1. Critical Infrastructure Protection: Program Overview
Urban Area Security Initiative Conference, Columbus, OH
May 23, 2012

2. Agenda Historical Perspective Risk Management Framework ImplementationMo
Historical Perspective
Risk Management Framework Implementation
Current Environment
Key Initiatives
The Current Challenge
The homeland security enterprise is entering a new stage in its evolution. Focus is shifting to considerations of all-hazards while resources are becoming increasingly scarce due to the challenging budget environment. Therefore, partnerships of all types must be leveraged to ensure that resources are utilized in the most effective ways possible.
Thesis: demands in the CIP community are increasing but resources are being decreased. Therefore, NPPD/IP must leverage resources in the most efficient way possible. The way to do that is to determine the desired outcomes, gather feedback on how our programs are performing to the meet those outcomes, and adjust both programmatic and budgetary resources accordingly. 2

3. Historical Perspective
When the Department of Homeland Security (DHS) was established in 2002, it faced distinct challenges with regards to the protection and resilience of critical infrastructure:
Other DHS components, such as the Federal Emergency Management Agency (FEMA) and the U.S. Coast Guard (USCG), already had a well defined mission space and implementation processes were functioning;
Critical infrastructure protection and resilience was generally a new mission area and required the establishment of implementation mechanisms; and
The establishment of a governance structure was necessary in order to reach the network of critical infrastructure protection and resilience partners in the private sector and at all levels of government.
When the Department first stood up, many components, including FEMA and the Coast Guard had well established mission space. Infrastructure protection was different – it required the establishment of implementation mechanisms.
Governance structure was established to deliver capabilities to partners.

4. Critical Infrastructure Authorities
Critical Infrastructure: 42 U.S.C. 5195c (e) defines the term “critical infrastructure” as the “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
Policy of the United States: 42 U.S.C. 5195c (c) establishes that it is the “policy of the United States … that any physical or virtual disruption of the operation of the critical infrastructures of the United States be rare, brief, geographically limited in effect, manageable, and minimally detrimental to the economy, human and government services, and national security of the United States…”
Homeland Security Presidential Directive 7 – Critical Infrastructure Identification, Prioritization, and Protection (HSPD-7): Establishes a national policy for Federal departments and agencies to identify and prioritize critical infrastructure and to protect them from terrorist attacks (now all-hazards) and established the original 17 (now 18) critical infrastructure sectors.
National Infrastructure Protection Plan (NIPP): Provides the unifying structure for the integration of efforts for the enhanced protection and resilience of the Nation’s critical infrastructure.
Authorities which established the mission space for NPPD/IP

5. NIPP Risk Management Framework
Integrates and coordinates strategies, capabilities, and governance to enable risk-informed decision making related to the nation’s critical infrastructure
Six interrelated activities to continuously enhance the protection of critical infrastructure
Risk management:
“Process of identifying, analyzing, assessing, and communicating risk and accepting, avoiding, transferring or controlling it to an acceptable level at an acceptable cost”

6. Risk Management Framework Implementation
To effectively implement the risk management framework and help critical infrastructure protection and resilience partners make risk-informed decisions, the following were developed:
Governance Structure
Allows the Department to communicate with both public and private sector partners.
Information Sharing
Creates a nationwide network in which partners may effectively collaborate to prepare for, protect against, respond to, and recover from all-hazards.
Mechanisms for implementing the NIPP risk management framework.
Assessments & Analysis
Establishes threats, vulnerabilities, and consequences for individual and clustered critical infrastructure to develop applicable security measures.

7. Current Environment
The critical infrastructure protection and resilience mission has become more dynamic while resources are being decreased:
There is increased emphasis on all-hazards.
Cyber risks are more prevalent.
Climate related risks are receiving more attention.
There is increased focus on providing justification for how resources are utilized.
To meet these challenges, we must gather risk-informed requirements for our programs that will allow us to make investments that truly support our partners. In order to do this, we are implementing mechanisms that will:
Define the risk-informed outcomes we want to achieve.
Develop metrics to determine if we are meeting those outcomes.
Use information generated through the metrics to make decisions about how our programs will get us closer to the outcomes we want to achieve.
The resource environment is now changing – more focus on all-hazards
To meet these challenges, we must gather risk-informed information that help us support investments that are truly valued by our partners.
Define risk informed outcomes to achieve
Metrics to determine meeting outcomes
Info to make decisions about how our programs can get us close to outcomes we want to achieve.

