Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
163 Homeland Security Laws, Directives, and Guidance Since 2001, government efforts to secure all modes of transportationâaviation, maritime, and land-basedâhave undergone a concentration of major proportion, unparalleled in American history. Transportation agenciesâ roles as partners with government in protecting the homeland has required them to become familiar with a host of new legislative initiatives, presidential orders, and federal department mandates, regulations, and guidelines. This chapter identifies core components of the federal governmentâs homeland security protection strategies that focus on surface transportation. The federal governmentâs three branchesâexecutive, leg- islative, and judicialâhave been intensely involved in creating law, policy, procedures, and protocols to safeguard the nation against homeland security threats. By reviewing some of these activities, in particular those of the executive and legislative branches that relate to the transportation sector, agencies can obtain a sense of the national strategies and supportive frameworks available to help them reduce security risks. Homeland Security Laws, Statutes, and Regulations Congress has passed important homeland security laws that relate specifically to transpor- tation. These include the Aviation and Transportation Security Act (ATSA), the Maritime Transportation Security Act, the Homeland Security Act of 2002, and the Safe Port Security Act. Transportation agencies may also be affected by certain provisions in disaster relief and emergency acts such as the Stafford Act, the 1995 Emergency Management Assistance Compact (EMAC), and the acts following Hurricanes Katrina and Sandy. In addition, the two recent transportation reauthorization billsâthe FAST Act and MAP-21 (2012)âinclude emergency management requirements for transportation agencies and thus have implications for infra- structure security. ATSA was signed soon after the terrorist attacks of September 11, 2001, with the goal âto secure the air travel system.â The act also referenced the security of other modes of transportation. ATSA created the Transportation Security Administration (TSA) under the U.S. Department of Transportation. TSA has since been reorganized as an administration under the Department of Homeland Security. Figure 7-1 shows the TSA organization chart as of October 30, 2017. The Homeland Security Act of 2002, a sweeping piece of legislation, established the Depart- ment of Homeland Security as a cabinet-level department of the federal government. The responsibilities of the new department included âpreventing terrorist attacks within the United States, reducing the vulnerability of the United States to terrorism at home, and mini- mizing the damage and assisting in the recovery from any attacks that may occur.â The act created the position of Secretary of Homeland Security, to be appointed by the president with the consent of the Senate. Whereas the Department of Defense works in the military sphere, C H A P T E R 7
164 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies DHS works in the civilian sphere to protect the United States within, at, and outside its borders. Its goal is to prepare for, prevent, and respond to domestic emergencies, particularly terrorism. The establishment of DHS resulted in a massive reorganization of federal agencies. In total, over 22 federal departments or agencies, including FEMA, the Secret Service, the U.S. Coast Guard, TSA, and the Immigration and Naturalization Service, were moved to the new depart- ment. Title IV of the act created the position of Undersecretary for Border and Transportation Security, whose primary duties include the following: â¢ Preventing the entry of terrorists and the instruments of terrorism into the United States; â¢ Securing the borders, territorial waters, ports, terminals, waterways, and air, land, and sea transportation systems of the United States; â¢ Administering the immigration and naturalization laws of the United States, including the establishment of rules governing the granting of visas and other forms of permission to enter the United States to include individuals who are not citizens or lawful permanent residents; ADMINISTRATOR ------ DEPUTY ADMINISTRATOR Offices ACQUISITION PROGRAM MANAGEMENT Assistant Administrator CHIEF COUNSEL CIVIL RIGHTS AND LIBERTIES, OMBUDSMAN AND TRAVELER ENGAGEMENT Assistant Administrator CONTRACTING AND PROCUREMENT Assistant Administrator Offices (cont.) FINANCE AND ADMINISTRATION Assistant Administrator GLOBAL STRATEGIES Assistant Administrator HUMAN CAPITAL Assistant Administrator INFORMATION TECHNOLOGY Assistant Administrator Offices (cont.) INSPECTION Assistant Administrator INTELLIGENCE AND ANALYSIS Assistant Administrator LAW ENFORCEMENT / FEDERAL AIR MARSHAL SERVICE Assistant Administrator LEGISLATIVE AFFAIRS Assistant Administrator Offices (cont.) PERFORMANCE AND ENTERPRISE RISK Assistant Administrator PROFESSIONAL RESPONSIBILITY Assistant Administrator REQUIREMENTS AND CAPABILITIES ANALYSIS Assistant Administrator SECURITY OPERATIONS Assistant Administrator Offices (cont.) SECURITY POLICY AND INDUSTRY ENGAGEMENT Assistant Administrator STRATEGIC COMMUNICATIONS AND PUBLIC AFFAIRS Assistant Administrator TRAINING AND DEVELOPMENT Assistant Administrator CHIEF OF STAFF CHIEF OF OPERATIONS CHIEF OF MISSION SUPPORT Source: Adapted from TSA 2017. Figure 7-1. TSA organization chart as of October 30, 2017.
