§ 121. Information and Analysis and Infrastructure Protection  


Latest version.
  • (a) Intelligence and analysis and infrastructure protection

    There shall be in the Department an Office of Intelligence and Analysis and an Office of Infrastructure Protection.

    (b) Under Secretary for Intelligence and Analysis and Assistant Secretary for Infrastructure Protection(1) Office of Intelligence and Analysis

    The Office of Intelligence and Analysis shall be headed by an Under Secretary for Intelligence and Analysis, who shall be appointed by the President, by and with the advice and consent of the Senate.

    (2) Chief Intelligence Officer

    The Under Secretary for Intelligence and Analysis shall serve as the Chief Intelligence Officer of the Department.

    (3) Office of Infrastructure Protection

    The Office of Infrastructure Protection shall be headed by an Assistant Secretary for Infrastructure Protection, who shall be appointed by the President.

    (c) Discharge of responsibilities

    The Secretary shall ensure that the responsibilities of the Department relating to information analysis and infrastructure protection, including those described in subsection (d), are carried out through the Under Secretary for Intelligence and Analysis or the Assistant Secretary for Infrastructure Protection, as appropriate.

    (d) Responsibilities of Secretary relating to intelligence and analysis and infrastructure protectionThe responsibilities of the Secretary relating to intelligence and analysis and infrastructure protection shall be as follows:(1) To access, receive, and analyze law enforcement information, intelligence information, and other information from agencies of the Federal Government, State and local government agencies (including law enforcement agencies), and private sector entities, and to integrate such information, in support of the mission responsibilities of the Department and the functions of the National Counterterrorism Center established under section 119 of the National Security Act of 1947 [50 U.S.C. 3056], in order to—(A) identify and assess the nature and scope of terrorist threats to the homeland;(B) detect and identify threats of terrorism against the United States; and(C) understand such threats in light of actual and potential vulnerabilities of the homeland.(2) To carry out comprehensive assessments of the vulnerabilities of the key resources and critical infrastructure of the United States, including the performance of risk assessments to determine the risks posed by particular types of terrorist attacks within the United States (including an assessment of the probability of success of such attacks and the feasibility and potential efficacy of various countermeasures to such attacks).(3) To integrate relevant information, analysis, and vulnerability assessments (regardless of whether such information, analysis or assessments are provided by or produced by the Department) in order to—(A) identify priorities for protective and support measures regarding terrorist and other threats to homeland security by the Department, other agencies of the Federal Government, State, and local government agencies and authorities, the private sector, and other entities; and(B) prepare finished intelligence and information products in both classified and unclassified formats, as appropriate, whenever reasonably expected to be of benefit to a State, local, or tribal government (including a State, local, or tribal law enforcement agency) or a private sector entity.(4) To ensure, pursuant to section 122 of this title, the timely and efficient access by the Department to all information necessary to discharge the responsibilities under this section, including obtaining such information from other agencies of the Federal Government.(5) To develop a comprehensive national plan for securing the key resources and critical infrastructure of the United States, including power production, generation, and distribution systems, information technology and telecommunications systems (including satellites), electronic financial and property record storage and transmission systems, emergency preparedness communications systems, and the physical and technological assets that support such systems.(6) To recommend measures necessary to protect the key resources and critical infrastructure of the United States in coordination with other agencies of the Federal Government and in cooperation with State and local government agencies and authorities, the private sector, and other entities.(7) To review, analyze, and make recommendations for improvements to the policies and procedures governing the sharing of information within the scope of the information sharing environment established under section 485 of this title, including homeland security information, terrorism information, and weapons of mass destruction information, and any policies, guidelines, procedures, instructions, or standards established under that section.(8) To disseminate, as appropriate, information analyzed by the Department within the Department, to other agencies of the Federal Government with responsibilities relating to homeland security, and to agencies of State and local governments and private sector entities with such responsibilities in order to assist in the deterrence, prevention, preemption of, or response to, terrorist attacks against the United States.(9) To consult with the Director of National Intelligence and other appropriate intelligence, law enforcement, or other elements of the Federal Government to establish collection priorities and strategies for information, including law enforcement-related information, relating to threats of terrorism against the United States through such means as the representation of the Department in discussions regarding requirements and priorities in the collection of such information.(10) To consult with State and local governments and private sector entities to ensure appropriate exchanges of information, including law enforcement-related information, relating to threats of terrorism against the United States.(11) To ensure that—(A) any material received pursuant to this chapter is protected from unauthorized disclosure and handled and used only for the performance of official duties; and(B) any intelligence information under this chapter is shared, retained, and disseminated consistent with the authority of the Director of National Intelligence to protect intelligence sources and methods under the National Security Act of 1947 [50 U.S.C. 3001 et seq.] and related procedures and, as appropriate, similar authorities of the Attorney General concerning sensitive law enforcement information.(12) To request additional information from other agencies of the Federal Government, State and local government agencies, and the private sector relating to threats of terrorism in the United States, or relating to other areas of responsibility assigned by the Secretary, including the entry into cooperative agreements through the Secretary to obtain such information.(13) To establish and utilize, in conjunction with the chief information officer of the Department, a secure communications and information technology infrastructure, including data-mining and other advanced analytical tools, in order to access, receive, and analyze data and information in furtherance of the responsibilities under this section, and to disseminate information acquired and analyzed by the Department, as appropriate.(14) To ensure, in conjunction with the chief information officer of the Department, that any information databases and analytical tools developed or utilized by the Department—(A) are compatible with one another and with relevant information databases of other agencies of the Federal Government; and(B) treat information in such databases in a manner that complies with applicable Federal law on privacy.(15) To coordinate training and other support to the elements and personnel of the Department, other agencies of the Federal Government, and State and local governments that provide information to the Department, or are consumers of information provided by the Department, in order to facilitate the identification and sharing of information revealed in their ordinary duties and the optimal utilization of information received from the Department.(16) To coordinate with elements of the intelligence community and with Federal, State, and local law enforcement agencies, and the private sector, as appropriate.(17) To provide intelligence and information analysis and support to other elements of the Department.(18) To coordinate and enhance integration among the intelligence components of the Department, including through strategic oversight of the intelligence activities of such components.(19) To establish the intelligence collection, processing, analysis, and dissemination priorities, policies, processes, standards, guidelines, and procedures for the intelligence components of the Department, consistent with any directions from the President and, as applicable, the Director of National Intelligence.(20) To establish a structure and process to support the missions and goals of the intelligence components of the Department.(21) To ensure that, whenever possible, the Department—(A) produces and disseminates unclassified reports and analytic products based on open-source information; and(B) produces and disseminates such reports and analytic products contemporaneously with reports or analytic products concerning the same or similar information that the Department produced and disseminated in a classified format.(22) To establish within the Office of Intelligence and Analysis an internal continuity of operations plan.(23) Based on intelligence priorities set by the President, and guidance from the Secretary and, as appropriate, the Director of National Intelligence—(A) to provide to the heads of each intelligence component of the Department guidance for developing the budget pertaining to the activities of such component; and(B) to present to the Secretary a recommendation for a consolidated budget for the intelligence components of the Department, together with any comments from the heads of such components.(24) To perform such other duties relating to such responsibilities as the Secretary may provide.(25) To prepare and submit to the Committee on Homeland Security and Governmental Affairs of the Senate and the Committee on Homeland Security in the House of Representatives, and to other appropriate congressional committees having jurisdiction over the critical infrastructure or key resources, for each sector identified in the National Infrastructure Protection Plan, a report on the comprehensive assessments carried out by the Secretary of the critical infrastructure and key resources of the United States, evaluating threat, vulnerability, and consequence, as required under this subsection. Each such report—(A) shall contain, if applicable, actions or countermeasures recommended or taken by the Secretary or the head of another Federal agency to address issues identified in the assessments;(B) shall be required for fiscal year 2007 and each subsequent fiscal year and shall be submitted not later than 35 days after the last day of the fiscal year covered by the report; and(C) may be classified. (e) Staff(1) In general

    The Secretary shall provide the Office of Intelligence and Analysis and the Office of Infrastructure Protection with a staff of analysts having appropriate expertise and experience to assist such offices in discharging responsibilities under this section.

    (2) Private sector analysts

    Analysts under this subsection may include analysts from the private sector.

    (3) Security clearances

    Analysts under this subsection shall possess security clearances appropriate for their work under this section.

    (f) Detail of personnel(1) In general

    In order to assist the Office of Intelligence and Analysis and the Office of Infrastructure Protection in discharging responsibilities under this section, personnel of the agencies referred to in paragraph (2) may be detailed to the Department for the performance of analytic functions and related duties.

