Commercial Facilities Sector-Specific Plan An Annex to the National Infrastructure Protection Plan 2010 Preface The Commercial Facilities (CF) Sector is widely diverse in both scope and function. A dominant influence on the Nation’s economy, this sector includes retail centers, hotels, casinos, theme parks, motion picture production studios, office and apart­ ment buildings, convention centers, sports stadiums, and other sites where large numbers of people congregate to pursue business activities, conduct personal commercial transactions, and enjoy recreational pastimes and accommodations. The sector is composed primarily of privately owned facilities that operate on the principle of open public access, meaning the public may move freely throughout these facilities without the deterrent of highly visible security barriers. Each owner and operator has distinct assets, operational processes, business environments, and risk management approaches that vary across all business lines because of the considerable diversity in their objectives. These characteristics require an integrated and comprehensive approach to protecting critical infrastructure and key resources (CIKR) in the sector. The CF Sector-Specific Plan (SSP) complements the National Infrastructure Protection Plan (NIPP) by developing efforts to improve the protection of the CF Sector in an all-hazards environment. This SSP describes the processes used to identify, assess, and protect CIKR; and the plans to implement these processes and measure effectiveness. The SSP also helps define the partnership between the Commercial Facilities Sector-Specific Agency (CF SSA), other SSAs, and those additional partners protecting the sector through implementation of risk mitigation activities. This 2010 release of the CF SSP reflects the maturation of the CF Sector partnership and the progress of the sector programs first outlined in the 2007 SSP. Examples of CF Sector accomplishments since the publication of the 2007 SSP include the following: • Worked in partnership with the Emergency Services Sector and the Retail Subsector to develop training and awareness mate­ rials entitled, “Active Shooter: How to Respond.” • Developed the Risk Self-Assessment Tool for Stadiums and Arenas and the Evacuation Planning Guide for Stadiums. • Expanded cybersecurity outreach efforts by partnering with the National Cybersecurity Division (NCSD) to distribute its tools and services to sector partners. • Partnered with the CF Sector Coordinating Council (SCC), IICD, and HITRAC in developing the criteria to be used for the Level 2 and Sector lists. • Improved information sharing through the sponsorship of security clearances for more private sector partners. • Worked with U.S. sports leagues to improve their security processes. For example, the National Football League implemented emergency drills/tabletop exercises at all 31 of its stadiums. The CF SSA will continue to work with its partners to ensure that the sector remains strong and resilient by continuing to develop and execute a broad set of risk mitigation activities, like those summarized above. For example, the CF SSA will continue to produce Protective Measures Guides that address the needs of specific subsectors, as well as ones that address cross-sector concerns. Additionally, the CF SSA has engaged in a series of subsector outreach and information-sharing initiatives Preface i at the direction of DHS Secretary Napolitano. These have demonstrated that the CF SSA can work with its sector partners in a sustained way on an initiative that strengthens information sharing and leads to the creation of new products. For example, the Retail and Lodging Outreach Initiative had a number of important components, including a Table-Top Exercise, Protective Security Advisor (PSA) visits to mall owners and operators, and the development of new products including two threat rec­ ognition training tools and one video designed for retail and shopping center staff. The CF SSA will be engaging in similar initiatives targeted at additional subsectors. These and other risk mitigation activities highlight how the sector is strengthened through active engagement and partnership. Each year, the CF Sector CIKR Protection Annual Report will provide updates on the sector’s efforts to identify, prioritize, and coordinate the protection of its critical infrastructure. The Sector Annual Report provides the current priorities of the sector as well as the progress made during the past year in following the plans and strategies set out in the CF SSP. The CF SSP establishes a relationship between the government and the private sector to foster the cooperation necessary to improve the protection and resilience of the sector from a natural or man-made disaster. The CF SSP reflects the collaborative efforts between government and private sector stakeholders who are dedicated to the protection of CIKR within the CF Sector. The CF Sector Government Coordinating Council is pleased to support this CF SSP and looks forward to a continued partner­ ship to sustain and enhance the protection and resilience of CIKR in the CF Sector. Todd M. Keil W. Craig Conklin Assistant Secretary for Director Infrastructure Protection SSA Executive Management Office U.S. Department of Homeland Security U.S. Department of Homeland Security Chair, Commercial Facilities GCC Turner D. Madden Joseph B. Donovan Co-Chair Co-Chair Commercial Facilities Commercial Facilities Sector Coordinating Council Sector Coordinating Council ii 2010 Commercial Facilities Sector-Specific Plan Table of Contents Preface ................................................................................................ i Executive Summary ................................................................................... 1 1. Sector Profile and Goals ........................................................................... 1 2. Identify Assets, Systems, Networks, and Functions ..................................................... 2 3. Assess Risks ..................................................................................... 2 4. Prioritize Infrastructure ........................................................................... 3 5. Develop and Implement Protective Programs and Resilience Strategies ..................................... 3 6. Measure Effectiveness ............................................................................. 3 7. CIKR Protection Research and Development .......................................................... 3 8. Manage and Coordinate Sector-Specific Agency Responsibilities .......................................... 3 Introduction ......................................................................................... 5 1. Sector Profile and Goals ............................................................................. 7 1.1 Sector Profile ................................................................................... 7 1.1.1 Commercial Facilities Subsectors ............................................................. 8 1.1.2 Interdependencies and Relationships with Other CIKR Sectors .................................... 9 1.2 CIKR Partners ................................................................................. 11 1.2.1 DHS as the Sector-Specific Agency ........................................................... 11 1.2.2 CIKR Owners and Operators, Including Private and Public Entities ................................ 12 1.2.3 U.S. Department of Homeland Security ...................................................... 12 1.2.4 Other Federal Departments and Agencies ..................................................... 13 1.2.5 State, Local, Tribal, and Territorial Governments ................................................ 13 1.2.6 Regional Coalitions ...................................................................... 14 1.2.7 International Organizations and Foreign Countries ............................................. 15 1.3 Sector Goals and Objectives ...................................................................... 15 1.3.1 Commercial Facilities Sector Goals .......................................................... 16 1.4 Value Proposition .............................................................................. 16 2. Identify Assets, Systems, and Networks .............................................................. 19 2.1 Defining Information Parameters ................................................................. 20 Table of Contents iii 2.1.1 Infrastructure Data Warehouse (IDW) ........................................................ 23 2.1.2 CF SSA Role in Inventory Development and Maintenance ....................................... 25 2.1.3 Identifying Cyber Infrastructure ............................................................ 26 2.2 Collecting Infrastructure Information ............................................................. 27 2.2.1 Commercial Facilities Sector Partners Contribution ............................................. 29 2.3 Verifying Infrastructure Information .............................................................. 30 2.4 Updating Infrastructure Information .............................................................. 31 3. Assess Risks ........................................................................................ 33 3.1 Cyber Risk .................................................................................... 34 3.2 Use of Risk Assessment in the Sector..............................................................