TOP SECRET/NOFORNReason: 1.4 (a)(c)(e)(g)Declassify on: 10/16/37

The following terms are defined for the purposes of thisdirective and should be used when possible in interagency

I. Definitions (U)

This Presidential Policy Directive (PPD) supersedes NationalSecurity Presidential Directive (NSPD)-38 of July 7, 2004. Thisdirective complements, but does not affect, NSPD-54/HomelandSecurity Presidential Directive (HSPD)-23 on "CybersecurityPolicy" of January 8, 2008; National Security Directive (NSD)-42on "National Policy for the Security of National SecurityTelecommunications and Information Systems" of July 5, 1990; andPPD-8 on "National Preparedness" of March 30, 2011. (C/NF)

U.S. Cyber Operations Policy (U)SUBJECT:

ASSISTANT TO THE PRESIDENT AND CHIEF OF STAFFDIRECTOR OF THE OFFICE OF MANAGEMENT AND BUDGETASSISTANT TO THE PRESIDENT FOR NATIONAL SECURITY

AFFAIRSDIRECTOR OF NATIONAL INTELLIGENCEASSISTANT TO THE PRESIDENT FOR HOMELAND SECURITY

AND COUNTERTERRORISMDIRE.CTOR OF THE OFFICE OF SCIENCE AND TECHNOLOGY

POLICYDIRECTOR OF THE FEDERAL BUREAU OF INVESTIGATIONDIRECTOR OF THE CENTRAL INTELLIGENCE AGENCYCHAIRMAN OF THE JOINT CHIEFS OF STAFFDIRECTOR OF THE NATIONAL SECURITY AGENCY

MEMORANDUM FOR THE VICE PRESIDENTTHE SECRETARY OF STATETHE SECRETARY OF THE TREASURYTHE SECRETARY OF DEFENSETHE ATTORNEY GENERALTHE SECRETARY OF COMMERCETHE SECRETARY OF ENERGYTHE SECRETARY OF HOMELAND SECURITY

PRESIDENTIAL POLICY DIRECTIVE/PPD-20

TOP SECRET/NOFORN

TOP SECRET/NOFORN

documents and communications on this topic to ensure commonunderstanding. (U)

Cyberspace: The interdependent network of informationtechnology infrastructures that includes the Internet,telecommunications networks, computers, information orcommunications systems, networks, and embedded processors andcontrollers. (U)Network Defense: Programs, activities, and the use of toolsnecessary to facilitate them (including those governed byNSPD-54/HSPD-23 and NSD-42) conducted on a computer, network,or information or communications system by the owner or withthe consent of the owner and, as appropriate, the users forthe primary purpose of protecting (1) that computer, network,or system; (2) data stored on, processed on, or transitingthat computer, network, or system; or (3) physical and virtualinfrastructure controlled by that computer, network, orsystem. Network defense does not involve or require accessingor conducting activities on computers, networks, orinformation or communications systems without authorizationfrom the owners or exceeding access authorized by the owners.(U)Malicious Cyber Activity: Activities, other than thoseauthorized by or in accordance with U.S. law, that seek tocompromise or impair the confidentiality, integrity, oravailability of computers, information or communicationssystems, networks, physical or virtual infrastructurecontrolled by computers or information systems, or informationresident thereon. (U)Cyber Effect: The manipulation, disruption, denial,degradation, or destruction of computers, information orcommunications systems, networks, physical or virtualinfrastructure controlled by computers or information systems,or information resident thereon. (U)Cyber Collection: Operations and related programs oractivities conducted by or on behalf of the United StatesGovernment, in or through cyberspace, for the primary purposeof collecting intelligence - including information that can beused for future operations - from computers, information orcommunications systems, or networks with the intent to remainundetected. Cyber collection entails accessing a computer,information system, or network without authorization from theowner or operator of that computer, information system, ornetwork or from a party to a communication or by exceedingauthorized access. Cyber collection includes those activitiesessential and inherent to enabling cyber collection, such as

