FOR OFFICIAL USE ONLY,

20365
THE WHITE HOUSE
WASH INGTON

May 22, 1998
PRESIDENTIAL DECISION DIRECTIVE/NSC-63
MEMORANDUM FOR THE VICE PRESIDENT
THE SECRETARY OF STATE
THE SECRETARY OF THE'TREASURY
THE SECRETARY OF DEFENSE
THE ATTORNEY GENERAL
THE SECRETARY OF COMMERCE
THE SECRETARY OF HEALTH AND HUMAN SERVICES
THE SECRETARY OF TRANSPORTATION
THE SECRETARY OF ENERGY
THE SECRETARY OF VETERANS AFFAIRS
ADMINISTRATOR, ENVIRONMENTAL PROTECTION AGENCY
THE DIRECTOR, OFFICE OF MANAGEMENT AND BUDGET
THE DIRECTOR OF CENTRAL INTELLIGENCE
THE DIRECTOR, FEDERAL EMERGENCY MANAGEMENT AGENCY
THE ASSISTANT TO THE PRESIDENT FOR
NATIONAL SECURITY AFFAIRS
THE ASSISTANT TO THE PRESIDENT FOR
ECONOMIC POLICY
THE ASSISTANT TO THE PRESIDENT FOR
SCIENCE AND TECHNOLOGX
THE CHAIRMAN, JOINT CHIEFS OF STAFF
THE DIRECTOR, FEDERAL BUREAU OF INVESTIGATION
THE DIRECTOR, NATIONAL SECURITY AGENCY
SUBJECT:

Critical Infrastructure Protection

I . . A Growing Potential Vulnerability
The United States possesses both the world's strongest military
and its largest national economy. Those two aspects of our
power are mutually reinforcing and dependent. They are also
increasingly reliant upon certain critical infrastructures and
upon cyber-based information systems.
Critical infrastructure~ are those physical and cyber-based
systems essential to the minimum operations of the economy and
government. They include, but are riot limited to,
telecommunications, energy, banking and finance, transportation,

FOR OFFICIAL USE ONLY

 FOR OFFICIAL USE ONLY  

2


water systems and emergency services,both governmental and
private. ManY,Df the nation's critical infrastructures have
historically been physically and logically ,separate systems that
had little interdependence. As a result of advances in
information technology and the necessity of improved efficiency,
however" these infrastructures have become increasingly
automated and·interlinked. These same advances have created new
vulnerabilities to equipment failures, human error, weather and
other natural causes, and physical and cyb'er attacks:
Addressing these vulnerabilities will necessarily require
exible, evolutionary approaches that span both the public and
private sectors, and protect both domestic and international
security.
Because of our military strength, future enemies, whether
nations, 'groups or individuals, may seek to· harm us in non­
traditional ways including attacks within the United st es.
Because our economy is increasingly reliant upon interdependent
and cyber-supported infrastructures" non-traditional attacks on
our infrastructure and information systems may be capable of
significantly harming both our military power and our economy.
II.

President's Intent

It has long been the policy of the United States to assure the
continuity and viability of critical infrastructures. I intend
that the United States will take all necessa~y measures to
swiftly eliminate any significani vultierability to both physical
and cyber attacks on our critical infrastructures,
luding
especially our cyber systems.
III.

A National Goal

No later than the year 2000, th~ Unit~d States shall have
achieved an initial operating capability and no later than five
years from today the United States shall pave achieved and shall
maintain the ~bility to. protect our nation's critical
infrastructures from intentional 'acts. that would significantly
diminish theabiliti~s of: '
o   the Federal Government to perform essentia'l national securi ty
missions and to ensure .the general public hea~th and ~afety;
,

•   state and local governments to maintain order and to deliver
minimum essential public services;
.

FOR OFFICIAL USE ONLY 


 FOR OFFICIAL USE ONLY  

3

•   the private sector to ensure the orderly functioning of the
economy and the delivery of essential telecommunications,
energy, financial and transportation services.
Any interruptions or manipulations of these critical functions
must be brief, infrequent, manageable, geographically isolated
and minimally detrimental to the welfare of the United States.
IV.

