For Immediate Release
Office of the Press Secretary
December 17, 2003
Homeland Security Presidential Directive/HSPD-7
Subject: Critical Infrastructure Identification, Prioritization, and Protection
Purpose
(1) This directive establishes a national policy for Federal departments and agencies to identify
and prioritize United States critical infrastructure and key resources and to protect them from
terrorist attacks.
Background
(2) Terrorists seek to destroy, incapacitate, or exploit critical infrastructure and key resources
across the United States to threaten national security, cause mass casualties, weaken our
economy, and damage public morale and confidence.
(3) America's open and technologically complex society includes a wide array of critical
infrastructure and key resources that are potential terrorist targets. The majority of these are
owned and operated by the private sector and State or local governments. These critical
infrastructures and key resources are both physical and cyber-based and span all sectors of the
economy.
(4) Critical infrastructure and key resources provide the essential services that underpin American
society. The Nation possesses numerous key resources, whose exploitation or destruction by
terrorists could cause catastrophic health effects or mass casualties comparable to those from
the use of a weapon of mass destruction, or could profoundly affect our national prestige and
morale. In addition, there is critical infrastructure so vital that its incapacitation, exploitation, or
destruction, through terrorist attack, could have a debilitating effect on security and economic
well-being.
(5) While it is not possible to protect or eliminate the vulnerability of all critical infrastructure and
key resources throughout the country, strategic improvements in security can make it more
difficult for attacks to succeed and can lessen the impact of attacks that may occur. In addition to
strategic security enhancements, tactical security improvements can be rapidly implemented to
deter, mitigate, or neutralize potential attacks.
Definitions
(6) In this directive:
(a) The term "critical infrastructure" has the meaning given to that term in section 1016(e)
of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).
(b) The term "key resources" has the meaning given that term in section 2(9) of the
Homeland Security Act of 2002 (6 U.S.C. 101(9)).
(c) The term "the Department" means the Department of Homeland Security.
(d) The term "Federal departments and agencies" means those executive departments
enumerated in 5 U.S.C. 101, and the Department of Homeland Security; independent
establishments as defined by 5 U.S.C. 104(1); Government corporations as defined by 5
U.S.C. 103(1); and the United States Postal Service.
(e) The terms "State," and "local government," when used in a geographical sense, have
the same meanings given to those terms in section 2 of the Homeland Security Act of
2002 (6 U.S.C. 101).
(f) The term "the Secretary" means the Secretary of Homeland Security.
(g) The term "Sector-Specific Agency" means a Federal department or agency
responsible for infrastructure protection activities in a designated critical infrastructure
sector or key resources category. Sector-Specific Agencies will conduct their activities
under this directive in accordance with guidance provided by the Secretary.
(h) The terms "protect" and "secure" mean reducing the vulnerability of critical
infrastructure or key resources in order to deter, mitigate, or neutralize terrorist attacks.
Policy
(7) It is the policy of the United States to enhance the protection of our Nation's critical
infrastructure and key resources against terrorist acts that could:
(a) cause catastrophic health effects or mass casualties comparable to those from the
use of a weapon of mass destruction;
(b) impair Federal departments and agencies' abilities to perform essential missions, or to
ensure the public's health and safety;
(c) undermine State and local government capacities to maintain order and to deliver
minimum essential public services;
(d) damage the private sector's capability to ensure the orderly functioning of the
economy and delivery of essential services;
(e) have a negative effect on the economy through the cascading disruption of other
critical infrastructure and key resources; or
(f) undermine the public's morale and confidence in our national economic and political
institutions.
(8) Federal departments and agencies will identify, prioritize, and coordinate the protection of
critical infrastructure and key resources in order to prevent, deter, and mitigate the effects of
deliberate efforts to destroy, incapacitate, or exploit them. Federal departments and agencies will
work with State and local governments and the private sector to accomplish this objective.
(9) Federal departments and agencies will ensure that homeland security programs do not
diminish the overall economic security of the United States.
(10) Federal departments and agencies will appropriately protect information associated with
carrying out this directive, including handling voluntarily provided information and information that
would facilitate terrorist targeting of critical infrastructure and key resources consistent with the
Homeland Security Act of 2002 and other applicable legal authorities.
(11) Federal departments and agencies shall implement this directive in a manner consistent with
applicable provisions of law, including those protecting the rights of United States persons.
