[Federal Register Volume 76, Number 198 (Thursday, October 13, 2011)]
[Presidential Documents]
[Pages 63811-63815]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-26729]
Executive Order 13587 of October 7, 2011
Structural Reforms To Improve the Security of
Classified Networks and the Responsible Sharing and
Safeguarding of Classified Information
By the authority vested in me as President by the
Constitution and the laws of the United States of
America and in order to ensure the responsible sharing
and safeguarding of classified national security
information (classified information) on computer
networks, it is hereby ordered as follows:
Section 1. Policy. Our Nation's security requires
classified information to be shared immediately with
authorized users around the world but also requires
sophisticated and vigilant means to ensure it is shared
securely. Computer networks have individual and common
vulnerabilities that require coordinated decisions on
risk management.
This order directs structural reforms to ensure
responsible sharing and safeguarding of classified
information on computer networks that shall be
consistent with appropriate protections for privacy and
civil liberties. Agencies bear the primary
responsibility for meeting these twin goals. These
structural reforms will ensure coordinated interagency
development and reliable implementation of policies and
minimum standards regarding information security,
personnel security, and systems security; address both
internal and external security threats and
vulnerabilities; and provide policies and minimum
standards for sharing classified information both
within and outside the Federal Government. These
policies and minimum standards will address all
agencies that operate or access classified computer
networks, all users of classified computer networks
(including contractors and others who operate or access
classified computer networks controlled by the Federal
Government), and all classified information on those
networks.
Sec. 2. General Responsibilities of Agencies.
Sec. 2.1. The heads of agencies that operate or access
classified computer networks shall have responsibility
for appropriately sharing and safeguarding classified
information on computer networks. As part of this
responsibility, they shall:
(a) designate a senior official to be charged with
overseeing classified information sharing and
safeguarding efforts for the agency;
(b) implement an insider threat detection and
prevention program consistent with guidance and
standards developed by the Insider Threat Task Force
established in section 6 of this order;
(c) perform self-assessments of compliance with
policies and standards issued pursuant to sections 3.3,
5.2, and 6.3 of this order, as well as other applicable
policies and standards, the results of which shall be
reported annually to the Senior Information Sharing and
Safeguarding Steering Committee established in section
3 of this order;
(d) provide information and access, as warranted
and consistent with law and section 7(d) of this order,
to enable independent assessments by the Executive
Agent for Safeguarding Classified Information on
Computer Networks and the Insider Threat Task Force of
compliance with relevant established policies and
standards; and
(e) detail or assign staff as appropriate and
necessary to the Classified Information Sharing and
Safeguarding Office and the Insider Threat Task Force
on an ongoing basis.
Sec. 3. Senior Information Sharing and Safeguarding
Steering Committee.
Sec. 3.1. There is established a Senior Information
Sharing and Safeguarding Steering Committee (Steering
Committee) to exercise overall responsibility and
ensure senior-level accountability for the coordinated
interagency development and implementation of policies
and standards regarding the sharing and safeguarding of
classified information on computer networks.
Sec. 3.2. The Steering Committee shall be co-chaired by
senior representatives of the Office of Management and
Budget and the National Security Staff. Members of the
committee shall be officers of the United States as
designated by the heads of the Departments of State,
Defense, Justice, Energy, and Homeland Security, the
Office of the Director of National Intelligence, the
Central Intelligence Agency, and the Information
Security Oversight Office within the National Archives
and Records Administration (ISOO), as well as such
additional agencies as the co-chairs of the Steering
Committee may designate.
Sec. 3.3. The responsibilities of the Steering
Committee shall include:
(a) establishing Government-wide classified
information sharing and safeguarding goals and annually
reviewing executive branch successes and shortcomings
in achieving those goals;
(b) preparing within 90 days of the date of this
order and at least annually thereafter, a report for
the President assessing the executive branch's
successes and shortcomings in sharing and safeguarding
classified information on computer networks and
discussing potential future vulnerabilities;
(c) developing program and budget recommendations
to achieve Government-wide classified information
sharing and safeguarding goals;
(d) coordinating the interagency development and
implementation of priorities, policies, and standards
for sharing and safeguarding classified information on
computer networks;
(e) recommending overarching policies, when
appropriate, for promulgation by the Office of
Management and Budget or the ISOO;
(f) coordinating efforts by agencies, the Executive
Agent, and the Task Force to assess compliance with
established policies and standards and recommending
corrective actions needed to ensure compliance;
(g) providing overall mission guidance for the
Program Manager-Information Sharing Environment (PM-ISE)
with respect to the functions to be performed by
the Classified Information Sharing and Safeguarding
Office established in section 4 of this order; and
(h) referring policy and compliance issues that
cannot be resolved by the Steering Committee to the
Deputies Committee of the National Security Council in
accordance with Presidential Policy Directive/PPD-1 of
February 13, 2009 (Organization of the National
Security Council System).
