National Academies Press: OpenBook

Security 101: A Physical and Cybersecurity Primer for Transportation Agencies (2019)

Chapter: Chapter 7 Homeland Security Laws, Directives, and Guidance

« Previous: Chapter 6 Infrastructure Protection and Resilience
Page 184
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 184
Page 185
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 185
Page 186
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 186
Page 187
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 187
Page 188
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 188
Page 189
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 189
Page 190
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 190
Page 191
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 191
Page 192
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 192
Page 193
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 193
Page 194
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 194
Page 195
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 195
Page 196
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 196
Page 197
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 197
Page 198
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 198
Page 199
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 199
Page 200
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 200
Page 201
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 201
Page 202
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 202
Page 203
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 203
Page 204
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 204
Page 205
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 205
Page 206
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 206
Page 207
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 207
Page 208
Suggested Citation:"Chapter 7 Homeland Security Laws, Directives, and Guidance." National Academies of Sciences, Engineering, and Medicine. 2019. Security 101: A Physical and Cybersecurity Primer for Transportation Agencies. Washington, DC: The National Academies Press. doi: 10.17226/25554.
×
Page 208

Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.

184 Chapter 7 Homeland Security Laws, Directives, and Guidance Since 2001 all modes of transportation—aviation, maritime, and land-based—have experienced a concentration of government efforts on security that is both of major proportion and unparalleled in American history. Understanding their roles as partners with government in the protection of the homeland has required transportation agencies to become familiar with a host of new legislative initiatives, presidential orders, and federal department mandates, regulations, and guidelines. Chapter 7 identifies core components of the federal government’s homeland security protection strategies that focus on surface transportation. The Federal Government, all three branches—executive, legislative, and judicial—has been intensely involved in creating law, policy, procedures, and protocols to safeguard the Nation against homeland security threats. By reviewing some of these activities, in particular those of the executive and legislative branches that relate to the transportation sector, agencies can obtain a sense of the national strategies and supportive frameworks available to help them in reducing security risks.  Homeland Security Laws, Statutes, and Regulations Congress has passed some important homeland security laws that relate specifically to transportation. These include the Aviation and Transportation Security Act (ATSA), the Maritime Transportation Security Act, the Homeland Security Act of 2002, and the Safe Port Security Act. Transportation agencies may also be affected by certain provisions in disaster relief and emergency acts such as the Stafford Act, the Emergency Management Assistance Compact (EMAC), and the acts following Hurricanes Katrina and Sandy. In addition, the two recent transportation reauthorization bills (the FAST Act and MAP-21) include emergency management requirements for transportation agencies – and thus, indirectly, have implications for infrastructure security. ATSA was signed soon after the terrorist attacks of September 11, 2001, with the goal “to secure the air travel system.” The Act also referenced the security of other modes of transportation. ATSA created the Transportation Security Administration (TSA) under the Department of Transportation. TSA has since been reorganized as an administration under the Department of Homeland Security. Figure 62 shows the TSA Organization Chart as of October 30, 2017.

185   Figure  62:  Transportation  Security  Administration  organization  chart,  as  of  October  30,  2017.  Source:  Created  from  https://www.tsa.gov/about/tsa‐leadership The Homeland Security Act of 2002, a sweeping piece of legislation, established the Department of Homeland Security as a cabinet-level department of the federal government. The responsibilities of the new department included “preventing terrorist attacks within the United States, reducing the vulnerability of the United States to terrorism at home, and minimizing the damage and assisting in the recovery from any attacks that may occur.” The Act created the position of Secretary of Homeland Security to be appointed by the president with the consent of the Senate. Whereas the Department of Defense works in the military sphere, DHS works in the civilian sphere to protect the United States within, at, and outside its borders. Its goal is to prepare for, prevent, and respond to domestic emergencies, particularly terrorism. The establishment of DHS resulted in a massive reorganization of federal agencies. In total, over 22 federal departments or agencies including FEMA, the Secret Service, the U.S. Coast Guard, TSA, and the Immigration and Naturalization Service (INS), were moved under the new department. Title IV of the Act also expressly created the Undersecretary for Border and Transportation Security (BTS) whose primary duties include the following: ADMINISTRATOR ‐‐‐‐‐‐ DEPUTY ADMINISTRATOR Offices ACQUISITION PROGRAM  MANAGEMENT Assistant Administrator CHIEF COUNSEL CIVIL RIGHTS AND LIBERTIES,  OMBUDSMAN AND TRAVELER  ENGAGEMENT  Assistant Administrator CONTRACTING AND  PROCUREMENT Assistant Administrator Offices (cont.) FINANCE AND  ADMINISTRATION Assistant Administrator GLOBAL STRATEGIES Assistant Administrator HUMAN CAPITAL Assistant Administrator INFORMATION TECHNOLOGY Assistant Administrator Offices (cont.) INSPECTION Assistant Administrator INTELLIGENCE AND ANALYSIS Assistant Administrator LAW ENFORCEMENT /  FEDERAL AIR MARSHAL  SERVICE Assistant Administrator LEGISLATIVE AFFAIRS Assistant Administrator Offices (cont.) PERFORMANCE AND  ENTERPRISE RISK Assistant Administrator PROFESSIONAL  RESPONSIBILITY Assistant Administrator REQUIREMENTS AND  CAPABILITIES ANALYSIS Assistant Administrator SECURITY OPERATIONS Assistant Administrator Offices (cont.) SECURITY POLICY AND  INDUSTRY ENGAGEMENT Assistant Administrator STRATEGIC  COMMUNICATIONS AND  PUBLIC AFFAIRS Assistant Administrator TRAINING AND  DEVELOPMENT Assistant Administrator CHIEF OF STAFF CHIEF OF OPERATIONS CHIEF OF MISSION SUPPORT

