NH-ISAC ADVISORY 201.13 NATIONAL CRITICAL INFRASTRUCTURE RESILIENCE ANALYSIS REPORT




National Health ISAC (NH-ISAC)
Global Institute for Cybersecurity + Research - Global Situational Awareness Center
NASA Space Life Sciences Laboratory, Kennedy Space Center, FL

NH-ISAC ADVISORY 201.13
NATIONAL CRITICAL INFRASTRUCTURE RESILIENCE ANALYSIS REPORT

Federal Cybersecurity Action 2009 to Present
National Critical Infrastructure Information Sharing & Analysis Centers (ISACs)
National Healthcare & Public Health Cybersecurity Resilience

Date: February 23, 2013
To: NH-ISAC Members
    National Health Sector Coordinating Council (SCC)
    National Healthcare & Public Health Critical Infrastructure Owners + Operators
Title: National Critical Infrastructure Resilience

Introduction

The federal government's cybersecurity role includes both securing federal systems and assisting in protecting non-federal systems. Identified federal agencies, known as sector-specific agencies, have responsibilities for protection of their respective national critical infrastructure by writing a protection plan (annexes to the National Infrastructure Protection Plan).

The over-arching "consultative process" referenced in the February 12, 2013 Presidential Executive Order 13636 and Presidential Policy Directive PPD-21 encompasses: Federal Sector-Specific Agencies (SSAs) working in concert with the Critical Infrastructure Partnership Advisory Council; Sector Coordinating Councils (Government Coordinating Councils and private sector coordinating councils); critical infrastructure owners and operators (private-sector CI leadership and each critical infrastructure's recognized private sector-led Information Sharing & Analysis Center, ISAC); other relevant agencies; State, local, territorial and tribal governments, universities and outside experts.

With close to 90% of the nation's critical infrastructures owned and operated by the private sector, critical infrastructure owners and operators and their respective private sector-led ISAC, as the operational and tactical arm, have a leadership responsibility and leading "defining voice" to enable national cybersecurity critical infrastructure protection, working in collaboration with government.

National Health ISAC (NH-ISAC) February 2013. All Rights Reserved. 1

There are 50+ statutes currently addressing cybersecurity either directly or indirectly, but there is no comprehensive cybersecurity framework legislation that encompasses how the government assists the private sector with national cybersecurity critical infrastructure protection efforts, including information sharing with the required privacy and civil liberties protections.

The following report provides an overview of cybersecurity Presidential and Congressional Actions from March 2009 to present, the nation's private sector-led Information Sharing & Analysis Centers (ISACs) infrastructure, National Healthcare & Public Health Cybersecurity Resilience (an initiative led by the healthcare and public health sector in collaboration with government, see below), and an analysis of Presidential Executive Order 13636 and Presidential Policy Directive (PPD-21).

National Healthcare and Public Health Cybersecurity Response System (HPH-CRS)
National Healthcare and Public Health Cybersecurity First Responder (HPH-CFR) Program (Annual Training/Certification)
National Healthcare and Public Health Cybersecurity Education Framework (HPH-CEF)

FEDERAL CYBERSECURITY ACTION 2009 TO PRESENT

Overview: 2009 - 2012

March 2009 - President Obama released the Cyberspace Policy Review declaring the Nation's digital infrastructures (cyberspace) as a key strategic national asset and national security priority. (http://www.whitehouse.gov/assets/documents/cyberspace_policy_review_final.pdf)

The President's Cyberspace Policy Review identified ten (10) near-term actions to support the cybersecurity strategy:

1. Appoint a cybersecurity policy official responsible for coordinating the Nation's cybersecurity policies and activities.
2. Prepare for the President's approval an updated strategy to secure the information and communications infrastructure.
3. Designate cybersecurity as one of the President's key management priorities and establish performance metrics.
4. Designate a privacy and civil liberties official to the NSC Cybersecurity Directorate.
5. Conduct interagency-cleared legal analyses of priority cybersecurity-related issues.
6. Initiate a national awareness and education campaign to promote cybersecurity.
7. Develop an international cybersecurity policy framework and strengthen our international partnerships.
8. Prepare a cybersecurity incident response plan and initiate a dialog to enhance public-private partnerships.
9. Develop a framework for research and development strategies that focus on game-changing technologies that have the potential to enhance the security, reliability, resilience and trustworthiness of digital infrastructure.
10. Build a cybersecurity-based identity management vision and strategy, leveraging privacy-enhancing technologies for the nation.

Key Documents

Some of the key documents guiding efforts include:
    Draft National Strategy for Trusted Identities in Cyberspace
    The Comprehensive National Cybersecurity Initiative
    International Strategy for Cyberspace
    The Cyberspace Policy Review
    The Cyberspace Policy Review - Supporting Documents
    The National Initiative for Cybersecurity Education (NICE)
    NIST - National Initiative for Cybersecurity Education (NICE)
    Cybersecurity R&D

March 2011 - The President issued Presidential Policy Directive PPD-8 on National Preparedness to strengthen the security and resilience of the United States by implementing a national preparedness system identifying and supporting core preparedness capabilities: Prevention, Protection, Mitigation, Response and Recovery.

Presidential Policy Directive - A Presidential Policy Directive is a form of an executive order issued by the President of the United States with the advice and consent of the National Security Council. The National Security Council (NSC) is the principal forum for Presidential consideration of foreign policy issues and national security matters. Pursuant to policy review directives, the NSC gathers facts and views of appropriate Government agencies, conducts analyses, determines alternatives and presents policy choices to the President for decision. The President's decisions are announced by decision directives.

May 12, 2011 - The Obama Administration transmitted a cybersecurity legislative proposal to Capitol Hill in response to Congress' call for assistance on how best to address national cybersecurity needs.

2011 and 2012 - Unsuccessful legislation includes, but is not limited to:

(S. 3414) The Cybersecurity Act of 2012 - Improve public/private cybersecurity sector risk assessments, infrastructure identification, private sector leading practice adoption, and an incentive-based voluntary cybersecurity program for CI owners and operators.

(H.R. 2096) Cybersecurity Enhancement Act of 2011 - Direct specified federal agencies to develop and update the federal cybersecurity R&D and technical standards strategic plan.

(H.R. 3834) Advancing America's Networking and Information Technology Research and Development Act of 2012 - R&D in networking and information technology, including but not limited to security. Amend the High Performance Computing Act.

(H.R. 4257) Federal Information Security Amendments Act of 2012 - FISMA reform.

(H.R. 3523) Cyber Intelligence Sharing and Protection Act (CISPA) - Information sharing and coordination, including sharing of classified information. Passed by the House, but stalled in the Senate under threat of presidential veto and from grass-roots protests citing the bill as a threat to internet privacy and civil liberties.

(H.R. 6183) Cyber Privacy Fortification Act of 2012 - Amend the federal criminal code to provide criminal penalties for intentional failures to provide required notices of a security breach involving sensitive personally identifiable information (specified electronic or digital information).

(S. 2111) Cyber Crime Protection Security Act - Amend the federal criminal code to make fraud in connection with the unauthorized access of personally identifiable information (in electronic or digital form) a predicate for instituting a prosecution for racketeering.

(S. 3342) Secure IT - Authorize private entities to employ countermeasures and use cybersecurity systems to obtain, identify or possess cyber threat information on their own networks or the networks of another entity with such entity's authorization.

(H.R. 3674) PRECISE Act of 2012 - Promote and Enhance Cybersecurity and Information Sharing Effectiveness, addressing the DHS role in CI protection (risk assessments, technology development, mitigation, awareness/outreach).

Overview: 2013

Presidential Policy Directive PPD-21 and Executive Order 13636 - With legislative failure to successfully pass any effective cybersecurity legislation to support national critical infrastructure protection in 2011 or 2012, on February 12, 2013, the President issued Presidential Policy Directive (PPD-21) on Critical Infrastructure Security and Resilience and Presidential Executive Order 13636. Content and analysis are provided later in this report.

Presidential Executive Order - An official document issued by the President of the United States, the head of the Executive Branch, through which operations of the Federal Government are managed.

The 113th Congress

The 113th Congress was sworn in on January 3, 2013. Provided below is an overview of the Legislative Congressional Cybersecurity Caucus, Committees and current pending cybersecurity legislation.

US House of Representatives Congressional Cybersecurity Caucus
Co-Chairs: Congressman Jim Langevin (RI-D) and Congressman Mike T. McCaul (TX-R)

Congressman Langevin and Congressman McCaul founded the first-ever Congressional Cybersecurity Caucus in September 2008. As Co-Chairs of the CSIS Commission on Cybersecurity for the 44th Presidency, they are actively engaged in identifying challenges and making recommendations for the Administration and providing opportunities for more members of Congress to engage in the discussions. While Congress plays a key role in the future of cybersecurity policy, the overlap of committee jurisdictions can divide the attention and focus of Congress on these issues. Congressmen Langevin and McCaul hope that this caucus will help raise awareness and provide a forum for members representing different committees of jurisdiction to discuss the challenges in securing cyberspace.

House Oversight and Government Reform Committee
Chair: Representative Darrell E. Issa (R-CA-49)
Ranking Member: Representative Elijah Cummings (D-MD-7)
Republican Site: http://oversight.house.gov/

The House Oversight and Government Reform Committee exists to secure two fundamental principles. First, Americans have a right to know that the money Washington takes from them is well spent. And second, Americans deserve an efficient, effective government that works for them. The duty of the Oversight and Government Reform Committee is to protect these rights.

The Committee's solemn responsibility is to hold government accountable to taxpayers. They work in partnership with citizen-watchdogs to deliver the facts to the American people and bring genuine reform to the federal bureaucracy.

The Committee has legislative jurisdiction over the District of Columbia, the government procurement process, federal personnel systems, the postal service and other matters. Its primary responsibility is oversight of virtually everything the government does, from national security to homeland security grants, from federal workforce policies to regulatory reform and reorganization authority, and from information technology procurements at individual agencies to government-wide security standards.

Subcommittees: Federal Workforce; Government Organization; Health Care & D.C.; National Security; Regulatory Affairs; T.A.R.P. & Financial Resources

Democratic Site: http://democrats.oversight.house.gov/

Committee Jurisdiction: The Committee on Oversight and Government Reform is the main investigative committee in the U.S. House of Representatives. It has the authority to investigate the subjects within the Committee's legislative jurisdiction as well as any matter within the jurisdiction of the other standing House committees.

Subcommittees: Federal Workforce / US Postal Service and Labor Policy; Government Organization, Efficiency and Financial Management; Health Care, District of Columbia, Census and the National Archives; National Security, Homeland Defense and Foreign Operations; Regulatory Affairs, Stimulus Oversight and Government Spending; T.A.R.P., Financial Services and Bailouts of Public and Private Programs; Technology, Information Policy, Intergovernmental Relations and Procurement Reform.

Committee on Homeland Security
Republican Site: http://homeland.house.gov
Chair: Representative Michael McCaul (R-TX)

Committee Description (Republican): Established in 2002 to provide Congressional oversight for US DHS and better protect Americans against a possible terrorist attack.

Subcommittees: Border and Maritime Security; Counterterrorism and Intelligence; Cybersecurity, Infrastructure Protection and Security Technologies; Emergency Preparedness, Response and Communications; Oversight and Management Efficiency; Transportation Security

Issues: 9/11 Trials/Guantanamo Detainees; Border Security; Chemical Facility Security; Counterterrorism; Cybersecurity; First Responder Communications; Information Sharing and State and Local Fusion Centers; Maritime Security; Oversight of DHS Management; Passenger and Cargo Aviation Security; Preparedness for and Response to Terrorist Attacks and Natural Disasters; Risk-Based Grant Funding; Surface Transportation Security; Weapons of Mass Destruction

Democratic Site: http://chsdemocrats.house.gov/about/index.asp
Ranking Member: Rep. Bennie G. Thompson (D-MS)

Committee Description (Democratic): Created by the US House of Representatives in 2002 in the aftermath of September 11, 2001 to provide Congressional oversight to US DHS and better protect the American people against a possible terrorist attack.

