Numerous national-level policies, including the National Strategy for Information Sharing and 866 the National Infrastructure Protection Plan, recognize the important role that public-private 867 partnerships play in overarching national efforts to protect and secure the homeland. DHS, as 868 the lead Federal agency responsible for planning and managing private sector outreach and 869 engagement related to infrastructure protection and resilience, as well as the lead for 870 coordinating all Federal interaction with State and major urban area fusion centers, is well-871 positioned to lead efforts to bridge the information-sharing gap between the private sector and 872 State and major urban area fusion centers. In addition, developing a fusion center Best Practices 873 Guide for critical infrastructure and private sector engagement, is a natural extension of existing 874 departmental priorities related to the Nationwide Suspicious Activity Report (SAR) Initiative and 875 the “See Something, Say Something” campaign, as well as ongoing efforts to develop fusion 876 center guidance through the Critical Infrastructure and Key Resources Capabilities for Fusion 877 Center Appendix to the Baseline Capabilities for State and Major Urban Area Fusion Centers. 878 DHS will leverage, tie together, and build upon all of these efforts as it works toward 879 development of the Best Practices Guide. 880

Deliverables: 881

Produce a Best Practices Guide for fusion center information sharing with critical infrastructure 882 owners and operators and other private sector partners. 883


I&A, State and Local Program Office (SLPO), as the lead for managing both departmental and 885 overall Federal coordination and interaction with State and major urban area fusion centers, will 886 oversee the development of the Best Practices Guide. 887

I&A/SLPO will oversee engagement with State and major urban area fusion centers to research, 888 survey, and collect best practice examples for inclusion in the Guide. 889

I&A/SLPO will leverage the Federal Emergency Management Agency (FEMA) to identify best 890 practice examples given previous, current, and ongoing FEMA efforts to capture data to measure 891 the effectiveness of technical assistance and grant funding. 892

I&A/SLPO will engage directly and extensively with NPPD/IP to capture best practices. FEMA, 893 through the joint DHS/Department of Justice Fusion Process Technical Assistance Program, and 894 in coordination with NPPD/IP and I&A, has conducted outreach, research, and product 895 development of a guidebook similar to the one called for by this recommendation. Leveraging 896 that work will speed the timeline for completion of the Guide. I&A/SLPO will also engage with 897 the NPPD/IP PCII Program Office to ensure that best practices examples and implementation 898


37

properly account for PCII regulations regarding the proper management and safekeeping of 899 private sector information. 900

I&A/SLPO and NPPD/IP will engage the Regional Consortium Coordinating Council; the State, 901 Local, Tribal, Territorial Government Coordinating Council (SLTTGCC); FBI’s InfraGard 902 National Program Office; and private sector stakeholders as appropriate to capture their input 903 and best practices. 904

I&A/SLPO will engage with DHS components currently supporting the Nationwide SAR 905 Initiative (NSI) to determine how NSI plans and activities related to fusion centers and private 906 sector partners can be integrated in the Guidebook. 907

I&A/SLPO will engage directly with the DHS Privacy Office (Privacy), the Office for Civil 908 Rights and Civil Liberties (CRCL), and the Office of General Counsel (OGC) to ensure that best 909 practices included in the Guide properly account for private sector privacy, civil rights and civil 910 liberties, and other legal concerns and are consistent with DHS and fusion center privacy, civil 911 rights and civil liberties, and legal policies and guidelines. I&A/SLPO understands that there is 912 an interagency effort in development to address the unique issues inherent in extending the 913 requirements in the Information Sharing Environment’s Privacy Guidelines (which includes civil 914 rights, civil liberties and other legal issues) to the Private Sector. I&A/SLPO will work with 915 CRCL, Privacy, and OGC to ensure implementation of any best practices or other guidance that 916 result from those efforts. 917

I&A/SLPO will engage TSA to enhance coordination with TSA’s Field Intelligence Officers and 918 discuss best practices and lessons learned in building regional- and local-level partnerships with 919 private sector entities. 920

I&A/SLPO will engage USCG to better understand best practices learned through interaction 921 with ports and other private sector maritime partners under the auspices of the Port Security 922 Grant Program and other USCG maritime safety, security, and regulatory responsibilities. 923

I&A/SLPO will engage with other DHS components as appropriate to gather insights and 924 examples of successful private sector coordination and information-sharing activities. 925


Process/Policy Metrics 927

• Progress towards completion of the Best Practices Guide (measured as a percentage 928 completed over time) 929

• Number of CIKR and private sector information-sharing best practices implemented at 930 fusion centers and reflected in fusion center policy or standard operating procedures 931 (measured in increase over time across the National Network of Fusion Centers) 932

933

934


38

Transactional Metrics 935

• Increase in the number of threat briefings to the private sector (measured in number of 936 individuals, companies, sectors briefed) 937

• Increase in the amount of positive feedback from private sector partners resulting from 938 information sharing between private sector and State and major urban area fusion centers 939 (measured in number of comments received and increases over time) 940

• Increase in the number of individual reports shared with private sector partners (measured 941 as an increase in reports over time) 942

• Increase in the number of suspicious activity reports generated by the private sector 943 (measured in numerical values) 944

• Increase in the number of suspicious activity reports generated by the private sector that 945 lead to the opening of investigations (measured in numerical values and in percentage 946 increase over time) 947

Outcome Metric 948

• Increase in the number of investigations started as a result of private sector reporting that 949 result in thwarted crimes or attacks (measured as an increase over time) 950


Conduct research and gather existing data and materials from FEMA, I&A, and NPPD/IP on fusion center best practices for private sector and critical infrastructure owner/operator engagement.

Ongoing

Conduct limited outreach to State and major urban area fusion centers, through I&A/SLPO, to conduct interviews and data gathering on best practices for private sector and critical infrastructure owner/operator engagement.

Ongoing

Develop first draft of Best Practices Guide. Day 1 – 15

Staff first draft of Guide among internal DHS stakeholders for review and comments.

Day 15 – 30

Make edits and incorporate recommended changes.

Day 30 – 45

Staff second draft of Guide among internal DHS stakeholders, State and major urban area fusion centers, and private sector and critical infrastructure stakeholders.

Day 45 – 75


39

Make edits and incorporate recommended changes.

Day 75 – 90

Develop strategic communications and marketing plan, including technical assistance implementation options, to familiarize stakeholders with the Guide.

Day 90 – 105

Distribute Guide and begin executing marketing plan and providing technical assistance.

Day 130

Track progress of technical assistance and best practice implementation.

Day 130 – 190

Brief Information-Sharing Coordinating Council, Information-Sharing Governance Board, Homeland Security Information Center, NSI Program Management Office, Criminal Intelligence Coordinating Council, National Fusion Center Association, and Information Sharing and Access Interagency Policy Committee on implementation results.

Day 190

952


I&A, I&A/SLPO 954

Supporting Components: 955

NPPD/IP, NPPD/CS&C, FEMA, PSO, TSA, USCG, PRIV, CRCL, OGC 956

957


40


Build on existing relationships through field-level personnel, including I&A Fusion Center 959 Intelligence Officers, NPPD/Infrastructure Security Specialists, and FEMA Regional 960 Representatives to connect local-level groups with regional and national coordination efforts. 961

Discussion: 962

Numerous national-level policies, including the NIPP, recognize the important role that DHS field-963 level personnel play in building and maintaining relationships such that local-level groups remain 964 engaged and active with regional and national coordination efforts. The goal described in 965 Recommendation #10 can be achieved based on the following initiatives, which are currently 966 underway: 967

• Executing the planned deployment of Protection Security Specialists (ISS) to fusion centers 968 nationwide 969

• Establishing working relationships and communication protocols between local fusion 970 centers, I&A fusion center Intelligence Officers, NPPD/IP PSAs, and FEMA’s Federal 971 Preparedness Coordinators 972

• Enhancing NPPD/IP regional capacity by placing additional PSAs in regions with 973 significant concentrations of assets in high-consequence CIKR Sectors 974

• Creating a new, permanent, full-time position in each of FEMA’s 10 regional Offices of 975 External Affairs to focus on private sector and tribal engagement (a combined position) 976

• Developing methods to enhance engagement between I&A’s fusion center analysts, 977 NPPD/Infrastructure Analysts, FEMA’s FPCs, and all other DHS field-level personnel 978 including, but not limited to, TSA’s Field Intelligence Officers, representatives from the 979 United States Secret Service’s Electronic Crimes Task Forces, and USCG’s AMSC 980

NPPD/IP is dedicated to supporting the national network of fusion centers, in coordination with I&A, 981 the Department lead for fusion center integration. As part of this coordination with I&A, NPPD/IP is 982 in the beginning stages of planning the deployment of ISSs to State and major urban area fusion 983 centers throughout the country. The ISSs will serve as important resources in the exchange of 984 information between Federal, State, and local government entities; critical infrastructure owners and 985 operators; and private sector partners. Incorporating critical infrastructure subject matter expertise into 986 the intelligence fusion process will improve two-way communication by facilitating timely incident 987 response and reconstitution efforts as well as enable fusion centers to better analyze risks, trends, and 988 targets in light of current intelligence information within an all-crimes and an all-hazards environment. 989 One of the most important benefits of this process will be to alert critical infrastructure owners and 990 operators of impending attacks and assist them in effort s to prevent, interdict, mitigate, or harden 991 targets against probable attack methods. 992

NPPD/IP’s PSA Program is also establishing regional ties with FEMA’s FPCs through FEMA’s 993 Office of Preparedness Integration and Coordination (OPIC). As part of FEMA’s “Regional 994 Empowerment” principle and the “One IP” and “One DHS” concepts, the 10 regional FPCs, working 995


41

in conjunction with NPPD/IP’s Regional Directors, District PSAs, PSSs, and the fusion centers will 996 achieve the following: 997

• Assist States and urban areas develop and implement preparedness strategies 998

• Provide guidance and direction regarding the delivery of all preparedness programs and 999 activities to State, local, territorial, and tribal partners and private sector stakeholders 1000

• Facilitate and integrate their regional communities as the Nation’s focal points for national 1001 preparedness through expanded networks 1002

The addition of PSAs to regions with significant concentrations of assets in high-consequence critical 1003 infrastructure sectors (Energy, Banking, Water, Telecommunications, Dams, Information Technology, 1004 and Transportation) will ensure that the highest concentrations of assets receive more focused 1005 attention. This will enhance DHS protection and prevention support through the provision of 1006 protective measures, vulnerability assessments, risk mitigation training, and planning for all-hazard 1007 response efforts. PSAs contribute to the NIPP and National Response Framework-related 1008 requirements by identifying, assessing, and monitoring critical infrastructure and key resources and 1009 coordinating protective activities within their respective geographic areas during steady-state 1010 operations as well as during incidents. 1011 1012 FEMA is currently hiring 10 new, full-time positions to provide a person in each region dedicated to 1013 combined private sector and tribal outreach—two priorities for the Agency. These new employees 1014 will report to the regional Office of External Affairs. Within the context of private sector engagement, 1015 the regional staff will act as a single point of entry for private sector stakeholders wishing to 1016 collaborate with FEMA, help to better integrate existing FEMA efforts across the regional programs 1017 related to the private sector—such as Voluntary Agency Liaisons, Federal Preparedness Coordinators, 1018 and mitigation experts—as well as facilitate more regular communication and coordination with DHS 1019 and other Federal counterparts. With support from FEMA HQ Private Sector Division, the regional 1020 positions will be able to bring the current efforts conducted at HQ to the regional level. For example, 1021 these positions will regionalize HQ efforts by providing more direct interaction, coordination, and 1022 collaboration with national private sector stakeholders headquartered in the regions, State-level 1023 organizations, and associations. 1024 Additionally, these positions will support disaster efforts in the region, including private sector team 1025 deployments. 1026 1027 Deliverables: 1028

• An action memorandum detailing the need for creating a team of infrastructure analysts, 1029 one for each fusion center 1030

• A joint NPPD/IP, FEMA, and I&A Concept of Operations (CONOPS) to integrate fusion 1031 center activities to support regional Critical Infrastructure Protection and Preparedness 1032 initiatives, expand information-sharing networks, and leverage resources to connect local-1033 level groups with regional and national coordination efforts 1034

• An action memorandum detailing the need for increased personnel and funding to enhance 1035 the PSA Program’s regional capacity 1036


42


Current state: 1038

• Infrastructure Security Specialists—NPPD/IP has a DRAFT version of a CONOPS for 1039 integrating the ISSs into fusion centers 1040

• The PSA and FEMA program collaboration—have met with FEMA OPIC to discuss 1041 increased PSA Program and FEMA FPC collaboration; PSA program leadership will attend 1042 the FPC Quarterly Conference in Chicago at the end of October 1043

• Additional PSAs to enhance regional capacity—NPPD/IP has submitted a Program 1044 Decision Option (PDO) to NPPD/IP leadership for consideration. A total of 23 PSA 1045 Program personnel will be hired in Fiscal Year 2012 (FY 2012)—12 Supervisory PSAs and 1046 11 Protective Security Advisors. 1047

Requirements: 1048

• Obtain approval of the ISS CONOPS and identify funding for ISSs 1049

• Obtain agreement between NPPD/IP, I&A, and FEMA to continue exploring opportunities 1050 for PSA Program and FEMA FPC collaboration 1051

• Obtain approval of NPPD/IP’s PDO to hire 23 PSAs in FY 2012 1052


Process/Policy Metrics 1054

• Progress towards completion of action memorandums (measured as a percentage 1055 completed over time) 1056

• Progress towards completion of a joint NPPD/IP and FEMA Concept (measured as a 1057 percentage competed over time) 1058

• Obtain additional personnel and funding resources for the NPPD/IP PSA Program to 1059 increase regional capacity 1060

• Improve resource allocation by leveraging existing or emerging NPPD/IP, FEMA, I&A, 1061 and fusion center capabilities 1062

Transactional Metrics 1063

• Increase in outreach activities and information-sharing events at the regional level 1064

• Increase number of State- and local-level participation at national-level conferences, 1065 workshops, and protective measure briefings 1066

• Increase in the amount of positive State- and local-level feedback resulting from 1067 information sharing between the I&A Fusion Center Intelligence Officers, NPPD/IP PSAs, 1068


43

and FEMA Regional Representatives (to be measured in number of comments received and 1069 increases over time) 1070

• Increase in engagement with State and local government partners and private sector 1071 stakeholders through regionalization of NPPD/IP programs and activities 1072


PSA Program, I&A, and FEMA FPC collaboration In progress

An action memorandum detailing the need for creating a team of infrastructure specialists, one for each fusion center

Q4, FY11

A joint NPPD/IP, FEMA, and I&A CONOPS to integrate fusion center activities to support regional Critical Infrastructure Protection and Preparedness initiatives, expand information-sharing networks, and leverage resources to connect local-level groups with regional and national coordination efforts

Q4, FY11

An action memorandum identifying need for increased personnel and funding to enhance the NPPD/IP PSA Program’s regional capacity

Q4, FY11

Deployment of ISSs—pending approval of the ISS CONOPS, 15 ISSs could be deployed to select fusion centers, in coordination with the I&A State and Local Program Office

FY12

Fielding additional PSAs FY12

Lead Component (Office of Primary Responsibility): 1074 1075 NPPD/IP, I&A, FEMA 1076


NPPD, NPPD/IP, NPPD/CS&C, PSO, FEMA, I&A, TSA, NPPD/FPS, OGC 1078

1079


44


Increase critical infrastructure owners and operators and other private sector entities’ awareness 1081 of threats and risks applicable to their region and sector. There will be two separate deliverables 1082 for Recommendation #11. 1083

Discussion: 1084

Overview 1085

The hazards that threaten the United States and its private sector interests encompass everything 1086 from severe weather, pandemic health issues, geological and other natural events impacting 1087 entire communities, to human-caused accidents or attacks that target specific infrastructure 1088 systems, processes, and people. 1089

Depending on variables such as the size, type, potential impact, and location of an incident, DHS 1090 works with private sector stakeholders spanning large and small business, industry, critical 1091 infrastructure, voluntary, non-profit, faith-based, academic, think tank, and other non-1092 governmental organizations or their association representatives to provide timely threat 1093 assessments and informal risk analyses of potential impacts of manmade or natural hazards. 1094


To prevent, prepare for, respond to, and recover from all-threat and all-hazards incidents, 1096 information is one of the most critical requirements for prompt, successful response and 1097 recovery. Specifically, this information must be clearly communicated to its intended audience, 1098 and it must be relevant, timely, accurate, and consistent with other messages on the issue. 1099

Deliverables: 1100

Deliverable 1: Threat and Risk Briefings and Risk Analysis Courses 1101

Develop and implement a joint NPPD/IP and I&A Threat and Risk Briefing SOP and a DHS-1102 wide synchronized threat briefing schedule for regional and cross-sector threat and risk briefings 1103 at DHS regional and local field-level locations, including at fusion centers, as appropriate—1104 additional sector-specific briefings to be conducted as required. In addition, subject to 1105 availability of resources, to further increase the frequency and utility of threat and risk briefings 1106 for public and private sector stakeholders, NPPD/IP, in coordination with I&A, will offer the 1107 Introduction to Risk Analysis Course to support fusion centers as they work to achieve baseline 1108 levels of capability that increase analytical tradecraft. 1109

Deliverable 2: Future NPPD Office Focused on Analysis and Modeling 1110

NPPD—including CS&C, IP, the Federal Protective Service (FPS), the Risk Management & 1111 Analysis (RMA), and US-VISIT—will develop for NPPD senior leadership an organizational 1112 concept paper for a new NPPD office that focuses on Analysis and Modeling to assist NPPD in 1113 providing public and private critical infrastructure owners and operators and other private sector 1114 stakeholders with the information they need to help protect their employees, their property, and 1115 the national economy from all manner of threats. A cross-cutting analysis effort that meets that 1116 need and simultaneously supports both the day-to-day operational and strategic missions of 1117


45

CS&C, IP, FPS, and US-VISIT will ensure that NPPD successfully leads the DHS effort to 1118 safeguard, protect, and ensure the resilience of the Nation’s physical and cyber infrastructure. 1119



• Provide staff for working group, information for data calls, and access to current sector-1122 specific information needs for cross-sector threat and risk briefings. 1123

• DHS field-level representatives, from Headquarter Elements and Operational Components 1124 throughout the Department, will conduct threat and risk briefings at regional and local DHS 1125 locations, including at fusion centers, as appropriate. 1126

• DHS field-level representatives will collaborate with private sector partners to identify 1127 topics of interest for each briefing and will give private sector entities the opportunity to 1128 brief DHS field-level representatives on their industry risks at these briefings. 1129

• NPPD/IP will coordinate the threat briefings in coordination with I&A. 1130

• Subject to available resources, NPPD/IP, in coordination with I&A, will coordinate and 1131 conduct risk training courses for fusion center intelligence officers. 1132

• Based on requests from the individual Sectors, NPPD/IP will coordinate and conduct 1133 quarterly or annual risk briefings to DHS SCC meetings. 1134

• The United States Secret Service will continue to provide classified threat briefings to 1135 critical infrastructure owners as well as members of the Financial Services-Information 1136 Sharing and Analysis Center. 1137


