
(This page intentionally left blank.)

DHS/IP ii

Contents

Contents ..... iii
Preface ..... iv
Acronyms ..... v
Part I: Introduction ..... 1

  Cross-Walk: How the Sector Annual Reports Relate to the NIPP ..... 1
  Report Development Process ..... 3
  2008 Report ..... 4
    Secure Web Portal ..... 4
    Timeline for Developing Sector Annual Reports ..... 5
    Content of Sector Annual Reports ..... 6
Part II: Guidance – Preparing the Sector Annual Report ..... 7
  How to Use this Guidance ..... 7
  Foreword to Sector Annual Report ..... 9
  Executive Summary ..... 9
  Section 1: Sector Security Goals and Priorities ..... 9
    1.1 Sector Security Goals ..... 10
    1.2 Sector CIKR Risk Profile ..... 10
    1.3 CIKR Protection Gaps ..... 11
    1.4 Sector Priorities ..... 11
  Section 2: Sector Programs, Activities, and Tools ..... 12
    2.1 CIKR Protection Programs and Initiatives ..... 12
    2.2 Coordination Groups and Security Partners ..... 14
  Section 3: CIKR R&D Progress and Updated Capability Gaps ..... 15
    3.1 Progress ..... 16
    3.2 Capability Gaps ..... 18
  Section 4: Funding Priorities ..... 20
    4.1 Planned SSA Investments ..... 21
    4.2 Non-SSA Investments ..... 22
    4.3 Gaps ..... 22
  Section 5: CIKR Protection: Security Practices and Obstacles ..... 22
    5.1 CIKR Protection Security Practices ..... 22
    5.2 Obstacles ..... 23
  Section 6: Program Effectiveness and Continuous Improvement ..... 23
    6.1 CIKR Protection Mission Progress ..... 26
    6.2 Path Forward ..... 27
Appendix 1: Risk Reduction Activity Questionnaire ..... 28
  Activity Information ..... 28
  Activity Scope ..... 29
  Activity Budget Details ..... 32
  Activity Operational Details ..... 33
  Additional Information/Comments ..... 33


Preface

The purpose of this document is to provide suggestions and guidance to Sector Specific Agencies (SSA) in preparation of their 2008 Sector CIKR Protection Annual Reports (Sector Annual Reports). Due to the varying levels of maturity of the Critical Infrastructure-Key Resources (CIKR) sectors, it is recognized that the SSA will provide varying degrees of completeness regarding the components of the guidance. Homeland Security Presidential Directive 7 (HSPD-7) requires each SSA to provide the Secretary of Homeland Security with an annual report on its efforts to identify, prioritize, and coordinate the protection of CIKR in its respective sectors. The purpose of this document is to provide guidance to SSAs in preparing their Sector Annual Reports. The document contains two parts:

– Part I: Introduction. Provides important overarching information about preparing the Sector Annual Report.

– Part II: Guidance: Preparing the Sector Annual Report. Provides section-by-section descriptions of the types of contents expected in the Sector Annual Report in order to help ensure consistency and allow effective integration of information into the National CIKR Protection Annual Report.

The DHS Office of General Counsel (OGC) has validated that compliance with the SAR guidance and the Critical Infrastructure Partnership Advisory Council (CIPAC) methodology will not violate the Paperwork Reduction Act of 1995 (PRA) provided you address annual reporting data and information within a CIPAC meeting environment. Specifically, DHS OGC noted that any information collection from the SCCs (or other entities) beyond that methodology must be mindful of a need to adhere to the guidelines set forth in the Paperwork Reduction Act of 1995. DHS OGC also encourages any SSA seeking to conduct a collection of information to seek early coordination with each SSA's POC for PRA matters and/or legal counsel before causing another agency or entity to collect information rather than populate data and information within the CIPAC meeting environment. General information on the Paperwork Reduction Act can be found at (http://www.archives.gov/federal-register/laws/paperwork-reduction/).


Acronyms

CIKR      Critical Infrastructure-Key Resources
CIP       Critical Infrastructure Protection
CS        Cyber Security
CIPAC     Critical Infrastructure Partnership Advisory Council
CR        Comprehensive Review
CSCSWG    Cross-Sector Cyber Security Working Group
CSSP      Control Systems Security Program
CSVA      Cyber Security Vulnerability Assessment
DHS       Department of Homeland Security
DHS/IP    Department of Homeland Security/Office of Infrastructure Protection
DHS/S&T   Department of Homeland Security/Science & Technology
DOD       U.S. Department of Defense
FOUO      For Official Use Only
FY        fiscal year
GCC       Government Coordinating Council
HITRAC    Homeland Infrastructure Threat and Risk Analysis Center (DHS)
HSDB      Homeland Security Data Base
HSPD-7    Homeland Security Presidential Directive 7
IASD      Infrastructure Analysis and Strategy Division
IP        Office of Infrastructure Protection
IED       improvised explosive device
KyCIP     Kentucky Critical Infrastructure Protection Institute Program
MS&A      modeling, simulation, and analysis
NIPP      National Infrastructure Protection Plan
NISAC     Infrastructure Simulation and Analysis Center
OMB       Office of Management and Budget
PCIKA     Protecting Critical Infrastructure and Key Assets
PIRR      Protection Information Requirements Report
PMO       Program Management Office
PRA       Paperwork Reduction Act of 1995
R&D       research and development
RAMCAP    Risk Analysis and Management for Critical Asset Protection
RRAQ      Risk Reduction Activity Questionnaire
SAV       Site Assistance Visit
SCC       Sector Coordinating Council
SERRI     Southeast Region Research Initiative
SHIRA     Strategic Homeland Infrastructure Risk Analysis
NCSD      National Cyber Security Division
SLTTGCC   State, Local, Tribal, and Territorial Government Coordinating Council
SSA       Sector-Specific Agency
SSP       Sector-Specific Plan
SwA       Software Assurance
US CERT   United States Computer Emergency Readiness Team
VBIED     vehicle-borne improvised explosive device

Part I: Introduction

This section provides important overarching information about preparing the 2008 Sector Critical Infrastructure-Key Resources (CIKR) Protection Annual Report (hereafter referred to as the Sector Annual Report), specifically:

– Cross-Walk: how the sector annual reports relate directly to requirements specified in the National Infrastructure Protection Plan (NIPP), including a table that presents each section of the annual report cross-referenced to specific chapters of the NIPP;

– Report Development Process: how the reporting process works, who is involved, and how they collaborate to produce the report; and

– Report Requirements: description of the focus, the use of a new web portal to streamline collection and dissemination of information, a timeline for development of the report and submission of drafts, and changes in the 2008 reports.

Pursuant to Public Law 110-53, The Implementing the 9/11 Commission Recommendations Act of 2007, Risk Assessment, Section 201(d) (hereafter referred to as the 2007 9/11 Act), the Secretary of Homeland Security is required to provide Congress with the National CIKR Protection Annual Report, to include the 17 Sector CIKR Protection Annual Reports that address CIKR risks and protective actions within each sector, by November of each year.

Cross-Walk: How the Sector Annual Reports Relate to the NIPP

As stated in Chapter 3, section 3.6.3, of the NIPP, “Assessing Performance and Reporting on Progress”:

Homeland Security Presidential Directive 7 (HSPD-7) requires each Sector-Specific Agency (SSA) to provide the Secretary of Homeland Security with an Annual Report on their efforts to identify, prioritize, and coordinate the protection of CIKR in their respective sectors. The report from each SSA will be sent to the Department of Homeland Security (DHS) annually. The reports are due no later than July 1 of each year.

Chapter 3 of the NIPP also describes the requirements of the risk management framework. The framework includes setting goals and measuring performance. Further, section 3.6.3 sets out the basic requirements of the Sector Annual Reports, including establishing a baseline of existing priorities, programs, and initiatives; identifying out-year requirements; providing a progress report; and identifying effective security practices. In addition, the NIPP, Chapter 4, section 4.2.1, first bullet, states:

DHS, in conjunction with SSAs and other State, local, tribal, and private sector security partners, will collaboratively develop and disseminate an Annual CIKR Protection Information Requirements Report (PIRR) that summarizes the sectors’ input and makes recommendations for collecting information requirements. The Information Requirements Report will be disseminated to the sectors through the Sector Coordinating Councils (SCCs). In addition to this process, DHS will coordinate with the intelligence community to support information collection that reflects the emerging requirements provided by SSAs and State, local, tribal, and private sector partners.


Chapter 7 of the NIPP, “Providing Resources for the CIKR Protection Program,” addresses risk-based resource allocation and discusses SSA reporting to the DHS. As stated, DHS will provide SSAs with reporting guidance and templates that include requests for specific information. Table 1 provides a list of the sections in the NIPP that specify subjects to be addressed in the Sector Annual Reports.

