Tuesday, May 21, 2024

A Critical Policy Update: What to Watch For in Implementation of NSM 22

Earlier this week, President Biden issued the long-anticipated successor document to Presidential Policy Directive 21 (PPD 21). This new policy, National Security Memorandum 22 (NSM 22), codifies his Administration’s policy toward Critical Infrastructure Security and Resilience and updates the policy approach to reflect the current critical infrastructure risk environment and the reality that digitalization and new technologies have fundamentally altered the operations of the Nation’s critical infrastructure. Its release was welcomed by the critical infrastructure community because it emphasizes the importance of the security and resilience requirement in the face of increased nation-state and criminal threats, and it aligns national policy with the Administration’s strategy on cybersecurity and other risks. In doing so, it also maintains a good deal of structural stability, which is crucially important to facilitate collaboration between the private sector, State and local governments, and the Federal government on these issues.

In November of 2022, I wrote 5 Ways to Update Critical Infrastructure Security and Resilience Policy in an Era of Strategic Risk about some of what I hoped the successor to PPD 21 might achieve, and for the most part I think the NSM met the goals I identified. While I may quibble with some omissions in the NSM, overall it is well done and represents the culmination of what seems to have been a successful interagency process. Like many Presidential policies, however, it leaves a good bit of work to be done as part of “policy implementation” in terms of planning, risk identification and assessment, and ultimately prioritized risk mitigation activities. As such, the homeland security and critical infrastructure community will need to remain engaged on these issues.

Amongst the upcoming efforts that are worth continuing to track:

  • The development of the National Infrastructure Risk Management Plan, as a successor to the National Infrastructure Protection Plan. This plan can further articulate the risk basis for critical infrastructure and set risk management goals for national, sector-based and regional risk. By doing so, it should reinforce the need for collaboration to address the risks and clarify the delta between what critical infrastructure owners and operators are responsible for and what is in the national interest. The Federal government plays an important role in bringing risk information to bear, setting incentives, and defending critical infrastructure from nation-state adversaries, but it is important to remember that risk management needs to be balanced with opportunity and take into account business and community needs.
  • Steps to address systemic risk. For the first time, through this NSM, critical infrastructure policy focuses on the reality that certain dependencies and technologies can cause systemic risk if they fail. This concept, borrowed from the financial sector, is intended to focus resilience efforts on things that can cause widespread cascading impacts, such as failure of cloud services, regional power or telecom outages, vulnerabilities in ubiquitous software or hardware, or concentrated supply shocks. Based on this policy, the government will endeavor to identify Systemically Important Entities, conduct the first-ever cross-sector risk assessment for critical infrastructure, and address “the most significant risks involving multiple sectors”. This sets a clear foundation for prioritizing certain critical infrastructure for security and resilience investments and for continuous monitoring of its health and stability.
  • The identification of Essential Critical Infrastructure workers. During the pandemic in 2020, for the first time, CISA worked with the interagency and the government to identify the types of workers that were essential for critical infrastructure functioning. That list was expansive and context-specific to the pandemic. In NSM 22, Sector Risk Management Agencies are tasked with doing that again in a way that is not scenario-specific. It will be worth watching what comes out of that effort and how such an identification is used to strengthen the labor pool.
  • Work to strengthen minimum security requirements. Recent cyber incidents have demonstrated that there are critical infrastructure sectors where baseline security requirements are not in place – or not met. Consistent with last year’s National Cybersecurity Strategy, NSM 22 calls for an evaluation of whether there are sufficient requirements for individual critical infrastructure sectors and whether they are being met; it also calls for using existing regulatory authorities, or pursuing additional authorities, to increase minimum security requirements where the government demonstrates they are needed.
  • Future change in the 16-Sector structure. NSM 22 carries through PPD 21’s Sector structure and designation of Sector Risk Management Agencies but leaves room for that to be revisited through the Secretary of Homeland Security. Worth watching, in particular, is whether the Secretary puts forward the idea that Space should be designated as a critical infrastructure sector in some manner. Doing so would send a message about the critical nature of securing space assets and collaborating with the companies that operate there and help deliver cross-sector functionality such as position, navigation and timing.
  • Publication of an Intelligence Community-driven Threat Assessment for critical infrastructure. This requirement, at both the classified and unclassified levels, gives the Director of National Intelligence an opportunity and a mandate to make public the threats to critical infrastructure in order to guide risk mitigation. This will be an important element of information sharing, as it will help maintain focus on security and resilience for the critical infrastructure that adversaries are actively looking to weaken.

NSM 22 is a policy written in an age of strategic competition between the United States and key adversaries, most prominently China and Russia. It recognizes that critical infrastructure security and resilience is a core national interest and that it is important that the country’s critical functions not serve as a strategic vulnerability, but instead as a source of strength. The United States must continue to strive to have the most dynamic economy and innovative suite of technologies in the world, and to do so the country has to invest in making sure that critical infrastructure, technologies, and supply chains are secure and resilient. The policy approach within NSM 22 recognizes that it takes a team effort and that prioritization, collaboration, and effective and efficient orchestration are key. That spirit needs to infuse the policy implementation work to come in order to maintain our country’s commitment to invest in the future.

Bob Kolasky
Bob Kolasky is the Senior Vice President for Critical Infrastructure at Exiger, LLC, a global leader in AI-powered supply chain and third-party risk management solutions. Previously, Mr. Kolasky led the Cybersecurity and Infrastructure Security Agency’s (CISA) National Risk Management Center. In that role, he oversaw the Center’s efforts to facilitate a strategic, cross-sector risk management approach to cyber and physical threats to critical infrastructure. As head of the National Risk Management Center, Mr. Kolasky had the responsibility to develop integrated analytic capability to analyze risk to critical infrastructure and to work across the national community to reduce risk. As part of that, he co-chaired the Information and Communications Technology Supply Chain Risk Management Task Force and led CISA’s efforts to support development of a secure 5G network. He also served on the Executive Committee for the Election Infrastructure Government Coordinating Council. Previously, Mr. Kolasky had served as the Deputy Assistant Secretary and Acting Assistant Secretary for Infrastructure Protection (IP), where he led the coordinated national effort to partner with industry to reduce the risk posed by acts of terrorism and other cyber or physical threats to the nation’s critical infrastructure, including election infrastructure. Mr. Kolasky has served in a number of other senior leadership roles for DHS, including acting Deputy Under Secretary for NPPD before it became CISA and Director of the DHS Cyber-Physical Critical Infrastructure Integrated Task Force to implement Presidential Policy Directive 21 on Critical Infrastructure Security and Resilience, as well as Executive Order 13636 on Critical Infrastructure Cybersecurity.