Improving Critical Infrastructure Cybersecurity

THE WHITE HOUSE
Office of the Press Secretary

For Immediate Release

February 12, 2013

EXECUTIVE ORDER
- - - - - - IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

By the authority vested in me as President by the
Constitution and the laws of the United States of America, it
is hereby ordered as follows:
Section 1. Policy. Repeated cyber intrusions into
critical infrastructure demonstrate the need for improved
cybersecurity. The cyber threat to critical infrastructure
continues to grow and represents one of the most serious
national security challenges we must confront. The national and
economic security of the United States depends on the reliable
functioning of the Nation's critical infrastructure in the face
of such threats. It is the policy of the United States to
enhance the security and resilience of the Nation's critical
infrastructure and to maintain a cyber environment that
encourages efficiency, innovation, and economic prosperity while
promoting safety, security, business confidentiality, privacy,
and civil liberties. We can achieve these goals through a
partnership with the owners and operators of critical
infrastructure to improve cybersecurity information sharing and
collaboratively develop and implement risk-based standards.
Sec. 2. Critical Infrastructure. As used in this order,
the term critical infrastructure means systems and assets,
whether physical or virtual, so vital to the United States that
the incapacity or destruction of such systems and assets would
have a debilitating impact on security, national economic
security, national public health or safety, or any combination
of those matters.
Sec. 3. Policy Coordination. Policy coordination,
guidance, dispute resolution, and periodic in-progress reviews
for the functions and programs described and assigned herein
shall be provided through the interagency process established in
Presidential Policy Directive-1 of February 13, 2009
(Organization of the National Security Council System), or any
successor.
Sec. 4. Cybersecurity Information Sharing. (a) It is the
policy of the United States Government to increase the volume,
timeliness, and quality of cyber threat information shared with
U.S. private sector entities so that these entities may better
protect and defend themselves against cyber threats. Within
120 days of the date of this order, the Attorney General, the
Secretary of Homeland Security (the "Secretary"), and the
Director of National Intelligence shall each issue instructions
consistent with their authorities and with the requirements of

2
section 12(c) of this order to ensure the timely production of
unclassified reports of cyber threats to the U.S. homeland that
identify a specific targeted entity. The instructions shall
address the need to protect intelligence and law enforcement
sources, methods, operations, and investigations.
(b) The Secretary and the Attorney General, in
coordination with the Director of National Intelligence, shall
establish a process that rapidly disseminates the reports
produced pursuant to section 4(a) of this order to the targeted
entity. Such process shall also, consistent with the need to
protect national security information, include the dissemination
of classified reports to critical infrastructure entities
authorized to receive them. The Secretary and the Attorney
General, in coordination with the Director of National
Intelligence, shall establish a system for tracking the
production, dissemination, and disposition of these reports.
(c) To assist the owners and operators of critical
infrastructure in protecting their systems from unauthorized
access, exploitation, or harm, the Secretary, consistent with
6 U.S.C. 143 and in collaboration with the Secretary of Defense,
shall, within 120 days of the date of this order, establish
procedures to expand the Enhanced Cybersecurity Services program
to all critical infrastructure sectors. This voluntary
information sharing program will provide classified cyber threat
and technical information from the Government to eligible
critical infrastructure companies or commercial service
providers that offer security services to critical
infrastructure.
(d) The Secretary, as the Executive Agent for the
Classified National Security Information Program created under
Executive Order 13549 of August 18, 2010 (Classified National
Security Information Program for State, Local, Tribal, and
Private Sector Entities), shall expedite the processing of
security clearances to appropriate personnel employed by
critical infrastructure owners and operators, prioritizing the
critical infrastructure identified in section 9 of this order.
(e) In order to maximize the utility of cyber threat
information sharing with the private sector, the Secretary shall
expand the use of programs that bring private sector subjectmatter experts into Federal service on a temporary basis. These
subject matter experts should provide advice regarding the
content, structure, and types of information most useful to
critical infrastructure owners and operators in reducing and
mitigating cyber risks.
Sec. 5. Privacy and Civil Liberties Protections. (a)
Agencies shall coordinate their activities under this order with
their senior agency officials for privacy and civil liberties
and ensure that privacy and civil liberties protections are
incorporated into such activities. Such protections shall be
based upon the Fair Information Practice Principles and other
privacy and civil liberties policies, principles, and frameworks
as they apply to each agency's activities.
(b) The Chief Privacy Officer and the Officer for Civil
Rights and Civil Liberties of the Department of Homeland
Security (DHS) shall assess the privacy and civil liberties

