Intro to Intelligence – Overview of National Infrastructure Protection
From a terrorist’s standpoint, what conditions must exist for an attack to be successful? Why is it important to know this? How can we gain Intelligence in this arena? What is the value of knowing, gaining knowledge and speculating to all of this?
https://en.wikipedia.org/wiki/Patriot_Act
Homeland Security, First Edition
2012 Pearson Education, Inc.
All rights reserved.
Overview of National Infrastructure Protection
CHAPTER 3
Homeland Security, First Edition
Gaines
2012 Pearson Education, Inc.
All Rights Reserved.
Homeland Security
Critical Infrastructure Assets
Human Assets
Physical Infrastructure
Cyber Infrastructure
The National Infrastructure Protection Plan
(Measurement of Effort)
Accountability Measurement
Guide Future Expenditures
Provide an Estimate of Success
The National Infrastructure Protection Plan and Risk Management Framework
Risk Management
Operations Research
Program Evaluation
Six Actions for Security Assets
Set Security Goals
Identify Assets, Systems, Networks and Functions
Assess Risk
Prioritize
Implement Protective Programs
Measure Effectiveness
Critique of the National Infrastructure Protection Plan Model
No Firm Established Security Goal
Questionable Assurance of Asset Database
No Adequate Determination of Consequences of Attacks on Specific Assets
Bottom Up Approach Review
Allow For Review of Security Measures Across Various Industries
Evaluate Systems in Terms of Cost and Effectiveness
Will Lead to High Levels of Security in Terms of Asset Protection
The Reality of Critical Infrastructure Protection State Responsibilities
Organize and Plan for Homeland Security Events
Utilize Infrastructure Risk Management
Share Information With Private Sector and Other Government Entities
Coordinate Activities With Agencies Involved with Homeland Security
Key Critical Infrastructure Sectors
Water: 170,000 Water Systems in U.S.
Energy: Oil, Gas, and Electricity
Airline Security Cargo
Hotel Security
Transportation (Rail and Roadways)
Legal Aspects of Homeland Security
CHAPTER 4
Presidential Executive Orders and Directives
Govern the Execution of Public Policy
Force of Law Depending on Their Substantive Effect
Links Policy Statement of the Executive Branch of Government to Existing Legislation
Links Governmental Policy to Existing Legislation
Remains in Effect Until a President Changes It
Executive Orders of President
Bill Clinton
Control Over the Proliferation of WMDs
Control of Financial Transactions That Support Terrorism
Collection of Intelligence
Protection of the Nation's Critical Infrastructure
Executive Orders of President George W. Bush
Established the Office of Homeland Security and the Homeland Security Council
Created National Counterterrorism Center
Interrogation of Terrorist Suspects
Enhanced Homeland Security and Protect Against the Threat of Terrorism
Executive Orders of President Barack Obama
Guantanamo Bay Review
Ensure Lawful Interrogations
Federal Antiterrorism Statutes Passed by Congress
Antiterrorism and Effective Death Penalty Act of 1996
The USA Patriot Act
Collection of Communications
Foreign Intelligence Investigation
Money Laundering
Funding and Enhancing National Border Security
US Foreign Intelligence Surveillance Court
National Infrastructure Protection Plan
2006
Preface
The ability to protect the critical infrastructure and key resources (CI/KR) of
the United States is vital to our national security, public health and safety,
economic vitality, and way of life. U.S. policy focuses on the importance of
enhancing CI/KR protection to ensure that essential governmental missions,
public services, and economic functions are maintained in the event of a
terrorist attack, natural disaster, or other type of incident, and that elements
of CI/KR are not exploited for use as weapons of mass destruction against
our people or institutions.
The President directed me to coordinate and implement national initiatives
and develop a national plan to unify and enhance CI/KR protection efforts
through an unprecedented partnership involving the private sector, as well
as Federal, State, local, and tribal governments. The National Infrastructure
Protection Plan (NIPP) meets the requirements that the President set forth in
Homeland Security Presidential Directive 7 (HSPD-7), Critical Infrastructure Identification, Prioritization,
and Protection, and provides the overarching approach for integrating the Nation's many CI/KR protection
initiatives into a single national effort.
