4 September 2000. Thanks to RT.
Each page imprinted with three large "4"s. See image of first page: http://cryptome.org/pdd63-1.jpg (126KB)
[18 pages.]
FOR OFFICIAL USE ONLY 20365
THE WHITE HOUSE
WASHINGTON
[Stamp]
98 MAY 22 PM 2:14
May 22, 1998
OSD
WHITE HOUSE LIAISON
PRESIDENTIAL DECISION DIRECTIVE/NSC-63
MEMORANDUM FOR THE VICE PRESIDENT
THE SECRETARY OF STATE
THE SECRETARY OF THE TREASURY
THE SECRETARY OF DEFENSE
THE ATTORNEY GENERAL
THE SECRETARY OF COMMERCE
THE SECRETARY OF HEALTH AND HUMAN SERVICES
THE SECRETARY OF TRANSPORTATION
THE SECRETARY OF ENERGY
THE SECRETARY OF VETERANS AFFAIRS
ADMINISTRATOR, ENVIRONMENTAL PROTECTION AGENCY
THE DIRECTOR, OFFICE OF MANAGEMENT AND BUDGET
THE DIRECTOR OF CENTRAL INTELLIGENCE
THE DIRECTOR, FEDERAL EMERGENCY MANAGEMENT AGENCY
THE ASSISTANT TO THE PRESIDENT FOR
NATIONAL SECURITY AFFAIRS
THE ASSISTANT TO THE PRESIDENT FOR
SCIENCE AND TECHNOLOGY
THE CHAIRMAN, JOINT CHIEFS OF STAFF
THE DIRECTOR, FEDERAL BUREAU OF INVESTIGATION
THE DIRECTOR, NATIONAL SECURITY AGENCY
SUBJECT: Critical Infrastructure Protection
1. A Growing Potential Vulnerability
The United States possesses both the world's strongest military
and its largest national economy. Those two aspects of our
power are mutually reinforcing and dependent. They are also
increasingly reliant upon certain critical infrastructures and
upon cyber-based information systems.
Critical infrastructures are those physical and cyber-based
systems essential to the minimum operations of the economy and
government. They include, but are not limited to,
telecommunications, energy, banking and finance, transportation,
FOR OFFICIAL USE ONLY W00570 /98
water systems and emergency services, both governmental and
private. Many of the nation's critical infrastructures have
historically been physically and logically separate systems that
had little interdependence. As a result of advances in
information technology and the necessity of improved efficiency,
however, these infrastructures have become increasingly
automated and interlinked. These same advances have created new
vulnerabilities to equipment failure, human error, weather and
other natural causes, and physical and cyber attacks.
Addressing these vulnerabilities will necessarily require
flexible, evolutionary approaches that span both the public and
private sectors, and protect both domestic and international
security.
Because of our military strength, future enemies, whether
nations, groups or individuals, may seek to harm us in non-
traditional ways including attacks within the United States.
Because our economy is increasingly reliant upon interdependent
and cyber-supported infrastructures, non-traditional attacks on
our infrastructure and information systems may be capable of
significantly harming both our military power and our economy.
II. President's Intent
It has long been the policy of the United States to assure the
continuity and viability of critical infrastructures. I intend
that the United States will take all necessary measures to
swiftly eliminate any significant vulnerability to both physical
and cyber attacks on our critical infrastructures, including
especially our cyber systems.
III. A National Goal
No later than the year 2000, the United States shall have
achieved an initial operating capability and no later than five
years from today the United States shall have achieved and shall
maintain the ability to protect the nation's critical
infrastructures from intentional acts that would significantly
diminish the abilities of:
* the Federal Government to perform essential national security
missions and to ensure the general public health and safety;
* state and local governments to maintain order and to deliver
minimum essential public services.
* the private sector to ensure the orderly functioning of the
economy and the delivery of essential telecommunications,
energy, financial and transportation services.
Any interruptions or manipulations of these critical functions
must be brief, infrequent, manageable, geographically isolated
and minimally detrimental to the welfare of the United States.