186  Preventing the entry of terrorists and the instruments of terrorism into the United States;  Securing the borders, territorial waters, ports, terminals, waterways, and air, land, and sea transportation systems of the United States;  Administering the immigration and naturalization laws of the United States, including the establishment of rules governing the granting of visas and other forms of permission to enter the United States to include individuals who are not citizens or lawful permanent residents;  Ensuring the customs laws of the United States; and  Ensuring the speedy, orderly and efficient flow of lawful traffic and commerce in carrying out these responsibilities. Figure 63 is a top-level organization chart of DHS current as of October 30, 2017. Figure 63: Department of Homeland Security top-level organization chart. Source: https://www.dhs.gov/organizational-chart The Maritime Transportation Security Act (signed into law on November 25, 2002) required maritime transportation security plans. These plans are intended to establish regional response and recovery protocols to mitigate regional transportation security incidents. The Act also required the Transportation Worker Identification Credential (TWIC) for workers who need access to secure areas of the nation’s maritime facilities and vessels. In addition, the Act required owners of facilities on or adjacent to U.S. waters which pose a high risk of being involved in a transportation security incident do the following: (1) to make a vulnerability assessment available to appropriate authorities, and (2) to integrate the facility’s security system with compatible systems operated by state, law enforcement agencies, and the Coast Guard. The Security and Accountability For Every (SAFE) Port Act (signed into law on March 30, 2006) focuses on enhancing security at U.S. ports, preventing threats and attacks before they reach the United States, and the security of shipping containers bound for the United States.

187 Several laws relating to disaster relief and emergency assistance can affect transportation agencies. Such laws include the Stafford Act and the Emergency Management Assistance Compact. In addition, transportation agencies were also affected by laws passed in the wake of Hurricanes Katrina and Sandy. The Robert T. Stafford Disaster Relief and Emergency Assistance Act (Public Law 100-707) created the system in place today by which a Presidential disaster declaration triggers financial and physical assistance through FEMA. Such assistance is also available to transportation agencies (for example, through the FEMA Public Assistance program). Under the Stafford Act, the President can designate an incident as an “Emergency” or “Major Disaster”. The Federal assistance available for emergencies is more limited than that which is available for a major disaster. Major disasters may be caused by such natural events as floods, hurricanes, and earthquakes. Disasters may include fires, floods, or explosions that the President feels are of sufficient magnitude to warrant Federal assistance. In 1996, Public Law 104-321 ratified the Emergency Management Assistance Compact (EMAC) – a national interstate mutual-aid agreement that provides supplemental support to that provided by federal agencies. For example, such support can supplement any FEMA and FHWA support to state transportation agencies. EMAC has been adopted by all 50 states, the District of Columbia, the U.S. Virgin Islands, and Puerto Rico, although EMAC support is also available to local agencies (such as local transportation agencies) if the state has passed intrastate laws permitting as much. Several gaps became apparent in the response to Hurricane Katrina, thus leading to the Post-Katrina Emergency Management Reform Act of 2006 (PKEMRA). While PKEMRA kept FEMA within the Department of Homeland Security, it significantly reorganized FEMA by providing it substantial new authority to remedy gaps in response and by including a more robust preparedness mission for FEMA. For example, with regards to transportation, the Act coordinates and supports precautionary evacuations and recovery efforts, and provides transportation assistance for relocating and returning individuals displaced from their residences in a major disaster. In the wake of Hurricane Sandy, the Sandy Recovery Improvement Act (SRIA) amended the Stafford Act, by authorizing several significant changes to the way FEMA may deliver Federal disaster assistance. For example, it authorized alternative procedures for the Public Assistance program (which can be a source of support for transportation agencies), reviewed and evaluated the Public Assistance small project threshold, and established a nationwide dispute resolution pilot program for Public Assistance projects. The SIRA also streamlined the Hazard Mitigation Grant Program (HMGP). The two recent transportation reauthorization bills (the FAST Act and MAP-21) which included emergency management requirements for transportation agencies. The Moving Ahead for Progress in the 21st Century Act (MAP-21) was passed in 2012. It focused on performance management and established national performance goals. MAP-21 required incorporating performance goals, measures, and targets into transportation planning. Most aspects of MAP-21 are continued in the FAST Act. The transportation reauthorization legislation passed in 2015 and titled the Fixing America’s Surface Transportation (FAST) Act expanded the focus on the resiliency of the transportation system. The FAST Act requires strategies to reduce the vulnerability of existing transportation infrastructure to natural disasters. The Act expands the scope of consideration of the metropolitan planning process to include improving transportation system resiliency and reliability. Key features include: 1) emphasis on resilience with funding permitted to protect bridges and tunnels; 2) emphasis on risk-based as well as performance based asset management, 3) inclusion of critical infrastructure for project funding eligibility, 4) comprehensive guidance from FTA on emergency relief programs, funding and planning, and 5) new

