13 February 2013
Executive Order -- Improving Critical Infrastructure Cybersecurity
Presidential Policy Directive 21:
The White House
Office of the Press Secretary
For Immediate Release
February 12, 2013
Executive Order -- Improving Critical Infrastructure Cybersecurity
- - - - - - -
IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY
By the authority vested in me as President by the Constitution and the laws
of the United States of America, it is hereby ordered as follows:
Section 1. Policy. Repeated cyber intrusions into critical infrastructure
demonstrate the need for improved cybersecurity. The cyber threat to critical
infrastructure continues to grow and represents one of the most serious national
security challenges we must confront. The national and economic security
of the United States depends on the reliable functioning of the Nation's
critical infrastructure in the face of such threats. It is the policy of
the United States to enhance the security and resilience of the Nation's
critical infrastructure and to maintain a cyber environment that encourages
efficiency, innovation, and economic prosperity while promoting safety, security,
business confidentiality, privacy, and civil liberties. We can achieve these
goals through a partnership with the owners and operators of critical
infrastructure to improve cybersecurity information sharing and collaboratively
develop and implement risk-based standards.
Sec. 2. Critical Infrastructure. As used in this order, the term critical
infrastructure means systems and assets, whether physical or virtual, so
vital to the United States that the incapacity or destruction of such systems
and assets would have a debilitating impact on security, national economic
security, national public health or safety, or any combination of those matters.
Sec. 3. Policy Coordination. Policy coordination, guidance, dispute
resolution, and periodic in-progress reviews for the functions and programs
described and assigned herein shall be provided through the interagency process
established in Presidential Policy Directive-1 of February 13, 2009 (Organization
of the National Security Council System), or any successor.
Sec. 4. Cybersecurity Information Sharing.
(a) It is the policy of the United States Government to increase the volume,
timeliness, and quality of cyber threat information shared with U.S. private
sector entities so that these entities may better protect and defend themselves
against cyber threats. Within 120 days of the date of this order, the Attorney
General, the Secretary of Homeland Security (the "Secretary"), and the Director
of National Intelligence shall each issue instructions consistent with their
authorities and with the requirements of section 12(c) of this order to ensure
the timely production of unclassified reports of cyber threats to the U.S.
homeland that identify a specific targeted entity. The instructions shall
address the need to protect intelligence and law enforcement sources, methods,
operations, and investigations.
(b) The Secretary and the Attorney General, in coordination with the Director
of National Intelligence, shall establish a process that rapidly disseminates
the reports produced pursuant to section 4(a) of this order to the targeted
entity. Such process shall also, consistent with the need to protect national
security information, include the dissemination of classified reports to
critical infrastructure entities authorized to receive them. The Secretary
and the Attorney General, in coordination with the Director of National
Intelligence, shall establish a system for tracking the production,
dissemination, and disposition of these reports.
(c) To assist the owners and operators of critical infrastructure in protecting
their systems from unauthorized access, exploitation, or harm, the Secretary,
consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense,
shall, within 120 days of the date of this order, establish procedures to
expand the Enhanced Cybersecurity Services program to all critical infrastructure
sectors. This voluntary information sharing program will provide classified
cyber threat and technical information from the Government to eligible critical
infrastructure companies or commercial service providers that offer security
services to critical infrastructure.
(d) The Secretary, as the Executive Agent for the Classified National Security
Information Program created under Executive Order 13549 of August 18, 2010
(Classified National Security Information Program for State, Local, Tribal,
and Private Sector Entities), shall expedite the processing of security
clearances to appropriate personnel employed by critical infrastructure owners
and operators, prioritizing the critical infrastructure identified in section
9 of this order.
(e) In order to maximize the utility of cyber threat information sharing
with the private sector, the Secretary shall expand the use of programs that
bring private sector subject-matter experts into Federal service on a temporary
basis. These subject matter experts should provide advice regarding the content,
structure, and types of information most useful to critical infrastructure
owners and operators in reducing and mitigating cyber risks.
Sec. 5. Privacy and Civil Liberties Protections.