A Public-Private Partnership to Reduce Vulnerability

Since the targets of attacks on o~i'critical infrastiucture
would likely include both facilities iri the economy and those in
the government, the elimination -of our potenti
vulnerability
requires a closely co6rdinat~d'effort of both the government and·
the private sector. To succeed, this partnership must be
genuine, mutual and cooperat
In seeking to meet our
national goal to eliminate the vulnerabiltt s of our critical
infrastructure, therefor~, we ~hould, to the extent feasible,
seek to avoid ·outcomes that increaS~ governmerit regulatiori or
expand unfunded government mandates to the private sector.
For each of the
or sectors of our economy that are vulnerable
to infrastructure attack, the ,Federal Gove.rnment will appoint
from a designated
Agency a senior officer of that agency as
the Sector Liaison Official. to work with the private sector.
Sector Liaison Of cials, after disc~ssions and coordination
with private sector entities ·of their infrastructure sector,
will identify a private sector counterpart (Sector. Coordinator)
to represent their sector.
Together these two individuals and the departments and
corporations they represent shall contribute to a sectoral
National Infrastructure Assurance Plan by:
•   assessing the vulnerabilities of the sector to cyber or
physical attacks;
•   recommending a plan to eliminate significant vulnerabilities;
u 

proposing a system for identifying and preventing attempted.
major attacks;

o   developing a plan for alerting, containing and rebuffing an
attack in progress and then, in coordination with FEMA as
appropriate, rapidly reconstituting minimum essential
capabilities in the aftermath of an attack.
FOR OFFICIAL USE ONLY

 '.

FOR OFFICIAL USE ONLY  

4

During the preparation of the sectoral plans, the National
Coordinator (see section VI), in conjunction with the Lead
Agency Sector Liaison Of cials and a repr!,=sentative fr.om the
National Economic Council, shall ensure, their overall'
cbordination and the integration of
various s~~toral plans,
with a particular focus on interdependenciesi
, .
V.

Guidelines

In addressing this pot~ntial v~lnerability and the means of
eliminating it, I want those involved to ~e mindful of the
following general principles and concerns.
•   We shall' consult with, and seek input from, the Congress on
approaches and programs to meet the obj
ives set forth in
this directive.
•   The protection of our critical infrastructures is necessarily
a shared responsibility and partnership between owners,
operators and the government. Furthermore, the Federal
Government shall encourage internationa:l cooperation to help
,manage this increasingly global problem.
•   Frequent assessments shall be made of our
tical
tructures' existing reliability, vulnerability and
environment because, as technology and the nature of
threats to our critical infrastructures will continue to
change rapidly, so must our protective measures and responses
be robustly adaptive.
•   The incentives that the market provides are the first choice
for addressing the problem of critigal infrastructure
protection; regulation will be used only iri the
of a
mat
al failure of the ~ark~t to protect the health, safety
or well-being of the American people. ;In such cases, agencies
shall identify and assess available alternatives to direct
regulation, including providing economic incentives to
encourage the desired behavior, or providing' information upon
which choices can be made by the private sector. The~e
incent
s, along with other actions, shall be designed to
help harness the latest technologies, bring about global
solutions to
ernational problems, apd enable private sector
owners and operators to achieve and maintain the maximum
feasible security.

