DHS Releases Final National Infrastructure Protection Plan

Print PDFPatrick Currier, Jay Ryan, Van Ness Feldman Issue Alert
July 6, 2006

On June 30, pursuant to Homeland Security Presidential Directive 7, the Department of Homeland Security (DHS) released a final National Infrastructure Protection Plan (NIPP), articulating a comprehensive risk management framework that clearly defines critical infrastructure protection roles and responsibilities for all levels of government, private industry, nongovernmental agencies, and tribal partners. The final NIPP builds on the framework established in both the interim and draft versions of the NIPP, issued in February 2005 and November 2005 respectively. In finalizing the NIPP, DHS reviewed nearly 10,000 public comments and collaborated with nearly 300 federal, state, local, tribal, and private sector agencies and organizations.

National Infrastructure Protection Plan

The final version of the NIPP enhances protection of the nation’s critical infrastructure and key resources (CI/KR) in order to prevent or mitigate the debilitating effects of terrorist attacks and natural disasters on such assets. To this end, the NIPP focuses on the following principles and objectives:

Building Security Partnerships for Improved Coordination. Through coordination with government and private industry security partners, Sector-Specific Agencies (SSAs) (e.g., DOE for energy facilities, EPA for water systems, DOT for transportation facilities) will develop and submit Sector-Specific Plans (SSPs) detailing the application of core NIPP processes tailored to each CI/KR sector. As part of this objective, the private sector is encouraged to establish Sector Coordinating Councils (SCCs) that will provide a single point of internal coordination within each sector to work with Government Coordinating Councils (GCCs), which will be comprised of representatives of the SSAs, other federal departments and agencies, and state, local, and tribal governments. These councils create a structure through which representative groups from all levels of government and the private sector can collaborate and share approaches to CI/KR protection.
Managing Risk. The NIPP’s risk-reduction program applies the following basic framework: (1) Set security goals; (2) Identify assets; (3) Assess risks; (4) Prioritize risks; (5) Implement protective programs; and (6) Measure effectiveness. This framework is tailored and applied on an asset, system, network, or function basis, depending on the characteristics of the individual CI/KR sector. For instance, sectors that are primarily dependent on fixed assets and physical facilities may use a bottom-up, asset-by-asset approach, while sectors with diverse and logical assets may use a top-down business or mission continuity approach. Each sector has the flexibility to choose the approach that best fits its needs and produces the most effective results.
Network Approach to Information Sharing. Representing a fundamental shift in how security partners share and protect critical infrastructure information, the final NIPP uses a network approach to information sharing. Such an approach enables secure, multidirectional information sharing between and across government and industry. The network approach provides mechanisms to support the development and sharing of strategic and specific threat assessments, threat warnings, incident reports, all-hazards impact assessments, and best practices.
Ensuring an Effective Long-Term Program. To ensure an effective, efficient CI/KR protection program over the long-term, the NIPP seeks to: (1) Build national awareness by ensuring a focused understanding of the all-hazards threat environment; (2) Enable education, training, and exercise programs to ensure that professionals and organizations are able to undertake NIPP-related responsibilities; (3) Conduct R&D and use technology to improve CI/KR protection-related capabilities or to lower the costs of existing capabilities; (4) Develop, safeguard, and maintain data systems and simulations to enable refined risk assessment; and (5) Continuously improve the NIPP through ongoing management and revision.

Private Sector Implications

Although private sector compliance remains voluntary, the final version of the NIPP contemplates increased industry involvement. In contrast to prior versions, the final NIPP provides private industry with significant input opportunities, particularly with respect to the development of SSPs. For instance, DHS has announced that, within 180 days of the NIPP’s issuance, it intends to release SSPs for 17 industries detailing the risk management framework for each sector. As part of this process, DHS is seeking to collaborate with SCCs to develop coordinated and functional SSPs. Beyond drafting SSPs, DHS is encouraging all private sector owners and operators to implement the NIPP framework for the assets under their control and to provide CI/KR related data to DHS to facilitate national protection program implementation.

###

Based in Washington, DC — with an office in Seattle, Washington — Van Ness Feldman is a nationally recognized law firm specializing in energy, the environment, natural resources, and infrastructure security. Founded in 1977, the firm now has more than 75 attorneys and public policy professionals. A number of our members have served as counsel or chief counsel to congressional committees with jurisdiction over energy and environmental policy, as well as senior advisors to Democratic and Republican Members of Congress on those committees. Others have held high-level appointments in the Department of Energy, the Department of the Interior, the Federal Energy Regulatory Commission, and the Environmental Protection Agency.

This document has been prepared by Van Ness Feldman for informational purposes only and is not a legal opinion, does not provide legal advice for any purpose, and neither creates nor constitutes evidence of an attorney-client relationship.