CISA outlines forward-looking National Plan for critical infrastructure security and resilience

After the release of National Security Memorandum 22 (NSM-22) by U.S. President Joe Biden in April, the Cybersecurity and Infrastructure Security Agency (CISA), acting as the National Coordinator for critical infrastructure security and resilience, will craft the 2025 National Infrastructure Risk Management Plan (National Plan). The plan will utilize federal tools, resources, and authorities to mitigate national-level risks, including those affecting critical infrastructure sectors. CISA will collaborate with partners and other Sector Risk Management Agencies (SRMAs) throughout the year to develop this essential document.

“Building off the priorities of NSM-22, the 2025 National Plan will articulate how the U.S. government will collaborate with partners to identify and manage national risk. This will be an evolution from the 2013 National Plan which described risk management as ‘the cornerstone’ to strengthening critical infrastructure security and resilience,” Jen Easterly, director at CISA, wrote in a Wednesday blog post. “Eleven years later, the spirit of this concept holds true; yet it must evolve due to pervasive vulnerabilities and an elevated threat landscape, which could lead to cascading regional and national consequences.” 

Easterly highlighted that over that same decade, Congress and successive administrations have established new agencies, authorities, and collaborative partnerships that empower a whole-of-society approach to national risk management. “As the National Coordinator, CISA will be the primary driver for operationalizing this approach through the National Plan,” she added.

NSM-22 details a new risk management cycle that requires SRMAs to identify, assess, and prioritize risk within their respective sectors and develop sector risk management plans to address those risks. With these risk assessments and risk management plans, CISA will identify and prioritize systemic, cross-sector, and nationally significant risk through a cross-sector risk assessment. This assessment will enable CISA to prioritize systemic risk reduction efforts—detailed in the National Plan—that the U.S. government will take in collaboration with relevant federal, state and local, private, and international partners.

Most importantly, the National Plan will recognize that the U.S. government cannot make all critical infrastructure immune from all threats and hazards. Rather, it will detail U.S. government efforts to make critical infrastructure resilient against prioritized risks based on the 16 sectors’ risk assessments and CISA’s cross-sector risk assessments. All the while, CISA and other federal partners will work closely with SRMAs to manage their unique sector risks.

This will be a fundamentally new approach to U.S. government risk management. In this era of technological advancements and dynamic global volatility, the security and resilience of critical infrastructure are of paramount importance. Essential systems, including energy grids, water systems, transportation networks, healthcare facilities, and communication systems, are vital for public safety, economic stability, and national security. 

The increasing interconnectivity of critical infrastructure systems, reliance upon global technologies and supply chains, and geopolitical tensions make these systems susceptible to a myriad of threats. Addressing these risks will require a coordinated national effort by federal agencies, State, Local, Tribal, and Territorial (SLTT) governments, infrastructure owners and operators, and other stakeholders across the critical infrastructure community.

As those responsible for the security and resilience of U.S. critical infrastructure, we must collectively address emergent risks and an uncertain future while remaining vigilant against long-standing threats like terrorism, natural disasters, and targeted violence. Indeed, trusted, sustained, and effective partnerships between the federal government and private-sector and SLTT partners are the foundation of collective effort to protect the nation’s critical infrastructure. 

Easterly noted that “the 2025 National Plan will not succeed unless our partners collaborate with us to inform its development and its eventual implementation. We ask that you work with your respective SRMAs through the development of your sector risk assessments and sector risk management plans, as these will be core inputs into the National Plan.”

Earlier this month, CISA published its Encrypted Domain Name System (DNS) Implementation Guidance for federal civilian executive branch (FCEB) agencies to meet encryption requirements for DNS traffic and enhance the cybersecurity resilience of their IT networks. The guidance aligns with the Office of Management and Budget (OMB) Memorandum M-22-09 and the Zero Trust principles of the National Cybersecurity Strategy. It provides FCEB agencies with direction on implementing encrypted DNS protocols in line with M-22-09, emphasizing the advancement of the U.S. government towards zero trust cybersecurity principles.