004216

THE WHITE HOUSE
WASHINGTON

September 28, 2012

MEMORANDUM FOR

MR. ANTONY BLINKEN, Deputy Assistant to the President and National Security Advisor to the Vice President
MRS. CAROL A. MATTHEWS, Acting Director, Executive Secretariat, Department of Energy
MR. STEPHEN D. MULL, Executive Secretary, Department of State
MS. TERESA A. GARLAND, Director, Office of Executive Secretariat, Department of Education
MS. REBECCA H. EWING, Executive Secretary, Department of the Treasury
MR. PHIL MCNAMARA, Executive Secretary, Department of Homeland Security
MR. MICHAEL L. BRUHN, Executive Secretary, Department of Defense
MS. NANCY-ANN DEPARLE, Assistant to the President and Deputy Chief of Staff for Policy
MR. DAVID A. O'NEIL, Associate Deputy Attorney General, Department of Justice
MS. KRYSTA HARDEN, Chief of Staff, Department of Agriculture
MS. DIANE THOMPSON, Chief of Staff, Environmental Protection Agency
MR. STEVEN M. KOSIAK, Associate Director for Defense and International Affairs, Office of Management and Budget
MS. LATOYA MURPHY, Director, Executive Secretariat, Department of Commerce
MR. WILLIAM MACK, Executive Secretary, U.S. Trade Representative
MS. JENNIFER CANNISTRA, Executive Secretary, Department of Health and Human Services
MR. WALLACE D. COGGINS, Executive Secretary, Director of National Intelligence
MS. CAROL DARR, Director, Executive Secretariat, Department of Transportation
MR. ROBERT L. NABORS, Assistant to the President and Director of Legislative Affairs
MR. MICHAEL B. G. FROMAN, Assistant to the President and Deputy National Security Advisor for International Economics
MR. DARREN BLUE, Associate Administrator, Office of Emergency Response and Recovery, General Services Administration
MR. RICK SIGER, Chief of Staff, Office of Science and Technology Policy
MS. ANNETTE VIETTI-COOK, Secretary of the Commission, Nuclear Regulatory Commission
MR. AARON M. ZEBLEY, Chief of Staff, Federal Bureau of Investigation
MR. TYRONE DINDAL, Executive Secretary, Central Intelligence Agency
MR. RICHARD W. BOLSON, Special Assistant for Interagency Affairs, J-5, Joint Chiefs of Staff
MS. AVRIL D. HAINES, Deputy Assistant to the President and Deputy Counsel to the President
GEN KEITH B. ALEXANDER, USA, Director, National Security Agency
MR. DAVID B. ROBBINS, Managing Director, Federal Communications Commission

SUBJECT: Paper Deputies Committee Meeting on Executive Order on Improving Critical Infrastructure Cybersecurity Practices

Deputies are requested to provide comments and concurrence on behalf of their Principals on the draft Executive Order on Improving Critical Infrastructure Cybersecurity Practices attached at Tab A. A discussion paper is attached at Tab B. Please pass the attached to Deputies. Responses should be provided to the National Security Staff Executive Secretariat by close of business on Friday, October 5, 2012. If you have any questions, please contact Rob Knake at rknake@nss.eop.gov or 202-456-4534.

Brian P. McKeon
Executive Secretary

Attachments
Tab A  Discussion Paper for Paper Deputies Committee Meeting on Executive Order on Improving Critical Infrastructure Cybersecurity Practices
Tab B  Draft Executive Order on Improving Critical Infrastructure Cybersecurity Practices

A

DISCUSSION PAPER FOR PAPER DEPUTIES COMMITTEE MEETING ON EXECUTIVE ORDER ON IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY PRACTICES

The draft Executive Order on Improving Critical Infrastructure Cybersecurity Practices (Tab B) provides a structure to enhance the cybersecurity posture of U.S. critical infrastructure. This Executive Order fits into a broader Administration policy effort to strengthen the protection and resilience of the Nation's critical infrastructure. The new Critical Infrastructure Protection and Resilience Presidential Policy Directive, which will replace Homeland Security Policy Directive-7, is in draft and will be presented to the Deputies Committee in the coming weeks. The National Security Staff will continue its coordination between these two related efforts as they are finalized.

