The DHS National Protection and Programs Directorate
(NPPD) published a notice in today's Federal Register (79 FR
21780-21782) announcing that, in accordance with §9 of the President's
executive order on Improving Critical Infrastructure Cybersecurity (EO 13636),
it had completed notification of facilities that they have been identified as "critical
infrastructure where a cybersecurity incident could reasonably result in
catastrophic regional or national effects on public health or safety, economic
security, or national security". The notice also outlines the procedure by
which a facility can appeal that designation.
The actual list of designated facilities was submitted to
the President on July 19th of last year. The facilities have been
designated as “cyber-dependent
critical infrastructure” and the list will be reviewed on an annual basis.
Definitions
Today’s notice provides several definitions that are
important to understanding this program. They include:
● Cyber incident; and
The above definitions seem to be IT-system centric.
For example, the 'cyber incident' definition covers events that impair "the
confidentiality, integrity, or availability of electronic information,
information systems, services, or networks". While this does not specifically
exclude control systems, it certainly has to be stretched to include them.
The definition of 'critical infrastructure' is taken
verbatim from §2 of the EO. As I noted in an earlier
blog, that definition would be difficult to apply to any single production
facility, though national distribution networks (pipelines and the electric
grid, for instance) would easily fall within it.
It is strange that NPPD did not use the §9(a) definition
from the EO that expands coverage to facilities with potential catastrophic
regional effects. This is especially true since §9(a) is the section directing
DHS to prepare the list of critical infrastructure. Of course, since the list
will not be publicly available, we will never really know how expansive the
definition is in actual practice.
Listed Facilities
Being listed as a cyber-dependent critical
infrastructure (CDCI) facility does not currently add any regulatory burden,
though adoption of the NIST Cybersecurity Framework (CSF) is encouraged. CDCI
designation does provide facilities with the following perks:
● Ability to request
expedited processing through the DHS Private Sector Clearance Program, which
may provide access to classified government cybersecurity threat information as
appropriate;
● May be prioritized
for routine and incident-driven cyber technical assistance activities offered
by DHS and other agencies; and
● May receive priority
in gaining access to Federal resources and programs to enhance the security and
resilience of critical infrastructure against cybersecurity threats.
Please note all of the permissive 'mays' in the
descriptions. There are no guarantees provided. This is almost certainly due to
the fact that this program is based upon an EO, not legislative authority.
Status
Appeal
The notice also provides instructions on how a
facility can appeal its designation (or lack of designation) as a CDCI. The process for a request
for reconsideration is actually quite simple in concept, if not necessarily
in actual execution. A letter or email is sent
to the Under Secretary for NPPD requesting reconsideration. The request should
include:
● The entity for which
the reconsideration is being requested;
● The name, title,
telephone number and email address of a designated point of contact, whether an
employee or non-employee agent, for the owner or operator of that entity to
whom all communications related to the reconsideration process will be
directed; and
● If desired, a request
for a meeting with DHS representatives.
After DHS confirms receipt of the initial request,
the process becomes less well defined, as it involves the provision of
information by the facility to DHS. That information will be the justification
for why a facility should or should not be on the CDCI list. What the
information might be, and how much information will be necessary, will vary
considerably.
The notice does provide some very specific
requirements for the formatting of information. It should be submitted by email
(with certain exceptions) as a single attachment. It must be:
● Double-spaced;
● In 12-point Times New
Roman for text (or visual material);
● Have 1" margins; and
● Have page numbers.
The notice specifically reminds submitters that the
information provided may constitute Protected Critical Infrastructure
Information (PCII) and provides a list of references about that program.
Information submitted with a request for PCII protection (the request must come from the submitter) must be protected against
disclosure by the Federal government and by anyone with whom it shares that
information.
Anyone that submits information for this
reconsideration process should become familiar with the PCII program as outlined
in 6 CFR Part 29 and the PCII Program Procedures Manual (additional information can be found here).
The single most important thing to remember is that information to be protected under
the PCII program must be so designated (in a very prescribed manner; see §29.5(a)(3))
when it is submitted. If that is not done, the information is not required to
be protected under the program.
The notice also reminds personnel
submitting classified information that such information cannot be submitted by
email.
Deadline
Facilities or organizations wishing to request
reconsideration must have their initial request submitted to NPPD by May 15th,
2014. Requests received after that date will not result in reconsideration, but
may be added to the consideration process in the preparation of the next annual
CDCI list.
Once NPPD notifies a facility that its request was
received, the facility will have 60 days to submit supporting information.
1 comment:
Any thoughts on what sectors (and representative companies) make up the greatest representation?