"Critical Infrastructure Identification Prioritization and Protection"
1816 Dec. 17 / Administration of George W. Bush, 2003

Sec. 3. Administration. This order shall be transmitted to the Congress and published in the Federal Register.

George W. Bush

The White House,
December 17, 2003.

[Filed with the Office of the Federal Register, 8:45 a.m., December 22, 2003]

NOTE: This Executive order will be published in the Federal Register on December 23.

Letter to Congressional Leaders Reporting on the Executive Order Regarding Appointments During National Emergency
December 17, 2003

Dear Mr. Speaker: (Dear Mr. President:)

Consistent with section 301 of the National Emergencies Act (50 U.S.C. 1631), I hereby report that I have taken additional steps with respect to the national emergency I declared in Proclamation 7463 of September 14, 2001, by invoking and making available to the Secretary of Defense the emergency appointments authority of section 603 of title 10 of the United States Code, consistent with the terms of that statute and of Executive Order 12396 of December 9, 1982.

I am enclosing a copy of the Executive Order I have issued, which is effective immediately.

Sincerely,

George W. Bush

NOTE: Identical letters were sent to J. Dennis Hastert, Speaker of the House of Representatives, and Richard B. Cheney, President of the Senate.

Directive on Critical Infrastructure Identification, Prioritization, and Protection
December 17, 2003

Homeland Security Presidential Directive/HSPD–7

Subject: Critical Infrastructure Identification, Prioritization, and Protection

Purpose

(1) This directive establishes a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources and to protect them from terrorist attacks.

Background

(2) Terrorists seek to destroy, incapacitate, or exploit critical infrastructure and key resources across the United States to threaten national security, cause mass casualties, weaken our economy, and damage public morale and confidence.

(3) America’s open and technologically complex society includes a wide array of critical infrastructure and key resources that are potential terrorist targets. The majority of these are owned and operated by the private sector and State or local governments. These critical infrastructures and key resources are both physical and cyber-based and span all sectors of the economy.

(4) Critical infrastructure and key resources provide the essential services that underpin American society. The Nation possesses numerous key resources, whose exploitation or destruction by terrorists could cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction, or could profoundly affect our national prestige and morale. In addition, there is critical infrastructure so vital that its incapacitation, exploitation, or destruction, through terrorist attack, could have a debilitating effect on security and economic well-being.

(5) While it is not possible to protect or eliminate the vulnerability of all critical infrastructure and key resources throughout the country, strategic improvements in security can make it more difficult for attacks to succeed and can lessen the impact of attacks that may occur. In addition to strategic security enhancements, tactical security improvements can be rapidly implemented to deter, mitigate, or neutralize potential attacks.

Definitions

(6) In this directive:
(a) The term “critical infrastructure” has the meaning given to that term in section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C. 5195c(e)).
(b) The term “key resources” has the meaning given that term in section 2(9) of the Homeland Security Act of 2002 (6 U.S.C. 101(9)).
(c) The term “the Department” means the Department of Homeland Security.
(d) The term “Federal departments and agencies” means those executive departments enumerated in 5 U.S.C. 101, and the Department of Homeland Security; independent establishments as defined by 5 U.S.C. 104(1); Government corporations as defined by 5 U.S.C. 103(1); and the United States Postal Service.
(e) The terms “State,” and “local government,” when used in a geographical sense, have the same meanings given to those terms in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).
(f) The term “the Secretary” means the Secretary of Homeland Security.
(g) The term “Sector-Specific Agency” means a Federal department or agency responsible for infrastructure protection activities in a designated critical infrastructure sector or key resources category. Sector-Specific Agencies will conduct their activities under this directive in accordance with guidance provided by the Secretary.
(h) The terms “protect” and “secure” mean reducing the vulnerability of critical infrastructure or key resources in order to deter, mitigate, or neutralize terrorist attacks.

