Presidential Decision Directive 63

Citation[]

The Clinton Administration, Presidential Decision Directive 63 (PDD-63): Policy on Critical Infrastructure Protection (May 22, 1998) (full-text).

Overview[]

PDD-63 (also known as NSC-63) was the product of an interagency evaluation of the recommendations of the President's Commission on Critical Infrastructure Protection, with a view to producing a workable and innovative framework for critical infrastructure protection,^[1] which described a strategy for cooperative efforts by government and the private sector to protect the physical and cyber-based systems essential to the minimum operations of the economy and the government. According to PDD-63, any interruptions in the ability of these infrastructures to provide their goods and services must be "brief, infrequent, manageable, geographically isolated, and minimally detrimental to the welfare of the United States."^[2]

PDD-63 called for a range of actions intended to improve federal agency security programs, improve the nation’s ability to detect and respond to serious computer-based and physical attacks, and establish a partnership between the government and the private sector.

The Directive called on the federal government to serve as a model of how infrastructure assurance is best achieved and designated lead agencies to work with private-sector and government organizations. Further, it established critical infrastructure protection (CIP) as a national goal and stated that, by the close of 2000, the United States was to have achieved an initial operating capability to protect the nation’s critical infrastructures from intentional destructive acts and, by 2003, have developed the ability to protect U.S. critical infrastructures from intentional destructive attacks.

The Directive identified activities whose critical infrastructures should be protected:

• information and communications;
• banking and finance;
• water supply;
• aviation, highways, mass transit, pipelines, rail, and waterborne commerce;
• emergency and law enforcement services;
• emergency, fire, and continuity of government services;
• public health services;
• electric power, oil and gas production; and
• storage.

New organizations[]

To accomplish its goals, PDD-63 established and designated organizations to provide central coordination and support, including:

• a National Coordinator for Security, Infrastructure Protection, and Counter-Terrorism,^[3] whose responsibilities include not only critical infrastructure protection, but also safeguarding against foreign terrorism and threats of domestic mass destruction, including biological weapons. This person chairs the Critical Infrastructure Coordination Group (CICG);
• the Critical Infrastructure Assurance Office (CIAO), an interagency office housed in the Department of Commerce, which was to provide support for the National Coordinator's work with government agencies and the private sector and was established to develop a national plan for CIP and to help coordinate a national education and awareness program, and legislative and public affairs activities;
• the National Infrastructure Protection Center (NIPC) at the FBI, which involves representatives from the bureau, the Department of Defense, the U.S. Secret Service, the Department of Energy, the Department of Transportation, the intelligence community, and the private sector in an information sharing and collaboration effort, and which also provided the principal means of facilitating and coordinating the federal response to an incident, mitigating attacks, investigating threats, and monitoring reconstitution efforts; and
• the National Infrastructure Assurance Council (NIAC), which was composed of private sector experts and state and local government officials, and was established to enhance the partnership of the public and private sectors in protecting our critical infrastructures.

The Directive also encourages the creation of Information Sharing and Analysis Centers in partnership with the private sector and modeled on the Centers for Disease Control and Prevention.

Identified infrastructures[]

To ensure coverage of critical sectors, PDD 63 identified the following activities whose critical infrastructures should be protected: information and communications; banking and finance; water supply; aviation, highways, mass transit, pipelines, rail, and waterborne commerce; emergency and law enforcement services; emergency, fire, and continuity of government services; public health services; electric power, oil and gas production, and storage. In addition, the PDD identified four activities where the federal government controls the critical infrastructure: internal security and federal law enforcement; foreign intelligence; foreign affairs; and national defense.

For each of the infrastructures and functions, the directive designated lead federal agencies, referred to as sector liaisons, to work with their counterparts in the private sector, referred to as sector coordinators. Each lead agency was directed to appoint a Sector Liaison Official to interact with appropriate private sector organizations. The private sector was encouraged to select a Sector Coordinator to work with the agency's sector liaison official. Together, the liaison official, sector coordinator, and all affected parties were to contribute to a sectoral security plan which was to be integrated into a National Infrastructure Assurance Plan. Each of the activities performed primarily by the federal government also were assigned a lead agency who was to appoint a Functional Coordinator to coordinate efforts similar to those made by the Sector Liaisons.

To facilitate private-sector participation, PDD-63 also encouraged the voluntary creation of information sharing and analysis centers (ISACs) to serve as mechanisms for gathering, analyzing, and appropriately sanitizing and disseminating information to and from infrastructure sectors and the federal government through NIPC.

Designated activities[]

PDD-63 called for a range of activities intended to establish a partnership between the public and private sectors to ensure the security of our nation’s critical infrastructures. The sector liaison and the sector coordinator were to work with each other to address problems related to CIP for their sector. In particular, PDD-63 stated that they were to (1) develop and implement vulnerability awareness and education programs and (2) contribute to a sectoral National Infrastructure Assurance Plan by:

• assessing the vulnerabilities of the sector to cyber or physical attacks;
• recommending a plan to eliminate significant vulnerabilities;
• proposing a system for identifying and preventing major attacks; and
• developing a plan for alerting, containing, and rebuffing an attack in progress and then, in coordination with FEMA as appropriate, rapidly reconstituting minimum essential capabilities in the aftermath of an attack.

Federal agency responsibilities[]

PDD-63 also required every federal department and agency to be responsible for protecting its own critical infrastructures, including both cyber-based and physical assets. To fulfill this responsibility, PDD-63 called for agencies’ CIOs to be responsible for information assurance, and it required every agency to appoint a chief infrastructure assurance officer to be responsible for the protection of all other aspects of an agency’s critical infrastructure.

In those cases where the CIO and the CIAO were different, the CIO was responsible for assuring the agency’s information assets (databases, software, computers), while the CIAO was responsible for any other assets that make up that agency’s critical infrastructure.

Further, PDD-63 required federal agencies to:

• develop, implement, and periodically update a plan for protecting its critical infrastructure;
• determine its minimum essential infrastructure that might be a target of attack;
• conduct and periodically update vulnerability assessments of its minimum essential infrastructure;
• develop a recommended remedial plan based on vulnerability assessments that identifies time lines for implementation, responsibilities, and funding; and
• analyze intergovernmental dependencies, and mitigate those dependencies.

Other PDD-63 requirements for federal agencies were that they provide vulnerability awareness and education to sensitize people regarding the importance of security and to train them in security standards, particularly regarding cyber systems; that they establish a system for responding to a significant infrastructure attack while it is under way, to help isolate and minimize damage; and that they establish a system for rapidly reconstituting minimum required capabilities for varying levels of successful infrastructure attacks.

Subsequent developments[]

This policy was updated in 2003 with The National Strategy to Secure Cyberspace. It was superseded in December 2003 when Homeland Security Presidential Directive 7 (HSPD-7) was issued, which assigned the Secretary of Homeland Security responsibility for coordinating the nation’s overall critical infrastructure protection efforts, including protection of the cyber infrastructure, across all sectors (federal, state, local, and private) working in cooperation with designated sector-specific agencies within the Executive Branch.

References[]

Source[]

• Critical Infrastructures: Background, Policy, and Implementation, at 4-7.