review and revision of the national infrastructure protection plan


July 8, 2013

Lisa Barr
DHS/NPPD/IP/Office of Strategy and Policy
245 Murray Lane SW, Mail Stop 8530
Arlington, VA 20598-8530
Via e-mail to: [email protected]

RE: Review and Revision of the National Infrastructure Protection Plan (Docket # DHS-2013-0024)

Dear Ms. Barr:

The Information Technology Industry Council (ITI) appreciates the opportunity to respond to the Department’s planned rewrite of the National Infrastructure Protection Plan (NIPP) to conform to the requirements of Presidential Policy Directive (PPD) 21, Critical Infrastructure Security and Resilience.

ITI is the premier voice, advocate, and thought leader in the United States for the information and communications technology (ICT) industry. ITI’s members[1] comprise the world’s leading technology companies, with headquarters worldwide. Cybersecurity is rightly a priority for all governments. We share the goal with governments of improving cybersecurity and therefore our interests are fundamentally aligned. As both producers and users of cybersecurity products and services, our members have extensive experience working with governments around the world on cybersecurity policy. In the United States, ITI is a member of the IT Sector Coordinating Council (SCC), and many of our companies are members of the IT and/or Communications Sector Coordinating Councils. Through the SCCs and other bodies and avenues we take seriously our responsibility in the public-private partnership to improve cybersecurity.

ITI supports the review and revision of the NIPP to ensure that it remains relevant to the critical infrastructure (CI) mission over time. Based on the initial list of proposed changes included in the Federal Register (FR) notice, and the request for additional changes to make the NIPP more relevant and useful in strengthening the security and resilience of the nation’s critical physical and cyber infrastructure, ITI has the following comments and suggestions, which we present in relation to the headings in the FR.

Review of the Risk Management Approach

National Critical Infrastructure Prioritization Program (NCIPP): Consistent with the 2006 NIPP, DHS has established the NCIPP, which uses a tiered approach to identify nationally significant CI each year. Per a recent GAO report,[2] DHS has made several changes to how it assigns assets to the list but has not identified the impact of the changes on the list’s users or validated its approach to developing the list. A revised NIPP should explicitly call for all SCCs to have greater input into the development and review of the NCIPP prioritization lists.

[1] See attached ITI member list.

[2] U.S. Government Accountability Office, Critical Infrastructure Protection: DHS List of Priority Assets Needs to Be Validated and Reported to Congress, March 2013. http://www.gao.gov/assets/660/653300.pdf

IP-enabled infrastructure and assets: The 2009 NIPP reinforces the importance of joint input from both the IT and Communications sectors for IP-enabled infrastructure and assets. Future versions of the NIPP should seek to preserve this structure.

Closer Integration of Physical and Cyber Security

Research and development (R&D): Sector-specific R&D efforts for improving the resiliency of critical infrastructure, as outlined in PPD-21 (e.g. the National Critical Infrastructure Resilience and R&D Plan), should solicit input from both the associated Sector-Specific Agencies and SCCs.

Updates to Information-Sharing Tools and Mechanisms

Leveraging Executive Order (EO) 13636: Section 4 of EO 13636, Improving Critical Infrastructure Cybersecurity, focuses on increasing information sharing from government to industry. The EO outlines a number of steps intended to improve the government’s sharing of actionable information with the private sector on specific, targeted cyber threats as well as technical indicators that flag risks generally. Future versions of the NIPP should include the same steps presented in the EO.

Security and privacy: The revised NIPP should include comprehensive security mechanisms and privacy considerations for cyber threat data that federal entities may share with the private sector.

Other

Bolstering the public-private partnership: In revising and implementing a revised NIPP, DHS must fully implement and utilize the partnership structures and policies described in the original NIPP that are aimed toward improving our nation’s cybersecurity posture. The IT sector, through the IT SCC, began an effort in 2012 to work with DHS to identify ways to improve our collaboration. Although at a nascent stage, we are encouraged by our discussions with DHS thus far and appreciate their apparent commitment to aligning our goals and efforts to improve infrastructure protection and resilience, and in particular cyber security. However, it is imperative that the top leadership at DHS and in the Administration fully commit to executing the Department’s roles and responsibilities related to CIKR protection, as well as specific mechanisms for the governance, coordination, and information sharing necessary to enable effective partnerships, as described in the NIPP. A renewed commitment, followed by action, by DHS to partner with industry to set and execute on common cybersecurity goals via a NIPP framework will make our nation’s cyber posture stronger.

Outreach to other governments: We appreciate the outreach to U.S. industry that DHS is conducting regarding this NIPP rewrite. Outreach should not solely be domestic, however. The U.S. Government should conduct extensive global outreach to educate other governments about the NIPP and any planned revisions (what they are and what they are not) and encourage those governments to similarly take approaches to CI security and resilience based on public-private partnerships. This will minimize the chances that some governments might misunderstand DHS’s work and assume the U.S. Government is developing a new regulatory process related to cybersecurity. Particularly given that a number of governments around the world already misunderstand the U.S. public-private partnership approach, and are embarking down worrisome regulatory paths in the cybersecurity field, outreach to foreign governments explaining exactly what the Administration intends to do will help mitigate any chances foreign governments will develop their own policies based on a misunderstanding of ours.

ITI would like to thank DHS for its industry outreach regarding revision of the NIPP. We hope that our input is helpful and will receive due consideration. We are available at any time to elaborate on our comments and our suggestions. ITI and its members look forward to continuing to work with DHS and the Administration generally to improve America’s cybersecurity posture. Please continue to consider ITI a resource on cybersecurity issues moving forward.

Sincerely,

Danielle Kriz
Director, Global Cybersecurity Policy

ITI member companies

Apple Inc.