2014 Sector-Specific Plan
Guidance Guide for Developing a Sector-Specific Plan
under NIPP 2013
August 2014
2014 Sector-Specific Plan Guidance ii
How to Use this Guidance
This page provides a roadmap to assist critical infrastructure partners in navigating and using the
2014 Sector-Specific Plan (SSP) Guidance. This guidance document is intended as a comprehensive
resource of information for partners to use in their sector planning and SSP development efforts.
The other sections of this document provide additional guidelines that partners may find useful for
SSP development and/or sector planning purposes. The following provides a brief description of
each section of this Guidance and how to use it.
Section 1 provides an Overview of the guidance and how it was developed.
Section 2 contains an Annotated Outline for the 2014 SSPs. The sectors are encouraged to
follow similar outlines in their SSPs to ensure coverage of the elements identified in NIPP
2013 and support uniformity across the plans.
Section 2 also provides a Table Template that sectors should use in their SSPs to show
how sector priorities align with national goals and priorities.
Section 3 presents additional Considerations for the Sector Planning Process that the
sectors may wish to use as part of their overall sector planning efforts. Each sector will
decide whether any or all of these considerations are included in their SSP based on the
unique risk and operating landscape of the sector.
The Appendix contains various Reference Materials to inform SSP development,
including:
o Key definitions;
o Sample language on the purpose of the SSPs; and
o National-level goals, priorities, and activities; with tables and graphics showing how
they map to each other and the sector-level goals, priorities, and activities.
Section 2 represents the core of this guidance document. Sector-Specific Agencies (SSAs) and
sector councils should focus on the annotated outline in section 2 to ensure that their SSPs
address the required elements described in Call to Action #2 in NIPP 2013.
Table of Contents
1. Overview .... 1
2. Annotated Outline for the 2014 Sector-Specific Plans .... 2
3. Considerations for the Sector Planning Process .... 9
   Supporting the NIPP Call to Action .... 9
   Mitigating Current and Long-Term Trends .... 9
   Sharing and Protecting Information .... 9
   Assessing Critical Infrastructure Risk .... 10
   Measuring Effectiveness (CtA 11) .... 10
   Learning and Adapting (CtA 9, 12; JNP) .... 10
Appendix: Reference Materials .... 11
   Lexicon of Common Terms .... 11
   NIPP Goals .... 12
   Joint National Priorities [DRAFT] .... 12
   NIPP Call to Action .... 13
   NIST Cybersecurity Framework Performance Goals .... 17
   Alignment of NIPP 2013 Goals with Call to Action, Joint National Priorities, and Cybersecurity Framework .... 18
   Explanation of SSP Planning Elements .... 24
   Proposed Language for SSP Introduction .... 25
1. Overview
The 2014 Sector-Specific Plans (SSPs) are intended to tailor the strategic guidance provided in the updated
National Infrastructure Protection Plan, NIPP 2013: Partnering for Critical Infrastructure Security and Resilience
(hereafter NIPP 2013), to the unique risk and operating environment of each critical infrastructure sector.
The SSPs serve as planning tools for the Sector-Specific Agencies (SSAs), critical infrastructure owners and
operators, and their sector partners at the regional, State, local, tribal, and territorial levels, to guide and
integrate sector efforts to secure and strengthen the resilience of critical infrastructure. An SSP should
identify the sector’s security and resilience priorities and describe its approach to managing critical
infrastructure risk. It should build upon previous sector efforts, such as the 2010 SSPs, and other strategic
plans and roadmaps. It is not intended as a replacement for company-specific planning documents or risk
management processes. The SSP serves as an outreach tool for sector partners, and should be as clear and
concise as possible.
DHS is providing this guidance to assist SSAs and Government and Sector Coordinating Councils in their
sector planning and SSP development efforts. The guidance was developed collaboratively by an SSP
working group, which worked as part of the overall NIPP Implementation Working Group, composed of
representatives of SSAs and cross-sector councils. The working group sought to provide flexibility to each
sector to develop a plan that reflects their needs, while also providing a common structure that is
comparable across all SSPs. This approach resulted in the development of an Annotated Outline, which provides
a basic structure for the key topics that SSPs should cover, and Considerations for the Sector Planning Process, which
identify additional topics and issues that each sector may wish to address, as appropriate to their situation.
The Annotated Outline provides general guidance for each chapter of the SSP. The breakdown within each
section (a, b, c, etc.) provides a suggested structure and may be modified to suit each sector’s needs. In
addition, the length of the SSP will be determined by each sector. Some sectors may prefer a shorter
“business plan” approach that focuses on the sector’s priorities and builds on previous sector planning
efforts. Other sectors may choose to have a longer plan that provides more complete descriptions of sector
assets, risks, and risk management processes to provide a better context for their priorities.