2TOP SECRET/NOFORN

TOP SECRET/NOFORN

1 As these terms are used in HSPD-7on "Critical Infrastructure,Identification, Prioritization, and Protection" from December 17, 2003. (U)

inhibiting detection or attribution, even if they create cybereffects. (C/NF)Defensive Cyber Effects Operations (DCEO): Operations andrelated programs or activities - other than network defense orcyber collection - conducted by or on behalf of theUnited States Government, in or through cyberspace, that areintended to enable or produce cyber effects outsideUnited States Government networks for the purpose of defendingor protecting against imminent threats or ongoing attacks ormalicious cyber activity against U.S. national interests frominside or outside cyberspace. (C/NF)Nonintrusive Defensive Countermeasures (NDCM): The subset ofDCEO that does not require accessing computers, information orcommunications systems, or networks without authorization fromthe owners or operators of the targeted computers, informationor communications systems, or networks or exceeding authorizedaccess and only creates the minimum cyber effects needed tomitigate the threat activity. (C/NF)Offensive Cyber Effects Operations (OCEO): Operations andrelated programs or activities - other than network defense,cyber collection, or DCEO - conducted by or on behalf of theUnited States Government, in or through cyberspace, that areintended to enable or produce cyber effects outsideUnited States Government networks. (C/NF)Cyber Operations: Cyber collection, DCEO (including NDCM),and OCEO collectively. (U)Significant Consequences: Loss of life, significantresponsive actions against the United States, significantdamage to property, serious adverse U.S. foreign policyconsequences, or serious economic impact on the United States.(U)

U.S. National Interests: Matters of vital interest to theUnited States to include national security, public safety,national economic security, the safe and reliable functioningof "critical infrastructure,U and the availability of "keyresources.u1 (U)Emergency Cyber Action: A cyber operation undertaken at thedirection of the head of a department or agency withappropriate authorities who has determined that such action isnecessary, pursuant to the requirements of this directive, tomitigate an imminent threat or ongoing attack against U.S.national interests from inside or outside cyberspace and undercircumstances that at the time do not permit obtaining prior

3TOP SECRET/NOFORN

TOP SECRET/NOFORN

2 NSPD-38 referred to operations with significant consequences as "sensitiveoffensive cyber operations." (S/NF)

The principles and requirements in this directive apply exceptas otherwise lawfully directed by the President. With theexception of the grant of authority to the Secretary of Defenseto conduct Emergency Cyber Actions as provided below, nothing inthis directive is intended to alter the existing authorities of,or grant new authorities to, any United States Governmentdepartment or agency (including authorities to carry out

This directive pertains to cyber operations, including thosethat support or enable kinetic, information, or other types ofoperations. Most of this directive is directed exclusively toDCEO and OCEO. (S/NF)

The United States Government has mature capabilities andeffective processes for cyber collection. (S/NF)Therefore, this directive affirms and does not intend to alterexisting procedures, guidelines, or authorities for cybercollection. (S/NF)This directive provides a procedure for cyber collectionoperations that are reasonably likely to result in"significant consequences.u2 (S/NF)

The United States has an abiding interest in developing andmaintaining use of cyberspace as an integral part of U.s.national capabilities to collect intelligence and to deter,deny, or defeat any adversary that seeks to harm U.S. nationalinterests in peace, crisis, or war. Given the evolution in U.S.experience, policy, capabilities, and understanding of the cyberthreat, and in information and communications technology, thisdirective establishes updated principles and processes as partof an overarching national cyber policy framework. (C/NF)

The United States Government shall conduct all cyberoperations consistent with the U.S. Constitution and otherapplicable laws and policies of the United States, includingPresidential orders and directives. (C/NF)The United States Government shall conduct DCEO and OCEO underthis directive consistent with its obligations underinternational law, including with regard to matters ofsovereignty and neutrality, and, as applicable, the law ofarmed conflict. (C/NF)

(U)Purpose and ScopeII.

Presidential approval to the extent that such approval wouldotherwise be required. (S/NF)

4TOP SECRET/NOFORN

TOP SECRET/NOFORN

3 Humanintelligence operations undertaken via the Internet. (S/NF)

In addition, this directive does not pertain to or alterexisting authorities related to the following categories ofactivities by or on behalf of the United States Government,regardless of whether they produce cyber effects:

