EXECUTIVE ORDER
- - - - - - -
IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY
By the authority vested in me as President by the Constitution and
the laws of the United States of America, it is hereby ordered as
follows:
Section 1.
Policy. Repeated cyber intrusions
into critical infrastructure demonstrate the need for improved
cybersecurity. The cyber threat to critical infrastructure continues to
grow and represents one of the most serious national security challenges
we must confront. The national and economic security of the United
States depends on the reliable functioning of the Nation's critical
infrastructure in the face of such threats. It is the policy of the
United States to enhance the security and resilience of the Nation's
critical infrastructure and to maintain a cyber environment that
encourages efficiency, innovation, and economic prosperity while
promoting safety, security, business confidentiality, privacy, and civil
liberties. We can achieve these goals through a partnership with the
owners and operators of critical infrastructure to improve cybersecurity
information sharing and collaboratively develop and implement
risk-based standards.
Sec.
2.
Critical Infrastructure. As used in this
order, the term critical infrastructure means systems and assets,
whether physical or virtual, so vital to the United States that the
incapacity or destruction of such systems and assets would have a
debilitating impact on security, national economic security, national
public health or safety, or any combination of those matters.
Sec.
3.
Policy Coordination. Policy
coordination, guidance, dispute resolution, and periodic in-progress
reviews for the functions and programs described and assigned herein
shall be provided through the interagency process established in
Presidential Policy Directive-1 of February 13, 2009 (Organization of
the National Security Council System), or any successor.
Sec.
4.
Cybersecurity Information Sharing. (a)
It is the policy of the United States Government to increase the volume,
timeliness, and quality of cyber threat information shared with U.S.
private sector entities so that these entities may better protect and
defend themselves against cyber threats. Within 120 days of the date of
this order, the Attorney General, the Secretary of Homeland Security
(the "Secretary"), and the Director of National Intelligence shall each
issue instructions consistent with their authorities and with the
requirements of section 12(c) of this order to ensure the timely
production of unclassified reports of cyber threats to the U.S. homeland
that identify a specific targeted entity. The instructions shall
address the need to protect intelligence and law enforcement sources,
methods, operations, and investigations.
(b) The Secretary and the Attorney General, in coordination with the
Director of National Intelligence, shall establish a process that
rapidly disseminates the reports produced pursuant to section 4(a) of
this order to the targeted entity. Such process shall also, consistent
with the need to protect national security information, include the
dissemination of classified reports to critical infrastructure entities
authorized to receive them. The Secretary and the Attorney General, in
coordination with the Director of National Intelligence, shall establish
a system for tracking the production, dissemination, and disposition of
these reports.
(c) To assist the owners and operators of critical infrastructure in
protecting their systems from unauthorized access, exploitation, or
harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration
with the Secretary of Defense, shall, within 120 days of the date of
this order, establish procedures to expand the Enhanced Cybersecurity
Services program to all critical infrastructure sectors. This voluntary
information sharing program will provide classified cyber threat and
technical information from the Government to eligible critical
infrastructure companies or commercial service providers that offer
security services to critical infrastructure.
(d) The Secretary, as the Executive Agent for the Classified National
Security Information Program created under Executive Order 13549 of
August 18, 2010 (Classified National Security Information Program for
State, Local, Tribal, and Private Sector Entities), shall expedite the
processing of security clearances to appropriate personnel employed by
critical infrastructure owners and operators, prioritizing the critical
infrastructure identified in section 9 of this order.
(e) In order to maximize the utility of cyber threat information
sharing with the private sector, the Secretary shall expand the use of
programs that bring private sector subject-matter experts into Federal
service on a temporary basis. These subject matter experts should
provide advice regarding the content, structure, and types of
information most useful to critical infrastructure owners and operators
in reducing and mitigating cyber risks.
Sec.
5.
Privacy and Civil Liberties Protections.
(a) Agencies shall coordinate their activities under this order with
their senior agency officials for privacy and civil liberties and ensure
that privacy and civil liberties protections are incorporated into such
activities. Such protections shall be based upon the Fair Information
Practice Principles and other privacy and civil liberties policies,
principles, and frameworks as they apply to each agency's activities.
