National Protection and Programs DirectorateDepartment of Homeland Security

The Office of Infrastructure Protection

Urban Area Security Initiative Conference, Columbus, OH

May 23, 2012

Critical Infrastructure Protection: Program Overview

Presenter’s Name June 17, 2003

Historical Perspective

Risk Management Framework Implementation

Current Environment

Key Initiatives

The Current Challenge

2

Agenda

The homeland security enterprise is entering a new stage in its evolution. Focus is shifting to considerations of all-hazards while resources are

becoming increasingly scarce due to the challenging budget environment. Therefore, partnerships of all types must be leveraged to ensure that

resources are utilized in the most effective ways possible.

Mo

3

Historical Perspective

When the Department of Homeland Security (DHS) was established in 2002, it faced distinct challenges with regards to the protection and resilience of critical infrastructure:

Other DHS components, such as the Federal Emergency Management Agency (FEMA) and the U.S. Coast Guard (USCG), already had a well defined mission space and implementation processes were functioning;

Critical infrastructure protection and resilience was generally a new mission area and required the establishment of implementation mechanisms; and

The establishment of a governance structure was necessary in order to reach the network of critical infrastructure protection and resilience partners in the private sector and at all levels of government.

4

Critical Infrastructure Authorities Critical Infrastructure: 42 U.S.C. 5195c (e) defines the term “critical infrastructure” as the

“systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”

Policy of the United States: 42 U.S.C. 5195c (c) establishes that it is the “policy of the United States … that any physical or virtual disruption of the operation of the critical infrastructures of the United States be rare, brief, geographically limited in effect, manageable, and minimally detrimental to the economy, human and government services, and national security of the United States…”

Homeland Security Presidential Directive 7 – Critical Infrastructure Identification, Prioritization, and Protection (HSPD-7): Establishes a national policy for Federal departments and agencies to identify and prioritize critical infrastructure and to protect them from terrorist attacks (now all-hazards) and established the original 17 (now 18) critical infrastructure sectors.

National Infrastructure Protection Plan (NIPP): Provides the unifying structure for the integration of efforts for the enhanced protection and resilience of the Nation’s critical infrastructure.

5

NIPP Risk Management FrameworkRisk management framework:

Integrates and coordinates strategies, capabilities, and governance to enable risk-informed decision making related to the nation’s critical infrastructure

Six interrelated activities to continuously enhance the protection of critical infrastructure

6

Risk Management Framework ImplementationTo effectively implement the risk management framework and help critical infrastructure protection and resilience partners make risk-informed decisions, the following were developed:

Governance Structure

Information Sharing

Assessments & Analysis

Creates a nationwide network in which partners may effectively collaborate to prepare for, protect against, respond to, and recover from all-hazards.

Establishes threats, vulnerabilities, and consequences for individual and clustered critical infrastructure to develop applicable security measures.

Allows the Department to communicate with both public and private sector partners.

7

Current EnvironmentThe critical infrastructure protection and resilience mission has become more dynamic while resources are being decreased: There is increased emphasis on all-hazards. Cyber risks are more prevalent. Climate related risks are receiving more attention. There is increased focus on providing justification for how resources are utilized.

To meet these challenges, we must gather risk-informed requirements for our programs that will allow us to make investments that truly support our partners. In order to do this, we are implementing mechanisms that will: Define the risk-informed outcomes we want to achieve. Develop metrics to determine if we are meeting those outcomes. Use information generated through the metrics to make decisions about how our

programs will get us closer to the outcomes we want to achieve.

One IP Objectives

– Protective Security Advisors– Sector Partnerships– Information Sharing Environment– State and local partners

– Regional Resiliency Assessment Program (RRAP)

– Fusion Center engagement– Stakeholder Input Project

– Sector Annual Reports– National Annual Report– Critical Infrastructure Risk Management

Plan

8

Strengthen partnerships and information sharing capacity

Provide partners with the programs and tools they need

Measure program effectiveness so that efforts can be improved

Objectives Example Implementing Mechanisms

CIRMEI: Risk-informed Resource Allocation

Feedback Loop

Understand risks to critical infrastructure

1

3

2

4

Assess impact of activities

Adjust resources accordingly

Develop plan to address gaps

9

A Regional ApproachTo advance the Assistant Secretary’s vision, Secretary Napolitano’s “One DHS” agenda and the critical infrastructure mission, NPPD/IP is collecting regional requirements and will adjust programs to meet those requirements.A regional approach is necessary because:

» Critical infrastructure assets, systems, functions, and networks cross jurisdictional boundaries

» The types, integration, and concentration of assets vary across regions» Risk landscapes and resources vary region-by-region» All incidents begin and end in local communities» The effectiveness of protection and resilience activities is best measured by

their impact on stakeholders in communities across the country

10

Regional Initiative Approach

11

IAugust 2011

Partnership Support Assessing

Security and Resiliency

Analysis Information Sharing

Regulatory Requirements

IIAugust 2011

XFY 2013

IIIFY 2013

IVFebruary 2012

VFY 2013

VIFY 2012

VIIFY 2013

VIIIFY 2012

IXFY 2012

Federal Regions

Critical Infrastructure Mission Partners (Public and Private)

Region-Specific Mission

Requirements

Outcome: A sustainable One IP Framework that will enable NPPD/IP to operationalize partnerships and deliver tailored programs to each region.

NPPD/IP Core Mission Areas

Components of the Regional Initiative

Key Recommendations for NPPD/IP Leadership

Feedback from Outreach to Private Sector

Infrastructure Owners and Operators

Feedback from Outreach to State and Local

Government Partners

Feedback Provided in Reports by various Partner and Advisory Councils

Focus group discussions in

Regional locations

One-on-one interviews with SLTT critical infrastructure

protection government

officials

Analysis of reportsfrom partner councils containing feedback relevant to service

delivery

21 3

Regional Initiative – Current Status As of May 2012, NPPD/IP has achieved the following progress with the

Regional Initiative:– Received feedback on the status of critical infrastructure protection and

resilience activities in FEMA Regions I, II, and IV from State and local government partners as well as private sector owners and operators.

– Completed an analysis of 14 relevant reports and white papers submitted to NPPD/IP on critical infrastructure protection and resilience and identified key findings.

– Coordinated with State and local partners to pursue focus groups in three additional FEMA Regions (VI, VIII, and IX) this fiscal year.

Findings from this effort will inform programmatic and budgetary decisions: More user friendly, flexible tools More scalable, realistic exercises to help identify interdependencies Tailoring and providing training and capabilities valued by our stakeholders

13

Questions?

(1)The Current Challenge

14

The homeland security enterprise is entering a new stage in its evolution. Focus is shifting to considerations of all-hazards while resources are

becoming increasingly scarce due to the challenging budget environment. Therefore, partnerships of all types must be leveraged to ensure that

resources are utilized in the most effective ways possible.

For more information visit:www.dhs.gov/criticalinfrastructure

Ken BuellPolicy Development and Coordination UnitOffice of Infrastructure ProtectionNational Protection and Programs Directorate

Kenneth.Buell@HQ.DHS.GOV