UNCLASSIFIED / Draft / Pre-Decisional / Deliberative
DRAFT OF 11/21/2012

EXECUTIVE ORDER

IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Policy. Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats. It is the policy of the United States to enhance the protection and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, confidentiality, privacy, and civil liberties. We will achieve these goals through a partnership with the owners and operators of critical infrastructure that includes cybersecurity information sharing and the collaborative development and adoption of risk-based standards.

Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure has the meaning given in 42 U.S.C. 5195c(e). For purposes of this order, a product or service used by critical infrastructure shall not be considered to be critical infrastructure unless the product or service meets the definition in 42 U.S.C. 5195c(e).

Sec. 3. Policy Coordination. Policy coordination, guidance, dispute resolution, and periodic in-progress reviews for the functions and programs described and assigned herein shall be provided through the interagency process established in Presidential Policy Directive-1 of February 13, 2009 (Organization of the National Security Council System).

Sec. 4. Cybersecurity Information Sharing. (a) Within
120 days of the date of this order, the Director of National Intelligence shall issue instructions to the intelligence community consistent with 50 U.S.C., and the Attorney General of the United States shall issue instructions consistent with 42 U.S.C. 10607(b) to federal law enforcement entities under the Attorney General's authority, to ensure the timely production of unclassified versions of all reports of cyber threats to the homeland that identify a specific targeted entity. The Secretary of Homeland Security (the Secretary) shall produce timely unclassified versions of all Department of Homeland Security reports of cyber threats to the U.S. homeland that identify a specific targeted entity.

(b) The Secretary, consistent with 6 U.S.C., shall establish a coordinated process that rapidly disseminates all unclassified reports of cyber threats that identify a specific targeted entity to the targeted U.S. entity. The Secretary, in coordination with the Director of National Intelligence, shall establish a system for the tracking of these reports and notifications. Agencies making notifications are responsible for reporting to the Secretary when notifications are made.

(c) To assist owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall within 120 days of the date of this order establish procedures to allow the owners and operators of critical infrastructure in all sectors to participate, on a voluntary basis, in the Enhanced Cybersecurity Services initiative.

(d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for
State, Local, Tribal, and Private Sector Entities), shall expedite the provision of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9.

(e) In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.

Sec. 5. Privacy and Civil Liberties Protections. (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities based upon the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks.

(b) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security shall assess the privacy and civil liberties risks of the functions and programs called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within one year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to the Department of Homeland Security for consideration and inclusion in the report. The report shall be reviewed and revised as necessary on an annual basis thereafter. The report may contain a classified annex if necessary. Assessments will include evaluation of activities
against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks.

(c) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security shall coordinate the report required under this section with the Office of Management and Budget (OMB) and the Privacy and Civil Liberties Oversight Board.

(d) Agencies shall consider the assessments and recommendations of the report and, in coordination with their senior privacy and civil liberties officials, shall include privacy and civil liberties protections in agency activities.

(e) Information submitted voluntarily by private entities under this order, in accordance with 6 U.S.C. 133, shall be protected from disclosure to the fullest extent permitted by law.

Sec. 6. Consultative Process. The Secretary shall establish a consultative process using the Critical Infrastructure Partnership Advisory Council (CIPAC) to coordinate improvements to the cybersecurity of critical infrastructure. The Secretary shall facilitate the engagement of, and consider advice on matters set forth in this order from, the Sector Coordinating Councils, critical infrastructure owners and operators, Sector-Specific Agencies, other relevant agencies, independent regulatory agencies, state, local, territorial, and tribal governments, universities, and outside experts.

Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. (a) The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the Director) to coordinate the development of a framework to reduce cyber risks to critical infrastructure (the Cybersecurity Framework). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks.
The Cybersecurity Framework shall incorporate existing consensus-based standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with international standards whenever feasible, and shall meet the requirements of the National Institute of Standards and Technology Act, Public Law 104-113, and OMB Circular A-119.

(b) The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards applicable to critical infrastructure. The Framework will also identify potential gaps that should be addressed through collaboration with particular sectors and industry-led standards organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide cybersecurity guidance that is technology neutral and that enables sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks.

(c) The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework. The Cybersecurity Framework shall include methodologies to identify and mitigate impacts of the Framework and associated information security measures or controls on business confidentiality, and to protect individual privacy and civil liberties.

(d) Within 240 days of the date of this order, and after completion of the consultation process required under this section, the Director shall publish a preliminary version of the Cybersecurity Framework (the preliminary Framework).
Within one year of the date of this order, and after review by the Secretary, the Director shall publish a final version of the Cybersecurity Framework (the final Framework).

(e) In coordinating development of the preliminary and final Cybersecurity Framework, the Director shall engage in an open public review and comment process. The Director shall also consult with the Secretary, Sector-Specific Agencies and other interested agencies, OMB, owners and operators of critical infrastructure, and other stakeholders through the consultative process established in section 6 of this order.

(f) The Secretary, the Director of National Intelligence, and the heads of other relevant agencies shall provide threat and vulnerability information, including unclassified reports relating to cyber threats, and technical expertise, to inform the Cybersecurity Framework and the consultative development process.