Subcommittees: Border and Maritime Security; Counterterrorism and Intelligence; Cybersecurity, Infrastructure Protection and Security Technologies; Emergency Preparedness, Response and Communications; Oversight and Management Efficiency; Transportation Security

Issues: Transportation Security; Border and Port Security; Critical Infrastructure Protection, Cybersecurity and Science and Technology; Emergency Preparedness; Emerging Threats; Intelligence and Information Sharing; Investigations; Management and Procurement; Privacy, Civil Rights and Civil Liberties

Homeland Security & Governmental Affairs (HSGAC)
Chairman: Senator Thomas R. Carper
Ranking Member: Senator Tom Coburn

Committee Description: Chief oversight committee of the U.S. Senate. The Committee has 5 subcommittees that examine issues ranging from the federal Civil Service, to the government's financial management, to how government helps communities recover from catastrophes.

Subcommittees: Permanent Subcommittee on Investigations; Oversight of Government Management; Federal Financial Management; Disaster Recovery and Intergovernmental Affairs; Contracting Oversight.

Permanent Select Committee on Intelligence
Chairman: Congressman Mike Rogers
Ranking Member: Congressman Dutch Ruppersberger

Committee Description: The Committee is the House's primary panel responsible for authorizing the funding for and overseeing the execution of the intelligence activities of the US government.

Subcommittees: Oversight; Technical and Tactical Intelligence; Terrorism, HUMINT, Analysis and Counterintelligence

2013 Current Pending Bills

With over 1,381 bills introduced as of February 20, 2013 (the 113th Legislative Session), the bills below represent introduced cybersecurity legislation to date.

(H.R. 624) Cyber Intelligence Sharing and Protection Act (CISPA) - House Intelligence Panel Leaders reintroduced and referred to the House Committee the identical bill (H.R. 3523) from 2012 on February 13, 2013. As of February 20, 2013, the summary for H.R. 624 has not been received. House Permanent Select Committee on Intelligence - CISPA 2013.

(H.R. 756) To Advance Cybersecurity Research, Development and Technical Standards, and for Other Purposes - Bipartisan legislation to improve communication and collaboration between the private sector and the federal government. Introduced to the House and referred to the House Committee on Science, Space and Technology on February 15, 2013.

(S. 21) Cybersecurity and American Cyber Competitiveness Act of 2013 - Introduced January 22, 2013, read twice and referred to the Committee on Homeland Security and Governmental Affairs. Calls for enactment of bipartisan legislation to improve communication and collaboration between the private sector and the federal government to secure the US against cyber attack, enhance the competitiveness of the US and create jobs in the information technology industry, and protect the identities and sensitive information of US citizens and businesses.

(H.Res. 57) - The summary for House Resolution 57, "Expressing the sense of the House of Representatives that in order to continue aggressive growth in the Nation's telecommunications and technology industries, the United States government should 'Get Out of the Way and Stay out of the Way'", has not been received as of February 20, 2013.

(H.R. 86) Cybersecurity Education Enhancement Act of 2013 - Referred to the Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies on February 12, 2013. Directs the Secretary of Homeland Security to establish, in conjunction with the National Science Foundation, a program to award grants to institutions of higher education for cybersecurity professional development programs, associate cybersecurity degree programs, and the purchase of equipment to provide training in cybersecurity for professional development of degree programs.

Moving Forward

Implementation of capabilities to move from a reactive to a national proactive cybersecurity stance requires not only effective legislation supporting private sector-defined implementation of security standards and protection policies, but also continually assessing our current environments across all critical infrastructures for sector and cross-sector threat and vulnerability impacts. This includes two-way security intelligence information sharing, countermeasure solutions, incident response, leading practice and education.

Being ever vigilant, looking and moving forward, working together in a trusted public and private sector collaborative partnership is paramount.

NATIONAL HEALTHCARE & PUBLIC HEALTH CYBERSECURITY RESILIENCE

National Healthcare and Public Health Cybersecurity Response System (HPH-CRS)
National Healthcare and Public Health Cybersecurity First Responder Program (HPH-CFR)
National Healthcare and Public Health Cybersecurity Education Framework (HPH-CEF)

The nation's healthcare and public health critical infrastructure (CI) has moved forward to build a trusted collaborative partnership uniting health sector CI owners and operators with other national critical infrastructures and organizations supporting the health sector. Led by the health sector, this is accomplished in collaboration and cooperation with the National Council of ISACs, representing all national critical infrastructures, the Health Sector Coordinating Council (SCC), and government (HHS, DHS, NIST, and state, local, tribal and territorial governments).

Enabling National Healthcare and Public Health Critical Infrastructure Resilience

To enable National Healthcare and Public Health Critical Infrastructure resilience, led by the nation's healthcare and public health sector in cooperation with government, the National Health ISAC (NH-ISAC) leads development and implementation of:

The National Healthcare and Public Health Cybersecurity Response System (HPH-CRS)

HPH-CRS represents a nationwide all-hazards cybersecurity incident response system supporting prevention, protection, mitigation, response and recovery. It is coordinated within the nation's health sector, across other critical infrastructures, and aligned to state, local, tribal and territorial (SLTT) emergency operations and federal Emergency Support Functions (ESFs).

HPH-CRS is supported via a public/private partnership from NH-ISAC headquarters at the Global Institute for Cybersecurity + Research, Global Situational Awareness Center, NASA/Kennedy Space Center.

National healthcare and public health cybersecurity response incorporates NH-ISAC 24/7 physical and cyber (all-hazards) security situational awareness intelligence, two-way information sharing, countermeasure solutions, incident response, leading practice and education in a collaborative partnership with the National Council of ISACs, US Department of Homeland Security, Intelligence Agencies, NIST, HHS, and supporting technology and security organizations.

HPH-CRS includes implementation of the National Healthcare & Public Health Cyber First Responder (HPH-CFR) Program. Health sector CI owners and operators and organizations supporting the health sector are designating individuals to be annually trained and certified as National HPH Cybersecurity First Responders (HPH-CFR).

The National Healthcare and Public Health Cybersecurity Council has been established. It is comprised of nationwide healthcare and public health stakeholders to lead HPH-CRS implementation. State-level briefing workshops are being held across the nation.

National HPH Cybersecurity Education Program (HPH-CEF)

A pillar of the system is implementation of the National Healthcare and Public Health Cybersecurity Education Program. Leveraging the NIST National Initiative for Cybersecurity Education (NICE) Framework as the foundational baseline, health sector-specific role-based cybersecurity functions, responsibilities, tasks, competencies and job descriptions are being defined and supported by education, training and certification programs.

Global Institute for Cybersecurity + Research (GICSR) and NASA/Kennedy Space Center Center for Life Cycle Design (CfLCD)

Headquartered at the GICSR Global Situational Awareness Center at Kennedy Space Center, NH-ISAC works in partnership with GICSR to address security issues and challenges via their collaborative partnership with NASA's Center for Lifecycle Design (CfLCD). NASA's Center for Lifecycle Design (CfLCD) advances expanding and strengthening secure design and development concepts/tools, leverages modeling and simulation of critical infrastructure high-risk, safety-critical, cybersecurity systems, and supports education and experiential learning initiatives.

The National Health ISAC (NH-ISAC)

The NH-ISAC is the nation's healthcare and public health critical infrastructure Information Sharing & Analysis Center. NH-ISAC, private sector-led and a non-profit organization, is recognized, as are all critical infrastructures' ISACs, by their respective Federal Sector-Specific Agency (SSA), Sector Coordinating Council (SCC), Intelligence Agencies, National Council of ISACs, and Critical Infrastructure Owners and Operators.

The National Council of ISACs (NCI Directorate)

The NCI Directorate is comprised of member representatives of all national critical infrastructure ISACs. NCI's mission is to advance the physical and cybersecurity of the critical infrastructures of North America by establishing and maintaining a forum and framework for valuable interaction between and among the ISACs, supporting sector and cross-sector intelligence, and working in collaboration with governments, representing national critical infrastructure operational components.

National Critical Infrastructure ISACs Infrastructure

National Council of ISACs: Communications ISAC, Defense Industrial Base (DIB), Electric Sector ISAC, Emergency Management Response ISAC (EMR-ISAC), Financial Services ISAC (FS-ISAC), National Health ISAC (NH-ISAC), Information Technology (IT-ISAC), Maritime ISAC, Multi-State ISAC, NEI (Nuclear Energy Institute), Public Transportation ISAC (PT-ISAC), Real Estate ISAC (RE-ISAC), Research & Education Networking ISAC (REN-ISAC), Supply Chain ISAC (SC-ISAC), Surface Transportation ISAC (ST-ISAC), Motor Coach ISAC, Water ISAC, Aviation ISAC (Forming)

ANALYSIS: PRESIDENTIAL EXECUTIVE ORDER 13636 AND PRESIDENTIAL POLICY DIRECTIVE PPD-21

The issuance of Presidential Directive PPD-21 and Executive Order 13636 to increase and improve national critical infrastructure cybersecurity resilience is a tremendous step forward. It serves to raise awareness and brings together the public and private sectors to proactively address cybersecurity issues and challenges.

Both orders are inter-related. The Presidential Directive provides the framework for addressing a public/private partnership. The Executive Order focuses on federal agency operations, setting out specific programs, roles, responsibilities and activities for federal agencies to improve support of critical infrastructure protection.

To provide insight and "defining voice" opportunities for the health sector to support cybersecurity critical infrastructure resilience, the National Health ISAC (NH-ISAC) has conducted an analysis of both the Executive Order and Presidential Directive and their impact to the nation's Healthcare and Public Health Critical Infrastructure.

As CEO/Executive Director of the National Health ISAC for the nation's healthcare and public health critical infrastructure, and as Chair of the Health Sector Coordinating Council (SCC) Cybersecurity Legislation Committee, I am pleased to provide the following report.

