[Federal Register Volume 66, Number 202 (Thursday, October 18, 2001)]
[Presidential Documents]
[Pages 53061-53071]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 01-26509]



[[Page 53061]]

-----------------------------------------------------------------------

Part VI





The President





-----------------------------------------------------------------------



Executive Order 13231--Critical Infrastructure Protection in the 
Information Age


                        Presidential Documents 



Federal Register / Vol. 66, No. 202 / Thursday, October 18, 2001 / 
Presidential Documents

___________________________________________________________________

Title 3--
The President

[[Page 53063]]

                Executive Order 13231 of October 16, 2001

                
Critical Infrastructure Protection in the 
                Information Age

                By the authority vested in me as President by the 
                Constitution and the laws of the United States of 
                America, and in order to ensure protection of 
                information systems for critical infrastructure, 
                including emergency preparedness communications, and 
                the physical assets that support such systems, in the 
                information age, it is hereby ordered as follows:

                Section 1. Policy.

                    (a) The information technology revolution has 
                changed the way business is transacted, government 
                operates, and national defense is conducted. Those 
                three functions now depend on an interdependent network 
                of critical information infrastructures. The protection 
                program authorized by this order shall consist of 
                continuous efforts to secure information systems for 
                critical infrastructure, including emergency 
                preparedness communications, and the physical assets 
                that support such systems. Protection of these systems 
                is essential to the telecommunications, energy, 
                financial services, manufacturing, water, 
                transportation, health care, and emergency services 
                sectors.
                    (b) It is the policy of the United States to 
                protect against disruption of the operation of 
                information systems for critical infrastructure and 
                thereby help to protect the people, economy, essential 
                human and government services, and national security of 
                the United States, and to ensure that any disruptions 
                that occur are infrequent, of minimal duration, and 
                manageable, and cause the least damage possible. The 
                implementation of this policy shall include a voluntary 
                public-private partnership, involving corporate and 
                nongovernmental organizations.

                Sec. 2. Scope. To achieve this policy, there shall be a 
                senior executive branch board to coordinate and have 
                cognizance of Federal efforts and programs that relate 
                to protection of information systems and involve:

                    (a) cooperation with and protection of private 
                sector critical infrastructure, State and local 
                governments' critical infrastructure, and supporting 
                programs in corporate and academic organizations;
                    (b) protection of Federal departments' and 
                agencies' critical infrastructure; and
                    (c) related national security programs.

                Sec. 3. Establishment. I hereby establish the 
                ``President's Critical Infrastructure Protection 
                Board'' (the ``Board'').

                Sec. 4. Continuing Authorities. This order does not 
                alter the existing authorities or roles of United 
                States Government departments and agencies. Authorities 
                set forth in 44 U.S.C. Chapter 35, and other applicable 
                law, provide senior officials with responsibility for 
                the security of Federal Government information systems.

                    (a) Executive Branch Information Systems Security. 
                The Director of the Office of Management and Budget 
                (OMB) has the responsibility to develop and oversee the 
                implementation of government-wide policies, principles, 
                standards, and guidelines for the security of 
                information systems that support the executive branch 
                departments and agencies, except those noted in section 
                4(b) of this order. The Director of OMB shall advise 
                the President and the appropriate department or agency 
                head when there is a critical deficiency in the 
                security practices within the purview of this section 
                in an executive branch department or agency. The Board 
                shall assist and support the Director

[[Page 53064]]

                of OMB in this function and shall be reasonably 
                cognizant of programs related to security of department 
                and agency information systems.
                    (b) National Security Information Systems. The 
                Secretary of Defense and the Director of Central 
                Intelligence (DCI) shall have responsibility to 
                oversee, develop, and ensure implementation of 
                policies, principles, standards, and guidelines for the 
                security of information systems that support the 
                operations under their respective control. In 
                consultation with the Assistant to the President for 
                National Security Affairs and the affected departments 
                and agencies, the Secretary of Defense and the DCI 
                shall develop policies, principles, standards, and 
                guidelines for the security of national security 
                information systems that support the operations of 
                other executive branch departments and agencies with 
                national security information.