Homeland Security Laws, Directives, and Guidance 165 â¢ Ensuring the customs laws of the United States; and â¢ Ensuring the speedy, orderly, and efficient flow of lawful traffic and commerce in carrying out these responsibilities. Figure 7-2 is a top-level organization chart of DHS as of October 30, 2017. The Maritime Transportation Security Act, signed into law on November 25, 2002, man- dated maritime transportation security plans. These plans are intended to establish regional response and recovery protocols to mitigate regional transportation security incidents. The act also required the Transportation Worker Identification Credential for workers who need access to secure areas of the nationâs maritime facilities and vessels. The act required owners of facilities on or adjacent to U.S. waters that pose a high risk of involvement in a transportation security incident to make a vulnerability assessment available to appropriate authorities, and integrate the facilityâs security system with compatible systems operated by state agencies, law enforcement agencies, and the Coast Guard. The Security and Accountability For Every (SAFE) Port Act, signed into law on March 30, 2006, focuses on enhancing security at U.S. ports, preventing threats and attacks before they reach the United States, and the security of shipping containers bound for the United States. Several laws relating to disaster relief and emergency assistance can affect transportation agencies. These include the Stafford Act and the Emergency Management Assistance Compact. Transporta- tion agencies were also affected by laws passed in the wake of Hurricanes Katrina and Sandy. The Robert T. Stafford Disaster Relief and Emergency Assistance Act (Public Law 100-707) created the system in place today by which a presidential disaster declaration triggers financial and physical assistance through FEMA (U.S. Government 1988). Such assistance is also avail- able to transportation agencies (for example, through the FEMA Public Assistance program). Under the Stafford Act, the president can designate an incident as an âemergencyâ or âmajor disaster.â The federal assistance available for emergencies is more limited than what is available for a major disaster. Major disasters may be caused by such natural events as floods, hurricanes, and earthquakes. Disasters may include fires, floods, or explosions that the president feels are of sufficient magnitude to warrant federal assistance. In 1996, Public Law 104-321 ratified EMAC, a national interstate mutual aid agreement that provides supplemental support to that provided by federal agencies. For example, EMAC funds can supplement any FEMA and FHWA support to state transportation agencies. EMAC has been adopted by all 50 states, the District of Columbia, the U.S. Virgin Islands, and Puerto Rico, although EMAC support is also available to local transportation agencies if the state has passed appropriate intrastate laws. Several gaps became apparent in the response to Hurricane Katrina, leading to the Post- Katrina Emergency Management Reform Act of 2006 (PKEMRA). While PKEMRA kept FEMA within the DHS, it significantly reorganized FEMA by providing it substantial new authority to remedy gaps in response and including a more robust preparedness mission for FEMA. For example, with regard to transportation, the act coordinates and supports precautionary evacu- ations and recovery efforts, and provides transportation assistance for relocating and returning people displaced from their residences in a major disaster. In the wake of Hurricane Sandy, the 2013 Sandy Recovery Improvement Act (SRIA) amended the Stafford Act by authorizing several significant changes to the way FEMA may deliver federal disas- ter assistance. For example, it authorized alternative procedures for the Public Assistance program (which can be a source of support for transportation agencies), reviewed and evaluated the Public Assistance small project threshold, and established a nationwide dispute resolution pilot program for Public Assistance projects. The SRIA also streamlined the Hazard Mitigation Grant Program.
Source: https://www.dhs.gov/organizational-chart Figure 7-2. DHS top-level organization chart.
Homeland Security Laws, Directives, and Guidance 167 Two recent transportation reauthorization bills, MAP-21 and the FAST Act, included emergency management requirements for transportation agencies. The Moving Ahead for Progress in the 21st Century Act (MAP-21) was passed in 2012. It focused on performance management and established national performance goals. MAP-21 required incorporating performance goals, measures, and targets into transportation planning. Most aspects of MAP-21 are continued in the FAST Act. The transportation reauthorization legislation passed in 2015, Fixing Americaâs Surface Transportation (FAST) Act, expanded the focus on the transportation systemâs resiliency. FAST requires strategies to reduce the vulnerability of existing transportation infrastructure to natural disasters. The act expands the scope of the metropolitan planning process to include improving transportation system resiliency and reliability. Key features include (1) emphasis on resilience with funding permitted to protect bridges and tunnels; (2) emphasis on risk- based as well as performance-based asset management; (3) inclusion of critical infrastructure for project funding eligibility; (4) comprehensive guidance from FTA on emergency relief programs, funding, and planning; and (5) new initiatives from FTA for mobility for seniors and people with disabilities, which may increase opportunities for advance outreach by trans- portation emergency managers. In addition to laws and statutes, transportation agencies must abide by certain homeland security regulations. These include federal regulations on pipeline safety, grant program eligibil- ity, emergency planning requirements, and transit system SSI. These also include transportation security directives. Certain federal regulations related to pipeline safety and to FEMA and DHS grant programs may be relevant to transportation agencies. The regulations in Title 44 of the Code of Federal Regulations (âEmergency Management and Assistanceâ) have been promulgated to administer grant programs under FEMA and DHS. For example, they define requirements for eligible par- ties under these programs. In addition, all 50 states and the District of Columbia have elected to adopt Federal pipeline safety regulations by reference (and hence affect the mode of pipe- line transportation). These regulations have specific emergency planning requirements, such as mandated written emergency response procedures and the requirement that such plans and procedures be communicated to fire, police, and other public officials. These regulations can be found in the following sections of the Code of Federal Regulations (CFR): Title 49 Parts 33, 112, 192, 193, 194, and 195; and Title 30 Part 254. Transit agencies must comply with federal regulations regarding SSI, information obtained or developed which, if released publicly, would be detrimental to transportation security. Regula- tions in CFR Title 49 Part 15 control the handling of SSI for the U.S. Department of Transporta- tion, while those in Part 1520 concern the handling of SSI for the TSA. The regulation in CFR Title 49 Part 659.11 notes certain circumstances in which investigation reports and system security plans can be kept confidential. TSA has also published a Stakeholder Best Practices Quick Reference Guide for SSI, which presents the TSAâs requirements for SSI; a list of information that qualifies as SSI; and best practices, including the reasonable steps that must be taken for safeguarding SSI in various media (e.g., electronic presentations, spreadsheets, portable drives) (TSA n.d.). The TSA has also promulgated Transportation Security Directives related to threats to passenger rail systems. On May 20, 2004, TSA released Security Directive (SD) RAILPAX-04-02 for passenger operations conducted by AMTRAK and by the Alaska Railroad Corporation. Simultaneously, TSA published SD RAILPAX-04-01 for a wider range of passenger rail opera- tors that include commuter passenger trains, heavy rail, and light rail, among others. These directives outline 15 protective measures to be carried out by passenger rail operators, includ- ing designating primary and alternate security coordinators; reporting potential threats or sig- nificant security concerns to appropriate law enforcement authorities; providing TSA with the