National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL Section1.Policy EXECUTIVEORDER13636 FEBRUARY13,2013 IMPROVINGCRITICALINFRASTRUCTURECYBERSECURITY Repeated cyber intrusions into critical infrastructure demonstrate the need for improved cybersecurity.thecyberthreattocriticalinfrastructurecontinuestogrowandrepresentsoneofthe mostseriousnationalsecuritychallengeswemustconfront.thenationalandeconomicsecurityof theunitedstatesdependsonthereliablefunctioningofthenation'scriticalinfrastructureintheface of such threats. It is the policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy,andcivilliberties.wecanachievethesegoalsthroughapartnershipwiththeownersand operatorsofcriticalinfrastructuretoimprovecybersecurityinformationsharingandcollaboratively developandimplementrisk7basedstandards. Section2.CriticalInfrastructure Asusedinthisorder,thetermcriticalinfrastructuremeanssystemsandassets,whetherphysicalor virtual, so vital to the United States that the incapacity or destruction of such systems and assets wouldhaveadebilitatingimpactonsecurity,nationaleconomicsecurity,nationalpublichealthor safety,oranycombinationofthosematters. 
The@Executive@Order@lays@a@foundation@to@build@a@collaborative@Cybersecurity@Framework@with@private@ sector@ critical@ infrastructure@ (CI)@ owners@ and@ operators@ and@ experts@ to@ share@ information@ on@ cyber@ attacks@ and@ threats@ between@ the@ federal@ government@ and@ the@ private@ sector,@ and@ to@ define@ and@ implement@standards.@@ Close@to@90%@of@national@critical@infrastructures@(CI)@are@owned@and@operated@by@the@private@sector.@An@ Executive@ Order@ is@ written@ to@ manage@ government@ executive@ branch@ agency@ operations.@ @ Private@ sector@ CI@ owners@ and@ operators,@ working@ through@ their@ respective@ ISAC@ and@ Sector@ Coordinating@ Council@(SCC)@have@a@leading@ defining@voice @working@in@collaboration@with@government@to@define,@ implement@ and@ improve@ CI@ cybersecurity@ goals,@ standards,@ policies,@ legislation@ and@ trusted@ partnerships.@@ @ @ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 13

National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL The*cyber*threat*to*our*Nation s*critical*infrastructures*must*be*approached*from*an* AllAHazards * (Physical* and* Cyber)* Security* perspective.**these* are* no* longer* two* separate* environments,* as* cyber*infrastructures*provide*the*foundation*to*provision*and*mange*physical*security.@@ AllHHazards @security@must@include@protection@from@physical@(natural@or@manhmade)@impacts,@such@as@ hurricanes,@tornadoes,@earthquakes,@fires,@asteroids@(satellite@or@earth)@or@terrorism,@as@well@as@cyberh generated@impacts@from@cyber@warfare,@organized@crime,@individual@criminals@or@corporate@insiders.@@@ Technology@infrastructures@and@the@data@that@resides@within@them@are@the@foundation@of@all@of@our@ National@Critical@Infrastructures.@ To@achieve@the@goals@of@enhancing@the@security@and@resilience@of@the@Nation s@critical@infrastructures@ privatehsector@ cyber@ environments@ must@ be@ maintained@ to@ encourage@ efficiency,@ innovation@ and@ economic@ prosperity@ while@ promoting@ safety,@ security,@ business@ confidentiality,@ privacy@ and@ civil@ liberties.@ @ Alignment@ of@ cybersecurity@ prevention,@ protection,@ mitigation,@ response@ and@ recovery@ protocols@must@be@integrated@and@aligned@to@established@government@emergency@preparedness@and@ operations@ protocols@ including@ the@ Federal@ Emergency@ Support@ Functions@ (ESF)@ structure@ for@ each@ critical@infrastructure@(not@only@to@esf@function@#2@for@communications).@ ESFs,@ as@ part@ of@ the@ National@ Response@ Framework@ provide@ the@ structure@ for@ coordinating@ Federal@ interagency@support@for@federal@response@to@an@incident.@they@are@mechanisms@for@grouping@functions@ most@frequently@used@to@provide@federal@support@to@states@and@federalhtohfederal@support,@both@for@ 
declared@disasters@and@emergencies@under@the@stafford@act@and@for@nonhstafford@act@incidents.@ The@following@FEMA@chart@summarizes@Stafford@Act@support@to@States:@@@ http://www.fema.gov/pdf/emergency/nrf/nrfhstafford.pdf@ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 14

National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL The@ Incident@ Command@ System@ provides@ for@ the@ flexibility@ to@ assign@ ESF@ and@ other@ stakeholder@ resources@according@to@their@capabilities,@tasks@and@requirements@to@augment@and@support@the@other@ sections@of@the@joint@field@office@(jfo)@/@regional@response@coordination@center@(rrcc)@or@national@ Response@Coordination@Center@(NRCC)@in@order@to@respond@to@incidents@in@a@more@collaborative@and@ crosshcutting@manner.@ The@NRCC,@a@component@of@the@National@Operations@Center@(NOC),@develops@and@issues@operations@ orders@to@activate@individual@esfs@based@on@the@scope@and@magnitude@of@the@threat@or@incident.@ ESF@primary@agencies@are@notified@of@the@operations@orders@and@time@to@report@to@the@NRCC@by@the@US@ Department@of@Homeland@Security@(DHS)@/@Federal@Emergency@Management@Agency@(FEMA).@At@the@ regional@level,@esfs@are@notified@by@the@rrcc@per@established@protocols.@@ Cybersecurity@response@protocols,@operations,@roles,@responsibilities,@functions@and@resources@need@to@ be@defined@and@integrated@within@and@across@all@esfs,@as@previously@stated.@@@each@esf@is@required@to@ develop@ standard@ operating@ procedures@ (SOPs)@ and@ notification@ protocols@ and@ to@ maintain@ current@ rosters@and@contact@information.@@these@sops@must@be@updated@to@incorporate@cyber@response.@ Federal@Emergency@Support@Functions@(ESFs):@ http://www.fema.gov/pdf/emergency/nrf/nrfhesfhintro.pdf@@ @ @ ESF@#1@ Transportation@ @ @ @ @ @ @ ESF@#2@ @Communications@ @ @ @ ESF@#3@ @Public@Works@and@Engineering@ @ @ @ @ ESF@#4@ @Firefighting@ @ @ @ @ ESF@#5@ @Emergency@Management@ @ @ @ @ ESF@#6@ @Mass@Care,@Emergency@Assistance,@Housing@and@Human@Services@ @ @ ESF#7@ @Logistics@Management@and@Resource@Support@ @ @ ESF@#8@ @Public@Health@and@Medical@Services@ @ @ @ ESF@#9@ @Search@and@Rescue@ @ @ ESF@@#10@ 
@Oil@and@Hazardous@Materials@Response@ @ @ ESF@#@11@ @Agriculture@and@Natural@Resources@ @ @ @ ESF@#@12@ @Energy@ @ @ ESF@#@13@ @Pubic@Safety@and@Security@ @ @ @ ESF@#@14@ @Long@Term@Community@Recovery@ @ @ @ ESF@#@15@ @External@Affairs@ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 15

National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL Section3.PolicyCoordination Policycoordination,guidance,disputeresolution,andperiodicin7progressreviewsforthefunctions and programs described and assigned herein shall be provided through the interagency process established in Presidential Policy Directive71* of February 13, 2009 (Organization of the National SecurityCouncilSystem),oranysuccessor. * *Presidential*Policy*Directive*A1,*February*13,*2009* *Organization*of*the*National*Security*Council@ National*Security*Council*(NSC)@ @Principal@forum@for@consideration@of@national@security@policy@issues@ requiring@presidential@determination.@@nsc:@ Advises@and@assists@the@President@in@integrating@all@aspects@of@national@security@policy@as@it@ affects@the@us@ @domestic,@foreign,@military,@intelligence,@and@economic)@in@conjunction@with@ the@national@economic@council.@ President s@ principal@ means@ for@ coordinating@ executive@ departments@ and@ agencies@ in@ the@ development@and@implementation@of@national@security@policy.@ Members:@President,@ViceHPresident,@Secretary@of@State,@Secretary@of@Defense,@Secretary@of@ Energy,@ Secretary@ of@ the@ Treasury,@ Attorney@ General,@ Secretary@ of@ Homeland@ Security,@ Representative@of@the@US@to@the@United@Nations,@Assistant@to@the@President@and@President s@ Chief@ of@ Staff,@ Assistant@ to@ the@ President@ for@ National@ Security@ Affairs@ (National@ Security@ Advisors).@ @ The@ Director@ of@ National@ Intelligence@ and@ Chairman@ of@ the@ Joint@ Chiefs@ of@ Staff@ attend@as@statutory@advisors.@@ NSC@Meeting@Attendees:@@President s@counsel@ @ Invited@to@NSC@meetings.@@Assistant@to@the@ President@and@Deputy@National@Security@Advisor@ @Attend@every@NSC@meeting@and@serve@as@ Secretary. 
For international economic issues@ @ Secretary@ of@ Commerce,@ US@ Trade@ Representative,@Assistant@to@the@President@for@Economic@Policy@and@Chair@of@the@Council@of@ Economic@Advisors.@For*homeland*security*or*counterAterrorism*related*issues@ @Assistant@ to@the@president@for@homeland@security@and@counterhterrorism.@@for*science*and*technology* related* issues@ @ Director@ of@ the@ Office@ of@ Science@ and@ Technology@ Policy.@ Executive@ department,@agency@heads@and@other@senior@officials@are@invited@to@attend,@as@appropriate.@ NSC@meets@regularly@and@as@required.@@National@Security@Advisor,@at@the@President s@direction@and@in@ consultation@with@nsc@members@determines@the@agenda,@records@actions@and@presidential@decisions.@ NSC*Principals*Committee*(NSC/PC)@ @The@Senior@interagency@forum@for@consideration@of@policy@issues@ affecting@national@security.@ NSC*Deputies*Committee*(NSC/DC)@ @Reviews@and@monitors@the@work@of@the@NSC@interagency@process@ (including@interagency@policy@committees).@ensures@that@issues@being@brought@before@the@hsc/pc@or@ NSC@ have@ been@ properly@ analyzed@ and@ prepared@ for@ decision.@ @ Focuses@ on@ significant@ attention@ on@ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 16

National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL policy@ implementation.@ @ Periodic@ reviews@ of@ Administration s@ major@ foreign@ policy@ initiatives.@@ Responsible@for@dayHtoHday@crisis@management,@reporting@to@the@National@Security@Council.@@ Interagency*Policy*Committees*(NSC/IPCs) Management@of@the@development@and@implementation@ of@national@security@policies@by@multiple@agencies@of@the@us@are@accomplished@by@the@nsc@interagency@ Policy@ Committee.@ @ NSC/IPCs@ conduct@ the@ main@ dayhtohday@ interagency@ coordination@ of@ national@ security@policy.@@provide@policy@analysis@for@consideration@by@the@more@senior@committees@and@ensure@ timely@responses@to@decisions@made@by@the@president.@@ Section4.CybersecurityInformationSharing (a)itisthepolicyoftheunitedstatesgovernmenttoincreasethevolume,timeliness,andqualityof cyber threat information shared with U.S. private sector entities so that these entities may better protectanddefendthemselvesagainstcyberthreats.within120daysofthedateofthisorder,the AttorneyGeneral,theSecretaryofHomelandSecurity(theSecretary),andtheDirectorofNational Intelligenceshalleachissueinstructionsconsistentwiththeirauthoritiesandwiththerequirements ofsection12(c)ofthisordertoensurethetimelyproductionofunclassifiedreportsofcyberthreats totheu.s.homelandthatidentifyaspecifictargetedentity.theinstructionsshalladdresstheneed toprotectintelligenceandlawenforcementsources,methods,operations,andinvestigations. (b)thesecretaryandtheattorneygeneral,incoordinationwiththedirectorofnationalintelligence, shallestablishaprocessthatrapidlydisseminatesthereportsproducedpursuanttosection4(a)of thisordertothetargetedentity.suchprocessshallalso,consistentwiththeneedtoprotectnational securityinformation,includethedisseminationofclassifiedreportstocriticalinfrastructureentities authorized to receive them. 
The Secretary and the Attorney General, in coordination with the DirectorofNationalIntelligence,shallestablishasystemfortrackingtheproduction,dissemination, anddispositionofthesereports. (c) To assist the owners and operators of critical infrastructure in protecting their systems from unauthorized access, exploitation, or harm, the Secretary, consistent with 6 U.S.C. 143 and in collaborationwiththesecretaryofdefense,shall,within120daysofthedateofthisorder,establish procedures to expand the Enhanced Cybersecurity Services program to all critical infrastructure sectors.thisvoluntaryinformation7sharingprogramwillprovideclassifiedcyberthreatandtechnical informationfromthegovernmenttoeligiblecriticalinfrastructurecompaniesorcommercialservice providersthatoffersecurityservicestocriticalinfrastructure. (d) The Secretary, as the Executive Agent for the Classified National Security Information Program created under Executive Order 13549 of August 18, 2010 (Classified National Security Information ProgramforState,Local,Tribal,andPrivateSectorEntities),shallexpeditetheprocessingofsecurity clearances to appropriate personnel employed by critical infrastructure owners and operators, prioritizingthecriticalinfrastructureidentifiedinsection9ofthisorder. http://www.archives.gov/isoo/policy7documents/eo713549.html (e)inordertomaximizetheutilityofcyberthreatinformationsharingwiththeprivatesector,the Secretary shall expand the use of programs that bring private sector subject7matter experts into Federalserviceonatemporarybasis.Thesesubjectmatterexpertsshouldprovideadviceregarding NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 17