    (2) Covered agenciesThe agencies referred to in this paragraph are as follows:(A) The Department of State.(B) The Central Intelligence Agency.(C) The Federal Bureau of Investigation.(D) The National Security Agency.(E) The National Geospatial-Intelligence Agency.(F) The Defense Intelligence Agency.(G) Any other agency of the Federal Government that the President considers appropriate.(3) Cooperative agreements

    The Secretary and the head of the agency concerned may enter into cooperative agreements for the purpose of detailing personnel under this subsection.

    (4) Basis

    The detail of personnel under this subsection may be on a reimbursable or non-reimbursable basis.

    (g) Functions transferredIn accordance with subchapter XII of this chapter, there shall be transferred to the Secretary, for assignment to the Office of Intelligence and Analysis and the Office of Infrastructure Protection under this section, the functions, personnel, assets, and liabilities of the following:(1) The National Infrastructure Protection Center of the Federal Bureau of Investigation (other than the Computer Investigations and Operations Section), including the functions of the Attorney General relating thereto.(2) The National Communications System of the Department of Defense, including the functions of the Secretary of Defense relating thereto.(3) The Critical Infrastructure Assurance Office of the Department of Commerce, including the functions of the Secretary of Commerce relating thereto.(4) The National Infrastructure Simulation and Analysis Center of the Department of Energy and the energy security and assurance program and activities of the Department, including the functions of the Secretary of Energy relating thereto.(5) The Federal Computer Incident Response Center of the General Services Administration, including the functions of the Administrator of General Services relating thereto.
(Pub. L. 107–296, title II, § 201, Nov. 25, 2002, 116 Stat. 2145; Pub. L. 110–53, title V, §§ 501(a)(2)(A), (b), 531(a), title X, § 1002(a), Aug. 3, 2007, 121 Stat. 309, 332, 374; Pub. L. 110–417, [div. A], title IX, § 931(b)(5), Oct. 14, 2008, 122 Stat. 4575; Pub. L. 111–84, div. A, title X, § 1073(c)(9), Oct. 28, 2009, 123 Stat. 2475; Pub. L. 111–258, § 5(b)(1), Oct. 7, 2010, 124 Stat. 2650.)

References In Text

References in Text

This chapter, referred to in subsec. (d)(11), was in the original “this Act”, meaning Pub. L. 107–296, Nov. 25, 2002, 116 Stat. 2135, known as the Homeland Security Act of 2002, which is classified principally to this chapter. For complete classification of this Act to the Code, see Short Title note set out under section 101 of this title and Tables.

The National Security Act of 1947, referred to in subsec. (d)(11)(B), is act July 26, 1947, ch. 343, 61 Stat. 495, which was formerly classified principally to chapter 15 (§ 401 et seq.) of Title 50, War and National Defense, prior to editorial reclassification in Title 50, and is now classified principally to chapter 44 (§ 3001 et seq.) of Title 50. For complete classification of this Act to the Code, see Tables.

Codification

Codification

Section is comprised of section 201 of Pub. L. 107–296. Subsec. (h) of section 201 of Pub. L. 107–296 amended section 3003 of Title 50, War and National Defense.

Amendments

Amendments

2010—Subsec. (d)(3). Pub. L. 111–258 amended par. (3) generally. Prior to amendment, par. (3) read as follows: “To integrate relevant information, analyses, and vulnerability assessments (whether such information, analyses, or assessments are provided or produced by the Department or others) in order to identify priorities for protective and support measures by the Department, other agencies of the Federal Government, State and local government agencies and authorities, the private sector, and other entities.”

2009—Subsec. (f)(2)(E). Pub. L. 111–84 made technical amendment to directory language of Pub. L. 110–417. See 2008 amendment note below.

2008—Subsec. (f)(2)(E). Pub. L. 110–417, § 931(b)(5), as amended by Pub. L. 111–84, substituted “National Geospatial-Intelligence Agency” for “National Imagery and Mapping Agency”.

2007—Pub. L. 110–53, § 531(a)(1), substituted “Information and” for “Directorate for Information” in section catchline.

Subsecs. (a) to (c). Pub. L. 110–53, § 531(a)(2), added subsecs. (a) to (c) and struck out former subsecs. (a) to (c) which related to, in subsec. (a), establishment and responsibilities of Directorate for Information Analysis and Infrastructure Protection, in subsec. (b), positions of Assistant Secretary for Information Analysis and Assistant Secretary for Infrastructure Protection, and, in subsec. (c), Secretary’s duty to ensure that responsibilities regarding information analysis and infrastructure protection would be carried out through the Under Secretary for Information Analysis and Infrastructure Protection.

Subsec. (d). Pub. L. 110–53, § 531(a)(3), substituted “Secretary relating to intelligence and analysis and infrastructure protection” for “Under Secretary” in heading and “The responsibilities of the Secretary relating to intelligence and analysis and infrastructure protection” for “Subject to the direction and control of the Secretary, the responsibilities of the Under Secretary for Information Analysis and Infrastructure Protection” in introductory provisions.

Subsec. (d)(1). Pub. L. 110–53, § 501(b)(1), inserted “, in support of the mission responsibilities of the Department and the functions of the National Counterterrorism Center established under section 119 of the National Security Act of 1947 (50 U.S.C. 404o),” after “to integrate such information” in introductory provisions.

Subsec. (d)(7). Pub. L. 110–53, § 501(b)(2), added par. (7) and struck out former par. (7) which read as follows: “To review, analyze, and make recommendations for improvements in the policies and procedures governing the sharing of law enforcement information, intelligence information, intelligence-related information, and other information relating to homeland security within the Federal Government and between the Federal Government and State and local government agencies and authorities.”

Pub. L. 110–53, § 501(a)(2)(A), redesignated par. (8) as (7) and struck out former par. (7) which read as follows: “To administer the Homeland Security Advisory System, including—

“(A) exercising primary responsibility for public advisories related to threats to homeland security; and

“(B) in coordination with other agencies of the Federal Government, providing specific warning information, and advice about appropriate protective measures and countermeasures, to State and local government agencies and authorities, the private sector, other entities, and the public.”

Subsec. (d)(8). Pub. L. 110–53, § 501(a)(2)(A)(ii), redesignated par. (9) as (8). Former par. (8) redesignated (7).

Subsec. (d)(9). Pub. L. 110–53, § 531(a)(3)(C), substituted “Director of National Intelligence” for “Director of Central Intelligence”.

Pub. L. 110–53, § 501(a)(2)(A)(ii), redesignated par. (10) as (9). Former par. (9) redesignated (8).

Subsec. (d)(10). Pub. L. 110–53, § 501(a)(2)(A)(ii), redesignated par. (11) as (10). Former par. (10) redesignated (9).

Subsec. (d)(11). Pub. L. 110–53, § 501(a)(2)(A)(ii), redesignated par. (12) as (11). Former par. (11) redesignated (10).

Subsec. (d)(11)(B). Pub. L. 110–53, § 531(a)(3)(D), substituted “Director of National Intelligence” for “Director of Central Intelligence”.

Subsec. (d)(12) to (17). Pub. L. 110–53, § 501(a)(2)(A)(ii), redesignated pars. (13) to (18) as (12) to (17), respectively. Former par. (12) redesignated (11).

Subsec. (d)(18). Pub. L. 110–53, § 531(a)(3)(E), (F), added par. (18) and redesignated former par. (18) as (24).

Pub. L. 110–53, § 501(a)(2)(A)(ii), redesignated par. (19) as (18). Former par. (18) redesignated (17).

Subsec. (d)(19). Pub. L. 110–53, § 531(a)(3)(F), added par. (19).

Pub. L. 110–53, § 501(a)(2)(A)(ii), redesignated par. (19) as (18).

Subsec. (d)(20) to (23). Pub. L. 110–53, § 531(a)(3)(F), added pars. (20) to (23).

Subsec. (d)(24). Pub. L. 110–53, § 531(a)(3)(E), redesignated par. (18) as (24).

Subsec. (d)(25). Pub. L. 110–53, § 1002(a), added par. (25).

Subsec. (e)(1). Pub. L. 110–53, § 531(a)(4), substituted “provide the Office of Intelligence and Analysis and the Office of Infrastructure Protection” for “provide the Directorate” and “assist such offices in discharging” for “assist the Directorate in discharging”.

Subsec. (f)(1). Pub. L. 110–53, § 531(a)(5), substituted “Office of Intelligence and Analysis and the Office of Infrastructure Protection” for “Directorate”.

Subsec. (g). Pub. L. 110–53, § 531(a)(6), substituted “Office of Intelligence and Analysis and the Office of Infrastructure Protection” for “Under Secretary for Information Analysis and Infrastructure Protection” in introductory provisions.

Effective Date Of Amendment

Effective Date of 2009 Amendment

Pub. L. 111–84, div. A, title X, § 1073(c), Oct. 28, 2009, 123 Stat. 2474, provided that the amendment by section 1073(c)(9) is effective as of Oct. 14, 2008, and as if included in Pub. L. 110–417 as enacted.

