Enclosure 1

1. USE PPD 63 AS BASE DOCUMENT: Start with PDD 63 and the National Strategy for the Physical Protection of Critical Infrastructure and Key Assets as common base documents for federal, state and local efforts. The number of sectors may need to be expanded; however, the important thing is to put someone in charge of each sector---a sector captain---at the federal and state levels.

2. CONDUCT A VULNENABILITY ASSESSMENT: The sector captain should assess in terms of vulnerability their sector for critical infrastructure—both private and public. That assessment should result in physical and cyber based systems being classified and prioritized according to criticality.

3. ESTABLISH PRIORITIES: A common definition for each priority level must be developed. The more specific the definition of these levels, the better the common understanding of these levels of security across the public and private sectors. After the definitions are agreed upon, simultaneous assessment efforts can start at the state and federal level. Local input into this process is mandatory.

4. USE ESTABLISHED POINTS OF CONTACT: The state points of contact are already established through the Department of Homeland Security. There may be some changes to these Points of Contacts as the states continue to refine and focus their efforts, but this data should provide a good starting point.

5. INTEGRATE PRIORITIZED LISTS: When the assessments have been completed by sector, they need to be integrated into one prioritized national list. The federal government should deal with that infrastructure that services multiple states or regions or is clearly identified as national in scope. The majority of the infrastructure should be left for the states.

6. SHARE CRITICAL INFORMATION: Once the federal list has been approved by the Director for Homeland Security, it should be shared on a close hold basis with each state. The state should then de-conflict any duplication that occurs at their level. The state would also have the responsibility to ensure that all infrastructures, private and public, within their geographical boundaries has been fully considered and prioritized.

7. ORGANIZE: The Department of Homeland Security in coordination with the National Guard should be given the mission of developing and implementing plans to protect all federal Critical infrastructures---and should take lead for the military in the overall effort of combating terrorism on U.S. soil. Depending upon the situation within the state, the National Guard could also protect the state’s critical infrastructure or should at least be given the requirement of validating the state plans to protect that infrastructure.

8. PARTNER WITH PRIVATE INDUSTRY: There are significant private efforts that need to be leveraged. It is in the best interest of private industry to enhance their own security and states need to find a way to synchronize public and private efforts and leverage maximum return on investment. A coordinated plan to protect all state infrastructures must be developed by each state that fully coordinates public and private efforts at the state level. These efforts must find a way to share sensitive information without making that information available to potential terrorists. Critical Infrastructure Information must be protected.

9. ADDRESS THE RESOURCE ISSUE: Resources will clearly be an issue but not an insurmountable obstacle. In the development of this homeland security plan, bands of preparedness need to be developed with the highest band of preparedness being “resource unconstrained”. Realistically that will have to be modified but should not be modified until the best level of protection that can be provided our citizens has been determined. The minimum level of protection should be that associated with protecting the critical infrastructure identified during the assessment process. The development of such a system would give decision makers a way of applying finite resources in order to achieve realistic goals over time.

10. PROVIDE FOR MINIMUM LEVEL PROTECTION ASAP: The resources required to provide the minimum level of protection should be established and those resources provided through a combination of federal, state and private funding as quickly as possible. Obviously, the proper level of initial protection required is a collective decision; however, the paradigm in place should allow decision makers to make a risk benefit analysis and determine that level of funding.

11. INSTITUTIONALIZE THE EFFORT: To institutionalize this effort regional Centers of Excellence (COE) and Information Sharing and Analysis Organizations need to be established across the United States. They could provide an independent assessment of the plans in their region and also provide a means of improving identified weaknesses in areas of training, equipping and technology. These COEs should take a holistic approach to preparedness so that the various efforts are fully integrated and not stove piped as they are under the current system. Many of these centers exist but their efforts are not fully coordinated or leveraged.

12. EXECUTE THE LONG-RANGE PLAN: Finally, a long-range plan must be developed, reviewed annually and updated as required. The goal of the long-range plan should be to provide the optimum level of security for each state and its citizens over time. The National Response Plan and National Incident Management System must be finalized.