[Federal Register Volume 78, Number 33 (Tuesday, February 19, 2013)]
[Presidential Documents]
[Pages 11737-11744]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2013-03915]



[[Page 11737]]

Vol. 78

Tuesday,

No. 33

February 19, 2013

Part III





The President





-----------------------------------------------------------------------



Executive Order 13636--Improving Critical Infrastructure Cybersecurity


                        Presidential Documents 



Federal Register / Vol. 78 , No. 33 / Tuesday, February 19, 2013 / 
Presidential Documents

___________________________________________________________________

Title 3--
The President

[[Page 11739]]

                Executive Order 13636 of February 12, 2013

                
Improving Critical Infrastructure Cybersecurity

                By the authority vested in me as President by the 
                Constitution and the laws of the United States of 
                America, it is hereby ordered as follows:

                Section 1. Policy. Repeated cyber intrusions into 
                critical infrastructure demonstrate the need for 
                improved cybersecurity. The cyber threat to critical 
                infrastructure continues to grow and represents one of 
                the most serious national security challenges we must 
                confront. The national and economic security of the 
                United States depends on the reliable functioning of 
                the Nation's critical infrastructure in the face of 
                such threats. It is the policy of the United States to 
                enhance the security and resilience of the Nation's 
                critical infrastructure and to maintain a cyber 
                environment that encourages efficiency, innovation, and 
                economic prosperity while promoting safety, security, 
                business confidentiality, privacy, and civil liberties. 
                We can achieve these goals through a partnership with 
                the owners and operators of critical infrastructure to 
                improve cybersecurity information sharing and 
                collaboratively develop and implement risk-based 
                standards.

                Sec. 2. Critical Infrastructure. As used in this order, 
                the term critical infrastructure means systems and 
                assets, whether physical or virtual, so vital to the 
                United States that the incapacity or destruction of 
                such systems and assets would have a debilitating 
                impact on security, national economic security, 
                national public health or safety, or any combination of 
                those matters.

                Sec. 3. Policy Coordination. Policy coordination, 
                guidance, dispute resolution, and periodic in-progress 
                reviews for the functions and programs described and 
                assigned herein shall be provided through the 
                interagency process established in Presidential Policy 
                Directive-1 of February 13, 2009 (Organization of the 
                National Security Council System), or any successor.

                Sec. 4. Cybersecurity Information Sharing. (a) It is 
                the policy of the United States Government to increase 
                the volume, timeliness, and quality of cyber threat 
                information shared with U.S. private sector entities so 
                that these entities may better protect and defend 
                themselves against cyber threats. Within 120 days of 
                the date of this order, the Attorney General, the 
                Secretary of Homeland Security (the ``Secretary''), and 
                the Director of National Intelligence shall each issue 
                instructions consistent with their authorities and with 
                the requirements of section 12(c) of this order to 
                ensure the timely production of unclassified reports of 
                cyber threats to the U.S. homeland that identify a 
                specific targeted entity. The instructions shall 
                address the need to protect intelligence and law 
                enforcement sources, methods, operations, and 
                investigations.

                    (b) The Secretary and the Attorney General, in 
                coordination with the Director of National 
                Intelligence, shall establish a process that rapidly 
                disseminates the reports produced pursuant to section 
                4(a) of this order to the targeted entity. Such process 
                shall also, consistent with the need to protect 
                national security information, include the 
                dissemination of classified reports to critical 
                infrastructure entities authorized to receive them. The 
                Secretary and the Attorney General, in coordination 
                with the Director of National Intelligence, shall 
                establish a system for tracking the production, 
                dissemination, and disposition of these reports.
                    (c) To assist the owners and operators of critical 
                infrastructure in protecting their systems from 
                unauthorized access, exploitation, or harm, the 
                Secretary, consistent with 6 U.S.C. 143 and in 
                collaboration with the Secretary of

[[Page 11740]]