FOR OFFICIAL USE ONLY 


 FOR OFFICIAL USE ONLY  

5


•   The full authorities, capabilities and resources of the
government, including'law·enforcement, regulation, foreign
intelligence and, defense preparedness shall. be available, as
appropriate, to ensure that critical infrastructure protection
is achieved and maint
•   Care must be taken to respect privacy righ~s. Consumers and
operators must have confidence' that information will be
handled accurately, confident
ly and reliably . . '
•   The F~deral Government shall, through i
research,
development and procurement, encourage
introduction of
increasingly capable methods of
tructure protection.
•   The Federal Government shall serve as a model to the private
sector on how infrastructure assurance is best achieved and
shall, to the extent feasible, distribute the results of its
endeavors.
•   We must focus on preventative measures as well as threat and
crisis management. To that end, private sector owners and
operators should be encouraged to provide maximum
asible
security for the infrastructures they. control and to provide
the government necessary information to assi
them in that
task.
In order to engage the private sector fully, it is
preferred that participation by owners and operators
a
national infrastructure protection system be voluntary.
•   Close cooperation and coordination with state and local
governments and first responders is. essential
a robust and
flexible infrastructure protection program. All crit
infrastructure protection plans and action shall. take into
consideration the needs, activities and responsibilit s of
state and local governments and first responders.
VI.

Structure and Organization

The Federal Government will be organized for the purposes of
this endeavor around four components (ela;borated in Annex A) .
1.   Lead
s for Sector Liaison:
For each infrastructure
sector that could be a target for significant cyber or
physical attacks, there will bea 's~ngle;U.S. Government
department which will serve as the lead agency for liaispn.
Each Lead Agency will design~te one tndividual of Assistant

FOR   OFFICIAL USE'ONLY

 FOR   OFFICIAL USE ONLY

6


Secretary rank or higher to be the Sector Liaison Official
for that area and to cooperate with the priVate sector
representat
s (Sector Coordinators) in addressing problems
related to critical infrastructure protection and, in
particular, in recommending components, of the National
Infrastructure Assurance Plan. Together, the Lead Agency
and the private sector counterparts will develop and
implement a Vulnerability Awareness and Education Program,
for their sector.
2.   Lead Agencies for Special Functions: There are, in
addition, certain functions related t6 critical
infrastructure protec~ion that must be chiefly performed by
the Federal Government (national
fense, foreign affairs,
intelligence, law enforcement). For each of those special
functions, ther~ shall be a Lead Agency which will be
responsible for c00rdinating all of the activities of the
United States Government in that area. Each lead agency
will appoint a senior 0
cer of Assistant Secretary rank or
higher to serve as the Functional Coordinator for that
function for the Federal Government.
3.   Interagency Coordination: The Sector Liaison Officials and
'Functional Coordinators of the Lead Agencies, as well as
representatives from other relevant departments and
agencies, including the National Economic Council, will meet
to coordinate the implementation of this directive under the
auspices of a Critical Infras~ructure Coordination Group
(CICGI, chaired by the National Coordinator for Security,
Infrastructure Protect.1on"andCounter-Terrorism. The
National Coordinator will be appointed by me and report to
me through the Assistant to. the President for National
Security Affairs, who shall assure appropriate coordination
with the Assistant to the ·President for Economic Affairs.
Agency representatives to. the CICG sl10uldbe at a senior
policy level (Assistant· S,ecreta:r:-Y 0 higher)., Where.,.
appropriate, the CICGwill be assisted by extant policy
structur,es, such as the Security Po'licy Board.,' .Security
Policy Forum and the National Security and
Telecommunications· and ,Information System Security
Committee.
4.   National Infrastructure AssurahceCouncil: On ·the
recommendation of the Lead AgeI?-cies, the National Economic
Council and the National Coordinator, I will appoint a panel
of major infrastructure providers and state ,and local
government 9fficialsto serve as my National II).frastructure

FOR   OFFICIAL USE ONLY 


 FOR OFFICIAL USE ONLY
,

"

7


..

Assurance Council. I will appoint the Chairman. The
National Coordinator will serve as the Council's Executive
Director. The National Infrastructure Assurance Council
will meet periodically to enhance the partnership of the
public and private sectors in protecting our critical
infrastructures and will provide reports to me as
appropriate. Senior Federal Government officials will
participate in the meetings of the National Infrastructure
Assurance Council as appropriate.
VII.