The NIPP provides the coordinated approach that will be used to establish national priorities, goals, and
requirements for CI/KR protection so that Federal funding and resources are applied in the most effective
manner to reduce vulnerability, deter threats, and minimize the consequences of attacks and other
incidents. It establishes the overarching concepts relevant to all CI/KR sectors identified in HSPD-7, and
addresses the physical, cyber, and human considerations required for effective implementation of comprehensive
programs. The plan specifies the key initiatives, milestones, and metrics required to achieve
the Nation's CI/KR protection mission. It sets forth a comprehensive risk management framework and
clearly defined roles and responsibilities for the Department of Homeland Security; Federal Sector-Specific
Agencies; and other Federal, State, local, tribal, and private sector security partners.
The NIPP was developed through extensive coordination with security partners at all levels of government
and the private sector. The processes described herein can be adapted and tailored to sector and individual
security partner requirements. Participation in the implementation of the NIPP provides the government
and the private sector the opportunity to use collective expertise and experience to more clearly define
CI/KR protection issues and practical solutions and to ensure that existing CI/KR protection planning
efforts, including business continuity and resiliency planning, are recognized.
Continued cooperation and collaboration between and among these security partners is critical to the
successful implementation of this plan. The NIPP provides specific implementation guidance for Federal
departments and agencies and implementation recommendations for other security partners. I ask for
your continued commitment and cooperation as we move forward to develop and implement the sector-specific
aspects of the NIPP and enhance the protection of the Nation's CI/KR.
Michael Chertoff
Secretary
Department of Homeland Security
Letter of Agreement
The National Infrastructure Protection Plan (NIPP) provides the unifying structure for the integration
of critical infrastructure and key resources (CI/KR) protection into a single national program. The NIPP
provides an overall framework for programs and activities that are currently underway in the various
sectors, as well as new and developing CI/KR protection efforts. This collaborative effort between the
private sector; State, Territorial, local, and tribal governments; nongovernmental organizations; and the
Federal Government will result in the prioritization of protection initiatives and investments across sectors.
It also will ensure that resources are applied where they offer the most benefit for mitigating risk by
lowering vulnerabilities, deterring threats, and minimizing the consequences of terrorist attacks and other
incidents. By signing this letter of agreement, Sector-Specific Agencies and other Federal departments
and agencies with special functions related to CI/KR protection, as designated in Homeland Security
Presidential Directive 7 (HSPD-7), commit to:
Support NIPP concepts, frameworks, and processes, and carry out their assigned functional
responsibilities as appropriate and consistent with their own agency-specific authorities, resources,
and programs regarding the protection of CI/KR as described herein;
Work with the Secretary of Homeland Security, as appropriate and consistent with their own
agency-specific authorities, resources, and programs, to coordinate funding and implementation of
programs that enhance CI/KR protection;
Provide annual reports, consistent with HSPD-7 requirements, to the Secretary of Homeland Security
on their efforts to identify, prioritize, and coordinate CI/KR protection in their respective sectors;
Coordinate development of Sector-Specific Plans (SSPs) in collaboration with security partners and
submit completed SSPs to the Department of Homeland Security within 180 days of final approval
of the NIPP. Each SSP will align with the NIPP risk management framework and include a menu of
sector-specific protective activities and a description of the sector's information-sharing mechanisms
and protocols;
Undertake the initiatives and actions outlined in the NIPP Initial Implementation Initiatives and
Actions matrix in appendix 2B of this plan;
Develop or modify existing interagency and agency-specific CI/KR plans, as appropriate, to facilitate
compliance with the NIPP and SSPs;
Develop and maintain partnerships for CI/KR protection with appropriate State, regional, local,
tribal, and international entities; the private sector; and nongovernmental organizations as described
herein; and
Protect critical infrastructure information according to the Protected Critical Infrastructure
Information program or other appropriate guidelines, and share information relevant to CI/KR
protection (e.g., actionable information on threats, incidents, CI/KR status, etc.) as appropriate and
consistent with their own agency-specific authorities and the processes described herein.
Signatory departments and agencies follow.