IV. A Public-Private Partnership to Reduce Vulnerability
Since the targets of attacks on our critical infrastructure
would likely include both facilities in the economy and those in
the government, the elimination of our potential vulnerability
requires a closely coordinated effort of both the government and
the private sector. To succeed, this partnership must be
genuine, mutual and cooperative. In seeking to meet our
national goal to eliminate the vulnerabilities of our critical
infrastructure, therefore, we should, to the extent feasible,
seek to avoid outcomes that increase government regulation or
expand unfunded government mandates to the private sector.
For each of the major sectors of our economy that are vulnerable
to infrastructure attack, the Federal Government will appoint
from a designated Lead Agency a senior officer of that agency as
the Sector Liaison Official to work with the private sector.
Sector Liaison Officials, after discussions and coordination
with private sector entities of their infrastructure sector,
will identify a private sector or counterpart (Sector Coordinator)
to represent their sector.
Together these two individuals and the departments and
corporations they represent shall contribute to a sectoral
National Infrastructure Assurance Plan by:
* assessing the vulnerabilities of the sector to cyber or
physical attacks;
* recommending a plan to eliminate significant vulnerabilities;
* proposing a system for identifying and preventing attempted
major attacks;
* developing a plan for alerting, containing and rebuffing an
attack in progress and then, in coordination with FEMA as
appropriate, rapidly reconstituting minimum essential
capabilities in the aftermath of an attack.
During the preparation of the sectoral plans, the National
Coordinator (see section VI), in conjunction with the Lead
Agency Sector Liaison Officials and a representative from the
National Economic Council, shall ensure their overall
coordination and the integration of the various sectoral plans,
with a particular focus on interdependencies.
V. Guidelines
In addressing this potential vulnerability and the means of
eliminating it, I want those involved to be mindful of the
following general principles and concerns.
* We shall consult with, and seek input from, the Congress on
approaches and programs to meet the objectives set forth in
this directive.
* The protection of our critical infrastructures is necessarily
a shared responsibility and partnership between owners,
operators and the government. Furthermore, the Federal
Government shall encourage international cooperation to help
manage this increasingly global problem.
* Frequent assessments shall be made of our critical
infrastructures' existing reliability, vulnerability and
threat environment because, as technology and the nature of
the threats to our critical infrastructures will continue to
change rapidly, so must our protective measures and responses
be robustly adaptive.
* The incentives that the market provides are the first choice
for addressing the problem of critical infrastructure
protection; regulation will be used only in the face of a
material failure of the market to protect the health, safety
or well-being of the American people. In such cases, agencies
shall identify and assess available alternatives to direct
regulation, including providing economic incentives to
encourage the desired behavior, providing information upon
which choices can be made by the private sector. These
incentives, along with other action, shall be designed to
help harness the latest technologies, bring about global
solutions to international problems, and enable private sector
owners and operators to achieve and maintain the maximum
feasible security.
* The full authorities, capabilities and resources of the
government, including law enforcement, regulation, foreign
intelligence and defense preparedness shall be available, as
appropriate, to ensure that critical infrastructure protection
is achieved and maintained.
* Care must be taken to respect privacy rights. Consumers and
operators must have confidence that information will be
handled accurately, confidentially and reliably.
* The Federal Government shall, through its research,
development and procurement, encourage the introduction of
increasingly capable methods of infrastructure protection.
* The Federal Government shall serve as a model to the private
sector on how infrastructure assurance is best achieved and
shall, to the extent feasible, distribute the results of its
endeavors.
* We must focus on preventive measures as well as threat and
crisis management. To that end, private sector owners and
operators should be encouraged to provide maximum feasible
security for the infrastructures they control and to provide
the government necessary information to assist them in that
task. In order to engage the private sector fully, it is
preferred that participation by owners and operators in a
national infrastructure protection system be voluntary.
* Close cooperation and coordination with state and local
governments and first responders is essential for a robust and
flexible infrastructure protection program. All critical
infrastructure protection plans and action shall take into
consideration the needs, activities and responsibilities of
state and local governments and first responders.
