For Immediate Release
Office of the Press Secretary
October 16, 2001
Executive Order on Critical Infrastructure Protection
By the authority vested in me as President by the Constitution and the
laws of the United States of America, and in order to ensure protection of
information systems for critical infrastructure, including emergency
preparedness communications, and the physical assets that support such
systems, in the information age, it is hereby ordered as follows:
Section 1. Policy.
(a) The information technology
revolution has changed the way business is transacted, government
operates, and national defense is conducted. Those three
functions now depend on an interdependent network of critical
information infrastructures. The protection program authorized by this
order shall consist of continuous efforts to secure information systems
for critical infrastructure, including emergency preparedness
communications, and the physical assets that support such systems.
Protection of these systems is essential to the telecommunications,
energy, financial services, manufacturing, water, transportation,
health care, and emergency services sectors.
(b) It is the policy of the
United States to protect against disruption of the operation of
information systems for critical infrastructure and thereby help to
protect the people, economy, essential human and government services,
and national security of the United States, and to ensure that any
disruptions that occur are infrequent, of minimal duration, and
manageable, and cause the least damage possible. The
implementation of this policy shall include a voluntary public-private
partnership, involving corporate and nongovernmental organizations.
Sec. 2. Scope. To
achieve this policy, there shall be a senior executive branch board to
coordinate and have cognizance of Federal efforts and programs that
relate to protection of information systems and involve:
(a) cooperation with and
protection of private sector critical infrastructure, State and local
governments' critical infrastructure, and supporting programs in
corporate and academic organizations;
(b) protection of Federal
departments' and agencies' critical infrastructure; and
(c) related national security
programs.
Sec. 3. Establishment. I hereby establish the
"President's Critical Infrastructure Protection Board" (the "Board").
Sec. 4. Continuing
Authorities. This order does not alter the existing
authorities or roles of United States Government departments and
agencies. Authorities set forth in 44 U.S.C. Chapter 35, and
other applicable law, provide senior officials with responsibility for
the security of Federal Government information systems.
(a) Executive Branch
Information Systems Security. The Director of the Office of
Management and Budget (OMB) has the responsibility to develop and
oversee the implementation of government-wide policies, principles,
standards, and guidelines for the security of information systems that
support the executive branch departments and agencies, except those
noted in section 4(b) of this order. The Director of OMB
shall advise the President and the appropriate department or agency
head when there is a critical deficiency in the security practices
within the purview of this section in an executive branch department or
agency. The Board shall assist and support the Director of
OMB in this function and shall be reasonably cognizant of programs
related to security of department and agency information systems.
(b) National Security
Information Systems. The Secretary of Defense and the
Director of Central Intelligence (DCI) shall have responsibility to
oversee, develop, and ensure implementation of policies, principles,
standards, and guidelines for the security of information systems that
support the operations under their respective control. In
consultation with the Assistant to the President for National Security
Affairs and the affected departments and agencies, the Secretary of
Defense and the DCI shall develop policies, principles, standards, and
guidelines for the security of national security information systems
that support the operations of other executive branch departments and
agencies with national security information.
(i) Policies, principles,
standards, and guidelines developed under
this subsection may require more stringent
protection than those developed in accordance with subsection
4(a) of this order.
(ii) The Assistant to the
President for National Security Affairs
shall advise the President and the
appropriate department or agency
head when there is a critical deficiency
in the security practices of a department or agency within the purview
of this section. The Board,
or one of its standing or ad hoc
committees, shall be reasonably cognizant of programs to provide security
and continuity to national security information systems.
(c) Additional
Responsibilities: The Heads of Executive Branch Departments
and Agencies. The heads of executive branch departments and
agencies are responsible and accountable for providing and maintaining
adequate levels of security for information systems, including
emergency preparedness communications systems, for programs under
their control. Heads of such departments and agencies shall ensure
the development and, within available appropriations, funding of
programs that adequately address these mission
areas. Cost-effective security shall be built into and made
an integral part of government information systems, especially those
critical systems that support the national security and other essential
government programs. Additionally, security should enable,
and not unnecessarily impede, department and agency business
operations.