Roles and Responsibilities of the Secretary
(12) In carrying out the functions assigned in the Homeland Security Act of 2002, the Secretary
shall be responsible for coordinating the overall national effort to enhance the protection of the
critical infrastructure and key resources of the United States. The Secretary shall serve as the
principal Federal official to lead, integrate, and coordinate implementation of efforts among
Federal departments and agencies, State and local governments, and the private sector to
protect critical infrastructure and key resources. (13) Consistent with this directive, the Secretary
will identify, prioritize, and coordinate the protection of critical infrastructure and key resources
with an emphasis on critical infrastructure and key resources that could be exploited to cause
catastrophic health effects or mass casualties comparable to those from the use of a weapon of
mass destruction.
(14) The Secretary will establish uniform policies, approaches, guidelines, and methodologies for
integrating Federal infrastructure protection and risk management activities within and across
sectors along with metrics and criteria for related programs and activities.
(15) The Secretary shall coordinate protection activities for each of the following critical
infrastructure sectors: information technology; telecommunications; chemical; transportation
systems, including mass transit, aviation, maritime, ground/surface, and rail and pipeline systems;
emergency services; and postal and shipping. The Department shall coordinate with appropriate
departments and agencies to ensure the protection of other key resources including dams,
government facilities, and commercial facilities. In addition, in its role as overall cross-sector
coordinator, the Department shall also evaluate the need for and coordinate the coverage of
additional critical infrastructure and key resources categories over time, as appropriate.
(16) The Secretary will continue to maintain an organization to serve as a focal point for the
security of cyberspace. The organization will facilitate interactions and collaborations between
and among Federal departments and agencies, State and local governments, the private sector,
academia and international organizations. To the extent permitted by law, Federal departments
and agencies with cyber expertise, including but not limited to the Departments of Justice,
Commerce, the Treasury, Defense, Energy, and State, and the Central Intelligence Agency, will
collaborate with and support the organization in accomplishing its mission. The organization's
mission includes analysis, warning, information sharing, vulnerability reduction, mitigation, and
aiding national recovery efforts for critical infrastructure information systems. The organization will
support the Department of Justice and other law enforcement agencies in their continuing
missions to investigate and prosecute threats to and attacks against cyberspace, to the extent
permitted by law.
(17) The Secretary will work closely with other Federal departments and agencies, State and
local governments, and the private sector in accomplishing the objectives of this directive.
Roles and Responsibilities of Sector-Specific Federal Agencies
(18) Recognizing that each infrastructure sector possesses its own unique characteristics and
operating models, there are designated Sector-Specific Agencies, including:
(a) Department of Agriculture -- agriculture, food (meat, poultry, egg products);
(b) Health and Human Services -- public health, healthcare, and food (other than meat,
poultry, egg products);
(c) Environmental Protection Agency -- drinking water and water treatment systems;
(d) Department of Energy -- energy, including the production refining, storage, and
distribution of oil and gas, and electric power except for commercial nuclear power
facilities;
(e) Department of the Treasury -- banking and finance;
(f) Department of the Interior -- national monuments and icons; and
(g) Department of Defense -- defense industrial base.
(19) In accordance with guidance provided by the Secretary, Sector-Specific Agencies shall:
(a) collaborate with all relevant Federal departments and agencies, State and local
governments, and the private sector, including with key persons and entities in their
infrastructure sector;
(b) conduct or facilitate vulnerability assessments of the sector; and
(c) encourage risk management strategies to protect against and mitigate the effects of
attacks against critical infrastructure and key resources.
(20) Nothing in this directive alters, or impedes the ability to carry out, the authorities of the
Federal departments and agencies to perform their responsibilities under law and consistent with
applicable legal authorities and presidential guidance.
(21) Federal departments and agencies shall cooperate with the Department in implementing this
directive, consistent with the Homeland Security Act of 2002 and other applicable legal
authorities.
Roles and Responsibilities of Other Departments, Agencies, and Offices
(22) In addition to the responsibilities given the Department and Sector-Specific Agencies, there
are special functions of various Federal departments and agencies and components of the
Executive Office of the President related to critical infrastructure and key resources protection.
(a) The Department of State, in conjunction with the Department, and the Departments of
Justice, Commerce, Defense, the Treasury and other appropriate agencies, will work with
foreign countries and international organizations to strengthen the protection of United
States critical infrastructure and key resources.