Policy

(7) It is the policy of the United States to enhance the protection of our Nation’s critical infrastructure and key resources against terrorist acts that could:
(a) cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction;
(b) impair Federal departments and agencies’ abilities to perform essential missions, or to ensure the public’s health and safety;
(c) undermine State and local government capacities to maintain order and to deliver minimum essential public services;
(d) damage the private sector’s capability to ensure the orderly functioning of the economy and delivery of essential services;
(e) have a negative effect on the economy through the cascading disruption of other critical infrastructure and key resources; or
(f) undermine the public’s morale and confidence in our national economic and political institutions.

(8) Federal departments and agencies will identify, prioritize, and coordinate the protection of critical infrastructure and key resources in order to prevent, deter, and mitigate the effects of deliberate efforts to destroy, incapacitate, or exploit them. Federal departments and agencies will work with State and local governments and the private sector to accomplish this objective.

(9) Federal departments and agencies will ensure that homeland security programs do not diminish the overall economic security of the United States.

(10) Federal departments and agencies will appropriately protect information associated with carrying out this directive, including handling voluntarily provided information and information that would facilitate terrorist targeting of critical infrastructure and key resources consistent with the Homeland Security Act of 2002 and other applicable legal authorities.

(11) Federal departments and agencies shall implement this directive in a manner consistent with applicable provisions of law, including those protecting the rights of United States persons.

Roles and Responsibilities of the Secretary

(12) In carrying out the functions assigned in the Homeland Security Act of 2002, the Secretary shall be responsible for coordinating the overall national effort to enhance the protection of the critical infrastructure and key resources of the United States. The Secretary shall serve as the principal Federal official to lead, integrate, and coordinate implementation of efforts among Federal departments and agencies, State and local governments, and the private sector to protect critical infrastructure and key resources.

(13) Consistent with this directive, the Secretary will identify, prioritize, and coordinate the protection of critical infrastructure and key resources with an emphasis on critical infrastructure and key resources that could be exploited to cause catastrophic health effects or mass casualties comparable to those from the use of a weapon of mass destruction.

(14) The Secretary will establish uniform policies, approaches, guidelines, and methodologies for integrating Federal infrastructure protection and risk management activities within and across sectors along with metrics and criteria for related programs and activities.

(15) The Secretary shall coordinate protection activities for each of the following critical infrastructure sectors: information technology; telecommunications; chemical; transportation systems, including mass transit, aviation, maritime, ground/surface, and rail and pipeline systems; emergency services; and postal and shipping. The Department shall coordinate with appropriate departments and agencies to ensure the protection of other key resources including dams, government facilities, and commercial facilities. In addition, in its role as overall cross-sector coordinator, the Department shall also evaluate the need for and coordinate the coverage of additional critical infrastructure and key resources categories over time, as appropriate.

(16) The Secretary will continue to maintain an organization to serve as a focal point for the security of cyberspace. The organization will facilitate interactions and collaborations between and among Federal departments and agencies, State and local governments, the private sector, academia and international organizations. To the extent permitted by law, Federal departments and agencies with cyber expertise, including but not limited to the Departments of Justice, Commerce, the Treasury, Defense, Energy, and State, and the Central Intelligence Agency, will collaborate with and support the organization in accomplishing its mission. The organization’s mission includes analysis, warning, information sharing, vulnerability reduction, mitigation, and aiding national recovery efforts for critical infrastructure information systems. The organization will support the Department of Justice and other law enforcement agencies in their continuing missions to investigate and prosecute threats to and attacks against cyberspace, to the extent permitted by law.

(17) The Secretary will work closely with other Federal departments and agencies, State and local governments, and the private sector in accomplishing the objectives of this directive.

