PPD-21 Improving Critical Infrastructure Cybersecurity

2013-03915.pdf

CISA Vulnerability Assessments

PPD-21 Improving Critical Infrastructure Cybersecurity

OMB: 1670-0035

Document [pdf]
Download: pdf | pdf
Vol. 78

Tuesday,

No. 33

February 19, 2013

Part III

The President

srobinson on DSK4SPTVN1PROD with MISCELLANEOUS

Executive Order 13636—Improving Critical Infrastructure Cybersecurity

VerDate Mar<15>2010

17:57 Feb 15, 2013

Jkt 229001

PO 00000

Frm 00001

Fmt 4717

Sfmt 4717

E:\FR\FM\19FEE0.SGM

19FEE0

srobinson on DSK4SPTVN1PROD with MISCELLANEOUS

VerDate Mar<15>2010

17:57 Feb 15, 2013

Jkt 229001

PO 00000

Frm 00002

Fmt 4717

Sfmt 4717

E:\FR\FM\19FEE0.SGM

19FEE0

11739

Presidential Documents

Federal Register
Vol. 78, No. 33
Tuesday, February 19, 2013

Title 3—

Executive Order 13636 of February 12, 2013

The President

Improving Critical Infrastructure Cybersecurity
By the authority vested in me as President by the Constitution and the
laws of the United States of America, it is hereby ordered as follows:
Section 1. Policy. Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical
infrastructure continues to grow and represents one of the most serious
national security challenges we must confront. The national and economic
security of the United States depends on the reliable functioning of the
Nation’s critical infrastructure in the face of such threats. It is the policy
of the United States to enhance the security and resilience of the Nation’s
critical infrastructure and to maintain a cyber environment that encourages
efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve
these goals through a partnership with the owners and operators of critical
infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.
Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital
to the United States that the incapacity or destruction of such systems
and assets would have a debilitating impact on security, national economic
security, national public health or safety, or any combination of those matters.

srobinson on DSK4SPTVN1PROD with MISCELLANEOUS

Sec. 3. Policy Coordination. Policy coordination, guidance, dispute resolution,
and periodic in-progress reviews for the functions and programs described
and assigned herein shall be provided through the interagency process established in Presidential Policy Directive–1 of February 13, 2009 (Organization
of the National Security Council System), or any successor.
Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United
States Government to increase the volume, timeliness, and quality of cyber
threat information shared with U.S. private sector entities so that these
entities may better protect and defend themselves against cyber threats.
Within 120 days of the date of this order, the Attorney General, the Secretary
of Homeland Security (the ‘‘Secretary’’), and the Director of National Intelligence shall each issue instructions consistent with their authorities and
with the requirements of section 12(c) of this order to ensure the timely
production of unclassified reports of cyber threats to the U.S. homeland
that identify a specific targeted entity. The instructions shall address the
need to protect intelligence and law enforcement sources, methods, operations, and investigations.
(b) The Secretary and the Attorney General, in coordination with the
Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to
the targeted entity. Such process shall also, consistent with the need to
protect national security information, include the dissemination of classified
reports to critical infrastructure entities authorized to receive them. The
Secretary and the Attorney General, in coordination with the Director of
National Intelligence, shall establish a system for tracking the production,
dissemination, and disposition of these reports.
(c) To assist the owners and operators of critical infrastructure in protecting
their systems from unauthorized access, exploitation, or harm, the Secretary,
consistent with 6 U.S.C. 143 and in collaboration with the Secretary of