(b) The Department of Justice, including the Federal Bureau of Investigation, will reduce
domestic terrorist threats, and investigate and prosecute actual or attempted terrorist
attacks on, sabotage of, or disruptions of critical infrastructure and key resources. The
Attorney General and the Secretary shall use applicable statutory authority and attendant
mechanisms for cooperation and coordination, including but not limited to those
established by presidential directive.
(c) The Department of Commerce, in coordination with the Department, will work with
private sector, research, academic, and government organizations to improve technology
for cyber systems and promote other critical infrastructure efforts, including using its
authority under the Defense Production Act to assure the timely availability of industrial
products, materials, and services to meet homeland security requirements.
(d) A Critical Infrastructure Protection Policy Coordinating Committee will advise the
Homeland Security Council on interagency policy related to physical and cyber
infrastructure protection. This PCC will be chaired by a Federal officer or employee
designated by the Assistant to the President for Homeland Security.
(e) The Office of Science and Technology Policy, in coordination with the Department,
will coordinate interagency research and development to enhance the protection of
critical infrastructure and key resources.
(f) The Office of Management and Budget (OMB) shall oversee the implementation of
government-wide policies, principles, standards, and guidelines for Federal government
computer security programs. The Director of OMB will ensure the operation of a central
Federal information security incident center consistent with the requirements of the
Federal Information Security Management Act of 2002.
(g) Consistent with the E-Government Act of 2002, the Chief Information Officers Council
shall be the principal interagency forum for improving agency practices related to the
design, acquisition, development, modernization, use, operation, sharing, and
performance of information resources of Federal departments and agencies.
(h) The Department of Transportation and the Department will collaborate on all matters
relating to transportation security and transportation infrastructure protection. The
Department of Transportation is responsible for operating the national air space system.
The Department of Transportation and the Department will collaborate in regulating the
transportation of hazardous materials by all modes (including pipelines).
(i) All Federal departments and agencies shall work with the sectors relevant to their
responsibilities to reduce the consequences of catastrophic failures not caused by
terrorism.
(23) The heads of all Federal departments and agencies will coordinate and cooperate with the
Secretary as appropriate and consistent with their own responsibilities for protecting critical
infrastructure and key resources.
(24) All Federal department and agency heads are responsible for the identification, prioritization,
assessment, remediation, and protection of their respective internal critical infrastructure and key
resources. Consistent with the Federal Information Security Management Act of 2002, agencies
will identify and provide information security protections commensurate with the risk and
magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information.
Coordination with the Private Sector
(25) In accordance with applicable laws or regulations, the Department and the Sector-Specific
Agencies will collaborate with appropriate private sector entities and continue to encourage the
development of information sharing and analysis mechanisms. Additionally, the Department and
Sector-Specific Agencies shall collaborate with the private sector and continue to support sectorcoordinating mechanisms:
(a) to identify, prioritize, and coordinate the protection of critical infrastructure and key
resources; and
(b) to facilitate sharing of information about physical and cyber threats, vulnerabilities,
incidents, potential protective measures, and best practices.
National Special Security Events
(26) The Secretary, after consultation with the Homeland Security Council, shall be responsible
for designating events as "National Special Security Events" (NSSEs). This directive supersedes
language in previous presidential directives regarding the designation of NSSEs that is
inconsistent herewith.
Implementation
(27) Consistent with the Homeland Security Act of 2002, the Secretary shall produce a
comprehensive, integrated National Plan for Critical Infrastructure and Key Resources Protection
to outline national goals, objectives, milestones, and key initiatives within 1 year from the
issuance of this directive. The Plan shall include, in addition to other Homeland Security-related
elements as the Secretary deems appropriate, the following elements:
(a) a strategy to identify, prioritize, and coordinate the protection of critical infrastructure
and key resources, including how the Department intends to work with Federal
departments and agencies, State and local governments, the private sector, and foreign
countries and international organizations;
(b) a summary of activities to be undertaken in order to: define and prioritize, reduce the
vulnerability of, and coordinate the protection of critical infrastructure and key resources;
(c) a summary of initiatives for sharing critical infrastructure and key resources
information and for providing critical infrastructure and key resources threat warning data
to State and local governments and the private sector; and
(d) coordination and integration, as appropriate, with other Federal emergency
management and preparedness activities including the National Response Plan and
applicable national preparedness goals.