168 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies date of the most recent vulnerability assessment; and installing bomb-resistant trash recep- tacles at stations where a vulnerability assessment has identified a significant risk. Homeland Security Directives and Executive Orders Presidential Decision Directives (PDDs), Homeland Security Presidential Directives (HSPDs), Presidential Policy Directives (PPDs), and Executive Orders (E.O.s) are measures enabling the president of the United States to enhance homeland security. Prior to the terrorist attacks of September 11, 2001, presidential decisions were communicated by PDD. The most significant PDD affecting homeland security was PDD-63, issued by President Bill Clinton on May 22, 1998. The intent of PDD-63 was âto assure the continuity and viability of critical infrastructures . . . the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems.â On October 29, 2001, the first HSPD was signed by Presi- dent George W. Bush and pronounced âthe first in a series of Homeland Security Presidential Directives that shall record and communicate presidential decisions about the homeland security policies of the United States.â All HSPDs, by definition, affect homeland security, however, some are more relevant than others to protecting the transportation sector. During the administration of President Barack Obama, analogous presidential directives were designated as Presidential Policy Directives (PPDs). Of the Obama administrationâs directives and E.O.s, Presidential Policy Directive 21 and Executive Orders 13636 and 13653 are of particular significance. PPD-21 established rapid recovery and the concept of resilience as key desired outcomes of critical infrastructure security efforts. E.O. 13636 made cybersecu- rity an essential component of critical infrastructure security, directed the development of a technology-neutral cybersecurity framework, and incentivized the adoption of cybersecurity practices. E.O. 13653 directed federal agencies to ensure that the impacts of climate change were reflected in the agenciesâ programs, policies, rules, and operations. The administration of President Donald Trump has issued three E.O.s relevant to infra- structure and cybersecurity: E.O. 13766 on expediting environmental reviews and approvals for high-priority infrastructure projects; E.O. 13800 on strengthening the cybersecurity of federal networks and critical infrastructure; and E.O. 13807 on establishing discipline and accountability in the environmental review and permitting process for infrastructure projects. Table 7-1 summarizes important HSPDs, PPDs, and E.O.s that affect transportation. Homeland Security National Guidance Documents The following homeland securityârelated national guidance documents are significant for transportation agencies: â¢ National Preparedness System and Goal; â¢ National Planning Frameworks â National Prevention Framework; â National Protection Framework; â National Mitigation Framework; â National Response Framework; â National Disaster Recovery Framework; â¢ National Infrastructure Protection Plan; and â¢ Transportation Systems Sector-Specific Plan.
Homeland Security Laws, Directives, and Guidance 169 HSPD-16 (Jun 22, 2006) National Strategy for Aviation Security Strategies for the prevention of the Air Domain from being exploited by terrorist groups, hostile nations-states and criminals to commit acts against the United States, its people, its infrastructure and its other interests; safe and efficient use of the Air Domain; and the continued facilitation of travel and commerce. PPD-8 (Mar 30, 2011) National Preparedness Links together national preparedness efforts by integrating the following key elements: the National Preparedness Goal, the National Preparedness System, Whole Community Initiative, and the Annual National Preparedness Report. Strengthens security and resilience through five preparedness mission areasâPrevention, Protection, Mitigation, Response, and Recovery. These mission areas each have their own framework within the National Planning Frameworks. PPD-21 (Feb 12, 2013) Critical Infrastructure Security and Resilience Establishes resilience and rapid recovery as focus of critical infrastructure security, and integrates these concepts with the National Preparedness System. Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards. Resilient infrastructure systems are flexible and agile, and should be able to bounce back after disruptions. E.O. -13618 (Jul 6, 2012) Assignment of National Security and Emergency Preparedness Communications Functions Stipulates that the Federal Government must have the ability to communicate at all times and under all circumstances to carry out its most critical and time-sensitive missions, ensure national security, effectively manage emergencies, and improve national resilience. Survivable, resilient, enduring, and effective communications, both domestic and international, are essential to enable the executive branch to communicate within itself and with: the legislative and judicial branches; State, local, territorial, and tribal governments; private sector entities; and the public, allies, and other nations. (The implication is that state transportation agencies are included among these stakeholders.) E.O. -13636 (Feb 12, 2013) Improving Critical Infrastructure Cybersecurity Develops a technology-neutral cybersecurity framework, and is intended to promote and incentivize the adoption of cybersecurity practices. Cybersecurity is established as an aspect of critical infrastructure security. E.O. -13653 (Nov 1, 2013) Preparing the United States for the Impacts of Climate Change Establishes climate change as an additional aspect to address in plans and programs. Requires federal agencies to integrate considerations of the challenges posed by climate change effects into their programs, policies, rules and operations to ensure they continue to be effective, even as the climate changes. Presidential Directive or Executive Order Purpose of the Order HSPD-3 (May 22, 2002) Homeland Security Advisory System A Homeland Security Advisory System to provide a comprehensive and effective means to disseminate information regarding the risk of terrorist acts to Federal, State, and local authorities and to the American people. Such a system would provide warnings in the form of a set of graduated âThreat Conditionsâ that would increase as the risk of the threat increases. HSPD- 5 (Feb 28, 2003) Management of Domestic Incidents To enhance the ability of the United States to manage domestic incidents by establishing a single, comprehensive national incident management system. HSPD-7 (Dec 17,2003) Critical Infrastructure Identification, Prioritization, and Protection Establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks. HSPD- 8 (Dec 17, 2003) National Preparedness Establishes policies to strengthen the preparedness of the United States to prevent and respond to threatened or actual domestic terrorist attacks, major disasters, and other emergencies by requiring a national domestic all-hazards preparedness goal, establishing mechanisms for improved delivery of Federal preparedness assistance to State and local governments, and outlining actions to strengthen preparedness capabilities of Federal, State, and local entities. HSPD-13 (Dec 21, 2004) Maritime Security Policy Establishes U.S. policy, guidelines, and implementation actions to enhance U.S. national security and homeland security by protecting U.S. maritime interests. It directs the coordination of United States Government maritime security programs and initiatives to achieve a comprehensive and cohesive national effort involving appropriate Federal, State, local, and private sector entities. (continued on next page) Table 7-1. Purpose of HSPDs, PPDs, and E.O.s affecting transportation.