(b) The Chief Privacy Officer and the Officer for Civil Rights and
Civil Liberties of the Department of Homeland Security (DHS) shall
assess the privacy and civil liberties risks of the functions and
programs undertaken by DHS as called for in this order and shall
recommend to the Secretary ways to minimize or mitigate such risks, in a
publicly available report, to be released within 1 year of the date of
this order. Senior agency privacy and civil liberties officials for
other agencies engaged in activities under this order shall conduct
assessments of their agency activities and provide those assessments to
DHS for consideration and inclusion in the report. The report shall be
reviewed on an annual basis and revised as necessary. The report may
contain a classified annex if necessary. Assessments shall include
evaluation of activities against the Fair Information Practice
Principles and other applicable privacy and civil liberties policies,
principles, and frameworks. Agencies shall consider the assessments and
recommendations of the report in implementing privacy and civil
liberties protections for agency activities.
(c) In producing the report required under subsection (b) of this
section, the Chief Privacy Officer and the Officer for Civil Rights and
Civil Liberties of DHS shall consult with the Privacy and Civil
Liberties Oversight Board and coordinate with the Office of Management
and Budget (OMB).
(d) Information submitted voluntarily in accordance with 6 U.S.C. 133
by private entities under this order shall be protected from disclosure
to the fullest extent permitted by law.
Sec.
6.
Consultative Process. The Secretary
shall establish a consultative process to coordinate improvements to the
cybersecurity of critical infrastructure. As part of the consultative
process, the Secretary shall engage and consider the advice, on matters
set forth in this order, of the Critical Infrastructure Partnership
Advisory Council; Sector Coordinating Councils; critical infrastructure
owners and operators; Sector-Specific Agencies; other relevant agencies;
independent regulatory agencies; State, local, territorial, and tribal
governments; universities; and outside experts.
Sec.
7.
Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.
(a) The Secretary of Commerce shall direct the Director of the National
Institute of Standards and Technology (the "Director") to lead the
development of a framework to reduce cyber risks to critical
infrastructure (the "Cybersecurity Framework"). The Cybersecurity
Framework shall include a set of standards, methodologies, procedures,
and processes that align policy, business, and technological approaches
to address cyber risks. The Cybersecurity Framework shall incorporate
voluntary consensus standards and industry best practices to the fullest
extent possible. The Cybersecurity Framework shall be consistent with
voluntary international standards when such international standards will
advance the objectives of this order, and shall meet the requirements
of the National Institute of Standards and Technology Act, as amended
(15 U.S.C. 271 et seq.), the National Technology Transfer and
Advancement Act of 1995 (Public Law 104-113), and OMB Circular A-119, as
revised.
(b) The Cybersecurity Framework shall provide a prioritized,
flexible, repeatable, performance-based, and cost-effective approach,
including information security measures and controls, to help owners and
operators of critical infrastructure identify, assess, and manage cyber
risk. The Cybersecurity Framework shall focus on identifying
cross-sector security standards and guidelines applicable to critical
infrastructure. The Cybersecurity Framework will also identify areas for
improvement that should be addressed through future collaboration with
particular sectors and standards-developing organizations. To enable
technical innovation and account for organizational differences, the
Cybersecurity Framework will provide guidance that is technology neutral
and that enables critical infrastructure sectors to benefit from a
competitive market for products and services that meet the standards,
methodologies, procedures, and processes developed to address cyber
risks. The Cybersecurity Framework shall include guidance for measuring
the performance of an entity in implementing the Cybersecurity
Framework.
(c) The Cybersecurity Framework shall include methodologies to
identify and mitigate impacts of the Cybersecurity Framework and
associated information security measures or controls on business
confidentiality, and to protect individual privacy and civil liberties.
(d) In developing the Cybersecurity Framework, the Director shall
engage in an open public review and comment process. The Director shall
also consult with the Secretary, the National Security Agency,
Sector-Specific Agencies and other interested agencies including OMB,
owners and operators of critical infrastructure, and other stakeholders
through the consultative process established in section 6 of this order.
The Secretary, the Director of National Intelligence, and the heads of
other relevant agencies shall provide threat and vulnerability
information and technical expertise to inform the development of the
Cybersecurity Framework. The Secretary shall provide performance goals
for the Cybersecurity Framework informed by work under section 9 of this
order.
