[Public Papers of the Presidents of the United States: George W. Bush (2003, Book II)]
[December 17, 2003]
[Pages 1739-1745]
[From the U.S. Government Publishing Office www.gpo.gov]


[[Page 1739]]


Homeland Security Presidential Directive/HSPD-7--Critical Infrastructure 
Identification, Prioritization, and Protection
December 17, 2003

Subject: Critical Infrastructure Identification, Prioritization, and 
Protection

Purpose

    (1) This directive establishes a national policy for Federal 
departments and agencies to identify and prioritize United States 
critical infrastructure and key resources and to protect them from 
terrorist attacks.

Background

    (2) Terrorists seek to destroy, incapacitate, or exploit critical 
infrastructure and key resources across the United States to threaten 
national security, cause mass casualties, weaken our economy, and damage 
public morale and confidence.
    (3) America's open and technologically complex society includes a 
wide array of critical infrastructure and key resources that are 
potential terrorist targets. The majority of these are owned and 
operated by the private sector and State or local governments. These 
critical infrastructures and key resources are both physical and cyber-
based and span all sectors of the economy.
    (4) Critical infrastructure and key resources provide the essential 
services that underpin American society. The Nation possesses numerous 
key resources, whose exploitation or destruction by terrorists could 
cause catastrophic health effects or mass casualties comparable to those 
from the use of a weapon of mass destruction, or could profoundly affect 
our national prestige and morale. In addition, there is critical 
infrastructure so vital that its incapacitation, exploitation, or 
destruction, through terrorist attack, could have a debilitating effect 
on security and economic well-being.
    (5) While it is not possible to protect or eliminate the 
vulnerability of all critical infrastructure and key resources 
throughout the country, strategic improvements in security can make it 
more difficult for attacks to succeed and can lessen the impact of 
attacks that may occur. In addition to strategic security enhancements, 
tactical security improvements can be rapidly implemented to deter, 
mitigate, or neutralize potential attacks.

Definitions

    (6) In this directive:
       (a)   The term ``critical infrastructure'' has the meaning given 
            to that term in section 1016(e) of the USA PATRIOT Act of 
            2001 (42 U.S.C. 5195c(e)).
       (b)   The term ``key resources'' has the meaning given that term 
            in section 2(9) of the Homeland Security Act of 2002 (6 
            U.S.C. 101(9)).
       (c)   The term ``the Department'' means the Department of 
            Homeland Security.
       (d)   The term ``Federal departments and agencies'' means those 
            executive departments enumerated in 5 U.S.C. 101, and the 
            Department of Homeland Security; independent establishments 
            as defined by 5 U.S.C. 104(1); Government corporations as 
            defined by 5 U.S.C. 103(1); and the United States Postal 
            Service.
       (e)   The terms ``State,'' and ``local government,'' when used in 
            a geographical sense, have the same meanings given to those 
            terms in section 2 of the Homeland Security Act of 2002 (6 
            U.S.C. 101).
       (f)   The term ``the Secretary'' means the Secretary of Homeland 
            Security.

[[Page 1740]]

       (g)   The term ``Sector-Specific Agency'' means a Federal 
            department or agency responsible for infrastructure 
            protection activities in a designated critical 
            infrastructure sector or key resources category. Sector-
            Specific Agencies will conduct their activities under this 
            directive in accordance with guidance provided by the 
            Secretary.
       (h)   The terms ``protect'' and ``secure'' mean reducing the 
            vulnerability of critical infrastructure or key resources in 
            order to deter, mitigate, or neutralize terrorist attacks.

Policy

    (7) It is the policy of the United States to enhance the protection 
of our Nation's critical infrastructure and key resources against 
terrorist acts that could:
       (a)   cause catastrophic health effects or mass casualties 
            comparable to those from the use of a weapon of mass 
            destruction;
       (b)   impair Federal departments and agencies' abilities to 
            perform essential missions, or to ensure the public's health 
            and safety;
       (c)   undermine State and local government capacities to maintain 
            order and to deliver minimum essential public services;
       (d)   damage the private sector's capability to ensure the 
            orderly functioning of the economy and delivery of essential 
            services;
       (e)   have a negative effect on the economy through the cascading 
            disruption of other critical infrastructure and key 
            resources; or
       (f)   undermine the public's morale and confidence in our 
            national economic and political institutions.
    (8) Federal departments and agencies will identify, prioritize, and 
coordinate the protection of critical infrastructure and key resources 
in order to prevent, deter, and mitigate the effects of deliberate 
efforts to destroy, incapacitate, or exploit them. Federal departments 
and agencies will work with State and local governments and the private 
sector to accomplish this objective.
    (9) Federal departments and agencies will ensure that homeland 
security programs do not diminish the overall economic security of the 
United States.
    (10) Federal departments and agencies will appropriately protect 
information associated with carrying out this directive, including 
handling voluntarily provided information and information that would 
facilitate terrorist targeting of critical infrastructure and key 
resources consistent with the Homeland Security Act of 2002 and other 
applicable legal authorities.
    (11) Federal departments and agencies shall implement this directive 
in a manner consistent with applicable provisions of law, including 
those protecting the rights of United States persons.

