The White House issued National Security Memorandum-22 updating an Obama-era policy for how agencies oversee and manage 16 critical infrastructure sectors.
Incidents like Volt Typhoon and the dramatic increase of ransomware attacks against U.S. critical infrastructure is spurring new White House action.
President Joe Biden today signed National Security Memorandum-22 to codify the Cybersecurity and Infrastructure Agency’s roles in overseeing and working with critical infrastructure providers, and to bring the analytics capabilities of the Intelligence Community further into the defense of these sectors.
“The NSM takes several important new action first, empowers the Department of Homeland Security to lead a whole of government effort to secure U.S. critical infrastructure with the Cybersecurity and Infrastructure Security Agency acting as the national coordinator for the security and resilience of U.S. critical infrastructure. As part of this new responsibility, the secretary of Homeland Security will be required to submit to the President a biennial National Risk Management Plan that summarizes US government efforts to mitigate risks to the nation’s critical infrastructure,” said Caitlin Durkovich is the special assistant to the President and deputy homeland security advisor for resilience and response at the White House’s National Security Council (NSC), during a press briefing with reporters yesterday. “Second, it directs the US intelligence community, consistent with the goals outlined in the 2023 National Intelligence strategy, to collect, produce and share intelligence and information with the owners and operators of critical infrastructure. The NSM recognizes private sector owners and operators of critical infrastructure are often our first line of defense against adversaries who target the nation’s most critical assets and systems.”
The NSM replaces one signed by President Barack Obama in 2013, which established the 16 critical infrastructure sectors and set up initial information sharing and collaboration efforts. It also came before DHS created CISA, then called the National Protection and Programs Directorate (NPPD).
Jen Easterly, the director of CISA, said the threat environment has dramatically changed over the last decade and her agency’s role is continuing to evolve.
“This NSM really builds on important work that has been happening across the government, and in particular CISA and agencies, working with industry, undertaking a partnership to ensure that we can understand manage and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day,” Easterly said. “For CISA, the NSM means three things. First, CISA’s role as national coordinator, which really reinforces what was in the CISA statute of 2018, and this responsibility requires CISA to coordinate that national effort to secure and protect critical infrastructure by coordinating with the sector risk management agencies (SRMA) with relevant departments and agencies, the private sector, state and local partners to reduce risks at scale. Second, CISA serves as an SRMA a itself providing institutional knowledge and specialized expertise to the eight critical infrastructure sectors, and one sub sector and that includes chemical commercial facilities, critical manufacturing, emergency services, information technology, communication, dams, nuclear and then of course, the election sub sector. Finally, CISA will continue to support the work of our partners across the government by leveraging existing relationships and processes and networks to share critical information and guidance, and then provide additional guidance and resources to aid sector risk management agencies in the execution of the roles and responsibilities in the new NSM.”
CISA and agencies ranging from the departments of Energy, Treasury and Health and Human Services as SRMAs, are busier than ever in helping critical infrastructure sector owners and operators protect their systems and networks.
The FBI reported that in 2023 its Internet Crime Complaint Center (IC3) received 1,193 complaints from organizations belonging to a critical infrastructure sector that were affected by a ransomware attack. Of the 16 critical infrastructure sectors, IC3 reporting indicated 14 sectors had at least one member that fell to a ransomware attack in 2023.
The FBI says the healthcare sector suffered the most attacks, 249 last year, while critical manufacturing and government services saw the next highest number of attacks.
Meanwhile, CISA, the FBI and the National Security Agency (NSA) released an advisory in February that People’s Republic of China (PRC) state-sponsored cyber actors, known as Volt Typhoon, are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against critical infrastructure in the event of a major crisis or conflict with the United States.
The memo details 13 short and long term deadlines for agencies to meet over the next 18 months. These include the SRMAs naming a primary representative to sectoral stakeholders, who is responsible for the day-to-day coordinating of the SRMA function, within 30 days, and within a year, CISA will establish or designate an office of the national coordinator to serve as the single coordination point for SRMAs across the government.
Easterly said given these and other growing threats, CISA has taken several steps over the last few years that the NSM reinforces. She said CISA already re-established the Federal Senior Leadership Council to help improve interagency collaboration.
“We’ve already provided guidance and templates to sector risk management agencies to use and create sector risk assessments and sector specific risk management plans. These are resources for SMRAs to meet the requirements laid out in the NSM,” she said. “In our role as national coordinator, we’ve begun the work to establish systemically important entities that critical infrastructure which is prioritized based on the potential for disruption or malfunction to cause nationally significant and cascading negative impacts to national security and economic security or public health and safety, and that SIE list will inform prioritization of federal activities including risk mitigation efforts and other operational resources to non-federal entities.”
The memo outlines 10 roles for CISA. Many of them aren’t new to the agency, like providing cyber expertise to critical infrastructure providers or coordinate with SRMAs. But a senior administration official said the memo does more than reinforce statutory authorities.
“I think it really puts a spotlight on the fact that as critical infrastructure has evolved, given the highly interdependent, highly connected, highly digitized, and frankly, highly vulnerable nature of the critical infrastructure that Americans rely on every hour of every day,” the official said. “So having a coordinating element to really manage that cross sector risk and drive down that cross sector risk, I think it’s incredibly important to the security of the nation.”
A second senior administration official added the memo highlights CISA’s role in working closely with sector risk management agencies to assess risks within and across sectors.
“The NSM is directing the sector risk management agencies to assess whether current and existing minimum requirements sufficiently address the vulnerabilities in their sectors,” the official said. “These requirements are going to be developed, or need to be developed, in close coordination with the owners and operators of that infrastructure to ensure they are appropriate and proportionate to the vulnerability if an SRMA feels that it does not have the tools or authorities necessary to ensure effective implementation of those requirements, we have built in a process to help the SRMA a be able to fold the sector accountable and if need be develop those minimum requirements.”
The memo lays out 12 roles for sector risk management agencies, including the need to share and receive information and intelligence directly with critical infrastructure owners and operators in their respective sectors, as appropriate and in coordination with the IC, and to serve as the lead federal agencies for certain domestic incidents primarily impacting their respective sectors.
One common challenge over the last decade is getting security clearances for critical infrastructure providers’ employees so they can receive classified or otherwise sensitive threat information.
The first senior administration official said CISA has taken several steps to solve this problem, especially as the Russian invasion of Ukraine started in 2022. The official also said the intelligence community has also done more to declassify threat information so it can be shared more quickly.
The second administration official added that the memo provides additional tasks for the Office of the National Coordinator of Intelligence (ODNI).
The memo requires ODNI must provide the President with an intelligence assessment on critical infrastructure within 180 days.
“We will work to share that with the owner and operator community, but also to provide the President with a report on information in an intelligence sharing,” the official said. “As part of that, ODNI is to work with CISA and the sector risk management agencies to develop a system for streamlining and coordinating outreach to an engagement with the owners and operators of infrastructure by developing policy procedure and guidance on these topics. We have a lot of instructive emerging practices and lessons learned from what has happened in the first three years of this administration, that is we work to develop, those policies and procedures will be accounted for really, again, with the goal of making sure that those that are managing the risk to critical infrastructure and are on the frontlines, have the intelligence and the information that they need to know to make investments to invest in mitigation actions so we can adequately ensure the security and the resilience of these critical assets and systems.”
Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
Jason Miller is executive editor of Federal News Network and directs news coverage on the people, policy and programs of the federal government.
Follow @jmillerWFED