For Immediate Release
Office of the Press Secretary
December 17, 2003
December 17, 2003 Homeland Security Presidential Directive/Hspd-7
Subject: Critical Infrastructure Identification, Prioritization, and
Protection
Purpose
(1) This directive establishes a national policy for Federal
departments and agencies to identify and prioritize United States
critical infrastructure and key resources and to protect them from
terrorist attacks.
Background
(2) Terrorists seek to destroy, incapacitate, or exploit critical
infrastructure and key resources across the United States to threaten
national security, cause mass casualties, weaken our economy, and
damage public morale and confidence.
(3) America's open and technologically complex society includes a
wide array of critical infrastructure and key resources that are
potential terrorist targets. The majority of these are owned and
operated by the private sector and State or local governments. These
critical infrastructures and key resources are both physical and
cyber-based and span all sectors of the economy.
(4) Critical infrastructure and key resources provide the essential
services that underpin American society. The Nation possesses numerous
key resources, whose exploitation or destruction by terrorists could
cause catastrophic health effects or mass casualties comparable to
those from the use of a weapon of mass destruction, or could profoundly
affect our national prestige and morale. In addition, there is
critical infrastructure so vital that its incapacitation, exploitation,
or destruction, through terrorist attack, could have a debilitating
effect on security and economic well-being.
(5) While it is not possible to protect or eliminate the
vulnerability of all critical infrastructure and key resources
throughout the country, strategic improvements in security can make it
more difficult for attacks to succeed and can lessen the impact of
attacks that may occur. In addition to strategic security
enhancements, tactical security improvements can be rapidly implemented
to deter, mitigate, or neutralize potential attacks.
Definitions
(6) In this directive:
(a) The term "critical infrastructure" has the meaning given to
that
term in section 1016(e) of the USA PATRIOT Act of 2001 (42 U.S.C.
5195c(e)).
(b) The term "key resources" has the meaning given that term in
section
2(9) of the Homeland Security Act of 2002 (6 U.S.C. 101(9)).
(c) The term "the Department" means the Department of Homeland
Security.
(d) The term "Federal departments and agencies" means those
executive
departments enumerated in 5 U.S.C. 101, and the Department of
Homeland
Security; independent establishments as defined by 5 U.S.C. 104(1);
Government corporations as defined by 5 U.S.C. 103(1); and the
United
States Postal Service.
(e) The terms "State," and "local government," when used in a
geographical sense, have the same meanings given to those terms in
section 2 of the Homeland Security Act of 2002 (6 U.S.C. 101).
(f) The term "the Secretary" means the Secretary of Homeland
Security.
(g) The term "Sector-Specific Agency" means a Federal department or
agency responsible for infrastructure protection activities in a
designated critical infrastructure sector or key resources
category.
Sector-Specific Agencies will conduct their activities under this
directive in accordance with guidance provided by the Secretary.
(h) The terms "protect" and "secure" mean reducing the
vulnerability of
critical infrastructure or key resources in order to deter,
mitigate, or
neutralize terrorist attacks.
Policy
(7) It is the policy of the United States to enhance the protection
of our Nation's critical infrastructure and key resources against
terrorist acts that could:
(a) cause catastrophic health effects or mass casualties
comparable to those from the use of a weapon of mass destruction;
(b) impair Federal departments and agencies' abilities to perform
essential missions, or to ensure the public's health and safety;
(c) undermine State and local government capacities to maintain
order and to deliver minimum essential public services;
(d) damage the private sector's capability to ensure the orderly
functioning of the economy and delivery of essential services;
(e) have a negative effect on the economy through the cascading
disruption of other critical infrastructure and key resources; or
(f) undermine the public's morale and confidence in our national
economic and political institutions.
(8) Federal departments and agencies will identify, prioritize, and
coordinate the protection of critical infrastructure and key resources
in order to prevent, deter, and mitigate the effects of deliberate
efforts to destroy, incapacitate, or exploit them. Federal departments
and agencies will work with State and local governments and the private
sector to accomplish this objective.
(9) Federal departments and agencies will ensure that homeland
security programs do not diminish the overall economic security of the
United States.
(10) Federal departments and agencies will appropriately protect
information associated with carrying out this directive, including
handling voluntarily provided information and information that would
facilitate terrorist targeting of critical infrastructure and key
resources consistent with the Homeland Security Act of 2002 and other
applicable legal authorities.