3
risks of the functions and programs undertaken by DHS as called
for in this order and shall recommend to the Secretary ways to
minimize or mitigate such risks, in a publicly available report,
to be released within 1 year of the date of this order. Senior
agency privacy and civil liberties officials for other agencies
engaged in activities under this order shall conduct assessments
of their agency activities and provide those assessments to DHS
for consideration and inclusion in the report. The report shall
be reviewed on an annual basis and revised as necessary. The
report may contain a classified annex if necessary. Assessments
shall include evaluation of activities against the Fair
Information Practice Principles and other applicable privacy and
civil liberties policies, principles, and frameworks. Agencies
shall consider the assessments and recommendations of the report
in implementing privacy and civil liberties protections
for agency activities.
(c) In producing the report required under subsection (b)
of this section, the Chief Privacy Officer and the Officer for
Civil Rights and Civil Liberties of DHS shall consult with the
Privacy and Civil Liberties Oversight Board and coordinate with
the Office of Management and Budget (OMB).
(d) Information submitted voluntarily in accordance with
6 U.S.C. 133 by private entities under this order shall be
protected from disclosure to the fullest extent permitted by
law.
Sec. 6. Consultative Process. The Secretary shall
establish a consultative process to coordinate improvements to
the cybersecurity of critical infrastructure. As part of the
consultative process, the Secretary shall engage and consider
the advice, on matters set forth in this order, of the Critical
Infrastructure Partnership Advisory Council; Sector Coordinating
Councils; critical infrastructure owners and operators; SectorSpecific Agencies; other relevant agencies; independent
regulatory agencies; State, local, territorial, and tribal
governments; universities; and outside experts.
Sec. 7. Baseline Framework to Reduce Cyber Risk to
Critical Infrastructure. (a) The Secretary of Commerce shall
direct the Director of the National Institute of Standards and
Technology (the "Director") to lead the development of a
framework to reduce cyber risks to critical infrastructure (the
"Cybersecurity Framework"). The Cybersecurity Framework shall
include a set of standards, methodologies, procedures, and
processes that align policy, business, and technological
approaches to address cyber risks. The Cybersecurity Framework
shall incorporate voluntary consensus standards and industry
best practices to the fullest extent possible. The
Cybersecurity Framework shall be consistent with voluntary
international standards when such international standards will
advance the objectives of this order, and shall meet the
requirements of the National Institute of Standards and
Technology Act, as amended (15 U.S.C. 271 et seq.), the National
Technology Transfer and Advancement Act of 1995 (Public Law 104113), and OMB Circular A-119, as revised.
(b) The Cybersecurity Framework shall provide a
prioritized, flexible, repeatable, performance-based, and
cost-effective approach, including information security measures

4
and controls, to help owners and operators of critical
infrastructure identify, assess, and manage cyber risk. The
Cybersecurity Framework shall focus on identifying cross-sector
security standards and guidelines applicable to critical
infrastructure. The Cybersecurity Framework will also identify
areas for improvement that should be addressed through future
collaboration with particular sectors and standards-developing
organizations. To enable technical innovation and account for
organizational differences, the Cybersecurity Framework will
provide guidance that is technology neutral and that enables
critical infrastructure sectors to benefit from a competitive
market for products and services that meet the standards,
methodologies, procedures, and processes developed to address
cyber risks. The Cybersecurity Framework shall include guidance
for measuring the performance of an entity in implementing the
Cybersecurity Framework.
(c) The Cybersecurity Framework shall include
methodologies to identify and mitigate impacts of the
Cybersecurity Framework and associated information security
measures or controls on business confidentiality, and to protect
individual privacy and civil liberties.
(d) In developing the Cybersecurity Framework, the
Director shall engage in an open public review and comment
process. The Director shall also consult with the Secretary,
the National Security Agency, Sector-Specific Agencies and other
interested agencies including OMB, owners and operators of
critical infrastructure, and other stakeholders through the
consultative process established in section 6 of this order.
The Secretary, the Director of National Intelligence, and the
heads of other relevant agencies shall provide threat and
vulnerability information and technical expertise to inform the
development of the Cybersecurity Framework. The Secretary shall
provide performance goals for the Cybersecurity Framework
informed by work under section 9 of this order.
(e) Within 240 days of the date of this order, the
Director shall publish a preliminary version of the
Cybersecurity Framework (the "preliminary Framework"). Within
1 year of the date of this order, and after coordination with
the Secretary to ensure suitability under section 8 of this
order, the Director shall publish a final version of the
Cybersecurity Framework (the "final Framework").
(f) Consistent with statutory responsibilities, the
Director will ensure the Cybersecurity Framework and related
guidance is reviewed and updated as necessary, taking into
consideration technological changes, changes in cyber risks,
operational feedback from owners and operators of critical
infrastructure, experience from the implementation of section 8
of this order, and any other relevant factors.
Sec. 8. Voluntary Critical Infrastructure Cybersecurity
Program. (a) The Secretary, in coordination with SectorSpecific Agencies, shall establish a voluntary program to
support the adoption of the Cybersecurity Framework by owners
and operators of critical infrastructure and any other
interested entities (the "Program").