Signatories
Mike Johanns
Secretary
Department of Agriculture
Donald H. Rumsfeld
Secretary
Department of Defense
Samuel W. Bodman
Secretary
Department of Energy
Robert S. Mueller, III
Director
Federal Bureau of Investigation
Carlos M. Gutierrez
Secretary
Department of Commerce
Margaret Spellings
Secretary
Department of Education
Stephen L. Johnson
Administrator
Environmental Protection Agency
Michael O. Leavitt
Secretary
Department of Health and Human Services
Michael Chertoff
Secretary
Department of Homeland Security
Alberto R. Gonzales
Attorney General
Department of Justice
Condoleezza Rice
Secretary
Department of State
P. Lynn Scarlett
Acting Secretary
Department of the Interior
Nils Diaz
Chairman
Nuclear Regulatory Commission
Maria Cino
Deputy Secretary
Department of Transportation
John W. Snow
Secretary
Department of the Treasury
Table of Contents
Preface
Letter of Agreement
Signatories
Executive Summary
1. Introduction
1.1 Purpose
1.2 Scope
1.3 Applicability
1.3.1 Goal
1.3.2 The Value Proposition
1.4 Threats to the Nation's CI/KR
1.4.1 The Vulnerability of the U.S. Infrastructure to 21st Century Threats
1.4.2 The Nature of Possible Terrorist Attacks
1.5 All-Hazards and CI/KR Protection
1.6 Planning Assumptions
1.6.1 Sector-Specific Nature of CI/KR Protection
1.6.2 Cross-Sector Dependencies and Interdependencies
1.6.3 Adaptive Nature of the Terrorist Threat
1.6.4 All-Hazards Nature of CI/KR Protection
1.7 Special Considerations
1.7.1 Protection of Sensitive Information
1.7.2 The Cyber Dimension
1.7.3 The Human Element
1.7.4 International CI/KR Protection
1.8 Achieving the Goal of the NIPP
1.8.1 Understanding and Sharing Information
1.8.2 Building Security Partnerships
1.8.3 Implementing a Long-Term CI/KR Risk Management Program
1.8.4 Maximizing Efficient Use of Resources for CI/KR Protection
2. Authorities, Roles, and Responsibilities
2.1 Authorities
2.2 Roles and Responsibilities
2.2.1 Department of Homeland Security
2.2.2 Sector-Specific Agencies
2.2.3 Other Federal Departments, Agencies, and Offices
2.2.4 State, Local, and Tribal Governments
2.2.5 Private Sector Owners and Operators
2.2.6 Advisory Councils
2.2.7 Academia and Research Centers
3. The Protection Program Strategy: Managing Risk
3.1 Set Security Goals
3.2 Identify Assets, Systems, Networks, and Functions
3.2.1 National Infrastructure Inventory
3.2.2 Protecting and Accessing Inventory Information
3.2.3 SSA Roles in Inventory Development and Maintenance
3.2.4 State Roles in Inventory Development and Maintenance
3.2.5 Identifying Cyber Infrastructure
3.2.6 Identifying Positioning, Navigation, and Timing Services
3.3 Assess Risks
3.3.1 NIPP Baseline Criteria for Assessment Methodologies
3.3.2 Consequence Analysis
3.3.3 Vulnerability Assessment
3.3.4 Threat Analysis
3.4 Prioritize
3.4.1 The Prioritization Process
3.4.2 Tailoring Prioritization Approaches to Sector Needs
3.4.3 The Uses of Prioritization
3.5 Implement Protective Programs
3.5.1 Protective Actions
3.5.2 Characteristics of Effective Protective Programs
3.5.3 Protective Programs, Initiatives, and Reports
3.6 Measure Effectiveness
3.6.1 NIPP Metrics and Measures
3.6.2 Gathering Performance Information
3.6.3 Assessing Performance and Reporting on Progress
3.7 Using Metrics and Performance Measurement for Continuous Improvement
4. Organizing and Partnering for CI/KR Protection
4.1 Leadership and Coordination Mechanisms
4.1.1 National-Level Coordination
4.1.2 Sector Partnership Coordination
4.1.3 Regional Coordination and the Partnership Model
4.1.4 International CI/KR Protection Cooperation
4.2 Information Sharing: A Network Approach
4.2.1 Information Sharing Between NIPP Security Partners
4.2.2 Information-Sharing Life Cycle
4.2.3 The Information-Sharing Approach
4.2.4 The Federal Intelligence Node
4.2.5 The Federal Infrastructure Node
4.2.6 State, Local, Tribal, and Regional Node
4.2.7 Private Sector Node
4.2.8 DHS Operations Node
4.2.9 Other Information-Sharing Nodes
4.3 Protection of Sensitive CI/KR Information
4.3.1 Protected Critical Infrastructure Information Program
4.3.2 Other Information Protection Protocols
4.4 Privacy and Constitutional Freedoms
5. Integrating CI/KR Protection as Part of the Homeland Security Mission
5.1 A Coordinated National Approach to the Homeland Security Mission
5.1.1 Legislation
5.1.2 Strategies
5.1.3 Homeland Security Presidential Directives and National Initiatives
5.2 The CI/KR Protection Component of the Homeland Security Mission
5.3 Relationship of NIPP and SSPs to Other CI/KR Plans and Programs
5.3.1 Sector-Specific Plans
5.3.2 State, Regional, Local, and Tribal CI/KR Protection Programs
5.3.3 Other Security Partner Plans or Programs Related to CI/KR Protection