However, each SSP must address the requirements of Call to Action #2 in NIPP 2013, including how the
sector will contribute to advancing the Joint National Priorities and achieving the NIPP goals.
For consistency, the SSPs should follow the same terminology used in NIPP 2013, which focuses on
priorities instead of objectives. Priorities are used to identify the most important actions that the sector will
pursue with limited resources. However, it is recognized that objectives are widely used in business and
some sectors may choose to include them in the SSP, in addition to the priorities.
This guidance document also contains reference materials from NIPP 2013 and other sources that will help
inform sector planning and SSP development. These include a lexicon of common terms; the NIPP Goals
and Call to Action; the Joint National Priorities; the Cybersecurity Framework Performance Goals required
by Executive Order 13636; and tables showing how all of these elements relate to one another.
2. Annotated Outline for the 2014 Sector-Specific Plans
The outline below offers guidance on the content of each chapter. Where appropriate, the relevant NIPP
Call to Action that corresponds to that section is noted by (CtA).
1. Executive Summary
The Executive Summary should highlight the key elements of the SSP, focusing on the sector’s
priorities and risk management approach, and describe how progress will be measured. It need not
summarize every section of the SSP.
2. Introduction
The Introduction should briefly explain the purpose of the SSP and its relationship to NIPP 2013,
PPD-21, E.O. 13636, and other strategic drivers relevant to the sector. It may also include a brief
summary of key changes from the 2010 SSP or how the sector has evolved. Sample language for
this section is provided in the Reference Materials.
3. Sector Overview
The Sector Overview should provide an updated description of the sector. The chapter should
include:
a. Sector Profile
An overview of the composition of the sector and any subsectors – to include characteristics
of sector critical infrastructure, relevant operating factors, and a general overview of owners
and operators within the sector.
b. Sector Risks
High-level overview of the current and emerging all-hazard physical and cyber risk
landscape that the sector faces, and the key trends that are shaping the sector’s approach to
managing risk. Note: Do not include classified or sensitive information about risk unless the
sector plans to issue a classified or FOUO annex.
c. Critical Infrastructure Partners
Description of the partnership structures and coordinating mechanisms in place to execute
risk management strategies, share information, and collaborate across the sector. Identify
activities that the sector pursues to leverage partnership efforts (CtA #1-4).
Description of the relevant roles and responsibilities of sector partners.
4. Vision, Mission, Goals, and Priorities
This chapter should articulate the sector’s vision, mission, goals, and priorities developed
collaboratively with sector partners, based on the five NIPP goals and the National Priorities
developed jointly across the partnership (the Joint National Priorities). It should explain how the
national goals and priorities relate to the sector, and how the sector priorities will accomplish or
advance them.
The chapter should include:
a. Vision
b. Mission
c. Goals
d. Priorities
Describe the most important focus areas the sector will pursue over the next four years that
contribute to achieving the NIPP goals and advancing the Call to Action and Joint National
Priorities. These are the sector priorities, which should help guide sector security and
resilience efforts, inform partner decisions, reflect actionable activities that partners will
pursue to enhance security and resilience, and improve risk management practices, taking
into consideration the unique risk management perspectives and resources of the sector.
Include tables that crosswalk the sector priorities to the Joint National Priorities and NIPP
Goals and Call to Action (see Crosswalk Tables at the end of the Annotated Outline).
5. Achieving Sector Goals
This chapter should provide a concise description of how the sector plans to make progress toward
its identified sector goals and contribute to achieving the NIPP goals. This description should map
to the appropriate national and sector priorities, as well as the relevant Call to Action activities.
a. Risk Management
Description of the processes and approaches used by sector partners to manage physical and
cyber risks. Identify any innovative strategies the sector employs to manage risks, including
information-sharing strategies and mechanisms (CtA #4-10).
Description of sector reliance on the lifeline functions1 and strategies to mitigate
consequences from the loss of those functions, including potential cascading effects (CtA
#2, 6, 7).
The sector’s current and planned cybersecurity efforts, including use of the Cybersecurity
Framework and the sector’s approach for:
1. Promoting and facilitating its use (CtA #4,5,6)
2. Implementing initiatives for cybersecurity information sharing (CtA #5,6)
What are the sector’s research and development (R&D) priorities and how are associated
R&D requirements collected from sector partners? (CtA #10)
b. Critical Infrastructure and National Preparedness
Sector approaches for integrating critical infrastructure security and resilience activities with
national preparedness efforts under PPD-8 (prevention, protection, mitigation, response,
and recovery activities); in particular, sector plans and processes for transitioning from
steady state to response and recovery operations2 (CtA #2,7,8).
