
2014 Sector-Specific Plan Guidance
Guide for Developing a Sector-Specific Plan under NIPP 2013
August 2014

2014 Sector-Specific Plan Guidance ii

How to Use this Guidance

This page provides a roadmap to assist critical infrastructure partners in navigating and using the 2014 Sector-Specific Plan (SSP) Guidance. This guidance document is intended as a comprehensive resource of information for partners to use in their sector planning and SSP development efforts. The other sections of this document provide additional guidelines that partners may find useful for SSP development and/or sector planning purposes. The following provides a brief description of each section of this Guidance and how to use it.

- Section 1 provides an Overview of the guidance and how it was developed.
- Section 2 contains an Annotated Outline for the 2014 SSPs. The sectors are encouraged to follow similar outlines in their SSPs to ensure coverage of the elements identified in NIPP 2013 and support uniformity across the plans.
- Section 2 also provides a Table Template that sectors should use in their SSPs to show how sector priorities align with national goals and priorities.
- Section 3 presents additional Considerations for the Sector Planning Process that the sectors may wish to use as part of their overall sector planning efforts. Each sector will decide whether any or all of these considerations are included in their SSP based on the unique risk and operating landscape of the sector.
- The Appendix contains various Reference Materials to inform SSP development, including:
  o Key definitions;
  o Sample language on the purpose of the SSPs; and
  o National-level goals, priorities, and activities; with tables and graphics showing how they map to each other and the sector-level goals, priorities, and activities.

Section 2 represents the core of this guidance document. Sector-Specific Agencies (SSAs) and sector councils should focus on the annotated outline in section 2 to ensure that their SSPs address the required elements described in Call to Action #2 in NIPP 2013.


Table of Contents

1. Overview ..... 1
2. Annotated Outline for the 2014 Sector-Specific Plans ..... 2
3. Considerations for the Sector Planning Process ..... 9
   Supporting the NIPP Call to Action ..... 9
   Mitigating Current and Long-Term Trends ..... 9
   Sharing and Protecting Information ..... 9
   Assessing Critical Infrastructure Risk ..... 10
   Measuring Effectiveness (CtA 11) ..... 10
   Learning and Adapting (CtA 9, 12; JNP) ..... 10
Appendix: Reference Materials ..... 11
   Lexicon of Common Terms ..... 11
   NIPP Goals ..... 12
   Joint National Priorities [DRAFT] ..... 12
   NIPP Call to Action ..... 13
   NIST Cybersecurity Framework Performance Goals ..... 17
   Alignment of NIPP 2013 Goals with Call to Action, Joint National Priorities, and Cybersecurity Framework ..... 18
   Explanation of SSP Planning Elements ..... 24
   Proposed Language for SSP Introduction ..... 25


1. Overview

The 2014 Sector-Specific Plans (SSPs) are intended to tailor the strategic guidance provided in the updated National Infrastructure Protection Plan, NIPP 2013: Partnering for Critical Infrastructure Security and Resilience (hereafter NIPP 2013), to the unique risk and operating environment of each critical infrastructure sector. The SSPs serve as planning tools for the Sector-Specific Agencies (SSAs), critical infrastructure owners and operators, and their sector partners at the regional, State, local, tribal, and territorial levels, to guide and integrate sector efforts to secure and strengthen the resilience of critical infrastructure. An SSP should identify the sector’s security and resilience priorities and describe its approach to managing critical infrastructure risk. It should build upon previous sector efforts, such as the 2010 SSPs, and other strategic plans and roadmaps. It is not intended as a replacement for company-specific planning documents or risk management processes. The SSP serves as an outreach tool for sector partners, and should be as clear and concise as possible.

DHS is providing this guidance to assist SSAs and Government and Sector Coordinating Councils in their sector planning and SSP development efforts. The guidance was developed collaboratively by an SSP working group, which worked as part of the overall NIPP Implementation Working Group, composed of representatives of SSAs and cross-sector councils. The working group sought to provide flexibility to each sector to develop a plan that reflects their needs, while also providing a common structure that is comparable across all SSPs. This approach resulted in the development of an Annotated Outline, which provides a basic structure for the key topics that SSPs should cover, and Considerations for the Sector Planning Process, which identify additional topics and issues that each sector may wish to address, as appropriate to their situation.