Protecting Federal Government.Critical Infrastructures

Every department and agency of the Federal Government shall be
responsible for protecting its own critical infrastructure,
especially its cyber-based systems. Every department and agency
Chief Information Officer (CIO) shall be responsible for
information assurance. Every department and agency shall
appoint a Ch~ef Infrastructure Assurance Qfficer (CIAO) who
1 be responsible for the protection of all of the other
aspects of that department's critical infrastructure. The CIO'
may be double-hatted as the CIAO at the discretion of the
individual department. ·These officials shall establish
procedures for obtaining expedient and valid authorities to
allow vulnerability assessments to be performed on government
computer and physical systems. The Department of Jus ce shall
establish legal guidelines for providing for such authorities.
No later than 180 days from issuance of this directive,. every
department and agency'shall develop a plan for protecting its
own critical infrastructure, including but not limited to its
cyber-based systems. The National Coordinator shall be
responsible for coordinating anal es r~q~ired by the
departments and agencies of~inter-governmental dependencies and
the mitigation of those dependeticies~~'Th~ Critical
Infrastructure Coordination Group (CICG) ,shall sponsor an expert
review process for those plans. No later; than two years from
today, those plans shall have been implemented and shall be.'
updated every two years. In meeting this schedule; the,Federal
Government shall present a model. to the private .sector on how
. best to protect critical infrastructure.

FOR OFFICIAL USE ONLY 


 FOR OFFICIAL USE ONLY  
VIII.

8


Tasks

Within 180 days, the Principals Comniitteeshould submit to me a
schedule for cqmpletion of a National Infrastructure Assurance
Plan with milestones for accomplishing "the follow~ng subordinate
and related tasks.
1.   Vulnerability Analyses:

For' each secto'r of the: economy and
each sector of the government that might be a target of
infrastructure, attack intended to significantly damage the
Uni ted State's, there shall be an
ial vulnerability
assessment,
llowed by periodic updates~ 'As appropriate,
these assessments shall also include the determination of the
minimum essential infrastructure in each s'ector.

2.   Remedial Plan: Based upon the vulnerability assessment,
there shall be a r,ecommended remed~al plan. The plan shall
identify timeline.s for implementation, responsibilities and
funding.
3.   Warning: A national center to warn of ~ignificant
infrastructure attacks will be established immediately (see
Annex A). As soon thereafter as possible, we will put in
place an enhanced system for detecting and analyzing such
attacks, with maximum poss'ible participation of the private
sector.
4.   Response: We shall develop a system for responding to a.
significant infrastructure attack while it is underway, with
the goal 'of isolating and minimizing damage.
5.   Recbnstitution: For varying levels of successful
infrastructure attacks, we shall have'a system to'
reconstitute minimum required capabili es rapidly.
6.   Education and Awareness: There shall be Vulnerability
Awareness and Education Programs within both the government
and the private sector to sensitize people regarding the
importance of security and to train them in security
standards, particularly regarding cyber systems.
7.   Research and Development: Federally-sponsored research and
development in support of infrastructure protection shall be
coordinated, be subj
to multi~year planning, take into
account private sector research, and be adequately funded to
minimize our vulnerabilities on a rapid but achievable.
timetable.

FOR   OFFICIAL USE ONLY 


 FOR OFFICIAL USE ONLY  

9


8.   Intelligence: The Intelligence Community shall develop and
implement a plan for enhancing collection and analysis of the
foreign threat to our national infrastructure, to include but
not be limited to the foreign cyber/information warfare
threat.
9.   International Cooperation: There sha
be a plan to expand
cooperation on critical infrastructure
ion with like~,
minded and friendly nations, international,organizations and
mUltinational corporations.
10.  Legislative and Budgetary Requirements:
shall be an ,
evaluation of the executive branch's legis
ive authorities
and budgetary priorities regarding critical infrastructure,
and ameliorative recommendations shall be made to me as
necessary. The evaluations and recommendat
, if any,
shall be coordinated with the Director of OMB.
The CICG shall also review and schedule, the taskings listed in
Annex B.
IX.