A future NPPD office focused on analysis and modeling, developed in partnership with I&A and 1139 the other components of the DHS Intelligence Enterprise, must focus on providing relevant 1140 information that will enable NPPD stakeholders to manage and mitigate risk to their individual 1141 business and enterprises. NPPD already makes it a priority to base programmatic strategy and 1142 related resource allocation decisions on the enterprise risks that arise in an all-hazards 1143 environment. Taking a similar enterprise risk management approach to analysis will encourage a 1144 standardized view of risk not only within NPPD, but also throughout the public and private 1145 sectors—promoting resource allocation that protects against and responds to both manmade and 1146 natural events. This approach to risk—which will expand the threat component of the “threat, 1147 vulnerability, and consequence” risk paradigm beyond terrorism to include all manner of 1148 threats—will more fully implement the policy objectives of the NIPP and the National Response 1149 Framework. It likewise will make NPPD a more valuable player within the wider DHS 1150 Intelligence Enterprise. Most importantly, it will enhance NPPD’s ability to provide useful 1151 information to its consumers. 1152

Development of this new office within NPPD will occur in two phases. Phase One involved the 1153 standup of an Enterprise Risk Working Group (“Working Group”) to identify a prioritized list of 1154


46

public and private sector enterprise risk information requirements, as well as requirements from 1155 other stakeholders inside DHS, State and local governments, and other Federal departments and 1156 agencies. Phase Two will involve NPPD’s internal application of those validated requirements 1157 to flesh out the office’s mission, its functions and processes, and its organizational structure. 1158

This approach will result in the following at each phase: 1159

• Phase One—the Working Group’s completion of a strawman document that identifies and 1160 describes a variety of potential enterprise risk categories of concern to the public and 1161 private sectors, Working Group conversations with public and private sector/stakeholders 1162 to review and validate the strawman document’s enterprise risk categories by assigning 1163 values and prioritizing those categories, and the completion of that validation work 1164

• Phase Two—the standup of a NPPD Working Group that will use the validated stakeholder 1165 requirements from Phase One to develop the new office's organizational concept paper 1166 proposal and the completion of the strategy proposal 1167

• Phase Three—decision and direction from senior NPPD leadership on implementing the 1168 new office's organizational concept paper 1169



• Number of stakeholder information requirements satisfied by briefings 1172

• Increased number of regional and local threat and risk briefings provided to private sector 1173 partners 1174

• Increased number, as appropriate, of DHS field-level representatives from Headquarters 1175 Elements and Operational Components throughout the Department present at DHS-hosted 1176 briefings 1177

• Increased number of participants who attempt to register in the Risk Analysis Courses 1178


The requirements development process and the eventual creation of an office within NPPD 1180 focused on analysis and modeling are designed to enhance the effectiveness of the Department’s 1181 information-sharing efforts with its partners, especially the private sector. In this regard, key 1182 metrics will include the satisfaction of these partners with the products and services provided by 1183 DHS, the timeliness of the information sharing, and the degree to which DHS information is 1184 driving risk management by public and private sector partners. 1185

1186

1187

1188


47


Deliverable 1: Threat and Risk Briefings 1190

The primary deliverable will be a joint NPPD/IP and I&A SOP on conducting scheduled threat 1191 and risk briefings and emerging issue threat briefings. This SOP will be informed by lessons 1192 learned and ad-hoc procedures developed during the series of briefings that have occurred in the 1193 recent months through the month of October. 1194

Phase 1: Establish joint NPPD/IP and I&A threat and risk briefing working group

Day 1 – 30

Phase 2: Draft Threat and Risk Briefing SOP Day 30 – 60

Phase 3: Synchronize threat and risk briefing schedule with other DHS component briefing activities.

Day 60 – 90

Phase 4: Draft a DHS-wide threat and briefing calendar

Day 90

Phase 5: Publish SOP and implement briefing calendar Day 120

Deliverable 1: Risk Analysis Training 1195 NPPD/IP, in coordination with I&A, is coordinating a series of Introduction to Risk Analysis 1196 training courses for fusion center intelligence officers. Each course will last 5 days and will have 1197 up to 30 fusion center intelligence officers. Subject to availability of resources, additional 1198 training courses will be held quarterly in Chicago. 1199


Phase 1: Develop and validate strawman document November–December 2010 – COMPLETED

Phase 2: Internal NPPD discussions and concept development

January–March 2011

Phase 2: Organizational concept paper March 2011

Phase 3: NPPD senior leadership review TBD 1201 Lead Component (Office of Primary Responsibility): 1202

Deliverable 1: NPPD/IP 1203

Deliverable 2: NPPD 1204

Supporting Components: 1205

Deliverable 1: NPPD/Front Office, I&A, OGC 1206


48

Deliverable 2: For the Phase One Working Group/Focus Group efforts, NPPD will partner with 1207 I&A, NPPD/IP, the Science and Technology Directorate, and potentially other DHS 1208 Headquarters and Operational Components, including OGC. In addition, it is envisioned that 1209 this working group will solicit input from and collaborate with members of the private sector and 1210 other stakeholder communities, including State and local governments, other Federal agencies, 1211 and academia. 1212

1213


49


Expand the Cybersecurity Partner Local Access Plan (CPLAP) pilot program (led by the DHS 1215 National Cyber Security Division (NCSD) and I&A) to enable more cost-effective and efficient 1216 classified cybersecurity information sharing and discussions. Ensure that fusion centers 1217 recognize that physical and cyber risk information is useful to both physical and cybersecurity 1218 executives. 1219

Discussion: 1220

The CPLAP leverages the existing capabilities of fusion centers nationwide as platforms for 1221 DHS to conduct multidirectional information sharing for threat context, vulnerability 1222 identification and analysis, and consequence discussion across CIKR Sectors and levels of 1223 government and enables more effective and efficient classified cybersecurity information sharing 1224 between Federal; State, local, tribal, and territorial; and private sector partners. The plan 1225 involves mechanisms for cleared State, local, and private sector partners to access their State or 1226 major urban area fusion center (at the discretion of the fusion center director) to read periodic 1227 classified e-mails regarding cyber threats; participate in quarterly cybersecurity briefings and 1228 discussions through secure video teleconference or secure audio teleconference; and access 1229 classified communications channels in the event of a cybersecurity incident. The CPLAP lays a 1230 foundation for more broad-ranging information-sharing efforts between public and private sector 1231 partners as relationships and processes mature. 1232 1233 Deliverable: 1234

A plan to expand the CPLAP pilot program and to continue to reinforce fusion centers as the 1235 primary access points for private sector cybersecurity partners to acquire and share classified 1236 information. 1237 1238 Component Support Activities: 1239

The policy component of the CPLAP pilot has been underway for nearly two years. The 1240 operational component of the CPLAP pilot has been underway since the summer of 2010. 1241 1242 Metrics of Success: 1243

• An increase in the number of private sector partners who receive scheduled cybersecurity 1244 briefings and discussions at fusion centers using secure video teleconferences or secure 1245 audio teleconferences 1246

• An increase in the ability to identify CIKR partners with DHS-held SECRET clearances—1247 and those who currently do not have them but should 1248

1249


Phase I: CPLAP pilot implementation (two fusion centers)

Summer 2010 – COMPLETED


50

Phase II: Pilot expansion (three additional fusion centers)

Q2, Fiscal Year 2011

Phase III: Pilot expansion to additional fusion centers with operational/functional capabilities to support classified read file review and secure video teleconferencing (SVTC)

March 31, 2011

Phase III: Pilot expansion to remaining fusion centers with operational/functional capabilities to support classified read file review and SVTC

December 31, 2011


NPPD/CS&C/NCSD 1253


I&A/Cyber Threat Branch and Joint Field Office—Project Management Office, 1255 NPPD/IP/Partnership and Outreach Division (Security Clearance Program), SLPO, OGC 1256

1257


51


DHS should provide more useful information to the private sector and engage private sector 1259 entities into the SINs process. 1260

Executive Summary: 1261

DHS is developing an implementation plan to deploy teams of specialists to collect and integrate 1262 the information needs of the private sector into DHS SINs in order to identify and close the 1263 intelligence gaps that will enable DHS to more accurately identify, assess, and mitigate threats to 1264 the homeland. The success of this effort will be evidenced by DHS’s ability to disseminate 1265 information to private sector partners to mitigate threats in advance of an attack, the commission 1266 of a crime, or recovery from an attack by providing better intelligence support to critical 1267 infrastructure owners and operators in order to enhance infrastructure protection. 1268

Discussion: 1269

A SIN is an enduring, continuous intelligence or information requirement derived from the 1270 information needs of DHS and its State, local, tribal and territorial (SLTT) partners. SINs are the 1271 equivalent of the Intelligence Community’s (IC’s) intelligence requirements and are the 1272 foundational blocks DHS uses for the DHS intelligence cycle. DHS reaches out to its 1273 components and fusion centers to gather their SINs, which are prioritized by the customer in 1274 accordance with their statutory authorities and initiatives. These prioritized SINs are then used 1275 by intelligence officers to develop collection strategies to address information gaps, which are 1276 then further refined and developed into multi-disciplined collection plans with collection 1277 managers and operations. These plans are then executed by the operational components of DHS 1278 and members of the IC who have the capabilities to assist in filling the information gaps. The 1279 response DHS receives from the components and IC on its SINs are provided in the form of raw 1280 and finished intelligence products that are then used to close the information gaps. DHS will 1281 replicate this process with its private sector partners to enhance the Department’s ability to more 1282 accurately identify, assess, and mitigate threats, combining the totality of SINs from the DHS 1283 community of interest. Information captured through the SINs process that is not intelligence 1284 related will be forwarded to the appropriate entity for action. The DHS SINs team will 1285 incorporate the private sector SINs into the Homeland Security Intelligence Priorities Framework 1286 through the Policy, Plans and Performance Management Directorate. 1287

The private sector has identified a need for DHS to more fully and formally engage the private 1288 sector into the development and validation of the SINs that represent their information needs. 1289 The I&A’s Collection Requirements Division (CRD) will lead the private sector SINs effort as 1290 they have successfully led the SINs integration effort across the Department’s Headquarters and 1291 Operational Components and fusion centers. This cumulative effort is being done to develop a 1292 concise common intelligence requirements picture, identify critical information gaps, more 1293 accurately drive the DHS intelligence collection and production cycles, and provide the 1294 Department with an executive performance management tool to quantifiably measure the 1295 effectiveness of intelligence collection and production. The enhancement of the SINs process 1296 with the private sector will establish the necessary point of commonality that DHS and the 1297 private sector can use to satisfy one another’s information needs and fill in their respective 1298 intelligence gaps. 1299


52

This revised process will accomplish the following: 1300

• Streamline communication between the U.S. Government and the private sector; 1301

• Establish a point of commonality that DHS and the private sector can use to satisfy one 1302 another’s information needs through the integration of private sector information needs 1303 with DHS SINs; 1304

• Use private sector information to fill intelligence gaps; 1305

• Use private sector information to provide more comprehensive sector based homeland 1306 threat assessments; 1307

• Provide DHS with previously untapped collection resources in the private sector; 1308

• Improve compliance with statutory requirements—such as the Homeland Security Act of 1309 2002, as amended; the Patriot Act; and the Post-Katrina Emergency Management and 1310 Reform Act to “assess, receive, analyze” information, “integrate relevant information,” 1311 “disseminate, as appropriate, information analyzed by the Department,” “consult with,” 1312 and “request additional information” with public and private sector entities; 1313

• Enables priority setting, identification and assessment of threats, and the reduction of 1314 vulnerabilities and risk; 1315

• Promote collaborative public-private partnerships for mutual support to strengthen national 1316 security and economic security of the United States; 1317

• Engender trust and confidence with private sector based on the professionalism of 1318 departmental employees and integrity of sound policies and management practices; 1319

• Ensure DHS mission achievement, particularly “ensure that the overall economic security 1320 of the United States is not diminished by efforts, activities, and programs aimed at securing 1321 the homeland” (Section 101(b)(1)(F), Homeland Security Act of 2002); 1322

• Educate the private sector on the workings of the intelligence process so they better 1323 understand the importance of their inputs; 1324

• Educate the IC professionals on the private sector requirements’ ties to their critical 1325 business processes; and 1326

• Establish, through the ongoing engagement process between the IC (through I&A) and the 1327 private sector, more robust feedback on collection and reporting. 1328

Deliverables: 1329

Institutionalizing the integration of broader private sector information needs into the DHS SINs 1330 process will require outreach to private sector entities not currently members of the established 1331 18 sectors included in the NIPP partnership framework. However, initial efforts will focus in 1332


53

CIKR Sectors as defined in the NIPP. This will be achieved through the following multi-phased 1333 effort: 1334

Phase I: The DHS SINs team will work with interested DHS partners to develop and begin to 1335 implement the engagement plan with private sector entities to be included in the SINs process. 1336

Phase II: The DHS SINs team, working with IP, will brief the SSA responsible for each sector 1337 and the Cross-Sector Leadership Council (the private sector leadership body of the 18 CIKR 1338 Sectors) on the SINs process and the plan for working with the sectors to create and validate 1339 requirements. The sectors will be asked to identify a working group within each sector to work 1340 with the government in meetings to develop requirements; 1341

Phase III: The government teams will meet with the sector working groups to train and educate 1342 them on the SINs process, prioritization with a customized SINs template to help them identify 1343 their information needs, introduce them to the automation tool currently under development by 1344 the I&A Knowledge Management Division, and begin an annual cycle of meeting with the sector 1345 groups to review products issued, re-validate requirements and priorities, and promote the 1346 automated reporting mechanism for the private sector to provide information back to DHS to 1347 answer DHS SINs. The following steps will ensure that private sector input will be included in 1348 the next SINs cycle, scheduled for release in Fiscal Year 2011: 1349

• Brief all 18 Sector Coordinating Councils (SCCs) within 365 days. 1350

• Conduct assessment of existing SINs implementation procedures and make the necessary 1351 revisions to gather private sector SINs and use the Oil and Natural Gas Pilot Project with 1352 NPPD/IP as the first sector to frame SINs outreach. 1353

• Host monthly “One DHS” production board meetings to discuss any and all analytic 1354 production activity from all components to all potential consumers or audiences. 1355

• Provide a listing of “who’s who” and their roles and responsibilities in the intelligence 1356 information-sharing space: a fact sheet of IA representatives, SSAs, Sector Specialists, 1357 PSAs, TSA FIOs, etc. and who goes to whom for what and when. 1358


I&A will coordinate with all DHS Headquarters and Operational Components, particularly those 1360 with statutory missions to interface with the private sector. Working with the SSAs, NPPD/IP 1361 will facilitate the requirements interface with the private sector for the CIKR Sectors. I&A will 1362 conduct briefings to the private sector on the SINs process in cooperation with components. 1363 I&A will provide appropriate documents and materials to begin the process and will provide 1364 subject matter expertise as requested. 1365

1366

1367

1368

1369


54


The metrics for this initiative are as follows: 1371

Phase I 1372

• Development and implementation of the private sector engagement plan 1373

• Briefings provided to the Cross-Sector Leadership Council and SSAs on the engagement 1374 plan 1375

• The formation of information requirements work groups within each sector 1376

Phase II 1377

• Meetings held with each of the sector information requirements work groups to develop 1378 and validate SINs for each sector 1379

Phase III 1380

• Sectors trained on automated process 1381

• Increased numbers of sectors with completed or drafted SINs 1382

• Annual follow-up meetings conducted with each sector to discuss feedback and validate the 1383 SINs 1384

1385 Timeline for Completion: 1386

I&A CRD understands the implementation and gathering of private sector information needs will 1387 be phased in over a period of time and is contingent on the acquisition of additional personnel to 1388 perform the information requirements outreach and the ability of the DHS teams to meet each 1389 successive milestone. The DHS team will brief the ISCC and the ISGB quarterly on the status of 1390 the gathering of information requirements from the private sector. 1391

Use Knowledge Management Tool to roll out the SINs automation tool

Day 1–45

Develop and deploy two pilot projects with NPPD/IP and National Protection and Programs Directorate

Day 1–60

Brief the Cross-Sector Leadership Council Day 60–75

Develop the 18 specialized private sector outreach briefings, training, and education

Day 60–90

Successfully implement the development of individualized plans to have completed private sector SINs across the 18 sectors, integrate the

Day 90–365


55

private sector SINs with DHS SINs, coordinate collection and production activities with the IC on the private sector needs through DHS SINs

Brief the ISCC private sector IS IPT on the progress of the private sector outreach

Day 60, 120, 180, 240, and 365


The office of primary responsibility in the collection of information requirements is 1394 I&A/Collection and Requirements Division. The office of primary responsibility for critical 1395 infrastructure is NPPD/IP. 1396


All DHS Headquarters and Operational Components 1398

1399


56


Provide clear guidance to the private sector for handling and disseminating current SBU 1401 designations, including FOUO. 1402

Discussion: 1403

• DHS seeks to make policies and procedures for handling, disseminating, and disposal of 1404 the FOUO information in anticipation of forthcoming guidance related to recently issued 1405 Executive Order 13356, available and accessible for members of the private sector to 1406 ensure that the Department’s information is adequately protected against unwanted 1407 disclosure. 1408

• By addressing the Department’s private sector information-sharing partners’ questions on 1409 FOUO information, the Department will reduce confusion among its private sector 1410 partners. A better understanding of how to recognize, handle, and store FOUO information 1411 will enhance the information flow between the Department and the private sector. 1412

• Executive-level policies and procedures defining “Controlled Unclassified Information” 1413 (CUI) and its implementation across government have not been issued by the Executive 1414 Agent. A DHS CUI policy committee has been established both to inform the government-1415 wide processes for developing Executive-level guidance and to develop appropriate 1416 policies and training throughout DHS once the government-wide program is implemented. 1417 As such, it is not addressed as part of this recommendation. 1418

Overview: 1419

To assist the Department of Homeland Security’s mission to protect the Nation’s critical 1420 infrastructure, the Department often shares FOUO information with State, local, tribal, and 1421 territorial governments and the private sector. These non-Federal entities are not always familiar 1422 with Departmental handling procedures for FOUO information and this uncertainty sometimes 1423 results in hesitancy by both sides to share information. The Department seeks to make its current 1424 policy and procedures for handling and disseminating FOUO information available and 1425 accessible for these non-Federal entities. 1426

Current Situation: 1427

Members of the private sector often contact various offices across the Department with questions 1428 regarding FOUO information received from DHS. These questions often relate to how to 1429 adequately safeguard the information or whether the information can be shared further. DHS 1430 Management Directive (MD) 11042.1, “Safeguarding Sensitive But Unclassified [For Official 1431 Use Only] Information” describes the Department’s policy relating to the use, storage, 1432 dissemination, and destruction of FOUO information; however, neither the private sector nor the 1433 Department staff are aware of or sufficiently familiar with it to answer questions on FOUO 1434 information. 1435

1436

1437


57


When private sector entities have questions about FOUO information, it is important that they 1439 have access to the appropriate policy and guidance documents to address their concerns. HSIN 1440 would provide the most efficient means to access and exchange this information. Written or 1441 online documents can be kept or accessed repeatedly for future reference and may preclude the 1442 need to make repeated inquiries to a Department component. This saves both private sector and 1443 Department time and avoids the possibility that the private sector will contact an office that is not 1444 familiar with Departmental policies on FOUO information. 1445

Any document should be written in precise language, using the terms of the MD, but may be 1446 organized in a way more conducive to the needs and questions of the private sector. 1447 Additionally, the Department should provide the private sector with access to the MD and any 1448 other guidance documents associated with safeguarding and handling FOUO, or other SBU 1449 information shared by DHS, even if not explicitly covered by the current DHS directive. 1450

One office within the Department should be clearly identified as the point of contact for all 1451 private sector questions regarding FOUO information policies. Members of the private sector 1452 shall be expected to communicate with representatives from this office when they are uncertain 1453 whether prospective recipients of FOUO have a need to know the information. This will ensure 1454 that private sector questions are answered uniformly and will make it easier for the Department 1455 to speak to the private sector about FOUO with one voice, reducing confusion. 1456

Deliverables: 1457

• A set of FAQs that consist of the most commonly asked questions by the private sector 1458 about properly handling, storing, disseminating, and disposing of FOUO information. 1459

• A fact sheet that clearly conveys DHS policy guidance to members of the private sector 1460 who receive FOUO information separate from any contractual relationship for goods or 1461 services they may have with a Federal agency. It will accompany Management Directive 1462 11042.1, “Safeguarding Sensitive But Unclassified [For Official Use Only] Information.” 1463

• A standardized, official DHS disclaimer on each document marked FOUO that includes a 1464 hyperlink to a DHS public website for a copy of the FAQs, fact sheet, and the MD. 1465


• Designating one office within the Department as the official point of contact for all private 1467 sector questions on safeguarding FOUO information policies. 1468

• Providing continued access to HSIN for members of the private sector. 1469

• Consider including SSI specific guidance into this guide or a separate guide. 1470


• Reduced number of private sector questions relating to FOUO information 1472

• Acceptance of the guidance by the SCCs 1473


58

• Distribution of policy guidance and FAQs to all private sector stakeholders including, but 1474 not limited to, PSAs; the SLTTGCC; the RCCC; the CIKR Cross Sector Coordinating 1475 Council; and other component representatives 1476

• Fewer violations of FOUO handling and disseminating procedures reported to DHS PSAs 1477 and the Office of Chief Security Officer 1478

• All FOUO documents released by DHS to the private sector contain information on the 1479 office within DHS that can answer any private sector questions, a disclaimer, and a 1480 hyperlink 1481


Draft FAQs and supplemental fact sheet for review by Department stakeholders.

