FOR OFFICIAL USE ONLY

20365

THE WHITE HOUSE
WASHINGTON

May 22, 1998

PRESIDENTIAL DECISION DIRECTIVE NSC-63

MEMORANDUM FOR
THE VICE PRESIDENT
THE SECRETARY OF STATE
THE SECRETARY OF THE TREASURY
THE SECRETARY OF DEFENSE
THE ATTORNEY GENERAL
THE SECRETARY OF COMMERCE
THE SECRETARY OF HEALTH AND HUMAN SERVICES
THE SECRETARY OF TRANSPORTATION
THE SECRETARY OF ENERGY
THE SECRETARY OF VETERANS AFFAIRS
ADMINISTRATOR, ENVIRONMENTAL PROTECTION AGENCY
THE DIRECTOR, OFFICE OF MANAGEMENT AND BUDGET
THE DIRECTOR OF CENTRAL INTELLIGENCE
THE DIRECTOR, FEDERAL EMERGENCY MANAGEMENT AGENCY
THE ASSISTANT TO THE PRESIDENT FOR NATIONAL SECURITY AFFAIRS
THE ASSISTANT TO THE PRESIDENT FOR ECONOMIC POLICY
THE ASSISTANT TO THE PRESIDENT FOR SCIENCE AND TECHNOLOGY
THE CHAIRMAN, JOINT CHIEFS OF STAFF
THE DIRECTOR, FEDERAL BUREAU OF INVESTIGATION
THE DIRECTOR, NATIONAL SECURITY AGENCY

SUBJECT: Critical Infrastructure Protection

I. A Growing Potential Vulnerability

The United States possesses both the world's strongest military and its largest national economy. Those two aspects of our power are mutually reinforcing and dependent. They are also increasingly reliant upon certain critical infrastructures and upon cyber-based information systems.

Critical infrastructures are those physical and cyber-based systems essential to the minimum operations of the economy and government. They include, but are not limited to, telecommunications, energy, banking and finance, transportation, water systems and emergency services, both governmental and private. Many of the nation's critical infrastructures have historically been physically and logically separate systems that had little interdependence. As a result of advances in information technology and the necessity of improved efficiency, however, these infrastructures have become increasingly automated and interlinked. These same advances have created new vulnerabilities to equipment failures, human error, weather and other natural causes, and physical and cyber attacks. Addressing these vulnerabilities will necessarily require flexible, evolutionary approaches that span both the public and private sectors, and protect both domestic and international security.

Because of our military strength, future enemies, whether nations, groups or individuals, may seek to harm us in non-traditional ways including attacks within the United States. Because our economy is increasingly reliant upon interdependent and cyber-supported infrastructures, non-traditional attacks on our infrastructure and information systems may be capable of significantly harming both our military power and our economy.

II. President's Intent

It has long been the policy of the United States to assure the continuity and viability of critical infrastructures. I intend that the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber attacks on our critical infrastructures, including especially our cyber systems.

III. A National Goal

No later than the year 2000, the United States shall have achieved an initial operating capability and no later than five years from today the United States shall have achieved and shall maintain the ability to protect our nation's critical infrastructures from intentional acts that would significantly diminish the abilities of:

• the Federal Government to perform essential national security missions and to ensure the general public health and safety;
• state and local governments to maintain order and to deliver minimum essential public services;
• the private sector to ensure the orderly functioning of the economy and the delivery of essential telecommunications, energy, financial and transportation services.

Any interruptions or manipulations of these critical functions must be brief, infrequent, manageable, geographically isolated and minimally detrimental to the welfare of the United States.

IV. A Public-Private Partnership to Reduce Vulnerability

Since the targets of attacks on our critical infrastructure would likely include both facilities in the economy and those in the government, the elimination of our potential vulnerability requires a closely coordinated effort of both the government and the private sector. To succeed, this partnership must be genuine, mutual and cooperative. In seeking to meet our national goal to eliminate the vulnerabilities of our critical infrastructure, therefore, we should, to the extent feasible, seek to avoid outcomes that increase government regulation or expand unfunded government mandates to the private sector.

For each of the major sectors of our economy that are vulnerable to infrastructure attack, the Federal Government will appoint from a designated Agency a senior officer of that agency as the Sector Liaison Official to work with the private sector. Sector Liaison Officials, after discussions and coordination with private sector entities of their infrastructure sector, will identify a private sector counterpart (Sector Coordinator) to represent their sector.

