White House Cybersecurity Exec Order Leaked

004216

THE WHITE HOUSE
WASHINGTON

September 28, 2012

MEMORANDUM FOR

MR. ANTONY BLINKEN
Deputy Assistant to the President and National Security Advisor
to the Vice President

MR. STEPHEN D. MULL
Executive Secretary
Department of State

MS. REBECCA H. EWING
Executive Secretary
Department of the Treasury

MR. MICHAEL L. BRUHN
Executive Secretary
Department of Defense

MR. DAVID A. O'NEIL
Associate Deputy Attorney General
Department of Justice

MS. KRYSTA HARDEN
Chief of Staff
Department of Agriculture

MS. LATOYA MURPHY
Director, Executive Secretariat
Department of Commerce

MS. JENNIFER CANNISTRA
Executive Secretary
Department of Health and Human Services

MS. CAROL DARR
Director, Executive Secretariat
Department of Transportation

MRS. CAROL A. MATTHEWS
Acting Director, Executive Secretariat
Department of Energy

MS. TERESA A. GARLAND
Director, Office of Executive Secretariat
Department of Education

MR. PHIL MCNAMARA
Executive Secretary
Department of Homeland Security

MS. NANCY-ANN DEPARLE
Assistant to the President and Deputy Chief of Staff for Policy

MS. DIANE THOMPSON
Chief of Staff
Environmental Protection Agency

MR. STEVEN M. KOSIAK
Associate Director for Defense and International Affairs
Office of Management and Budget

MR. WILLIAM MACK
Executive Secretary
U.S. Trade Representative

MR. WALLACE D. COGGINS
Executive Secretary
Director of National Intelligence

MR. ROBERT L. NABORS
Assistant to the President and Director of Legislative Affairs

MR. MICHAEL B. G. FROMAN
Assistant to the President and Deputy National Security Advisor
for International Economics

MR. RICK SIGER
Chief of Staff
Office of Science and Technology Policy

MR. AARON M. ZEBLEY
Chief of Staff
Federal Bureau of Investigation

MR. TYRONE DINDAL
Executive Secretary
Central Intelligence Agency

MR. RICHARD W. BOLSON
Special Assistant for Interagency Affairs (J-5)
Joint Chiefs of Staff

MR. DARREN BLUE
Associate Administrator
Office of Emergency Response and Recovery
General Services Administration

MS. ANNETTE VIETTI-COOK
Secretary of the Commission
Nuclear Regulatory Commission

MS. AVRIL D. HAINES
Deputy Assistant to the President and Deputy Counsel to the
President

GEN KEITH B. ALEXANDER, USA
Director
National Security Agency

MR. DAVID B. ROBBINS
Managing Director
Federal Communications Commission

SUBJECT: Paper Deputies Committee Meeting on Executive Order on
         Improving Critical Infrastructure Cybersecurity Practices

Deputies are requested to provide comments and concurrence on
behalf of their Principals on the draft Executive Order on
Improving Critical Infrastructure Cybersecurity Practices
attached at Tab A. A discussion paper is attached at Tab B.
Please pass the attached to Deputies. Responses should be
provided to the National Security Staff Executive Secretariat by
close of business on Friday, October 5, 2012. If you have any
questions, please contact Rob Knake at rknake@nss.eop.gov or
(202) 456-4534.

Brian P. McKeon
Executive Secretary

Attachments
Tab A  Discussion Paper for Paper Deputies Committee Meeting on
       Executive Order on Improving Critical Infrastructure
       Cybersecurity Practices
Tab B  Draft Executive Order on Improving Critical Infrastructure
       Cybersecurity Practices

TAB A

DISCUSSION PAPER FOR
PAPER DEPUTIES COMMITTEE MEETING ON EXECUTIVE ORDER ON IMPROVING
CRITICAL INFRASTRUCTURE CYBERSECURITY PRACTICES

The draft Executive Order on Improving Critical Infrastructure
Cybersecurity Practices (Tab B) provides a structure to enhance
the cybersecurity posture of U.S. critical infrastructure. This
Executive Order fits into a broader Administration policy effort
to strengthen the protection and resilience of the Nation's
critical infrastructure. The new Critical Infrastructure
Protection and Resilience Presidential Policy Directive, which
will replace Homeland Security Policy Directive-7, is in draft
and will be presented to the Deputies Committee in the coming
weeks. The National Security Staff will continue its
coordination between these two related efforts as they are
finalized.

