Critical Infrastructure

This week, you will discuss those critical infrastructure sectors you feel are most at risk and why, as well as the manner in which certain Federal documents affect the private

Federal Register Vol. 78, No. 33, Tuesday, February 19, 2013, Part III, The President: Executive Order 13636—Improving Critical Infrastructure Cybersecurity

Presidential Documents, 11739, Federal Register Vol. 78, No. 33, Tuesday, February 19, 2013

Title 3— The President

Executive Order 13636 of February 12, 2013

Improving Critical Infrastructure Cybersecurity

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Policy. Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.

Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Sec. 3. Policy Coordination. Policy coordination, guidance, dispute resolution, and periodic in-progress reviews for the functions and programs described and assigned herein shall be provided through the interagency process established in Presidential Policy Directive–1 of February 13, 2009 (Organization of the National Security Council System), or any successor.

Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order, the Attorney General, the Secretary of Homeland Security (the ‘‘Secretary’’), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.

(b) The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.

(c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.

(d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.

(e) In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.

Sec. 5. Privacy and Civil Liberties Protections. (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities.

(b) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.

(c) In producing the report required under subsection (b) of this section, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS shall consult with the Privacy and Civil Liberties Oversight Board and coordinate with the Office of Management and Budget (OMB).

(d) Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.

Sec. 6. Consultative Process. The Secretary shall establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure. As part of the consultative process, the Secretary shall engage and consider the advice, on matters set forth in this order, of the Critical Infrastructure Partnership Advisory Council; Sector Coordinating Councils; critical infrastructure owners and operators; Sector-Specific Agencies; other relevant agencies; independent regulatory agencies; State, local, territorial, and tribal governments; universities; and outside experts.

Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure.

(a) The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the ‘‘Director’’) to lead the development of a framework to reduce cyber risks to critical infrastructure (the ‘‘Cybersecurity Framework’’). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Institute of Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the National Technology Transfer and Advancement Act of 1995 (Public Law 104–113), and OMB Circular A–119, as revised.

(b) The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

(c) The Cybersecurity Framework shall include methodologies to identify and mitigate impacts of the Cybersecurity Framework and associated information security measures or controls on business confidentiality, and to protect individual privacy and civil liberties.

(d) In developing the Cybersecurity Framework, the Director shall engage in an open public review and comment process. The Director shall also consult with the Secretary, the National Security Agency, Sector-Specific Agencies and other interested agencies including OMB, owners and operators of critical infrastructure, and other stakeholders through the consultative process established in section 6 of this order. The Secretary, the Director of National Intelligence, and the heads of other relevant agencies shall provide threat and vulnerability information and technical expertise to inform the development of the Cybersecurity Framework. The Secretary shall provide performance goals for the Cybersecurity Framework informed by work under section 9 of this order.

(e) Within 240 days of the date of this order, the Director shall publish a preliminary version of the Cybersecurity Framework (the ‘‘preliminary Framework’’). Within 1 year of the date of this order, and after coordination with the Secretary to ensure suitability under section 8 of this order, the Director shall publish a final version of the Cybersecurity Framework (the ‘‘final Framework’’).

(f) Consistent with statutory responsibilities, the Director will ensure the Cybersecurity Framework and related guidance is reviewed and updated as necessary, taking into consideration technological changes, changes in cyber risks, operational feedback from owners and operators of critical infrastructure, experience from the implementation of section 8 of this order, and any other relevant factors.

Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program. (a) The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities (the ‘‘Program’’).

(b) Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

(c) Sector-Specific Agencies shall report annually to the President, through the Secretary, on the extent to which owners and operators notified under section 9 of this order are participating in the Program.

(d) The Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program. Within 120 days of the date of this order, the Secretary and the Secretaries of the Treasury and Commerce each shall make recommendations separately to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, that shall include analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the Program.

(e) Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.