                Defense, shall, within 120 days of the date of this 
                order, establish procedures to expand the Enhanced 
                Cybersecurity Services program to all critical 
                infrastructure sectors. This voluntary information 
                sharing program will provide classified cyber threat 
                and technical information from the Government to 
                eligible critical infrastructure companies or 
                commercial service providers that offer security 
                services to critical infrastructure.
                    (d) The Secretary, as the Executive Agent for the 
                Classified National Security Information Program 
                created under Executive Order 13549 of August 18, 2010 
                (Classified National Security Information Program for 
                State, Local, Tribal, and Private Sector Entities), 
                shall expedite the processing of security clearances to 
                appropriate personnel employed by critical 
                infrastructure owners and operators, prioritizing the 
                critical infrastructure identified in section 9 of this 
                order.
                    (e) In order to maximize the utility of cyber 
                threat information sharing with the private sector, the 
                Secretary shall expand the use of programs that bring 
                private sector subject-matter experts into Federal 
                service on a temporary basis. These subject matter 
                experts should provide advice regarding the content, 
                structure, and types of information most useful to 
                critical infrastructure owners and operators in 
                reducing and mitigating cyber risks.

                Sec. 5. Privacy and Civil Liberties Protections. (a) 
                Agencies shall coordinate their activities under this 
                order with their senior agency officials for privacy 
                and civil liberties and ensure that privacy and civil 
                liberties protections are incorporated into such 
                activities. Such protections shall be based upon the 
                Fair Information Practice Principles and other privacy 
                and civil liberties policies, principles, and 
                frameworks as they apply to each agency's activities.

                    (b) The Chief Privacy Officer and the Officer for 
                Civil Rights and Civil Liberties of the Department of 
                Homeland Security (DHS) shall assess the privacy and 
                civil liberties risks of the functions and programs 
                undertaken by DHS as called for in this order and shall 
                recommend to the Secretary ways to minimize or mitigate 
                such risks, in a publicly available report, to be 
                released within 1 year of the date of this order. 
                Senior agency privacy and civil liberties officials for 
                other agencies engaged in activities under this order 
                shall conduct assessments of their agency activities 
                and provide those assessments to DHS for consideration 
                and inclusion in the report. The report shall be 
                reviewed on an annual basis and revised as necessary. 
                The report may contain a classified annex if necessary. 
                Assessments shall include evaluation of activities 
                against the Fair Information Practice Principles and 
                other applicable privacy and civil liberties policies, 
                principles, and frameworks. Agencies shall consider the 
                assessments and recommendations of the report in 
                implementing privacy and civil liberties protections 
                for agency activities.
                    (c) In producing the report required under 
                subsection (b) of this section, the Chief Privacy 
                Officer and the Officer for Civil Rights and Civil 
                Liberties of DHS shall consult with the Privacy and 
                Civil Liberties Oversight Board and coordinate with the 
                Office of Management and Budget (OMB).
                    (d) Information submitted voluntarily in accordance 
                with 6 U.S.C. 133 by private entities under this order 
                shall be protected from disclosure to the fullest 
                extent permitted by law.

                Sec. 6. Consultative Process. The Secretary shall 
                establish a consultative process to coordinate 
                improvements to the cybersecurity of critical 
                infrastructure. As part of the consultative process, 
                the Secretary shall engage and consider the advice, on 
                matters set forth in this order, of the Critical 
                Infrastructure Partnership Advisory Council; Sector 
                Coordinating Councils; critical infrastructure owners 
                and operators; Sector-Specific Agencies; other relevant 
                agencies; independent regulatory agencies; State, 
                local, territorial, and tribal governments; 
                universities; and outside experts.

                Sec. 7. Baseline Framework to Reduce Cyber Risk to 
                Critical Infrastructure. (a) The Secretary of Commerce 
                shall direct the Director of the National

[[Page 11741]]

                Institute of Standards and Technology (the 
                ``Director'') to lead the development of a framework to 
                reduce cyber risks to critical infrastructure (the 
                ``Cybersecurity Framework''). The Cybersecurity 
                Framework shall include a set of standards, 
                methodologies, procedures, and processes that align 
                policy, business, and technological approaches to 
                address cyber risks. The Cybersecurity Framework shall 
                incorporate voluntary consensus standards and industry 
                best practices to the fullest extent possible. The 
                Cybersecurity Framework shall be consistent with 
                voluntary international standards when such 
                international standards will advance the objectives of 
                this order, and shall meet the requirements of the 
                National Institute of Standards and Technology Act, as 
                amended (15 U.S.C. 271 et seq.), the National 
                Technology Transfer and Advancement Act of 1995 (Public 
                Law 104-113), and OMB Circular A-119, as revised.