VI. Structure and Organization
The Federal Government will be organized for the purposes of
this endeavor around four components (elaborated in Annex A).
1. Lead Agencies for Sector Liaison: For each infrastructure
sector that could be a target for significant cyber or
physical attack, there will be a single U.S. Government
department which will serve as the lead agency for liaison.
Each Lead Agency will designate the individual of Assistant
Secretary rank or higher to be the Sector Liaison Official
for that area and to cooperate with the private sector
representatives (Sector Coordinators) in addressing problems
related to critical infrastructure protection and, in
particular, in recommending components of the National
Infrastructure Protection Plan. Together, the Lead Agency
and the private sector counterparts will develop and
implement a Vulnerability Awareness and Education Program
for their sector.
2. Lead Agencies for Special Functions: There are, in
addition, certain functions related to critical
infrastructure protection that must be chiefly performed by
the Federal Government (national defense, foreign affairs,
intelligence, law enforcement). For each of those special
functions, there shall be a Lead Agency which will be
responsible for coordinating all of the activities of the
United States Government in that area. Each lead agency
will appoint a senior officer of Assistant Secretary rank or
higher to serve as the Functional Coordinator for that
function for the Federal Government.
3. Interagency Coordination: The Sector Liaison Officials and
Functional Coordinators of the Lead Agencies, as well as
representatives from other relevant departments and
agencies, including the National Economic Council, will meet
to coordinate the implementation of this directive under the
auspices of a Critical Infrastructure Coordination Group
(CICG), chaired by the National Coordinator for Security,
Infrastructure Protection and Counter-Terrorism. The
National Coordinator will be appointed by me and report to
me through the Assistant to the President for National
Security Affairs, who shall assure appropriate coordination
with the Assistant to the President for Economic Affairs.
Agency representatives to the CICG should be at a senior
policy level (Assistant Secretary or higher). Where
appropriate, the CICG will be assisted by extant policy
structures, such as the Security Policy Board, Security
Policy Forum and the National Security and
Telecommunications and Information System Security
Committee.
4. National Infrastructure Assurance Council: On the
recommendation of the Lead Agencies, the National Economic
Council and the National Coordinator, I will appoint a panel
of major infrastructure providers and state and local
government officials to serve as my National Infrastructure
Assurance Council. I will appoint the Chairman. The
National Coordinator will serve as the Council's Executive
Director. The National Infrastructure Assurance Council
will meet periodically to enhance the partnership of the
public and private sectors in protecting our critical
infrastructures and will provide reports to me as
appropriate. Senior Federal Government officials will
participate in the meetings of the National Infrastructure
Assurance Council as appropriate.
VII. Protecting Federal Government Critical Infrastructures
Every department and agency of the Federal Government shall be
responsible for protecting its own critical infrastructure,
especially its cyber-based systems. Every department and agency
Chief Information Officer (CIO) shall be responsible for
information assurance. Every department and agency shall
appoint a Chief Infrastructure Assurance Officer (CIAO) who
shall be responsible for the protection of all of the other
aspects of that department's critical infrastructure. The CIO
may be double-hatted as the CIAO at the discretion of the
individual department. These officials shall establish
procedures for obtaining expedient and valid authorities to
allow vulnerability assessments to be performed on government
computer and physical systems. The Department of Justice shall
establish legal guidelines for providing for such authorities.
No later than 180 days from the issuance of this directive, every
department and agency shall develop a plan for protecting its
own critical infrastructure, including but not limited to its
cyber-based systems. The National Coordinator shall be
responsible for coordinating analyses required by the
departments and agencies of inter-governmental dependencies and
the mitigation of those dependencies. The Critical
Infrastructure Coordination Group (CICG) shall sponsor an expert
review process for those plans. No later than two years from
today, those plans shall have been implemented and shall be
updated every two years. In meeting this schedule, the Federal
Government shall present a model to the private sector on how
best to protect critical infrastructure.