National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL the content, structure, and types of information most useful to critical infrastructure owners and operatorsinreducingandmitigatingcyberrisks. Increasing@ the@ volume,@ timeliness@ and@ quality@ of@ sharing@ unclassified@ and@ classified@ threat@ information@identified@by@government@intelligence@agencies@to@the@private@sector@of@the@united@states@ is@ essential@ to@ ensure@ critical@ infrastructure@ (CI)@ resilience.@@the@ number@ of@ security@ clearances@ for@ privatehsector@ critical@ infrastructure@ owners/operators@ needs@ to@ be@ increased@ to@ achieve@ this@ capability.@ By@ June@ 12,@ 2013@ @ (120@ days@ from@ EO@ issuance),@ the@ US@ Attorney@ General,@ Secretary@ of@ Homeland@ Security,@and@the@Director@of@National@Intelligence@are@required@to@issue@instructions@to@ensure@timely@ production@ of@ unclassified@ reports@ of@ cyber@ threats@ to@ the@ US@ homeland@ that@ identify@ a@ specific@ targeted@ entity.@ @ @ Instructions@ will@ protect@ intelligence@ and@ law@ enforcement@ sources,@ methods,@ operations@and@investigations.@@ Note:@@Federal@agencies@are@required@the@law@to@report@all@incidents@to@the@United@States@Computer@ Emergency@Readiness@Team@(USHCERT).@@ Per@ guidelines@ in@ the@ National@ Infrastructure@ Plan@ (NIPP)@ and@ NIST@ Security@ Incident@ Response@ standards,@ critical@ infrastructure@ owners@ and@ operators@ are@ encouraged@ to@ report@ threats@ and@ incidents@to@their@respective@sectorhspecific@isac.@@in@addition@to@isacs@providing@advice@and@additional@ resources@to@successfully@respond@to@a@threat@or@incident,@reporting@and@information@sharing@is@critical@ to@enable@sector@and@crosshsector@impact@and@countermeasure@solution@analysis@and@response.@@this@is@ the@only@way@to@move@from@a@reactive@to@proactive@cybersecurity@stance.@@@ All@ critical@ infrastructure@ ISACs@ are@ 
sectorhled@ and@ coordinate@ critical@ infrastructure@ threat@ and@ vulnerability@incident@response@24/7@via@the@national@council@of@isacs@working@in@collaboration@with@ government.@ Improving@ the@ sharing@ of@ classified@ and@ technical@ information@ from@ the@ government@ enables@expanded@and@trusted@intelligence@information@sharing.@ ISACs@enable@realHtime@twoHway@actionable@intelligence@sector@and@crossHsector@information@sharing,@ serving@ as@ the@ tactical@ and@ operational@ arm@ conducting@ 24/7@ allhhazards@ threat@ and@ vulnerability@ intelligence@ and@ response@ analysis@ in@ collaboration@ and@ coordination@ with@ the@ US@ Department@ of@ Homeland@ Security@ National@ Cybersecurity@ and@ Communications@ Integration@ Center@ (NCCIC),@ USH CERT,@ intelligence@ agencies,@ federal@ SectorHSpecific@ Agencies@ (SSAs)@ and@ security@ and@ technology@ expert@ organizations.@ @Working@ directly@ with@ their@ respective@ critical@ infrastructure@ owners@ and@ operators@ and@ technology@ partners,@ ISACs,@ frequently@ identify@ threats@ and@ vulnerabilities@ prior@ to@ government@intelligence@agency@sources.@@@ As@defined@by@the@National@Infrastructure@Protection@Plan@(NIPP),@ ISACs@are@privatelyHled@sectorH specific@organizations@advancing@physical@and@cyber@security@critical@infrastructure@and@key@resources@ (CIKR)@protection@by@establishing@and@maintaining@collaborative@frameworks@for@operational@ interaction@between@and@among@members@and@external@partners.@ @ @ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 18

National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL Situational@Awareness@Intelligence@Capabilities@ @ CI@owners@and@operator@increase@sector@and@crossHsector@situational@awareness@understanding@of@the@ threats@and@vulnerabilities@they@face@on@a@daily@basis@and@the@associated@risks.@@ Capabilities@ also@ need@ to@ include@ dedicated@ teams@ of@ highly@ skilled@ cybersecurity@ analysts@ for@ the@ nation s@ healthcare@ and@ public@ health.@ @ Improving@ timely@ public/private@ capabilities@ of@ cyber@ intelligence@situational@awareness@information@sharing@from@a@classified@and@unclassified@perspective@ is@an@essential@step@and@will@help@support@ensuring@appropriate@investments@to@achieve@ci@resilience.@ Analysis@and@issuance@of@timely@unclassified@cyber@threat@reports@by@DHS@to@US@private@sector@entities@ need@ to@ include@ sector@ and@ crosshsector@ analysis,@ supported@ by@ the@ National@ Council@ of@ ISACs,@ for@ potential@ allhhazards@ (physical@ and@ cyber)@ security@ cascading@ impacts@ including@ threat@ report@ information@analyzed@and@coordinated@per@nist*computer*security*incident*handling*guide*(special* Publication*800A61,*Revision*2* *August*2012)@for@Coordination@and@Information@Sharing@specifying@ threat@and@incident@reporting.@@@ When@reaching@out@to@external@parties,@coordination@with@the@sector s@information@sharing@&@analysis@ Center@(ISAC)@represent@a@ trusted@introducer,@as@represented@in@nist@standard@800h61.@@ http://csrc.nist.gov/publications/nistpubs/800h61rev2/sp800h61rev2.pdf@@ NIST*800A61,*Revision*2* *Table*4.1*Coordination*Relationships* Category:**TeamAtoATeam* Definition:@@TeamHtoHteam@relationships@exist@whenever@technical@incident@responders@in@different@ organizations@collaborate@with@their@peers@during@any@phase@of@the@incident@handling@life@cycle.@@ The@ organizations@ participating@ in@ this@ type@ of@ relationship@ are@ 
usually@ peers@ without@ any@ authority@over@each@other@and@choose@to@share@information,@pool@resources@and@reuse@knowledge@ to@solve@problems@common@to@both@teams.@ Information* Shared:@@The@information@most@frequently@shared@in@teamHtoHteam@relationships@is@ tactical@and@technical@(e.g.,@technical@indicators@or@compromise,@suggested@remediation@actions)@ but@may@also@include@other@types@of@information@(plans,@procedures,@lessons@learned)@if@conducted@ as@part@of@the@preparation@phase.@ Category:*TeamAtoACoordinating*Team* Definition:@@TeamHtoHcoordinating@ team@ relationships@ exist@ between@ an@ organizational@ incident@ response@team@and@a@separate@organization@that@acts@as@a@central@point@for@coordinated@incident@ response@and@management@such@as@ushcert@or@an@isac.@@this@type@of@relationships@may@include@ some@degree@of@required@reporting@from@the@member@organizations@by@the@coordinating@body,@as@ well@ as@ the@ expectation@ that@ the@ coordinating@ team@ will@ disseminate@ timely@ and@ useful@ information@to@participating@member@organizations.@ Information* Shared:@ @Teams@ and@ coordinating@ teams@ frequently@ share@ tactical,@ technical@ information@as@well@as@information@regarding@threats,@vulnerabilities@and@risks@to@the@community@ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 19

National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL served@ by@ the@ coordinating@ team.@ @ The@ coordinating@ team@ may@ also@ need@ specific@ impact@ information@about@incidents@in@order@to@help@make@decisions@on@where@to@focus@its@resources@and@ attention.@ Category:**Coordinating*TeamAtoACoordinating*Team* Definition:@@Relationships@between@multiple@coordinating@teams@such@as@USHCERT@and@the@ISACs@ exist@ to@ share@ information@ relating@ to@ cross@ cutting@ incidents@ which@ may@ affect@ multiple@ communities.@ @ The@ coordinating@ teams@ act@ on@ behalf@ of@ their@ respective@ community@ member@ organizations@ to@ share@ information@ on@ the@ nature@ and@ scope@ of@ cross@ cutting@ incidents@ and@ reusable@mitigation@strategies@to@assist@in@interhcommunity@response.@ Information* Shared:@ @ The@ type@ of@ information@ shared@ by@ coordinating@ teams@ with@ their@ counterparts@ often@ consists@ of@ periodical@ summaries@ during@ steady@ state @ operations,@ punctuated@ by@ the@ exchange@ of@ tactical,@ technical@ details,@ response@ plans,@ and@ impact@ or@ risk@ assessment@information@during@coordinated@incident@response@activities.@ @ Section5.PrivacyandCivilLibertiesProtections (a) Agencies shall coordinate their activities under this order with their senior agency officials for privacyandcivillibertiesandensurethatprivacyandcivillibertiesprotectionsareincorporatedinto suchactivities.suchprotectionsshallbebaseduponthefairinformationpracticeprinciplesandother privacyandcivillibertiespolicies,principles,andframeworksastheyapplytoeachagency'sactivities. 
(b)thechiefprivacyofficerandtheofficerforcivilrightsandcivillibertiesofthedepartmentof HomelandSecurity(DHS)shallassesstheprivacyandcivillibertiesrisksofthefunctionsandprograms undertakenbydhsascalledforinthisorderandshallrecommendtothesecretarywaystominimize ormitigatesuchrisks,inapubliclyavailablereport,tobereleasedwithin1yearofthedateofthis order.senioragencyprivacyandcivillibertiesofficialsforotheragenciesengagedinactivitiesunder thisordershallconductassessmentsoftheiragencyactivitiesandprovidethoseassessmentstodhs for consideration and inclusion in the report. The report shall be reviewed on an annual basis and revisedasnecessary.thereportmaycontainaclassifiedannexifnecessary.assessmentsshallinclude evaluation of activities against the Fair Information Practice Principles and other applicable privacy andcivillibertiespolicies,principles,andframeworks.agenciesshallconsiderreportassessmentsand recommendationsinimplementingprivacyandcivillibertiesprotectionsforagencyactivities. (c)inproducingthereportrequiredundersubsection(b)ofthissection,thechiefprivacyofficerand theofficerforcivilrightsandcivillibertiesofdhsshallconsultwiththeprivacyandcivilliberties OversightBoardandcoordinatewiththeOfficeofManagementandBudget(OMB). (d)informationsubmittedvoluntarilyinaccordancewith6u.s.c.133byprivateentitiesunderthis ordershallbeprotectedfromdisclosuretothefullestextentpermittedbylaw. NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 20

