The RC3 and SLTTGCC have concluded the Regional Overview project.
RC3 and the State, Local, Tribal, and Territorial Government Coordinating Council (SLTTGCC) have reached the conclusion of the Regional Overview of Critical Infrastructure Programs, a collaborative project to document the current state of critical infrastructure mission implementation across the Nation. Throughout 2015, the councils engaged over 200 critical infrastructure professionals through council-sponsored questionnaires and Virtual Roundtable Webinars to detail the structure and mission of programs and partnerships, critical infrastructure activities, and major needs and challenges.
The Regional Overview project represents Phase 2 of an ongoing RC3 and SLTTGCC effort. Phase 1 comprised the SLTTGCC Regional Initiative (2011–2013), the SLTTGCC Tribal Critical Infrastructure Capabilities and Needs study (2014), and the RC3 Member and Mission Landscape Study (2013–2014). Since Phase 1 of the project, public-private partnerships and SLTT critical infrastructure programs have continued to evolve to address the changing critical infrastructure risk landscape amidst limited resources.
The results of the project are consolidated in a Summary Report that highlights the councils’ findings on the implementation of the critical infrastructure mission by public-private partnerships and SLTT programs. Included here are the project’s findings related to public-private partnerships working on critical infrastructure issues, as well as recommendations submitted by the councils to the DHS Office of Infrastructure Protection (IP) to improve Federal critical infrastructure programs, tools, and capabilities utilized by partnerships. The full Summary Report can be obtained by emailing the RC3: RegionalCCC@gmail.com.
Project Findings: Regional Partnerships
Public-private partnerships are adapting to the changing risk landscape in a limited-resource environment by focusing their critical infrastructure efforts on activities that provide the most value to their members and partners. High-value preparedness and incident response activities include hosting events, sharing information, and coordinating private sector resources and expertise. Such activities continue to provide value to public-private partnerships, as was illustrated in Phase 1. Partnerships needs for sustained success include access to additional critical infrastructure education opportunities (e.g., basic cybersecurity guidance, mass-gathering preparedness, interdependency risk), stronger connections between partnerships through continuous engagement, and improved information-sharing programs and mechanisms.
Public-private partnerships embrace a non-profit, volunteer-based governance structure and are designed to focus on all critical infrastructure issues across all sectors.
- Although most partnerships are non-profits, some are managed by a State/local agency and many collaborate with State/local critical infrastructure programs.
- Many partnerships are managed by volunteers who have full-time jobs apart from the partnerships. The level of activity and success of these partnerships depend greatly on the energy and capabilities of these volunteers. The voluntary nature of partnerships is a characteristic consistent with Phase 1 findings.
- Primary motivations for organizations to join partnerships include (1) opportunity to network, collaborate, and exchange ideas; and (2) access to a trusted clearinghouse of relevant information and training opportunities. These benefits are due largely to the broad focus of partnerships, which often span all critical infrastructure issues across all sectors.
Public-private partnerships actively contribute to the critical infrastructure security and resilience mission through valued preparedness and incident response activities, including hosting events, sharing information, and coordinating private sector resources and expertise.
- Partnerships offer their members value by enabling networking and access to trusted information and training opportunities; this is consistent with Phase 1.
- Preparedness and steady-state activities include gathering and supporting the dissemination of information (e.g., reports, surveys, briefings, and training opportunities), hosting or conducting events (e.g., workshops, exercises, meetings, and conferences), and facilitating relationship development and direct contact between public and private sector stakeholders.
- Incident response activities include coordinating private sector resource allocation and distribution, integrating private sector personnel within SLTT EOCs, and sharing situational awareness information.
- Sectors most often engaged by partnerships relating to these activities include Energy, Emergency Services, Information Technology, Healthcare and Public Health, Financial Services, and Commercial Facilities.
Sustainability is a major concern for public-private partnerships across the Nation. In order to continue to demonstrate value through relevant activities for critical infrastructure stakeholders, partnerships need access to additional critical infrastructure education opportunities, stronger connections between partnerships, and improved information-sharing programs and mechanisms.
- Adaptation to the changing risk environment requires continued education and awareness regarding prominent and emerging critical infrastructure issues (e.g., basic cybersecurity guidance, mass-gathering preparedness, interdependency risk). Partnerships are commonly interested in more and advanced critical infrastructure security and resilience education opportunities relating to such issues.