(i)

 Policies, principles, standards, and guidelines developed under this 
subsection may require more stringent protection than those developed in 
accordance with subsection 4(a) of this order.

(ii)

 The Assistant to the President for National Security Affairs shall advise 
the President and the appropriate department or agency head when there is a 
critical deficiency in the security practices of a department or agency 
within the purview of this section. The Board, or one of its standing or ad 
hoc committees, shall be reasonably cognizant of programs to provide 
security and continuity to national security information systems.

                    (c) Additional Responsibilities: The Heads of 
                Executive Branch Departments and Agencies. The heads of 
                executive branch departments and agencies are 
                responsible and accountable for providing and 
                maintaining adequate levels of security for information 
                systems, including emergency preparedness 
                communications systems, for programs under their 
                control. Heads of such departments and agencies shall 
                ensure the development and, within available 
                appropriations, funding of programs that adequately 
                address these mission areas. Cost-effective security 
                shall be built into and made an integral part of 
                government information systems, especially those 
                critical systems that support the national security and 
                other essential government programs. Additionally, 
                security should enable, and not unnecessarily impede, 
                department and agency business operations.

                Sec. 5. Board Responsibilities. Consistent with the 
                responsibilities noted in section 4 of this order, the 
                Board shall recommend policies and coordinate programs 
                for protecting information systems for critical 
                infrastructure, including emergency preparedness 
                communications, and the physical assets that support 
                such systems. Among its activities to implement these 
                responsibilities, the Board shall:

                    (a) Outreach to the Private Sector and State and 
                Local Governments. In consultation with affected 
                executive branch departments and agencies, coordinate 
                outreach to and consultation with the private sector, 
                including corporations that own, operate, develop, and 
                equip information, telecommunications, transportation, 
                energy, water, health care, and financial services, on 
                protection of information systems for critical 
                infrastructure, including emergency preparedness 
                communications, and the physical assets that support 
                such systems; and coordinate outreach to State and 
                local governments, as well as communities and 
                representatives from academia and other relevant 
                elements of society.

(i)

 When requested to do so, assist in the development of voluntary standards 
and best practices in a manner consistent with 15 U.S.C. Chapter 7;

(ii)

 Consult with potentially affected communities, including the legal, 
auditing, financial, and insurance communities, to the extent permitted by 
law, to determine areas of mutual concern; and

[[Page 53065]]

(iii)

 Coordinate the activities of senior liaison officers appointed by the 
Attorney General, the Secretaries of Energy, Commerce, Transportation, the 
Treasury, and Health and Human Services, and the Director of the Federal 
Emergency Management Agency for outreach on critical infrastructure 
protection issues with private sector organizations within the areas of 
concern to these departments and agencies. In these and other related 
functions, the Board shall work in coordination with the Critical 
Infrastructure Assurance Office (CIAO) and the National Institute of 
Standards and Technology of the Department of Commerce, the National 
Infrastructure Protection Center (NIPC), and the National Communications 
System (NCS).

