015 - Appendix 4 Executive Order 13718

1 00:00:00,280 --> 00:00:05,519 Speaker 1: Section fourteen of Report on Securing and Growing the Digital Economy. 2 00:00:05,559 --> 00:00:09,119 This is a LibriVox recording. All LibriVox recordings are in 3 00:00:09,199 --> 00:00:13,160 the public domain. For more information or to volunteer, please 4 00:00:13,240 --> 00:00:19,120 visit LibriVox dot org. Recording by Colleen McMahon. Report on 5 00:00:19,199 --> 00:00:22,640 Securing and Growing the Digital Economy by the Commission on 6 00:00:22,760 --> 00:00:28,679 Enhancing National Cybersecurity. Appendix four Executive Order one three seven 7 00:00:28,760 --> 00:00:33,320 one eight. This appendix provides the text of Executive Order 8 00:00:33,399 --> 00:00:37,840 one three seven one eight, Commission on Enhancing National Cybersecurity, 9 00:00:38,399 --> 00:00:42,520 February ninth, twenty sixteen. The text is also available at 10 00:00:42,679 --> 00:00:49,359 https colan slash slash www dot Federal Register dot gov 11 00:00:49,759 --> 00:00:54,600 slash Executive hyphen Order slash one three seven one eight, 12 00:00:55,600 --> 00:00:58,560 By the authority vested in May as President, by the 13 00:00:58,600 --> 00:01:01,560 Constitution and the Laws of the United States of America, 14 00:01:02,079 --> 00:01:05,560 and in order to enhance cybersecurity awareness and protections at 15 00:01:05,599 --> 00:01:09,879 all levels of government, business, and society, to protect privacy, 16 00:01:10,079 --> 00:01:14,120 to ensure public safety, and economic and national security, and 17 00:01:14,200 --> 00:01:18,040 to empower Americans to take better control of their digital security. 18 00:01:18,400 --> 00:01:23,239 It is hereby ordered as follows. Section one. Establishment there 19 00:01:23,319 --> 00:01:26,680 is established within the Department of Commerce, the Commission on 20 00:01:26,840 --> 00:01:34,400 Enhancing National Cybersecurity Commission. Section two Membership A. The Commission 21 00:01:34,400 --> 00:01:37,599 shall be composed of not more than twelve members appointed 22 00:01:37,640 --> 00:01:40,319 by the President. The members of the Commission may include 23 00:01:40,400 --> 00:01:45,560 those with knowledge about or experience in cybersecurity, the digital economy, 24 00:01:45,879 --> 00:01:54,400 national security and law enforcement, corporate governance, risk management, information technology, IT, privacy, 25 00:01:54,719 --> 00:02:00,799 identity management, internet governance and standards, government administration, digital and 26 00:02:00,879 --> 00:02:04,840 social media communications, or any other area determined by the 27 00:02:04,840 --> 00:02:07,920 President to be of value to the Commission. The Speaker 28 00:02:07,959 --> 00:02:10,680 of the House of Representatives, the Minority Leader of the 29 00:02:10,680 --> 00:02:14,159 House of Representatives, the Majority Leader of the Senate, and 30 00:02:14,199 --> 00:02:16,800 the Minority Leader of the Senate are each invited to 31 00:02:16,879 --> 00:02:21,319 recommend one individual for membership on the Commission. No federally 32 00:02:21,360 --> 00:02:25,400 registered lobbyists or person presently otherwise employed by the federal 33 00:02:25,479 --> 00:02:29,400 government may serve on the Commission. B. The President shall 34 00:02:29,439 --> 00:02:31,919 designate one member of the Commission to serve as the 35 00:02:32,000 --> 00:02:34,439 Chair and one member of the Commission to serve as 36 00:02:34,439 --> 00:02:39,000 the vice Chair. Section three. Mission and Work. The Commission 37 00:02:39,039 --> 00:02:43,439 will make detailed recommendations to strengthen cybersecurity in both the 38 00:02:43,479 --> 00:02:48,360 public and private sectors, while protecting privacy, insuring public safety, 39 00:02:48,439 --> 00:02:52,800 and economic and national security, fostering discovery and development of 40 00:02:52,879 --> 00:02:57,680 new technical solutions, and bolstering partnerships between federal, state, and 41 00:02:57,759 --> 00:03:01,560 local government and the private sector in the development, promotion, 42 00:03:01,800 --> 00:03:07,400 and use of cybersecurity technologies, policies and best practices. The 43 00:03:07,439 --> 00:03:11,439 Commission's recommendations should address actions that can be taken over 44 00:03:11,479 --> 00:03:16,000 the next decade to accomplish these goals. A In developing 45 00:03:16,000 --> 00:03:20,560 its recommendations, the Commission shall identify and study actions necessary 46 00:03:20,680 --> 00:03:25,520 to further improve cybersecurity awareness, risk management, and adoption of 47 00:03:25,599 --> 00:03:29,120 best practices throughout the private sector and at all levels 48 00:03:29,120 --> 00:03:32,319 of government. These areas of study may include methods to 49 00:03:32,400 --> 00:03:37,439 influence the way individuals and organizations perceive and use technology 50 00:03:37,879 --> 00:03:42,599 and approach cybersecurity as consumers and providers in the digital economy, 51 00:03:43,120 --> 00:03:47,639 Demonstrate the nature and severity of cybersecurity threats, the importance 52 00:03:47,680 --> 00:03:51,360 of mitigation, and potential ways to manage and reduce the 53 00:03:51,400 --> 00:03:55,520 economic impacts of cyber risk, improve access to the knowledge 54 00:03:55,639 --> 00:04:00,199 needed to make informed cyber risk management decisions related to privacy, 55 00:04:00,439 --> 00:04:05,560 economic impact, and business continuity. And develop partnerships with industry, 56 00:04:05,719 --> 00:04:10,280 civil society, and international stakeholders. At a minimum, the Commission 57 00:04:10,319 --> 00:04:15,439 shall develop recommendations regarding one how best to bolster the 58 00:04:15,479 --> 00:04:21,319 protection of systems and data, including how to advance identity management, authentication, 59 00:04:21,560 --> 00:04:26,360 and cybersecurity of online identities in light of technological developments 60 00:04:26,399 --> 00:04:30,839 and other trends. Two ensuring that cybersecurity is a core 61 00:04:30,879 --> 00:04:34,560 element of the technologies associated with the Internet of Things 62 00:04:34,600 --> 00:04:38,240 and cloud computing, and that the policy and legal foundation 63 00:04:38,360 --> 00:04:41,560 for cybersecurity in the context of the Internet of Things 64 00:04:41,680 --> 00:04:46,079 is stable and adaptable. Three further investments in research and 65 00:04:46,120 --> 00:04:52,759 development initiatives that can enhance cybersecurity. Four increasing the quality, quantity, 66 00:04:52,920 --> 00:04:56,560 and level of expertise of the cybersecurity workforce in the 67 00:04:56,600 --> 00:05:01,079 federal government and private sector, including through EDGBA location and training. 68 00:05:01,680 --> 00:05:07,000 Five Improving broad based education of common sense cybersecurity practices 69 00:05:07,040 --> 00:05:10,959 for the general public. And six any other issues that 70 00:05:11,040 --> 00:05:15,439 the President, through the Secretary of Commerce Secretary requests the 71 00:05:15,480 --> 00:05:20,639 Commission to consider. B In developing its recommendations, the Commission 72 00:05:20,720 --> 00:05:25,480 shall also identify and study advances in technology management and 73 00:05:25,600 --> 00:05:29,959 IT service delivery that should be developed, widely adopted, or 74 00:05:30,079 --> 00:05:33,720 further tested throughout the private sector and at all levels 75 00:05:33,720 --> 00:05:37,040 of government, and in particular in the federal government, and 76 00:05:37,120 --> 00:05:41,560 by critical infrastructure owners and operators. These areas of study 77 00:05:41,600 --> 00:05:46,800 may include cybersecurity technologies and other advances that are responsive 78 00:05:46,879 --> 00:05:51,480 to the rapidly evolving digital economy, and approaches to accelerating 79 00:05:51,519 --> 00:05:55,120 the introduction and use of emerging methods designed to enhance 80 00:05:55,199 --> 00:05:59,120 early detection, mitigation, and management of cyber risk in the 81 00:05:59,160 --> 00:06:04,120 security and privacy and business and governance sectors. At a minimum, 82 00:06:04,120 --> 00:06:09,519 the Commission shall develop recommendations regarding one governance, procurement and 83 00:06:09,600 --> 00:06:16,079 management processes for federal civilian IT systems, applications, services, and infrastructure, 84 00:06:16,279 --> 00:06:21,680 including the following A framework for identifying which IT services 85 00:06:21,759 --> 00:06:25,959 should be developed internally or shared across agencies, and for 86 00:06:26,040 --> 00:06:31,480 specific investment priorities for all such IT services. B A 87 00:06:31,519 --> 00:06:36,399 framework to ensure that as federal civilian agencies procure, modernize, 88 00:06:36,519 --> 00:06:41,399 or upgrade their IT systems, cybersecurity is incorporated into the process. 