(a) Agencies shall coordinate their activities under this order with their
senior agency officials for privacy and civil liberties and ensure that privacy
and civil liberties protections are incorporated into such activities. Such
protections shall be based upon the Fair Information Practice Principles
and other privacy and civil liberties policies, principles, and frameworks
as they apply to each agency's activities.
(b) The Chief Privacy Officer and the Officer for Civil Rights and Civil
Liberties of the Department of Homeland Security (DHS) shall assess the privacy
and civil liberties risks of the functions and programs undertaken by DHS
as called for in this order and shall recommend to the Secretary ways to
minimize or mitigate such risks, in a publicly available report, to be released
within 1 year of the date of this order. Senior agency privacy and civil
liberties officials for other agencies engaged in activities under this order
shall conduct assessments of their agency activities and provide those
assessments to DHS for consideration and inclusion in the report. The report
shall be reviewed on an annual basis and revised as necessary. The report
may contain a classified annex if necessary. Assessments shall include evaluation
of activities against the Fair Information Practice Principles and other
applicable privacy and civil liberties policies, principles, and frameworks.
Agencies shall consider the assessments and recommendations of the report
in implementing privacy and civil liberties protections for agency activities.
(c) In producing the report required under subsection (b) of this section,
the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties
of DHS shall consult with the Privacy and Civil Liberties Oversight Board
and coordinate with the Office of Management and Budget (OMB).
(d) Information submitted voluntarily in accordance with 6 U.S.C. 133 by
private entities under this order shall be protected from disclosure to the
fullest extent permitted by law.
Sec. 6. Consultative Process. The Secretary shall establish a consultative
process to coordinate improvements to the cybersecurity of critical
infrastructure. As part of the consultative process, the Secretary shall
engage and consider the advice, on matters set forth in this order, of the
Critical Infrastructure Partnership Advisory Council; Sector Coordinating
Councils; critical infrastructure owners and operators; Sector-Specific Agencies;
other relevant agencies; independent regulatory agencies; State, local,
territorial, and tribal governments; universities; and outside experts.
Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical
(a) The Secretary of Commerce shall direct the Director of the National Institute
of Standards and Technology (the "Director") to lead the development of a
framework to reduce cyber risks to critical infrastructure (the "Cybersecurity
Framework"). The Cybersecurity Framework shall include a set of standards,
methodologies, procedures, and processes that align policy, business, and
technological approaches to address cyber risks. The Cybersecurity Framework
shall incorporate voluntary consensus standards and industry best practices
to the fullest extent possible. The Cybersecurity Framework shall be consistent
with voluntary international standards when such international standards
will advance the objectives of this order, and shall meet the requirements
of the National Institute of Standards and Technology Act, as amended (15
U.S.C. 271 et seq.), the National Technology Transfer and Advancement Act
of 1995 (Public Law 104-113), and OMB Circular A-119, as revised.
(b) The Cybersecurity Framework shall provide a prioritized, flexible,
repeatable, performance-based, and cost-effective approach, including information
security measures and controls, to help owners and operators of critical
infrastructure identify, assess, and manage cyber risk. The Cybersecurity
Framework shall focus on identifying cross-sector security standards and
guidelines applicable to critical infrastructure. The Cybersecurity Framework
will also identify areas for improvement that should be addressed through
future collaboration with particular sectors and standards-developing
organizations. To enable technical innovation and account for organizational
differences, the Cybersecurity Framework will provide guidance that is technology
neutral and that enables critical infrastructure sectors to benefit from
a competitive market for products and services that meet the standards,
methodologies, procedures, and processes developed to address cyber risks.
The Cybersecurity Framework shall include guidance for measuring the performance
of an entity in implementing the Cybersecurity Framework.
(c) The Cybersecurity Framework shall include methodologies to identify and
mitigate impacts of the Cybersecurity Framework and associated information
security measures or controls on business confidentiality, and to protect
individual privacy and civil liberties.