                    (b) Information Sharing. Work with industry, State 
                and local governments, and nongovernmental 
                organizations to ensure that systems are created and 
                well managed to share threat warning, analysis, and 
                recovery information among government network operation 
                centers, information sharing and analysis centers 
                established on a voluntary basis by industry, and other 
                related operations centers. In this and other related 
                functions, the Board shall work in coordination with 
                the NCS, the Federal Computer Incident Response Center, 
                the NIPC, and other departments and agencies, as 
                appropriate.
                    (c) Incident Coordination and Crisis Response. 
                Coordinate programs and policies for responding to 
                information systems security incidents that threaten 
                information systems for critical infrastructure, 
                including emergency preparedness communications, and 
                the physical assets that support such systems. In this 
                function, the Department of Justice, through the NIPC 
                and the Manager of the NCS and other departments and 
                agencies, as appropriate, shall work in coordination 
                with the Board.
                    (d) Recruitment, Retention, and Training Executive 
                Branch Security Professionals. In consultation with 
                executive branch departments and agencies, coordinate 
                programs to ensure that government employees with 
                responsibilities for protecting information systems for 
                critical infrastructure, including emergency 
                preparedness communications, and the physical assets 
                that support such systems, are adequately trained and 
                evaluated. In this function, the Office of Personnel 
                Management shall work in coordination with the Board, 
                as appropriate.
                    (e) Research and Development. Coordinate with the 
                Director of the Office of Science and Technology Policy 
                (OSTP) on a program of Federal Government research and 
                development for protection of information systems for 
                critical infrastructure, including emergency 
                preparedness communications, and the physical assets 
                that support such systems, and ensure coordination of 
                government activities in this field with corporations, 
                universities, Federally funded research centers, and 
                national laboratories. In this function, the Board 
                shall work in coordination with the National Science 
                Foundation, the Defense Advanced Research Projects 
                Agency, and with other departments and agencies, as 
                appropriate.
                    (f) Law Enforcement Coordination with National 
                Security Components. Promote programs against cyber 
                crime and assist Federal law enforcement agencies in 
                gaining necessary cooperation from executive branch 
                departments and agencies. Support Federal law 
                enforcement agencies' investigation of illegal 
                activities involving information systems for critical 
                infrastructure, including emergency preparedness 
                communications, and the physical assets that support 
                such systems, and support coordination by these 
                agencies with other departments and agencies with 
                responsibilities to defend the Nation's security. In 
                this function, the Board shall work in coordination 
                with the Department of Justice, through the NIPC, and 
                the Department of the Treasury, through the Secret 
                Service, and with other departments and agencies, as 
                appropriate.
                    (g) International Information Infrastructure 
                Protection. Support the Department of State's 
                coordination of United States Government programs for 
                international cooperation covering international 
                information infrastructure protection issues.

[[Page 53066]]

                    (h) Legislation. In accordance with OMB circular A-
                19, advise departments and agencies, the Director of 
                OMB, and the Assistant to the President for Legislative 
                Affairs on legislation relating to protection of 
                information systems for critical infrastructure, 
                including emergency preparedness communications, and 
                the physical assets that support such systems.
                    (i) Coordination with Office of Homeland Security. 
                Carry out those functions relating to protection of and 
                recovery from attacks against information systems for 
                critical infrastructure, including emergency 
                preparedness communications, that were assigned to the 
                Office of Homeland Security by Executive Order 13228 of 
                October 8, 2001. The Assistant to the President for 
                Homeland Security, in coordination with the Assistant 
                to the President for National Security Affairs, shall 
                be responsible for defining the responsibilities of the 
                Board in coordinating efforts to protect physical 
                assets that support information systems.

                Sec. 6. Membership. (a) Members of the Board shall be 
                drawn from the executive branch departments, agencies, 
                and offices listed below; in addition, concerned 
                Federal departments and agencies may participate in the 
                activities of appropriate committees of the Board. The 
                Board shall be led by a Chair and Vice Chair, 
                designated by the President. Its other members shall be 
                the following senior officials or their designees:

  (i) Secretary of State;

  (ii) Secretary of the Treasury;

  (iii) Secretary of Defense;

  (iv) Attorney General;

  (v) Secretary of Commerce;

  (vi) Secretary of Health and Human Services;

  (vii) Secretary of Transportation;

  (viii) Secretary of Energy;

  (ix) Director of Central Intelligence;

  (x) Chairman of the Joint Chiefs of Staff;

  (xi) Director of the Federal Emergency Management Agency;

  (xii) Administrator of General Services;

  (xiii) Director of the Office of Management and Budget;

  (xiv) Director of the Office of Science and Technology Policy;

  (xv) Chief of Staff to the Vice President;

  (xvi) Director of the National Economic Council;

  (xvii) Assistant to the President for National Security Affairs;

  (xviii) Assistant to the President for Homeland Security;

  (xix) Chief of Staff to the President; and

  (xx) Such other executive branch officials as the President may 
designate.

                    Members of the Board and their designees shall be 
                full-time or permanent part-time officers or employees 
                of the Federal Government.
                    (b) In addition, the following officials shall 
                serve as members of the Board and shall form the 
                Board's Coordination Committee:

(i)

 Director, Critical Infrastructure Assurance Office, Department of 
Commerce;

(ii)

 Manager, National Communications System;

(iii)

 Vice Chair, Chief Information Officers' (CIO) Council;

(iv)

 Information Assurance Director, National Security Agency;

(v)

 Deputy Director of Central Intelligence for Community Management; and

(vi)

 Director, National Infrastructure Protection Center, Federal Bureau of 
Investigation, Department of Justice.