Miscellaneous

Regulations

Pub. L. 109–295, title V, § 550, Oct. 4, 2006, 120 Stat. 1388, as amended by Pub. L. 110–161, div. E, title V, § 534, Dec. 26, 2007, 121 Stat. 2075; Pub. L. 111–83, title V, § 550, Oct. 28, 2009, 123 Stat. 2177; Pub. L. 112–10, div. B, title VI, § 1650, Apr. 15, 2011, 125 Stat. 146; Pub. L. 112–74, div. D, title V, § 540, Dec. 23, 2011, 125 Stat. 976; Pub. L. 113–6, div. D, title V, § 537, Mar. 26, 2013, 127 Stat. 373, provided that:“(a) No later than six months after the date of enactment of this Act [Oct. 4, 2006], the Secretary of Homeland Security shall issue interim final regulations establishing risk-based performance standards for security of chemical facilities and requiring vulnerability assessments and the development and implementation of site security plans for chemical facilities: Provided, That such regulations shall apply to chemical facilities that, in the discretion of the Secretary, present high levels of security risk: Provided further, That such regulations shall permit each such facility, in developing and implementing site security plans, to select layered security measures that, in combination, appropriately address the vulnerability assessment and the risk-based performance standards for security for the facility: Provided further, That the Secretary may not disapprove a site security plan submitted under this section based on the presence or absence of a particular security measure, but the Secretary may disapprove a site security plan if the plan fails to satisfy the risk-based performance standards established by this section: Provided further, That the Secretary may approve alternative security programs established by private sector entities, Federal, State, or local authorities, or other applicable laws if the Secretary determines that the requirements of such programs meet the requirements of this section and the interim regulations: Provided further, That the Secretary shall review and approve each vulnerability assessment and site security plan required under this section: Provided further, That the Secretary shall not apply regulations issued pursuant to this section to facilities regulated pursuant to the Maritime Transportation Security Act of 2002, Public Law 107–295, as amended [see Tables for classification]; Public Water Systems, as defined by section 1401 of the Safe Drinking Water Act, Public Law 93–523, as amended [42 U.S.C. 300f]; Treatment Works as defined in section 212 of the Federal Water Pollution Control Act, Public Law 92–500, as amended [33 U.S.C. 1292]; any facility owned or operated by the Department of Defense or the Department of Energy, or any facility subject to regulation by the Nuclear Regulatory Commission.“(b) Interim regulations issued under this section shall apply until the effective date of interim or final regulations promulgated under other laws that establish requirements and standards referred to in subsection (a) and expressly supersede this section: Provided, That the authority provided by this section shall terminate on October 4, 2013.“(c) Notwithstanding any other provision of law and subsection (b), information developed under this section, including vulnerability assessments, site security plans, and other security related information, records, and documents shall be given protections from public disclosure consistent with similar information developed by chemical facilities subject to regulation under section 70103 of title 46, United States Code: Provided, That this subsection does not prohibit the sharing of such information, as the Secretary deems appropriate, with State and local government officials possessing the necessary security clearances, including law enforcement officials and first responders, for the purpose of carrying out this section, provided that such information may not be disclosed pursuant to any State or local law: Provided further, That in any proceeding to enforce this section, vulnerability assessments, site security plans, and other information submitted to or obtained by the Secretary under this section, and related vulnerability or security information, shall be treated as if the information were classified material.“(d) Any person who violates an order issued under this section shall be liable for a civil penalty under section 70119(a) of title 46, United States Code: Provided, That nothing in this section confers upon any person except the Secretary a right of action against an owner or operator of a chemical facility to enforce any provision of this section.“(e) The Secretary of Homeland Security shall audit and inspect chemical facilities for the purposes of determining compliance with the regulations issued pursuant to this section.“(f) Nothing in this section shall be construed to supersede, amend, alter, or affect any Federal law that regulates the manufacture, distribution in commerce, use, sale, other treatment, or disposal of chemical substances or mixtures.“(g) If the Secretary determines that a chemical facility is not in compliance with this section, the Secretary shall provide the owner or operator with written notification (including a clear explanation of deficiencies in the vulnerability assessment and site security plan) and opportunity for consultation, and issue an order to comply by such date as the Secretary determines to be appropriate under the circumstances: Provided, That if the owner or operator continues to be in noncompliance, the Secretary may issue an order for the facility to cease operation, until the owner or operator complies with the order.“(h) This section shall not preclude or deny any right of any State or political subdivision thereof to adopt or enforce any regulation, requirement, or standard of performance with respect to chemical facility security that is more stringent than a regulation, requirement, or standard of performance issued under this section, or otherwise impair any right or jurisdiction of any State with respect to chemical facilities within that State, unless there is an actual conflict between this section and the law of that State.”

Cybersecurity Collaboration Between the Department of Defense and the Department of Homeland Security

Pub. L. 112–81, div. A, title X, § 1090, Dec. 31, 2011, 125 Stat. 1603, provided that:“(a) Interdepartmental Collaboration.—“(1)In general.—The Secretary of Defense and the Secretary of Homeland Security shall provide personnel, equipment, and facilities in order to increase interdepartmental collaboration with respect to—“(A) strategic planning for the cybersecurity of the United States;“(B) mutual support for cybersecurity capabilities development; and“(C) synchronization of current operational cybersecurity mission activities.“(2)Efficiencies.—The collaboration provided for under paragraph (1) shall be designed—“(A) to improve the efficiency and effectiveness of requirements formulation and requests for products, services, and technical assistance for, and coordination and performance assessment of, cybersecurity missions executed across a variety of Department of Defense and Department of Homeland Security elements; and“(B) to leverage the expertise of each individual Department and to avoid duplicating, replicating, or aggregating unnecessarily the diverse line organizations across technology developments, operations, and customer support that collectively execute the cybersecurity mission of each Department.“(b) Responsibilities.—“(1)Department of homeland security.—The Secretary of Homeland Security shall identify and assign, in coordination with the Department of Defense, a Director of Cybersecurity Coordination within the Department of Homeland Security to undertake collaborative activities with the Department of Defense.“(2)Department of defense.—The Secretary of Defense shall identify and assign, in coordination with the Department of Homeland Security, one or more officials within the Department of Defense to coordinate, oversee, and execute collaborative activities and the provision of cybersecurity support to the Department of Homeland Security.”

