Regional Resilience Assessment Program: Frequently Asked Questions
Q1: How do I know if my facility qualifies as critical infrastructure?
A1: Public Safety Canada conducts on-site assessments through the Regional Resilience Assessment Program (RRAP) across the ten sectors identified in Canada’s National Strategy on Critical Infrastructure:
- Information and Communication Technology
- Energy and Utilities
In addition, select other assets, such as places of mass gathering (e.g. stadiums), may qualify for assessments in certain circumstances. Should you have any questions, please email firstname.lastname@example.org.
Q2: Do you gather any commercial intellectual property in your assessments?
A2: No. The assessments focus on the characteristics of a facility’s physical resilience, emergency preparedness, and cyber security posture.
Q3: How is assessment information kept secure at Public Safety Canada, and what is it used for?
A3: Assessment data is kept on an encrypted, air-gapped, off-network system, and data is protected from release under federal access to information laws. The Department does not share data on individual facilities outside of the Public Safety Portfolio without the prior written consent of the organization. Aggregated and anonymized data is used by Public Safety Canada for analytical purposes to identify sectoral or geographic trends. Reports outlining these trends may be shared with relevant critical infrastructure stakeholders. At no time do these reports contain individually identifiable information about a specific facility or organization.
Q4: What products do participants receive from an assessment?
A4: Participants receive comprehensive reports that include their scores, how they compare to industry peers, and options for consideration on how to enhance resilience, physical security and cyber security. Specifically, products that participating organizations receive include:
- a detailed report with options for consideration (CIRT);
- an interactive dashboard that shows scores for all questions and can be used to build real-time scenarios (CIRT);
- a virtual rendering (360 degree photos) of the facility that can be shared proactively with first responders (CIMT);
- a detailed analysis of cyber maturity against 10 cyber security domains, as well as resilience enhancement options (CCRR); and
- a Chief Executive Officer Summary for cyber health (CCRR).
Q5: My facility’s scores are compared to the scores of similar U.S. facilities. Is Canadian data available?
A5: The RRAP team is working towards being able to provide Canadian comparative averages over time. Presently, more U.S. data is available, and it provides a strong baseline for similar facilities in Canada. Where sufficient data exists, some comparison with Canadian facilities can be made.
Q6: Can Public Safety Canada share the question set in advance of the assessment?
A6: The entire question set includes about 1,500 variables. Instead of providing the entire question set, the RRAP team provides information on the key components of physical security, resilience and cybersecurity that are evaluated in the assessment. Owner/operators can use this information to ensure that the appropriate staff are made available to answer questions during the assessment.
Q7: Where can we go to get more information regarding the options for consideration you provided to better enhance our resilience and security?
A7: If you have more specific questions regarding the outcome of your assessment, you can contact the lead assessor (i.e. the individual who provided you with the original report). The assessor can provide you with alternative resources to implement the options for consideration recommended in the report. An important outcome of RRAP assessments is to create a relationship between critical infrastructure owners and operators, Public Safety Canada, and other relevant stakeholders to enhance information sharing.
Q8: What do the Protective Measures Index (PMI) and Resilience Measures Index (RMI) numbers mean?
A8: The PMI and the RMI are scores produced from the facility-level assessment that range from 0 to 100. The PMI uses a subset of the CIRT’s variables in order to produce an estimate of the facility’s protective measures, and is derived from five components: Physical Security, Security Management, Security Force Profile, Information Sharing and Security Activity Background. The RMI produces an estimate of the facility’s ability to anticipate, resist, absorb, respond to, adapt to, and recover from a disturbance and maintain an acceptable level of operation. The RMI is derived from four components: Preparedness, Mitigation Measures, Response Capabilities, and Recovery Mechanisms.