1 NIPP 2013 identifies certain lifeline functions that are essential to the operation of most critical infrastructure sectors. These lifeline functions include communications, energy, transportation, and water.
6. Measuring Effectiveness (CtA #11)
This chapter should describe current and planned security and resilience activities in the sector, and
explain the ways in which partners measure the effectiveness of those activities and how they
contribute to achieving national and sector goals.
a. Sector Activities
Description of the activities the sector will pursue to advance critical infrastructure security
and resilience, and how those activities align to the NIPP, sector, and NIST Cybersecurity
Framework performance goals.
b. Measurement Approach
Explanation of how sector partners will measure the effectiveness of the identified activities,
and how the activities contribute to the achievement of the NIPP, sector, and NIST
Cybersecurity Framework performance goals.
7. Appendices (as appropriate)
Appendices may be used by each sector as necessary or appropriate. In past SSPs, appendices have
been used to provide more thorough explanations of specific topics (sector description, partners,
interdependencies, current sector programs, etc.). This approach can help shorten the length of the
main body of the SSP and improve readability.
Crosswalk Tables
The following table templates can be used to show how each sector’s priorities align with the NIPP goals
and Call to Action and the Joint National Priorities. All sectors are encouraged to use these tables in their
SSP.
2 For more information, see the National Preparedness Goal (2011), the National Response Framework and its Critical Infrastructure Support Annex (2013), and the National Disaster Recovery Framework (2011) at www.fema.gov.
Contribution of Sector Priorities to Joint National Priorities and NIPP Goals

| NIPP Goals | Joint National Priority (DRAFT): Strengthen the Management of Cyber and Physical Risks to Critical Infrastructure | Joint National Priority (DRAFT): Build Capabilities and Coordination for Enhanced Incident Response and Recovery | Joint National Priority (DRAFT): Strengthen Collaboration Across Sectors, Jurisdictions, & Disciplines | Joint National Priority (DRAFT): Enhance Effectiveness in Resilience Decisionmaking | Joint National Priority (DRAFT): Share Information to Improve Prevention, Protection, Mitigation, Response, and Recovery Activities |
|---|---|---|---|---|---|
| Assess and analyze risks to critical infrastructure (T, V, C) to inform risk management activities. | Title of Sector Priority 1 | | | | |
| Secure critical infrastructure against physical, cyber, and human threats through sustainable risk reduction efforts, while considering costs and benefits. | Title of Sector Priority 2 | | | | |
| Enhance critical infrastructure resilience by minimizing consequences and employing effective response and recovery. | | | | | |
| Share information across the critical infrastructure community to build awareness and enable risk-informed decisionmaking. | | | | | |
| Promote learning and adaptation during and after incidents and exercises. | | | | | |
Instructions
1. Place the title of each sector priority in the appropriate cell in the table above so that it aligns with the appropriate NIPP goals and Joint National
Priorities.
2. Note that a sector priority may contribute to more than one NIPP goal and/or more than one Joint National Priority. If this is the case, place the
name of the sector priority in each appropriate cell.
Contribution of Sector Priorities to NIPP Call to Action

| Call to Action Activities | Sector Priority 1 | Sector Priority 2 | Sector Priority 3 | Sector Priority 4 | Sector Priority 5 | Sector Priority 6 | Sector Priority 7 | Sector Priority 8 |
|---|---|---|---|---|---|---|---|---|
| 1. Set national focus through jointly developed priorities. | | | | | | | | |
| 2. Determine collective actions through joint planning efforts. | | | | | | | | |
| 3. Empower local and regional partnerships to build capacity nationally. | | | | | | | | |
| 4. Leverage incentives to advance security and resilience. | | | | | | | | |
| 5. Enable risk-informed decisionmaking through enhanced situational awareness. | | | | | | | | |
| 6. Analyze infrastructure dependencies, interdependencies, and associated cascading effects. | | | | | | | | |
| 7. Identify, assess, and respond to unanticipated infrastructure cascading effects during and following incidents. | | | | | | | | |
| 8. Promote infrastructure, community, and regional recovery following incidents. | | | | | | | | |
| 9. Strengthen coordinated development and delivery of technical assistance, training, and education. | | | | | | | | |
| 10. Improve critical infrastructure security and resilience by advancing R&D solutions. | | | | | | | | |
| 11. Evaluate progress toward the achievement of goals. | | | | | | | | |
| 12. Learn and adapt during and after exercises and incidents. | | | | | | | | |
Instructions
1. Place the name of each sector priority in a column heading, as appropriate (number will vary by sector; adjust number of columns as
appropriate).