In May of 2011, the Administration submitted proposed
legislation to improve cybersecurity to Congress. Since
Congress has so far failed to pass cybersecurity legislation in
the 2011-2012 session, the President intends to use his
authority to improve the Nation's cybersecurity. This Executive
Order addresses one of seven major components of the legislative
proposal, the "Cybersecurity Regulatory Framework for Covered
Critical Infrastructure." Other components of the proposal,
where possible, will be addressed through separate action by the
Administration.

The draft Executive Order establishes a consultative process led
by the Secretary of Homeland Security (the Secretary), and
requires the Secretary of Commerce to direct the National
Institute of Standards and Technology (NIST) to develop a
framework for reducing cyber risks to critical infrastructure.
The Executive Order further requires the Secretary to work with
Sector-Specific Agencies and the Sector Coordinating Councils to
establish a voluntary program to promote the adoption of the
framework by private industry and encourages Federal regulatory
agencies to review the framework and voluntarily adopt it if
current regulatory requirements are deemed to be insufficient.
Finally, the Executive Order provides direction to the Secretary
on establishing information sharing programs and procedures.

The Administration's proposed legislation had four major
objectives:

1. Enhance the cybersecurity of infrastructure determined by the
   Secretary to be critical to national security, national
   economic security, and national public health and safety.
2. Provide for consultation on matters pertaining to
   cybersecurity among Sector-Specific Agencies with
   responsibility for critical infrastructure, agencies with
   responsibilities for regulating critical infrastructure, and
   agencies with expertise regarding services provided by
   critical infrastructure.
3. Facilitate public sector and private industry consultation and
   development of best cybersecurity practices by encouraging a
   national dialogue on cybersecurity vulnerabilities affecting
   critical infrastructure.
4. Establish workable frameworks for implementing cybersecurity
   minimum standards and practices designed to complement, not
   supplant, currently-available security measures - without
   prescribing particular technologies or methodologies. [1]




The Executive Order meets these objectives; however, it differs
from the legislative proposal in three main areas by using
agencies' current authorities:

• The legislative proposal called for the Department of Homeland
  Security (DHS) to develop the frameworks for addressing
  cybersecurity risks; the Executive Order uses NIST's existing
  processes in consultation with the Department and the private
  sector.
• The legislative proposal gave DHS authority to regulate all
  critical infrastructure, providing an exemption if sufficient
  regulation is deemed to be in place; the Executive Order
  cannot extend new regulatory authority and therefore relies on
  the authority of existing regulators. As a result, the
  Executive Order may not be able to cover all critical
  infrastructure sectors.
• The legislative proposal required owners and operators to
  develop cybersecurity plans and established a process for the
  Secretary to evaluate implementation of the plans; the
  Executive Order leaves the details of the voluntary program to
  the Secretary to develop and the details of any regulatory
  programs to the existing regulators.

In addition, the proposed Senate bill (Lieberman-Collins)
proposed extending liability protections to companies that
participated in the bill's equivalent of the voluntary program.
Liability protection requires statutory authority; therefore
the Executive Order cannot establish such an incentive.

[1] "Cybersecurity Regulatory Framework for Covered Critical
Infrastructure Act," Legislative Language, The White House,
May 12, 2011.

