U.S. DEPARTMENT OF HOMELAND SECURITY
CYBERSECURITY STRATEGY
May 15, 2018

Vision

By 2023, the Department of Homeland Security will have improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit cyber activity; improving responses to cyber incidents; and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities.

UNCLASSIFIED FOR OFFICIAL USE ONLY

TABLE OF CONTENTS

INTRODUCTION
SCOPE
THE CYBER THREAT
MANAGING NATIONAL CYBERSECURITY RISK
GUIDING PRINCIPLES
DEVELOPMENT AND IMPLEMENTATION
PILLAR I - RISK IDENTIFICATION
    GOAL 1: ASSESS EVOLVING CYBERSECURITY RISKS
PILLAR II - VULNERABILITY REDUCTION
    GOAL 2: PROTECT FEDERAL GOVERNMENT INFORMATION SYSTEMS
    GOAL 3: PROTECT CRITICAL INFRASTRUCTURE
PILLAR III - THREAT REDUCTION
    GOAL 4: PREVENT AND DISRUPT CRIMINAL USE OF CYBERSPACE
PILLAR IV - CONSEQUENCE MITIGATION
    GOAL 5: RESPOND EFFECTIVELY TO CYBER INCIDENTS
PILLAR V - ENABLE CYBERSECURITY OUTCOMES
    GOAL 6: STRENGTHEN THE SECURITY AND RELIABILITY OF THE CYBER ECOSYSTEM
    GOAL 7: IMPROVE MANAGEMENT OF DHS CYBERSECURITY ACTIVITIES
CONCLUSION
APPENDIX: DHS CYBERSECURITY AUTHORITIES

INTRODUCTION

The American people are increasingly dependent upon the Internet for daily conveniences, critical services, and economic prosperity. Substantial growth in Internet access and networked devices has facilitated widespread opportunities and innovation. This extraordinary level of connectivity, however, has also introduced progressively greater cyber risks for the United States. Long-standing threats are evolving as nation-states, terrorists, individual criminals, transnational criminal organizations, and other malicious actors move their activities into the digital world. Enabling the delivery of essential services--such as electricity, finance,
transportation, water, and health care--through cyberspace also introduces new vulnerabilities and opens the door to potentially catastrophic consequences from cyber incidents. The growing number of Internet-connected devices and reliance on global supply chains further complicates the national and international risk picture. More than ever, cybersecurity is a matter of homeland security and one of the core missions of the U.S. Department of Homeland Security (DHS).

At DHS, we believe that cyberspace can be secure and resilient.[1] We work every day across the Department and with key partners and stakeholders to identify and manage national cybersecurity risks. We do this by adopting a holistic risk management approach. Like every organization, no matter how big or small, we must minimize our organizational vulnerability to malicious cyber activity by protecting our own networks. DHS also has broader responsibilities to protect the larger federal enterprise and improve the security and resilience of other critical systems. At the same time, we seek to reduce cyber threats by preventing and disrupting cyber crimes, and to lessen the consequences of cyber incidents by ensuring an effective federal response when appropriate. Finally, we work to create conditions for more effective cyber risk management through efforts to make the cyber ecosystem more fundamentally secure and resilient. This strategy sets forth our goals, objectives, and priorities to successfully execute the full range of the Secretary of Homeland Security's cybersecurity responsibilities.

Scope

This strategy provides the Department with a framework to execute our cybersecurity responsibilities during the next five years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient.

[1] The term cyberspace in this strategy refers to the interdependent network of
information technology infrastructure, including the Internet, telecommunications networks, computers, information and communications systems, and embedded processors and controllers.

The Cyber Threat

During the last several decades, advances in technology have fundamentally changed the world. Substantial growth in Internet access, use of Internet-enabled devices, and the availability of high speed information technology systems and large datasets have facilitated productivity, efficiencies, and capabilities across all major industries. The proliferation of technology also presents new cybersecurity challenges and leads to significant national risks. More than 20 billion devices are expected to be connected to the Internet by 2020. The risks introduced by the growing number and variety of such devices are substantial.

The United States faces threats from a growing set of sophisticated malicious actors who seek to exploit cyberspace. Motivations include espionage, political and ideological interests, and financial gain. Nation-states continue to present a considerable cyber threat. But non-state actors are emerging with capabilities that match those of sophisticated nation-states. Criminal actors are increasingly empowered by modern information and communications technologies that enable them to grow in sophistication and transnational reach. Transnational criminal organizations also increasingly collaborate through cyberspace. Complicating the threat picture, nation-states are increasingly using proxies and other techniques that blur the distinction between state and non-state cyber activities. In a number of cases, malicious actors engaged in significant criminal cyber activity appear to have both criminal and nation-state affiliations.

These diverse threats can impact federal and nonfederal information systems. Attempted incursions into government networks occur on a daily basis; the number of cyber incidents on federal systems reported to DHS increased more than ten-fold between 2006 and
2015. In 2015, a high-profile intrusion into a single federal agency resulted in the compromise of personnel records of over 4 million federal employees and ultimately affected nearly 22 million people. The growing interconnection of cyber and physical systems within critical infrastructure also creates the potential risk for malicious cyber activity to result in direct physical consequences; for example, the December 2015 overriding of controls in the Ukrainian electric grid resulted in widespread loss of power. Ransomware incidents such as WannaCry and NotPetya demonstrate how the rapid growth of the internet-of-things further complicates the threat, as everyday devices can be targeted by malicious cyber actors with potentially far-reaching consequences.

The broad availability, relatively low cost, and increasing capabilities of cyber tools also affect trends in the threats we face. Ransomware, for example, has evolved to attack both frontline systems and backup drives. Malicious cyber actors have successfully used ransomware to compromise maritime travel control and healthcare systems. The Darkweb facilitates the easy sale of illicit goods and services, such as firearms, forged passports, and malware, which threat actors may acquire and use. Malware kits and instructions are also readily available on the Darkweb. Malicious cyber tools sold on the Internet can be adapted to intrude into systems and otherwise commit criminal acts related to financial fraud, money laundering, intellectual property theft, or other illicit activities. The growing popularity of cryptocurrencies also presents challenges to countering money laundering and the work of law enforcement.

Managing National Cybersecurity Risk

DHS must find innovative ways to leverage our broad resources and capabilities across the Department and the homeland security enterprise to strategically manage national cybersecurity risks. We have accordingly identified five pillars of a DHS-wide risk management approach. Through our efforts
to accomplish seven identified goals across these five pillars, we work to ensure the availability of critical national functions and to foster efficiency, innovation, trustworthy communication, and economic prosperity in ways consistent with our national values and that protect privacy and civil liberties.

DHS Cybersecurity Goals

Pillar I - Risk Identification
    Goal 1: Assess Evolving Cybersecurity Risks. We will understand the evolving national cybersecurity risk posture to inform and prioritize risk management activities.

Pillar II - Vulnerability Reduction
    Goal 2: Protect Federal Government Information Systems. We will reduce vulnerabilities of federal agencies to ensure they achieve an adequate level of cybersecurity.
    Goal 3: Protect Critical Infrastructure. We will partner with key stakeholders to ensure that national cybersecurity risks are adequately managed.

Pillar III - Threat Reduction
    Goal 4: Prevent and Disrupt Criminal Use of Cyberspace. We will reduce cyber threats by countering transnational criminal organizations and sophisticated cyber criminals.

Pillar IV - Consequence Mitigation
    Goal 5: Respond Effectively to Cyber Incidents. We will minimize consequences from potentially significant cyber incidents through coordinated community-wide response efforts.

Pillar V - Enable Cybersecurity Outcomes
    Goal 6: Strengthen the Security and Reliability of the Cyber Ecosystem. We will support policies and activities that enable improved global cybersecurity risk management.
    Goal 7: Improve Management of DHS Cybersecurity Activities. We will execute our departmental cybersecurity efforts in an integrated and prioritized way.

The first pillar of our approach is better understanding our national risk posture. Understanding these risks at the strategic level will enable us to effectively allocate resources and prioritize efforts to address vulnerabilities, threats, and consequences across all of our cybersecurity activities.