Cybersecurity Oversight

Pub. L. 111–259, title III, § 336, Oct. 7, 2010, 124 Stat. 2689, provided that:“(a) Notification of Cybersecurity Programs.—“(1) Requirement for notification.—“(A)Existing programs.—Not later than 30 days after the date of the enactment of this Act [Oct. 7, 2010], the President shall submit to Congress a notification for each cybersecurity program in operation on such date that includes the documentation referred to in subparagraphs (A) through (F) of paragraph (2).“(B)New programs.—Not later than 30 days after the date of the commencement of operations of a new cybersecurity program, the President shall submit to Congress a notification of such commencement that includes the documentation referred to in subparagraphs (A) through (F) of paragraph (2).“(2)Documentation.—A notification required by paragraph (1) for a cybersecurity program shall include—“(A) the legal basis for the cybersecurity program;“(B) the certification, if any, made pursuant to section 2511(2)(a)(ii)(B) of title 18, United States Code, or other statutory certification of legality for the cybersecurity program;“(C) the concept for the operation of the cybersecurity program that is approved by the head of the appropriate department or agency of the United States;“(D) the assessment, if any, of the privacy impact of the cybersecurity program prepared by the privacy or civil liberties protection officer or comparable officer of such department or agency;“(E) the plan, if any, for independent audit or review of the cybersecurity program to be carried out by the head of such department or agency, in conjunction with the appropriate inspector general; and“(F) recommendations, if any, for legislation to improve the capabilities of the United States Government to protect the cybersecurity of the United States.“(b) Program Reports.—“(1)Requirement for reports.—The head of a department or agency of the United States with responsibility for a cybersecurity program for which a notification was submitted under subsection (a), in consultation with the inspector general for that department or agency, shall submit to Congress and the President a report on such cybersecurity program that includes—“(A) the results of any audit or review of the cybersecurity program carried out under the plan referred to in subsection (a)(2)(E), if any; and“(B) an assessment of whether the implementation of the cybersecurity program—“(i) is in compliance with—     “(I) the legal basis referred to in subsection (a)(2)(A); and     “(II) an assessment referred to in subsection (a)(2)(D), if any;“(ii) is adequately described by the concept of operation referred to in subsection (a)(2)(C); and“(iii) includes an adequate independent audit or review system and whether improvements to such independent audit or review system are necessary.“(2) Schedule for submission of reports.—“(A)Existing programs.—Not later than 180 days after the date of the enactment of this Act [Oct. 7, 2010], and annually thereafter, the head of a department or agency of the United States with responsibility for a cybersecurity program for which a notification is required to be submitted under subsection (a)(1)(A) shall submit a report required under paragraph (1).“(B)New programs.—Not later than 120 days after the date on which a certification is submitted under subsection (a)(1)(B), and annually thereafter, the head of a department or agency of the United States with responsibility for the cybersecurity program for which such certification is submitted shall submit a report required under paragraph (1).“(3) Cooperation and coordination.—“(A)Cooperation.—The head of each department or agency of the United States required to submit a report under paragraph (1) for a particular cybersecurity program, and the inspector general of each such department or agency, shall, to the extent practicable, work in conjunction with any other such head or inspector general required to submit such a report for such cybersecurity program.“(B)Coordination.—The heads of all of the departments and agencies of the United States required to submit a report under paragraph (1) for a particular cybersecurity program shall designate one such head to coordinate the conduct of the reports on such program.“(c)Information Sharing Report.—Not later than one year after the date of the enactment of this Act [Oct. 7, 2010], the Inspector General of the Department of Homeland Security and the Inspector General of the Intelligence Community shall jointly submit to Congress and the President a report on the status of the sharing of cyber-threat information, including—“(1) a description of how cyber-threat intelligence information, including classified information, is shared among the agencies and departments of the United States and with persons responsible for critical infrastructure;“(2) a description of the mechanisms by which classified cyber-threat information is distributed;“(3) an assessment of the effectiveness of cyber-threat information sharing and distribution; and“(4) any other matters identified by either Inspector General that would help to fully inform Congress or the President regarding the effectiveness and legality of cybersecurity programs.“(d) Personnel Details.—“(1)Authority to detail.—Notwithstanding any other provision of law, the head of an element of the intelligence community that is funded through the National Intelligence Program may detail an officer or employee of such element to the National Cyber Investigative Joint Task Force or to the Department of Homeland Security to assist the Task Force or the Department with cybersecurity, as jointly agreed by the head of such element and the Task Force or the Department.“(2)Basis for detail.—A personnel detail made under paragraph (1) may be made—“(A) for a period of not more than three years; and“(B) on a reimbursable or nonreimbursable basis.“(e)Additional Plan.—Not later than 180 days after the date of the enactment of this Act [Oct. 7, 2010], the Director of National Intelligence shall submit to Congress a plan for recruiting, retaining, and training a highly-qualified cybersecurity intelligence community workforce to secure the networks of the intelligence community. Such plan shall include—“(1) an assessment of the capabilities of the current workforce;“(2) an examination of issues of recruiting, retention, and the professional development of such workforce, including the possibility of providing retention bonuses or other forms of compensation;“(3) an assessment of the benefits of outreach and training with both private industry and academic institutions with respect to such workforce;“(4) an assessment of the impact of the establishment of the Department of Defense Cyber Command on such workforce;“(5) an examination of best practices for making the intelligence community workforce aware of cybersecurity best practices and principles; and“(6) strategies for addressing such other matters as the Director of National Intelligence considers necessary to the cybersecurity of the intelligence community.“(f) Report on Guidelines and Legislation To Improve Cybersecurity of the United States.—“(1)Initial.—Not later than one year after the date of the enactment of this Act [Oct. 7, 2010], the Director of National Intelligence, in coordination with the Attorney General, the Director of the National Security Agency, the White House Cybersecurity Coordinator, and any other officials the Director of National Intelligence considers appropriate, shall submit to Congress a report containing guidelines or legislative recommendations, if appropriate, to improve the capabilities of the intelligence community and law enforcement agencies to protect the cybersecurity of the United States. Such report shall include guidelines or legislative recommendations on—“(A) improving the ability of the intelligence community to detect hostile actions and attribute attacks to specific parties;“(B) the need for data retention requirements to assist the intelligence community and law enforcement agencies;“(C) improving the ability of the intelligence community to anticipate nontraditional targets of foreign intelligence services; and“(D) the adequacy of existing criminal statutes to successfully deter cyber attacks, including statutes criminalizing the facilitation of criminal acts, the scope of laws for which a cyber crime constitutes a predicate offense, trespassing statutes, data breach notification requirements, and victim restitution statutes.“(2)Subsequent.—Not later than one year after the date on which the initial report is submitted under paragraph (1), and annually thereafter for two years, the Director of National Intelligence, in consultation with the Attorney General, the Director of the National Security Agency, the White House Cybersecurity Coordinator, and any other officials the Director of National Intelligence considers appropriate, shall submit to Congress an update of the report required under paragraph (1).“(g)Sunset.—The requirements and authorities of subsections (a) through (e) shall terminate on December 31, 2013.“(h)Definitions.—In this section:“(1)Cybersecurity program.—The term ‘cybersecurity program’ means a class or collection of similar cybersecurity operations of a department or agency of the United States that involves personally identifiable data that is—“(A) screened by a cybersecurity system outside of the department or agency of the United States that was the intended recipient of the personally identifiable data;“(B) transferred, for the purpose of cybersecurity, outside the department or agency of the United States that was the intended recipient of the personally identifiable data; or“(C) transferred, for the purpose of cybersecurity, to an element of the intelligence community.“(2)National cyber investigative joint task force.—The term ‘National Cyber Investigative Joint Task Force’ means the multiagency cyber investigation coordination organization overseen by the Director of the Federal Bureau of Investigation known as the National Cyber Investigative Joint Task Force that coordinates, integrates, and provides pertinent information related to cybersecurity investigations.“(3)Critical infrastructure.—The term ‘critical infrastructure’ has the meaning given that term in section 1016 of the USA PATRIOT Act (42 U.S.C. 5195c).”

[For definition of “intelligence community” as used in section 336 of Pub. L. 111–259, set out above, see section 2 of Pub. L. 111–259, set out as a note under section 3003 of Title 50, War and National Defense.]

Treatment of Incumbent Under Secretary for Intelligence and Analysis

Pub. L. 110–53, title V, § 531(c), Aug. 3, 2007, 121 Stat. 335, provided that: “The individual administratively performing the duties of the Under Secretary for Intelligence and Analysis as of the date of the enactment of this Act [Aug. 3, 2007] may continue to perform such duties after the date on which the President nominates an individual to serve as the Under Secretary pursuant to section 201 of the Homeland Security Act of 2002 [6 U.S.C. 121], as amended by this section, and until the individual so appointed assumes the duties of the position.”

Reports To Be Submitted to Certain Committees

Pub. L. 110–53, title XXIV, § 2403, Aug. 3, 2007, 121 Stat. 547, provided that: “The Committee on Commerce, Science, and Transportation of the Senate shall receive the reports required by the following provisions of law in the same manner and to the same extent that the reports are to be received by the Committee on Homeland Security and Governmental Affairs of the Senate:“(1) Section 1016(j)(1) of the Intelligence Reform and Terrorist [Terrorism] Prevention Act of 2004 (6 U.S.C. 485(j)(1)).“(2) Section 511(d) of this Act [121 Stat. 323].“(3) Subsection (a)(3)(D) of section 2022 of the Homeland Security Act of 2002 [6 U.S.C. 612(a)(3)(D)], as added by section 101 of this Act.“(4) Section 7215(d) of the Intelligence Reform and Terrorism Prevention Act of 2004 (6 U.S.C. 123(d)).“(5) Section 7209(b)(1)(C) of the Intelligence Reform and Terrorism Prevention Act of 2004 [Pub. L. 108–458] (8 U.S.C. 1185 note).“(6) Section 804(c) of this Act [42 U.S.C. 2000ee–3(c)].“(7) Section 901(b) of this Act [121 Stat. 370].“(8) Section 1002(a) of this Act [amending this section].“(9) Title III of this Act [enacting sections 579 and 580 of this title and amending sections 194 and 572 of this title].”

Security Management Systems Demonstration Project

Pub. L. 110–53, title XXIV, § 2404, Aug. 3, 2007, 121 Stat. 548, provided that:“(a)Demonstration Project Required.—Not later than 120 days after the date of enactment of this Act [Aug. 3, 2007], the Secretary of Homeland Security shall—“(1) establish a demonstration project to conduct demonstrations of security management systems that—“(A) shall use a management system standards approach; and“(B) may be integrated into quality, safety, environmental and other internationally adopted management systems; and“(2) enter into one or more agreements with a private sector entity to conduct such demonstrations of security management systems.“(b)Security Management System Defined.—In this section, the term ‘security management system’ means a set of guidelines that address the security assessment needs of critical infrastructure and key resources that are consistent with a set of generally accepted management standards ratified and adopted by a standards making body.”

