
Executive Order
Critical Infrastructure Protection in the Information Age
By the authority vested in me as President by the Constitution and the laws of the
United States of America, and in order to ensure protection of information
systems for critical infrastructure, including emergency preparedness
communications, and the physical assets that support such systems, in the
information age, it is hereby ordered as follows:
Section 1. Policy.
(a)
The information technology revolution has changed the way business is
transacted, government operates, and national defense is conducted. Those three
functions now depend on an interdependent network of critical information infrastructures.
The protection program authorized by this order shall consist of continuous
efforts to secure information systems for critical infrastructure, including
emergency preparedness communications, and the physical assets that support
such systems. Protection of these systems is essential to the
telecommunications, energy, financial services, manufacturing, water,
transportation, health care, and emergency services sectors.
(b)
It is the policy of the United States to protect against disruption of the
operation of information systems for critical infrastructure and thereby help
to protect the people, economy, essential human and government services, and
national security of the United States, and to ensure that any disruptions that
occur are infrequent, of minimal duration, and manageable, and cause the least
damage possible. The implementation of this policy shall include a voluntary
public-private partnership, involving corporate and nongovernmental
organizations.
Sec. 2. Scope.
To achieve this policy, there shall be a senior executive branch board to
coordinate and have cognizance of Federal efforts and programs that relate to
protection of information systems and involve:
(a)
cooperation with and protection of private sector critical infrastructure,
State and local governments' critical infrastructure, and supporting programs
in corporate and academic organizations;
(b)
protection of Federal departments' and agencies' critical infrastructure; and
(c)
related national security programs.
Sec. 3. Establishment.
I hereby establish the "President's Critical Infrastructure Protection
Board" (the "Board").
Sec. 4. Continuing Authorities.
This order does not alter the existing authorities or roles of United States
Government departments and agencies. Authorities set forth in 44 U.S.C. Chapter
35, and other applicable law, provide senior officials with responsibility for
the security of Federal Government information systems.
(a)
Executive Branch Information Systems Security. The Director of the Office of
Management and Budget (OMB) has the responsibility to develop and oversee the
implementation of government-wide policies, principles, standards, and
guidelines for the security of information systems that support the executive
branch departments and agencies, except those noted in section 4(b) of this
order. The Director of OMB shall advise the President and the appropriate
department or agency head when there is a critical deficiency in the security
practices within the purview of this section in an executive branch department
or agency. The Board shall assist and support the Director of OMB in this
function and shall be reasonably cognizant of programs related to security of
department and agency information systems.
(b)
National Security Information Systems. The Secretary of Defense and the
Director of Central Intelligence (DCI) shall have responsibility to oversee,
develop, and ensure implementation of policies, principles, standards, and
guidelines for the security of information systems that support the operations
under their respective control. In consultation with the Assistant to the
President for National Security Affairs and the affected departments and
agencies, the Secretary of Defense and the DCI shall develop policies,
principles, standards, and guidelines for the security of national security
information systems that support the operations of other executive branch
departments and agencies with national security information.
(i) Policies, principles, standards,
and guidelines developed under this subsection may require more stringent
protection than those developed in accordance with subsection 4(a) of this
order.
(ii) The Assistant to the
President for National Security Affairs shall advise the President and the
appropriate department or agency head when there is a critical deficiency in
the security practices of a department or agency within the purview of this
section. The Board, or one of its standing or ad hoc committees, shall be
reasonably cognizant of programs to provide security and continuity to national
security information systems.
(c)
Additional Responsibilities: The Heads of Executive Branch Departments and
Agencies. The heads of executive branch departments and agencies are
responsible and accountable for providing and maintaining adequate levels of
security for information systems, including emergency preparedness
communications systems, for programs under their control. Heads of such
departments and agencies shall ensure the development and, within available
appropriations, funding of programs that adequately address these mission
areas. Cost-effective security shall be built into and made an integral part of
government information systems, especially those critical systems that support
the national security and other essential government programs. Additionally,
security should enable, and not unnecessarily impede, department and agency
business operations.
Sec. 5. Board Responsibilities.
