TOP SECRET THE WHITE HOUSE WASHINGTON Janu 8 1 2008 NATIONAL SECURITY PRESIDENTIAL DIRECfiVEINSPD-54 HOMELAND SECURITY PRESIDENTIAL DIRECTNE HSPD-23 Subject Cybersecurity Policy U ' PUroose ' 1 ' ' ' This directive establishes Umted St tes policy strategy guidelines and implementation actions to secure cyberspace It strengthens and augments existing policies for protecting the security and privacy ofinfonnation entrusted to the Federal Government and clarifies roles and ·· responsibilities of Federal agencies relating to cybersecurity It require5 the Federal Government ·to integrate many of its technical and organizational capabilities in order to better address · s ophisticated cybersecuritythreats and vulnerabilities U ' provides endu ing comprehe siye · pproach 2 · Thisdirective an and to cybersecuritythat 1 antiCipates future cyber threats and technologies and involves applying all elements of national· povyer and influence to secure our national interests in cybergpace and ' b directs the collection analysis and dissemination of information related to the cyber threat against the United States and describes the missions functions operations and coordination mechanisms of various cyber operational organizations throughout the Federal Government 0 3 4 This directive· furthers the implementation of the National Strategy for Homeland Security · Homeland Security Presidential Directive-S HSPD 5J Management ofDoT lestic Incide ts Homeland Security Presidential Directive-7 HSPD 7 Critical InfraStructure Identijic ltion Prioritization and Protection Homeland Security Presidential Directive-8 HSPD 8 National Preparedness Executive Order 13434 of Ma · 17 2Q07 National Security Professional · b 1 oGA Development and Actions taken pursuanUo this directive will improve the Nation's security against the full Spectrum tif cyber threats and in particul the capability ofthe United States to deter prevent · detect characterize attribute monitor interdict and otherwise pr tect against unauthorized· access to National Security Systems Federal sys ems and private-sector critiealinfrastructure systeins 8 INF TOP SECRET Reason 1 4 c d e g Declassify on 1 05 2043 Declassified in Part Authority EPIG ' · t 5 FOIA C4¥ By tJ NARA Date ft ·· 0 ' 1t5ttt1 or f05 l Ot J U d JJI' · • · · • TOP SECRET 2 Background 5 The electronic information infrastructure of the United States is subject to constant intrusion by adyers es that may include foreign intelijgence and military services organized criptinal groups and terrorists trying to steal sensitive information or damage degrade or destroy data ' information systems or the critical infrastructures that depend upon them Cyber criminals are int t on malicious activity including the manipulation of stock prices n-ljne extortion and fraud These activities cost American citizens and businesses tens ofbillions of dollars each year Hackers and insiders have penetrated ot shut down utilities in countries on at least three con tinents Some terrorist groups have established sophisticated on-line presences and maybe developing cyber attacks against the United States 8 NF 6 'The United States must maintain estricted access to and use of cyberspace for a broad range · · of national purposes The expanding use of the Internet poses both opportunities and challenges The ability to share information rapidly and efficiently has enabled huge g ns in 'private sector productivity military capabilities intelligence analysis and government effectiveness Conversely it has created new vuln bilities that must be addressed in order to · · safeguard the gains made· from greater information sharing 8 NF Definitions' I 7 In this directive computer network attack'' or attack'' means actions taken t llrough the use of computer networks to disrupt deny degrade manipulate or destroy computers computer networkS or information residing in computers and computer networks ·· computer network xploitation or exploit means actions that enable operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary automated information systems or networks 8 · · ' b ' ' counterint lligence means information gathered and activities conducted to p -otect c against espionage other intelligence activities sabotage or assassinatiollS conducted by or on behalf of foreign governments or elements thereof foreign organizations foreign persons or internati nal