[Federal Register Volume 76, Number 198 (Thursday, October 13, 2011)]
[Presidential Documents]
[Pages 63811-63815]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2011-26729]




                        Presidential Documents 



Federal Register / Vol. 76, No. 198 / Thursday, October 13, 2011 / 
Presidential Documents

[[Page 63811]]


                Executive Order 13587 of October 7, 2011

                
Structural Reforms To Improve the Security of 
                Classified Networks and the Responsible Sharing and 
                Safeguarding of Classified Information

                By the authority vested in me as President by the 
                Constitution and the laws of the United States of 
                America and in order to ensure the responsible sharing 
                and safeguarding of classified national security 
                information (classified information) on computer 
                networks, it is hereby ordered as follows:

                Section 1. Policy. Our Nation's security requires 
                classified information to be shared immediately with 
                authorized users around the world but also requires 
                sophisticated and vigilant means to ensure it is shared 
                securely. Computer networks have individual and common 
                vulnerabilities that require coordinated decisions on 
                risk management.

                This order directs structural reforms to ensure 
                responsible sharing and safeguarding of classified 
                information on computer networks that shall be 
                consistent with appropriate protections for privacy and 
                civil liberties. Agencies bear the primary 
                responsibility for meeting these twin goals. These 
                structural reforms will ensure coordinated interagency 
                development and reliable implementation of policies and 
                minimum standards regarding information security, 
                personnel security, and systems security; address both 
                internal and external security threats and 
                vulnerabilities; and provide policies and minimum 
                standards for sharing classified information both 
                within and outside the Federal Government. These 
                policies and minimum standards will address all 
                agencies that operate or access classified computer 
                networks, all users of classified computer networks 
                (including contractors and others who operate or access 
                classified computer networks controlled by the Federal 
                Government), and all classified information on those 
                networks.

                Sec. 2. General Responsibilities of Agencies.

                Sec. 2.1. The heads of agencies that operate or access 
                classified computer networks shall have responsibility 
                for appropriately sharing and safeguarding classified 
                information on computer networks. As part of this 
                responsibility, they shall:

                    (a) designate a senior official to be charged with 
                overseeing classified information sharing and 
                safeguarding efforts for the agency;
                    (b) implement an insider threat detection and 
                prevention program consistent with guidance and 
                standards developed by the Insider Threat Task Force 
                established in section 6 of this order;
                    (c) perform self-assessments of compliance with 
                policies and standards issued pursuant to sections 3.3, 
                5.2, and 6.3 of this order, as well as other applicable 
                policies and standards, the results of which shall be 
                reported annually to the Senior Information Sharing and 
                Safeguarding Steering Committee established in section 
                3 of this order;
                    (d) provide information and access, as warranted 
                and consistent with law and section 7(d) of this order, 
                to enable independent assessments by the Executive 
                Agent for Safeguarding Classified Information on 
                Computer Networks and the Insider Threat Task Force of 
                compliance with relevant established policies and 
                standards; and

[[Page 63812]]

                    (e) detail or assign staff as appropriate and 
                necessary to the Classified Information Sharing and 
                Safeguarding Office and the Insider Threat Task Force 
                on an ongoing basis.

                Sec. 3. Senior Information Sharing and Safeguarding 
                Steering Committee.

                Sec. 3.1. There is established a Senior Information 
                Sharing and Safeguarding Steering Committee (Steering 
                Committee) to exercise overall responsibility and 
                ensure senior-level accountability for the coordinated 
                interagency development and implementation of policies 
                and standards regarding the sharing and safeguarding of 
                classified information on computer networks.

                Sec. 3.2. The Steering Committee shall be co-chaired by 
                senior representatives of the Office of Management and 
                Budget and the National Security Staff. Members of the 
                committee shall be officers of the United States as 
                designated by the heads of the Departments of State, 
                Defense, Justice, Energy, and Homeland Security, the 
                Office of the Director of National Intelligence, the 
                Central Intelligence Agency, and the Information 
                Security Oversight Office within the National Archives 
                and Records Administration (ISOO), as well as such 
                additional agencies as the co-chairs of the Steering 
                Committee may designate.

                Sec. 3.3. The responsibilities of the Steering 
                Committee shall include:

                    (a) establishing Government-wide classified 
                information sharing and safeguarding goals and annually 
                reviewing executive branch successes and shortcomings 
                in achieving those goals;
                    (b) preparing within 90 days of the date of this 
                order and at least annually thereafter, a report for 
                the President assessing the executive branch's 
                successes and shortcomings in sharing and safeguarding 
                classified information on computer networks and 
                discussing potential future vulnerabilities;
                    (c) developing program and budget recommendations 
                to achieve Government-wide classified information 
                sharing and safeguarding goals;
                    (d) coordinating the interagency development and 
                implementation of priorities, policies, and standards 
                for sharing and safeguarding classified information on 
                computer networks;
                    (e) recommending overarching policies, when 
                appropriate, for promulgation by the Office of 
                Management and Budget or the ISOO;
                    (f) coordinating efforts by agencies, the Executive 
                Agent, and the Task Force to assess compliance with 
                established policies and standards and recommending 
                corrective actions needed to ensure compliance;
                    (g) providing overall mission guidance for the 
                Program Manager-Information Sharing Environment (PM-
                ISE) with respect to the functions to be performed by 
                the Classified Information Sharing and Safeguarding 
                Office established in section 4 of this order; and
                    (h) referring policy and compliance issues that 
                cannot be resolved by the Steering Committee to the 
                Deputies Committee of the National Security Council in 
                accordance with Presidential Policy Directive/PPD-1 of 
                February 13, 2009 (Organization of the National 
                Security Council System).