Consistent with the responsibilities noted in section 4 of this order, the Board shall
recommend policies and coordinate programs for protecting information systems
for critical infrastructure, including emergency preparedness communications,
and the physical assets that support such systems. Among its activities to
implement these responsibilities, the Board shall:
(a)
Outreach to the Private Sector and State and Local Governments. In consultation
with affected executive branch departments and agencies, coordinate outreach to
and consultation with the private sector, including corporations that own,
operate, develop, and equip information, telecommunications, transportation,
energy, water, health care, and financial services, on protection of
information systems for critical infrastructure, including emergency
preparedness communications, and the physical assets that support such systems;
and coordinate outreach to State and local governments, as well as communities
and representatives from academia and other relevant elements of society.
(i) When requested to do so,
assist in the development of voluntary standards and best practices in a manner
consistent with 15 U.S.C. Chapter 7;
(ii) Consult with potentially
affected communities, including the legal, auditing, financial, and insurance
communities, to the extent permitted by law, to determine areas of mutual
concern; and
(iii) Coordinate the activities of
senior liaison officers appointed by the Attorney General, the Secretaries of
Energy, Commerce, Transportation, the Treasury, and Health and Human Services,
and the Director of the Federal Emergency Management Agency for outreach on
critical infrastructure protection issues with private sector organizations
within the areas of concern to these departments and agencies. In these and
other related functions, the Board shall work in coordination with the Critical
Infrastructure Assurance Office (CIAO) and the National Institute of Standards
and Technology of the Department of Commerce, the National Infrastructure
Protection Center (NIPC), and the National Communications System (NCS).
(b)
Information Sharing. Work with industry, State and local governments, and
nongovernmental organizations to ensure that systems are created and well
managed to share threat warning, analysis, and recovery information among
government network operation centers, information sharing and analysis centers
established on a voluntary basis by industry, and other related operations
centers. In this and other related functions, the Board shall work in
coordination with the NCS, the Federal Computer Incident Response Center, the
NIPC, and other departments and agencies, as appropriate.
(c)
Incident Coordination and Crisis Response. Coordinate programs and policies for
responding to information systems security incidents that threaten information
systems for critical infrastructure, including emergency preparedness
communications, and the physical assets that support such systems. In this
function, the Department of Justice, through the NIPC and the Manager of the
NCS and other departments and agencies, as appropriate, shall work in
coordination with the Board.
(d)
Recruitment, Retention, and Training Executive Branch Security Professionals.
In consultation with executive branch departments and agencies, coordinate
programs to ensure that government employees with responsibilities for
protecting information systems for critical infrastructure, including emergency
preparedness communications, and the physical assets that support such systems,
are adequately trained and evaluated. In this function, the Office of Personnel
Management shall work in coordination with the Board, as appropriate.
(e)
Research and Development. Coordinate with the Director of the Office of Science
and Technology Policy (OSTP) on a program of Federal Government research and
development for protection of information systems for critical infrastructure,
including emergency preparedness communications, and the physical assets that
support such systems, and ensure coordination of government activities in this
field with corporations, universities, Federally funded research centers, and
national laboratories. In this function, the Board shall work in coordination
with the National Science Foundation, the Defense Advanced Research Projects
Agency, and with other departments and agencies, as appropriate.
(f)
Law Enforcement Coordination with National Security Components. Promote
programs against cyber crime and assist Federal law enforcement agencies in
gaining necessary cooperation from executive branch departments and agencies.
Support Federal law enforcement agencies' investigation of illegal activities
involving information systems for critical infrastructure, including emergency
preparedness communications, and the physical assets that support such systems,
and support coordination by these agencies with other departments and agencies
with responsibilities to defend the Nation's security. In this function, the
Board shall work in coordination with the Department of Justice, through the
NIPC, and the Department of the Treasury, through the Secret Service, and with
other departments and agencies, as appropriate.
(g)
International Information Infrastructure Protection. Support the Department of
State's coordination of United States Government programs for international
cooperation covering international information infrastructure protection
issues.
(h)
Legislation. In accordance with OMB circular A-19, advise departments and
agencies, the Director of OMB, and the Assistant to the President for
Legislative Affairs on legislation relating to protection of information
systems for critical infrastructure, including emergency preparedness
communications, and the physical assets that support such systems.
(i)
Coordination with Office of Homeland Security. Carry out those functions
relating to protection of and recovery from attacks against information systems
for critical infrastructure, including emergency preparedness communications,
that were assigned to the Office of Homeland Security by Executive Order 13228
of October 8, 2001. The Assistant to the President for Homeland Security, in
coordination with the Assistant to the President for National Security Affairs,
shall be responsible for defining the responsibilities of the Board in
coordinating efforts to protect physical assets that support information
systems.