- Continuous, routine engagement of stakeholders (through meetings, conference, exercises) is imperative to sustain partnerships, especially in the time between incidents or disasters when it is difficult to maintain the momentum of private sector participation. More robust connections are needed among partnerships, the private sector, and government in order to maintain partnership viability and share best practices. These challenges and needs are consistent with Phase 1.
- Providing accurate, timely, and actionable information is important to critical infrastructure security and resilience. Information sharing is a core capability of partnerships and is one of the principal ways partnerships show value to their members. In order to be better prepared, informed, and able to respond effectively, improved information-sharing programs and mechanisms are needed. Key improvements include coordination of Federal, SLTT, and private sector platforms (e.g., HSIN, fusion center, Information Sharing and Analysis Center [ISAC] portals); integration of mobile computing technologies (including social media); and stronger protections for sensitive private sector information.
Project Recommendations: Federal Programs Utilized by Partnerships
Recommendations to improve Federal programs utilized by partnerships pertain to grants, exercises, regional capacity building, information sharing, and DHS field offices.
Grants: Update the State Homeland Security Grant Program and Urban Areas Security Initiative guidance documents. Ensure eligible expenses reflect current public-private partnership needs, such as:
- Mechanisms to access real-time local and regional threat information, collaborate, and share best practices (e.g., sustaining engagement in steady state and emergency, regional resilience planning, business continuity plans).
- Integration of private sector representatives into emergency operations centers (in-person or virtually).
- Training (with technical assistance) for private sector-specific Topical needs include cybersecurity response, supply chain issues in response/recovery, soft target threats, and active shooter response.
- Exercises coordinated with public and private sector Topical needs include cybersecurity response and regional sector dependency identification and management.
- Collaborative projects between two or more public-private
- Common, user-friendly business processes for all-hazards risk
Exercises: Consolidate and disseminate a suite of successful exercise scenarios for use by SLTT agencies and partnerships in running critical infrastructure exercises, such as:
- Joint exercise across SLTT agencies and with the private sector
- Regional exercise testing sector dependencies
- Cybersecurity incident (e.g., cyber attack, cyber-physical dependency incident)
- Soft target attack (e.g., shopping malls, schools)
- Public health incident
- High-risk transportation security incident
Regional Capacity Building: Sponsor regional forums—in collaboration with the RC3 and SLTTGCC—to improve regional capacity, facilitate the sharing of best practices across SLTT programs and partnerships, and enable collaboration with peers and experts on emerging issues.
- Develop an action plan to implement regional collaboration between DHS IP, RC3, and SLTTGCC partners.
- Coordinate the development of regional forums and the action plan with DHS regional capacity pilots and projects.
Information Sharing: Develop a toolkit to facilitate more robust information sharing between SLTT agencies and private sector owners and operators. Include a listing of resources and where to obtain more information for the following topics:
- Overview of PCII uses and limitations
- Information security markings at the Federal, SLTT, and private sector levels
- Overview of State sunshine laws and public records laws
- Operational mechanisms for sharing real-time information during emergencies (e.g., memoranda of understanding and agreement, nondisclosure agreements)
- Common methodology for engaging SLTT fusion centers as the primary hub of information sharing between public and private stakeholders
- SLTT interaction with Information Sharing & Analysis Organizations (ISAOs)
DHS Field Offices: Future DHS National Programs and Partnerships Directorate regional offices should:
- Serve as coordination hubs for DHS field personnel, SLTT programs, and partnerships. A centralized framework for critical infrastructure coordination would increase efficiency of stakeholder activities, reduce redundancy, and provide more opportunities to bring valued critical infrastructure activities to a broader audience.
- Include additional Protective Security Advisors (PSAs) and CSAs, based on SLTT and partnership needs. PSAs are integral to the effectiveness of many SLTT programs and are increasingly relied upon to lead and support critical infrastructure activities, especially conducting infrastructure assessments and engaging the private sector. As more SLTT focus and resources are directed to cybersecurity, CSAs can provide exceptional value to SLTT programs and partnerships by coordinating cybersecurity assessments, education, guidance, and training from the Federal Government.
The councils look forward to continuing related engagements by hosting Webinars and reaching out to colleagues to learn more from those focused on critical infrastructure across the country.
- May 17, 2016 Presentation to RC3 membership: RegOver_RC3 Presentation 051716