Sec. 5. Board
Responsibilities. Consistent with the responsibilities noted
in section 4 of this order, the Board shall recommend policies and
coordinate programs for protecting information systems for critical
infrastructure, including emergency preparedness communications, and
the physical assets that support such systems. Among its
activities to implement these responsibilities, the Board shall:
(a) Outreach to the Private
Sector and State and Local Governments. In consultation with affected
executive branch departments and agencies, coordinate outreach to and
consultation with the private sector, including corporations that own,
operate, develop, and equip information, telecommunications,
transportation, energy, water, health care, and financial services, on
protection of information systems for critical infrastructure,
including emergency preparedness communications, and the physical
assets that support such systems; and coordinate outreach to State and
local governments, as well as communities and representatives from
academia and other relevant elements of society.
(i) When requested
to do so, assist in the development of voluntary
standards and best practices in a manner
consistent with 15 U.S.C. Chapter 7;
(ii) Consult with potentially
affected communities, including the
legal, auditing, financial, and insurance
communities, to the extent
permitted by law, to determine areas of
mutual concern; and
(iii) Coordinate the activities
of senior liaison officers appointed
by the Attorney General, the Secretaries
of Energy, Commerce,
Transportation, the Treasury, and Health
and Human Services, and the Director of the Federal Emergency
Management Agency for outreach on
critical infrastructure protection issues
with private sector organizations within the areas of concern
to these departments and agencies. In these and other
related functions, the Board shall work in
coordination with the Critical Infrastructure Assurance Office (CIAO) and
the National Institute of Standards and Technology of the Department
of Commerce, the National Infrastructure Protection Center (NIPC),
and the National Communications System (NCS).
(b) Information
Sharing. Work with industry, State and local governments,
and nongovernmental organizations to ensure that systems are created
and well managed to share threat warning, analysis, and recovery
information among government network operation centers, information
sharing and analysis centers established on a voluntary basis by
industry, and other related operations centers. In this and
other related functions, the Board shall work in coordination with the
NCS, the Federal Computer Incident Response Center, the NIPC, and other
departments and agencies, as appropriate.
(c) Incident Coordination and
Crisis Response. Coordinate programs and policies for
responding to information systems security incidents that threaten
information systems for critical infrastructure, including emergency
preparedness communications, and the physical assets that support such
systems. In this function, the Department of Justice,
through the NIPC and the Manager of the NCS and other departments and
agencies, as appropriate, shall work in coordination with the Board.
(d) Recruitment, Retention, and
Training Executive Branch Security Professionals. In
consultation with executive branch departments and agencies, coordinate
programs to ensure that government employees with responsibilities for
protecting information systems for critical infrastructure, including
emergency preparedness communications, and the physical assets that
support such systems, are adequately trained and evaluated. In this
function, the Office of Personnel Management shall work in coordination
with the Board, as appropriate.
(e) Research and
Development. Coordinate with the Director of the Office of
Science and Technology Policy (OSTP) on a program of Federal Government
research and development for protection of information systems for
critical infrastructure, including emergency preparedness
communications, and the physical assets that support such systems, and
ensure coordination of government activities in this field with
corporations, universities, Federally funded research centers, and
national laboratories. In this function, the Board shall
work in coordination with the National Science Foundation, the Defense
Advanced Research Projects Agency, and with other departments and
agencies, as appropriate.
(f) Law Enforcement
Coordination with National Security Components. Promote programs
against cyber crime and assist Federal law enforcement agencies in
gaining necessary cooperation from executive branch departments and
agencies. Support Federal law enforcement agencies'
investigation of illegal activities involving information systems for
critical infrastructure, including emergency preparedness
communications, and the physical assets that support such systems, and
support coordination by these agencies with other departments and
agencies with responsibilities to defend the Nation's
security. In this function, the Board shall work in
coordination with the Department of Justice, through the NIPC, and the
Department of the Treasury, through the Secret Service, and with other
departments and agencies, as appropriate.
(g) International Information
Infrastructure Protection. Support the Department of State's
coordination of United States Government programs for international
cooperation covering international information infrastructure
protection issues.
(h) Legislation. In
accordance with OMB circular A-19, advise departments and agencies, the
Director of OMB, and the Assistant to the President for Legislative
Affairs on legislation relating to protection of information systems
for critical infrastructure, including emergency preparedness
communications, and the physical assets that support such systems.
(i) Coordination with Office of
Homeland Security. Carry out those functions relating to
protection of and recovery from attacks against information systems for
critical infrastructure, including emergency preparedness
communications, that were assigned to the Office of Homeland Security
by Executive Order 13228 of October 8, 2001. The Assistant
to the President for Homeland Security, in coordination with the
Assistant to the President for National Security Affairs, shall be
responsible for defining the responsibilities of the Board in
coordinating efforts to protect physical assets that support
information systems.