Activities conducted under section 503 of the NationalSecurity Act of 1947 (as amended);Activities conducted pursuant to the Foreign IntelligenceSurveillance Act, the approval authority delegated to theAttorney General (AG) by section 2.5 of Executive Order 12333(as amended), or law enforcement authorities; however, cyberoperations reasonably likely to result in significantconsequences still require Presidential approval, andoperations that reasonably can be expected to adversely affectother United States Government operations still requirecoordination under established processes;Activities conducted by the United States Secret Service forthe purpose of protecting the President, the Vice President,and others as defined in 18 U.S.C. § 3056; however, cyberoperations reasonably likely to result in significantconsequences still require Presidential approval, andoperations that reasonably can be expected to adversely affectother United States Government operations still requirecoordination under established processes;The use of online personas and other virtual operations3 -

undertaken exclusively for counterintelligence, intelligencecollection, or law enforcement purposes - that do not involvethe use of DCEO or OCEO;Activities conducted in cyberspace pursuant tocounterintelligence authorities for the purpose of protectingspecific intelligence sources, methods, and activities;Signals intelligence collection other than cyber collection asdefined in this directive;Open-source intelligence collection;Network defense;

operational activities), or supersede any existing coordinationand approval processes, other than those of NSPD-38. Nothing inthis directive is intended to limit or impair militarycommanders from using DCEO or OCEO specified in a militaryaction approved by the President and previously coordinated anddeconflicted as required by existing processes and thisdirective. (S/NF)

5TOP SECRET/NOFORN

TOP SECRET/NOFORN

4 As defined by the Joint Dictionary 1-02, "Department of Defense Dictionaryof Military and Associated TermsH (as amended through February 15, 2012):military action involving the use of electromagnetic or directed energy tocontrol the electromagnetic spectrum or to attack the enemy. Electronicwarfare consists of three divisions: electronic attack, electronicprotection, and electronic warfare support. (U)

The United States Government shall conduct DCEO and OCEO in amanner consistent with applicable values, principles, and normsfor state behavior that the united States Government promotesdomestically and internationally as described in the2011 "International Strategy for Cyberspace.H (C/NF)

National-level strategic objectives and operationalnecessities shall dictate what the United States Governmentseeks to accomplish with DCEO and OCEO. (C/NF)The United States Government shall integrate DCEO and OCEO, asappropriate, with other diplomatic, informational, military,economic, financial, intelligence, counterintelligence, andlaw enforcement options, taking into account effectiveness,costs, risks, potential consequences, foreign policy, andother policy considerations. (C/NF)The United States Government shall reserve the right to act inaccordance with the United States' inherent right of selfdefense as recognized in international law, including throughthe conduct of DCEO. (C/NF)The United States Government shall conduct neither DCEO norOCEO that are intended or likely to produce cyber effectswithin the United States unless approved by the President. Adepartment or agency, however, with appropriate authority may

DCEO and OCEO may raise unique national security and foreignpolicy concerns that require additional coordination and policyconsiderations because cyberspace is globally connected. DCEOand OCEO, even for subtle or clandestine operations, maygenerate cyber effects in locations other than the intendedtarget, with potential unintended or collateral consequencesthat may affect U.S. national interests in many locations.(S/NF)

III. Guiding Principles for DCEO and OCEO (U)

Traditional electronic warfare4 activities;The development of content to support influence campaigns,military deception, or military information supportoperations; orSimple transit of data or commands through networks that donot create cyber effects on those networks. (S/NF)

6TOP SECRET/NOFORN

TOP SECRET/NOFORN

The United States Government, to ensure appropriate applicationof these principles, shall make all reasonable efforts, undercircumstances prevailing at the time, to identify the adversaryand the ownership and geographic location of the targets andrelated infrastructure where DCEO or OCEO will be conducted orcyber effects are expected to occur, and to identify the peopleand entities, including U.S. persons, that could be affected byproposed DCEO or OCEO. (S/NF)

The information revealed to other countries in the course ofseeking consent shall be consistent with operational securityrequirements and the protection of intelligence sources,methods, and activities. (S/NF)

The united States Government shall obtain consent from countriesin which cyber effects are expected to occur or those countrieshosting U.S. computers and systems used to conduct DCEO or OCEOunless:

Military actions approved by the President and ordered by theSecretary of Defense authorize nonconsensual DCEO or OCEO,with provisions made for using existing processes to conductappropriate interagency coordination on targets, geographicareas, levels of effect, and degrees of risk for theoperations;DCEO is undertaken in accordance with the United States'inherent right of self defense as recognized in internationallaw, and the United States Government provides notificationafterwards in a manner consistent with the protection ofU.S. military and intelligence capabilities and foreign policyconsiderations and in accordance with applicable law; orThe President - on the recommendation of the DeputiesCommittee and, as appropriate, the Principals Committee -determines that an exception to obtaining consent isnecessary, takes into account overall U.S. national interestsand equities, and meets a high threshold of need and effectiveoutcomes relative to the risks created by such an exception.(S/NF)

conduct a particular case of DCEO that is intended or likelyto produce cyber effects within the United States if itqualifies as an Emergency Cyber Action as set forth in thisdirective and otherwise complies with applicable laws andpolicies, including Presidential orders and directives.(C/NF)