terrorist activities U · d cyber incident means any attempted or successful access to exfiltrationof · manipulation of or iropainnerit to the integrity confidentiality security or availability of data an application or an information system without lawful auth oriiy U · TOP SBCRBT 3 · e cyber threat· investigation means any actions taken within the United St tes consistent· • with applicable law and Presidential guidance to determine the identity ·location intent motivation capabilities liances funding or methodologies of one or more cyber tlll eat groups or individuals U f cyber8ecurity'' means prevention of damage to protection of and restoration of · computers electronic communications systems electronic communication semces wire ' · communication and electronic comntunication includinginformation contained therein · · · to ensure its availability integrity authentication confidentiality an4·non-repudiation U g · · cyberspace means the interdependent network of information tec o gy infrastructures and includes ·the Internet telecommunications networkS computer systems and embedded processorS and controllers in criticalind11strie U · h Federal agencies means executive agencies as defined i section 105 ilftitle s United • States Code and the United States PostalService put not the Government Accountability Office U · · ' 'F'ederal systems means all Federal Govemm tfuformation systems dceptfor i National Security Systems of Federal agenciesand ii Departmentofi efen iJiformation systems U · · m huormation security incidenf' means a computer security incident withi n Federal · Goveninleritsystems as described in Natiorialll1stitute ofStandards and Technology Special Jublicatioil 800-61 Computer Security Incident Handling· Gllide ot critical infi astructure syst ms that is a violation or imntjnent threat of violation of computer security policies acceptable use policies r s dard comput security practiceS k · Information system means a discrete set of informatio11 resources orglijrizedfor the collection processing maintenance use sharing dissemination or disposition of information U 1 ' intrusion means unauthorized access to a f'ederalGovemment or critical infrastru mire network information system or application U m ational Security System means any information syst n1 including any · · · · · ·telecommunication system used or operated py an agency an agency contractc r or other organization on behalf of an agency where the function peration or use of that system involves i intelligenceactivities ii cryptologic activities related to national' security '• · · ·· · '· ·· · • '· i • ' l ·· · · 4 · '• ' ' ·· '' · · iii ·command and control f military forces iv equipment that is an inte lJ art of a· weapo11 or weapon systems or v critical to ·the direct fulfillment of litaiy -or · · intelligence mis$ions or is protected at all times by procedlU' establish for ' info ation that have been spec fically authoriz ed Ullder criteria' e8ta 1i$het J by i '- • · · Executive Order or an ActqfCongress tope kepfciassified in the interestor'national · · defense or foreign policy Th is definition excludes any systeiil tha is designed to be used for ro1 1tine administrative and business· applications such a8 paYI'Qll finaiice or l gistics aridpmonnelmanageptet1t_appl ations U · · · · ' · ·· · · · · i · · · · · _ ' · I · ··'''· '· ·-· ·' • ' ·· ·· 'r · o · ' siM tod fen · dprotect both i tsat1d i li er n t ed · · · - · p · ·· State' and loc l goveriunent' when ed in a geOgraphical sense have the m a nngs • ascribedto them in section 2 of the Homela pd Security Act of2002 section lOLoftitle 6 UiiitedStates Code and U · ' _ · ··'· · ··· r' ' · · ·· v- · US-CERr means the Unit States Computer Eni gcmcy Reacilne8s T in th · National Cyber Seeurity Division of the bepartmeritofHomeland Seeurity DHS lJ · · · ' · ·· ' ·· · ' ' ' 1 · -• ·· ·· ·· - · 8 Fedtn agencies shall cODsistent with this directi e increas efforts t6 coordhiate and - ce _ the securitY ofth ir classified and unclas ifieP networks increase proteC non of the d ta OQ _tbese netW Qr s d inlprove their capability' to deter detect prey t p tect a t and nqto ·t ¢eats• ag nstinformation systems and data 0 · · · · · · - ·'·' y · ·_· · · ·• ' Federal agencies Shall as required bylaw protect the confidentiality mtegrity and vail8bi11ty · Ofinformationstored procesSed and trallsnlitted ontheir