(28) The Secretary, consistent with the Homeland Security Act of 2002 and other applicable legal
authorities and presidential guidance, shall establish appropriate systems, mechanisms, and
procedures to share homeland security information relevant to threats and vulnerabilities in
national critical infrastructure and key resources with other Federal departments and agencies,
State and local governments, and the private sector in a timely manner.
(29) The Secretary will continue to work with the Nuclear Regulatory Commission and, as
appropriate, the Department of Energy in order to ensure the necessary protection of:
(a) commercial nuclear reactors for generating electric power and non-power nuclear
reactors used for research, testing, and training;
(b) nuclear materials in medical, industrial, and academic settings and facilities that
fabricate nuclear fuel; and
(c) the transportation, storage, and disposal of nuclear materials and waste.
(30) In coordination with the Director of the Office of Science and Technology Policy, the
Secretary shall prepare on an annual basis a Federal Research and Development Plan in support
of this directive.
(31) The Secretary will collaborate with other appropriate Federal departments and agencies to
develop a program, consistent with applicable law, to geospatially map, image, analyze, and sort
critical infrastructure and key resources by utilizing commercial satellite and airborne systems,
and existing capabilities within other agencies. National technical means should be considered as
an option of last resort. The Secretary, with advice from the Director of Central Intelligence, the
Secretaries of Defense and the Interior, and the heads of other appropriate Federal departments
and agencies, shall develop mechanisms for accomplishing this initiative. The Attorney General
shall provide legal advice as necessary.
(32) The Secretary will utilize existing, and develop new, capabilities as needed to model
comprehensively the potential implications of terrorist exploitation of vulnerabilities in critical
infrastructure and key resources, placing specific focus on densely populated areas. Agencies
with relevant modeling capabilities shall cooperate with the Secretary to develop appropriate
mechanisms for accomplishing this initiative.
(33) The Secretary will develop a national indications and warnings architecture for infrastructure
protection and capabilities that will facilitate:
(a) an understanding of baseline infrastructure operations;
(b) the identification of indicators and precursors to an attack; and
(c) a surge capacity for detecting and analyzing patterns of potential attacks.
In developing a national indications and warnings architecture, the Department will work with
Federal, State, local, and non-governmental entities to develop an integrated view of physical and
cyber infrastructure and key resources.
(34) By July 2004, the heads of all Federal departments and agencies shall develop and submit
to the Director of the OMB for approval plans for protecting the physical and cyber critical
infrastructure and key resources that they own or operate. These plans shall address
identification, prioritization, protection, and contingency planning, including the recovery and
reconstitution of essential capabilities.
(35) On an annual basis, the Sector-Specific Agencies shall report to the Secretary on their
efforts to identify, prioritize, and coordinate the protection of critical infrastructure and key
resources in their respective sectors. The report shall be submitted within 1 year from the
issuance of this directive and on an annual basis thereafter.
(36) The Assistant to the President for Homeland Security and the Assistant to the President for
National Security Affairs will lead a national security and emergency preparedness
communications policy review, with the heads of the appropriate Federal departments and
agencies, related to convergence and next generation architecture. Within 6 months after the
issuance of this directive, the Assistant to the President for Homeland Security and the Assistant
to the President for National Security Affairs shall submit for my consideration any recommended
changes to such policy.
(37) This directive supersedes Presidential Decision Directive/NSC-63 of May 22, 1998 ("Critical
Infrastructure Protection"), and any Presidential directives issued prior to this directive to the
extent of any inconsistency. Moreover, the Assistant to the President for Homeland Security and
the Assistant to the President for National Security Affairs shall jointly submit for my consideration
a Presidential directive to make changes in Presidential directives issued prior to this date that
conform such directives to this directive.
(38) This directive is intended only to improve the internal management of the executive branch of
the Federal Government, and it is not intended to, and does not, create any right or benefit,
substantive or procedural, enforceable at law or in equity, against the United States, its
departments, agencies, or other entities, its officers or employees, or any other person.
GEORGE W. BUSH
###
| File Type | application/pdf |
| File Title | Microsoft Word - HSPD-71.doc |
| Author | kliggek |
| File Modified | 2012-03-21 |
| File Created | 2003-12-18 |