[Federal Register Volume 78, Number 33 (Tuesday, February 19, 2013)]
[Presidential Documents]
[Pages 11739-11744]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2013-03915]
[[Page 11737]]
Vol. 78
Tuesday,
No. 33
February 19, 2013
Part III
The President
-----------------------------------------------------------------------
Executive Order 13636--Improving Critical Infrastructure Cybersecurity
�
�
� Presidential Documents
�
�
��Federal Register / Vol. 78 , No. 33 / Tuesday, February 19, 2013 /
Presidential Documents��
�___________________________________________________________________
�Title 3--
�The President
[[Page 11739]]
Executive Order 13636 of February 12, 2013
Improving Critical Infrastructure Cybersecurity
By the authority vested in me as President by the
Constitution and the laws of the United States of
America, it is hereby ordered as follows:
Section 1. Policy. Repeated cyber intrusions into
critical infrastructure demonstrate the need for
improved cybersecurity. The cyber threat to critical
infrastructure continues to grow and represents one of
the most serious national security challenges we must
confront. The national and economic security of the
United States depends on the reliable functioning of
the Nation's critical infrastructure in the face of
such threats. It is the policy of the United States to
enhance the security and resilience of the Nation's
critical infrastructure and to maintain a cyber
environment that encourages efficiency, innovation, and
economic prosperity while promoting safety, security,
business confidentiality, privacy, and civil liberties.
We can achieve these goals through a partnership with
the owners and operators of critical infrastructure to
improve cybersecurity information sharing and
collaboratively develop and implement risk-based
standards.
Sec. 2. Critical Infrastructure. As used in this order,
the term critical infrastructure means systems and
assets, whether physical or virtual, so vital to the
United States that the incapacity or destruction of
such systems and assets would have a debilitating
impact on security, national economic security,
national public health or safety, or any combination of
those matters.
Sec. 3. Policy Coordination. Policy coordination,
guidance, dispute resolution, and periodic in-progress
reviews for the functions and programs described and
assigned herein shall be provided through the
interagency process established in Presidential Policy
Directive-1 of February 13, 2009 (Organization of the
National Security Council System), or any successor.
Sec. 4. Cybersecurity Information Sharing. (a) It is
the policy of the United States Government to increase
the volume, timeliness, and quality of cyber threat
information shared with U.S. private sector entities so
that these entities may better protect and defend
themselves against cyber threats. Within 120 days of
the date of this order, the Attorney General, the
Secretary of Homeland Security (the ``Secretary''), and
the Director of National Intelligence shall each issue
instructions consistent with their authorities and with
the requirements of section 12(c) of this order to
ensure the timely production of unclassified reports of
cyber threats to the U.S. homeland that identify a
specific targeted entity. The instructions shall
address the need to protect intelligence and law
enforcement sources, methods, operations, and
investigations.
(b) The Secretary and the Attorney General, in
coordination with the Director of National
Intelligence, shall establish a process that rapidly
disseminates the reports produced pursuant to section
4(a) of this order to the targeted entity. Such process
shall also, consistent with the need to protect
national security information, include the
dissemination of classified reports to critical
infrastructure entities authorized to receive them. The
Secretary and the Attorney General, in coordination
with the Director of National Intelligence, shall
establish a system for tracking the production,
dissemination, and disposition of these reports.
(c) To assist the owners and operators of critical
infrastructure in protecting their systems from
unauthorized access, exploitation, or harm, the
Secretary, consistent with 6 U.S.C. 143 and in
collaboration with the Secretary of
[[Page 11740]]
Defense, shall, within 120 days of the date of this
order, establish procedures to expand the Enhanced
Cybersecurity Services program to all critical
infrastructure sectors. This voluntary information
sharing program will provide classified cyber threat
and technical information from the Government to
eligible critical infrastructure companies or
commercial service providers that offer security
services to critical infrastructure.
(d) The Secretary, as the Executive Agent for the
Classified National Security Information Program
created under Executive Order 13549 of August 18, 2010
(Classified National Security Information Program for
State, Local, Tribal, and Private Sector Entities),
shall expedite the processing of security clearances to
appropriate personnel employed by critical
infrastructure owners and operators, prioritizing the
critical infrastructure identified in section 9 of this
order.
(e) In order to maximize the utility of cyber
threat information sharing with the private sector, the
Secretary shall expand the use of programs that bring
private sector subject-matter experts into Federal
service on a temporary basis. These subject matter
experts should provide advice regarding the content,
structure, and types of information most useful to
critical infrastructure owners and operators in
reducing and mitigating cyber risks.