Roles and Responsibilities of the Secretary

    (12) In carrying out the functions assigned in the Homeland Security 
Act of 2002, the Secretary shall be responsible for coordinating the 
overall national effort to enhance the protection of the critical 
infrastructure and key resources of the United States. The Secretary 
shall serve as the principal Federal official to lead, integrate, and 
coordinate implementation of efforts among Federal departments and 
agencies, State and local governments, and the private sector to protect 
critical infrastructure and key resources.
    (13) Consistent with this directive, the Secretary will identify, 
prioritize, and coordinate the protection of critical infrastructure and 
key resources with an emphasis on critical infrastructure and key 
resources that could be exploited to cause catastrophic health effects 
or mass casualties comparable to those from the use of a weapon of mass 
destruction.

[[Page 1741]]

    (14) The Secretary will establish uniform policies, approaches, 
guidelines, and methodologies for integrating Federal infrastructure 
protection and risk management activities within and across sectors 
along with metrics and criteria for related programs and activities.
    (15) The Secretary shall coordinate protection activities for each 
of the following critical infrastructure sectors: information 
technology; telecommunications; chemical; transportation systems, 
including mass transit, aviation, maritime, ground/surface, and rail and 
pipeline systems; emergency services; and postal and shipping. The 
Department shall coordinate with appropriate departments and agencies to 
ensure the protection of other key resources including dams, government 
facilities, and commercial facilities. In addition, in its role as 
overall cross-sector coordinator, the Department shall also evaluate the 
need for and coordinate the coverage of additional critical 
infrastructure and key resources categories over time, as appropriate.
    (16) The Secretary will continue to maintain an organization to 
serve as a focal point for the security of cyberspace. The organization 
will facilitate interactions and collaborations between and among 
Federal departments and agencies, State and local governments, the 
private sector, academia and international organizations. To the extent 
permitted by law, Federal departments and agencies with cyber expertise, 
including but not limited to the Departments of Justice, Commerce, the 
Treasury, Defense, Energy, and State, and the Central Intelligence 
Agency, will collaborate with and support the organization in 
accomplishing its mission. The organization's mission includes analysis, 
warning, information sharing, vulnerability reduction, mitigation, and 
aiding national recovery efforts for critical infrastructure information 
systems. The organization will support the Department of Justice and 
other law enforcement agencies in their continuing missions to 
investigate and prosecute threats to and attacks against cyberspace, to 
the extent permitted by law.
    (17) The Secretary will work closely with other Federal departments 
and agencies, State and local governments, and the private sector in 
accomplishing the objectives of this directive.

Roles and Responsibilities of Sector-Specific Federal Agencies

    (18) Recognizing that each infrastructure sector possesses its own 
unique characteristics and operating models, there are designated 
Sector-Specific Agencies, including:
       (a)   Department of Agriculture--agriculture, food (meat, 
            poultry, egg products);
       (b)   Health and Human Services--public health, healthcare, and 
            food (other than meat, poultry, egg products);
       (c)   Environmental Protection Agency--drinking water and water 
            treatment systems;
       (d)   Department of Energy--energy, including the production 
            refining, storage, and distribution of oil and gas, and 
            electric power except for commercial nuclear power 
            facilities;
       (e)   Department of the Treasury--banking and finance;
       (f)   Department of the Interior--national monuments and icons; 
            and
       (g)   Department of Defense--defense industrial base.
    (19) In accordance with guidance provided by the Secretary, Sector-
Specific Agencies shall:
       (a)   collaborate with all relevant Federal departments and 
            agencies, State and local governments, and the private 
            sector, including with key persons and entities in their 
            infrastructure sector;
       (b)   conduct or facilitate vulnerability assessments of the 
            sector; and
       (c)   encourage risk management strategies to protect against and 
            mitigate the effects of attacks against critical 
            infrastructure and key resources.

[[Page 1742]]

    (20) Nothing in this directive alters, or impedes the ability to 
carry out, the authorities of the Federal departments and agencies to 
perform their responsibilities under law and consistent with applicable 
legal authorities and presidential guidance.
    (21) Federal departments and agencies shall cooperate with the 
Department in implementing this directive, consistent with the Homeland 
Security Act of 2002 and other applicable legal authorities.