Under pillars two through four, we focus on reducing or mitigating
vulnerabilities, threats, and the potential consequences from cybersecurity incidents. DHS leads national efforts to protect federal information systems, critical infrastructure, and other systems that impact national security, public health and safety, and economic security. These protective efforts seek to reduce organizational and systemic vulnerability to malicious cyber activity and empower stakeholders to make informed risk management decisions and to improve their cybersecurity. At the same time, our law enforcement Components work closely with each other and throughout the law enforcement community to reduce threats by aggressively investigating, disrupting, and defeating criminal actors and organizations that use cyberspace to carry out their illicit activities. To mitigate the consequences of cyber incidents, DHS draws upon its experience and capabilities in emergency management in addition to our network protection and law enforcement capabilities. DHS plays a lead role in the federal response to many cyber incidents, which may or may not involve physical consequences. DHS works with other federal agencies and stakeholders to minimize impacts and ensure that lessons learned from incidents are incorporated into future risk management efforts.

Finally, DHS also works to support cybersecurity risk management outcomes under the fifth pillar of our approach through efforts aimed at making cyberspace more defensible. This includes efforts to strengthen the security and reliability of the overall cyber ecosystem and align our internal cybersecurity efforts. In particular, DHS seeks to foster security innovations that give an advantage to those protecting networks and also to drive research, development, and technology transfer efforts. Because cyberspace is inherently global, DHS collaborates with the international community to build capacity, advocate for best practices, and promote responsible international behavior to ensure that the Internet remains open, interoperable, secure, and
reliable. DHS also prioritizes efforts to address cybersecurity workforce challenges and empower organizations to recruit, hire, develop, and retain personnel with strong and enduring cybersecurity skillsets.

Through these complementary efforts across our Components, DHS works to collectively shift the advantage away from malicious cyber actors and toward those who are working to reduce national cybersecurity risks. Accomplishing our identified cybersecurity goals will also deter malicious cyber activity by denying access to, and imposing costs on, those who try to use cyberspace for illicit purposes. The cross-cutting goals and objectives set forth in this strategy are designed to ensure that DHS is maximizing its unique resources to accomplish impactful policy and operational outcomes as part of a national cybersecurity risk management approach.

Guiding Principles

DHS advances our mission and will accomplish our cybersecurity goals by aligning departmental activities according to the following guiding principles:

1. Risk prioritization. The foremost responsibility of DHS is to safeguard the American people, and we must prioritize our efforts to focus on systemic risks and the greatest cybersecurity threats and vulnerabilities faced by the American people and our homeland.
2. Cost-effectiveness. Cyberspace is highly complex, and DHS efforts to increase cybersecurity must be continuously evaluated and reprioritized to ensure the best results for investments made.
3. Innovation and agility. Cyberspace is an evolving domain with emergent risks. Although the proliferation of technology leads to new risks, it also provides an opportunity for innovation. DHS must lead by example in researching, developing, adapting, and employing cutting-edge cybersecurity capabilities and remain agile in its efforts to keep up with evolving threats and technologies.
4. Collaboration. The growth and development of the Internet has been primarily driven by the private sector, and the security of cyberspace is an
inherently cross-cutting challenge. To accomplish our cybersecurity goals, we must work in a collaborative manner across our Components and with other federal and nonfederal partners.
5. Global approach. Robust international engagement and collaboration is required to accomplish our national cybersecurity goals. DHS must engage internationally to manage global cyber risks, respond to worldwide incidents, and disrupt growing transnational cyber threats, as well as encourage other nations and foreign entities to adopt the policies necessary to create an open, interoperable, secure, and reliable Internet.
6. Balanced equities. Cyberspace empowers people and enables prosperity worldwide. Cybersecurity is not an end unto itself, and efforts to mitigate cybersecurity risks must also support international commerce, strengthen international security, and foster free expression and innovation.
7. National values. DHS must uphold privacy, civil rights, and civil liberties in accordance with applicable law and policy. The Department empowers our cybersecurity programs to succeed by integrating privacy protections from the outset and employing a layered approach to privacy and civil liberties oversight.[2]

[2] See, for example, the Fair Information Practice Principles, available at https://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf.

Development and Implementation

The DHS Office of Strategy, Policy, and Plans (PLCY) led the development of this strategy in collaboration with all DHS Components and in accordance with section 1912 of the 2017 National Defense Authorization Act. In accordance with section 1912, DHS will also issue a corresponding implementation plan to outline Component roles, responsibilities, programs, and timelines for accomplishing these goals and objectives. This strategy and the implementation plan will be used to harmonize and prioritize DHS cybersecurity planning, programming, budget, training, and execution activities. In addition, the Joint Requirements Council will utilize the
strategy and implementation plan to support the review of capability gap analyses and requirements generated by relevant Components.

PLCY will annually assess implementation of this strategy and provide a report to the Secretary. The report will include areas of success, opportunities for improvement, constraints impeding progress, and suggested adjustments to the strategy. DHS will review and update this strategy in 2023 and periodically thereafter.

PILLAR I - RISK IDENTIFICATION

DHS must understand the global cybersecurity landscape and associated risks at the strategic level to effectively allocate our resources and prioritize departmental efforts to address vulnerabilities, threats, and consequences across all of our cybersecurity activities.

Goal 1: Assess Evolving Cybersecurity Risks

We will understand the evolving national cybersecurity risk posture to inform and prioritize risk management activities.

For DHS to effectively execute our mission in the long-term, we must work with stakeholders, including sector-specific agencies, nonfederal cybersecurity firms, and other federal and nonfederal entities, to gain an adequate understanding of the national cybersecurity risk posture, analyze evolving interdependencies and systemic risk, and assess changing techniques of malicious actors.

Objective 1.1: Maintain strategic awareness of trends in national and systemic cybersecurity risks

Understanding trends in threats, vulnerabilities, interdependencies, and potential consequences over time will allow DHS to prioritize our protective, investigative, and response activities and to plan and budget appropriately. DHS must also take stock of gaps in national analytic capabilities and risk management efforts to ensure a robust understanding of the effectiveness of cybersecurity efforts. We must anticipate the changes that future technological innovation will bring, ensure long-term preparedness, and prevent a failure of imagination.

Sub-Objectives:
a. Identify evolving cybersecurity risks that affect
national security, public health and safety, and economic security.
b. Identify and develop plans to address gaps in analytic capabilities and risk management efforts across DHS and national cybersecurity stakeholders.
c. Develop scenarios and plans for future technology developments and potentially disruptive innovations, and adjust DHS efforts accordingly.

Outcomes: DHS understands national and systemic cybersecurity risks and regularly adjusts our program and policy efforts to account for evolving technologies and operational priorities.

PILLAR II - VULNERABILITY REDUCTION

DHS works to reduce organizational and systemic vulnerabilities across the federal enterprise, including our own networks, as well as other nationally critical systems and assets. Through technical capabilities, cybersecurity information, and other assistance, we empower our stakeholders to better manage their cybersecurity risks.

Goal 2: Protect Federal Government Information Systems

We will reduce vulnerabilities of federal agencies to ensure they achieve an adequate level of cybersecurity.

DHS leads the effort to secure the federal enterprise and must use all available mechanisms to ensure that every agency maintains an adequate level of cybersecurity, commensurate with its own risks and with those of the larger enterprise.[3] While individual agencies ultimately must implement their own cybersecurity risk-management programs because they are best positioned to understand their unique mission environments, DHS works with the Office of Management and Budget (OMB) to ensure an adequate level of security enterprise-wide and to address systemic risks and interdependencies across and between agencies. DHS must also support agency efforts to reduce their vulnerabilities to cyber threats by providing tailored capabilities, tools, and services to protect legacy systems as well as cloud and shared infrastructure. Within its own systems, DHS must continue to adopt new technologies and serve as a model for other agencies in the
implementation of cybersecurity best practices.

In looking across the federal enterprise and in protecting its own information systems, DHS must address the greatest risks first and focus on the highest impact systems, assets, and capabilities. This means identifying the most critical systems and prioritizing protections around those systems. DHS must use cost-effective approaches that both get the most risk reduction leverage and ensure maximum return for investment. DHS must exhibit leadership through direct action and offerings, but also through collaboration with other agencies and stakeholders to pursue innovations like changes in federal information technology and procurement policies, improved analysis, and better operational planning. DHS must continue to closely collaborate with agencies including OMB, the U.S. General Services Administration, and the National Institute of Standards and Technology (NIST), as well as those responsible for protecting military and intelligence networks, to deliver cybersecurity outcomes for the federal enterprise.

[3] DHS's authority to administer the implementation of agency information security policy and practices applies to systems of federal executive-branch agencies, except for national security systems and certain Department of Defense and intelligence community systems. See 44 U.S.C. 3553(b).