                Sec. 4. Classified Information Sharing and Safeguarding 
                Office.

                Sec. 4.1. There shall be established a Classified 
                Information Sharing and Safeguarding Office (CISSO) 
                within and subordinate to the office of the PM-ISE to 
                provide expert, full-time, sustained focus on 
                responsible sharing and safeguarding of classified 
                information on computer networks. Staff of the CISSO 
                shall include detailees, as needed and appropriate, 
                from agencies represented on the Steering Committee.

                Sec. 4.2. The responsibilities of CISSO shall include:

                    (a) providing staff support for the Steering 
                Committee;
                    (b) advising the Executive Agent for Safeguarding 
                Classified Information on Computer Networks and the 
                Insider Threat Task Force on the development of an 
                effective program to monitor compliance with 
                established policies

[[Page 63813]]

                and standards needed to achieve classified information 
                sharing and safeguarding goals; and
                    (c) consulting with the Departments of State, 
                Defense, and Homeland Security, the ISOO, the Office of 
                the Director of National Intelligence, and others, as 
                appropriate, to ensure consistency with policies and 
                standards under Executive Order 13526 of December 29, 
                2009, Executive Order 12829 of January 6, 1993, as 
                amended, Executive Order 13549 of August 18, 2010, and 
                Executive Order 13556 of November 4, 2010.

                Sec. 5. Executive Agent for Safeguarding Classified 
                Information on Computer Networks.

                Sec. 5.1. The Secretary of Defense and the Director, 
                National Security Agency, shall jointly act as the 
                Executive Agent for Safeguarding Classified Information 
                on Computer Networks (the ``Executive Agent''), 
                exercising the existing authorities of the Executive 
                Agent and National Manager for national security 
                systems, respectively, under National Security 
                Directive/NSD-42 of July 5, 1990, as supplemented by 
                and subject to this order.

                Sec. 5.2. The Executive Agent's responsibilities, in 
                addition to those specified by NSD-42, shall include 
                the following:

                    (a) developing effective technical safeguarding 
                policies and standards in coordination with the 
                Committee on National Security Systems (CNSS), as re-
                designated by Executive Orders 13286 of February 28, 
                2003, and 13231 of October 16, 2001, that address the 
                safeguarding of classified information within national 
                security systems, as well as the safeguarding of 
                national security systems themselves;
                    (b) referring to the Steering Committee for 
                resolution any unresolved issues delaying the Executive 
                Agent's timely development and issuance of technical 
                policies and standards;
                    (c) reporting at least annually to the Steering 
                Committee on the work of CNSS, including 
                recommendations for any changes needed to improve the 
                timeliness and effectiveness of that work; and
                    (d) conducting independent assessments of agency 
                compliance with established safeguarding policies and 
                standards, and reporting the results of such 
                assessments to the Steering Committee.

                Sec. 6. Insider Threat Task Force.

                Sec. 6.1. There is established an interagency Insider 
                Threat Task Force that shall develop a Government-wide 
                program (insider threat program) for deterring, 
                detecting, and mitigating insider threats, including 
                the safeguarding of classified information from 
                exploitation, compromise, or other unauthorized 
                disclosure, taking into account risk levels, as well as 
                the distinct needs, missions, and systems of individual 
                agencies. This program shall include development of 
                policies, objectives, and priorities for establishing 
                and integrating security, counterintelligence, user 
                audits and monitoring, and other safeguarding 
                capabilities and practices within agencies.

                Sec. 6.2. The Task Force shall be co-chaired by the 
                Attorney General and the Director of National 
                Intelligence, or their designees. Membership on the 
                Task Force shall be composed of officers of the United 
                States from, and designated by the heads of, the 
                Departments of State, Defense, Justice, Energy, and 
                Homeland Security, the Office of the Director of 
                National Intelligence, the Central Intelligence Agency, 
                and the ISOO, as well as such additional agencies as 
                the co-chairs of the Task Force may designate. It shall 
                be staffed by personnel from the Federal Bureau of 
                Investigation and the Office of the National 
                Counterintelligence Executive (ONCIX), and other 
                agencies, as determined by the co-chairs for their 
                respective agencies and to the extent permitted by law. 
                Such personnel must be officers or full-time or 
                permanent part-time employees of the United States. To 
                the extent permitted by law, ONCIX shall provide an 
                appropriate work site and administrative support for 
                the Task Force.