188 initiatives from FTA for mobility for seniors and individuals with disabilities that may increase opportunities for advance outreach by transportation emergency managers. In addition to laws and statutes, transportation agencies must also abide by certain homeland security regulations. These include federal regulations on pipeline safety, grant program eligibility, emergency planning requirements, and transit system Sensitive Security Information (SSI). These also include transportation security directives. Certain federal regulations related to pipeline safety and to FEMA and DHS grant programs may be relevant to transportation agencies. The regulations in Title 44 of the Code of Federal Regulations (“Emergency Management and Assistance”) have been promulgated to administer grant programs under FEMA and DHS. For example, they define requirements for eligible parties under these programs. In addition, all 50 states and the District of Columbia have elected to adopt Federal pipeline safety regulations by reference (and hence affect the mode of pipeline transportation). These regulations have specific emergency planning requirements, such as mandated written emergency response procedures and the requirement that such plans and procedures be communicated to fire, police, and other public officials. These regulations can be found in the following sections of the Code of Federal Regulations (CFR): Title 49 Parts 33, 112, 192, 193, 194, and 195; and Title 30 Part 254. Transit agencies must comply with federal regulations regarding Sensitive Security Information (SSI) – information obtained or developed which, if released publicly, would be detrimental to transportation security. Regulations in CFR Title 49 Part 15 control the handling of SSI for the federal Department of Transportation, while those in Part 1520 concern the handling of SSI for the TSA. The regulation in CFR Title 49 Part 659.11 notes certain circumstances where investigation reports and system security plans can be kept confidential. TSA has also published a Stakeholder Best Practices Quick Reference Guide for SSI. Through its SSI Office, Guide presents the TSA’s requirements for SSI, a list of information that qualifies as SSI, and best practices include the reasonable steps that must be taken for safeguarding SSI in various media (e.g. electronic presentations, spreadsheets, portable drives, etc.). The TSA has also promulgated Transportation Security Directives related to threats to passenger rail systems. On May 20, 2004, TSA released Security Directive (SD) RAILPAX-04-02 for passenger operations conducted by AMTRAK and by the Alaska Railroad Corporation. Simultaneously, TSA published SD RAILPAX-04-01 for a wider range of passenger rail operators that include commuter passenger trains, heavy rail, and light rail among others. These directives outline fifteen (15) protective measures to be carried out by passenger rail operators. These include (among other requirements): designating primary and alternate security coordinators; reporting potential threats or significant security concerns to appropriate law enforcement authorities; providing TSA with the date of the most recent vulnerability assessment; and installing bomb resistant trash receptacles at stations where a vulnerability assessment has identified a significant risk. Homeland Security Directives and Executive Orders Presidential Decision Directives (PDDs), Homeland Security Presidential Directives (HSPDs), Presidential Policy Directives (PPDs), and Executive Orders (E.O.s) have been promulgated by the President of the United States to enhance homeland security. Prior to the terrorist attacks of September 11, 2001, presidential decisions were communicated by PDD. On October 29, 2001, the first HSPD was signed by President Bush and pronounced as “the first in a series of Homeland Security Presidential Directives that shall record and communicate presidential decisions about the homeland security policies of the United States.” The most significant PDD affecting Homeland Security was PDD-63 issued by President Clinton on May 22, 1998. The intent of PDD-63 was “to assure the continuity and viability of critical infrastructures... the United States will take all necessary measures to

189 swiftly eliminate any significant vulnerability to both physical and cyber-attacks on our critical infrastructures, including especially our cyber systems.” All HSPDs, by definition, affect Homeland Security; however, some are more relevant to the protection of the transportation sector than others. During the Obama Administration, analogous presidential directives were designated as Presidential Policy Directives (PPDs). While the Obama Administration also promulgated Presidential Study Directives (PSDs) that initiated policy review procedures, none are deemed relevant to include in the table below. Of the Obama Administration Directives and Executive Orders, Presidential Policy Directive 21 and Executive Orders 13636 and 13653 are worthy of particular focus. PPD-21 established rapid recovery and the concept of resilience as key desired outcomes of critical infrastructure security efforts. E.O. 13636 made cybersecurity an essential component of critical infrastructure security, directed the development of a technology-neutral cybersecurity framework, and incentivized the adoption of cybersecurity practices. E.O. 13653 directed federal agencies to ensure that the impacts of climate change were reflected on the agencies’ programs, policies, rules, and operations. The Trump Administration promulgates National Security Presidential Memoranda (NSPMs), though as of November 1, 2017, none of the contemporarily available NSPMs are deemed relevant for Table 7-1 below. However, the table does include three Executive Orders relevant to infrastructure and cybersecurity: E.O. 13766 on expediting environmental reviews and approvals for high priority infrastructure projects; E.O. 13800 on strengthening the cybersecurity of federal networks and critical infrastructure; and E.O. 13807 on establishing discipline and accountability in the environmental review and permitting process for infrastructure projects. Table 28 summarizes the purpose of important HSPDs, PPDs, and Executive Orders that affect transportation. Table 28: Purpose of HSPDs, PPDs, and Executive Orders affecting transportation.  Presidential Directive or Executive Order Purpose of the Order HSPD – 3 (May 22, 2002) Homeland Security Advisory System A Homeland Security Advisory System (HSAS) to provide a comprehensive and effective means to disseminate information regarding the risk of terrorist acts to Federal, State, and local authorities and to the American people. Such a system would provide warnings in the form of a set of graduated "Threat Conditions" that would increase as the risk of the threat increases. HSPD – 5 (Feb 28, 2003) Management of Domestic Incidents To enhance the ability of the United States to manage domestic incidents by establishing a single, comprehensive national incident management system. HSPD – 7 (Dec 17,2003) Critical Infrastructure Identification, Prioritization, and Protection Establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks HSPD – 8 (Dec 17, 2003) National Preparedness Establishes policies to strengthen the preparedness of the United States to prevent and respond to threatened or actual domestic terrorist attacks, major disasters, and other emergencies by requiring a national domestic all-hazards preparedness goal, establishing mechanisms for improved delivery of Federal preparedness assistance to State and local governments, and outlining actions to strengthen preparedness capabilities of Federal, State, and local entities.

