United States Fire Administration Critical Infrastructure Protection - February 19, 2004

CIP Process Synopsis

The Emergency Management and Response--Information Sharing and Analysis Center (EMR-ISAC) research indicates that hundreds of communities and their fire and emergency medical services still lack sufficient resources to effectively protect their indispensable personnel, physical assets, and communication systems. Additionally, there is ample evidence that local emergency managers and fire/EMS chief officers persevere in the struggle to do more with less. For these reasons the EMR-ISAC continues to recommend the implementation of the Critical Infrastructure Protection (CIP) Process.

The CIP Process was developed to ensure scarce resources (e.g., money, time, people, and materials) are applied exclusively to those infrastructures and key assets that really need protection. Utilization of the process should reduce to the absolute minimum the infrastructures and key assets that genuinely require protective measures. A synopsis of this time-efficient and resource-restrained process follows for those who are new to this valuable and user-friendly methodology:

• Identify critical infrastructures and key assets that are credibly threatened by all hazards.

Rationale: Because of the reality of scarce resources, all efforts should focus only on those infrastructures and key assets that are truly threatened. Although most may be threatened by man-made and/or natural disasters, it is quite possible that some are not. Therefore, there should be no expenditure of limited resources on that which is not credibly threatened.

• Determine the vulnerabilities of those critical infrastructures and key assets that are credibly threatened.

Rationale: In order to promote a time-efficient and resource-restrained approach to critical infrastructure protection, identify the vulnerabilities (i.e., weaknesses) of only credibly threatened infrastructures and key assets. Precious resources should not be spent on analyzing the vulnerabilities of non-threatened infrastructures and key assets.

• Assess the risks of degradation or loss of those critical infrastructures and key assets that are credibly threatened and vulnerable.

Rationale: Conduct a risk assessment only for those infrastructures and key assets that are both threatened and vulnerable. No energy and resources should be invested in infrastructures and key assets that are not threatened and vulnerable. Therefore, the practitioner will only consider the risks involved in doing either something or nothing about threatened and vulnerable infrastructures and key assets.

• Apply protective measures for those critical infrastructures and key assets where risk is unacceptable.

Rationale: Risk should be considered unacceptable when the degradation or loss of an infrastructure or key asset will have catastrophic results; i.e., survivability, continuity of operations, and mission accomplishment will be terminated. When the practitioner determines that risk is unacceptable, it is appropriate to apply limited resources to effect measures protecting the specific (risk-adverse) infrastructure or key asset.

For technical assistance with the process, see the CIP Process Job Aid at: http://www.usfa.fema.gov/fire-service/cipc/cipc-jobaid.shtm. For consultation, contact the EMR-ISAC at 301-447-1325, or at [email protected].

Situational Awareness: A CIP Necessity

Law enforcement authorities throughout the United States receive intermittent reports regarding suspicious activities. Occasionally, the incidents may pertain to an individual or individuals who have attempted to impersonate emergency first responders. Although few in number, these attempts should elicit caution and situational awareness by first response departments, because impersonation is a tactic that has been used by al Qaeda operatives around the world. Furthermore, counterterrorism specialists teach that impostors from extremist groups endeavor to penetrate organizations to conduct deception activities, which conceal a planned terrorist attack.

To reduce or eliminate the risk of subterfuge by an adversary, many emergency departments have begun issuing identification (ID) cards to employees. Some of these organizations have initiated ID card programs in a low cost manner by using existing mechanisms such as those at the local schools and colleges. Others have pursued a cost-effective regional approach by purchasing an ID card machine for use by all the departments within a given region or county. Security experts write that any ID card program should be comprehensively and efficiently executed to include all department personnel regardless of where the ID cards are made.

The ruses and ploys of domestic and transnational terrorists cannot be degraded or defeated by a quality ID card program alone. All the leaders and personnel of an organization must supplement any protective measures with outstanding situational awareness. Perpetual vigilance for suspicious persons and activities in all situations and circumstances will significantly enhance the protection of a department