The Annotated Outline provides general guidance for each chapter of the SSP. The breakdown within each section (a, b, c, etc.) provides a suggested structure and may be modified to suit each sector’s needs. In addition, the length of the SSP will be determined by each sector. Some sectors may prefer a shorter “business plan” approach that focuses on the sector’s priorities and builds on previous sector planning efforts. Other sectors may choose to have a longer plan that provides more complete descriptions of sector assets, risks, and risk management processes to provide a better context for their priorities. However, each SSP must address the requirements of Call to Action #2 in NIPP 2013, including how the sector will contribute to advancing the Joint National Priorities and achieving the NIPP goals.

For consistency, the SSPs should follow the same terminology used in NIPP 2013, which focuses on priorities instead of objectives. Priorities are used to identify the most important actions that the sector will pursue with limited resources. However, it is recognized that objectives are widely used in business and some sectors may choose to include them in the SSP, in addition to the priorities.

This guidance document also contains reference materials from NIPP 2013 and other sources that will help inform sector planning and SSP development. These include a lexicon of common terms; the NIPP Goals and Call to Action; the Joint National Priorities; the Cybersecurity Framework Performance Goals required by Executive Order 13636; and tables showing how all of these elements relate to one another.


2. Annotated Outline for the 2014 Sector-Specific Plans

The outline below offers guidance on the content of each chapter. Where appropriate, the relevant NIPP Call to Action that corresponds to that section is noted by (CtA).

1. Executive Summary
   The Executive Summary should highlight the key elements of the SSP, focusing on the sector’s priorities and risk management approach, and describe how progress will be measured. It need not summarize every section of the SSP.

2. Introduction
   The Introduction should briefly explain the purpose of the SSP and its relationship to NIPP 2013, PPD-21, E.O. 13636, and other strategic drivers relevant to the sector. It may also include a brief summary of key changes from the 2010 SSP or how the sector has evolved. Sample language for this section is provided in the Reference Materials.

3. Sector Overview
   The Sector Overview should provide an updated description of the sector. The chapter should include:
   a. Sector Profile
      An overview of the composition of the sector and any subsectors – to include characteristics of sector critical infrastructure, relevant operating factors, and a general overview of owners and operators within the sector.
   b. Sector Risks
      High-level overview of the current and emerging all-hazard physical and cyber risk landscape that the sector faces, and the key trends that are shaping the sector’s approach to managing risk. Note: Do not include classified or sensitive information about risk unless the sector plans to issue a classified or FOUO annex.
   c. Critical Infrastructure Partners
      Description of the partnership structures and coordinating mechanisms in place to execute risk management strategies, share information, and collaborate across the sector. Identify activities that the sector pursues to leverage partnership efforts (CtA #1-4).
      Description of the relevant roles and responsibilities of sector partners.

4. Vision, Mission, Goals, and Priorities
   This chapter should articulate the sector’s vision, mission, goals, and priorities developed collaboratively with sector partners, based on the five NIPP goals and the National Priorities developed jointly across the partnership (the Joint National Priorities). It should explain how the national goals and priorities relate to the sector, and how the sector priorities will accomplish or advance them.
   The chapter should include:
   a. Vision
   b. Mission
   c. Goals
   d. Priorities
      Describe the most important focus areas the sector will pursue over the next four years that contribute to achieving the NIPP goals and advancing the Call to Action and Joint National Priorities. These are the sector priorities, which should help guide sector security and resilience efforts, inform partner decisions, reflect actionable activities that partners will pursue to enhance security and resilience, and improve risk management practices, taking into consideration the unique risk management perspectives and resources of the sector.
      Include tables that crosswalk the sector priorities to the Joint National Priorities and NIPP Goals and Call to Action (see Crosswalk Tables at the end of the Annotated Outline).

5. Achieving Sector Goals
   This chapter should provide a concise description of how the sector plans to make progress toward its identified sector goals and contribute to achieving the NIPP goals. This description should map to the appropriate national and sector priorities, as well as the relevant Call to Action activities.
   a. Risk Management
      Description of the processes and approaches used by sector partners to manage physical and cyber risks. Identify any innovative strategies the sector employs to manage risks, including information-sharing strategies and mechanisms (CtA #4-10).
      Description of sector reliance on the lifeline functions [1] and strategies to mitigate consequences from the loss of those functions, including potential cascading effects (CtA #2, 6, 7).
      The sector’s current and planned cybersecurity efforts, including use of the Cybersecurity Framework and the sector’s approach for:
      1. Promoting and facilitating its use (CtA #4,5,6)
      2. Implementing initiatives for cybersecurity information sharing (CtA #5,6)
      What are the sector’s research and development (R&D) priorities and how are associated R&D requirements collected from sector partners? (CtA #10)
   b. Critical Infrastructure and National Preparedness
      Sector approaches for integrating critical infrastructure security and resilience activities with national preparedness efforts under PPD-8 (prevention, protection, mitigation, response, and recovery activities); in particular, sector plans and processes for transitioning from steady state to response and recovery operations [2] (CtA #2,7,8).