Day 1 – 15

Designate one Department office as the official point of contact for all FOUO inquiries.

Day 1

Finalize FAQs and fact sheet. Day 30

Make FAQs and fact sheet available to private sector stakeholders via HSIN.

Day 45

Require originators within the Department to list a point of contact line, disclaimer, and hyperlink on all FOUO documents released to the private sector.

Day 75

Distribute deliverables to all PSAs, the SLTTGCC, RCCC, CIKR Cross Sector Coordinating Council, and other component representatives as well as broad dissemination to all private sector stakeholders.

Day 105


Office of the Chief Security Officer 1485


Office of Security, NPPD/IP, I&A, USCG, OGC 1487

1488


59


Increase information to critical infrastructure owners and operators on methods to become more 1490 involved in the public-private partnerships. 1491

Discussion: 1492

Federal laws and Presidential directives provide clear mandates for DHS to establish and sustain 1493 engaged partnerships and share information between and among governments and private sector 1494 entities at all levels. Information sharing enables priority setting, identification and assessment 1495 of threats, and reduces vulnerabilities and risk—as mandated by law. These authorities also 1496 promote collaborative public-private partnerships for mutual support to strengthen the national 1497 security and economic security of the United States. 1498

The majority of the critical infrastructure in the United States is owned and operated by the 1499 private sector. Consequently, public-private partnerships and information sharing to support 1500 joint activities are recognized as key elements of achieving the homeland security mission of 1501 protecting and ensuring the resilience of the Nation’s critical infrastructure. Optimal 1502 participation in public-private partnerships is based on sound processes, policies, and 1503 management practices. Increased awareness and expanded opportunities for involvement by 1504 critical infrastructure owners and operators in public-private partnership activities will result in 1505 more effective processes for the information sharing needed to reduce and mitigate risk to the 1506 Nation’s critical infrastructure. 1507

Deliverables: 1508

• Complete a review of existing DHS policies and procedures as they relate to partnership 1509 engagement and information sharing. 1510

• Analyze data regarding current critical infrastructure partnership model and information-1511 sharing processes and mechanisms to determine levels of awareness of existing resources, 1512 levels of participation, and scope of the target audience for participation. The analysis will 1513 identify gaps and opportunities to increase awareness and participation in critical 1514 infrastructure information sharing and participation in public-private partnerships. The 1515 scope of the analysis will include, but will not be limited to, review of current sector 1516 participation in partnership councils, organizations, HSIN-CS, and other information-1517 sharing mechanisms, as appropriate. 1518

• Develop strategy, recommendations, and implementation plans at the national and regional 1519 levels promoting awareness and encouraging participation in the critical infrastructure 1520 partnership, HSIN-CS, and the CIKR ISE among critical infrastructure owners and 1521 operators. The strategy and implementation plan may include recommendations to achieve 1522 the following: 1523

o Establish and communicate new or amend DHS policy, management directive, or 1524 other procedures as identified through the analysis. 1525

o Develop or amend existing communications and outreach programs that address 1526 the needs of Federal and State partners. 1527


60

o Develop an initial suite of products (i.e., fact sheet, brochure, job aid, or Web-1528 content) that provide information to critical infrastructure owners and operators on 1529 ways to get involved with the public-private partnerships. Identify mechanisms 1530 and initiate distribution and placement of products in communications resources 1531 that may include, but are not limited to: DHS.gov, the Private Sector Resources 1532 Catalog, and relevant Web portals, toolkits, or other printed products. 1533


NPPD/IP is responsible for overall coordination of the DHS infrastructure protection and 1535 resilience mission. NPPD/IP is responsible for leading public-private coordination across the 18 1536 sectors. NPPD/IP implements this capability through a robust Critical Infrastructure Partnership 1537 Model and information-sharing capabilities—HSIN-CS—at the national level, risk and threat 1538 analysis, and a 24/7 critical infrastructure coordination center (the National Infrastructure 1539 Coordinating Center). NPPD/IP has responsibility as the SSA for six CIKR Sectors (Chemical, 1540 Critical Manufacturing, Commercial Facilities, Dams, Emergency Services, and Nuclear), while 1541 other DHS components also are designated to have SSA responsibilities (TSA for Transportation 1542 and Postal and Shipping; USCG for Maritime; the National Protection and NPPD/CS&C for 1543 Information Technology and Telecommunications; and NPPD/FPS for Federal Facilities). 1544 NPPD/IP and the other SSAs are responsible for coordination with sector partners and 1545 facilitating information-sharing activities. 1546

Other DHS components share responsibility for engagement with critical infrastructure owners 1547 and operators. I&A, for example, works with critical infrastructure owners and operators in 1548 terms of providing actionable and relevant threat information and the Science and Technology 1549 Directorate leads efforts to identify requirements and coordinate relevant research and 1550 development to support and continue to improve critical infrastructure protection and resilience. 1551 FEMA leads efforts for emergency preparedness and incident management that require engaged 1552 partnership with the private sector; and the PSO provides overarching coordination with private 1553 sector partners at the executive level. 1554


• NPPD/IP collects and reports on the following several metrics for the Critical Infrastructure 1556 Partnership Project (Fiscal Year 2010 metrics) that apply to this recommendation: 1557

• Percent increase in user activity on the HSIN for receipt of critical infrastructure analytical, 1558 information-sharing, and protective measures products 1559

• Percent increase of critical infrastructure sector members participation in sector partnership 1560 beyond the Council members 1561

• Percent of critical infrastructure owners and operators reachable through the Sector 1562 Partnership organizational communication vehicles 1563

• Other proposed metrics: 1564

• Percent increase in critical infrastructure partnerships at the State, local, and regional levels 1565


61

• Outreach by stakeholder group 1566

• Number of non-DHS and non-contractor users on HSIN-CS 1567

• Responsiveness by DHS to partner queries (e.g., clarity of process for resolving issues or 1568 answering questions—for example, within three business days, even if draft reply) 1569

• Customer feedback on the usefulness and value of the information and process 1570

• Increased partner activity with DHS to further engage (e.g., white papers, policy 1571 recommendations, requests for assistance) 1572


Working group established and chartered Day 1

Review of existing DHS policies, procedures, and tools (including metrics) for participation in Partnership Councils and HSIN-CS. Review of current methods available for sharing information with critical infrastructure owners and operators.

Day 1 – 30

Summary of findings briefing to DHS internal and external stakeholder components to socialize concept, alert them to coming change, and gain buy-in

Day 30 – 45

Begin drafting strategy and engagement plan Day 45

Draft strategy and engagement plan distributed for review by DHS components through the Executive Secretariat

Day 75

Comments on draft strategy and engagement plan due to working group

Day 90

Adjudication of comments by working group Day 105

Revised strategy and engagement plan ready for routing through leadership, through the Executive Secretariat (two weeks)

Day 120

Final strategy and engagement plan briefed to the ISCC and the ISGB

Day 150

Begin developing initial suite of products for internal review

Day 160


NPPD/IP 1575

1576


62


USCG, TSA, NPPD/CS&C, I&A, FEMA, PSO, OGC 1578

1579


63

Recommendation #16 A: 1580

Increase educational outreach to private sector partners regarding Chemical-terrorism 1581 Vulnerability Information (CVI) to assure partners that provided information to DHS will be 1582 protected from public disclosure or misuse. 1583

Discussion: 1584

CVI is the information protection regime authorized by Section 550 of Public Law 109-295 to 1585 protect from inappropriate public disclosure certain information developed or submitted pursuant 1586 to Section 550. This includes information that is developed or submitted to DHS pursuant to the 1587 Chemical Facility Anti-Terrorism Standards regulation that implements Section 550. 1588

Chemical facilities expect that the information provided to DHS will be protected from public 1589 disclosure or misuse. DHS expects individuals in possession of CVI to safeguard it with equal 1590 care. Following the requirements in 6 CFR § 27.400 and the guidance in the CVI Procedures 1591 Manual will ensure sensitive information about the Nation's high-risk chemical facilities is 1592 safeguarded. 1593

Deliverables: 1594

NPPD/IP will produce fact sheets for dissemination to appropriate security partners by NPPD/IP 1595 personnel, such as the chemical inspectors, and will also place this information on DHS.gov and 1596 make the information available for placement on chemical industry websites. 1597


• NPPD/IP increases dissemination (through events or web-downloads) of CVI fact sheets 1599


Fact sheet development, request for stakeholder input sent to the SLTTGCC for review

Day 1 – 30

Final review of SLTTGCC comments, request for OGC review

Day 30

Final review of OGC comments Day 60

Revised fact sheet ready for routing through leadership

Day 90

Briefing to DHS internal and external stakeholder components to socialize concept, alert them of coming fact dissemination and educational outreach

Day 120

1601 Lead Component (Office of Primary Responsibility): NPPD/IP 1602

Supporting Components/Subcomponents: IGA, OGC 1603

Recommendation #16 B: 1604


64

Increase educational outreach to private sector partners regarding PCII to assure partners that 1605 providing information to DHS will be protected from public disclosure or misuse. 1606

Discussion: 1607

PCII is a statutorily-mandated form of sensitive but unclassified information designed to 1608 encourage voluntary information sharing between the private sector and Federal, State, and local 1609 governments. NPPD/IP oversees the PCII program, which has accredited more than 50 Federal, 1610 State, and local partners and trained more than 12,000 individuals on authorized ways to access, 1611 store, and safeguard PCII. The information shared with the Government via the PCII program is 1612 information that otherwise might not be shared and is critical to the development of protection 1613 and resilience strategies designed to protect the Nation’s critical infrastructure and way of life. 1614 Communicating the legal safeguards of the PCII program to private sector partners will lead to 1615 increased awareness and use of the PCII program by the private sector. 1616

Deliverables: 1617

In order to meet the DHS information sharing requirements for communicating PCII’s legal 1618 safeguards and assurances to our private sector stakeholders, NPPD/IP has identified a plan to 1619 procure PCII brochures and fact sheets for distribution to DHS PSAs and fusion center 1620 intelligence officers. These publication sets will be produced and provided for dissemination to 1621 our identified DHS regional representatives to help support their outreach efforts and better 1622 inform our sector partners of the protection capabilities DHS provides with regard to sharing of 1623 proprietary information. 1624

NPPD/IP will offer PCII-focused Webinars for the private sector community, DHS, and other 1625 government communities to provide additional information or answer questions on the program. 1626


The PCII Program currently partners with the PSA program to provide information on the PCII 1628 program so that the PSAs can leverage the use of PCII to increase private sector sharing of 1629 critical infrastructure information. In addition, NPPD/IP is engaged in a fusion center pilot 1630 currently in progress to promote the use of NPPD/IP tools to include PCII. Also, NPPD/IP and 1631 the PCII program staff specifically provide presentations on the PCII program to a wide variety 1632 of private sector audiences. 1633

The PCII program will increase coordination with the PSO to ensure PCII activities are 1634 integrated as appropriate into PSO activities. 1635

IP will establish a PCII working group as part of the NPPD/IP led- Federal Senior Leadership 1636 Council (FSLC) to identify and address issues and recommendations on the PCII program from 1637 the sector partners. 1638


• Increased awareness of fusion center personnel regarding PCII and use of the program 1640

• Continued PSA outreach to the private sector related to the PCII program 1641


65

• Increased private sector awareness and trust in the program 1642


PCII Fact Sheet Distribution Ongoing

PCII Brochure: • Brochure developed and approved • Print production

Q2, Fiscal Year 2011

PCII and CVI Interaction Document Additional policy input from NPPD/IP needed

PCII Outreach Activities • PSA coordination • Fusion Center personnel • Homeland Security Advisors • PCII stakeholder community (to include

owners and operators, PCII authorized users)

Ongoing

Lead Component (Office of Primary Responsibility): 1644 NPPD/IP 1645


IGA, PSO, OGC1647

66

Attachment B: Private Sector Information-Sharing Working Group Participants – Private Sector Companies and Trade Associations

3M Abbott Laboratories Airports Council International American Bus Association American Trucking Association Ameriprise Financial Aon ASIS International Association of American Railroads Bank of America BASF Baxter Healthcare, Inc. Beacon Capital Partners Best Buy Blue Shield Boeing Brookfield Properties Business Executives for National Security Caterpillar ChicagoFIRST, LLC Cisco Systems Clorox CME Group Colonial Pipeline Consumers Energy Con-way Ennis Strategic Financial Engines Food Marketing Institute Gap Google Grocery Manufacturers Association Harris Bank Intel

International Dairy Foods Association Juniper Networks Kaiser Permanente KinderMorgan Land O'Lakes Madden & Patton LLC Mall of America Mesirow Financial Microsoft Motorola National Defense Industrial Association National Rural Electric Cooperative Association Nation Grain and Feed Association Northern Trust Bank Oracle Pacific Gas and Electric Company Qwest Communications Real Estate Roundtable Retail Industry Leadership Association Rx Response Sara Lee Sears Holdings Stanford Hospital SuperValu Target U.S. Travel Association United Airlines (UAL) United Health Group Walgreens Water ISAC Wells Fargo Xcel Energy

67

List of Acronyms

AMSCs Area Maritime Security Committees AMSPs Area Maritime Security Plans CBP Customs and Border Protection CFATS Chemical Facility Anti-Terrorism Standards CICC Criminal Intelligence Coordinating Council CIKR Critical Infrastructure and Key Resources CIKR ISE Critical Infrastructure Key Resources Information Sharing Environment CIPAC Critical Infrastructure Partnership Advisory Council COI Community of Interest CONOPS Concept of Operations CPLAP Cybersecurity Partner Local Access Plan CRCL Office for Civil Rights and Civil Liberties CRD Collection Requirements Division CS&C Office of Cybersecurity and Communications CUI Controlled Unclassified Information CVI Chemical-terrorism Vulnerability Information DHS U.S. Department of Homeland Security DoD U.S. Department of Defense DOJ U.S. Department of Justice DOS U.S. Department of State DSAC Domestic Security Alliance Council ECTFs Electronic Crimes Task Forces ESF Emergency Support Function FACA Federal Advisory Committee Act FAQ Frequently Asked Questions FCTFs Federal Crimes Task Forces FEMA Federal Emergency Management Agency FOUO For Official Use Only FPC FEMA Federal Preparedness Coordinator FPS Federal Protective Service FS-ISAC Financial Services—Information Sharing and Analysis Center FSLC Federal Senior Leadership Council FTE Full-time Equivalent FY Fiscal Year GCC Government Coordinating Council HQ Headquarters HSIC Homeland Security Information Center HSIN Homeland Security Information Network HSIN-CS Homeland Security Information Network—Critical Sectors HSIP-F Homeland Security Intelligence Priorities Framework I&A Office of Intelligence and Analysis IC Intelligence Community ICE Immigration and Customs Enforcement IP Office of Infrastructure Protection

68

IPT Integrated Project Team IS&C Information Sharing and Collaboration Branch ISA sub-IPC Information Sharing and Access Interagency Policy Committee ISCC Information Sharing Coordinating Council ISE Information Sharing Environment ISGB Information Sharing Governance Board MD Management Directive MOU Memorandum of Understanding MTSA Maritime Transportation Security Act of 2002 NCSD National Cyber Security Division NED FEMA National Exercise Division NEP National Exercise Program NFCA National Fusion Center Association NICC National Infrastructure Coordinating Center NIPP National Infrastructure Protection Plan NLEs National Level Exercises NMSAC National Maritime Security Advisory Committee NOC National Operations Center NPPD National Protection and Programs Directorate NRCC National Response Coordination Center NSI Nationwide SAR Initiative NSI PMO National SAR Initiative Program Management Office NSS National Security Strategy OCIO Office of the Chief Information Officer OCSO Office of the Chief Security Officer ODNI Office of the Director of National Intelligence OGC Office of the General Counsel OPA Office of Public Affairs OPIC Office of Preparedness Integration and Coordination OPS Office of Operations Coordination OSAC Overseas Security Advisory Council PCII Protected Critical Infrastructure Information PDO Program Decision Option PICCL Private Sector Incident Communications Conference Line POC Point of Contact POD Partnership Outreach Division PPAU Public/Private Alliance Unite PPPM Policy, Plans, and Performance Management Directorate PRIV Office of Privacy PSA Protective Security Advisor PSD Private Sector Division PSO Private Sector Office QHSR Quadrennial Homeland Security Review RCCC Regional Consortium Coordinating Council RMA Risk Management & Analysis S&T Science and Technology Directorate

69

SAR Suspicious Activity Report SCC Sector Coordinating Council SES Senior Executive Service SINs Standing Information Needs SLPO FEMA State and Local Program Office SLTT State, Local, Tribal, and Territorial SLTTGCC State, Local, Tribal, and Territorial Government Coordinating Council SOP Standard Operating Procedure SSA Sector-Specific Agency STRATCOM Strategic Communications SVTC Secure Video Teleconferencing TSA Transportation Security Administration USCG U.S. Coast Guard USCIS U.S. Citizenship and Immigration Services USG U.S. Government USSS United States Secret Service WG Working Group

Table of Contents Introduction .................................................................................................................................. 1

SAFE Port Act Sec. 201(b)(1): Roles, Responsibilities and Authorities ......................................... 2

SAFE Port Act Sec. 201(b)(5): Economic Analysis of Supply Chain Security Measures................. 8

SAFE Port Act Sec. 201(b)(6): Incentives and Voluntary Measures for the Private Sector ........14

SAFE Port Act Sec. 201(b)(7): Small‐ and Medium‐sized Entity Considerations..........................15

SAFE Port Act Sec. 201(b)(8): Information Sharing with Private‐Sector Stakeholders................16

SAFE Port Act Sec. 201(b)(9), 201(b)(10), and 202(d): Protocols for the Expeditious Resumption of Maritime Trade................................................................................21

SAFE Port Act Sec. 201(b)(11): Supply Chain Linkages with Terrorism Financing ......................25

SAFE Port Act Sec. 201(b)(12): Links with Existing Strategies .....................................................26

SAFE Port Act Sec. 201(c): Stakeholder Consultation..................................................................38

SAFE Port Act Sec. 201(f): International Standards and Practices..............................................40

Appendix A: List of Acronyms ................................................................................................... A‐1

i

Introduction In addition to establishing an approach to securing worldwide trade, the National Strategy for Global Supply Chain Security (the Strategy) also satisfies a number of statutory requirements mandated in the Security and Accountability for Every Port Act of 2006 (the SAFE Port Act, P.L. 109‐347, 120 Stat. 1884, October 13, 2006). The SAFE Port Act directs the Secretary of Homeland Security, in consultation with appropriate Federal, State, local, and tribal government agencies and private‐sector stakeholders, to develop a strategic plan to enhance the security of the global supply chain. Specifically, sections 201 and 202 identify a series of requirements to be addressed through the strategic plan. As described in the table below, these requirements informed the development of the Strategy and, in some instances, are also discussed in further detail in its supporting documents. Requirements not described specifically in the Strategy or elsewhere in its supporting documents are discussed further herein.

