Biden delivers updated take on security for critical infrastructure

Amid serious cyberattacks by Russian and Chinese threat actors, the Biden administration issued a new National Security Memorandum (NSM-22) to update Presidential Policy Directive 21 (PPD-21) from the Obama administration to secure and enhance the resilience of US critical infrastructure in “a comprehensive effort to protect US infrastructure against all threats and hazards, current and future.”

The NSM is a wide-ranging document that:

Places the Department of Homeland Security (DHS) at the forefront of the whole-of-government approach to secure US critical infrastructure by designating the Cybersecurity & Infrastructure Security Agency (CISA) as the National Coordinator for Security and Resilience to coordinate efforts.

Directs the US intelligence community, consistent with the goals outlined in the 2023 National Intelligence Strategy, to collect, produce, and share intelligence and information with federal departments and agencies, state and local partners, and the owners and operators of critical infrastructure.

Reaffirms the designation of 16 critical infrastructure sectors and of a federal department or agency as the Sector Risk Management Agency (SRMA) for each sector. Earlier this year, some discussion suggested expanding the 16 sectors to include new security terrains such as space.

Elevates the importance of minimum security and resilience requirements within and across critical infrastructure sectors, consistent with the National Cyber Strategy, which recognizes the limits of a voluntary approach to risk management in the current threat environment.

Changes in the threat environment prompted update

During a press call, Jen Easterly, the director of CISA, underscored the collaborative nature of the NSM-22. She emphasized the significant changes in the threat environment since the Obama administration and the US government’s substantial investments in protecting critical infrastructure.

“This NSM really builds on important work that has been happening across the government and, in particular, CISA and agencies, working with industry undertaking a partnership to ensure that we can understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day,” Easterly said, inviting all stakeholders to join in this crucial effort.

“What they’re doing with this policy is they’re updating the executive branch approach to critical infrastructure security resilience, working in partnership with the private sector and state local governments to advance this mission in the face of what they take to be the current threat environment,” Bob Kolasky, senior vice president for critical infrastructure at Exiger, tells CSO.

Kolasky, who was instrumental in implementing PPD-21 during his time in government, said the NSM also relies on “lessons learned from the previous policies, making sure that it is aligned to organize the federal government as effectively as possible to deal with today’s risks to critical infrastructure.” The NSM is the executive branch’s fourth iteration of a comprehensive policy to protect critical infrastructure. Before PPD-21, there was the Homeland Security Presidential Directive 7 in 2003 and the Presidential Decision Directive/NSC-63 in 1997.

Principles and objectives driving the NSM

The NSM cites eight core principles that drive it. First among these is a sense of shared responsibility, calling on government entities and the owners of critical infrastructure to come together in a “national unity of effort.” Related to this united effort is the principle that government regulatory and oversight entities “have a responsibility to prioritize establishing and implementing minimum requirements for risk management, including those requirements that address sector-specific and cross-sector risks.”

Among the other principles cited in the NSM is that critical infrastructure security and resilience require a risk-based approach that considers “all threats and hazards, likelihood, vulnerabilities, and consequences, including shocks and stressors.” 

Another value stressed in the NSM is the ever-important exchange of “timely and actionable” information between government organizations and the private sector to reduce risk. Easterly said during the press call that “CISA will continue to support the work of our partners across the US government by leveraging existing relationships, processes, and networks to share critical information and guidance and then provide additional guidance and resources to aid sector risk management agencies in the execution of the roles and responsibilities in the new NSM.”

CISA’s more defined role could bring the private sector to the table

The NSM more clearly defines and arguably expands CISA’s role within DHS. Among other things, CISA will coordinate with the SRMAs to fulfill “their roles and responsibilities and implement national priorities consistent with strategic guidance and the National Infrastructure Risk Management Plan (National Plan), as required by statute.”

CISA’s director also co-chairs, with a non-CISA SRMA official who serves a two-year term, the Federal Senior Leadership Council (FSLC), which under the NSM will “be the consensus-based body that coordinates and deconflicts the shared responsibilities and activities of Federal departments and agencies,” informed by engagement with the National Security Council.

The NSM also directs the development and maintenance of a non-public list of “systemically important entities” whose disruption or malfunction would cause significant and cascading negative impacts on national security. During the press call, Easterly said CISA had already begun working to establish this list, and a senior administration official said the list currently has fewer than 500 entities.

Although the federal government and the NSM can’t prescribe what private sector organizations should do, CISA must, by necessity, work closely with the private sector to develop the minimum requirements for risk management and the list of systemically important entities.

The private sector must be at the table “in defining what minimum requirements are and what it means to be a systemically important entity, what expectations are placed on systemically important entities, and what the relationship is between the government and systemically important entities,” Kolasky says.

Emphasis on water sector security

Perhaps because of the recent high-profile attacks on US water systems attributed to Iran, China, and Russia, the Biden administration emphasized the importance of the NSM in protecting this critical sector.

“The policy is particularly relevant today, given continued disruptive ransomware attacks, cyberattacks on US water systems by our adversaries,” Easterly said during the press briefing.

“Cybersecurity and climate change threats pose serious risks to the drinking water and wastewater services that people in this country rely on every day, and recent cyber-attacks on water systems underscore the urgency of increased and coordinated action to protect public health and the environment,” EPA Deputy Administrator Janet McCabe said.

Future actions in implementing the NSM

The NSM stipulates that within one year of its date and annually after that, on June 30, the Director of National Intelligence (DNI), in coordination with the intelligence community, must submit to the President a report on intelligence collection against threats to US critical infrastructure.

It also says that the DNI must submit to the President a report on intelligence and information sharing on threats to the US critical infrastructure with owners and operators and SRMAs annually.

Finally, within 12 months of the date of the NSM, the DNI must establish implementing guidance to ensure that the intelligence community, to the maximum extent possible, promptly notifies appropriate federal departments and agencies, including the FBI, CISA, and relevant SRMAs, when intelligence elements are aware of specific and credible threats to US critical infrastructure.

Another critical future step is to ensure that CISA has the budget to accomplish its new responsibilities in the NSM. “Saying CISA’s got more authority, saying that the sector risk management agencies have to do a more robust job of being sector risk management agencies, has to come with the budget and resources for them to do the robust job,” Kolasky says.