Together these two individuals and the departments and corporations they represent shall contribute to a sectoral National Infrastructure Assurance Plan by:

• assessing the vulnerabilities of the sector to cyber or physical attacks;
• recommending a plan to eliminate significant vulnerabilities;
• proposing a system for identifying and preventing attempted major attacks;
• developing a plan for alerting, containing and rebuffing an attack in progress and then, in coordination with FEMA as appropriate, rapidly reconstituting minimum essential capabilities in the aftermath of an attack.

During the preparation of the sectoral plans, the National Coordinator (see section VI), in conjunction with the Lead Agency Sector Liaison Officials and a representative from the National Economic Council, shall ensure their overall coordination and the integration of various sectoral plans, with a particular focus on interdependencies.

V. Guidelines

In addressing this potential vulnerability and the means of eliminating it, I want those involved to be mindful of the following general principles and concerns.

• We shall consult with, and seek input from, the Congress on approaches and programs to meet the objectives set forth in this directive.
• The protection of our critical infrastructures is necessarily a shared responsibility and partnership between owners, operators and the government. Furthermore, the Federal Government shall encourage international cooperation to help manage this increasingly global problem.
• Frequent assessments shall be made of our critical infrastructures' existing reliability, vulnerability and environment because, as technology and the nature of threats to our critical infrastructures will continue to change rapidly, so must our protective measures and responses be robustly adaptive.
• The incentives that the market provides are the first choice for addressing the problem of critical infrastructure protection; regulation will be used only in the face of a material failure of the market to protect the health, safety or well-being of the American people. In such cases, agencies shall identify and assess available alternatives to direct regulation, including providing economic incentives to encourage the desired behavior, or providing information upon which choices can be made by the private sector. These incentives, along with other actions, shall be designed to help harness the latest technologies, bring about global solutions to international problems, and enable private sector owners and operators to achieve and maintain the maximum feasible security.
• The full authorities, capabilities and resources of the government, including law enforcement, regulation, foreign intelligence and defense preparedness, shall be available, as appropriate, to ensure that critical infrastructure protection is achieved and maintained.
• Care must be taken to respect privacy rights. Consumers and operators must have confidence that information will be handled accurately, confidentially and reliably.
• The Federal Government shall, through its research, development and procurement, encourage the introduction of increasingly capable methods of infrastructure protection.
• The Federal Government shall serve as a model to the private sector on how infrastructure assurance is best achieved and shall, to the extent feasible, distribute the results of its endeavors.
• We must focus on preventative measures as well as threat and crisis management. To that end, private sector owners and operators should be encouraged to provide maximum feasible security for the infrastructures they control and to provide the government necessary information to assist them in that task. In order to engage the private sector fully, it is preferred that participation by owners and operators in a national infrastructure protection system be voluntary.
• Close cooperation and coordination with state and local governments and first responders is essential for a robust and flexible infrastructure protection program. All critical infrastructure protection plans and actions shall take into consideration the needs, activities and responsibilities of state and local governments and first responders.

VI. Structure and Organization

The Federal Government will be organized for the purposes of this endeavor around four components (elaborated in Annex A).

1. Lead Agencies for Sector Liaison: For each infrastructure sector that could be a target for significant cyber or physical attacks, there will be a single U.S. Government department which will serve as the lead agency for liaison. Each Lead Agency will designate one individual of Assistant Secretary rank or higher to be the Sector Liaison Official for that area and to cooperate with the private sector representatives (Sector Coordinators) in addressing problems related to critical infrastructure protection and, in particular, in recommending components of the National Infrastructure Assurance Plan. Together, the Lead Agency and the private sector counterparts will develop and implement a Vulnerability Awareness and Education Program for their sector.

2. Lead Agencies for Special Functions: There are, in addition, certain functions related to critical infrastructure protection that must be chiefly performed by the Federal Government (national defense, foreign affairs, intelligence, law enforcement). For each of those special functions, there shall be a Lead Agency which will be responsible for coordinating all of the activities of the United States Government in that area. Each lead agency will appoint a senior officer of Assistant Secretary rank or higher to serve as the Functional Coordinator for that function for the Federal Government.

