Homeland Security
UNCLASSIFIED
Executive Order 13636 / Presidential Policy Directive (PPD)-21
Implementing the Presidential Executive Order (EO) on Cybersecurity and the Critical Infrastructure Presidential Policy Directive (PPD) with public and private stakeholders
Eric Chapman, Office of Maritime Security Response Policy
Brett Rouzer, CG Cyber Command
LCDR Ulysses Mullins, Office of Port & Facility Compliance
Cyber EO/PPD-21: Background
• Cyber EO and PPD-21 signed on February 12, 2013
• Sector Specific Agencies to collaborate with industry to identify critical infrastructure where a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, economic security, or national security
• National Institute of Standards & Technology to develop a voluntary framework for cybersecurity resilience
• PPD-21 revokes HSPD-7 & establishes an all-hazards approach to ensuring security & resilience
• Multiple deliverables derived from the PPD/EO, with varying deadlines over the next year
Cyber EO/PPD-21: Integrated Cyber-Physical Security
• Executive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to:
  – Develop a technology-neutral voluntary cybersecurity framework
  – Promote and incentivize the adoption of cybersecurity practices
  – Increase the volume, timeliness and quality of cyber threat information sharing
  – Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
  – Explore the use of existing regulation to promote cybersecurity
• Presidential Policy Directive-21: Critical Infrastructure Security and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to:
  – Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
  – Understand the cascading consequences of infrastructure failures
  – Evaluate and mature the public-private partnership
  – Update the National Infrastructure Protection Plan
  – Develop a comprehensive research and development plan
Cyber EO/PPD-21: Deliverables

Due dates are counted in days from the February 12, 2013 signing. SSAs: Sector Specific Agencies; Ds and As: departments and agencies; ITF: DHS Integrated Task Force (working group in parentheses).

| Deliverable | Source | Due Date | Lead | Coordination | DHS Lead |
|---|---|---|---|---|---|
| Consultative process for engaging CI partners | EO 6 | Unspecified | DHS | SSAs | ITF (Stakeholder Engagement) |
| Cybersecurity voluntary program incentive reports | EO 8(d) | 120 days (6/12/2013) | DHS, Treasury, Commerce | DHS | ITF (Incentives) |
| Feasibility of cybersecurity standards in acquisition planning and contract administration | EO 8(e) | 120 days (6/12/2013) | DOD, GSA | DHS, Federal Acquisition Regulatory Council | USM |
| Instructions on timely production of unclassified cyber threat information | EO 4(a) | 120 days (6/12/2013) | DHS and DNI | | NPPD/I&A |
| Process for rapidly disseminating unclassified threat information | EO 4(b) | Unspecified | DHS and DOJ | DNI | NPPD/I&A |
| Description of CISR functional relationships | PPD 1 | 120 days (6/12/2013) | DHS | SSAs, relevant Ds and As | ITF (Planning and Evaluation) |
| Expand Enhanced Cybersecurity Services to all CI sectors | EO 4(c) | 120 days (6/12/2013) | DHS | | NPPD |
Cyber EO/PPD-21: Deliverables (continued)

| Deliverable | Source | Due Date | Lead | Coordination | DHS Lead |
|---|---|---|---|---|---|
| Identification of CI at greatest risk | EO 9 | 150 days (7/12/2013) | DHS | SSAs | ITF (Risk Identification) |
| Evaluation of the public-private partnership model | PPD 2 | 150 days (7/12/2013) | DHS | SSAs, relevant Ds and As | ITF (Planning and Evaluation) |
| Process of notifying CI owners of status on the list | EO 9 | Unspecified (150 days or later; after 7/12/2013) | DHS | SSAs | ITF (Risk Identification) |
| Baseline system and data for information exchange | PPD 3 | 180 days (8/11/2013) | DHS | SSAs, relevant Ds and As | ITF (Situational Awareness and Info Exchange) |
| Provision of technical assistance to regulatory Ds and As for cybersecurity | EO 10 | Unspecified | DHS | Ds and As with regulatory authority | NPPD |
| Expedite processing of security clearances | EO 4(d) | Unspecified | DHS | | NPPD/USM |
| Private sector SMEs / Federal service program | EO 4(e) | Unspecified | DHS | | PSO |
Cyber EO/PPD-21: Deliverables (continued)

| Deliverable | Source | Due Date | Lead | Coordination | DHS Lead |
|---|---|---|---|---|---|
| Situational awareness capability for critical infrastructure | PPD 4 | 240 days (10/10/2013) | DHS | | ITF (Situational Awareness and Info Exchange) |
| Update to the NIPP | PPD 5 | 240 days (10/10/2013) | DHS | SSAs, relevant Ds and As; SLTT; O/Os | ITF (Planning and Evaluation) |
| Cybersecurity Framework (draft) | EO 7 | 240 days (10/10/2013) | NIST | DHS, NSA, SSAs, OMB | ITF (Framework Collaboration) |
| Report on applicability of Cybersecurity Framework to regulations | EO 10(a) | 240 days + 90 days (10/10/2013 to 1/8/2014) | Ds and As with regulatory authority | DHS, OMB, NSS | TBD |
| Cybersecurity Framework (final) | EO 7 | 365 days (2/12/2014) | NIST | DHS, NSA, SSAs, OMB | ITF (Framework Collaboration) |
| Report on privacy and civil rights and civil liberties risks associated with cybersecurity enhancements | EO 5(b) | 365 days (2/12/2014) | DHS | Other Ds and As / Privacy and Civil Liberties Oversight Board / OMB | Privacy and CR/CL |
Cyber EO/PPD-21: Integrated Task Force (ITF)
• DHS established the ITF to lead implementation of E.O. 13636 & PPD-21
• Coordinates interagency, public & private sector efforts to ensure effective integration & synchronization of EO & PPD requirements across the homeland security enterprise
• Establishes & manages 9 working groups to accomplish specific deliverables
• ITF Director & Deputy Director report to the Deputy Secretary Executive Steering Committee
• Expected to work for an estimated nine months to meet the E.O. & PPD implementation timeline
• Long-term EO and PPD work then stays with the responsible DHS program offices
• Engages partners and stakeholders to develop products
Cyber EO/PPD-21: Working Groups