Security and Accountability for Every Port (SAFE Port) Act Section 201(b) Requirement

Fulfilling the SAFE Port Act Requirements

National Strategy for Global Supply Chain Security1

(1) describe the roles, responsibilities, and authorities of Federal, State, local, and tribal government agencies and private‐sector stakeholders that relate to the security of the movement of containers through the international supply chain;

(2) identify and address gaps and unnecessary overlaps in the roles, responsibilities, or authorities described in paragraph (1);

(3) identify and make recommendations regarding legislative, regulatory, and organizational changes necessary to improve coordination among the entities or to enhance the security of the international supply chain;

(4) provide measurable goals, including objectives, mechanisms, and a schedule, for furthering the security of commercial operations from point of origin to point of destination;

(5) build on available resources and consider costs and benefits;

(6) provide incentives for additional voluntary measures to enhance cargo security, as recommended by the Commissioner;

(7) consider the impact of supply chain security requirements on small‐ and medium‐sized companies;

(8) include a process for sharing intelligence and information with private‐sector stakeholders to assist in their security efforts;

(9) identify a framework for prudent and measured response in the event of a transportation security incident involving the international supply chain;

(10) provide protocols for the expeditious resumption of the flow of trade in accordance with section 202;

(11) consider the linkages between supply chain security and security programs within other systems of movement, including travel security and terrorism finance programs;

(12) expand upon and relate to existing strategies and plans, including the National Response Plan, the National Maritime Transportation Security Plan, the National Maritime Transportation Security Plan, the National Strategy for Maritime Security, and the 8 supporting plans of the Strategy, as required by Homeland Security Presidential Directive 13.

1 Inclusive of the National Strategy for Global Supply Chain Security and its supporting plans.

1

SAFE Port Act Sec. 201(b)(1): Roles, Responsibilities, and Authorities U.S. Federal Government Department of Agriculture

The Department of Agriculture (USDA), in coordination with the Department of Homeland Security (DHS) and the Department of Health and Human Services (HHS)/Food and Drug Administration (FDA), plays an important role in monitoring plant and animal health and the safety of imported food and agricultural

products. The USDA also coordinates with DHS and the Department of Commerce (DOC) to work with the Office of the U.S. Trade Representative (USTR) in administering U.S. trade agreements and monitoring trade compliance. USDA and HHS/FDA share Sector‐Specific Agency (SSA) lead for the Agriculture and Food Critical Infrastructure and Key Resources (CIKR) Sector. Department of Commerce

DOC, along with the Department of State (DOS) and the Department of Defense (DOD), contributes to trade compliance by enforcing export controls and ensuring treaty compliance. DOC is also charged with compiling information on commodityclassifications, tracking import and export statistics, and maintaining records of export regulations. In addition to these primary responsibilities, DOC works with

USTR in administering U.S. trade agreements and monitoring trade compliance. DOC is also charged with strengthening the competitiveness of U.S. businesses, ensuring fair trade and compliance with laws and agreements, and resolving trade complaints.

DOC and the Department of Energy (DOE) also support the Department of Transportation (DOT) and DHS in improving infrastructure capacity and improving security at ports of entry. During a system disruption, DOC can provide expertise in the management of cargo and trade issues, develop economic impact data and analysis, and provide awareness and monitoring of cargo subject to export controls for appropriate government agencies. Department of Defense

In response to large‐scale disruptions, the U.S. Army Corps of Engineers (USACE) conducts post‐event assessments of public works and infrastructure and provides emergency repairs. Additionally, at the direction of the President or the Secretary of Defense, DOD may provide Defense Support of Civil Authorities, in accordance with the National Response Framework (NRF) and consistent with the law, to

Federal, State, and local response and recovery activities. In addition, local military commanders and responsible officials of other DOD components are authorized to take necessary action in response to requests by civil authorities to save lives, prevent human

2

suffering, or mitigate large‐scale property damage. DOD is the SSA lead for the Defense Industrial Base CIKR Sector. Department of Energy

DOE plays an integral part in ensuring the security of the Nation, including activities in nonproliferation, countering terrorism, and responding to incidents involving weapons of mass destruction. DOE provides technology, analysis, and expertise to aid the U.S. Government in preventing the spread or use of weapons of mass destruction. In particular, DOE collaborates with DOD, DHS, and DOS to counter

nuclear and radiological threats both domestically and internationally. DOE collaborates with DHS in applying science and technology to achieve operational and technological improvements in aviation security. DOE also supports DOT and DHS in improving infrastructure capacity and security at ports of entry. DOE ensures the security, resiliency, and survivability of key energy assets and critical energy infrastructure at home and abroad. Working with DHS, the Federal Energy Regulatory Commission, and other national, regional, State, and local government and commercial organizations, DOE supports the national critical infrastructure protection program; analyzes infrastructure vulnerabilities and recommends preventive measures; helps other agencies prepare for and respond to energy emergencies and minimizes the consequences of an emergency; conducts emergency energy operations during a declared emergency or national security special event in accordance with the National Response Framework; and develops, implements, and maintains a national energy cyber security program. DOE is the SSA lead for the Energy CIKR Sector (less nuclear reactors, associated materials, and waste). Department of Homeland Security

In accordance with the Homeland Security Act of 2002 and Homeland Security Presidential Directives 7 and 14, DHS holds lead authority and primary responsibility for security activities across all transportation modes entering, leaving and within the U.S. and collaborates with DOT on all matters relating to transportation security and transportation security infrastructure. Additional DHS

law enforcement responsibilities within the United States include regulating and facilitating international trade, collecting import duties, and enforcing appropriate U.S. regulations. DHS is the primary agency responsible for assessing incoming and outbound air, land, and maritime cargo for compliance with relevant trade laws.

The Homeland Security Act of 2002 provides the basis for DHS’s responsibilities in protecting the Nation’s CIKR. Specific to global supply chain infrastructure and conveyances, DHS is responsible for inspecting and assessing the security of the Nation’s port facilities, assessing effectiveness of antiterrorism measures at foreign ports, and ensuring security of the surface transportation and commercial vehicle sectors (including rail and truck). DHS also ensures that

3

port facilities and airports develop and comply with appropriate security plans in concert with port authorities and law enforcement agencies. DHS is charged with ensuring that every U.S. port facility, airport, and border crossing develop appropriate credentialing and access control procedures. DHS is also responsible for the research, development, testing, and deployment of security technology countermeasures employed to protect the transportation system against terrorist threats. DHS supports improved transportation infrastructure development through the administration of grants aimed at improving security measures. DHS is responsible for developing the enhanced global nuclear detection architecture. This detection architecture is an integral part of supply chain security by detecting activities of interest related to illicit radiological and nuclear materials within the supply chain, and also acts outside the supply chain to prevent introduction of materials into the supply chain.

In response to a large‐scale disruption, DHS is broadly responsible for working with Federal officials within DOT and other departments, State, local, tribal and territorial (SLTT) officials, and the private sector to ensure that the global supply chain—to the greatest extent possible—is able to maintain or resume operations. DHS’s responsibilities involve participating in recovery planning, furnishing surge personnel to maintain cargo flow and help handle diversions, and leading trade resumption efforts.

Additionally, DHS also operates a number of trusted traveler programs, implements the Visa Waiver Program, and works with DOS regarding passports and visa requirements. DHS is the SSA lead for the following CIKR sectors: Chemical; Commercial Facilities; Critical Manufacturing; Dams; Emergency Services; Information Technology; Communications; and Nuclear Reactors, Materials, and Waste. In addition, DHS’s subordinate components are the SSA leads for CIKR in the following sectors: (Transportation Security Administration) Postal and Shipping, Aviation and Land Transportation Systems; (U.S. Coast Guard) Maritime Transportation System; (Immigration and Customs Enforcement and Federal Protective Service) Government Facilities (less Education Facilities). Department of the Interior

During the response to a transportation disruption, the Department of the Interior (DOI) serves as the lead trustee to protect natural resources and provides tribal nation liaisons. DOI is also the SSA charged with the protection of national monuments, icons, and associated critical infrastructure.

Department of Justice

The Department of Justice (DOJ), including the Federal Bureau of Investigation (FBI), acts to reduce terrorist threats and investigates and prosecutes actual or attempted attacks on, sabotage of, or disruptions to the global supply chain, or its illicit use to transport drugs and other controlled substances.

4

In the event of transportation disruption related to or caused by a terrorist act or a terrorist threat, DOJ:

• Through the FBI, pursuant to statutory authority and Presidential directions, is the lead Federal agency for investigations of terrorist acts or terrorist threats by individuals or groups inside the United States, or directed at U.S. citizens or institutions abroad, where such acts are within the Federal criminal jurisdiction of the United States, and will conduct and coordinate all Federal law enforcement and criminal investigation activities during a terrorist incident.

• Coordinates the activities of other members of the Federal law enforcement community to detect, prevent, preempt, and disrupt terrorist attacks against the United States.

• Consults with other Federal agencies with regard to the temporary easement of enforcement regulations to facilitate the reconstruction of critical infrastructure and resumption of commerce.

Department of State

The Department is the lead institution for the conduct of American diplomacy and promotes and protects the interests of American citizens abroad. DOS is responsible for coordinating trade diversions with foreign partners. DOS also collaborates with DOE and DHS to counter nuclear and radiological threats via U.S.‐bound maritime shipping containers, as well as addressing non‐container

threats to bulk cargoes. DOS, in collaboration with DHS, also develops visa and passport requirements. In the event of a supply chain disruption, DOS coordinates requests for, and offers of, transportation assistance from foreign governments; notifies foreign governments, as appropriate, of impacts on commerce; provides support to DHS Maritime and Cargo Security Programs; and provides awareness and monitoring of cargo subject to export control. Department of Transportation

DOT is broadly responsible for transportation infrastructure development and improvement. This includes supporting the construction of the Nation's ports, highways, rail lines, pipelines, and airports, as well as leading research and development for improved transportation safety. DOT collaborates with DHS on all matters related to transportation infrastructure protection and works with DHS in

the development and implementation of private‐sector safety and security training. DOT and DHS also work together to regulate the domestic transportation of hazardous materials across all modes of transportation. During a system disruption, DOT leads national assessment of damage to the Nation's aviation, rail, pipeline, transit, seaport, and multimodal transportation network infrastructure and identifies temporary alternative transportation solutions when systems or infrastructure are

5

damaged, unavailable, or overwhelmed. Additionally, DOT participates in the economic impact assessment of a transportation network disruption or incident and can coordinate actions and provide technical expertise and financial assistance for repair and restoration of transportation infrastructure and network operation. DOT also provides advice and assistance on the transportation of contaminated and hazardous materials. Department of the Treasury

Transport of cargo is only one portion of the entire global supply chain cycle. Lawful and illicit financial transactions associated with the movement of cargo represent another major portion. The Department of the Treasury is broadly responsible for maintaining a strong U.S. economy and strengthening national security by combating threats and protecting the integrity of the U.S. financial system. This includes safeguarding the financial system against illicit use and

combating the financial actions of rogue nations, terrorist facilitators, weapons of mass destruction (WMD) proliferators, money launderers, drug kingpins, and other national security threats. Treasury also represents U.S. interests on international economic and financial organizations including the Financial Action Task Force, an international policy‐making and standard‐setting body centralizing global efforts to combat money laundering and terrorist financing, and monitors and helps regulate the global financial system as a member of or advisor to more than 40 regional international organizations focused on anti‐money laundering and counter‐terrorist financing. Treasury is also the SSA lead for the Banking and Finance CIKR Sector. Office of the Director of National Intelligence

The Intelligence Community, under the Office of the Director of National Intelligence (ODNI), is responsible for collecting, analyzing, integrating, sharing and protecting vast quantities of information. ODNI is responsible for ensuring that national intelligence is provided to key decision makers through development and refinement of analytic products, such as assessments of the

diverse range of evolving, adaptive and asymmetric threats associated with the global supply chain. These analytic products iteratively feed threat‐vulnerability‐risk assessment processes and subsequent risk management approaches to global supply chain security.

State, Local, Tribal, and Territorial Governments Under the principles established by the National Incident Management System (NIMS), SLTT governments are responsible for incident management response and recovery efforts immediately after an incident. To manage their responsibilities, many of these government agencies currently have pre‐established emergency response plans in place. However, recovery plans, especially for maritime infrastructure recovery and restoration of cargo flow, are not as prevalent. Many States engage individual task forces to manage a myriad of disaster scenarios and response situations. Due to the fact that responsibilities, capabilities, and organizational

6

structures vary from agency to agency, it is difficult to establish specific functional responsibilities that are able to provide for recovery from a transportation disruption. In order to bring together CIKR protection experts from the private sector and all levels of government, the Department of Homeland Security established the State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC). The SLTTGCC functions as a forum for State, local, tribal, and territorial government representatives to engage with the Federal Government and the CIKR owners and operators within the Sector Partnership Framework of the National Infrastructure Protection Plan (NIPP) to achieve the homeland security mission of protecting the Nation's critical infrastructure. In addition to their roles in supporting response and recovery and CIKR protection, SLTT authorities play an important role in conducting law enforcement response within the global supply chain. In coordination with Federal departments and agencies, these jurisdictional bodies help protect the supply chain from being exploited or targeted by adversaries. Authorities Given its complex set of interlocking jurisdictions and authorities, the global supply chain is subject to a wide collection of laws and regulations at the Federal, State, local, tribal, and territorial levels. Similarly, response efforts involved with supply chain disruptions fall under the provisions of further authorities. The 2007 Strategy to Enhance International Supply Chain Security describes the primary laws that provide the Federal Government and its agencies with authority to regulate supply chain security and response to disruptions. In addition to those laws, recent legislative actions have affected roles and responsibilities for securing the global supply chain, including the following.

Implementing Recommendations of the 9/11 Commission Act of 2007 This act implements some of the recommendations of the 9/11 Commission, mandates 100 percent inspection of all air and sea cargo entering the United States, and provides a new method of redistributing antiterrorism funding.

Defense Production Act of 1950, as Amended by the Defense Production Reauthorization Act of 2003

This act provides the primary authority to ensure the timely availability of resources for national defense and civil emergency preparedness and response. Among other powers, the President is authorized to demand that companies accept and give priority to Government contracts that the President “deems necessary or appropriate to promote the national defense,” and allocate materials, services, and facilities, as necessary, to promote the national defense in a major national emergency. It authorizes loan guarantees, direct loans, direct

7

purchases, and purchase guarantees for those goods necessary for national defense. It also allows the President to void international mergers that would adversely affect national security. This act defines “national defense” to include critical infrastructure protection and restoration, as well as activities authorized by the emergency preparedness sections of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (Stafford Act), which was designed to bring an orderly and systemic means of Federal natural disaster assistance for SLTT governments in carrying out their responsibilities to aid citizens. Consequently, the authorities stemming from the Defense Production Act are available for activities and measures undertaken in preparation for, during, or following a natural disaster or accidental or malicious event. Under the act and related Presidential orders, the Secretary of Homeland Security has the authority to place and, upon application, authorize SLTT governments to execute priority‐rated contracts in support of Federal and SLTT emergency preparedness activities.

Post‐Katrina Emergency Management Reform Act of 2006 The Post‐Katrina Emergency Management Reform Act (PKEMRA) established new leadership positions and position requirements within the Federal Emergency Management Agency (FEMA), brought new missions into FEMA and restored some that had previously been removed, and enhanced the Agency’s authority by directing the FEMA Administrator to undertake a broad range of activities before and after disasters occur. PKEMRA contains provisions that set out new law, amended the Homeland Security Act, and modified the Stafford Act.

SAFE Port Act Sec. 201(b)(5): Economic Analysis of Supply Chain Security Measures Reductions in transport costs, advances in communications technologies, the liberalization of global capital markets, the competitive drive for firms to lower average costs by producing on a larger scale, and the breakdown of tariff and nontariff trade barriers have all contributed to the increasing economic importance of international trade both domestically and globally. Figure 1 shows the steady increase in global exports as a percentage of global production, with global exports growing from a little over 10 percent of global production in 1960 to nearly 30 percent of global production in 2007. Figure 2 shows similar trends at work in the U.S. economy. U.S. exports grew from just over $90 billion (2000USD), approximately 5 percent of U.S. gross domestic product (GDP), in 1960 to over $1.42 trillion (2000USD), about 12 percent of U.S. GDP, in 2007, while imports grew from 4 percent of GDP to 17 percent over the same time period.2 With increased trade, the world economies have become more interdependent, with multiple countries often involved sequentially in the production of a single good.

2 Figures 1 and 2 should not be compared against one another due to accounting differences between global exports and exports of a single country.

8

Figure 1. Global Exports as % of World GDP

0

10

20

30

1960 1970 1980 1990 2000

Figure 2. U.S. Trade as % of U.S. GDP

0

5

10

15

20

1960 1970 1980 1990 2000

Imports

Exports

Source: The World Bank Group: World dataBank, 2010

Because of this increase in international trade and economic integration, the security, efficiency, and resilience of the global supply chain have become more important to U.S. national security and economic prosperity. Policies designed to secure the supply chain can have significant economic costs and benefits. Although this paper does not attempt to quantify the costs and benefits of specific global supply chain security measures, it does describe categories of costs and benefits for policymakers to consider. Costs of the Security Measures The potential costs of supply chain security measures can be divided into three broad categories: 1) the direct physical costs, 2) direct costs of delay, and 3) indirect trade costs. The first two categories of direct costs can create nontariff trade barriers, which impose indirect costs by reducing trade or changing trading patterns.