7TOP SECRET/NOFORN

TOP SECRET/NOFORN

The United States recognizes that network defense, design, andmanagement cannot mitigate all possible malicious cyber activityand reserves the right, consistent with applicable law, toprotect itself from malicious cyber activity that threatens U.S.national interests. (S/NF)

The United States Government shall work with private industry- through DHS, DOC, and relevant sector-specific agencies - toprotect critical infrastructure in a manner that minimizes theneed for DCEO against malicious cyber activity; however, theUnited States Government shall retain DCEO, includinganticipatory action taken against imminent threats, asgoverned by the provisions in this directive, as an option toprotect such infrastructure. (S/NF)The United States Government shall - in coordination, asappropriate, with DHS, law enforcement, and other relevantdepartments and agencies, to include sector-specific agencies- obtain the consent of network or computer owners forUnited States Government use of DCEO to protect againstmalicious cyber activity on their behalf, unless the activity

Additional Considerations for DCEO (U)The Nation requires flexible and agile capabilities thatleverage the full resources of the United States Government toconduct necessary and proportionate DCEO. These operationsshall conform to the following additional policy principles:

The United States Government shall reserve use of DCEO toprotect U.S. national interests in circumstances when networkdefense or law enforcement measures are insufficient or cannotbe put in place in time to mitigate a threat, and when otherpreviously approved measures would not be more appropriate, orif a Deputies or Principals Committee review determines thatproposed DCEO provides an advantageous degree ofeffectiveness, timeliness, or efficiency compared to othermethods commensurate with the risks;The United States Government shall conduct DCEO with the leastintrusive methods feasible to mitigate a threat;The United States Government shall seek partnerships withindustry, other levels of government as appropriate, and othernations and organizations to promote cooperative defensivecapabilities, including, as appropriate, through the use ofDCEO as governed by the provisions in this directive; andPartnerships with industry and other levels of government forthe protection of critical infrastructure shall be coordinatedwith the Department of Homeland Security (DHS), working withrelevant sector-specific agencies and, as appropriate, theDepartment of Commerce (DOC). (S/NF)

8TOP SECRET/NOFORN

TOP SECRET/NOFORN

Responses to Persistent Malicious Cyber Activity (U)Departments and agencies with appropriate authorities -consistent with the provisions set forth in this directive andin coordination with the Departments of State, Defense (DOD),Justice (DOJ), and Homeland SecuritYi the Federal Bureau ofInvestigation (FBI)i the Office of the Director of NationalIntelligence (DNI); the National Security Agency (NSA); theCentral Intelligence Agency (CIA); the Departments of theTreasury and Energy (DOE); and other relevant members of theIntelligence Community (IC) and sector-specific agencies - shallestablish criteria and procedures to be approved by the

(U)Threat Response OperationsV.

Specific Presidential approval is required for any cyberoperations - including cyber collection, DCEO, and OCEO -determined by the head of a department or agency to conduct theoperation to be reasonably likely to result in "significantconsequences" as defined in this directive. This requirementapplies to cyber operations generally, except for those alreadyapproved by the President, even if this directive otherwise doesnot pertain to such operations as provided in the "Purpose andScope" section of this directive. (S/NF)

IV. Cyber Operations with Significant Consequences (U)

Offensive Cyber Effects Operations (U)OCEO can offer unique and unconventional capabilities to advanceu.s. national objectives around the world with little or nowarning to the adversary or target and with potential effectsranging from subtle to severely damaging. The development andsustainment of OCEO capabilities, however, may requireconsiderable time and effort if access and tools for a specifictarget do not already exist. (TS/NF)

The United States Government shall identify potential targetsof national importance where OCEO can offer a favorablebalance of effectiveness and risk as compared with otherinstruments of national power, establish and maintain OCEOcapabilities integrated as appropriate with other U.S.offensive capabilities, and execute those capabilities in amanner consistent with the provisions of this directive.(TS/NF)

implicates the United States' inherent right of self-defenseas recognized in international law or the policy reviewprocesses established in this directive and appropriate legalreviews determine that such consent is not required. (S/NF)