2. Place a check mark in each cell in which a sector priority aligns and contributes to a Call to Action activity.
3. Note that a sector priority may contribute to more than one Call to Action, and a Call to Action may be aligned with more than one sector
priority.
3. Considerations for the Sector Planning Process
This section presents additional topics and issues that sectors may consider as part of the overall sector
planning process. It is not intended to be an exhaustive list or to increase the length or coverage of any SSP
beyond its intended use. These items may or may not be addressed in the SSPs, at the discretion of each
sector. References to relevant Call to Action activities that correspond to each consideration are noted by
(CtA); considerations that reflect Joint National Priorities are noted as (JNP). As part of implementing
Presidential Policy Directive 21 (PPD-21), the joint Evaluation & Planning Workgroup was charged with
collaboratively developing an update to the existing NIPP. During the development process, the working
group endeavored to keep the updated plan at a higher, more strategic level, and deferred more detailed or
tactical information to the 2014 SSPs. Sectors are encouraged to keep this in mind as they develop the SSPs
and provide more in-depth information on topics as they relate to the sector. This approach will assist the
critical infrastructure community in satisfying the requirements of PPD-21 through both the NIPP and SSPs.
Supporting the NIPP Call to Action
How is the sector addressing the applicable Call to Action activities? (See the Appendix for a full
listing of the NIPP Call to Action.)
Mitigating Current and Long-Term Trends
What activities has the sector undertaken (or will undertake in the future) to mitigate ongoing
natural and human-caused risks to physical and cyber infrastructure?
How is the sector mitigating the following trends3, as applicable?
o Climate change
o Aging infrastructure and infrastructure failures
o Positioning, navigation, and timing service dependencies
o “Internet of things”
o Other trends
Sharing and Protecting Information
What are the sector’s information-sharing requirements? Is sector information organized in any
common “taxonomy”?
What sector information-sharing structures, activities, and processes are used to enhance situational
awareness and inform risk management decisions? (CtA 5, JNP)
Do sectors have Information Sharing and Analysis Centers (ISACs) or other information-sharing
and analysis organizations? If so, what processes are used to exchange information with these
entities?
How do sector processes support sharing information on cyber and physical risks with public and
private sector partners in steady state and during incident response? Does the sector have defined
information flows?
3 Critical Infrastructure Strategic Environment, Draft White Paper; U.S. Department of Homeland Security, Office of Infrastructure Protection, April 25, 2014.
How do sector information-sharing processes aim to build stronger best practices, a clearer
understanding of sector dependencies and interdependencies, and a trusted environment that
facilitates multidirectional information exchange?
How does the sector safeguard critical infrastructure information and protect privacy and civil
liberties?
Assessing Critical Infrastructure Risk
How does the sector assess sector-wide risk? If a sector-wide risk assessment has not been done,
what are the plans for conducting/supporting one in the future?
How does the sector use risk assessment results to inform the prioritization of sector risk
management activities and/or influence resource/budget decisions?
How do sector risk assessments align with and support the Strategic National Risk Assessment and
the Threat and Hazard Identification and Risk Assessment (THIRA) process?
Measuring Effectiveness (CtA 11)
How do SSAs evaluate the effectiveness of security and resilience activities at different levels within
their sector (i.e., national, State, local, and regional)? Do they employ quantitative measures of
progress, qualitative descriptions of sector accomplishments, or both?
What is the SSA’s process for capturing sector activities and outcomes to support annual reporting
on national security and resilience progress? Note: This may include the information collected by
the SSA and a description of data collection limitations in the sector.
Does the sector collaborate (or plan to collaborate) with other sectors to better understand cross-
sector dependencies, interdependencies, and/or gaps?
Do existing sector metrics assess the availability, reliability, resilience, and integrity of essential
services? If not, does the sector plan to develop such metrics?
Learning and Adapting (CtA 9, 12; JNP)
How does the sector involve partners in the design, development, and/or execution of exercises
incorporating critical infrastructure considerations?
What are the sector’s procedures for after-action reporting (from incidents and exercises), tracking
and implementing associated corrective actions, and incorporating lessons learned and best
practices into training and technical assistance programs, and future planning and decisionmaking?