Executive Order

Ex. Ord. No. 13231. Critical Infrastructure Protection in the Information Age

Ex. Ord. No. 13231, Oct. 16, 2001, 66 F.R. 53063, as amended by Ex. Ord. No. 13284, § 2, Jan. 23, 2003, 68 F.R. 4075; Ex. Ord. No. 13286, § 7, Feb. 28, 2003, 68 F.R. 10620; Ex. Ord. No. 13385, § 5, Sept. 29, 2005, 70 F.R. 57990; Ex. Ord. No. 13652, § 6, Sept. 30, 2013, 78 F.R. 61818, provided:

By the authority vested in me as President by the Constitution and the laws of the United States of America, and in order to ensure protection of information systems for critical infrastructure, including emergency preparedness communications and the physical assets that support such systems, in the information age, it is hereby ordered as follows:

Section 1. Policy. The information technology revolution has changed the way business is transacted, government operates, and national defense is conducted. Those three functions now depend on an interdependent network of critical information infrastructures. It is the policy of the United States to protect against disruption of the operation of information systems for critical infrastructure and thereby help to protect the people, economy, essential human and government services, and national security of the United States, and to ensure that any disruptions that occur are infrequent, of minimal duration, and manageable, and cause the least damage possible. The implementation of this policy shall include a voluntary public-private partnership, involving corporate and nongovernmental organizations.

Sec. 2. Continuing Authorities. This order does not alter the existing authorities or roles of United States Government departments and agencies. Authorities set forth in 44 U.S.C. chapter 35, and other applicable law, provide senior officials with responsibility for the security of Federal Government information systems.

(a) Executive Branch Information Systems Security. The Director of the Office of Management and Budget (OMB) has the responsibility to develop and oversee the implementation of government-wide policies, principles, standards, and guidelines for the security of information systems that support the executive branch departments and agencies, except those noted in section 2(b) of this order. The Director of OMB shall advise the President and the appropriate department or agency head when there is a critical deficiency in the security practices within the purview of this section in an executive branch department or agency.

(b) National Security Information Systems. The Secretary of Defense and the Director of Central Intelligence (DCI) shall have responsibility to oversee, develop, and ensure implementation of policies, principles, standards, and guidelines for the security of information systems that support the operations under their respective control. In consultation with the Assistant to the President for National Security Affairs and the affected departments and agencies, the Secretary of Defense and the DCI shall develop policies, principles, standards, and guidelines for the security of national security information systems that support the operations of other executive branch departments and agencies with national security information.

(i) Policies, principles, standards, and guidelines developed under this subsection may require more stringent protection than those developed in accordance with section 2(a) of this order.

(ii) The Assistant to the President for National Security Affairs shall advise the President and the appropriate department or agency when there is a critical deficiency in the security practices of a department or agency within the purview of this section.

(iii) National Security Systems. The National Security Telecommunications and Information Systems Security Committee, as established by and consistent with NSD–42 and chaired by the Department of Defense, shall be designated as the “Committee on National Security Systems.”

(c) Additional Responsibilities. The heads of executive branch departments and agencies are responsible and accountable for providing and maintaining adequate levels of security for information systems, including emergency preparedness communications systems, for programs under their control. Heads of such departments and agencies shall ensure the development and, within available appropriations, funding of programs that adequately address these mission systems, especially those critical systems that support the national security and other essential government programs. Additionally, security should enable, and not unnecessarily impede, department and agency business operations.

Sec. 3. The National Infrastructure Advisory Council. The National Infrastructure Advisory Council (NIAC), established on October 16, 2001, shall provide the President, through the Secretary of Homeland Security, with advice on the security and resilience of the critical infrastructure sectors and their functional systems, physical assets, and cyber networks.

(a) Membership. The NIAC shall be composed of not more than 30 members appointed by the President, taking appropriate account of the benefits of having members:

(i) from the private sector, including individuals with experience in banking and finance, transportation, energy, water, communications, health care services, food and agriculture, government facilities, emergency services organizations, institutions of higher education, environmental and climate resilience, and State, local, and tribal governments;

(ii) with senior executive leadership responsibilities for the availability and reliability, including security and resilience, of critical infrastructure sectors;

(iii) with expertise relevant to the functions of the NIAC; and

(iv) with experience equivalent to that of a chief executive of an organization.

Unless otherwise determined by the President, no full-time officer or employee of the executive branch shall be appointed to serve as a member of the NIAC. The President shall designate from among the members of the NIAC a Chair and a Vice Chair, who shall perform the functions of the Chair if the Chair is absent or disabled, or in the instance of a vacancy in the Chair.

(b) Functions of the NIAC. The NIAC shall meet periodically to:

(i) enhance the partnership of the public and private sectors in securing and enhancing the security and resilience of critical infrastructure and their supporting functional systems, physical assets, and cyber networks, and provide reports on this issue to the President, through the Secretary of Homeland Security, as appropriate;

(ii) propose and develop ways to encourage private industry to perform periodic risk assessments and implement risk-reduction programs;

(iii) monitor the development and operations of critical infrastructure sector coordinating councils and their information-sharing mechanisms and provide recommendations to the President, through the Secretary of Homeland Security, on how these organizations can best foster improved cooperation among the sectors, the Department of Homeland Security, and other Federal Government entities;

(iv) report to the President through the Secretary of Homeland Security, who shall ensure appropriate coordination with the Assistant to the President for Homeland Security and Counterterrorism, the Assistant to the President for Economic Policy, and the Assistant to the President for National Security Affairs under the terms of this order; and

(v) advise sector-specific agencies with critical infrastructure responsibilities to include issues pertaining to sector and government coordinating councils and their information sharing mechanisms.

In implementing this order, the NIAC shall not advise or otherwise act on matters pertaining to National Security and Emergency Preparedness (NS/EP) Communications and, with respect to any matters to which the NIAC is authorized by this order to provide advice or otherwise act on that may depend on or affect NS/EP Communications, shall coordinate with the National Security and Telecommunications Advisory Committee established by Executive Order 12382 of September 13, 1982, as amended.

(c) Administration of the NIAC.

(i) The NIAC may hold hearings, conduct inquiries, and establish subcommittees, as appropriate.

(ii) Upon request of the Chair, and to the extent permitted by law, the heads of the executive departments and agencies shall provide the NIAC with information and advice relating to its functions.

(iii) Senior Federal Government officials may participate in the meetings of the NIAC, as appropriate.

(iv) Members shall serve without compensation for their work on the NIAC. However, members may be reimbursed for travel expenses, including per diem in lieu of subsistence, as authorized by law for persons serving intermittently in Federal Government service (5 U.S.C. 5701–5707).

(v) To the extent permitted by law and subject to the availability of appropriations, the Department of Homeland Security shall provide the NIAC with administrative services, staff, and other support services, and such funds as may be necessary for the performance of the NIAC’s functions.

Sec. 4. Judicial Review. This order does not create any right or benefit, substantive or procedural, enforceable at law or in equity, against the United States, its departments, agencies, or other entities, its officers or employees, or any other person.

Miscellaneous

Extension of Term of National Infrastructure Advisory Council

Term of National Infrastructure Advisory Council extended until Sept. 30, 2005, by Ex. Ord. No. 13316, Sept. 17, 2003, 68 F.R. 55255, formerly set out as a note under section 14 of the Federal Advisory Committee Act in the Appendix to Title 5, Government Organizations and Employees.

Term of National Infrastructure Advisory Council extended until Sept. 30, 2007, by Ex. Ord. No. 13385, Sept. 29, 2005, 70 F.R. 57989, formerly set out as a note under section 14 of the Federal Advisory Committee Act in the Appendix to Title 5.

Term of National Infrastructure Advisory Council extended until Sept. 30, 2009, by Ex. Ord. No. 13446, Sept. 28, 2007, 72 F.R. 56175, formerly set out as a note under section 14 of the Federal Advisory Committee Act in the Appendix to Title 5.

Term of National Infrastructure Advisory Council extended until Sept. 30, 2011, by Ex. Ord. No. 13511, Sept. 29, 2009, 74 F.R. 50909, formerly set out as a note under section 14 of the Federal Advisory Committee Act in the Appendix to Title 5.

Term of National Infrastructure Advisory Council extended until Sept. 30, 2013, by Ex. Ord. No. 13585, Sept. 30, 2011, 76 F.R. 62281, formerly set out as a note under section 14 of the Federal Advisory Committee Act in the Appendix to Title 5.

Term of National Infrastructure Advisory Council extended until Sept. 30, 2015, by Ex. Ord. No. 13652, Sept. 30, 2013, 78 F.R. 61817, set out as a note under section 14 of the Federal Advisory Committee Act in the Appendix to Title 5.

Executive Order

Ex. Ord. No. 13284. Amendment of Executive Orders, and Other Actions, in Connection With the Establishment of the Department of Homeland Security

Ex. Ord. No. 13284, Jan. 23, 2003, 68 F.R. 4075, provided:

By the authority vested in me as President by the Constitution and the laws of the United States of America, including the Homeland Security Act of 2002 (Public Law 107–296) [see Tables for classification], and the National Security Act of 1947, as amended (50 U.S.C. 401et seq.) [now 50 U.S.C. 3001 et seq.], and in order to reflect responsibilities vested in the Secretary of Homeland Security and take other actions in connection with the establishment of the Department of Homeland Security, it is hereby ordered as follows:

Section 1. [Amended Ex. Ord. No. 13234.]