(11) Federal departments and agencies shall implement this
directive in a manner consistent with applicable provisions of law,
including those protecting the rights of United States persons.
Roles and Responsibilities of the Secretary
(12) In carrying out the functions assigned in the Homeland
Security Act of 2002, the Secretary shall be responsible for
coordinating the overall national effort to enhance the protection of
the critical infrastructure and key resources of the United States.
The Secretary shall serve as the principal Federal official to lead,
integrate, and coordinate implementation of efforts among Federal
departments and agencies, State and local governments, and the private
sector to protect critical infrastructure and key resources. (13)
Consistent with this directive, the Secretary will identify,
prioritize, and coordinate the protection of critical infrastructure
and key resources with an emphasis on critical infrastructure and key
resources that could be exploited to cause catastrophic health effects
or mass casualties comparable to those from the use of a weapon of mass
destruction.
(14) The Secretary will establish uniform policies, approaches,
guidelines, and methodologies for integrating Federal infrastructure
protection and risk management activities within and across sectors
along with metrics and criteria for related programs and activities.
(15) The Secretary shall coordinate protection activities for each
of the following critical infrastructure sectors: information
technology; telecommunications; chemical; transportation systems,
including mass transit, aviation, maritime, ground/surface, and rail
and pipeline systems; emergency services; and postal and shipping. The
Department shall coordinate with appropriate departments and agencies
to ensure the protection of other key resources including dams,
government facilities, and commercial facilities. In addition, in its
role as overall cross-sector coordinator, the Department shall also
evaluate the need for and coordinate the coverage of additional
critical infrastructure and key resources categories over time, as
appropriate.
(16) The Secretary will continue to maintain an organization to
serve as a focal point for the security of cyberspace. The
organization will facilitate interactions and collaborations between
and among Federal departments and agencies, State and local
governments, the private sector, academia and international
organizations. To the extent permitted by law, Federal departments and
agencies with cyber expertise, including but not limited to the
Departments of Justice, Commerce, the Treasury, Defense, Energy, and
State, and the Central Intelligence Agency, will collaborate with and
support the organization in accomplishing its mission. The
organization's mission includes analysis, warning, information sharing,
vulnerability reduction, mitigation, and aiding national recovery
efforts for critical infrastructure information systems. The
organization will support the Department of Justice and other law
enforcement agencies in their continuing missions to investigate and
prosecute threats to and attacks against cyberspace, to the extent
permitted by law.
(17) The Secretary will work closely with other Federal departments
and agencies, State and local governments, and the private sector in
accomplishing the objectives of this directive.
Roles and Responsibilities of Sector-Specific Federal Agencies
(18) Recognizing that each infrastructure sector possesses its own
unique characteristics and operating models, there are designated
Sector-Specific Agencies, including:
(a) Department of Agriculture -- agriculture, food (meat,
poultry, egg products);
(b) Health and Human Services -- public health, healthcare, and
food (other than meat, poultry, egg products);
(c) Environmental Protection Agency -- drinking water and water
treatment systems;
(d) Department of Energy -- energy, including the production
refining, storage, and distribution of oil and gas, and electric power
except for commercial nuclear power facilities;
(e) Department of the Treasury -- banking and finance;
(f) Department of the Interior -- national monuments and icons;
and
(g) Department of Defense -- defense industrial base.
(19) In accordance with guidance provided by the Secretary,
Sector-Specific Agencies shall:
(a) collaborate with all relevant Federal departments and
agencies, State and local governments, and the private sector,
including with key persons and entities in their infrastructure sector;
(b) conduct or facilitate vulnerability assessments of the
sector; and
(c) encourage risk management strategies to protect against and
mitigate the effects of attacks against critical infrastructure and key
resources.
(20) Nothing in this directive alters, or impedes the ability to
carry out, the authorities of the Federal departments and agencies to
perform their responsibilities under law and consistent with applicable
legal authorities and presidential guidance.
(21) Federal departments and agencies shall cooperate with the
Department in implementing this directive, consistent with the Homeland
Security Act of 2002 and other applicable legal authorities.
Roles and Responsibilities of Other Departments, Agencies, and
Offices
(22) In addition to the responsibilities given the Department and
Sector-Specific Agencies, there are special functions of various
Federal departments and agencies and components of the Executive Office
of the President related to critical infrastructure and key resources
protection.
