THE WHITE HOUSE
Office of the Press Secretary

For Immediate Release
February 12, 2013

February 12, 2013

PRESIDENTIAL POLICY DIRECTIVE/PPD-21

SUBJECT: Critical Infrastructure Security and Resilience

The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience advances a national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure.

Introduction

The Nation's critical infrastructure provides the essential services that underpin American society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure – including assets, networks, and systems – that are vital to public confidence and the Nation's safety, prosperity, and wellbeing.

The Nation's critical infrastructure is diverse and complex. It includes distributed networks, varied organizational structures and operating models (including multinational ownership), interdependent functions and systems in both the physical space and cyberspace, and governance constructs that involve multilevel authorities, responsibilities, and regulations. Critical infrastructure owners and operators are uniquely positioned to manage risks to their individual operations and assets, and to determine effective strategies to make them more secure and resilient.

Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards. Achieving this will require integration with the national preparedness system across prevention, protection, mitigation, response, and recovery.

This directive establishes national policy on critical infrastructure security and resilience. This endeavor is a shared responsibility among the Federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure (herein referred to as "critical infrastructure owners and operators"). This directive also refines and clarifies the critical infrastructure-related
functions, roles, and responsibilities across the Federal Government, as well as enhances overall coordination and collaboration. The Federal Government also has a responsibility to strengthen the security and resilience of its own critical infrastructure, for the continuity of national essential functions, and to organize itself to partner effectively with and add value to the security and resilience efforts of critical infrastructure owners and operators.

Policy

It is the policy of the United States to strengthen the security and resilience of its critical infrastructure against both physical and cyber threats. The Federal Government shall work with critical infrastructure owners and operators and SLTT entities to take proactive steps to manage risk and strengthen the security and resilience of the Nation's critical infrastructure, considering all hazards that could have a debilitating impact on national security, economic stability, public health and safety, or any combination thereof. These efforts shall seek to reduce vulnerabilities, minimize consequences, identify and disrupt threats, and hasten response and recovery efforts related to critical infrastructure.

The Federal Government shall also engage with international partners to strengthen the security and resilience of domestic critical infrastructure and critical infrastructure located outside of the United States on which the Nation depends.

U.S. efforts shall address the security and resilience of critical infrastructure in an integrated, holistic manner to reflect this infrastructure's interconnectedness and interdependency. This directive also identifies energy and communications systems as uniquely critical due to the enabling functions they provide across all critical infrastructure sectors.

Three strategic imperatives shall drive the Federal approach to strengthen critical infrastructure security and resilience:

1) Refine and clarify functional relationships across the Federal Government to advance the national unity
of effort to strengthen critical infrastructure security and resilience;
2) Enable effective information exchange by identifying baseline data and systems requirements for the Federal Government; and
3) Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure.

All Federal department and agency heads are responsible for the identification, prioritization, assessment, remediation, and security of their respective internal critical infrastructure that supports primary mission essential functions. Such infrastructure shall be addressed in the plans and execution of the requirements in the National Continuity Policy.

Federal departments and agencies shall implement this directive in a manner consistent with applicable law, Presidential directives, and Federal regulations, including those protecting privacy, civil rights, and civil liberties. In addition, Federal departments and agencies shall protect all information associated with carrying out this directive consistent with applicable legal authorities and policies.

Roles and Responsibilities

Effective implementation of this directive requires a national unity of effort pursuant to strategic guidance from the Secretary of Homeland Security. That national effort must include expertise and day-to-day engagement from the Sector-Specific Agencies (SSAs) as well as the specialized or support capabilities from other Federal departments and agencies, and strong collaboration with critical infrastructure owners and operators and SLTT entities. Although the roles and responsibilities identified in this directive are directed at Federal departments and agencies, effective partnerships with critical infrastructure owners and operators and SLTT entities are imperative to strengthen the security and resilience of the Nation's critical infrastructure.