Sec. 6. Membership. (a) Members of the
Board shall be drawn from the executive branch departments, agencies,
and offices listed below; in addition, concerned Federal departments
and agencies may participate in the activities of appropriate
committees of the Board. The Board shall be led by a Chair
and Vice Chair, designated by the President. Its other
members shall be the following senior officials or their designees:
(i) Secretary of
State;
(ii) Secretary of
the Treasury;
(iii) Secretary of Defense;
(iv) Attorney
General;
(v) Secretary of
Commerce;
(vi) Secretary of
Health and Human Services;
(vii) Secretary of
Transportation;
(viii) Secretary of Energy;
(ix) Director of
Central Intelligence;
(x) Chairman of
the Joint Chiefs of Staff;
(xi) Director of
the Federal Emergency Management Agency;
(xii) Administrator of General
Services;
(xiii) Director of the Office
of Management and Budget;
(xiv) Director of the Office
of Science and Technology Policy;
(xv) Chief of Staff
to the Vice President;
(xvi) Director of the National
Economic Council;
(xvii) Assistant to the
President for National Security Affairs;
(xviii) Assistant to the President for
Homeland Security;
(xix) Chief of Staff to the
President; and
(xx) Such other
executive branch officials as the
President may designate.
Members of the Board and their designees
shall be full-time or permanent part-time officers or employees of the
Federal Government.
(b) In addition, the following
officials shall serve as members of the Board and shall form the
Board's Coordination Committee:
(i) Director, Critical
Infrastructure Assurance Office, Department of Commerce;
(ii) Manager, National
Communications System;
(iii) Vice Chair, Chief Information
Officers' (CIO) Council;
(iv) Information Assurance
Director, National Security Agency;
(v) Deputy Director of Central
Intelligence for Community Management; and
(vi) Director, National
Infrastructure Protection Center,
Federal Bureau of Investigation,
Department of Justice.
(c) The Chairman of the Federal
Communications Commission may appoint a representative to the Board.
Sec. 7. Chair. (a) The Chair also shall be
the Special Advisor to the President for Cyberspace
Security. Executive branch departments and agencies shall
make all reasonable efforts to keep the Chair fully informed in a
timely manner, and to the greatest extent permitted by law, of all
programs and issues within the purview of the Board. The
Chair, in consultation with the Board, shall call and preside at
meetings of the Board and set the agenda for the Board. The
Chair, in consultation with the Board, may propose policies and
programs to appropriate officials to ensure the protection of the
Nation's information systems for critical infrastructure, including
emergency preparedness communications, and the physical assets that
support such systems. To ensure full coordination between
the responsibilities of the National Security Council (NSC) and the
Office of Homeland Security, the Chair shall report to both the
Assistant to the President for National Security Affairs and to the
Assistant to the President for Homeland Security. The Chair
shall coordinate with the Assistant to the President for Economic
Policy on issues relating to private sector systems and economic
effects and with the Director of OMB on issues relating to budgets and
the security of computer networks addressed in subsection 4(a) of this
order.
(b) The Chair shall be assisted
by an appropriately sized staff within the White House
Office. In addition, heads of executive branch departments
and agencies are authorized, to the extent permitted by law, to detail
or assign personnel of such departments and agencies to the Board's
staff upon request of the Chair, subject to the approval of the Chief
of Staff to the President. Members of the Board's staff with
responsibilities relating to national security information systems,
communications, and information warfare may, with respect to those
responsibilities, also work at the direction of the Assistant to the
President for National Security Affairs.
Sec. 8. Standing
Committees. (a) The Board may establish standing
and ad hoc committees as appropriate. Representation on
standing committees shall not be limited to those departments and
agencies on the Board, but may include representatives of other
concerned executive branch departments and agencies.
(b) Chairs of standing and ad
hoc committees shall report fully and regularly on the activities of
the committees to the Board, which shall ensure that the committees are
well coordinated with each other.
(c) There are established the
following standing committees:
(i) Private Sector and State
and Local Government Outreach, chaired
by the designee of the Secretary of
Commerce, to work in coordination with the
designee of the Chairman of
the National Economic Council.