(a) The Department of State, in conjunction with the Department,
and the Departments of Justice, Commerce, Defense, the Treasury and
other appropriate agencies, will work with foreign countries and
international organizations to strengthen the protection of United
States critical infrastructure and key resources.
(b) The Department of Justice, including the Federal Bureau of
Investigation, will reduce domestic terrorist threats, and investigate
and prosecute actual or attempted terrorist attacks on, sabotage of, or
disruptions of critical infrastructure and key resources. The Attorney
General and the Secretary shall use applicable statutory authority and
attendant mechanisms for cooperation and coordination, including but
not limited to those established by presidential directive.
(c) The Department of Commerce, in coordination with the
Department, will work with private sector, research, academic, and
government organizations to improve technology for cyber systems and
promote other critical infrastructure efforts, including using its
authority under the Defense Production Act to assure the timely
availability of industrial products, materials, and services to meet
homeland security requirements.
(d) A Critical Infrastructure Protection Policy Coordinating
Committee will advise the Homeland Security Council on interagency
policy related to physical and cyber infrastructure protection. This
PCC will be chaired by a Federal officer or employee designated by the
Assistant to the President for Homeland Security.
(e) The Office of Science and Technology Policy, in coordination
with the Department, will coordinate interagency research and
development to enhance the protection of critical infrastructure and
key resources.
(f) The Office of Management and Budget (OMB) shall oversee the
implementation of government-wide policies, principles, standards, and
guidelines for Federal government computer security programs. The
Director of OMB will ensure the operation of a central Federal
information security incident center consistent with the requirements
of the Federal Information Security Management Act of 2002.
(g) Consistent with the E-Government Act of 2002, the Chief
Information Officers Council shall be the principal interagency forum
for improving agency practices related to the design, acquisition,
development, modernization, use, operation, sharing, and performance of
information resources of Federal departments and agencies.
(h) The Department of Transportation and the Department will
collaborate on all matters relating to transportation security and
transportation infrastructure protection. The Department of
Transportation is responsible for operating the national air space
system. The Department of Transportation and the Department will
collaborate in regulating the transportation of hazardous materials by
all modes (including pipelines).
(i) All Federal departments and agencies shall work with the
sectors relevant to their responsibilities to reduce the consequences
of catastrophic failures not caused by terrorism.
(23) The heads of all Federal departments and agencies will
coordinate and cooperate with the Secretary as appropriate and
consistent with their own responsibilities for protecting critical
infrastructure and key resources.
(24) All Federal department and agency heads are responsible for
the identification, prioritization, assessment, remediation, and
protection of their respective internal critical infrastructure and key
resources. Consistent with the Federal Information Security Management
Act of 2002, agencies will identify and provide information security
protections commensurate with the risk and magnitude of the harm
resulting from the unauthorized access, use, disclosure, disruption,
modification, or destruction of information.
Coordination with the Private Sector
(25) In accordance with applicable laws or regulations, the
Department and the Sector-Specific Agencies will collaborate with
appropriate private sector entities and continue to encourage the
development of information sharing and analysis mechanisms.
Additionally, the Department and Sector-Specific Agencies shall
collaborate with the private sector and continue to support
sector-coordinating mechanisms:
(a) to identify, prioritize, and coordinate the protection of
critical infrastructure and key resources; and
(b) to facilitate sharing of information about physical and cyber
threats, vulnerabilities, incidents, potential protective measures, and
best practices.
National Special Security Events
(26) The Secretary, after consultation with the Homeland Security
Council, shall be responsible for designating events as "National
Special Security Events" (NSSEs). This directive supersedes language
in previous presidential directives regarding the designation of NSSEs
that is inconsistent herewith.
Implementation
(27) Consistent with the Homeland Security Act of 2002, the
Secretary shall produce a comprehensive, integrated National Plan for
Critical Infrastructure and Key Resources Protection to outline
national goals, objectives, milestones, and key initiatives within 1
year from the issuance of this directive. The Plan shall include, in
addition to other Homeland Security-related elements as the Secretary
deems appropriate, the following elements:
(a) a strategy to identify, prioritize, and coordinate the
protection of critical infrastructure and key resources, including how
the Department intends to work with Federal departments and agencies,
State and local governments, the private sector, and foreign countries
and international organizations;
(b) a summary of activities to be undertaken in order to: define
and prioritize, reduce the vulnerability of, and coordinate the
protection of critical infrastructure and key resources;
(c) a summary of initiatives for sharing critical infrastructure
and key resources information and for providing critical infrastructure
and key resources threat warning data to State and local governments
and the private sector; and
(d) coordination and integration, as appropriate, with other
Federal emergency management and preparedness activities including the
National Response Plan and applicable national preparedness goals.