[[Page 53067]]

                    (c) The Chairman of the Federal Communications 
                Commission may appoint a representative to the Board.

                Sec. 7. Chair. (a) The Chair also shall be the Special 
                Advisor to the President for Cyberspace Security. 
                Executive branch departments and agencies shall make 
                all reasonable efforts to keep the Chair fully informed 
                in a timely manner, and to the greatest extent 
                permitted by law, of all programs and issues within the 
                purview of the Board. The Chair, in consultation with 
                the Board, shall call and preside at meetings of the 
                Board and set the agenda for the Board. The Chair, in 
                consultation with the Board, may propose policies and 
                programs to appropriate officials to ensure the 
                protection of the Nation's information systems for 
                critical infrastructure, including emergency 
                preparedness communications, and the physical assets 
                that support such systems. To ensure full coordination 
                between the responsibilities of the National Security 
                Council (NSC) and the Office of Homeland Security, the 
                Chair shall report to both the Assistant to the 
                President for National Security Affairs and to the 
                Assistant to the President for Homeland Security. The 
                Chair shall coordinate with the Assistant to the 
                President for Economic Policy on issues relating to 
                private sector systems and economic effects and with 
                the Director of OMB on issues relating to budgets and 
                the security of computer networks addressed in 
                subsection 4(a) of this order.

                    (b) The Chair shall be assisted by an appropriately 
                sized staff within the White House Office. In addition, 
                heads of executive branch departments and agencies are 
                authorized, to the extent permitted by law, to detail 
                or assign personnel of such departments and agencies to 
                the Board's staff upon request of the Chair, subject to 
                the approval of the Chief of Staff to the President. 
                Members of the Board's staff with responsibilities 
                relating to national security information systems, 
                communications, and information warfare may, with 
                respect to those responsibilities, also work at the 
                direction of the Assistant to the President for 
                National Security Affairs.

                Sec. 8. Standing Committees. (a) The Board may 
                establish standing and ad hoc committees as 
                appropriate. Representation on standing committees 
                shall not be limited to those departments and agencies 
                on the Board, but may include representatives of other 
                concerned executive branch departments and agencies.

                    (b) Chairs of standing and ad hoc committees shall 
                report fully and regularly on the activities of the 
                committees to the Board, which shall ensure that the 
                committees are well coordinated with each other.
                    (c) There are established the following standing 
                committees:

(i)

 Private Sector and State and Local Government Outreach, chaired by the 
designee of the Secretary of Commerce, to work in coordination with the 
designee of the Chairman of the National Economic Council.

(ii)

 Executive Branch Information Systems Security, chaired by the designee of 
the Director of OMB. The committee shall assist OMB in fulfilling its 
responsibilities under 44 U.S.C. Chapter 35 and other applicable law.

(iii)

 National Security Systems. The National Security Telecommunications and 
Information Systems Security Committee, as established by and consistent 
with NSD-42 and chaired by the Department of Defense, shall serve as a 
Board standing committee, and be redesignated the Committee on National 
Security Systems.

(iv)

 Incident Response Coordination, co-chaired by the designees of the 
Attorney General and the Secretary of Defense.

(v)

 Research and Development, chaired by a designee of the Director of OSTP.

[[Page 53068]]

(vi)

 National Security and Emergency Preparedness Communications. The NCS 
Committee of Principals is renamed the Board's Committee for National 
Security and Emergency Preparedness Communications. The reporting functions 
established above for standing committees are in addition to the functions 
set forth in Executive Order 12472 of April 3, 1984, and do not alter any 
function or role set forth therein.

(vii)

 Physical Security, co-chaired by the designees of the Secretary of Defense 
and the Attorney General, to coordinate programs to ensure the physical 
security of information systems for critical infrastructure, including 
emergency preparedness communications, and the physical assets that support 
such systems. The standing committee shall coordinate its work with the 
Office of Homeland Security and shall work closely with the Physical 
Security Working Group of the Records Access and Information Security 
Policy Coordinating Committee to ensure coordination of efforts.