[1] NIPP 2013 identifies certain lifeline functions that are essential to the operation of most critical infrastructure sectors. These lifeline functions include communications, energy, transportation, and water.

6. Measuring Effectiveness (CtA #11)
   This chapter should describe current and planned security and resilience activities in the sector, and explain the ways in which partners measure the effectiveness of those activities and how they contribute to achieving national and sector goals.
   a. Sector Activities
      Description of the activities the sector will pursue to advance critical infrastructure security and resilience, and how those activities align to the NIPP, sector, and NIST Cybersecurity Framework performance goals.
   b. Measurement Approach
      Explanation of how sector partners will measure the effectiveness of the identified activities, and how the activities contribute to the achievement of the NIPP, sector, and NIST Cybersecurity Framework performance goals.

7. Appendices (as appropriate)
   Appendices may be used by each sector as necessary or appropriate. In past SSPs, appendices have been used to provide more thorough explanations of specific topics (sector description, partners, interdependencies, current sector programs, etc.). This approach can help shorten the length of the main body of the SSP and improve readability.

Crosswalk Tables

The following table templates can be used to show how each sector’s priorities align with the NIPP goals and Call to Action and the Joint National Priorities. All sectors are encouraged to use these tables in their SSP.

[2] For more information, see the National Preparedness Goal (2011), the National Response Framework and its Critical Infrastructure Support Annex (2013), and the National Disaster Recovery Framework (2011) at www.fema.gov.


Contribution of Sector Priorities to Joint National Priorities and NIPP Goals

Columns: Joint National Priorities (DRAFT)
  1. Strengthen the Management of Cyber and Physical Risks to Critical Infrastructure
  2. Build Capabilities and Coordination for Enhanced Incident Response and Recovery
  3. Strengthen Collaboration Across Sectors, Jurisdictions, & Disciplines
  4. Enhance Effectiveness in Resilience Decisionmaking
  5. Share Information to Improve Prevention, Protection, Mitigation, Response, and Recovery Activities

Rows: NIPP Goals
  A. Assess and analyze risks to critical infrastructure (T, V, C) to inform risk management activities.
  B. Secure critical infrastructure against physical, cyber, and human threats through sustainable risk reduction efforts, while considering costs and benefits.
  C. Enhance critical infrastructure resilience by minimizing consequences and employing effective response and recovery.
  D. Share information across the critical infrastructure community to build awareness and enable risk-informed decisionmaking.
  E. Promote learning and adaptation during and after incidents and exercises.

| NIPP Goal | JNP 1 | JNP 2 | JNP 3 | JNP 4 | JNP 5 |
|-----------|-------|-------|-------|-------|-------|
| A         |       |       |       |       |       |
| B         |       |       |       |       |       |
| C         |       |       |       |       |       |
| D         |       |       |       |       |       |
| E         |       |       |       |       |       |

The template in the source shows the placeholder entries “Title of Sector Priority 1” in the row for goal A and “Title of Sector Priority 2” in the row for goal B.


Instructions

1. Place the title of each sector priority in the appropriate cell in the table above so that it aligns with the appropriate NIPP goals and Joint National Priorities.
2. Note that a sector priority may contribute to more than one NIPP goal and/or more than one Joint National Priority. If this is the case, place the name of the sector priority in each appropriate cell.


Contribution of Sector Priorities to NIPP Call to Action

Columns: Sector Priorities (Sector Priority 1 through Sector Priority 8; adjust the number of columns to the sector)

| Call to Action Activities                                                                                      | Priority 1 | Priority 2 | Priority 3 | Priority 4 | Priority 5 | Priority 6 | Priority 7 | Priority 8 |
|----------------------------------------------------------------------------------------------------------------|------------|------------|------------|------------|------------|------------|------------|------------|
| 1. Set national focus through jointly developed priorities.                                                    |            |            |            |            |            |            |            |            |
| 2. Determine collective actions through joint planning efforts.                                                |            |            |            |            |            |            |            |            |
| 3. Empower local and regional partnerships to build capacity nationally.                                       |            |            |            |            |            |            |            |            |
| 4. Leverage incentives to advance security and resilience.                                                     |            |            |            |            |            |            |            |            |
| 5. Enable risk-informed decisionmaking through enhanced situational awareness.                                 |            |            |            |            |            |            |            |            |
| 6. Analyze infrastructure dependencies, interdependencies, and associated cascading effects.                   |            |            |            |            |            |            |            |            |
| 7. Identify, assess, and respond to unanticipated infrastructure cascading effects during and following incidents. |        |            |            |            |            |            |            |            |
| 8. Promote infrastructure, community, and regional recovery following incidents.                               |            |            |            |            |            |            |            |            |
| 9. Strengthen coordinated development and delivery of technical assistance, training, and education.           |            |            |            |            |            |            |            |            |
| 10. Improve critical infrastructure security and resilience by advancing R&D solutions.                        |            |            |            |            |            |            |            |            |
| 11. Evaluate progress toward the achievement of goals.                                                         |            |            |            |            |            |            |            |            |
| 12. Learn and adapt during and after exercises and incidents.                                                  |            |            |            |            |            |            |            |            |