Objective 2.1: Increase cybersecurity of the federal enterprise through improved governance, information security policies, and oversight

To execute our statutory responsibility to administer the implementation of agency information security policies and practices, DHS must continuously assess and advocate for changes to federal information technology governance structures and government-wide policies and programs that affect cybersecurity outcomes and investments. It is necessary to further refine and clarify roles and responsibilities between OMB, DHS, and other agencies. To start, DHS must provide better support to OMB's policy development and oversight role
and assess our own policies and programs to ensure efficiency and effectiveness. DHS must also advocate for and develop new processes to ensure accountability within agencies and across the federal enterprise in order to effect necessary cybersecurity changes.

In support of these efforts, DHS must integrate information from existing protective capabilities, along with relevant cybersecurity threat reporting from the intelligence community, law enforcement, and other sources, to enhance the ability to understand individual agency, enterprise, and systemic risks, inform risk management decisions, and assess potential returns on investment. Driven by this information, the federal enterprise will be able to prioritize resources to meaningfully address policy and capability gaps and build a more modern, secure, and resilient information infrastructure.

Sub-Objectives:
a. Develop and implement a clear governance model for federal cybersecurity, including defining roles and responsibilities for legacy and cloud or shared services.
b. Issue new or revised policies and recommendations, as required, consistent with DHS authorities to ensure adequate cybersecurity across the federal enterprise.
c. Develop a formalized approach to measure and track agency adoption of information security policies, practices, and required controls.
d. Implement processes to increase agency accountability and compliance with information security policies, practices, and required controls.
e. Assess enterprise and individual agency risk posture through strategic analyses, available threat reporting, and other means to inform cybersecurity and investment priorities.
f. Provide agencies with integrated and operationally relevant information necessary to understand and manage their cyber risk.

Outcomes: DHS-led efforts result in agencies maintaining an adequate level of cybersecurity, commensurate with each agency's risks and with those of the federal enterprise.

Objective 2.2: Provide protective capabilities, tools, and services across the
federal enterprise

DHS operates enterprise-wide capabilities and offers tools and services to assist agencies manage their cybersecurity risks. Certain elements of the federal enterprise must be further centralized to appropriately and consistently address key cybersecurity risks and provide improved enterprise-wide security. For example, DHS has made significant progress in establishing baseline protective capabilities across the federal enterprise through the deployment of perimeter security capabilities. DHS will establish additional capabilities to cost-effectively address key cybersecurity risks across the federal enterprise and to address increasing use of cloud infrastructure and shared services. DHS must also build on economic and operational efficiencies through the centralized purchase or in-house development of tools and services, where appropriate, to address threats to legacy systems and cloud or shared services. New tools and services may be offered to agencies on a reimbursable basis, or without reimbursement when they provide needed capability to agencies, address priority threats, or are necessary to facilitate situational awareness, incident response, or other strategic goals.

Sub-Objectives:
a. Identify elements of the federal enterprise that should be centralized to cost-effectively address key cybersecurity risks and provide enterprise security.
b. Deploy, where appropriate, centralized protective capabilities to address enterprise-wide cybersecurity risk.
c. Develop and provide additional cybersecurity tools and services for agencies in response to emerging or identified threats.
d. Create performance metrics to measure the effectiveness of new and existing cybersecurity capabilities, tools, and services.

Outcomes: Federal agencies utilize DHS capabilities, tools, and services to identify and mitigate cyber threats and vulnerabilities before they do significant harm.

Objective 2.3: Deploy innovative cybersecurity capabilities and practices to protect DHS information systems

DHS must maintain an adequate level of security for our own systems. Many DHS information systems remain largely decentralized and are operated by Components without a standardized cybersecurity approach or methodology. DHS must undertake a systematic effort to assess our information systems at greatest risk and to ensure that appropriate protective capabilities and methodologies are in place to secure sensitive information while enabling critical mission functions. DHS must adopt a more unified approach to securing our own information systems and, where appropriate, deploy standardized, cost-effective, and cutting-edge capabilities across high-value departmental information systems. As we increasingly leverage cloud and shared services, DHS must continue to develop and pilot emerging capabilities, tools, and practices to more effectively detect and mitigate evolving threats and vulnerabilities in a timely fashion, and ensure that our cybersecurity approaches are flexible and dynamic enough to counter determined and creative adversaries. DHS must serve as a first adopter and model for other agencies as we work to modernize our information technology and the entire federal enterprise.

Sub-Objectives:
a. Conduct comprehensive risk and gap assessments across DHS information systems based on consistent methodology and government and industry best practices.
b. Deploy appropriate best-in-class technologies and practices, including standardized solutions where cost-effective and operationally feasible, to secure legacy systems and cloud or shared services.
c. Pursue innovative and agile approaches to acquisition and technology procurement to deploy cutting-edge capabilities and facilitate use of cloud and shared services.
d. Pilot innovative capabilities, tools, and other new technologies or practices that can protect DHS systems and are potentially scalable across the federal enterprise level.

Outcomes: DHS maintains an adequate level of cybersecurity, commensurate with our own risks and with
those of the government-wide enterprise, to ensure the confidentiality, availability, and integrity of critical DHS information systems and information.

Goal 3: Protect Critical Infrastructure

We will partner with key stakeholders to ensure that national cybersecurity risks are adequately managed.

DHS must ensure that growing cybersecurity risks across all critical infrastructure sectors and other systems that impact national security, public health and safety, and economic security are managed at an acceptable level.[4] DHS must partner with key stakeholders, including sector-specific agencies and the private sector, to drive better cybersecurity by promoting the development and adoption of best practices and international standards, by providing services like risk assessments and other technical offerings, and by improving engagement efforts to advance cybersecurity risk management efforts. DHS must also expand operationally meaningful cybersecurity information sharing efforts to empower those protecting networks from cyber threats.

To these ends, DHS serves an essential partnership role as the sector-specific lead or co-lead for 10 of the 16 critical infrastructure sectors, and the Secretary coordinates the overall Federal effort to promote security and resilience across all of the sectors.[5] While continuing to leverage existing partnership structures, DHS must deepen technical collaboration across all the sectors and with other key nonfederal entities on risk mitigation efforts. As the agency designated to lead the national effort to protect the Nation's infrastructure, DHS must also act as a backstop to ensure that cybersecurity threats do not disrupt the provision of essential services to the American people. DHS must therefore smartly leverage its regulatory authorities in tailored ways and engage with other agencies to ensure that their policies and efforts are informed by cybersecurity risks and aligned to national objectives to address critical cybersecurity gaps.

To properly allocate resources and prioritize efforts, DHS must maintain substantial awareness of the cybersecurity risk posture across critical infrastructure. This includes understanding the potential consequences of infrastructure-related cybersecurity incidents. DHS must prioritize its engagement efforts based upon those with the highest risk, such as entities where a cyber incident could result in catastrophic impacts.[6]

[4] Congress authorized DHS to engage broadly with federal and nonfederal entities to collaboratively address cybersecurity risks. See 6 U.S.C. 148(c)(9).

[5] The 16 critical infrastructure sectors are: (1) Chemical; (2) Commercial Facilities; (3) Communications; (4) Critical Manufacturing; (5) Dams; (6) Defense Industrial Base; (7) Emergency Services; (8) Energy; (9) Financial Services; (10) Food and Agriculture; (11) Government Facilities; (12) Healthcare and Public Health; (13) Information Technology; (14) Nuclear Reactors, Materials, and Waste; (15) Transportation Systems; and (16) Water and Wastewater. https://www.dhs.gov/critical-infrastructure-sectors

Objective 3.1: Mature cybersecurity offerings and engagements to address significant national risks to critical infrastructure

DHS must improve the cybersecurity of critical infrastructure through the development and deployment of tools, services, and other offerings, as well as through targeted outreach to critical infrastructure owners and operators, service providers, and other key enablers of risk management activity. DHS must routinely evaluate the value of these risk management efforts and assess capability gaps. In particular, DHS must engage sector-specific agencies, nonfederal cybersecurity firms, individual critical infrastructure entities, and other stakeholders to assess interdependencies and systemic risk across critical infrastructure and identify gaps in risk management efforts. DHS offerings must be prioritized to focus on systemic risk or address risk at individual entities that have the greatest potential impact on national security, public health and safety,
and economic security. Offerings that do not address identified gaps or provide DHS with access to unique cybersecurity information should be reconsidered.

