004216

THE WHITE HOUSE


WASHINGTON

September 28, 2012

MEMORANDUM FOR

MR. ANTONY BLINKEN
Deputy Assistant to the President and National Security Advisor to the Vice President

MR. STEPHEN D. MULL
Executive Secretary
Department of State

MS. REBECCA H. EWING
Executive Secretary
Department of the Treasury

MR. MICHAEL L. BRUHN
Executive Secretary
Department of Defense

MR. DAVID A. O'NEIL
Associate Deputy Attorney General
Department of Justice

MS. KRYSTA HARDEN
Chief of Staff
Department of Agriculture

MS. LATOYA MURPHY
Director, Executive Secretariat
Department of Commerce

MS. JENNIFER CANNISTRA
Executive Secretary
Department of Health and Human Services

MS. CAROL DARR
Director, Executive Secretariat
Department of Transportation

MRS. CAROL A. MATTHEWS
Acting Director, Executive Secretariat
Department of Energy

MS. TERESA A. GARLAND
Director, Office of Executive Secretariat
Department of Education

MR. PHIL MCNAMARA
Executive Secretary
Department of Homeland Security

MS. NANCY-ANN DEPARLE
Assistant to the President and Deputy Chief of Staff for Policy

MS. DIANE THOMPSON
Chief of Staff
Environmental Protection Agency

MR. STEVEN M. KOSIAK
Associate Director for Defense and International Affairs
Office of Management and Budget

MR. WILLIAM MACK
Executive Secretary
U.S. Trade Representative

MR. WALLACE D. COGGINS
Executive Secretary
Director of National Intelligence

MR. ROBERT L. NABORS
Assistant to the President and Director of Legislative Affairs

MR. MICHAEL B. G. FROMAN
Assistant to the President and Deputy National Security Advisor for International Economics

MR. RICK SIGER
Chief of Staff
Office of Science and Technology Policy

MR. AARON M. ZEBLEY
Chief of Staff
Federal Bureau of Investigation

MR. TYRONE DINDAL
Executive Secretary
Central Intelligence Agency

MR. RICHARD W. BOLSON
Special Assistant for Interagency Affairs (J-5)
Joint Chiefs of Staff

MR. DARREN BLUE
Associate Administrator
Office of Emergency Response and Recovery
General Services Administration

MS. ANNETTE VIETTI-COOK
Secretary of the Commission
Nuclear Regulatory Commission

MS. AVRIL D. HAINES
Deputy Assistant to the President and Deputy Counsel to the President

GEN KEITH B. ALEXANDER, USA
Director
National Security Agency

MR. DAVID B. ROBBINS
Managing Director
Federal Communications Commission

SUBJECT: Paper Deputies Committee Meeting on Executive Order on Improving Critical Infrastructure Cybersecurity Practices

Deputies are requested to provide comments and concurrence on behalf of their Principals on the draft Executive Order on Improving Critical Infrastructure Cybersecurity Practices attached at Tab A. A discussion paper is attached at Tab B. Please pass the attached to Deputies. Responses should be provided to the National Security Staff Executive Secretariat by close of business on Friday, October 5, 2012. If you have any questions, please contact Rob Knake at rknake@nss.eop.gov or (202) 456-4534.

Brian P. McKeon
Executive Secretary

Attachments

Tab A  Discussion Paper for Paper Deputies Committee Meeting on Executive Order on Improving Critical Infrastructure Cybersecurity Practices

Tab B  Draft Executive Order on Improving Critical Infrastructure Cybersecurity Practices

TAB A

DISCUSSION PAPER FOR PAPER DEPUTIES COMMITTEE MEETING ON EXECUTIVE ORDER ON IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY PRACTICES

The draft Executive Order on Improving Critical Infrastructure Cybersecurity Practices (Tab B) provides a structure to enhance the cybersecurity posture of U.S. critical infrastructure. This Executive Order fits into a broader Administration policy effort to strengthen the protection and resilience of the Nation's critical infrastructure. The new Critical Infrastructure Protection and Resilience Presidential Policy Directive, which will replace Homeland Security Policy Directive-7, is in draft and will be presented to the Deputies Committee in the coming weeks. The National Security Staff will continue its coordination between these two related efforts as they are finalized.