9TOP SECRET/NOFORN

5 As defined in NSPD-51/HSPD-20 on "National Continuity PolicyH of May 9,2007. (U)

TOP SECRET/NOFORN

Emergency Cyber Actions (C/NF)The Secretary of Defense is hereby authorized to conduct, or adepartment or agency head with appropriate authorities mayconduct, under procedures approved by the President, EmergencyCyber Actions necessary to mitigate an imminent threat orongoing attack using DCEO if circumstances at the time do notpermit obtaining prior Presidential approval (to the extent thatsuch approval would otherwise be required) and the department oragency head determines that:

An emergency action is necessary in accordance with theUnited States inherent right of self-defense as recognized ininternational law to prevent imminent loss of life orsignificant damage with enduring national impact on thePrimary Mission Essential Functions of the United StatesGovernment,S U.S. critical infrastructure and key resources,or the mission of U.S. military forces;Network defense or law enforcement would be insufficient orunavailable in the necessary timeframe, and other previouslyapproved activities would not be more appropriate;The Emergency Cyber Actions are reasonably likely not toresult in significant consequences;The Emergency Cyber Actions will be conducted in a mannerintended to be nonlethal in purpose, action, and consequence;The Emergency Cyber Actions will be limited in magnitude,scope, and duration to that level of activity necessary tomitigate the threat or attack;The Emergency Cyber Actions, when practicable, have beencoordinated with appropriate departments and agencies,including State, DOD, DHS, DOJ, the Office of the DNI, FBI,CIA, NSA, the Treasury, DOE, and other relevant members of theIC and sector-specific agencies; and

President for responding to persistent malicious cyber activityagainst u.s. national interests. Such criteria and proceduresshall include the following requirements:

The United States Government shall reserve use of suchresponses to circumstances when network defense or lawenforcement measures are insufficient or cannot be put inplace in time to mitigate the malicious cyber activity; andDepartments and agencies shall conduct these responses in amanner not reasonably likely to result in significantconsequences and use the minimum action required to mitigatethe activity. (S/NF)

10TOP SECRET/NOFORN

TOP SECRET/NOFORN

The National Security Staff (NSS) shall formalize the functionsof the Cyber Operations Policy Working Group (COP-WG) as theprimary United States Government forum below the level of anInteragency Policy Committee (IPC) for integrating DCEO or OCEOpolicy, including consideration of exceptions or refinements tothe principles of this directive. The COP-WG shall work withother elements of the policy community as appropriate to thegeographic or functional context of the DCEO- or OCEO-relatedpolicy discussion at the earliest opportunity. The COP-WG is

(U)ProcessVI.

Until such time as any additional criteria for domesticoperations are approved by the President, authorization bydepartment and agency heads for Emergency Cyber Actions that areintended or likely to produce cyber effects within the UnitedStates (or otherwise likely to adversely affect U.S. networkdefense activities or U.S. networks) shall be granted only ifthe President has provided prior approval for such activity, orcircumstances at the time do not permit obtaining prior approvalfrom the President and such actions are conducted within theother constraints defined above. (S/NF)

Department and agency heads shall report Emergency Cyber Actionsto the President through the National Security Advisor as soonas feasible. If the coordination specified above is notpracticable in the available time, then notification shall occurafter the fact as soon as possible to inform subsequent whole­of-government response and recovery activities. (S/NF)

In addition, Emergency Cyber Actions that are intended or likelyto produce cyber effects within the United States (or otherwiselikely to adversely affect U.S. network defense activities orU.S. networks) must be conducted:

Under the procedures and, as appropriate, criteria fordomestic operations previously approved by the President; andUnder circumstances that at the time of the Emergency CyberAction preclude the use of network defense, law enforcement,or some form of DOD support to civil authorities that wouldprevent the threatened imminent loss of life or significantdamage. (S/NF)

The Emergency Cyber Actions are consistent with theu.s. Constitution and other applicable laws and policies ofthe United States, including Presidential orders anddirectives. (S/NF)

11TOP SECRET/NOFORN

TOP SECRET/NOFORN

6 Including the May 9, 2007, "Trilateral Memorandum of Agreement (MOA) amongthe Department of Defense and the Department of Justice and the IntelligenceCommunity Regarding Computer Network Attack and Computer Network ExploitationActivities," and other operational coordination processes that exist betweendepartments and agencies. (S/NF)