190 HSPD – 13 (Dec 21, 2004) Maritime Security Policy Establishes U.S. policy, guidelines, and implementation actions to enhance U.S. national security and homeland security by protecting U.S. maritime interests. It directs the coordination of United States Government maritime security programs and initiatives to achieve a comprehensive and cohesive national effort involving appropriate Federal, State, local, and private sector entities. HSPD – 16 (Jun 22, 2006) National Strategy for Aviation Security Strategies for the prevention of the Air Domain from being exploited by terrorist groups, hostile nations-states and criminals to commit acts against the United States, its people, its infrastructure and its other interests; safe and efficient use of the Air Domain; and the continued facilitation of travel and commerce. PPD – 8 (Mar 30, 2011) National Preparedness Links together national preparedness efforts by integrating the following key elements: the National Preparedness Goal, the National Preparedness System, Whole Community Initiative, and the Annual National Preparedness Report. Strengthens security and resilience through five preparedness mission areas—Prevention, Protection, Mitigation, Response, and Recovery. These mission areas each have their own framework within the National Planning Frameworks. PPD – 21 (Feb 12, 2013) Critical Infrastructure Security and Resilience Establishes resilience and rapid recovery as focus of critical infrastructure security, and integrates these concepts with the National Preparedness System. Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards. Resilient infrastructure systems are flexible and agile, and should be able to bounce back after disruptions. E.O. – 13618 (Jul 6, 2012) Assignment of National Security and Emergency Preparedness Communications Functions Stipulates that the Federal Government must have the ability to communicate at all times and under all circumstances to carry out its most critical and time sensitive missions, ensure national security, effectively manage emergencies, and improve national resilience. Survivable, resilient, enduring, and effective communications, both domestic and international, are essential to enable the executive branch to communicate within itself and with: the legislative and judicial branches; State, local, territorial, and tribal governments; private sector entities; and the public, allies, and other nations. (The implication is that state transportation agencies are included among these stakeholders.) E.O. – 13636 (Feb 12, 2013) Improving Critical Infrastructure Cybersecurity Develops a technology-neutral cybersecurity framework, and is intended to promote and incentivize the adoption of cybersecurity practices. Cybersecurity is established as an aspect of critical infrastructure security. E.O. – 13653 (Nov 1, 2013) Preparing the United States for the Impacts of Climate Change Establishes climate change as an additional aspect to address in plans and programs. Requires federal agencies to integrate considerations of the challenges posed by climate change effects into their programs, policies, rules and operations to ensure they continue to be effective, even as the climate changes. E.O. – 13690 (Jan 30, 2015) Establishing a Federal Flood Risk Management Standard and a Process for Further Soliciting and Considering Stakeholder Input Improve the resilience of communities and Federal assets against the impacts of flooding. Require executive departments and agencies (agencies) to avoid, to the extent possible, the long- and short-term adverse impacts associated with the occupancy and modification of floodplains and to avoid direct or indirect support

191 of floodplain development wherever there is a practicable alternative. E.O. – 13691 (Feb 13, 2015) Private Sector Cybersecurity Information Sharing Encourage the voluntary formation of organizations that engage in sharing information related to security risks and incidents. Such organizations play an invaluable role in the collective cybersecurity of the United States. In addition, establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis. E.O. – 13717 (Feb 2, 2016) Establishing a Federal Earthquake Risk Management Standard Strengthen the security and resilience of the Nation against earthquakes, to promote public safety, economic strength, and national security. To that end, the Federal Government must continue to take proactive steps to enhance the resilience of buildings that are owned, leased, financed, or regulated by the Federal Government. When making investment decisions related to Federal buildings, each executive department and agency (agency) responsible for implementing this order shall seek to enhance resilience by reducing risk to the lives of building occupants and improving continued performance of essential functions following future earthquakes. E.O. – 13728 (May 18, 2016) Wildland-Urban Interface Risk Mitigation Strengthen the security and resilience of the Nation against the impacts of wildfire. Enhance the resilience of buildings that are owned by the Federal Government and are located on Federal land. Each executive department and agency responsible for implementing this order shall seek to enhance the resilience of its buildings when making investment decisions to ensure continued performance of essential functions and to reduce risks to its buildings' occupants in the event of a wildfire. E.O. – 13766 (Jan 25, 2017) Expediting Environmental Reviews and Approvals for High Priority Infrastructure Projects Streamline and expedite – in a manner consistent with the law – environmental reviews and approvals for all infrastructure projects, especially projects that are a high priority for the Nation. Examples include improving the U.S. electric grid and telecommunications facilities and repairing and upgrading critical port facilities, airports, pipelines, bridges, and highways. E.O. – 13800 (May 11, 2017) Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Hold heads of agencies and executive departments accountable for managing cybersecurity risk to their enterprise. Risk management decisions made by agency heads can affect the risk to the executive branch as a whole. E.O. – 13807 (Aug 15, 2017) Establishing Discipline and Accountability in the Environmental Review and Permitting Process for Infrastructure Projects Ensure that the Federal environmental review and permitting process for infrastructure projects is coordinated, predictable, and transparent.

192 Homeland Security National Guidance Documents The following homeland security-related national guidance documents are significant for transportation agencies:  National Preparedness System and Goal  National Planning Frameworks o National Prevention Framework o National Protection Framework o National Mitigation Framework o National Response Framework, o National Disaster Recovery Framework  National Infrastructure Protection Plan  Transportation Systems Sector-Specific Plan National Preparedness System and Goal Presidential Policy Directive 8: National Preparedness (PPD-8) 2011 described the Nation’s approach to preparing for the threats and hazards that pose the greatest risk to the security of the United States. The Directive established the National Preparedness Goal and identified the core capabilities necessary to achieve that goal across five mission areas- prevention, protection, mitigation, response and recovery. The National Preparedness Goal (2nd Ed., 2015) is a “A secure and resilient nation with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and recover from the threats and hazards that pose the greatest risk.” It defines what it means for the whole community to be prepared for all types of disasters and emergencies. The National Preparedness Goal also identifies five mission areas (NPG, 2015):  Prevention. Prevent, avoid or stop an imminent, threatened or actual act of terrorism.  Protection. Protect our citizens, residents, visitors, and assets against the greatest threats and hazards in a manner that allows our interests, aspirations and way of life to thrive.  Mitigation. Reduce the loss of life and property by lessening the impact of future disasters.  Response. Respond quickly to save lives, protect property and the environment, and meet basic human needs in the aftermath of a catastrophic incident.  Recovery. Recover through a focus on the timely restoration, strengthening and revitalization of infrastructure, housing and a sustainable economy, as well as the health, social, cultural, historic and environmental fabric of communities affected by a catastrophic incident. The 2015 National Preparedness Goal also identifies 32 core capabilities essential to executing the five mission areas. Figure 64 groups these core capabilities under the mission areas.