                Sec. 6.3. The Task Force's responsibilities shall 
                include the following:

[[Page 63814]]

                    (a) developing, in coordination with the Executive 
                Agent, a Government-wide policy for the deterrence, 
                detection, and mitigation of insider threats, which 
                shall be submitted to the Steering Committee for 
                appropriate review;
                    (b) in coordination with appropriate agencies, 
                developing minimum standards and guidance for 
                implementation of the insider threat program's 
                Government-wide policy and, within 1 year of the date 
                of this order, issuing those minimum standards and 
                guidance, which shall be binding on the executive 
                branch;
                    (c) if sufficient appropriations or authorizations 
                are obtained, continuing in coordination with 
                appropriate agencies after 1 year from the date of this 
                order to add to or modify those minimum standards and 
                guidance, as appropriate;
                    (d) if sufficient appropriations or authorizations 
                are not obtained, recommending for promulgation by the 
                Office of Management and Budget or the ISOO any 
                additional or modified minimum standards and guidance 
                developed more than 1 year after the date of this 
                order;
                    (e) referring to the Steering Committee for 
                resolution any unresolved issues delaying the timely 
                development and issuance of minimum standards;
                    (f) conducting, in accordance with procedures to be 
                developed by the Task Force, independent assessments of 
                the adequacy of agency programs to implement 
                established policies and minimum standards, and 
                reporting the results of such assessments to the 
                Steering Committee;
                    (g) providing assistance to agencies, as requested, 
                including through the dissemination of best practices; 
                and
                    (h) providing analysis of new and continuing 
                insider threat challenges facing the United States 
                Government.

                Sec. 7. General Provisions. (a) For the purposes of 
                this order, the word ``agencies'' shall have the 
                meaning set forth in section 6.1(b) of Executive Order 
                13526 of December 29, 2009.

                    (b) Nothing in this order shall be construed to 
                change the requirements of Executive Orders 12333 of 
                December 4, 1981, 12829 of January 6, 1993, 12968 of 
                August 2, 1995, 13388 of October 25, 2005, 13467 of 
                June 30, 2008, 13526 of December 29, 2009, 13549 of 
                August 18, 2010, and their successor orders and 
                directives.
                    (c) Nothing in this order shall be construed to 
                supersede or change the authorities of the Secretary of 
                Energy or the Nuclear Regulatory Commission under the 
                Atomic Energy Act of 1954, as amended; the Secretary of 
                Defense under Executive Order 12829, as amended; the 
                Secretary of Homeland Security under Executive Order 
                13549; the Secretary of State under title 22, United 
                States Code, and the Omnibus Diplomatic Security and 
                Antiterrorism Act of 1986; the Director of ISOO under 
                Executive Orders 13526 and 12829, as amended; the PM-
                ISE under Executive Order 13388 or the Intelligence 
                Reform and Terrorism Prevention Act of 2004, as 
                amended; the Director, Central Intelligence Agency 
                under NSD-42 and Executive Order 13286, as amended; the 
                National Counterintelligence Executive, under the 
                Counterintelligence Enhancement Act of 2002; or the 
                Director of National Intelligence under the National 
                Security Act of 1947, as amended, the Intelligence 
                Reform and Terrorism Prevention Act of 2004, as 
                amended, NSD-42, and Executive Orders 12333, as 
                amended, 12968, as amended, 13286, as amended, 13467, 
                and 13526.
                    (d) Nothing in this order shall authorize the 
                Steering Committee, CISSO, CNSS, or the Task Force to 
                examine the facilities or systems of other agencies, 
                without advance consultation with the head of such 
                agency, nor to collect information for any purpose not 
                provided herein.
                    (e) The entities created and the activities 
                directed by this order shall not seek to deter, detect, 
                or mitigate disclosures of information by Government 
                employees or contractors that are lawful under and 
                protected by the Intelligence Community Whistleblower 
                Protection Act of 1998, Whistleblower

[[Page 63815]]

                Protection Act of 1989, Inspector General Act of 1978, 
                or similar statutes, regulations, or policies.
                    (f) With respect to the Intelligence Community, the 
                Director of National Intelligence, after consultation 
                with the heads of affected agencies, may issue such 
                policy directives and guidance as the Director of 
                National Intelligence deems necessary to implement this 
                order.
                    (g) Nothing in this order shall be construed to 
                impair or otherwise affect:

(1) the authority granted by law to an agency, or the head thereof; or

(2) the functions of the Director of the Office of Management and Budget 
relating to budgetary, administrative, or legislative proposals.

                    (h) This order shall be implemented consistent with 
                applicable law and appropriate protections for privacy 
                and civil liberties, and subject to the availability of 
                appropriations.
                    (i) This order is not intended to, and does not, 
                create any right or benefit, substantive or procedural, 
                enforceable at law or in equity by any party against 
                the United States, its departments, agencies, or 
                entities, its officers, employees, or agents, or any 
                other person.
                
                
                    (Presidential Sig.)

                THE WHITE HOUSE,

                    October 7, 2011.

[FR Doc. 2011-26729
Filed 10-12-11; 11:15 am]
Billing code 3295-F2-P