informatiol lsystems and sbailensure · th taqthenticatiC ri of access to such systems· S reqUir¢ l Federal agencies s lall'talce· aj propfilite · · · measure8 'to redu e risk to these sy8tem and adequately deter redq¢e ' t Ibil t_$ oBi of · '·' •information or the operational degradatiori of information systems that are tritical to the iiationai security nationareconomic security ot public health or et U · ' - · • ' _i ' • 'The Federal Government shallinaease ft tt vitli critical uvcfuib·· seetars tci· ·ce·the ··secttntY oftheirinfonnatioilnetworks U · ··· · · • · · · · · tl e ··· • · - '• ' $ -· · '' ' _ -' ··· '' f • ·' • ' '· · ' ' · · ' · · · 1' • '·' ''· · 5 · 11 ·· c6n sistent with'National Security Policy Directive-l NSPD-' 1 Organization ofthe National Security ·council System and Homeland Security Presidential Directive-1· HSPD-l · · • · Organization and Operation of the Homeland Securit ' Council · the Assistant to the Presid et1t for National Security Affairs and the Assistant to the President for'HomelandSecUrityand ·Counterterrorism shall be responsible to the President fodnteragencypolicy coor tion on all · aspects ofcybersecurity · The esc PCC shall ensure ongoing coordination ofthe u S Government policies Strategies and · initiative s related to cybers urity shall m nitor actions to implement thj lirecti e · and· 1lalh keep infon ned the Assistants to the President referenced in paragraph ·11 of this directive · U · · - 13 ' ' _ · ' ' _ - · TheNational Cyber Response Co rdimi tion Group NCRCG consists of senior representatives · from Federal agencies that have roles and responsibilities related to preventing investigating defending· against responding to mitigating and assisting in the recovery from cyber incidents ··and attacb ·In the event of a cyber incident the NCRCG will convene to harmonize operational response efforts and facilitate information sharing consistent with·HSPI -5 d theNational Response Fran ework he NCRCG shall provide advice to the CSC PCC as appropriate U 14 b 1 OGA · 15 · ' Unless otherwise directed by the President with respectto partiCular matters the Secretary of l lomeland Security shall lead the national effort to protect defend and reduc vulnerabilities _of Federal systems and the S X ret ry ofDefenseshalLprovide support to the • ecretazy ofHomelaJ ld Security with respect to such assigfiinent The Secretary ofHomelan4SecuritY shall · · · ·Manage and oversee throughUS-CERT the external access points inCluding acce$s to· the Internet for allFederal systems · · · ·· · b Provid¢ consolidated intrusion detection incident analysis and cyber e o pse ·'· capabilities toprotect Federal agencies' external access points including access to the Internet for all Federal systems ·· · ·· In coonlimitionwith the Dir torof OMB setminiinum operational standaJ ds for FederCll Government Network Operations Centers NOCs a nd Secur ty Operatiol 8 Centers t ·- ' f ' 6 ·· SOts that enable DHS tl rough US•CERT to direct ihe operation and defenSe of external access points including Internet access points for aU F¢eral sy tems whjch the · Secretaiy will certify and enforce ap d ' Utilize the National InfrastructUre Protection Plari process in accordance v'ithHSPD-'7 to disseminate cyber threat vulnerability mitigation and wanting information to improve the security and protectionof critical infrastructure networks oWned or operated by Federal agencies State local and tribal governments private indu8try academia and int ationaLpartners U · · · · · ·· · d 16 The Director of OMH shall Direct to the extent practicable aniconsistent withnational security the reduction and consolidation of Federal Government external access points including Internet access · points for all Federal systems U ·· · · a b c ' ' ·• Annually assess in coordination with theS retary ofHomeland S¢prity network security bestpracticesofFederal agencies recommend changes to policies or architectUres that shoUld be applied across the FederalGovernment and ensur Federa agencies comply with standards and policies ifadopted by the Director d U Within 180 days after the effective date of this directive dratl an implemer1tatipn plan i t· coordination with the Secretary of omelandSecurity for agencya ccountability process to ensure compliance with and the mainteJ1anCe ofmandatory network security practices by Federal agencies U an 17 • The