Instructions

1. Place the name of each sector priority in a column heading, as appropriate (number will vary by sector; adjust number of columns as appropriate).
2. Place a check mark in each cell in which a sector priority aligns and contributes to a Call to Action activity.
3. Note that a sector priority may contribute to more than one Call to Action, and a Call to Action may be aligned with more than one sector priority.


3. Considerations for the Sector Planning Process

This section presents additional topics and issues that sectors may consider as part of the overall sector planning process. It is not intended to be an exhaustive list or to increase the length or coverage of any SSP beyond its intended use. These items may or may not be addressed in the SSPs, at the discretion of each sector. References to relevant Call to Action activities that correspond to each consideration are noted by (CtA); considerations that reflect Joint National Priorities are noted as (JNP). As part of implementing Presidential Policy Directive 21 (PPD-21), the joint Evaluation & Planning Workgroup was charged with collaboratively developing an update to the existing NIPP. During the development process, the working group endeavored to keep the updated plan at a higher, more strategic level, and deferred more detailed or tactical information to the 2014 SSPs. Sectors are encouraged to keep this in mind as they develop the SSPs and provide more in-depth information on topics as they relate to the sector. This approach will assist the critical infrastructure community in satisfying the requirements of PPD-21 through both the NIPP and SSPs.

Supporting the NIPP Call to Action

- How is the sector addressing the applicable Call to Action activities? (See the Appendix for a full listing of the NIPP Call to Action.)

Mitigating Current and Long-Term Trends

- What activities has the sector undertaken (or will undertake in the future) to mitigate ongoing natural and human-caused risks to physical and cyber infrastructure?
- How is the sector mitigating the following trends [3], as applicable?
  o Climate change
  o Aging infrastructure and infrastructure failures
  o Positioning, navigation, and timing service dependencies
  o “Internet of things”
  o Other trends

Sharing and Protecting Information

- What are the sector’s information-sharing requirements? Is sector information organized in any common “taxonomy”?
- What sector information-sharing structures, activities, and processes are used to enhance situational awareness and inform risk management decisions? (CtA 5, JNP)
- Do sectors have Information Sharing and Analysis Centers (ISACs) or other information-sharing and analysis organizations? If so, what processes are used to exchange information with these entities?
- How do sector processes support sharing information on cyber and physical risks with public and private sector partners in steady state and during incident response? Does the sector have defined information flows?
- How do sector information-sharing processes aim to build stronger best practices, a clearer understanding of sector dependencies and interdependencies, and a trusted environment that facilitates multidirectional information exchange?
- How does the sector safeguard critical infrastructure information and protect privacy and civil liberties?

[3] Critical Infrastructure Strategic Environment, Draft White Paper; U.S. Department of Homeland Security, Office of Infrastructure Protection, April 25, 2014.

Assessing Critical Infrastructure Risk

- How does the sector assess sector-wide risk? If a sector-wide risk assessment has not been done, what are the plans for conducting/supporting one in the future?
- How does the sector use risk assessment results to inform the prioritization of sector risk management activities and/or influence resource/budget decisions?
- How do sector risk assessments align with and support the Strategic National Risk Assessment and the Threat and Hazard Identification and Risk Assessment (THIRA) process?

Measuring Effectiveness (CtA 11)

- How do SSAs evaluate the effectiveness of security and resilience activities at different levels within their sector (i.e., national, State, local, and regional)? Do they employ quantitative measures of progress, qualitative descriptions of sector accomplishments, or both?
- What is the SSA’s process for capturing sector activities and outcomes to support annual reporting on national security and resilience progress? Note: This may include the information collected by the SSA and a description of data collection limitations in the sector.
- Does the sector collaborate (or plan to collaborate) with other sectors to better understand cross-sector dependencies, interdependencies, and/or gaps?
- Do existing sector metrics assess the availability, reliability, resilience, and integrity of essential services? If not, does the sector plan to develop such metrics?