Secretary of Homeland Security

The Secretary of Homeland Security shall provide strategic guidance, promote a national unity of effort, and
coordinate the overall Federal effort to promote the security and resilience of the Nation's critical infrastructure. In carrying out the responsibilities assigned in the Homeland Security Act of 2002, as amended, the Secretary of Homeland Security evaluates national capabilities, opportunities, and challenges in protecting critical infrastructure; analyzes threats to, vulnerabilities of, and potential consequences from all hazards on critical infrastructure; identifies security and resilience functions that are necessary for effective public-private engagement with all critical infrastructure sectors; develops a national plan and metrics, in coordination with SSAs and other critical infrastructure partners; integrates and coordinates Federal cross-sector security and resilience activities; identifies and analyzes key interdependencies among critical infrastructure sectors; and reports on the effectiveness of national efforts to strengthen the Nation's security and resilience posture for critical infrastructure.

Additional roles and responsibilities for the Secretary of Homeland Security include:

1) Identify and prioritize critical infrastructure, considering physical and cyber threats, vulnerabilities, and consequences, in coordination with SSAs and other Federal departments and agencies;
2) Maintain national critical infrastructure centers that shall provide a situational awareness capability that includes integrated, actionable information about emerging trends, imminent threats, and the status of incidents that may impact critical infrastructure;
3) In coordination with SSAs and other Federal departments and agencies, provide analysis, expertise, and other technical assistance to critical infrastructure owners and operators and facilitate access to and exchange of information and intelligence necessary to strengthen the security and resilience of critical infrastructure;
4) Conduct comprehensive assessments of the vulnerabilities of the Nation's critical infrastructure in coordination with the
SSAs and in collaboration with SLTT entities and critical infrastructure owners and operators;
5) Coordinate Federal Government responses to significant cyber or physical incidents affecting critical infrastructure consistent with statutory authorities;
6) Support the Attorney General and law enforcement agencies with their responsibilities to investigate and prosecute threats to and attacks against critical infrastructure;
7) Coordinate with and utilize the expertise of SSAs and other appropriate Federal departments and agencies to map geospatially, image, analyze, and sort critical infrastructure by employing commercial satellite and airborne systems, as well as existing capabilities within other departments and agencies; and
8) Report annually on the status of national critical infrastructure efforts as required by statute.

Sector-Specific Agencies

Each critical infrastructure sector has unique characteristics, operating models, and risk profiles that benefit from an identified Sector-Specific Agency that has institutional knowledge and specialized expertise about the sector. Recognizing existing statutory or regulatory authorities of specific Federal departments and agencies, and leveraging existing sector familiarity and relationships, SSAs shall carry out the following roles and responsibilities for their respective sectors:

1) As part of the broader national effort to strengthen the security and resilience of critical infrastructure, coordinate with the Department of Homeland Security (DHS) and other relevant Federal departments and agencies and collaborate with critical infrastructure owners and operators, where appropriate with independent regulatory agencies, and with SLTT entities, as appropriate, to implement this directive;
2) Serve as a day-to-day Federal interface for the dynamic prioritization and coordination of sector-specific activities;
3) Carry out incident management responsibilities consistent with statutory authority and other appropriate policies, directives, or
regulations;
4) Provide, support, or facilitate technical assistance and consultations for that sector to identify vulnerabilities and help mitigate incidents, as appropriate; and
5) Support the Secretary of Homeland Security's statutorily required reporting requirements by providing, on an annual basis, sector-specific critical infrastructure information.

Additional Federal Responsibilities

The following departments and agencies have specialized or support functions related to critical infrastructure security and resilience that shall be carried out by, or along with, other Federal departments and agencies and independent regulatory agencies, as appropriate.

1) The Department of State, in coordination with DHS, SSAs, and other Federal departments and agencies, shall engage foreign governments and international organizations to strengthen the security and resilience of critical infrastructure located outside the United States and to facilitate the overall exchange of best practices and lessons learned for promoting the security and resilience of critical infrastructure on which the Nation depends.

2) The Department of Justice (DOJ), including the Federal Bureau of Investigation (FBI), shall lead counterterrorism and counterintelligence investigations and related law enforcement activities across the critical infrastructure sectors. DOJ shall investigate, disrupt, prosecute, and otherwise reduce foreign intelligence, terrorist, and other threats to, and actual or attempted attacks on, or sabotage of, the Nation's critical infrastructure. The FBI also conducts domestic collection, analysis, and dissemination of cyber threat information, and shall be responsible for the operation of the National Cyber Investigative Joint Task Force (NCIJTF). The NCIJTF serves as a multi-agency national focal point for coordinating, integrating, and sharing pertinent information related to cyber threat investigations, with representation from DHS, the Intelligence Community (IC), the Department of Defense (DOD), and other agencies as
appropriate. The Attorney General and the Secretary of Homeland Security shall collaborate to carry out their respective critical infrastructure missions.

