New cyber plans for critical infrastructure could be ready early next year

The Biden administration has sought to set minimum cyber standards for critical infrastructure, but faced pushback in some cases, including at the EPA.

The Biden administration, having struggled in some cases to set cybersecurity requirements for critical infrastructure, sees a new plan for minimum cyber standards coming together by early 2025.

That’s according to Caitlin Durkovich, special assistant to the president and deputy homeland security advisor for resilience and response. During an event on Thursday hosted by the ICS Village, Durkovich spoke about the Biden administration’s efforts to implement a recently signed national security memorandum on critical infrastructure security.

“One of the reasons that we pushed so hard to make sure this NSM was signed out when it was, was so we had some runway to drive the implementation,” Durkovich said. “The president essentially signed it 270 days until the end of his first term. We wanted that first term to be able to implement the majority of actions.”

“And so we should, by the end of January of next year, have a good sense of where we need to go in the minimum standards path,” she said.

The memorandum requires sector risk management agencies to develop new “sector risk management plans” in coordination with the Cybersecurity and Infrastructure Security Agency.

“One of the requirements will be if there is not a minimum or baseline standard, then as part of that sector risk management plan, come back with recommendations or a path forward for how they’re going to get there,” Durkovich said.

In some cases, agencies could recommend new cybersecurity regulations.

“The challenge with regulation is that regulation making is not a fast process,” Durkovich added. “And when I say not fast, I’m not saying months, I’m saying years, to get regs done. Or whether we can work with Congress — what’s the best path to drive some sort of minimum standard into these critical sectors?”

While some of the 16 critical infrastructure sectors, such as financial services or oil and natural gas, are subject to cybersecurity regulations, many others are not. The Biden administration’s cybersecurity strategy has called for implementing new requirements for critical infrastructure, but those efforts have faced difficulties.

The Environmental Protection Agency, for instance, last year sought to institute new cybersecurity requirements for the water sector as part of EPA-mandated sanitary reviews. But after strong pushback from industry and Republican states, including court challenges, the EPA called off those requirements.

The renewed efforts under the recent Biden directive are “still early,” Durkovich said.

“Those sectors that don’t have minimum standards, particularly around just good cyber hygiene, is where we will look for those recommendations and then work to act on them,” she said.

Policymakers have had a heightened focus on the cybersecurity of key sectors after U.S. officials earlier this year warned about Chinese intrusions into critical infrastructure.

Durkovich said she’s also focused on efforts to identify “systemically important entities.” CISA is helping to lead that initiative.

“That’s something that we want agreement on across all sectors, and we need a common framework and methodology,” she said.

Durkovich also highlighted work to hold the intelligence community “accountable” to the directives in the memorandum. Biden directed intelligence agencies to increase their sharing of cyber threat information with critical infrastructure owners and operators, as well as sector risk management agencies.

“That’s a big change,” Durkovich said. “It’s something that we work really closely with the intelligence community on. It is really important, given the strategic environment, and the need to make sure that owners and operators have what they need to compel them to make the investments they should be making, even beyond regulation.”

White House officials have also highlighted increased funding for some sector risk management agencies, including EPA and the Department of Health and Human Services, in the fiscal 2025 budget request.

“We have some departments and agencies that just are well resourced and do a fantastic job – think Treasury, [Energy Department] – and others where the national security [and] critical infrastructure thing is not at the top of their priority mission set, and often not well resourced,” Durkovich said. “The reality, though, is that all these sectors are critical for a reason. And we need to make sure everybody’s on the same playing field.”

Copyright © 2024 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.