Roles and Responsibilities of Sector-Specific Federal Agencies

(18) Recognizing that each infrastructure sector possesses its own unique characteristics and operating models, there are designated Sector-Specific Agencies, including:
(a) Department of Agriculture—agriculture, food (meat, poultry, egg products);
(b) Health and Human Services—public health, healthcare, and food (other than meat, poultry, egg products);
(c) Environmental Protection Agency—drinking water and water treatment systems;
(d) Department of Energy—energy, including the production refining, storage, and distribution of oil and gas, and electric power except for commercial nuclear power facilities;
(e) Department of the Treasury—banking and finance;
(f) Department of the Interior—national monuments and icons; and
(g) Department of Defense—defense industrial base.

(19) In accordance with guidance provided by the Secretary, Sector-Specific Agencies shall:
(a) collaborate with all relevant Federal departments and agencies, State and local governments, and the private sector, including with key persons and entities in their infrastructure sector;
(b) conduct or facilitate vulnerability assessments of the sector; and
(c) encourage risk management strategies to protect against and mitigate the effects of attacks against critical infrastructure and key resources.

(20) Nothing in this directive alters, or impedes the ability to carry out, the authorities of the Federal departments and agencies to perform their responsibilities under law and consistent with applicable legal authorities and presidential guidance.

(21) Federal departments and agencies shall cooperate with the Department in implementing this directive, consistent with the Homeland Security Act of 2002 and other applicable legal authorities.

Roles and Responsibilities of Other Departments, Agencies, and Offices

(22) In addition to the responsibilities given the Department and Sector-Specific Agencies, there are special functions of various Federal departments and agencies and components of the Executive Office of the President related to critical infrastructure and key resources protection.
(a) The Department of State, in conjunction with the Department, and the Departments of Justice, Commerce, Defense, the Treasury and other appropriate agencies, will work with foreign countries and international organizations to strengthen the protection of United States critical infrastructure and key resources.
(b) The Department of Justice, including the Federal Bureau of Investigation, will reduce domestic terrorist threats, and investigate and prosecute actual or attempted terrorist attacks on, sabotage of, or disruptions of critical infrastructure and key resources. The Attorney General and the Secretary shall use applicable statutory authority and attendant mechanisms for cooperation and coordination, including but not limited to those established by presidential directive.
(c) The Department of Commerce, in coordination with the Department, will work with private sector, research, academic, and government organizations to improve technology for cyber systems and promote other critical infrastructure efforts, including using its authority under the Defense Production Act to assure the timely availability of industrial products, materials, and services to meet homeland security requirements.
(d) A Critical Infrastructure Protection Policy Coordinating Committee will advise the Homeland Security Council on interagency policy related to physical and cyber infrastructure protection. This PCC will be chaired by a Federal officer or employee designated by the Assistant to the President for Homeland Security.
(e) The Office of Science and Technology Policy, in coordination with the Department, will coordinate interagency research and development to enhance the protection of critical infrastructure and key resources.
(f) The Office of Management and Budget (OMB) shall oversee the implementation of government-wide policies, principles, standards, and guidelines for Federal government computer security programs. The Director of OMB will ensure the operation of a central Federal information security incident center consistent with the requirements of the Federal Information Security Management Act of 2002.
(g) Consistent with the E-Government Act of 2002, the Chief Information Officers Council shall be the principal interagency forum for improving agency practices related to the design, acquisition, development, modernization, use, operation, sharing, and performance of information resources of Federal departments and agencies.
(h) The Department of Transportation and the Department will collaborate on all matters relating to transportation security and transportation infrastructure protection. The Department of Transportation is responsible for operating the national air space system. The Department of Transportation and the Department will collaborate in regulating the transportation of hazardous materials by all modes (including pipelines).
(i) All Federal departments and agencies shall work with the sectors relevant to their responsibilities to reduce the consequences of catastrophic failures not caused by terrorism.

(23) The heads of all Federal departments and agencies will coordinate and cooperate with the Secretary as appropriate and consistent with their own responsibilities for protecting critical infrastructure and key resources.

(24) All Federal department and agency heads are responsible for the identification, prioritization, assessment, remediation, and protection of their respective internal critical infrastructure and key resources. Consistent with the Federal Information Security Management Act of 2002, agencies will identify and provide information security protections commensurate with the risk and magnitude of the harm resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information.