Learning and Adapting (CtA 9, 12; JNP)

- How does the sector involve partners in the design, development, and/or execution of exercises incorporating critical infrastructure considerations?
- What are the sector’s procedures for after-action reporting (from incidents and exercises), tracking and implementing associated corrective actions, and incorporating lessons learned and best practices into training and technical assistance programs, and future planning and decisionmaking?


Appendix: Reference Materials

The following set of reference materials provides context and background to inform sector planning and SSP development. This section includes the following:

- Lexicon of Common Terms
- NIPP Goals
- Joint National Priorities [DRAFT]
- NIPP Call to Action
- NIST Cybersecurity Framework Performance Goals
- Alignment of NIPP Goals with Call to Action, Joint National Priorities, and the Cybersecurity Framework
- Explanation of SSP Planning Elements
- Proposed Language for SSP Introduction

Lexicon of Common Terms

Please refer to the NIPP 2013 Glossary for the most up-to-date definitions of terms related to the critical infrastructure security and resilience mission. Some of the definitions remain unchanged from the 2009 NIPP, but others were added or updated to reflect the evolution from 2009 to 2013. The source of each definition is provided in parentheses following the definition.

A few key definitions from the NIPP 2013 Glossary are listed below for convenience:

All Hazards. The term “all hazards” means a threat or an incident, natural or manmade, that warrants action to protect life, property, the environment, and public health or safety, and to minimize disruptions of government, social, or economic activities. It includes natural disasters, cyber incidents, industrial accidents, pandemics, acts of terrorism, sabotage, and destructive criminal activity targeting critical infrastructure. (PPD-21, 2013)

Critical Infrastructure Community. Critical infrastructure owners and operators, both public and private; Federal departments and agencies; regional entities; State, local, tribal, and territorial (SLTT) governments; and other organizations from the private and nonprofit sectors with a role in securing and strengthening the resilience of the Nation’s critical infrastructure, and/or promoting practices and ideas for doing so. (NIPP 2013: Partnering for Critical Infrastructure Security and Resilience)

Critical Infrastructure Partners. Those Federal and SLTT governmental entities; public and private sector owners and operators and representative organizations, regional organizations and coalitions, academic and professional entities, and certain not-for-profit and private volunteer organizations that share responsibility for securing and strengthening the resilience of the Nation’s critical infrastructure. (Adapted from the 2009 NIPP)

National Preparedness. The actions taken to plan, organize, equip, train, and exercise to build and sustain the capabilities necessary to prevent, protect against, mitigate the effects of, respond to, and recover from those threats that pose the greatest risk to the security of the Nation. (PPD-8, 2011)

Regional. Entities and interests spanning geographic areas ranging from large multi-State areas to metropolitan areas and varying by organizational structure and key initiatives, yet fostering engagement and collaboration between critical infrastructure owners and operators, government, and other key stakeholders within the given location. (Regional Partnerships: Enabling Regional Critical Infrastructure Resilience, RC3, March 2011)

Risk. The potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences. (DHS Lexicon, 2010)

Stakeholder. The NIPP does not define the word “stakeholder,” but to understand the distinction between partners and stakeholders, it is useful to refer to the definitions of Critical Infrastructure Partners and Critical Infrastructure Community above. Partners share responsibility for strengthening critical infrastructure security and resilience, while stakeholders may play a role in strengthening critical infrastructure security and resilience, and/or promoting practices and ideas for doing so. In addition, stakeholders may simply have an interest in critical infrastructure security and resilience, based on their involvement in related disciplines or activities. For example, Congress, the White House, and the Government Accountability Office are all critical infrastructure stakeholders.

NIPP Goals

NIPP 2013 presents the following goals:

1. Assess and analyze threats to, vulnerabilities of, and consequences to critical infrastructure to inform risk management activities.
2. Secure critical infrastructure against human, physical, and cyber threats through sustainable efforts to reduce risk, while accounting for the costs and benefits of security investments.
3. Enhance critical infrastructure resilience by minimizing the adverse consequences of incidents through advance planning and mitigation efforts, and employing effective responses to save lives and ensure the rapid recovery of essential services.
4. Share actionable and relevant information across the critical infrastructure community to build awareness and enable risk-informed decisionmaking.
5. Promote learning and adaptation during and after exercises and incidents.

These five goals are mapped below to the Call to Action, Joint National Priorities, and the NIST Cybersecurity Framework Performance Goals.