Sec. 5. Privacy and Civil Liberties Protections. (a)
Agencies shall coordinate their activities under this
order with their senior agency officials for privacy
and civil liberties and ensure that privacy and civil
liberties protections are incorporated into such
activities. Such protections shall be based upon the
Fair Information Practice Principles and other privacy
and civil liberties policies, principles, and
frameworks as they apply to each agency's activities.
(b) The Chief Privacy Officer and the Officer for
Civil Rights and Civil Liberties of the Department of
Homeland Security (DHS) shall assess the privacy and
civil liberties risks of the functions and programs
undertaken by DHS as called for in this order and shall
recommend to the Secretary ways to minimize or mitigate
such risks, in a publicly available report, to be
released within 1 year of the date of this order.
Senior agency privacy and civil liberties officials for
other agencies engaged in activities under this order
shall conduct assessments of their agency activities
and provide those assessments to DHS for consideration
and inclusion in the report. The report shall be
reviewed on an annual basis and revised as necessary.
The report may contain a classified annex if necessary.
Assessments shall include evaluation of activities
against the Fair Information Practice Principles and
other applicable privacy and civil liberties policies,
principles, and frameworks. Agencies shall consider the
assessments and recommendations of the report in
implementing privacy and civil liberties protections
for agency activities.
(c) In producing the report required under
subsection (b) of this section, the Chief Privacy
Officer and the Officer for Civil Rights and Civil
Liberties of DHS shall consult with the Privacy and
Civil Liberties Oversight Board and coordinate with the
Office of Management and Budget (OMB).
(d) Information submitted voluntarily in accordance
with 6 U.S.C. 133 by private entities under this order
shall be protected from disclosure to the fullest
extent permitted by law.
Sec. 6. Consultative Process. The Secretary shall
establish a consultative process to coordinate
improvements to the cybersecurity of critical
infrastructure. As part of the consultative process,
the Secretary shall engage and consider the advice, on
matters set forth in this order, of the Critical
Infrastructure Partnership Advisory Council; Sector
Coordinating Councils; critical infrastructure owners
and operators; Sector-Specific Agencies; other relevant
agencies; independent regulatory agencies; State,
local, territorial, and tribal governments;
universities; and outside experts.
Sec. 7. Baseline Framework to Reduce Cyber Risk to
Critical Infrastructure. (a) The Secretary of Commerce
shall direct the Director of the National
[[Page 11741]]
Institute of Standards and Technology (the
``Director'') to lead the development of a framework to
reduce cyber risks to critical infrastructure (the
``Cybersecurity Framework''). The Cybersecurity
Framework shall include a set of standards,
methodologies, procedures, and processes that align
policy, business, and technological approaches to
address cyber risks. The Cybersecurity Framework shall
incorporate voluntary consensus standards and industry
best practices to the fullest extent possible. The
Cybersecurity Framework shall be consistent with
voluntary international standards when such
international standards will advance the objectives of
this order, and shall meet the requirements of the
National Institute of Standards and Technology Act, as
amended (15 U.S.C. 271 et seq.), the National
Technology Transfer and Advancement Act of 1995 (Public
Law 104-113), and OMB Circular A-119, as revised.
(b) The Cybersecurity Framework shall provide a
prioritized, flexible, repeatable, performance-based,
and cost-effective approach, including information
security measures and controls, to help owners and
operators of critical infrastructure identify, assess,
and manage cyber risk. The Cybersecurity Framework
shall focus on identifying cross-sector security
standards and guidelines applicable to critical
infrastructure. The Cybersecurity Framework will also
identify areas for improvement that should be addressed
through future collaboration with particular sectors
and standards-developing organizations. To enable
technical innovation and account for organizational
differences, the Cybersecurity Framework will provide
guidance that is technology neutral and that enables
critical infrastructure sectors to benefit from a
competitive market for products and services that meet
the standards, methodologies, procedures, and processes
developed to address cyber risks. The Cybersecurity
Framework shall include guidance for measuring the
performance of an entity in implementing the
Cybersecurity Framework.
(c) The Cybersecurity Framework shall include
methodologies to identify and mitigate impacts of the
Cybersecurity Framework and associated information
security measures or controls on business
confidentiality, and to protect individual privacy and
civil liberties.