To ensure effective outreach, DHS must take a disciplined approach to identify its key stakeholders, including entities across all 16 critical infrastructure sectors and key enablers of risk management activities. DHS must expand efforts to encourage adoption of applicable cybersecurity best practices, including NIST's Framework for Improving Critical Infrastructure Cybersecurity.[7] DHS must also increasingly leverage field personnel to engage geographically diverse stakeholders to encourage the adoption of cybersecurity risk management best practices and provide access to available cybersecurity information, risk management offerings, and other DHS-wide capabilities. DHS must also be prepared to engage with officials at the appropriate levels within an organization to ensure that gaps in critical infrastructure cybersecurity involving potentially significant impacts on national security, public health and safety, or economic security are addressed.

[6] Executive Order 13636, Improving Critical Infrastructure Cybersecurity (2013), section 9, https://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf

[7] Available at https://www.nist.gov/cyberframework

Sub-Objectives:
a. Understand the interdependencies across critical infrastructure and systemic risks that affect national security, public health and safety, and economic security.
b. Evaluate the efficacy, quality, and usage of DHS cybersecurity risk management offerings provided to various critical infrastructure and other key stakeholders.
c. Assess impact of engagement by DHS personnel on progress toward adoption of best practices and usage of DHS offerings.
d. Identify and prioritize gaps in current national cybersecurity risk management efforts.
e. Address identified gaps through tools, services, and other offerings provided to critical infrastructure owners and operators or other key
entities.
f. Establish mechanisms to mitigate persistent cybersecurity risks with a potential significant impact on national security, public health and safety, or economic security.

Outcomes: DHS reduces the most significant national risks to critical infrastructure, especially those where incidents could have a significant impact on national security, public health and safety, and economic security.

Objective 3.2: Expand and improve sharing of cyber threat indicators, defensive measures, and other cybersecurity information

DHS must assess and improve existing information sharing efforts to ensure that the most operationally useful information is provided to our stakeholders. We serve as the main federal interface for receiving and sharing cyber threat indicators and defensive measures between and among nonfederal entities and with other agencies.[8] DHS must build on and expand automated mechanisms to receive, analyze, and share cyber threat indicators, defensive measures, and other cybersecurity information with critical infrastructure and other key stakeholders. DHS must continue to pursue programs for sharing vulnerability information and classified cybersecurity information, where appropriate, while also emphasizing the need to rapidly declassify cyber threat and associated contextual information. DHS must continue to partner with information sharing and analysis centers and other information sharing and analysis organizations to increase access to and collaboration regarding cybersecurity information. We must identify and address barriers to sharing information with the U.S. Government and between agencies. In addition to expanding its information sharing and collaboration capacities, DHS must improve its analytic capabilities to enhance the quantity and quality of information shared and increase the value of information sharing programs for all critical infrastructure stakeholders.

Sub-Objectives:
a. Continue to expand participation in information sharing programs and increase the
cybersecurity information shared by all participants.
b. Support engagement with information sharing and analysis centers, information sharing and analysis organizations, and other information sharing entities or fora.
c. Increase the ability of DHS to analyze, correlate, and enrich data received and shared with all cybersecurity information sharing partners.
d. Improve technical platforms and mechanisms to share cybersecurity information and collaborate with stakeholders, including in highly automated ways.
e. Evaluate the efficacy of and continue to improve DHS programs to share or access classified and unclassified U.S. Government information to protect nonfederal entities.

[8] The terms "cyber threat indicator" and "defensive measure" are defined in the Cybersecurity Information Sharing Act of 2015 at 6 U.S.C. 1501.

Outcomes: Cybersecurity stakeholders increasingly leverage information shared by DHS to quickly understand cybersecurity risks and protect their information systems.

Objective 3.3: Improve cybersecurity capabilities and resources available to sector-specific agencies, regulators, and policymakers

As a sector specific agency for 10 critical infrastructure sectors, DHS must ensure institutional knowledge and specialized expertise for each of these sectors in order to best support that sector during steady-state and incident response activities. In addition, DHS has regulatory authority with respect to chemical and transportation sectors. DHS must maintain relevant expertise, mature existing voluntary and regulatory partnerships, and continue to integrate cyber and physical resources for these sectors. DHS must also continue to mature our capabilities to provide non-DHS sector-specific agencies, regulators, and other policy-making entities with cybersecurity expertise to inform efforts to protect the Nation's critical infrastructure. DHS must leverage its expertise to shape the wide array of federal and nonfederal policies that can drive significant advancements in cybersecurity.

Sub-Objectives:
a. Enhance sector-specific cyber expertise to understand the potential impact of cyber incidents and facilitate risk management efforts.
b. Assess and update DHS policies and regulations to address cybersecurity risk to covered entities.
c. Support each critical infrastructure sector in developing and employing appropriate cybersecurity approaches and technical support mechanisms.
d. Identify and provide technical and other support to significant non-DHS regulatory and policy efforts that affect management of national cybersecurity risk.

Outcomes: All of the 16 critical infrastructure sectors are aware of cyber risks to their sector and maintain sufficient cybersecurity-related policies and capabilities to support risk management efforts.

PILLAR III - THREAT REDUCTION

DHS law enforcement agencies investigate and reduce threats from cyber criminals. In partnership with other law enforcement agencies, DHS must prevent cyber crime and disrupt criminals and criminal organizations who use cyberspace to carry out their illicit activities, and leverage identified threat activity and trends to inform national risk management efforts.

Goal 4: Prevent and Disrupt Criminal Use of Cyberspace

We will reduce cyber threats by countering transnational criminal organizations and sophisticated cyber criminals.

Law enforcement performs a critical role in cybersecurity risk management by focusing on the threat and preventing the use of cyberspace for illicit purposes. While breaches of sensitive personal information generate significant media attention, financial fraud, money laundering, theft of intellectual property and sensitive technologies, selling of illicit goods, and child exploitation are also increasingly being conducted online. In response, nearly all criminal investigations now require law enforcement investigators to have knowledge of computer forensics, digital investigations, and the cyber tradecraft that is necessary to counter transnational criminal threats. Improved criminal
intelligence is also a key component of cyber investigations and combatting transnational criminal organizations. DHS must continue to strengthen our efforts as part of the law enforcement community to pursue, counter, reduce, and disrupt illicit cyber activity by leveraging, in particular, our specialized expertise and capabilities to target financial and trans-border cyber crimes.[9] The transnational and cross-jurisdictional nature of cyberspace, as well as the sheer size of the challenge, requires closer collaboration with other federal, state, local, and international law enforcement partners.

Objective 4.1: Combat financial and trans-border cyber crimes and disrupt and defeat associated criminal organizations

While our law enforcement jurisdiction is broad, DHS must continue to focus on our core investigative responsibilities regarding financial services and payment systems, computer fraud and abuse, cross-border transmission of illicit materials, human trafficking and child exploitation, intellectual property violations, misuse of cryptocurrencies, and other violations of customs law through the Internet or online marketplaces. DHS must prioritize investigative efforts to focus on identifying, disrupting, and dismantling transnational criminal organizations and sophisticated criminals that constitute the most significant economic and homeland security threats to the Nation.

[9] While multiple DHS Components have law enforcement responsibilities, those with the most direct responsibility related to countering illicit cyber activity include the United States Secret Service (USSS) and U.S. Immigration and Customs Enforcement Homeland Security Investigations (ICE HSI).

Sub-Objectives:
a. Develop DHS investigative priorities related to illicit cyber activity.
b. Identify and conduct high-impact investigations of cyber crimes and illicit uses of cyberspace by transnational criminal organizations.
c. Disrupt the ability to use online marketplaces and tools for illicit trafficking, money laundering, and
malicious cyber activity.
d. Develop options to appropriately disrupt, counter, and deter transnational criminal organizations to augment arrest and prosecution of individual criminals.

Outcomes: DHS law enforcement investigations effectively counter significant illicit cyber activities and the ability of transnational criminal organizations to operate online.

Objective 4.2: Prevent, disrupt, and counter cybersecurity threats to protected persons, special security events, and critical infrastructure

DHS must fully leverage its law enforcement and protective capabilities to provide appropriate security for protected persons, special security events, federal facilities, and other high-risk critical infrastructure against cyber threats. DHS has been a leader in integrating traditional law enforcement methods and protective measures to strengthen security. Such efforts include working with national and international partners through electronic crimes task forces to prevent, detect, and investigate various cyber crimes, including potential terrorist attacks against critical infrastructure and financial payment systems, as well as improving the security of federal facilities. DHS must strengthen its ability to apply its full range of authorities in an integrated manner to counter cyber threats to protected persons, special security events, federal facilities, and other critical infrastructure.