(e) Within 240 days of the date of this order, the Director shall
publish a preliminary version of the Cybersecurity Framework (the
"preliminary Framework"). Within 1 year of the date of this order, and
after coordination with the Secretary to ensure suitability under
section 8 of this order, the Director shall publish a final version of
the Cybersecurity Framework (the "final Framework").
(f) Consistent with statutory responsibilities, the Director will
ensure the Cybersecurity Framework and related guidance is reviewed and
updated as necessary, taking into consideration technological changes,
changes in cyber risks, operational feedback from owners and operators
of critical infrastructure, experience from the implementation of
section 8 of this order, and any other relevant factors.
Sec.
8.
Voluntary Critical Infrastructure Cybersecurity Program.
(a) The Secretary, in coordination with Sector-Specific Agencies, shall
establish a voluntary program to support the adoption of the
Cybersecurity Framework by owners and operators of critical
infrastructure and any other interested entities (the "Program").
(b) Sector-Specific Agencies, in consultation with the Secretary and
other interested agencies, shall coordinate with the Sector Coordinating
Councils to review the Cybersecurity Framework and, if necessary,
develop implementation guidance or supplemental materials to address
sector-specific risks and operating environments.
(c) Sector-Specific Agencies shall report annually to the President,
through the Secretary, on the extent to which owners and operators
notified under section 9 of this order are participating in the Program.
(d) The Secretary shall coordinate establishment of a set of
incentives designed to promote participation in the Program. Within 120
days of the date of this order, the Secretary and the Secretaries of the
Treasury and Commerce each shall make recommendations separately to the
President, through the Assistant to the President for Homeland Security
and Counterterrorism and the Assistant to the President for Economic
Affairs, that shall include analysis of the benefits and relative
effectiveness of such incentives, and whether the incentives would
require legislation or can be provided under existing law and
authorities to participants in the Program.
(e) Within 120 days of the date of this order, the Secretary of
Defense and the Administrator of General Services, in consultation with
the Secretary and the Federal Acquisition Regulatory Council, shall make
recommendations to the President, through the Assistant to the
President for Homeland Security and Counterterrorism and the Assistant
to the President for Economic Affairs, on the feasibility, security
benefits, and relative merits of incorporating security standards into
acquisition planning and contract administration. The report shall
address what steps can be taken to harmonize and make consistent
existing procurement requirements related to cybersecurity.
Sec.
9.
Identification of Critical Infrastructure at Greatest Risk.
(a) Within 150 days of the date of this order, the Secretary shall use a
risk-based approach to identify critical infrastructure where a
cybersecurity incident could reasonably result in catastrophic regional
or national effects on public health or safety, economic security, or
national security. In identifying critical infrastructure for this
purpose, the Secretary shall use the consultative process established in
section 6 of this order and draw upon the expertise of Sector-Specific
Agencies. The Secretary shall apply consistent, objective criteria in
identifying such critical infrastructure. The Secretary shall not
identify any commercial information technology products or consumer
information technology services under this section. The Secretary shall
review and update the list of identified critical infrastructure under
this section on an annual basis, and provide such list to the President,
through the Assistant to the President for Homeland Security and
Counterterrorism and the Assistant to the President for Economic
Affairs.
(b) Heads of Sector-Specific Agencies and other relevant agencies
shall provide the Secretary with information necessary to carry out the
responsibilities under this section. The Secretary shall develop a
process for other relevant stakeholders to submit information to assist
in making the identifications required in subsection (a) of this
section.
(c) The Secretary, in coordination with Sector-Specific Agencies,
shall confidentially notify owners and operators of critical
infrastructure identified under subsection (a) of this section that they
have been so identified, and ensure identified owners and operators are
provided the basis for the determination. The Secretary shall establish
a process through which owners and operators of critical infrastructure
may submit relevant information and request reconsideration of
identifications under subsection (a) of this section.
Sec.
10.