9

Direct Physical Costs The direct physical costs of supply chain security measures can include:

• The installation and maintenance of scanning equipment. • Additional staffing requirements at port facilities. • Additional background checks and personnel training. • Updates to communication systems and other port infrastructure. • Physical protection for facilities, conveyances, and cargo (e.g., fences, tracking devices,

etc.). • Additional documentation and records requirements. • The reconfiguration of port operations and procedures. • Development and updating of security plans. • Possible negative impacts on health, safety, and the environment if shippers change

transport modes in response to security measures. • Redistribution of trade among ports due to security costs and constraints, which may

decrease the efficiency of trade and prove less cost effective. Some of these costs will come as direct government costs, such as scanning equipment, while others, such as additional staffing requirements, may also be borne by industry. The direct costs of security measures can be significant; however, relative to the total value of trade, the significance of the cost is unclear. For example, Bennett and Chin (2008) estimated the per container cost of 100 percent screening between $4 and $219 depending on assumptions.3 While the value of cargo in each container can vary greatly, it is possible costs are relatively minor compared to the value of goods inside each container. Costs cannot simply be written off, though, since not all of the direct costs are passed along to end‐customers. Entities involved directly in the transport of goods, such as port owners and operators, shippers, and importers and exporters, must still bear a portion of the burden of large upfront expenditures for equipment purchases or the redesign of operations and procedures. Costs of Time Delay Security requirements can cause delays in the shipment of goods. For instance, suppliers must fill out more paperwork and increase lead‐time, truckers are delayed by increased scanning, ports face capacity pressure and reduced throughput because of scanning and longer dwell times, carriers must deal with departure delays and containers missing their vessels, and importers confront depreciation of goods and tighter production constraints. In addition, delays can directly result in logistics issues between modes due to constrained transportation availability. For instance, domestic U.S. short seas shipping relies on the availability of smaller

3 Allison C. Bennett and Yi Zhuan Chin, “100 Percent Container Screening: Security Policy Implications for Global Supply Chains,” Massachusetts Institute of Technology, June 2008, p. 98‐104.

10

U.S.‐flag commercial freight or tank vessels, which may or may not be readily available. These delay costs, in addition to the increased uncertainty regarding shipping times, can prove very disruptive for businesses. There are two categories of time costs when shipments of goods are delayed. The first is pipeline inventory costs—the interest costs on the value of goods in transit. Delays and variability in transit time can also cause firms to hold a larger safety stock to avoid production stoppages or lost sales due to stock outs. Larger safety stocks increase interest and storage costs for firms. The second is depreciation—the rate at which goods lose value with time. Depreciation rates vary across categories of goods. Some agricultural goods may depreciate 100 percent in a very short period of time due to spoilage. Fresh seafood, usually shipped by air, loses its value very rapidly as well. The cost of production stoppages due to delays in the arrival of component parts or raw materials can exceed the value of the intermediate goods themselves, implying a deprecation rate greater than 100 percent.4 The increased probability of damage or theft during a longer transit time also contributes to depreciation, along with drops in market prices while goods are delayed. Hummels (2001) was able to estimate the value of changes in transit time by using data on the choice of firms to ship by air or by sea. The increased rates for air shipment reflect the willingness of firms to pay for reductions in transit time. Using this approach, Hummels estimated that an additional day’s transit time imposes a cost equal to about 0.8 percent of the good’s value for machinery and miscellaneous manufactured goods. This estimate is commonly used as in input into models used to estimate the trade effects of delays. Indirect Trade Costs The direct physical costs and delays associated with supply chain security measures can translate to increased transportation costs, which constitute a nontariff trade barrier. In fact, Hummels et al. (2007) found that reported time delays in the movement of international cargo frequently have a more significant effect on trade than tariffs.5 In addition, Martínez‐Zarzoso (2009) estimated that a 1 percent increase in transportation costs could decrease trade by 0.85 and 3.4 percent.6

These indirect effects are not distributed equally among goods and countries. Djankov et al. (2006) concluded that, on average, each additional day that a product is delayed prior to being shipped reduces trade by at least 1 percent; however, a day’s delay reduces a country’s relative

4 David Hummels, “Time as a Trade Barrier,” Purdue University, July 2001, accessed at: <http://www.krannert.purdue.edu/faculty/hummelsd/research/time3b.pdf> 5 Peter J. Minor, “Time as a Barrier to Trade: A GTAP Database of ad valorem Trade Time Costs,” Purdue University, 2010, accessed at: <https://www.gtap.agecon.purdue.edu/resources/download/4784.pdf> 6 Inmaculada Martínez‐Zarzoso, “On Transport Costs and Sectoral Trade: Further Evidence for Latin‐American Imports from the European Union,” The EU and Emerging Markets, Springer Vienna: 2009, p. 111‐131.

11

exports of time‐sensitive agricultural goods by 6 percent on average.7 Further, poorer nations are disproportionately hurt by time delays and additional documentation needs. Minor and Tsigas (2008) estimated that the impact of a 50 percent reduction in total time to export a commodity from sub‐Saharan Africa would increase GDP in that nation by 2.2 percent, and in South Asian and Central Asian nations GDP would increase by approximately 4 percent.8 This implies that, conversely, delays in time for exports to reach their final destinations would result in GDP reductions for those exporting countries. Additionally, many of these nations do not have the capacity or resources to make the changes required to comply with certain regulations. Potential impacts of increased transportation costs aside, it is not a foregone conclusion that supply chain security initiatives increase transportation costs. Signoret (2009) found, using econometric analysis, no significant evidence through 2006 that the Container Security Initiative impacted trade flows or import costs.9 As implementation levels of security measures change, this conclusion may change. Benefits of Supply Chain Security Measures Although global supply chain security measures can create a variety of costs, they can also provide benefits. There are three main categories of benefits: 1) mitigation of risk, 2) improved efficiency, and 3) protection of intellectual property. Risk Mitigation Benefits Risk is defined as the potential for an adverse outcome, characterized by its likelihood and consequences. The primary benefits of increasing the security and resilience of the global supply chain are reductions in the risks associated with all‐hazards threats, including terrorism and natural disasters. Security measures reduce terrorism risk primarily by decreasing the probability or frequency of successful attacks, while policies that foster resilience reduce risk by lessening the consequences of an adverse event. The probability of a successful attack is commonly defined as threat (the probability of an attack attempt) multiplied by vulnerability (the probability that an attack, once attempted, will be successful). Security measures can reduce risk by reducing vulnerability directly. Due to the adaptive nature of our terrorist adversaries, reductions in vulnerability or consequences can also affect threat probabilities. For instance, a security measure that reduces the vulnerability of a target in the global supply chain can lead to deterrence (if the potential attacker is

7 Djankov, Simeon and Caroline Freund, and Cong S. Pham, “Trading on Time,” World Bank Policy Research Paper 3909, May 2006. 8 Peter Minor and Marinow Tsigas, “Impacts of Better Trade Facilitation in Developing Countries,” submitted to GTAP 11th Annual Conference, 7 May 2008, accessed at: <https://www.gtap.agecon.purdue.edu/resources/download/4036.pdf> 9 Jose E. Signoret, “On Cargo Security Measures and Trade Costs,” U.S. International Trade Commission, October 2009, accessed at: <http://www.usitc.gov/publications/332/working_papers/EC200910D.pdf> (15 July 2010)

12

discouraged from conducting any attacks at all) or to threat‐shifting (if the attacker simply switches targets or tactics). Deterrence reduces overall risk, while threat‐shifting implies that a reduction of risk of one type of attack scenario may be partially offset by an increase in the risk of another. As a practical matter, deterrence and threat‐shifting make it extremely difficult to quantify the benefits of individual homeland security measures. However, these effects can be significant. Because deterrence and threat‐shifting depend, in part, on the relative attractiveness of different attacker options, the benefits of any security measure against a specific target or tactic should be evaluated within the context of an overall global supply chain security strategy. Because of the economic importance of the global supply chain, the consequences of disruption can be significant and extend far beyond the direct target. For example, researchers at the National Center for Risk and Economic Analysis of Terrorism Events (CREATE) simulated a radiological bomb attack on the ports of Long Beach and Los Angeles, CA. The analysis estimated that should there be bridge damage, the ports would be closed for at least 120 days, resulting in $34 billion in lost output, 212,165 person‐years of employment lost, and $648 million in travel delay costs. Two‐thirds of trade flow interruptions were expected to be felt outside of Southern California.10 In traditional cost‐benefit analysis, economists estimate the benefits of risk mitigation measures by using these kinds of probability and consequence estimates to calculate the expected value of losses averted. If the costs of the risk mitigation measure exceed the expected value of losses averted, the policy does not pass the cost‐benefit test. However, the expected value approach to cost‐benefit analysis is inadequate for the purposes of evaluating supply chain security and resilience because of the potentially catastrophic scale of some of the events, such as detonation of a nuclear device in the United States, that supply chain security is intended to prevent. In the case of truly catastrophic events, supply chain security and resilience are analogous to insurance policies. Households are willing to pay more than the expected value of losses for a homeowner’s insurance policy to avoid economic calamity in the event that their home is destroyed. In the same way, it is worth investing more than the expected value of losses in supply chain security in order to avoid or mitigate catastrophic events. Incurring regular incremental security costs reduces the likelihood of sudden catastrophe. Improved Supply Chain Efficiency Supply chain security measures can produce trade benefits due to increased standardization, greater predictability, and improved coordination. These benefits include protection against counterfeiting and theft, reduced insurance and inventory carrying costs, and improved visibility and predictability in the supply chain. A 2007 survey commissioned by U.S. Customs

10 Peter Gordon, James Moore, Harry Richardson, and Qisheng Pan, “The Economic Impact of a Terrorist Attack on the Twin Ports of Los Angeles‐Long Beach,” CREATE University of Southern California, accessed at: http://create.usc.edu/assets/pdf/51876.pdf

13

and Border Protection (CBP) and carried out by University of Virginia researchers assessed the benefits of the Customs‐Trade Partnership Against Terrorism (C‐TPAT). In the survey, 24.4 percent of businesses reported that C‐TPAT increased the predictability of moving goods and 28.9 percent of importers reported that participation decreased disruptions in their supply chains.11 The greater efficiency that accompanies improved predictability can provide major cost savings for businesses. Intellectual Property Protection Securing the global supply chain contributes to the protection of intellectual property rights, which, as stated by the 2010 Joint Strategic Plan on Intellectual Property Enforcement, is essential to support national and economic security, uphold the U.S. Constitution, grow the U.S. economy, promote U.S. innovation, and protect consumer trust and safety. The missions of DHS components such as CBP, Immigration and Customs Enforcement, and the U.S. Secret Service to protect against both security threats and counterfeiting, for instance, are tightly woven. Enhancing protection for one purpose likely has auxiliary benefits for other missions as well. The National Strategy for Global Supply Chain Security will produce several positive outcomes for the Nation’s security; some of those positive outcomes will include stemming intellectual property theft and protecting intellectual property in general.

SAFE Port Act Sec. 201(b)(6): Incentives and Voluntary Measures for the Private Sector Incentives that the government can provide for participation in programs aimed at promoting support of secure flow strategic elements, such as instituting security or resilience measures, span a range of options. The options might include:

• Direct financial incentives such as grants, tax credits and/ or reduced fees. • Expedited pathways to minimize time in transit. • Expedited information processing. • Facilitated customs processes. • Reduced paperwork or evaluation burden. • Education and training. • Effectiveness testing of measures.

As programs or methods are considered and adopted to accomplish the Strategy goals, the benefits of applying appropriate incentives will be considered. The U.S. Government has a number of incentives programs already in place. Part of this additional effort will focus on determining the effectiveness of existing incentives in reaching the expected outcome,

11 Abdoulaye Diop, Ph.D., David Hartman, Ph.D., Customs‐Trade Partnership Against Terrorism Cost/Benefit Survey Report of Results, Weldon Cooper Center for Public Service, University of Virginia, August 2007, p. 46‐47.

14

15

assessing how existing incentives could be adapted or modified to increase their effectiveness, and/or what new incentives should be developed and employed. The application of incentives will be tied to the priority established for implementation of various secure flow measures and also to the expected effectiveness of the specific incentive type in encouraging participation of stakeholders where other benefits are not readily apparent. The Cross‐Sector Supply Chain Working Group (CSSCWG), under the Critical Infrastructure Partnership Advisory Council framework, is obtaining external stakeholder review of the Strategy. The Federal Government asked the CSSCWG to identify business incentives that will increase the security and resiliency of the global supply chain. The recommendations of the CSSCWG will be reviewed by the Government in the drafting of the National Action Plan.

SAFE Port Act Sec. 201(b)(7): Small‐ and Medium‐sized Entity Considerations Small businesses, according to the U.S. Small Business Administration, made up 97.5 percent of all identified U.S. exporters and produced 31 percent of the known export value in FY 2008.12 They also rely heavily on imports to support their businesses. As fundamental players in the economy, small businesses have a crucial interest in global supply chain security, no matter where along the supply chain they might fall. In addition, security measures can provide operational benefits for small business. On the other hand, it is also possible that small businesses face a disproportionate cost burden related to regulatory compliance. Therefore, the impact of supply chain security regulations on small business deserves special attention. The Regulatory Flexibility Act of 1980 (Regulatory Flexibility Act, P.L. 96‐354, 5 U.S.C. 601, September 19, 1980), as amended by the Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA), Small Business Regulatory Fairness Act, P.L. 104‐121, 110 Stat. 850, March 29, 1996) and Executive Order 13272, entitled “Proper Consideration of Small Entities in Agency Rulemaking,” require agencies to consider the potential impact of regulations on small businesses, small government jurisdictions, and small organizations during the development of their rules. Due to the high percentage of small entities involved in the supply chain, it is very likely that a substantial number of small businesses will be affected by supply chain security measures. However, the diversity of programs and regulations and the lack of specific data regarding shipping volumes for different sized entities make it difficult to estimate the overall cost to small entities of supply chain security measures. Nevertheless, supply chain security requires full participation. In the Final Regulatory Flexibility Analysis for Importer Security Filing and Other Carrier Requirements, CBP states, “Given the prevalence of small entities conducting importing activities and the need for all entities to participate for the rule to be effective, CBP is not exempting small entities from the regulation.”

12 U.S. Small Business Administration, FAQs, Advocacy Small Business Statistics and Research, <http://web.sba.gov/faqs/faqindex.cfm?areaID=24>, accessed December 2, 2010.

Although the level of the costs cannot be estimated and security needs prohibit small entity exemption from regulation, steps can be taken to lessen the burden on the many small businesses inevitably affected. For example, CBP phased in its 24‐hour advance manifest regulations over 90 days in order to reduce the cost of compliance to businesses. In addition, favoring variable costs for compliance over large upfront fixed costs places less of an unfair burden on small businesses. Overall, policy should consider whether scale will put small and medium entities at a disadvantage in complying with supply chain security requirements.

SAFE Port Act Sec. 201(b)(8): Information Sharing with Private‐Sector Stakeholders As with many homeland security efforts, there are multiple overlapping venues by which the U.S. Government endeavors to share homeland security‐related information with the private sector. The Intelligence Reform and Terrorism Prevention Act (IRTPA, Intelligence Reform Act, P.L. 108‐458, 118 Stat. 3638, December 17, 2004) established the Program Manager Office for the Information Sharing Environment (ISE) and an interagency Information Sharing Council (ISC) to improve terrorism information sharing across the homeland security and intelligence communities. The Obama Administration has since integrated the ISC into the White House policy process through the Information Sharing and Access Interagency Policy Committee, which the Program Manager for the ISE co‐chairs. As a result, the ISC’s efforts fall under the Executive Office of the President.13 The National Strategy for Information Sharing recognizes the importance of private‐sector involvement in the ISE, particularly critical infrastructure owners and operators. In accordance with the National Infrastructure Protection Plan (NIPP)14, the ISE has integrated such private‐sector security partners into the intelligence cycle and National Common Operating Picture. In 2007, the Program Manager for the ISE, working with DHS and other stakeholders, integrated DHS’s critical infrastructure and key resources (CIKR) information sharing approach into the national ISE. The resulting “CIKR ISE” provides a unifying, integrated framework for stakeholders from all levels of government and critical infrastructure owners and operators to communicate, coordinate, and collaborate through the efficient exchange of timely and useful information pertinent to their shared mission of protection and resilience.15 Other mission areas inside and outside of DHS relevant to global supply chain security have established information sharing and communication mechanisms with private‐sector entities beyond the critical infrastructure owners and operators to achieve their missions.

