President Biden today signed a new national security memorandum (NSM) that aims to better protect U.S. critical infrastructure sectors by enlisting U.S. intelligence agencies to ramp up their sharing of threat data across multiple levels of government and with private-sector critical infrastructure providers.

The new NSM also places additional emphasis on creating “minimum security and resilience requirements within and across” critical infrastructure sectors but does not appear to offer a precise roadmap for any particular sector.

That fresh emphasis on security and resilience is consistent with the White House’s National Cybersecurity Strategy issued in March 2023. The White House emphasized today that the national cyber strategy “recognizes the limits of a voluntary approach to risk management in the current threat environment.”

The new NSM updates an 11-year-old presidential policy document on critical infrastructure protection, and according to the White House, launches “a comprehensive effort to protect U.S. infrastructure against all threats and hazards, current and future.”

Among other steps, the updated policy cements in place the central roles of the Department of Homeland Security (DHS) and its Cybersecurity and Infrastructure Security Agency (CISA) component – which did not exist when the prior policy document was issued – in critical infrastructure protection.

The White House said the new NSM “empowers” DHS “to lead the whole-of-government effort to secure U.S. critical infrastructure,” with CISA acting as the National Coordinator for Security and Resilience. The NSM requires DHS to create biennial national risk management plans for critical infrastructure.

The new document also reaffirms the current official designation by DHS of 16 U.S. critical infrastructure sectors. It keeps the current lineup of Federal agencies as the sector risk management agencies (SRMAs) for each of those 16 sectors. DHS remains the sector risk management agency for 8 of the 16 sectors.

Notably, the new NSM does not create any new official designations of critical infrastructure sectors – resisting calls in recent years for designation of the space and cloud computing sectors as additional, separate critical infrastructure sectors.

Driving the Policy

The White House said that both nation-state threats and natural hazards are driving its thinking in the new NSM.

“The nation faces an era of strategic competition in which nation-state actors will continue to target American critical infrastructure – and tolerate or enable malicious activity conducted by non-state actors,” the White House said.

“In the event of crisis or conflict, America’s adversaries may attempt to compromise our critical infrastructure to undermine the will of the American public and impede the functioning of the economy and projection of U.S. military power abroad,” it said. “Resilience, particularly for our most sensitive assets and systems, is the cornerstone of homeland defense and security.”

“Further, the growing impact of climate change, including changes to the frequency and intensity of natural hazards, as well as supply chain shocks and the potential for instability, conflict, or mass displacement, places a strain on the infrastructure that Americans depend upon for their lives and livelihoods,” the White House said. “This NSM seeks to fulfill the U.S. government’s sacred obligation to the American people to protect our infrastructure and the prosperity and security of the nation.”

Positive Industry Reaction

“It’s a welcome modernization of existing critical infrastructure, policy and directives,” commented Matt Hayden, who is vice president of General Dynamics Information Technology’s Intelligence and Homeland Security Division, but one that also “misses out on an opportunity to expand critical infrastructure sectors to innovative areas such as space and cloud.”

Hayden, who was assistant secretary for cyber, infrastructure, risk, and resilience at DHS from 2020 to 2021, said the new NSM “builds on the reputation and creation of CISA as well as the 2023 intelligence strategy and incorporates the White House’s cybersecurity plan in ways to improve resilience across these critical sectors.”

“This plan makes no hiding of the fact that they have an active threat from nation-state adversaries to include China, Russia, Iran, and North Korea, but not to leave out ransomware and criminal actors as well,” he said.

“That necessary transparency is required to both offer proactive and reactive techniques and resilience measures as outcomes, as well as to inform the whole of government for strategic deterrence and that impose-costs side of the equation,” he continued. “They can’t respond in kind if they don’t know what to respond to, and so transparency is key, and it puts that obligation on the government once transparency is received to act on those measures.”

Intel Community Role

The White House said the new NSM “directs the U.S. Intelligence Community, consistent with the goals outlined in the 2023 National Intelligence Strategy, to collect, produce and share intelligence and information with Federal departments and agencies, state and local partners, and the owners and operators of critical infrastructure.”

“The NSM recognizes private sector owners and operators of critical infrastructure are often our first line of defense against adversaries who target the Nation’s most critical assets and systems,” the White House said.

More broadly on the intel sharing front, the White House said “the appropriate sharing of timely, actionable information, which may include relevant classified and unclassified intelligence and law enforcement sensitive information, among Federal, state, local, Tribal, and territorial entities; owners and operators; and other relevant stakeholders, is essential for effective risk management.”

“The Federal government will support a robust information sharing environment and public-private cooperation that enables actions and outcomes that reduce risk,” the White House said.

Among other requirements, the new NSM says that the U.S. intelligence community, “led by the Director of National Intelligence (DNI), shall coordinate with DHS and SRMAs to identify critical infrastructure owner and operator intelligence needs.”

“The IC shall provide intelligence to the National Coordinator and SRMAs regarding threats to critical infrastructure and coordinate on intelligence and other sensitive or proprietary information related to critical infrastructure, as appropriate,” the White House said.

“In the event of significant cyber incidents involving critical infrastructure, the DNI, acting through the Director of the Cyber Threat Intelligence Integration Center, shall carry out its responsibilities as the Federal lead agency for intelligence support and related activities” under Presidential Policy Directive 41 issued in 2016 and covering cyber incident coordination, the White House said.

Minimum Resilience Requirements

The new NSM calls for the use of “minimum requirements” for critical infrastructure security and resilience but does not appear to dictate precisely what those requirements should be or order their enforcement.

“Federal, state, local, Tribal, and territorial regulatory and oversight entities have a responsibility to prioritize establishing and implementing minimum requirements for risk management, including those requirements that address sector-specific and cross-sector risk,” the White House said, adding, “these requirements should also leverage existing guidance where applicable.”

“Regulatory frameworks should be risk- and performance-based when feasible; informed by existing requirements, standards, and guidelines; aligned to reduce unnecessary duplication; complementary to voluntary public-private collaboration; and scalable and adaptable to an evolving risk environment,” the White House said.

“Requiring and enforcing minimum resilience and security requirements and recommendations that direct building resilience into critical infrastructure assets and systems upfront, and by-design, shall be a primary responsibility of the Federal government,” it said.

John Curran is MeriTalk's Managing Editor covering the intersection of government and technology.