(viii)

 Infrastructure Interdependencies, co-chaired by the designees of the 
Secretaries of Transportation and Energy, to coordinate programs to assess 
the unique risks, threats, and vulnerabilities associated with the 
interdependency of information systems for critical infrastructures, 
including the development of effective models, simulations, and other 
analytic tools and cost-effective technologies in this area.

(ix)

 International Affairs, chaired by a designee of the Secretary of State, to 
support Department of State coordination of United States Government 
programs for international cooperation covering international information 
infrastructure issues.

(x)

 Financial and Banking Information Infrastructure, chaired by a designee of 
the Secretary of the Treasury and including representatives of the banking 
and financial institution regulatory agencies.

(xi)

 Other Committees. Such other standing committees as may be established by 
the Board.

                    (d) Subcommittees. The chair of each standing 
                committee may form necessary subcommittees with 
                organizational representation as determined by the 
                Chair.
                    (e) Streamlining. The Board shall develop 
                procedures that specify the manner in which it or a 
                subordinate committee will perform the responsibilities 
                previously assigned to the Policy Coordinating 
                Committee. The Board, in coordination with the Director 
                of OSTP, shall review the functions of the Joint 
                Telecommunications Resources Board, established under 
                Executive Order 12472, and make recommendations about 
                its future role.

                Sec. 9. Planning and Budget. (a) The Board, on a 
                periodic basis, shall propose a National Plan or plans 
                for subjects within its purview. The Board, in 
                coordination with the Office of Homeland Security, also 
                shall make recommendations to OMB on those portions of 
                executive branch department and agency budgets that 
                fall within the Board's purview, after review of 
                relevant program requirements and resources.

                    (b) The Office of Administration within the 
                Executive Office of the President shall provide the 
                Board with such personnel, funding, and administrative 
                support, to the extent permitted by law and subject to 
                the availability of appropriations, as directed by the 
                Chief of Staff to carry out the provisions of this 
                order. Only those funds that are available for the 
                Office of Homeland Security, established by Executive 
                Order 13228, shall be available for such purposes. To 
                the extent permitted by law and as appropriate, 
                agencies represented on the Board also may provide 
                administrative support for the Board. The National 
                Security Agency shall ensure that the Board's 
                information and communications systems are 
                appropriately secured.
                    (c) The Board may annually request the National 
                Science Foundation, Department of Energy, Department of 
                Transportation, Environmental Protection Agency, 
                Department of Commerce, Department of Defense, and the 
                Intelligence Community, as that term is defined in 
                Executive Order 12333

[[Page 53069]]

                of December 4, 1981, to include in their budget 
                requests to OMB funding for demonstration projects and 
                research to support the Board's activities.

                Sec. 10. Presidential Advisory Panels. The Chair shall 
                work closely with panels of senior experts from outside 
                of the government that advise the President, in 
                particular: the President's National Security 
                Telecommunications Advisory Committee (NSTAC) created 
                by Executive Order 12382 of September 13, 1982, as 
                amended, and the National Infrastructure Advisory 
                Council (NIAC or Council) created by this Executive 
                Order. The Chair and Vice Chair of these two panels 
                also may meet with the Board, as appropriate and to the 
                extent permitted by law, to provide a private sector 
                perspective.

                    (a) NSTAC. The NSTAC provides the President advice 
                on the security and continuity of communications 
                systems essential for national security and emergency 
                preparedness.
                    (b) NIAC. There is hereby established the National 
                Infrastructure Advisory Council, which shall provide 
                the President advice on the security of information 
                systems for critical infrastructure supporting other 
                sectors of the economy: banking and finance, 
                transportation, energy, manufacturing, and emergency 
                government services. The NIAC shall be composed of not 
                more than 30 members appointed by the President. The 
                members of the NIAC shall be selected from the private 
                sector, academia, and State and local government. 
                Members of the NIAC shall have expertise relevant to 
                the functions of the NIAC and generally shall be 
                selected from industry Chief Executive Officers (and 
                equivalently ranked leaders in other organizations) 
                with responsibilities for the security of information 
                infrastructure supporting the critical sectors of the 
                economy, including banking and finance, transportation, 
                energy, communications, and emergency government 
                services. Members shall not be full-time officials or 
                employees of the executive branch of the Federal 
                Government.