Roles and Responsibilities of Other Departments, Agencies, and Offices

    (22) In addition to the responsibilities given the Department and 
Sector-Specific Agencies, there are special functions of various Federal 
departments and agencies and components of the Executive Office of the 
President related to critical infrastructure and key resources 
protection.
       (a)   The Department of State, in conjunction with the 
            Department, and the Departments of Justice, Commerce, 
            Defense, the Treasury and other appropriate agencies, will 
            work with foreign countries and international organizations 
            to strengthen the protection of United States critical 
            infrastructure and key resources.
       (b)   The Department of Justice, including the Federal Bureau of 
            Investigation, will reduce domestic terrorist threats, and 
            investigate and prosecute actual or attempted terrorist 
            attacks on, sabotage of, or disruptions of critical 
            infrastructure and key resources. The Attorney General and 
            the Secretary shall use applicable statutory authority and 
            attendant mechanisms for cooperation and coordination, 
            including but not limited to those established by 
            presidential directive.
       (c)   The Department of Commerce, in coordination with the 
            Department, will work with private sector, research, 
            academic, and government organizations to improve technology 
            for cyber systems and promote other critical infrastructure 
            efforts, including using its authority under the Defense 
            Production Act to assure the timely availability of 
            industrial products, materials, and services to meet 
            homeland security requirements.
       (d)   A Critical Infrastructure Protection Policy Coordinating 
            Committee will advise the Homeland Security Council on 
            interagency policy related to physical and cyber 
            infrastructure protection. This PCC will be chaired by a 
            Federal officer or employee designated by the Assistant to 
            the President for Homeland Security.
       (e)   The Office of Science and Technology Policy, in 
            coordination with the Department, will coordinate 
            interagency research and development to enhance the 
            protection of critical infrastructure and key resources.
       (f)   The Office of Management and Budget (OMB) shall oversee the 
            implementation of government-wide policies, principles, 
            standards, and guidelines for Federal government computer 
            security programs. The Director of OMB will ensure the 
            operation of a central Federal information security incident 
            center consistent with the requirements of the Federal 
            Information Security Management Act of 2002.
       (g)   Consistent with the E-Government Act of 2002, the Chief 
            Information Officers Council shall be the principal 
            interagency forum for improving agency practices related to 
            the design, acquisition, development, modernization, use, 
            operation, sharing, and performance of information resources 
            of Federal departments and agencies.
       (h)   The Department of Transportation and the Department will 
            collaborate on all matters relating to transportation 
            security and transportation infrastructure protection. The 
            Department of Transportation is responsible

[[Page 1743]]

            for operating the national air space system. The Department 
            of Transportation and the Department will collaborate in 
            regulating the transportation of hazardous materials by all 
            modes (including pipelines).
       (i)   All Federal departments and agencies shall work with the 
            sectors relevant to their responsibilities to reduce the 
            consequences of catastrophic failures not caused by 
            terrorism.
    (23) The heads of all Federal departments and agencies will 
coordinate and cooperate with the Secretary as appropriate and 
consistent with their own responsibilities for protecting critical 
infrastructure and key resources.
    (24) All Federal department and agency heads are responsible for the 
identification, prioritization, assessment, remediation, and protection 
of their respective internal critical infrastructure and key resources. 
Consistent with the Federal Information Security Management Act of 2002, 
agencies will identify and provide information security protections 
commensurate with the risk and magnitude of the harm resulting from the 
unauthorized access, use, disclosure, disruption, modification, or 
destruction of information.

Coordination with the Private Sector

    (25) In accordance with applicable laws or regulations, the 
Department and the Sector-Specific Agencies will collaborate with 
appropriate private sector entities and continue to encourage the 
development of information sharing and analysis mechanisms. 
Additionally, the Department and Sector-Specific Agencies shall 
collaborate with the private sector and continue to support sector-
coordinating mechanisms:
       (a)   to identify, prioritize, and coordinate the protection of 
            critical infrastructure and key resources; and
       (b)   to facilitate sharing of information about physical and 
            cyber threats, vulnerabilities, incidents, potential 
            protective measures, and best practices.

National Special Security Events

    (26) The Secretary, after consultation with the Homeland Security 
Council, shall be responsible for designating events as ``National 
Special Security Events'' (NSSEs). This directive supersedes language in 
previous presidential directives regarding the designation of NSSEs that 
is inconsistent herewith.