Sec. 6. Membership.
(a)
Members of the Board shall be drawn from the executive branch departments,
agencies, and offices listed below; in addition, concerned Federal departments
and agencies may participate in the activities of appropriate committees of the
Board. The Board shall be led by a Chair and Vice Chair, designated by the
President. Its other members shall be the following senior officials or their
designees:
(i) Secretary of State;
(ii) Secretary of the Treasury;
(iii) Secretary of Defense;
(iv) Attorney General;
(v) Secretary of Commerce;
(vi) Secretary of Health and Human
Services;
(vii) Secretary of Transportation;
(viii) Secretary of Energy;
(ix) Director of Central
Intelligence;
(x) Chairman of the Joint Chiefs
of Staff;
(xi) Director of the Federal
Emergency Management Agency;
(xii) Administrator of General
Services;
(xiii) Director of the Office of
Management and Budget;
(xiv) Director of the Office of
Science and Technology Policy;
(xv) Chief of Staff to the Vice
President;
(xvi) Director of the National
Economic Council;
(xvii) Assistant to the President
for National Security Affairs;
(xviii) Assistant to the President
for Homeland Security;
(xix) Chief of Staff to the
President; and
(xx) Such other executive branch
officials as the President may designate.
Members of the Board and their designees shall be full-time or permanent part-time
officers or employees of the Federal Government.
(b)
In addition, the following officials shall serve as members of the Board and
shall form the Board's Coordination Committee:
(i) Director, Critical
Infrastructure Assurance Office, Department of Commerce;
(ii) Manager, National
Communications System;
(iii) Vice Chair, Chief
Information Officers' (CIO) Council;
(iv) Information Assurance
Director, National Security Agency;
(v) Deputy Director of Central
Intelligence for Community Management; and
(vi) Director, National
Infrastructure Protection Center, Federal Bureau of Investigation, Department
of Justice.
(c)
The Chairman of the Federal Communications Commission may appoint a
representative to the Board.
Sec. 7. Chair.
(a)
The Chair also shall be the Special Advisor to the President for Cyberspace
Security. Executive branch departments and agencies shall make all reasonable
efforts to keep the Chair fully informed in a timely manner, and to the
greatest extent permitted by law, of all programs and issues within the purview
of the Board. The Chair, in consultation with the Board, shall call and preside
at meetings of the Board and set the agenda for the Board. The Chair, in
consultation with the Board, may propose policies and programs to appropriate
officials to ensure the protection of the Nation's information systems for
critical infrastructure, including emergency preparedness communications, and
the physical assets that support such systems. To ensure full coordination
between the responsibilities of the National Security Council (NSC) and the
Office of Homeland Security, the Chair shall report to both the Assistant to
the President for National Security Affairs and to the Assistant to the
President for Homeland Security. The Chair shall coordinate with the Assistant
to the President for Economic Policy on issues relating to private sector
systems and economic effects and with the Director of OMB on issues relating to
budgets and the security of computer networks addressed in subsection 4(a) of
this order.
(b)
The Chair shall be assisted by an appropriately sized staff within the White
House Office. In addition, heads of executive branch departments and agencies
are authorized, to the extent permitted by law, to detail or assign personnel
of such departments and agencies to the Board's staff upon request of the Chair,
subject to the approval of the Chief of Staff to the President. Members of the
Board's staff with responsibilities relating to national security information
systems, communications, and information warfare may, with respect to those
responsibilities, also work at the direction of the Assistant to the President
for National Security Affairs.
Sec. 8. Standing Committees.
(a)
The Board may establish standing and ad hoc committees as appropriate.
Representation on standing committees shall not be limited to those departments
and agencies on the Board, but may include representatives of other concerned
executive branch departments and agencies.
(b)
Chairs of standing and ad hoc committees shall report fully and regularly on
the activities of the committees to the Board, which shall ensure that the
committees are well coordinated with each other.
(c)
There are established the following standing committees:
(i) Private Sector and State and
Local Government Outreach, chaired by the designee of the Secretary of
Commerce, to work in coordination with the designee of the Chairman of the
National Economic Council.
