FCD-2
debilitating impact on security, national economic security, national public health or safety, or
any combination of those matters.”⁴ Together, PPD-40 and PPD-21, Critical Infrastructure
Security and Resilience, require the Federal Government to coordinate with state, local,
territorial, and tribal governments and private sector owners and operators of critical
infrastructure, as appropriate, to strengthen the Nation’s resilience and sustain essential services
during a catastrophic emergency.
As part of risk analysis, the analysis team must identify internal critical assets and systems
supporting essential functions and external infrastructure upon which operations are dependent,
including but not limited to “lifeline” infrastructure such as energy or power, water,
communications, and transportation systems. Analyzing dependencies and interdependencies on
critical infrastructure that support the performance of essential functions contributes to the
organization’s BIA and analysis of resilience. This information contributes to effective risk
management to ensure the protection of critical assets, networks, systems, and information
necessary to the performance of essential functions.
C. Analysis Outcomes
Analyzing risk and related dependencies on critical infrastructure through a BPA and BIA aids in
the identification of non-obvious risks, gaps in an organization’s operational processes and
procedures, and essential function resource requirements. The BIA must take a risk-based
approach to ensure all potential threats and hazards, vulnerabilities, and consequences are
considered.
Through conduct of BPAs and BIAs, D/As must:
• Identify and prioritize essential functions and resource requirements.
• Determine dependencies and interdependencies related to the performance of essential
functions.
• Identify and assess factors which may impact the performance of essential functions and
the potential for cascading effects. D/As should consider existing threat assessments,
vulnerability assessments, and consequence analysis, where available.
While organizations can neither respond to, nor eliminate, all risk, they must work to assess and
manage challenges to perform essential functions based on structured and documented analysis.
The determination and socialization of maximum tolerable downtimes, external dependencies
upon critical infrastructure sectors or other organizations, and internal dependencies or interfaces
will inform decisions on resource allocations and activities to sustain essential functions. Risk
and dependency analysis inform mitigation actions needed to sustain essential functions and the
development of the organization’s continuity program. Collectively, the continuity community
will gain an understanding of how essential functions are interrelated, how MEFs support
PMEFs, and how PMEFs support NEFs to ensure the Nation can continue to function before,
during, and after a catastrophic emergency. Effective risk management will strengthen
organizational resilience, improve readiness, and enhance the Nation’s resilience.
⁴ Presidential Policy Directive (PPD) 21, Critical Infrastructure Security and Resilience, February 12, 2013, p. 12;
USA Patriot Act of 2001, Section 1016(e) (42 U.S.C. 5195c(e)).