VIII. Tasks
Within 180 days, the Principals Committee should submit to me a
schedule for completion of a National Infrastructure Assurance
Plan with milestones for accomplishing the following subordinate
and related tasks.
1. Vulnerability Analyses: For each sector of the economy and
each sector of the government that might be a target of
infrastructure attack intended to significantly damage the
United States, there shall be an initial vulnerability
assessment, followed by periodic updates. As appropriate,
these assessments shall also include the determination of the
minimum essential infrastructure in each sector.
2. Remedial Plan: Based upon the vulnerability assessment,
there shall be a recommended remedial plan. The plan shall
identify timelines for implementation, responsibilities and
funding.
3. Warning: A national center to warn of significant
infrastructure attacks will be established immediately (see
Annex A). As soon thereafter as possible, we will put in
place an enhanced system for detecting and analyzing such
attacks, with maximum possible participation of the private
sector.
4. Response: We shall develop a system for responding to a
significant infrastructure attack while it is underway, with
the goal of isolating and minimizing damage.
5. Reconstitution: For varying levels of successful
infrastructure attacks, we shall have a system to
reconstitute minimum required capabilities rapidly.
6. Education and Awareness: There shall be a Vulnerability
Awareness and Education Program within both the government
and the private sector to sensitize people regarding the
importance of security and to train them in security
standards, particularly regarding cyber systems.
7. Research and Development: Federally-sponsored research and
development in support of infrastructure protection shall be
coordinated, be subject to multi-year planning, take into
account private sector research, and be adequately funded to
minimize our vulnerabilities on a rapid but achievable
timetable.
8. Intelligence: The Intelligence Community shall develop and
implement a plan for enhancing collection and analysis of the
foreign threat to our national infrastructure, to include but
not be limited to the foreign cyber/information warfare
threat.
9. International Cooperation: There shall be a plan to expand
cooperation on critical infrastructure protection with like-
minded and friendly nations, international organizations and
multinational corporations.
10. Legislative and Budgetary Requirements: There shall be an
evaluation of the executive branch's legislative authorities
and budgetary priorities regarding critical infrastructure,
and ameliorative recommendations shall be made to me as
necessary. The evaluations and recommendations, if any,
shall be coordinated with the Director of OMB.
The CICG shall also review and schedule the taskings listed in
Annex B.
IX. Implementation
In addition to the 180-day report, the National Coordinator,
working with the National Economic Council, shall provide an
annual report on the implementation of this directive to me and
the heads of departments and agencies, through the Assistant to
the President for National Security Affairs. The report should
include an updated threat assessment, a status report on
achieving the milestones identified for the National Plan and
additional policy, legislative and budgetary recommendations.
The evaluations and recommendations, if any, shall be
coordinated with the Director of OMB. In addition, following
the establishment of an initial operating capability in the year
2000, the National Coordinator shall conduct a zero-based
review.
Annex A: Structure and Organization
Lead Agencies: Clear accountability within the U.S. Government
must be designated for specific sectors and functions. The
following assignments of responsibility will apply.
Lead Agencies for Sector Liaison:
Commerce          Information and communications
Treasury          Banking and finance
EPA               Water supply
Transportation    Aviation
                  Highways (including trucking and intelligent
                  transportation systems)
                  Mass transit
                  Pipelines
                  Rail
                  Waterborne commerce
Justice/FBI       Emergency law enforcement services
FEMA              Emergency fire service
                  Continuity of government services
HHS               Public health services, including prevention,
                  surveillance, laboratory services and
                  personal health services
Energy            Electric power
                  Oil and gas production and storage
Lead Agencies for Special Functions:
Justice/FBI       Law enforcement and internal security
CIA               Foreign intelligence
State             Foreign affairs
Defense           National defense
In addition, OSTP shall be responsible for coordinating research
and development agendas and programs for the government through
the National Science and Technology Council. Furthermore, while
Commerce is the lead agency for information and communication,
the Department of Defense will retain its Executive Agent
responsibilities for the National Communications System and
support of the President's National Security Telecommunications
Advisory Committee.
