On February 12, 2013, in conjunction with the release of an executive order on Improving Critical Infrastructure Cybersecurity (the “Executive Order”), President Obama signed a Presidential Policy Directive on Critical Infrastructure Security and Resilience (“PPD-21” or “PPD”). The PPD revokes the 2003 Homeland Security Presidential Directive-7 (issued by President George W. Bush as an initiative under the former Office of Homeland Security and the Homeland Security Council) to adjust to the new risk environment and make the nation’s critical infrastructure more resilient. The PPD expands upon the work that has been accomplished to date for the physical security of critical infrastructure and lays a foundation for the implementation of the Executive Order to protect critical infrastructure cybersecurity.
The PPD seeks to accomplish three strategic imperatives spearheaded by the Department of Homeland Security (“DHS”) through a collaborative effort with sector-specific government agencies (“SSAs”), other government entities, and the owners and operators of the nation’s critical infrastructure.
First, the PPD seeks to “refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience.” Through this imperative, the Obama Administration is forcing review of the Critical Infrastructure Partnership Advisory Council (“CIPAC”) partnership model in order to identify areas of improvement. While the current partnership engagement has had some success, many believe that there is a need for a system-wide improvement to fulfill the new missions established by the PPD and the Executive Order. The PPD will establish two national critical infrastructure centers operated by DHS, one for physical and the other for cyber infrastructure. The likely challenge for these centers will be to coordinate the operations and information exchange between them and with the private sector.
Second, the PPD aims to “enable effective information exchange by identifying baseline data and systems requirements for the Federal government.” The expressed goal of this imperative is to enable efficient information exchange and promote greater information sharing between government and the private sector, consistent with applicable law and policy.
Finally, the PPD directs the government to “implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure.” In protecting the homeland, it is recognized that a necessary government function is to analyze the security of our nation’s critical infrastructure. Currently, this function is done within DHS National Protection and Programs Directorate (“NPDD”). By using the newly established constructs of the PPD, DHS is directed to reinvigorate this analysis through a heightened focus on four areas: (1) prioritizing assets and managing risks, (2) anticipating interdependencies and cascading impacts, (3) recommending security and resilience measures, and (4) supporting incident management and restoration efforts.
Like the Executive Order, the PPD sets tight time lines for government action. Within 120 days, DHS will need to develop a description of the functional relationships within DHS and across the federal government related to critical infrastructure security and resilience. This description will serve as a “roadmap” for the private sector to navigate the government’s functions. Within 150 days, DHS, in coordination with SSAs and critical infrastructure owners and operators, will need to complete an assessment of the existing public-private partnership model and recommend options for improving the partnership. Within 180 days, DHS, through a similar coordinated effort with SSAs and the private sector, will need to identify baseline data and systems requirements for the federal government to enable efficient information exchange; and, within 240 days, to develop a situational awareness capability for critical infrastructure. In addition, DHS is required to update the NIPP within 240 days and complete a national critical infrastructure security and resilience research and development plan within two years. These tight time frames, in conjunction with directives contained in the Executive Order, will require significant effort by DHS.
The PPD recognizes that the success of this effort will be based fundamentally on the level of engagement of private sector owners and operators of critical infrastructure. The collaborative framework established both by the Executive Order and the PPD will provide significant opportunities to the private sector for formal and informal interaction with DHS and other government entities. Industry should be prepared to provide meaningful and timely comments.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- Iowa
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott H. Kimpel
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code