By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to ensure protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems, in the information age, it is hereby ordered as follows:
(a) The information technology revolution has changed the way business is transacted, government operates, and national defense is conducted. Those three functions now depend on an interdependent network of critical information infrastructures. The protection program authorized by this order shall consist of continuous efforts to secure information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. Protection of these systems is essential to the telecommunications, energy, financial services, manufacturing, water, transportation, health care, and emergency services sectors.
(b) It is the policy of the United States to protect against disruption of the operation of information systems for critical infrastructure and thereby help to protect the people, economy, essential human and government services, and national security of the United States, and to ensure that any disruptions that occur are infrequent, of minimal duration, and manageable, and cause the least damage possible. The implementation of this policy shall include a voluntary public-private partnership, involving corporate and nongovernmental organizations.
To achieve this policy, there shall be a senior executive branch board to coordinate and have cognizance of Federal efforts and programs that relate to protection of information systems and involve:
(a) cooperation with and protection of private sector critical infrastructure, State and local governments? critical infrastructure, and supporting programs in corporate and academic organizations;
(b) protection of Federal departments? and agencies? critical infrastructure; and
(c) related national security programs.
I hereby establish the "President's Critical Infrastructure Protection Board"(the "Board").
This order does not alter the existing authorities or roles of United States Government departments and agencies. Authorities set forth in 44 U.S.C. Chapter 35, and other applicable law, provide senior officials with responsibility for the security of Federal Government information systems.
(a) Executive Branch Information Systems Security. The Director of the Office of Management and Budget(OMB) has the responsibility to develop and oversee the implementation of government-wide policies, principles, standards, and guidelines for the security of information systems that support the executive branch departments and agencies, except those noted in section 4(b) of this order. The Director of OMB shall advise the President and the appropriate department or agency head when there is a critical deficiency in the security practices within the purview of this section in an executive branch department or agency. The Board shall assist and support the Director of OMB in this function and shall be reasonably cognizant of programs related to security of department and agency information systems.
(b) National Security Information Systems. The Secretary of Defense and the Director of Central Intelligence (DCI) shall have responsibility to oversee, develop, and ensure implementa-tion of policies, principles, standards, and guidelines for the security of information systems that support the operations under their respective control. In consultation with the Assistant to the President for National Security Affairs and the affected departments and agencies, the Secretary of Defense and the DCI shall develop policies, principles, standards, and guidelines for the security of national security information systems that support the operations of other executive branch departments and agencies with national security information.
(c) Additional Responsibilities: The Heads of Executive Branch Departments and Agencies. The heads of executive branch departments and agencies are responsible and accountable for providing and maintaining adequate levels of security for information systems, including emergency preparedness communi-cations systems, for programs under their control. Heads of such depart-ments and agencies shall ensure the development and, within available appropriations, funding of programs that adequately address these mission areas. Cost-effective security shall be built into and made an integral part of government information systems, especially those critical systems that support the national security and other essential government programs. Additionally, security should enable, and not unnecessarily impede, department and agency business operations.
Consistent with the responsibilities noted in section 4 of this order, the Board shall recommend policies and coordinate programs for protecting information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. Among its activities to implement these responsibilities, the Board shall:
to the Private Sector and State and Local Governments. In consultation
with affected executive branch departments and agencies, coordinate outreach
to and consultation with the private sector, including corporations that
own, operate, develop, and equip information, telecommunications, transporta-tion,
(b) Information Sharing. Work with industry, State and local governments, and nongovernmental organizations to ensure that systems are created and well managed to share threat warning, analysis, and recovery information among government network operation centers, information sharing and analysis centers established on a voluntary basis by industry, and other related operations centers. In this and other related functions, the Board shall work in coordination with the NCS, the Federal Computer Incident Response Center, the NIPC, and other departments and agencies, as appropriate.
(c) Incident Coordination and Crisis Response. Coordinate programs and policies for responding to information systems security incidents that threaten information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. In this function, the Department of Justice, through the NIPC and the Manager of the NCS and other departments and agencies, as appropriate, shall work in coordination with the Board.
