
A Fresh Take

Insights on US legal developments


New Federal Policy Creates Path Forward for Mandatory Requirements for Critical Infrastructure Entities

On April 30, 2024, President Biden signed a National Security Memorandum (“NSM”) on Critical Infrastructure Security and Resilience (NSM-22), updating the policy objectives and operational contours of the US government (“USG”) approach to ensuring the security of critical infrastructure. NSM-22 replaces Presidential Policy Directive 21 (PPD-21), the policy directive issued in 2013 that defined the critical infrastructure sectors and created the USG strategy for building their resilience. The NSM, coming on the heels of a rule proposal expanding the collection of cyber incident data from infrastructure owners and operators, further indicates that the federal government is planning to take a much more forward-leaning posture in engaging with critical infrastructure entities.

Due to the breadth of initiatives laid out in the NSM, critical infrastructure owners and operators should consider engaging with the appropriate Sector Coordinating Councils and reviewing public issuances by their relevant regulator. Entities in sectors with voluntary standards-setting organizations should also consider actively engaging with these organizations in preparation for such voluntary standards being incorporated into discussions of mandatory requirements.

Critical Infrastructure Sectors and Sector Risk Management Agencies

NSM-22 affirms the designation of 16 critical infrastructure sectors and the corresponding federal department or agency interfacing with each sector. While NSM-22 replaces the PPD-21 nomenclature of “Sector-Specific Agencies” with “Sector Risk Management Agencies” (“SRMAs”), a term first articulated in the FY21 National Defense Authorization Act, no changes were made to the corresponding departments or agencies acting as the Federal interface for any sector. The 16 critical infrastructure sectors and their SRMAs are:

  • Chemical: Department of Homeland Security (“DHS”)
  • Commercial Facilities: DHS
  • Communications: DHS
  • Critical Manufacturing: DHS
  • Dams: DHS
  • Defense Industrial Base: Department of Defense
  • Emergency Services: DHS
  • Energy: Department of Energy
  • Financial Services: Department of the Treasury
  • Food and Agriculture: Department of Agriculture and Department of Health and Human Services (“HHS”)
  • Government Services and Facilities: DHS and General Services Administration
  • Healthcare and Public Health: HHS
  • Information Technology: DHS
  • Nuclear Reactors, Materials, and Waste: DHS
  • Transportation Systems: DHS and Department of Transportation
  • Water and Wastewater Systems: Environmental Protection Agency

Minimum Security and Resilience Requirements

While the policy principles laid out in NSM-22 generally build upon strategic initiatives from PPD-21, a new priority is the development of minimum security and resilience requirements for critical infrastructure entities. This NSM tasks regulatory and oversight entities with establishing and implementing minimum requirements and accountability mechanisms for the security and resilience of critical infrastructure.

This advancement of minimum security and resilience requirements is in line with considerations in the National Cyber Strategy regarding the limits of voluntary standards. While the actions that government stakeholders are directed to take within NSM-22 rely on the government’s interpretation of its existing authorities, SRMAs are tasked with coordinating with relevant regulators on the adoption of regulations that promote the implementation of minimum requirements. With DHS acting as the SRMA for 8 sectors, such coordination with regulators is needed if mandatory requirements are to be created using only existing authorities. In the Information Technology sector, for example, the ability to involve the Department of Commerce, and others, will create a much wider variety of options for the government to consider in furthering the immediate goals of the NSM. SRMAs are also directed to develop proposals requesting new authorities from Congress for areas where existing authorities are not sufficient.

Additionally, the SRMAs and the National Coordinator for Security and Resilience of Critical Infrastructure (“National Coordinator”)[1] are required to submit, by January 25, 2025, a review of available tools and authorities to require and incentivize critical infrastructure owners and operators to implement minimum security and resilience requirements. This review will identify gaps in the Federal Government’s capacity to require and enforce minimum requirements for critical infrastructure and create a legislative proposal for any additional authorities or capabilities needed to implement such requirements.

Systemically Important Entity Designation

This NSM also tasks the National Coordinator with identifying Systemically Important Entities (“SIEs”), which are “organizations that own, operate or otherwise control critical infrastructure that is prioritized based on the potential for its disruption or malfunction to cause nationally significant and cascading negative impacts.” The prioritization of SIEs will relate to the provision of risk mitigation information and other operational resources from Federal stakeholders. The list of SIEs also serves to satisfy the requirement, from Section 9 of Executive Order 13636, for the Department of Homeland Security to develop a list of critical infrastructure “at greatest risk.” The list of SIEs will not be publicly available.

Key Federal Departments and Agencies

One significant update from PPD-21, which was issued prior to the establishment of CISA, is the codification of CISA’s function in the whole-of-government approach to securing critical infrastructure. As the National Coordinator, CISA will play a central role in assessing the progress of the initiatives laid out in NSM-22, having a comprehensive view across sectoral efforts.

  • The Secretary of Homeland Security is charged with the role of coordinating the national effort to secure critical infrastructure.
  • The Department of Justice will lead counterterrorism and counterintelligence law enforcement activities for critical infrastructure, including criminal investigations into and the operational response to incidents that concern critical infrastructure.
  • The Department of Commerce will lead the development of standards and will facilitate and support guidelines, best practices, methodologies, procedures, and processes to reduce cybersecurity risks to critical infrastructure.
  • The Department of Energy will continue to lead the policy, preparedness, risk analysis, technical assistance, research and development, operational collaboration, and emergency response activities for the U.S. energy sector.


[1] NSM-22 designates the Director of the Cybersecurity and Infrastructure Security Agency (“CISA”) as the National Coordinator.
