
IST Statement on President Biden’s National Security Memorandum on Critical Infrastructure Security and Resilience

MAY 1, 2024 – The Institute for Security and Technology (IST) commends the Biden-Harris Administration for releasing this week its National Security Memorandum (NSM) 22 on Critical Infrastructure Security and Resilience, which provides a needed update to the decade-old Presidential Policy Directive (PPD) 21. Given the evolving and increasing threats and hazards to U.S. critical infrastructure, it is essential that the nation’s approach to protecting it continues to evolve and mature.

IST has long supported the nation’s security and resilience through efforts such as the Ransomware Task Force, and has launched new critical infrastructure-specific initiatives, such as its budding efforts on clean energy cybersecurity and its co-sponsorship of the industrial control systems (ICS)-focused Hack the Capital event with ICS Village. IST offers the following observations and reflections on NSM-22:

  • “National Coordinator” role. We note the memorandum clarifies and solidifies the Cybersecurity and Infrastructure Security Agency (CISA) as the National Coordinator for the security and resilience of critical infrastructure. While the Cybersecurity and Infrastructure Security Act of 2018 called on the CISA Director to “coordinate a national effort to secure and protect against critical infrastructure risks,” a lack of specificity in what this means or entails—particularly vis-à-vis the roles and responsibilities of other sector risk management agencies (SRMAs)—led to uncertainty. We welcome this clarity.
  • Designated accountable officials for each SRMA function. It might surprise some readers that, heretofore, a department or agency designated under law or policy as an SRMA might not have a designated senior official who is accountable for carrying out that responsibility and function. In some cases, the SRMA responsibilities might be spread across two or more offices, potentially resulting in paralysis when decisive action is needed and unnecessary escalation within the SRMA’s chain of command. We welcome this modest but needed reform, which requires each SRMA function be assigned to an accountable Assistant Secretary or above.
  • Systemically important entities. We note the memorandum builds on the intent of section 9 of President Obama’s Executive Order 13636 to pursue a risk-based approach by identifying and taking special measures to protect the critical infrastructure that is most essential. The U.S. Cyberspace Solarium Commission also brought focus to this idea and coined the term Systemically Important Critical Infrastructure, or “SICI” for short. IST also observes CISA’s earlier effort to go beyond looking at entities (i.e., organizations) and instead focus on the most important critical functions. We support these ideas and urge CISA, in close collaboration with SRMAs and critical infrastructure owners and operators, to urgently operationalize this approach.
  • Establishing and harmonizing minimum cybersecurity requirements. Consistent with themes in the National Cybersecurity Strategy and repeated statements from senior administration officials, the memorandum calls for critical infrastructure entities to maintain a minimum cybersecurity posture under regulation. Where the authority to regulate is lacking, it calls for the relevant agency to submit a legislative proposal to obtain such authority. While federal government regulations are not appropriate or desired in all circumstances, IST believes that ensuring the security and resilience of functions essential to national security, economic security, or public health and safety warrants a regulatory approach. In order to minimize the regulatory burden, IST supports the memorandum’s call for maximum cross-sector harmonization of requirements, leveraging consensus-based standards and best practices.
  • Increased intelligence focus on U.S. critical infrastructure. In light of nation-state threats to U.S. critical infrastructure called out in the U.S. Intelligence Community’s (IC’s) 2024 Annual Threat Assessment, including continued ransomware effects on critical entities like hospitals, it is essential that insights from the IC and law enforcement community are shared and actioned in a timely fashion. IST supports the memorandum’s call for defining sector-specific intelligence needs so the IC can know what is important in its collection, analysis, and production. Private sector owners and operators of critical infrastructure can, and should, inform this effort.
  • Stability in the nation’s cyber incident coordination approach. We appreciate the memorandum’s re-affirmation of PPD-41 on United States Cyber Incident Coordination, and in particular, the federal lead agency and cyber center responsibilities for threat and asset response activities. In our view, PPD-41 and the Cyber Incident Severity Schema have thus far stood the test of time and are not yet in need of revision.

On balance, NSM-22 represents an incrementalist approach to policy making, for instance maintaining the existing list of sectors and designated SRMAs. While this approach may leave some wanting bolder action, IST supports the Administration building on what has worked in the past while focusing its efforts on reforming and improving the areas most in need of it. We also encourage the Administration to invest further work in exploring ways to address the critical importance of the space domain to our communications infrastructure and national defense.