National Coordinator: The National Coordinator for Security,
Infrastructure Protection and Counter-Terrorism shall be
responsible for coordinating the implementation of this
directive. The National Coordinator will report to me through
the Assistant to the President for National Security Affairs.
The National Coordinator will also participate as a full member
of Deputies or Principals Committee meetings when they meet to
consider infrastructure issues. Although the National
Coordinator will not direct Departments and Agencies, he or she
will ensure interagency coordination for policy development and
implementation, and will review crisis activities concerning
infrastructure events with significant foreign involvement. The
National Coordinator will provide advice, in the context of the
established annual budget process, regarding agency budgets for
critical infrastructure protection. The National Coordinator
will chair the Critical Infrastructure Coordination Group
(CICG), reporting to the Deputies Committee (or, at the call of
its chair, the Principals Committee). The Sector Liaison
Officials and Special Function Coordinators shall attend the
CICG's meetings. Departments and agencies shall each appoint to
the CICG a senior official (Assistant Secretary level or higher)
who will regularly attend its meetings. The National Security
Advisor shall appoint a Senior Director for Infrastructure
Protection on the NSC staff.
A National Plan Coordination (NPC) staff will be contributed on
a non-reimbursable basis by the departments and agencies,
consistent with law. The NPC staff will integrate the various
sector plans into a National Infrastructure Assurance Plan and
coordinate analyses of the U.S. Government's own dependencies on
critical infrastructures. The NPC staff will also help
coordinate a national education and awareness program, and
legislative and public affairs.
The Defense Department shall continue to serve as Executive
Agent for the Commission Transition Office, which will form the
basis of the NPC, during the remainder of FY98. Beginning in
FY99, the NPC shall be an office of the Commerce Department. The
Office of Personnel Management shall provide the necessary
assistance in facilitating the NPC's operations. The NPC will
terminate at the end of FY01, unless extended by Presidential
directive.
Warning and Information Centers
As part of a national warning and information sharing system, I
immediately authorize the FBI to expand its current organization
to a full scale National Infrastructure Protection Center
(NIPC). This organization shall serve as a national critical
infrastructure threat assessment, warning, vulnerability, and
law enforcement investigation and response entity. During the
initial period of six to twelve months, I also direct the
National Coordinator and the Sector Liaison Officials, working
together with the Sector Coordinators, the Special Function
Coordinators and representatives from the National Economic
Council, as appropriate, to consult with owners and operators of
the critical infrastructures to encourage the creation of a
private sector sharing and analysis center, as described below.
National Infrastructure Protection Center (NIPC): The NIPC will
include FBI, USSS, and other investigators experienced in
computer crimes and infrastructure protection, as well as
representatives detailed from the Department of Defense, the
Intelligence Community and Lead Agencies. It will be linked
electronically to the rest of the Federal Government, including
other warning and operations centers, as well as any private
sector sharing and analysis centers. Its mission will include
providing timely warnings of international threats, comprehensive
analyses and law enforcement investigation and response.
All executive departments and agencies shall cooperate with the
NIPC and provide such assistance, information and advice that
the NIPC may request, to the extent permitted by law. All
executive departments shall also share with the NIPC information
about threats and warning of attacks and about actual attacks on
critical government and private sector infrastructures, to the
extent permitted by law. The NIPC will include elements
responsible for warning, analysis, computer investigation,
coordinating emergency response, training, outreach and
development and application of technical tools. In addition, it
will establish its own relations directly with others in the
private sector and with any information sharing and analysis
entity that the private sector may create, such as the
Information Sharing and Analysis Center described below.