Sec. 4. Classified Information Sharing and Safeguarding
Office.
Sec. 4.1. There shall be established a Classified
Information Sharing and Safeguarding Office (CISSO)
within and subordinate to the office of the PM-ISE to
provide expert, full-time, sustained focus on
responsible sharing and safeguarding of classified
information on computer networks. Staff of the CISSO
shall include detailees, as needed and appropriate,
from agencies represented on the Steering Committee.
Sec. 4.2. The responsibilities of CISSO shall include:
(a) providing staff support for the Steering
Committee;
(b) advising the Executive Agent for Safeguarding
Classified Information on Computer Networks and the
Insider Threat Task Force on the development of an
effective program to monitor compliance with
established policies
and standards needed to achieve classified information
sharing and safeguarding goals; and
(c) consulting with the Departments of State,
Defense, and Homeland Security, the ISOO, the Office of
the Director of National Intelligence, and others, as
appropriate, to ensure consistency with policies and
standards under Executive Order 13526 of December 29,
2009, Executive Order 12829 of January 6, 1993, as
amended, Executive Order 13549 of August 18, 2010, and
Executive Order 13556 of November 4, 2010.
Sec. 5. Executive Agent for Safeguarding Classified
Information on Computer Networks.
Sec. 5.1. The Secretary of Defense and the Director,
National Security Agency, shall jointly act as the
Executive Agent for Safeguarding Classified Information
on Computer Networks (the "Executive Agent"),
exercising the existing authorities of the Executive
Agent and National Manager for national security
systems, respectively, under National Security
Directive/NSD-42 of July 5, 1990, as supplemented by
and subject to this order.
Sec. 5.2. The Executive Agent's responsibilities, in
addition to those specified by NSD-42, shall include
the following:
(a) developing effective technical safeguarding
policies and standards in coordination with the
Committee on National Security Systems (CNSS), as
re-designated by Executive Orders 13286 of February 28,
2003, and 13231 of October 16, 2001, that address the
safeguarding of classified information within national
security systems, as well as the safeguarding of
national security systems themselves;
(b) referring to the Steering Committee for
resolution any unresolved issues delaying the Executive
Agent's timely development and issuance of technical
policies and standards;
(c) reporting at least annually to the Steering
Committee on the work of CNSS, including
recommendations for any changes needed to improve the
timeliness and effectiveness of that work; and
(d) conducting independent assessments of agency
compliance with established safeguarding policies and
standards, and reporting the results of such
assessments to the Steering Committee.
Sec. 6. Insider Threat Task Force.
Sec. 6.1. There is established an interagency Insider
Threat Task Force that shall develop a Government-wide
program (insider threat program) for deterring,
detecting, and mitigating insider threats, including
the safeguarding of classified information from
exploitation, compromise, or other unauthorized
disclosure, taking into account risk levels, as well as
the distinct needs, missions, and systems of individual
agencies. This program shall include development of
policies, objectives, and priorities for establishing
and integrating security, counterintelligence, user
audits and monitoring, and other safeguarding
capabilities and practices within agencies.
Sec. 6.2. The Task Force shall be co-chaired by the
Attorney General and the Director of National
Intelligence, or their designees. Membership on the
Task Force shall be composed of officers of the United
States from, and designated by the heads of, the
Departments of State, Defense, Justice, Energy, and
Homeland Security, the Office of the Director of
National Intelligence, the Central Intelligence Agency,
and the ISOO, as well as such additional agencies as
the co-chairs of the Task Force may designate. It shall
be staffed by personnel from the Federal Bureau of
Investigation and the Office of the National
Counterintelligence Executive (ONCIX), and other
agencies, as determined by the co-chairs for their
respective agencies and to the extent permitted by law.
Such personnel must be officers or full-time or
permanent part-time employees of the United States. To
the extent permitted by law, ONCIX shall provide an
appropriate work site and administrative support for
the Task Force.
