DDC779BE02 3BHE006805R0002
Executive Order (EO) 12977, the order establishing the Interagency Security Committee, outlined the role and scope of the ISC. Within the context of EO 12977, the ISC is charged with and given authority to “…develop and evaluate standards for Federal facilities, develop a strategy for ensuring compliance with such standards, and oversee the implementation of appropriate security measures in Federal facilities…”1 Within the scope of overseeing the implementation of security standards, the Order went on to encourage agencies and departments within the Federal government to lend assistance to and comply with the standards set forth by the ISC. Furthermore, EO 12977 granted authority to the Interagency Security Committee, stating “…each executive agency and department shall cooperate and comply with the policies and recommendations of the Committee issued pursuant to this order…”2 It further orders “the Administrator shall be responsible for monitoring Federal agency compliance with the policies and recommendations of the Committee”.3 The authority to administer the ISC has since been delegated to the Secretary of the Department of Homeland Security.4

Based upon the authority of EO 12977, the ISC has developed an approach to assist Federal agencies in complying not only with the original EO 12977 but with the updated requirements of PPD-21. In the nearly 20-year history of the Interagency Security Committee, many of the best practices and standards have been employed by numerous agencies within the Federal government. Thus, the ISC is in a unique position to help lead this effort.

1 Executive Order 12977: Interagency Security Committee, Sec. 5(a)(2).
2 Executive Order 12977: Interagency Security Committee, Sec. 6(b).
3 Executive Order 12977: Interagency Security Committee, Sec. 6(c).
4 Executive Order 13286: Amendment of Executive Orders and Other Actions, Sec. 23.
2 PPD-21 Implementation: An ISC White Paper

2 Analysis

The PPD-21 Working Group analyzed The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard (RMP) to identify any issues that could create vulnerabilities or obstacles to security and resilience efforts for Federal facilities supporting primary mission essential functions (PMEF) in an all-hazards environment. As noted in the 2014 Department of Homeland Security Quadrennial Review (QHSR):

The Nation’s critical infrastructure provides the essential services that underpin the American way of life. The concept of critical infrastructure as discrete, physical assets has become outdated as everything becomes linked to cyberspace. This “cyber-physical convergence” has changed the risks to critical infrastructure in sectors ranging from energy and transportation to agriculture and healthcare. Moreover, this interconnected cyber-physical infrastructure consists of multiple systems that rely on one another to greater degrees for their operations and, at times, operate independent of human direction. One example of this type of interconnected system is the global supply chain, where information and communications technologies are providing real-time location services, traffic updates, emergency notifications, and more. Critical infrastructure owners and operators also continue to experience increasingly sophisticated cyber intrusions, which provide malicious actors the ability to disrupt the delivery of essential services, cause physical damage to critical infrastructure assets, and potentially produce severe cascading effects.

The Working Group considered the current processes that independently assess the physical and cyber threats for security-related systems associated with Federal facilities.
It was noted that neither the current Design Basis Threat (DBT) Report nor the Physical Security Criteria contained in the RMP articulate cyber elements that should be considered and appropriately managed as they relate to Federal facilities. What follows are the major issues identified by the group.

The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard must address interrelated hazards that could lead to a debilitating impact on primary mission essential functions. A significant concern is the cybersecurity threat to Industrial Control Systems (ICS)5 and the interdependencies and cascading effects on physical security in Federal facilities. There are generally three types of systems located in the majority of Federal facilities, listed below. These systems support facilities that depend on or complement the Nation's critical infrastructure. An ever-increasing reliance upon these cyber-based systems creates potential vulnerabilities that, if exploited, could have physical consequences for Federal facilities and important concomitant capabilities (e.g., mission execution). The following is a brief description of the types of systems that support or address critical functions related to Federal facilities:6

Building Automation Systems (BAS) – Centralized, interlinked networks of hardware and software that monitor and control the environment in commercial, industrial, and institutional facilities. While managing various building systems, the automation system ensures the operational performance of the facility as well as the comfort and safety of building occupants. Examples include:
• Supervisory Control and Data Acquisition (SCADA) Systems; and