National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL The@ Executive@ Order@ does@ not@ focus@ on@ language@ to@ change@ or@ directly@ impact@ privacy@ laws@ and@ regulations,@ but@ calls@ for@ collaborative@ consultation@ among@ privacy@ officers@ and@ senior@ officials@ to@ ensure@ privacy@ and@ civil@ liberties@ protections.@ Many@ companies@ have@ data,@ such@ as@ financial@ and@ personal@health@information@(phi)@subject@to@state@privacy@and@breach@notification@laws.@@@ Many@private@sector@organizations@have@raised@concerns@over@liability@protection@for@private@sector@ information@ sharing@ with@ government,@ a@ major@ obstacle@ for@ public/private@ interaction.@ @ As@ this@ is@ beyond@ the@ scope@ of@ the@ Executive@ Order@ or@ Presidential@ Powers,@ leaving@ liability@ issues@ open@ may@ greatly@limit@private@sector@voluntary@participation.@ Further@debates@and@potential@protests@are@expected@from@the@privacy@community,@contingent@upon@ proposed@and@any@resulting@legislation.@ Section6.ConsultativeProcess TheSecretaryshallestablishaconsultativeprocesstocoordinateimprovementstothecybersecurity ofcriticalinfrastructure.aspartoftheconsultativeprocess,thesecretaryshallengageandconsider the advice, on matters set forth in this order, of the Critical Infrastructure Partnership Advisory Council; Sector Coordinating Councils; critical infrastructure owners and operators; Sector7Specific Agencies;otherrelevantagencies;independentregulatoryagencies;State,local,territorial,andtribal governments;universities;andoutsideexperts. 
The@ consultative@process@to@coordinate@improvements@to@the@cybersecurity@of@critical@infrastructure @ must@engage@private@sector@ci@leadership@and@representative@expertise@from@security@and@technology@ organizations@supporting@national@critical@infrastructures.@ The@ consultative@ agenda@ must@ address@ security@ from@ an@ allhhazards @ perspective@ and@ align@ cybersecurity@to@federal,@state,@local,@territorial@and@tribal@emergency@operations@protocols.@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ Section7.BaselineFrameworktoReduceCyberRisktoCriticalInfrastructure (a) The Secretary of Commerce shall direct the Director of the National Institute of Standards and Technology(theDirector)toleadthedevelopmentofaframeworktoreducecyberriskstocritical infrastructure (the Cybersecurity Framework). The CybersecurityFrameworkshallincludeasetof standards, methodologies, procedures, and processes that align policy, business, and technological approaches to address cyber risks. The Cybersecurity Framework shall incorporate voluntary consensus standards and industry best practices to the fullest extent possible. The Cybersecurity Framework shall be consistent with voluntary international standards when such international standardswilladvancetheobjectivesofthisorder,andshallmeettherequirementsofthenational Institute of Standards and Technology Act, as amended (15 U.S.C. 271 et seq.), the National TechnologyTransferandAdvancementActof1995(PublicLaw1047113),andOMBCircularA7119,as revised. @ @ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 21

National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL (b)thecybersecurityframeworkshallprovideaprioritized,flexible,repeatable,performance7based, and cost7effective approach, including information security measures and controls, to help owners and operators of critical infrastructure identify, assess, and manage cyber risk. The Cybersecurity Framework shall focus on identifying cross7sector security standards and guidelines applicable to critical infrastructure. The Cybersecurity Framework will also identify areas for improvement that should be addressed through future collaboration with particular sectors and standards7developing organizations. To enable technical innovation and account for organizational differences, the Cybersecurity Framework will provide guidance that is technology neutral and that enables critical infrastructuresectorstobenefitfromacompetitivemarketforproductsandservicesthatmeetthe standards, methodologies, procedures, and processes developed to address cyber risks. The Cybersecurity Framework shall include guidance for measuring the performance of an entity in implementingthecybersecurityframework. (c)thecybersecurityframeworkshallincludemethodologiestoidentifyandmitigateimpactsofthe Cybersecurity Framework and associated information security measures or controls on business confidentiality,andtoprotectindividualprivacyandcivilliberties. (d)indevelopingthecybersecurityframework,thedirectorshallengageinanopenpublicreviewand comment process. 
The Director shall also consult with the Secretary, the National Security Agency, Sector7Specific Agencies and other interested agencies including OMB, owners and operators of criticalinfrastructure,andotherstakeholdersthroughtheconsultativeprocessestablishedinsection 6ofthisorder.TheSecretary,theDirectorofNationalIntelligence,andtheheadsofotherrelevant agencies shall provide threat and vulnerability information and technical expertise to inform the developmentofthecybersecurityframework.thesecretaryshallprovideperformancegoalsforthe CybersecurityFrameworkinformedbyworkundersection9ofthisorder. (e)within240daysofthedateofthisorder,thedirectorshallpublishapreliminaryversionofthe CybersecurityFramework(thepreliminaryFramework).Within1yearofthedateofthisorder,and aftercoordinationwiththesecretarytoensuresuitabilityundersection8ofthisorder,thedirector shallpublishafinalversionofthecybersecurityframework(thefinalframework). (f)consistentwithstatutoryresponsibilities,thedirectorwillensurethecybersecurityframeworkand related guidance is reviewed and updated as necessary, taking into consideration technological changes, changes in cyber risks, operational feedback from owners and operators of critical infrastructure,experiencefromtheimplementationofsection8ofthisorder,andanyotherrelevant factors. NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 22

National(Health#ISAC#(NH!ISAC) GlobalInstituteforCybersecurity+Research7GlobalSituationalAwarenessCenter NASA SpaceLifeSciencesLaboratory KennedySpaceCenter,FL Director@ of@ the@ National@ Institute@ of@ Standards@ and@ Technology@ is@ responsible@ for@ leading@ development@ of@ the@ Cybersecurity@ Framework,@ standards,@ methodologies,@ procedures@ and@ processes@aligning@policy,@business@and@technology@to@address@cybersecurity@issues@and@challenges.@ The@Framework@will@be@technology@neutral@supporting@a@competitive@market@for@products@and@services@ to@meet@framework@requirements.@@@ A@draft@Framework@for@public@review@and@comment@is@due@within@240@days@from@February@12,@2013@ (i.e.,@by@october@10,@2013)@and@a@final@version@issued@within@one@year@of@the@executive@order.@ PrivateHsector@ CI@ owners@ and@ operators@ and@ the@ ISAC@ community@ must@ maintain@ a@ leadership@ defining@voice @role@in@all@ci@protection@efforts,@including@reviews@and@future@updates.@@ It@is@in@the@private@sector s@best@interests@to@ensure@that@the@federal@government@understands@their@ business@operations,@cybersecurity,@disaster@recovery,@and@business@continuity@requirements@and@the@ impact@ of@ policies@ and/or@ standards@ supporting@ implementation@ of@ a@ National@ Cybersecurity@ Framework.@ Section8.VoluntaryCriticalInfrastructureCybersecurityProgram. a)thesecretary,incoordinationwithsector7specificagencies,shallestablishavoluntaryprogramto support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructureandanyotherinterestedentities(theprogram). (b) Sector7Specific Agencies, in consultation with the Secretary and other interested agencies, shall coordinate with the Sector Coordinating Councils to review the Cybersecurity Framework and, if necessary, develop implementation guidance or supplemental materials to address sector7specific risksandoperatingenvironments. 
(c)sector7specificagenciesshallreportannuallytothepresident,throughthesecretary,ontheextent towhichownersandoperatorsnotifiedundersection9ofthisorderareparticipatingintheprogram. (d) The Secretary shall coordinate establishment of a set of incentives designed to promote participation in the Program. Within 120 days of the date of this order, the Secretary and the Secretaries of the Treasury and Commerce each shall make recommendations separately to the President,throughtheAssistanttothePresidentforHomelandSecurityandCounterterrorismandthe AssistanttothePresidentforEconomicAffairs,thatshallincludeanalysisofthebenefitsandrelative effectiveness of such incentives, and whether the incentives would require legislation or can be providedunderexistinglawandauthoritiestoparticipantsintheprogram. (e) Within 120 days of the date of this order, the Secretary of Defense and the Administrator of GeneralServices,inconsultationwiththeSecretaryandtheFederalAcquisitionRegulatoryCouncil, shallmakerecommendationstothepresident,throughtheassistanttothepresidentforhomeland Security and Counterterrorism and the Assistant to the President for Economic Affairs, on the feasibility, security benefits, and relative merits of incorporating security standards into acquisition planningandcontractadministration.thereportshalladdresswhatstepscanbetakentoharmonize andmakeconsistentexistingprocurementrequirementsrelatedtocybersecurity. @ NationalHealthISAC(NH7ISAC) February2013.AllRightsReserved.! 23

The Secretary, in coordination with Sector-Specific Agencies (SSAs), to support and encourage voluntary adoption of the Cybersecurity Framework by CI owners and operators, including recommendations for adoption incentives, must work directly with private sector critical infrastructure owner and operator leaders, the ISAC community, and the Sector Coordinating Councils to "define" voluntary adoption, guidance and supplemental materials.

To successfully implement a "voluntary" cybersecurity framework, it is essential that the framework validate that all stakeholder requirements are recognized and integrated, and that opportunities for framework refinement and sustainability are maintained.

Recommendations for adoption incentives should include consideration of tax credits for those organizations that implement the framework and work in collaboration with their respective sector's ISAC. (Note: similar to the tax credit that is provided to organizations that conduct qualified research and development.)

Section 9. Identification of Critical Infrastructure at Greatest Risk

(a) Within 150 days of the date of this order, the Secretary shall use a risk-based approach to identify critical infrastructure where a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security. In identifying critical infrastructure for this purpose, the Secretary shall use the consultative process established in section 6 of this order and draw upon the expertise of Sector-Specific Agencies. The Secretary shall apply consistent, objective criteria in identifying such critical infrastructure. The Secretary shall not identify any commercial information technology products or consumer information technology services under this section.
The Secretary shall review and update the list of identified critical infrastructure under this section on an annual basis, and provide such list to the President, through the Assistant to the President for Homeland Security and Counterterrorism and the Assistant to the President for Economic Affairs.

(b) Heads of Sector-Specific Agencies and other relevant agencies shall provide the Secretary with information necessary to carry out the responsibilities under this section. The Secretary shall develop a process for other relevant stakeholders to submit information to assist in making the identifications required in subsection (a) of this section.

(c) The Secretary, in coordination with Sector-Specific Agencies, shall confidentially notify owners and operators of critical infrastructure identified under subsection (a) of this section that they have been so identified, and ensure identified owners and operators are provided the basis for the determination. The Secretary shall establish a process through which owners and operators of critical infrastructure may submit relevant information and request reconsideration of identifications under subsection (a) of this section.

Sector-Specific Agencies (SSAs) - Incorporate Sector Coordinating Councils (SCCs) and their respective ISACs as components of the collaborative input (the consultative process).

The Health Sector Coordinating Council (SCC) has been identifying healthcare and public health CI assets via the critical asset identification process.

Education and awareness of the effort to identify CI at greatest risk that has not already been identified as part of the HHS critical asset identification process needs to be communicated across the nation's healthcare and public health critical infrastructure.

Section 10. Adoption of Framework

(a) Agencies with responsibility for regulating the security of critical infrastructure shall engage in a consultative process with DHS, OMB, and the National Security Staff to review the preliminary Cybersecurity Framework and determine if current cybersecurity regulatory requirements are sufficient given current and projected risks. In making such determination, these agencies shall consider the identification of critical infrastructure required under section 9 of this order. Within 90 days of the publication of the preliminary Framework, these agencies shall submit a report to the President, through the Assistant to the President for Homeland Security and Counterterrorism, the Director of OMB, and the Assistant to the President for Economic Affairs, that states whether or not the agency has clear authority to establish requirements based upon the Cybersecurity Framework to sufficiently address current and projected cyber risks to critical infrastructure, the existing authorities identified, and any additional authority required.
(b) If current regulatory requirements are deemed to be insufficient, within 90 days of publication of the final Framework, agencies identified in subsection (a) of this section shall propose prioritized, risk-based, efficient, and coordinated actions, consistent with Executive Order 12866 of September 30, 1993 (Regulatory Planning and Review), Executive Order 13563 of January 18, 2011 (Improving Regulation and Regulatory Review), and Executive Order 13609 of May 1, 2012 (Promoting International Regulatory Cooperation), to mitigate cyber risk.

