The National Infrastructure Protection Plan (NIPP) established a strategic direction for coordinating the nation’s critical infrastructure protection and resilience initiatives. The new National Plan builds on the previous Plan from 2009 and reflects major changes in the risk, policy, and operating environments, which it describes as “a significant evolution in critical infrastructure risk policy.”
This evolution reflects movement toward long-held ISA doctrine on risk, the economics of cyber security, and the need for incentives. Much of the new language was negotiated personally between ISA and DHS Undersecretary Suzanne Spaulding.
Among the new constructs that mirror long-standing ISA policy are statements including:
- Risk management means identifying and analyzing risk and accepting, avoiding or transferring it at an acceptable level and acceptable costs.
- Government and industry have aligned, but not identical, interests in securing critical infrastructure…both perspectives are legitimate.
- Risk tolerance regarding security investments will differ between the public and private sectors.
- Finding the appropriate value proposition between these partners requires understanding the different perspectives.
- Critical infrastructure security may depend on applying risk management coupled with available resources and incentives.