3) The Department of the Interior, in collaboration with the SSA for the Government Facilities Sector, shall identify, prioritize, and coordinate the security and resilience efforts for national monuments and icons and incorporate measures to reduce risk to these critical assets, while also promoting their use and enjoyment.

4) The Department of Commerce (DOC), in collaboration with DHS and other relevant Federal departments and agencies, shall engage private sector, research, academic, and government organizations to improve security for technology and tools related to cyber-based systems, and promote the development of other efforts related to critical infrastructure to enable the timely availability of industrial products, materials, and services to meet homeland security requirements.

5) The IC, led by the Director of National Intelligence (DNI), shall use applicable authorities and coordination mechanisms to provide, as appropriate, intelligence assessments regarding threats to critical infrastructure and coordinate on intelligence and other sensitive or proprietary information related to critical infrastructure. In addition, information security policies, directives, standards, and guidelines for safeguarding national security systems shall be overseen as directed by the President, applicable law, and in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over such national security systems.

6) The General Services Administration, in consultation with DOD, DHS, and other departments and agencies as appropriate, shall provide or support government-wide contracts for critical infrastructure systems and ensure that such contracts include audit rights for the security and resilience of critical infrastructure.

7) The Nuclear Regulatory Commission (NRC) is to oversee its licensees'
protection of commercial nuclear power reactors and non-power nuclear reactors used for research, testing, and training; nuclear materials in medical, industrial, and academic settings, and facilities that fabricate nuclear fuel; and the transportation, storage, and disposal of nuclear materials and waste. The NRC is to collaborate, to the extent possible, with DHS, DOJ, the Department of Energy, the Environmental Protection Agency, and other Federal departments and agencies, as appropriate, on strengthening critical infrastructure security and resilience.

8) The Federal Communications Commission, to the extent permitted by law, is to exercise its authority and expertise to partner with DHS and the Department of State, as well as other Federal departments and agencies and SSAs as appropriate, on: (1) identifying and prioritizing communications infrastructure; (2) identifying communications sector vulnerabilities and working with industry and other stakeholders to address those vulnerabilities; and (3) working with stakeholders, including industry, and engaging foreign governments and international organizations to increase the security and resilience of critical infrastructure within the communications sector and facilitating the development and implementation of best practices promoting the security and resilience of critical communications infrastructure on which the Nation depends.

9) Federal departments and agencies shall provide timely information to the Secretary of Homeland Security and the national critical infrastructure centers necessary to support cross-sector analysis and inform the situational awareness capability for critical infrastructure.

Three Strategic Imperatives

1) Refine and Clarify Functional Relationships across the Federal Government to Advance the National Unity of Effort to Strengthen Critical Infrastructure Security and Resilience

An effective national effort to strengthen critical infrastructure security and resilience must be guided by a national plan that identifies
roles and responsibilities and is informed by the expertise, experience, capabilities, and responsibilities of the SSAs, other Federal departments and agencies with critical infrastructure roles, SLTT entities, and critical infrastructure owners and operators.

During the past decade, new programs and initiatives have been established to address specific infrastructure issues, and priorities have shifted and expanded. As a result, Federal functions related to critical infrastructure security and resilience shall be clarified and refined to establish baseline capabilities that will reflect this evolution of knowledge, to define relevant Federal program functions, and to facilitate collaboration and information exchange between and among the Federal Government, critical infrastructure owners and operators, and SLTT entities.

As part of this refined structure, there shall be two national critical infrastructure centers operated by DHS – one for physical infrastructure and another for cyber infrastructure. They shall function in an integrated manner and serve as focal points for critical infrastructure partners to obtain situational awareness and integrated, actionable information to protect the physical and cyber aspects of critical infrastructure. Just as the physical and cyber elements of critical infrastructure are inextricably linked, so are the vulnerabilities. Accordingly, an integration and analysis function (further developed in Strategic Imperative 3) shall be implemented between these two national centers.