Implementation

    (27) Consistent with the Homeland Security Act of 2002, the 
Secretary shall produce a comprehensive, integrated National Plan for 
Critical Infrastructure and Key Resources Protection to outline national 
goals, objectives, milestones, and key initiatives within 1 year from 
the issuance of this directive. The Plan shall include, in addition to 
other Homeland Security-related elements as the Secretary deems 
appropriate, the following elements:
       (a)   a strategy to identify, prioritize, and coordinate the 
            protection of critical infrastructure and key resources, 
            including how the Department intends to work with Federal 
            departments and agencies, State and local governments, the 
            private sector, and foreign countries and international 
            organizations;
       (b)   a summary of activities to be undertaken in order to: 
            define and prioritize, reduce the vulnerability of, and 
            coordinate the protection of critical infrastructure and key 
            resources;
       (c)   a summary of initiatives for sharing critical 
            infrastructure and key resources information and for 
            providing critical infrastructure and key resources threat 
            warning data to State and local governments and the private 
            sector; and
       (d)   coordination and integration, as appropriate, with other 
            Federal emergency management and preparedness

[[Page 1744]]

            activities including the National Response Plan and 
            applicable national preparedness goals.
    (28) The Secretary, consistent with the Homeland Security Act of 
2002 and other applicable legal authorities and presidential guidance, 
shall establish appropriate systems, mechanisms, and procedures to share 
homeland security information relevant to threats and vulnerabilities in 
national critical infrastructure and key resources with other Federal 
departments and agencies, State and local governments, and the private 
sector in a timely manner.
    (29) The Secretary will continue to work with the Nuclear Regulatory 
Commission and, as appropriate, the Department of Energy in order to 
ensure the necessary protection of:
       (a)   commercial nuclear reactors for generating electric power 
            and non-power nuclear reactors used for research, testing, 
            and training;
       (b)   nuclear materials in medical, industrial, and academic 
            settings and facilities that fabricate nuclear fuel; and
       (c)   the transportation, storage, and disposal of nuclear 
            materials and waste.
    (30) In coordination with the Director of the Office of Science and 
Technology Policy, the Secretary shall prepare on an annual basis a 
Federal Research and Development Plan in support of this directive.
    (31) The Secretary will collaborate with other appropriate Federal 
departments and agencies to develop a program, consistent with 
applicable law, to geospatially map, image, analyze, and sort critical 
infrastructure and key resources by utilizing commercial satellite and 
airborne systems, and existing capabilities within other agencies. 
National technical means should be considered as an option of last 
resort. The Secretary, with advice from the Director of Central 
Intelligence, the Secretaries of Defense and the Interior, and the heads 
of other appropriate Federal departments and agencies, shall develop 
mechanisms for accomplishing this initiative. The Attorney General shall 
provide legal advice as necessary.
    (32) The Secretary will utilize existing, and develop new, 
capabilities as needed to model comprehensively the potential 
implications of terrorist exploitation of vulnerabilities in critical 
infrastructure and key resources, placing specific focus on densely 
populated areas. Agencies with relevant modeling capabilities shall 
cooperate with the Secretary to develop appropriate mechanisms for 
accomplishing this initiative.
    (33) The Secretary will develop a national indications and warnings 
architecture for infrastructure protection and capabilities that will 
facilitate:
       (a)   an understanding of baseline infrastructure operations;
       (b)   the identification of indicators and precursors to an 
            attack; and
       (c)   a surge capacity for detecting and analyzing patterns of 
            potential attacks.
    In developing a national indications and warnings architecture, the 
Department will work with Federal, State, local, and non-governmental 
entities to develop an integrated view of physical and cyber 
infrastructure and key resources.
    (34) By July 2004, the heads of all Federal departments and agencies 
shall develop and submit to the Director of the OMB for approval plans 
for protecting the physical and cyber critical infrastructure and key 
resources that they own or operate. These plans shall address 
identification, prioritization, protection, and contingency planning, 
including the recovery and reconstitution of essential capabilities.
    (35) On an annual basis, the Sector-Specific Agencies shall report 
to the Secretary on their efforts to identify, prioritize, and 
coordinate the protection of critical infrastructure and key resources 
in their respective sectors. The report shall be submitted within 1 year 
from the issuance of this directive and on an annual basis thereafter.
    (36) The Assistant to the President for Homeland Security and the 
Assistant to the

[[Page 1745]]

President for National Security Affairs will lead a national security 
and emergency preparedness communications policy review, with the heads 
of the appropriate Federal departments and agencies, related to 
convergence and next generation architecture. Within 6 months after the 
issuance of this directive, the Assistant to the President for Homeland 
Security and the Assistant to the President for National Security 
Affairs shall submit for my consideration any recommended changes to 
such policy.
    (37) This directive supersedes Presidential Decision Directive/NSC-
63 of May 22, 1998 (``Critical Infrastructure Protection''), and any 
Presidential directives issued prior to this directive to the extent of 
any inconsistency. Moreover, the Assistant to the President for Homeland 
Security and the Assistant to the President for National Security 
Affairs shall jointly submit for my consideration a Presidential 
directive to make changes in Presidential directives issued prior to 
this date that conform such directives to this directive.
    (38) This directive is intended only to improve the internal 
management of the executive branch of the Federal Government, and it is 
not intended to, and does not, create any right or benefit, substantive 
or procedural, enforceable at law or in equity, against the United 
States, its departments, agencies, or other entities, its officers or 
employees, or any other person.

                                                          George W. Bush