170 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies National Preparedness System and Goal Presidential Policy Directive 8: National Preparedness (PPD-8) 2011 described the nationâs approach to preparing for the threats and hazards that pose the greatest risk to the security of the United States. The directive established the National Preparedness Goal and identified the core capabilities necessary to achieve that goal across five mission areasâprevention, protection, mitigation, response, and recovery. The National Preparedness Goal is a âA secure and resilient nation with the capabilities required across the whole community to prevent, protect against, mitigate, respond to, and E.O. -13690 (Jan 30, 2015) Establishing a Federal Flood Risk Management Standard and a Process for Further Soliciting and Considering Stakeholder Input Improve the resilience of communities and Federal assets against the impacts of flooding. Require executive departments and agencies (agencies) to avoid, to the extent possible, the long- and short-term adverse impacts associated with the occupancy and modification of floodplains and to avoid direct or indirect support of floodplain development wherever there is a practicable alternative. E.O. -13691 (Feb 13, 2015) Private Sector Cybersecurity Information Sharing Encourage the voluntary formation of organizations that engage in sharing information related to security risks and incidents. Such organizations play an invaluable role in the collective cybersecurity of the United States. In addition, establish mechanisms to Presidential Directive or Executive Order Purpose of the Order continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis. E.O.-13717 (Feb 2, 2016) Establishing a Federal Earthquake Risk Management Standard Strengthen the security and resilience of the Nation against earthquakes, to promote public safety, economic strength, and national security. To that end, the Federal Government must continue to take proactive steps to enhance the resilience of buildings that are owned, leased, financed, or regulated by the Federal Government. When making investment decisions related to Federal buildings, each executive department and agency (agency) responsible for implementing this order shall seek to enhance resilience by reducing risk to the lives of building occupants and improving continued performance of essential functions following future earthquakes. E.O.-13728 (May 18, 2016) Wildland-Urban Interface Risk Mitigation Strengthen the security and resilience of the Nation against the impacts of wildfire. Enhance the resilience of buildings that are owned by the Federal Government and are located on Federal land. Each executive department and agency responsible for implementing this order shall seek to enhance the resilience of its buildings when making investment decisions to ensure continued performance of essential functions and to reduce risks to its buildingsâ occupants in the event of a wildfire. E.O.-13766 (Jan 25, 2017) Expediting Environmental Reviews and Approvals for High Priority Infrastructure Projects Streamline and expedite â in a manner consistent with the law â environmental reviews and approvals for all infrastructure projects, especially projects that are a high priority for the Nation. Examples include improving the U.S. electric grid and telecommunications facilities and repairing and upgrading critical port facilities, airports, pipelines, bridges, and highways. E.O.-13800 (May 11, 2017) Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure Hold heads of agencies and executive departments accountable for managing cybersecurity risk to their enterprise. Risk management decisions made by agency heads can affect the risk to the executive branch as a whole. E.O.-13807 (Aug 15, 2017) Establishing Discipline and Accountability in the Environmental Review and Permitting Process for Infrastructure Projects Ensure that the Federal environmental review and permitting process for infrastructure projects is coordinated, predictable, and transparent. Source: U.S. Government n.d.a. Table 7.1. (Continued).