(d) In developing the Cybersecurity Framework, the
Director shall engage in an open public review and
comment process. The Director shall also consult with
the Secretary, the National Security Agency, Sector-
Specific Agencies and other interested agencies
including OMB, owners and operators of critical
infrastructure, and other stakeholders through the
consultative process established in section 6 of this
order. The Secretary, the Director of National
Intelligence, and the heads of other relevant agencies
shall provide threat and vulnerability information and
technical expertise to inform the development of the
Cybersecurity Framework. The Secretary shall provide
performance goals for the Cybersecurity Framework
informed by work under section 9 of this order.
(e) Within 240 days of the date of this order, the
Director shall publish a preliminary version of the
Cybersecurity Framework (the ``preliminary
Framework''). Within 1 year of the date of this order,
and after coordination with the Secretary to ensure
suitability under section 8 of this order, the Director
shall publish a final version of the Cybersecurity
Framework (the ``final Framework'').
(f) Consistent with statutory responsibilities, the
Director will ensure the Cybersecurity Framework and
related guidance is reviewed and updated as necessary,
taking into consideration technological changes,
changes in cyber risks, operational feedback from
owners and operators of critical infrastructure,
experience from the implementation of section 8 of this
order, and any other relevant factors.
Sec. 8. Voluntary Critical Infrastructure Cybersecurity
Program. (a) The Secretary, in coordination with
Sector-Specific Agencies, shall establish a voluntary
program to support the adoption of the Cybersecurity
Framework by owners and operators of critical
infrastructure and any other interested entities (the
``Program'').
[[Page 11742]]
(b) Sector-Specific Agencies, in consultation with
the Secretary and other interested agencies, shall
coordinate with the Sector Coordinating Councils to
review the Cybersecurity Framework and, if necessary,
develop implementation guidance or supplemental
materials to address sector-specific risks and
operating environments.
(c) Sector-Specific Agencies shall report annually
to the President, through the Secretary, on the extent
to which owners and operators notified under section 9
of this order are participating in the Program.
(d) The Secretary shall coordinate establishment of
a set of incentives designed to promote participation
in the Program. Within 120 days of the date of this
order, the Secretary and the Secretaries of the
Treasury and Commerce each shall make recommendations
separately to the President, through the Assistant to
the President for Homeland Security and
Counterterrorism and the Assistant to the President for
Economic Affairs, that shall include analysis of the
benefits and relative effectiveness of such incentives,
and whether the incentives would require legislation or
can be provided under existing law and authorities to
participants in the Program.
(e) Within 120 days of the date of this order, the
Secretary of Defense and the Administrator of General
Services, in consultation with the Secretary and the
Federal Acquisition Regulatory Council, shall make
recommendations to the President, through the Assistant
to the President for Homeland Security and
Counterterrorism and the Assistant to the President for
Economic Affairs, on the feasibility, security
benefits, and relative merits of incorporating security
standards into acquisition planning and contract
administration. The report shall address what steps can
be taken to harmonize and make consistent existing
procurement requirements related to cybersecurity.
Sec. 9. Identification of Critical Infrastructure at
Greatest Risk. (a) Within 150 days of the date of this
order, the Secretary shall use a risk-based approach to
identify critical infrastructure where a cybersecurity
incident could reasonably result in catastrophic
regional or national effects on public health or
safety, economic security, or national security. In
identifying critical infrastructure for this purpose,
the Secretary shall use the consultative process
established in section 6 of this order and draw upon
the expertise of Sector-Specific Agencies. The
Secretary shall apply consistent, objective criteria in
identifying such critical infrastructure. The Secretary
shall not identify any commercial information
technology products or consumer information technology
services under this section. The Secretary shall review
and update the list of identified critical
infrastructure under this section on an annual basis,
and provide such list to the President, through the
Assistant to the President for Homeland Security and
Counterterrorism and the Assistant to the President for
Economic Affairs.
(b) Heads of Sector-Specific Agencies and other
relevant agencies shall provide the Secretary with
information necessary to carry out the responsibilities
under this section. The Secretary shall develop a
process for other relevant stakeholders to submit
information to assist in making the identifications
required in subsection (a) of this section.
(c) The Secretary, in coordination with Sector-
Specific Agencies, shall confidentially notify owners
and operators of critical infrastructure identified
under subsection (a) of this section that they have
been so identified, and ensure identified owners and
operators are provided the basis for the determination.
The Secretary shall establish a process through which
owners and operators of critical infrastructure may
submit relevant information and request reconsideration
of identifications under subsection (a) of this
section.
