White House releases National Security Memorandum on critical infrastructure security and resilience

The U.S. White House announced Tuesday that President Joe Biden has signed a National Security Memorandum (NSM) to secure and enhance the resilience of the nation’s critical infrastructure sector. The move will replace a decade-old presidential policy document from President Barack Obama on critical infrastructure protection and launch a comprehensive effort to protect U.S. infrastructure against all threats and hazards, current and future.

The National Security Memorandum 22 (NSM-22) intends to refine and clarify the roles and responsibilities of the federal government for critical infrastructure security, resilience, and risk management while working on identifying and prioritizing critical infrastructure security and resilience based on risk and implementing a coordinated national approach to assess and manage sector-specific and cross-sector risk. 

It also intends to establish minimum requirements and accountability mechanisms for the security and resilience of critical infrastructure, including through aligned and effective regulatory frameworks; leverage federal government agreements, including grants, loans, and procurement processes, to require or encourage owners and operators to meet or exceed minimum security and resilience requirements; and enhance and improve the quality of intelligence collection and analysis addressing threats to critical infrastructure.

The federal move also seeks to improve the real-time sharing of timely, actionable intelligence and information at the lowest possible classification level among Federal, State, local, Tribal, territorial, private sector, and international partners to facilitate risk mitigation to critical infrastructure. 

It also aims to promote timely and cost-effective investments in technologies and solutions that mitigate risk from evolving threats and hazards to critical infrastructure and strengthen the security and resilience of critical infrastructure by engaging international partners and allies to build situational awareness and capacity, facilitate operational collaboration, promote effective infrastructure risk management globally, and develop and promote international security and resilience recommendations.

Federal departments and agencies shall implement this memorandum consistent with applicable law; presidential directives; and federal regulations, including those protecting privacy, civil rights, and civil liberties.

The NSM empowers the Department of Homeland Security to lead the whole-of-government effort to secure U.S. critical infrastructure, with the Cybersecurity and Infrastructure Security Agency (CISA) acting as the National Coordinator for Security and Resilience. The Secretary of Homeland Security will be required to submit to the President a biennial National Risk Management Plan that summarizes U.S. government efforts to manage risk to the nation’s critical infrastructure.

“Our nation’s critical infrastructure consists of the systems and services upon which Americans rely in their daily lives. From the banking system to the electric grid, from healthcare to our nation’s water systems and more, we depend on the safety and defense of our critical infrastructure as a matter of homeland and national security,” Alejandro N. Mayorkas, Secretary of Homeland Security, said in a media statement. “President Biden’s new National Security Memorandum empowers the Department of Homeland Security to lead our government’s efforts, alongside our Administration partners, to better confront the increasingly complex and frequent threats facing our critical infrastructure. Together, we will ensure America remains vigilant, secure, and resilient.”

The federal move also reaffirms the designation of 16 critical infrastructure sectors and a federal department or agency as the Sector Risk Management Agency (SRMA) for each sector. SRMAs have the day-to-day relationships and sector-specific expertise to lead risk management and coordination within the designated sectors. The Secretary of Homeland Security shall periodically evaluate the need for and approve changes to critical infrastructure sectors, and shall make recommendations to the President in accordance with statute and in consultation with the Assistant to the President and Homeland Security Advisor.

The sectors and SRMAs are:

  • Chemical: Sector Risk Management Agency: DHS
  • Commercial Facilities: Sector Risk Management Agency: DHS
  • Communications: Sector Risk Management Agency: DHS
  • Critical Manufacturing: Sector Risk Management Agency: DHS
  • Dams: Sector Risk Management Agency: DHS
  • Defense Industrial Base: Sector Risk Management Agency: DOD
  • Emergency Services: Sector Risk Management Agency: DHS
  • Energy: Sector Risk Management Agency: DOE
  • Financial Services: Sector Risk Management Agency: Department of the Treasury
  • Food and Agriculture: Co-Sector Risk Management Agencies: Department of Agriculture and Department of Health and Human Services (HHS)
  • Government Services and Facilities: Co-Sector Risk Management Agencies: DHS and GSA
  • Healthcare and Public Health: Sector Risk Management Agency: HHS
  • Information Technology: Sector Risk Management Agency: DHS
  • Nuclear Reactors, Materials, and Waste: Sector Risk Management Agency: DHS
  • Transportation Systems: Co-Sector Risk Management Agencies: DHS and Department of Transportation
  • Water and Wastewater Systems: Sector Risk Management Agency: Environmental Protection Agency