Homeland Security Laws, Directives, and Guidance 171 recover from the threats and hazards that pose the greatest riskâ (FEMA 2015). It defines what it means for the whole community to be prepared for all types of disasters and emergencies. The National Preparedness Goal also identifies five mission areas: â¢ PreventionâPrevent, avoid, or stop an imminent, threatened, or actual act of terrorism. â¢ ProtectionâProtect our citizens, residents, visitors, and assets against the greatest threats and hazards in a manner that allows our interests, aspirations, and way of life to thrive. â¢ MitigationâReduce the loss of life and property by lessening the impact of future disasters. â¢ ResponseâRespond quickly to save lives, protect property and the environment, and meet basic human needs in the aftermath of a catastrophic incident. â¢ RecoveryâRecover through a focus on the timely restoration, strengthening, and revi- talization of infrastructure, housing, and a sustainable economy, as well as the health, social, cultural, historic, and environmental fabric of communities affected by a cata- strophic incident. The 2015 National Preparedness Goal identifies 32 core capabilities essential to executing the five mission areas. Figure 7-3 groups these core capabilities under the mission areas. The Strategic National Risk Assessment (cited within the 2015 National Preparedness Goal) categorizes transportation system failures among the technological and accidental hazards that pose a significant risk to the nation. The 2015 National Preparedness Goal incorporates the following changes to the original 2011 document: â¢ Language was added to stress the importance of community preparedness and resilience. â¢ The Risk and the Core Capabilities were enhanced to include items on cybersecurity and climate change. â¢ A new core capability, Fire Management and Suppression, was added. â¢ Core capability titles were revised: â Threats and Hazard Identification (Mitigation) was revised to Threats and Hazards Identification. â Public and Private Services and Resources (Response) was revised to Logistics and Supply Chain Management. â On-scene Security and Protection (Response) was revised to On-scene Security, Protection, and Law Enforcement. â Public Health and Medical Services (Response) was revised to Public Health, Healthcare, and Emergency Medical Services. The National Preparedness Goal is meant to be the cornerstone of implementing the National Preparedness System (FEMA, 2015). This system consists of several components that contribute to building, sustaining, and delivering the core capabilities described in the National Preparedness Goal (FEMA, 2015): â¢ The National Planning System, which âsupports the integration of planning across all levels of government and the whole community to provide an agile, flexible, and accessible deliv- ery of the core capabilities.â â¢ A series of National Frameworks and Federal Interagency Operational Plans (FIOPs). The National Frameworks âaddress the roles and responsibilities across the whole community to deliver the core capabilities.â FIOPs âaddress the critical tasks, responsibilities, and resourcing, personnel, and sourcing requirements for the core capabilities.â â¢ The National Preparedness Report, which âprovides a summary of the progress being made toward building, sustaining, and delivering the core capabilities described in the Goal.â
172 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies The annual National Preparedness Report facilitates measuring âadvancements made in preparedness and to identify where challenges remain.â National Planning Frameworks Collectively, the National Planning Frameworks describe how the whole community works together to achieve the National Preparedness Goal. There is a framework for each of the five National Preparedness Goal mission areas: â¢ National Prevention Framework; â¢ National Protection Framework; â¢ National Mitigation Framework; â¢ National Response Framework; and â¢ National Disaster Recovery Framework. The National Preparedness Goal defines what it means to be prepared for all types of disasters and emergencies, including natural disasters, disease pandemics, chemical spills and other non- natural hazards, terrorist attacks, and cyber attacks. Source: FEMA 2015. Figure 7-3. Core capabilities by mission area.
Homeland Security Laws, Directives, and Guidance 173 National Prevention Framework The National Prevention Framework focuses on terrorism and addresses the capabilities necessary to avoid, prevent, or stop imminent threats or attacks (FEMA 2016c). Specifically, this framework describes what the whole community (from community members to senior leaders in government) should do upon the discovery of an imminent threat to the homeland. Some core capabilities overlap with the Protection mission area. In this updated second edition, edits include: â¢ Updates to Coordinating Structure language on Joint Operations Centers and the Nation- wide Suspicious Activity Reporting Initiative; â¢ Clarification on the relationship and differences between the Prevention and Protection mission areas; â¢ Updated language on the National Terrorism Advisory System (NTAS) as part of the Public Information and Warning core capability; and â¢ Additional language on science and technology investments within the prevention mis- sion area. The 2016 National Prevention Framework designates the DHS as responsible for preventing the use of U.S. transportation systems for terrorist purposes. This responsibility is pursuant to the departmentâs other specified roles for terrorism prevention. Of the core capabilities discussed in the 2016 National Prevention Framework, âPublic Infor- mation and Warningâ is most relevant to transportation agencies. Specifically, the National Terrorism Advisory System (NTAS) provides the public information on credible terrorist threats. Critical infrastructure owners and operators, such as transportation agencies, are among the stakeholders who receive NTAS-disseminated information as NTAS bulletins and alerts. Transportation agencies can avail themselves of various coordinating structures, according to the 2016 National Prevention Framework. At the federal level, the National Infrastructure Coordinating Center facilitates time-sensitive incident management coordination, situational awareness, and sharing of critical intelligence and information. At the state level and in major urban areas, fusion centers empower critical infrastructure protection personnel to understand local implications of national intelligence. National Protection Framework The National Protection Framework focuses on âactions to deter threats, reduce vulnerabili- ties, and minimize the consequences associated with an incidentâ (FEMA 2016d). This frame- work describes how the whole community safeguards against acts of terrorism, natural disasters, and other threats or hazards. It provides processes and guiding principles that provide a unifying approach adaptable to specific Protection mission requirements, mission activities, jurisdic- tions, and sectors. In this updated second edition, edits include: â¢ Updated Cybersecurity Core Capability Critical Tasks to align with the Mitigation, Response, and Recovery Mission Areas; â¢ Additional language on science and technology investments to protect against emerging vulnerabilities included in the Protection mission area; and â¢ Additional language on interagency coordination within the Protection mission area to support the decision-making processes outlined within the framework. The 2016 National Protection Framework includes transportation systems among such criti- cal infrastructure systems as chemical, communications, information technology, and critical