Table 1: Sector Annual Reports and Specific Requirements Stated in the NIPP

Sector Annual Report (Section) | NIPP Requirements for Sector Annual Report

1. Sector Security Goals and Priorities
   Goals
   – Section 3.1, Set Security Goals
   – Section 7.1.1, Sector-Specific Agency Reporting to DHS
   Priorities
   – Section 3.4, Prioritize (see, in particular, section 3.4.3, The Uses of Prioritization)
   – Section 3.6.3, Assessing Performance and Reporting on Progress
   – Section 7.1.1, Sector-Specific Agency Reporting to DHS

2. Sector Programs, Activities, and Tools
   Programs and Initiatives
   – Section 3.5.3, Protective Programs, Initiatives, and Reports
   – Section 7.1.1, Sector-Specific Agency Reporting to DHS
   Coordination Groups and Security Partners
   – Section 4, Organizing and Partnering for CIKR Protection

3. CIKR R&D Progress and Updated Capability Gaps (including Modeling, Simulation, and Analysis)
   R&D Requirements
   – Section 6.3, Conducting Research and Development and Using Technology
   Modeling, Simulation, and Analysis
   – Section 6.3, Conducting Research and Development and Using Technology

4. Funding Priorities
   Planned SSA Investments, Non-SSA Investments, and Gaps
   – Section 7.1.1, Sector-Specific Agency Reporting to DHS
   – Section 7.2.2, Sector-Specific Agencies

5. CIKR Protection: Security Practices and Obstacles
   CIKR Protection Security Practices and Obstacles
   – Section 3.6, Measuring Effectiveness
   – Section 3.7, Using Metrics and Performance Measurement for Continuous Improvement

6. Program Effectiveness and Continuous Improvement
   NIPP Risk Management Framework Implementation
   – Section 3.6.3, Assessing Performance and Reporting on Progress
   – Section 3.7, Using Metrics and Performance Measurement for Continuous Improvement


Report Development Process

In support of the CIKR protection mission, DHS, SSAs, SCCs, Government Coordinating Councils (GCCs), and other public- and private-sector security partners collaboratively address reporting requirements in the 2007 9/11 Act, the NIPP, and HSPD-7. These organizations work together to focus on the major issues and concerns within their sectors, including those that drive a sector’s highest priorities for CIKR protection.

Integral to partnerships, the SSAs, GCCs, and SCCs are encouraged to use the Working Group mechanism under the Critical Infrastructure Partnership Advisory Council (CIPAC) to collaborate, coordinate, and jointly develop input for the Sector Annual Reports and the 2008 National CIKR Protection Annual Report (hereafter referred to as the National Annual Report). The Working Group mechanism can be used to strengthen the sector’s ability to consult and engage with its members. Several of the sectors (e.g., Communications, Energy, Food and Agriculture, Information Technology) have used this mechanism effectively to jointly develop their Sector-Specific Plans (SSPs). The Working Group mechanism is flexible and can include as many members as needed. The SCCs and GCCs jointly agree to create the Working Group. The Working Group chair(s), as designated by the SCCs and GCCs, can invite as many sector members to participate as needed to obtain input and dialogue that is comprehensive enough to represent the entire range of perspectives from the sector and all levels of government. The chair(s) can also invite participation from subject-matter experts who are not members of the sector but whose input the Working Group deems of value to the dialogue and deliberations of the sector. The CIPAC Secretariat provides documented operating guidance on how to create, use, and maintain the necessary record keeping for these working groups. Please contact the CIPAC Secretariat to obtain a copy of these guidelines if needed. The CIPAC Secretariat will also provide a Technical Assistance (TA) session if desired by the SSAs.

The DHS Office of General Counsel (OGC) has validated that compliance with the SAR guidance and the CIPAC methodology will not violate PRA provided you address annual reporting data and information within a CIPAC meeting environment. Specifically, DHS OGC noted that any information collection from the SCCs (or other entities) beyond that methodology must be mindful of a need to adhere to the guidelines set forth in the Paperwork Reduction Act of 1995. DHS OGC also encourages any SSA seeking to conduct a collection of information to seek early coordination with each SSA's POC for PRA matters and/or legal counsel before causing another agency or entity to collect information rather than populate data and information within the CIPAC meeting environment. General information on the Paperwork Reduction Act can be found at (http://www.archives.gov/federal-register/laws/paperwork-reduction/).

Figure 1 illustrates the various elements of information supporting the Sector Annual Report.


Figure 1: Example Contributions to Sector Annual Report

2008 Report

In support of the CIKR protection mission, each SSA is required to provide an annual report to the Secretary of Homeland Security detailing efforts to identify, prioritize, and coordinate CIKR protection in its respective sectors. The NIPP provides a schedule and other specifics regarding this reporting requirement. Part II of this guidance provides a guide for developing sector-specific reports that are consistent across all sectors. In 2008, the focus of the Sector Annual Reports is to identify priority programs, activities, and tools. The reports will also discuss security practices and obstacles and highlight program effectiveness and continuous improvement. Guidance for identifying requirements for research and development (R&D) and modeling, simulation, and analysis (MS&A) is also provided. DHS does not intend for the Sector Annual Reports to be exhaustive compilations or detailed lists; rather, these reports are intended to identify the high-priority human-, physical-, and cyber-related programs within each sector.

Secure Web Portal

DHS has established a secure Web portal to facilitate the reporting process and aid the development of the Sector Annual Reports and subsequent preparation of the National Annual Report. As shown in figure 2 and explained in more detail in appropriate sections of this guidance, the portal is designed to efficiently collect information about CIKR protection programs and initiatives, as well as metrics or other information that describes the overall progress of CIKR protection efforts in each sector, while at the same time providing flexibility to the SSAs in reporting. On the basis of the information provided, reports and appendixes for the Sector Annual Report can be generated directly from the information in the portal. The SSAs are encouraged to use the portal to the maximum extent possible.


[Figure 2 (diagram): 2008 Sector CIKR Protection Annual Report Guidance; Sector Security Partners; Sector CIKR Risk Profile; SSA Development of Sector CIKR Protection Annual Reports; Sector Annual Reports; NIPP Metrics Web Portal (Metrics Information, Metrics Reports, Consolidated Metrics Information); CIKR Protection Metrics Analysis; CIKR Protection Security Partners Coordination; National and State CIKR Risk Profiles; DHS Development of National CIKR Protection Annual Report; National CIKR Protection Annual Report]

Figure 2: Development of Sector and National Annual Reports

Timeline for Developing Sector Annual Reports

Figure 3 shows the timeline for developing Sector Annual Reports. Key dates in the development process include the following:

– Two TA sessions (TBD) focusing on the Sector Annual Report process are to be conducted by DHS.

– In accordance with the NIPP, SSAs are responsible for submitting final Sector Annual Reports to DHS no later than July 1, 2008.

– Draft Sector Annual Report (including appendixes) is due to DHS by June 2, 2008. This schedule allows DHS to conduct a preliminary analysis of each Sector Annual Report as part of the development of the National Annual Report. During the month of June, SSAs can continue to refine their reports and conduct final reviews internally and with their sector security partners.


[Figure 3 (timeline, Sept 07 through Sep 08): Sector Annual Report Guidance Development; Sector Annual Report Exec. Sec. Review – Jan 1; Sector Annual Report Guidance distributed – Jan 10; Draft Sector Annual Report Guidance, SSA 30-day comment; TA Session – Dec 20; Sector Annual Report Coordination process with SSAs, TA Session – TBD; Draft Sector Annual Report due from SSAs – June 2; Final Sector Annual Report to DHS (annexes to National Annual Report) – July 1; DHS/IP Review/Edit Process; Finalize 2008 National Annual Report; 2008 NAR to EOP – Sep 08; 2008 National Annual Report to Congress – Nov]

Figure 3: Sector Annual Report Development Timeline

Content of Sector Annual Reports

To the extent possible, the Sector Annual Reports are to include sector-wide (or sub-sector-wide, if more appropriate) accomplishments and efforts that are current as of the reporting date, including processes (e.g., asset identification, risk assessment, prioritization) that have been developed or implemented. The reports are also to include, to the extent possible, specific information about the status or progress of SSP implementation and the status of CIKR protective programs, activities, and tools across the sector partnership framework. It is anticipated that the improved focus of the 2008 Sector Annual Reports, in conjunction with the increased experience level across the NIPP partnership environment, will result in more detail in the following ways (as appropriate):

– Inclusion of information from a broader range of security partners resulting from increased participation from GCC members and greater coordination with the SCCs, under the CIPAC (as it applies to each sector);

– Additional detail regarding the effectiveness of important CIKR protective programs, activities, and tools;

– Specific information regarding programs and requirements that provide protection against the attack methods identified in table 2-1 of this guidance or that support the national CIKR protection priorities; and

– Detailed and comprehensive information on MS&A and R&D activities and requirements.

The information included in the 2008 Sector Annual Report encompasses CIKR protection programs and initiatives in fiscal year (FY) 2008, planned or proposed CIKR protection programs and initiatives for FY 2009, and CIKR protection priorities for FY 2009.


Part II: Guidance – Preparing the Sector Annual Report

Part II of this document provides the following:

– How to use this guidance;

– Outline of the Sector Annual Report;

– Detailed guidance for preparing the report, section by section; and

– Guidance for preparing Appendix 1.

How to Use this Guidance

This guidance document provides section-by-section descriptions of the types of content expected in the Sector Annual Reports in order to help ensure consistency and allow effective integration of information into the National Annual Report. The Sector Annual Report consists of six sections and one appendix. Sections 1–6 of this guidance serve as a “framework” to help facilitate the annual reporting process and ensure consistency. In preparing the Sector Annual Reports, SSAs, in close coordination with SCCs, GCCs, and other public- and private-sector security partners, will collaboratively focus on the major issues and concerns within their sectors, including those that drive the sector’s highest priorities for CIKR protection. The intent of the Sector Annual Reports is to meet the requirements and direction outlined in the 2007 9/11 Act, the NIPP, and HSPD-7 by describing the status of CIKR protection efforts and providing a snapshot of existing programs and resources. It is particularly important that the Sector Annual Reports are as consistent as possible in terms of the level of detail provided, as well as the topics covered. Table 2 provides an outline of chapters and sections for the Sector Annual Report.