Adoption of Framework. (a) Agencies
with responsibility for regulating the security of critical
infrastructure shall engage in a consultative process with DHS, OMB, and
the National Security Staff to review the preliminary Cybersecurity
Framework and determine if current cybersecurity regulatory requirements
are sufficient given current and projected risks. In making such
determination, these agencies shall consider the identification of
critical infrastructure required under section 9 of this order. Within
90 days of the publication of the preliminary Framework, these agencies
shall submit a report to the President, through the Assistant to the
President for Homeland Security and Counterterrorism, the Director of
OMB, and the Assistant to the President for Economic Affairs, that
states whether or not the agency has clear authority to establish
requirements based upon the Cybersecurity Framework to sufficiently
address current and projected cyber risks to critical infrastructure,
the existing authorities identified, and any additional authority
required.
(b) If current regulatory requirements are deemed to be insufficient,
within 90 days of publication of the final Framework, agencies
identified in subsection (a) of this section shall propose prioritized,
risk-based, efficient, and coordinated actions, consistent with
Executive Order 12866 of September 30, 1993 (Regulatory Planning and
Review), Executive Order 13563 of January 18, 2011 (Improving Regulation
and Regulatory Review), and Executive Order 13609 of May 1, 2012
(Promoting International Regulatory Cooperation), to mitigate cyber
risk.
(c) Within 2 years after publication of the final Framework,
consistent with Executive Order 13563 and Executive Order 13610 of May
10, 2012 (Identifying and Reducing Regulatory Burdens), agencies
identified in subsection (a) of this section shall, in consultation with
owners and operators of critical infrastructure, report to OMB on any
critical infrastructure subject to ineffective, conflicting, or
excessively burdensome cybersecurity requirements. This report shall
describe efforts made by agencies, and make recommendations for further
actions, to minimize or eliminate such requirements.
(d) The Secretary shall coordinate the provision of technical
assistance to agencies identified in subsection (a) of this section on
the development of their cybersecurity workforce and programs.
(e) Independent regulatory agencies with responsibility for
regulating the security of critical infrastructure are encouraged to
engage in a consultative process with the Secretary, relevant
Sector-Specific Agencies, and other affected parties to consider
prioritized actions to mitigate cyber risks for critical infrastructure
consistent with their authorities.
Sec.
11.
Definitions. (a) "Agency" means any
authority of the United States that is an "agency" under 44 U.S.C.
3502(1), other than those considered to be independent regulatory
agencies, as defined in 44 U.S.C. 3502(5).
(b) "Critical Infrastructure Partnership Advisory Council" means the
council established by DHS under 6 U.S.C. 451 to facilitate effective
interaction and coordination of critical infrastructure protection
activities among the Federal Government; the private sector; and State,
local, territorial, and tribal governments.
(c) "Fair Information Practice Principles" means the eight principles
set forth in Appendix A of the National Strategy for Trusted Identities
in Cyberspace.
(d) "Independent regulatory agency" has the meaning given the term in 44 U.S.C. 3502(5).
(e) "Sector Coordinating Council" means a private sector coordinating
council composed of representatives of owners and operators within a
particular sector of critical infrastructure established by the National
Infrastructure Protection Plan or any successor.
(f) "Sector-Specific Agency" has the meaning given the term in
Presidential Policy Directive-21 of February 12, 2013 (Critical
Infrastructure Security and Resilience), or any successor.
Sec.
12.
General Provisions. (a) This order
shall be implemented consistent with applicable law and subject to the
availability of appropriations. Nothing in this order shall be construed
to provide an agency with authority for regulating the security of
critical infrastructure in addition to or to a greater extent than the
authority the agency has under existing law. Nothing in this order shall
be construed to alter or limit any authority or responsibility of an
agency under existing law.
(b) Nothing in this order shall be construed to impair or otherwise
affect the functions of the Director of OMB relating to budgetary,
administrative, or legislative proposals.
(c) All actions taken pursuant to this order shall be consistent with
requirements and authorities to protect intelligence and law
enforcement sources and methods. Nothing in this order shall be
interpreted to supersede measures established under authority of law to
protect the security and integrity of specific activities and
associations that are in direct support of intelligence and law
enforcement operations.
(d) This order shall be implemented consistent with U.S. international obligations.
(e) This order is not intended to, and does not, create any right or
benefit, substantive or procedural, enforceable at law or in equity by
any party against the United States, its departments, agencies, or
entities, its officers, employees, or agents, or any other person.
BARACK OBAMA