193 Figure 64: Core Capabilities by Mission Area. Source: NPG, 2015. The Strategic National Risk Assessment (cited within the 2015 National Preparedness Goal) categorizes transportation system failures among the technological and accidental hazards that pose a significant risk to the Nation. The 2015 National Preparedness Goal incorporates the following changes to the original 2011 document:  Language was added to stress the importance of community preparedness and resilience.  The Risk and the Core Capabilities were enhanced to include items on cybersecurity and climate change.  A new core capability, Fire Management and Suppression, was added.  Core capability titles were revised: o Threats and Hazard Identification (Mitigation) – revised to Threats and Hazards Identification;

194 o Public and Private Services and Resources (Response) – revised to Logistics and Supply Chain Management; o On-scene Security and Protection (Response) – revised to On-scene Security, Protection, and Law Enforcement; o Public Health and Medical Services (Response) – revised to Public Health, Healthcare, and Emergency Medical Services. The National Preparedness Goal is meant to be the cornerstone to implementing the National Preparedness System (NPG, 2015). This system consists of several components which contribute to building, sustaining, and delivering the core capabilities described in the National Preparedness Goal (NPG, 2015):  The National Planning System, which “supports the integration of planning across all levels of government and the whole community to provide an agile, flexible, and accessible delivery of the core capabilities”.  A series of National Frameworks and Federal Interagency Operational Plans. The National Frameworks “address the roles and responsibilities across the whole community to deliver the core capabilities”. The Federal Interagency Operational Plans “address the critical tasks, responsibilities, and resourcing, personnel, and sourcing requirements for the core capabilities”.  The National Preparedness Report, which “provides a summary of the progress being made toward building, sustaining, and delivering the core capabilities described in the Goal”. The annual National Preparedness Report facilitates measuring “advancements made in preparedness and to identify where challenges remain”. National Planning Frameworks Collectively, the National Planning Frameworks describe how the whole community works together to achieve the National Preparedness Goal. There is a framework for each of the five National Preparedness Goal mission areas:  National Prevention Framework  National Protection Framework  National Mitigation Framework  National Response Framework  National Disaster Recovery Framework The National Preparedness Goal defines what it means to be prepared for all types of disasters and emergencies, including natural disasters, disease pandemics, chemical spills and other manmade hazards, terrorist attacks and cyber attacks. National Prevention Framework The National Prevention Framework (2nd Ed., 2016) focuses on terrorism and addresses the capabilities necessary to avoid, prevent, or stop imminent threats or attacks. Specifically, this framework describes what the whole community (from community members to senior leaders in government) should do upon the discovery of an imminent threat to the homeland. Some core capabilities overlap with the Protection mission area. In this updated second edition, edits include:  Updates to Coordinating Structure language on Joint Operations Centers and the Nationwide Suspicious Activity Reporting Initiative.  Clarification on the relationship and differences between the Prevention and Protection mission areas.  Updated language on the National Terrorism Advisory System (NTAS) as part of the Public Information and Warning core capability.

195  Additional language on science and technology investments within the prevention mission area. In terms of protecting transportation infrastructure, the 2016 National Protection Framework designates the Department of Homeland Security as having a responsibility to prevent the use of U.S. transportation systems for terrorist purposes. This responsibility is pursuant to the department’s other specified roles for terrorism prevention. Of the core capabilities discussed in the 2016 National Protection Framework, “Public Information and Warning” is most relevant to transportation agencies. Specifically, the National Terrorism Advisory System (NTAS) provides the public information on credible terrorist threats. Critical infrastructure owners and operators (such as transportation agencies) are among those stakeholders to whom the NTAS disseminates this information in the form of NTAS Bulletins and Alerts. Transportation agencies can avail themselves to various coordinating structures, according to the 2016 National Protection Framework. At the federal level, the National Infrastructure Coordinating Center (NICC) facilitates time-sensitive incident management coordination, situational awareness, and the sharing of critical intelligence and information. At the state level and in major urban areas, fusion centers empower critical infrastructure protection personnel to understand local implications of national intelligence. National Protection Framework The National Protection Framework (2nd Ed., 2016) focuses on “actions to deter threats, reduce vulnerabilities, and minimize the consequences associated with an incident.” This framework describes how the whole community safeguards against acts of terrorism, natural disasters, and other threats or hazards. It provides processes and guiding principles that provide a unifying approach adaptable to specific Protection mission requirements, mission activities, jurisdictions, and sectors. In this updated second edition, edits include:  Updated Cybersecurity Core Capability Critical Tasks to align with the Mitigation, Response, and Recovery Mission Areas.  Additional language on science and technology investments to protect against emerging vulnerabilities is included within the protection mission area.  Additional language on interagency coordination was added within the protection mission area to support the decision-making processes outlined within the framework.” The 2016 National Protection Framework includes transportation systems among such critical infrastructure systems as chemical, communications, information technology, and critical manufacturing. It follows the PPD-21 definition of critical infrastructure: “those systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such may have a debilitating impact on the security; economy; public safety or health; environment; or any combination of these matters, across any jurisdiction”. In addition, it includes Maritime Security and Transportation Security as two activities which are enabled by the Protection core capabilities. In particular, the 2016 National Protection Framework seeks the secure U.S. maritime infrastructure and resources and U.S. transportation systems and the air domain against terrorism and other threats and hazards. At the same time, the framework seeks to preserve civil rights, respect privacy and civil liberties, and enable legitimate travelers and goods to move efficiently without fear of harm or significant disruption. The 2016 National Protection Framework notes that the U.S. Department of Transportation has responsibilities under the Protection Federal Interagency Operational Plan (FIOP). This Protection FIOP provides detailed description of how federal agencies like DOT engage and contribute to the delivery of