3. Interagency Coordination: The Sector Liaison Officials and Functional Coordinators of the Lead Agencies, as well as representatives from other relevant departments and agencies, including the National Economic Council, will meet to coordinate the implementation of this directive under the auspices of a Critical Infrastructure Coordination Group (CICG), chaired by the National Coordinator for Security, Infrastructure Protection and Counter-Terrorism. The National Coordinator will be appointed by me and report to me through the Assistant to the President for National Security Affairs, who shall assure appropriate coordination with the Assistant to the President for Economic Affairs. Agency representatives to the CICG should be at a senior policy level (Assistant Secretary or higher). Where appropriate, the CICG will be assisted by extant policy structures, such as the Security Policy Board, Security Policy Forum and the National Security and Telecommunications and Information System Security Committee.

4. National Infrastructure Assurance Council: On the recommendation of the Lead Agencies, the National Economic Council and the National Coordinator, I will appoint a panel of major infrastructure providers and state and local government officials to serve as my National Infrastructure Assurance Council. I will appoint the Chairman. The National Coordinator will serve as the Council's Executive Director. The National Infrastructure Assurance Council will meet periodically to enhance the partnership of the public and private sectors in protecting our critical infrastructures and will provide reports to me as appropriate. Senior Federal Government officials will participate in the meetings of the National Infrastructure Assurance Council as appropriate.

VII. Protecting Federal Government Critical Infrastructures

Every department and agency of the Federal Government shall be responsible for protecting its own critical infrastructure, especially its cyber-based systems. Every department and agency Chief Information Officer (CIO) shall be responsible for information assurance. Every department and agency shall appoint a Chief Infrastructure Assurance Officer (CIAO) who shall be responsible for the protection of all of the other aspects of that department's critical infrastructure. The CIO may be double-hatted as the CIAO at the discretion of the individual department. These officials shall establish procedures for obtaining expedient and valid authorities to allow vulnerability assessments to be performed on government computer and physical systems. The Department of Justice shall establish legal guidelines for providing for such authorities.

No later than 180 days from issuance of this directive, every department and agency shall develop a plan for protecting its own critical infrastructure, including but not limited to its cyber-based systems. The National Coordinator shall be responsible for coordinating analyses required by the departments and agencies of inter-governmental dependencies and the mitigation of those dependencies. The Critical Infrastructure Coordination Group (CICG) shall sponsor an expert review process for those plans. No later than two years from today, those plans shall have been implemented and shall be updated every two years. In meeting this schedule, the Federal Government shall present a model to the private sector on how best to protect critical infrastructure.

VIII. Tasks

Within 180 days, the Principals Committee should submit to me a schedule for completion of a National Infrastructure Assurance Plan with milestones for accomplishing the following subordinate and related tasks.

1. Vulnerability Analyses: For each sector of the economy and each sector of the government that might be a target of infrastructure attack intended to significantly damage the United States, there shall be an initial vulnerability assessment, followed by periodic updates. As appropriate, these assessments shall also include the determination of the minimum essential infrastructure in each sector.

2. Remedial Plan: Based upon the vulnerability assessment, there shall be a recommended remedial plan. The plan shall identify timelines for implementation, responsibilities and funding.

3. Warning: A national center to warn of significant infrastructure attacks will be established immediately (see Annex A). As soon thereafter as possible, we will put in place an enhanced system for detecting and analyzing such attacks, with maximum possible participation of the private sector.

4. Response: We shall develop a system for responding to a significant infrastructure attack while it is underway, with the goal of isolating and minimizing damage.

5. Reconstitution: For varying levels of successful infrastructure attacks, we shall have a system to reconstitute minimum required capabilities rapidly.

6. Education and Awareness: There shall be Vulnerability Awareness and Education Programs within both the government and the private sector to sensitize people regarding the importance of security and to train them in security standards, particularly regarding cyber systems.

7. Research and Development: Federally-sponsored research and development in support of infrastructure protection shall be coordinated, be subject to multi-year planning, take into account private sector research, and be adequately funded to minimize our vulnerabilities on a rapid but achievable timetable.

8. Intelligence: The Intelligence Community shall develop and implement a plan for enhancing collection and analysis of the foreign threat to our national infrastructure, to include but not be limited to the foreign cyber/information warfare threat.

9. International Cooperation: There shall be a plan to expand cooperation on critical infrastructure protection with like-minded and friendly nations, international organizations and multinational corporations.