13 http://www.ise.gov/pages/vision.aspx 14 http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf 15 http://www.ise.gov/sharingprivatesector.aspx

16

http://www.ise.gov/pages/vision.aspx

http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf

http://www.ise.gov/sharingprivatesector.aspx

In addition to the private‐sector CIKR‐focused initiatives, other efforts are underway to engage the private sector at large, such as through the DHS Private Sector Office, Area Maritime Security Committees (AMSCs), and State and major urban area fusion centers. This Strategy supports these existing efforts for sharing strategic and tactical intelligence and information with the private sector.16 The Strategy also relies on the National Response Framework’s CIKR Support Annex and Private‐Sector Coordination Support Annex to coordinate with and communicate to the private sector during an incident.17 Communication venues include the Sector Coordinating Councils (SCCs), Government Coordinating Councils (GCCs), Sector‐Specific Agencies (SSAs), National Infrastructure Coordinating Center (NICC), sector‐level Information Sharing and Analysis Centers (commonly referred to as ISACs), DHS Protective Security Advisors (PSAs), DHS’s Homeland Infrastructure Threat and Risk Analysis Center, the Federal Bureau of Investigation (FBI)’s InfraGard, AMSCs, and State and major urban area fusion centers, to name a few. The NIPP Network Model for Information Sharing Implemented by the Office of Infrastructure Protection (DHS/IP), DHS utilizes the information and sharing component of the NIPP to partner with the private sector. To accomplish this, DHS/IP has deployed 93 Regional Directors and PSAs to 74 districts in all 50 States and one territory to serve as on‐site critical infrastructure and vulnerability assessment specialists supporting State, local, tribal, and territorial (SLTT) governments efforts, and to facilitate partnership and information sharing between DHS/IP and SLTT and private‐sector partners. The NIPP defines a process for sharing with the private sector as part of a networked approach to information sharing that includes Federal agencies, State and local government, and DHS. The CIKR ISE Framework, in a paper transmitted to the ISE Program Manager, reflects the implementation of this model. This network model includes the following private‐sector component:

16 These efforts assume the need‐to‐know threshold has been met. Government at all levels has multiple channels for delivering information to the public, including the private sector, which is a very large and diverse segment of our society. The difficulty is communicating useful information to the private sector in a timely fashion. This is further complicated by the level of security attached to that information. Relevant security information falls into three primary categories: unclassified, sensitive but unclassified (SBU) [transitioning to controlled unclassified information (CUI) per Executive Order 13556], and classified. The rule for targeting recipients of SBU/CUI‐level information is the “need to know.” Government has to be able to justify and validate the “need to know” for transmitting SBU/CUI information to a third party and be assured that the recipients will manage that information appropriately. A similar rule exists for classified information, with additional requirements for validating qualifications of the recipient. The “need to know” identification and validation requirements are built into the mission policies and authorities for government entities with responsibility for handling sensitive information. Sharing of SBU/CUI and classified information is driven and justified by mission relevance, so information sharing processes are framed and authorized by individual mission authorities. Such mission components generally have well established structures, means, and methods for delivering these types of information to recipients they have identified as relevant to their mission. 17 http://www.fema.gov/pdf/emergency/nrf/nrf‐support‐private.pdf

17

4.2.6 Private Sector Node

The Private Sector Node includes CIKR owners and operators, SCCs, Sector‐recognized ISACs, and trade associations [which represent CIKR owners and operators] that provide incident information, as well as reports of suspicious activity that may indicate actual or potential criminal intent or terrorist activity. DHS, in return, provides all‐hazards warning products, recommended protective measures, and alert notification to a variety of industry coordination and information‐sharing mechanisms, as well as directly to affected CIKR owners and operators [through various mechanisms such as Homeland Security Information Network–Critical Sectors]. The NIPP network approach connects and augments existing information‐sharing mechanisms, where appropriate, to reach the widest possible population of CIKR owners and operators and other partners. Owners and operators need accurate and timely incident and threat‐related information in order to effectively: manage risk; enable post‐event response and recovery; and make decisions regarding protection strategies, partnerships, mitigation plans, security measures, and investments for addressing risk. HSPD‐7 and the NIPP recognize that CIKR sectors have diverse approaches to establishing their own sectors’ information‐sharing programs that will most effectively and efficiently meet the requirements of their industry structures, operating cultures, and regulatory regimes. Each sector has the ability to implement a tailored information‐sharing solution that may include: privately owned and operated ISACs; voluntary standards development organizations; or other mechanisms, such as trade associations, security organizations, and industry‐wide or corporate operations centers, working in concert to expand the flow of knowledge exchange to all infrastructure owners and operators. ISACs provide an example of a private sector information‐sharing and analysis mechanism. Originally recommended by Presidential Decision Directive 63 (PDD‐63) in 1998, ISACs are private sector‐specific entities that advance physical and cyber CIKR protection by establishing and maintaining collaborative frameworks for operational interaction between and among members and external partners. ISACs, when identified by the sector’s SCC, typically serve as the tactical and operational arms for sector information‐sharing efforts.

State and Major Urban Area Fusion Centers

State and major urban fusion centers serve as focal points within the State and local environment for the receipt, analysis, gathering, and sharing of threat‐related information between the Federal Government and State, local, tribal, territorial (SLTT), and private‐sector partners. These centers are uniquely situated to empower front‐line law enforcement, public

18

safety, fire service, emergency response, public health, CIKR partner, and private‐sector security personnel to understand local implications of national intelligence, thus enabling local officials to better protect their communities. Fusion centers provide interdisciplinary expertise and situational awareness to inform decision‐making at all levels of government. They conduct analysis and facilitate information sharing while assisting law enforcement and homeland security partners in preventing, protecting against, and responding to crime and terrorism. The Critical Infrastructure and Key Resources Appendix to the Baseline Capabilities for State and Major Urban Area Fusion Centers provides guidance for those fusion centers that have chosen to support Critical Infrastructure Protection (CIP) activities,18 and the NIPP also identifies the State and major urban area fusion centers as a key mechanism for information exchange at the local and regional levels with CIKR partners. Sector‐Specific Agencies and Government Coordinating Councils Homeland Security Presidential Directive 7 (HSPD‐7)19 encourages DHS and SSAs to collaborate with appropriate private‐sector entities in the development of information sharing mechanisms and to support both strategic and operational activities as follows:

In accordance with applicable laws or regulations, the Department and the Sector‐Specific Agencies will collaborate with appropriate private sector entities and continue to encourage the development of information sharing and analysis mechanisms. Additionally, the Department and Sector‐Specific Agencies shall collaborate with the private sector and continue to support sector‐coordinating mechanisms [through the GCCs]:

a. to identify, prioritize, and coordinate the protection of critical infrastructure and key resources; and

b. to facilitate sharing of information about physical and cyber threats, vulnerabilities, incidents, potential protective measures, and best practices.

Accordingly, the SSAs provide an avenue available to the private sector for reaching the Federal Government (in the GCCs) to share information. GCC membership is often composed of representation from both Federal agencies and State and local agencies relevant to the security and public safety issues of the sector. Regional Consortium Coordinating Council The Regional Consortium Coordinating Council brings together representatives of regional partnerships, groupings, and governance bodies to enable CIKR protection coordination among CIKR partners within and across geographical areas and sectors.

18 http://www.it.ojp.gov/docdownloader.aspx?ddid=1136 19 http://www.dhs.gov/xabout/laws/gc_1214597989952.shtm#1

19

Other Mission‐Specific Mechanisms The private‐sector stakeholders may also participate in specialized efforts to meet their needs in specific regions, modalities, or industries. For instance, when conducting recovery operations, Area Maritime Security Committees are the primary means for communicating with local authorities and the private sector and are augmented at the national level by the NICC. Additionally, Section IV of the National Maritime Transportation Security Plan (NMTSP) describes how and when the Federal Government will share intelligence with local, regional, and national‐level partners following large‐scale incidents Information Sharing Platforms Several platforms exist for sharing information with the private sector, such as the Homeland Security Information Network and the U.S. Coast Guard’s Homeport. Both are Web sites that allow the public and private sectors to share sensitive information between each other in an appropriate manner. InfraGard InfraGard is a partnership among the FBI, other governmental entities, and the private sector. The InfraGard National Membership Alliance is an association of businesses, academic institutions, State and local law enforcement agencies, and other participants that enables the sharing of knowledge, expertise, information, and intelligence related to the protection of U.S. CIKR from physical and cyber threats.20

Overseas Security Advisory Council The Overseas Security Advisory Council (OSAC) is an information sharing collaboration between over 6,000 private‐sector companies with international business operations and the Department of State (DOS). OSAC members share information among themselves about security incidents within the jurisdictions they operate, and with DOS. DOS provides a team of intelligence analysts who analyze information available through the intelligence community relevant to companies operating overseas and provide unclassified sensitive products back on a daily basis. Domestic Security Alliance Council The Domestic Security Alliance Council (DSAC) was originally established by the FBI (and co‐chaired with DHS) to provide a strategic partnership between the U.S. Government and the U.S.

20 http://www.dhs.gov/xlibrary/assets/NIPP_Plan.pdf, page 62

20

private sector in order to enhance communication and to promote the timely and effective exchange of domestic security information. Area Maritime Security Committees AMSCs were established under the Maritime Transportation Security Act of 2002 (Maritime Transportation Security Act, P.L. 107‐295, 116 Stat. 2064, November 25, 2002). Each AMSC acts under the direction of the USCG Captain of the Port (COTP)—serving as Federal Maritime Security Coordinator—and assists in the development, review, and updating of the Area Maritime Security Plan for the COTP’s area of responsibility. The AMSC's principal duty is to help the COTP assess security risks to the port and determine appropriate risk mitigation strategies. AMSCs also act as a link in communicating security threats and changes in Maritime Security levels within the port. AMSC members may include: U.S. Coast Guard (USCG); Federal, State, and local law enforcement; emergency response; port managers; labor representatives; etc. There must be at least seven members of the Committee. At least seven of the total number of members must each have 5 years or more experience related to maritime or port security operations. AMSC members may be required to have access to sensitive security information (SSI) or secret‐level national security information. In these cases, the appropriate background/clearance/administrative procedures are followed.

SAFE Port Act Secs. 201(b)(9), 201(b)(10), and 202(d): Protocols for the Expeditious Resumption of Maritime Trade Maritime trade resumption or continuity specifically addresses the activities related to coordinating and facilitating the movement of goods and people to, through, and away from U.S. ports of entry and departure following an incident that significantly disrupts the transportation system or that poses the potential to do so. Trade resumption may involve efforts to maintain or enhance cargo movement at ports that have not been impacted by the event. It may also involve efforts to assist the private sector in identifying and implementing mitigation plans and to establish processing priorities consistent with capabilities. Maritime trade resumption activities or support may be conducted in parallel with incident response and continue through recovery. Purpose/Goals The United States requires a national strategic framework for coordinating the continuation or resumption of the flow of goods and people following an event that significantly disrupts their movement to, through, and away from our maritime borders and ports. Such a framework must provide for the synchronization between the public and private sectors, government agencies and departments, and as needed with international trading partners.

21

These protocols describe a set of national‐level processes by which Federal departments and agencies will:

• Engage in intergovernmental coordination and joint Government/private sector dialogues to identify and act on important issues to expedite maritime trade resumption or maintain the continuity of commerce.

• Collect, fuse, and disseminate the information necessary to understand the status of the national transportation system and facilitate decision‐making.

• Provide senior‐level decisionmakers with recommendations for national‐level priorities for recovery of the maritime transportation system and resumption/continuity of trade, taking into consideration local and regional supply chain issues and needs.

The protocols for the rapid resumption of trade in the maritime environment are found in the Maritime Infrastructure Recovery Plan (MIRP), a subordinate plan to the National Strategy for Maritime Security. Scope Because no single Government agency or private‐sector entity possesses the responsibility, the resources required, the statutory or regulatory authority, or the awareness needed to independently manage the maritime transportation system following a large‐scale disruption, these protocols establish processes for collaborative trade resumption efforts. The maritime transportation system is vulnerable to events or other circumstances that can significantly affect domestic and foreign trade. Actual or potential events encompass all hazards such as natural disasters, security incidents, pandemics, and other major disruptive events. Field‐level efforts will be managed by appropriate operational authorities and their respective chains of command. If a conflict arises in the assignment of resources, or there are competing priorities at the local and regional levels, senior‐level decisionmakers may resolve Federal resource assignments and align priorities. Incidents requiring coordinated maritime trade resumption may or may not involve a Presidential declaration of an emergency or a declaration of a major disaster, invoking the Robert T. Stafford Disaster Relief and Emergency Assistance Act (the Stafford Act, P.L. 93‐288, as amended) and may be of local, regional, or national scope. Similarly, the area requiring trade resumption or continuity management may extend beyond the region immediately impacted by an incident. Guiding Principles The guiding principles related to the resumption of maritime trade are:

22

• Each agency will exercise its unique authorities and fulfill its responsibilities using its own organizational structures, procedures, and chains of command, while coordinating decisions and activities with appropriate Federal, State, and local organizations and private stakeholders.

• Each agency will facilitate the optimum balance between the Nation’s security and the free flow of goods and people.

• Each agency will seek to avoid unnecessarily constraining cargo flow or unduly impacting normal commercial processes.

• Information will be safeguarded as appropriate. • The international exchange of information will be in accordance with Government‐to‐

Government information sharing arrangements. • Response and recovery may be conducted simultaneously and in accordance with the

National Response Framework (NRF), the National Incident Management System (NIMS), the MIRP, and other pertinent national structures.

• Unity of effort is essential to effectively respond to a large‐scale supply chain disruption of extended duration.

Roles and Responsibilities Section 202 of the SAFE Port Act requires that the Secretary of Homeland Security identify the appropriate initial Federal incident commander for maritime transportation system disruptions. Under current statutory authorities (see the Federal Strategic Plan to Implement the Global Supply Chain Security Strategy, page 30), unless otherwise directed:

• The Secretary of Homeland Security is the Principal Federal Official for domestic incident management and for coordinating Federal operations within the United States to prevent, prepare for, respond to, and recover from terrorist attacks, major disasters, and other emergencies.

• The FBI is the initial Incident Commander for criminal investigations involving terrorist incidents, with other agencies providing support for response and recovery activities.

• The USCG COTP is the initial Incident Commander for incidents affecting the navigable waterways (including inland waterways21 consistent with agreement with the U.S. Environmental Protection Agency (EPA)), territorial waters, contiguous zone, and Exclusive Economic Zone.

• For incidents on Department of Defense (DOD) installations, the installation commander is the initial Incident Commander.

• For incidents on Department of Energy installations, the installation commander is the initial Incident Commander.

• The U.S. EPA is the initial Incident Commander for environmental response incidents affecting the inland zone,20 inland navigable waterways (consistent with agreement with the USCG), and all other inland waterways.

21 “Inland waters” and the “inland zone” definitions are found in Title 40 Code of Federal Regulations Part 300, Section 5, the National Oil and Hazardous Substances Contingency Plan.

23

• The Federal Emergency Management Agency is the initial Incident Commander for areas other than specified above, subject to a Presidential declaration of an emergency, or a declaration of a major disaster, invoking the Stafford Act.

When multiple authorities are involved in a response or recovery effort, a unified command structure, comprised of officials who have jurisdictional authority or functional responsibility for the incident under an appropriate law, ordinance, or agreement, may be established by the Secretary of Homeland Security in coordination with affected departments. Trade Resumption Protocols In keeping with the precepts of NIMS, incidents will initially be addressed at the local level with broader management structures growing to meet event conditions. Stakeholders at multiple levels will implement business continuity and trade resumption plans autonomously, and in many cases this will be sufficient to address the movement of goods and people. The MIRP sets forth the procedures and protocols for these actions. Once a determination is made by either the President or the Secretary of Homeland Security or their duly designated representatives that there has been, or could be, a large‐scale maritime transportation system disruption of extended duration, a decision will be made whether to initiate these protocols in whole or in part. As appropriate, this decision will be made through consultation between Federal organizations with trade resumption and business continuity missions and may necessitate consultation with the Secretaries of other cabinet agencies or their duly designated representatives. Considerations for triggering this high‐level consultation for trade passing through the maritime mode include, but are not limited to, a recommendation for protocol initiation from the Commandant, USCG; the Commissioner, CBP; an SSA; or a DOD notification through the NICC that priority treatment is needed for a specific supply chain or cargo category, or exceptionally high levels of national economic risk exist. Factors that could result in this consultative process may include:

• The duly designated Incident Commander provides an assessment that a large scale disruption of the supply chain exists that requires, or could require, the identification of national priorities and U.S. agency response action is or could be imminent.

• One or more of the Federal departments or agencies responsible for regulation of the movement of goods and people through the port system requests that the consultative process be activated.

• One or more Federal departments or agencies determine that the actual or potential disruption could have a large scale adverse effect on the national economy.

• DOS concludes that the large‐scale supply chain disruption poses the potential to adversely affect the foreign affairs of the United States.

24

The MIRP provides for a response that is flexible and properly scalable to the nature of the incident. Training and Exercises The U.S. Government departments and agencies involved in trade recovery activities are responsible for training their personnel and exercising trade recovery processes. Such training and exercise programs should be incorporated into existing training regimes, be collaborative in nature, and involve the private sector. International trade resumption protocols shall be considered in appropriate exercises under the National Exercise Program.

SAFE Port Act Sec. 201(b)(11): Supply Chain Linkages with Terrorism Financing In addition to being potential targets and vectors for attack, supply chains also have the potential to be misused for the financing of terrorist and criminal organizations. According to the Financial Action Task Force, an intergovernmental body whose purpose is the development and promotion of national and international standards to combat money laundering and terrorist financing, there are three main methods by which terrorist financiers and criminals move money for the purposes of concealing the identity, source, or destination of funds:

• The first involves movement through financial systems using checks and wire transfers. • The second involves the physical movement of bank notes via couriers and bulk cash

smuggling. • The third involves the use of false documentation and declaration of traded goods and

services.

Each of these methods can involve the movement of large values, at a domestic or international level. Of primary concern to supply chain security is the third methodology. Trade‐Based Money Laundering Trade‐based money laundering (TBML) refers to the practice of moving value through trade transactions in order to disguise and transfer the proceeds of crime. TBML schemes include under‐ and over‐invoicing, phantom shipments, and other schemes to falsify the value of a shipment in order to transfer value from one jurisdiction to another. However, TBML can also involve the transfer of illicit cash, use of illicit cash to purchase and ship goods, currency exchange, and front companies, all of which are directly related to the security of the global supply chain.

25

TBML is a concept best represented by the Black Market Peso Exchange (BMPE). In the traditional example of this complex form of money laundering, drug traffickers in the United States sell their illicit dollars to a money exchanger who in turn sells the currency to Colombian businesses that need it to pay for U.S. exports. The Colombian merchants exchange pesos for U.S. drug dollars, with the drug traffickers receiving the pesos in Colombia through the money exchanger. The money exchanger takes responsibility for getting the drug cash into the U.S. financial system and using it to pay for U.S. goods on behalf of the Colombian merchants. This method of money laundering has expanded beyond its original setting and is now used globally and involves various currencies. A recent case involved the shipment of gray and black market electronics to support a U.S.‐designated terrorist entity. U.S.‐based businesses were falsifying commercial invoices and trade documents, altering the information that identified the individuals who were receiving the goods. The value and the contents of the shipment were also falsified in order to permit the shipment to reach a U.S.‐designated terrorist entity and evade duties and taxes. The proceeds of the sales were generating income for the terrorist organization. In practice, money laundering usually combines several different techniques. Customs and law enforcement experience show that a number of elements are required to identify, investigate, and prosecute trade‐based money laundering with links to terrorist financing. Strong cooperation between customs and law enforcement with expertise in financial investigations, adequate prioritization of exports and trade‐related investigations, and systems to monitor and compare trade data to detect anomalies both internally and internationally are all important to combating TBML.

SAFE Port Act Sec. 201(b)(12): Links with Existing Strategies This Strategy does not exist in a vacuum—it builds upon years of strategies, policies, and assessments that aimed to improve the security, resilience, and efficiency of commerce in the global supply chain. The summaries below offer an overview of those strategies that are most closely connected to global supply chain security. 2010 National Security Strategy The 2010 National Security Strategy (NSS) establishes the themes and concepts of security under the current Administration. The NSS presents the four “enduring national interests”: security of the American people, prosperity, support for U.S. values, and international order adept at addressing 21st century challenges. These four interests reflect a clear understanding of an increasingly complex, interconnected world.