Appendix: Reference Materials
The following set of reference materials provides context and background to inform sector planning and
SSP development. This section includes the following:
Lexicon of Common Terms
NIPP Goals
Joint National Priorities [DRAFT]
NIPP Call to Action
NIST Cybersecurity Framework Performance Goals
Alignment of NIPP Goals with Call to Action, Joint National Priorities, and the Cybersecurity
Framework
Explanation of SSP Planning Elements
Proposed Language for SSP Introduction
Lexicon of Common Terms
Please refer to the NIPP 2013 Glossary for the most up-to-date definitions of terms related to the critical
infrastructure security and resilience mission. Some of the definitions remain unchanged from the 2009
NIPP, but others were added or updated to reflect the evolution from 2009 to 2013. The source of each
definition is provided in parentheses following the definition.
A few key definitions from the NIPP 2013 Glossary are listed below for convenience:
All Hazards. The term “all hazards” means a threat or an incident, natural or manmade, that warrants
action to protect life, property, the environment, and public health or safety, and to minimize disruptions
of government, social, or economic activities. It includes natural disasters, cyber incidents, industrial
accidents, pandemics, acts of terrorism, sabotage, and destructive criminal activity targeting critical
infrastructure. (PPD-21, 2013)
Critical Infrastructure Community. Critical infrastructure owners and operators, both public and private;
Federal departments and agencies; regional entities; State, local, tribal, and territorial (SLTT) governments;
and other organizations from the private and nonprofit sectors with a role in securing and strengthening
the resilience of the Nation’s critical infrastructure, and/or promoting practices and ideas for doing so.
(NIPP 2013: Partnering for Critical Infrastructure Security and Resilience)
Critical Infrastructure Partners. Those Federal and SLTT governmental entities; public and private sector
owners and operators and representative organizations, regional organizations and coalitions, academic and
professional entities, and certain not-for-profit and private volunteer organizations that share responsibility
for securing and strengthening the resilience of the Nation’s critical infrastructure. (Adapted from the 2009
NIPP)
National Preparedness. The actions taken to plan, organize, equip, train, and exercise to build and sustain
the capabilities necessary to prevent, protect against, mitigate the effects of, respond to, and recover from
those threats that pose the greatest risk to the security of the Nation. (PPD-8, 2011)
Regional. Entities and interests spanning geographic areas ranging from large multi-State areas to
metropolitan areas and varying by organizational structure and key initiatives, yet fostering engagement
and collaboration between critical infrastructure owners and operators, government, and other key
stakeholders within the given location. (Regional Partnerships: Enabling Regional Critical Infrastructure Resilience, RC3,
March 2011)
Risk. The potential for an unwanted outcome resulting from an incident, event, or occurrence, as
determined by its likelihood and the associated consequences. (DHS Lexicon, 2010)
Stakeholder. The NIPP does not define the word “stakeholder,” but to understand the distinction between
partners and stakeholders, it is useful to refer to the definitions of Critical Infrastructure Partners and
Critical Infrastructure Community above. Partners share responsibility for strengthening critical
infrastructure security and resilience, while stakeholders may play a role in strengthening critical
infrastructure security and resilience, and/or promoting practices and ideas for doing so. In addition,
stakeholders may simply have an interest in critical infrastructure security and resilience, based on their
involvement in related disciplines or activities. For example, Congress, the White House, and the
Government Accountability Office are all critical infrastructure stakeholders.
NIPP Goals
NIPP 2013 presents the following goals:
1. Assess and analyze threats to, vulnerabilities of, and consequences to critical infrastructure to
inform risk management activities.
2. Secure critical infrastructure against human, physical, and cyber threats through sustainable efforts
to reduce risk, while accounting for the costs and benefits of security investments.
3. Enhance critical infrastructure resilience by minimizing the adverse consequences of incidents
through advance planning and mitigation efforts, and employing effective responses to save lives
and ensure the rapid recovery of essential services.
4. Share actionable and relevant information across the critical infrastructure community to build
awareness and enable risk-informed decisionmaking.
5. Promote learning and adaptation during and after exercises and incidents.
These five goals are mapped below to the Call to Action, Joint National Priorities, and the NIST
Cybersecurity Framework Performance Goals.