(c) Within 2 years after publication of the final Framework, consistent with Executive Order 13563 and Executive Order 13610 of May 10, 2012 (Identifying and Reducing Regulatory Burdens), agencies identified in subsection (a) of this section shall, in consultation with owners and operators of critical infrastructure, report to OMB on any critical infrastructure subject to ineffective, conflicting, or excessively burdensome cybersecurity requirements. This report shall describe efforts made by agencies, and make recommendations for further actions, to minimize or eliminate such requirements.

(d) The Secretary shall coordinate the provision of technical assistance to agencies identified in subsection (a) of this section on the development of their cybersecurity workforce and programs.

(e) Independent regulatory agencies with responsibility for regulating the security of critical

infrastructure are encouraged to engage in a consultative process with the Secretary, relevant Sector-Specific Agencies, and other affected parties to consider prioritized actions to mitigate cyber risks for critical infrastructure consistent with their authorities.

This administrative action outlines that agencies with the responsibility for regulating the security of critical infrastructures are to engage in a 90 day review to determine if they have the existing authority to establish Framework cyber risk requirements. If not, within 90 days of the Framework's final publication, additional regulations for cyber risk mitigation are to be proposed. This leaves questions as to whether the Framework will actually be a voluntary program.

If the "voluntary" Cybersecurity Framework is to be used for review against current regulatory requirements or in development of new regulations, laws or mandates, this has potential cascading impacts to healthcare regulations that must be considered and discussed with healthcare and public health stakeholders. This could cause serious hesitation in the health sector's adoption of the resulting Cybersecurity Framework and bring into question whether the "voluntary" Framework is only a means and a path to more regulations.

From the standpoint of managing the impact of any existing or new regulatory requirements, it is very important that CI owners and operators be involved from the beginning of development of this Framework, and stay involved, especially to define and address regulatory compliance. Any ineffective, conflicting or excessively burdensome cybersecurity requirements impacting the nation's healthcare or public health critical infrastructure need to be communicated by CI owners and
operators with recommendations for further actions and monitored for resolution.

Agencies and independent regulatory agencies with the responsibility for regulating the security of critical infrastructures that will be part of this consultative process need to be defined and communicated to CI owner and operator stakeholders.

Section 11. Definitions.

(a) "Agency" means any authority of the United States that is an "agency" under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

(b) "Critical Infrastructure Partnership Advisory Council" means the council established by DHS under 6 U.S.C. 451 to facilitate effective interaction and coordination of critical infrastructure protection activities among the Federal Government; the private sector; and State, local, territorial, and tribal governments.

(c) "Fair Information Practice Principles" means the eight principles set forth in Appendix A of the National Strategy for Trusted Identities in Cyberspace.

(d) "Independent regulatory agency" has the meaning given the term in 44 U.S.C. 3502(5).

(e) "Sector Coordinating Council" means a private sector coordinating council composed of representatives of owners and operators within a particular sector of critical infrastructure established by the National Infrastructure Protection Plan or any successor.

(f) "Sector-Specific Agency" has the meaning given the term in Presidential Policy Directive-21 of February 12, 2013 (Critical Infrastructure Security and Resilience), or any successor.

Section 12. General Provisions.

(a) This order shall be implemented consistent with applicable law and subject to the availability of appropriations. Nothing in this order shall be construed to provide an agency with authority for regulating the security of critical infrastructure in addition to or to a greater extent than the authority the agency has under existing law. Nothing in this order shall be construed to alter or limit any authority or responsibility of an agency under existing law.

(b) Nothing in this order shall be construed to impair or otherwise affect the functions of the Director of OMB relating to budgetary, administrative, or legislative proposals.
(c) All actions taken pursuant to this order shall be consistent with requirements and authorities to protect intelligence and law enforcement sources and methods. Nothing in this order shall be interpreted to supersede measures established under authority of law to protect the security and integrity of specific activities and associations that are in direct support of intelligence and law enforcement operations.

(d) This order shall be implemented consistent with U.S. international obligations.

(e) This order is not intended to, and does not, create any right or benefit, substantive or procedural, enforceable at law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

PRESIDENTIAL POLICY DIRECTIVE (PPD-21), FEBRUARY 13, 2013
CRITICAL INFRASTRUCTURE SECURITY & CYBERSECURITY
http://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil

The Presidential Policy Directive (PPD) on Critical Infrastructure Security and Resilience advances a national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure.

Introduction

The Nation's critical infrastructure provides the essential services that underpin American society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure including assets, networks, and systems that are vital to public confidence and the Nation's safety, prosperity, and well-being.

The Nation's critical infrastructure is diverse and complex. It includes distributed networks, varied organizational structures and operating models (including multinational ownership), interdependent functions and systems in both the physical space and cyberspace, and governance constructs that involve multi-level authorities, responsibilities, and regulations. Critical infrastructure owners and operators are uniquely positioned to manage risks to their individual operations and assets, and to determine effective strategies to make them more secure and resilient.

Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards. Achieving this will require integration with the national preparedness system across prevention, protection, mitigation, response, and recovery.

This directive establishes national policy on critical infrastructure security and resilience.
This endeavor is a shared responsibility among the Federal, state, local, tribal, and territorial (SLTT) entities, and public and private owners and operators of critical infrastructure (herein referred to as "critical infrastructure owners and operators"). This directive also refines and clarifies the critical infrastructure-related functions, roles, and responsibilities across the Federal Government, as well as enhances overall coordination and collaboration. The Federal Government also has a responsibility to strengthen the security and resilience of its own critical infrastructure, for the continuity of national essential functions, and to organize itself to partner effectively with and add value to the security and resilience efforts of critical infrastructure owners and operators.

Policy

It is the policy of the United States to strengthen the security and resilience of its critical infrastructure against both physical and cyber threats. The Federal Government shall work with critical infrastructure owners and operators and SLTT entities to take proactive steps to manage risk and strengthen the security and resilience of the Nation's critical infrastructure, considering all hazards that could have a debilitating impact on national security, economic stability, public health and safety, or any combination thereof. These efforts shall seek to reduce vulnerabilities, minimize consequences, identify and disrupt threats, and hasten response and recovery efforts related to critical infrastructure.

The Federal Government shall also engage with international partners to strengthen the security and resilience of domestic critical infrastructure and critical infrastructure located outside of the United States on which the Nation depends.

U.S. efforts shall address the security and resilience of critical infrastructure in an integrated, holistic manner to reflect this infrastructure's interconnectedness and interdependency. This directive also identifies energy and communications systems as uniquely critical due to the enabling functions they provide across all critical infrastructure sectors.

Three strategic imperatives shall drive the Federal approach to strengthen critical infrastructure security and resilience:

1) Refine and clarify functional relationships across the Federal Government to advance the national unity of effort to strengthen critical infrastructure security and resilience;

2) Enable effective information exchange by identifying baseline data and systems requirements for the Federal Government; and

3) Implement an integration and analysis function to inform planning and operations decisions regarding critical infrastructure.
All Federal department and agency heads are responsible for the identification, prioritization, assessment, remediation, and security of their respective internal critical infrastructure that supports primary mission essential functions. Such infrastructure shall be addressed in the plans and execution of the requirements in the National Continuity Policy.

Federal departments and agencies shall implement this directive in a manner consistent with applicable law, Presidential directives, and Federal regulations, including those protecting privacy, civil rights, and civil liberties. In addition, Federal departments and agencies shall protect all information associated with carrying out this directive consistent with applicable legal authorities and policies.

Roles and Responsibilities

Effective implementation of this directive requires a national unity of effort pursuant to strategic guidance from the Secretary of Homeland Security. That national effort must include expertise and day-to-day engagement from the Sector-Specific Agencies (SSAs) as well as the specialized or support

capabilities from other Federal departments and agencies, and strong collaboration with critical infrastructure owners and operators and SLTT entities. Although the roles and responsibilities identified in this directive are directed at Federal departments and agencies, effective partnerships with critical infrastructure owners and operators and SLTT entities are imperative to strengthen the security and resilience of the Nation's critical infrastructure.

Secretary of Homeland Security

The Secretary of Homeland Security shall provide strategic guidance, promote a national unity of effort, and coordinate the overall Federal effort to promote the security and resilience of the Nation's critical infrastructure. In carrying out the responsibilities assigned in the Homeland Security Act of 2002, as amended, the Secretary of Homeland Security evaluates national capabilities, opportunities, and challenges in protecting critical infrastructure; analyzes threats to, vulnerabilities of, and potential consequences from all hazards on critical infrastructure; identifies security and resilience functions that are necessary for effective public-private engagement with all critical infrastructure sectors; develops a national plan and metrics, in coordination with SSAs and other critical infrastructure partners; integrates and coordinates Federal cross-sector security and resilience activities; identifies and analyzes key interdependencies among critical infrastructure sectors; and reports on the effectiveness of national efforts to strengthen the Nation's security and resilience posture for critical infrastructure.
Additional roles and responsibilities for the Secretary of Homeland Security include:

1) Identify and prioritize critical infrastructure, considering physical and cyber threats, vulnerabilities, and consequences, in coordination with SSAs and other Federal departments and agencies;

2) Maintain national critical infrastructure centers that shall provide a situational awareness capability that includes integrated, actionable information about emerging trends, imminent threats, and the status of incidents that may impact critical infrastructure;

3) In coordination with SSAs and other Federal departments and agencies, provide analysis, expertise, and other technical assistance to critical infrastructure owners and operators and facilitate access to and exchange of information and intelligence necessary to strengthen the security and resilience of critical infrastructure;

4) Conduct comprehensive assessments of the vulnerabilities of the Nation's critical infrastructure in coordination with the SSAs and in collaboration with SLTT entities and critical infrastructure owners and operators;

5) Coordinate Federal Government responses to significant cyber or physical incidents affecting critical infrastructure consistent with statutory authorities;

6) Support the Attorney General and law enforcement agencies with their responsibilities to investigate and prosecute threats to and attacks against critical infrastructure;

7) Coordinate with and utilize the expertise of SSAs and other appropriate Federal departments and agencies to map geospatially, image, analyze, and sort critical infrastructure by employing

commercial satellite and airborne systems, as well as existing capabilities within other departments and agencies; and

8) Report annually on the status of national critical infrastructure efforts as required by statute.

Sector-Specific Agencies

Each critical infrastructure sector has unique characteristics, operating models, and risk profiles that benefit from an identified Sector-Specific Agency that has institutional knowledge and specialized expertise about the sector. Recognizing existing statutory or regulatory authorities of specific Federal departments and agencies, and leveraging existing sector familiarity and relationships, SSAs shall carry out the following roles and responsibilities for their respective sectors:

1) As part of the broader national effort to strengthen the security and resilience of critical infrastructure, coordinate with the Department of Homeland Security (DHS) and other relevant Federal departments and agencies and collaborate with critical infrastructure owners and operators, where appropriate with independent regulatory agencies, and with SLTT entities, as appropriate, to implement this directive;

2) Serve as a day-to-day Federal interface for the dynamic prioritization and coordination of sector-specific activities;

3) Carry out incident management responsibilities consistent with statutory authority and other appropriate policies, directives, or regulations;

4) Provide, support, or facilitate technical assistance and consultations for that sector to identify vulnerabilities and help mitigate incidents, as appropriate; and

5) Support the Secretary of Homeland Security's statutorily required reporting requirements by providing on an annual basis sector-specific critical infrastructure information.
Additional Federal Responsibilities

The following departments and agencies have specialized or support functions related to critical infrastructure security and resilience that shall be carried out by, or along with, other Federal departments and agencies and independent regulatory agencies, as appropriate.