Sub-Objectives:
a. Identify and investigate cyber threats to protected persons, special events, federal facilities, and other critical infrastructure.
b. Implement detection and protection measures to appropriately secure key systems and assets.

Outcomes: DHS timely and thoroughly investigates key cyber threats to protected persons, events, and assets and applies protective measures based on insight regarding such cyber threats.

Objective 4.3: Develop relationships and build law enforcement capacity to counter illicit uses of cyberspace

Countering illicit uses of cyberspace requires enhanced law enforcement
coordination and engagement. DHS must expand outreach to other law enforcement entities at the federal, state, local, territorial, and tribal levels. DHS must build on existing collaboration capabilities, such as cyber crime centers and electronic crimes task forces, which join together law enforcement, the private sector, and academia for the purpose of preventing, detecting, and investigating various forms of cyber crimes. DHS must also expand our role in international cyber investigations and law enforcement working groups that target transnational criminal organizations through our numerous attaches located around the world, as well as with key international organizations such as Interpol and Europol. DHS must continue to provide training on cyber crime investigations and digital forensics to law enforcement partners, including equipping nonfederal agencies where appropriate.

Sub-Objectives:
a. Collaborate with other domestic law enforcement agencies to investigate and counter cyber crimes.
b. Strengthen partnerships with private industry and academia to prevent and counter illicit uses of cyberspace.
c. Strengthen international law enforcement partnerships to counter cyber crimes.
d. Provide training and, where appropriate, otherwise equip law enforcement partners to improve collective law enforcement capabilities.

Outcomes: Greater cooperation with increasingly capable foreign and domestic law enforcement agencies results in apprehension of transnational criminal actors and dismantling of transnational criminal organizations that seek to use cyberspace for illicit purposes.

Objective 4.4: Develop capabilities and resources to enhance investigative efforts and address evolving law enforcement challenges

DHS must better align our existing law enforcement efforts and resources to address new and emerging challenges in cyberspace, to include the growing use of end-to-end encryption, anonymous networks, online marketplaces, and cryptocurrencies. DHS must look for ways to leverage and share existing
resources, technical capabilities, and investigative information available across the Department to counter illicit uses of cyberspace and invest in new capabilities and development opportunities for law enforcement agents.

Sub-Objectives:
a. Identify and align existing DHS cyber investigative capabilities and mission support resources to build greater law enforcement capabilities.
b. Leverage technical capabilities and resources available across the Department to supplement and support existing investigative and forensic efforts.
c. Invest in cutting-edge technical resources and advanced law enforcement capabilities for DHS and its partners.
d. Develop a method for DHS to more effectively share our investigation-related information through a non-classified, law enforcement sensitive mechanism.

Outcomes: DHS investigative and forensic capabilities and resources more effectively support investigations of sophisticated cyber criminals.

PILLAR IV - CONSEQUENCE MITIGATION

DHS must limit the impact of potentially significant cyber incidents by leveraging our unique emergency management expertise and insights from network protection and law enforcement efforts.

Goal 5: Respond Effectively to Cyber Incidents

We will minimize consequences from potentially significant cyber incidents through coordinated community-wide response efforts.

As the world becomes ever-more connected, the number and scale of cyber incidents are certain to grow despite network protection and law enforcement best efforts. Many cyber incidents do not require a national response. But where they do, DHS plays a unique role in responding to cyber incidents to mitigate potential consequences by providing technical assistance to affected entities and other assets that are at risk (asset response) and in investigating the underlying crimes (threat response).[10] DHS responds to significant cyber incidents in close coordination with the Department of Justice and other federal agencies. In our role as asset responder, DHS must
enhance capabilities to protect entities from additional harm following an incident, reduce the risk to others, safeguard sensitive personal and business information, and coordinate responses to significant incidents. As part of the law enforcement community, DHS must investigate incidents and be prepared to identify and counteract immediate cyber threats. DHS must also implement mechanisms to ensure that asset and threat responders, informed by the intelligence community, share information with each other, with sector specific agencies, and with the private sector to inform all related incident response efforts. DHS sector specific agencies must similarly be prepared to provide sector expertise to support the needs of federal responders and to promote and support private sector coordination during and after a cyber incident.

In the case of significant cyber incidents, DHS must ensure preparedness across our Components for a coordinated government-wide response and to support any related emergency management activities. DHS must also ensure that we have in place mechanisms to coordinate with international partners, as cyber incidents, whether they originate domestically or abroad, assume international implications.

[10] Pursuant to Presidential Policy Directive 41, United States Cyber Incident Coordination (July 26, 2016).

Objective 5.1: Increase voluntary incident reporting and victim notification to facilitate the provision of response assistance

DHS cybersecurity efforts must be directed to build trusted relationships with entities at greatest risk of experiencing potentially significant cyber incidents. These relationships, especially through DHS field offices and sector specific agencies, help to facilitate the provision of DHS and other federal resources following an incident. DHS must encourage the reporting of incidents and work with other incident responders to develop consistent processes for notifying potential victims of cyber incidents. Encouraging a culture of reporting,
notification, and information sharing will increase the security and resilience of critical infrastructure, help prevent, counter, and disrupt illicit cyber actors, and enable the government to assess and potentially manage responses to incidents of unknown severity.

Sub-Objectives:
a. Encourage reporting of cyber incidents by nonfederal entities to DHS or other law enforcement agencies, relevant sector specific agencies, and the National Cybersecurity and Communications Integration Center (NCCIC).
b. Improve processes to facilitate timely and effective notification to potential victims of cyber incidents by DHS and other agencies and to enhance sector specific agency awareness of incidents within their sectors.

Outcomes: DHS receives reports of cyber incidents and, in appropriate coordination with other agencies, makes timely victim notifications.

Objective 5.2: Expand asset response capabilities to mitigate and manage cyber incidents

DHS provides asset response assistance to requesting entities following incidents that pose significant risks to national security, public health and safety, or economic security, or as otherwise appropriate to the circumstances. DHS is also responsible for maintaining shared situational awareness of emerging cybersecurity risks and incidents. During significant cyber incidents, DHS serves as the lead agency for asset response as part of a Cyber Unified Coordination Group and supports the White House-led Cyber Response Group. DHS must continue to build capabilities to provide technical assistance and mitigation recommendations, including on-site incident response teams, following cyber incidents. DHS must also leverage incident information to identify emerging risks and protect entities that rely on impacted entities or those at risk of similar incidents.

Sub-Objectives:
a. Develop technical asset response capabilities to respond to cyber incidents.
b. Establish a common operating picture across the Department and with other stakeholders to assess emerging incidents
and associated national, regional, or sector risks.
c. Build capacity to manage national asset response efforts and support a Cyber Unified Coordination Group and Cyber Response Group following significant incidents.
d. Support emergency management efforts under the National Response Framework for cyber incidents that may result in physical impacts or otherwise impede disaster response and recovery efforts.
e. Plan and exercise for cyber incident response at the local, regional, national, and international level.

Outcomes: DHS responds to cyber incidents by providing technical and other asset response assistance, where requested and appropriate, and supporting national-level decision-making and emergency management efforts.

Objective 5.3: Increase cooperation between incident responders to ensure complementary threat response and asset response efforts

Threat response activities include efforts by DHS and non-DHS law enforcement agencies to combat cyber crimes and national security threats through investigations that identify malicious actors and seek to prevent or deter additional illicit cyber activity. Effective incident response requires an understanding of the methods and intent of the responsible threat actors, as well as the provision of asset response assistance. DHS investigative and intelligence assets must collaborate with asset responders, other entities responding to incidents, and affected entities to share information regarding the threat to prevent additional harm. Such information must be integrated with information available from other law enforcement agencies, the intelligence community, and other sources. DHS must also promote effective coordination between all agencies responding to a cyber incident in the field to enhance the timeliness and effectiveness of response efforts.

Sub-Objectives:
a. Leverage DHS and non-DHS investigative resources to provide incident and threat attribution information to all federal incident responders and sector specific agencies.
b. Develop
holistic assessments of adversaries, threats, and incidents to aid asset and threat response, as well as protective and planning efforts.
c. Improve mechanisms to increase field-level collaboration on cybersecurity issues and coordinate the provision of federal response assistance when appropriate.

Outcomes: DHS responds to incidents and engages impacted entities in a coordinated fashion, enabling access to the expertise and capabilities of all threat and asset responders.