Table 2: Sector Annual Report Outline

Section Name | Suggested Length

Foreword to the Sector Annual Report | 2–4 paragraphs
Executive Summary | 1–2 pages
Section 1: Sector Security Goals and Priorities | 4–6 pages
  1.1 Sector Security Goals
  1.2 Sector CIKR Risk Profile
  1.3 CIKR Protection Gaps
  1.4 Sector Priorities
Section 2: Sector Programs, Activities, and Tools | 4–5 pages
  2.1 CIKR Protection Programs and Initiatives
  2.2 Coordination Groups and Security Partners
Section 3: CIKR R&D Progress and Updated Capability Gaps | 4–5 pages
  3.1 Progress
  3.2 Capability Gaps
Section 4: Funding Priorities | 4–5 pages
  4.1 Planned SSA Investments
  4.2 Non-SSA Investments
  4.3 Gaps
Section 5: CIKR Protection: Security Practices and Obstacles | 4–5 pages
  5.1 CIKR Protection Security Practices
  5.2 Obstacles
Section 6: Program Effectiveness and Continuous Improvement | 3–4 pages
  6.1 CIKR Protection Mission Progress
  6.2 Path Forward
Appendix 1: Risk Reduction Activity Questionnaire | Varies


Foreword to Sector Annual Report

Each Sector Annual Report begins with a few paragraphs that describe how the SSA interacted and worked with its sector security partners to produce the report. While each SSA has overall responsibility to prepare and submit its Sector Annual Report, the extent and form of security partner participation may differ. Sectors may use the following questions to focus the discussion and provide general context to the information contained in the report:

– Did the sector involve public- and private-sector security partners when developing priorities and requirements, or did security partners simply review drafts of the report?

– How complete was the engagement? Were members of the SCC and GCC involved, or did the engagement include owners and operators?

– Does the budget information include the efforts of GCC members and other government agencies with significant equities?

– Do the descriptions of MS&A and R&D progress and effectiveness include the efforts of individual companies, academic institutions, trade associations, or others?

This section also describes planned changes for the 2008 Sector Annual Report development process to focus on the status and progress of the sector as a whole.

Executive Summary

The Sector Annual Report Executive Summary is tailored for readers who are knowledgeable about the sector, who are familiar with the NIPP, and who understand the intended scope of the Sector Annual Reports. The Executive Summary does not need to provide a lengthy description or background of the sector. Rather, it intends to provide the reader with a summary of the key points in the subsequent sections of the report, including a brief overview of the sector’s CIKR protection priorities and key protective programs, activities, tools, accomplishments, and challenges, and highlight those related to cyber security for the sector. It describes the current Sector Annual Report but does not give comparisons with prior years’ reports.

Section 1: Sector Security Goals and Priorities

This section serves as the foundation for the Sector Annual Report. Subsequent sections of the report will build on the vision and mission statement, security goals, sector risk profile, CIKR protection gaps, and priorities discussed in this section. Section 1 reflects the sector as a whole. State and local governments and the private sector should provide input to their SSAs for inclusion in the Sector Annual Report. It is also important that cyber security goals and priorities be reflective of the sector as a whole.

1.1 Sector Security Goals This section includes the sector’s vision/mission statement along with its goals for CIKR protection. Some sectors may also have cyber specific goals, while others may incorporate cyber security within broader efforts, such as “conducting risk assessments.” CIKR sectors should consider and, if appropriate, customize the five cyber security objectives—identified in the NIPP—when articulating their sector security goals. The material in this section may be the same as presented in the SSP, or it may reflect further development efforts since publication of the SSP. Sectors may highlight any updates or enhancements to their goals, particularly those based on enhanced interactions with security partners. Please note any discrepancy when there is a significant deviation from the SSP. When presenting the sector’s vision/mission statement and security goals, please follow the format of Table 1-1, which is shown in Figure 4. In addition, please indicate whether the sector has prioritized its sector security goals.

Sector Vision/Mission Statement: [text]

Sector Goals:
Goal 1: [text]
Goal 2: [text]
Goal 3: [text]
Goal n: [text]

Table 1-1: [SECTOR NAME] Sector Security Vision/Mission Statement and Security Goals

Figure 4: Format for Table 1-1 to be Included in Each Sector’s Annual Report

1.2 Sector CIKR Risk Profile This section includes a summary of the most recently updated terrorism CIKR risk profile (For Official Use Only [FOUO]) for the sector, as well as a discussion of cyber risk as part of the overall sector risk profile. The risk profile is based on information provided by the DHS Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) via the Strategic Homeland Infrastructure Risk Analysis (SHIRA). This information should be provided to the sectors by April 1, 2008. Sectors may add information, as necessary, to their risk profile to support the identification of the CIKR protection gaps discussed in section 1.3. Other sources of information may include, but are not limited to, sector security partners, the National Cyber Security Division (NCSD), and other agencies. When a sector adds data and information from other sources, the sector should discuss the sources of that data and information with HITRAC to ensure (1) parallel work on the National Annual Report—particularly the national and state CIKR risk profiles—is consistent and (2) sector-specific information is presented appropriately. This section should also include a discussion of cyber risk as part of the overall sector risk profile, examining cyber risk relative to other sector risks. Because each sector relies on cyber infrastructure, the section should discuss the associated risk, including the degree to which cyber infrastructure and security are integrated into the sector’s essential functions, products, and services. The analysis of cyber risk should be based on a number of sources, including the information provided by HITRAC via the SHIRA of cyber threat themes and the sector’s unique understanding of cyber threats, vulnerabilities, and consequences.

1.3 CIKR Protection Gaps Section 1.3 summarizes the gaps that exist between issues highlighted in the sector risk profile and the existing CIKR protection efforts and goals in the sector. These gaps reflect input and coordination from public- and private-sector, State, and local security partners on the effectiveness and progress of current CIKR protection efforts. This section should also summarize known gaps that exist between cyber security issues highlighted in the sector risk profile and the sector’s existing cyber security efforts and goals. One example of a cyber security-related protection gap from the 2007 Sector Annual Reports is: “Security concerns relating to supervisory control and data acquisition (SCADA) systems and other protected systems have increased.” Section 1.4 presents priorities to address the gaps identified in this section. Gaps specifically related to financial limitations are covered in section 4 and should not be included in section 1.3.

1.4 Sector Priorities This section describes areas in which the sector has focused its efforts across the spectrum of CIKR protection activities, including sector priorities for cyber security. It also provides the background for later discussion on protective programs, activities, and tools; R&D and MS&A needs; and funding/resource priorities. This section emphasizes the need to identify the sector’s highest priorities, not the universe of activities and concerns within the sector. Prioritization is used to inform various activities in the risk management process, including decisions regarding the implementation of protective programs, activities, and tools. This section includes a prioritized set of actions that the sector intends to take to expand its CIKR protection efforts, particularly those targeted at addressing the gaps described in section 1.3. If possible, list and number the sector’s priorities in order of importance. The following are examples of sector priorities (for illustrative purposes only):

Example 1: Develop information platforms to communicate and coordinate security issues among and between the sector’s GCC and SCC member organizations.

Example 2: Collaborate, develop, and share appropriate threat, vulnerability, and consequence information among the Federal, State, and local governments, along with the public- and private-sector security partners. Include the development of indications and warnings.

The sector should also provide a prioritized set of actions that it intends to take to improve its cyber security posture. One example of a cyber security-related priority from the 2007 Sector Annual Reports is: “Identifying and disseminating information assurance standards, best practices, and training materials to improve the information assurance posture of unclassified networks.” In addition, discuss how the sector is balancing its cyber security efforts with other risk management efforts based on the unique aspects of its infrastructure. This discussion provides the background for cyber security protective programs, R&D, and funding priorities described later in the report. Given the diverse audience for the Sector Annual Report, it is important for it to note that the priorities listed represent sector-wide actions prioritized for improving CIKR protection, not a prioritized list of assets, systems, networks, or functions.

Please use the following guidelines to help determine and describe the SSA’s priorities:

The priorities may be the high-level set of actions the sector intends to take to expand its CIKR protection efforts. The sector maps each action to at least one sector security goal identified in section 1.1.

The priorities may stem from an analysis of the sector security goals, the sector risk profile, and sector CIKR protection gaps identified during the development of the Sector Annual Report, as well as during the development and implementation of the SSP.

Sector priorities may include items addressed in the 2007 sector priorities, represent the next step or ongoing efforts in the fulfillment of those priorities, or represent entirely new concerns.

The priorities may align with the sector’s risk profile (in section 1.2) and provide a sense of how the sector will protect CIKR assets and systems from various terrorist attack methods.

Sector priorities may not include specific CIKR protection programs and initiatives; section 2.1 covers these.

Section 1.4 describes how each priority will mitigate, manage, and reduce the risk to the sector, including the sector’s key dependencies and interdependencies on other CIKR sectors. To facilitate the widest possible distribution among sector security partners, a low level of detail is acceptable if necessary to avoid the need to classify the report. If necessary, classified appendices may be used.

Section 2: Sector Programs, Activities, and Tools The Sector Annual Report describes the sector’s most significant existing and planned CIKR protection-related programs, activities, and tools, including cyber protection-related programs. DHS and SSAs use this information to assess the baseline for national, cross-sector CIKR protection efforts. The emphasis is on those programs, activities, and tools that focus on terrorism prevention, mitigation, and recovery and on risk reduction. Ultimately, this information will serve as the basis for final recommendations and funding decisions to address current national priorities, close gaps in CIKR protection programs, and support national CIKR protection efforts.

