Posted: 13-Jan-2016
Homeland Security
UNCLASSIFIED
Executive Order 13636 / Presidential Policy Directive (PPD)-21
Implementing the Presidential Executive Order (EO) on Cybersecurity and the Critical Infrastructure Presidential Policy Directive (PPD) with public and private stakeholders
Eric Chapman – Office of Maritime Security Response Policy
Brett Rouzer – CG Cyber Command
LCDR Ulysses Mullins – Office of Port & Facility Compliance
Cyber EO/PPD-21: Background
Cyber EO and PPD-21 signed on February 12, 2013
Sector Specific Agencies are to collaborate with industry to identify critical infrastructure where a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, economic security, or national security
The National Institute of Standards & Technology is to develop a voluntary framework for cybersecurity resilience
PPD-21 cancels HSPD-7 and establishes an All-Hazards approach to ensuring security and resilience
Multiple deliverables derive from the PPD/EO, with varying deadlines over the next year
Cyber EO/PPD-21: Integrated Cyber-Physical Security
– Executive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to:
  – Develop a technology-neutral voluntary cybersecurity framework
  – Promote and incentivize the adoption of cybersecurity practices
  – Increase the volume, timeliness and quality of cyber threat information sharing
  – Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
  – Explore the use of existing regulation to promote cyber security
– Presidential Policy Directive-21: Critical Infrastructure Security and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to:
  – Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
  – Understand the cascading consequences of infrastructure failures
  – Evaluate and mature the public-private partnership
  – Update the National Infrastructure Protection Plan
  – Develop a comprehensive research and development plan
Cyber EO/PPD-21: Deliverables
Deliverable | Source | Due Date | Lead | Coordination | DHS Lead
Consultative process for engaging CI partners | EO – 6 | Unspecified | DHS | SSAs | ITF (Stakeholder Engagement)
Cybersecurity voluntary program incentive reports | EO – 8(d) | 120 Days (6/12/2013) | DHS, Treasury, Commerce | DHS | ITF (Incentives)
Feasibility of cyber security standards in acquisition planning and contract administration | EO – 8(e) | 120 Days (6/12/2013) | DOD, GSA | DHS, Federal Acquisition Regulatory Council | USM
Instructions on timely production of unclassified cyber threat info | EO – 4(a) | 120 Days (6/12/2013) | DHS and DNI | | NPPD/I&A
Process for rapidly disseminating unclassified threat info | EO – 4(b) | Unspecified | DHS and DOJ | DNI | NPPD/I&A
Description of CISR Functional Relationships | PPD – 1 | 120 Days (6/12/2013) | DHS | SSAs, Relevant Ds and As | ITF (Planning and Evaluation)
Expand Enhanced Cybersecurity Services to all CI sectors | EO – 4(c) | 120 Days (6/12/2013) | DHS | | NPPD
Cyber EO/PPD-21: Deliverables
Deliverable | Source | Due Date | Lead | Coordination | DHS Lead
Identification of CI at Greatest Risk | EO – 9 | 150 Days (7/12/2013) | DHS | SSAs | ITF (Risk Identification)
Evaluation of the Public-Private Partnership Model | PPD – 2 | 150 Days (7/12/2013) | DHS | SSAs, Relevant Ds and As | ITF (Planning and Evaluation)
Process of notifying CI owners of status on the list | EO – 9 | Unspecified (150 Days +; 7/12/2013) | DHS | SSAs | ITF (Risk Identification)
Baseline System and Data for information exchange | PPD – 3 | 180 Days (8/11/2013) | DHS | SSAs, Relevant Ds and As | ITF (Situational Awareness and Info Exchange)
Provision of technical assistance to regulatory Ds and As for cybersecurity | EO – 10 | Unspecified | DHS | Ds and As with regulatory ability | NPPD
Expedite processing of security clearances | EO – 4(d) | Unspecified | DHS | | NPPD/USM
Private sector SMEs / Federal service program | EO – 4(e) | Unspecified | DHS | | PSO
Cyber EO/PPD-21: Deliverables
Deliverable | Source | Due Date | Lead | Coordination | DHS Lead
Situational awareness capability for critical infrastructure | PPD – 4 | 240 Days (10/10/2013) | DHS | | ITF (Situational Awareness and Info Exchange)
Update to the NIPP | PPD – 5 | 240 Days (10/10/2013) | DHS | SSAs, Relevant Ds and As; SLTT; O/Os | ITF (Planning and Evaluation)
Cybersecurity Framework (Draft) | EO – 7 | 240 Days (10/10/2013) | NIST | DHS, NSA, SSAs, OMB | ITF (Framework Collaboration)
Report on applicability of Cybersecurity Framework to regulations | EO – 10(a) | 240 Days + 90 Days (10/10/2013 to 1/8/2014) | Ds and As with regulatory ability | DHS, OMB, NSS | TBD
Cybersecurity Framework (Final) | EO – 7 | 365 Days (2/12/2014) | NIST | DHS, NSA, SSAs, OMB | ITF (Framework Collaboration)
Report on privacy and civil rights and civil liberties risks associated with cybersecurity enhancements | EO – 5(b) | 365 Days (2/12/2014) | DHS | Other Ds and As / Privacy and Civil Liberties Oversight Board / OMB | Privacy and CR/CL
Cyber EO/PPD-21: Integrated Task Force (ITF)
DHS established the ITF to lead implementation of E.O. 13636 & PPD-21
Coordinates interagency, public & private sector efforts to ensure effective integration & synchronization of EO & PPD requirements across the homeland security enterprise
Establishes & manages 9 Working Groups to accomplish specific deliverables
ITF Director & Deputy Director report to the Deputy Secretary's Executive Steering Committee
Expected to work for an estimated nine months to meet the E.O. & PPD implementation timeline
Long-term EO and PPD work then stays with the responsible DHS program offices
Engages partners and stakeholders to develop products
Cyber EO/PPD-21: Working Groups
ITF Working Groups: Task and Deliverables