In May of 2011, the Administration submitted proposed legislation to improve cybersecurity to Congress. Since Congress has so far failed to pass cybersecurity legislation in the 2011-2012 session, the President intends to use his authority to improve the Nation's cybersecurity. This Executive Order addresses one of seven major components of the legislative proposal: the Cybersecurity Regulatory Framework for Covered Critical Infrastructure. Other components of the proposal, where possible, will be addressed through separate action by the Administration.

The draft Executive Order establishes a consultative process led by the Secretary of Homeland Security (the "Secretary") and requires the Secretary of Commerce to direct the National Institute of Standards and Technology (NIST) to develop a framework for reducing cyber risks to critical infrastructure. The Executive Order further requires the Secretary to work with Sector-Specific Agencies and the Sector Coordinating Councils to establish a voluntary program to promote the adoption of the framework by private industry, and encourages Federal regulatory agencies to review the framework and voluntarily adopt it if current regulatory requirements are deemed to be insufficient. Finally, the Executive Order provides direction to the Secretary on establishing information sharing programs and procedures.

The Administration's proposed legislation had four major objectives:

1. Enhance the cybersecurity of infrastructure determined by the Secretary to be critical to national security, national economic security, and national public health and safety.
2. Provide for consultation on matters pertaining to cybersecurity among Sector-Specific Agencies with responsibility for critical infrastructure, agencies with responsibilities for regulating critical infrastructure, and agencies with expertise regarding services provided by critical infrastructure.
3. Facilitate public sector and private industry consultation and development of best cybersecurity practices by encouraging a national dialogue on cybersecurity vulnerabilities affecting critical infrastructure.
4. Establish workable frameworks for implementing cybersecurity minimum standards and practices designed to complement, not supplant, currently-available security measures - without prescribing particular technologies or methodologies.[1]

The Executive Order meets these objectives; however, it differs from the legislative proposal in three main areas by using agencies' current authorities:

• The legislative proposal called for the Department of Homeland Security (DHS) to develop the frameworks for addressing cybersecurity risks; the Executive Order uses NIST's existing processes in consultation with the Department and the private sector.
• The legislative proposal gave DHS authority to regulate all critical infrastructure, providing an exemption if sufficient regulation is deemed to be in place; the Executive Order cannot extend new regulatory authority and therefore relies on the authority of existing regulators. As a result, the Executive Order may not be able to cover all critical infrastructure sectors.
• The legislative proposal required owners and operators to develop cybersecurity plans and established a process for the Secretary to evaluate implementation of the plans; the Executive Order leaves the details of the voluntary program to the Secretary to develop and the details of any regulatory programs to the existing regulators.

In addition, the proposed Senate bill (Lieberman-Collins) proposed extending liability protections to companies that participated in the bill's equivalent of the voluntary program. Liability protection requires statutory authority; therefore, the Executive Order cannot establish such an incentive.

[1] Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act, Legislative Language, The White House, May 12, 2011.

DRAFT

EXECUTIVE ORDER

IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY PRACTICES

By the Authority vested in me as President by the Constitution and laws of the United States of America, it is hereby ordered as follows:

Sec. 1. Policy. Repeated cyber intrusions into critical infrastructure demonstrate the need for improved security. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats. It is the policy of the United States to enhance the protection and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, privacy, and civil liberties. We will achieve these goals through a collaborative partnership with the owners and operators of critical infrastructure.

Sec. 2. Policy Coordination. Policy coordination, guidance, dispute resolution, and periodic in-progress reviews for the functions and programs described and assigned herein shall be provided through the interagency process established in Presidential Policy Directive-1 of February 13, 2009 (Organization of the National Security Council System) (PPD-1).

Sec. 3. Consultative Process. The Secretary of Homeland Security (the "Secretary") shall establish a consultative process under the Critical Infrastructure Partnership Advisory Council (CIPAC) to coordinate improvements to the cybersecurity of critical infrastructure. Through the CIPAC, the Secretary shall receive and consider the advice of the Sector Coordinating Councils, critical infrastructure owners and operators, agencies, independent regulatory agencies, state, local, territorial, and tribal governments, universities, and outside experts on the matters set forth in this order.

Sec. 4. Identification of Critical Infrastructure at Risk.

