Executive Order 13587: Classified Network Security and Information Sharing

Executive Order 13587: Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information

Overview and Policy Statement

  • Executive Order 13587, issued on October 7, 2011, addresses critical structural reforms for managing classified national security information (classified information) on computer networks.

  • Purpose: To enhance the security of classified networks and ensure the responsible sharing and safeguarding of classified information.

  • Foundation: Derives authority from the President's constitutional powers and U.S. laws.

  • Core Challenge: The imperative to share classified information immediately with authorized users globally must be balanced with sophisticated and vigilant safeguarding.

  • Acknowledged Vulnerabilities: Computer networks possess individual and common weaknesses that necessitate coordinated risk management decisions.

  • Directive for Structural Reforms: The order mandates reforms to facilitate responsible sharing and safeguarding, strictly adhering to appropriate protections for privacy and civil liberties.

  • Agency Responsibility: Agencies bear the primary duty for achieving the dual goals of sharing and safeguarding.

  • Scope of Reforms: These reforms aim for:

    • Coordinated interagency development and reliable implementation of policies and minimum standards across information security, personnel security, and systems security.

    • Addressing both internal and external security threats and vulnerabilities.

    • Establishing policies and minimum standards for sharing classified information both within and outside the Federal Government.

  • Applicability: The order covers all agencies that operate or access classified computer networks, all users (including contractors and others operating or accessing Federal Government-controlled classified networks), and all classified information present on these networks.

General Responsibilities of Agencies

Heads of agencies that operate or access classified computer networks are primarily responsible for appropriately sharing and safeguarding classified information. Their specific duties include:

  • Designation of Senior Official: Appointing a senior official to oversee classified information sharing and safeguarding efforts for their agency.

  • Insider Threat Program: Implementing an insider threat detection and prevention program, which must align with guidance and standards developed by the Insider Threat Task Force (established in Section 6).

  • Self-Assessments: Conducting annual self-assessments to ensure compliance with policies and standards issued under Sections 3.3, 5.2, and 6.3 of this order, as well as other relevant policies. The results of these assessments must be reported annually to the Senior Information Sharing and Safeguarding Steering Committee.

  • Independent Assessment Access: Providing necessary information and access, consistent with law and Section 7(d), to facilitate independent assessments by the Executive Agent for Safeguarding Classified Information on Computer Networks and the Insider Threat Task Force.

  • Staff Assignment: Detailing or assigning staff on an ongoing basis to the Classified Information Sharing and Safeguarding Office and the Insider Threat Task Force as appropriate and necessary.

Senior Information Sharing and Safeguarding Steering Committee (Steering Committee)

  • Establishment: A Steering Committee is created to ensure overall responsibility and senior-level accountability for the coordinated interagency development and implementation of policies and standards related to classified information sharing and safeguarding on computer networks.

  • Leadership: Co-chaired by senior representatives from the Office of Management and Budget (OMB) and the National Security Staff.

  • Membership: Composed of officers designated by the heads of the Departments of State, Defense, Justice, Energy, and Homeland Security, the Office of the Director of National Intelligence (ODNI), the Central Intelligence Agency (CIA), and the Information Security Oversight Office (ISOO) within the National Archives and Records Administration. Additional agencies may be designated by the co-chairs.

  • Key Responsibilities: The Steering Committee is tasked with:

    • Setting Government-wide goals for classified information sharing and safeguarding and annually reviewing the executive branch's successes and shortcomings.

    • Preparing an annual report for the President (initial report due within 90 days of the order) that assesses progress, identifies shortcomings, and discusses potential future vulnerabilities in classified information management on networks.

    • Developing program and budget recommendations to achieve classified information sharing and safeguarding goals across the Government.

    • Coordinating agency efforts in developing and implementing priorities, policies, and standards.

    • Recommending overarching policies for promulgation by OMB or ISOO when appropriate.

    • Coordinating compliance assessment efforts by agencies, the Executive Agent, and the Task Force, and recommending corrective actions.

    • Providing overall mission guidance to the Program Manager-Information Sharing Environment (PM-ISE) concerning the functions of the Classified Information Sharing and Safeguarding Office (CISSO).