196 core capabilities. In addition, the Department of Transportation supports the National Health Security Strategy developed by the Secretary of Health and Human Services. Transportation is mentioned in two of the core capabilities included in the 2016 National Protection Framework. One of the critical tasks for the Cybersecurity core capability is to “secure, to the extent possible, public and private networks and critical infrastructure (e.g., communication, financial, power grid, water, and transportation systems), based on vulnerability results from risk assessment, mitigation, and incident response capabilities.” For the “Physical Protective Measures” core capability, one critical task is to “protect critical lifeline functions, which include energy, communications, transportation, and water and wastewater management.” National Mitigation Framework The National Mitigation Framework (2nd Ed., 2016) covers the capabilities necessary to reduce the loss of life and property by lessening the effects of disasters. Specifically, this framework sets the strategy and doctrine for how the whole community builds, sustains, and delivers the Mitigation core capabilities identified in the National Preparedness Goal in an integrated manner with the other mission areas. The framework focuses on risk (understanding and reducing it), resilience (helping communities recover quickly and effectively after disasters), and a culture of preparedness. The updated second edition of this framework incorporates new lessons learned, for example, a revised core capability title: Threats and Hazards Identification. Other edits include:  Additional language on science and technology efforts to reduce risk and analyze vulnerabilities within the mitigation mission area.  Updates on the Mitigation Framework Leadership Group (MitFLG).  Updates to the Community Resilience core capability definition to promote preparedness activities among individuals, households and families. The 2016 National Mitigation Framework describes core capabilities in which transportation systems are explicitly mentioned. First, regarding the “Planning” core capability, the framework notes that the development of plans related transportation “as a tool to integrate risk analysis and assessment of local capabilities and authorities into community priorities and decision making.” Second, transportation infrastructure is part of the “Community Resilience” core capability: “Community resilience is expressed through a holistic approach to risk reduction. The success of one element relies upon the resilience capacity of other elements. For example, when a large business facility is retrofitted to account for wind and flood hazards, the community is also motivated to strengthen area schools, employee housing, and transportation infrastructure to ensure that workers will be able to quickly rebound from an incident, return to work, and restore the community’s tax base.” The U.S. Department of Transportation is one of the potential federal members of a Mitigation Framework Leadership Group (MitFLG). A MitFLG coordinates mitigation efforts across the Federal Government and assesses the effectiveness of mitigation capabilities. In addition to federal members, the MitFLG includes representatives from local, state, tribal, and Federal Government.

197 National Response Framework The National Response Framework (NRF) identifies the key personnel, roles, responsibilities, and mechanisms for the Nation’s response to incidents. Originally published in 2008 to replace the National Response Plan, the NRF is on its Third Edition (2016). Considered applicable at all levels of government— federal, state, and local—as well as to the private sector, the NRF defines the Response mission area as having the capabilities to “save lives, protect property and the environment, meet human basic needs, stabilize the incident, restore basic services and community functionality, and establish a safe and secure environment to facilitate the integration of recovery activities.” The NRF builds on the National Incident Management System (NIMS) by outlining how the federal government is organized to support communities and the States in the event of a catastrophic occurrence. Transportation’s role under such circumstances is defined under Emergency Support Function (ESF) 1. The 14 ESFs are as follows:  ESF #1: Transportation  ESF #2: Communications  ESF #3: Public Works and Engineering  ESF #4: Firefighting  ESF #5: Emergency Management  ESF #6: Mass Care, Emergency Assistance, Temporary Housing, and Human Services  ESF #7: Logistics  ESF #8: Public Health and Medical Services  ESF #9: Search and Rescue  ESF #10: Oil and Hazardous Materials Response  ESF #11: Agriculture and Natural Resources  ESF #12: Energy  ESF #13: Public Safety and Security  ESF #15: External Affairs Please note that the original ESF #14 (Long Term Community Recovery) has been superseded by the National Disaster Recovery Framework (NDRF). In addition, the names of some ESFs have been modified in the update, specifically ESFs #5, #6, and #7. ESF#5 was originally “Emergency Management”. ESF#7 was originally longer – “Logistics Management and Resource Support”. Meanwhile, the current name of ESF#6 now includes the qualifier “temporary” in “Temporary Housing” (see emphasis in italics in list above). Role of Transportation in the NRF and the ESF #1 Transportation Annex The lead federal agency (“ESF Coordinator”) for ESF1 is the U.S. Department of Transportation. DOT is responsible for planning and coordinating activities affecting transportation throughout all mission areas—prevention, protection, mitigation, response, and recovery. During a national incident, DOT will activate the Crisis Management Center (CMC), which serves as the department’s focal point for emergency response and communications. DHS’ document ESF 1 Transportation Annex (most recently updated in 2013) captures information related to the responsibilities and action steps of the various entities and partners under the framework. This includes Scope, Relationship to the Whole Community, and Core Capabilities and Actions. In addition, the ESF#1 Transportation Annex includes agency actions for the following support agencies:  Department of Agriculture: United States Forest Service  Department of Commerce: National Oceanic and Atmospheric Administration (NOA)  Department of Defense: Department itself, as well as the U.S. Army Corps of Engineers (USACE)  Department of Energy

198  Department of Homeland Security (DHS): Customs and Border Protection (CBP), Federal Emergency Management Agency (FEMA), Transportation Security Administration (TSA), U.S. Coast Guard, Office of Infrastructure Protection  Department of the Interior  Department of Justice  Department of State  General Services Administration  U.S. Postal Service Figure 65 depicts the ESF 1 Annex’s sections on Scope and Relationship to the Whole Community.