(a) Within 150 days of the date of this order, the Secretary shall identify critical infrastructure where a cybersecurity incident could reasonably result in a debilitating impact on national security, national economic security, or national public health or safety. In identifying critical infrastructure for this purpose, the Secretary shall draw upon the prioritized critical infrastructure list required under section 210E of the Homeland Security Act (6 U.S.C. 124l).

(b) Heads of Sector-Specific Agencies and other agencies shall provide the Secretary with information necessary to carry out the responsibilities under this section, in accordance with section 202 of the Homeland Security Act.

(c) The Secretary will coordinate with Sector-Specific Agencies the notification of owners and operators of critical infrastructure identified under sub-section (a) of this section of the Secretary's determination.

Sec. 5. Framework to Reduce Cyber Risk to Critical Infrastructure.

(a) The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the "Director") to coordinate the development of a framework to reduce the cyber risks to critical infrastructure (the "Cybersecurity Framework"). The Cybersecurity Framework shall rely on existing consensus-based standards to the fullest extent possible, consistent with requirements of the National Technology Transfer and Advancement Act of 1995 (Public Law 104-113) and the Office of Management and Budget Circular A-119, "Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities."

(b) The Cybersecurity Framework shall provide a flexible and repeatable approach to apply baseline information security measures and controls to help owners and operators of critical infrastructure identify, assess, and manage cyber risk, and to protect privacy and civil liberties. To allow for technical innovation and organizational differences, the Cybersecurity Framework shall not prescribe particular technological solutions or specifications. The Cybersecurity Framework shall include metrics for measuring the performance of an entity in implementing the Cybersecurity Framework.

(c) In developing the Cybersecurity Framework, the Director shall consult with the Secretary, Sector-Specific Agencies and other interested agencies, the Office of Management and Budget, owners and operators of critical infrastructure, and other stakeholders, and engage in an open public review and comment process.

(d) Within 180 days of the date of this order, the Director shall publish a preliminary version of the Cybersecurity Framework. Within 1 year of the date of this order, and after review by the Secretary, the Director shall publish the final version of the Cybersecurity Framework in the Federal Register.

Sec. Voluntary Critical Infrastructure Cybersecurity Program.

(a) The Secretary, in coordination with Sector-Specific Agencies, shall establish and invite owners and operators of critical infrastructure to participate in a voluntary program to encourage the adoption of the Cybersecurity Framework and to provide technical advice and assistance and a forum to exchange best practices (the "Program").

(b) Sector-Specific Agencies, in consultation with the Secretary, will coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, adapt it to address sector-specific risks and fit the operating environment of individual sectors.

(c) Within 180 days of the date of this order, the Secretary shall issue implementation guidance to the Sector-Specific Agencies, consistent with the National Infrastructure Protection Plan, to encourage a comprehensive and integrated approach across sectors.

Sec. 7. Adoption by Agencies.

(a) Within 120 days of the date of this order, each agency with responsibilities for regulating the security of critical infrastructure shall submit to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Director of the Office of Management and Budget, a report that details authorities under which the agency could regulate the cybersecurity of critical infrastructure, what critical infrastructure could be covered, whether existing regulations on cybersecurity are in place, and the agency's assessment of the sufficiency of those regulations.

(b) Within 270 days of the date of this order, the Secretary shall, in coordination with the Director of the Office of Management and Budget, review these reports in consideration of the critical infrastructure identified in section 4 of this order and the preliminary version of the Cybersecurity Framework developed under section 5, and identify and recommend to agencies a prioritized, risk-based, efficient, and coordinated set of actions to mitigate or remediate identified cybersecurity risks to critical infrastructure.

(c) Within 1 year of the date of this order, agencies subject to this order with responsibilities for regulating the security of critical infrastructure are encouraged to propose regulations, consistent with Executive Orders 12856 and 13563, to mitigate cybersecurity risk based on such set of prioritized actions.

(d) Independent regulatory agencies are encouraged to engage in a consultative process with the Secretary and affected parties as they consider the set of prioritized actions.

Sec. 8. Cybersecurity Information Sharing.