(ii) Executive Branch Information
Systems Security, chaired by the designee of the Director of OMB. The committee
shall assist OMB in fulfilling its responsibilities under 44 U.S.C. Chapter 35
and other applicable law.
(iii) National Security Systems.
The National Security Telecommunications and Information Systems Security
Committee, as established by and consistent with NSD-42 and chaired by the
Department of Defense, shall serve as a Board standing committee, and be
redesignated the Committee on National Security Systems.
(iv) Incident Response
Coordination, co-chaired by the designees of the Attorney General and the
Secretary of Defense.
(v) Research and Development,
chaired by a designee of the Director of OSTP.
(vi) National Security and
Emergency Preparedness Communications. The NCS Committee of Principals is
renamed the Board's Committee for National Security and Emergency Preparedness
Communications. The reporting functions established above for standing
committees are in addition to the functions set forth in Executive Order 12472
of April 3, 1984, and do not alter any function or role set forth therein.
(vii) Physical Security, co-chaired
by the designees of the Secretary of Defense and the Attorney General, to
coordinate programs to ensure the physical security of information systems for
critical infrastructure, including emergency preparedness communications, and
the physical assets that support such systems. The standing committee shall
coordinate its work with the Office of Homeland Security and shall work closely
with the Physical Security Working Group of the Records Access and Information
Security Policy Coordinating Committee to ensure coordination of efforts.
(viii) Infrastructure
Interdependencies, co-chaired by the designees of the Secretaries of
Transportation and Energy, to coordinate programs to assess the unique risks,
threats, and vulnerabilities associated with the interdependency of information
systems for critical infrastructures, including the development of effective
models, simulations, and other analytic tools and cost-effective technologies
in this area.
(ix) International Affairs,
chaired by a designee of the Secretary of State, to support Department of State
coordination of United States Government programs for international cooperation
covering international information infrastructure issues.
(x) Financial and Banking
Information Infrastructure, chaired by a designee of the Secretary of the
Treasury and including representatives of the banking and financial institution
regulatory agencies.
(xi) Other Committees. Such other
standing committees as may be established by the Board.
(d)
Subcommittees. The chair of each standing committee may form necessary
subcommittees with organizational representation as determined by the Chair.
(e)
Streamlining. The Board shall develop procedures that specify the manner in
which it or a subordinate committee will perform the responsibilities
previously assigned to the Policy Coordinating Committee. The Board, in
coordination with the Director of OSTP, shall review the functions of the Joint
Telecommunications Resources Board, established under Executive Order 12472,
and make recommendations about its future role.
Sec. 9. Planning and Budget.
(a)
The Board, on a periodic basis, shall propose a National Plan or plans for
subjects within its purview. The Board, in coordination with the Office of
Homeland Security, also shall make recommendations to OMB on those portions of
executive branch department and agency budgets that fall within the Board's
purview, after review of relevant program requirements and resources.
(b)
The Office of Administration within the Executive Office of the President shall
provide the Board with such personnel, funding, and administrative support, to
the extent permitted by law and subject to the availability of appropriations,
as directed by the Chief of Staff to carry out the provisions of this order.
Only those funds that are available for the Office of Homeland Security,
established by Executive Order 13228, shall be available for such purposes. To
the extent permitted by law and as appropriate, agencies represented on the
Board also may provide administrative support for the Board. The National
Security Agency shall ensure that the Board's information and communications
systems are appropriately secured.
(c)
The Board may annually request the National Science Foundation, Department of
Energy, Department of Transportation, Environmental Protection Agency,
Department of Commerce, Department of Defense, and the Intelligence Community,
as that term is defined in Executive Order 12333 of December 4, 1981, to
include in their budget requests to OMB funding for demonstration projects and
research to support the Board's activities.
Sec. 10. Presidential Advisory Panels.
The Chair shall work closely with panels of senior experts from outside of the
government that advise the President, in particular: the President's National
Security Telecommunications Advisory Committee (NSTAC) created by Executive
Order 12382 of September 13,
1982, as amended, and the National Infrastructure Advisory Council (NIAC or
Council) created by this Executive Order. The Chair and Vice Chair of these two
panels also may meet with the Board, as appropriate and to the extent permitted
by law, to provide a private sector perspective.
(a)
NSTAC. The NSTAC provides the President advice on the security and continuity
of communications systems essential for national security and emergency
preparedness.