5
(b) Sector-Specific Agencies, in consultation with the
Secretary and other interested agencies, shall coordinate with
the Sector Coordinating Councils to review the Cybersecurity
Framework and, if necessary, develop implementation guidance or
supplemental materials to address sector-specific risks and
operating environments.
(c) Sector-Specific Agencies shall report annually to the
President, through the Secretary, on the extent to which owners
and operators notified under section 9 of this order are
participating in the Program.
(d) The Secretary shall coordinate establishment of a set
of incentives designed to promote participation in the Program.
Within 120 days of the date of this order, the Secretary and the
Secretaries of the Treasury and Commerce each shall make
recommendations separately to the President, through the
Assistant to the President for Homeland Security and
Counterterrorism and the Assistant to the President for Economic
Affairs, that shall include analysis of the benefits and
relative effectiveness of such incentives, and whether the
incentives would require legislation or can be provided under
existing law and authorities to participants in the Program.
(e) Within 120 days of the date of this order, the
Secretary of Defense and the Administrator of General Services,
in consultation with the Secretary and the Federal Acquisition
Regulatory Council, shall make recommendations to the President,
through the Assistant to the President for Homeland Security and
Counterterrorism and the Assistant to the President for Economic
Affairs, on the feasibility, security benefits, and relative
merits of incorporating security standards into acquisition
planning and contract administration. The report shall address
what steps can be taken to harmonize and make consistent
existing procurement requirements related to cybersecurity.
Sec. 9. Identification of Critical Infrastructure at
Greatest Risk. (a) Within 150 days of the date of this order,
the Secretary shall use a risk-based approach to identify
critical infrastructure where a cybersecurity incident could
reasonably result in catastrophic regional or national effects
on public health or safety, economic security, or national
security. In identifying critical infrastructure for this
purpose, the Secretary shall use the consultative process
established in section 6 of this order and draw upon the
expertise of Sector-Specific Agencies. The Secretary shall
apply consistent, objective criteria in identifying such
critical infrastructure. The Secretary shall not identify any
commercial information technology products or consumer
information technology services under this section. The
Secretary shall review and update the list of identified
critical infrastructure under this section on an annual basis,
and provide such list to the President, through the Assistant to
the President for Homeland Security and Counterterrorism and the
Assistant to the President for Economic Affairs.
(b) Heads of Sector-Specific Agencies and other relevant
agencies shall provide the Secretary with information necessary
to carry out the responsibilities under this section. The
Secretary shall develop a process for other relevant