Secretary ofState in coordination with the SecretariesofDefense the·Treasury Corimlerce andHomelap d Security theAttomeyGeneral and theDNI shall work witl1foreign co1mgies and mtemational organi tions on mtemational aspects of cybersecurity U 18 The Secretary of Commerc e shall prescribe in accordance with applicab e law information ·security standards and guidelines for Federal systems U · · 19 The Secretary of Energy as authorized in the Atomic Energy Act of 1954 ABA as amended shall ·aft coordination With the SecretaryofDefense·and theDNI prescribe information · securitystandards and guidelines pertaining to the processing of restricted data a8 defined in the AEA in all Federal agencies as appropriate U · · · · 0 · ' · ' · 20 The SecretaryofDefense and the DNI sballprovide indications andvvarrung information toDijS regarding threats originating or directed from outside the United States U · · · ' l · • ' _' - • - - ' ' 1 ·· · · ·· ·· · ' · · ·' ' _ t' _ - ' ' ·· · ·• · · • The DNI analyzes and integg tes all i Qtelligence possessed r acquired b ' the U S Goy t pertirlirlng to cybersecurity The DNI as the head of the intelligence community and cb istent' ··· · · · ·with ection• 1018 o f the Intelligence R fonn t11d Terr Qrispt PreyentioiJ Act Pub c w · ·' · • '• 108-458 sh i implenient the policies and initiatives set forth in this di tective wi ·and · · · · · · throughout the intelligence commuiJity tlJ rOugh DNI's st tutory bu get taslQng al l · · intelligenceiDformation sharing authorities in orderto ensureap ropriateresQw ce allocation · ' · ·· and mte tioQ of all cyber5ecuricy eff lrts ancl'iiiitiatives Willilll and thioukiloutthe itlt ligence •· co rnmumty U · · · · · 21 the ·· _ ·· ' j · • _ · · -·· 2 Tb S retary ofllefens_e h r sponsibility fordir ng the opqationand 4eferis fthe · · · · ' _' ' · l epamnent ofDef e's information entetpnse including momtofing ofm iciotis acti-vity initf · ·· n¢tworks · The Secretary ofHomeland S ecurity is resJ onsible for protectiJig Federal systems by · · · · · · · · · · · · supportihg information aSsulan ce $trategieuvithiit Federal agencies through thefollo wing · · · ' · · · compiling and -analyzing sectirity incid¢nt information across the· Fedefai QpveniJflent 'iAfotmiiig and colllWorating with Federal State local tribal agencies private cri#cal infrastructure sectors · · · andinternational partners otfthreats ali wbierab11ities prpviding VQlUetability JDitigation ' ' · _guidance supporting public and privafe'incident reSponse etiorts and seiY iitg as aJO p int t9 · · ·'protectO S Cyb ace U · · · ·· · ·· · · ·· · '··· · -•- ' '· • • - ' • ' '• 24 · The Secretary' of HoJ Ileland Security · supported by the Director oftJS-CERT and the h of ·· ' · · · · Sector Specific Agencies as'defiDedby aridconslstentWith HSP0 7 shallconduetoutreae1itb · · •· 1h private s to on C 'hersecurity thr at and efilbility in oill1atiQn M · · _ S The hew ofall Federal agencie$ t the exteiltpemiittedhy law and nec saty for tb e fl eCtiY -· · • implementation ofthe cybersee ty Illission shall si tpJ ortand collabQrate WithJ he Seeretaryof ·· · Homeland Security Further all Federal agencies shall align their owt1'n ork periltio artd · def e capabilities to provide DHS with vislbilityandin$ight into the status of their FC derij · · · systems d $1lall respond to DHS direction in ar¢as reiated tO ne ork seeqlity allowing DHS tQ · ·effec tiv ly proteetthe Federal Go emment network enterprise Fed agenci ShaJl coniinu • • · ' to ecute theit reSponsibilities to pri teet and defend their netWorks U ' ' ' · · · ' · ' ·· I · ' ·· · ' · ' · ·- ·· I ·· •' ·· · · · • • • ' • - • · •• · · - ' · ' · ·· ·· · · · ·_ · •' -- ' ' · · ·- r - ·-·· ' · j_ · -· · ·' · _ · - -· · • 8 ' ' Th Secretary of Homeland Securlcy shall establish a National Cybersec ty Center C tef' headed by a Director to coordinate and integrate information to secureU S cyberne tworksand systems To ensure a comprehensive approach to cybersecurity and anticipat future threats other cyber activities shall inform enable and enhance cybersecurity activities as appropriate and in accordance with the implementation plan described in paragraph 28 of this djrective 00 Not later than 90 daYS from the date o this directive the Secretary of Homeland Security in coordination with the Secretary of Defense the Attorney General the Director of OMB and the DNI 