BACKGROUND
 

GOVERNMENT POLICY AND DIRECTIVES TO PROTECT OUR CRITICAL INFRASTRUCTURE

​

Immediately after 9/11 our government set forth plans to better protect the homeland and prepare for threats like terrorism, cyberattacks, and natural disasters. While the Critical Infrastructure Protection (CIP) program which recognized certain parts of the national infrastructure as critical to national security began in 1996 with Executive order 13010 and in 1998 (Presidential Decision Directive 63 (PPD-63)), it was the Homeland Security Presidential Directive 7 (HSPD-7) in 2003 that expanded the scope of CIP and added a focus on threats from terrorism.

​

The first National Infrastructure Protection Plan (NIPP) was published in 2006, with the latest version published in 2013. The NIPP provides a framework that outlines how the government and private sector work together to protect critical infrastructure. The 2013 version was revised and developed in response to Presidential Policy Directive 21 (PPD-21), also published in 2013, which identified 16 critical infrastructure sectors, which are considered vital to national security and economic stability. More about these sectors can be found on the Cybersecurity & Infrastructure Security Agency (CISA) website. PPD-21 also identifies Sector Risk Management Agencies (SRMA) designated for each sector. For example: the Department of Defense (DoD) is the SRMA for the Defense Industrial Base Sector and the Department of Homeland Security (DHS) is the SRMA for the Communications Sector, among others.

​​

If you've read this far and still have some interest in this stuff, it was Presidential Policy Directive 8 (PPD-8), published in 2011 that emphasized a comprehensive approach to actually preparing for all types of hazards and threats. It is in PPD-8 that the whole community, including individuals, businesses, schools, and all levels of government are called into the effort to prepare for and mitigate the vulnerabilities to and impacts from threats and hazards. The National Preparedness Goal (2015) also brought greater focus to the whole community effort. "A secure and resilient Nation with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk."

​

From a CIP perspective, it is PPD-8, PPD-21 (now NSM-22), and the NIPP which provide the most comprehensive marching orders from a high level. From that, the Federal Emergency Management Agency (FEMA) and other parts of the Department of Homeland Security (DHS) have created guidance and processes such as the Threat and Hazard Identification and Risk Assessment (THIRA) for the whole community.

 

It should be noted that PPD-21 was updated in 2024 as the National Security Memorandum 22 (NSM-22). The NSM-22 continues the focus on critical infrastructure while emphasizing enhanced intelligence sharing and collaboration with the private sector. NSM-22 also outlines the need for developing sector-specific minimum security and resilience requirements for each critical infrastructure sector. Perhaps one of the updates which stands out the most is the introduction of a new risk management cycle. According to CISA, "NSM-22 details a new risk management cycle that requires SRMAs to identify, assess, and prioritize risk within their respective sectors and develop sector risk management plans to address those risks. With these risk assessments and risk management plans, CISA will identify and prioritize systemic, cross-sector, and nationally significant risk through a cross-sector risk assessment. This assessment will enable CISA to prioritize systemic risk reduction efforts—detailed in the National Plan—that the U.S. government will take in collaboration with relevant federal, state and local, private, and international partners. Most importantly, the National Plan will recognize that the U.S. government cannot make all critical infrastructure immune from all threats and hazards. Rather, it will detail U.S. government efforts to make critical infrastructure resilient against prioritized risks based on the 16 sector’s risk assessments and CISA’s cross-sector risk assessments. All the while, CISA and other federal partners will work closely with SRMAs to manage their unique sector risks." CISA, 2024

​​

​

CLEAR TERRAIN'S EXPERIENCE

 

Clear Terrain was born from experience conducting DoD risk assessments for the U.S. Navy and Marine Corps. I spent years watching the CIP directives, guidance, and processes evolve while critical infrastructure owners and operators struggled to take repeatable actions to effectively assess and mitigate risks from hazards and our latest threats. 

​

Over a period of 8 years, I used my military intelligence experience to first focus on developing All-Hazard Threat Assessments (AHTA) tailored to DoD installations. These assessments provided the context for which the broader risk assessment could be conducted for each installation. The organization I was with had, and still employees, some of the most knowledgeable professionals in the industry who continuously evolved the critical infrastructure risk assessment process into a powerful tool that uncovers vulnerabilities to well-defined threats and provides authoritative advocacy for enhanced capabilities to mitigate the risks.

 

Most DoD installations are miniature cities with many critical infrastructure sector components within them, which makes risk assessments for that sector quite unique. That's why, after continuously improving the process and methodologies over many years, I realized this experience could significantly assist small governments and private entities with the security and resilience of their critical infrastructure as well. It is my hope that many will benefit, in community safety, from the unique knowledge that makes up Clear Terrain Consulting. 

​​

Sincerely,

Chris Adam

​