PILLAR V - ENABLE CYBERSECURITY OUTCOMES

DHS must enable improved cybersecurity risk management outcomes by supporting policy and operational efforts that make the entire cyber ecosystem more secure and reliable. These efforts help shift the advantage away from malicious cyber actors toward those protecting cyberspace. DHS must similarly look internally to align our efforts to maximize cybersecurity outcomes.

Goal 6: Strengthen the Security and Reliability of the Cyber Ecosystem

We will support policies and activities that enable improved global cybersecurity risk management.

A more fundamentally secure cyber ecosystem can help tip the balance toward those protecting networks and away from malicious cyber actors. Strengthening the security and reliability of the cyber ecosystem therefore enables risk management and sets the conditions to support other DHS strategic cybersecurity goals. The cyber ecosystem includes not only the interconnected network of information technology infrastructure we call cyberspace, but also the people, environment, norms, and conditions that influence that network. DHS must support efforts globally that will result in fundamentally improved security outcomes through technological innovation as well as the widespread adoption of improved operational and policy frameworks. DHS must also invest in research and development efforts that support mission objectives. So too must DHS develop collaborative communities, build global partnerships, and participate in international and multi-stakeholder
venues to advance positive developments in cybersecurity and to impose costs for unacceptable behavior in cyberspace. To create a pipeline to support our cybersecurity goals, DHS must accelerate the expansion of cyber personnel programs.

Objective 6.1: Foster improved cybersecurity in software, hardware, services, and technologies, and the building of more resilient networks

DHS must support efforts to identify and develop high-leverage technical, operational, and policy innovations that will result in more secure technologies and resilient networks. Many of today's greatest challenges are endemic to the current ecosystem. Nearly all cyber incidents, for example, involve exploitation of vulnerabilities or misconfigurations in software or hardware. Network operators are also increasingly dependent on vendors of commercial off-the-shelf products or integrators of commercially available products and lack the capability to effectively manage supply chain risks. The continued globalization of the information technology supply chain and shifting of information and services to cloud or other shared infrastructure introduces additional risks. As Internet-connected and other new technologies rapidly proliferate, the number of attack vectors also increases. Developers and manufacturers of many internet-of-things and other consumer devices are frequently motivated by speed to market rather than strong security. Even specialized technologies like medical devices and industrial control systems remain susceptible to compromise.

DHS must foster innovations that can shift the status quo toward improved security and resilience. DHS must partner with information technology, communications, cybersecurity services, and other communities to incentivize security and enable cybersecurity outcomes, such as minimizing vulnerabilities and addressing supply chain risks. DHS must also encourage improved security for cloud infrastructure and throughout the life-cycle of internet-of-things devices and emerging
technologies. In addition, DHS must focus on efforts to enhance the overall resiliency of networks that can be vulnerable to a variety of attacks. DHS must leverage our unique expertise to support associated standards-setting efforts and ensure all of our related activities are aligned with those of interagency and international partners to ensure consistency of approaches.

Sub-Objectives:
a. Identify and foster high-leverage innovations to drive more secure software, hardware, services, and technologies and more resilient networks.
b. Develop solutions to identify and manage supply chain risks for federal networks and other national and global stakeholders.
c. Engage with relevant stakeholders to enhance cybersecurity of cloud infrastructure, internet-of-things products, and other emerging technologies, or otherwise mitigate associated threats to networks.

Outcomes: More secure and resilient technologies and networks result in a more defensible cyber ecosystem.

Objective 6.2: Prioritize DHS cybersecurity research, development, and technology transition activities to support DHS mission objectives

DHS research and development efforts must continue to support and advance our cybersecurity objectives, including the development of protective capabilities to secure the federal enterprise and critical infrastructure and necessary tools for law enforcement. DHS must also prioritize research and development that supports incident response, information sharing, and other cybersecurity objectives identified in this strategy. DHS must leverage commercial capabilities and research and development efforts targeting information and communication technology. Where DHS invests in cybersecurity research and development, we must focus on capabilities and innovations that support departmental priorities and can be employed by DHS and other key stakeholders, to include private sector, state, local, tribal, territorial, and international partners.

Sub-Objectives:
a. Develop and implement effective methods to prioritize
research and development needs based on identified DHS cybersecurity objectives.
b. Identify, develop, and transition new capabilities and innovations that support DHS cybersecurity objectives.

Outcomes: New technologies resulting from Department-supported research and development increase the capability to protect critical systems, investigate cyber crimes, respond to cyber incidents, and accomplish identified DHS cybersecurity objectives.

Objective 6.3: Expand international collaboration to advance DHS objectives and promote an open, interoperable, secure, and reliable Internet

DHS international cybersecurity engagements must help shape the cyber ecosystem to support the Department's cybersecurity objectives and broader U.S. foreign policy priorities. DHS develops and maintains relationships with international partners that advance our specific network protection, law enforcement, incident response, and research and development objectives. DHS also participates in international fora to support risk management objectives and broader cybersecurity goals, including the U.S. goal of an open, interoperable, secure, and reliable Internet. For example, DHS encourages widespread adoption of voluntary norms of responsible state behavior in peacetime to improve international stability and protect critical infrastructure. DHS also supports broader U.S. and international efforts to deter those who act unacceptably in cyberspace and impose costs on those actors. Developing the capacity of foreign Computer Security Incident Response Teams (CSIRTs) and law enforcement entities also enhances global cybersecurity efforts and supports broader DHS and U.S. foreign policy objectives.

Sub-Objectives:
a. Prioritize international engagements based on DHS and national objectives.
b. Improve international cooperation and build capacity through the sharing of best practices, cybersecurity information, expertise, and technical assistance.
c. Contribute cybersecurity subject matter expertise to advance efforts in international
fora and advance positive international policy developments in cybersecurity.
d. Support efforts to impose costs for unacceptable behavior in cyberspace.

Outcomes: DHS international engagements result in shared global approaches to cybersecurity and increased capabilities and cooperation on cybersecurity risk management activities.

Objective 6.4: Improve recruitment, education, training, and retention to develop a world-class cyber workforce

There is a critical shortage of cybersecurity talent globally, as the demand for personnel with cyber expertise in both the public and private sectors far exceeds the supply. Execution of our cybersecurity responsibilities depends on the recruitment and retention of highly skilled cyber professionals, but career paths in cybersecurity are far more lucrative in the private sector and traditional federal hiring processes are not aligned to the culture of cyber recruitment and hiring. The challenge is not ours alone. Key stakeholders across government and in the private sector face similar shortfalls.

DHS must continue to support efforts to increase the supply of national cybersecurity talent through cyber education programs and the National Initiative for Cybersecurity Education (NICE). DHS must also continue to develop and promote cybersecurity training programs dedicated to advancing the cybersecurity skills of the existing federal workforce. DHS must, in particular, work to expand and accelerate our cybersecurity personnel recruitment, training, and retention efforts through congressionally mandated workforce analysis and planning actions and by implementing the authorized cybersecurity-focused personnel system with hiring and compensation flexibilities. DHS must also encourage and support the development and implementation of specifically designed training programs for our network protection and law enforcement personnel to support the needs of DHS and other stakeholders.

Sub-Objectives:
a. Assess participation in and continue support for cyber
training, awareness, education, and retention initiatives to support the homeland security enterprise.
b. Complete mandatory DHS workforce planning and analysis activities to source data to drive approaches to recruitment, retention, and training.
c. Enhance cyber recruitment strategies across the Department to target highly skilled and trained populations to perform mission critical cyber activities.
d. Implement the full range of congressionally authorized cyber security human capital flexibilities for the Department.
e. Develop cutting-edge network protection and cyber investigative workforces through increased training, detail assignments, and advanced development opportunities.

Outcomes: DHS recruits and trains highly-skilled cybersecurity personnel and develops a cadre of well-trained cybersecurity professionals across the Department and homeland security enterprise.

Goal 7: Improve Management of DHS Cybersecurity Activities

We will execute our departmental cybersecurity efforts in an integrated and prioritized way.

Each of the cybersecurity goals identified in this strategy involves multiple Components. While some have major external responsibilities with respect to network protection or law enforcement, all are involved in protecting internal networks and program data, hiring cyber professionals, and acquiring secure information and communication technologies. To ensure departmental unity of effort and a coordinated approach to accomplishing our cybersecurity goals and objectives, DHS must constantly assess evolving risks and evaluate priorities in the cybersecurity mission space. DHS must also develop department-wide processes and policies to align Component programs and activities with this strategy, departmental priorities, and changes in the cybersecurity landscape. Through these efforts, DHS must be positioned to address our evolving needs and to adapt to evolving cyber threats.