                    (b) The Cybersecurity Framework shall provide a 
                prioritized, flexible, repeatable, performance-based, 
                and cost-effective approach, including information 
                security measures and controls, to help owners and 
                operators of critical infrastructure identify, assess, 
                and manage cyber risk. The Cybersecurity Framework 
                shall focus on identifying cross-sector security 
                standards and guidelines applicable to critical 
                infrastructure. The Cybersecurity Framework will also 
                identify areas for improvement that should be addressed 
                through future collaboration with particular sectors 
                and standards-developing organizations. To enable 
                technical innovation and account for organizational 
                differences, the Cybersecurity Framework will provide 
                guidance that is technology neutral and that enables 
                critical infrastructure sectors to benefit from a 
                competitive market for products and services that meet 
                the standards, methodologies, procedures, and processes 
                developed to address cyber risks. The Cybersecurity 
                Framework shall include guidance for measuring the 
                performance of an entity in implementing the 
                Cybersecurity Framework.
                    (c) The Cybersecurity Framework shall include 
                methodologies to identify and mitigate impacts of the 
                Cybersecurity Framework and associated information 
                security measures or controls on business 
                confidentiality, and to protect individual privacy and 
                civil liberties.
                    (d) In developing the Cybersecurity Framework, the 
                Director shall engage in an open public review and 
                comment process. The Director shall also consult with 
                the Secretary, the National Security Agency, Sector-
                Specific Agencies and other interested agencies 
                including OMB, owners and operators of critical 
                infrastructure, and other stakeholders through the 
                consultative process established in section 6 of this 
                order. The Secretary, the Director of National 
                Intelligence, and the heads of other relevant agencies 
                shall provide threat and vulnerability information and 
                technical expertise to inform the development of the 
                Cybersecurity Framework. The Secretary shall provide 
                performance goals for the Cybersecurity Framework 
                informed by work under section 9 of this order.
                    (e) Within 240 days of the date of this order, the 
                Director shall publish a preliminary version of the 
                Cybersecurity Framework (the ``preliminary 
                Framework''). Within 1 year of the date of this order, 
                and after coordination with the Secretary to ensure 
                suitability under section 8 of this order, the Director 
                shall publish a final version of the Cybersecurity 
                Framework (the ``final Framework'').
                    (f) Consistent with statutory responsibilities, the 
                Director will ensure the Cybersecurity Framework and 
                related guidance is reviewed and updated as necessary, 
                taking into consideration technological changes, 
                changes in cyber risks, operational feedback from 
                owners and operators of critical infrastructure, 
                experience from the implementation of section 8 of this 
                order, and any other relevant factors.

                Sec. 8. Voluntary Critical Infrastructure Cybersecurity 
                Program. (a) The Secretary, in coordination with 
                Sector-Specific Agencies, shall establish a voluntary 
                program to support the adoption of the Cybersecurity 
                Framework by owners and operators of critical 
                infrastructure and any other interested entities (the 
                ``Program'').

[[Page 11742]]