10. Legislative and Budgetary Requirements: There shall be an evaluation of the executive branch's legislative authorities and budgetary priorities regarding critical infrastructure, and ameliorative recommendations shall be made to me as necessary. The evaluations and recommendations, if any, shall be coordinated with the Director of OMB.

The CICG shall also review and schedule the taskings listed in Annex B.

IX. Implementation

In addition to the 180-day report, the National Coordinator, working with the National Economic Council, shall provide an annual report on the implementation of this directive to me and the heads of departments and agencies, through the Assistant to the President for National Security Affairs. The report should include an updated threat assessment, a status report on achieving the milestones identified for the National Plan and additional policy, legislative and budgetary recommendations. The evaluations and recommendations, if any, shall be coordinated with the Director of OMB. In addition, following the establishment of an initial operating capability in the year 2000, the National Coordinator shall conduct a zero-based review.

Annex A: Structure and Organization

Lead Agencies: Clear accountability within the U.S. Government must be designated for specific sectors and functions. The following assignments of responsibility will apply.

Lead Agencies for Sector Liaison:

Commerce: Information and communications
Treasury: Banking and finance
EPA: Water supply
Transportation: Aviation; Highways (including trucking and intelligent transportation systems); Mass transit; Pipelines; Rail; Waterborne commerce
Justice/FBI: Emergency law enforcement services
FEMA: Emergency fire service; Continuity of government services
HHS: Public health services, including prevention, surveillance, laboratory services and personal health services
Energy: Electric power; Oil and gas production and storage

Lead Agencies for Special Functions:

Justice/FBI: Law enforcement and internal security
CIA: Foreign intelligence
State: Foreign affairs
Defense: National defense

In addition, OSTP shall be responsible for coordinating research and development agendas and programs for the government through the National Science and Technology Council. Furthermore, while Commerce is the lead agency for information and communication, the Department of Defense will retain its Executive Agent responsibilities for the National Communications System and support of the President's National Security Telecommunications Advisory Committee.

National Coordinator: The National Coordinator for Security, Infrastructure Protection and Counter-Terrorism shall be responsible for coordinating the implementation of this directive. The National Coordinator will report to me through the Assistant to the President for National Security Affairs. The National Coordinator will also participate as a full member of Deputies or Principals Committee meetings when they meet to consider infrastructure issues. Although the National Coordinator will not direct Departments and Agencies, he or she will ensure interagency coordination for policy development and implementation, and will review crisis activities concerning infrastructure events with significant foreign involvement. The National Coordinator will provide advice, in the context of the established annual budget process, regarding agency budgets for critical infrastructure protection. The National Coordinator will chair the Critical Infrastructure Coordination Group (CICG), reporting to the Deputies Committee (or, at the call of its chair, the Principals Committee). The Sector Liaison Officials and Special Function Coordinators shall attend the CICG's meetings. Departments and agencies shall each appoint to the CICG a senior official (Assistant Secretary level or higher) who will regularly attend meetings. The National Security Advisor shall appoint a Senior Director for Infrastructure Protection on the NSC staff.

A National Plan Coordination (NPC) staff will be contributed on a non-reimbursable basis by the departments and agencies, consistent with law. The NPC will integrate the various sector plans into a National Infrastructure Assurance Plan and coordinate analyses of the U.S. Government's own dependencies on critical infrastructures. The NPC staff will also help coordinate a national education and awareness program, and legislative and public affairs.

The Defense Department shall continue to serve as Executive Agent for the Commission Transition Office, which will form the basis of the NPC, during the remainder of FY98. Beginning in FY99, the NPC shall be an office of the Commerce Department. The Office of Personnel Management shall provide the necessary assistance in facilitating the NPC's operations. The NPC will terminate at the end of FY01, unless extended by Presidential directive.

Warning and Information Centers

As part of a national warning and information sharing system, I immediately authorize the FBI to expand its current organization to a full scale National Infrastructure Protection Center (NIPC). This organization shall serve as a national critical infrastructure threat assessment, warning, vulnerability, and law enforcement investigation and response entity. During the initial period of six to twelve months, I also direct the National Coordinator and the Sector Liaison Officials, working together with the Sector Coordinators, the Special Function Coordinators and representatives from the National Economic Council, as appropriate, to consult with owners and operators of the critical infrastructures to encourage the creation of a private sector sharing and analysis center, as described below.