5.4 CI/KR Protection and Incident Management
5.4.1 The National Response Plan
5.4.2 Transitioning From NIPP Steady-State to Incident Management
6. Ensuring an Effective, Efficient Program Over the Long Term
6.1 Building National Awareness
6.2 Enabling Education, Training, and Exercise Programs
6.2.1 Types of Expertise for CI/KR Protection
6.2.2 Individual Education and Training
6.2.3 Organizational Training and Exercises
6.2.4 Security Partner Role and Approach
6.3 Conducting Research and Development and Using Technology
6.3.1 R&D Programs
6.3.2 The SAFETY Act
6.3.3 National Critical Infrastructure Protection R&D Plan
6.3.4 Cyber Security R&D Planning
6.3.5 Other R&D That Supports CI/KR Protection
6.3.6 Technology Pilot Programs
6.4 Building, Protecting, and Maintaining Databases, Simulations, and Other Tools
6.4.1 National CI/KR Protection Data Systems
6.4.2 Simulation and Modeling
6.4.3 Coordination With Security Partners on Databases and Modeling
6.5 Continuously Improving the NIPP and the SSPs
6.5.1 Management and Coordination
6.5.2 Maintenance and Updating
7. Providing Resources for the CI/KR Protection Program
7.1 The Risk-Based Resource Allocation Process
7.1.1 Sector-Specific Agency Reporting to DHS
7.1.2 State Government Reporting to DHS
7.1.3 Aggregating Submissions to DHS
7.2 Federal Resource Allocation Process for DHS, the SSAs, and Other Federal Agencies
7.2.1 Department of Homeland Security
7.2.2 Sector-Specific Agencies
7.2.3 Summary of Roles and Responsibilities
7.3 Federal Resources for State and Local Government Preparedness
7.4 Other Federal Grant Programs That Contribute to CI/KR Protection
7.5 Setting an Agenda in Collaboration With CI/KR Protection Security Partners
List of Acronyms and Abbreviations
Glossary of Key Terms
Appendixes
Appendix 1: Special Considerations
Appendix 1A: Cross-Sector Cyber Security
Appendix 1B: International CI/KR Protection
Appendix 2: Authorities, Roles, and Responsibilities
Appendix 2A: Summary of Relevant Statutes, Strategies, and Directives
Appendix 2B: NIPP Initial Implementation Initiatives and Actions
Appendix 3: Managing Risks
Appendix 3A: NIPP Baseline Criteria for Assessment Methodologies
Appendix 3B: Existing Protective Programs and Other In-Place Measures
Appendix 3C: National Asset Database
Appendix 4: Organizing and Partnering for CI/KR Protection: Existing Coordination Mechanisms
Appendix 5: Integrating CI/KR Protection as Part of the Homeland Security Mission
Appendix 5A: State, Local, and Tribal Government Considerations
Appendix 5B: Recommended Homeland Security Practices for Use by the Private Sector
Appendix 6: Research and Development to Improve CI/KR Protection Capabilities
List of Figures and Tables
Figures
Figure S-1: Protection
Figure S-2: NIPP Risk Management Framework
Figure 1-1: Protection
Figure 3-1: NIPP Risk Management Framework
Figure 3-2: NIPP Risk Management Framework: Set Security Goals
Figure 3-3: NIPP Risk Management Framework: Identify Assets, Systems, Networks, and Functions
Figure 3-4: NIPP Risk Management Framework: Assess Risks
Figure 3-5: Threat Analysis Combines Intelligence and Infrastructure Expertise to Provide Threat and Incident Information and Strategic Planning Information
Figure 3-6: NIPP Risk Management Framework: Prioritize
Figure 3-7: NIPP Risk Management Framework: Implement Protective Programs
Figure 3-8: NIPP Risk Management Framework: Measure Effectiveness
Figure 3-9: NIPP Risk Management Framework: Feedback Loop for Continuous Improvement of CI/KR Protection
Figure 4-1: Sector Partnership Model
Figure 4-2: NIPP Networked Information-Sharing Approach
Figure 5-1: National Framework for Homeland Security
Figure 5-2: Sector-Specific Plan Structure
Figure 7-1: National CI/KR Protection Annual Report Process
Figure 7-2: National CI/KR Protection Annual Report Analysis
Figure 7-3: DHS and SSA Roles and Responsibilities in Federal Resource Allocation
Tables
Table S-1: Sector-Specific Agencies and HSPD-7 Assigned CI/KR Sectors
Table 2-1: Sector-Specific Agencies and HSPD-7 Assigned CI/KR Sectors
Table 3C-1: Database Integration
Executive Summary
Protecting the critical infrastructure and key resources (CI/KR) of the United States is essential to the
Nation's security, public health and safety, economic vitality, and way of life. Attacks on CI/KR could
significantly disrupt the functioning of government and business alike and produce cascading effects
far beyond the targeted sector and physical location of the incident. Direct terrorist attacks and natural,
manmade, or technological hazards could produce catastrophic losses in terms of human casualties,
property destruction, and economic effects, as well as profound damage to public morale and confidence.
