The Biden Administration released a new National Security Memorandum that aims to strengthen the U.S. critical infrastructure.

NSM-22 is an evolution of Presidential Policy Directive-21. Many of the new elements in the memo seek to bolster existing approaches, processes, and authorities. However, it does acknowledge that voluntary approaches to security and resiliency have not been successful enough, and that mandatory minimum requirements are necessary. 

The memo also gives the Cybersecurity & Infrastructure Security Agency (CISA) clearer authority over critical infrastructure than in the past and better defines the roles of sector risk management agencies (SRMA) — the non-regulatory agencies that primarily work with the sector.

The new memo states that additional guidance is needed as there has been generational investment in infrastructure, new technologies, as well as strategic and geopolitical competition, climate change and other threats to critical infrastructure and the United States. Additionally, adversaries have shown a  willingness to target critical infrastructure.

The memo calls for minimum security and resilience requirements with accountability and enforcement, including sector specific goals. There will also be an effort to expand and improve public/private sector collaboration and international engagement and better policy and regulatory harmonization.

There are eight policy principles in the memo. They include:

  • A shared responsibility model for critical infrastructure security and resilience.
  •  An all-hazards risk-based approach that considers the full scope and scale of dependencies.
  • The establishment and implementation of minimum requirements for risk management that addresses sector-specific and cross-sector risk, and that leverages existing guidance and standards, prioritizes harmonization, complements public-private collaboration, and is both scalable and adaptable.
  • Robust accountability and enforcement mechanisms related to risk management.    
  • Robust information exchange, including public-private information sharing and cooperation.
  • The effective use of all relevant government expertise and technical resources to mature the capacity and capability of each federally led effort to manage sector‑specific risk, including ensuring a consistent experience for all stakeholders engaging with the government.
  • The continued strengthening of international engagement and collaboration.
  • Policy alignment so that critical infrastructure efforts are fully integrated and coordinated with complementary Federal policies and frameworks.

The objectives of NSM-22 include:

  • Clarifying the roles and responsibilities of the federal government. 
  • Coordinating a risk-based national approach to critical infrastructure security and resiliency.
  • Establishing minimum security/resiliency requirements and accountability mechanisms with aligned/harmonized regulations.
  • Leveraging government processes to incentivize security/resiliency requirement adoption.
  • Improving critical infrastructure threat intelligence and analysis.
  • Improving Information sharing.
  • Promoting Risk mitigating technology investments.
  • Engaging international partners to build out risk management and promote security/resiliency 

The Secretary of Homeland Security is to submit to the president a National Infrastructure Risk Management Plan every two years. This plan is to be informed by individual sector‑specific risk assessments and risk management plans, and a cross-sector risk assessment. SRMAs are to develop the sector-specific risk assessments and sector-specific risk management plans, and the National Coordinator is to develop the cross-sector risk assessment in coordination with SRMAs.

Additionally, the NSM-22 directs the National Coordinator for Cybersecurity to “regularly identify organizations that own, operate, or otherwise control critical infrastructure.” This will inform a non-public list of Systemically Important Entities (SIE) that will also “be informed by inputs received from SRMAs and other Federal departments and agencies.” This SIE list will help the government prioritize activities.

The full memo text can be found here.

Ari Schwartz & Tim McGiff

Read Next

Cyber Leaders Discuss a Common AI and Cyber Vision in LATAM

Industry, government, and civil society stakeholders from across Latin America, the EU, and U.S. convened in Colombia last month for a roundtable discussion "Towards a Common AI and Cyber Vision in LATAM," hosted by the Digi Americas Alliance.

Building Digital Solidarity: The New International Cyberspace and Digital Policy Strategy

U.S. State Department releases International Cyberspace & Digital Policy Strategy, building off the U.S. National Cybersecurity Strategy.

Event Recap - Advancing Risk Management: Cybersecurity, Privacy and AI

The CCPL hosted a half-day event during the RSA Conference in San Francisco featuring speakers from the NIST and the NCCoE to talk about the Cybersecurity, Privacy, and AI risk management frameworks.