(b)
NIAC. There is hereby established the National Infrastructure Advisory Council,
which shall provide the President advice on the security of information systems
for critical infrastructure supporting other sectors of the economy: banking
and finance, transportation, energy, manufacturing, and emergency government
services. The NIAC shall be composed of not more than 30 members appointed by
the President. The members of the NIAC shall be selected from the private
sector, academia, and State and local government. Members of the NIAC shall
have expertise relevant to the functions of the NIAC and generally shall be
selected from industry Chief Executive Officers (and equivalently ranked
leaders in other organizations) with responsibilities for the security of
information infrastructure supporting the critical sectors of the economy,
including banking and finance, transportation, energy, communications, and
emergency government services. Members shall not be full-time officials or
employees of the executive branch of the Federal Government.
(i) The President shall designate
a Chair and Vice Chair from among the members of the NIAC.
(ii) The Chair of the Board
established by this order will serve as the Executive Director of the NIAC.
(c)
NIAC Functions. The NIAC will meet periodically to:
(i) enhance the partnership of the
public and private sectors in protecting information systems for critical
infrastructures and provide reports on this issue to the President, as
appropriate;
(ii) propose and develop ways to
encourage private industry to perform periodic risk assessments of critical
information and telecommunications systems;
(iii) monitor the development of
private sector Information Sharing and Analysis Centers (ISACs) and provide
recommendations to the Board on how these organizations can best foster
improved cooperation among the ISACs, the NIPC, and other Federal Government
entities;
(iv) report to the President
through the Board, which shall ensure appropriate coordination with the
Assistant to the President for Economic Policy under the terms of this order;
and
(v) advise lead agencies with
critical infrastructure responsibilities, sector coordinators, the NIPC, the
ISACs, and the Board.
(d)
Administration of the NIAC.
(i) The NIAC may hold hearings,
conduct inquiries, and establish subcommittees, as appropriate.
(ii) Upon the request of the
Chair, and to the extent permitted by law, the heads of the executive branch
departments and agencies shall provide the Council with information and advice
relating to its functions.
(iii) Senior Federal Government
officials may participate in the meetings of the NIAC, as appropriate.
(iv) Members shall serve without
compensation for their work on the Council. However, members may be allowed
travel expenses, including per diem in lieu of subsistence, as authorized by
law for persons serving intermittently in Federal Government service (5 U.S.C.
5701-5707).
(v) To the extent permitted by law,
and subject to the availability of appropriations, the Department of Commerce,
through the CIAO, shall provide the NIAC with administrative services, staff,
and other support services and such funds as may be necessary for the
performance of the NIAC's functions.
(e)
General Provisions.
(i) Insofar as the Federal
Advisory Committee Act, as amended (5 U.S.C. App.), may apply to the NIAC, the
functions of the President under that Act, except that of reporting to the
Congress, shall be performed by the Department of Commerce in accordance with
the guidelines and procedures established by the Administrator of General
Services.
(ii) The Council shall terminate 2
years from the date of this order, unless extended by the President prior to
that date.
(iii) Executive Order 13130 of
July 14, 1999, is hereby revoked.
Sec. 11. National Communications System.
Changes in technology are causing the convergence of much of telephony, data relay, and
internet communications networks into an interconnected network of networks.
The NCS and its National Coordinating Center shall support use of telephony,
converged information, voice networks, and next generation networks for
emergency preparedness and national security communications functions assigned
to them in Executive Order 12472. All authorities and assignments of
responsibilities to departments and agencies in that order, including the role
of the Manager of NCS, remain unchanged except as explicitly modified by this
order.
Sec. 12. Counter-intelligence.
The Board shall coordinate its activities with those of the Office of the
Counter-intelligence Executive to address the threat to programs within the
Board's purview from hostile foreign intelligence services.
Sec. 13. Classification Authority.
I hereby delegate to the Chair the authority to classify information originally
as Top Secret, in accordance with Executive Order 12958 of April 17, 1995, as
amended, or any successor Executive Order.
Sec. 14. General Provisions.
(a)
Nothing in this order shall supersede any requirement made by or under law.
(b)
This order does not create any right or benefit, substantive or procedural,
enforceable at law or equity, against the United States, its departments,
agencies or other entities, its officers or employees, or any other person.
GEORGE W. BUSH
THE WHITE HOUSE,
October 16, 2001.