Executive Order 13636 - MARPRO ASSOCIATES INTERNATIONAL
UNCLASSIFIED
Executive Order 13636 / Presidential Policy Directive (PPD)-21
Implementing the Presidential Executive Order (EO) on Cybersecurity and the Critical Infrastructure Presidential Policy Directive (PPD) with public and private stakeholders
Eric Chapman - Office of Maritime Security Response Policy
Brett Rouzer - CG Cyber Command
LCDR Ulysses Mullins – Office of Port & Facility Compliance
Homeland Security
Cyber EO/PPD-21: Background
__________________________________________________
Cyber EO and PPD-21 signed on February 12, 2013
Sector Specific Agencies to collaborate with industry to identify critical infrastructure where a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, economic security, or national security
National Institute of Standards & Technology to develop a voluntary framework for cybersecurity resilience
PPD-21 cancels HSPD-7 & establishes an All-Hazards approach to ensuring security & resilience
Multiple deliverables derived from the PPD/EO with varying deadlines over the next year
Cyber EO/PPD-21: Integrated Cyber-Physical Security
Executive Order 13636: Improving Critical Infrastructure Cybersecurity directs the Executive Branch to:
– Develop a technology-neutral voluntary cybersecurity framework
– Promote and incentivize the adoption of cybersecurity practices
– Increase the volume, timeliness and quality of cyber threat information sharing
– Incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure
– Explore the use of existing regulation to promote cyber security
Presidential Policy Directive-21: Critical Infrastructure Security and Resilience replaces Homeland Security Presidential Directive-7 and directs the Executive Branch to:
– Develop a situational awareness capability that addresses both physical and cyber aspects of how infrastructure is functioning in near-real time
– Understand the cascading consequences of infrastructure failures
– Evaluate and mature the public-private partnership
– Update the National Infrastructure Protection Plan
– Develop a comprehensive research and development plan
Cyber EO/PPD-21: Deliverables
Deliverable | Source | Due Date | Lead | Coordination | DHS Lead
Consultative process for engaging CI partners | EO – 6 | Unspecified | DHS | SSAs | ITF (Stakeholder Engagement)
Cybersecurity voluntary program incentive reports | EO – 8 (d) | 120 Days (6/12/2013) | DHS, Treasury, Commerce | DHS | ITF (Incentives)
Feasibility of cyber security standards in acquisition planning and contract administration | EO – 8 (e) | 120 Days (6/12/2013) | DOD, GSA | DHS, Federal Acquisition Regulatory Council | USM
Instructions on timely production of unclassified cyber threat info | EO – 4(a) | 120 Days (6/12/2013) | DHS and DNI | | NPPD/I&A
Process for rapidly disseminating unclassified threat info | EO – 4(b) | Unspecified | DHS and DOJ | DNI | NPPD/I&A
Description of CISR Functional Relationships | PPD – 1 | 120 Days (6/12/2013) | DHS | SSAs, Relevant Ds and As | ITF (Planning and Evaluation)
Expand Enhanced Cybersecurity Services to all CI sectors | EO – 4(c) | 120 Days (6/12/2013) | DHS | | NPPD
Cyber EO/PPD-21: Deliverables (continued)
Deliverable | Source | Due Date | Lead | Coordination | DHS Lead
Identification of CI at Greatest Risk | EO – 9 | 150 Days (7/12/2013) | DHS | SSAs | ITF (Risk Identification)
Evaluation of the Public-Private Partnership Model | PPD – 2 | 150 Days (7/12/2013) | DHS | SSAs, Relevant Ds and As | ITF (Planning and Evaluation)
Process of notifying CI owners of status on the list | EO – 9 | Unspecified (150 Days +, 7/12/2013) | DHS | SSAs | ITF (Risk Identification)
Baseline System and Data for information exchange | PPD – 3 | 180 Days (8/11/2013) | DHS | SSAs, Relevant Ds and As | ITF (Situational Awareness and Info Exchange)
Provision of technical assistance to regulatory Ds and As for cybersecurity | EO – 10 | Unspecified | DHS | Ds and As with regulatory ability | NPPD