1) The Department of State, in coordination with DHS, SSAs, and other Federal departments and agencies, shall engage foreign governments and international organizations to strengthen the security and resilience of critical infrastructure located outside the United States and to facilitate the overall exchange of best practices and lessons learned for promoting the security and resilience of critical infrastructure on which the Nation depends.

2) The Department of Justice (DOJ), including the Federal Bureau of Investigation (FBI), shall lead counterterrorism and counterintelligence investigations and related law enforcement activities across the critical infrastructure sectors. DOJ shall investigate, disrupt, prosecute, and otherwise reduce foreign intelligence, terrorist, and other threats to, and actual or attempted attacks on, or sabotage of, the Nation's critical infrastructure. The FBI also conducts domestic collection, analysis,

and dissemination of cyber threat information, and shall be responsible for the operation of the National Cyber Investigative Joint Task Force (NCIJTF). The NCIJTF serves as a multi-agency national focal point for coordinating, integrating, and sharing pertinent information related to cyber threat investigations, with representation from DHS, the Intelligence Community (IC), the Department of Defense (DOD), and other agencies as appropriate. The Attorney General and the Secretary of Homeland Security shall collaborate to carry out their respective critical infrastructure missions.

3) The Department of the Interior, in collaboration with the SSA for the Government Facilities Sector, shall identify, prioritize, and coordinate the security and resilience efforts for national monuments and icons and incorporate measures to reduce risk to these critical assets, while also promoting their use and enjoyment.

4) The Department of Commerce (DOC), in collaboration with DHS and other relevant Federal departments and agencies, shall engage private sector, research, academic, and government organizations to improve security for technology and tools related to cyber-based systems, and promote the development of other efforts related to critical infrastructure to enable the timely availability of industrial products, materials, and services to meet homeland security requirements.
5) The IC, led by the Director of National Intelligence (DNI), shall use applicable authorities and coordination mechanisms to provide, as appropriate, intelligence assessments regarding threats to critical infrastructure and coordinate on intelligence and other sensitive or proprietary information related to critical infrastructure. In addition, information security policies, directives, standards, and guidelines for safeguarding national security systems shall be overseen as directed by the President, applicable law, and in accordance with that direction, carried out under the authority of the heads of agencies that operate or exercise authority over such national security systems.

6) The General Services Administration, in consultation with DOD, DHS, and other departments and agencies as appropriate, shall provide or support government-wide contracts for critical infrastructure systems and ensure that such contracts include audit rights for the security and resilience of critical infrastructure.

7) The Nuclear Regulatory Commission (NRC) is to oversee its licensees' protection of commercial nuclear power reactors and non-power nuclear reactors used for research, testing, and training; nuclear materials in medical, industrial, and academic settings, and facilities that fabricate nuclear fuel; and the transportation, storage, and disposal of nuclear materials and waste. The NRC is to collaborate, to the extent possible, with DHS, DOJ, the Department of Energy, the Environmental Protection Agency, and other Federal departments and agencies, as appropriate, on strengthening critical infrastructure security and resilience.
8) The Federal Communications Commission, to the extent permitted by law, is to exercise its authority and expertise to partner with DHS and the Department of State, as well as other Federal departments and agencies and SSAs as appropriate, on: (1) identifying and prioritizing communications infrastructure; (2) identifying communications sector vulnerabilities and working with industry and other stakeholders to address those vulnerabilities; and (3) working with stakeholders, including industry, and engaging foreign governments and international organizations

to increase the security and resilience of critical infrastructure within the communications sector and facilitating the development and implementation of best practices promoting the security and resilience of critical communications infrastructure on which the Nation depends.

9) Federal departments and agencies shall provide timely information to the Secretary of Homeland Security and the national critical infrastructure centers necessary to support cross-sector analysis and inform the situational awareness capability for critical infrastructure.

Three Strategic Imperatives

1) Refine and Clarify Functional Relationships across the Federal Government to Advance the National Unity of Effort to Strengthen Critical Infrastructure Security and Resilience

An effective national effort to strengthen critical infrastructure security and resilience must be guided by a national plan that identifies roles and responsibilities and is informed by the expertise, experience, capabilities, and responsibilities of the SSAs, other Federal departments and agencies with critical infrastructure roles, SLTT entities, and critical infrastructure owners and operators.

During the past decade, new programs and initiatives have been established to address specific infrastructure issues, and priorities have shifted and expanded. As a result, Federal functions related to critical infrastructure security and resilience shall be clarified and refined to establish baseline capabilities that will reflect this evolution of knowledge, to define relevant Federal program functions, and to facilitate collaboration and information exchange between and among the Federal Government, critical infrastructure owners and operators, and SLTT entities.
As part of this refined structure, there shall be two national critical infrastructure centers operated by DHS: one for physical infrastructure and another for cyber infrastructure. They shall function in an integrated manner and serve as focal points for critical infrastructure partners to obtain situational awareness and integrated, actionable information to protect the physical and cyber aspects of critical infrastructure. Just as the physical and cyber elements of critical infrastructure are inextricably linked, so are the vulnerabilities. Accordingly, an integration and analysis function (further developed in Strategic Imperative 3) shall be implemented between these two national centers.

The success of these national centers, including the integration and analysis function, is dependent on the quality and timeliness of the information and intelligence they receive from the SSAs and other Federal departments and agencies, as well as from critical infrastructure owners and operators and SLTT entities.

These national centers shall not impede the ability of the heads of Federal departments and agencies to carry out or perform their responsibilities for national defense, criminal, counterintelligence, counterterrorism, or investigative activities.

2) Enable Efficient Information Exchange by Identifying Baseline Data and Systems Requirements for the Federal Government

A secure, functioning, and resilient critical infrastructure requires the efficient exchange of information, including intelligence, between all levels of governments and critical infrastructure

owners and operators. This must facilitate the timely exchange of threat and vulnerability information as well as information that allows for the development of a situational awareness capability during incidents. The goal is to enable efficient information exchange through the identification of requirements for data and information formats and accessibility, system interoperability, and redundant systems and alternate capabilities should there be a disruption in the primary systems.

Greater information sharing within the government and with the private sector can and must be done while respecting privacy and civil liberties. Federal departments and agencies shall ensure that all existing privacy principles, policies, and procedures are implemented consistent with applicable law and policy and shall include senior agency officials for privacy in their efforts to govern and oversee information sharing properly.

3) Implement an Integration and Analysis Function to Inform Planning and Operational Decisions Regarding Critical Infrastructure

The third strategic imperative builds on the first two and calls for the implementation of an integration and analysis function for critical infrastructure that includes operational and strategic analysis on incidents, threats, and emerging risks. It shall reside at the intersection of the two national centers as identified in Strategic Imperative 1, and it shall include the capability to collate, assess, and integrate vulnerability and consequence information with threat streams and hazard information to:

a. aid in prioritizing assets and managing risks to critical infrastructure;
b. anticipate interdependencies and cascading impacts;
c. recommend security and resilience measures for critical infrastructure prior to, during, and after an event or incident; and
d. support incident management and restoration efforts related to critical infrastructure.
This function shall not replicate the analysis function of the IC or the National Counterterrorism Center, nor shall it involve intelligence collection activities. The IC, DOD, DOJ, DHS, and other Federal departments and agencies with relevant intelligence or information shall, however, inform this integration and analysis capability regarding the Nation's critical infrastructure by providing relevant, timely, and appropriate information to the national centers. This function shall also use information and intelligence provided by other critical infrastructure partners, including SLTT and nongovernmental analytic entities.

Finally, this integration and analysis function shall support DHS's ability to maintain and share, as a common Federal service, a near real-time situational awareness capability for critical infrastructure that includes actionable information about imminent threats, significant trends, and awareness of incidents that may affect critical infrastructure.

Expanding accessibility to cybersecurity expertise and capabilities within the Federal government to support critical infrastructure protection is a step in the right direction. There have been, and currently are, many initiatives with different priorities, many in their own silo, with limited or no opportunity for private sector CI participants to have a defining voice.

Clarifying and refining public and private baseline capabilities to improve cybersecurity innovation research, security intelligence information exchange, incident response, leading practice and education is not about reinventing the wheel. It is about connecting the dots and leveraging opportunities for refinement and improvement.

Improving and expanding government information sharing capabilities, together with the information sharing and response capabilities that the national critical infrastructure ISACs provide to CI owners and operators, builds upon an established infrastructure referenced in the National Infrastructure Protection Plan (NIPP) and in NIST standards: an infrastructure that is led, sustained and maintained by private sector CI leadership.

The cyber threat to our nation's critical infrastructures must be approached from an "All-Hazards" (physical and cyber) security perspective. These are no longer two separate environments, as cyber infrastructures provide the foundation to provision and manage physical security. The separation of physical and cyber security into two separate centers is counter-productive and dangerous, having the potential to inhibit timely response and countermeasure capabilities.

Establishing two completely separate national critical infrastructure centers, one for physical security and one for cybersecurity, impedes immediate intelligence analysis and response capabilities and defeats the alignment of all-hazards security with critical infrastructure resilience (prevention, protection, mitigation, response and recovery).

Achievement of the goals (enhancing the security and resilience of the Nation's critical infrastructures, and maintaining a cyber environment that encourages efficiency, innovation and economic prosperity while promoting safety, security, business confidentiality, privacy and civil liberties) is possible. Cybersecurity prevention, protection, mitigation, response and recovery protocols must be integrated with established emergency preparedness and operations protocols, including the Federal government Emergency Support Functions (ESF) structure, across all critical infrastructures and with state/city/county/tribal/territorial government and healthcare and public health emergency operations. ESFs, as part of the National Response Framework, provide the structure for coordinating Federal interagency support for Federal response to an incident.

Innovation and Research and Development

The Secretary of Homeland Security, in coordination with the Office of Science and Technology Policy (OSTP), the SSAs, DOC, and other Federal departments and agencies, shall provide input to align those Federal and Federally-funded research and development (R&D) activities that seek to strengthen the security and resilience of the Nation's critical infrastructure, including:

1) Promoting R&D to enable the secure and resilient design and construction of critical infrastructure and more secure accompanying cyber technology;
2) Enhancing modeling capabilities to determine potential impacts on critical infrastructure of an incident or threat scenario, as well as cascading effects on other sectors;
3) Facilitating initiatives to incentivize cybersecurity investments and the adoption of critical infrastructure design features that strengthen all-hazards security and resilience; and
4) Prioritizing efforts to support the strategic guidance issued by the Secretary of Homeland Security.
To strengthen private-sector CI security and resiliency, federally funded research and development (R&D) opportunities must include private sector security and technology organizations in addition to academia.

In support of enhancing modeling capabilities for CI impacts, the National Health ISAC (NH-ISAC), in partnership with the Global Institute for Cybersecurity + Research and NASA's Center for Lifecycle Design (CfLCD) at Kennedy Space Center, is actively advancing, expanding and strengthening secure design and development concepts and tools, leveraging modeling and simulation of high-risk, safety-critical critical infrastructure cybersecurity systems, and supporting education and experiential learning initiatives.

Implementation of the Directive

The Secretary of Homeland Security shall take the following actions as part of the implementation of this directive.

1) Critical Infrastructure Security and Resilience Functional Relationships. Within 120 days of the date of this directive, the Secretary of Homeland Security shall develop a description of the functional relationships within DHS and across the Federal Government related to critical infrastructure security and resilience. It should include the roles and functions of the two national critical infrastructure centers and a discussion of the analysis and integration function. When complete, it should serve as a roadmap for critical infrastructure owners and operators and SLTT entities to navigate the Federal Government's functions and primary points of contact assigned to those functions for critical infrastructure security and resilience against both physical and cyber threats. The Secretary shall coordinate this effort with the SSAs and other relevant Federal departments and agencies. The Secretary shall provide the description to the President through the Assistant to the President for Homeland Security and Counterterrorism.