The NIPC, in conjunction with the information originating
agency, will sanitize law enforcement and intelligence
information for inclusion into analyses and reports that it will
provide, in appropriate form, to relevant federal, state and
local agencies; the relevant owners and operators of critical
infrastructures; and to any private sector information sharing
and analysis entity. Before disseminating national security or
other information that originated from the intelligence
community, the NIPC will coordinate fully with the intelligence
community through existing procedures. Whether as sanitized or
unsanitized reports, the NIPC will issue attack warnings or
alerts to increases in threat condition to any private sector
information sharing and analysis entity and to the owners and
operators. These warnings may also include guidance regarding
additional protection measures to be taken by owners and
operators. Except in extreme emergencies, the NIPC shall
coordinate with the National Coordinator before issuing public
warnings of imminent attacks by international terrorists,
foreign states or other malevolent foreign powers.
The NIPC will provide a national focal point for gathering
information on threats to the infrastructures. Additionally,
the NIPC will provide the principal means of facilitating and
coordinating the Federal Government's response to an incident,
mitigating attacks, investigating threats and monitoring
reconstitution efforts. Depending on the nature and level of a
foreign threat/attack, protocols established between special
function agencies (DOJ/DOD/CIA), and the ultimate decision of
the President, the NIPC may be placed in a direct support role
to either DOD or the Intelligence Community.
Information Sharing and Analysis Center (ISAC): The National
Coordinator, working with Sector Coordinators, Sector Liaison
Officials and the National Economic Council, shall consult with
owners and operators of the critical infrastructures to strongly
encourage the creation of a private sector information sharing
and analysis center. The actual design and functions of the
center and its relation to the NIPC will be determined by the
private sector, in consultation with and with assistance from
the Federal Government. Within 180 days of this directive, the
National Coordinator, with the assistance of the CICG including
the National Economic Council, shall identify possible methods
of providing federal assistance to facilitate the startup of an
ISAC.
Such a center could serve as the mechanism for gathering,
analyzing, appropriately sanitizing and disseminating private
sector information to both industry and the NIPC. The center
could also gather, analyze and disseminate information from the
NIPC for further distribution to the private sector. While
crucial to a successful government-industry partnership, this
mechanism for sharing important information about
vulnerabilities, threats, intrusions and anomalies is not to
interfere with direct information exchanges between companies
and the government.
As ultimately designed by private sector representatives, the
ISAC may emulate particular aspects of such institutions as the
Centers for Disease Control and Prevention that have proved
highly effective, particularly its extensive interchanges with
the private and non-federal sectors. Under such a model, the
ISAC would possess a large degree of technical focus and
expertise and non-regulatory and non-law enforcement missions.
It would establish baseline statistics and patterns on the
various infrastructures, become a clearinghouse for information
within and among the various sectors, and provide a library for
historical data to be used by the private sector and, as deemed
appropriate by the ISAC, by the government. Critical to the
success of such an institution would be its timeliness,
accessibility, coordination, flexibility, utility and
acceptability.
Annex B: Additional Taskings
Studies
The National Coordinator shall commission studies on the
following subjects:
* Liability issues arising from participation by private sector
companies in the information sharing process.
* Existing legal impediments to information sharing, with an eye
to proposals to remove these impediments, including through
the drafting of model codes in cooperation with the American
Legal Institute.
* The necessity of document and information classification and
the impact of such classification on useful dissemination, as
well as the methods and information systems by which threat
and vulnerability information can be shared securely while
avoiding disclosure or unacceptable risk of disclosure to
those who will misuse it.
* The improved protection, including secure dissemination and
information handling systems, of industry trade secrets and
other confidential business data, law enforcement information
and evidentiary material, classified national security
information, unclassified material disclosing vulnerabilities
of privately owned infrastructures and apparently innocuous
information that, in the aggregate, it is unwise to disclose.
* The implications of sharing information with foreign entities
where such sharing is deemed necessary to the security of
United States infrastructures.
* The potential benefit to security standards of mandating,
subsidizing, or otherwise assisting in the provision of
insurance for selected critical infrastructure providers and
requiring insurance tie-ins for foreign critical
infrastructure providers hoping to do business with the United
States.