174 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies manufacturing. It follows the PPD-21 definition of critical infrastructure: âthose systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such may have a debilitating impact on the security; economy; public safety or health; environment; or any combination of these matters, across any jurisdiction.â In addition, it includes maritime security and transportation security as activities enabled by the Protection core capabilities. In particular, the 2016 National Protection Framework seeks to secure U.S. maritime infrastructure and resources and U.S. transportation systems and the air domain against terrorism and other threats and hazards. At the same time, the framework seeks to preserve civil rights, respect privacy and civil liberties, and enable legitimate travelers and goods to move efficiently without fear of harm or significant disruption. The 2016 National Protection Framework notes that the U.S. Department of Transporta- tion has responsibilities under the Protection Federal Interagency Operational Plan. The Pro- tection FIOP provides detailed description of how federal agencies like U.S.DOT engage and contribute to the delivery of core capabilities. In addition, the U.S.DOT supports the National Health Security Strategy developed by the secretary of Health and Human Services. Transportation is mentioned in two of the core capabilities included in the 2016 National Pro- tection Framework. One of the critical tasks for the Cybersecurity core capability is to âsecure, to the extent possible, public and private networks and critical infrastructure (e.g., communica- tion, financial, power grid, water, and transportation systems), based on vulnerability results from risk assessment, mitigation, and incident response capabilities.â For the Physical Protective Measures core capability, one critical task is to âprotect critical lifeline functions, which include energy, communications, transportation, and water and wastewater management.â National Mitigation Framework The National Mitigation Framework covers the capabilities necessary to reduce the loss of life and property by lessening the effects of disasters (FEMA 2016b). Specifically, this framework sets the strategy and doctrine for how the whole community builds, sustains, and delivers the Mitigation core capabilities identified in the National Preparedness Goal in an integrated man- ner with the other mission areas. The framework focuses on risk (understanding and reducing it), resilience (helping communities recover quickly and effectively after disasters), and a cul- ture of preparedness. The updated second edition of this framework incorporates new lessons learned, for example, a revised core capability title: Threats and Hazards Identification. Other edits include: â¢ Additional language on science and technology efforts to reduce risk and analyze vulnerabili- ties within the mitigation mission area; â¢ Updates on the Mitigation Framework Leadership Group (MitFLG); and â¢ Updates to the Community Resilience core capability definition to promote preparedness activities among individuals, households, and families. The 2016 National Mitigation Framework describes core capabilities in which transportation systems are explicitly mentioned. First, regarding the Planning core capability, the framework notes the development of plans related to transportation âas a tool to integrate risk analysis and assessment of local capabilities and authorities into community priorities and decision making.â Second, transportation infrastructure is part of the Community Resilience core capability: Community resilience is expressed through a holistic approach to risk reduction. The success of one element relies upon the resilience capacity of other elements. For example, when a large business facil- ity is retrofitted to account for wind and flood hazards, the community is also motivated to strengthen area schools, employee housing, and transportation infrastructure to ensure that workers will be able to quickly rebound from an incident, return to work, and restore the communityâs tax base.
Homeland Security Laws, Directives, and Guidance 175 The U.S.DOT is one of the potential federal members of a Mitigation Framework Leadership Group (MitFLG). A MitFLG coordinates mitigation efforts across the federal government and assesses the effectiveness of mitigation capabilities. In addition to federal members, a MitFLG includes representatives from local, state, and tribal governments. National Response Framework The National Response Framework (NRF) identifies the key personnel, roles, responsibilities, and mechanisms for the nationâs response to incidents. Originally published in 2008 to replace the National Response Plan, the current NRF is the third edition (FEMA 2016d). Considered applicable at all levels of governmentâfederal, state, and localâas well as to the private sector, the NRF defines the Response mission area as having the capabilities to âsave lives, protect prop- erty and the environment, meet human basic needs, stabilize the incident, restore basic services and community functionality, and establish a safe and secure environment to facilitate the inte- gration of recovery activities.â The NRF builds on the National Incident Management System (NIMS) by outlining how the federal government is organized to support communities and the states in the event of a catastrophic occurrence. Transportationâs role under such circumstances is defined under Emergency Support Function (ESF) 1. The 14 ESFs are as follows: 1. Transportation 2. Communications 3. Public Works and Engineering 4. Firefighting 5. Emergency Management 6. Mass Care, Emergency Assistance, Temporary Housing, and Human Services 7. Logistics 8. Public Health and Medical Services 9. Search and Rescue 10. Oil and Hazardous Materials Response 11. Agriculture and Natural Resources 12. Energy 13. Public Safety and Security 14. External Affairs Please note that the original ESF 14 (Long-Term Community Recovery) has been superseded by the National Disaster Recovery Framework (NDRF). In addition, the names of some ESFs have been modified in the update, specifically ESFs 5, 6, and 7. ESF 7 was originally longerâ Logistics Management and Resource Support. Meanwhile, the current name of ESF 6 now includes the qualifier âtemporaryâ in Temporary Housing (see emphasis in italics in list). Role of Transportation in the NRF and the ESF 1 Transportation Annex The lead federal agency (ESF coordinator) for ESF 1 is the U.S.DOT. The department is responsible for planning and coordinating activities affecting transportation throughout all mission areasâprevention, protection, mitigation, response, and recovery. During a national incident, U.S.DOT will activate the Crisis Management Center, which serves as the departmentâs focal point for emergency response and communications. The DHS document ESF 1 Transportation Annex (most recently updated in 2013) captures information related to the responsibilities and action steps of the various entities and partners under the framework. These include Scope, Relationship to the Whole Community, and Core