Coordination of DCEO and OCEO with network defense efforts shallbe sufficient to enable a whole-of-government approach to theprotection of u.S. national interests and shall identifypotential implications of proposed DCEO and OCEO for u.S.networks, including potential adversary responses or unintendedconsequences of u.S. operations for which the United StatesGovernment or the private sector would need to prepare. Thiscoordination shall occur in a manner consistent with operational

Departments and agencies, during planning for proposed cyberoperations, shall use established processes6 to coordinate anddeconflict with other organizations - including, as appropriate,State, DOD, DOJ, DHS, members of the IC, and relevant sector­specific agencies - and obtain any other approvals requiredunder applicable policies, except as those processes aremodified by or under this directive. Departments and agenciesshall modify or enhance these processes as future circumstancesdictate. (S/NF)

Departments and agencies shall coordinate DCEO and OCEO withState and Chiefs of Station or their designees in countrieswhere DCEO or OCEO are conducted or cyber effects are expectedto occur. (S/NF)

Departments and agencies shall continue to use existingoperational processes for cyber operations, except as thoseprocesses are modified by or under this directive. Other typesof operations that are supported or enabled by cyber operationsshall use their existing operational processes. This continueduse of existing operational processes applies, for example, tooperations conducted under military orders that authorize DCEOor OCEO, including clandestine preparatory activities. (C/NF)

Departments and agencies shall work through the COP-WG to raiseunresolved or ambiguous policy questions in an integrated IPCmeeting of all appropriate national and economic securitystakeholders. The NSS shall use existing channels to elevateany unresolved policy conflicts to the Deputies and PrincipalsCommi ttees, as appropriate. (C/NF)

not an operational group, but will address policy issues relatedto the conduct of operations raised by departments and agenciesor the NSS. (S/NF)

12TOP SECRET/NOFORN

TOP SECRET/NOFORN

Policy Criteria (U)Policy deliberations for DCEO and OCEO shall consider, but notbe limited to, the following criteria:

Impact: The potential threat from adversary actions or thepotential benefits, scope, and recommended prioritization ofproposed u.s. operations as compared with other approaches -including, as appropriate, network defense by theUnited States Government or private sector network operators;Risks: Assessments of intelligence gain or loss, the risk ofretaliation or other impacts on U.s. networks or interests(including economic), impact on the security and stability ofthe Internet, and political gain or loss to include impact onforeign policies, bilateral and multilateral relationships(including Internet governance), and the establishment ofunwelcome norms of international behavior;Methods: The intrusiveness, timeliness, efficiency, capacity,and effectiveness of operational methods to be employed;Geography and Identity: Geographic and identity aspects ofthe proposed activity, including the location of operationsand the resulting effects, the identity of network owners andusers that will be affected, and the identity or type - whenknown - of adversaries to be countered or affected by U.s.operations;Transparency: The need for consent or notification of networkor computer owners or host countries, the potential for impacton U.s. persons and U.s. private sector networks, and the needfor any public or private communications strategies before orafter an operation; andAuthorities and Civil Liberties: The available authoritiesand procedures and the potential for cyber effects inside theUnited States or against U.s. persons. (S/NF)

security requirements and the protection of intelligencesources, methods, and activities. (S/NF)

Toward this end of ensuring a unified whole-of-governmentapproach, departments and agencies shall coordinate anddeconflict DCEO and OCEO with network defense efforts of otherdepartments and agencies as appropriate. (S/NF)

In addition, DCEO and OCEO with potential implications foru.s. networks shall be deconflicted as appropriate andcoordinated with DHS, appropriate law enforcement agencies,and relevant sector-specific agencies. (S/NF)The United States Government shall make all reasonable effortsto identify and notify, as appropriate, private sectorentities that could be affected by DCEO and OCEO. (S/NF)

13TOP SECRET/NOFORN

TOP SECRET/NOFORN

Policy Process (U)