“We refuse to turn a blind eye to any risks facing our critical infrastructure, and today’s announcement strengthens President Biden’s whole-of-government approach to prepare for and mitigate against emerging threats and hazards to our energy infrastructure,” Jennifer M. Granholm, Secretary of Energy, said in a media statement. “The actions taken by the Biden-Harris Administration will support federal agencies, the intelligence community, and our stakeholders to be even more empowered to prioritize security as we build a resilient clean energy future.”

The NSM also directs the U.S. Intelligence Community, consistent with the goals outlined in the 2023 National Intelligence Strategy, to collect, produce and share intelligence and information with Federal departments and agencies, State and local partners, and the owners and operators of critical infrastructure. The NSM recognizes private sector owners and operators of critical infrastructure are often our first line of defense against adversaries who target the nation’s critical assets and systems.

The memorandum also elevates the importance of minimum security and resilience requirements within and across critical infrastructure sectors, consistent with the National Cyber Strategy, which recognizes the limits of a voluntary approach to risk management in the current threat environment.

When it comes to the implementation of the NSM, the administration laid down that except where otherwise directed by existing National Security Memoranda or Executive Orders, within 30 days of the date of this memorandum, SRMAs shall identify a senior leader who will serve as the primary representative to sectoral stakeholders for each respective sector and the day-to-day Coordinator of the SRMA Function. Also, within 45 days of the date of this memorandum, the Secretary of Homeland Security shall issue strategic guidance that provides national-level priorities and a format that SRMAs shall use in the development of their sector-specific risk assessments and sector-specific risk management plans.

Within 180 days of the date of this memorandum, SRMAs, in coordination with the National Coordinator, shall develop plans to execute the required roles and responsibilities of each SRMA to ensure a continuity of effort and the coordination of policy and resourcing requirements, the NSM prescribed. “The plans should detail how the identified senior leaders will have the sufficient expertise, support capacity, and access to resources to consistently execute the roles and responsibilities of an SRMA. Plans should include potential colocation options; an assessment of the current structure; detailed arrangements between DHS, SRMAs, and the IC; and other potential maturity models.”

It added that the National Coordinator, SRMAs, and other federal departments and agencies shall, as appropriate, also establish personnel exchanges through Memoranda of Understanding to develop subject matter expertise, interagency familiarity, and routine cross-pollination.

The NSM also laid down that within one year of the date of this memorandum, DHS, through CISA, shall officially establish or designate an office of the National Coordinator to serve as the single coordination point for SRMAs across the Federal Government. This office shall be distinct from the elements of CISA that carry out its SRMA functions and shall work with SRMAs to perform the duties of the National Coordinator, including managing the production of cross-cutting assessments, guidance, recommendations, and other priorities related to areas of significant cross-sector risk such as climate change and DCI. It shall also manage the process to identify and support systemically important entities.

This office shall also support SRMAs, as they work to execute the roles and responsibilities outlined in this memorandum, using DHS resources and authorities to help execute identified activities and achieve sector-level performance objectives, as appropriate. To the extent practicable, SRMAs will consider detailing sector-specific experts to this office for limited periods of time to enhance the national unity of effort. Alternatively, the National Coordinator will consider detailing representatives to SRMAs.

It also directed that within nine months of the date of this memorandum, and on a recurring basis biennially by February 1 of each year, each SRMA shall submit its sector-specific risk management plan to the Secretary of Homeland Security, based on guidance developed by DHS, through their Secretary or Agency Head. The plan shall be informed by the sector-specific risk assessment included as an annex.

Each SRMA shall conduct a preliminary interim sector-specific risk assessment for the initial 270-day deliverable, and, on a biennial basis thereafter, a more complete and robust risk assessment. For the first sector-specific risk assessment and risk management plan cycle, draft sector-specific risk assessments will be provided to the National Coordinator within 180 days of the date of this memorandum to inform the first cross-sector risk assessment.