Attacks using components of the Nation's CI/KR as weapons of mass destruction could have even more
devastating physical and psychological consequences.
1 Introduction
The overarching goal of the National Infrastructure Protection
Plan (NIPP) is to:
Build a safer, more secure, and more resilient America by
enhancing protection of the Nation's CI/KR to prevent,
deter, neutralize, or mitigate the effects of deliberate efforts
by terrorists to destroy, incapacitate, or exploit them; and to
strengthen national preparedness, timely response, and rapid
recovery in the event of an attack, natural disaster, or other
emergency.
The NIPP provides the unifying structure for the integration
of existing and future CI/KR protection efforts into a single
national program to achieve this goal. The NIPP framework
will enable the prioritization of protection initiatives and
investments across sectors to ensure that government and
private sector resources are applied where they offer the
most benefit for mitigating risk by lessening vulnerabilities,
deterring threats, and minimizing the consequences of terrorist
attacks and other manmade and natural disasters. The
NIPP risk management framework recognizes and builds on
existing protective programs and initiatives.
Protection includes actions to mitigate the overall risk to
CI/KR assets, systems, networks, functions, or their interconnecting
links resulting from exposure, injury, destruction,
incapacitation, or exploitation. In the context of the
NIPP, this includes actions to deter the threat, mitigate
vulnerabilities, or minimize consequences associated with a
terrorist attack or other incident (see figure S-1). Protection
can include a wide range of activities, such as hardening
facilities, building resiliency and redundancy, incorporating
hazard resistance into initial facility design, initiating active
or passive countermeasures, installing security systems,
promoting workforce surety programs, and implementing
cyber security measures, among various others.
More information about the NIPP is available on the Internet at:
www.dhs.gov/nipp or by contacting DHS at: [emailprotected]
Achieving the NIPP goal requires actions to address a series
of objectives that include:
Understanding and sharing information about terrorist
threats and other hazards;
Building security partnerships to share information and
implement CI/KR protection programs;
Implementing a long-term risk management program; and
Maximizing efficient use of resources for CI/KR protection.
These objectives require a collaborative partnership between
and among a diverse set of security partners, including
the Federal Government; State, Territorial, local, and tribal
governments; the private sector; international entities; and
nongovernmental organizations. The NIPP provides the
framework that defines the processes and mechanisms that
these security partners will use to develop and implement
the national program to protect CI/KR across all sectors over
the long term.
2 Authorities, Roles, and Responsibilities
The Homeland Security Act of 2002 provides the basis for
Department of Homeland Security (DHS) responsibilities in
the protection of the Nation's CI/KR. The act assigns DHS the
responsibility to develop a comprehensive national plan for
securing CI/KR and for recommending measures necessary
to protect the key resources and critical infrastructure of
the United States in coordination with other agencies of the
Federal Government and in cooperation with State and local
government agencies and authorities, the private sector, and
other entities.
The national approach for CI/KR protection is provided
through the unifying framework established in Homeland
Security Presidential Directive 7 (HSPD-7). This directive
establishes the U.S. policy for enhancing protection of the
Nation's CI/KR and mandates a national plan to actuate that
policy. In HSPD-7, the President designates the Secretary of
Homeland Security as the principal Federal official to lead
CI/KR protection efforts among Federal departments and
agencies, State and local governments, and the private sector
and assigns responsibility for CI/KR sectors to specific Sector-Specific
Agencies (SSAs) (see table S-1). In accordance with
HSPD-7, the NIPP delineates roles and responsibilities for
security partners in carrying out CI/KR protection activities
while respecting and integrating the authorities, jurisdictions,
and prerogatives of these security partners.