'shall through the Assistantto the Presidentfor Nationill SecurityAjiairs and the Assistant t the President for Homeland Security and Cowiterterrorism submit tome for appl' val an implementation plan that includes details on howauthorities will be applied a concept of operations · and the allocation of required resources for the Center U The Director ofthe Center shall a Be appointed by the Secretary of Homeland Security with the concurrence of the Secretary of Defense after consultation with the Attorney General and the DNJ and is supervised py the SecretaryofHomel d Security U Have coordin tion authority over the directors of the cybersecurity organizations · participatingm the Center which inean s the Director has the authoritytorequire · consultation between the offices departments or agencies c llocate l in or virtUally co ectedto the Center however tllfs authority does not allow th Ilirectorto compel agreement or to exercise command rather it creates a consultative structure U c Support the Se retaries of Defense and Homeland Security the Attorney General and the DNI in executing their re$pective cyber missions includingI · b 1 OGA · · · I · 1and investigation an d prosecution of cyber crime TS INF r · · · · · ·· · · · · · · · Ensure that Federal agencies have acces to and receive information and intelli gence needed to execute their respective cybersecurity missions consist nt with applicable law ·· _ _ · ··' _ ' · ·r_-· -· · -· · -- ·· ' - • ' '' -· • · - '· ·· · ·· ' _ -- · ··· TQJ 'SElCRElTL• · · · - -·· - ··-··· • · ·- ·· · · - J ' • ' ' · ·· Ad Y ise·withip the executive branch on the extent tQ which the cyb program · · · recomnicn dations and budget proposals of agencies confonn to cybersecuiitypriorities ·e· ·· · - · and the heed to prbiect national SeC ty U · ' ' · ·' U · · • ' - - · · ' t ·- when pPropnate reco end and f ili te tllc adoption 5 fco o d tiyi pl · · d J roced s across all cyb n tission lit d U ···· ' ' · · - · • g · Notciirect or ilnpede the 'txecution·oflaw enrorcement int m gerice - unterintelli ce · oourirertetrorisiiiJ · · · · •· · · · · · · · · o · _· _ · · _ ·I·· · ·'· ' ·- ·' ' ' bi 1 oC A · · · ·1 rg1n IID y • • ' I ·· I · - · •' · ach Fe leial Mettcy operating or ercising coritrolof National Securi Syst¢n t · » Jn ormation about'infonnation security ciden thr ts d lherabiijp¢8 wjtb t le us qmr · to the extent oorisistent with standards and guidelines for National SectlritySystems and the protect $obrces 'andmethodS U · · · ·· · · · ·· · ·· · · · • · · · '· · - ·_· ' · ·· 31 ' · The National Cyber Inv tigative Joiht Ta8k Force NCDTF shall serve as amulti•agency ' i' · ·· ··• · · ·· national focld point for coordinating inte ratirig and sharing pertinentinfonnation rela tO · · · · • ·cyber thre3 t investigations with representation· from the Central Intelligen¢e Agellcy CIA · · NatioD al SecuntyA gency NSA the United'States Secret Service USSS an4 otb er •g ci s · · · · •· · _ ·a$ a ppropri t Undet the uthority of the Atto1llet Qenerij the Directot qf th Fecietal Bureau · ·•· · oflnvestigati FBI sllall be I onsible for the operation of the N U rf This uthority does iiot Uow the D irector of the FBI tQ direet the operation8 of other agencies The I irectofofthe • FBfshal ens ire that partidpahts share the methodology'and to the extent ·aPiJf priate · '· i'inforrilatlon•related to criminal cyber mttuSion investigations among law eriforceilient '• • -' otgailizatiorts represented in the NCUTF in accorclapc with paragraphs 32 - 33 U · need to ' - ''· · · • ' ' · '- · ' · · • •' • ·1 - · ' ' · ' f • ' · ' • • · _- __ _ · ' · · ·' - _ • ·' ' 32 1Jle A t ney cmeralshall by March l 200 8 develop and P lblish $jhiti yersio of tAe · · · · · A o rney General Gu idelinesJor the NCIJTF in cooi'dination with tile headS of other utive · ep ent aricl agencies as appn pria e 0 • · · · ' • ' '' ' ···· · · · · 3_J ' Witlnn 90 days ofth date of this directiv the Attorney• Gellerat shatlsulnl'litt tlie ssis ttO · the President for National Security AffairS and fb Assistant to the President for Homelan4 ·S urity·and COW lterterrorism·an perational planfot theNCUTF U · · · ·· · •' ' _ · _ '' · - - ·· ··· ' ' · ' '··' ' - ' · · ·_ · I · · TOP' 'SBCRBT • I '• ' · -· ' · ' • c ' '··· ·- ' ' · - ' · · ··' · 1- · • • • ·· - · ··_ · · ·' ·· · - ·· ·· · 10 ··Comprehensive National Cybersecuritylnitiative ·· 34 To