In May of 2011, the Administration submitted proposed legislation to improve cybersecurity to Congress. Since Congress has so far failed to pass cybersecurity legislation in the 2011-2012 session, the President intends to use his authority to improve the Nation's cybersecurity. This Executive Order addresses one of seven major components of the legislative proposal, the "Cybersecurity Regulatory Framework for Covered Critical Infrastructure." Other components of the proposal, where possible, will be addressed through separate action by the Administration.

The draft Executive Order establishes a consultative process led by the Secretary of Homeland Security (the Secretary), and requires the Secretary of Commerce to direct the National Institute of Standards and Technology (NIST) to develop a framework for reducing cyber risks to critical infrastructure. The Executive Order further requires the Secretary to work with Sector-Specific Agencies and the Sector Coordinating Councils to establish a voluntary program to promote the adoption of the framework by private industry and encourages Federal regulatory agencies to review the framework and voluntarily adopt it if current regulatory requirements are deemed to be insufficient. Finally, the Executive Order provides direction to the Secretary on establishing information sharing programs and procedures.

The Administration's proposed legislation had four major objectives:

1. Enhance the cybersecurity of infrastructure determined by the Secretary to be critical to national security, national economic security, and national public health and safety.

2. Provide for consultation on matters pertaining to cybersecurity among Sector-Specific Agencies with responsibility for critical infrastructure, agencies with responsibilities for regulating critical infrastructure, and agencies with expertise regarding services provided by critical infrastructure.

3. Facilitate public sector and private industry consultation and development of best cybersecurity practices by encouraging a national dialogue on cybersecurity vulnerabilities affecting critical infrastructure.

4. Establish workable frameworks for implementing cybersecurity minimum standards and practices designed to complement, not supplant, currently-available security measures - without prescribing particular technologies or methodologies. [1]

The Executive Order meets these objectives; however, it differs from the legislative proposal in three main areas by using agencies' current authorities:

The legislative proposal called for the Department of Homeland Security (DHS) to develop the frameworks for addressing cybersecurity risks; the Executive Order uses NIST's existing processes in consultation with the Department and the private sector.

The legislative proposal gave DHS authority to regulate all critical infrastructure, providing an exemption if sufficient regulation is deemed to be in place; the Executive Order cannot extend new regulatory authority and therefore relies on the authority of existing regulators. As a result, the Executive Order may not be able to cover all critical infrastructure sectors.

The legislative proposal required owners and operators to develop cybersecurity plans and established a process for the Secretary to evaluate implementation of the plans; the Executive Order leaves the details of the voluntary program to the Secretary to develop and the details of any regulatory programs to the existing regulators.

In addition, the proposed Senate bill (Lieberman-Collins) proposed extending liability protections to companies that participated in the bill's equivalent of the voluntary program.
[1] "Cybersecurity Regulatory Framework for Covered Critical Infrastructure Act," Legislative Language, The White House, May 12, 2011.

Liability protection requires statutory authority; therefore the Executive Order cannot establish such an incentive.

TAB B

DRAFT EXECUTIVE ORDER

IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY PRACTICES

By the Authority vested in me as President by the Constitution and laws of the United States of America, it is hereby ordered as follows:

Sec. 1. Policy. Repeated cyber intrusions into critical infrastructure demonstrate the need for improved security. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national security of the United States depends on the reliable functioning of the Nation's critical infrastructure in the face of such threats. It is the policy of the United States to enhance the protection and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, privacy, and civil liberties. We will achieve these goals through a collaborative partnership with the owners and operators of critical infrastructure.

Sec. 2. Policy Coordination. Policy coordination, guidance, dispute resolution, and periodic in-progress reviews for the functions and programs described and assigned herein shall be provided through the interagency process established in Presidential Policy Directive-1 of February 13, 2009 (Organization of the National Security Council System) (PPD-1).

Sec. 3. Consultative Process. The Secretary of Homeland Security (the Secretary) shall establish a consultative process under the Critical Infrastructure Partnership Advisory Council (CIPAC) to coordinate improvements to the cybersecurity of critical infrastructure. Through the CIPAC, the Secretary shall receive and consider the advice of the Sector Coordinating Councils, critical infrastructure owners and operators, agencies, independent regulatory agencies, state, local, territorial, and tribal governments, universities, and outside experts on the matters set forth in this order.