176 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Capabilities and Actions. In addition, ESF 1 Transportation Annex includes agency actions for the following support agencies: â¢ Department of AgricultureâUnited States Forest Service; â¢ Department of CommerceâNational Oceanic and Atmospheric Administration; â¢ Department of DefenseâThe department itself, as well as the U.S. Army Corps of Engineers; â¢ Department of Energy; â¢ Department of Homeland Security (DHS)âCustoms and Border Protection, Federal Emergency Management Agency (FEMA), TSA, U.S. Coast Guard, Office of Infrastructure Protection; â¢ Department of the Interior; â¢ Department of Justice; â¢ Department of State; â¢ General Services Administration; and â¢ U.S. Postal Service. Figure 7-4 depicts the ESF 1 Annexâs sections on Scope and Relationship to the Whole Community. National Disaster Recovery Framework The National Disaster Recovery Framework describes âhow the whole community works together to restore, redevelop, and revitalize the health, social, economic, natural, and environ- mental fabric of the communityâ (FEMA 2016a). The NDRF defines: â¢ Eight principles that guide recovery core capability development and recovery support activities under the NDRF; â¢ Roles and responsibilities of recovery coordinators and other stakeholders; â¢ A coordinating structure that facilitates communication and collaboration among all stakeholders, guidance for pre- and post-disaster recovery planning; and â¢ The overall process by which communities can capitalize on opportunities to rebuild stronger, smarter, and safer. In describing the roles and responsibilities of stakeholders from individuals to nongov- ernmental organizations to local, state, and federal governments, the 2016 NDRF empha- sizes that a successful recovery effort ensures the inclusion of the whole community: âThose who are engaging in recovery activities are covered by specific legal obligations that prohibit discrimination.â Such statutory and executive order obligations extend to accessibility to transportation. The 2016 NDRFâs Infrastructure Systems core capability directly affects transportation agen- cies as owners and operators of critical infrastructure. This core capability âintegrates the efforts of the owners and operators of public and private infrastructure.â The 2016 NDRF states the goal of the recovery process as âmatch(ing) the post-disaster infrastructure to the communityâs projected demand on its built and virtual environment,â and recommends developing this goal using public-private collaborative structures. This core capability designates four critical tasks: â¢ Facilitate the restoration of and sustain essential services (public and private) to maintain community functionality. â¢ Coordinate planning for infrastructure redevelopment at the regional, system-wide level. â¢ Develop a plan with a specified timeline for developing, redeveloping, and enhancing com- munity infrastructures to contribute to resilience, accessibility, and sustainability. â¢ Provide systems that meet the community needs while minimizing service disruption during restoration within the specified timeline in the recovery plan.
Homeland Security Laws, Directives, and Guidance 177 Source: DHS 2013. Figure 7-4. ESF #1 Annex sections âScopeâ and âRelationship to Whole Community.â
178 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Role of Transportation in the NDRF and in Recovery Support Function #5 (Infrastructure Systems) The 2016 NDRF designates six recovery support functions (RSFs): 1. Community Planning and Capacity Building; 2. Economic Recovery; 3. Health and Social Services; 4. Housing; 5. Infrastructure Systems; and 6. Natural and Cultural Resources. In this updated second edition, edits include: â¢ Increased focus on the relationship of Recovery to the other four mission areas; â¢ Updated RSFs to reflect changes in primary agencies and supporting organizations; and â¢ Additional language on science and technology capabilities and investments for the rebuilding and recovery efforts. In particular for transportation agencies, the Infrastructure Systems RSF provides the coor- dinating structures, framework, and guidance for resilience, sustainability, and mitigation. Collaborative efforts of this RSF involve government and private-sector partners across the infrastructure sectors identified in the National Infrastructure Protection Plan (NIPP). The scope of this RSF includes transportation systems. U.S.DOT is a primary agency for this RSF, although the U.S. Army Corps of Engineers is the coordinating agency that leads the RSF. Supporting organizations are agencies that may bring relevant subject matter expertise and technical assistance as needed. Primary agencies have been chosen based on their authorities, resources, and capabilities. Together, the coordinating agency, primary agencies, and supporting organizations of the Infrastructure Systems RSF work to efficiently facilitate the restoration of infrastructure systems and services to support a viable, sustainable community and improve resilience to and protection from future hazards. U.S.DOT is also a supporting organization to two other RSFs: Community Planning and Capacity Building, and Health and Social Services. National Infrastructure Protection Plan The National Infrastructure Protection Plan outlines how government and private-sector par- ticipants in the critical infrastructure community work together to manage risks and achieve security and resilience outcomes (DHS 2013). The NIPP 2013 emphasizes the importance of resilience, the need to reduce all-hazards vulnerabilities and mitigate potential consequences of incidents or events that do occur. Infrastructure protection is critically necessary for the nation to meet its National Preparedness Goal of âa secure and resilient nation with the capabilities required across the whole community to prevent, protect against, respond to, and recover from the threats and hazards that pose the greatest risk.â The NIPP is also consistent with the Home- land Security Act of 2002, which assigns DHS the responsibility to develop a comprehensive national plan for critical infrastructure security and resilience. The NIPP 2013 has six chapters, two appendices, and four supplements. After an executive summary, the introduction (Chapter 1) gives an overview of the NIPP 2013 and its evolution from the 2009 NIPP. Chapter 2 defines the vision, mission, and goals of the NIPP 2013, and Chapter 3 describes the critical infrastructure environment in terms of key concepts, risk, policy, operations, and partnerships. Core tenets are established in Chapter 4, and ways to collaborate