| ITF Working Group | Task | Deliverable(s) |
|---|---|---|
| Stakeholder Engagement | Coordinate outreach to stakeholders (including critical infrastructure owner-operator communities and SLTTs) throughout implementation. | Consultative process for engaging stakeholders |
| Cyber-Dependent Infrastructure Identification | Identify critical infrastructure where a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, economic security, or national security, & evaluate how best to enhance the ongoing prioritization process for all critical infrastructure. | Identification of CI at greatest risk; process of notifying CI owners of status on the list |
| Planning and Evaluation | Lead the effort to evaluate the existing public-private critical infrastructure partnership model & its functionality for physical & cyber security. Update the National Infrastructure Protection Plan (NIPP), in coordination with Sector Specific Agencies & other CI partners. | Evaluation of the public-private partnership model; update of the NIPP |
| Situational Awareness and Information Exchange | Identify & map existing CI security & resilience functional relationships across the Federal Government. Identify baseline data & systems requirements for the Federal Government. Develop a situational awareness capability for CI. Identify mechanisms to improve effective information sharing. | Description of CISR functional relationships; baseline system & data for information exchange; situational awareness capability for critical infrastructure |
Cyber EO/PPD-21: Working Groups (continued)

| ITF Working Group | Task | Deliverable(s) |
|---|---|---|
| Incentives | Lead the study of incentives for voluntary participation in the CI cybersecurity program. Contribute to developing recommendations on the feasibility, security benefits & relative merits of incorporating security standards into acquisition planning & contract administration. | Cybersecurity voluntary program incentive reports |
| Framework Collaboration (with NIST) | Work with the National Institute of Standards & Technology to develop, evaluate & disseminate the cybersecurity framework. Encourage adoption by CI owners & operators, to include adoption of cybersecurity performance goals. | Cybersecurity Framework; report on applicability of the Cybersecurity Framework to regulations; performance goals |
| Assessments: Privacy and Civil Rights and Civil Liberties | Coordinate with privacy & civil rights & civil liberties representatives across agencies & assess privacy & CRCL impacts of EO/PPD deliverables. | Report on privacy and civil rights and civil liberties risks associated with cybersecurity enhancements |
| Research and Development | Lead all research & development-related tasks in the EO/PPD. | CISR R&D plan |
| Cyber Threat Information Sharing | Develop instructions to ensure timely production of unclassified reports of cyber threats to specific targets. Establish a process that rapidly disseminates unclassified cybersecurity information reports to targeted CIKR & disseminates classified cybersecurity reports to authorized CIKR. | Unclassified cyber threat report production instruction; unclassified/classified cybersecurity information dissemination process |
Transportation Sector Specific Agencies
[Diagram: Transportation Sector All-Hazards Risk Management. Collaboration across the modes Maritime, Aviation, Highway, Freight/Rail, Mass Transit and Pipeline, through the Government Coordinating Councils (GCCs) and, via CIPAC, the Sector Coordinating Councils (SCCs).]
CYBER EO/PPD-21: TSSCWG
Transportation Systems Sector Cyber Working Group
• Transportation SSA (DOT/TSA/USCG)
• Meets with ITF and working group leads to address sector-specific issues
• Participates in and contributes to the 9 working groups
• Engages & collaborates with stakeholders through CIPAC
• Needs maritime sector industry representation
CYBER EO/PPD-21: Maritime Industry
How does industry contribute to the process?
• Feedback to working groups
• Participation in the TSSCWG via CIPAC
• Proactive engagement through review of current cyber practices and governance:
  • DHS Cyber Security Evaluation Tool (CSET)
  • DHS on-site assessment by the Control Systems Security Program
  • ICS-CERT (http://ics-cert.us-cert.gov)
• Visit the USCG Maritime Security-Cybersecurity page on Homeport; register to receive page update notifications
• Voluntary adoption of the framework when developed
• Continuous feedback
CYBER EO/PPD-21: Maritime Industry
NIST REQUEST FOR INFORMATION (APRIL 2013)
• Current risk management process
• Use of frameworks, standards, guidelines and best practices
• Specific industry practices
• Public workshop on April 3, 2013
• Submit comments by April 8, 2013
CYBER EO/PPD-21: Maritime Industry
CRITICAL INFRASTRUCTURE IDENTIFICATION (APRIL 2013)
SESSION 1:
• Determine critical functions that encompass the full set of processes that produce, provide, and maintain a sector's products and services
• Examine supporting value chain(s) that include the general sequence of events for providing a sector's critical function
• Identify cyber critical infrastructure that supports value chain activities, including business systems, control systems, and specialty systems, to support identification of sector cyber-dependent critical infrastructure
SESSION 2:
• Discuss and confirm the identification criteria that will be used to determine the sector's cyber-dependent critical infrastructure
CYBER EO/PPD-21: What Now?
What do we need from industry?
• Participation in the EO/PPD implementation
• Participants who can respond to supply chain impacts from a cyber incident:
  • Decision makers
  • People who understand the interface between operations & information technology
• Rapid response to short-fused tasks & reviews of working group products
• Initial participation will be informing the identification of cyber-dependent critical infrastructure (CI) & framework development
CYBER EO/PPD-21
QUESTIONS?
Eric Chapman – [email protected]
Brett Rouzer – [email protected]
Ulysses Mullins – [email protected]