Sec. 4. Identification of Critical Infrastructure at Risk. (a) Within 150 days of the date of this order, the Secretary shall identify critical infrastructure where a cybersecurity incident could reasonably result in a debilitating impact on national security, national economic security, or national public health or safety. In identifying critical infrastructure for this purpose, the Secretary shall draw upon the prioritized critical infrastructure list required under section 210E of the Homeland Security Act (6 U.S.C. 124l).

(b) Heads of Sector-Specific Agencies and other agencies shall provide the Secretary with information necessary to carry out the responsibilities under this section in accordance with section 202 of the Homeland Security Act.

(c) The Secretary will coordinate with Sector-Specific Agencies the notification of owners and operators of critical infrastructure identified under sub-section (a) of this section of the Secretary's determination.

Sec. 5. Framework to Reduce Cyber Risk to Critical Infrastructure. (a) The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the Director) to coordinate the development of a framework to reduce the cyber risks to critical infrastructure (the Cybersecurity Framework). The Cybersecurity Framework shall rely on existing consensus-based standards to the fullest extent possible consistent with requirements of the "National Technology Transfer and Advancement Act of 1995", Public Law 104-113, and the Office of Management and Budget Circular A-119, "Federal Participation in the Development and Use of Voluntary Consensus Standards and in Conformity Assessment Activities."

(b) The Cybersecurity Framework shall provide a flexible and repeatable approach to apply baseline information security measures and controls to help owners and operators of critical infrastructure identify, assess, and manage cyber risk and to protect privacy and civil liberties. To allow for technical innovation and organizational differences, the Cybersecurity Framework shall not prescribe particular technological solutions or specifications. The Cybersecurity Framework shall include metrics for measuring the performance of an entity in implementing the Cybersecurity Framework.

(c) In developing the Cybersecurity Framework, the Director shall consult with the Secretary, Sector-Specific Agencies and other interested agencies, the Office of Management and Budget, owners and operators of critical infrastructure, and other stakeholders, and engage in an open public review and comment process.

(d) Within 180 days of the date of this order, the Director shall publish a preliminary version of the Cybersecurity Framework. Within 1 year of the date of this order, and after review by the Secretary, the Director shall publish the final version of the Cybersecurity Framework in the Federal Register.

Sec. Voluntary Critical Infrastructure Cybersecurity Program. (a) The Secretary, in coordination with Sector-Specific Agencies, shall establish and invite owners and operators of critical infrastructure to participate in a voluntary program to encourage the adoption of the Cybersecurity Framework and to provide technical advice and assistance and a forum to exchange best practices (the Program).

(b) Sector-Specific Agencies, in consultation with the Secretary, will coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, adapt it to address sector-specific risks and fit the operating environment of individual sectors.

(c) Within 180 days of the date of this order, the Secretary shall issue implementation guidance to the Sector-Specific Agencies consistent with the National Infrastructure Protection Plan, to encourage a comprehensive and integrated approach across sectors.

Sec. 7. Adoption by Agencies. (a) Within 120 days of the date of this order, each agency with responsibilities for regulating the security of critical infrastructure shall submit to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Director of the Office of Management and Budget, a report that details authorities under which the agency could regulate the cybersecurity of critical infrastructure, what critical infrastructure could be covered, whether existing regulations on cybersecurity are in place, and the agency's assessment of the sufficiency of those regulations.

(b) Within 270 days of the date of this order, the Secretary shall, in coordination with the Director of the Office of Management and Budget, review these reports in consideration of the critical infrastructure identified in section 4 of this order and the preliminary version of the Cybersecurity Framework developed under section 5, and identify and recommend to agencies a prioritized, risk-based, efficient, and coordinated set of actions to mitigate or remediate identified cybersecurity risks to critical infrastructure.

(c) Within 1 year of the date of this order, agencies subject to this order with responsibilities for regulating the security of critical infrastructure are encouraged to propose regulations, consistent with Executive Orders 12856 and 13563, to mitigate cybersecurity risk based on such set of prioritized actions.

(d) Independent regulatory agencies are encouraged to engage in a consultative process with the Secretary and affected parties as they consider the set of prioritized actions.