Joint National Priorities [DRAFT]

The critical infrastructure community developed and approved the following draft Joint National Priorities:

- Strengthen the management of cyber and physical risks to critical infrastructure
- Build capabilities and coordination for enhanced incident response and recovery
- Strengthen collaboration across sectors, jurisdictions, and disciplines
- Enhance effectiveness in resilience decisionmaking
- Share information to improve prevention, protection, mitigation, response, and recovery activities

NIPP Call to Action

1. Set National Focus through Jointly Developed Priorities

Jointly establish a set of national critical infrastructure security and resilience priorities to support

Federal resource allocation, as well as planning and evaluation, at all levels in the national

partnership.

Review and validate the national priorities on an annual basis, and update them on a regular cycle

timed to inform Federal budget development and SLTT grant programs.

2. Determine Collective Actions through Joint Planning Efforts

All sectors will update their Sector-Specific Plans (SSPs) to support NIPP 2013, and every four years thereafter, based on guidance developed by DHS in collaboration with the SSAs and cross-sector councils. The SSPs will:

o Reflect joint priorities.

o Address sector reliance on lifeline functions and include strategies to mitigate consequences from the loss of those functions, including potential cascading effects.

o Describe approaches to integrating critical infrastructure and national preparedness efforts; in particular, transitioning from steady state to incident response and recovery via the National Response Framework’s Emergency Support Functions (ESFs) and the National Disaster Recovery Framework’s Recovery Support Functions (RSFs).

o Describe current and planned cybersecurity efforts, including, but not limited to, use of the Cybersecurity Framework, cybersecurity information-sharing initiatives, programmatic activities, risk assessments, exercises, incident response and recovery efforts, and metrics.

o Guide development of appropriate metrics and targets to measure progress toward the national goals and priorities, as well as other sector-specific priorities.

As appropriate, SLTT and regional entities can develop supporting plans to NIPP 2013 and the updated SSPs, whether cross-sector or by individual sector, that articulate shared priorities and activities at those levels. The State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC) will collaborate with partners to provide guidance for such plans.

The Federal government will work with the critical infrastructure community to provide updated guidance on cyber incident response.

3. Empower Local and Regional Partnerships to Build Capacity Nationally

Identify existing local and regional partnerships addressing critical infrastructure security and resilience, their focus and alignment with national partnership structures, and how to engage with them. Leverage State and major urban area fusion centers to engage with local and regional partners.

Expand a national network of critical infrastructure and SLTT partnerships and coalitions to complement and enhance the national-level focus on sectors, while remaining cognizant of varying legal structures in different jurisdictions and organizations.

Employ the THIRA process as a method to integrate human, physical, and cyber elements of critical infrastructure risk management. Using the existing process will facilitate better coordination of planning, resource allocation, and evaluation of progress by State and local governments, as well as local infrastructure owners and operators.

Develop and advance a joint set of regional preparedness projects demonstrating the integrated application of critical infrastructure risk management and planning. This will involve Federal agencies responsible for implementing PPD-8 and PPD-21 working collaboratively with states, metropolitan areas, rural communities, and regional coalitions.

4. Leverage Incentives to Advance Security and Resilience

Continue to identify, analyze, and where appropriate, implement incentives.

Support research and data gathering to quantify the potential costs imposed by a lack of critical infrastructure security and resilience, and inadequate cyber preparedness.

Establish innovation challenge programs to incentivize new solutions to strengthen infrastructure security and resilience during infrastructure planning, design, and redesign phases, including technological, engineering, and process improvements.

5. Enable Risk-Informed Decisionmaking through Enhanced Situational Awareness

Undertake a partnership-wide review of impediments to information sharing to support efforts to address those challenges and develop best practices. Analyze legal considerations, the classification or sensitive nature of certain information, laws and policies that govern information dissemination, and the need to build trust among partners.

Build upon the functional relationship descriptions developed as part of PPD-21 by further analyzing functional relationships within and across the Federal government (focused on critical infrastructure security and resilience) to identify overlaps, inefficiencies, and gaps and recommend changes to enhance situational awareness and risk-informed decisionmaking.

Develop streamlined, standardized processes to promote integration and coordination of information sharing via jointly developed doctrine and supporting SOPs.

Develop interoperability standards to enable more efficient information exchange through defined data standards and requirements, to include (1) a foundation for an information-sharing environment that has common data requirements and information flow and exchange across entities; and (2) sector-specific critical information requirements (i.e., critical reporting criteria), to allow for improved information flow and reporting to produce more complete and timely situational awareness for security and resilience.