TAB B

DRAFT

EXECUTIVE ORDER

IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY PRACTICES

By the Authority vested in me as President by the Constitution
and laws of the United States of America, it is hereby ordered
as follows:

Sec. 1. Policy. Repeated cyber intrusions into critical
infrastructure demonstrate the need for improved security. The
cyber threat to critical infrastructure continues to grow and
represents one of the most serious national security challenges
we must confront. The national security of the United States
depends on the reliable functioning of the Nation's critical
infrastructure in the face of such threats. It is the policy of
the United States to enhance the protection and resilience of
the Nation's critical infrastructure and to maintain a cyber
environment that encourages efficiency, innovation, and economic
prosperity while promoting safety, security, privacy, and civil
liberties. We will achieve these goals through a collaborative
partnership with the owners and operators of critical
infrastructure.

Sec. 2. Policy Coordination. Policy coordination, guidance,
dispute resolution, and periodic in-progress reviews for the
functions and programs described and assigned herein shall be
provided through the interagency process established in
Presidential Policy Directive-1 of February 13, 2009
(Organization of the National Security Council System) (PPD-1).

Sec. 3. Consultative Process. The Secretary of Homeland
Security (the Secretary) shall establish a consultative process
under the Critical Infrastructure Partnership Advisory Council
(CIPAC) to coordinate improvements to the cybersecurity of
critical infrastructure. Through the CIPAC, the Secretary shall
receive and consider the advice of the Sector Coordinating
Councils, critical infrastructure owners and operators,
agencies, independent regulatory agencies, state, local,
territorial, and tribal governments, universities, and outside
experts on the matters set forth in this order.

Sec. 4. Identification of Critical Infrastructure at Risk.
(a) Within 150 days of the date of this order, the Secretary
shall identify critical infrastructure where a cybersecurity
incident could reasonably result in a debilitating impact on
national security, national economic security, or national
public health or safety. In identifying critical infrastructure
for this purpose, the Secretary shall draw upon the prioritized
critical infrastructure list required under section 210E of the
Homeland Security Act (6 U.S.C. 124L.)

(b) Heads of Sector-Specific Agencies and other agencies shall
provide the Secretary with information necessary to carry out
the responsibilities under this section in accordance with
section 202 of the Homeland Security Act.

(c) The Secretary will coordinate with Sector-Specific Agencies
the notification of owners and operators of critical
infrastructure identified under sub-section (a) of this section
of the Secretary's determination.

Sec. 5. Framework to Reduce Cyber Risk to Critical
Infrastructure. (a) The Secretary of Commerce shall direct the
Director of the National Institute of Standards and Technology
(the Director) to coordinate the development of a framework to
reduce the cyber risks to critical infrastructure (the
Cybersecurity Framework). The Cybersecurity Framework shall
rely on existing consensus-based standards to the fullest extent
possible consistent with requirements of the "National
Technology Transfer and Advancement Act of 1995", Public Law
104-113, and the Office of Management and Budget Circular A-119,
"Federal Participation in the Development and Use of Voluntary
Consensus Standards and in Conformity Assessment Activities."

(b) The Cybersecurity Framework shall provide a flexible and
repeatable approach to apply baseline information security
measures and controls to help owners and operators of critical
infrastructure identify, assess, and manage cyber risk and to
protect privacy and civil liberties. To allow for technical
innovation and organizational differences, the Cybersecurity
Framework shall not prescribe particular technological solutions
or specifications. The Cybersecurity Framework shall include
metrics for measuring the performance of an entity in
implementing the Cybersecurity Framework.

(c) In developing the Cybersecurity Framework, the Director
shall consult with the Secretary, Sector-Specific Agencies and
other interested agencies, the Office of Management and Budget,
owners and operators of critical infrastructure, and other
stakeholders, and engage in an open public review and comment
process.

(d) Within 180 days of the date of this order, the Director
shall publish a preliminary version of the Cybersecurity
Framework. Within 1 year of the date of this order, and after
review by the Secretary, the Director shall publish the final
version of the Cybersecurity Framework in the Federal Register.