Sec. 8. Cybersecurity Information Sharing. (a) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation or data exfiltration, the Secretary, in coordination with the Secretary of Defense, the Director of the National Security Agency, the Director of National Intelligence, and the Attorney General, shall establish within 120 days a near real time information sharing program. The program will provide government derived security information for the protection of critical networks and sensitive information. The Secretary, in coordination with the Director of National Intelligence, shall establish procedures to limit the further dissemination of such information to ensure that it is not used for an unauthorized purpose.

(b) The Director of National Intelligence shall ensure the timely production of unclassified tearlines for all known cyber threats to the U.S. homeland that identify a target or victim. The Secretary shall establish a coordinated process that rapidly disseminates these unclassified tearlines to the target or victim.

(c) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549, shall expedite the provision of security clearances to appropriate personnel employed by critical infrastructure owners and operators participating in the Program.

(d) The Secretary shall request owners and operators of critical infrastructure to report promptly to the Secretary or other appropriate agency cybersecurity incidents or threats.

(e) The Secretary shall develop, in coordination with the Attorney General and in consultation with other agencies, internal Federal reporting and dissemination procedures to notify appropriate agencies of cybersecurity incidents or threats reported to the Secretary or to any other agency.

(f) Information submitted voluntarily in accordance with section 214 of the Homeland Security Act (6 U.S.C. 133) by private entities for any purpose under this order, shall be protected from disclosure to the full extent permitted by section 214 of the Homeland Security Act.

Sec. 9. Privacy and Civil Liberties Assessment and Protections. (a) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security shall assess the privacy and civil rights risks of the functions and programs called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks. Relevant agencies will conduct their own reviews and provide the results of those reviews to the Department for inclusion in a public report. The report shall be reviewed and revised as necessary on an annual basis thereafter.

(b) In conducting these activities, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security shall consult with the Office of Management and Budget and the Privacy and Civil Liberties Oversight Board. Privacy aspects shall be evaluated against the Fair Information Practice Principles and other applicable privacy policies.

(c) Departments and agencies shall consider the assessments and recommendations of the report, as applicable, and, in consultation with their own privacy and civil liberties officials, shall include appropriate protections based upon Fair Information Practice Principles in their implementation actions.

Sec. 10. Implementation. (a) Sector-Specific Agencies shall report annually to the President through the Secretary on the extent to which owners and operators notified under section 4 are participating in the Program.

(b) Within 90 days of the date of this order, the Secretary of Defense and the Administrator of General Services shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism on the feasibility, security benefits, and relative merits of establishing procurement preferences for vendors who meet cybersecurity standards. In developing the recommendations, they shall consult with the Federal Acquisition Regulatory Council and shall engage in the consultative process established in section 3.

(c) Within 90 days of the date of this order, the Secretaries of the Treasury and Commerce shall submit to the President, through the Assistant to the President for Homeland Security and Counterterrorism, a report that assesses the Federal government's ability under existing laws to provide incentives to owners and operators of critical infrastructure that participate in the Program. In developing the report, they shall engage in the consultative process established in section 3.

Sec. 11. Definitions. (a) "Agency" means any authority of the United States that is an "agency" under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

(b) "Critical infrastructure" has the meaning given the term in 42 U.S.C. 5195c(e).

(c) "Critical Infrastructure Partnership Advisory Council" means the council established by the Department of Homeland Security under 6 U.S.C. 451 to coordinate critical infrastructure protection activities within the Federal Government and with the private sector, and State, local, territorial, and tribal governments.

(d) "Fair Information Practice Principles" means the eight principles set forth in the Framework for Privacy Policy at the Department of Homeland Security.

(e) "Framework" means a set of standards, methodologies, procedures and processes that align policy, business, and technological approaches.

(f) "Independent regulatory agency" has the meaning given the term in 44 U.S.C. 3502.

(g) "Sector Coordinating Council" means a private sector coordinating council comprised of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or its successor.

(h) "Sector-Specific Agency" has the meaning given the term in Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection, December 17, 2003, or its successor.

Sec. 12. General Provisions. (a) This order shall be implemented consistent with applicable law and subject to the availability of appropriations. Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law. Nothing in this order shall be construed to alter or limit any authority or responsibility of an agency under existing law.

(b) Any actions taken as a result of the studies required under sections 10(b) and (c), shall be implemented consistent with U.S. international obligations.

(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

THE WHITE HOUSE,