Stakeholder Engagement
Task: Coordinate outreach to stakeholders (including critical infrastructure owner-operator communities and SLTTs) throughout implementation.
Deliverables:
• Consultative process for engaging stakeholders

Cyber-Dependent Infrastructure Identification
Task: Identify critical infrastructure where a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, economic security, or national security, and evaluate how best to enhance the ongoing prioritization process for all critical infrastructure.
Deliverables:
• Identification of CI at Greatest Risk
• Process of notifying CI owners of status on the list

Planning and Evaluation
Task: Lead the effort to evaluate the existing public-private critical infrastructure partnership model and its functionality for physical and cyber security. Update the National Infrastructure Protection Plan (NIPP), in coordination with Sector Specific Agencies and other CI partners.
Deliverables:
• Evaluation of the Public-Private Partnership Model
• Update the NIPP

Situational Awareness and Information Exchange
Task: Identify and map existing CI security and resilience functional relationships across the Federal Government. Identify baseline data and systems requirements for the Federal Government. Develop a situational awareness capability for CI. Identify mechanisms to improve effective information sharing.
Deliverables:
• Description of CISR Functional Relationships
• Baseline System & Data for information exchange
• Situational awareness capability for critical infrastructure
Cyber EO/PPD-21: Working Groups
ITF Working Groups: Task and Deliverables

Incentives
Task: Lead the study of incentives for voluntary participation in the CI cybersecurity program. Contribute to developing recommendations on the feasibility, security benefits and relative merits of incorporating security standards into acquisition planning and contract administration.
Deliverables:
• Cybersecurity voluntary program incentive reports

Framework Collaboration (with NIST)
Task: Work with the National Institute of Standards & Technology to develop, evaluate and disseminate the cybersecurity framework. Encourage adoption by CI owners and operators, to include adoption of cybersecurity performance goals.
Deliverables:
• Cybersecurity Framework
• Report on applicability of Cybersecurity Framework to regulations
• Performance Goals

Assessments: Privacy and Civil Rights and Civil Liberties
Task: Coordinate with Privacy and Civil Rights and Civil Liberties representatives across agencies and assess privacy and CRCL impacts of EO/PPD deliverables.
Deliverables:
• Report on privacy and civil rights and civil liberties risks associated with cybersecurity enhancements

Research and Development
Task: Lead all research and development-related tasks in the EO/PPD.
Deliverables:
• CISR R&D Plan

Cyber Threat Information Sharing
Task: Develop instructions to ensure timely production of unclassified reports of cyber threats to specific targets. Establish a process that rapidly disseminates unclassified cybersecurity information reports to targeted CIKR and disseminates classified cybersecurity reports to authorized CIKR.
Deliverables:
• Unclassified Cyber Threat Report Production Instruction
• Unclassified/Classified Cybersecurity Information Dissemination Process
Transportation Sector Specific Agencies: Collaboration
(Diagram: transportation modes Maritime, Aviation, Highway, Freight/Rail, Mass Transit and Pipeline; GCCs; CIPAC and SCCs; Transportation Sector All-Hazards Risk Management)
CYBER EO/PPD-21: TSSCWG
Transportation Systems Sector Cyber Working Group
Transportation SSA (DOT/TSA/USCG)
Meets with ITF and WG leads to address sector-specific issues
Participates in and contributes to the 9 WGs
Engages and collaborates with stakeholders through CIPAC
Needs maritime sector industry representation
CYBER EO/PPD-21: Maritime Industry
How Does Industry Contribute to the Process?
Feedback to Working Groups
Participation in the TSSCWG via CIPAC
Proactive engagement through review of current cyber practices and governance:
• DHS Cybersecurity Evaluation Tool (CSET)
• DHS On-Site Assessment by the Control Systems Security Program
• ICS-CERT (http://ics-cert.us-cert.gov)
Visit the USCG Maritime Security-Cybersecurity page on Homeport
• Register to receive page update notifications
Voluntary adoption of the framework when developed
Continuous feedback
CYBER EO/PPD-21: Maritime Industry
NIST REQUEST FOR INFORMATION – APRIL 2013
Current Risk Management Process
Use of Frameworks, Standards, Guidelines and Best Practices
Specific Industry Practices
Public Workshop on April 3, 2013
Submit comments by April 8, 2013
CYBER EO/PPD-21: Maritime Industry
CRITICAL INFRASTRUCTURE IDENTIFICATION – APRIL 2013
SESSION 1:
Determine Critical Functions that encompass the full set of processes that produce, provide, and maintain a sector’s products and services
Examine Supporting Value Chain(s) that include the general sequence of events for providing a sector’s critical function
Identify Cyber Critical Infrastructure that support value chain activities, including business systems, control systems, and specialty systems, to support identification of sector cyber-dependent critical infrastructure
SESSION 2:
Discuss and confirm the identification criteria that will be used to determine the sector's cyber-dependent critical infrastructure
CYBER EO/PPD-21: What Now?
What Do We Need From Industry?
Participation in the EO/PPD implementation
Participants who can respond to supply chain impacts from a cyber incident:
• Decision makers
• People who understand the interface between operations & information technology
Rapid response to short-fused tasks & reviews of working group products
Initial participation will be informing the identification of Cyber-dependent Critical Infrastructure (CI) & Framework Development
CYBER EO/PPD-21
QUESTIONS?
Eric Chapman – [email protected]
Brett Rouzer – [email protected]
LCDR Ulysses Mullins – [email protected]