Expedite processing of security clearances | EO – 4(d) | Unspecified | DHS | | NPPD/USM
Private sector SMEs / Federal service program | EO – 4(e) | Unspecified | DHS | | PSO
Cyber EO/PPD-21: Deliverables (continued)
Deliverable | Source | Due Date | Lead | Coordination | DHS Lead
Situational awareness capability for critical infrastructure | PPD – 4 | 240 Days (10/10/2013) | DHS | | ITF (Situational Awareness and Info Exchange)
Update to the NIPP | PPD – 5 | 240 Days (10/10/2013) | DHS | SSAs, Relevant Ds and As; SLTT; O/Os | ITF (Planning and Evaluation)
Cybersecurity Framework (Draft) | EO – 7 | 240 Days (10/10/2013) | NIST | DHS, NSA, SSAs, OMB | ITF (Framework Collaboration)
Report on applicability of Cybersecurity Framework to regulations | EO – 10 (a) | 240 Days + 90 Days (10/10/2013 / 1/8/2014) | Ds and As with regulatory ability | DHS, OMB, NSS | TBD
Cybersecurity Framework (Final) | EO – 7 | 365 Days (2/12/2014) | NIST | DHS, NSA, SSAs, OMB | ITF (Framework Collaboration)
Report on privacy and civil rights and civil liberties risks associated with cybersecurity enhancements | EO – 5 (b) | 365 Days (2/12/2014) | DHS | Other Ds and As / Privacy and Civil Liberties Oversight Board / OMB | Privacy and CR/CL
Cyber EO/PPD-21: Integrated Task Force (ITF)
DHS established the ITF to lead implementation of E.O. 13636 & PPD-21
Coordinate interagency, public & private sector efforts to ensure effective integration & synchronization of EO & PPD requirements across the homeland security enterprise
Establish & manage 9 Working Groups to accomplish specific deliverables
ITF Director & Deputy Director report to the Deputy Secretary's Executive Steering Committee
Expected to work for an estimated nine months to meet the E.O. & PPD implementation timeline
Long-term EO and PPD work then stays with the responsible DHS program offices
Engages partners and stakeholders to develop products
Cyber EO/PPD-21: Working Groups
ITF Working Group | Task | Deliverable(s)
Stakeholder Engagement | Coordinate outreach to stakeholders (including critical infrastructure owner-operator communities and SLTTs) throughout implementation. | Consultative process for engaging stakeholders
Cyber-Dependent Infrastructure Identification | Identify critical infrastructure where a cybersecurity incident could result in catastrophic regional or national effects on public health or safety, economic security, or national security & evaluate how best to enhance the ongoing prioritization process for all critical infrastructure. | Identification of CI at Greatest Risk; Process of notifying CI owners of status on the list
Planning and Evaluation | Lead effort to evaluate the existing public-private critical infrastructure partnership model & its functionality for physical & cyber security. Update the National Infrastructure Protection Plan (NIPP), in coordination with Sector Specific Agencies & other CI partners. | Evaluation of the Public-Private Partnership Model; Update the NIPP
Situational Awareness and Information Exchange | Identify & map existing CI security & resilience functional relationships across the Federal Government. Identify baseline data & systems requirements for the Federal Government. Develop a situational awareness capability for CI. Identify mechanisms to improve effective information sharing. | Description of CISR Functional Relationships; Baseline System & Data for information exchange; Situational awareness capability for critical infrastructure
Cyber EO/PPD-21: Working Groups (continued)
ITF Working Group | Task | Deliverable(s)
Incentives | Lead study of incentives for voluntary participation in the CI cybersecurity program. Contribute to developing recommendations on the feasibility, security benefits & relative merits of incorporating security standards into acquisition planning & contract administration. | Cybersecurity voluntary program incentive reports