                    (b) Sector-Specific Agencies, in consultation with 
                the Secretary and other interested agencies, shall 
                coordinate with the Sector Coordinating Councils to 
                review the Cybersecurity Framework and, if necessary, 
                develop implementation guidance or supplemental 
                materials to address sector-specific risks and 
                operating environments.
                    (c) Sector-Specific Agencies shall report annually 
                to the President, through the Secretary, on the extent 
                to which owners and operators notified under section 9 
                of this order are participating in the Program.
                    (d) The Secretary shall coordinate establishment of 
                a set of incentives designed to promote participation 
                in the Program. Within 120 days of the date of this 
                order, the Secretary and the Secretaries of the 
                Treasury and Commerce each shall make recommendations 
                separately to the President, through the Assistant to 
                the President for Homeland Security and 
                Counterterrorism and the Assistant to the President for 
                Economic Affairs, that shall include analysis of the 
                benefits and relative effectiveness of such incentives, 
                and whether the incentives would require legislation or 
                can be provided under existing law and authorities to 
                participants in the Program.
                    (e) Within 120 days of the date of this order, the 
                Secretary of Defense and the Administrator of General 
                Services, in consultation with the Secretary and the 
                Federal Acquisition Regulatory Council, shall make 
                recommendations to the President, through the Assistant 
                to the President for Homeland Security and 
                Counterterrorism and the Assistant to the President for 
                Economic Affairs, on the feasibility, security 
                benefits, and relative merits of incorporating security 
                standards into acquisition planning and contract 
                administration. The report shall address what steps can 
                be taken to harmonize and make consistent existing 
                procurement requirements related to cybersecurity.

                Sec. 9. Identification of Critical Infrastructure at 
                Greatest Risk. (a) Within 150 days of the date of this 
                order, the Secretary shall use a risk-based approach to 
                identify critical infrastructure where a cybersecurity 
                incident could reasonably result in catastrophic 
                regional or national effects on public health or 
                safety, economic security, or national security. In 
                identifying critical infrastructure for this purpose, 
                the Secretary shall use the consultative process 
                established in section 6 of this order and draw upon 
                the expertise of Sector-Specific Agencies. The 
                Secretary shall apply consistent, objective criteria in 
                identifying such critical infrastructure. The Secretary 
                shall not identify any commercial information 
                technology products or consumer information technology 
                services under this section. The Secretary shall review 
                and update the list of identified critical 
                infrastructure under this section on an annual basis, 
                and provide such list to the President, through the 
                Assistant to the President for Homeland Security and 
                Counterterrorism and the Assistant to the President for 
                Economic Affairs.

                    (b) Heads of Sector-Specific Agencies and other 
                relevant agencies shall provide the Secretary with 
                information necessary to carry out the responsibilities 
                under this section. The Secretary shall develop a 
                process for other relevant stakeholders to submit 
                information to assist in making the identifications 
                required in subsection (a) of this section.
                    (c) The Secretary, in coordination with Sector-
                Specific Agencies, shall confidentially notify owners 
                and operators of critical infrastructure identified 
                under subsection (a) of this section that they have 
                been so identified, and ensure identified owners and 
                operators are provided the basis for the determination. 
                The Secretary shall establish a process through which 
                owners and operators of critical infrastructure may 
                submit relevant information and request reconsideration 
                of identifications under subsection (a) of this 
                section.

                Sec. 10. Adoption of Framework. (a) Agencies with 
                responsibility for regulating the security of critical 
                infrastructure shall engage in a consultative process 
                with DHS, OMB, and the National Security Staff to 
                review the preliminary Cybersecurity Framework and 
                determine if current cybersecurity regulatory 
                requirements are sufficient given current and projected 
                risks. In making such determination, these agencies 
                shall consider the identification

[[Page 11743]]

                of critical infrastructure required under section 9 of 
                this order. Within 90 days of the publication of the 
                preliminary Framework, these agencies shall submit a 
                report to the President, through the Assistant to the 
                President for Homeland Security and Counterterrorism, 
                the Director of OMB, and the Assistant to the President 
                for Economic Affairs, that states whether or not the 
                agency has clear authority to establish requirements 
                based upon the Cybersecurity Framework to sufficiently 
                address current and projected cyber risks to critical 
                infrastructure, the existing authorities identified, 
                and any additional authority required.