8. Example Implementing Mechanisms
One IP Objectives
Objectives
Example Implementing Mechanisms
Protective Security Advisors
Sector Partnerships
Information Sharing Environment
State and local partners
Regional Resiliency Assessment Program (RRAP)
Fusion Center engagement
Stakeholder Input Project
Sector Annual Reports
National Annual Report
Critical Infrastructure Risk Management Plan
Strengthen partnerships and information sharing capacity
Provide partners with the programs and tools they need
Measure program effectiveness so that efforts can be improved 8

9. 1 2 4 3 CIRMEI: Risk-informed Resource Allocation
Understand risks to critical infrastructure
Assess impact of activities 1 2
Feedback
Loop 4 3
Adjust resources accordingly
Develop plan to address gaps

10. A Regional Approach
To advance the Assistant Secretary’s vision, Secretary Napolitano’s “One DHS” agenda and the critical infrastructure mission, NPPD/IP is collecting regional requirements and will adjust programs to meet those requirements.
A regional approach is necessary because:
Critical infrastructure assets, systems, functions, and networks cross jurisdictional boundaries
The types, integration, and concentration of assets vary across regions
Risk landscapes and resources vary region-by-region
All incidents begin and end in local communities
The effectiveness of protection and resilience activities is best measured by their impact on stakeholders in communities across the country 10

11. Regional Initiative Approach
NPPD/IP Core Mission Areas
Partnership Support
Regulatory
Requirements
Assessing Security and Resiliency
Analysis
Information Sharing
Region-Specific Mission Requirements
Federal Regions I
August 2011 II
August 2011
III
FY 2013 IV
February 2012 V
FY 2013 VI
FY 2012
VII
FY 2013
VIII
FY 2012 IX
FY 2012 X
FY 2013
Critical Infrastructure Mission Partners (Public and Private)
Outcome: A sustainable One IP Framework that will enable NPPD/IP to operationalize partnerships and deliver tailored programs to each region. 11

12. Key Recommendations for NPPD/IP Leadership
Components of the Regional Initiative
Key Recommendations for NPPD/IP Leadership
Feedback from Outreach to Private Sector Infrastructure Owners and Operators
Feedback from Outreach to State and Local Government Partners
Feedback Provided in Reports by various Partner and Advisory Councils 1 2 3
Focus group discussions in Regional locations
One-on-one interviews with SLTT critical infrastructure protection government
officials
Analysis of reports
from partner councils containing feedback relevant to service delivery

13. Regional Initiative – Current Status
As of May 2012, NPPD/IP has achieved the following progress with the Regional Initiative:
Received feedback on the status of critical infrastructure protection and resilience activities in FEMA Regions I, II, and IV from State and local government partners as well as private sector owners and operators.
Completed an analysis of 14 relevant reports and white papers submitted to NPPD/IP on critical infrastructure protection and resilience and identified key findings.
Coordinated with State and local partners to pursue focus groups in three additional FEMA Regions (VI, VIII, and IX) this fiscal year.
Findings from this effort will inform programmatic and budgetary decisions:
More user friendly, flexible tools
More scalable, realistic exercises to help identify interdependencies
Tailoring and providing training and capabilities valued by our stakeholders 13

14. Questions? The Current Challenge
The homeland security enterprise is entering a new stage in its evolution. Focus is shifting to considerations of all-hazards while resources are becoming increasingly scarce due to the challenging budget environment. Therefore, partnerships of all types must be leveraged to ensure that resources are utilized in the most effective ways possible. 14

15. Ken Buell
Policy Development and Coordination Unit
Office of Infrastructure Protection
National Protection and Programs Directorate