casestudy

profilerocky786
30497.docx

INITIATIVES TO ENHANCE CRITICAL INFRASTRUCTURE PROTECTION 2

INITIATIVES TO ENHANCE CRITICAL INFRASTRUCTURE PROTECTION 2

Running head: INITIATIVES TO ENHANCE CRITICAL INFRASTRUCTURE

PROTECTION 1

Initiatives to Enhance Critical Infrastructure Protection

January 26, 2020

Abstract

Critical Infrastructure Security is so critical to U.S. economic and social security along with public well-being and protection that disorder or disruption of any of the varied critical sectors will have a devastating outcome on the country. As reported by GAO, until the administrative agencies who are managing the Critical Infrastructure Security make attempts to have a complete understanding of the application of cyber security framework by the entities within these sectors, they would be restricted in their capacity to recognize the success of security efforts. This paper is intended to review the GAO (Government Accountability Office) report and describe the initiatives taken to enhance critical infrastructure protection followed by an appropriate conclusion.

Introduction

U.S. CIP (Critical Infrastructure Protection) necessitates the provision of protection from external and internal threats and restoration of physically ruined Critical Infrastructure that may disrupt services. This has been a major cause of concern due to the deteriorating U.S.

infrastructure causing enough destruction and loss of life. On 22nd May 1998, President Bill Clinton has signed Presidential Decision Directive (PDD-63) which emphasized on critical infrastructure as a growing potential vulnerability and acknowledged that U.S. must view the U.S. national infrastructure from perspective of security due to its significance to national and financial security. CIP has to be tackled in a preventive manner. The 16 critical infrastructure sectors comprise of communication, chemical, defense industrial base, energy, emergency services, food and agriculture, financial, health, transportation, nuclear reactors and material waste, water and waste-water sector. Each of these sectors has its own security plan and exclusive manmade and natural threats, risks and deteriorations. Any attack or disaster on any of this vital infrastructure may cause severe damage to the security of the nation and probably may lead to the disintegration of the complete infrastructure (Hemme, 2015).

National Infrastructure Protection Plan

NIPP-2013 provides the basis for a collaborative and an integrated approach to attain a vision of a country where physical as well as cyber critical infrastructure stays secure and resilient. This policy has permitted CIP to be flexible and self sufficient to address threats by means of regular quadrennial assessments of CIP policies. However researches involving critical infrastructure have indicated that DHS and every Sector Specific Agency (SSA) have not paid attention to prior warnings concerning the potential results of deprived maintenance. Instead they opted for aggressive efforts to prevent terrorist’s threats and the policy makers were mostly ignored calls for the resources that have to be spent for infrastructure maintenance. In 2013 February, there was no collective effort to secure the interconnected element of critical infrastructure as there was no interrelationship among sectors. In order to tackle this issue PPD 21 came into existence to foster the protection and resilience of critical infrastructure. An integrated task force was created by DHS to implement PPD 21. This move also called for association between the federal administration and its partners in private sector (Hemme, 2015).

Initiatives to enhance CIP as per GAO report According to GAO-18-211 report,

Executive Order 13636:

In February of 2013, Executive Order 13636 presented an action plan to enhance security for critical cyber infrastructure. As per this, federal policy has directed various sector specific agencies in consultation with DHS and diverse other agencies to examine the cyber security framework and establish implementation guidance or additional materials to tackle sector specific risk and operating atmosphere (GAO Report, 2018).

NIST Framework:

The National Institute of Standards and Technology has published a framework that is broadly acknowledged as a comprehensive touchstone for organizational cyber risk management. This framework has been broadly implemented by private sector, integrated across sectors and within organization and offers an initiating point to consider risks and best practices. NIST Framework for Enhancing Critical Infrastructure Security was developed in 2014 as a voluntary framework to be adopted by the industry for cyber security standards and methods. The core of this framework comprises of continuous and concurrent functions to identify, safeguard, recognize, respond and recover. These functions taken together provide a highly strategic view of the lifecycle of the cyber security risk management of an organization (GAO Report, 2018).

Cyber Security Enhancement Act:

The CEA of 2014 comprised of provisions for GAO to examine aspects of cyber security procedures and standards in NIST Framework. The objective of GAO was to evaluate regarding the degree to which critical infrastructure have implemented this framework. GAO examined the documentation like sector specific guidance and devices to help its implementation (GAO

Report, 2018).

Executive Order 18300:

In 2017, this order was issued by the President which requires every federal agency to apply the cyber security framework to manage the cyber security risk of the agency (GAO

Report, 2018).

Draft Interagency Report 8170:

In May 2017, this report was released by NIST in reply to the previous order and this report is aimed at providing guidance on the use of framework by agencies to complement prevalent practices of risk management and enhance their cyber security risk management program. Several areas were identified by this report on the basis of implementation in nonfederal entities. They are as follows:

· Manage the cyber security program.

· Integrate enterprise and cyber security risk management.

· Evaluate organizational cyber security.

· Manage cyber security essentials.

· Maintain a complete understanding of cyber security risk.

· Incorporate and align cyber security and acquisition procedures.

· Inform the tailoring procedure.

· Report cyber security risks (GAO Report, 2018).

Critical Infrastructure Cyber Community Voluntary Program:

In February 2014, C3VP initiative was launched by DHS in accordance with EO 13636, with a mission to facilitate the improvement of critical infrastructure cyber security and to motivate the framework adoption. Additionally officials from every SSA stated that they have continuously conducted promotional activities of this framework using C3VP and NIST resources (GAO Report, 2018).

GAO Recommendations to SSAs:

GAO has made certain recommendations that appropriate methods have to be developed to determine the adoption of Framework by SSA across their corresponding sector in consultation with their section partners respectively, such as SCC, DHS and NIST.

Conclusion

Numerous sectors have taken measures to assist implementation of the NIST cyber security framework in their corresponding sectors. By establishing the adoption guidance, numerous SSAs have developed a sequence of tools that could be leveraged by entities for framework adoption. Without an exact evaluation in each sector, federal entities and SSA lack a complete knowledge of the present adoption level in Critical Infrastructure sectors (GAO Report, 2018). However, certain challenges were identified by the federal authorities, NIST and SCCs, which may hamper cyber security framework implementation. The GAO recommendations were agreed upon by few agencies whereas some neither disagreed nor agreed to the recommendations

(Maritalk.com, 2018).

References

GAO Report. (2018). Critical Infrastructure Protection: Additional Actions are Essential for Assessing Cyber Security Framework Adoption. Report to Congressional Committees.

United States Government Accountability Office. GAO-18-211(February, 2018).

Retrieve online at:

https://www.gao.gov/assets/700/690112.pdf

GAO Snaps at Critical Infrastructure Protection Ambiguity. (2018, March 7). Retrieved online at: https://www.meritalk.com/articles/gao - snaps - at - critical - infrastructure - protection ambiguity/

Hemme, K. (2015). Critical Infrastructure Protection: Maintenance is National Security. Journal of Strategic Security. Vol.8, Issue.5, pp. 25-39 Retrieved online at:

https://www.researchgate.net/publication/283280777_Critical_Infrastructure_Protection

Maintenance_is_National_Security/link/5ba3e83b299bf13e603fbc39/download