Privacy & Information Security Law Blog

On February 12, 2013, in conjunction with the release of an executive order on Improving Critical Infrastructure Cybersecurity (the “Executive Order”), President Obama signed a Presidential Policy Directive on Critical Infrastructure Security and Resilience (“PPD-21” or “PPD”). The PPD revokes the 2003 Homeland Security Presidential Directive-7 (issued by President George W. Bush as an initiative under the former Office of Homeland Security and the Homeland Security Council) to adjust to the new risk environment and make the nation’s critical infrastructure more resilient. The PPD expands upon the work that has been accomplished to date for the physical security of critical infrastructure and lays a foundation for the implementation of the Executive Order to protect critical infrastructure cybersecurity.

The PPD seeks to accomplish three strategic imperatives spearheaded by the Department of Homeland Security (“DHS”) through a collaborative effort with sector-specific government agencies (“SSAs”), other government entities, and the owners and operators of the nation’s critical infrastructure.

First, the PPD seeks to “refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience.” Through this imperative, the Obama Administration is forcing review of the Critical Infrastructure Partnership Advisory Council (“CIPAC”) partnership model in order to identify areas of improvement. While the current partnership engagement has had some success, many believe that there is a need for a system-wide improvement to fulfill the new missions established by the PPD and the Executive Order. The PPD will establish two national critical infrastructure centers operated by DHS, one for physical and the other for cyber infrastructure. The likely challenge for these centers will be to coordinate the operations and information exchange between them and with the private sector.

Second, the PPD aims to “enable effective information exchange by identifying baseline data and systems requirements for the Federal government.” The expressed goal of this imperative is to enable efficient information exchange and promote greater information sharing between government and the private sector, consistent with applicable law and policy.

Finally, the PPD directs the government to “implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure.” In protecting the homeland, it is recognized that a necessary government function is to analyze the security of our nation’s critical infrastructure. Currently, this function is done within DHS National Protection and Programs Directorate (“NPDD”). By using the newly established constructs of the PPD, DHS is directed to reinvigorate this analysis through a heightened focus on four areas: (1) prioritizing assets and managing risks, (2) anticipating interdependencies and cascading impacts, (3) recommending security and resilience measures, and (4) supporting incident management and restoration efforts.

Like the Executive Order, the PPD sets tight time lines for government action. Within 120 days, DHS will need to develop a description of the functional relationships within DHS and across the federal government related to critical infrastructure security and resilience. This description will serve as a “roadmap” for the private sector to navigate the government’s functions. Within 150 days, DHS, in coordination with SSAs and critical infrastructure owners and operators, will need to complete an assessment of the existing public-private partnership model and recommend options for improving the partnership. Within 180 days, DHS, through a similar coordinated effort with SSAs and the private sector, will need to identify baseline data and systems requirements for the federal government to enable efficient information exchange; and, within 240 days, to develop a situational awareness capability for critical infrastructure. In addition, DHS is required to update the NIPP within 240 days and complete a national critical infrastructure security and resilience research and development plan within two years. These tight time frames, in conjunction with directives contained in the Executive Order, will require significant effort by DHS.

The PPD recognizes that the success of this effort will be based fundamentally on the level of engagement of private sector owners and operators of critical infrastructure. The collaborative framework established both by the Executive Order and the PPD will provide significant opportunities to the private sector for formal and informal interaction with DHS and other government entities. Industry should be prepared to provide meaningful and timely comments.