Security and resilience 'primary aim' of critical infrastructure planning, says new NIPP


A revised National Infrastructure Protection Plan issued by the Homeland Security Department in late December places greater emphasis on security and resilience than its predecessor from 2009.

Security and resilience are "the primary aim of critical infrastructure homeland security planning efforts," the new NIPP states. President Obama required its revision in February when he signed Presidential Policy Directive 21, which calls for a national unity of effort to strengthen critical infrastructure against vulnerabilities.

In particular, the new NIPP reaffirms the existing coordination council structure DHS has put in place to coordinate public and private sector actions among 16 identified critical infrastructure sectors. But, it calls on national-level councils to jointly issue multi-year priorities based on multiple information sources, including results of state and regional Threat and Hazard Identification and Risk Assessments.

The THIRA process, in turn, should be used as a method to integrate "human, physical and cyber elements of critical infrastructure risk management," the revised NIPP says, in a final section listing a dozen "calls to action."

A call to action for "collective actions through joint planning efforts" also references the cybersecurity framework under development by the National Institute of Standards and Technology, stating that a new round of updated sector council plans should describe current and planned cybersecurity efforts, "including, but not limited to" use of the NIST framework.

The NIPP is a high level document often lacking in specific details. For example a call to action for private sector incentives for greater security and resilience simply states that the critical infrastructure should "continue to identify, analyze, and where appropriate, implement incentives."

That call to action does offer a glimpse into plan authors' thoughts, however, as it also states that the critical infrastructure community should support research "to quantify the potential cost imposed by a lack of critical infrastructure security and resilience, and inadequate cyber preparedness."

Information sharing also merits greater attention in the new NIPP than before, with a critical infrastructure risk management framework updated in the plan including it as an element to occur at all stages.

For more:
- go to a DHS webpage with links to the 2013 NIPP and supplementary material
- download the 2013 NIPP directly (.pdf)

Related Articles:
DHS starts critical infrastructure R&D plan public process 
Unclear why candidates for critical infrastructure review program are picked 
PCAST calls for auditable cybersecurity processes in federally regulated industries