Framework Collaboration (along with NIST) | Work with the National Institute of Standards & Technology to develop, evaluate & disseminate the cybersecurity framework. Encourage adoption by CI owners & operators, to include adoption of cybersecurity performance goals. | Cybersecurity Framework; Report on applicability of Cybersecurity Framework to regulations; Performance Goals
Assessments: Privacy and Civil Rights and Civil Liberties | Coordinate with Privacy & Civil Rights & Civil Liberties representatives across agencies & assess privacy & CRCL impacts of EO/PPD deliverables. | Report on privacy and civil rights and civil liberties risks associated with cybersecurity enhancements
Research and Development | Lead all research & development-related tasks in the EO/PPD. | CISR R&D Plan
Cyber Threat Information Sharing | Develop instructions to ensure timely production of unclassified reports of cyber threats to specific targets. Establish a process that rapidly disseminates unclassified cybersecurity information reports to targeted CIKR & disseminates classified cybersecurity reports to authorized CIKR. | Unclassified Cyber Threat Report Production Instruction; Unclassified/Classified Cybersecurity Information Dissemination Process
Transportation Sector Specific Agencies
[Diagram: Transportation Sector All-Hazards Risk Management. Collaboration through GCCs, CIPAC and SCCs across the sector's modes: Maritime, Aviation, Highway, Freight/Rail, Mass Transit, Pipeline.]
CYBER EO/PPD-21: TSSCWG
Transportation Systems Sector Cyber Working Group
Transportation SSA (DOT/TSA/USCG)
Meet with ITF and WG leads to address Sector Specific Issues
Participate/Contribute in 9 WGs
Through CIPAC Engage & Collaborate with Stakeholders
Needs Maritime Sector Industry Representation
CYBER EO/PPD-21: Maritime Industry
How Does Industry Contribute to the Process?
Feedback to Working Groups
Participation in TSSCWG via CIPAC
Proactive engagement through review of current cyber practices and governance
• DHS Cybersecurity Evaluation Tool (CSET)
• DHS On-Site Assessment by Control Systems Security Program
• ICS-CERT (http://ics-cert.us-cert.gov)
Visit USCG Maritime Security-Cybersecurity page on Homeport
• Register to receive page update notifications
Voluntary adoption of framework when developed
Continuous Feedback
CYBER EO/PPD-21: Maritime Industry
NIST REQUEST FOR INFORMATION – APRIL 2013
Current Risk Management Process
Use of Frameworks, Standards, Guidelines and Best Practices
Specific Industry Practices
Public Workshop on April 3, 2013
Submit comments by April 8, 2013
CYBER EO/PPD-21: Maritime Industry
CRITICAL INFRASTRUCTURE IDENTIFICATION – APRIL 2013
SESSION 1:
Determine Critical Functions that encompass the full set of processes that produce, provide, and maintain a sector's products and services
Examine Supporting Value Chain(s) that include the general sequence of events for providing a sector's critical function
Identify Cyber Critical Infrastructure that supports value chain activities, including business systems, control systems, and specialty systems, to support identification of sector cyber-dependent critical infrastructure
SESSION 2:
Discuss and confirm the identification criteria that will be used to determine the sector's cyber-dependent critical infrastructure
CYBER EO/PPD-21: What Now?
What Do We Need From Industry?
Participation in the EO/PPD implementation
Participants who can respond to supply chain impacts from a cyber incident
• Decision Makers
• Understand the interface between operations & information technology
Rapidly respond to short-fused tasks & reviews of working group products
Initial participation will be informing the identification of Cyber-dependent Critical Infrastructure (CI) & Framework Development
CYBER EO/PPD-21
QUESTIONS?
Eric Chapman – [email protected]
Brett Rouzer – [email protected]
LCDR Ulysses Mullins – [email protected]