Joint National Priorities [DRAFT]
The critical infrastructure community developed and approved the following draft Joint National Priorities:
Strengthen the management of cyber and physical risks to critical infrastructure
Build capabilities and coordination for enhanced incident response and recovery
Strengthen collaboration across sectors, jurisdictions, and disciplines
Enhance effectiveness in resilience decisionmaking
Share information to improve prevention, protection, mitigation, response, and recovery activities
NIPP Call to Action
1. Set National Focus through Jointly Developed Priorities
Jointly establish a set of national critical infrastructure security and resilience priorities to support
Federal resource allocation, as well as planning and evaluation, at all levels in the national
partnership.
Review and validate the national priorities on an annual basis, and update them on a regular cycle
timed to inform Federal budget development and SLTT grant programs.
2. Determine Collective Actions through Joint Planning Efforts
All sectors will update their Sector-Specific Plans (SSPs) to support NIPP 2013, and every four years
thereafter, based on guidance developed by DHS in collaboration with the SSAs and cross-sector
councils. The SSPs will:
o Reflect joint priorities.
o Address sector reliance on lifeline functions and include strategies to mitigate consequences
from the loss of those functions, including potential cascading effects.
o Describe approaches to integrating critical infrastructure and national preparedness efforts; in
particular, transitioning from steady state to incident response and recovery via the National
Response Framework’s Emergency Support Functions (ESFs) and the National Disaster
Recovery Framework’s Recovery Support Functions (RSFs).
o Describe current and planned cybersecurity efforts, including, but not limited to, use of the
Cybersecurity Framework, cybersecurity information-sharing initiatives, programmatic
activities, risk assessments, exercises, incident response and recovery efforts, and metrics.
o Guide development of appropriate metrics and targets to measure progress toward the national
goals and priorities, as well as other sector-specific priorities.
As appropriate, SLTT and regional entities can develop supporting plans to NIPP 2013 and the
updated SSPs, whether cross-sector or by individual sector, that articulate shared priorities and
activities at those levels. The State, Local, Tribal, and Territorial Government Coordinating Council
(SLTTGCC) will collaborate with partners to provide guidance for such plans.
The Federal government will work with the critical infrastructure community to provide updated
guidance on cyber incident response.
3. Empower Local and Regional Partnerships to Build Capacity Nationally
Identify existing local and regional partnerships addressing critical infrastructure security and
resilience, their focus and alignment with national partnership structures, and how to engage with
them. Leverage State and major urban area fusion centers to engage with local and regional
partners.
Expand a national network of critical infrastructure and SLTT partnerships and coalitions to
complement and enhance the national-level focus on sectors, while remaining cognizant of varying
legal structures in different jurisdictions and organizations.
Employ the THIRA process as a method to integrate human, physical, and cyber elements of critical
infrastructure risk management. Using the existing process will facilitate better coordination of
planning, resource allocation, and evaluation of progress by State and local governments, as well as
local infrastructure owners and operators.
Develop and advance a joint set of regional preparedness projects demonstrating the integrated
application of critical infrastructure risk management and planning. This will involve Federal
agencies responsible for implementing PPD-8 and PPD-21 working collaboratively with states,
metropolitan areas, rural communities, and regional coalitions.
4. Leverage Incentives to Advance Security and Resilience
Continue to identify, analyze, and where appropriate, implement incentives.
Support research and data gathering to quantify the potential costs imposed by a lack of critical
infrastructure security and resilience, and inadequate cyber preparedness.
Establish innovation challenge programs to incentivize new solutions to strengthen infrastructure
security and resilience during infrastructure planning, design, and redesign phases, including
technological, engineering, and process improvements.
5. Enable Risk-Informed Decisionmaking through Enhanced Situational Awareness
Undertake a partnership-wide review of impediments to information sharing to support efforts to
address those challenges and develop best practices. Analyze legal considerations, the classification
or sensitive nature of certain information, laws and policies that govern information dissemination,
and the need to build trust among partners.
Build upon the functional relationship descriptions developed as part of PPD-21 by further
analyzing functional relationships within and across the Federal government (focused on critical
infrastructure security and resilience) to identify overlaps, inefficiencies, and gaps and recommend
changes to enhance situational awareness and risk-informed decisionmaking.
Develop streamlined, standardized processes to promote integration and coordination of
information sharing via jointly developed doctrine and supporting SOPs.
Develop interoperability standards to enable more efficient information exchange through defined
data standards and requirements, to include (1) a foundation for an information-sharing
environment that has common data requirements and information flow and exchange across
entities; and (2) sector-specific critical information requirements (i.e., critical reporting criteria),
to allow for improved information flow and reporting to produce more complete and timely
situational awareness for security and resilience.
6. Analyze Infrastructure Dependencies, Interdependencies, and Associated Cascading Effects
Mature the capability to identify and understand cross-sector physical and cyber dependencies and
interdependencies over different time frames at international, national, regional, and local levels.