achieve the goals outlined in this· directive the Fedetal Government needs an integratc d and holistic national approach that builds upon strengths and addresses V1 1lnerabilities ill our current cybersecuritypractices Jhis effort· allinclude the actions directed in paragraph835 • 46 · lJIIFOUO ' ' · ' · · ' ' ' · ' The Director of OMB shall within 90 days ofthed te of this directive after consultati n with the Secretary of Homeland Security submit to the Assistanttothe President for National Security Affairs and the Assistant to the President for Ho01elarid Security and Counterterrorism a detailed planJor the reduction and consolidation by June 30 2008 ofFederal Goyemn entextemal access points including Internet access points U · · · 36t the Secretary of Homeland Security shall accelerate deployment of the Einstein program t I · Federal systems and shall after consultation with the Attorney General enhance the Einste · program to· include full-packet content and protocol signature detection TheSecretm y of · · Homeland Security in consultation with the Director ofOMB shall deploy such a sys em across the single network enterprise referenced above and consistent with paragraph 16 a of this directive no laterthan December3l 20Q8 8 INF · · · 37 · Within 120 days of the dab of this drrective the Secretary of Defense with resl ect to Department · pf Defense information systems and the Secretary of Homeland Security with respect to Federal systems after consultation with the Attorney General and the Director ofOMB shall develop and subinit through the Assistant to the President tor National Security Affairs 'and the Assistant to the President for Homeland Security and Counterterrorism for my appro ' an · · · implementationplan to deploy active re8ponsesensors across the Fed l systems Suchaplan sh l also address relevant legal and policy issues of the active response sensor capability fi S · · 38 Within90 days of the date of this directive the Director of the Office of Science 3I1d Technology Policy OSTP after consulting the National Science and Technology Council NSTC and the PNI shall wjthin 90 days of the effective date develop a detailed plan to coo ate classified and unclassified offensive and defensive cyber researeh U IFOUO 39 ·Within 45 days ofthe 'date of this directive · the DNI in coordination with the SCCNtaries of Defense and Homeland Secuntyand the Attorney General shall submit to the Assistant to the President for National Security Affairs and the Assistant to the President forHomeland Security d Counterterronsm a detailed plan including standard operating and notificationproced to connect the following cyber centers NCUTF NSA CSS Threat Operations Center Join Task Force-GlobalNetwork Operations Defense Cyber Crime Center US-CERT and Intelligence Communityi Ilcident Response Center Withinl80 days ofthisdirective these centerssh l be --------- ---· ··- ·_ · · - ·-·' '···- · ----- --- '• - TOP SECRET 11 connectedas part of the National Cybersecurity Center S l'F 40 Withi 180 days of the date of this directive the DNland the Attorney Gener shall dev lop a cyber counterintelligence plan · including required resources that comprehensively reflects the scope and e Ctent of cyber threats This plan shQuld be con istent With the National Counterintelligence Strategy ofthe United States U FO JO ·Within ·180 days of the date of this directive the Secretary of Defens 'and the DNlShall develop a ' detailed plan to address the security of Federal Goven1ment classi ie4 networks including specific recommended measures that will· significantly enhance the protection •of these networks from the full spectrum ofthreats S INF · · 42 ' Within 180 days of the date of this directive the Secretary of Homeland Security in coordi nation with the Secretary of Defense the Director of the Office of Personnel Management and the Director of the National Science Foundation shall within 180 days of the effective date submit • to the Director of the Office of Management and Budget the Assistant to the President for · -· National Security Affairs and the Assistant to the President for Homeland Security d · ·Counterterrorism a report including a strategy and recommendations· for prioritizmg and · redirec g current educational efforts to build a skilled cyber workfo e ··The report should consider recommendations by such groups as the National