Tuesday, December 9, 2008

National Infrastructure Protection Plan Comments – 12-05-08

As I noted in a blog last month (see: “Draft 2009 National Infrastructure Protection Plan”), DHS is doing its required revision of the National Infrastructure Protection Plan (NIPP). With the comment period having closed this last week (12-01-08), we finally see comments posted to the Regulations.Gov web site. Not very many comments, I must say.

The comments were received from:
Becatech
National Association of State Energy Officials
National Association of State Chief Information Officers
Digital Sandbox, Inc
Security Analysis and Risk Management Association

Becatech Comments

Becatech disagrees with the apparent focus on resilience and recovery as opposed to protective security. Becatech is concerned that the potential scale of terrorist attacks on critical infrastructure and key resources (CIKR) will quickly overwhelm the ability of that infrastructure to quickly and adequately recover. Becatech would like to see “DHS revise the NIPP to include the establishment of a framework, timeline, and funding for the mandated deployment of systems of protective security for CIKR”.

National Association of State Energy Officials Comments

NASEO believes that the document contains too many abbreviations and acronyms, which makes it difficult to read and understand. They also find that the draft is more focused on prescriptive measures than previous versions of the NIPP. NASEO would like to see the NIPP take a more ‘All Hazards’ approach, addressing issues beyond just terrorism. They are concerned that the criteria-based Tier1/Tier2 program does not address dynamic systems like the electric power grid and the national pipeline system. NASEO believes that the inclusion of Appendix 1A (Cross-Sector Cyber Security) is too detailed for this document and that other cross-sector security issues like energy could also be included. NASEO would like to see their organization and the National Association of Regulatory Utility Commissioners (NARUC) added to the list of state-level professional associations mentioned in the NIPP.

National Association of State Chief Information Officers Comments

NASCIO would like to see provisions included in the NIPP for clear requirements and procedures for state and local government partners to receive TS and TS-SCI clearances. This would allow for more threat information sharing. NASCIO would also like to see Section 4.2 expanded to include state and local government security personnel in developing the information sharing requirements for a Common Operating Picture.

Digital Sandbox, Inc

Digital Sandbox provides some very technical comments on risk model development and valuing risk components. They express their disappointment that the Terrorist Target Selection Matrix from page 42 of the original NIPP is not included in the draft document.

Security Analysis and Risk Management Association

SARMA provides a number of detailed editorial comments on sections that need clarification or expansion. SARMA notes that section 1.4.2 should include a reference to the DHS/FBI Joint Special Assessment on Potential Terrorist Attack Methods and describe the frequency with which it will be updated. They also recommend that a similar document be prepared describing potential natural or man-made hazards.

My Comments on Comments

I have to admit that I have been unable to get through reading the NIPP draft. I am well used to reading government documents and regulations, but this particular document is boring beyond belief. The words are strung together in the worst example of bureaucratic writing that I have ever seen. I commend the commenters for being able to get through the document, much less comment intelligently on it.