VerDate Mar<15>2010

18:55 Feb 15, 2013

Jkt 229001

PO 00000

Frm 00003

Fmt 4705

Sfmt 4790

E:\FR\FM\19FEE0.SGM

19FEE0

11740

Federal Register / Vol. 78, No. 33 / Tuesday, February 19, 2013 / Presidential Documents
Defense, shall, within 120 days of the date of this order, establish procedures
to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide
classified cyber threat and technical information from the Government to
eligible critical infrastructure companies or commercial service providers
that offer security services to critical infrastructure.
(d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August
18, 2010 (Classified National Security Information Program for State, Local,
Tribal, and Private Sector Entities), shall expedite the processing of security
clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section
9 of this order.
(e) In order to maximize the utility of cyber threat information sharing
with the private sector, the Secretary shall expand the use of programs
that bring private sector subject-matter experts into Federal service on a
temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical
infrastructure owners and operators in reducing and mitigating cyber risks.
Sec. 5. Privacy and Civil Liberties Protections. (a) Agencies shall coordinate
their activities under this order with their senior agency officials for privacy
and civil liberties and ensure that privacy and civil liberties protections
are incorporated into such activities. Such protections shall be based upon
the Fair Information Practice Principles and other privacy and civil liberties
policies, principles, and frameworks as they apply to each agency’s activities.
(b) The Chief Privacy Officer and the Officer for Civil Rights and Civil
Liberties of the Department of Homeland Security (DHS) shall assess the
privacy and civil liberties risks of the functions and programs undertaken
by DHS as called for in this order and shall recommend to the Secretary
ways to minimize or mitigate such risks, in a publicly available report,
to be released within 1 year of the date of this order. Senior agency privacy
and civil liberties officials for other agencies engaged in activities under
this order shall conduct assessments of their agency activities and provide
those assessments to DHS for consideration and inclusion in the report.
The report shall be reviewed on an annual basis and revised as necessary.
The report may contain a classified annex if necessary. Assessments shall
include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles,
and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections
for agency activities.

srobinson on DSK4SPTVN1PROD with MISCELLANEOUS

(c) In producing the report required under subsection (b) of this section,
the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties
of DHS shall consult with the Privacy and Civil Liberties Oversight Board
and coordinate with the Office of Management and Budget (OMB).
(d) Information submitted voluntarily in accordance with 6 U.S.C. 133
by private entities under this order shall be protected from disclosure to
the fullest extent permitted by law.
Sec. 6. Consultative Process. The Secretary shall establish a consultative
process to coordinate improvements to the cybersecurity of critical infrastructure. As part of the consultative process, the Secretary shall engage and
consider the advice, on matters set forth in this order, of the Critical Infrastructure Partnership Advisory Council; Sector Coordinating Councils; critical
infrastructure owners and operators; Sector-Specific Agencies; other relevant
agencies; independent regulatory agencies; State, local, territorial, and tribal
governments; universities; and outside experts.
Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.
(a) The Secretary of Commerce shall direct the Director of the National

VerDate Mar<15>2010

18:55 Feb 15, 2013

Jkt 229001

PO 00000

Frm 00004

Fmt 4705

Sfmt 4790

E:\FR\FM\19FEE0.SGM

19FEE0

Federal Register / Vol. 78, No. 33 / Tuesday, February 19, 2013 / Presidential Documents

11741

Institute of Standards and Technology (the ‘‘Director’’) to lead the development of a framework to reduce cyber risks to critical infrastructure (the
‘‘Cybersecurity Framework’’). The Cybersecurity Framework shall include
a set of standards, methodologies, procedures, and processes that align policy,
business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry
best practices to the fullest extent possible. The Cybersecurity Framework
shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet
the requirements of the National Institute of Standards and Technology
Act, as amended (15 U.S.C. 271 et seq.), the National Technology Transfer
and Advancement Act of 1995 (Public Law 104–113), and OMB Circular
A–119, as revised.
(b) The Cybersecurity Framework shall provide a prioritized, flexible,
repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of
critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards
and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed
through future collaboration with particular sectors and standards-developing
organizations. To enable technical innovation and account for organizational
differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from
a competitive market for products and services that meet the standards,
methodologies, procedures, and processes developed to address cyber risks.
The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.
(c) The Cybersecurity Framework shall include methodologies to identify
and mitigate impacts of the Cybersecurity Framework and associated information security measures or controls on business confidentiality, and to protect
individual privacy and civil liberties.
(d) In developing the Cybersecurity Framework, the Director shall engage
in an open public review and comment process. The Director shall also
consult with the Secretary, the National Security Agency, Sector-Specific
Agencies and other interested agencies including OMB, owners and operators
of critical infrastructure, and other stakeholders through the consultative
process established in section 6 of this order. The Secretary, the Director
of National Intelligence, and the heads of other relevant agencies shall
provide threat and vulnerability information and technical expertise to inform
the development of the Cybersecurity Framework. The Secretary shall provide
performance goals for the Cybersecurity Framework informed by work under
section 9 of this order.

srobinson on DSK4SPTVN1PROD with MISCELLANEOUS

(e) Within 240 days of the date of this order, the Director shall publish
a preliminary version of the Cybersecurity Framework (the ‘‘preliminary
Framework’’). Within 1 year of the date of this order, and after coordination
with the Secretary to ensure suitability under section 8 of this order, the
Director shall publish a final version of the Cybersecurity Framework (the
‘‘final Framework’’).
(f) Consistent with statutory responsibilities, the Director will ensure the
Cybersecurity Framework and related guidance is reviewed and updated
as necessary, taking into consideration technological changes, changes in
cyber risks, operational feedback from owners and operators of critical infrastructure, experience from the implementation of section 8 of this order,
and any other relevant factors.
Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program. (a) The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework
by owners and operators of critical infrastructure and any other interested
entities (the ‘‘Program’’).