The success of these national centers, including the integration and analysis function, is dependent on the quality and timeliness of the information and intelligence they receive from the SSAs and other Federal departments and agencies, as well as from critical infrastructure owners and operators and SLTT entities.

These national centers shall not impede the ability of the heads of Federal departments and agencies to carry out or perform their responsibilities for national defense,
criminal, counterintelligence, counterterrorism, or investigative activities.

2) Enable Efficient Information Exchange by Identifying Baseline Data and Systems Requirements for the Federal Government

A secure, functioning, and resilient critical infrastructure requires the efficient exchange of information, including intelligence, between all levels of governments and critical infrastructure owners and operators. This must facilitate the timely exchange of threat and vulnerability information as well as information that allows for the development of a situational awareness capability during incidents. The goal is to enable efficient information exchange through the identification of requirements for data and information formats and accessibility, system interoperability, and redundant systems and alternate capabilities should there be a disruption in the primary systems.

Greater information sharing within the government and with the private sector can and must be done while respecting privacy and civil liberties. Federal departments and agencies shall ensure that all existing privacy principles, policies, and procedures are implemented consistent with applicable law and policy and shall include senior agency officials for privacy in their efforts to govern and oversee information sharing properly.

3) Implement an Integration and Analysis Function to Inform Planning and Operational Decisions Regarding Critical Infrastructure

The third strategic imperative builds on the first two and calls for the implementation of an integration and analysis function for critical infrastructure that includes operational and strategic analysis on incidents, threats, and emerging risks. It shall reside at the intersection of the two national centers as identified in Strategic Imperative 1, and it shall include the capability to collate, assess, and integrate vulnerability and consequence information with threat streams and hazard information to:

a. Aid in prioritizing assets and managing risks to critical
infrastructure;
b. Anticipate interdependencies and cascading impacts;
c. Recommend security and resilience measures for critical infrastructure prior to, during, and after an event or incident; and
d. Support incident management and restoration efforts related to critical infrastructure.

This function shall not replicate the analysis function of the IC or the National Counterterrorism Center, nor shall it involve intelligence collection activities. The IC, DOD, DOJ, DHS, and other Federal departments and agencies with relevant intelligence or information shall, however, inform this integration and analysis capability regarding the Nation's critical infrastructure by providing relevant, timely, and appropriate information to the national centers. This function shall also use information and intelligence provided by other critical infrastructure partners, including SLTT and nongovernmental analytic entities.

Finally, this integration and analysis function shall support DHS's ability to maintain and share, as a common Federal service, a near real-time situational awareness capability for critical infrastructure that includes actionable information about imminent threats, significant trends, and awareness of incidents that may affect critical infrastructure.

Innovation and Research and Development

The Secretary of Homeland Security, in coordination with the Office of Science and Technology Policy (OSTP), the SSAs, DOC, and other Federal departments and agencies, shall provide input to align those Federal and Federally-funded research and development (R&D) activities that seek to strengthen the security and resilience of the Nation's critical infrastructure, including:

1) Promoting R&D to enable the secure and resilient design and construction of critical infrastructure and more secure accompanying cyber technology;
2) Enhancing modeling capabilities to determine potential impacts on critical infrastructure of an incident or threat scenario, as well as cascading effects on other sectors;
3) Facilitating
initiatives to incentivize cybersecurity investments and the adoption of critical infrastructure design features that strengthen all-hazards security and resilience; and
4) Prioritizing efforts to support the strategic guidance issued by the Secretary of Homeland Security.

Implementation of the Directive

The Secretary of Homeland Security shall take the following actions as part of the implementation of this directive.

1) Critical Infrastructure Security and Resilience Functional Relationships. Within 120 days of the date of this directive, the Secretary of Homeland Security shall develop a description of the functional relationships within DHS and across the Federal Government related to critical infrastructure security and resilience. It should include the roles and functions of the two national critical infrastructure centers and a discussion of the analysis and integration function. When complete, it should serve as a roadmap for critical infrastructure owners and operators and SLTT entities to navigate the Federal Government's functions and primary points of contact assigned to those functions for critical infrastructure security and resilience against both physical and cyber threats. The Secretary shall coordinate this effort with the SSAs and other relevant Federal departments and agencies. The Secretary shall provide the description to the President through the Assistant to the President for Homeland Security and Counterterrorism.

