Along with the release of an executive order on Improving Critical Infrastructure Cybersecurity, President Obama signed a Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD-21) on February 12, 2013. This PPD effectively revokes the 2003 Homeland Security Presidential Directive-7, issued by President George W. Bush under the former Office of Homeland Security and the Homeland Security Council. This article presents a brief outline of the Directive.
Three Strategic Imperatives
The new PPD makes changes appropriate to the new risk environment, ensuring that the nation’s critical infrastructure is more resilient. It seeks to accomplish three strategic imperatives initiated by the Department of Homeland Security (DHS) via a collaborative effort with sector-specific government agencies (SSAs), other government entities and the owners and operators of the nation’s critical infrastructure. These three imperatives are outlined below:
- “… refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience.”
This imperative forces a review of the Critical Infrastructure Partnership Advisory Council (CIPAC) partnership model in order to identify areas of improvement. Current partnership engagement has had some success; however, many argue there is a need for a system-wide improvement to fulfill the new missions established by the PPD and the Executive Order.
The PPD establishes two national critical infrastructure centers operated by DHS – one for physical infrastructure, the other for cyber infrastructure. It’s likely that the centers will have to coordinate the operations and information exchange between them, as well as with the private sector.
- “… enable effective information exchange by identifying baseline data and systems requirements for the Federal government.”
The goal of this imperative is to enable efficient information exchange and promote greater information sharing between government and the private sector, consistent with applicable law and policy.
- “… implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure.”
In protecting the homeland, it is recognized that a necessary government function is to analyze the security of the nation’s critical infrastructure. Currently, this is accomplished through the DHS National Protection and Programs Directorate (NPPD). The newly established constructs of the PPD require the DHS to increase focus on the following areas:
a) Prioritize assets and manage risks
b) Anticipate interdependencies and cascading impacts
c) Recommend security and resilience measures
d) Support incident management and restoration efforts
Just like the Executive Order on Improving Critical Infrastructure Cybersecurity, the PPD sets deadlines for government action. DHS has 120 days to develop a description of the functional relationships within DHS and across the federal government related to critical infrastructure security and resilience. This will serve as a roadmap for the private sector to better understand the government’s functions.
The DHS, along with SSAs and critical infrastructure owners and operators, has 150 days to complete an assessment of the existing public-private partnership model and recommend options for improving the partnership.
Through a similar coordinated effort with SSAs and the private sector, the DHS has 180 days to identify baseline data and systems requirements for the federal government to enable efficient information exchange.
The DHS has 240 days to develop a situational awareness capability for critical infrastructure. Within this timeframe, the DHS is also required to update the National Infrastructure Protection Plan (NIPP).
The DHS must complete a national critical infrastructure security and resilience research and development plan within two years.
This article provides a brief summary of the Presidential Policy Directive on Critical Infrastructure Security and Resilience (PPD-21), which was signed by President Obama on February 12, 2013.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/United States (CIPP/US), a privacy professional should be comfortable with topics related to this post, including:
- National security and privacy (III.B.)