Sec. 2. [Amended Ex. Ord. No. 13231, set out above.]

Sec. 3. Executive Order 13228 of October 8, 2001 (“Establishing the Office of Homeland Security and the Homeland Security Council”) [50 U.S.C. 3021 note], is amended by inserting “the Secretary of Homeland Security,” after “the Secretary of Transportation,” in section 5(b). Further, during the period from January 24, 2003, until March 1, 2003, the Secretary of Homeland Security shall have the responsibility for coordinating the domestic response efforts otherwise assigned to the Assistant to the President for Homeland Security pursuant to section 3(g) of Executive Order 13228.

Sec. 4. [Amended Ex. Ord. No. 13224, listed in a table under section 1701 of Title 50, War and National Defense.]

Sec. 5. [Amended Ex. Ord. No. 13151, set out as a note under section 5195 of Title 42, The Public Health and Welfare.]

Sec. 6. [Amended Ex. Ord. No. 13122, set out as a note under section 3121 of Title 42, The Public Health and Welfare.]

Sec. 7. [Amended Ex. Ord. No. 13048, set out as a note under section 501 of Title 31, Money and Finance.]

Sec. 8. [Amended Ex. Ord. No. 12992, set out as a note under section 1708 of Title 21, Food and Drugs.]

Sec. 9. [Amended Ex. Ord. No. 12881, set out as a note under section 6601 of Title 42, The Public Health and Welfare.]

Sec. 10. [Amended Ex. Ord. No. 12859, set out as a note preceding section 101 of Title 3, The President.]

Sec. 11. [Amended Ex. Ord. No. 12590, set out as a note under former section 1201 of Title 21, Food and Drugs.]

Sec. 12. [Amended Ex. Ord. No. 12260, set out as a note under section 2511 of Title 19, Customs Duties.]

Sec. 13. [Amended Ex. Ord. No. 11958, set out as a note under section 2751 of Title 22, Foreign Relations and Intercourse.]

Sec. 14. [Amended Ex. Ord. No. 11423, set out as a note under section 301 of Title 3, The President.]

Sec. 15. [Amended Ex. Ord. No. 10865, set out as a note under section 3161 of Title 50, War and National Defense.]

Sec. 16. [Amended Ex. Ord. No. 13011, set out as a note under section 11101 of Title 40, Public Buildings, Property, and Works.]

Sec. 17. Those elements of the Department of Homeland Security that are supervised by the Department’s Under Secretary for Information Analysis and Infrastructure Protection through the Department’s Assistant Secretary for Information Analysis, with the exception of those functions that involve no analysis of foreign intelligence information, are designated as elements of the Intelligence Community under section 201(h) of the Homeland Security Act of 2002 [Pub. L. 107–296, amending 50 U.S.C. 3003] and section 3(4) of the National Security Act of 1947, as amended (50 U.S.C. 401a[(4)]) [now 50 U.S.C. 3003(4)].

Sec. 18. [Amended Ex. Ord. No. 12333, set out as a note under section 3001 of title 50, War and National Defense.]

Sec. 19. Functions of Certain Officials in the Department of Homeland Security.

The Secretary of Homeland Security, the Deputy Secretary of Homeland Security, the Under Secretary for Information Analysis and Infrastructure Protection, Department of Homeland Security, and the Assistant Secretary for Information Analysis, Department of Homeland Security, each shall be considered a “Senior Official of the Intelligence Community” for purposes of Executive Order 12333 [50 U.S.C. 3001 note], and all other relevant authorities, and shall:

(a) recognize and give effect to all current clearances for access to classified information held by those who become employees of the Department of Homeland Security by operation of law pursuant to the Homeland Security Act of 2002 or by Presidential appointment;

(b) recognize and give effect to all current clearances for access to classified information held by those in the private sector with whom employees of the Department of Homeland Security may seek to interact in the discharge of their homeland security-related responsibilities;

(c) make all clearance and access determinations pursuant to Executive Order 12968 of August 2, 1995 [50 U.S.C. 3161 note], or any successor Executive Order, as to employees of, and applicants for employment in, the Department of Homeland Security who do not then hold a current clearance for access to classified information; and

(d) ensure all clearance and access determinations for those in the private sector with whom employees of the Department of Homeland Security may seek to interact in the discharge of their homeland security-related responsibilities are made in accordance with Executive Order 12829 of January 6, 1993 [50 U.S.C. 3161 note].

Sec. 20. Pursuant to the provisions of section 1.4 of [former] Executive Order 12958 of April 17, 1995 (“Classified National Security Information”) [50 U.S.C. 435 note], I hereby authorize the Secretary of Homeland Security to classify information originally as “Top Secret.” Any delegation of this authority shall be in accordance with section 1.4 of that order or any successor Executive Orders.

Sec. 21. This order shall become effective on January 24, 2003.

Sec. 22. This order does not create any right or benefit, substantive or procedural, enforceable at law or equity, against the United States, its departments, agencies, or other entities, its officers or employees, or any other person.

George W. Bush.
Ex. Ord. No. 13636. Improving Critical Infrastructure Cybersecurity

Ex. Ord. No. 13636, Feb. 12, 2013, 78 F.R. 11739, provided:

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Policy. Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity. The cyber threat to critical infrastructure continues to grow and represents one of the most serious national security challenges we must confront. The national and economic security of the United States depends on the reliable functioning of the Nation’s critical infrastructure in the face of such threats. It is the policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties. We can achieve these goals through a partnership with the owners and operators of critical infrastructure to improve cybersecurity information sharing and collaboratively develop and implement risk-based standards.

Sec. 2. Critical Infrastructure. As used in this order, the term critical infrastructure means systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

Sec. 3. Policy Coordination. Policy coordination, guidance, dispute resolution, and periodic in-progress reviews for the functions and programs described and assigned herein shall be provided through the interagency process established in Presidential Policy Directive–1 of February 13, 2009 (Organization of the National Security Council System), or any successor.

Sec. 4. Cybersecurity Information Sharing. (a) It is the policy of the United States Government to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats. Within 120 days of the date of this order, the Attorney General, the Secretary of Homeland Security (the “Secretary”), and the Director of National Intelligence shall each issue instructions consistent with their authorities and with the requirements of section 12(c) of this order to ensure the timely production of unclassified reports of cyber threats to the U.S. homeland that identify a specific targeted entity. The instructions shall address the need to protect intelligence and law enforcement sources, methods, operations, and investigations.

(b) The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a process that rapidly disseminates the reports produced pursuant to section 4(a) of this order to the targeted entity. Such process shall also, consistent with the need to protect national security information, include the dissemination of classified reports to critical infrastructure entities authorized to receive them. The Secretary and the Attorney General, in coordination with the Director of National Intelligence, shall establish a system for tracking the production, dissemination, and disposition of these reports.

(c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaboration with the Secretary of Defense, shall, within 120 days of the date of this order, establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors. This voluntary information sharing program will provide classified cyber threat and technical information from the Government to eligible critical infrastructure companies or commercial service providers that offer security services to critical infrastructure.

(d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information Program for State, Local, Tribal, and Private Sector Entities), shall expedite the processing of security clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizing the critical infrastructure identified in section 9 of this order.

(e) In order to maximize the utility of cyber threat information sharing with the private sector, the Secretary shall expand the use of programs that bring private sector subject-matter experts into Federal service on a temporary basis. These subject matter experts should provide advice regarding the content, structure, and types of information most useful to critical infrastructure owners and operators in reducing and mitigating cyber risks.

Sec. 5. Privacy and Civil Liberties Protections. (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacy and civil liberties and ensure that privacy and civil liberties protections are incorporated into such activities. Such protections shall be based upon the Fair Information Practice Principles and other privacy and civil liberties policies, principles, and frameworks as they apply to each agency’s activities.

(b) The Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of the Department of Homeland Security (DHS) shall assess the privacy and civil liberties risks of the functions and programs undertaken by DHS as called for in this order and shall recommend to the Secretary ways to minimize or mitigate such risks, in a publicly available report, to be released within 1 year of the date of this order. Senior agency privacy and civil liberties officials for other agencies engaged in activities under this order shall conduct assessments of their agency activities and provide those assessments to DHS for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revised as necessary. The report may contain a classified annex if necessary. Assessments shall include evaluation of activities against the Fair Information Practice Principles and other applicable privacy and civil liberties policies, principles, and frameworks. Agencies shall consider the assessments and recommendations of the report in implementing privacy and civil liberties protections for agency activities.

