Page 1: Homeland Security UNCLASSIFIED Executive Order 13636 Presidential Policy Directive (PPD) - 21 Implementing the Presidential Executive Order (EO) on cybersecurity.

Homeland Security
UNCLASSIFIED

Executive Order 13636 / Presidential Policy Directive (PPD) - 21

Implementing the Presidential Executive Order (EO) on cybersecurity and Critical Infrastructure Presidential Policy Directive (PPD) with public and private stakeholders

Eric Chapman - Office of Maritime Security Response Policy
Brett Rouzer - CG Cyber Command
LCDR Ulysses Mullins – Office of Port & Facility Compliance

Page 2

Cyber EO/PPD-21: Background

Cyber EO and PPD 21 signed on February 12, 2013

Sector Specific Agencies to collaborate with industry to identify critical infrastructure where a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, economic security, or national security

National Institute of Standards & Technology to develop a voluntary framework for cybersecurity resilience

PPD-21 cancels PPD-7 & establishes an All-Hazards approach to ensuring security & resilience

Multiple deliverables derived from the PPD/EO with varying deadlines over the next year

Page 3

Cyber EO/PPD-21: Integrated Cyber-Physical Security

Executive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to:

– Develop a technology-neutral voluntary cybersecurity framework
– Promote and incentivize the adoption of cybersecurity practices
– Increase the volume, timeliness and quality of cyber threat information sharing
– Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
– Explore the use of existing regulation to promote cyber security

Presidential Policy Directive-21: Critical Infrastructure Security and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to:

– Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
– Understand the cascading consequences of infrastructure failures
– Evaluate and mature the public-private partnership
– Update the National Infrastructure Protection Plan
– Develop a comprehensive research and development plan

Page 4

Cyber EO/PPD-21: Deliverables

| Deliverable | Source | Due Date | Lead | Coordination | DHS Lead |
|---|---|---|---|---|---|
| Consultative process for engaging CI partners | EO – 6 | Unspecified | DHS | SSAs | ITF (Stakeholder Engagement) |
| Cybersecurity voluntary program incentive reports | EO – 8(d) | 120 Days (6/12/2013) | DHS, Treasury, Commerce | DHS | ITF (Incentives) |
| Feasibility of cyber security standards in acquisition planning and contract administration | EO – 8(e) | 120 Days (6/12/2013) | DOD, GSA | DHS, Federal Acquisition Regulatory Council | USM |
| Instructions on timely production of unclassified cyber threat info | EO – 4(a) | 120 Days (6/12/2013) | DHS and DNI | | NPPD/I&A |
| Process for rapidly disseminating unclassified threat info | EO – 4(b) | Unspecified | DHS and DOJ | DNI | NPPD/I&A |
| Description of CISR Functional Relationships | PPD – 1 | 120 Days (6/12/2013) | DHS | SSAs, Relevant Ds and As | ITF (Planning and Evaluation) |
| Expand Enhanced Cybersecurity Services to all CI sectors | EO – 4(c) | 120 Days (6/12/2013) | DHS | | NPPD |

Page 5

Cyber EO/PPD-21: Deliverables

| Deliverable | Source | Due Date | Lead | Coordination | DHS Lead |
|---|---|---|---|---|---|
| Identification of CI at Greatest Risk | EO – 9 | 150 Days (7/12/2013) | DHS | SSAs | ITF (Risk Identification) |
| Evaluation of the Public-Private Partnership Model | PPD – 2 | 150 Days (7/12/2013) | DHS | SSAs, Relevant Ds and As | ITF (Planning and Evaluation) |
| Process of notifying CI owners of status on the list | EO – 9 | Unspecified (150 Days +; 7/12/2013) | DHS | SSAs | ITF (Risk Identification) |
| Baseline System and Data for information exchange | PPD – 3 | 180 Days (8/11/2013) | DHS | SSAs, Relevant Ds and As | ITF (Situational Awareness and Info Exchange) |
| Provision of technical assistance to regulatory Ds and As for cybersecurity | EO – 10 | Unspecified | DHS | Ds and As with regulatory ability | NPPD |
| Expedite processing of security clearances | EO – 4(d) | Unspecified | DHS | | NPPD/USM |
| Private sector SMEs / Federal service program | EO – 4(e) | Unspecified | DHS | | PSO |