Implementation

In addition to the l80-day report, the National Coordinator,
working with the National Economic Council, shall provide an
annual report on the implementation of this di
to me and
the
of departments and agencies, through
Assistant to
the President for National Security Affairs. The report should
inc
an updated threat assessment, a status 'report on
achieving the milestones identified for the National Plan and
additional policy, legislative and budgetary recommendations.
The evaluations and recommendations, if any, shall
coordinated with the Director of OMB.
In addition,
lowing
the establishment of an initial oper~ting capability in the year
2000,
National Coordinator shall conduct a zero-based
review.

FOR   OFFICIAL USE ONLY 


 FOR OFFICIAL USE ONLY  
Annex A:

10 


structure and Organization

Lead Agencies: Clear accountability within the U.S. Government
must be designated for specific sectors and functions. The
following assignments of responsibility will apply.
Lead Agencies

Sector Li

son:

Commerce  

Information and communications

Treasury  

Banking and finance

EPA  

Water supply

Transportation   Aviation
Highways (including trucking and intelligent
transportation systems)
Mass transit
Pipelines
Rail
Waterborne commerce
Justice/FBI  

Emergency' law enforcement services

FEMA  

Emergency fire service 

Continuity of government services 


HHS  

Public health services, including prevention,
surveillance, laboratory services and
personal health services

Energy

Electric power 

Oil and gas. production

Law enforcement and

CIA  

Foreign intelligence

State  

Foreign affairs

Defense  

National defense

storage 


.,


Lead Agencies for Special. Functions: ..:'
Justice/FBI  

~nd

intern~l

security

In addition, OSTP shall be responsib
for 600rdinating ~esearch
and development agendas and programs for the government through'
the National Science and Technology Council. Furthermore, while

FOR OFFICIAL USE ONLY
.'

,

 FOR OFFICIAL USE ONLY

11 


Commerce is the lead agency for information and communi
ion,
the Department of Defense. will retain its Executive Agent
responsibilities for the National Communications System and
support of the President's National Security Telecommuni
ions
Advisory Commit
National
The National Coordinator fqr Security,
Infrastructure
ion and Counter-Terrorism shall be '
responsible
coordinating the implementation of this
directive.
The Nat
Coordinator will report to me through
the Assistant to
President for National Security Af
The National Coordinator will also participate as a full member
of Deputies or Principals Committee meetings when they meet to
consider infrastructure issues.. , Although the National·
Coordinator will not direct Depart~ents and Agencies, he or she
will ensure interagency coordination for policy development and
implementation, and will review.crisis activities concern,ing
infrastructure events with significant foreign involvement. The
National Coordinator ~ill provide advice, in the context of the
established annual budget process,. regarding agency budgets for
critical infrastructure piot
ion. The.N~tional Coordinator
will .chair the Critical
iucture Coordination. Group
(CrCG), reporting to
Deputies Committee (or, at the call of
its chair, the Principals' Committee). The Sector Liaison
Officials and Spe6ial Function Coordinators shall attend the
CIGC's·meetings. Departments and ~gencies shall each appoint to
the CIGC a senior
al (Assista~t Secrefary level o~higher)
who will regularly attend
meetings. : The National Security
Advisor shall appoint a Senior
for Infrastructu~e
Protection on' the NSC st
A National Plan Coordination (NPC) staff will be contributed on
a non-reimbursable basis by the departments and agencies,
consistent with law. The NPC
~~ll ~ntegrate the various
sector· plans into a National
tructure Assurance Plan and.
coordinate analyses of the U.S. Government's own dependencies on
critical infrastructures. The NPC sta
will also help
coordinate a national education and awareness program, and
legislative and public affairs.
The Defense Department shall continue to ,serve as Executive
Agent for the Commission Transition Office, which will form the
basis of the NPC, during the remainder of FY98. ~eginning in
FY99, the NPC shall be an office of
Commerce Department. The
Office of Personnel Management shall provide the necessary
assistance in facilitating the NPC's operations. The NPC will

FOR OFFICIAL USE ONLY 


 FOR OFFICIAL USE ONLY

12

terminate at the end of FY01, unless extended by,Presidential
directive.