(c) In producing the report required under subsection (b) of this section, the Chief Privacy Officer and the Officer for Civil Rights and Civil Liberties of DHS shall consult with the Privacy and Civil Liberties Oversight Board and coordinate with the Office of Management and Budget (OMB).

(d) Information submitted voluntarily in accordance with 6 U.S.C. 133 by private entities under this order shall be protected from disclosure to the fullest extent permitted by law.

Sec. 6. Consultative Process. The Secretary shall establish a consultative process to coordinate improvements to the cybersecurity of critical infrastructure. As part of the consultative process, the Secretary shall engage and consider the advice, on matters set forth in this order, of the Critical Infrastructure Partnership Advisory Council; Sector Coordinating Councils; critical infrastructure owners and operators; Sector-Specific Agencies; other relevant agencies; independent regulatory agencies; State, local, territorial, and tribal governments; universities; and outside experts.

Sec. 7. Baseline Framework to Reduce Cyber Risk to Critical Infrastructure. (a) The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology (the “Director”) to lead the development of a framework to reduce cyber risks to critical infrastructure (the “Cybersecurity Framework”). The Cybersecurity Framework shall include a set of standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standards will advance the objectives of this order, and shall meet the requirements of the National Institute of Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the National Technology Transfer and Advancement Act of 1995 (Public Law 104–113), and OMB Circular A–119, as revised.

(b) The Cybersecurity Framework shall provide a prioritized, flexible, repeatable, performance-based, and cost-effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross-sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards-developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructure sectors to benefit from a competitive market for products and services that meet the standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementing the Cybersecurity Framework.

(c) The Cybersecurity Framework shall include methodologies to identify and mitigate impacts of the Cybersecurity Framework and associated information security measures or controls on business confidentiality, and to protect individual privacy and civil liberties.

(d) In developing the Cybersecurity Framework, the Director shall engage in an open public review and comment process. The Director shall also consult with the Secretary, the National Security Agency, Sector-Specific Agencies and other interested agencies including OMB, owners and operators of critical infrastructure, and other stakeholders through the consultative process established in section 6 of this order. The Secretary, the Director of National Intelligence, and the heads of other relevant agencies shall provide threat and vulnerability information and technical expertise to inform the development of the Cybersecurity Framework. The Secretary shall provide performance goals for the Cybersecurity Framework informed by work under section 9 of this order.

(e) Within 240 days of the date of this order, the Director shall publish a preliminary version of the Cybersecurity Framework (the “preliminary Framework”). Within 1 year of the date of this order, and after coordination with the Secretary to ensure suitability under section 8 of this order, the Director shall publish a final version of the Cybersecurity Framework (the “final Framework”).

(f) Consistent with statutory responsibilities, the Director will ensure the Cybersecurity Framework and related guidance is reviewed and updated as necessary, taking into consideration technological changes, changes in cyber risks, operational feedback from owners and operators of critical infrastructure, experience from the implementation of section 8 of this order, and any other relevant factors.

Sec. 8. Voluntary Critical Infrastructure Cybersecurity Program. (a) The Secretary, in coordination with Sector-Specific Agencies, shall establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities (the “Program”).

(b) Sector-Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector-specific risks and operating environments.

(c) Sector-Specific Agencies shall report annually to the President, through the Secretary, on the extent to which owners and operators notified under section 9 of this order are participating in the Program.

(d) The Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program. Within 120 days of the date of this order, the Secretary and the Secretaries of the Treasury and Commerce each shall make recommendations separately to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, that shall include analysis of the benefits and relative effectiveness of such incentives, and whether the incentives would require legislation or can be provided under existing law and authorities to participants in the Program.

(e) Within 120 days of the date of this order, the Secretary of Defense and the Administrator of General Services, in consultation with the Secretary and the Federal Acquisition Regulatory Council, shall make recommendations to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planning and contract administration. The report shall address what steps can be taken to harmonize and make consistent existing procurement requirements related to cybersecurity.

Sec. 9. Identification of Critical Infrastructure at Greatest Risk. (a) Within 150 days of the date of this order, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. In identifying critical infrastructure for this purpose, the Secretary shall use the consultative process established in section 6 of this order and draw upon the expertise of Sector-Specific Agencies. The Secretary shall apply consistent, objective criteria in identifying such critical infrastructure. The Secretary shall not identify any commercial information technology products or consumer information technology services under this section. The Secretary shall review and update the list of identified critical infrastructure under this section on an annual basis, and provide such list to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.

(b) Heads of Sector-Specific Agencies and other relevant agencies shall provide the Secretary with information necessary to carry out the responsibilities under this section. The Secretary shall develop a process for other relevant stakeholders to submit information to assist in making the identifications required in subsection (a) of this section.

(c) The Secretary, in coordination with Sector-Specific Agencies, shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided the basis for the determination. The Secretary shall establish a process through which owners and operators of critical infrastructure may submit relevant information and request reconsideration of identifications under subsection (a) of this section.

Sec. 10. Adoption of Framework. (a) Agencies with responsibility for regulating the security of critical infrastructure shall engage in a consultative process with DHS, OMB, and the National Security Staff to review the preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. In making such determination, these agencies shall consider the identification of critical infrastructure required under section 9 of this order. Within 90 days of the publication of the preliminary Framework, these agencies shall submit a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the Director of OMB, and the Assistant to the President for Economic Affairs, that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.

(b) If current regulatory requirements are deemed to be insufficient, within 90 days of publication of the final Framework, agencies identified in subsection (a) of this section shall propose prioritized, risk-based, efficient, and coordinated actions, consistent with Executive Order 12866 of September 30, 1993 (Regulatory Planning and Review), Executive Order 13563 of January 18, 2011 (Improving Regulation and Regulatory Review), and Executive Order 13609 of May 1, 2012 (Promoting International Regulatory Cooperation), to mitigate cyber risk.

(c) Within 2 years after publication of the final Framework, consistent with Executive Order 13563 and Executive Order 13610 of May 10, 2012 (Identifying and Reducing Regulatory Burdens), agencies identified in subsection (a) of this section shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.

(d) The Secretary shall coordinate the provision of technical assistance to agencies identified in subsection (a) of this section on the development of their cybersecurity workforce and programs.

(e) Independent regulatory agencies with responsibility for regulating the security of critical infrastructure are encouraged to engage in a consultative process with the Secretary, relevant Sector-Specific Agencies, and other affected parties to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.

Sec. 11. Definitions. (a) “Agency” means any authority of the United States that is an “agency” under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

(b) “Critical Infrastructure Partnership Advisory Council” means the council established by DHS under 6 U.S.C. 451 to facilitate effective interaction and coordination of critical infrastructure protection activities among the Federal Government; the private sector; and State, local, territorial, and tribal governments.

(c) “Fair Information Practice Principles” means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.

(d) “Independent regulatory agency” has the meaning given the term in 44 U.S.C. 3502(5).

(e) “Sector Coordinating Council” means a private sector coordinating council composed of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or any successor.

(f) “Sector-Specific Agency” has the meaning given the term in Presidential Policy Directive–21 of February 12, 2013 (Critical Infrastructure Security and Resilience), or any successor.

Sec. 12. General Provisions. (a) This order shall be implemented consistent with applicable law and subject to the availability of appropriations. Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law. Nothing in this order shall be construed to alter or limit any authority or responsibility of an agency under existing law.

(b) Nothing in this order shall be construed to impair or otherwise affect the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.

(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods. Nothing in this order shall be interpreted to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence and law enforcement operations.

(d) This order shall be implemented consistent with U.S. international obligations.

(e) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

Barack Obama.
Ex. Ord. No. 13650. Improving Chemical Facility Safety and Security

Ex. Ord. No. 13650, Aug. 1, 2013, 78 F.R. 48029, provided:

By the authority vested in me as President by the Constitution and the laws of the United States of America, it is hereby ordered as follows:

Section 1. Purpose. Chemicals, and the facilities where they are manufactured, stored, distributed, and used, are essential to today’s economy. Past and recent tragedies have reminded us, however, that the handling and storage of chemicals are not without risk. The Federal Government has developed and implemented numerous programs aimed at reducing the safety risks and security risks associated with hazardous chemicals. However, additional measures can be taken by executive departments and agencies (agencies) with regulatory authority to further improve chemical facility safety and security in coordination with owners and operators.

Sec. 2. Establishment of the Chemical Facility Safety and Security Working Group. (a) There is established a Chemical Facility Safety and Security Working Group (Working Group) co-chaired by the Secretary of Homeland Security, the Administrator of the Environmental Protection Agency (EPA), and the Secretary of Labor or their designated representatives at the Assistant Secretary level or higher. In addition, the Working Group shall consist of the head of each of the following agencies or their designated representatives at the Assistant Secretary level or higher:

(i) the Department of Justice;

(ii) the Department of Agriculture; and

(iii) the Department of Transportation.