Definition of Protective Programs, Activities, and Tools

Actions and initiatives designed to prevent, deter, or mitigate the threat; reduce vulnerabilities; minimize consequences; and enable timely, efficient response and recovery following an event or incident.

Examples: National Cyber Exercises; Information-Sharing Networks; Risk Management Manuals; Training Programs; Site Assistance Visits; Buffer Zone Protection Program

2.1 CIKR Protection Programs and Initiatives This section includes descriptions of ongoing and emerging priority CIKR protection programs, activities, and tools (including those related to cyber security) within the sector for consideration as part of the National Annual Report. The National Annual Report captures the most significant CIKR protection-related programs and initiatives designed to mitigate consequences, reduce vulnerabilities, address the most likely threats, and/or provide other protection-related capabilities. It is not necessary, then, to provide an exhaustive list of each sector’s protective programs, activities, and tools. Given the diverse nature of sector/agency missions, the number and types of programs reported for this effort will vary. To the extent possible, SSAs should collect information on all programs conducted by the sector's infrastructure protection community partners, not simply those undertaken by the SSA, GCC, and/or SCC. This section should also include descriptions of ongoing and emerging priority cyber security programs within the sector. One example of a cyber security protection program or initiative from the 2007 Sector Annual Reports is: “Network Security Information Exchanges, which meet jointly every two months, exchange information and views on threats and incidents affecting the public network’s software elements, vulnerabilities, and their remedies.”

Risk reduction activities in the National Annual Report will be based on an analysis of the National CIKR Risk Profile, which is derived from the SHIRA report. The overarching goals of the Web-based Risk Reduction Activity Questionnaires (RRAQs), as well as general guidance on the types of programs, activities, and tools that require assessment, are described below. Appendix 1 of this guidance document provides specific, section-by-section instructions on how to populate the Web-based RRAQs. Data and information for this year’s RRAQs will be collected through the NIPP Metrics Web Portal. DHS pre-populates the information for each sector in the portal based on the last year’s submissions. Sectors should attach the completed RRAQs, generated through the portal, as Appendix 1 of the Sector Annual Report. The development of the Sector Annual Report highlights the sector’s primary risk reduction activities. In collaboration with sector partners, SSAs produce a focused representation of priority sector risk reduction activities that cover the following three categories:

1. Activities designed to reduce risks identified in the National and sector Risk Profile;
2. Activities required by law; and
3. Activities mentioned elsewhere in the Sector Annual Report.

The RRAQs will be used in the development of the National Annual Report. The report will focus on those risk-reduction activities associated with the terrorist attack methods addressed in the National CIKR Risk Profile (Figure 5). Currently, the National CIKR Risk Profile focuses strictly on terrorist risk, although DHS plans to move to an all-hazards approach.

Aircraft as a Weapon
Assault
Biological – Contagious Human Disease
Biological – Livestock and Crop “Disease”
Biological – Noncontagious Human Disease
Chemical
Cyber – Directed Attack
Cyber – Nondirected Attack
Food or Water Contamination
Improvised Explosive Device (IED)
Maritime Vessels as Weapons
Nuclear Explosive Device
Radiological Dispersal Device
Standoff Weapons – Guided
Standoff Weapons – Unguided
Vehicle-borne IED (VBIED)

Table 2-1: Terrorist Attack Methods Addressed in the National CIKR Risk Profile

Figure 5: Format for Table 2-1 to be Included in the Sector’s Annual Report

SSAs should include an RRAQ for every program, activity, or tool, based on the DHS HITRAC and SHIRA efforts. The DHS Office of Infrastructure Protection (DHS/IP) will ensure the programs, activities, and tools are consistent across the 17 CIKR sectors. DHS/IP works with SSAs to prioritize their risk-reduction activities and to order the RRAQs. The prioritization of risk reduction activities includes the following:

The sector’s overall risk to the attack method(s);

Risk reduction already realized by the activity (i.e., maturity of the activity);

Budget expenditures on the activity;

Scope of the activity’s impact (e.g., geographic and sector reach); and

Cost-benefit analyses conducted by the sector.

Working with their sector security partners, where necessary SSAs will provide the prioritization of the RRAQs (indicated by their order of submission). When needed, DHS supports SSAs in establishing priorities to complete their RRAQs. SSAs should provide separate justification for their rankings only in those cases in which the sector’s top risk reduction activities do not align with the top risks to the sector, as identified in the National and Sector Risk Profiles. This justification should be provided in Appendix 1, Question 6a, immediately following the discussion of which risk factors are being mitigated by the activity.

2.2 Coordination Groups and Security Partners This section focuses on the effectiveness of the NIPP Partnership Model as the framework for the activities undertaken by SCCs, GCCs and other security partners that support CIKR protection programs, activities, or tools described in Section 2.1. Please provide a narrative describing the overall effectiveness of the NIPP Partnership Model for your sector. The questions and broad themes listed below are intended to assist you in structuring your narrative and describing the effectiveness of the sector’s partnership implementation. Due to unique sector characteristics and differing stages of maturity of the partnership, it is recognized that sectors will vary in their ability to discuss the themes provided. However, in order to support production of the National Annual Report it is important that each of the three main question areas is addressed. The themes are offered as areas to consider in your narrative and do not represent either a comprehensive or restrictive checklist.

Has the sector been successful in implementing coordination and communication mechanisms with partners across the sector as envisioned in the NIPP and the SSP? Describe representation, participation, and engagement.

Composition of sector GCCs and SCCs and extent of sector representation as defined in the SSP

Degree of sector participation

Depth of communication and information sharing across sector security partners

Scope of activities, such as exercises, training, participation in meetings

SCC and GCC collaboration across sectors

Role of State, local, tribal, and territorial government entities in sector CIKR protection activities and participation in the partnership

Ways to increase participation and engagement, such as altering the charter or composition of the SCC and GCC or changing the location and frequency of meetings.

Are partnership activities productive in terms of achieving the Sector Security Goals and progress measurement indicators identified in the SSP? Describe output of the partnership and processes put in place.

Milestones reached

Degree to which information is timely and channeled to appropriate end users, information sharing mechanisms, and threat/advisory distribution channels

Extent to which relationships between and among partnerships identified issues and resulted in decisions made and actions taken to move the issues toward resolution

Do partnership activities carried out under the NIPP and the SSP support the security protection efforts of the sector, i.e., is the sector’s security posture improved through use of the NIPP and SSP mechanisms? Where possible, provide examples.

Coordination and implementation of key activities during an incident

Development and distribution of products, tools and/or other deliverables

Communication to enhance understanding and sharing information about all-hazard threats, vulnerabilities, and consequences

Challenges within the partnership – ways to improve the collaborative process.

Section 3: CIKR R&D Progress and Updated Capability Gaps In 2007, there were separate R&D and MS&A sections (sections 3 and 4) in the Sector Annual Reports and the National Annual Report. Beginning in 2008, these topics have been merged into a single section. Sectors requested this simplification, noting that MS&A is a category of technology development and that it can be addressed as part of an overall Capability Gaps section. Because MS&A is an R&D category identified in the Critical Infrastructure Protection R&D Plan, this change will go much further toward integrating the efforts of DHS Science & Technology (S&T), DHS/IP, the White House, and CIKR sectors. The purpose of this section is to identify capability gaps. The sector’s capabilities provide the means to accomplish its missions and achieve desired outcomes by performing critical tasks, under specified conditions, to meet target levels of performance. The section should indicate the sector’s progress in overcoming capability shortfalls identified in the SSP and past Sector Annual Reports, and it should update sector capability requirements. During identification or implementation of solutions to the capability gaps identified in Sector Annual Reports and SSPs, DHS/S&T and DHS/IP will work closely with the sectors to find collaborative solutions. This section should also identify the sector’s technology development requirements for cyber elements; describe current cyber security R&D initiatives; note gaps between cyber security requirements and initiatives; and discuss planned cyber security R&D programs, including leveraging current initiatives and sponsoring new ones. The National CIP R&D Plan identifies nine technology themes that define common needs across sectors. These themes resulted from workshops initiated in 2004, and they have been confirmed on the basis of subsequent sector feedback. 
A complete description of the themes can be found at [www.dhs.gov/xlibrary/assets/ST_2004_NCIP_RD_PlanFINALApr05.pdf]. Sectors are encouraged to frame their progress reporting, R&D planning, and capability gaps using these themes. Sector initiatives that fall outside these themes can also be discussed, but use of the themes will help DHS and the sectors identify dual-use projects, as well as projects with cross-sector benefits. During the interviews and consultations held while preparing Sector Annual Reports, S&T and the Infrastructure Analysis and Strategy Division (IASD) will help sectors categorize and describe capability gaps that may be difficult to categorize.

Dual-use projects are those that have benefits beyond just security, perhaps including safety, longevity, sustainability, or lower operating cost. For example, research in advanced materials is expected to result in blast resistant solutions that minimize damage and improve resiliency of infrastructures; these same solutions may also increase the longevity of structures, ease construction, and/or reduce maintenance costs. The dual-use nature of such projects may contribute directly to making their implementation economically viable. Using the themes will directly support identification of requirements and projects that relate to multiple sectors. For example, insider threat is noted as an important challenge by many sectors. The threat manifests itself similarly across sectors, and countermeasures should be applicable across sectors. MS&A projects often directly address multi-sector issues such as modeling interdependencies and cascading consequences across sectors. Note that MS&A is focused on the fifth theme (Analysis and Decision Support Systems), but MS&A tools can support, and may be integral to, many of the other themes. MS&A may also be a recognized step in developing a tool needed to fill a capability gap. In particular, the following MS&A topics were identified in 2007 Sector Annual Reports as being important to two or more sectors:

Application of National Planning Scenarios,

Pre-Positioning of Equipment,

Sector Effects of Pandemic,

Acquisition of Data and Information and/or Development of Methodology,

Economic Impact,

Process Optimization or Risk Mitigation, and

Evacuation Planning Analysis.