199   Figure 65: ESF #1 Annex sections “Scope” and “Relationship to Whole Community”. National Disaster Recovery Framework The National Disaster Recovery Framework (2nd Ed., 2016) describes “how the whole community works together to restore, redevelop, and revitalize the health, social, economic, natural, and environmental fabric of the community.” the National Disaster Recovery Framework (NDRF) defines  eight principles that guide recovery core capability development and recovery support activities under the NDRF;  roles and responsibilities of recovery coordinators and other stakeholders;  a coordinating structure that facilitates communication and collaboration among all stakeholders, guidance for pre- and post-disaster recovery planning and;  the overall process by which communities can capitalize on opportunities to rebuild stronger, smarter and safer. In describing the roles and responsibilities of stakeholders from individuals to Nongovernmental Organizations to local, state, and federal governments, the 2016 NDRF emphasizes that a successful recovery effort ensures the inclusion of the whole community: “Those who are engaging in recovery activities are covered by specific legal obligations that prohibit discrimination.” Such statutory and executive order obligations extend to accessibility to transportation. As owners and operators of critical infrastructure, the 2016 NDRF’s “Infrastructure Systems” core capability directly affects transportation agencies. This core capability “integrates the efforts of the owners and operators of public and private infrastructure.” The 2016 NDRF states the goal of recovery process as “match(ing) the post-disaster infrastructure to the community’s projected demand on its built and virtual

200 environment”, and recommends developing this goal using public-private collaborative structures. This core capability designates four critical tasks:  Facilitate the restoration of and sustain essential services (public and private) to maintain community functionality.  Coordinate planning for infrastructure redevelopment at the regional, system-wide level.  Develop a plan with a specified timeline for developing, redeveloping, and enhancing community infrastructures to contribute to resilience, accessibility, and sustainability.  Provide systems that meet the community needs while minimizing service disruption during restoration within the specified timeline in the recovery plan. Role of Transportation in the NDRF and in Recovery Support Function #5 (Infrastructure Systems) The 2016 NDRF designates six Recovery Support Functions (RSFs): 1. Community Planning and Capacity Building (CPCB) 2. Economic Recovery 3. Health and Social Services 4. Housing 5. Infrastructure Systems 6. Natural and Cultural Resources In this updated second edition, edits include:  Increased focus on the relationship of Recovery to the other four mission areas.  Updated Recovery Support Functions (RSFs) to reflect changes in Primary Agencies and Supporting Organizations.  Additional language on science and technology capabilities and investments for the rebuilding and recovery efforts. In particular for transportation agencies, the Infrastructure Systems RSF provides the coordinating structures, framework and guidance for resilience, sustainability and mitigation. Collaborative efforts of this RSF involve government and private sector partners across the infrastructure sectors identified in the National Infrastructure Protection Plan (NIPP). Therefore, the scope of this RSF includes Transportation Systems. The U.S. Department of Transportation is one of the Primary Agencies for this RSF, although the U.S. Army Corps of Engineers is the Coordinating Agency that leads this RSF. Primary agencies have been chosen based upon their authorities, resources, and capabilities. Together, the Coordinating Agency, Primary Agencies, and Supporting Organizations of the Infrastructure Systems RSF work to efficiently facilitate the restoration of infrastructure systems and services to support a viable, sustainable community and improves resilience to and protection from future hazards. U.S. DOT is also a supporting organization to two other RSFs: Community Planning and Capacity Building, and Health and Social Services. Supporting organizations are agencies which may bring relevant subject matter expertise and technical assistance as needed. National Infrastructure Protection Plan The National Infrastructure Protection Plan (2nd Ed., 2013) outlines how government and private sector participants in the critical infrastructure community work together to manage risks and achieve security and resilience outcomes. The NIPP 2013 emphasizes the importance of resilience, the need to reduce all-hazards

201 vulnerabilities and mitigate potential consequences of incidents or events that do occur. Infrastructure protection is critically necessary for the Nation to meet its National Preparedness Goal of “a secure and resilient nation with the capabilities required across the whole community to prevent, protect against, respond to, and recover from the threats and hazards that pose the greatest risk.” The NIPP is also consistent with the Homeland Security Act of 2002 which assigns DHS the responsibility to develop a comprehensive national plan for critical infrastructure security and resilience. The NIPP 2013 has six chapters, two appendices, and four supplements. After an Executive Summary, the Introduction (Chapter 1) gives an overview of the NIPP 2013 and its evolution from the 2009 NIPP. Chapter 2 defines the Vision, Mission, and Goals of the NIPP 2013, while Chapter 3 describes the Critical Infrastructure Environment in terms of key concepts, risk, policy, operations, and partnership. Core Tenets are established in Chapter 4. Ways to collaborate to manage risk are given in Chapter 5. The final chapter includes Calls to Action (“Steps to Advance the National Effort”). The NIPP 2013 Goals are: 1. Assess and analyze threats to, vulnerabilities of, and consequences to critical infrastructure to inform risk management activities; 2. Secure critical infrastructure against human, physical, and cyber threats through sustainable efforts to reduce risk, while accounting for the costs and benefits of security investments; 3. Enhance critical infrastructure resilience by minimizing the adverse consequences of incidents through advance planning and mitigation efforts, and employing effective responses to save lives and ensure the rapid recovery of essential services; 4. Share actionable and relevant information across the critical infrastructure community to build awareness and enable risk-informed decision making; and 5. Promote learning and adaptation during and after exercises and incidents. The NIPP 2013 Calls to Action are: 1. Set national focus through jointly developed priorities. 2. Determine collective actions through joint planning efforts. 3. Empower local and regional partnerships to build capacity nationally. 4. Leverage incentives to advance security and resilience. 5. Enable risk-informed decision making through enhanced situational awareness. 6. Analyze infrastructure dependencies, interdependencies, and associated cascading effects. 7. Identify, assess, and respond to unanticipated infrastructure cascading effects during and following incidents. 8. Promote infrastructure, community, and regional recovery following incidents. 9. Strengthen coordinated development and delivery of technical assistance, training, and education. 10. Improve critical infrastructure security and resilience by advancing research and development solutions. 11. Evaluate progress toward the achievement of goals. 12. Learn and adapt during and after exercises and incidents. The NIPP establishes Critical Infrastructure protection roles for certain federal departments and agencies. Figure 66 illustrates the sector-specific agency assignments.