    • Referring unresolved policy and compliance issues to the Deputies Committee of the National Security Council, in accordance with Presidential Policy Directive/PPD-1 of February 13, 2009 (Organization of the National Security Council System).

Classified Information Sharing and Safeguarding Office (CISSO)

  • Establishment: The CISSO is established within and subordinate to the office of the PM-ISE.

  • Mission: To provide an expert, full-time, and sustained focus on the responsible sharing and safeguarding of classified information on computer networks.

  • Staffing: Includes detailees from agencies represented on the Steering Committee, as needed.

  • Primary Roles: CISSO's responsibilities include:

    • Providing staff support for the Steering Committee.

    • Advising the Executive Agent and the Insider Threat Task Force on developing an effective program for monitoring compliance with established policies and standards.

    • Consulting with the Departments of State, Defense, and Homeland Security, ISOO, and ODNI to ensure consistency with existing Executive Orders (13526 of December 29, 2009; 12829 of January 6, 1993, as amended; 13549 of August 18, 2010; and 13556 of November 4, 2010).

Executive Agent for Safeguarding Classified Information on Computer Networks

  • Joint Executive Agent: The Secretary of Defense and the Director, National Security Agency (NSA), jointly serve as the Executive Agent.

  • Authority: They exercise existing authorities under National Security Directive/NSD-42 of July 5, 1990, supplemented by and subject to this order.

  • Additional Responsibilities (beyond NSD-42):

    • Developing effective technical safeguarding policies and standards in coordination with the Committee on National Security Systems (CNSS), as re-designated by Executive Orders 13286 of February 28, 2003, and 13231 of October 16, 2001. These policies address the safeguarding of classified information within national security systems and the systems themselves.

    • Referring any unresolved issues that delay the timely development and issuance of technical policies and standards to the Steering Committee for resolution.

    • Reporting at least annually to the Steering Committee on CNSS activities, including recommendations for improving timeliness and effectiveness.

    • Conducting independent assessments of agency compliance with established safeguarding policies and standards and reporting the results to the Steering Committee.

Insider Threat Task Force

  • Establishment: An interagency Insider Threat Task Force is created.

  • Mandate: To develop a Government-wide program (insider threat program) focused on deterring, detecting, and mitigating insider threats, specifically including the safeguarding of classified information from exploitation, compromise, or unauthorized disclosure.

    • The program must consider varying risk levels and the distinct needs, missions, and systems of individual agencies.

    • It will include policies, objectives, and priorities for establishing and integrating security, counterintelligence, user audits and monitoring, and other safeguarding capabilities/practices within agencies.

  • Leadership: Co-chaired by the Attorney General and the Director of National Intelligence (or their designees).

  • Membership: Composed of officers from the Departments of State, Defense, Justice, Energy, and Homeland Security, ODNI, CIA, and ISOO, along with additional agencies designated by the co-chairs.

  • Staffing: Personnel from the Federal Bureau of Investigation (FBI) and the Office of the National Counterintelligence Executive (ONCIX), as well as other agencies determined by the co-chairs, provided they are officers or full-time/permanent part-time U.S. employees. ONCIX shall provide a work site and administrative support if legally permitted.

  • Responsibilities: The Task Force's duties include:

    • Developing a Government-wide policy for deterrence, detection, and mitigation of insider threats, in coordination with the Executive Agent, and submitting it to the Steering Committee for review.

    • Coordinating with appropriate agencies to develop and issue minimum standards and guidance for the insider threat program's policy implementation. These standards, binding on the executive branch, must be issued within 1 year of the order's date.

    • If appropriations or authorizations are sufficient after 1 year, continuing to add to or modify these minimum standards and guidance as appropriate.

    • If appropriations are insufficient after 1 year, recommending any additional or modified minimum standards and guidance for promulgation by OMB or ISOO.

    • Referring unresolved issues that delay the timely development and issuance of minimum standards to the Steering Committee.

    • Conducting independent assessments of agency programs to implement established policies and minimum standards, following procedures developed by the Task Force, and reporting results to the Steering Committee.

    • Providing assistance to agencies, upon request, including through the dissemination of best practices.

    • Analyzing new and ongoing insider threat challenges facing the U.S. Government.

General Provisions

  • Definition of Agencies: For this order,