3.1 Progress This section describes the progress made in finding and implementing solutions to the sector’s technology capability gaps, in terms of maturation of R&D management processes and accomplishments stemming from projects the sector is sponsoring or monitoring (sectors should indicate which programs they monitor and which they sponsor). The section should also summarize current and planned R&D initiatives, highlighting those that are new in the past year. In addition, this section should identify the sector’s technology development requirements for cyber elements and describe current and planned cyber security R&D and MS&A initiatives. Sectors should identify and prioritize MS&A requirements that will become candidate studies for the NISAC, which prepares and shares analyses of CIKR, including their interdependencies, vulnerabilities, consequences, and other complexities under the direction of DHS/IP. The section should also include discussions of how the sector has leveraged current cyber security initiatives and sponsored new ones. Sectors should indicate cyber security R&D progress achieved since last year’s Sector Annual Report. Use the nine technology themes to classify projects, if appropriate. Respond separately, if possible, to each theme.

1. Major projects completed by the sector during the reporting period and an indication of the life-cycle stage of the results.

2. Initiatives for which the sector has made significant progress in the past year and which can be leveraged in other efforts within or across sectors. When possible, identify specific ongoing or planned sector-specific related DHS/S&T projects or projects outside S&T that will benefit the sector. These may include DHS/S&T projects for which signed Technology Transition Agreements are in place.

3. Primary initiatives underway in 2008. Be sure to note which of these are continuations of prior year efforts and which were started new in 2008.

4. Programs from other sectors or agencies that have been reoriented to support sector-specific needs (e.g., DOD cyber security measures applicable to the Banking and Finance Sector);

5. R&D efforts that address interdependencies across sectors;

6. R&D management accomplishments, including information-sharing communities, such as a joint working group focused on R&D that combines the SSA, SCC, GCC, or other sectors that share common needs. Also identify progress made in the development of working relationships with DHS/IP/IASD and DHS/S&T; and

7. Progress in identifying requirements and establishing relationships with IASD’s National Infrastructure Simulation and Analysis Center (NISAC) and other MS&A providers.1

MS&A is the most commonly requested R&D theme. In one of every three capability gaps or requirements identified, MS&A was central. Therefore, further specificity will be critical to prioritizing capability gaps and implementing solutions to address them. For sectors just beginning to work with IASD’s NISAC within DHS/IP, or whose programs are assigned to S&T Infrastructure and Geophysical Division research centers, Kentucky Critical Infrastructure Protection Institute Program (KyCIP), or the Southeast Region Research Initiative (SERRI), progress in these relationships should be described.

The following background questions, designed to capture the key information about existing MS&A capabilities and needs, will help significantly in implementing solutions to the capability gaps identified:

1. What is the name of the principal agency or analytical organization that supports analysis for your sector? Enter “none” or “unknown,” if appropriate.

2. What are the names of the principal MS&A tools supporting analysis for your sector? Enter “none” or “unknown,” if appropriate.

3. What are the most authoritative, trustworthy databases or data and information sources (no more than five) that support analysis of your sector?

4. Have SSA and/or SCC members met their corresponding DHS/NISAC staff analysts?

5. Understanding that “modeling and simulation” represents only one approach or step in the analysis process, what specific high-priority questions or issues should MS&A address at this time?

6. Does the SSA, or do other sector assets, have specific databases that DHS/NISAC could apply to this analytical problem?

1 The IASD/NISAC is a unique asset within DHS, but it is a limited resource and it can presently address fewer than 10% of the capability gaps for priority attention. Accordingly, IASD’s NISAC will work collaboratively with sector security partners to coordinate, develop, and implement CIKR requirements into a comprehensive cross-sector approach.

3.2 Capability Gaps This section updates and affirms the sector’s capability requirements, gaps, and priorities—highlighting changes from previous reports. The goal of this section is to identify needed capabilities, gaps, and shortcomings in CIKR protection, perceived barriers to achieving the needed capability, and potential approach(es) to resolving these shortcomings, if known. Submissions should define the “capability gap,” not “solutions or system specifications.” In this section, sectors should also note gaps between cyber security requirements and initiatives, including sector-based cyber security issues or queries that lend themselves to MS&A. Two examples of cyber security-related capability gaps from the 2007 Sector Annual Reports: (1) “The security of 911 call centers is essential to the functioning of the sector. A more in-depth analysis of call centers needs to be conducted to determine specific vulnerabilities and protection measures.” (2) “Modeling and simulation capabilities are needed to analyze cascading consequences of cyber attacks on the IT infrastructure.” The information will be submitted in table format (see table 3-1). The paragraphs that follow the table provide guidance to the sectors for obtaining and preparing the capability gaps information.

Question: Capability Gap Statement Tracking and Priority Number
Response: Year–3-digit number–sector (The 3-digit number is the priority number, e.g., “2007–001–Dams” is the highest-priority Dam capability gap, “2007–002–Dams” is the second-highest Dam capability gap priority, etc.)

Question: Is this submission an MS&A requirement?
Response: Yes/No

Question: Proposed Title of Requirement
Response: Short, concise title – no more than one sentence

Question: Goal/Objective to which Requirement Responds
Response: Identify the specific goal, objective, regulation, or statute this requirement is intended to address (e.g., NIPP, NIPP SSP identified requirements)

Question: Theme
Response: Identify which of the nine CIKR Protection R&D theme(s) this capability requirement aligns with (see NIPP, p.176)

Question: Threat Identification
Response: Identify and summarize the threat to be countered

Question: Gaps of Existing Capabilities
Response: Provide a brief description of deficiencies in current capabilities and describe why existing systems and/or technology(ies) cannot meet current or projected requirements, or why additional research is required

Question: Description of Required Operational Capability
Response: Summarize the mission need and capability requirement (this should not be system specific). Define critical task elements and performance requirements:
    Describe the specific desired outcome not presently achievable
    Identify the operational performance parameters (capabilities and characteristics) required for the proposed capability
    Provide examples of who might use this capability - where, when and how, and under what conditions
    Describe interfaces with other systems/components
    Identify key characteristics/attributes of desirable solution(s)

Question: Identification of Existing Related Capabilities or Technology
Response: If known, provide information on existing systems and/or technologies that may provide leverage and assist in the development of the capability

Question: Identification of Possible Approaches/Solutions
Response: Identify/define potential solutions that may address the capability gap

1 Sectors should answer the 10 questions in table 3-1 for each identified capability gap. Attributes of a well-written capability gap statement include:
    Specifies important needed outcomes/missions that are not currently achievable,
    Specifies measures/standards that describe/quantify performance of outcome/mission,
    Specifies conditions under which outcome/mission must be achieved, and
    Specifies “what” needs to be achieved, not “how” to achieve it.

Table 3-1: [SECTOR NAME] Capability Gap Statement1

Figure 6: Format for Table 3-1 to be Included in the Sector’s Annual Report

The process for developing a capability gap statement should begin with a capability gap analysis that assesses the ability of current and programmed systems to meet the relevant mission objectives. The analysis must identify gaps and their potential effects on the sector’s success in achieving those objectives. The format and process of the gap analysis are not specified, and a formal report of the analysis is not required; however, it is recommended that the SSA document the analysis protocol used and the results obtained. The analysis should help sectors better articulate capability gaps, and it should consider, at minimum, the following:

Required operational capabilities;

Known operational deficiencies;

Threats requiring mitigation;

Strategy and operational factors;

Existing technological alternatives;

Emerging technologies;

Collateral technologies;

Nonmaterial alternatives, and

Priorities.

Sectors are encouraged to gain a broader picture of technology requirements and initiatives from public- and private-sector security partners and state and Federal government sources, including the following:

The SCC, which can help identify industry priorities and initiatives;

DHS S&T, which will support SCC and GCC members in coordinating the compilation of R&D initiatives across Federal agencies; and

DHS, which can provide information (as available) regarding states that have invested heavily in R&D and that, in turn, have established homeland security R&D programs (these programs should be included to the extent that they address CIKR protection within a sector).

Sectors are encouraged to work closely with the DHS/S&T/Infrastructure and Geophysical Division and DHS/IP/IASD in developing this section. DHS/S&T and DHS/IP/IASD have assembled information regarding current initiatives across the Federal S&T community; DHS can provide this information to sectors, which can then tailor it to their individual needs as necessary.

Section 4: Funding Priorities

Information submitted by SSA and GCC members to the Office of Management and Budget (OMB) provides the foundation for sections 4.1 and 4.2, which identify SSA and non-SSA funding for CIKR protection. OMB Circular A-11 describes the population of homeland security spending data and information into the Homeland Security Data Base (HSDB). All NIPP-related activities relate to the “Protecting Critical Infrastructure and Key Assets” (PCIKA) mission in the HSDB. They should be further designated as being related to human, physical, or cyber critical infrastructure protection. Programs that are R&D efforts can also be identified as such in the database. Entries made by SSA and GCC members into the HSDB include the federally funded programs, activities, and tools described in section 2.1. For this section, the sector’s entries into the HSDB should include those cyber security programs and initiatives described in section 2.1 that are federally funded. As part of the Sector Annual Report development process, OMB is currently revising the structure of the HSDB to provide more consistency in the information collected. Guidance regarding the use of the new form of the database will be provided to the SSAs once OMB has approved the new version for dissemination. Each Federal agency is responsible for populating this database under the requirements of OMB.