(a) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or data exfiltration, the Secretary, in coordination with the Secretary of Defense, the Director of the National Security Agency, the Director of National Intelligence, and the Attorney General, shall establish within 120 days a near real time information sharing program. The program will provide government derived security information for the protection of critical networks and sensitive information. The Secretary, in coordination with the Director of National Intelligence, shall establish procedures to limit the further dissemination of such information to ensure that it is not used for an unauthorized purpose.

(b) The Director of National Intelligence shall ensure the timely production of unclassified tearlines for all known cyber threats to the U.S. homeland that identify a target or victim. The Secretary shall establish a coordinated process that rapidly disseminates these unclassified tearlines to the target or victim.

(c) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549, shall expedite the provision of security clearances to appropriate personnel employed by critical infrastructure owners and operators participating in the Program.

(d) The Secretary shall request owners and operators of critical infrastructure to report promptly to the Secretary or other appropriate agency cybersecurity incidents or threats.

(e) The Secretary shall develop, in coordination with the Attorney General and in consultation with other agencies, internal Federal reporting and dissemination procedures to notify appropriate agencies of cybersecurity incidents or threats reported to the Secretary or to any other agency.

(f) Information submitted voluntarily in accordance with section 214 of the Homeland Security Act (6 U.S.C. 133) by private entities for any purpose under this order shall be protected from disclosure to the full extent permitted by section 214 of the Homeland Security Act.

Sec. 9. Privacy and Civil Liberties Assessment and Protections.

(a) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security shall assess the privacy and civil rights risks of the functions and programs called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks. Relevant agencies will conduct their own reviews and provide the results of those reviews to the Department for inclusion in a public report. The report shall be reviewed and revised as necessary on an annual basis thereafter.

(b) In conducting these activities, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security shall consult with the Office of Management and Budget and the Privacy and Civil Liberties Oversight Board. Privacy aspects shall be evaluated against the Fair Information Practice Principles and other applicable privacy policies.

(c) Departments and agencies shall consider the assessments and recommendations of the report, as applicable, and, in consultation with their own privacy and civil liberties officials, shall include appropriate protections based upon Fair Information Practice Principles in their implementation actions.

Sec. 10. Implementation.

(a) Sector-Specific Agencies shall report annually to the President, through the Secretary, on the extent to which owners and operators notified under section 4 are participating in the Program.

(b) Within 90 days of the date of this order, the Secretary of Defense and the Administrator of General Services shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism, on the feasibility, security benefits, and relative merits of establishing procurement preferences for vendors who meet cybersecurity standards. In developing the recommendations, they shall consult with the Federal Acquisition Regulatory Council and shall engage in the consultative process established in section 3.

(c) Within 90 days of the date of this order, the Secretaries of the Treasury and Commerce shall submit to the President, through the Assistant to the President for Homeland Security and Counterterrorism, a report that assesses the Federal government's ability under existing laws to provide incentives to owners and operators of critical infrastructure that participate in the Program. In developing the report, they shall engage in the consultative process established in section 3.

Sec. 11. Definitions.

(a) "Agency" means any authority of the United States that is an "agency" under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

(b) "Critical infrastructure" has the meaning given the term in 42 U.S.C. 5195c(e).

(c) "Critical Infrastructure Partnership Advisory Council" means the council established by the Department of Homeland Security under 6 U.S.C. 451 to coordinate critical infrastructure protection activities within the Federal Government and with the private sector and State, local, territorial, and tribal governments.

(d) "Fair Information Practice Principles" means the eight principles set forth in the Framework for Privacy Policy at the Department of Homeland Security.

(e) "Framework" means a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches.

(f) "Independent regulatory agency" has the meaning given the term in 44 U.S.C. 3502.

(g) "Sector Coordinating Council" means a private sector coordinating council comprised of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or its successor.

(h) "Sector-Specific Agency" has the meaning given the term in Homeland Security Presidential Directive 7 (Critical Infrastructure Identification, Prioritization, and Protection), December 17, 2003, or its successor.

Sec. 12. General Provisions.

(a) This order shall be implemented consistent with applicable law and subject to the availability of appropriations. Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law. Nothing in this order shall be construed to alter or limit any authority or responsibility of an agency under existing law.

(b) Any actions taken as a result of the studies required under sections 10(b) and (c) shall be implemented consistent with U.S. international obligations.

(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

THE WHITE HOUSE