Homeland Security Laws, Directives, and Guidance 179 to manage risk are presented in Chapter 5. The final chapter includes calls to action (âSteps to Advance the National Effortâ). The NIPP 2013 goals are: 1. Assess and analyze threats to, vulnerabilities of, and consequences to critical infrastructure to inform risk management activities; 2. Secure critical infrastructure against human, physical, and cyber threats through sustainable efforts to reduce risk, while accounting for the costs and benefits of security investments; 3. Enhance critical infrastructure resilience by minimizing the adverse consequences of inci- dents through advance planning and mitigation efforts, and employing effective responses to save lives and ensure the rapid recovery of essential services; 4. Share actionable and relevant information across the critical infrastructure community to build awareness and enable risk-informed decision-making; and 5. Promote learning and adaptation during and after exercises and incidents. The NIPP 2013 calls to action are: 1. Set national focus through jointly developed priorities. 2. Determine collective actions through joint planning efforts. 3. Empower local and regional partnerships to build capacity nationally. 4. Leverage incentives to advance security and resilience. 5. Enable risk-informed decision-making through enhanced situational awareness. 6. Analyze infrastructure dependencies, interdependencies, and associated cascading effects. 7. Identify, assess, and respond to unanticipated infrastructure cascading effects during and following incidents. 8. Promote infrastructure, community, and regional recovery following incidents. 9. Strengthen coordinated development and delivery of technical assistance, training, and education. 10. Improve critical infrastructure security and resilience by advancing research and develop- ment solutions. 11. Evaluate progress toward the achievement of goals. 12. Learn and adapt during and after exercises and incidents. The NIPP establishes critical infrastructure protection roles for certain federal departments and agencies. Figure 7-5 illustrates the sector-specific agency assignments. The U.S.DOT and the DHS are the sector-specific agencies for the Transportation Systems Critical Infrastructure Sector. According to the NIPP 2013, PPD-21 identifies the following roles and responsibilities for sector-specific agencies: â¢ As appropriate to implement PPD-21, â Coordinate with DHS and other relevant federal departments and agencies and collaborate with critical infrastructure owners and operators; â Coordinate, where appropriate, with independent regulatory agencies; and â Coordinate with state, tribal, and territorial entities; â¢ Serve as a day-to-day federal interface for the dynamic prioritization and coordination of sector-specific activities; â¢ Carry out incident management responsibilities consistent with statutory authority and other appropriate policies, directives, or regulations; â¢ Provide, support, or facilitate technical assistance and consultations for that sector to identify vulnerabilities and help mitigate incidents, as appropriate; and â¢ Support the secretary of Homeland Securityâs statutory reporting requirements by providing, on an annual basis, sector-specific critical infrastructure information.
180 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Source: DHS 2013. Figure 7-5. Sector-specific agencies and critical infrastructure sectors. The NIPP also establishes the Critical Infrastructure Risk Management Framework, described as the cornerstone of the plan. Figure 7-6 shows the three elements of critical infrastructure (physical, cyber, and human) as well as the six steps of a continuous improvement feedback loop designed to enhance the protection of critical infrastructure/key resources. Transportation Systems Sector-Specific Plan The sector-specific plans of the 16 critical infrastructure sectors have been updated to align with the NIPP 2013, including the plan for transportation systemsâTransportation Systems Sector-Specific Plan (TSSSP) (DHS 2015a). The TSSSP describes strategies to reduce risks to critical transportation infrastructure. The main body of the TSSSP document contains sig- nificant detailed information about the transportation sector, including an overview of the sector in terms of risks, key partners and stakeholders, and cross-sector issues; sector goals and priorities; steps to achieve sector goals in risk management and national preparedness; and sector activities and approaches to measuring effectiveness. The TSSSP contains 10 sector priorities grouped into four sector goals (Figure 7-7). The Transportation Systems Sectorâs partners identified the goals and priorities in align- ment with the NIPP 2013 and the Joint National Priorities. Figure 7-8 charts this alignment. Figure 7-9 depicts the contribution of Transportation Sector Priorities to the NIPP 2013 calls to action.
Homeland Security Laws, Directives, and Guidance 181 Step Brief Description Set Goals and Objectives Establish a set of broad national goals for critical infrastructure security and resilience. Support these goals with objectives and priorities developed at the sector level. Identify Infrastructure Identify the assets, systems, and networks that are essential to their continued operation, considering associated dependencies and interdependencies. Identify information and communications technologies that facilitate the provision of essential services to state, local, tribal, and territorial governments. Identify and prioritize infrastructure according to their business and operating environments and associated risks. Assess and Analyze Risks Assess critical infrastructure risks in terms of: â¢ Threat â natural or non-natural occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property. â¢ Vulnerability â physical feature or operational attribute that renders an entity open to exploitation or susceptible to a given hazard. â¢ Consequence â effect of an event, incident, or occurrence. Implement Risk Management Activities Prioritize activities to manage critical infrastructure risk based on the criticality of the affected infrastructure, the costs of such activities, and the potential for risk reduction. These activities can be divided into the following approaches: â¢ Identify, deter, detect, disrupt, and prepare for threats and hazards â¢ Reduce vulnerabilities â¢ Mitigate consequences Measure Effectiveness Evaluate the effectiveness of risk management efforts within sectors and at national, state, local, and regional levels by developing metrics for both direct and indirect indicator measurement. Source: DHS 2013. Figure 7-6. Activities included in the NIPP Critical Infrastructure Risk Management Framework.
182 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Source: DHS 2015a. Figure 7-7. Transportation Systems Sector goals and priorities.
Homeland Security Laws, Directives, and Guidance 183 Figure 7-8. Alignment of Transportation Sector priorities to the Joint National Priorities and the NIPP 2013 Goals. (continued on next page)
184 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Source: DHS 2015a. Figure 7-8. (Continued).
Homeland Security Laws, Directives, and Guidance 185 Figure 7-9. Contribution of Transportation Sector priorities to the NIPP 2013 calls to action. (continued on next page)
186 Update of Security 101: A Physical Security and Cybersecurity Primer for Transportation Agencies Source: TSSSP 2015. Figure 7-9. (Continued).