                    (b) If current regulatory requirements are deemed 
                to be insufficient, within 90 days of publication of 
                the final Framework, agencies identified in subsection 
                (a) of this section shall propose prioritized, risk-
                based, efficient, and coordinated actions, consistent 
                with Executive Order 12866 of September 30, 1993 
                (Regulatory Planning and Review), Executive Order 13563 
                of January 18, 2011 (Improving Regulation and 
                Regulatory Review), and Executive Order 13609 of May 1, 
                2012 (Promoting International Regulatory Cooperation), 
                to mitigate cyber risk.
                    (c) Within 2 years after publication of the final 
                Framework, consistent with Executive Order 13563 and 
                Executive Order 13610 of May 10, 2012 (Identifying and 
                Reducing Regulatory Burdens), agencies identified in 
                subsection (a) of this section shall, in consultation 
                with owners and operators of critical infrastructure, 
                report to OMB on any critical infrastructure subject to 
                ineffective, conflicting, or excessively burdensome 
                cybersecurity requirements. This report shall describe 
                efforts made by agencies, and make recommendations for 
                further actions, to minimize or eliminate such 
                requirements.
                    (d) The Secretary shall coordinate the provision of 
                technical assistance to agencies identified in 
                subsection (a) of this section on the development of 
                their cybersecurity workforce and programs.
                    (e) Independent regulatory agencies with 
                responsibility for regulating the security of critical 
                infrastructure are encouraged to engage in a 
                consultative process with the Secretary, relevant 
                Sector-Specific Agencies, and other affected parties to 
                consider prioritized actions to mitigate cyber risks 
                for critical infrastructure consistent with their 
                authorities.

                Sec. 11. Definitions. (a) ``Agency'' means any 
                authority of the United States that is an ``agency'' 
                under 44 U.S.C. 3502(1), other than those considered to 
                be independent regulatory agencies, as defined in 44 
                U.S.C. 3502(5).

                    (b) ``Critical Infrastructure Partnership Advisory 
                Council'' means the council established by DHS under 6 
                U.S.C. 451 to facilitate effective interaction and 
                coordination of critical infrastructure protection 
                activities among the Federal Government; the private 
                sector; and State, local, territorial, and tribal 
                governments.
                    (c) ``Fair Information Practice Principles'' means 
                the eight principles set forth in Appendix A of the 
                National Strategy for Trusted Identities in Cyberspace.
                    (d) ``Independent regulatory agency'' has the 
                meaning given the term in 44 U.S.C. 3502(5).
                    (e) ``Sector Coordinating Council'' means a private 
                sector coordinating council composed of representatives 
                of owners and operators within a particular sector of 
                critical infrastructure established by the National 
                Infrastructure Protection Plan or any successor.
                    (f) ``Sector-Specific Agency'' has the meaning 
                given the term in Presidential Policy Directive-21 of 
                February 12, 2013 (Critical Infrastructure Security and 
                Resilience), or any successor.

                Sec. 12. General Provisions. (a) This order shall be 
                implemented consistent with applicable law and subject 
                to the availability of appropriations. Nothing in this 
                order shall be construed to provide an agency with 
                authority for regulating the security of critical 
                infrastructure in addition to or to a greater

[[Page 11744]]

                extent than the authority the agency has under existing 
                law. Nothing in this order shall be construed to alter 
                or limit any authority or responsibility of an agency 
                under existing law.

                    (b) Nothing in this order shall be construed to 
                impair or otherwise affect the functions of the 
                Director of OMB relating to budgetary, administrative, 
                or legislative proposals.
                    (c) All actions taken pursuant to this order shall 
                be consistent with requirements and authorities to 
                protect intelligence and law enforcement sources and 
                methods. Nothing in this order shall be interpreted to 
                supersede measures established under authority of law 
                to protect the security and integrity of specific 
                activities and associations that are in direct support 
                of intelligence and law enforcement operations.
                    (d) This order shall be implemented consistent with 
                U.S. international obligations.
                    (e) This order is not intended to, and does not, 
                create any right or benefit, substantive or procedural, 
                enforceable at law or in equity by any party against 
                the United States, its departments, agencies, or 
                entities, its officers, employees, or agents, or any 
                other person.
                
                
                    (Presidential Sig.)

                THE WHITE HOUSE,

                    February 12, 2013.

[FR Doc. 2013-03915
Filed 2-15-13; 11:15 am]
Billing code 3295-F3