Sec. 6.3. The Task Force's responsibilities shall
include the following:
(a) developing, in coordination with the Executive
Agent, a Government-wide policy for the deterrence,
detection, and mitigation of insider threats, which
shall be submitted to the Steering Committee for
appropriate review;
(b) in coordination with appropriate agencies,
developing minimum standards and guidance for
implementation of the insider threat program's
Government-wide policy and, within 1 year of the date
of this order, issuing those minimum standards and
guidance, which shall be binding on the executive
branch;
(c) if sufficient appropriations or authorizations
are obtained, continuing in coordination with
appropriate agencies after 1 year from the date of this
order to add to or modify those minimum standards and
guidance, as appropriate;
(d) if sufficient appropriations or authorizations
are not obtained, recommending for promulgation by the
Office of Management and Budget or the ISOO any
additional or modified minimum standards and guidance
developed more than 1 year after the date of this
order;
(e) referring to the Steering Committee for
resolution any unresolved issues delaying the timely
development and issuance of minimum standards;
(f) conducting, in accordance with procedures to be
developed by the Task Force, independent assessments of
the adequacy of agency programs to implement
established policies and minimum standards, and
reporting the results of such assessments to the
Steering Committee;
(g) providing assistance to agencies, as requested,
including through the dissemination of best practices;
and
(h) providing analysis of new and continuing
insider threat challenges facing the United States
Government.
Sec. 7. General Provisions. (a) For the purposes of
this order, the word "agencies" shall have the
meaning set forth in section 6.1(b) of Executive Order
13526 of December 29, 2009.
(b) Nothing in this order shall be construed to
change the requirements of Executive Orders 12333 of
December 4, 1981, 12829 of January 6, 1993, 12968 of
August 2, 1995, 13388 of October 25, 2005, 13467 of
June 30, 2008, 13526 of December 29, 2009, 13549 of
August 18, 2010, and their successor orders and
directives.
(c) Nothing in this order shall be construed to
supersede or change the authorities of the Secretary of
Energy or the Nuclear Regulatory Commission under the
Atomic Energy Act of 1954, as amended; the Secretary of
Defense under Executive Order 12829, as amended; the
Secretary of Homeland Security under Executive Order
13549; the Secretary of State under title 22, United
States Code, and the Omnibus Diplomatic Security and
Antiterrorism Act of 1986; the Director of ISOO under
Executive Orders 13526 and 12829, as amended; the
PM-ISE under Executive Order 13388 or the Intelligence
Reform and Terrorism Prevention Act of 2004, as
amended; the Director, Central Intelligence Agency
under NSD-42 and Executive Order 13286, as amended; the
National Counterintelligence Executive, under the
Counterintelligence Enhancement Act of 2002; or the
Director of National Intelligence under the National
Security Act of 1947, as amended, the Intelligence
Reform and Terrorism Prevention Act of 2004, as
amended, NSD-42, and Executive Orders 12333, as
amended, 12968, as amended, 13286, as amended, 13467,
and 13526.
(d) Nothing in this order shall authorize the
Steering Committee, CISSO, CNSS, or the Task Force to
examine the facilities or systems of other agencies,
without advance consultation with the head of such
agency, nor to collect information for any purpose not
provided herein.
(e) The entities created and the activities
directed by this order shall not seek to deter, detect,
or mitigate disclosures of information by Government
employees or contractors that are lawful under and
protected by the Intelligence Community Whistleblower
Protection Act of 1998, Whistleblower
Protection Act of 1989, Inspector General Act of 1978,
or similar statutes, regulations, or policies.
(f) With respect to the Intelligence Community, the
Director of National Intelligence, after consultation
with the heads of affected agencies, may issue such
policy directives and guidance as the Director of
National Intelligence deems necessary to implement this
order.
(g) Nothing in this order shall be construed to
impair or otherwise affect:
(1) the authority granted by law to an agency, or the head thereof; or
(2) the functions of the Director of the Office of Management and Budget
relating to budgetary, administrative, or legislative proposals.
(h) This order shall be implemented consistent with
applicable law and appropriate protections for privacy
and civil liberties, and subject to the availability of
appropriations.
(i) This order is not intended to, and does not,
create any right or benefit, substantive or procedural,
enforceable at law or in equity by any party against
the United States, its departments, agencies, or
entities, its officers, employees, or agents, or any
other person.
(Presidential Sig.)
THE WHITE HOUSE,
October 7, 2011.
[FR Doc. 2011-26729
Filed 10-12-11; 11:15 am]
Billing code 3295-F2-P