Primary roles for CI/KR security partners include:
Department of Homeland Security: Manage the Nation's
overall CI/KR protection framework and oversee NIPP
development and implementation.
Sector-Specific Agencies: Implement the NIPP framework
and guidance as tailored to the specific characteristics and
risk landscapes of each of the CI/KR sectors designated in
HSPD-7.
Other Federal Departments, Agencies, and Offices:
Implement specific CI/KR protection roles designated in
HSPD-7 or other relevant statutes, executive orders, and
policy directives.
State, Local, and Tribal Governments: Develop and implement
a CI/KR protection program as a component of their
overarching homeland security programs.
Regional Partners: Use partnerships that cross jurisdictional
and sector boundaries to address CI/KR protection
within a defined geographical area.
Boards, Commissions, Authorities, Councils, and Other
Entities: Perform regulatory, advisory, policy, or business
oversight functions related to various aspects of CI/KR
operations and protection within and across sectors and
jurisdictions.
Private Sector Owners and Operators: Undertake CI/KR
protection, restoration, coordination, and cooperation
activities, and provide advice, recommendations, and
subject matter expertise to the Federal Government.
Homeland Security Advisory Councils: Provide advice,
recommendations, and expertise to the government
regarding protection policy and activities.
Academia and Research Centers: Provide CI/KR protection
subject matter expertise, independent analysis, research
and development (R&D), and educational programs.
Figure S-1: Protection
Table S-1: Sector-Specific Agencies and HSPD-7 Assigned CI/KR Sectors
1 The Department of Agriculture is responsible for agriculture and food (meat, poultry, and egg products).
2 The Department of Health and Human Services is responsible for food other than meat, poultry, and egg products.
3 Nothing in this plan impairs or otherwise affects the authority of the Secretary of Defense over the Department of Defense (DOD), including the chain of
command for military forces from the President as Commander in Chief, to the Secretary of Defense, to the commander of military forces, or military command
and control procedures.
4 The Energy Sector includes the production, refining, storage, and distribution of oil, gas, and electric power, except for commercial nuclear power facilities.
5 The U.S. Coast Guard is the SSA for the maritime transportation mode.
6 As stated in HSPD-7, the Department of Transportation and the Department of Homeland Security will collaborate on all matters relating to transportation
security and transportation infrastructure protection.
3 The CI/KR Protection Program Strategy: Managing Risk
The cornerstone of the NIPP is its risk management framework
(see figure S-2) that establishes the processes for combining
consequence, vulnerability, and threat information to
produce a comprehensive, systematic, and rational assessment
of national or sector risk. The risk management framework
is structured to promote continuous improvement to
enhance CI/KR protection by focusing activities on efforts
to: set security goals; identify assets, systems, networks, and
functions; assess risk based on consequences, vulnerabilities
and threats; establish priorities based on risk assessments;
implement protective programs; and measure effectiveness.
The results of these processes drive CI/KR risk-reduction and
risk management activities. The framework applies to the
strategic threat environment that shapes program planning,
as well as to specific threats or incident situations. DHS, the
SSAs, and other security partners share responsibilities for
implementing the risk management framework.
DHS, in collaboration with other security partners, measures
the effectiveness of CI/KR protection efforts to provide
constant feedback. This allows continuous refinement of the
national CI/KR protection program in a dynamic process to
efficiently achieve NIPP goals and objectives.
The risk management framework is tailored and applied
on an asset, system, network, or function basis, depending
on the fundamental characteristics of the individual CI/KR
sectors. Sectors that are primarily dependent on fixed assets
and physical facilities may use a bottom-up, asset-by-asset
approach, while sectors (such as Telecommunications and
Information Technology) with diverse and logical assets may
use a top-down business or mission continuity approach.
Each sector chooses the approach that produces the most
actionable results for the sector and works with DHS to
ensure that the relevant risk analysis procedures are compatible
with the criteria established in the NIPP.
4 Organizing and Partnering for CI/KR Protection
The enormity and complexity of the Nation's CI/KR, the
distributed character of its associated protective architecture,
and the uncertain nature of the terrorist threat and
other manmade and natural disasters make the effective
implementation of protection efforts a great challenge. To
be effective, the NIPP must be implemented using organizational
structures and partnerships committed to sharing
and protecting the information needed to achieve the NIPP
goal and supporting objectives.
The NIPP defines the organizational structures that provide
the framework for coordination of CI/KR protection
efforts at