By Cam Sivesind
Tue | Apr 30, 2024 | 3:21 PM PDT

In a comprehensive National Security Memorandum (NSM), President Joe Biden has outlined his administration's strategy for strengthening the security and resilience of United States critical infrastructure against threats like cyberattacks, natural disasters, and climate change.

The memorandum designates 16 critical infrastructure sectors—such as energy, transportation, healthcare—and outlines roles and responsibilities for relevant federal agencies to identify and mitigate risks within each sector.

Key elements of the new strategy include:

  • Designating a "Sector Risk Management Agency" (SRMA) to lead risk management efforts for each critical infrastructure sector, such as the Department of Homeland Security (DHS) for communications and the Department of Energy (DOE) for energy
  • Requiring SRMAs to produce biennial sector-specific risk assessments and risk management plans that establish minimum security and resilience requirements
  • Directing DHS, through its Cybersecurity and Infrastructure Security Agency (CISA), to coordinate the overall national risk management effort as the "National Coordinator"
  • Mandating development of a National Infrastructure Risk Management Plan that synthesizes sector-level inputs to manage cross-sector risks
  • Improving intelligence sharing and collection related to threats against critical infrastructure between agencies and with the private sector
  • Identifying a list of "Systemically Important Entities" whose disruption could cause cascading national impacts, prioritizing federal resources

The strategy represents a major step toward unifying critical infrastructure security efforts across the federal government and compiling minimum cybersecurity baselines and other protective standards that could be backstopped by regulation.

It aims to enhance cross-sector risk management as critical infrastructure grows more interdependent. The White House is also emphasizing more robust information sharing as a core component.

"The United States is facing complex cyber threats. As we continue to become even more reliant on technology, this threat will only increase," said Michael Gregg, CISO for the State of North Dakota. "Highlighting this risk and building plans to test resilience via tabletops and testing will help us be better prepared. Expanding threat intelligence sharing between these 16 critical infrastructure sectors is a good next step, as it will help build a more robust response capability."

Scott Margolis, CISO for Massachusetts Bay Transportation Authority, offered his perspective:

"The real benefit of the Executive Order is the emphasis on a harmonized and risk-based approach to safeguarding critical infrastructure. Truly a transformational approach for our Federal Partners and the Executive branch in continuing to support us in this rapidly evolving cyber landscape. This approach ensures a consistent and actionable strategy across various sectors and agencies, enabling us to effectively respond to an increasing volume of sophisticated threats. By aligning efforts and resources, prioritizing based on risk, and fostering strong public-private partnerships, we enhance our capacity to protect critical transit systems against emerging threats, ensuring safety and continuity in our services. This unified approach not only increases our resilience but also streamlines our response mechanisms, making them more effective and timely."

Oren Koren, Co-founder and CPO at Veriti, shared his thoughts:

"I believe that under the new Biden administration's strategy, we will see a focus on three major areas that will add significant value:

  • Service Providers: New service organizations, certified by the government, will be formed to oversee operations and will require a blend of manpower and automation. Currently, this manpower is represented by MSSPs and MDRs.
  • Automation: These service organizations, mostly government and MSSPs, will consolidate various solutions to effectively achieve their objectives.
  • Data aggregation: It will be essential for each company to share its data—logs, alerts, and insights—at a centralized location.
  • A critical concern is that this central aggregator could become a prime target for adversaries. If an attacker aims to harvest data for a cyber attack, their primary challenge would be to breach this central node—effectively, the 'holy grail.' Ensuring the security of this data will be the foremost priority of the organization."

The memorandum identifies 16 critical infrastructure sectors and designates associated Sector Risk Management Agencies (SRMAs). In some cases, co-SRMAs are designated where multiple departments share the roles and responsibilities of the SRMA. The Secretary of Homeland Security shall periodically evaluate the need for and approve changes to critical infrastructure sectors, and shall make recommendations to the President in accordance with statute and in consultation with the Assistant to the President and Homeland Security Advisor. The sectors and SRMAs are as follows:

  • Chemical
    Sector Risk Management Agency: DHS
  • Commercial Facilities
    Sector Risk Management Agency: DHS
  • Communications
    Sector Risk Management Agency: DHS
  • Critical Manufacturing
    Sector Risk Management Agency: DHS
  • Dams
    Sector Risk Management Agency: DHS
  • Defense Industrial Base
    Sector Risk Management Agency: Department of Defense (DOD)
  • Emergency Services
    Sector Risk Management Agency: DHS
  • Energy
    Sector Risk Management Agency: DOE
  • Financial Services
    Sector Risk Management Agency: Department of the Treasury
  • Food and Agriculture
    Co-Sector Risk Management Agencies: Department of Agriculture and Department of Health and Human Services (HHS)
  • Government Services and Facilities
    Co-Sector Risk Management Agencies: DHS and General Services Administration (GSA)
  • Healthcare and Public Health
    Sector Risk Management Agency: HHS
  • Information Technology
    Sector Risk Management Agency: DHS
  • Nuclear Reactors, Materials, and Waste
    Sector Risk Management Agency: DHS
  • Transportation Systems
    Co-Sector Risk Management Agencies: DHS and Department of Transportation
  • Water and Wastewater Systems
    Sector Risk Management Agency: Environmental Protection Agency

CISA added this commentary in its overview of the White House memorandum:

"CISA has already been working toward the goals of the NSM. We have already re-established the Federal Senior Leadership Council, which has made impressive strides through the FSLC's robust collaboration model toward meeting our shared goals. When the FSLC was re-chartered, the group not only took on new authorities, but a heavy lift to inform how we define, modernize, and protect our critical infrastructure sectors.

We have already completed the first assessment of sector designations. Through a transparent, iterative, and collaborative process, the FSLC evaluated the current 16 critical infrastructure sectors and considered potential new sectors; changing the scope of various other sectors; and removing or moving various subsectors within existing sectors. The FSLC achieved consensus among its 30 member Departments and Agencies on the recommendations for the first time since the sectors were established in PPD-21 in 2013. This updated sector structure was presented to the President in late 2023 and is reflected in the sectors listed in the NSM."

While implementation will take years, the new critical infrastructure directive overhauls U.S. policies not substantially updated in a decade and signals the Biden Administration's prioritization of this issue among pressing national security imperatives.

More from CISA on Systemically Important Entities (SIEs):

"Finally, as the National Coordinator, CISA has already begun the work to establish Systemically Important Entities (SIE). As described in the NSM, SIEs are critical infrastructure which is prioritized based on the potential for its disruption or malfunction to cause nationally significant and cascading negative impacts to national security (including national defense and continuity of government), national economic security, or national public health or safety. The SIE list will inform prioritization of Federal activities, including risk mitigation information and other operational resources to non-Federal entities. The list of SIEs developed pursuant to this NSM, and subsequent updates, will strengthen our understanding and prioritization of those functions that Americans rely on every day and satisfy the requirement for the Secretary of Homeland Security to develop the list described in Section 9 of Executive Order 13636."