Public Outreach
In order to foster a climate of enhanced public sensitivity to
the problem of infrastructure protection, the following actions
shall be taken:
* The White House, under the oversight of the National
Coordinator, together with the relevant Cabinet agencies shall
consider a series of conferences: (1) that will bring
together national leaders in the public and private sectors to
propose programs to increase the commitment to information
security; (2) that convoke academic leaders from engineering,
computer science, business and law schools to review the
status of education in information security and will identify
changes in the curricula and resources necessary to meet the
national demand for professionals in this field; (3) on the
issues around computer ethics as these relate to the K through
12 and general university populations.
* The National Academy of Science and the National Academy of
Engineering shall consider a round table bringing together
federal, state and local officials with industry and academic
leaders to develop national strategies for enhancing
infrastructure security.
* The intelligence community and law enforcement shall expand
existing programs for briefing infrastructure owners and
operators and senior government officials.
* The National Coordinator shall (1) establish a program for
infrastructure assurance simulations involving senior public
and private officials, the reports of which might be
distributed as part of an awareness campaign; and (2) in
coordination with the private sector, launch a continuing
national awareness campaign, emphasizing improving
infrastructure security.
Internal Federal Government Actions
In order for the Federal Government to improve its
infrastructure security these immediate steps shall be taken:
* The Department of Commerce, the General Services
Administration, and the Department of Defense shall assist
federal agencies in the implementation of best practices for
information assurance within their individual agencies.
* The National Coordinator shall coordinate a review of existing
federal, state and local bodies charged with information
assurance tasks, and provide recommendations on how these
institutions can cooperate most effectively.
* All federal agencies shall make clear designations regarding
who may authorize access to their computer systems.
* The Intelligence Community shall elevate and formalize the
priority for enhanced collection and analysis of information
on the foreign cyber/information warfare threat to our
critical infrastructure.
* The Federal Bureau of Investigation, the Secret Service and
other appropriate agencies shall: (1) vigorously recruit
undergraduate and graduate students with the relevant
computer-related technical skills for full-time employment as
well as for part-time work with regional computer crime
squads; and (2) facilitate the hiring and retention of
qualified personnel for technical analysis and investigation
involving cyber attacks.
* The Department of Transportation, in consultation with the
Department of Defense, shall undertake a thorough evaluation
of the vulnerability of the national transportation
infrastructure that relies on the Global Positioning System.
This evaluation shall include sponsoring an independent,
integrated assessment of risks to civilian users of GPS-based
systems, with a view to basing decisions on the ultimate
architecture of the modernized NAS on these evaluations.
* The Federal Aviation Administration shall develop and
implement a comprehensive National Airspace System Security
Program to protect the modernized NAS from information-based
and other disruptions and attacks.
* GSA shall identify large procurements (such as the new Federal
Telecommunications System FTS 2000) related to infrastructure
assurance, study whether the procurement process reflects the
importance of infrastructure protection and propose, if
necessary, revisions to the overall procurement process to do
so.
* OMB shall direct federal agencies to include assigned
infrastructure assurance functions within their Government
Performance and Review Act strategic planning and performance
measurement framework.
* The NSA, in accordance with its National Manager
responsibilities in NSD 42, shall provide assessments
encompassing examinations of U.S. Government systems to
interception and exploitation; disseminate threat and
vulnerability information; establish standards; conduct
research and development; and conduct issue security product
evaluations.
Assisting the Private Sector
In order to assist the private sector in achieving and
maintaining infrastructure security:
* The National Coordinator and the National Infrastructure
Assurance Council shall propose and develop ways to encourage
private industry to perform periodic risk assessments of
critical processes, including information and
telecommunications systems.
* The Department of Commerce and the Department of Defense shall
work together, in coordination with the private sector, to
offer their expertise to private owners and operators of
critical infrastructure to develop security-related best
practice standards.
* The Department of Justice and Department of the Treasury shall
sponsor a comprehensive study compiling demographics of
computer crime, comparing state approaches to computer crime
and developing ways of deterring and responding to computer
crime by juveniles.
[Signed:] Bill Clinton
Transcription and HTML by Cryptome.