Infrastructure Adyisory cOuncil the President's Council of Advisors on Science and Technology and the Nat1ona1Security · - Telecommunications Advisory Committee the report hould focus on training the existing·· cyber workforce in specialized skills and enswmg skilled individuals for future Federal Government employment U IFOUO Within ·120 days ofthe effective date of this directive the DireCtor of the OSTP after consultation with the NSTC and the DNI shall'developa plan to expand cybet re8earch and development in high-risk high-retun l areas in order to better protect our critical national interests from c tastrophic damage and to maintain oilrtechnological edge in cyberspace U IFOUO · 44 Within 270 days of the date of this directive the Assistant to the President forNatidnal Securlty Affairs and the Assistant to the President for Homeland Security and Counterterrorism shall · · define and develop a compre4ensive and coordinated strategy to deter i Ilterfere nce and attacks in cyberspace for my approvaL S INF · · 45 · 'within 180 days of the date of this directive and consistent with the National Infrastiucture Protection Pl8I1 and National Security Directive 42 NSD 42 National Policy for the Security of National Secur itj TelecommuniCtJtion and Information Systems the Secretaries of Defense and · Homeland Security in coordination with the Secretaries of the Treasury Energy and Commerce the Attorney General the DNI aildthe Administrator ofGeneral Services sh l develop a · · TOP SElCRBT I TOP 12 SBCRBT detailed strategy and implementation plan to better manage and mitigate supply chain vulneiabilities including specific recommendations to a Provideto Federal Government anddefense acquisition processes p onnel access to all source intelligence community vendor threat information b Reform the Federal Government and defense acquisition processes al d policy to enable · threat information to be used Within acquisition risk-managementprocesses ancl •· procurement decisions and · · · · · · c Identify and broadly implementindustry global sourcing risk-manageiiJ eht stan®rds arid · best practices acquisition lifecycle engineering and test and evaluation risk mitigation teehniques · · ' 46 ' ' 'Within 180 days of the date of this directive the Secretary of Homeland Security in coits ultation with the heads of other Sector-Specific Agencies as outtmed in HSPD-7 ·and consistent with the ·National Infrastructure Protecti nPlan shall submit through the AssistanUo the President for ' National Security Affairs and the Assistant to the President for Homeland SecuritY ana · Counterterrorism for my approval a reportdetailing policy and resource requirements for · fuiprovmg the protection ofprivately owned U S -critica infrastructure networks The repbrl ' shall detail how the Federal Government can partner with the private sector to leverage invest Inent in intrusion protec on capabilities and technology increase awareness about the extent and severity of cyber threats facing critical infrastructure to enhance teal-time cyber situational awareness and encourage specified levels ofintrusion protection for critical · information technology infrastructure U FOUO - ' ' ··· ' 47 · Implementing the Comprehensive National Cybersecurity Initiative will require key enablers in the following key areas to ensure success a · The DNI in coordination with as appropriate the Secretaries of State the Treasury Defense Cotnmerce Energy and Homeland SecuritY and the Attorney General and the · Director of OMB shall · · i ' ii Monitor and coordinate the implementation ofparagraphs 35 through 47 the Comprehensive National Cybersecurity Initiative or 'Initiative of this directive · · · · Recommend such actions as theDNI judges necessary to implementthe Initiative ·to · · • t' · · ' - 't·' · - - ' _ ·' · ···13 ·· SECRET· · '· - ··· · · I · · •· AJ · · the President 8 n 4· '-·· I '· B ' ' · · • ut i· · ' · ' · · · •' ·' ·' ··' the heads ofFederal agcm ies as appropriate and·th Directoi oftbe Office ·· ofManageme1lt ani Budget for action within tbeitresp tive authorities · an ·d· · · · · · _ · · · · · · · - · eport nof· ess often th quarterly to the Pre8ident tbrc tigh tbe Assistu1tto the · · President· for National Security Affaiis and the Assistant to the· Presidepi for Homeland Security and• Counterterrorism ' on impletnentation of tbeiniti tive · togeiber with