VerDate Mar<15>2010

18:55 Feb 15, 2013

Jkt 229001

PO 00000

Frm 00005

Fmt 4705

Sfmt 4790

E:\FR\FM\19FEE0.SGM

19FEE0

11742

Federal Register / Vol. 78, No. 33 / Tuesday, February 19, 2013 / Presidential Documents
(b) Sector-Specific Agencies, in consultation with the Secretary and other
interested agencies, shall coordinate with the Sector Coordinating Councils
to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks
and operating environments.
(c) Sector-Specific Agencies shall report annually to the President, through
the Secretary, on the extent to which owners and operators notified under
section 9 of this order are participating in the Program.
(d) The Secretary shall coordinate establishment of a set of incentives
designed to promote participation in the Program. Within 120 days of the
date of this order, the Secretary and the Secretaries of the Treasury and
Commerce each shall make recommendations separately to the President,
through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, that shall
include analysis of the benefits and relative effectiveness of such incentives,
and whether the incentives would require legislation or can be provided
under existing law and authorities to participants in the Program.

srobinson on DSK4SPTVN1PROD with MISCELLANEOUS

(e) Within 120 days of the date of this order, the Secretary of Defense
and the Administrator of General Services, in consultation with the Secretary
and the Federal Acquisition Regulatory Council, shall make recommendations
to the President, through the Assistant to the President for Homeland Security
and Counterterrorism and the Assistant to the President for Economic Affairs,
on the feasibility, security benefits, and relative merits of incorporating
security standards into acquisition planning and contract administration.
The report shall address what steps can be taken to harmonize and make
consistent existing procurement requirements related to cybersecurity.
Sec. 9. Identification of Critical Infrastructure at Greatest Risk. (a) Within
150 days of the date of this order, the Secretary shall use a risk-based
approach to identify critical infrastructure where a cybersecurity incident
could reasonably result in catastrophic regional or national effects on public
health or safety, economic security, or national security. In identifying critical
infrastructure for this purpose, the Secretary shall use the consultative process established in section 6 of this order and draw upon the expertise
of Sector-Specific Agencies. The Secretary shall apply consistent, objective
criteria in identifying such critical infrastructure. The Secretary shall not
identify any commercial information technology products or consumer information technology services under this section. The Secretary shall review
and update the list of identified critical infrastructure under this section
on an annual basis, and provide such list to the President, through the
Assistant to the President for Homeland Security and Counterterrorism and
the Assistant to the President for Economic Affairs.
(b) Heads of Sector-Specific Agencies and other relevant agencies shall
provide the Secretary with information necessary to carry out the responsibilities under this section. The Secretary shall develop a process for other
relevant stakeholders to submit information to assist in making the identifications required in subsection (a) of this section.
(c) The Secretary, in coordination with Sector-Specific Agencies, shall
confidentially notify owners and operators of critical infrastructure identified
under subsection (a) of this section that they have been so identified, and
ensure identified owners and operators are provided the basis for the determination. The Secretary shall establish a process through which owners
and operators of critical infrastructure may submit relevant information and
request reconsideration of identifications under subsection (a) of this section.
Sec. 10. Adoption of Framework. (a) Agencies with responsibility for regulating the security of critical infrastructure shall engage in a consultative
process with DHS, OMB, and the National Security Staff to review the
preliminary Cybersecurity Framework and determine if current cybersecurity
regulatory requirements are sufficient given current and projected risks. In
making such determination, these agencies shall consider the identification

VerDate Mar<15>2010

18:55 Feb 15, 2013

Jkt 229001

PO 00000

Frm 00006

Fmt 4705

Sfmt 4790

E:\FR\FM\19FEE0.SGM

19FEE0

Federal Register / Vol. 78, No. 33 / Tuesday, February 19, 2013 / Presidential Documents