Page 6

Cyber EO/PPD-21: Deliverables

| Deliverable | Source | Due Date | Lead | Coordination | DHS Lead |
|---|---|---|---|---|---|
| Situational awareness capability for critical infrastructure | PPD – 4 | 240 Days (10/10/2013) | DHS | | ITF (Situational Awareness and Info Exchange) |
| Update to the NIPP | PPD – 5 | 240 Days (10/10/2013) | DHS | SSAs, Relevant Ds and As; SLTT; O/Os | ITF (Planning and Evaluation) |
| Cybersecurity Framework (Draft) | EO – 7 | 240 Days (10/10/2013) | NIST | DHS, NSA, SSAs, OMB | ITF (Framework Collaboration) |
| Report on applicability of Cybersecurity Framework to regulations | EO – 10(a) | 240 Days + 90 Days (10/10/2013 - 1/8/2014) | Ds and As with regulatory ability | DHS, OMB, NSS | TBD |
| Cybersecurity Framework (Final) | EO – 7 | 365 Days (2/12/2014) | NIST | DHS, NSA, SSAs, OMB | ITF (Framework Collaboration) |
| Report on privacy and civil rights and civil liberties risks associated with cybersecurity enhancements | EO – 5(b) | 365 Days (2/12/2014) | DHS | Other Ds and As / Privacy and Civil Liberties Oversight Board / OMB | Privacy and CR/CL |

Page 7

Cyber EO/PPD-21: Integrated Task Force (ITF)

DHS Established the ITF to Lead Implementation of E.O. 13636 & PPD-21

Coordinate interagency, public & private sector efforts to ensure effective integration & synchronization of EO & PPD requirements across the homeland security enterprise

Establish & manage 9 Working Groups to accomplish specific deliverables

ITF Director & Deputy Director report to Deputy Secretary Executive Steering Committee

Expected to work for est. nine months to meet E.O. & PPD implementation timeline

Long-term EO and PPD work then stays with responsible DHS program offices

Engages partners and stakeholders to develop products


Page 8

Cyber EO/PPD-21: Working Groups

ITF Working Group: Stakeholder Engagement
Task: Coordinate outreach to stakeholders (including critical infrastructure owner-operator communities and SLTTs) throughout implementation.
Deliverables:
• Consultative process for engaging stakeholders

ITF Working Group: Cyber-Dependent Infrastructure Identification
Task: Identify critical infrastructure where a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, economic security, or national security & evaluate how best to enhance the ongoing prioritization process for all critical infrastructure.
Deliverables:
• Identification of CI at Greatest Risk
• Process of notifying CI owners of status on the list

ITF Working Group: Planning and Evaluation
Task: Lead effort to evaluate existing public-private critical infrastructure partnership model & its functionality for physical & cyber security. Update the National Infrastructure Protection Plan (NIPP), in coordination with Sector Specific Agencies & other CI partners.
Deliverables:
• Evaluation of the Public-Private Partnership Model
• Update the NIPP

ITF Working Group: Situational Awareness and Information Exchange
Task: Identify & map existing CI security & resilience functional relationships across the Federal Government. Identify baseline data & systems requirements for the Federal Government. Develop a situational awareness capability for CI. Identify mechanisms to improve effective information sharing.
Deliverables:
• Description of CISR Functional Relationships
• Baseline System & Data for information exchange
• Situational awareness capability for critical infrastructure

Page 9

Cyber EO/PPD-21: Working Groups

ITF Working Group: Incentives
Task: Lead study of incentives for voluntary participation in the CI cybersecurity program. Contribute to developing recommendations on the feasibility, security benefits & relative merits of incorporating security standards into acquisition planning & contract administration.
Deliverables:
• Cybersecurity voluntary program incentive reports

