Presidential Decision Directive 63

In 1998, President Clinton issued Presidential Decision Directive 63 (PDD 63), which described a strategy for cooperative efforts by government and the sprivate sector to protect the physical and cyber-based systems essential to the minimum operations of the economy and the government. PDD 63 called for a range of actions intended to improve federal agency security programs, improve the nation’s ability to detect and respond to serious  computer-based and physical attacks, and establish a partnership between the government and the private sector.

The directive called on the federal government to serve as a model of how infrastructure assurance is best achieved and designated lead agencies to work with private-sector and government organizations. Further, it established CIP as a national goal and stated that, by the close of 2000, the United States was to have achieved an initial operating capability to protect the nation’s critical infrastructures from intentional destructive acts and, by 2003, have developed the ability to protect the nation’s critical infrastructures from intentional destructive attacks. To accomplish its goals, PDD 63 established and designated organizations to provide central coordination and support, including: housed in the Department of Commerce, which was established to develop a national plan for CIP on the basis of infrastructure plans developed by the private sector and federal agencies; within the FBI, which was expanded to address national-level threat assessment, warning, vulnerability, and law enforcement investigation/response; and To ensure coverage of critical sectors, PDD 63 also identified eight private- sector infrastructures and five special functions. For each of the infrastuctures and functions, the directive designated lead federal agencies, referred to as sector liaisons, to work with their counterparts in the private sector, referred to as sector coordinators. To facilitate private-sector participation, PDD 63 also encouraged the voluntary creation of information sharing and analysis centers (ISACs) to serve as mechanisms for gathering, analyzing, and appropriately sanitizing and disseminating information to and from infrastructure sectors and the federal government through NIPC.
 * the Critical Infrastructure Assurance Office (CIAO), an interagency office
 * the National Infrastructure Protection Center (NIPC), an organization
 * the National Infrastructure Assurance Council (NIAC), which was established to enhance the partnership of the public and private sectors in protecting our critical infrastructures.

DD 63 called for a range of activities intended to establish a partnership between the public and private sectors to ensure the security of our nation’s critical infrastructures. The sector liaison and the sector coordinator were to work with each other to address problems related to CIP for their sector. In particular, PDD 63 stated that they were to (1) develop and implement vulnerability awareness and education programs and (2) contribute to a sectoral National Infrastructure Assurance Plan by:

• assessing the vulnerabilities of the sector to cyber or physical attacks; • recommending a plan to eliminate significant vulnerabilities; • proposing a system for identifying and preventing major attacks; and • developing a plan for alerting, containing, and rebuffing an attack in progress and then, in coordination with FEMA as appropriate, rapidly reconstituting minimum essential capabilities in the aftermath of an attack. PDD 63 also required every federal department and agency to be responsible for protecting its own critical infrastructures, including both cyber-based and physical assets. To fulfill this responsibility, PDD 63 called for agencies’ CIOs to be responsible for information assurance, and it required every agency to appoint a chief infrastructure assurance officer to be responsible for the protection of all other aspects of an agency’s critical infrastructure. Further, it required federal agencies to: • develop, implement, and periodically update a plan for protecting its critical infrastructure; • determine its minimum essential infrastructure that might be a target of attack; • conduct and periodically update vulnerability assessments of its minimum essential infrastructure; • develop a recommended remedial plan based on vulnerability assessments that identifies time lines for implementation, responsibilities, and funding; and • analyze intergovernmental dependencies, and mitigate those dependencies.

Other PDD 63 requirements for federal agencies are that they provide vulnerability awareness and education to sensitize people regarding the importance of security and to train them in security standards, particularly regarding cybersystems; that they establish a system for responding to a significant infrastructure attack while it is under way, to help isolate and minimize damage; and that they establish a system for rapidly reconstituting minimum required capabilities for varying levels of successful infrastructure attacks.