(d) In developing the Cybersecurity Framework, the Director shall engage
in an open public review and comment process. The Director shall also consult
with the Secretary, the National Security Agency, Sector-Specific Agencies
and other interested agencies including OMB, owners and operators of critical
infrastructure, and other stakeholders through the consultative process
established in section 6 of this order. The Secretary, the Director of National
Intelligence, and the heads of other relevant agencies shall provide threat
and vulnerability information and technical expertise to inform the development
of the Cybersecurity Framework. The Secretary shall provide performance goals
for the Cybersecurity Framework informed by work under section 9 of this
(e) Within 240 days of the date of this order, the Director shall publish
a preliminary version of the Cybersecurity Framework (the "preliminary
Framework"). Within 1 year of the date of this order, and after coordination
with the Secretary to ensure suitability under section 8 of this order, the
Director shall publish a final version of the Cybersecurity Framework (the
(f) Consistent with statutory responsibilities, the Director will ensure
the Cybersecurity Framework and related guidance is reviewed and updated
as necessary, taking into consideration technological changes, changes in
cyber risks, operational feedback from owners and operators of critical
infrastructure, experience from the implementation of section 8 of this order,
and any other relevant factors.
Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program.
(a) The Secretary, in coordination with Sector-Specific Agencies, shall establish
a voluntary program to support the adoption of the Cybersecurity Framework
by owners and operators of critical infrastructure and any other interested
entities (the "Program").
(b) Sector-Specific Agencies, in consultation with the Secretary and other
interested agencies, shall coordinate with the Sector Coordinating Councils
to review the Cybersecurity Framework and, if necessary, develop implementation
guidance or supplemental materials to address sector-specific risks and operating
(c) Sector-Specific Agencies shall report annually to the President, through
the Secretary, on the extent to which owners and operators notified under
section 9 of this order are participating in the Program.
(d) The Secretary shall coordinate establishment of a set of incentives designed
to promote participation in the Program. Within 120 days of the date of this
order, the Secretary and the Secretaries of the Treasury and Commerce each
shall make recommendations separately to the President, through the Assistant
to the President for Homeland Security and Counterterrorism and the Assistant
to the President for Economic Affairs, that shall include analysis of the
benefits and relative effectiveness of such incentives, and whether the
incentives would require legislation or can be provided under existing law
and authorities to participants in the Program.
(e) Within 120 days of the date of this order, the Secretary of Defense and
the Administrator of General Services, in consultation with the Secretary
and the Federal Acquisition Regulatory Council, shall make recommendations
to the President, through the Assistant to the President for Homeland Security
and Counterterrorism and the Assistant to the President for Economic Affairs,
on the feasibility, security benefits, and relative merits of incorporating
security standards into acquisition planning and contract administration.
The report shall address what steps can be taken to harmonize and make consistent
existing procurement requirements related to cybersecurity.
Sec. 9. Identification of Critical Infrastructure at Greatest Risk.
(a) Within 150 days of the date of this order, the Secretary shall use a
risk-based approach to identify critical infrastructure where a cybersecurity
incident could reasonably result in catastrophic regional or national effects
on public health or safety, economic security, or national security. In
identifying critical infrastructure for this purpose, the Secretary shall
use the consultative process established in section 6 of this order and draw
upon the expertise of Sector-Specific Agencies. The Secretary shall apply
consistent, objective criteria in identifying such critical infrastructure.
The Secretary shall not identify any commercial information technology products
or consumer information technology services under this section. The Secretary
shall review and update the list of identified critical infrastructure under
this section on an annual basis, and provide such list to the President,
through the Assistant to the President for Homeland Security and Counterterrorism
and the Assistant to the President for Economic Affairs.
(b) Heads of Sector-Specific Agencies and other relevant agencies shall provide
the Secretary with information necessary to carry out the responsibilities
under this section. The Secretary shall develop a process for other relevant
stakeholders to submit information to assist in making the identifications
required in subsection (a) of this section.
(c) The Secretary, in coordination with Sector-Specific Agencies, shall
confidentially notify owners and operators of critical infrastructure identified
under subsection (a) of this section that they have been so identified, and
ensure identified owners and operators are provided the basis for the
determination. The Secretary shall establish a process through which owners
and operators of critical infrastructure may submit relevant information
and request reconsideration of identifications under subsection (a) of this
Sec. 10. Adoption of Framework.