Departments and agencies shall, as appropriate, conduct DCEOand OCEO in accordance with the principles set forth in thisdirective and shall bring forward to the COP-WG situationsthat require policy discussion, including considerations ofexceptions to those principles, using the policy criteriadescribed in this directive. [Action: All; ongoing] (C/NF)The National Security Advisor, through the NSS, shallestablish and operate the COP-WG to serve as the entry pointfor interagency deliberations of policy matters related toDCEO and OCEO. [Action: NSS; ongoing] (C/NF)The National Security Advisor, through the NSS, as needed,shall use the existing policy escalation process through anappropriate joint IPC-level group involving all stakeholdersfor a given situation, the Deputies Committee, and thePrincipals Committee. This process shall clarify theapplication of the principles set forth in this directive tospecific operations, including consideration of exceptions orrefinements to those principles. [Action: NSS; ongoing](C/NF)The NSS, as needed, shall lead reviews by appropriatedepartments and agencies of legal issues associated with DCEOand OCEO. The NSS shall refer legal questions to the chieflegal officers of the appropriate departments or agencies orto DOJ for resolution of interagency disagreements or asotherwise appropriate. [Action: NSS; ongoing] (C/NF)The DNI shall continue to ensure, through appropriate policiesand procedures, the deconfliction, coordination, andintegration of all IC cyber operations and serve as the ICfocal point for strategic planning and policy coordinationrelated to cyber operations, both within the IC and with otherdepartments and agencies in interagency coordinationprocesses. [Action: DNI; ongoing] (C/NF)

Departments and agencies shall establish necessary capabilitiesand procedures for appropriate and timely implementation of DCEOand OCEO policies in the national interest. (C/NF)

Annex: Implementation (U)

Policy decisions shall be broad enough and include rationales inorder to provide guidelines and direction for future proposalswith the same operational and risk parameters. (C/NF)

14TOP SECRET/NOFORN

TOP SECRET/NOFORN

Policy Reviews and Preparation (U)

The Office of the DNI, in coordination with appropriatedepartments and agencies, shall prepare a classification guidefor departments and agencies to use in the implementation ofthe policies in this directive. [Action: Office of the DNI;2 months after directive approval] (U)The National Security Advisor, through the NSS, shall lead aninteragency review of the United States Government'scommunications strategy, including public affairs guidance,regarding DCEO and OCEO. Pending approval of this strategy bythe Deputies Committee, the United States Government's publicposture on related matters shall be: "All United StatesGovernment activities in cyberspace are consistent with theprinciples stated in the May 2011 International Strategy forCyberspace." [Action: NSS report to Deputies; 1 month afterdirective approval] (C/NF)The National Security Advisor, through the NSS, shall workwith the Secretaries of Defense, State, and Homeland Security,the AG, the DNI, relevant IC and sector-specific agencies, andother heads of departments and agencies as appropriate todevelop for the conduct of Emergency Cyber Actions, as setforth in this directive - in addition to the previously citedprocedures and, as appropriate, domestic criteria to beapproved by the President - detailed concepts of operation,supporting processes, communications capabilities, exercises,and training. In addition, the NSS - working with these samedepartments and agencies - shall, as necessary, develop forPresidential approval procedures and criteria for DCEO to beconducted in response to malicious cyber activity. [Action:NSS update on implementation to Deputies; 3 months afterdirective approval] (C/NF)The Secretary of Defense, the DNI, and the Director of the CIA- in coordination with the AG, the Secretaries of State andHomeland Security, and relevant IC and sector-specificagencies - shall prepare for approval by the President throughthe National Security Advisor a plan that identifies potentialsystems, processes, and infrastructure against which theUnited States should establish and maintain OCEO capabilities;proposes circumstances under which OCEO might be used; andproposes necessary resources and steps that would be neededfor implementation, review, and updates as U.S. nationalsecurity needs change. [Action: DOD, Office of the DNI, andCIA update to Deputies on scope of plans; 6 months afterdirective approval] (TS/NF)