89 00:06:42,120 --> 00:06:47,360 C A governance model for managing cybersecurity risk, enhancing resilience 90 00:06:47,800 --> 00:06:52,560 and ensuring appropriate incident response and recovery in the operations 91 00:06:52,600 --> 00:06:56,439 of and delivery of goods and services by the federal government. 92 00:06:57,120 --> 00:07:01,079 And D Strategies to overcome by barriers that make it 93 00:07:01,120 --> 00:07:04,439 difficult for the federal government to adopt and keep pace 94 00:07:04,560 --> 00:07:09,800 with industry best practices. Two Effective private sector and government 95 00:07:09,839 --> 00:07:14,040 approaches to critical infrastructure protection a light of current and 96 00:07:14,120 --> 00:07:18,480 projected trends in cybersecurity threats and the connected nature of 97 00:07:18,519 --> 00:07:23,879 the United States economy. Three Steps states and local governments 98 00:07:23,920 --> 00:07:27,480 can take to enhance cybersecurity, and how the federal government 99 00:07:27,600 --> 00:07:31,560 can best support such steps, and for any other issues 100 00:07:31,639 --> 00:07:35,639 that the President, through the Secretary, requests the Commission to consider. 101 00:07:36,560 --> 00:07:40,920 See To accomplish its mission, the Commission shall one reference 102 00:07:41,120 --> 00:07:46,800 and as appropriate, build on successful existing cybersecurity policies, public 103 00:07:46,839 --> 00:07:52,920 private partnerships, and other initiatives. Two Consult with cybersecurity, national 104 00:07:52,959 --> 00:07:58,959 security and law enforcement, privacy management, technology, and digital economy 105 00:07:59,000 --> 00:08:03,240 experts in the public and private sectors. Three seek input 106 00:08:03,360 --> 00:08:08,360 from those who have experienced significant cybersecurity incidents to understand 107 00:08:08,439 --> 00:08:13,600 lessons learned from these experiences, including identifying any barriers to awareness, 108 00:08:13,800 --> 00:08:18,959 risk management, and investment. Four review reported information from the 109 00:08:19,040 --> 00:08:24,040 Office of Management and Budget regarding federal information and information systems, 110 00:08:24,439 --> 00:08:29,279 including legacy systems, in order to assess critical federal civilian 111 00:08:29,360 --> 00:08:35,600 IT infrastructures, governance and management processes. Five review the impact 112 00:08:35,639 --> 00:08:40,480 of technological trends and market forces on existing cybersecurity policies 113 00:08:40,480 --> 00:08:44,879 and practices. And six examine other issues related to the 114 00:08:44,879 --> 00:08:48,080 Commission's mission that the Chair and Vice Chair agree are 115 00:08:48,120 --> 00:08:52,639 necessary and appropriate to the Commission's work. D. Where appropriate, 116 00:08:52,840 --> 00:08:56,720 the Commission may conduct original research, commission studies, and hold 117 00:08:56,720 --> 00:09:01,480 hearings to further examine particular issues. E. The Commission shall 118 00:09:01,519 --> 00:09:04,559 be advisory in nature and shall submit a final report 119 00:09:04,600 --> 00:09:08,720 to the President by December one, twenty sixteen. This report 120 00:09:08,759 --> 00:09:11,519 shall be published on a public website, along with any 121 00:09:11,559 --> 00:09:15,519 appropriate response from the President, within forty five days after 122 00:09:15,559 --> 00:09:20,279 it is provided to the President. Section four Administration A. 123 00:09:20,759 --> 00:09:24,399 The Commission shall hold periodic meetings in public forums in 124 00:09:24,440 --> 00:09:28,879 an open and transparent environment. B. In carrying out its mission, 125 00:09:29,000 --> 00:09:31,879 the Commission shall be informed by and shall strive to 126 00:09:31,919 --> 00:09:36,840 avoid duplicating the efforts of other governmental entities. C. The 127 00:09:36,879 --> 00:09:40,559 Commission shall have a staff, headed by an Executive Director, 128 00:09:40,960 --> 00:09:43,759 which shall provide support for the functions of the Commission. 