Coordination with the Private Sector

(25) In accordance with applicable laws or regulations, the Department and the Sector-Specific Agencies will collaborate with appropriate private sector entities and continue to encourage the development of information sharing and analysis mechanisms. Additionally, the Department and Sector-Specific Agencies shall collaborate with the private sector and continue to support sector-coordinating mechanisms:
(a) to identify, prioritize, and coordinate the protection of critical infrastructure and key resources; and
(b) to facilitate sharing of information about physical and cyber threats, vulnerabilities, incidents, potential protective measures, and best practices.

National Special Security Events

(26) The Secretary, after consultation with the Homeland Security Council, shall be responsible for designating events as “National Special Security Events” (NSSEs). This directive supersedes language in previous presidential directives regarding the designation of NSSEs that is inconsistent herewith.

Implementation

(27) Consistent with the Homeland Security Act of 2002, the Secretary shall produce a comprehensive, integrated National Plan for Critical Infrastructure and Key Resources Protection to outline national goals, objectives, milestones, and key initiatives within 1 year from the issuance of this directive. The Plan shall include, in addition to other Homeland Security-related elements as the Secretary deems appropriate, the following elements:
(a) a strategy to identify, prioritize, and coordinate the protection of critical infrastructure and key resources, including how the Department intends to work with Federal departments and agencies, State and local governments, the private sector, and foreign countries and international organizations;
(b) a summary of activities to be undertaken in order to: define and prioritize, reduce the vulnerability of, and coordinate the protection of critical infrastructure and key resources;
(c) a summary of initiatives for sharing critical infrastructure and key resources information and for providing critical infrastructure and key resources threat warning data to State and local governments and the private sector; and
(d) coordination and integration, as appropriate, with other Federal emergency management and preparedness activities including the National Response Plan and applicable national preparedness goals.

(28) The Secretary, consistent with the Homeland Security Act of 2002 and other applicable legal authorities and presidential guidance, shall establish appropriate systems, mechanisms, and procedures to share homeland security information relevant to threats and vulnerabilities in national critical infrastructure and key resources with other Federal departments and agencies, State and local governments, and the private sector in a timely manner.

(29) The Secretary will continue to work with the Nuclear Regulatory Commission and, as appropriate, the Department of Energy in order to ensure the necessary protection of:
(a) commercial nuclear reactors for generating electric power and non-power nuclear reactors used for research, testing, and training;
(b) nuclear materials in medical, industrial, and academic settings and facilities that fabricate nuclear fuel; and
(c) the transportation, storage, and disposal of nuclear materials and waste.

(30) In coordination with the Director of the Office of Science and Technology Policy, the Secretary shall prepare on an annual basis a Federal Research and Development Plan in support of this directive.

(31) The Secretary will collaborate with other appropriate Federal departments and agencies to develop a program, consistent with applicable law, to geospatially map, image, analyze, and sort critical infrastructure and key resources by utilizing commercial satellite and airborne systems, and existing capabilities within other agencies. National technical means should be considered as an option of last resort. The Secretary, with advice from the Director of Central Intelligence, the Secretaries of Defense and the Interior, and the heads of other appropriate Federal departments and agencies, shall develop mechanisms for accomplishing this initiative. The Attorney General shall provide legal advice as necessary.

(32) The Secretary will utilize existing, and develop new, capabilities as needed to model comprehensively the potential implications of terrorist exploitation of vulnerabilities in critical infrastructure and key resources, placing specific focus on densely populated areas. Agencies with relevant modeling capabilities shall cooperate with the Secretary to develop appropriate mechanisms for accomplishing this initiative.

(33) The Secretary will develop a national indications and warnings architecture for infrastructure protection and capabilities that will facilitate:
(a) an understanding of baseline infrastructure operations;
(b) the identification of indicators and precursors to an attack; and
(c) a surge capacity for detecting and analyzing patterns of potential attacks.
In developing a national indications and warnings architecture, the Department will work with Federal, State, local, and non-governmental entities to develop an integrated view of physical and cyber infrastructure and key resources.

