
A Guide to Critical Infrastructure and Key Resources Protection at the State, Regional, Local, Tribal, and Territorial Level

September 2008

Table of Contents

Preface
Executive Summary
    1. Introduction
    2. Planning for CIKR Protection
    3. Information Sharing and Protection
    4. Using the Risk Management Framework to Develop a Plan
    5. Cybersecurity Considerations
    6. Coordinating CIKR Protection R&D Efforts
    7. Managing CIKR Protection Programs and Activities
1. Introduction
    1.1 Background – The NIPP and the SSPs
    1.2 Sector Partnership Model
    1.3 Roles and Responsibilities
2. Planning for CIKR Protection
    2.1 CIKR Protection and Grants
    2.2 The NIPP and the NRF -- Complementary Efforts
    2.3 Working with CIKR Partners
3. Information Sharing and Protection
    3.1 Information Sharing
    3.2 Fusion Centers
    3.3 Information Protection
4. Using the Risk Management Framework to Develop a Plan
    4.1 Introduction and Background
    4.2 Setting Goals, Objectives, and Criteria
    4.3 Identifying Assets, Systems, and Networks
    4.4 Assessing Risks
    4.5 Prioritizing Infrastructure
    4.6 Developing and Implementing Protective Programs and Resiliency Strategies
    4.7 Measuring Progress
5. Cybersecurity Considerations
6. Coordinating CIKR Protection R&D Efforts
7. Managing CIKR Protection Programs and Activities
    7.1 Program Management Approach
    7.2 Plan Maintenance and Update
    7.3 Annual Reporting
    7.4 Education, Training, and Outreach
    7.5 Implementation Plans
Appendix A – Coordinating with Grant Programs
Appendix B – DHS Programs and Resources
    B.1 Vulnerability Assessment Program
    B.2 Bombing Prevention
    B.3 Protective Security Advisor Program
    B.4 Homeland Infrastructure Threat and Risk Analysis Center (HITRAC)
    B.5 Homeland Security Information Network (HSIN)
    B.6 Critical Infrastructure Warning Information Network (CWIN)
    B.7 Protected Critical Infrastructure Information (PCII)
    B.8 Constellation/Automated Critical Asset Management System (C/ACAMS)
    B.9 CIKR Asset Protection Technical Assistance Program (CAPTAP)
    B.10 Integrated Common Analytical Viewer (iCAV)
    B.11 Chemical Facility Anti-Terrorism Standards (CFATS)
    B.12 Risk-Based Performance Standards
    B.13 National Infrastructure Coordinating Center (NICC)
    B.14 National Exercise Program (NEP)
    B.15 Maritime Assessment and Strategy Toolkit (MAST) Technical Assistance Program
    B.16 Transit Risk Assessment Module (TRAM) Technical Assistance Program
    B.17 Maritime Transportation Security Act
Appendix C – Critical Infrastructure and Key Resources Protection Capabilities for Fusion Centers

Preface

States, regions, and communities have unique concerns arising from the functional and geographical interdependencies of critical infrastructure and key resources (CIKR) in their areas, as well as the need to share information across boundaries. Each area also has a unique mix of infrastructure and, as illustrated in their respective Sector-Specific Plans (SSPs), each sector has unique issues and concerns that result in very different approaches to protection. There may be CIKR that are very important to the local economy and the safety and confidence of the population, even if they are not nationally significant. Thus, it is important for State, regional, local, tribal, and territorial CIKR protection and resiliency efforts to help implement the National Infrastructure Protection Plan (NIPP) and the associated SSPs, and also to support more specific, localized concerns.

This document helps interpret the requirements of the NIPP at these various non-Federal levels and outlines the attributes, capabilities, needs, and processes that a State or other governmental entity should include in establishing its own CIKR protection function so that it integrates with the NIPP.

CIKR protection is an ongoing process with multiple intersecting elements. The NIPP provides the framework for the unprecedented cooperation that is needed to develop, implement, and maintain a coordinated national effort that brings together government at all levels, the private sector, nongovernmental organizations, and international CIKR partners. The NIPP addresses infrastructure protection and resiliency in an all-hazards environment. The most effective protective practices and resiliency strategies are often those that offer benefits in the case of terrorist threats as well as natural hazards and man-made failures.

The Department of Homeland Security (DHS) recognizes that implementation of the CIKR protection mission requires the cooperation of, and coordination between, Federal departments and agencies; State, local, tribal, and territorial governments; regional coalitions; private sector owners and operators; and international partners. The NIPP is supported by SSPs that provide further detail on how the CIKR mission of each sector will be carried out. (These documents may be obtained at www.dhs.gov/NIPP or by emailing DHS at [email protected].)

To align with the NIPP, non-Federal CIKR protection plans and resiliency strategies should explicitly address:

    CIKR protection roles and responsibilities;
    Building partnerships and information sharing;
    Implementing the NIPP Risk Analysis/Management Framework;
    Developing procedures for data use and protection;
    Leveraging ongoing sector-based activities for CIKR protection and resiliency; and
    Integrating Federal and sector CIKR protection activities.