15TOP SECRET/NOFORN

TOP SECRET/NOFORN

The Secretary of Defense and other department and agency headsas appropriate - in coordination with the Secretary ofHomeland Security, the AG, and the DNI - shall develop andmaintain a flexible, agile capability for the purpose of usingDCEO to defend U.S. networks consistent with the provisionsset forth in this directive. [Action: DOD and others;ongoing] (C/NF)The Secretary of Defense - in coordination with theSecretaries of Homeland Security, Commerce, and State, the AG,the DNI, and relevant IC and sector-specific agencies - shalldevelop a multi-phase plan to be approved by the DeputiesCommittee for testing, reviewing, and implementing NDCM. Theplan shall be subjected to legal review and addressauthorities, technical feasibility, operational risks, andcoordination procedures. [Action: DOD present first phase ofplans to Deputies; 2 months after directive approval] (S/NF)The AG and the DNI - in collaboration with the Secretaries ofDefense, State, Commerce, and Homeland Security, and relevantIC and sector-specific agencies - shall develop a multi-phaseplan to be approved by the Deputies Committee for a test ofthe applicability and efficacy of counterintelligenceauthorities in the conduct of DCEO. The plan shall besubjected to legal review and address technical feasibility,operational risks, and coordination procedures. [Action: DOJand Office of the DNI present first phase of plans toDeputies; 2 months after directive approval] (S/NF)The Secretaries of Defense and Homeland Security, the DNI, theAG, and the Director of the CIA - in collaboration asappropriate with the Secretaries of State and Commerce and theheads of relevant IC and sector-specific agencies - shalldevelop proposals to be approved by the President through theNational Security Advisor to ensure that a necessary frameworkof proposed options, roles, and levels of delegation is inplace for the use of all appropriate United States GovernmentDCEO and OCEO capabilities to advance and defend U.S. nationalinterests, including actions taken in response to indicationsof imminent threat or when the United States or the Internetis subjected to a debilitating attack. This framework shallconsider how cyber operations capabilities will complementother United States Government cyber capabilities, includingnetwork defense and law enforcement. [Action: DOD, DHS, DOJ,Office of the DNI, and CIA update to Deputies; 6 months afterdirective approval] (S/NF)Department and agency heads conducting DCEO or OCEO coveredunder this directive shall report annually on the use andeffectiveness of operations of the previous year to the

16TOP SECRET/NOFORN

TOP SECRET/NOFORN

Foundation Building (U)The DNI, working with appropriate departments and agencies,shall continue to lead interagency efforts to improveintelligence collection in support of DCEO and OCEO, includingunder conditions when Internet infrastructure is significantlydegraded. These efforts shall include an enhanced process forsharing intelligence-based cyber threat information with theprivate sector and international partners in the interest ofminimizing the need for DCEO. The DNI shall identify neededinvestments - including in research and development, testing,and evaluation - to help develop intelligence capabilities insupport of DCEO and OCEO. [Action: Office of the DNI;ongoing] (S/NF)The Secretary of State - in coordination with the Secretariesof Defense and Homeland Security, the AG, the DNI, and othersas appropriate - shall continue to lead efforts to establishan international consensus around norms of behavior incyberspace to reduce the likelihood of and deter actions byother nations that would require the United States Governmentto resort to DCEO. [Action: state; ongoing] (C/NF)The AG - through the FBI and in coordination as appropriatewith DHS, appropriate elements of the IC, and otherdepartments and agencies - shall continue to identify,investigate, mitigate, and disrupt malicious cyber activity inthe interest of minimizing the need for DCEO. The AG, throughthe National Cyber Investigative Joint Task Force, shall leadrelated interagency efforts by integrating, sharing,coordinating, and collaborating on counterintelligence,counterterrorism, intelligence, and law enforcementinformation from member organizations concerninginvestigations of malicious cyber activity in order tofacilitate the use of all available authorities to addresssuch threats. These activities shall be coordinated withother entities and the private sector as appropriate.[Action: DOJ; ongoing] (C/NF)The Secretaries of State, Defense, Homeland Security, andCommerce - along with the AG, the DNI, and others asappropriate - shall continue to advance interagency effortswith international partners to increase their cyber capacitiesfor self protection and, where appropriate, to facilitatecooperative defense of cyberspace in the interest ofminimizing the need for DCEO. The partnerships shall include

President through the National Security Advisor. [Action:relevant departments and agencies; ongoing until otherwisedirected] (S/NF)

17TOP SECRET/NOFORN

TOP SECRET/NOFORN

application of not only improvements to network defenses, butalso sharing - as appropriate and consistent with operationalsecurity requirements and the protection of intelligencesources, methods, and activities - of DCEO-relatedinformation, tools, and methods consistent with the provisionsset forth in this directive, the National Disclosure Policy,and with u.s. national interests. [Action: State, DOD, DRS,DOC, and Office of the DNI; ongoing] (C/NF)The Secretary of Homeland Security - in coordination with theSecretaries of Defense and Commerce, the AG, the DNI, and theheads of relevant sector-specific agencies - shall continue tolead interagency efforts to develop partnerships with otherlevels of government and the private sector to increase thenation's cyber capacities for self protection and, whereappropriate, to facilitate cooperative efforts to securecyberspace in the interest of minimizing the need for DCEO.[Action: DRS; ongoing] (C/NF)

18TOP SECRET/NOFORN