ITF Working Group: Framework Collaboration (along with NIST)
Task: Work with National Institute of Standards & Technology to develop, evaluate & disseminate the cybersecurity framework. Encourage adoption by CI owners & operators, to include adoption of cybersecurity performance goals.
Deliverables:
• Cybersecurity Framework
• Report on applicability of Cybersecurity Framework to regulations
• Performance Goals

ITF Working Group: Assessments: Privacy and Civil Rights and Civil Liberties
Task: Coordinate with Privacy & Civil Rights & Civil Liberties representatives across agencies & assess privacy & CRCL impacts of EO/PPD deliverables.
Deliverables:
• Report on privacy and civil rights and civil liberties risks associated with cybersecurity enhancements

ITF Working Group: Research and Development
Task: Lead all research & development-related tasks in the EO/PPD.
Deliverables:
• CISR R&D Plan

ITF Working Group: Cyber Threat Information Sharing
Task: Develop instructions to ensure timely production of unclassified reports of cyber threats to specific targets. Establish a process that rapidly disseminates unclassified cybersecurity information reports to targeted CIKR & disseminates classified cybersecurity reports to authorized CIKR.
Deliverables:
• Unclassified Cyber Threat Report Production Instruction
• Unclassified/Classified Cybersecurity Information Dissemination Process

Page 10

Transportation Sector Specific Agencies: Collaboration

[Diagram: the transportation modes (Maritime, Aviation, Highway, Freight/Rail, Mass Transit, Pipeline) linked through the GCCs and, via CIPAC, the SCCs, under the heading "Transportation Sector All-Hazards Risk Management"]

Page 11

CYBER EO/PPD-21: TSSCWG

Transportation Systems Sector Cyber Working Group

Transportation SSA (DOT/TSA/USCG)

Meet with ITF and WG leads to address Sector Specific Issues

Participate/Contribute in 9 WGs

Through CIPAC Engage & Collaborate with Stakeholders

Needs Maritime Sector Industry Representation


Page 12

CYBER EO/PPD-21: Maritime Industry

How Does Industry Contribute to the Process?

Feedback to Working Groups

Participation in TSSCWG via CIPAC

Proactive engagement through review of current cyber practices and governance

• DHS Cybersecurity Evaluation Tool (CSET)
• DHS On-Site Assessment by Control Systems Security Program
• ICS-CERT (http://ics-cert.us-cert.gov)

Visit the USCG Maritime Security-Cybersecurity page on Homeport

• Register to receive page update notifications

Voluntary adoption of the framework when developed

Continuous feedback

Page 13

CYBER EO/PPD-21: Maritime Industry

NIST REQUEST FOR INFORMATION – APRIL 2013

Current Risk Management Process

Use of Frameworks, Standards, Guidelines and Best Practices

Specific Industry Practices

Public Workshop on April 3, 2013

Submit comments by April 8, 2013


Page 14

CYBER EO/PPD-21: Maritime Industry

CRITICAL INFRASTRUCTURE IDENTIFICATION – APRIL 2013

SESSION 1:

Determine Critical Functions that encompass the full set of processes that produce, provide, and maintain a sector’s products and services

Examine Supporting Value Chain(s) that include the general sequence of events for providing a sector’s critical function

Identify Cyber Critical Infrastructure that support value chain activities, including business systems, control systems, and specialty systems, to support identification of sector cyber-dependent critical infrastructure

SESSION 2:

Discuss and confirm the identification criteria that will be used to determine the sector’s cyber-dependent critical infrastructure

Page 15

CYBER EO/PPD-21: What Now?

What Do We Need From Industry?

Participation in the EO/PPD implementation

Participants who can respond to supply chain impacts from a cyber incident

• Decision makers
• Understand the interface between operations & information technology

Rapidly respond to short-fused tasks & reviews of working group products

Initial participation will be informing the identification of Cyber-dependent Critical Infrastructure (CI) & Framework Development

Page 16

CYBER EO/PPD-21

QUESTIONS?

Eric Chapman – [email protected]
Brett Rouzer – [email protected]
LCDR Ulysses Mullins – [email protected]