Sec. 9. Identification of Critical Infrastructure at Greatest Risk. (a) Within 150 days of the date of this order, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. In identifying critical infrastructure for this purpose, the Secretary shall use the consultative process established in section 6 of this order and draw upon the expertise of Sector-Specific Agencies. The Secretary shall apply consistent, objective criteria in identifying such critical infrastructure. The Secretary shall not identify any commercial information technology products or consumer information technology services under this section. The Secretary shall review and update the list of identified critical infrastructure under this section on an annual basis, and provide such list to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.

(b) Heads of Sector-Specific Agencies and other relevant agencies shall provide the Secretary with information necessary to carry out the responsibilities under this section. The Secretary shall develop a process for other relevant stakeholders to submit information to assist in making the identifications required in subsection (a) of this section.

(c) The Secretary, in coordination with Sector-Specific Agencies, shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided the basis for the determination. The Secretary shall establish a process through which owners and operators of critical infrastructure may submit relevant information and request reconsideration of identifications under subsection (a) of this section.

Sec. 10. Adoption of Framework. (a) Agencies with responsibility for regulating the security of critical infrastructure shall engage in a consultative process with DHS, OMB, and the National Security Staff to review the preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. In making such determination, these agencies shall consider the identification of critical infrastructure required under section 9 of this order. Within 90 days of the publication of the preliminary Framework, these agencies shall submit a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the Director of OMB, and the Assistant to the President for Economic Affairs, that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.

(b) If current regulatory requirements are deemed to be insufficient, within 90 days of publication of the final Framework, agencies identified in subsection (a) of this section shall propose prioritized, risk-based, efficient, and coordinated actions, consistent with Executive Order 12866 of September 30, 1993 (Regulatory Planning and Review), Executive Order 13563 of January 18, 2011 (Improving Regulation and Regulatory Review), and Executive Order 13609 of May 1, 2012 (Promoting International Regulatory Cooperation), to mitigate cyber risk.

(c) Within 2 years after publication of the final Framework, consistent with Executive Order 13563 and Executive Order 13610 of May 10, 2012 (Identifying and Reducing Regulatory Burdens), agencies identified in subsection (a) of this section shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.

(d) The Secretary shall coordinate the provision of technical assistance to agencies identified in subsection (a) of this section on the development of their cybersecurity workforce and programs.

(e) Independent regulatory agencies with responsibility for regulating the security of critical infrastructure are encouraged to engage in a consultative process with the Secretary, relevant Sector-Specific Agencies, and other affected parties to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.

Sec. 11. Definitions. (a) ‘‘Agency’’ means any authority of the United States that is an ‘‘agency’’ under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

(b) ‘‘Critical Infrastructure Partnership Advisory Council’’ means the council established by DHS under 6 U.S.C. 451 to facilitate effective interaction and coordination of critical infrastructure protection activities among the Federal Government; the private sector; and State, local, territorial, and tribal governments.

(c) ‘‘Fair Information Practice Principles’’ means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.

(d) ‘‘Independent regulatory agency’’ has the meaning given the term in 44 U.S.C. 3502(5).

(e) ‘‘Sector Coordinating Council’’ means a private sector coordinating council composed of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or any successor.

(f) ‘‘Sector-Specific Agency’’ has the meaning given the term in Presidential Policy Directive–21 of February 12, 2013 (Critical Infrastructure Security and Resilience), or any successor.

Sec. 12. General Provisions. (a) This order shall be implemented consistent with applicable law and subject to the availability of appropriations. Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law. Nothing in this order shall be construed to alter or limit any authority or responsibility of an agency under existing law.

(b) Nothing in this order shall be construed to impair or otherwise affect the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.

(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods. Nothing in this order shall be interpreted to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence and law enforcement operations.

(d) This order shall be implemented consistent with U.S. international obligations.

(e) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

THE WHITE HOUSE, February 12, 2013.

[FR Doc. 2013–03915 Filed 2–15–13; 11:15 am] Billing code 3295–F3