6. Analyze Infrastructure Dependencies, Interdependencies, and Associated Cascading Effects

Mature the capability to identify and understand cross-sector physical and cyber dependencies and interdependencies over different time frames at international, national, regional, and local levels. Focus on the lifeline functions and resilience of global supply chains during potentially high-consequence incidents, given their importance to public health, welfare, and economic activity.

Continue to evolve the Cyber-Dependent Infrastructure Identification approach under Executive Order 13636 to consider the potential risks resulting from dependency on information and communications technology, and inform preparedness planning and capability development.

7. Identify, Assess, and Respond to Unanticipated Infrastructure Cascading Effects During and Following Incidents

Enhance the capability to rapidly identify and assess cascading effects involving the lifeline functions, and contribute to identifying infrastructure priorities—both known and emerging—during response and recovery efforts.

Enhance the capacity of critical infrastructure partners to work through incident management structures such as the ESFs to mitigate the consequences of disruptions to the lifeline functions.

8. Promote Infrastructure, Community, and Regional Recovery Following Incidents

Leverage Federal field staff (including Protective Security Advisors) and encourage states and localities to promote consideration of critical infrastructure challenges in pre-incident recovery planning, post-incident damage assessments, and development of recovery strategies.

Support examination of initiatives to enhance, repair, or replace infrastructure providing lifeline functions during recovery.

9. Strengthen Coordinated Development and Delivery of Technical Assistance, Training, and Education

Capture, report, and prioritize the technical assistance, training, and education needs of the various partners within the critical infrastructure community.

Examine current Federal technical assistance, training, and education programs to ensure that they support the national priorities and the risk management activities described in NIPP 2013 to advance progress toward the national goals.

Increase coordination of technical assistance efforts—particularly within DHS and among the SSAs—and leverage a wider network of partners to deliver training and education programs to better serve recipients and reach a wider audience while conserving resources.

Partner with academia to establish and update critical infrastructure curricula that help to train critical infrastructure professionals, including executives and managers, to manage the benefits and inherent vulnerabilities introduced by information and communications technologies in critical infrastructure assets, systems, and networks.

10. Improve Critical Infrastructure Security and Resilience by Advancing Research and Development Solutions

Promoting R&D to enable the secure and resilient design and construction of critical infrastructure and more secure accompanying cyber technology;

Enhancing modeling capabilities to determine the potential impacts of an incident or threat scenario on critical infrastructure, as well as cascading effects on other sectors;

Facilitating initiatives to incentivize cybersecurity investments and the adoption of critical infrastructure design features that strengthen all-hazards security and resilience; and

Prioritizing efforts to support the strategic guidance issued by DHS.

11. Evaluate Progress toward the Achievement of Goals

Jointly identify high-level outputs or outcomes associated with the national goals and priorities to facilitate evaluation of progress toward the goals and priorities.

Develop the Critical Infrastructure National Annual Report and National Preparedness Report annually through standardized data calls to SSAs and sector partners to build a national picture of progress toward the NIPP vision and goals and the National Preparedness Goal. Incorporate performance data from industry, SLTT, and regional entities to reflect progress throughout the critical infrastructure community at all levels.

12. Learn and Adapt During and After Exercises and Incidents

Develop and conduct exercises through participatory processes to suit diverse needs and purposes.

o Promote broad participation and coordination among government and interested private sector partners—including the R&D community—in exercise design, conduct, and evaluation to reflect the perspectives of all partners and maximize the value for future planning and operations.

o Develop exercises at multiple levels and in various formats to suit national, regional, and SLTT needs.

Design exercises to reflect lessons learned and test corrective actions from previous exercises and incidents, address both physical and cyber threats and vulnerabilities, and evaluate the transition from steady state to incident response and recovery efforts.

Share lessons learned and corrective actions from exercises and incidents, and rapidly incorporate them into technical assistance, training, and education programs to improve future security and resilience efforts.

NIST Cybersecurity Framework Performance Goals

The NIST Cybersecurity Framework identifies the following performance goals:

1. Critical systems and functions are identified and prioritized, and cyber risk is understood as part of a risk management plan.

2. Risk-informed actions are taken to protect critical systems and functions.

3. Resources are coordinated and applied to triage and respond to cyber events and incidents in order to minimize impacts to critical systems and functions.

4. Following a cyber incident, impacted critical systems and functions are reconstituted based on prior planning and informed by situational awareness.

5. Adverse cyber activities are detected and situational awareness of threats is maintained.

6. Security and resilience are continually improved based on lessons learned, consistent with risk management planning.

Alignment of NIPP Goals with Call to Action, Joint National Priorities, and Cybersecurity Framework

[Table: the column headings (NIPP Goals) and row headings are reproduced below; the cells marking which goal each row supports are not reproduced here.]