Objective 7.1: Integrate Department-wide cybersecurity policy development, strategy, and planning
activities

Through PLCY, and in collaboration with the DHS Management Directorate and affected Components, we must establish internal mechanisms to ensure the development and execution of consistent cybersecurity policy and strategic plans. DHS must effectively collaborate across Components to promote and ensure consistent and integrated programs and activities.

Sub-Objectives:
a. Identify and expand internal coordination mechanisms to ensure consistent departmental approaches to cybersecurity policy development and strategy and to accomplish identified cybersecurity goals and objectives.
b. Establish mechanisms to integrate and align cross-Component cyber activities.

Outcomes: DHS will execute our cybersecurity mission responsibilities in a coordinated and integrated way.

Objective 7.2: Prioritize and evaluate the effectiveness of DHS cybersecurity programs and activities

DHS must ensure that our cybersecurity programs and activities align to the goals and objectives set forth in this strategy. DHS must leverage management processes to evaluate programs and activities to assess their efficacy and to ensure that program funding, personnel, and other resources are optimized to meet departmental priorities.

Sub-Objectives:
a. Prioritize cyber related programming and activities across the Department in accordance with this strategy.
b. Review and evaluate the effectiveness of DHS cyber programs and activities and alignment to budget, programmatic, and policy efforts.
c. Identify and prioritize gaps through the Department's joint requirements process across all the goals and objectives of this strategy.

Outcomes: DHS cybersecurity programs effectively and efficiently address departmental goals and objectives.

CONCLUSION

DHS believes that cyberspace can be made safe and secure for the functioning of government, the delivery of essential services, and the everyday lives of the American people. DHS will maintain a leadership role, collaborating with other federal agencies, the private sector, and
other stakeholders, across all of its cybersecurity mission areas to ensure that cybersecurity risks are effectively managed, critical networks are protected, vulnerabilities are mitigated, cyber threats are reduced and countered, incidents are responded to in a timely way, and the cyber ecosystem is more secure and resilient. Meeting the goals and objectives outlined in this strategy requires a unified, long-term approach across the Department. Aligning departmental network protection and law enforcement authorities with traditional risk management, information sharing, and incident response efforts will enhance DHS cybersecurity efforts moving forward and provide the Nation with a secure cyberspace for future generations.

APPENDIX: DHS CYBERSECURITY AUTHORITIES

Statutes

o Title II of the Homeland Security Act of 2002, as amended (Pub. Law 107-296): Subtitle B of title II authorizes DHS, through NPPD, to enhance the security, resilience, and reliability of the Nation's cyber and communications infrastructure--

Section 227 - National cybersecurity and communications integration center (6 U.S.C. 148): Created by the National Cybersecurity Protection Act of 2014 (Pub. Law 113-282) and amended by the Cybersecurity Act of 2015, section 227 authorizes the NCCIC within NPPD as a Federal civilian interface for the multi-directional and cross-sector sharing of information related to cybersecurity risks. This provision includes the authority to receive, analyze, and disseminate information about cybersecurity risks and incidents and to provide guidance, assessments, incident response support, and other technical assistance upon request. Section 227 codifies NPPD's coordinating role among federal and nonfederal entities and clarifies that NPPD's cybersecurity authorities apply broadly to federal and nonfederal entities, including international partners, sectors of critical infrastructure, information sharing organizations, or any other entity. Section 227 also authorizes NPPD to establish information sharing
relationships and to enter into information sharing agreements, and establishes a wide range of federal and nonfederal stakeholders as components of the NCCIC.

Section 223 - Enhancement of Federal and Non-Federal Cybersecurity (6 U.S.C. 143): Section 223 authorizes NPPD, in carrying out its cybersecurity responsibilities, to provide analysis and warnings related to threats to and vulnerabilities of critical information systems to state and local government entities and, upon request, to owners and operators of critical information systems. Section 223 also authorizes NPPD to provide crisis management support and technical assistance, including recovery assistance, to the private sector and governmental entities. Section 223 also delegates to NPPD the Department's responsibilities to protect federal information systems under subchapter II of chapter 35 of title 44, discussed below.

Section 201(d) (6 U.S.C. 121(d)): Section 201 broadly authorizes NPPD's activities to ensure security and resilience of critical infrastructure to terrorist and other threats, including by authorizing NPPD to access and integrate information as well as to carry out comprehensive assessments of the vulnerabilities of critical infrastructure.

Section 228 - Cybersecurity plans (6 U.S.C. 149): Section 228, as amended by the Cybersecurity Act of 2015, directs DHS to develop, maintain, update, and exercise cyber incident response plans - including the National Cybersecurity Incident Response Plan and the Cyber Incident Annex to the National Response Framework. The NCCIC is specifically required to participate in national exercises associated with those plans.

Section 230 - Federal intrusion detection and prevention system (6 U.S.C. 151, 151 note): The Federal Cybersecurity Enhancement Act of 2015 created section 230 of the Homeland Security Act, which authorizes DHS to deploy technology that detects and removes cybersecurity risks in information transiting or traveling to and from agency systems, notwithstanding any other provision
of law. The Act mandates that all agencies apply and continue to utilize DHS technologies authorized by this section, including improvements and new capabilities that DHS makes available within six months.

Section 226 - Cybersecurity recruitment and retention (6 U.S.C. 147): The Border Patrol Agent Pay Reform Act of 2014 (Pub. Law 113-277) amended the Homeland Security Act to authorize the Secretary to establish cybersecurity positions, appoint personnel, fix rates of pay, and promulgate implementing regulations in consultation with the director of the Office of Personnel Management (OPM).

o The Cybersecurity Information Sharing Act of 2015 (CISA) (Title I of the Cybersecurity Act of 2015, 6 U.S.C. 1501-1510): CISA requires DHS, in consultation with interagency partners, to establish the Federal Government's capability and process for receiving cyber threat indicators and defensive measures, and directs DHS to further share cyber threat indicators and defensive measures it receives with federal entities in an automated and real-time manner. CISA provides targeted liability protection to companies that share cyber threat indicators with DHS and provides other legal protections for indicators shared in accordance with CISA. CISA also authorizes private entities to share cyber threat indicators with one another and to monitor their networks for cybersecurity threats, with liability protection for doing so, as well as to operate defensive measures.

o Subchapter II of Chapter 35 of Title 44 (44 U.S.C. 3551-3558): These provisions, created by the Federal Information Security Modernization Act of 2014 (Pub. Law 113-283), direct the Secretary to provide information protections for DHS networks commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of DHS information or information systems. The provisions also establish DHS's central role in the security of the information and information systems of federal executive branch
agencies. Through NPPD, DHS administers the implementation of government-wide policies, deploys technologies to assist in the protection of federal agencies' networks, information, and information systems, and issues binding operational directives to agencies to safeguard information and information systems. The Act also places in DHS the federal information security incident center.

o Strengthening State and Local Cyber Crime Fighting Act of 2017 (Pub. Law 115-76, 6 U.S.C. 383): The Act amended the Homeland Security Act, adding a section 822 to authorize the USSS to operate the National Computer Forensics Institute to disseminate information related to the investigation and prevention of cyber and electronic crime and related threats, and educate, train, and equip state, local, tribal, and territorial law enforcement officers, prosecutors, and judges, and facilitate the expansion of the network of Electronic Crime Task Forces of the USSS.

o Counterfeit Access Device and Computer Fraud and Abuse Act of 1984, as amended (18 U.S.C. 1029-1030): The Act amended the federal criminal code to establish an offense of fraud in connection with computers and grants authority to the USSS to investigate offenses under this Act. As amended, the Act establishes criminal violations related to cybersecurity, such as obtaining information or causing damage by intentionally accessing without authorization a computer which is used in or affecting interstate or foreign commerce or communication.

o 18 U.S.C. 3056: Authorizes the USSS to assess and mitigate cybersecurity risks to systems that could impact the agency's protective mission, as well as detect and arrest any person who violates the laws of the United States relating to electronic fund transfer frauds, access device frauds, false identification documents or devices, and any fraud or other criminal or unlawful activity in or against any federally insured financial institution, among other violations.