(g) Consistent with statutory responsibilities, the Director will ensure the Cybersecurity Framework and related guidance is reviewed and updated as necessary, in consultation with the Secretary, Sector-Specific Agencies and other interested agencies, OMB, owners and operators of critical infrastructure, and other stakeholders, at least every 3 years, taking into consideration changes in cyber risks, operational feedback from owners and operators of critical infrastructure, and any other relevant factors.

Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program. (a) The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities (the Program).

(b) Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils
to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

(c) Sector-Specific Agencies shall report annually to the President, through the Secretary, on the extent to which owners and operators notified under section 9 of this order are participating in the Program.

(d) The Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program. Within 90 days of the date of this order, the Secretary and the Secretaries of the Treasury and Commerce each shall make recommendations separately to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on what incentives can be provided to owners of critical infrastructure that participate in the Program under existing law and authorities, and what incentives would require legislation, including analysis of the benefits and relative effectiveness of such incentives.

(e) Within 90 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of changing the federal procurement process to create preferences for vendors who meet cybersecurity standards, and to harmonize and make consistent existing procurement requirements related to cybersecurity. In developing such recommendations, the Secretary of Defense and the Administrator of General Services shall consult with the Federal Acquisition Regulatory Council and shall use the consultative process established in section 6 of this order.
Sec. 9. Identification of Critical Infrastructure at Greatest Risk. (a) Within 150 days of the date of this order, consistent with 6 U.S.C. 1241, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. In identifying critical infrastructure for this purpose, the Secretary shall use the consultative process established in section 6 of this order and draw upon the expertise of Sector-Specific Agencies. The Secretary shall apply consistent, objective criteria in making such identifications. The Secretary shall not identify any commercial information technology products under this section. The Secretary shall review and update identifications under this section on an annual basis, and provide each such identification to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.

(b) Heads of Sector-Specific Agencies and other relevant agencies shall provide the Secretary with information necessary to carry out the responsibilities under this section. The Secretary shall develop a process for other relevant stakeholders to submit information to assist in making the identifications required in subsection (a) of this section.

(c) The Secretary, in coordination with Sector-Specific Agencies, shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided with relevant threat information.

(d) The Secretary shall establish a process through which notified owners and operators of critical infrastructure may submit relevant information and request reconsideration of an identification under subsection (a) of this section.
Sec. 10. (a) Agencies, as defined under section 11(a) of this order (not including independent regulatory agencies), with responsibility for regulating the security of critical infrastructure shall engage in a consultative process with the Department of Homeland Security and the National Security Staff to review the preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. In making such determination, agencies shall consider the identification of critical infrastructure required under section 9 of this order. Within 90 days of the publication of the preliminary Framework, agencies shall submit a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the Director, and the Assistant to the President for Economic Affairs, that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, any additional authority required, and the extent to which existing requirements overlap, conflict, or could be harmonized.

(b) If current regulatory requirements are deemed to be insufficient, within 60 days of publication of the final Framework, agencies shall propose prioritized and coordinated actions, consistent with Executive Order 12866 of September 30, 1993 (Regulatory Planning and Review), and Executive Order 13563 of January 18, 2011 (Improving Regulation and Regulatory Review), to mitigate cyber risk.

(c) All agencies shall seek to harmonize cybersecurity requirements across sectors through the use of the Cybersecurity Framework, adding to it as necessary to suit the specific needs of the agency's sector.
(d) Within two years after publication of the final Framework, agencies shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to duplicative, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and recommendations for further actions, to minimize or eliminate such requirements. The Secretary shall coordinate the provision of technical assistance to agencies identified in this section on the development of their cybersecurity workforce and programs.

(e) Independent regulatory agencies with responsibility for regulating the security of critical infrastructure are encouraged to engage in a consultative process with the Secretary and affected parties to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with each independent regulatory agency's authorities.

Sec. 11. Definitions. (a) "Agency" means any authority of the United States that is an "agency" under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

(b) "Critical Infrastructure Partnership Advisory Council" means the council established by the Department of Homeland Security under 6 U.S.C. 451 to facilitate effective interaction and coordination of critical infrastructure protection activities among the Federal Government, the private sector, and State, local, territorial, and tribal governments.

(c) "Fair Information Practice Principles" means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace and in the Framework for Privacy Policy of the Department of Homeland Security.

(d) "Independent regulatory agency" has the meaning given the term in 44 U.S.C. 3502(5).

(e) "Sector Coordinating Council" means
a private sector coordinating council composed of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or its successor.

(f) "Sector-Specific Agency" has the meaning given the term in Homeland Security Presidential Directive 7 of December 17, 2003 (Critical Infrastructure Identification, Prioritization, and Protection), or its successor.

Sec. 12. General Provisions. (a) This order shall be implemented consistent with applicable law and subject to the availability of appropriations. Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law. Nothing in this order shall be construed to alter or limit any authority or responsibility of an agency under existing law.

(b) Nothing in this order shall be construed to impair or otherwise affect the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.

(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence sources and methods. Nothing in this order shall be interpreted to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence operations.

(d) This order shall be implemented consistent with U.S. international obligations.

(e) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

THE WHITE HOUSE,