(ii) Executive Branch
Information Systems Security, chaired by the
designee of the Director of
OMB. The committee shall assist OMB in
fulfilling its responsibilities under 44
U.S.C. Chapter 35 and other
applicable law.
(iii) National Security
Systems. The National Security
Telecommunications and Information Systems
Security Committee, as
established by and consistent with NSD-42
and chaired by the Department of Defense, shall serve as a
Board standing committee, and be redesignated the Committee on National
Security Systems.
(iv) Incident Response Coordination,
co-chaired by the
designees of the Attorney General and the
Secretary of Defense.
(v) Research and Development,
chaired by a designee of the Director of OSTP.
(vi) National Security and Emergency
Preparedness Communications. The NCS
Committee of Principals is renamed the Board's
Committee for National Security and
Emergency Preparedness
Communications. The reporting
functions established above for
standing committees are in addition to the
functions set forth in
Executive Order 12472 of April 3, 1984,
and do not alter any function
or role set forth therein.
(vii) Physical Security, co-chaired by the
designees of the Secretary
of Defense and the Attorney General, to
coordinate programs to ensure
the physical security of information
systems for critical
infrastructure, including emergency
preparedness communications, and
the physical assets that support such
systems. The standing committee
shall coordinate its work with the Office
of Homeland Security and shall work closely with the Physical
Security Working Group of the
Records Access and Information Security
Policy Coordinating Committee
to ensure coordination of efforts.
(viii) Infrastructure Interdependencies,
co-chaired by the designees of the Secretaries of
Transportation and Energy, to coordinate programs to assess the unique
risks, threats, and vulnerabilities associated with the
interdependency of information systems for critical infrastructures,
including the development of effective models, simulations, and other
analytic tools and
cost-effective technologies in this area.
(ix) International Affairs, chaired by a
designee of the Secretary of
State, to support Department of State
coordination of United States
Government programs for international
cooperation covering international information infrastructure
issues.
(x) Financial and Banking
Information Infrastructure, chaired by a designee of the Secretary of
the Treasury and including representatives of the banking and
financial institution regulatory
agencies.
(xi) Other Committees. Such
other standing committees
as may be established by the Board.
(d) Subcommittees. The chair of each standing
committee may form necessary subcommittees with organizational
representation as determined by the Chair.
(e) Streamlining. The Board shall develop
procedures that specify the manner in which it or a subordinate
committee will perform the responsibilities previously assigned to the
Policy Coordinating Committee. The Board, in coordination with the
Director of OSTP, shall review the functions of the Joint
Telecommunications Resources Board, established under Executive Order
12472, and make recommendations about its future role.
Sec. 9. Planning and
Budget. (a) The Board, on a periodic basis, shall
propose a National Plan or plans for subjects within its purview. The
Board, in coordination with the Office of Homeland Security, also shall
make recommendations to OMB on those portions of executive branch
department and agency budgets that fall within the Board's purview,
after review of relevant program requirements and resources.
(b) The Office of
Administration within the Executive Office of the President shall
provide the Board with such personnel, funding, and administrative
support, to the extent permitted by law and subject to the availability
of appropriations, as directed by the Chief of Staff to carry out the
provisions of this order. Only those funds that are
available for the Office of Homeland Security, established by Executive
Order 13228, shall be available for such purposes. To the
extent permitted by law and as appropriate, agencies represented on the
Board also may provide administrative support for the
Board. The National Security Agency shall ensure that the
Board's information and communications systems are appropriately
secured.
(c) The Board may annually
request the National Science Foundation, Department of Energy,
Department of Transportation, Environmental Protection Agency,
Department of Commerce, Department of Defense, and the Intelligence
Community, as that term is defined in Executive Order 12333 of December
4, 1981, to include in their budget requests to OMB funding for
demonstration projects and research to support the Board's activities.
Sec. 10. Presidential Advisory
Panels. The Chair shall work closely with panels of senior
experts from outside of the government that advise the President, in
particular: the President's National Security
Telecommunications Advisory Committee (NSTAC) created by Executive
Order 12382 of September 13, 1982, as amended, and the National
Infrastructure Advisory Council (NIAC or Council) created by this
Executive Order. The Chair and Vice Chair of these two
panels also may meet with the Board, as appropriate and to the extent
permitted by law, to provide a private sector perspective.
(a) NSTAC. The NSTAC
provides the President advice on the security and continuity of
communications systems essential for national security and emergency
preparedness.