o 18 U.S.C. 3056 note, Expansion of National Electronic Crime Task
Force Initiative: Requires the USSS to develop a national network of electronic crime task forces, based on the New York Electronic Crimes Task Force model, throughout the United States for the purpose of preventing, detecting, and investigating various forms of electronic crimes, including potential terrorist attacks against critical infrastructure and financial payment systems.

o Section 890A of Title VIII of the Homeland Security Act (6 U.S.C. 473): The Human Exploitation Rescue Operations (HERO) Act of 2015 (Pub. Law 114-22) amends title VIII of the Homeland Security Act and directs the Department to operate, within HSI, a Cyber Crimes Center to provide investigative assistance, training, and equipment to support domestic and international investigations by HSI of cyber-related crimes. The HERO Act also creates a Cyber Crimes Unit (CCU) within the Cyber Crimes Center, which oversees the cyber security strategy and cyber-related operations and programs for HSI.

o 18 U.S.C. 1028A - Aggravated Identity Theft: The USSS and other federal law enforcement agencies investigate violations of the prohibition against an individual who knowingly transfers, possesses, or uses, without lawful authority, a means of identification of another person with the intent to commit, or to aid or abet, or in connection with, any unlawful activity that constitutes a violation of federal law, or that constitutes a felony under any applicable State or local law.

o 18 U.S.C. 2251, 2252, 2260 - Sexual exploitation of children, child pornography, importation of sexually explicit depictions of a minor: These subsections of Title 18 criminalize the sexual exploitation activities and importation of material involving and constituting the exploitation and distribution of child pornography. HSI has primary investigative jurisdiction of child pornography involving international transportations, shipping, and mailings.

o 18 U.S.C. 2319 and 17 U.S.C. 506 - Criminal Infringement of a copyright: HSI investigates violations of these subsections
which criminalize the willful act of infringing a copyright.

o Federal Cybersecurity Workforce Assessment Act - part of the Consolidated Appropriations Act of 2016 (P.L. 114-113, Dec. 18, 2015): The Federal Cybersecurity Workforce Assessment Act of 2015 was enacted in December 2015. It assigned specific workforce planning-related activities to all federal agencies, including DHS. Specifically, the law requires all federal agencies to identify all positions that perform information technology, cybersecurity, or other cyber-related functions and assign the appropriate employment code to each position. The Act also requires all federal agencies, including DHS, to identify and report to OPM on its cybersecurity work roles of critical need; each agency also is to submit a progress report on identifying cyber-related work roles of critical need to Congress.

o Border Patrol Agent Pay Reform Act (P.L. 113-277, Dec. 18, 2014; 6 U.S.C. 146): Section 3 of this Act directs the Secretary of Homeland Security, within 180 days and annually thereafter for three years, to conduct an assessment of the DHS cybersecurity workforce. The Act also directs the Secretary to develop, maintain, and update a comprehensive workforce strategy to enhance the readiness, capacity, training, recruitment, and retention of DHS's cybersecurity workforce. Section 4 of this Act requires the Secretary to submit to the appropriate congressional committees (1) annual updates on such assessment and on the Secretary's progress in carrying out such strategy, and (2) a report on the feasibility, cost, and benefits of establishing a Cybersecurity Fellowship Program to offer a tuition payment plan for individuals pursuing undergraduate and doctoral degrees who agree to work for DHS for an agreed upon period.

o Cybersecurity Workforce Assessment Act (P.L. 113-246, Dec. 18, 2014; 6 U.S.C. 146 note): Authorizes the Secretary to identify, determine, and assign the appropriate employment codes, work categories, and specialty areas of critical need to enable the Secretary to
effectively implement the Cybersecurity Workforce Assessment Act.

o 49 U.S.C. 44912 b 1 A ii b 'REVIEW OF THREATS': This section directs the TSA to periodically review threats to civil aviation, with particular focus on a comprehensive systems analysis of the civil aviation system, including (i) the destruction, commandeering, or diversion of civil aircraft or the use of civil aircraft as a weapon, and (ii) the disruption of civil aviation service, including by cyberattack.

o 46 U.S.C. 3306: Addresses USCG Officer in Charge, Marine Inspection (OCMI) authorities over vessel safety. As the Maritime Transportation sector specific agency, these authorities support USCG regulatory oversight of commercial vessels, to include cyber security equities associated with safety management systems.

o 46 U.S.C. VII: Addresses OCMI and Captain of the Port (COTP) authorities over vessel and facility security. It also designates USCG officials as Federal Maritime Security Coordinators for areas in which Area Maritime Security Plans apply. From a cybersecurity perspective, these authorities support the USCG's role as the Maritime Transportation sector specific agency.

o Maritime Transportation Security Act of 2002 (Public Law 107-85, 46 U.S.C. 701): The Act provides authority for USCG to introduce cybersecurity requirements for both vessels and facilities through Facility Security Plans and Vessel Security Plans.

Executive Orders

o Executive Order 13800--Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (2017): Directs federal agencies to conduct risk reviews and prepare reports related to the cybersecurity of federal networks, critical infrastructure, international cooperation and deterrence, and workforce development.

o Executive Order 13773--Enforcing Federal Law with Respect to Transnational Criminal Organizations and Preventing International Trafficking (2017): Sets U.S. policy to strengthen enforcement of federal law in order to thwart transnational criminal organizations, to include those
engaged in activity related to corruption, cyber crime, fraud, financial crimes, and intellectual property theft. The Secretary of Homeland Security is directed to work with the Attorney General, Secretary of State, and Director of National Intelligence to implement the executive order.

o Executive Order 13691--Promoting Private Sector Cybersecurity Information Sharing (2015): Tasks DHS with encouraging the development and formation of Information Sharing and Analysis Organizations (ISAOs) and entering into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization to identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs under the executive order.

o Executive Order 13636--Improving Critical Infrastructure Cybersecurity (2013): Directs the Department to increase its cybersecurity information sharing efforts with the private sector; consult on and promote the National Institute of Standards and Technology Cybersecurity Framework; and identify, develop, and maintain a list of critical infrastructure entities where a cybersecurity incident could reasonably result in catastrophic effects on the Nation.

Other Presidential Direction

o Presidential Policy Directive 41--Cyber Incident Coordination Policy (2016): Sets forth principles governing the Federal Government's response to any cyber incident and, for significant cyber incidents, establishes an architecture for coordinating the broader response and recovery efforts through a Cyber Unified Coordination Group with lead federal agencies responsible for coordinating respective lines of effort. During a significant incident, DHS, acting through the NCCIC, is the federal lead agency for asset response activities. DHS also takes information from a given incident and shares it more broadly so that others will be protected against the same or similar threats. During a significant incident, the Department of Justice, acting through the Federal Bureau of Investigation and the
National Cyber Investigative Joint Task Force, is the federal lead agency for threat response activities. USSS and ICE HSI are responsible for investigating cyber crimes within their jurisdiction and, in the context of a significant cyber incident, will coordinate their threat response activities with the Department of Justice.

o Presidential Policy Directive 21--Critical Infrastructure Security and Resilience (2013): Directs the Department to develop and implement strategic approaches to increase situational awareness of physical and cyber threats to infrastructure and reinforces the need for holistic thinking about security and risk management.

o Presidential Policy Directive 8 - National Preparedness (2011): Directs the Department to lead and coordinate the development of the national preparedness system, which includes a series of integrated national planning frameworks. The National Response Framework is part of this national preparedness system and sets the strategy and doctrine for how the whole community builds, sustains, and delivers the Response core capabilities identified in the National Preparedness Goal in an integrated manner with the other mission areas.

o National Security Presidential Directive-54/Homeland Security Presidential Directive-23--Cybersecurity Policy (2008): Sets forth aspects of the Department's operational role, particularly in protecting federal information systems.

o Homeland Security Presidential Directive 5 - Management of Domestic Incidents, as amended (2003): Enhances the ability of the United States to manage domestic incidents by establishing a single, comprehensive national incident management system (NIMS). This directive designates the Secretary of Homeland Security as the principal federal official for domestic incident management and provides that the Secretary shall coordinate the Federal Government's resources utilized in response to or recovery from terrorist attacks, major disasters, or other emergencies if and when any one of four specific
conditions applies, including where one or more federal department or agency is substantially involved in the incident response.

This document is from the holdings of: The National Security Archive, Suite 701, Gelman Library, The George Washington University, 2130 H Street, NW, Washington, D.C., 20037. Phone: 202 994-7000, Fax: 202 994-7005, nsarchiv@gwu.edu