(d) Recruitment, Retention, and Training Executive Branch Security Professionals. In consultation with executive branch departments and agencies, coordinate programs to ensure that government employees with responsibilities for protecting information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems, are adequately trained and evaluated. In this function, the Office of Personnel Management shall work in coordination with the Board, as appropriate.
(e) Research and Development. Coordinate with the Director of the Office of Science and Technology Policy (OSTP) on a program of Federal Government research and development for protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems, and ensure coordination of govern-ment activities in this field with corporations, universities, Federally funded research centers, and national laboratories. In this function, the Board shall work in coordination with the National Science Foundation, the Defense Advanced Research Projects Agency, and with other departments and agencies, as appropriate.
(f) Law Enforcement Coordination with National Security Components. Promote programs against cyber crime and assist Federal law enforcement agencies in gaining necessary cooperation from executive branch departments and agencies. Support Federal law enforcement agencies? investigation of illegal activities involving information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems, and support coordi-nation by these agencies with other departments and agencies with responsibilities to defend the Nation's security. In this function, the Board shall work in coordination with the Department of Justice, through the NIPC, and the Department of the Treasury, through the Secret Service, and with other departments and agencies, as appropriate.
(g) International Information Infrastructure Protection. Support the Department of State's coordination of United States Government programs for international cooperation covering international information infrastructure protection issues.
(h) Legislation. In accordance with OMB circular A-19, advise departments and agencies, the Director of OMB, and the Assistant to the President for Legislative Affairs on legislation relating to protection of information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems.
(i) Coordination with Office of Homeland Security. Carry out those functions relating to protection of and recovery from attacks against information systems for critical infrastructure, including emergency preparedness communications, that were assigned to the Office of Homeland Security by Executive Order 13228 of October 8, 2001. The Assistant to the President for Homeland Security, in coordination with the Assistant to the President for National Security Affairs, shall be responsible for defining the responsibilities of the Board in coordinating efforts to protect physical assets that support information systems.
(a) Members of the Board shall be drawn from the executive branch departments, agencies, and offices listed below; in addition, concerned Federal departments and agencies may participate in the activities of appropriate committees of the Board. The Board shall be led by a Chair and Vice Chair, designated by the President. Its other members shall be the following senior officials or their designees:
Members of the Board and their designees shall be full-time or permanent part-time officers or employees of the Federal Government.
(b) In addition, the following officials shall serve as members of the Board and shall form the Board's Coordination Committee:
(c) The Chairman of the Federal Communications Commission may appoint a representative to the Board.
(a) The Chair also shall be the Special Advisor to the President for Cyberspace Security. Executive branch departments and agencies shall make all reasonable efforts to keep the Chair fully informed in a timely manner, and to the greatest extent permitted by law, of all programs and issues within the purview of the Board. The Chair, in consultation with the Board, shall call and preside at meetings of the Board and set the agenda for the Board. The Chair, in consultation with the Board, may propose policies and programs to appropriate officials to ensure the protection of the Nation's information systems for critical infrastructure, including emergency preparedness communications, and the physical assets that support such systems. To ensure full coordination between the responsibilities of the National Security Council (NSC) and the Office of Homeland Security, the Chair shall report to both the Assistant to the President for National Security Affairs and to the Assistant to the President for Homeland Security. The Chair shall coordinate with the Assistant to the President for Economic Policy on issues relating to private sector systems and economic effects and with the Director of OMB on issues relating to budgets and the security of computer networks addressed in subsection 4(a) of this order.
(b) The Chair shall be assisted by an appropriately sized staff within the White House Office. In addition, heads of executive branch departments and agencies are authorized, to the extent permitted by law, to detail or assign personnel of such departments and agencies to the Board's staff upon request of the Chair, subject to the approval of the Chief of Staff to the President. Members of the Board's staff with responsibilities relating to national security information systems, communica-tions, and information warfare may, with respect to those responsibilities, also work at the direction of the Assistant to the President for National Security Affairs.