2) Evaluation of the Existing Public-Private Partnership Model. Within 150 days of the date of this directive, the Secretary of Homeland Security, in coordination with the SSAs, other relevant Federal departments and agencies, SLTT entities, and critical infrastructure owners and operators, shall conduct an analysis of the existing public-private partnership model and recommend options for improving the effectiveness of the partnership in both the physical and cyber space. The evaluation shall consider options to streamline processes for collaboration
and exchange of information and to minimize duplication of effort. Furthermore, the analysis shall consider how the model can be flexible and adaptable to meet the unique needs of individual sectors while providing a focused, disciplined, and effective approach for the Federal Government to coordinate with the critical infrastructure owners and operators and with SLTT governments. The evaluation shall result in recommendations to enhance partnerships to be approved for implementation through the processes established in the Organization of the National Security Council System directive.

3) Identification of Baseline Data and Systems Requirements for the Federal Government to Enable Efficient Information Exchange. Within 180 days of the date of this directive, the Secretary of Homeland Security, in coordination with the SSAs and other Federal departments and agencies, shall convene a team of experts to identify baseline data and systems requirements to enable the efficient exchange of information and intelligence relevant to strengthening the security and resilience of critical infrastructure. The experts should include representatives from those entities that routinely possess information important to critical infrastructure security and resilience; those that determine and manage information technology systems used to exchange information; and those responsible for the security of information being exchanged. Interoperability with critical infrastructure partners; identification of key data and the information requirements of key Federal, SLTT, and private sector entities; availability, accessibility, and formats of data; the ability to exchange various classifications of information; and the security of those systems to be used; and appropriate protections for individual privacy and civil liberties should be included in the analysis. The analysis should result in baseline requirements for sharing of data and interoperability of systems to enable the timely exchange of data and
information to secure critical infrastructure and make it more resilient. The Secretary shall provide that analysis to the President through the Assistant to the President for Homeland Security and Counterterrorism.

4) Development of a Situational Awareness Capability for Critical Infrastructure. Within 240 days of the date of this directive, the Secretary of Homeland Security shall demonstrate a near real-time situational awareness capability for critical infrastructure that includes threat streams and all-hazards information as well as vulnerabilities; provides the status of critical infrastructure and potential cascading effects; supports decision making; and disseminates critical information that may be needed to save or sustain lives, mitigate damage, or reduce further degradation of a critical infrastructure capability throughout an incident. This capability should be available for and cover physical and cyber elements of critical infrastructure, and enable an integration of information as necessitated by the incident.

5) Update to National Infrastructure Protection Plan. Within 240 days of the date of this directive, the Secretary of Homeland Security shall provide to the President, through the Assistant to the President for Homeland Security and Counterterrorism, a successor to the National Infrastructure Protection Plan to address the implementation of this directive, the requirements of Title II of the Homeland Security Act of 2002 as amended, and alignment with the National Preparedness Goal and System required by PPD-8. The plan shall include the identification of a risk management framework to be used to strengthen the security and resilience of critical infrastructure; the methods to be used to prioritize critical infrastructure; the protocols to be used to synchronize communication and actions within the Federal Government; and a metrics and analysis process to be used to measure the Nation's ability to manage and reduce risks to critical infrastructure. The updated plan
shall also reflect the identified functional relationships within DHS and across the Federal Government and the updates to the public-private partnership model. Finally, the plan should consider sector dependencies on energy and communications systems, and identify pre-event and mitigation measures or alternate capabilities during disruptions to those systems. The Secretary shall coordinate this effort with the SSAs, other relevant Federal departments and agencies, SLTT entities, and critical infrastructure owners and operators.

6) National Critical Infrastructure Security and Resilience R&D Plan. Within 2 years of the date of this directive, the Secretary of Homeland Security, in coordination with the OSTP, the SSAs, DOC, and other Federal departments and agencies, shall provide to the President, through the Assistant to the President for Homeland Security and Counterterrorism, a National Critical Infrastructure Security and Resilience R&D Plan that takes into account the evolving threat landscape, annual metrics, and other relevant information to identify priorities and guide R&D requirements and investments. The plan should be issued every 4 years after its initial delivery, with interim updates as needed.