(b) In carrying out its responsibilities under this order, the Working Group shall consult with representatives from:

(i) the Council on Environmental Quality;

(ii) the National Security Staff;

(iii) the Domestic Policy Council;

(iv) the Office of Science and Technology Policy;

(v) the Office of Management and Budget (OMB);

(vi) the White House Office of Cabinet Affairs; and

(vii) such other agencies and offices as the President may designate.

(c) The Working Group shall meet no less than quarterly to discuss the status of efforts to implement this order. The Working Group is encouraged to invite other affected agencies, such as the Nuclear Regulatory Commission, to attend these meetings as appropriate. Additionally, the Working Group shall provide, within 270 days of the date of this order, a status report to the President through the Chair of the Council on Environmental Quality and the Assistant to the President for Homeland Security and Counterterrorism.

Sec. 3. Improving Operational Coordination with State, Local, and Tribal Partners. (a) Within 135 days of the date of this order, the Working Group shall develop a plan to support and further enable efforts by State regulators, State, local, and tribal emergency responders, chemical facility owners and operators, and local and tribal communities to work together to improve chemical facility safety and security. In developing this plan, the Working Group shall:

(i) identify ways to improve coordination among the Federal Government, first responders, and State, local, and tribal entities;

(ii) take into account the capabilities, limitations, and needs of the first responder community;

(iii) identify ways to ensure that State homeland security advisors, State Emergency Response Commissions (SERCs), Tribal Emergency Response Commissions (TERCs), Local Emergency Planning Committees (LEPCs), Tribal Emergency Planning Committees (TEPCs), State regulators, and first responders have ready access to key information in a useable format, including by thoroughly reviewing categories of chemicals for which information is provided to first responders and the manner in which it is made available, so as to prevent, prepare for, and respond to chemical incidents;

(iv) identify areas, in collaboration with State, local, and tribal governments and private sector partners, where joint collaborative programs can be developed or enhanced, including by better integrating existing authorities, jurisdictional responsibilities, and regulatory programs in order to achieve a more comprehensive engagement on chemical risk management;

(v) identify opportunities and mechanisms to improve response procedures and to enhance information sharing and collaborative planning between chemical facility owners and operators, TEPCs, LEPCs, and first responders;

(vi) working with the National Response Team (NRT) and Regional Response Teams (RRTs), identify means for Federal technical assistance to support developing, implementing, exercising, and revising State, local, and tribal emergency contingency plans, including improved training; and

(vii) examine opportunities to improve public access to information about chemical facility risks consistent with national security needs and appropriate protection of confidential business information.

(b) Within 90 days of the date of this order, the Attorney General, through the head of the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), shall assess the feasibility of sharing data related to the storage of explosive materials with SERCs, TEPCs, and LEPCs.

(c) Within 90 days of the date of this order, the Secretary of Homeland Security shall assess the feasibility of sharing Chemical Facility Anti-Terrorism Standards (CFATS) data with SERCs, TEPCs, and LEPCs on a categorical basis.

Sec. 4. Enhanced Federal Coordination. In order to enhance Federal coordination regarding chemical facility safety and security:

(a) Within 45 days of the date of this order, the Working Group shall deploy a pilot program, involving the EPA, Department of Labor, Department of Homeland Security, and any other appropriate agency, to validate best practices and to test innovative methods for Federal interagency collaboration regarding chemical facility safety and security. The pilot program shall operate in at least one region and shall integrate regional Federal, State, local, and tribal assets, where appropriate. The pilot program shall include innovative and effective methods of collecting, storing, and using facility information, stakeholder outreach, inspection planning, and, as appropriate, joint inspection efforts. The Working Group shall take into account the results of the pilot program in developing integrated standard operating procedures pursuant to subsection (b) of this section.

(b) Within 270 days of the date of this order, the Working Group shall create comprehensive and integrated standard operating procedures for a unified Federal approach for identifying and responding to risks in chemical facilities (including during pre-inspection, inspection execution, post-inspection, and post-accident investigation activities), incident reporting and response procedures, enforcement, and collection, storage, and use of facility information. This effort shall reflect best practices and shall include agency-to-agency referrals and joint inspection procedures where possible and appropriate, as well as consultation with the Federal Emergency Management Agency on post-accident response activities.

(c) Within 90 days of the date of this order, the Working Group shall consult with the Chemical Safety Board (CSB) and determine what, if any, changes are required to existing memorandums of understanding (MOUs) and processes between EPA and CSB, ATF and CSB, and the Occupational Safety and Health Administration and CSB for timely and full disclosure of information. To the extent appropriate, the Working Group may develop a single model MOU with CSB in lieu of existing agreements.

Sec. 5. Enhanced Information Collection and Sharing. In order to enhance information collection by and sharing across agencies to support more informed decisionmaking, streamline reporting requirements, and reduce duplicative efforts:

(a) Within 90 days of the date of this order, the Working Group shall develop an analysis, including recommendations, on the potential to improve information collection by and sharing between agencies to help identify chemical facilities which may not have provided all required information or may be non-compliant with Federal requirements to ensure chemical facility safety. This analysis should consider ongoing data-sharing efforts, other federally collected information, and chemical facility reporting among agencies (including information shared with State, local, and tribal governments).

(b) Within 180 days of the date of this order, the Working Group shall produce a proposal for a coordinated, flexible data-sharing process which can be utilized to track data submitted to agencies for federally regulated chemical facilities, including locations, chemicals, regulated entities, previous infractions, and other relevant information. The proposal shall allow for the sharing of information with and by State, local, and tribal entities where possible, consistent with section 3 of this order, and shall address computer-based and non-computer-based means for improving the process in the short-term, if they exist.

(c) Within 180 days of the date of this order, the Working Group shall identify and recommend possible changes to streamline and otherwise improve data collection to meet the needs of the public and Federal, State, local, and tribal agencies (including those charged with protecting workers and the public), consistent with the Paperwork Reduction Act and other relevant authorities, including opportunities to lessen the reporting burden on regulated industries. To the extent feasible, efforts shall minimize the duplicative collection of information while ensuring that pertinent information is shared with all key entities.

Sec. 6. Policy, Regulation, and Standards Modernization. (a) In order to enhance safety and security in chemical facilities by modernizing key policies, regulations, and standards, the Working Group shall:

(i) within 90 days of the date of this order, develop options for improved chemical facility safety and security that identifies improvements to existing risk management practices through agency programs, private sector initiatives, Government guidance, outreach, standards, and regulations;

(ii) within 90 days of developing the options described in subsection (a)(i) of this section, engage key stakeholders to discuss the options and other means to improve chemical risk management that may be available; and

(iii) within 90 days of completing the outreach and consultation effort described in subsection (a)(ii) of this section, develop a plan for implementing practical and effective improvements to chemical risk management identified pursuant to subsections (a)(i) and (ii) of this section.

(b) Within 90 days of the date of this order, the Secretary of Homeland Security, the Secretary of Labor, and the Secretary of Agriculture shall develop a list of potential regulatory and legislative proposals to improve the safe and secure storage, handling, and sale of ammonium nitrate and identify ways in which ammonium nitrate safety and security can be enhanced under existing authorities.

(c) Within 90 days of the date of this order, the Administrator of EPA and the Secretary of Labor shall review the chemical hazards covered by the Risk Management Program (RMP) and the Process Safety Management Standard (PSM) and determine if the RMP or PSM can and should be expanded to address additional regulated substances and types of hazards. In addition, the EPA and the Department of Labor shall develop a plan, including a timeline and resource requirements, to expand, implement, and enforce the RMP and PSM in a manner that addresses the additional regulated substances and types of hazards.

(d) Within 90 days of the date of this order, the Secretary of Homeland Security shall identify a list of chemicals, including poisons and reactive substances, that should be considered for addition to the CFATS Chemicals of Interest list.

(e) Within 90 days of the date of this order, the Secretary of Labor shall:

(i) identify any changes that need to be made in the retail and commercial grade exemptions in the PSM Standard; and

(ii) issue a Request for Information designed to identify issues related to modernization of the PSM Standard and related standards necessary to meet the goal of preventing major chemical accidents.

Sec. 7. Identification of Best Practices. The Working Group shall convene stakeholders, including chemical producers, chemical storage companies, agricultural supply companies, State and local regulators, chemical critical infrastructure owners and operators, first responders, labor organizations representing affected workers, environmental and community groups, and consensus standards organizations, in order to identify and share successes to date and best practices to reduce safety risks and security risks in the production and storage of potentially harmful chemicals, including through the use of safer alternatives, adoption of best practices, and potential public-private partnerships.

Sec. 8. General Provisions. (a) This order shall be implemented consistent with applicable law, including international trade obligations, and subject to the availability of appropriations.

(b) Nothing in this order shall be construed to impair or otherwise affect:

(i) the authority granted by law to a department, agency, or the head thereof; or

(ii) the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.

(c) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

Barack Obama.