Earlier this week, President Biden issued the long-anticipated successor document to Presidential Policy Directive 21 (PPD 21). This new policy, National Security Memorandum 22 (NSM 22), codifies his Administration's policy toward Critical Infrastructure Security and Resilience and updates the policy approach to reflect the current critical infrastructure risk environment and the reality that digitalization and new technologies have fundamentally altered the operations of the Nation's critical infrastructure. Its release was welcomed by the critical infrastructure community because it emphasizes the importance of the security and resilience requirement in the face of increased nation-state and criminal threats, and it aligns national policy with the Administration's strategy on cybersecurity and other risks. In doing so, it also maintains a good deal of structural stability, which is crucially important to facilitate collaboration between the private sector, State and local governments, and the Federal government on these issues.
In November of 2022, I wrote 5 Ways to Update Critical Infrastructure Security and Resilience Policy in an Era of Strategic Risk about some of what I hoped the successor to PPD 21 might achieve, and for the most part I think the NSM met the goals I identified. While I may quibble with some omissions in the NSM, overall it is well done and represents the culmination of what seems to have been a successful interagency process. Like many Presidential policies, however, it leaves a good bit of work to be done as part of "policy implementation": planning, risk identification and assessment, and ultimately prioritized risk mitigation activities. As such, the homeland security and critical infrastructure community will need to remain engaged on these issues.
Among the upcoming efforts worth continuing to track:
- The development of the National Infrastructure Risk Management Plan, as a successor to the National Infrastructure Protection Plan. This plan can further articulate the risk basis for critical infrastructure and set risk management goals for national, sector-based and regional risk. By doing so, it should reinforce the need for collaboration to address those risks and clarify the delta between what critical infrastructure owners and operators are responsible for and what is in the national interest. The Federal government plays an important role in bringing risk information to bear, setting incentives, and defending critical infrastructure from nation-state adversaries, but it is important to remember that risk management needs to be balanced with opportunity and take into account business and community needs.
- Steps to address systemic risk. For the first time, through this NSM, critical infrastructure policy focuses on the reality that certain dependencies and technologies can cause systemic risk if they fail. This concept, borrowed from the financial sector, is intended to focus resilience efforts on things that can cause widespread cascading impacts, such as failure of cloud services, regional power or telecom outages, vulnerabilities in ubiquitous software or hardware, or concentrated supply shocks. Based on this policy, the government will endeavor to identify Systemically Important Entities, conduct the first-ever cross-sector risk assessment for critical infrastructure, and address "the most significant risks involving multiple sectors". This sets a clear foundation for prioritizing certain critical infrastructure for security and resilience investments and for continuous monitoring of its health and stability.
- The identification of Essential Critical Infrastructure workers. During the pandemic in 2020, for the first time, CISA worked across the interagency to identify the types of workers that were essential for critical infrastructure to function. That list was expansive and specific to the pandemic context. In NSM 22, Sector Risk Management Agencies are tasked with doing that again in a way that is not scenario-specific. It will be worth watching what comes out of that effort and how such an identification is used to strengthen the labor pool.
- Work to strengthen minimum security requirements. Recent cyber incidents have demonstrated that there are critical infrastructure sectors where baseline security requirements are not in place, or are not met. Consistent with last year's National Cybersecurity Strategy, NSM 22 calls for an evaluation of whether there are sufficient requirements for individual critical infrastructure sectors and whether they are being met; it also calls for using existing regulatory authorities, or pursuing additional authorities, to raise minimum security requirements where the government demonstrates they are needed.
- Future change in the 16 Sector structure. NSM 22 carries through PPD 21's Sector structure and designation of Sector Risk Management Agencies but leaves room for that to be revisited through the Secretary of Homeland Security. Worth watching, in particular, is whether the Secretary puts forward the idea that Space should be designated as a critical infrastructure sector in some manner. Doing so would send a message about the critical nature of securing space assets and of collaborating with the companies that operate there and help deliver cross-sector functions such as positioning, navigation and timing.
- Publication of an Intelligence Community-driven Threat Assessment for critical infrastructure. This requirement, at both the classified and unclassified levels, gives the Director of National Intelligence an opportunity and a mandate to make public the threats to critical infrastructure in order to guide risk mitigation. This will be an important element of information sharing, as it will help maintain focus on security and resilience for the critical infrastructure that adversaries are actively looking to weaken.
NSM 22 is a policy written in an age of strategic competition between the United States and key adversaries, most prominently China and Russia. It recognizes that critical infrastructure security and resilience is a core national interest and that it is important that the country's critical functions not serve as a strategic vulnerability, but instead as a source of strength. The United States must continue to strive to have the most dynamic economy and the most innovative suite of technologies in the world, and to do so the country has to invest in making sure that critical infrastructure, technologies, and supply chains are secure and resilient. The policy approach within NSM 22 recognizes that this takes a team effort and that prioritization, collaboration, and effective and efficient orchestration are key. That spirit needs to infuse the policy implementation work to come, to maintain our country's commitment to invest in the future.