Policy coordination, dispute resolution, and periodic in-progress reviews for the implementation of this directive shall be carried out consistent with PPD-1, including the use of Interagency Policy Committees coordinated by the National Security Staff.

Nothing in this directive alters, supersedes, or impedes the authorities of Federal departments and agencies, including independent regulatory agencies, to carry out their functions and duties consistent with applicable legal authorities and other Presidential guidance and directives, including, but not limited to, the designation of critical infrastructure under such authorities.

This directive revokes Homeland Security Presidential Directive/HSPD-7, Critical Infrastructure Identification, Prioritization, and Protection, issued December 17, 2003.
Plans developed pursuant to HSPD-7 shall remain in effect until specifically revoked or superseded.

Designated Critical Infrastructure Sectors and Sector-Specific Agencies

This directive identifies 16 critical infrastructure sectors and designates associated Federal SSAs. In some cases co-SSAs are designated where those departments share the roles and responsibilities of the SSA. The Secretary of Homeland Security shall periodically evaluate the need for and approve changes to critical infrastructure sectors and shall consult with the Assistant to the President for Homeland Security and Counterterrorism before changing a critical infrastructure sector or a designated SSA for that sector. The sectors and SSAs are as follows:

Chemical:
    Sector-Specific Agency: Department of Homeland Security

Commercial Facilities:
    Sector-Specific Agency: Department of Homeland Security

Communications:
    Sector-Specific Agency: Department of Homeland Security

Critical Manufacturing:
    Sector-Specific Agency: Department of Homeland Security

Dams:
    Sector-Specific Agency: Department of Homeland Security

Defense Industrial Base:
    Sector-Specific Agency: Department of Defense

Emergency Services:
    Sector-Specific Agency: Department of Homeland Security

Energy:
    Sector-Specific Agency: Department of Energy

Financial Services:
    Sector-Specific Agency: Department of the Treasury

Food and Agriculture:
    Co-Sector-Specific Agencies: U.S. Department of Agriculture and Department of Health and Human Services

Government Facilities:
    Co-Sector-Specific Agencies: Department of Homeland Security and General Services Administration

Healthcare and Public Health:
    Sector-Specific Agency: Department of Health and Human Services

Information Technology:
    Sector-Specific Agency: Department of Homeland Security

Nuclear Reactors, Materials, and Waste:
    Sector-Specific Agency: Department of Homeland Security

Transportation Systems:
    Co-Sector-Specific Agencies: Department of Homeland Security and Department of Transportation

Water and Wastewater Systems:
    Sector-Specific Agency: Environmental Protection Agency

Definitions

For purposes of this directive:

The term "all hazards" means a threat or an incident, natural or manmade, that warrants action to protect life, property, the environment, and public health or safety, and to minimize disruptions of government, social, or economic activities. It includes natural disasters, cyber incidents, industrial accidents, pandemics, acts of terrorism, sabotage, and destructive criminal activity targeting critical infrastructure.

The term "collaboration" means the process of working together to achieve shared goals.

The terms "coordinate" and "in coordination with" mean a consensus decision-making process in which the named coordinating department or agency is responsible for working with the affected departments and agencies to achieve consensus and a consistent course of action.

The term "critical infrastructure" has the meaning provided in section 1016(e) of the USA Patriot Act of 2001 (42 U.S.C. 5195c(e)), namely systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The term "Federal departments and agencies" means any authority of the United States that is an "agency" under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

The term "national essential functions" means that subset of Government functions that are necessary to lead and sustain the Nation during a catastrophic emergency.

The term "primary mission essential functions" means those Government functions that must be performed in order to support or implement the performance of the national essential functions before, during, and in the aftermath of an emergency.

The term "national security systems" has the meaning given to it in the Federal Information Security Management Act
of 2002 (44 U.S.C. 3542(b)).

The term "resilience" means the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.

The term "Sector-Specific Agency" (SSA) means the Federal department or agency designated under this directive to be responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating, or supporting the security and resilience programs and associated activities of its designated critical infrastructure sector in the all-hazards environment.

The terms "secure" and "security" refer to reducing the risk to critical infrastructure by physical means or defense cyber measures to intrusions, attacks, or the effects of natural or manmade disasters.

# # #