129 00:09:44,080 --> 00:09:47,360 The Secretary shall appoint the Executive Director, who shall be 130 00:09:47,399 --> 00:09:50,759 a full time federal employee, and the Commission's staff. The 131 00:09:50,840 --> 00:09:54,720 Executive Director may also serve as the designated Federal Officer. 132 00:09:55,159 --> 00:09:58,679 In accordance with the Federal Advisory Committee Act, as amended 133 00:09:59,159 --> 00:10:06,000 five us c. App FACA. The Act D, the Executive Director, 134 00:10:06,240 --> 00:10:09,360 in consultation with the Chair and Vice Chair, shall have 135 00:10:09,440 --> 00:10:13,279 the authority to create subcommittees as necessary to support the 136 00:10:13,279 --> 00:10:17,600 Commission's work and to examine particular areas of importance. These 137 00:10:17,639 --> 00:10:21,080 subcommittees must report their work to the Commission to inform 138 00:10:21,159 --> 00:10:25,519 its final recommendations. E. The Secretary will work with the 139 00:10:25,559 --> 00:10:29,440 heads of Executive Departments and agencies, to the extent permitted 140 00:10:29,480 --> 00:10:33,679 by law and consistent with their ongoing activities, to provide 141 00:10:33,679 --> 00:10:37,799 the Commission such information and cooperation as it may require 142 00:10:37,919 --> 00:10:42,440 for purposes of carrying out its mission. Section five Termination 143 00:10:43,120 --> 00:10:46,720 The Commission shall terminate within fifteen days after it presents 144 00:10:46,759 --> 00:10:50,600 its final report to the President, unless extended by the President. 145 00:10:51,519 --> 00:10:56,399 Section six General Provisions. A. To the extent permitted by 146 00:10:56,480 --> 00:11:01,080 law and subject to the availability of appropriations, the Secretary 147 00:11:01,159 --> 00:11:04,639 shall direct the Director of the National Institute of Standards 148 00:11:04,679 --> 00:11:12,120 and Technology to provide the Commission with such expertise, services, funds, facilities, staff, equipment, 149 00:11:12,480 --> 00:11:15,720 and other support services as may be necessary to carry 150 00:11:15,720 --> 00:11:20,879 out its mission. B. Insofar as FACA may apply to 151 00:11:20,919 --> 00:11:24,360 the Commission. Any functions of the President under that Act, 152 00:11:24,559 --> 00:11:27,720 except for those in Section six and Section fourteen of 153 00:11:27,720 --> 00:11:32,360 that Act, shall be performed by the Secretary c Members 154 00:11:32,399 --> 00:11:35,279 of the Commission shall serve without any compensation for their 155 00:11:35,320 --> 00:11:38,639 work on the Commission, but shall be allowed travel expenses, 156 00:11:38,840 --> 00:11:42,279 including per diem in lieu of subsistence, to the extent 157 00:11:42,320 --> 00:11:46,320 permitted by law for persons serving intermittently in the government service. 158 00:11:46,879 --> 00:11:52,159 Five USC. Fifty seven one through fifty seven O seven D. 159 00:11:52,360 --> 00:11:55,200 Nothing in this Order shall be construed to impair or 160 00:11:55,240 --> 00:11:59,440 otherwise effect one the authority granted by law to a department, 161 00:11:59,480 --> 00:12:03,720 agency or the head thereof, or two the functions of 162 00:12:03,759 --> 00:12:06,879 the Director of the Office of Management and Budget relating 163 00:12:06,919 --> 00:12:12,320 to budgetary, administrative, or legislative proposals. E. This Order is 164 00:12:12,360 --> 00:12:16,000 not intended to, and does not create, any right or benefit, 165 00:12:16,360 --> 00:12:21,120 substantive or procedural, enforceable at law or in equity by 166 00:12:21,159 --> 00:12:26,240 any party against the United States, its departments, agencies, or entities, 167 00:12:26,720 --> 00:12:31,080 its officers, employees, or agents, or any other person. The 168 00:12:31,120 --> 00:12:36,440 White House, February ninth, twenty sixteen, end of Section fourteen. 169 00:12:37,200 --> 00:12:38,879 Recording by Colleen McMahon