National Infrastructure Protection Center (NIPC): The NIPC will include FBI, USSS, and other investigators experienced in computer crimes and infrastructure protection, as well as representatives detailed from the Department of Defense, the Intelligence Community and Lead Agencies. It will be linked electronically to the rest of the Government, including other warning and operations centers, as well as any private sector sharing and analysis centers. Its mission will include providing timely warnings of intentional threats, comprehensive analyses and law enforcement investigation and response.

All executive departments and agencies shall cooperate with the NIPC and provide such assistance, information and advice that the NIPC may request, to the extent permitted by law. All executive departments shall also share with the NIPC information about threats and warning of attacks and about actual attacks on critical government and private sector infrastructures, to the extent permitted by law. The NIPC will include elements responsible for warning, analysis, computer investigation, coordinating emergency response, training, outreach and development and application of technical tools. In addition, it will establish its own relations directly with others in the private sector and with any information sharing and analysis entity that the private sector may create, such as the Information Sharing and Analysis Center described below.

The NIPC, in conjunction with the information originating agency, will sanitize law enforcement and intelligence information for inclusion into analyses and reports that it will provide, in appropriate form, to relevant federal, state and local agencies; the relevant owners and operators of critical infrastructures; and to any private sector information sharing and analysis entity. Before disseminating national security or other information that originated from the intelligence community, the NIPC will coordinate fully with the intelligence community through existing procedures. Whether as sanitized or unsanitized reports, the NIPC will issue attack warnings or alerts to increases in threat condition to any private sector information sharing and analysis entity and to the owners and operators. These warnings may also include guidance regarding additional protection measures to be taken by owners and operators. Except in extreme emergencies, the NIPC shall coordinate with the National Coordinator before issuing public warnings of imminent attacks by international terrorists, foreign states or other malevolent foreign powers.

The NIPC will provide a national focal point for gathering information on threats to the infrastructures. Additionally, the NIPC will provide the principal means of facilitating and coordinating the Federal Government's response to an incident, mitigating attacks, investigating threats and monitoring reconstitution efforts. Depending on the nature and level of a foreign threat/attack, protocols established between special function agencies (DOJ/DOD/CIA), and the ultimate decision of the President, the NIPC may be placed in a direct support role to either DOD or the Intelligence Community.

Information Sharing and Analysis Center (ISAC): The National Coordinator, working with Sector Coordinators, Sector Liaison Officials and the National Economic Council, shall consult with owners and operators of the critical infrastructures to strongly encourage the creation of a private sector information sharing and analysis center. The actual design and functions of the center and its relation to the NIPC will be determined by the private sector, in consultation with and with assistance from the Federal Government. Within 180 days of this directive, the National Coordinator, with the assistance of the CICG including the National Economic Council, shall identify possible methods of providing federal assistance to facilitate the startup of an ISAC.

Such a center could serve as the mechanism for gathering, analyzing, appropriately sanitizing and disseminating private sector information to both industry and the NIPC. The center could also gather, analyze and disseminate information from the NIPC for further distribution to the private sector. While crucial to a successful government-industry partnership, this mechanism for sharing important information about vulnerabilities, threats, intrusions and anomalies is not to interfere with direct information exchange between companies and the government.

As ultimately designed by private sector representatives, the ISAC may emulate particular aspects of such institutions as the Centers for Disease Control and Prevention that have proved highly effective, particularly its extensive interchange with the private and non-federal sectors. Under such a model, the ISAC would possess a large degree of technical focus and expertise and non-regulatory and non-law enforcement missions. It would establish baseline statistics and patterns on the various infrastructures, become a clearinghouse for information within and among the various sectors, and provide a library for historical data to be used by the private sector and, as deemed appropriate by the ISAC, by the government. Critical to the success of such an institution would be its timeliness, accessibility, coordination, flexibility, utility and acceptability.

Annex B: Additional Taskings

Studies

The National Coordinator shall commission studies on the following subjects:

- Liability issues arising from participation by private sector companies in the information sharing process.
- Existing legal impediments to information sharing, with an eye to proposals to remove these impediments, including through the drafting of model codes in cooperation with the American Legal Institute.
- The necessity of document and information classification and the impact of such classification on useful dissemination, as well as the methods and information systems by which threat and vulnerability information can be shared securely while avoiding disclosure or unacceptable risk of disclosure to those who will misuse it.
- The improved protection, including secure dissemination and information handling systems, of industry trade secrets and other confidential business data, law enforcement information and evidentiary material, classified national security information, unclassified material disclosing vulnerabilities of privately owned infrastructures and apparently innocuous information that, in the aggregate, it is unwise to disclose.
- The implications of sharing information with foreign entities where such sharing is deemed necessary to the security of United States infrastructures.
- The potential benefit to security standards of mandating, subsidizing, or otherwise assisting the provision of insurance for selected critical infrastructure providers and requiring insurance tie-ins for foreign critical infrastructure providers hoping to do business with the United States.