Focus on the lifeline functions and resilience of global supply chains during potentially high-
consequence incidents, given their importance to public health, welfare, and economic activity.
Continue to evolve the Cyber-Dependent Infrastructure Identification approach under Executive
Order 13636 to consider the potential risks resulting from dependency on information and
communications technology, and inform preparedness planning and capability development.
7. Identify, Assess, and Respond to Unanticipated Infrastructure Cascading Effects During and Following Incidents
Enhance the capability to rapidly identify and assess cascading effects involving the lifeline
functions, and contribute to identifying infrastructure priorities—both known and emerging—
during response and recovery efforts.
Enhance the capacity of critical infrastructure partners to work through incident management
structures such as the ESFs to mitigate the consequences of disruptions to the lifeline functions.
8. Promote Infrastructure, Community, and Regional Recovery Following Incidents
Leverage Federal field staff (including Protective Security Advisors) and encourage states and
localities to promote consideration of critical infrastructure challenges in pre-incident recovery
planning, post-incident damage assessments, and development of recovery strategies.
Support examination of initiatives to enhance, repair, or replace infrastructure providing lifeline
functions during recovery.
9. Strengthen Coordinated Development and Delivery of Technical Assistance, Training, and Education
Capture, report, and prioritize the technical assistance, training, and education needs of the various
partners within the critical infrastructure community.
Examine current Federal technical assistance, training, and education programs to ensure that they
support the national priorities and the risk management activities described in NIPP 2013 to
advance progress toward the national goals.
Increase coordination of technical assistance efforts—particularly within DHS and among the
SSAs—and leverage a wider network of partners to deliver training and education programs to
better serve recipients and reach a wider audience while conserving resources.
Partner with academia to establish and update critical infrastructure curricula that help to train
critical infrastructure professionals, including executives and managers, to manage the benefits and
inherent vulnerabilities introduced by information and communications technologies in critical
infrastructure assets, systems, and networks.
10. Improve Critical Infrastructure Security and Resilience by Advancing Research and Development Solutions
Promoting R&D to enable the secure and resilient design and construction of critical infrastructure
and more secure accompanying cyber technology;
Enhancing modeling capabilities to determine the potential impacts of an incident or threat
scenario on critical infrastructure, as well as cascading effects on other sectors;
Facilitating initiatives to incentivize cybersecurity investments and the adoption of critical
infrastructure design features that strengthen all-hazards security and resilience; and
Prioritizing efforts to support the strategic guidance issued by DHS.
11. Evaluate Progress toward the Achievement of Goals
Jointly identify high-level outputs or outcomes associated with the national goals and priorities to
facilitate evaluation of progress toward the goals and priorities.
Develop the Critical Infrastructure National Annual Report and National Preparedness Report
annually through standardized data calls to SSAs and sector partners to build a national picture of
progress toward the NIPP vision and goals and the National Preparedness Goal. Incorporate
performance data from industry, SLTT, and regional entities to reflect progress throughout the
critical infrastructure community at all levels.
12. Learn and Adapt During and After Exercises and Incidents
Develop and conduct exercises through participatory processes to suit diverse needs and purposes.
o Promote broad participation and coordination among government and interested private
sector partners—including the R&D community—in exercise design, conduct, and
evaluation to reflect the perspectives of all partners and maximize the value for future
planning and operations.
o Develop exercises at multiple levels and in various formats to suit national, regional, and
SLTT needs.
Design exercises to reflect lessons learned and test corrective actions from previous exercises and
incidents, address both physical and cyber threats and vulnerabilities, and evaluate the transition
from steady state to incident response and recovery efforts.
Share lessons learned and corrective actions from exercises and incidents, and rapidly incorporate
them into technical assistance, training, and education programs to improve future security and
resilience efforts.
NIST Cybersecurity Framework Performance Goals
The NIST Cybersecurity Framework identifies the following performance goals:
1. Critical systems and functions are identified and prioritized, and cyber risk is understood as part of
a risk management plan.
2. Risk-informed actions are taken to protect critical systems and functions.
3. Resources are coordinated and applied to triage and respond to cyber events and incidents in order
to minimize impacts to critical systems and functions.
4. Following a cyber incident, impacted critical systems and functions are reconstituted based on
prior planning and informed by situational awareness.
5. Adverse cyber activities are detected and situational awareness of threats is maintained.
6. Security and resilience are continually improved based on lessons learned, consistent with risk
management planning.