(a) The Board may establish standing and ad hoc committees as appropriate. Representation on standing committees shall not be limited to those departments and agencies on the Board, but may include representatives of other concerned executive branch departments and agencies.
(b) Chairs of standing and ad hoc committees shall report fully and regularly on the activities of the committees to the Board, which shall ensure that the committees are well coordinated with each other.
(c) There are established the following standing committees:
(d) Subcommittees. The chair of each standing committee may form necessary subcommittees with organizational represen-tation as determined by the Chair.
(e) Streamlining. The Board shall develop procedures that specify the manner in which it or a subordinate committee will perform the responsibilities previously assigned to the Policy Coordinating Committee. The Board, in coordination with the Director of OSTP, shall review the functions of the Joint Telecommunications Resources Board, established under Executive Order 12472, and make recommendations about its future role.
(a) The Board, on a periodic basis, shall propose a National Plan or plans for subjects within its purview. The Board, in coordination with the Office of Homeland Security, also shall make recommen-dations to OMB on those portions of executive branch department and agency budgets that fall within the Board's purview, after review of relevant program requirements and resources.
(b) The Office of Administration within the Executive Office of the President shall provide the Board with such personnel, funding, and administrative support, to the extent permitted by law and subject to the availability of appropria-tions, as directed by the Chief of Staff to carry out the provisions of this order. Only those funds that are available for the Office of Homeland Security, established by Executive Order 13228, shall be available for such purposes. -To the extent permitted by law and as appropriate, agencies represented on the Board also may provide administrative support for the Board. The National Security Agency shall ensure that the Board's information and communications systems are appropriately secured.
(c) The Board may annually request the National Science Foundation, Department of Energy, Department of Transportation, Environmental Protection Agency, Department of Commerce, Depart-ment of Defense, and the Intelligence Community, as that term is defined in Executive Order 12333 of December 4, 1981, to include in their budget requests to OMB funding for demonstration projects and research to support the Board's activities.
The Chair shall work closely
with panels of senior experts from outside of the government that advise
the President, in particular: the President's National Security Telecommunications
(a) NSTAC. The NSTAC provides the President advice on the security and continuity of communications systems essential for national security and emergency preparedness.
(b) NIAC. There is hereby established the National Infrastructure Advisory Council, which shall provide the President advice on the security of information systems for critical infrastructure supporting other sectors of the economy: banking and finance, transporta-tion, energy, manufacturing, and emergency government services. The NIAC shall be composed of not more than 30 members appointed by the President. The members of the NIAC shall be selected from the private sector, academia, and State and local govern-ment. Members of the NIAC shall have expertise relevant to the functions of the NIAC and generally shall be selected from industry Chief Executive Officers (and equivalently ranked leaders in other organizations) with responsibilities for the security of information infrastructure supporting the critical sectors of the economy, including banking and finance, transportation, energy, communications, and emergency government services. Members shall not be full-time officials or employees of the executive branch of the Federal Government.
(c) NIAC Functions. The NIAC will meet periodically to:
(d) Administration of the NIAC.
(e) General Provisions.
Changes in technology are causing the convergence of much of telephony, data relay, and internet communications networks into an interconnected network of networks. The NCS and its National Coordinating Center shall support use of telephony, converged information, voice networks, and next generation networks for emergency preparedness and national security communications functions assigned to them in Executive Order 12472. All authorities and assignments of responsibilities to departments and agencies in that order, including the role of the Manager of NCS, remain unchanged except as explicitly modified by this order.
The Board shall coordinate its activities with those of the Office of the Counter-intelligence Executive to address the threat to programs within the Board's purview from hostile foreign intelligence services.
I hereby delegate to the Chair the authority to classify information originally as Top Secret, in accordance with Executive Order 12958 of April 17, 1995, as amended, or any successor Executive Order.
(a) Nothing in this order shall supersede any requirement made by or under law.
(b) This order does not create any right or benefit, substantive or procedural, enforceable at law or equity, against the United States, its departments, agencies or other entities, its officers or employees, or any other person.
GEORGE W. BUSH