NIPP Goals (table columns):

o Assess & Analyze Risks to Critical Infrastructure to Inform Risk Mgmt. Activities

o Secure Critical Infrastructure Against Threats While Considering Costs and Benefits

o Enhance Critical Infrastructure Resilience by Minimizing Consequences & Employing Effective Response & Recovery

o Share Information to Enable Risk-Informed Decisions

o Promote Learning & Adaptation During/After Incidents & Exercises

Call to Action Activities (table rows):

1. Set national focus through jointly developed priorities.

2. Determine collective actions through joint planning efforts.

3. Empower local and regional partnerships to build capacity nationally.

4. Leverage incentives to advance security & resilience.

5. Enable risk-informed decisionmaking through enhanced situational awareness.

6. Analyze infrastructure dependencies, interdependencies, and associated cascading effects.

7. Identify, assess, and respond to unanticipated infrastructure cascading effects during and following incidents.

8. Promote infrastructure, community, and regional recovery following incidents.

9. Strengthen coordinated development and delivery of technical assistance, training, and education.

10. Improve critical infrastructure security and resilience by advancing R&D solutions.

11. Evaluate progress toward the achievement of goals.

12. Learn and adapt during and after exercises and incidents.

Draft Joint National Priorities (table rows):

o Strengthen the management of cyber and physical risks to critical infrastructure

o Enhance effectiveness in resilience decisionmaking

o Strengthen collaboration across sectors, jurisdictions, and disciplines

o Build capabilities and coordination for enhanced incident response and recovery

o Share information to improve prevention, protection, mitigation, response, and recovery activities

Cybersecurity Framework Performance Goals (table rows):

o Critical systems and functions are identified and prioritized, and cyber risk is understood as part of a risk management plan.

o Risk-informed actions are taken to protect critical systems and functions.

o Resources are coordinated and applied to triage and respond to cyber events and incidents in order to minimize impacts to critical systems and functions.

o Following a cyber incident, impacted critical systems and functions are reconstituted based on prior planning, and informed by situational awareness.

o Adverse cyber activities are detected and situational awareness of threats is maintained.

o Security and resilience are continually improved based on lessons learned, consistent with risk management planning.

Explanation of SSP Planning Elements

The table below provides an explanation of key planning elements used in the SSP.

SSP Planning Elements: Explanation

NIPP Goals: The five national goals included on page 5 of NIPP 2013 (provided in this appendix).

Sector Goals: The sector’s statement of goals that align with the NIPP goals.

Joint National Priorities: High-level priorities based on a collaborative process that is defined in Call to Action #1 on pages 21-22 of NIPP 2013 (provided in this appendix).

Sector Priorities: The most important broad focus areas that the sector will pursue over the next four years to advance the national goals. These are at a higher level than an activity. It is anticipated that all priorities will align and support one or more JNPs and Call to Action activities. However, not all JNPs/CtAs will be addressed.

Sector Activities: The identifiable actions that the sector will take to achieve both the NIPP and sector goals. These may be multi-year (ongoing) activities, or activities with more discrete periods and defined end points. Many, but not all, of the activities will align and support the JNPs and the Call to Action.

Relationship of the Sector Goals and Priorities to National-Level Goals

Each sector will develop sector goals, priorities, and activities that align with the NIPP Goals and Call to Action, and the Joint National Priorities. The figure below demonstrates how those sector goals and priorities relate to national-level guidance.

Proposed Language for SSP Introduction

The following sample text is provided to sectors to describe the purpose of the SSP. It can be tailored to meet each sector’s needs. However, using similar language on the purpose of the SSPs will help maintain consistency across the plans.

The purpose of the ______________ Sector-Specific Plan (SSP) is to guide and integrate the sector’s efforts to secure and strengthen the resilience of critical infrastructure and describe how the ___________ Sector contributes to national critical infrastructure security and resilience, as set forth in Presidential Policy Directive 21 (PPD-21). This SSP tailors the strategic guidance provided in NIPP 2013 to the unique operating conditions and risk landscape of the ___________ Sector.

This SSP represents a collaborative effort among the private sector; State, local, tribal, and territorial governments; non-governmental organizations; and Federal departments and agencies to work toward achieving shared goals and priorities to reduce critical infrastructure risk. It also reflects the maturation of the ____________ Sector partnership and the progress made by the sector since the 2010 SSP to address the evolving risk, operating, and policy environments.