2) Evaluation of the Existing Public-Private Partnership Model. Within 150 days of the date of this directive, the Secretary of Homeland Security, in coordination with the SSAs, other relevant Federal departments and agencies, SLTT entities, and critical infrastructure owners and operators, shall conduct an analysis of the existing public-private partnership model and recommend options for improving the effectiveness of the partnership in both the physical and cyber space. The evaluation shall consider options to streamline processes for collaboration and exchange of information and to minimize duplication of effort. Furthermore, the analysis shall consider how the model can be flexible and adaptable to meet the unique needs of individual sectors while providing a focused, disciplined, and effective approach for the Federal Government to coordinate with the critical infrastructure owners and operators and with SLTT governments. The evaluation shall result in recommendations to enhance partnerships to be approved for implementation through the processes established in the Organization of the National Security Council System directive.

3) Identification of Baseline Data and Systems Requirements for the Federal Government to Enable Efficient Information Exchange.
Within 180 days of the date of this directive, the Secretary of Homeland Security, in coordination with the SSAs and other Federal departments and agencies, shall convene a team of experts to identify baseline data and systems requirements to enable the efficient exchange of information and intelligence relevant to strengthening the security and resilience of critical infrastructure. The experts should include representatives from those entities that routinely possess information important to critical infrastructure security and resilience; those that determine and manage information technology systems used to exchange information; and those responsible for the security of information being exchanged. Interoperability with critical infrastructure partners; identification of key data and the information requirements of key Federal, SLTT, and private sector entities; availability, accessibility, and formats of data; the ability to exchange various classifications of information; the security of those systems to be used; and appropriate protections for individual privacy and civil liberties should be included in the analysis. The analysis should result in baseline requirements for sharing of data and interoperability of systems to enable the timely exchange of data and information to secure critical infrastructure and make it more resilient. The Secretary shall provide that analysis to the President through the Assistant to the President for Homeland Security and Counterterrorism.
4) Development of a Situational Awareness Capability for Critical Infrastructure. Within 240 days of the date of this directive, the Secretary of Homeland Security shall demonstrate a near real-time situational awareness capability for critical infrastructure that includes threat streams and all-hazards information as well as vulnerabilities; provides the status of critical infrastructure and potential cascading effects; supports decision making; and disseminates critical information that may be needed to save or sustain lives, mitigate damage, or reduce further degradation of a critical infrastructure capability throughout an incident. This capability should be available for and cover physical and cyber elements of critical infrastructure, and enable an integration of information as necessitated by the incident.

5) Update to National Infrastructure Protection Plan. Within 240 days of the date of this directive, the Secretary of Homeland Security shall provide to the President, through the Assistant to the President for Homeland Security and Counterterrorism, a successor to the National Infrastructure Protection Plan to address the implementation of this directive, the requirements of Title II of the Homeland Security Act of 2002 as amended, and alignment with the National Preparedness Goal and System required by PPD-8. The plan shall include the identification of a risk management framework to be used to strengthen the security and resilience of critical infrastructure; the methods to be used to prioritize critical infrastructure; the protocols to be used to synchronize communication and actions within the Federal Government; and a metrics and analysis process to be used to measure the Nation's ability to manage and reduce risks to critical infrastructure. The updated plan shall also reflect the identified functional relationships within DHS and across the Federal Government and the updates to the public-private partnership model. Finally, the plan should consider sector dependencies on energy and communications systems, and identify pre-event and mitigation measures or alternate capabilities during disruptions to those systems. The Secretary shall coordinate this effort with the SSAs, other relevant Federal departments and agencies, SLTT entities, and critical infrastructure owners and operators.

6) National Critical Infrastructure Security and Resilience R&D Plan. Within 2 years of the date of this directive, the Secretary of Homeland Security, in coordination with the OSTP, the SSAs, DOC, and other Federal departments and agencies, shall provide to the President, through the Assistant to the President for Homeland Security and Counterterrorism, a National Critical Infrastructure Security and Resilience R&D Plan that takes into account the evolving threat landscape, annual metrics, and other relevant information to identify priorities and guide R&D requirements and investments. The plan should be issued every 4 years after its initial delivery, with interim updates as needed.
Policy coordination, dispute resolution, and periodic in-progress reviews for the implementation of this directive shall be carried out consistent with PPD-1, including the use of Interagency Policy Committees coordinated by the National Security Staff.

Nothing in this directive alters, supersedes, or impedes the authorities of Federal departments and agencies, including independent regulatory agencies, to carry out their functions and duties consistent with applicable legal authorities and other Presidential guidance and directives, including, but not limited to, the designation of critical infrastructure under such authorities.

This directive revokes Homeland Security Presidential Directive/HSPD-7, Critical Infrastructure Identification, Prioritization, and Protection, issued December 17, 2003. Plans developed pursuant to HSPD-7 shall remain in effect until specifically revoked or superseded.

Designated Critical Infrastructure Sectors and Sector-Specific Agencies

This directive identifies 16 critical infrastructure sectors and designates associated Federal SSAs. In some cases co-SSAs are designated where those departments share the roles and responsibilities of the SSA. The Secretary of Homeland Security shall periodically evaluate the need for and approve changes to critical infrastructure sectors and shall consult with the Assistant to the President for Homeland Security and Counterterrorism before changing a critical infrastructure sector or a designated SSA for that sector. The sectors and SSAs are as follows:

Chemical: Sector-Specific Agency: Department of Homeland Security
Commercial Facilities: Sector-Specific Agency: Department of Homeland Security
Communications: Sector-Specific Agency: Department of Homeland Security
Critical Manufacturing: Sector-Specific Agency: Department of Homeland Security
Dams: Sector-Specific Agency: Department of Homeland Security
Defense Industrial Base: Sector-Specific Agency: Department of Defense
Emergency Services: Sector-Specific Agency: Department of Homeland Security
Energy: Sector-Specific Agency: Department of Energy
Financial Services: Sector-Specific Agency: Department of the Treasury
Food and Agriculture: Co-Sector-Specific Agencies: U.S. Department of Agriculture and Department of Health and Human Services
Government Facilities: Co-Sector-Specific Agencies: Department of Homeland Security and General Services Administration
Healthcare and Public Health: Sector-Specific Agency: Department of Health and Human Services
Information Technology: Sector-Specific Agency: Department of Homeland Security
Nuclear Reactors, Materials, and Waste: Sector-Specific Agency: Department of Homeland Security
Transportation Systems: Co-Sector-Specific Agencies: Department of Homeland Security and Department of Transportation
Water and Wastewater Systems: Sector-Specific Agency: Environmental Protection Agency

1) Critical Infrastructure Security and Resilience Functional Relationships

Implementation of two CI Centers, one for physical and one for cybersecurity, will impede timely incident response coordination and defeat critical infrastructure protection and resilience from an all-hazards perspective. Physical and cyber security must be approached as one. Cyber provides the foundational infrastructure to provision and support physical facilities and infrastructures. This was evidenced most recently by Hurricane Sandy.

NH-ISAC response outreach to healthcare technology leadership during Hurricane Sandy took them by surprise: during a physical incident, no one had reached out to them about unmet emergency response needs. Healthcare Technology and Emergency Operations must work together during emergency and incident response.

2) Evaluation of the Existing Public-Private Partnership Model
3) Identification of Baseline Data and Systems Requirements for the Federal Government to Enable Efficient Information Exchange
4) Development of a Situational Awareness Capability for Critical Infrastructure
5) Update to National Infrastructure Protection Plan (NIPP)
6) National Critical Infrastructure Security and Resilience R&D Plan

Implementation of policy improvements for private-sector CI owners and operators, including the National Critical Infrastructure ISAC community, to analyze and improve existing public/private partnership models, identify baseline data and system requirements for two-way information exchange and situational awareness capabilities, and update the NIPP is a great step forward. There are many options available to streamline communication, intelligence information sharing and collaboration. Plan updates, periodic reviews and metrics must encompass the CI stakeholder community across all critical infrastructures.

Private sector CI community stakeholders are cautiously optimistic that outreach and inclusion plans, roles, responsibilities and activities will be implemented, supported and sustained by the Federal government.
With close to 90% of the nation's critical infrastructures owned and operated by the private sector, private sector CI owners and operators, leveraging their respective ISAC for operational and tactical nationwide coordination and collaboration, must take a national leadership role: to define what cybersecurity response information private sector CI owners and operators are willing to share with government intelligence agencies through their respective ISAC, and to work with government to increase access to classified information for appropriately cleared ISAC personnel and select CI owner and operator representatives.

National Critical Infrastructure Cybersecurity Protection, Prevention, Response and Recovery must be led by the private sector in collaboration with government, aligning cyber response with government incident and emergency response operations and protocols, working together.

Definitions

For purposes of this directive:

The term "all hazards" means a threat or an incident, natural or manmade, that warrants action to protect life, property, the environment, and public health or safety, and to minimize disruptions of government, social, or economic activities. It includes natural disasters, cyber incidents, industrial accidents, pandemics, acts of terrorism, sabotage, and destructive criminal activity targeting critical infrastructure.

The term "collaboration" means the process of working together to achieve shared goals.

The terms "coordinate" and "in coordination with" mean a consensus decision-making process in which the named coordinating department or agency is responsible for working with the affected departments and agencies to achieve consensus and a consistent course of action.

The term "critical infrastructure" has the meaning provided in section 1016(e) of the USA Patriot Act of 2001 (42 U.S.C. 5195c(e)), namely systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.

The term "Federal departments and agencies" means any authority of the United States that is an "agency" under 44 U.S.C. 3502(1), other than those considered to be independent regulatory agencies, as defined in 44 U.S.C. 3502(5).

The term "national essential functions" means that subset of Government functions that are necessary to lead and sustain the Nation during a catastrophic emergency.

The term "primary mission essential functions" means those Government functions that must be performed in order to support or implement the performance of the national essential functions before, during, and in the aftermath of an emergency.

The term "national security systems" has the meaning given to it in the Federal Information Security Management Act of 2002 (44 U.S.C. 3542(b)).
The term "resilience" means the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.

The term "Sector-Specific Agency" (SSA) means the Federal department or agency designated under this directive to be responsible for providing institutional knowledge and specialized expertise as well as leading, facilitating, or supporting the security and resilience programs and associated activities of its designated critical infrastructure sector in the all-hazards environment.

The terms "secure" and "security" refer to reducing the risk to critical infrastructure by physical means or defense cyber measures to intrusions, attacks, or the effects of natural or manmade disasters.

For more information on how you can have a leading, defining voice in National Critical Infrastructure Cybersecurity Response for the Nation's healthcare and public health critical infrastructure, and benefit from nationally coordinated cybersecurity protection, prevention, mitigation, response and recovery in partnership with the National Health Information Sharing and Analysis Center (NH-ISAC), please contact any of NH-ISAC's executive leadership team:

The National Health ISAC (NH-ISAC)
Global Institute for Cybersecurity + Research
Global Situational Awareness Center
Space Life Sciences Laboratory
NASA Kennedy Space Center

NH-ISAC Executive Director/CEO: Deborah Kobza, dkobza@nhisac.org, Direct: 904-476-7858
NH-ISAC Chief Information Officer (CIO): Joshua Singletary, jsingeltary@nhisac.org, Direct: 904-534-4375
NH-ISAC Director, Global Situational Awareness Center: Maryann Fiala, mfiala@nhisac.org, Direct: 407-
NH-ISAC Chief Strategy Officer (CSO): Edward Brennan, ebrennan@nhisac.org, Direct: 321-
NH-ISAC Chief Operations Officer (COO): Katherine Waldron, kwaldron@nhisac.org, 703-371-7910