Warning and Information Centers
As part of a national warning and: information sharing system, I',
immediately authorize the FBI to expand its current~1 organization
to a full scale National
tructure Protect
Center
(NIPC).
This organiz~tion shall serve as a national critical
infrastructure threat assessment, warning, vulnerability, and
law' enforcement investigation and response entity .. ' During the
initial period of six to twelve months, I also direct the
National Coon;iinator and the S
Liaison Officials, working
together with the Sector Coordinators, the Special Function
Coordinators and representatives from the.National Economic
Council, as appropriate, to consult with owners and operators of
the critical infrastructures to enc?uragethe creation of a
private sector sharing and analysis center, as described below.
National Infrastructure Protection Center (NIPC):
The NIPC will
include FBI, USSS, and other investigators experienced in
computer crimes' and infrastructure protection, as well as
representatives detailed from the Department of Defense, the
Intelligence Community and Lead Agencies.
It will be linked
electronically to the rest of the
Government, including
other warning and operations centers, as well as any private
sect0r sharing and analysis centers.
Its mission will include
providing timely warnings of intentional threats, comprehensive
analyses and law enforcement investigation and response.
All executive departments and agencies shall cooperate with the
NIPC and provide such assistance, information and advice that
the NIPC may request, to the extent permitted by law. All
executive departments shall'also share with the NIPC information
about threats and warning of attacks and about actual attacks on
critical government and private sector infrastructures, to the
extent permitted by law.
The NIPC will
lude elements
responsible for warning, analysis, computer inves gation,
coordinating emergency response, training, outreach and,
development and application of technical too
In addition, it
will establish its own relations directly with others in the
private sector and with any information sharing qnd analysis
ity that the private sector may create, such as the
Information Sharing and Analysis Center described below.
The NIPC, in conjunction with the information originating
agency, will sanitize law enforcement and intelligence

FOR OFFICIAL USE ONLY

 FOR OFFICIAL USE ONLY  

13 


information for inclusion into analyses and reports that it will
provide, in appropriate form, to relevant federal, state and
local  agencies; the relevant owners and operators of critical
infrastructures; and to any private sector information sharing
and analysis entity. Before disseminating national's~curity or
other  information that originated from the intelligence'
commun'i ty, the NIPC will coordinate fully with the intelligence,
community through existing procedures. Whether as, s~nitlz~ci or
unsanitized reports, the NIPC will issue attack w~rniQg~'or
alerts t6 increases in threat condition to any pri~at~ sector '.
information sharing and analysis entity and to the owners,and
operators.
These warnings may also include guidance ieg~,r.di-ng
additional protection measures to be taken by owners an~'; ;
operators. Except in extreme emergencies, the NIPC shall
coordinate with the National Coordinator before issuing public ,~
warnings of imminent attacks by international terrorists,
foreign states or other malevolent foreign powers.
The NIPC will provide a national focal point for gathering
information on threats to the infrastructures. Additionally,
the NIPC will provide the principal means of facilitating and
coordinating the Federal Government's response to an incident,
mitigating attacks, investigating threats and monitoring
reconstitution efforts. Depending on the nature and level of a
foreign threat/attack, protocols established between special
function agencies (DOJ/DOD/CIA), and the ultimate decision of
the President, the NIPC may be placed in a direct support role
to either DOD or the Intelligence Community.
Information Sharing and Analysis Center (ISAC):
The National
working with Sector Coordinators, Sector Liaison
Officials and the National Economic Council, shall consult with
owners and operatqrs of the critical infrastructures to strongly
encourage the creation of a private sector information sharing
)  and analy~is center.
The actual desi~n and functions of the
center and its relation to the NIPC will bedetermiried by the
private sector, in consultation with and with assistance from
the Federal Government. Within 180 days of this directive" the
National Coordinator, with the assistance of the CICGincluding
the National Economic Council, shall identify possible ~ethods
of providing federal assistance to facilitate the startup :of ah
ISAC.
Co~rdinator,

I,

Such a center could serve as the mech~nism for gathering,
"'.
analyzing, appropriately sanitizing and disseminating private
sector information to both industry and the NIPC.
The center
could  also gather, analyze and disseminate information from the
".