Sec. 10. Adoption of Framework. (a) Agencies with
responsibility for regulating the security of critical
infrastructure shall engage in a consultative process
with DHS, OMB, and the National Security Staff to
review the preliminary Cybersecurity Framework and
determine if current cybersecurity regulatory
requirements are sufficient given current and projected
risks. In making such determination, these agencies
shall consider the identification
[[Page 11743]]
of critical infrastructure required under section 9 of
this order. Within 90 days of the publication of the
preliminary Framework, these agencies shall submit a
report to the President, through the Assistant to the
President for Homeland Security and Counterterrorism,
the Director of OMB, and the Assistant to the President
for Economic Affairs, that states whether or not the
agency has clear authority to establish requirements
based upon the Cybersecurity Framework to sufficiently
address current and projected cyber risks to critical
infrastructure, the existing authorities identified,
and any additional authority required.
(b) If current regulatory requirements are deemed
to be insufficient, within 90 days of publication of
the final Framework, agencies identified in subsection
(a) of this section shall propose prioritized, risk-
based, efficient, and coordinated actions, consistent
with Executive Order 12866 of September 30, 1993
(Regulatory Planning and Review), Executive Order 13563
of January 18, 2011 (Improving Regulation and
Regulatory Review), and Executive Order 13609 of May 1,
2012 (Promoting International Regulatory Cooperation),
to mitigate cyber risk.
(c) Within 2 years after publication of the final
Framework, consistent with Executive Order 13563 and
Executive Order 13610 of May 10, 2012 (Identifying and
Reducing Regulatory Burdens), agencies identified in
subsection (a) of this section shall, in consultation
with owners and operators of critical infrastructure,
report to OMB on any critical infrastructure subject to
ineffective, conflicting, or excessively burdensome
cybersecurity requirements. This report shall describe
efforts made by agencies, and make recommendations for
further actions, to minimize or eliminate such
requirements.
(d) The Secretary shall coordinate the provision of
technical assistance to agencies identified in
subsection (a) of this section on the development of
their cybersecurity workforce and programs.
(e) Independent regulatory agencies with
responsibility for regulating the security of critical
infrastructure are encouraged to engage in a
consultative process with the Secretary, relevant
Sector-Specific Agencies, and other affected parties to
consider prioritized actions to mitigate cyber risks
for critical infrastructure consistent with their
authorities.
Sec. 11. Definitions. (a) ``Agency'' means any
authority of the United States that is an ``agency''
under 44 U.S.C. 3502(1), other than those considered to
be independent regulatory agencies, as defined in 44
U.S.C. 3502(5).
(b) ``Critical Infrastructure Partnership Advisory
Council'' means the council established by DHS under 6
U.S.C. 451 to facilitate effective interaction and
coordination of critical infrastructure protection
activities among the Federal Government; the private
sector; and State, local, territorial, and tribal
governments.
(c) ``Fair Information Practice Principles'' means
the eight principles set forth in Appendix A of the
National Strategy for Trusted Identities in Cyberspace.
(d) ``Independent regulatory agency'' has the
meaning given the term in 44 U.S.C. 3502(5).
(e) ``Sector Coordinating Council'' means a private
sector coordinating council composed of representatives
of owners and operators within a particular sector of
critical infrastructure established by the National
Infrastructure Protection Plan or any successor.
(f) ``Sector-Specific Agency'' has the meaning
given the term in Presidential Policy Directive-21 of
February 12, 2013 (Critical Infrastructure Security and
Resilience), or any successor.
Sec. 12. General Provisions. (a) This order shall be
implemented consistent with applicable law and subject
to the availability of appropriations. Nothing in this
order shall be construed to provide an agency with
authority for regulating the security of critical
infrastructure in addition to or to a greater
[[Page 11744]]
extent than the authority the agency has under existing
law. Nothing in this order shall be construed to alter
or limit any authority or responsibility of an agency
under existing law.
(b) Nothing in this order shall be construed to
impair or otherwise affect the functions of the
Director of OMB relating to budgetary, administrative,
or legislative proposals.
(c) All actions taken pursuant to this order shall
be consistent with requirements and authorities to
protect intelligence and law enforcement sources and
methods. Nothing in this order shall be interpreted to
supersede measures established under authority of law
to protect the security and integrity of specific
activities and associations that are in direct support
of intelligence and law enforcement operations.
(d) This order shall be implemented consistent with
U.S. international obligations.
(e) This order is not intended to, and does not,
create any right or benefit, substantive or procedural,
enforceable at law or in equity by any party against
the United States, its departments, agencies, or
entities, its officers, employees, or agents, or any
other person.
(Presidential Sig.)
THE WHITE HOUSE,
February 12, 2013.
[FR Doc. 2013-03915
Filed 2-15-13; 11:15 am]
Billing code 3295-F3