6
stakeholders to submit information to assist in making the
identifications required in subsection (a) of this section.
(c) The Secretary, in coordination with Sector-Specific
Agencies, shall confidentially notify owners and operators of
critical infrastructure identified under subsection (a) of this
section that they have been so identified, and ensure identified
owners and operators are provided the basis for the
determination. The Secretary shall establish a process through
which owners and operators of critical infrastructure may submit
relevant information and request reconsideration of
identifications under subsection (a) of this section.
Sec. 10. Adoption of Framework. (a) Agencies with
responsibility for regulating the security of critical
infrastructure shall engage in a consultative process with DHS,
OMB, and the National Security Staff to review the preliminary
Cybersecurity Framework and determine if current cybersecurity
regulatory requirements are sufficient given current and
projected risks. In making such determination, these agencies
shall consider the identification of critical infrastructure
required under section 9 of this order. Within 90 days of the
publication of the preliminary Framework, these agencies shall
submit a report to the President, through the Assistant to the
President for Homeland Security and Counterterrorism, the
Director of OMB, and the Assistant to the President for Economic
Affairs, that states whether or not the agency has clear
authority to establish requirements based upon the Cybersecurity
Framework to sufficiently address current and projected cyber
risks to critical infrastructure, the existing authorities
identified, and any additional authority required.
(b) If current regulatory requirements are deemed to be
insufficient, within 90 days of publication of the final
Framework, agencies identified in subsection (a) of this section
shall propose prioritized, risk-based, efficient, and
coordinated actions, consistent with Executive Order 12866 of
September 30, 1993 (Regulatory Planning and Review), Executive
Order 13563 of January 18, 2011 (Improving Regulation and
Regulatory Review), and Executive Order 13609 of May 1, 2012
(Promoting International Regulatory Cooperation), to mitigate
cyber risk.
(c) Within 2 years after publication of the final
Framework, consistent with Executive Order 13563 and Executive
Order 13610 of May 10, 2012 (Identifying and Reducing Regulatory
Burdens), agencies identified in subsection (a) of this section
shall, in consultation with owners and operators of critical
infrastructure, report to OMB on any critical infrastructure
subject to ineffective, conflicting, or excessively burdensome
cybersecurity requirements. This report shall describe efforts
made by agencies, and make recommendations for further actions,
to minimize or eliminate such requirements.
(d) The Secretary shall coordinate the provision of
technical assistance to agencies identified in subsection (a) of
this section on the development of their cybersecurity workforce
and programs.
(e) Independent regulatory agencies with responsibility
for regulating the security of critical infrastructure are

7
encouraged to engage in a consultative process with the
Secretary, relevant Sector-Specific Agencies, and other affected
parties to consider prioritized actions to mitigate cyber risks
for critical infrastructure consistent with their authorities.
Sec. 11. Definitions. (a) "Agency" means any authority
of the United States that is an "agency" under 44 U.S.C.
3502(1), other than those considered to be independent
regulatory agencies, as defined in 44 U.S.C. 3502(5).
(b) "Critical Infrastructure Partnership Advisory Council"
means the council established by DHS under 6 U.S.C. 451 to
facilitate effective interaction and coordination of critical
infrastructure protection activities among the Federal
Government; the private sector; and State, local, territorial,
and tribal governments.
(c) "Fair Information Practice Principles" means the eight
principles set forth in Appendix A of the National Strategy for
Trusted Identities in Cyberspace.
(d) "Independent regulatory agency" has the meaning given
the term in 44 U.S.C. 3502(5).
(e) "Sector Coordinating Council" means a private sector
coordinating council composed of representatives of owners and
operators within a particular sector of critical infrastructure
established by the National Infrastructure Protection Plan or
any successor.
(f) "Sector-Specific Agency" has the meaning given the
term in Presidential Policy Directive-21 of February 12, 2013
(Critical Infrastructure Security and Resilience), or any
successor.
Sec. 12. General Provisions. (a) This order shall be
implemented consistent with applicable law and subject to the
availability of appropriations. Nothing in this order shall be
construed to provide an agency with authority for regulating the
security of critical infrastructure in addition to or to a
greater extent than the authority the agency has under existing
law. Nothing in this order shall be construed to alter or limit
any authority or responsibility of an agency under existing law.
(b) Nothing in this order shall be construed to impair or
otherwise affect the functions of the Director of OMB relating
to budgetary, administrative, or legislative proposals.
(c) All actions taken pursuant to this order shall be
consistent with requirements and authorities to protect
intelligence and law enforcement sources and methods. Nothing
in this order shall be interpreted to supersede measures
established under authority of law to protect the security and
integrity of specific activities and associations that are in
direct support of intelligence and law enforcement operations.
(d) This order shall be implemented consistent with U.S.
international obligations.
(e) This order is not intended to, and does not, create
any right or benefit, substantive or procedural, enforceable at

8
law or in equity by any party against the United States, its
departments, agencies, or entities, its officers, employees, or
agents, or any other person.

BARACK OBAMA

THE WHITE HOUSE,
February 12, 2013.

# # #