The NSM also stipulated that within one year of the date of this memorandum, and on a recurring basis every two years thereafter by June 30 of each year, the Secretary of Homeland Security shall submit to the President and the Assistant to the President and Homeland Security Advisor the National Plan for approval. This plan shall be informed by sector-specific risk assessments and the cross-sector risk assessment.

Furthermore, within nine months of the date of this memorandum, as a one-time report, SRMAs and the National Coordinator shall submit to the Assistant to the President and Homeland Security Advisor a review of the available authorities, incentives, and other tools to encourage and require owners and operators to implement identified sector-specific or cross-sector minimum security and resilience requirements. The review should focus on identifying the most critical gaps in the federal government’s capacity to require and enforce minimum security and resilience requirements for critical infrastructure.

Also, within one year of the date of this memorandum, the Secretary of Homeland Security shall review the existing Critical Infrastructure Partnership Advisory Council framework for adequacy and make proposed changes. This shall include sector coordinating council requirements.

The NSM also directed that within 180 days of the date of this memorandum, and thereafter annually by September 30 of each year, the DNI, in coordination with the Secretary of Defense (acting through the Under Secretary of Defense for Intelligence and Security), the Director of the FBI, and the Secretary of Homeland Security (acting through the Under Secretary for Intelligence and Analysis), and in consultation with SRMAs, shall submit to the President an intelligence assessment on threats to U.S. critical infrastructure. The intelligence assessment shall be submitted to the President in classified form at the highest level of classification necessary to characterize the threats.

Also, within one year of the date of this memorandum, and thereafter annually by June 30 of each year, the DNI, in coordination with IC elements, shall submit to the President a report on intelligence collection against threats to U.S. critical infrastructure. The report will describe the collection and reporting for the prior year, including (by classification level) quantity, quality, and collection type; identify any intelligence gaps and offer recommendations on how they can be remedied; and analyze the extent to which such collection addresses the current threat, the President’s Intelligence Framework, and the NIPF, noting any opportunities for improvement.

The NSM also said that within 18 months of the date of this memorandum, and thereafter annually by June 30 of each year, the DNI, in coordination with IC elements, shall submit to the President a report on intelligence and information sharing on threats to United States critical infrastructure with owners and operators and SRMAs. The report will describe, at a strategic level, intelligence and information sharing for the prior year by all IC elements with those entities.

The DNI, the Secretary of Homeland Security, and SRMAs shall maximize the efficiency and effectiveness of U.S. government engagements with critical infrastructure owners and operators by ensuring they are coordinated and deconflicted, consistent with agencies’ authorities, third-party agreements, and protection of sources and methods.

To accomplish this, the DNI and the Secretary of Homeland Security shall jointly develop, within 180 days of the date of this memorandum, policies, procedures, and guidance to ensure, respectively, the full participation of SRMAs and IC elements in ensuring this outcome. Not later than 180 days after the completion of these guidance documents, the DNI shall institute an organizational approach, to include establishing or designating existing IC offices or elements, for coordinating the tracking of its engagements and information sharing with critical infrastructure owners and operators, and improve centralized reporting on these IC engagements, consistent with the protection of sources and methods and third-party agreements.

The NSM also stipulated that within 12 months of the date of this memorandum, the DNI shall establish implementing guidance to ensure all IC elements, to the maximum extent possible, timely notify appropriate federal departments and agencies, including the FBI, CISA, and relevant SRMAs, when IC elements are aware of specific and credible threats to U.S. critical infrastructure. This process shall be implemented in a manner consistent with the protection of sources and methods; investigations; Executive Order 12333; Executive Order 13636; applicable IC directives (including ICD-191); and authorities of the IC and its elements, as well as DHS.

Commenting on NSM-22, Roman Arutyunov, co-founder and senior vice president of products at Xage Security wrote in an emailed statement that “this rewrite is a monumental and much-needed move. It signifies major steps being taken to safeguard America’s critical infrastructure to diminish nation-state attacks and malicious actors from causing chaos and gaining access to our critical assets, systems, and networks.”

“However, I believe it’s a missed opportunity to not include space as a critical infrastructure sector,” Arutyunov added. “The administration has said they plan to revisit whether to add it to the list but, given the rising threats posed by near-peer competitors, we cannot afford to wait. After all, the Space Force was designed to protect our society and people – from the highest ground of any battlefield – and that cannot be done without the right foundations and regulations in place.”