s lch recommendations the DNI d s appropriate U · • r ·- ·' · · · Th s retary r 6 elandSec ty d ili tt eyGen l sh lert ad i • ·· support for agen t$ analysts an4 technical infrastructU re to neutralize mitigate and ' -disrUpt illegal computer activity domestically - · '· · ' · · '· • c · · ' •· ·· · · · · • _ ' · • ' • • · • ' _ · · d '· ···· - rite Secretary ofDef e the Attorney Geperai · ilie Secretary ofHo rii lan4 s ty th · · · OM d other heads of Federal agencie$ as apprOpriate shall Uictea se predictive 'b havioral infoffilatiop and trend analySes to better understan d and anticipate fo reign · · cyber and technology devel9pments ' SJINF ' · · · · · · · · ' ·· t ' - g Tl e Secretary of Defense andtheDNI sltall increase Informa o ce to·ptot¢ct National Secu ritfS 'Stenis a fintrusion' atfack by impJ eqt i ng de e S to igm6cantly reduce cur¢ntmaticiou activity enable netW ork d fenders o r · ··more effectively op more sophis cated threa is Additionally · by strengthening ' ·· · · · enterprise-Wide cross -dommn apabilities and utiiizing strong identityprptec#oJi the and ' '· TOP sEielia'F· ' · · • · '• · '-' • 14 'i' ·' Federal Government will begin to enable greatednfonnationsharingamong the key cyber organizations U IFOUO · · · - ' ht Within180 days of the date of this directive the Director of OMB coordination with the heads Of all executive departments and agenCies shall perform a comprehensive risk assessment forth loss IDanipula tion or theft of all dat currently residing on Federal gover nnlent unclassified networks The assessment should assinne that adversaries have the capability and intent to either capture the data or disrupt mission applications residing on unclassified networks The assessment should recommend a prioritized description ofwhich data and applications should be · · ' ·· migrated to nore secure·networks Sh'NF 49 Within 120 days of the date ofthis directive the Secretaries of State Defense and Homeland ·Security the Attorney General and the DNlshall submitto the Assistant to the President for National Security 1 ffairs and the Assistant the President for Homeland Security and Counterterrorism a joint plan for the coordination and application of offensive capabilities to defend U S information systems U IFOO O to 50 · Within 120days ofthe date of this directive theAttomey General and theSecretaryof ··· · · Homeland Security after coordination with the Secretary of Defense ar1d the D shalls btpit to the Assistant to the President for National Security Affairs and the Assistantto the President • · for Homeland Security and· Counterterrorism a plan· for the coordination and application of law enforcmnent capabilities to better support investigations of cyber incidents in l Jnited States networks U FOUO · 51 Forallfuture budgets the heads ofall executive departments and agencies sh submitto the Director of OMB concurrent with their budget submissions · an integratecl budget plan to implement the cybersecurity actions de8cri ed in this directive consistent with such instructio ls · as the Director ofOMB may provide U 52 To tile extentofany inconsistencies between this directive and theNationalStrategyto Se'cure Cyberspace 2003 this directive shall govern U · · · 53 This directive · a ·Shall be implemented consistentwith applicable law and the authorities of executive ·departments and agencies or heads of such departments and agencies vested by law 1 5 including for the protection of intelligence sources and methods and subject to the availability of appropriations b Shall not be construed to impair or otherwise affeetthe functions of the Director of OMB relating to budget administrative ' and legislative proposals c · Shall not be construed to alter amend or revoke any other NSPD or HSPD currentlyin effect · d Shall not be construed to apply to special activities as defined in section 3A h of Executive Order 12333 of December 4 1982 ' ' ' ' ·' Shall be implemented in a manner to ensurethat the privacy rights and oth r legal Jights ·· of Arilericans are recognized and ' Is intended only to improve theinternalmanagementoftb e executive bran h offu e Federal Government and is not intended to and does not create any right or ben fit SIJbstantiveor procedural enforceable at law or ill equity againstthe United States its departments agencies or other ntiti s its officers or employees or any othe person U