Alignment of NIPP Goals with Call to Action, Joint National Priorities, and Cybersecurity Framework
NIPP Goals (matrix columns):
o Assess & Analyze Risks to Critical Infrastructure to Inform Risk Mgmt. Activities
o Secure Critical Infrastructure Against Threats While Considering Costs and Benefits
o Enhance Critical Infrastructure Resilience by Minimizing Consequences & Employing Effective Response & Recovery
o Share Information to Enable Risk-Informed Decisions
o Promote Learning & Adaptation During/After Incidents & Exercises
Call to Action Activities (matrix rows):
1. Set national focus through jointly developed priorities.
2. Determine collective actions through joint planning efforts.
3. Empower local and regional partnerships to build capacity nationally.
4. Leverage incentives to advance security & resilience.
5. Enable risk-informed decisionmaking through enhanced situational awareness.
6. Analyze infrastructure dependencies, interdependencies, and associated cascading effects.
7. Identify, assess, and respond to unanticipated infrastructure cascading effects during and following incidents.
8. Promote infrastructure, community, and regional recovery following incidents.
9. Strengthen coordinated development and delivery of technical assistance, training, and education.
10. Improve critical infrastructure security and resilience by advancing R&D solutions.
11. Evaluate progress toward the achievement of goals.
12. Learn and adapt during and after exercises and incidents.
Draft Joint National Priorities (matrix rows):
o Strengthen the management of cyber and physical risks to critical infrastructure
o Enhance effectiveness in resilience decisionmaking
o Strengthen collaboration across sectors, jurisdictions, and disciplines
o Build capabilities and coordination for enhanced incident response and recovery
o Share information to improve prevention, protection, mitigation, response, and recovery activities
Cybersecurity Framework Performance Goals (matrix rows):
o Critical systems and functions are identified and prioritized, and cyber risk is understood as part of a risk management plan.
o Risk-informed actions are taken to protect critical systems and functions.
o Resources are coordinated and applied to triage and respond to cyber events and incidents in order to minimize impacts to critical systems and functions.
o Following a cyber incident, impacted critical systems and functions are reconstituted based on prior planning, and informed by situational awareness.
o Adverse cyber activities are detected and situational awareness of threats is maintained.
o Security and resilience are continually improved based on lessons learned, consistent with risk management planning.
Explanation of SSP Planning Elements
The table below provides an explanation of key planning elements used in the SSP.
SSP Planning Elements | Explanation
NIPP Goals | The five national goals included on page 5 of NIPP 2013 (provided in this appendix).
Sector Goals | The sector's statement of goals that align with the NIPP goals.
Joint National Priorities | High-level priorities based on a collaborative process that is defined in Call to Action #1 on pages 21-22 of NIPP 2013 (provided in this appendix).
Sector Priorities | The most important broad focus areas that the sector will pursue over the next four years to advance the national goals. These are at a higher level than an activity. It is anticipated that all priorities will align with and support one or more JNPs and Call to Action activities. However, not all JNPs/CtAs will be addressed.
Sector Activities | The identifiable actions that the sector will take to achieve both the NIPP and sector goals. These may be multi-year (ongoing) activities, or activities with more discrete periods and defined end points. Many, but not all, of the activities will align with and support the JNPs and the Call to Action.
Relationship of the Sector Goals and Priorities to National-Level Goals
Each sector will develop sector goals, priorities, and activities that align with the NIPP Goals and Call to
Action, and the Joint National Priorities. The figure below demonstrates how those sector goals and
priorities relate to national-level guidance.
Proposed Language for SSP Introduction
The following sample text is provided to sectors to describe the purpose of the SSP. It can be tailored to
meet each sector’s needs. However, using similar language on the purpose of the SSPs will help maintain
consistency across the plans.
The purpose of the ______________ Sector-Specific Plan (SSP) is to guide and integrate the sector’s
efforts to secure and strengthen the resilience of critical infrastructure and describe how the
___________ Sector contributes to national critical infrastructure security and resilience, as set forth
in Presidential Policy Directive 21 (PPD-21). This SSP tailors the strategic guidance provided in NIPP
2013 to the unique operating conditions and risk landscape of the ___________ Sector.
This SSP represents a collaborative effort among the private sector; State, local, tribal, and territorial
governments; non-governmental organizations; and Federal departments and agencies to work
toward achieving shared goals and priorities to reduce critical infrastructure risk. It also reflects the
maturation of the ____________ Sector partnership and the progress made by the sector since the
2010 SSP to address the evolving risk, operating, and policy environments.