202 Figure 66: Sector-Specific Agencies and Critical Infrastructure Sectors (Source: NIPP 2013). Both the Department of Transportation and the Department of the Homeland Security are the Sector- Specific Agencies for the Transportation Systems Critical Infrastructure Sector. According to the NIPP 2013, PPD-21 identifies the following roles and responsibilities for the SSAs:  As appropriate to implement PPD-21, o Coordinate with DHS and other relevant Federal departments and agencies and collaborate with critical infrastructure owners and operators; o Coordinate, where appropriate, with independent regulatory agencies; and o Coordinate with state, tribal, and territorial entities;  Serve as a day-to-day Federal interface for the dynamic prioritization and coordination of sector- specific activities;  Carry out incident management responsibilities consistent with statutory authority and other appropriate policies, directives, or regulations;  Provide, support, or facilitate technical assistance and consultations for that sector to identify vulnerabilities and help mitigate incidents, as appropriate; and  Support the Secretary of Homeland Security’s statutory reporting requirements by providing, on an annual basis, sector-specific critical infrastructure information. The NIPP also establishes the Critical Infrastructure Risk Management Framework, described as the “cornerstone” of the plan. Figure 67 shows the three elements of critical infrastructure (Physical, Cyber, and Human) as well as the six steps of the process shown as a continuous improvement feedback loop designed to enhance the protection of CI/KR.

203 Step Brief Description Set Goals and Objectives Establish a set of broad national goals for critical infrastructure security and resilience. Support these goals with objectives and priorities developed at the sector level. Identify Infrastructure Identify the assets, systems, and networks that are essential to their continued operation, considering associated dependencies and interdependencies. Identify information and communications technologies that facilitate the provision of essential services. State, local, tribal, and territorial governments. Identify and prioritize infrastructure according to their business and operating environments and associated risks. Assess and Analyze Risks Assess critical infrastructure risks in terms of:  Threat – natural or manmade occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property.  Vulnerability – physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard.  Consequence – effect of an event, incident, or occurrence. Implement Risk Management Activities Prioritize activities s to manage critical infrastructure risk based on the criticality of the affected infrastructure, the costs of such activities, and the potential for risk reduction. These activities can be divided into the following approaches:  Identify, deter, detect, disrupt, and prepare for threats and hazards  Reduce vulnerabilities  Mitigate consequences Measure Effectiveness Evaluate the effectiveness of risk management efforts within sectors and at national, State, local, and regional levels by developing metrics for both direct and indirect indicator measurement. Figure 67: Activities included in the NIPP Critical Infrastructure Risk Management Framework. Source: NIPP 2013.     

204 Transportation Systems Sector-Specific Plan (TSSSP) The Sector-Specific Plans of the 16 critical infrastructure sectors have been updated to align with the NIPP 2013, including the one for Transportation Systems – the Transportation Systems Sector-Specific Plan (TSSSP), published by DHS in 2015. The TSSSP describes strategies to reduce risks to critical transportation infrastructure. The main body of the TSSSP document contains significant detailed information about the transportation sector, including an overview of the sector in terms of risks, key partners and stakeholders, and cross-sector issues; sector goals and priorities; steps to achieve sector goals in risk management and in national preparedness; and sector activities and approaches to measuring effectiveness. The TSSSP contains ten sector priorities grouped into four sector goals (Figure 68).   Figure 68: Transportation Systems Sector Goals and Priorities. Source: TSSSP, 2015. The Transportation Systems sector’s partners identified the goals and priorities above in alignment with the NIPP 2013 and the Joint National Priorities. Figure 69 depicts this alignment. Figure 70 depicts the contribution of Transportation Sector Priorities to the NIPP 2013 Calls to Action.

205   Figure  61:  Alignment  of  Transportation  Sector  Priorities  to  the  Joint  National  Priorities  and  the  NIPP  2013  Goals.  Source: TSSSP, 2015.

206 Figure 69 (cont.)

207  

208 Figure 70: Contribution of Transportation Sector Priorities to the NIPP 2013 Calls to Action. Source: TSSSP, 2015. Figure 70 (cont.)

Security 101: A Physical and Cybersecurity Primer for Transportation Agencies Get This Book
×
MyNAP members save 10% online.
Login or Register to save!
Download Free PDF

Since 2009, when NCHRP's last Security 101 report was released, there have been significant advances in transportation security approaches, including new strategies, programs, and ways of doing business that have increased the security of transportation systems as well as ensured their resiliency.

Hazards and threats to the system have also continued to evolve since 2009. While the incidence of large-scale terrorist attacks has remained small, transportation agencies are at increasingly greater risk from system-disrupting events due to natural causes, unintentional human intervention, and intentional criminal acts, such as active-shooter incidents. Cyber risks also are increasing, and can impact not only data, but the control systems - like tunnel-ventilation systems - operated by transportation agencies.

This update, a pre-publication draft of NCHRP Research Report 930: Security 101: A Physical and Cybersecurity Primer for Transportation Agencies, provides valuable information about current and accepted practices associated with both physical and cyber security and its applicability to surface transportation.

  1. ×

    Welcome to OpenBook!

    You're looking at OpenBook, NAP.edu's online reading room since 1999. Based on feedback from you, our users, we've made some improvements that make it easier than ever to read thousands of publications on our website.

    Do you want to take a quick tour of the OpenBook's features?

    No Thanks Take a Tour »
  2. ×

    Show this book's table of contents, where you can jump to any chapter by name.

    « Back Next »
  3. ×

    ...or use these buttons to go back to the previous chapter or skip to the next one.

    « Back Next »
  4. ×

    Jump up to the previous page or down to the next one. Also, you can type in a page number and press Enter to go directly to that page in the book.

    « Back Next »
  5. ×

    To search the entire text of this book, type in your search term here and press Enter.

    « Back Next »
  6. ×

    Share a link to this book page on your preferred social network or via email.

    « Back Next »
  7. ×

    View our suggested citation for this chapter.

    « Back Next »
  8. ×

    Ready to take your reading offline? Click here to buy this book in print or download it as a free PDF, if available.

    « Back Next »
Stay Connected!