4.1 Planned SSA Investments

This section identifies the requested funding for sector priority programs, activities, and tools—as identified in section 2.1—and relates it to the sector’s CIKR protection efforts. The SSA should also identify the planned funding for cyber security programs and initiatives as identified in section 2.1 and relate them to the sector’s cyber protection efforts. These data and information support the analysis conducted for the National Annual Report and provide a foundation for an assessment of national, cross-sector CIKR protection efforts. This section also identifies the President’s budget request for security-related CIKR protection activities in FY 2009. This section provides prior-year enacted and current-year requests for each SSA-sponsored program in the Sector Annual Report. The future-year budget request will be addressed as part of the budget process deliverables in September. SSAs coordinate with department or agency budget offices to ensure the accuracy of these data and information. Budget requests align with the requirements and milestones set out in the SSP. The following table provides information to enable consolidation of the budget, as submitted by the HSDB and in the Sector Annual Report. This table also helps ensure all program dollars reference their appropriate OMB accounts. The relevant OMB account should be provided for all program-level data entry into the HSDB, as well as for non-homeland security spending so OMB will know what budget data and information will be unavailable through the HSDB. Submission to DHS, and subsequent submission to OMB, of a Microsoft Excel version of this funding table enables tracking of non-homeland security requests throughout the budget process.

Table 4-1: [Sector Name] SSA Investments

Sector: Chemical
Agency: Department of Homeland Security

| Program/Investment Title | Priorities Addressed | Program/Investment Description: How program/investment supports CIKR protection | OMB Account | Included in the HSDB? | FY08 Request | FY08 Enacted | FY09 Request (est.) | FY09 Enacted (est.) |
|---|---|---|---|---|---|---|---|---|
| Chemical Security | 1, 2 | Ensures proper security measures are taken at high-risk facilities | 024-65-0565 | Yes | $X | $X | $X | $X |
| Agency Total: | | | | | $X | $X | $X | $X |

(In the Sector Annual Reporting Template, the four fiscal-year columns are grouped under the heading “Budget.”)

Figure 7: Format for Table 4-1 to be Included in the Sector’s Annual Report


4.2 Non-SSA Investments

This section describes, where possible, the status of resource investments (e.g., budget) for sector CIKR protection efforts by non-SSA sector security partners. In this section, sectors should also describe, where possible, the status of resource (i.e., budget) investments for cyber security protection efforts made by non-SSA sector security partners. The section should:

Describe protection activities being conducted by other Federal agencies, States, or private-sector security partners;

Identify alternate sources of funding for gaps; and

Identify, where possible, areas where sector priorities remain unfunded by any public or private entity.

As with the discussion of SSA investments, the emphasis is on resources allocated for sector priorities and priority programs, activities, and tools—rather than on all individual expenditures that are being made.

4.3 Gaps

This section notes areas in which the sector has not implemented protective programs, activities, and tools, and in which additional resources and attention could be directed to support the sector’s CIKR protection priorities (see section 1.4). Sectors should also note areas where cyber protective programs have not been implemented in the sector, and where additional resources and attention could be directed to support the sector’s cyber protection priorities. Specifically, this section identifies anticipated gaps—including physical, human, and cyber gaps—and explains why such gaps are not addressed within current funding levels. (For help in identifying gaps, refer to the completed web-based RRAQs.) Please note if discussions and meetings with other sectors suggest that any of the sector’s gaps are crosscutting concerns or if they would benefit from cross-sector solutions.

Section 5: CIKR Protection: Security Practices and Obstacles

5.1 CIKR Protection Security Practices

This section provides a focused discussion of CIKR protection security (including cyber) practices across the sector. It provides the SSAs with an opportunity to highlight those security practices and programs (past or current) that—from their perspective—have been most effective and have been working well; those that could be leveraged throughout the sector or in other sectors; or those that could be used to promote cross-sector CIKR protection efforts. The intent is to describe practices that individual owners and operators, as well as other security partners, can implement. The intent is also to describe cyber security practices that span the preparedness spectrum and ensure the confidentiality, integrity, and availability of cyber infrastructure for owners and operators, as well as other security partners. The set of practices may be short to start, but it will likely grow over time as the sector matures. The section should:

Describe security practices across all elements of the NIPP risk management framework.

Describe the actual security practices within the sector—as opposed to the process used to determine these practices or a list of future strategies.

Address the physical, human, and cyber dimensions (as applicable to each sector) of the sector’s protective programs, activities, and tools. These may be addressed individually or in an integrated manner.

Address both government and private-sector security (and security management) practices.

In addition to spanning the risk management framework, this section provides examples of effective sector management practices—describing, for example:

Actions designed to protect CIKR that are being undertaken by security partners and that demonstrate good leadership and sound management;

Means of communicating and promoting CIKR protection activities as a part of regular business practices;

Steps taken to ensure selection and implementation of protective measures are based on risk; and

Steps taken to assure that ongoing security practices are updated and enhanced through education and awareness; exercising and training; communication and information sharing; and continuous/regular review, analysis, and update.

5.2 Obstacles

This section describes obstacles or barriers that prevent the sector from fully implementing necessary CIKR protection programs, activities, or tools, including those related to cyber security. On the basis of actual experience, sectors may wish to describe:

Potential areas for policy development, as well as an indication of whether the policy should be developed by the SSA or other parties and agencies;

Areas in which improvements in partnerships could enhance implementation of CIKR programs;

Difficulties in information sharing;

Areas in which additional DHS support or resources could enhance implementation of CIKR programs;

Absence of appropriate or affordable technology; and

Concerns related to cyber security.

Section 6: Program Effectiveness and Continuous Improvement

This section provides a summary of the overall progress of CIKR protection efforts within the sector (including cyber security) and outlines the sector’s next steps in achieving the goals and objectives set forth in its SSP. The intent of this section is also to demonstrate the progress the sector has made in enhancing cyber security. One example of an implementation action from the 2007 Sector Annual Reports is: “Implement [Nuclear Regulatory Commission]-recommended cyber security programs at all of the NPPs and maintain awareness of the latest cyber security measures developed or recommended by NCSD, US CERT, and other Government-industry bodies concerned with cyber security.” Section 6 is developed by the SSA in close collaboration with its security partners and with DHS.2

2 Although compliance with the Sector Annual Report guidance will not violate the PRA, SSAs should consider the need to adhere to the guidelines set forth in the PRA when collecting information from the SCCs (or other entities). DHS encourages early coordination by the point of contact for each SSA regarding PRA matters and suggests that the SSAs seek legal advice before asking another agency or entity to collect information, as described in the applicable regulations [http://www.archives.gov/federal-register/laws/paperwork-reduction/].

The information presented in this section of the Sector Annual Report is based on the metrics-based process described briefly below. The following sections provide guidance on how the metrics-based information can be used to describe progress (section 6.1, CI/KR Protection Mission Progress) and next steps (section 6.2, Path Forward). DHS, through NCSD and the NIPP Program Management Office (PMO), will also work with security partners to develop descriptive, process, and outcome cyber core metrics to enable evaluation of cyber security within and across sectors. NCSD and the NIPP PMO will work with the sectors through the CSCSWG to facilitate development of cyber security metrics to measure the progress of sectors’ cyber security efforts. DHS plans to hold a series of workshops in FY 2008. In their Sector Annual Reports, sectors should articulate any sector metrics efforts that include/consider cyber security. Measuring effectiveness is a key component of the NIPP Risk Management Framework (see figure 8). It drives the continuous improvement of CIKR protection outcomes and helps assess progress toward security goals. Metrics provide a basis to:

Establish a baseline of current performance and a foundation for continuous improvement;

Demonstrate that objectives are being met or that gaps exist in protective actions; and

Identify possible corrective actions and guide decision making.

Figure 8. NIPP Risk Management Framework

DHS developed the Measurement and Analysis Initiative to measure: (1) the efficacy of risk management activities performed under the NIPP; and (2) the progress made in CIKR protection programs at the national and sector levels. The CIKR protection metrics developed as part of the initiative provide the SSAs with a foundation for discussing the sector’s overall progress. The CIKR protection metrics provide useful indicators of year-to-year progress toward achievement of the CIKR protection mission. The CIKR protection metrics process incorporates the following three types of indicators identified in the NIPP, to measure program performance:

Descriptive Measures are used to understand the resources and capabilities within a sector, but they do not reflect CIKR protection performance. They provide information regarding aspects of the sector that help define protection needs. They answer the question: Are we focusing on the right things?

Process (or Output) Measures are used to identify the conduct and completion of activities, such as plans, assessments, and protective actions. They provide an assessment of the productivity of activities, and they answer the question: Are we getting things done in CIKR protection?

Outcome Measures are used to track progress toward achieving sector security goals contained in the SSPs. They evaluate the contributions to, and the status of, enhanced protection. Moreover, they help assess the effectiveness of activities in achieving the overall outcomes of safer, more secure, and more resilient CIKR sectors. They answer the question: Are we effective in making the CIKR sectors more secure?

Sector-Specific Metrics

Sector-Specific Metrics provide an additional measure of sector progress but are in the initial stages of development. These metrics comprise a set of measures that are tailored to the unique risk profile and characteristics of each specific sector, and that focus on the CIKR protection posture of the owners and operators in each sector. They contribute to the NIPP goal by addressing the specific protection challenges the sector faces and its distinct business continuity needs. They link CIKR protection progress to sector security goals and provide meaningful information about the status of the security posture of the owners and operators in the sector. The sector should include a discussion of status with respect to the development of Sector-Specific Metrics.