(b) NIAC. There is hereby
established the National Infrastructure Advisory Council, which shall
provide the President advice on the security of information systems for
critical infrastructure supporting other sectors of the economy:
banking and finance, transportation, energy, manufacturing, and
emergency government services. The NIAC shall be composed of
not more than 30 members appointed by the President. The
members of the NIAC shall be selected from the private sector,
academia, and State and local government. Members of the
NIAC shall have expertise relevant to the functions of the NIAC and
generally shall be selected from industry Chief Executive Officers (and
equivalently ranked leaders in other organizations) with
responsibilities for the security of information infrastructure
supporting the critical sectors of the economy, including banking and
finance, transportation, energy, communications, and emergency
government services. Members shall not be full-time
officials or employees of the executive branch of the Federal
Government.
(i) The President shall designate a Chair and Vice Chair
from among the members of the NIAC.
(ii) The Chair of the Board established by this order will serve
as the Executive Director of the NIAC.
(c) NIAC Functions. The NIAC will meet periodically to:
(i) enhance the partnership of the public and private
sectors in protecting information systems for critical infrastructures and
provide reports on this issue to the President, as appropriate;
(ii) propose and develop ways to encourage private industry to
perform periodic risk assessments of critical information and
telecommunications systems;
(iii) monitor the development of private sector Information Sharing
and Analysis Centers (ISACs) and provide recommendations to the Board
on how these organizations can best foster improved cooperation among
the ISACs, the NIPC, and other Federal Government entities;
(iv) report to the President through the Board, which shall
ensure appropriate coordination with the Assistant to the
President for Economic Policy under the terms of this order; and
(v) advise lead agencies with critical infrastructure
responsibilities, sector coordinators, the NIPC, the ISACs, and
the Board.
(d) Administration of the
NIAC.
(i) The NIAC may hold hearings, conduct inquiries, and
establish subcommittees, as appropriate.
(ii) Upon the request of the Chair, and to the extent permitted
by law, the heads of the executive branch departments and agencies
shall provide the Council with information and advice relating to its
functions.
(iii) Senior Federal Government officials may participate in the
meetings of the NIAC, as appropriate.
(iv) Members shall serve without compensation for their work on
the Council. However, members may be allowed travel expenses,
including per diem in lieu of subsistence, as authorized by law
for persons serving intermittently in Federal Government service
(5 U.S.C. 5701-5707).
(v) To the extent permitted by law, and subject to the
availability of appropriations, the Department of Commerce, through the CIAO, shall provide the NIAC with administrative
services, staff, and other support services and such funds as may
be necessary for the performance of the NIAC's functions.
(e) General Provisions.
(i) Insofar as the Federal Advisory Committee Act, as
amended (5 U.S.C. App.), may apply to the NIAC, the functions of the
President under that Act, except that of reporting to the Congress, shall be performed by the Department of Commerce in accordance with the guidelines and procedures established by the Administrator of General Services.
(ii) The Council shall terminate 2 years from the date of this
order, unless extended by the President prior to that date.
(iii) Executive Order 13130 of July 14, 1999, is
hereby revoked.
Sec. 11. National
Communications System. Changes in technology are causing the
convergence of much of telephony, data relay, and internet
communications networks into an interconnected network of
networks. The NCS and its National Coordinating Center shall
support use of telephony, converged information, voice networks, and
next generation networks for emergency preparedness and national
security communications functions assigned to them in Executive Order
12472. All authorities and assignments of responsibilities
to departments and agencies in that order, including the role of the
Manager of NCS, remain unchanged except as explicitly modified by this
order.
Sec. 12. Counter-intelligence. The Board shall
coordinate its activities with those of the Office of the
Counter-intelligence Executive to address the threat to programs within
the Board's purview from hostile foreign intelligence services.
Sec. 13. Classification
Authority. I hereby delegate to the Chair the authority to
classify information originally as Top Secret, in accordance with
Executive Order 12958 of April 17, 1995, as amended, or any successor
Executive Order.
Sec. 14. General
Provisions. (a) Nothing in this order shall
supersede any requirement made by or under law.
(b) This order does not create
any right or benefit, substantive or procedural, enforceable at law or
equity, against the United States, its departments, agencies or other
entities, its officers or employees, or any other person.
GEORGE W. BUSH
THE WHITE HOUSE,
October 16, 2001.
# # #