(28) The Secretary, consistent with the Homeland Security Act of
2002 and other applicable legal authorities and presidential guidance,
shall establish appropriate systems, mechanisms, and procedures to
share homeland security information relevant to threats and
vulnerabilities in national critical infrastructure and key resources
with other Federal departments and agencies, State and local
governments, and the private sector in a timely manner.
(29) The Secretary will continue to work with the Nuclear
Regulatory Commission and, as appropriate, the Department of Energy in
order to ensure the necessary protection of:
(a) commercial nuclear reactors for generating electric power and
non-power nuclear reactors used for research, testing, and training;
(b) nuclear materials in medical, industrial, and academic
settings and facilities that fabricate nuclear fuel; and
(c) the transportation, storage, and disposal of nuclear
materials and waste.
(30) In coordination with the Director of the Office of Science and
Technology Policy, the Secretary shall prepare on an annual basis a
Federal Research and Development Plan in support of this directive.
(31) The Secretary will collaborate with other appropriate Federal
departments and agencies to develop a program, consistent with
applicable law, to geospatially map, image, analyze, and sort critical
infrastructure and key resources by utilizing commercial satellite and
airborne systems, and existing capabilities within other agencies.
National technical means should be considered as an option of last
resort. The Secretary, with advice from the Director of Central
Intelligence, the Secretaries of Defense and the Interior, and the
heads of other appropriate Federal departments and agencies, shall
develop mechanisms for accomplishing this initiative. The Attorney
General shall provide legal advice as necessary.
(32) The Secretary will utilize existing, and develop new,
capabilities as needed to model comprehensively the potential
implications of terrorist exploitation of vulnerabilities in critical
infrastructure and key resources, placing specific focus on densely
populated areas. Agencies with relevant modeling capabilities shall
cooperate with the Secretary to develop appropriate mechanisms for
accomplishing this initiative.
(33) The Secretary will develop a national indications and warnings
architecture for infrastructure protection and capabilities that will
facilitate:
(a) an understanding of baseline infrastructure operations;
(b) the identification of indicators and precursors to an attack;
and
(c) a surge capacity for detecting and analyzing patterns of
potential attacks.
In developing a national indications and warnings architecture, the
Department will work with Federal, State, local, and non-governmental
entities to develop an integrated view of physical and cyber
infrastructure and key resources.
(34) By July 2004, the heads of all Federal departments and
agencies shall develop and submit to the Director of the OMB for
approval plans for protecting the physical and cyber critical
infrastructure and key resources that they own or operate. These plans
shall address identification, prioritization, protection, and
contingency planning, including the recovery and reconstitution of
essential capabilities.
(35) On an annual basis, the Sector-Specific Agencies shall report
to the Secretary on their efforts to identify, prioritize, and
coordinate the protection of critical infrastructure and key resources
in their respective sectors. The report shall be submitted within 1
year from the issuance of this directive and on an annual basis
thereafter.
(36) The Assistant to the President for Homeland Security and the
Assistant to the President for National Security Affairs will lead a
national security and emergency preparedness communications policy
review, with the heads of the appropriate Federal departments and
agencies, related to convergence and next generation architecture.
Within 6 months after the issuance of this directive, the Assistant to
the President for Homeland Security and the Assistant to the President
for National Security Affairs shall submit for my consideration any
recommended changes to such policy.
(37) This directive supersedes Presidential Decision
Directive/NSC-63 of May 22, 1998 ("Critical Infrastructure
Protection"), and any Presidential directives issued prior to this
directive to the extent of any inconsistency. Moreover, the Assistant
to the President for Homeland Security and the Assistant to the
President for National Security Affairs shall jointly submit for my
consideration a Presidential directive to make changes in Presidential
directives issued prior to this date that conform such directives to
this directive.
(38) This directive is intended only to improve the internal
management of the executive branch of the Federal Government, and it is
not intended to, and does not, create any right or benefit, substantive
or procedural, enforceable at law or in equity, against the United
States, its departments, agencies, or other entities, its officers or
employees, or any other person.
GEORGE W. BUSH
# # #
|