The Measurement and Analysis Initiative has expanded and matured over the past year. Because of this maturation process, four principal metrics categories have been defined to address different facets of CIKR protection efforts: CIKR Protection Core Metrics; SSA Programmatic Metrics (which are based on the Implementation Actions matrix); Sector Partnership Metrics; and Sector-Specific Performance Metrics. The first three categories of metrics are being collected and analyzed this year. Sector-Specific Performance Metrics are under development for most sectors, and therefore, they will not be collected until 2009.

DHS established the NIPP Metrics Web Portal to provide a place to capture, track, analyze, and disseminate metrics information. The SSAs enter metrics data and information into the portal, which serve as the foundation for discussing sector progress in CIKR protection activities in section 6 of the Sector Annual Report. Figure 9 shows the type of metrics information collected and some of the reports that can be generated from the portal to support preparation of the Sector Annual Report.


[Figure 9 (diagram; image not reproduced). Sector security partners provide metrics information and metrics reports to the NIPP Metrics Web Portal, which supports SSA development of the Sector CIKR Protection Annual Reports and DHS development of the National CIKR Protection Annual Report, alongside the Sector CI/KR Risk Profile and the National and State CI/KR Risk Profiles. SSA portal input: Core Metrics (NIPP Risk Management Framework), SSA Programmatic (Implementation Actions), and Partnership Metrics (Sector Coordination). SSA portal output: Metrics Analysis Reports, Implementation Actions Reports, and a listing of metrics questions and responses. Other labeled elements: 2008 Sector CIKR Protection Annual Report Guidance, Consolidated Metrics Information, CI/KR Protection Metrics Analysis, and CIKR Protection Security Partners Coordination.]

Figure 9: NIPP Metrics Portal Information (enlarged portion of figure 2)

6.1 CIKR Protection Mission Progress

The intent of this subsection is to describe the progress the sector has made in CIKR protection efforts. For section 6 of the Sector Annual Report, the SSA should consolidate the metrics information captured on the portal to provide an overall picture of sector progress. This “roll-up” helps to assess the effectiveness of CIKR protection programs, activities, and tools. Program performance should be described, if possible, in terms of the descriptive, output, and—if known—outcome measures. For example, responses to the Core Metrics questions capture key accomplishments in implementing the NIPP Risk Management Framework and should be highlighted in this section to demonstrate sector progress in that area.

Overall CIKR Protection Progress. In discussing sector progress, the “roll-up” should address the following questions:

Are sector efforts focused on the right things?

Are the right things in CIKR protection getting done?

How effective are sector efforts in making the CIKR sectors more secure?

Similarly, SSA Programmatic Metrics capture progress in achieving the goals and objectives identified in the sector SSPs. This section should include a high-level description of activities, projects, and tools and their contributions to sector CIKR protection goals as well as the sector’s updated implementation matrix.


Sector governance and coordination are key elements to successful CIKR protection and risk management. Partnership Metrics show progress toward building and sustaining effective CIKR sector partnerships and provide for a characterization of individual CIKR sector approaches and progress, which reflect their distinctive characteristics and requirements in using the Sector Partnership Framework. The primary objectives of using Sector Partnership Metrics are to ensure that the appropriate decision makers are assembled, information is shared in a trust-based environment, and consensus is built to support programmatic and investment decisions related to protecting the Nation’s CIKR.

6.2 Path Forward

One purpose of measuring progress is to help security partners make decisions that are informed by the results of past and ongoing efforts. It can also help support a process of continuous improvement that will help security partners identify and implement actions to improve national CIKR protection. This section allows sectors to highlight their approach to continuous improvement of the sector-specific CIKR protection mission area. Sectors should also use this section to share thoughts regarding continuous improvement of the sector-specific cyber protection mission area. Building on the discussion of progress made in CIKR protection, the sector should summarize plans and priorities for future protection efforts. Challenges and major initiatives and approaches may be highlighted here, including the following:

Gaps identified, program adjustments made, and feedback obtained;

New research initiatives developed to improve knowledge and technology that can be used by security partners to more effectively mitigate risks; and

Plans to update and improve key databases, develop and maintain simulation and modeling capabilities, and coordinate with security partners on databases and modeling.

Section 6 is a summary of sector progress and path forward in the major areas of CIKR protection. If the sector wishes to amplify on any of the metrics-based data and information that serve as the foundation for this discussion of progress, please provide the additional information in an appendix to the Sector Annual Report.


Appendix 1: Risk Reduction Activity Questionnaire

Appendix 1 of this guidance document provides specific, section-by-section instructions on how to populate the Web-based Risk Reduction Activity Questionnaires (RRAQs). Data and information for this year's RRAQs will be collected through the NIPP Metrics Web Portal. Information for each sector will be pre-populated in the portal on the basis of last year's submissions. Sectors should attach the completed RRAQs, generated through the portal, as Appendix 1 of the Sector Annual Report.

Activity Information

1. Name of activity. SSAs provide the official name of the activity, as found in business documents, on department or agency web sites, or in other literature. Unofficial, yet more commonly referred to, activity names should also be provided.

a. Name of managing entity (e.g., specific government agency, jurisdiction, private sector group). The managing entity is considered any department, agency, office, or group that provides funding to the activity. If the entity responsible for operational management of the activity differs from the entity providing funding, provide that information and explain.

b. Is this activity required by law? If so, which law? SSAs provide a “yes/no” answer to this question, and identify the specific law, regulation, and/or authority.

2. Brief description of activity. When providing a description of the activity, be concise, while clearly describing the intent and purpose of the activity. If available, information regarding which stakeholders benefit from the activity and how, as well as activity successes, should be included.

3. Activity type. SSAs select all that apply. Below are brief definitions of each activity type:

Physical/Personnel Security: Activities that enhance the protection of physical (tangible property) or human (critical knowledge of functions or people uniquely susceptible to attack) elements of CIKR. Examples include guards, vehicle barriers, structural improvements, special lighting, fencing, alarms, screening, surveillance detection equipment, background checks, and regulations requiring any of the above examples.

Cyber Security: Activities that enhance the protection of cyber (electronic information and communications systems, and the information contained therein) elements of CIKR. Examples include control system security activities, and security personnel, special training, and equipment dedicated to addressing cyber threats.

Identification/Prioritization: Activities that identify or prioritize CIKR assets, systems, or resources. Examples include activities that catalogue sector CIKR assets and systems, as well as activities that prioritize sector CIKR assets and systems on the basis of risk or other factors.

Assessments: Activities that seek to determine the overall risk or components of risk (threat, vulnerability, or consequence) of a CIKR asset or system. Examples include the performance or development of threat, vulnerability, consequence, or risk assessments; interdependency analyses; modeling and simulation analyses; and infrastructure inspections.

Information Sharing/Coordination: Activities that seek to facilitate the coordination or exchange of information among CIKR partners. Examples include advisory committees, coordinating bodies, outreach programs, and development and dissemination of best practice guidelines.


Training/Exercises: Activities that seek to provide or reinforce skill sets required to implement or enhance risk management and CIKR protection activities. Examples include educational training and tabletop exercises.

Performance Measures: Activities used to monitor performance and measure progress. Examples include metrics programs.

Preparedness: Activities necessary to build, sustain, and improve the operational capability to identify threats, determine vulnerabilities, and mitigate potential consequences of an incident. Examples include preparedness plans, readiness exercises, and public awareness efforts.

Response/Recovery: Activities that address the short-term, direct effects of an incident, as well as the development, coordination, and execution of service- and site-restoration plans for impacted communities and the reconstitution of government operations and services. Examples include response measures designed to limit loss of life, personal injury, property damage, and other unfavorable outcomes; resiliency; and rapid restoration capabilities.

Other: Activities that do not fit any of the above categories. Examples may include overarching regulations that may affect sector security, research and development activities, and performance studies. SSAs briefly explain how the activity is providing security to the sector’s CIKR assets or systems.

a. Supporting documentation/explanation: SSAs provide a brief explanation or, if possible, supporting documentation/citations of why the above selection(s) was made.

Activity Scope

4. Is this activity designed only to reduce risk in your own sector? SSAs select “yes” if the activity was designed to be sector-specific. DHS understands that some activities are originally intended to be sector-specific, but eventually will develop cross-sector applications. In such cases, SSAs still select “yes” (thus highlighting the original intent of the activity); however, make note of its current cross-sector application in section 4a – supporting documentation/explanation, and explain how it came to have cross-sector applications.

a. Supporting documentation/explanation: SSAs provide a brief explanation or, if possible, supporting documentation/citations of why the above selection(s) was made.

5. Is this activity currently being used by other sectors or subsectors to reduce risk? SSAs select “yes” only if the activity is currently available to, or is being used by, other sectors or subsectors.

a. If so, please check which sector(s) or subsector(s) are utilizing this activity. SSAs indicate which sector(s) or subsector(s) the activity is designed to address. This information allows DHS to determine the scope of the activity.

b. Supporting documentation/explanation: SSAs provide a brief explanation or, if possible, supporting documentation/citations of why the above selection(s) was made.

6. This activity is designed to reduce the subcomponents of threat, vulnerability, and/or consequence associated with the following attack method(s). SSAs indicate which attack methods the activity was initially designed to address. Below are definitions of each attack method:


Aircraft as a Weapon: Terrorist use or control of an aircraft, to include use of a private aircraft, commandeering of a commercial aircraft, or use of unconventional airborne vehicles, as a means to attack infrastructure targets directly.