(i)

 The President shall designate a Chair and Vice Chair from among the 
members of the NIAC.

(ii)

 The Chair of the Board established by this order will serve as the 
Executive Director of the NIAC.

                    (c) NIAC Functions. The NIAC will meet periodically 
                to:

(i)

 enhance the partnership of the public and private sectors in protecting 
information systems for critical infrastructures and provide reports on 
this issue to the President, as appropriate;

(ii)

 propose and develop ways to encourage private industry to perform periodic 
risk assessments of critical information and telecommunications systems;

(iii)

 monitor the development of private sector Information Sharing and Analysis 
Centers (ISACs) and provide recommendations to the Board on how these 
organizations can best foster improved cooperation among the ISACs, the 
NIPC, and other Federal Government entities;

(iv)

 report to the President through the Board, which shall ensure appropriate 
coordination with the Assistant to the President for Economic Policy under 
the terms of this order; and

(v)

 advise lead agencies with critical infrastructure responsibilities, sector 
coordinators, the NIPC, the ISACs, and the Board.

                    (d) Administration of the NIAC.

(i)

 The NIAC may hold hearings, conduct inquiries, and establish 
subcommittees, as appropriate.

(ii)

 Upon the request of the Chair, and to the extent permitted by law, the 
heads of the executive branch departments and agencies shall provide the 
Council with information and advice relating to its functions.

(iii)

 Senior Federal Government officials may participate in the meetings of the 
NIAC, as appropriate.

[[Page 53070]]

(iv)

 Members shall serve without compensation for their work on the Council. 
However, members may be allowed travel expenses, including per diem in lieu 
of subsistence, as authorized by law for persons serving intermittently in 
Federal Government service (5 U.S.C. 5701-5707).

(v)

 To the extent permitted by law, and subject to the availability of 
appropriations, the Department of Commerce, through the CIAO, shall provide 
the NIAC with administrative services, staff, and other support services 
and such funds as may be necessary for the performance of the NIAC's 
functions.

                    (e) General Provisions.

(i)

 Insofar as the Federal Advisory Committee Act, as amended (5 U.S.C. App.), 
may apply to the NIAC, the functions of the President under that Act, 
except that of reporting to the Congress, shall be performed by the 
Department of Commerce in accordance with the guidelines and procedures 
established by the Administrator of General Services.

(ii)

 The Council shall terminate 2 years from the date of this order, unless 
extended by the President prior to that date.

(iii)

 Executive Order 13130 of July 14, 1999, is hereby revoked.

                Sec. 11. National Communications System. Changes in 
                technology are causing the convergence of much of 
                telephony, data relay, and internet communications 
                networks into an interconnected network of networks. 
                The NCS and its National Coordinating Center shall 
                support use of telephony, converged information, voice 
                networks, and next generation networks for emergency 
                preparedness and national security communications 
                functions assigned to them in Executive Order 12472. 
                All authorities and assignments of responsibilities to 
                departments and agencies in that order, including the 
                role of the Manager of NCS, remain unchanged except as 
                explicitly modified by this order.

                Sec. 12. Counter-intelligence. The Board shall 
                coordinate its activities with those of the Office of 
                the Counter-intelligence Executive to address the 
                threat to programs within the Board's purview from 
                hostile foreign intelligence services.

                Sec. 13. Classification Authority. I hereby delegate to 
                the Chair the authority to classify information 
                originally as Top Secret, in accordance with Executive 
                Order 12958 of April 17, 1995, as amended, or any 
                successor Executive Order.

                Sec. 14. General Provisions. (a) Nothing in this order 
                shall supersede any requirement made by or under law.

[[Page 53071]]

                    (b) This order does not create any right or 
                benefit, substantive or procedural, enforceable at law 
                or equity, against the United States, its departments, 
                agencies or other entities, its officers or employees, 
                or any other person.

                    (Presidential Sig.)B

                THE WHITE HOUSE,

                     October 16, 2001.

[FR Doc. 01-26509
Filed 10-17-01; 10:32 am]
Billing code 3195-01-P