11743

of critical infrastructure required under section 9 of this order. Within 90
days of the publication of the preliminary Framework, these agencies shall
submit a report to the President, through the Assistant to the President
for Homeland Security and Counterterrorism, the Director of OMB, and
the Assistant to the President for Economic Affairs, that states whether
or not the agency has clear authority to establish requirements based upon
the Cybersecurity Framework to sufficiently address current and projected
cyber risks to critical infrastructure, the existing authorities identified, and
any additional authority required.
(b) If current regulatory requirements are deemed to be insufficient, within
90 days of publication of the final Framework, agencies identified in subsection (a) of this section shall propose prioritized, risk-based, efficient,
and coordinated actions, consistent with Executive Order 12866 of September
30, 1993 (Regulatory Planning and Review), Executive Order 13563 of January
18, 2011 (Improving Regulation and Regulatory Review), and Executive Order
13609 of May 1, 2012 (Promoting International Regulatory Cooperation),
to mitigate cyber risk.
(c) Within 2 years after publication of the final Framework, consistent
with Executive Order 13563 and Executive Order 13610 of May 10, 2012
(Identifying and Reducing Regulatory Burdens), agencies identified in subsection (a) of this section shall, in consultation with owners and operators
of critical infrastructure, report to OMB on any critical infrastructure subject
to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.
(d) The Secretary shall coordinate the provision of technical assistance
to agencies identified in subsection (a) of this section on the development
of their cybersecurity workforce and programs.
(e) Independent regulatory agencies with responsibility for regulating the
security of critical infrastructure are encouraged to engage in a consultative
process with the Secretary, relevant Sector-Specific Agencies, and other
affected parties to consider prioritized actions to mitigate cyber risks for
critical infrastructure consistent with their authorities.
Sec. 11. Definitions. (a) ‘‘Agency’’ means any authority of the United States
that is an ‘‘agency’’ under 44 U.S.C. 3502(1), other than those considered
to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).
(b) ‘‘Critical Infrastructure Partnership Advisory Council’’ means the council established by DHS under 6 U.S.C. 451 to facilitate effective interaction
and coordination of critical infrastructure protection activities among the
Federal Government; the private sector; and State, local, territorial, and
tribal governments.
(c) ‘‘Fair Information Practice Principles’’ means the eight principles set
forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.

srobinson on DSK4SPTVN1PROD with MISCELLANEOUS

(d) ‘‘Independent regulatory agency’’ has the meaning given the term in
44 U.S.C. 3502(5).
(e) ‘‘Sector Coordinating Council’’ means a private sector coordinating
council composed of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or any successor.
(f) ‘‘Sector-Specific Agency’’ has the meaning given the term in Presidential
Policy Directive–21 of February 12, 2013 (Critical Infrastructure Security
and Resilience), or any successor.
Sec. 12. General Provisions. (a) This order shall be implemented consistent
with applicable law and subject to the availability of appropriations. Nothing
in this order shall be construed to provide an agency with authority for
regulating the security of critical infrastructure in addition to or to a greater

VerDate Mar<15>2010

18:55 Feb 15, 2013

Jkt 229001

PO 00000

Frm 00007

Fmt 4705

Sfmt 4790

E:\FR\FM\19FEE0.SGM

19FEE0

11744

Federal Register / Vol. 78, No. 33 / Tuesday, February 19, 2013 / Presidential Documents
extent than the authority the agency has under existing law. Nothing in
this order shall be construed to alter or limit any authority or responsibility
of an agency under existing law.
(b) Nothing in this order shall be construed to impair or otherwise affect
the functions of the Director of OMB relating to budgetary, administrative,
or legislative proposals.
(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources
and methods. Nothing in this order shall be interpreted to supersede measures
established under authority of law to protect the security and integrity
of specific activities and associations that are in direct support of intelligence
and law enforcement operations.
(d) This order shall be implemented consistent with U.S. international
obligations.
(e) This order is not intended to, and does not, create any right or benefit,
substantive or procedural, enforceable at law or in equity by any party
against the United States, its departments, agencies, or entities, its officers,
employees, or agents, or any other person.

THE WHITE HOUSE,
February 12, 2013.
[FR Doc. 2013–03915
Filed 2–15–13; 11:15 am]

VerDate Mar<15>2010

18:55 Feb 15, 2013

Jkt 229001

PO 00000

Frm 00008

Fmt 4705

Sfmt 4790

E:\FR\FM\19FEE0.SGM

19FEE0

OB#1.EPS

srobinson on DSK4SPTVN1PROD with MISCELLANEOUS

Billing code 3295–F3


File Typeapplication/pdf
File Modified2016-01-07
File Created2016-01-07

© 2024 OMB.report | Privacy Policy