FOR OFFICIAL USE ONLY

 FOR OFFICIAL USE ONLY

14

NIPC for further distribution to the private sector. While' .
crucial toa successful government-industry partnership, this
mechanism for sharing important information about
vulnerabilities, threats, intrusions and anomalies is not to
interfere. with direct information exchaJ;lge::;; betwee.ncompanies
. ,.
and t~e government.
'"

;

-: .

,':

-'.

: .. '.

As ultimately designed by private sector representatives,;" the· 

ISAC may emulate particular aspects of such insti tut.ions,·as the·,.". 

Centers for Disease Control and Prevention that ·have'proye<i . · . 

highly effectivej particularly its extensive inte~change~ with. 

the private and non-federal sectors. Under such a model;' tne ' 

ISAC would pO$sess a large degree of technical focus and 

expertise and non-regulatory and non-law enforcement missions. 

It woulde.stablishbaseline statistics and patterns ontpe 

various infrastructures, become a clearinghouse for information 

within and among the various sectors, and provide a library for 

historical data to be used be the private sector and, as' deemed 

appropriate by the· ISAC, by the government. Critical to the 

success of such an institution would be its timeliness, 

accessibility, coordination, flexibility, utility and 

acceptability. 


,'1

FOR OFFICIAL USE ONLY 


 FOR OFFICIAL USE ONLY

Annex B:

15 


Additional Taskings

studies

The National Coordinator shall commission studies on the
following subjects,:
-

Liability issues arising from partitipation by private' sector
companies in the information sharing' process ..

-

Existing legal impediments to
ion' sharing, with an eye
to proposals to remove these impediments, including through
the drafting of model codes
cooperation with the American
Legal Institute.

-The necessity of document and information
the impact of such classificatioI'l: on use
well as the methods and information systems
and vulnerability information can be shared
avoiding disclosu~e or unacceptable risk of
those who will misuse 'it.

sification and
dissemination, as
by which threat
securely while
disclosure to

-

The improved protection, including secure dissemination and
information handling systems, of '~ndustry trade secrets and
other confidential business data, law enforcement information
and evidentiary material, classi ed national security
rmation, unclassified materiai disclosing vulnerabilities
of privately owned infrastructures' and apparently innocuous
rmation that, in the aggregate,., .i t, 'is unwise to disclose,.

-

The implications of sharing information with
ign entities
where such sharing is deemed necessary to the $ecurity of
United States infrastructures.

-

The potential benefit to security standards of mandating,
subsidizing, or otherwise assisting
the provision of
insurance for selected critical infrastru,cture provide'rs and
requiring insurance tie-ins for foreign
t
1
ructure providers hoping to do bus
with the 'United

FOR OFFICIAL USE ONLY 


 FOR OFFICIAL USE ONLY  

16

Public outreach
In order to foster a climate of enhanced public sensitivity to .
the problem of infrastructure prot
ion, 'the following actions
shall be taken:
•   The White House, under the oversight of the National
Coordinator, together wi.th the relevant Cabinet agencies shall
consider a series of conferences: .. (1) that wil~ bring
together national leaders in the public and private sectors to
propose programs to increase the commitment to information
security; (2) that convoke academic leaders from engineering,
computer science, business and law schobls to
ew the
status of education in information security and will identify
change~ in the crirricula and resources nece~
to meet the
national demand for professionals in this
eld;(3) on the
issues around computer ethics,as·these reI
to the K through
12 and general university populations.
•   The National Academy of Sciences and the National Academy of
Engineering shall consider a round table bringing together
federal, state and local officials with~ industry ~nd academic
leaders to develop national strategies for enhancing
infrastructure security.
•   The intelligence community and law enfo.rcement shall expand
existing programs for briefing infrastr,ucture owners and
operators and senior government 0
cials.
•   The National Coordinator shall (1) establish a program
infrastructure assurance simulations involving senior public
and private officials, the reports Df which might be
distributed as part of an awareness' campaign; and (2) in
coordination with the private ~ector, launch a continuing
national awareness campaign, emphasizing improving
infrastructure security.
Internal Federal Government Actions
In order for the Federal Government to improve its
infrastructure security, these immediate steps shall he taken:
e   The Department of Commerce, the General Services
Administration, and the Department of Defense shall assist

