Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com


Introduction

On February 12, 2013, the White House released the official version of the Presidential Policy Directive regarding critical infrastructure security and resilience. The directive calls for a national effort to strengthen and maintain the security, functionality, and resiliency of critical infrastructure while maintaining a safe, secure, and efficient cyber environment. These efforts will be shared among federal, state, local, and public or private owners and operators of critical infrastructure.

Cyber Presidential Policy Directive

1. What is the Cyber Presidential Policy Directive (PPD)?

The Cyber PPD is a policy of the United States to strengthen the security and resilience of its critical infrastructure against both physical and cyber threats. The White House advocates that these goals can be achieved through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and to collaboratively develop and implement risk-based standards.

2. What is considered critical infrastructure?

Critical infrastructure, according to the Cyber PPD, refers to systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

3. Why was the PPD produced?

The PPD was produced to ensure critical infrastructure is secure and able to withstand and rapidly recover from all hazards. Critical infrastructure must have the ability to prepare for and adapt to changing conditions and to withstand and recover rapidly from disruptions. In addition, it must be able to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents. Achieving this will require integration with the national preparedness system across prevention, protection, mitigation, response, and recovery, as outlined in the directive.

4. What does the PPD encompass?

The PPD consists of three strategic imperatives that drive the federal approach to strengthening critical infrastructure security and resilience:

- Refine and clarify functional relationships across the federal government to advance the national unity of effort to strengthen critical infrastructure security and resilience;
- Enable effective information exchange by identifying baseline data and systems requirements for the federal government; and
- Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure.

5. Who does the PPD apply to?

All federal department and agency heads are responsible for the identification, prioritization, assessment, remediation, and security of their respective internal critical infrastructure that supports primary mission-essential functions. Implementation of this directive requires a national effort from the Sector-Specific Agencies (SSAs) as well as the specialized or support capabilities of other federal departments and agencies, and strong collaboration with critical infrastructure owners and operators and state, local, tribal, and territorial (SLTT) entities.

Sector-Specific Agencies

6. What is a Sector-Specific Agency (SSA)?

A Sector-Specific Agency (SSA) is the federal department or agency designated under the directive to be responsible for providing institutional knowledge and specialized expertise, as well as leading, facilitating, or supporting the security and resilience programs and associated activities of its designated critical infrastructure sector in the all-hazards environment.

7. What are the responsibilities of Sector-Specific Agencies?

Each critical infrastructure sector has unique characteristics, operating models, and risk profiles that benefit from an identified Sector-Specific Agency with institutional knowledge and specialized expertise about the sector. SSAs shall carry out the following roles and responsibilities for their respective sectors:

- Coordinate with the Department of Homeland Security (DHS) and other relevant federal departments and agencies, and collaborate with critical infrastructure owners and operators, and others as appropriate, to implement this directive;
- Serve as a day-to-day federal interface for the dynamic prioritization and coordination of sector-specific activities;
- Carry out incident management responsibilities consistent with appropriate policies, directives, or regulations;
- Provide, support, or facilitate technical assistance and consultations for that sector to identify vulnerabilities and help mitigate incidents, as appropriate; and
- Support the Secretary of Homeland Security's statutorily required reporting requirements by providing sector-specific critical infrastructure information on an annual basis.

8. Which sectors are included in the directive?

This directive identifies 15 critical infrastructure sectors and designates an associated federal SSA for each. The sectors are:

- Chemical
- Communications
- Critical manufacturing
- Dams
- Defense industrial base
- Emergency services
- Energy
- Financial services
- Food and agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Nuclear reactors, materials, and waste
- Transportation systems
- Water and wastewater systems

Cybersecurity Framework

9. What will be included in the Cybersecurity Framework?

The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. It will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

10. How will the Framework be deployed?

Agencies will have the guidance of the National Institute of Standards and Technology (NIST), which will be responsible for developing a Cybersecurity Framework to identify gaps in the country's digital defenses and set forward standards and methodologies to address the risks. The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. Agencies will have 90 days from the publication of the draft Framework to put forward a report stating whether they have the authority to establish requirements for addressing cyber risks. In addition, agencies will have another 90 days from the publication of the final Framework to outline the actions to mitigate those risks.

11. What will be the process for adopting the Cybersecurity Framework?

Agencies with responsibility for regulating the security of critical infrastructure shall engage in a consultative process with the Department of Homeland Security, the Office of Management and Budget (OMB), and the National Security Staff to review the preliminary Cybersecurity Framework and determine whether current cybersecurity regulatory requirements are sufficient given current and projected risks. In making that determination, these agencies shall consider the identification of critical infrastructure required by the PPD. Within 90 days of the publication of the preliminary Framework, these agencies shall submit a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the Director of OMB, and the Assistant to the President for Economic Affairs, that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.

Timeline

2013

- October 10, 2013: Within 240 days of the directive, the Director of NIST will be responsible for publishing a preliminary version of the Cybersecurity Framework.

2014

- January 8, 2014: Within 90 days of the publication of the preliminary Cybersecurity Framework, agencies will need to submit a report to the President that states whether or not the agency has clear authority to establish requirements to sufficiently address current and projected cyber risks to critical infrastructure.
- February 12, 2014: Within 1 year of the executive order, the Director of NIST will publish the final version of the Cybersecurity Framework.
- May 13, 2014: If current regulatory requirements are deemed to be insufficient, within 90 days of publication of the final Framework, agencies will be responsible for proposing prioritized, risk-based, efficient, and coordinated actions to mitigate cyber risk.

2016

- February 12, 2016: Within 2 years after publication of the final Framework, agencies will need to report to the OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.

How can we help?

KPMG LLP (KPMG) understands that in today's environment, cybersecurity is a top priority for many companies. KPMG knows the risks associated with cybersecurity threats and has developed a cybersecurity framework to assess a company's cyber maturity level. With our experience in the area, KPMG will be participating in the development of the Cybersecurity Framework led by NIST. In addition, KPMG can help clients address their cyber risks in the following areas:

- Cyber Maturity Assessment (CMA): an in-depth review of an organization's ability to protect its information assets and its preparedness against cyber attack, delivering an intelligence-led cybersecurity action plan
- Specific Security Technology Assessment (e.g., Application, Network, Cloud, Host)
- Cloud Security Strategy
- Disaster Recovery (DR)/Business Continuity Management (BCM): Assessment, Strategy, Plan Development, Implementation
- Security Operations Center (SOC): Gap Assessment, Strategy, Implementation
- Policies and Procedures Development


Contact us

Greg Bell
Information Protection and Business Resilience
National Practice Leader
T: 404-222-7197
E: rgregbell@kpmg.com

Tony Buffomante
Information Protection and Business Resilience
Strategy and Governance COE Lead
T: 312-665-1748
E: abuffomante@kpmg.com

Fred Rica
Information Protection and Business Resilience
Cyber Risk & Threat Intelligence COE Lead
T: 973-912-4524
E: frica@kpmg.com

Brian Geffert
Information Protection and Business Resilience
Cybersecurity Framework Lead
T: 703-286-8055
E: bgeffert@kpmg.com

kpmg.com

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and NDPPS 164930