The NSS is an integral component of U.S. homeland security guidance. The NSS seeks to promote American security and American values abroad while the homeland security

26

enterprise seeks to preserve them domestically. The principles that guide national security and the homeland security enterprise are mutually reinforcing and work together to ensure comprehensive security and prosperity for the American people. As in the 2010 NSS, the National Strategy for Global Supply Chain Security underlines the inherent link between the security of the American people and the prosperity of the U.S. economy. A gain by one should not significantly take from the other; they should instead be improved and balanced with one another. Secondly, the 2010 NSS recognizes the significance of the part played by non‐state actors within the national security landscape. Without addressing how these non‐state actors affect national security and the global economy, the U.S. Government cannot sufficiently protect the Nation. Finally, there is an understanding that security includes preventive actions taken both domestically and abroad. Both the 2010 NSS and the National Strategy for Global Supply Chain Security understand that economic interdependence has reached a point at which the United States is negatively impacted if security is breached in a foreign country and vice versa. Thus, both strategies recognize the need for the United States to focus on shaping future events instead of resisting them. 2007 National Strategy for Homeland Security The 2007 National Strategy for Homeland Security (NSHS) broadened the U.S. Government homeland security paradigm to include not only prevention of terrorist attacks but also the reduction of vulnerability from the cascading effects of terrorist events. This was a significant shift from previous concepts of homeland security, which centered on natural incidents, the direct impact of terrorist attacks, and the resulting recovery operations. The NSHS used this new homeland security paradigm to create a strategic direction for securing the homeland by guiding, organizing, and unifying our Nation’s homeland security efforts around four goals: preventing and disrupting terrorist attacks, protecting the American people and our critical infrastructure and key resources, responding to and recovering from incidents that do occur, and continuing to strengthen the foundation to ensure our long‐term success. While the guidance articulated in the NSHS is aimed at holistic homeland security, many of the initiatives have direct implications for the mission of securing the global supply chain. For example, the NSHS emphasizes the importance of continuing our efforts to “prevent terrorist exploitation of legitimate pathways into the Homeland.” This speaks directly to this Strategy’s goal of security, which aims to prevent illicit or harmful materials from entering and being used to exploit the global supply chain. The NSHS also promotes the need for DHS to “mitigate the Nation’s vulnerability to acts of terrorism, other man‐made threats, and natural disasters by ensuring the structural and operational resilience of our critical infrastructure and key resources.” This focus on the resilience of infrastructure and resources is a key focus of the framework created by this Strategy.

27

National Response Framework Mandated by HSPD‐5, the NRF establishes guiding principles for an all‐hazards approach to domestic incident response across all levels of government. The NRF seeks to unify the efforts of Federal, State, local, tribal, and territorial jurisdictional bodies, along with the private sector, in order to provide effective and coordinated responses to large‐scale disruptions. The NRF is predicated on five key principles to response: engaged partnership; tiered response; scalable, flexible, and adaptable operational capabilities; unity of effort through unified command; and readiness to act. The NRF is an essential component of the homeland security enterprise. It provides roles and responsibilities for coordinating incident response across the Federal Government as well as State, local, tribal, and territorial jurisdictions. It builds upon the National Incident Management System and the former National Response Plan to create a method for rapid incident response. The NRF provides a framework for responding to large‐scale disruptions of the global supply chain, a critical area that was outside the scope of this Strategy. The NRF has large implications for the resilience section of this Strategy, especially trade resumption protocols. Broadly, the NRF provides guidance that helps ensure rapid response and recovery from global supply chain incidents. Cyberspace Policy Review The 2009 Cyberspace Policy Review (CPR) was a 60‐day “clean slate” review of national cybersecurity policies and structures. The CPR sought to balance the need for the efficiency, innovation, and prosperity that our digital information and communications infrastructure allows, while also promoting safety, security, civil liberties, and privacy rights. The CPR tackled this challenge by offering 10 discrete, short‐term recommendations while also pledging to work with the private sector and other stakeholders to develop better security systems, more secure infrastructure, and plans for response to a cyber event. The ability to communicate and transmit information through cyberspace has been a tremendous boon to both U.S. and global prosperity. However, these cyber systems were developed with cost and efficiency in mind, making them extremely vulnerable to exploitation by adversaries. As such, cyber assets are identified by the NIPP as infrastructure critical to the homeland security enterprise. Securing cyberspace is closely linked with efforts to secure the global supply chain. The ability to effectively collect, analyze, share, and protect information is critical to maintaining the risk management approach this Strategy advocates. Information management, as imagined by this Strategy, rests almost entirely on the ability to secure cyberspace and prevent attempts to

28

exploit cyber assets. A cyberspace initiative focused on the global supply chain is currently being developed by the Transborder Interagency Policy Committee.

2007 DHS Strategy to Enhance International Supply Chain Security The 2007 DHS Strategy to Enhance International Supply Chain Security (hereafter the 2007 Strategy) is the direct predecessor to this Strategy. Mandated by the 2006 SAFE Port Act, the 2007 Strategy was developed by DHS to examine existing programs that aimed to secure the global supply chain and describe how the plans and initiatives enacted after September 11, 2001, work together to strengthen security throughout the global supply chain. The 2007 Strategy marked a preliminary attempt to define the roles and responsibilities of the homeland security enterprise in securing the global supply chain. The application of the 2007 Strategy continued to evolve as the homeland security enterprise matured, resulting in the development of this Strategy. The 2007 Strategy served as an interim version for this Strategy. Where it analyzed the disparate efforts across DHS and the interagency community in an attempt to develop a holistic view of programs and policies to secure the supply chain, this final Strategy looks to an ideal end‐state and provides forward‐leaning recommendations to achieve it. While both strategies examine the global supply chain, the 2007 Strategy was primarily concerned with the maritime movement of containerized cargo, where this Strategy examines all cargo types across all modes. National Strategy for the Marine Transportation System The 2008 National Strategy for the Marine Transportation System (NSMTS) is a 5‐year policy framework developed by the Committee on the Marine Transportation System that serves as the foundation for subsequent implementation plans. The NSMTS includes 34 recommended actions to improve 5 priority areas of the U.S. marine transportation system (MTS): capacity; safety and security; environmental stewardship; resilience and reliability; and finance and economics.

One of the functions of the MTS identified in the NSMTS—commerce—and two of the priority areas—safety and security, and resilience and reliability—underscore its critical link to the homeland security enterprise. The NSMTS highlights the significant role the MTS plays in the trade of goods to and from the United States and its associated contributions to the U.S. economy. This function directly relates to the emphasis in the Quadrennial Homeland Security Review (QHSR) on safeguarding lawful trade and travel, an enterprise‐wide homeland security goal. Additionally, the NSMTS focus on safety and security is reinforced in the 2010 QHSR’s focus on preventing terrorism and enhancing security while the resilience and reliability priority area is reinforced by its focus on ensuring resilience to disaster. Both missions are enterprise‐wide homeland security missions.

29

While the NSMTS and its policy areas pertain to global supply chain security, they are by no means wholly related or comprehensive. The elements of the MTS (waterways, ports, intermodal connections, vessels, and users) identified in the NSMTS largely mirror the elements of the global supply chain; however, these components are limited to the maritime environment and do not extend into the other modes or nodes or fully address intermodal connectivity. National Strategy for Information Sharing The 2007 National Strategy for Information Sharing (NSIS) establishes a plan to improve information sharing capabilities at the Federal, State, local, territorial, and tribal levels and with the private sector and foreign partners. The NSIS also emphasizes the importance of protecting privacy and other legal rights when sharing information. It is intended to help ensure that those responsible for combating terrorism have access to timely and accurate information and, in concert with the Information Sharing Environment, will enable intelligence products to be easily shared, facilitate a coordinated set of requirements and information needs across all levels of government, and ensure that efforts to prevent future attacks are risk based. The shift from the “need to know” to “need to share” paradigm formalized in the NSIS is a fundamental underlying component of the homeland security enterprise. As missions expand beyond DHS and become truly enterprise‐wide, it becomes increasingly important to ensure that information is shared at all levels of government and with the private sector. Multiple overarching homeland security strategy documents, including the QHSR and the National Homeland Security Strategy, emphasize the importance of information sharing partnerships in successfully fulfilling these homeland security missions. Additionally, the principles identified in the NSIS are reinforced in this Strategy. Specifically, knowledge management is a key enabling activity to achieve comprehensive global supply chain security. Both sharing information and protecting information are foundational elements of global supply chain information management. To achieve the former and promote global supply chain security, information must be timely, discoverable, accessible, trustworthy, and reliable. To achieve the latter, the appropriate degree of protection must be established while guarding against overly rigorous protection when there is a legitimate need for access that would help enable global supply chain security. National Strategy for Aviation Security

By integrating public and private aviation security activities, the 2007 National Strategy for Aviation Security (NSAS) seeks to secure the people and interests of the United States, strengthen international partnerships, and advance the economic well‐being of the country. The NSAS is guided by the following objectives: deter and prevent terrorist attacks in the air domain, protect U.S. interests in the air domain, mitigate damages and expedite recovery from aviation‐related incidents, minimize the impact of aviation‐related incidents on the U.S.

30

economy, and engage domestic and international partners. To achieve these objectives, the NSAS outlines five critical strategic actions: maximize domain awareness; deploy layered security; promote a safe, efficient, and secure Aviation Transportation System (ATS); enhance international cooperation; and assure continuity of the ATS. The strategic objectives identified in the NSAS are elements of the missions in the subsequent 2010 QHSR. In the 2010 QHSR, Securing and Managing Our Borders, including controlling the air domain, is an enterprise‐wide mission. Additionally, Goal 5.1, Mitigate Hazards, and Goal 5.4, Rapidly Recover, are essential goals under the Ensuring Resilience to Disasters mission. The sector‐specific NSAS is not only consistent with the homeland security mission writ large, but it also applies to global supply chain security. The NSAS is an important component in addressing global supply chain vulnerabilities. Like this Strategy, the NSAS emphasizes layered security and focuses on the ability to mitigate damage and recover quickly as key components of systemic resilience. While it only covers the air domain, the goals of the NSAS are in alignment with the recommendations of this Strategy. National Strategy for Maritime Security Mandated by National Security Presidential Directive 41 (NSPD‐41)/HSPD‐13, the National Strategy for Maritime Security (NSMS) and its eight supporting plans aimed to create a comprehensive security system for the maritime domain. The NSMS lays out the myriad threats to maritime security and proposes four strategic objectives: prevent terrorist attacks and criminal actions, protect maritime‐related population centers and infrastructure, minimize the potential for damage and ensure rapid recovery, and safeguard the ocean and its resources. Developed with the participation of more than 20 agencies and in coordination with the private sector, the NSMS represented a coordinated effort across the homeland security enterprise. Securing the maritime domain is a primary homeland security objective and Safeguarding Lawful Trade and Travel is identified as a goal by the 2010 QHSR. The NSMS underscored the importance of maritime security and required the development of plans and strategies to accomplish this important goal. The NSMS was a critical step forward in addressing the manifold threats to the global supply chain. While it only covers one sector—the maritime domain—the NSMS and its supporting plans provide another stepping stone for this Strategy. Like this Strategy, the NSMS placed an emphasis on resilience through mitigating vulnerabilities and ensuring rapid recovery in the event of a disruption. Similarly, the NSMS called for supporting plans to achieve marine domain awareness and intelligence integration—key goals of information management envisioned by this Strategy.

31

National Strategy for Transportation Security (classified) The Intelligence Reform and Terrorism Prevention Act of 2004 resulted in the development of the National Strategy for Transportation Security (NSTS). Delivered to Congress on September 9, 2005, and called for by the 9/11 Commission, the NSTS is a classified document, and therefore its details cannot be discussed in a public forum. In general, it outlines the Federal Government’s approach, in partnership with State, local, and tribal governments and private industry, to secure the U.S. transportation system from terrorist threats and attacks and to prepare the Nation by increasing our capacity to respond if either occurs. It describes the policies the Federal Government will apply to manage transportation risk and discusses how the Government will organize its resources to secure the transportation system from terrorist attacks. The NSTS applied a threat‐based risk management approach, using the factors of threat, vulnerability, and consequence, to evaluate asset categories in the six transportation modes: aviation; freight rail; highway; maritime; pipeline; and transit, commuter, and long‐distance passenger rail. This evaluation identified asset categories at greatest risk for each mode, for which corresponding risk‐based priorities were developed. The document also discusses the roles and missions of Federal, State, regional, local, territorial, and tribal authorities and the private sector; response and recovery responsibilities; and research and development requirements. The Maritime Appendix of the NSTS is also known as the National Maritime Transportation Security Plan, and was additionally required by the Maritime Transportation Security Act (MTSA) of 2002. The NMTSP is a partially open source/partially SSI document, and is discussed in general below. The open source portion of the NMTSP may be found as Annex B, Maritime, in the Transportation Systems Sector Specific Plan. National Maritime Transportation Security Plan (classified) The MTSA of 2002 mandated the development of the National Maritime Transportation Security Plan. The NMTSP provides for efficient, coordinated, and effective action to deter and minimize damage from a transportation security incident involving maritime assets and infrastructure. This is accomplished through a three‐tiered maritime security planning regime, with the “capstone” tier being the NMTSP itself. The second tier is comprised of Area Maritime Security Plans (AMSPs) developed by the local USCG Sector Commander acting as Federal Maritime Security Coordinator in cooperation with Area Maritime Security Committees comprised of local stakeholders and government officials. The third tier is comprised of Vessel and Facility Security Plans (VSPs and FSPs) developed by facility and vessel owners and operators.

32

Specific to the global supply chain, the NMTSP includes a “Plan to Re‐establish Cargo Flow after a Security Incident” and, at all three tiers, provides for both preventive security and incident responses in the maritime domain. At each level of the three‐tier structure, the plans are based upon security risk assessments. VSPs and FSPs are based on private‐sector assessments that are required to be conducted as part of a 5‐year plan review and approval cycle. AMSPs are based upon an initial risk assessment conducted by the USCG, and a continuous risk assessment process (also conducted by the USCG). These risk assessment results are used to update the AMSPs as necessary, but at a minimum each AMSP is reviewed annually. On the national level, the continuous risk assessment results from each Area Maritime Security (AMS) process are merged and analyzed to develop a National Maritime Risk Assessment, with appropriate risk‐reduction measures developed to inform the security planning process. Additionally, the 2010 Coast Guard Authorization Act requires the USCG to establish area response and recovery protocols to prepare for, respond to, mitigate, and recover from a transportation security incident consistent with the SAFE Port Act of 2006. These plans should be developed in accordance with the trade resumption protocols discussed in this document. 2010 Quadrennial Homeland Security Review The 2010 QHSR represents the first comprehensive effort by DHS to analyze and succinctly define the entire homeland security enterprise mission space. The QHSR presents a vision for a secure homeland and identifies five enterprise‐wide homeland security missions and associated goals. The five homeland security missions are defined as: preventing terrorism and enhancing security, securing and managing our borders, enforcing and administering our immigration laws, safeguarding and securing cyberspace, and ensuring resilience to disasters. By clearly delineating the homeland security enterprise‐wide mission space, the QHSR provides a foundation of metrics upon which future resource and organizational decisions can be made. This, in turn, allows for future planning of homeland security needs while concluding legacy programs which no longer directly contribute to achieving core missions. The QHSR contains several goals with direct relevance to global supply chain security. The QHSR emphasizes the need to safeguard lawful trade and travel, which promotes the need for security and resilience of global movement systems. The QHSR discusses “twin goals” of securing our Nation’s borders by ensuring that cargo that crosses is legal and free of harmful materials, while simultaneously expediting the flow of commerce. Furthermore, Mission 2 of the QHSR calls upon the homeland security enterprise to search beyond our borders to anticipate and prevent harmful materials from even entering the global supply chain outside of the United States. Small Vessel Security Strategy

In April 2008, DHS released the Small Vessel Security Strategy (SVSS) aimed at “reducing the risk of terrorist use of small vessels through cooperation, partnership, effective operations, and

33

technology while simultaneously protecting our citizens’ use of the maritime domain.” The large numbers of small vessels (including both private and commercial vessels less than 300 gross tons) and the lack of information about users, owners, or operating partners present a unique vulnerability to homeland security. To address this vulnerability and reduce security gaps, the SVSS identifies four major goals:

• Enhance maritime domain awareness through a public/private partnership with the small vessel community.

• Enhance maritime security and safety based on a coherent plan with a layered, innovative approach.

• Use technology to detect, determine intent, and when necessary interdict small vessels. • Enhance coordination, cooperation, and communication between public, private, and

international partners. While specific to small vessels, the SVSS underscores DHS’s commitment to securing the maritime domain, a critical homeland security area identified in both HSPD‐13/NSPD‐41 and the QHSR. In addition to highlighting the importance of the maritime domain in the strategic environment, the SVSS identifies the potential for utilizing small vessels as a conveyance for smuggling weapons (including weapons of mass destruction (WMD)) into the United States as a specific risk. By taking steps to prevent enemies from threatening the United States with WMD, the SVSS addresses a primary national security mission identified in the National Security Strategy. Surface Transportation Security Priority Assessment The Surface Transportation Security Priority Assessment (STSPA) was conducted as a review of the Nation’s surface transportation systems including mass transit, rail systems, commercial trucking, and pipelines. STSPA, a White House‐led interagency effort, serves as an assessment of security actions already being undertaken and also an analysis of remaining gaps. STSPA resulted in the development of 20 distinct recommendations for improving security in surface transportation modes, including designating a lead agency to coordinate cross‐modal risk analyses and fully identifying Federal roles and responsibilities regarding surface transportation security. A critical addition to the homeland security enterprise, STSPA represents an important evaluation of the surface domain. Along with the National Strategy for Maritime Security and National Strategy for Aviation Security, STSPA helps fulfill the Federal Government’s continued pursuit of cross‐domain security. The surface transportation system is an important component of the global supply chain, and efforts to secure it augment this Strategy. The STSPA also shares an emphasis on risk assessment and information management with this Strategy.

34

National Infrastructure Protection Plan The NIPP was written to fulfill an HSPD‐7 requirement to develop a strategy to protect CIKR. The NIPP provides a review of current efforts to protect CIKR and develops a framework for developing new programs and efforts. The NIPP’s focus is on three specific actions: deterring threats, mitigating vulnerabilities, and minimizing consequences. The NIPP also requires various sectors to develop Sector‐Specific Plans (SSPs) to identify strategies to protect the CIKR under their purview. The protection of critical infrastructure is a major focus of the QHSR and a key responsibility of the homeland security enterprise. The NIPP serves as a foundational document for securing CIKR and preventing threats to it. The NIPP and its SSPs provide details regarding security of CIKR that are integral to this Strategy, as well as an extensive discussion of information sharing. The principles laid out in the NIPP are fundamental to the promotion of resilience and continuity of operations planning, a key goal of this Strategy in general and of the trade resumption protocols in particular. Global Nuclear Detection Architecture Strategic Plan The Domestic Nuclear Detection Office was authorized by the SAFE Port Act as an entity within DHS with the mission of developing an enhanced Global Nuclear Detection Architecture (GNDA) and implementing its domestic portion as part of “coordinating Federal efforts to detect and protect against the unauthorized importation, possession, storage, transportation, development, or use of a nuclear explosive device, fissile material, or radiological material in the United States, and to protect against attack using such devices or materials against the people, territory, or interests of the United States.” The GNDA is the worldwide network of sensors, telecommunications, information exchanges, personnel, programs, and protocols that serve to detect and to report on nuclear and radioactive materials and weapons out of regulatory control. This system of systems includes both the tangible assets (people and equipment) and the plans and procedures for its design and implementation. The GNDA strategic plan articulates a comprehensive structure of activities and approaches aimed at preventing an unconventional nuclear or radiological attack. The detection of WMD is a paramount concern of the homeland security enterprise. The 2010 QHSR identifies preventing acts of terrorism, especially chemical, biological, radiological, and nuclear attacks, as its very first goal. The GNDA is a fundamental component of the Federal Government’s effort to detect and thwart attempts to use nuclear and radiological weapons within the United States.