IAL USE ONLY 


 FOR OFFICIAL USE ONLY

17  .

federal agencies . in the implementation of. best practices for
information assurance within, their individ~al.agencies.
•   The National Coordinator shall coordiqate a review of existing
federal, state and local bodies c~arged with information
assurance tasks, and provide recommendations on how these
institutions can cooperate'most effectively.
•   All federal agencie~ shall mak~ cl~ar d~signatidns regardin~
who may. authorize access to thei~ computer systems.
•   The Intelligence Community shall elevate and formalize the·
priority for enhanced collection and analysis of information
on the foreign cyber/information warfare threat to our
critical infrastructure.
•   The Federal Bureau of Investigation, the Secret Service and
other appropriate agencies shall:
(1) vigorously recruit
undergraduate and graduate students with the relevant
computer-rela.ted technical skills for full-time employment as
well as for part-time work with r~gional computer crime
squads; and (2) facilitate the hiring and retention of
qualified personnel for technical analysis and investigation
involving cyber attacks.
•   The Department of Transportation, in consultation with the
Department of Defense, shall undertake a thorough evaluation
of the vulnerability of the national transportation
infrastructure that· relies on the Global Positioning System.
This evaluation shall include sponsoring an independent,
integrated assessment of risks to· civilian users of GPS-based
.systems,   with a view to basing decisions.on the ultimate 

architecture of the modernized NAS on these evaluations. 

•   The Federal Aviation Administration shall develop and
implement a comprehensive National Airspace System Security
Program to protect the modernized NAS from information-based
and other disruptions and attacks.
•   GSA shall identify large procurements (such as the new Federal
Telecommunications System, FTS 2000) reiated to' infrastructure
assurance, study whether the procurement process reflects the
importance of infrastructure protection and propose, if
necessary, revisions to th~ overall procurement process to do
so.

FOR OFFICIAL USE ONLY 


 FOR

O~FICIAL

USE ONLY  

.18

•   OMB shall dir.-ectfederal agencies to include assigned
infrastructure assurance functionswi.thin their Governme.nt
Performance and Results Ad:: strategic planning and performance
measure~ent
framework.
,
• _The   NSA, in accordanc~ with its National Manager
responsibilities in NSD-42, shall provide assessments
.encompassing examinations of U.S. Government systems to
interception and expl6itation; di~seminate threat and
vulnerability information; establish'st~ndardsi conduct
research -and development; and conduct issue. security product
evaluations.
Assisting the Private Sector
Iri~6±der to assist the private_sec~or in achieving and

maintaining infrastructure security:
• -The National Coordinator and the National Jnfrastructure
Assurance Countil shall propose and dev~lop ~ays to~ncourage
private industr~ to perform periodic risk assessm~~ts ~f
critic~lprocesses, including information and
te-Iecoinmunications' systems.
•   The Department of Commerce and the Department of Defense 'shall
worktogetl1er, . in coordination with the private sector,' to
. offer their expertise to private owners and ot,)erators ·of 

critical infrast±ucture to develop security-related best 

practice standards. 

•   The Department of Justice and Department .of the Treasury shall
sponsor a -comprehensive study compiling! demographics of
compute"r crime, comparing state approaches to computer crime
and developing ways to deterring and responding to.computer
crime by juveniles .

~~
.

.

­

FOR OFFICIAL USE ONLY

PHOTOCOPY
WJC HANDWRmNG