The Biden Administration released a new National Security Memorandum that aims to strengthen the U.S. critical infrastructure.

NSM-22 is an evolution of Presidential Policy Directive-21. Many of the new elements in the memo seek to bolster existing approaches, processes, and authorities. However, it does acknowledge that voluntary approaches to security and resiliency have not been successful enough, and that mandatory minimum requirements are necessary.

The memo also gives the Cybersecurity & Infrastructure Security Agency (CISA) clearer authority over critical infrastructure than in the past and better defines the roles of sector risk management agencies (SRMA) — the non-regulatory agencies that primarily work with the sector.

The new memo states that additional guidance is needed because of generational investment in infrastructure, new technologies, strategic and geopolitical competition, climate change, and other threats to critical infrastructure and the United States. Additionally, adversaries have shown a willingness to target critical infrastructure.

The memo calls for minimum security and resilience requirements with accountability and enforcement, including sector-specific goals. There will also be an effort to expand and improve public/private sector collaboration and international engagement, and to improve policy and regulatory harmonization.

There are eight policy principles in the memo. They include:

  • A shared responsibility model for critical infrastructure security and resilience.
  • An all-hazards, risk-based approach that considers the full scope and scale of dependencies.
  • The establishment and implementation of minimum requirements for risk management that address sector-specific and cross-sector risk, and that leverage existing guidance and standards, prioritize harmonization, complement public-private collaboration, and are both scalable and adaptable.
  • Robust accountability and enforcement mechanisms related to risk management.
  • Robust information exchange, including public-private information sharing and cooperation.
  • The effective use of all relevant government expertise and technical resources to mature the capacity and capability of each federally led effort to manage sector-specific risk, including ensuring a consistent experience for all stakeholders engaging with the government.
  • The continued strengthening of international engagement and collaboration.
  • Policy alignment so that critical infrastructure efforts are fully integrated and coordinated with complementary Federal policies and frameworks.

The objectives of NSM-22 include:

  • Clarifying the roles and responsibilities of the federal government.
  • Coordinating a risk-based national approach to critical infrastructure security and resiliency.
  • Establishing minimum security/resiliency requirements and accountability mechanisms with aligned/harmonized regulations.
  • Leveraging government processes to incentivize adoption of security/resiliency requirements.
  • Improving critical infrastructure threat intelligence and analysis.
  • Improving information sharing.
  • Promoting risk-mitigating technology investments.
  • Engaging international partners to build out risk management and promote security/resiliency.

The Secretary of Homeland Security is to submit to the president a National Infrastructure Risk Management Plan every two years. This plan is to be informed by individual sector-specific risk assessments and risk management plans, and a cross-sector risk assessment. SRMAs are to develop the sector-specific risk assessments and sector-specific risk management plans, and the National Coordinator is to develop the cross-sector risk assessment in coordination with SRMAs.

Additionally, NSM-22 directs the National Coordinator for Cybersecurity to “regularly identify organizations that own, operate, or otherwise control critical infrastructure.” This will inform a non-public list of Systemically Important Entities (SIE) that will also “be informed by inputs received from SRMAs and other Federal departments and agencies.” This SIE list will help the government prioritize its activities.

The full memo text can be found here.

Ari Schwartz & Tim McGiff