(34) By July 2004, the heads of all Federal departments and agencies shall develop and submit to the Director of the OMB for approval plans for protecting the physical and cyber critical infrastructure and key resources that they own or operate. These plans shall address identification, prioritization, protection, and contingency planning, including the recovery and reconstitution of essential capabilities.

(35) On an annual basis, the Sector-Specific Agencies shall report to the Secretary on their efforts to identify, prioritize, and coordinate the protection of critical infrastructure and key resources in their respective sectors. The report shall be submitted within 1 year from the issuance of this directive and on an annual basis thereafter.

(36) The Assistant to the President for Homeland Security and the Assistant to the President for National Security Affairs will lead a national security and emergency preparedness communications policy review, with the heads of the appropriate Federal departments and agencies, related to convergence and next generation architecture. Within 6 months after the issuance of this directive, the Assistant to the President for Homeland Security and the Assistant to the President for National Security Affairs shall submit for my consideration any recommended changes to such policy.

(37) This directive supersedes Presidential Decision Directive/NSC–63 of May 22, 1998 (“Critical Infrastructure Protection”), and any Presidential directives issued prior to this directive to the extent of any inconsistency. Moreover, the Assistant to the President for Homeland Security and the Assistant to the President for National Security Affairs shall jointly submit for my consideration a Presidential directive to make changes in Presidential directives issued prior to this date that conform such directives to this directive.

(38) This directive is intended only to improve the internal management of the executive branch of the Federal Government, and it is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity, against the United States, its departments, agencies, or other entities, its officers or employees, or any other person.

George W. Bush

Directive on National Preparedness
December 17, 2003

Homeland Security Presidential Directive/HSPD–8

Subject: National Preparedness

Purpose

(1) This directive establishes policies to strengthen the preparedness of the United States to prevent and respond to threatened or actual domestic terrorist attacks, major disasters, and other emergencies by requiring a national domestic all-hazards preparedness goal, establishing mechanisms for improved delivery of Federal preparedness assistance to State and local governments, and outlining actions to strengthen preparedness capabilities of Federal, State, and local entities.

Definitions

(2) For the purposes of this directive:
(a) The term “all-hazards preparedness” refers to preparedness for domestic terrorist attacks, major disasters, and other emergencies.
(b) The term “Federal departments and agencies” means those executive departments enumerated in 5 U.S.C. 101, and the Department of Homeland Security; independent establishments as defined by 5 U.S.C. 104(1); Government corporations as defined by 5 U.S.C. 103(1); and the United States Postal Service.
(c) The term “Federal preparedness assistance” means Federal department and agency grants, cooperative agreements, loans, loan guarantees, training, and/or technical assistance provided to State and local governments and the private sector to prevent, prepare for, respond to, and recover from terrorist attacks, major disasters, and other emergencies. Unless noted otherwise, the term “assistance” will refer to Federal assistance programs.
(d) The term “first responder” refers to those individuals who in the early stages of an incident are responsible for the protection and preservation of life, property, evidence, and the environment, including emergency response providers as defined in section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101), as well as emergency management, public health, clinical care, public works, and other skilled support personnel (such as equipment operators) that provide immediate support services during prevention, response, and recovery operations.
(e) The terms “major disaster” and “emergency” have the meanings given in section 102 of the Robert T. Stafford Disaster Relief and Emergency Assistance Act (42 U.S.C. 5122).
(f) The term “major events” refers to domestic terrorist attacks, major disasters, and other emergencies.
(g) The term “national homeland security preparedness-related exercises” refers to homeland security-related exercises that train and test national decision makers and utilize resources of multiple Federal departments and agencies. Such exercises may involve State and local first responders when appropriate. Such exercises do not include those exercises conducted solely within a single Federal department or agency.