The Nation's critical infrastructure is diverse and complex. It includes distributed networks, varied organizational structures and operating models (including multinational ownership), interdependent functions and systems in both the physical space and cyberspace, and governance constructs that involve multi-level authorities, responsibilities, and regulations. Critical infrastructure owners and operators are uniquely positioned to manage risks to their individual operations and assets, and to determine effective strategies to make them more secure and resilient.

Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards. Achieving this will require integration with the national preparedness system across prevention, protection, mitigation, response, and recovery. A fundamental component of the Department of Homeland Security’s (DHS) efforts to protect and secure our nation’s critical infrastructure (CI) is partnerships among public and private stakeholders. Critical infrastructure comprises assets and systems, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on national security, national economic security, national public health or safety, or any combination of those matters. Because the private sector owns the majority of the nation’s critical infrastructure (banking and financial institutions, commercial facilities, and energy production and transmission facilities, among others), it is vital that the public and private sectors work together to protect these assets and systems.

Below are some of the primary Federal directives for the definition, protection, and strategy around our nation's critical infrastructure. 

The Presidential Policy Directive 21 - Critical Infrastructure Security and Resilience (February 2013) 

The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience advances a national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive, released in February 2013, establishes national policy on critical infrastructure security and resilience. This endeavor is a shared responsibility among the Federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure (herein referred to as "critical infrastructure owners and operators"). This directive also refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, as well as enhances overall coordination and collaboration. The Federal Government also has a responsibility to strengthen the security and resilience of its own critical infrastructure, for the continuity of national essential functions, and to organize itself to partner effectively with and add value to the security and resilience efforts of critical infrastructure owners and operators.

Presidential Decision Directive 63 - Critical Infrastructure Protection (May 1998)

PDD-63 was the product of an interagency evaluation of the recommendations of the President's Commission on Critical Infrastructure Protection, with a view to producing a workable and innovative framework for critical infrastructure protection. It described a strategy for cooperative efforts by government and the private sector to protect the physical and cyber-based systems essential to the minimum operations of the economy and the government. According to PDD-63, any interruptions in the ability of these infrastructures to provide their goods and services must be "brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States."[2]

PDD-63 called for a range of actions intended to improve federal agency security programs, improve the nation’s ability to detect and respond to serious computer-based and physical attacks, and establish a partnership between the government and the private sector.

The Directive called on the federal government to serve as a model of how infrastructure assurance is best achieved and designated lead agencies to work with private-sector and government organizations. Further, it established critical infrastructure protection (CIP) as a national goal and stated that, by the close of 2000, the United States was to have achieved an initial operating capability to protect the nation’s critical infrastructures from intentional destructive acts and, by 2003, have developed the ability to protect U.S. critical infrastructures from intentional destructive attacks.

Executive Order 13231 - Critical Infrastructure Protection in the Information Age

The order created a federal "critical infrastructure protection" board and charged it with recommending policies and coordinating programs for protecting information systems for critical infrastructure. The Board's wide ambit includes outreach to the private sector and state and local governments, information sharing, incident coordination and crisis response, recruitment of Executive Branch security professionals, coordination of research and development, law enforcement coordination, and international cooperation.

Executive Order -- Improving Critical Infrastructure Cybersecurity

The order's aims are to develop a technology-neutral voluntary cybersecurity framework; promote and incentivize the adoption of cybersecurity practices; increase the volume, timeliness, and quality of cyber threat information sharing; incorporate strong privacy and civil liberties protections into every initiative to secure our critical infrastructure; and explore the use of existing regulation to promote cybersecurity.