The Global Nuclear Detection Architecture Strategic Plan is linked to this Strategy because of its emphasis on the detection of nuclear and radiological materials and devices that could be transported illicitly through the commercial supply chain. At the one noted specific point of

35

overlap, that of illicit transport of nuclear or radiological material through the commercial supply chain, the general frameworks supplied by each strategy apply and are compatible. The operational end‐users of both strategies include CBP and the Transportation Security Administration (TSA) where multiple threats must be addressed within their respective purview. Both strategies advocate a risk‐informed, multilayered, defense‐in‐depth approach to addressing threats and vulnerabilities, and both advocate for regional and international cooperation with Federal, State, local, tribal, territorial, and private industry partners. HSPD‐5, Management of Domestic Incidents Signed in February 2003, HSPD‐5, Management of Domestic Incidents, is a seminal homeland security document that established the requirement for coordinated incident preparedness, response, and recovery. HSPD‐5 and the documents it mandated provide the response framework for global supply chain incidents and have important ramifications for resilience. It requires DHS, working with State and local governments, to lead a national effort to respond to terrorist attacks and major disasters within the United States. It requires the Secretary of Homeland Security to coordinate Federal efforts to prepare for and prevent disruptions, and to direct Federal response and recovery efforts. HSPD‐5 established a single, unified approach to domestic incident management by requiring the development and implementation of NIMS and the National Response Plan (NRP). The NRP was replaced by the National Response Framework in March 2008. The NRF establishes a comprehensive, national, all‐hazards approach to domestic incident response. HSPD‐7, Critical Infrastructure Identification, Prioritization, and Protection HSPD‐7, Critical Infrastructure Identification, Prioritization, and Protection, established a national policy to identify and prioritize critical infrastructure and key resources within the United States and protect them from terrorist attacks. HSPD‐7 designates the Secretary of Homeland Security as the lead Federal official in charge of coordinating efforts to protect critical infrastructure, and identifies roles and responsibilities for additional departments and agencies. HSPD‐7 required DHS to develop a national plan for critical infrastructure and key resources protection which outlines national goals, milestones, and initiatives to protect CIKR, a direct corollary to Goal 1.3 in the 2010 QHSR, Manage Risks to Critical Infrastructure, Key Leadership, and Events. HSPD‐7 resulted in the development of the NIPP and several Sector‐Specific Plans. The 2009 NIPP provides the unifying structure for the integration of a wide range of efforts for the enhanced protection and resilience of CIKR.

HSPD‐7 is a foundational document for the National Strategy for Global Supply Chain Security. It sets guidelines directing DHS to identify, prioritize, and protect CIKR, a process that has implications for both infrastructure protections at ports of entry and for post‐incident trade

36

resumption protocols. Many nodes of the global supply chain within the United States qualify as critical infrastructure, and the global supply chain is indispensible in the movement of key resources into and throughout the United States. NSPD‐41/HSPD‐13, Maritime Security Policy The importance of securing the maritime domain was underscored in NSPD‐41/HSPD‐13, Maritime Security Policy. NSPD‐41/HSPD‐13 established the Maritime Security Policy Coordinating Committee (now the Maritime Security Interagency Policy Committee) to oversee the development of a National Strategy for Maritime Security and eight supporting implementation plans. The NSMS provides for the extension of U.S. efforts into the international sphere through domestic and global maritime intelligence integration, development of Maritime Domain Awareness, and international outreach and coordination. NSPD‐41/HSPD‐13 is currently in the final stages of an Administration revision. Securing the maritime domain is critical to Safeguarding Lawful Trade and Travel, Goal 2.2 identified by the 2010 QHSR. NSPD‐41/HSPD‐13 underscored the importance of maritime security and required the development of plans and strategies to accomplish this important goal. The NSMS and its supporting plans articulate protective strategies and plans for the global supply chain. The requirements established in mandating the eight implementation plans clearly reflect an emphasis on security, resilience, and facilitation of lawful commerce and a focus on enabling functions such as international collaboration and knowledge management. All of these elements are key components of this Strategy. NSPD‐47/HSPD‐16, Aviation Security Policy Recognizing the need for a government‐wide plan to coordinate and integrate aviation security efforts, NSPD‐47/HSPD‐16, Aviation Security Policy, mandated the creation of a National Strategy for Aviation Security and seven implementation plans. These seven implementation plans are aimed at securing the air domain and include System Security, Operational Threat Response, System Recovery, Surveillance and Intelligence Integration, Domestic Outreach, and International Collaboration. The implementation plans required by HSPD‐16 closely mirror the Strategy’s focus on security, resilience, and key enablers such as knowledge management and stakeholder collaboration. For a more detailed analysis of the relationship to the homeland security enterprise and this Strategy specifically, refer to the earlier discussion of the National Strategy for Aviation Security (see page 30).

37

SAFE Port Act Sec. 201(c): Stakeholder Consultation In order to draft a comprehensive National Strategy and to comply with requirements under the SAFE Port Act, Federal, State, local, and private‐sector stakeholders, as well as subject‐matter experts and advisory committees, were consulted during the development of the National Strategy for Global Supply Chain Security. The goal of this consultation was to improve upon the 2007 Strategy to Enhance International Supply Chain Security, develop a thorough understanding of stakeholder concerns, and receive input on potential strategies to make the global supply chain stronger, more resilient, and more efficient. This consultation took place over many months and through various mediums, including teleconferences, webinars, briefings, meetings, and email. The groups consulted included:

• American Association of Exporters and Importers (AAEI)

• American National Standards Institute (ANSI)

• American Society for Industrial Security (ASIS) Agriculture and Food Security Council

• Canadian Embassy • Advisory Committee on Commercial

Operations of Customs and Border Protection (COAC)

• Critical Infrastructure Partnership Advisory Council (CIPAC)

• Department of Defense/U.S. Central Command (DOD/USCENTCOM)

• Chamber of Commerce • Consultative Shipping Group

• Germany: Joint U.S./Germany Research and Development Conference in Berlin

• Homeland Security Advisory Council (HSAC)

• International Customs Attaché Group

• International Labour Organization (ILO)

• International Maritime Organization (IMO)

• National Maritime Security Advisory Committee (NMSAC)

• Women in Government Relations (WGR)

● World Customs Organization (WCO)

In addition to providing the groups with the 2007 Strategy to Enhance International Supply Chain Security and asking for comments, specific questions were posed to elicit focused feedback. These questions included, but were not limited to:

• What are your key concerns regarding threats/vulnerabilities in the global supply chain? • How well does the U.S. Government reduce these threats/vulnerabilities? • What are some examples of industry best practices in reducing threats/vulnerabilities?

How might the U.S. Government better leverage private‐sector interests and efforts to secure the global supply chain?

• What are the different threats/vulnerabilities between and among modes of transportation and what are opportunities for improvement?

38

• What assumptions that currently inform our policies and programs may be incorrect or dated?

• Are there opportunities for legislative/regulatory improvements? • How might we better measure and account for private‐sector efforts to increase

security and resilience?

The feedback collected during the consultation was then aggregated, analyzed, and used to inform this Strategy. The external engagement process is an ongoing process and stakeholder consultation will continue to be conducted throughout the implementation of the Strategy. External Engagement Feedback Summary During the external engagement process, the global supply chain security core team and external engagement team received a large number of comments from formal advisory committees, trade groups such as the Chamber of Commerce and American Association of Exporters and Importers, and international organizations. The preponderance of these comments were narrow and reflected concerns over specific provisions of the 2007 Strategy to Enhance International Supply Chain Security, but there were several topics which received multiple comments expressing a broader concern. This summary provides a breakdown of feedback by goal and organization as well as an overview of those topic areas which elicited comments from multiple sources. Comment Breakdown

Number of Comments

Security Resilience Commerce Information Management General

CIPAC 16 28 11 3 5

NMSAC 8 7 3 4 6

COAC 32 20 17 15 12

AAEI 0 3 3 0 0

Chamber 14 0 13 11 0

IMO 0 0 4 0 3 Subject Matter Expert 32 12 12 9 30

Total 102 70 63 42 56

39

SAFE Port Act Sec. 201(f): International Standards and Practices Frameworks, Standards, and Harmonization The existing framework and standards landscape consists of various systems and processes in which the U.S. Government participates: through treaty organizations where the governments are members; through private, voluntary organizations where the United States is represented by a single “national body” organization; through professional and technical organizations whose membership is on an individual or organizational basis; and through consortia. The combination of trade flow, security, and system resilience can only be improved by the combined efforts of all partners in the global supply chain, which will enhance the overall security of this supply chain. As part of this effort, the U.S. Government must proactively engage with the trade and international communities in a coordinated fashion with the goal of mutual recognition of standards at multiple levels. This includes policies, programs, regulations, processes, procedures, and technical standards, thus requiring the interfacing at several levels including:

• Agency to agency within the U.S. Government • U.S. Government to private sector • U.S. Government to foreign governments

A major part of this work needs to include the harmonization of current standards and the development of standards where none currently exist. Harmonization will also require a reduction in standards that are duplicative or that place an undue burden on industry and our trading partners. Mutual recognition and harmonization of standards can improve security and also serve to facilitate the flow of goods in the global trading system only if our efforts are approached collectively. International Engagement Congress mandated DHS external engagement with four specific international organizations involved in global supply chain security and sustainability standards via the 2006 SAFE Port Act. The following paragraphs are in response to SAFE Port Act section 201(b)(3). In addition to being responsive to the congressional mandate, it also provides recommended organizations for future engagement. International Organization for Standardization Engagement

In an effort to foster development of standards‐based, open‐architecture, interoperable, globally acceptable, business‐driven, commercially available, proven off‐the‐shelf technologies for use in demonstrating effective cargo security solutions, while minimizing potential negative

40

impacts on business, the DHS Policy Directorate and Science and Technology Directorate arranged for attendance at International Organization for Standardization (ISO) meetings involving standards development for ocean freight container technologies. This was done at ISO Technical Committees (TCs) in close collaboration with foreign and U.S. Technical Advisory Group (TAG) delegations to those committees. The U.S. TAGs are accredited by ANSI, the official national body representation in ISO for the United States. This approach of “engage, observe, and if necessary influence” international standards development has proven beneficial in understanding/merging industry needs and government requirements regarding the global supply chain in a manner to minimize negative impact on commerce and to promote global supply chain sustainability, security, and in‐transit visibility. The following are some specific examples of ISO TCs (including associated subcommittees and working groups) dealing with aspects of the global supply chain with which DHS has engaged through attendance, thus meeting the congressional requirements for external engagement with ISO under the SAFE Port Act, section 201(f). Process/best practices standards:

• ISO TC 8 (Ships and Marine Technology): Responsible for ISO 28000 series (Supply Chain Security Management Systems). Specifies the requirements to establish, implement, maintain, improve, and audit a security system to protect people, goods, infrastructure, equipment, and transportation against security incidents and other potentially devastating situations.

Technology standards:

• ISO TC 104 (Freight Containers): Responsible for standards for electronic (e)‐seals, container identification (ID) tags, mechanical seals, freight container Radio‐Frequency Identification (RFID) shipment tag system, and global freight common wireless network architecture.

• ISO TC 122/104 Joint Working Group (Supply Chain Applications of RFID): Responsible for freight container supply chain tagging.

• ISO/International Electrotechnical Commission Joint Technical Committee 1/Sub‐committee 31 (Automatic ID and Data Capture): Responsible for real‐time locating systems, mobile item ID and management, and security for item management.

Continued and increased government representation at ISO standards development meetings is essential. This is in line with the recent U.S. Government initiatives for increased government participation “at the table” with industry and other interested parties during standards development. Policy should continue to be determined, in part, from industry and end‐user feedback as standards are being developed in a collaborative manner.

In addition to ISO, external engagement by DHS with three other international organizations (the ILO, the IMO, and the WCO) was encouraged by the SAFE Port Act (section 201(f)). All of the aforementioned ISO technical committees have multiple interactions and established liaison relationships with these three and other international stakeholder organizations in the

41

global supply chain security realm. Effectively, this affords such organizations an opportunity to contribute to the work of the technical committees. Each of these three groups is listed here to describe the organization and reasons for engagement with ISO. Additionally, information on two other groups with supply chain security involvement is also provided to ensure international engagement is broad and robust. International Labour Organization The ILO is the United Nations agency that brings together governments, employers, and workers of its member states in common action to promote decent work throughout the world. The ILO develops international labor standards that serve as a comprehensive system of instruments on work and social policy, backed by a supervisory system designed to address a variety of problems in their application at the national level. International Maritime Organization The IMO serves as a permanent international body that promotes maritime safety more effectively through the development of international regulations that are followed by all shipping nations. Additionally, the IMO develops global standards for seafarers, including international conventions and codes relating to search and rescue, the facilitation of international maritime traffic, load lines, tonnage measurement, and the shipment of dangerous goods. The USCG has been a key participant and the primary U.S. representative to the IMO for all policy development since the IMO Convention entered into force 50 years ago. Numerous USCG offices and personnel with various skill sets take the lead in addressing international maritime issues with the help of various government and industry advisors. These advisors include members from DOS, DHS, DOD, the Department of Justice, EPA, the National Oceanic and Atmospheric Administration, the National Transportation Safety Board, and numerous industry experts—all providing the technical support and guidance necessary to sufficiently advocate U.S. positions on the issues. In all, over 250 U.S. members (from government, shipping industry, and academia) are sent to the IMO on a yearly basis. World Customs Organization The WCO is the only intergovernmental organization exclusively focused on customs matters. With its worldwide membership, the WCO is now recognized as the voice of the global customs community. The WCO develops global standards that include measures for securing the global supply chain while facilitating the flow of legitimate trade and implementing national requirements.

CBP, through the WCO, endorses a strategy to secure the movement of global trade in a way that does not impede but facilitates the movement of that trade. WCO members have

42

developed a regime that will enhance the security and facilitation of international trade. This method is called the WCO SAFE Framework of Standards. The SAFE Framework sets forth the principles and the standards and presents them for adoption as a minimal threshold of what must be done by WCO members. The U.S. Government will seek to strengthen and facilitate the WCO SAFE Framework in conjunction with standards harmonization using a collaborative approach to optimize the securing of the international trade supply chain while ensuring continued improvements in trade facilitation. International Civil Aviation Organization The ICAO is a specialized agency of the United Nations dedicated to promoting the safe and orderly development of international civil aviation throughout the world. It sets standards and regulations necessary for aviation safety, security, efficiency and regularity, as well as for aviation environmental protection. TSA leads U.S. involvement with the ICAO, supporting efforts to enhance passenger and cargo aviation safety and security. Universal Postal Union The UPU is the primary forum for cooperation between postal sector stakeholders, working to ensure a truly universal network of postal products and service. The organization fulfils an advisory, mediating, and liaison role, provides technical assistance where needed, sets the rules for international mail exchanges. Engagement with the UPU is led by the U.S. Department of State, with specific focal areas involving appropriate Department and Agency representation.

43

Appendix A: List of Acronyms AAEI American Association of Exporters AMS AMSC

Area Maritime Security Area Maritime Security Committee

AMSP Area Maritime Security Plan ANSI American National Standards Institute ASIS American Society for Industrial Security ATS Aviation Transportation System BMPE Black Market Peso Exchange CBP U.S. Customs and Border Protection CIKR Critical Infrastructure and Key Resources CIKR ISE CIP

Critical Infrastructure and Key Resources Information Sharing Environment Critical Infrastructure Protection

CIPAC Critical Infrastructure Partnership Advisory Council COAC Advisory Committee on Commercial Operations of Customs and Border

Protection COTP Captain of the Port CPR Cyberspace Policy Review CREATE Center for Risk and Economic Analysis of Terrorism CSSCWG Cross‐Sector Supply Chain Working Group C‐TPAT CUI

Customs‐Trade Partnership Against Terrorism Controlled Unclassified Information

DHS Department of Homeland Security DHS/IP Department of Homeland Security Office of Infrastructure Protection DOC DOD DOE DOI DOJ

Department of Commerce Department of Defense Department of Energy Department of the Interior Department of Justice

DOS DOT

Department of State Department of Transportation

DSAC Domestic Security Alliance Council EPA Environmental Protection Agency FBI FDA FEMA

Federal Bureau of Investigation Food and Drug Administration Federal Emergency Management Agency

FSP Facility Security Plan GCC GDP

Government Coordinating Council Gross Domestic Product

GNDA HHS

Global Nuclear Detection Architecture Department of Health and Human Services

A ‐ 1

HITRAC Homeland Infrastructure Threat and Risk Analysis Center HSAC Homeland Security Advisory Council HSPD ID

Homeland Security Presidential Directive Identification

ILO International Labour Organization IMO International Maritime Organization IRTPA Intelligence Reform and Terrorism Prevention Act of 2004 ISAC Information Sharing and Analysis Center ISC Information Sharing Council ISE Information Sharing Environment ISO International Organization for Standardization MIRP Maritime Infrastructure Recovery Plan MTS Marine Transportation System MTSA Maritime Transportation Security Act of 2002 NICC National Infrastructure Coordinating Center NIMS National Incident Management System NIPP National Infrastructure Protection Plan NMSAC National Maritime Security Advisory Committee NMTSP National Maritime Transportation Security Plan NRF National Response Framework NRP National Response Plan (replaced by the NRF) NSAS National Strategy for Aviation Security NSHS National Strategy for Homeland Security NSIS National Strategy for Information Sharing NSMS National Strategy for Maritime Security NSMTS National Strategy for the Marine Transportation System NSPD National Security Presidential Directive NSS National Security Strategy NSTS ODNI

National Strategy for Transportation Security Office of the Director of National Intelligence

OSAC Overseas Security Advisory Council PDD PKEMRA

Presidential Decision Directive Post‐Katrina Emergency Management Reform Act of 2006

PSA Protective Security Advisor QHSR Quadrennial Homeland Security Review RFID Radio‐Frequency Identification SAFE Port Act Security and Accountability for Every Port Act of 2006 SBREFA Small Business Regulatory Enforcement Fairness Act of 1966 SBU Sensitive But Unclassified SCC Sector Coordinating Council SLTT SLTTGCC

State, Local, Tribal, and Territorial State, Local, Tribal, and Territorial Government Coordinating Council

SSA Sector‐Specific Agency

A ‐ 2

SSI Sensitive Security Information SSP Sector‐Specific Plan Stafford Act Robert T. Stafford Disaster Relief and Emergency Assistance Act (P.L.

93‐288, as amended) STSPA Surface Transportation Security Priority Assessment SVSS Small Vessel Security Strategy TAG Technical Advisory Group TBML Trade‐Based Money Laundering TC Technical Committee TSA USACE

Transportation Security Administration U.S. Army Corps of Engineers

USCENTCOM U.S. Central Command USCG U.S. Coast Guard USD USDA USTR

U.S. Dollars U.S. Department of Agriculture U.S. Trade Representative

VSP Vessel Security Plan WCO World Customs Organization WGR Women in Government Relations WMD Weapons of Mass Destruction

A ‐ 3

A ‐ 4

Dhs foia-dsac-etc-april-15-2013-records-for-release-123-pages-1

Documents

Transcript of Dhs foia-dsac-etc-april-15-2013-records-for-release-123-pages-1