Sec. Voluntary Critical Infrastructure Cybersecurity
Program. (a) The Secretary, in coordination with Sector-
Specific Agencies, shall establish and invite owners and
operators of critical infrastructure to participate in a
voluntary program to encourage the adoption of the Cybersecurity
Framework and to provide technical advice and assistance and a
forum to exchange best practices (the Program).

(b) Sector-Specific Agencies, in consultation with the
Secretary, will coordinate with the Sector Coordinating Councils
to review the Cybersecurity Framework and, if necessary, adapt
it to address sector-specific risks and fit the operating
environment of individual sectors.

(c) Within 180 days of the date of this order, the Secretary
shall issue implementation guidance to the Sector-Specific
Agencies consistent with the National Infrastructure Protection
Plan, to encourage a comprehensive and integrated approach
across sectors.

Sec. 7. Adoption by Agencies. (a) Within 120 days of the date
of this order, each agency with responsibilities for regulating
the security of critical infrastructure shall submit to the
President, through the Assistant to the President for Homeland
Security and Counterterrorism and the Director of the Office of
Management and Budget, a report that details authorities under
which the agency could regulate the cybersecurity of critical
infrastructure, what critical infrastructure could be covered,
whether existing regulations on cybersecurity are in place, and
the agency's assessment of the sufficiency of those regulations.

(b) Within 270 days of the date of this order, the Secretary
shall, in coordination with the Director of the Office of
Management and Budget, review these reports in consideration of
the critical infrastructure identified in section 4 of this
order and the preliminary version of the Cybersecurity Framework
developed under section 5, and identify and recommend to
agencies a prioritized, risk-based, efficient, and coordinated
set of actions to mitigate or remediate identified cybersecurity
risks to critical infrastructure.

(c) Within 1 year of the date of this order, agencies subject to
this order with responsibilities for regulating the security of
critical infrastructure are encouraged to propose regulations,
consistent with Executive Orders 12856 and 13563, to mitigate
cybersecurity risk based on such set of prioritized actions.

(d) Independent regulatory agencies are encouraged to engage in
a consultative process with the Secretary and affected parties
as they consider the set of prioritized actions.

Sec. 8. Cybersecurity Information Sharing. (a) To assist the
owners and operators of critical infrastructure in protecting
their systems from unauthorized access, exploitation or data
exfiltration, the Secretary, in coordination with the Secretary
of Defense, the Director of the National Security Agency, the
Director of National Intelligence, and the Attorney General,
shall establish within 120 days a near real time information
sharing program. The program will provide government derived
security information for the protection of critical networks and
sensitive information. The Secretary, in coordination with the
Director of National Intelligence, shall establish procedures to
limit the further dissemination of such information to ensure
that it is not used for an unauthorized purpose.

(b) The Director of National Intelligence shall ensure the
timely production of unclassified tearlines for all known cyber
threats to the U.S. homeland that identify a target or victim.
The Secretary shall establish a coordinated process that rapidly
disseminates these unclassified tearlines to the target or
victim.

(c) The Secretary, as the Executive Agent for the Classified
National Security Information Program created under Executive
Order 13549, shall expedite the provision of security clearances
to appropriate personnel employed by critical infrastructure
owners and operators participating in the Program.

(d) The Secretary shall request owners and operators of critical
infrastructure to report promptly to the Secretary or other
appropriate agency cybersecurity incidents or threats.

(e) The Secretary shall develop, in coordination with the
Attorney General and in consultation with other agencies,
internal Federal reporting and dissemination procedures to
notify appropriate agencies of cybersecurity incidents or
threats reported to the Secretary or to any other agency.

(f) Information submitted voluntarily in accordance with section
214 of the Homeland Security Act (6 U.S.C. 133) by private
entities for any purpose under this order, shall be protected
from disclosure to the full extent permitted by section 214 of
the Homeland Security Act.