(a) Agencies with responsibility for regulating the security of critical
infrastructure shall engage in a consultative process with DHS, OMB, and
the National Security Staff to review the preliminary Cybersecurity Framework
and determine if current cybersecurity regulatory requirements are sufficient
given current and projected risks. In making such determination, these agencies
shall consider the identification of critical infrastructure required under
section 9 of this order. Within 90 days of the publication of the preliminary
Framework, these agencies shall submit a report to the President, through
the Assistant to the President for Homeland Security and Counterterrorism,
the Director of OMB, and the Assistant to the President for Economic Affairs,
that states whether or not the agency has clear authority to establish
requirements based upon the Cybersecurity Framework to sufficiently address
current and projected cyber risks to critical infrastructure, the existing
authorities identified, and any additional authority required.
(b) If current regulatory requirements are deemed to be insufficient, within
90 days of publication of the final Framework, agencies identified in subsection
(a) of this section shall propose prioritized, risk-based, efficient, and
coordinated actions, consistent with Executive Order 12866 of September 30,
1993 (Regulatory Planning and Review), Executive Order 13563 of January 18,
2011 (Improving Regulation and Regulatory Review), and Executive Order 13609
of May 1, 2012 (Promoting International Regulatory Cooperation), to mitigate
(c) Within 2 years after publication of the final Framework, consistent with
Executive Order 13563 and Executive Order 13610 of May 10, 2012 (Identifying
and Reducing Regulatory Burdens), agencies identified in subsection (a) of
this section shall, in consultation with owners and operators of critical
infrastructure, report to OMB on any critical infrastructure subject to
ineffective, conflicting, or excessively burdensome cybersecurity requirements.
This report shall describe efforts made by agencies, and make recommendations
for further actions, to minimize or eliminate such requirements.
(d) The Secretary shall coordinate the provision of technical assistance
to agencies identified in subsection (a) of this section on the development
of their cybersecurity workforce and programs.
(e) Independent regulatory agencies with responsibility for regulating the
security of critical infrastructure are encouraged to engage in a consultative
process with the Secretary, relevant Sector-Specific Agencies, and other
affected parties to consider prioritized actions to mitigate cyber risks
for critical infrastructure consistent with their authorities.
Sec. 11. Definitions.
(a) "Agency" means any authority of the United States that is an "agency"
under 44 U.S.C. 3502(1), other than those considered to be independent regulatory
agencies, as defined in 44 U.S.C. 3502(5).
(b) "Critical Infrastructure Partnership Advisory Council" means the council
established by DHS under 6 U.S.C. 451 to facilitate effective interaction
and coordination of critical infrastructure protection activities among the
Federal Government; the private sector; and State, local, territorial, and
(c) "Fair Information Practice Principles" means the eight principles set
forth in Appendix A of the National Strategy for Trusted Identities in
(d) "Independent regulatory agency" has the meaning given the term in 44
(e) "Sector Coordinating Council" means a private sector coordinating council
composed of representatives of owners and operators within a particular sector
of critical infrastructure established by the National Infrastructure Protection
Plan or any successor.
(f) "Sector-Specific Agency" has the meaning given the term in Presidential
Policy Directive-21 of February 12, 2013 (Critical Infrastructure Security
and Resilience), or any successor.
Sec. 12. General Provisions.
(a) This order shall be implemented consistent with applicable law and subject
to the availability of appropriations. Nothing in this order shall be construed
to provide an agency with authority for regulating the security of critical
infrastructure in addition to or to a greater extent than the authority the
agency has under existing law. Nothing in this order shall be construed to
alter or limit any authority or responsibility of an agency under existing
(b) Nothing in this order shall be construed to impair or otherwise affect
the functions of the Director of OMB relating to budgetary, administrative,
or legislative proposals.
(c) All actions taken pursuant to this order shall be consistent with
requirements and authorities to protect intelligence and law enforcement
sources and methods. Nothing in this order shall be interpreted to supersede
measures established under authority of law to protect the security and integrity
of specific activities and associations that are in direct support of
intelligence and law enforcement operations.
(d) This order shall be implemented consistent with U.S. international
(e) This order is not intended to, and does not, create any right or benefit,
substantive or procedural, enforceable at law or in equity by any party against
the United States, its departments, agencies, or entities, its officers,
employees, or agents, or any other person.