Cybersecurity Presidential Policy Directive: Frequently Asked Questions
kpmg.com
Introduction

On February 12, 2013, the White House released the official version of the Presidential Policy Directive on critical infrastructure security and resilience. The directive calls for a national effort to strengthen and maintain the security, functionality, and resiliency of critical infrastructure while maintaining a safe, secure, and efficient cyber environment. These efforts will be shared among federal, state, and local governments and the public or private owners and operators of critical infrastructure.
Cyber Presidential Policy Directive

1. What is the Cyber Presidential Policy Directive (PPD)?

The Cyber PPD is a policy of the United States to strengthen the security and resilience of its critical infrastructure against both physical and cyber threats. The White House advocates that these goals can be achieved through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and to collaboratively develop and implement risk-based standards.

2. What is considered critical infrastructure?

Critical infrastructure, according to the Cyber PPD, refers to systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

3. Why was the PPD produced?

The PPD was produced to ensure that critical infrastructure is secure and able to withstand and rapidly recover from all hazards. Critical infrastructure must be able to prepare for and adapt to changing conditions and to withstand and recover rapidly from disruptions, whether they arise from deliberate attacks, accidents, or naturally occurring threats or incidents. Achieving this will require integration with the national preparedness system across prevention, protection, mitigation, response, and recovery, as outlined in the directive.

4. What does the PPD encompass?

The PPD consists of three strategic imperatives that drive the federal approach to strengthening critical infrastructure security and resilience:

- Refine and clarify functional relationships across the federal government to advance the national unity of effort to strengthen critical infrastructure security and resilience;
- Enable effective information exchange by identifying baseline data and systems requirements for the federal government; and
- Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure.

5. Who does the PPD apply to?

All federal department and agency heads are responsible for the identification, prioritization, assessment, remediation, and security of their respective internal critical infrastructure that supports primary mission-essential functions. Implementation of this directive requires a national effort from the Sector-Specific Agencies (SSAs), the specialized or support capabilities of other federal departments and agencies, and strong collaboration with critical information owners and operators and with state, local, tribal, and territorial (SLTT) entities.
Sector-Specific Agencies

6. What is a Sector-Specific Agency (SSA)?

A Sector-Specific Agency (SSA) is the federal department or agency designated under the directive to be responsible for providing institutional knowledge and specialized expertise, as well as for leading, facilitating, or supporting the security and resilience programs and associated activities of its designated critical infrastructure sector in the all-hazards environment.

7. What are the responsibilities of Sector-Specific Agencies?

Each critical infrastructure sector has unique characteristics, operating models, and risk profiles that benefit from an identified Sector-Specific Agency with institutional knowledge and specialized expertise about the sector. SSAs shall carry out the following roles and responsibilities for their respective sectors:

- Coordinate with the Department of Homeland Security (DHS) and other relevant federal departments and agencies, and collaborate with critical infrastructure owners and operators and others as appropriate, to implement this directive;
- Serve as the day-to-day federal interface for the dynamic prioritization and coordination of sector-specific activities;
- Carry out incident management responsibilities consistent with applicable policies, directives, or regulations;
- Provide, support, or facilitate technical assistance and consultations for the sector to identify vulnerabilities and help mitigate incidents, as appropriate; and
- Support the Secretary of Homeland Security's statutorily required reporting by providing sector-specific critical infrastructure information on an annual basis.

8. Which sectors are included in the directive?

This directive identifies 15 critical infrastructure sectors and designates associated federal SSAs. The sectors and sector-specific agencies include:

- Chemical
- Communications
- Critical manufacturing
- Dams
- Defense industrial base
- Emergency services
- Energy
- Financial services
- Food and agriculture
- Government facilities
- Healthcare and public health
- Information technology
- Nuclear reactors, materials, and waste
- Transportation systems
- Water and wastewater systems
Cybersecurity Framework

9. What will be included in the Cybersecurity Framework?

The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. It will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide technology-neutral guidance that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing it.

10. How will the Framework be deployed?

Agencies will have the guidance of the National Institute of Standards and Technology (NIST), which will be responsible for developing a Cybersecurity Framework to identify gaps in the country's digital defenses and set out standards and methodologies to address the risks. The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. Agencies will have 90 days from the publication of the draft Framework to submit a report stating whether they have the authority to establish requirements for addressing cyber risks. In addition, agencies will have another 90 days from the publication of the final Framework to outline the actions to mitigate those risks.

11. What will be the process for adopting the Cybersecurity Framework?

Agencies with responsibility for regulating the security of critical infrastructure shall engage in a consultative process with the Department of Homeland Security, the Office of Management and Budget (OMB), and the National Security staff to review the preliminary Cybersecurity Framework and determine whether current cybersecurity regulatory requirements are sufficient given current and projected risks. In making that determination, these agencies shall take into account the identification of critical infrastructure required by the PPD. Within 90 days of the publication of the preliminary Framework, these agencies shall submit a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the Director of OMB, and the Assistant to the President for Economic Affairs, that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.
Timeline

2013

- October 10, 2013: Within 240 days of the directive, the Director of NIST will be responsible for publishing a preliminary version of the Cybersecurity Framework.

2014

- January 8, 2014: Within 90 days of the publication of the preliminary Cybersecurity Framework, agencies will need to submit a report to the President that states whether or not the agency has clear authority to establish requirements to sufficiently address current and projected cyber risks to critical infrastructure.
- February 12, 2014: Within 1 year of the executive order, the Director of NIST will publish the final version of the Cybersecurity Framework.
- May 13, 2014: If current regulatory requirements are deemed to be insufficient, within 90 days of publication of the final Framework, agencies will be responsible for proposing prioritized, risk-based, efficient, and coordinated actions to mitigate cyber risk.

2016

- February 12, 2016: Within 2 years after publication of the final Framework, agencies will need to report to the OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.
How can we help?

KPMG LLP (KPMG) understands that in today's environment, cybersecurity is a top priority for many companies. KPMG knows the risks associated with cybersecurity threats and has developed a cybersecurity framework to assess a company's cyber maturity level. With its experience in the area, KPMG will be participating in the development of the Cybersecurity Framework led by NIST. In addition, KPMG can help clients address their cyber risks in the following areas:

- Cyber Maturity Assessment (CMA): provides an in-depth review of an organization's ability to protect its information assets and its preparedness against cyber attack, and delivers an intelligence-led cybersecurity action plan
- Specific Security Technology Assessment (e.g., Application, Network, Cloud, Host)
- Cloud Security Strategy
- Disaster Recovery (DR)/Business Continuity Management (BCM): Assessment, Strategy, Plan Development, Implementation
- Security Operations Center (SOC): Gap Assessment, Strategy, Implementation
- Policies and Procedures Development
Contact us

Greg Bell
Information Protection and Business Resilience
National Practice Leader
T: 404-222-7197
E: rgregbell@kpmg.com

Tony Buffomante
Information Protection and Business Resilience
Strategy and Governance COE Lead
T: 312-665-1748
E: abuffomante@kpmg.com

Fred Rica
Information Protection and Business Resilience
Cyber Risk & Threat Intelligence COE Lead
T: 973-912-4524
E: frica@kpmg.com

Brian Geffert
Information Protection and Business Resilience
Cybersecurity Framework Lead
T: 703-286-8055
E: bgeffert@kpmg.com

kpmg.com

The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act upon such information without appropriate professional advice after a thorough examination of the particular situation.

network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved. Printed in the U.S.A. The KPMG name, logo and NDPPS 164930