Sec. 9. Privacy and Civil Liberties Assessment and Protections.
(a) The Chief Privacy Officer and the Officer for Civil Rights
and Civil Liberties of the Department of Homeland Security shall
assess the privacy and civil rights risks of the functions and
programs called for in this order and shall recommend to the
Secretary ways to minimize or mitigate such risks. Relevant
agencies will conduct their own reviews and provide the results
of those reviews to the Department for inclusion in a public
report. The report shall be reviewed and revised as necessary
on an annual basis thereafter.

(b) In conducting these activities, the Chief Privacy Officer
and the Officer for Civil Rights and Civil Liberties of the
Department of Homeland Security shall consult with the Office of
Management and Budget and the Privacy and Civil Liberties
Oversight Board. Privacy aspects shall be evaluated against the
Fair Information Practice Principles and other applicable
privacy policies.

(c) Departments and agencies shall consider the assessments and
recommendations of the report, as applicable, and, in
consultation with their own privacy and civil liberties
officials, shall include appropriate protections based upon Fair
Information Practice Principles in their implementation actions.

Sec. 10. Implementation. (a) Sector-Specific Agencies shall
report annually to the President through the Secretary on the
extent to which owners and operators notified under section 4
are participating in the Program.

(b) Within 90 days of the date of this order, the Secretary of
Defense and the Administrator of General Services shall make
recommendations to the President, through the Assistant to the
President for Homeland Security and Counterterrorism on the
feasibility, security benefits, and relative merits of
establishing procurement preferences for vendors who meet
cybersecurity standards. In developing the recommendations,
they shall consult with the Federal Acquisition Regulatory
Council and shall engage in the consultative process established
in section 3.

(c) Within 90 days of the date of this order, the Secretaries of
the Treasury and Commerce shall submit to the President, through
the Assistant to the President for Homeland Security and
Counterterrorism, a report that assesses the Federal
government's ability under existing laws to provide incentives
to owners and operators of critical infrastructure that
participate in the Program. In developing the report, they
shall engage in the consultative process established in
section 3.

Sec. 11. Definitions. (a) "Agency" means any authority of the
United States that is an "agency" under 44 U.S.C. 3502(1), other
than those considered to be independent regulatory agencies, as
defined in 44 U.S.C. 3502(5).

(b) "Critical infrastructure" has the meaning given the term in
42 U.S.C. 5195c(e).

(c) "Critical Infrastructure Partnership Advisory Council" means
the council established by the Department of Homeland Security
under 6 U.S.C. 451 to coordinate critical infrastructure
protection activities within the Federal Government and with the
private sector, and State, local, territorial, and tribal
governments.

(d) "Fair Information Practice Principles" means the eight
principles set forth in the Framework for Privacy Policy at the
Department of Homeland Security.

(e) "Framework" means a set of standards, methodologies,
procedures and processes that align policy, business, and
technological approaches.

(f) "Independent regulatory agency" has the meaning given the
term in 44 U.S.C. 3502.

(g) "Sector Coordinating Council" means a private sector
coordinating council comprised of representatives of owners and
operators within a particular sector of critical infrastructure
established by the National Infrastructure Protection Plan or
its successor.

(h) "Sector-Specific Agency" has the meaning given the term in
Homeland Security Presidential Directive 7: Critical
Infrastructure Identification, Prioritization, and Protection,
December 17, 2003, or its successor.

Sec. 12. General Provisions. (a) This order shall be
implemented consistent with applicable law and subject to the
availability of appropriations. Nothing in this order shall be
construed to provide an agency with authority for regulating the
security of critical infrastructure in addition to or to a
greater extent than the authority the agency has under existing
law. Nothing in this order shall be construed to alter or limit
any authority or responsibility of an agency under existing law.

(b) Any actions taken as a result of the studies required under
sections 10(b) and (c), shall be implemented consistent with
U.S. international obligations.

(c) This order is not intended to, and does not, create any
right or benefit, substantive or procedural, enforceable at law
or in equity by any party against the United States, its
departments, agencies, or entities, its officers, employees, or
agents, or any other person.



THE WHITE HOUSE,

				
DOCUMENT INFO
posted:11/30/2012
pages:15