As the sixth year of the Obama Administration quickly approaches, the White House has issued two high-level homeland security policy documents that are designed to shape the future of programs of the Federal Government. These two documents (in order of release) are the National Strategy for Information Sharing and Safeguarding (NSISS) and the National Infrastructure Protection Plan (NIPP). Neither of these documents has any specific regulatory force, yet both are intended to help shape the direction of a wide range of regulatory programs within the Federal government.
NSISS
This strategy is designed to address the conflict inherent in the twin nature of information. First, information must be shared to have any effect on the real world; second, information that is shared is likely to be released to someone who should not get it. Finding the proper balance between these two aspects of information policy is never easy.
The NSISS starts out with a discussion of the current operating environment in which information collection and sharing takes place. It then establishes three Core Principles that define the Administration’s approach to information sharing (pgs 6-7):
• Information as a National Asset
• Information Sharing and Safeguarding Requires Shared Risk Management
• Information Informs Decisionmaking
With those motherhood and apple pie principles in place, the NSISS outlines five goals in some depth. The listed goals are (pgs 8-13):
• Drive Collective Action through Collaboration and Accountability.
• Improve Information Discovery and Access through Common Standards.
• Optimize Mission Effectiveness through Shared Services and Interoperability.
• Strengthen Information Safeguarding through Structural Reform, Policy, and Technical Solutions.
• Protect Privacy, Civil Rights, and Civil Liberties through Consistency and Compliance.
Finally, the document lists sixteen information sharing objectives, five of which are given the title of Priority Objectives. Those Priority Objectives are (pg 14):
• Align information sharing and safeguarding governance to foster better decisionmaking, performance, accountability, and implementation of the Strategy’s goals.
• Develop guidelines for information sharing and safeguarding agreements to address common requirements, including privacy, civil rights, and civil liberties, while still allowing flexibility to meet mission needs.
• Adopt metadata standards to facilitate federated discovery, access, correlation, and monitoring across Federal networks and security domains.
• Extend and implement the FICAM [Federal Identity, Credential, and Access Management] Roadmap across all security domains.
• Implement removable media policies, processes and controls; provide timely audit capabilities of assets, vulnerabilities, and threats; establish programs, processes and techniques to deter, detect and disrupt insider threats; and share the management of risks, to enhance unclassified and classified information safeguarding efforts.
NIPP
The 2013 NIPP is an update of the 2009 document that I
found negatively stimulating. The newer document reads better, but it still
doesn’t really say much.
It starts out with the standard corporate
vision-mission-goal statement (pg 5):
Vision Statement - A Nation in which physical and cyber critical infrastructure remain secure and resilient, with vulnerabilities reduced, consequences minimized, threats identified and disrupted, and response and recovery hastened.
Mission Statement – Strengthen the security and resilience of the Nation’s critical infrastructure by managing physical and cyber risks through the collaborative and integrated efforts of the critical infrastructure community.
Goals:
• Assess and analyze threats to, vulnerabilities of, and consequences to critical infrastructure to inform risk management activities;
• Secure critical infrastructure against human, physical, and cyber threats through sustainable efforts to reduce risk, while accounting for the costs and benefits of security investments;
• Enhance critical infrastructure resilience by minimizing the adverse consequences of incidents through advance planning and mitigation efforts, as well as effective responses to save lives and ensure the rapid recovery of essential services;
• Share actionable and relevant information across the critical infrastructure community to build awareness and enable risk informed decision making; and
• Promote learning and adaptation during and after exercises and incidents.
There is an interesting, if broadly painted, discussion of the risk environment (pg 8), with a summary of the information provided in Figure 2, a graphic representation of the ‘evolving threats to critical infrastructure’. They are categorized as:
• Extreme weather
• Accidents or technical failures
• Cyber threats
• Acts of terrorism
• Pandemics
Interestingly, there is a wide degree of overlap between the middle three categories that is not mentioned in the NIPP discussion. There is, however, one interesting risk that is tossed off at the end of this discussion and then promptly ignored in the rest of the document: “vulnerabilities may exist as a result of a retiring workforce or lack of skilled labor”. Add in ‘reductions in force’ and you have an interesting topic for a whole series of discussions.
Then it provides a set of motherhood and apple pie statements (this time called ‘Core Tenets’; pgs 13-14) that guide the remaining discussion of critical infrastructure protection:
• Risk should be identified and managed in a coordinated and comprehensive way across the critical infrastructure community to enable the effective allocation of security and resilience resources.
• Understanding and addressing risks from cross-sector dependencies and interdependencies is essential to enhancing critical infrastructure security and resilience.
• Gaining knowledge of infrastructure risk and interdependencies requires information sharing across the critical infrastructure community.
• The partnership approach to critical infrastructure security and resilience recognizes the unique perspectives and comparative advantages of the diverse critical infrastructure community.
• Regional and SLTT partnerships are crucial to developing shared perspectives on gaps and actions to improve critical infrastructure security and resilience.
• Infrastructure critical to the United States transcends national boundaries, requiring cross-border collaboration, mutual assistance, and other cooperative agreements.
• Security and resilience should be considered during the design of assets, systems, and networks.
The NIPP then goes into a lengthy discussion (pgs 15-20) of the iterative risk management framework that weaves together three elements of critical infrastructure: physical, cyber and human. It outlines five steps in the iterative process:
• Set Infrastructure Goals and Objectives
• Identify Infrastructure
• Assess and Analyze Risks
• Implement Risk Management Activities
• Measure Effectiveness
It then goes on to describe 12 separate ‘Calls to Action’ that “will inform and guide efforts identified via the priority-setting and joint planning processes”. They fall into three easily remembered categories:
• Build upon Partnership Efforts
• Innovate in Managing Risk
• Focus on Outcomes
Probably the most useful part of this document is the set of descriptions of the various organizations that have been established to aid in the critical infrastructure coordination process. This is found in Appendix A and includes:
• Sector Coordinating Councils
• Government Coordinating Councils
• Sector-Specific Agencies
• Critical Infrastructure Cross-Sector Council
• Federal Senior Leadership Council (FSLC)
• State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC)
• Regional Consortium Coordinating Council (RC3)
• ISACs
• Critical Infrastructure Partnership Advisory Council
• NICC and NCCIC
• NOC
• NCIJTF
The Real Effect
There is nothing really new or earthshaking here, as one
would expect from policy documents issued at the end of the fifth year of an
Administration. How much effect this will have on future actions by the Federal
government will depend more on who wins control of the Senate next November
than how well the Administration writes regulations reflecting these goals in
the next two years.