Assault: Assaults on assets or confined areas, such as gaining control of a facility or taking people hostage.

Biological — Contagious Human Disease: A biological weapon is considered contagious when the disease-producing microorganisms (pathogens) are transmissible from person to person by direct or indirect contact, and are still capable of infection. Examples include pneumonic plague, smallpox, and some viral hemorrhagic fevers, such as Ebola.

Biological — Livestock and Crop Disease: Disease-producing microorganisms, also called pathogens, can affect livestock and crops. Types of pathogens include (but are not limited to): animal pathogens (foot and mouth disease [FMD], rinderpest, swine fever, hog cholera) and plant pathogens (powdery mildew, rust, leaf spot, blight, root and crown rots, damping-off, smut, anthracnose, and vascular wilts). This attack method does not include contamination of harvested crops, which is covered in the “Food or Water Contamination” attack method.

Biological — Non-Contagious Human Disease: A biological weapon is considered non-contagious if the pathogens employed are not transmissible through direct or indirect personal contact, and are still capable of infection. Examples include anthrax, botulism, bubonic plague, tularemia, and Q fever. This method does not include contamination of the water or food supply, which is covered in the “Food or Water Contamination” attack method.

Chemical: A chemical weapon is “any toxic chemical or its precursor that can cause death, injury, temporary incapacitation or sensory irritation through its chemical action.”

Cyber – Directed Attack: A cyber attack directed at specific infrastructure that results in the disruption or severe degradation of networks or systems essential to the functioning of CIKR, or in the manipulation of a network or system for malicious purposes. Attacks can include injection of incorrect data and information, data corruption, malicious exploitation of industrial processes, and denial-of-service attacks against individual networks or systems, as well as the installation of back doors, Trojan horses, botnets, viruses, logic bombs, or other malicious code that allows an attacker to access and control the network or system.

Cyber – Non-Directed Attack: A computer network attack that is not directed toward a specific infrastructure or sector, but rather intended to affect information systems in general. This attack would lead to widespread degradations or disruptions to internal and external networks, systems, and devices, and thereby the functioning and operating of critical infrastructure. The worst-case scenario would be a quickly propagating virus or worm that exploits vulnerabilities found in large numbers of systems, released prior to the widespread application of patches or before a public advisory can be issued. The attack would degrade or destroy network communication, operating systems, databases, and control systems. The virus or worm would use malicious logic that results in both discrete and cascading effects across geography, population centers, and sectors.

Food or Water Contamination: Agents used to contaminate food or water systems include, but are not limited to, chemicals, such as arsenic, benzene, cyanide, mercury, or pesticides; biological agents, including Bacillus anthracis (anthrax), Clostridium botulinum toxin, and Salmonella Typhimurium; or radiological sources. For food systems, possible methods of employment include: contamination of food imports, contamination of food during processing, contamination of food during transport, or contamination of food during distribution. For drinking water systems, tactics could include: contamination of raw water sources (wells, rivers, lakes, and reservoirs) prior to treatment; contamination of distribution systems or water storage tanks following treatment; backflow contamination; or disabling or sabotaging the drinking water system.

Improvised Explosive Device: An IED is an explosive device fabricated in an improvised manner incorporating explosives or other destructive, lethal, pyrotechnic, or incendiary chemicals. Tactics include delivery by a variety of means, including: suicide bombers; backpacks; briefcases; packages; combat swimmers; or mines left behind.

Maritime Vessels as Weapons: This attack method involves using a vessel to undertake terrorist acts: (1) within the maritime environment; (2) against other vessels or fixed platforms at sea or in port, or against any of their crews and/or passengers; and (3) against coastal facilities or settlements, including tourist resorts, port towns/areas, and cities.

Nuclear Detonation: A nuclear weapon is a device with explosive power resulting from the release of energy unleashed by the splitting of nuclei of a heavy chemical element, such as plutonium or uranium (fission), or from the fusing of nuclei of a light element, such as hydrogen (fusion).

Radiological Dispersal Device: An RDD is any device that causes the purposeful dissemination of radioactive material without a nuclear detonation. An RDD can come in several forms, including a “dirty bomb,” which uses explosive force to disperse the material.

Standoff Weapons – Guided: A standoff weapon is any weapon that fires a projectile (or is a projectile itself) and is fired from outside the immediate small arms range. Two types of guided standoff weapons are man-portable air defense systems (MANPADS) and anti-tank guided missiles.

Standoff Weapons – Unguided: Terrorist attack using weapons that fire a projectile or that are projectiles themselves but have no in-flight guidance system. This includes, but is not limited to, artillery; mortars; unguided shoulder-fired rockets; and long-range small arms.

Vehicle-Borne Improvised Explosive Device: VBIEDs integrate a vehicle and an explosive device specifically for detonation against a target.

After indicating which attack method(s) the activity was initially designed to address, the SSA selects which subcomponents of threat, vulnerability, and/or consequence the activity is designed to reduce for each selected attack method. If an activity is designed to reduce the overall risk of an attack method, the SSA checks all of the subcomponent boxes. Below are definitions of threat, vulnerability, and consequence, as well as definitions of their subcomponents:

Threat: Represents the likelihood that an attack will occur based on available intelligence about the intent and capability of the adversary.

Intent: The intention of an adversary to use an attack method against a sector.

Capability: The means and ability to launch an attack utilizing the attack method.

Vulnerability: Represents the probability that an attack will succeed in destroying, disabling, or otherwise significantly harming the target asset or system. The recognizability of the asset or system, the countermeasures in place, and the intrinsic robustness/resistance of the asset or system against attack should be considered.

Recognizability: The likelihood that the adversary will be able to identify and locate the asset or system, taking into consideration labeling/signage, press, uniqueness, and the adversary’s knowledge.

Countermeasure Effectiveness: The ability of protective measures to prevent the execution of a successful attack; denial, detection, and interdiction should be considered.

Robustness/Resistance: The ability of the asset or system to withstand a given attack.

Consequence: Represents the expected adverse impact(s) from an attack. The expected loss of life, economic effects, psychological impact of an attack, and any potential disruption to the sector’s mission should be considered.

Loss of Life: The number of fatalities that occur as a direct result of an attack.

Economic: All costs likely to accrue to society within one year of the attack, including both direct and indirect costs.

Psychological: The psychosocial or behavioral changes that occur in society following an attack.

a. Supporting documentation/explanation: SSAs provide a brief explanation or, if possible, supporting documentation/citations of why the above selection(s) was made.

7. The activity is designed to reduce risk across the following geographic area(s). This information allows DHS to determine the scope of the activity. When possible, after selecting a geographic area(s) (see definitions below), SSAs list the specific area(s) in the provided text box.

National: An activity designed to enhance the efforts of the sector’s CIKR assets or systems nationwide.

Regional: An activity designed to enhance the efforts of the sector’s CIKR assets or systems in a specific region of the United States (e.g., the Northeast).

State/Territorial: An activity designed to enhance the efforts of the sector’s CIKR assets or systems in specific States or Territories.

Local: An activity designed to enhance the efforts of the sector’s CIKR assets or systems in specific cities, towns, counties, tribal areas, or small districts.

Asset/System: An activity designed to enhance the efforts of specific sector CIKR assets or systems.

a. Supporting documentation/explanation: SSAs provide a brief explanation or, if possible, supporting documentation/citations regarding why the above selection(s) was made.

Activity Budget Details

8. The drop-down menu includes budget ranges in $500,000 increments. Each budget year is listed as a separate line.

FY 2007 President’s budget request. SSAs use the drop-down choices to select an estimate of the FY 2007 President’s budget request for this activity. If available, SSAs provide specific budget numbers in the text boxes. This information allows DHS to assess the relative interest in the activity, as well as its intended size and scope. DHS developed the drop-down choices based on submissions from previous years.

FY 2007 enacted budget. SSAs use the drop-down choices to select an estimate of the FY 2007 enacted budget for this activity. DHS understands that some entities receive budgets that are not parceled out per program, but would like SSAs to select a best estimate. If available, SSAs provide specific budget numbers in the text boxes. This information allows DHS to determine the general size and scope, as well as the relative priority given to the activity. DHS developed the drop-down choices based on submissions from previous years.

FY 2008 President’s budget request. Please see guidance for Question 8, but provide an estimate for FY 2008.

FY 2008 enacted budget. Please see guidance for Question 8a, but provide an estimate for FY 2008.

FY 2009 President’s budget request. Please see guidance for Question 8, but provide an estimate for FY 2009.

a. Supporting documentation/explanation: SSAs provide a brief explanation or, if possible, supporting documentation/citations of why the above selection(s) was made.

Activity Operational Details

9. Activity status. SSAs select the drop-down option that best categorizes the current status of the activity. Definitions of each stage are below:

Planning: Planning and design of the activity is occurring or has occurred, but implementation is not scheduled to begin until FY 2008.

Implementation: Initial implementation of the activity occurred in FY 2007 or FY 2008.

Execution: Implementation of the activity occurred prior to FY 2007, but objectives will continue to be met throughout FY 2008.

Concluding: The majority of the activity’s objectives have been met and the activity is expected to reach completion in FY 2008.

a. Supporting documentation/explanation: SSAs provide a brief explanation or, if possible, supporting documentation/citations of why the above selection(s) was made.

Additional Information/Comments

10. Additional information/comments. This space is for SSAs to provide additional information or comments on an activity that are not already captured in the above questions.