Public Outreach

In order to foster a climate of enhanced public sensitivity to the problem of infrastructure protection, the following actions shall be taken:

• The White House, under the oversight of the National Coordinator, together with the relevant Cabinet agencies, shall consider a series of conferences: (1) that will bring together national leaders in the public and private sectors to propose programs to increase the commitment to information security; (2) that convoke academic leaders from engineering, computer science, business and law schools to review the status of education in information security and will identify changes in the curricula and resources necessary to meet the national demand for professionals in this field; (3) on the issues around computer ethics as these relate to the K through 12 and general university populations.
• The National Academy of Sciences and the National Academy of Engineering shall consider a round table bringing together federal, state and local officials with industry and academic leaders to develop national strategies for enhancing infrastructure security.
• The intelligence community and law enforcement shall expand existing programs for briefing infrastructure owners and operators and senior government officials.
• The National Coordinator shall (1) establish a program for infrastructure assurance simulations involving senior public and private officials, the reports of which might be distributed as part of an awareness campaign; and (2) in coordination with the private sector, launch a continuing national awareness campaign, emphasizing improving infrastructure security.

Internal Federal Government Actions

In order for the Federal Government to improve its infrastructure security, these immediate steps shall be taken:

• The Department of Commerce, the General Services Administration, and the Department of Defense shall assist federal agencies in the implementation of best practices for information assurance within their individual agencies.
• The National Coordinator shall coordinate a review of existing federal, state and local bodies charged with information assurance tasks, and provide recommendations on how these institutions can cooperate most effectively.
• All federal agencies shall make clear designations regarding who may authorize access to their computer systems.
• The Intelligence Community shall elevate and formalize the priority for enhanced collection and analysis of information on the foreign cyber/information warfare threat to our critical infrastructure.
• The Federal Bureau of Investigation, the Secret Service and other appropriate agencies shall: (1) vigorously recruit undergraduate and graduate students with the relevant computer-related technical skills for full-time employment as well as for part-time work with regional computer crime squads; and (2) facilitate the hiring and retention of qualified personnel for technical analysis and investigation involving cyber attacks.
• The Department of Transportation, in consultation with the Department of Defense, shall undertake a thorough evaluation of the vulnerability of the national transportation infrastructure that relies on the Global Positioning System. This evaluation shall include sponsoring an independent, integrated assessment of risks to civilian users of GPS-based systems, with a view to basing decisions on the ultimate architecture of the modernized NAS on these evaluations.
• The Federal Aviation Administration shall develop and implement a comprehensive National Airspace System Security Program to protect the modernized NAS from information-based and other disruptions and attacks.
• GSA shall identify large procurements (such as the new Federal Telecommunications System, FTS 2000) related to infrastructure assurance, study whether the procurement process reflects the importance of infrastructure protection and propose, if necessary, revisions to the overall procurement process to do so.
• OMB shall direct federal agencies to include assigned infrastructure assurance functions within their Government Performance and Results Act strategic planning and performance measurement framework.
• The NSA, in accordance with its National Manager responsibilities in NSD-42, shall provide assessments encompassing examinations of U.S. Government systems to interception and exploitation; disseminate threat and vulnerability information; establish standards; conduct research and development; and conduct issue security product evaluations.

Assisting the Private Sector

In order to assist the private sector in achieving and maintaining infrastructure security:

• The National Coordinator and the National Infrastructure Assurance Council shall propose and develop ways to encourage private industry to perform periodic risk assessments of critical processes, including information and telecommunications systems.
• The Department of Commerce and the Department of Defense shall work together, in coordination with the private sector, to offer their expertise to private owners and operators of critical infrastructure to develop security-related best practice standards.
• The Department of Justice and Department of the Treasury shall sponsor a comprehensive study compiling demographics of computer crime, comparing state approaches to computer crime and developing ways of deterring and responding to computer crime by juveniles.

PHOTOCOPY WJC HANDWRITING