by Beth Burgin Waller and Patrick J. Austin
The Biden Administration recently rolled out a new critical infrastructure memorandum, titled National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22), which is intended to set forth the role of the federal government, including responsibilities for specific federal agencies, in protecting U.S. critical infrastructure.
NSM-22 serves to supplant PPD-21, formally known as the Presidential Policy Directive — Critical Infrastructure Security and Resilience. PPD-21, a memorandum issued during the Obama Administration, designated 16 critical infrastructure sectors that will be subject to additional oversight through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Pursuant to CIRCIA, entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours of the entity developing a reasonable belief that a cyber incident occurred. In addition, critical infrastructure entities must report ransom payments within 24 hours after a payment is made. CIRCIA delegated rulemaking authority to the Cybersecurity and Infrastructure Security Agency (CISA). We wrote about CISA’s proposed rule containing cyber incident reporting requirements in a recent article.
Overview of NSM-22’s Regulatory Framework for Critical Infrastructure
It would be fair to describe NSM-22 as an update rather than an overhaul of PPD-21. For example, NSM-22 keeps intact PPD-21’s general regulatory framework for critical infrastructure, including maintaining the specific 16 critical infrastructure sectors. Nevertheless, the modifications contained in NSM-22 signal a shift towards federal regulation of critical infrastructure owners and operators. For example, NSM-22 directs federal agencies to set “minimum requirements and effective accountability mechanisms for the security and resilience of critical infrastructure, including through aligned and effective regulatory frameworks.” NSM-22 goes on to direct federal agencies and departments to “utilize regulation, drawing on existing voluntary consensus standards as appropriate” to establish the minimum requirements and accountability mechanisms applicable to critical infrastructure entities. In addition, NSM-22 states that “accountability mechanisms should continuously evolve to keep pace with the Nation’s risk environment.”
NSM-22 highlights a potential “accountability mechanism” through the adoption of new requirements in the federal procurement process. For example, NSM-22 encourages federal agencies and departments to utilize “grants, loans, and procurement processes, to require or encourage owners and operators to meet or exceed minimum security and resilience requirements.” In addition, NSM-22 specifically tasks the General Services Administration with ensuring that government-wide contracts for critical infrastructure assets and systems contain “appropriate audit rights for the security and resilience of critical infrastructure.”
NSM-22 also directs U.S. intelligence agencies and critical infrastructure entities to strengthen collaboration and engagement. For example, NSM-22 recommends owners and operators of critical infrastructure entities be afforded the opportunity to identify sector intelligence needs and priorities that support specific security and resilience efforts.
NSM-22 Expands CISA’s Role in Overseeing Critical Infrastructure, Including Development of a “Systemically Important Entities” List
One of the most notable modifications contained in NSM-22 is the elevation of CISA as the national coordinator for critical infrastructure cybersecurity efforts across the federal government and private sector. For example, NSM-22 directs CISA to specifically identify and categorize certain critical infrastructure entities as Systemically Important Entities (SIEs).
According to NSM-22, an SIE would be an entity whose infrastructure, if disrupted or malfunctioning, would “cause nationally significant and cascading negative impacts to national security (including national defense and continuity of Government), national economic security, or national public health or safety.” NSM-22’s SIE directive effectively adopts a recommendation from the Cybersecurity Solarium Commission, in addition to a requirement from a 2013 Executive Order. CISA is tasked with collaborating and engaging with other federal agencies that have responsibilities for particular critical infrastructure sectors to develop a preliminary list of SIEs, which, reportedly, will not be disclosed to the public.
CISA has already indicated that companies designated as SIEs would receive priority for information sharing and technical assistance from the federal government, but the designation will likely also come with heightened regulatory requirements.
NSM-22 tasks the Director of CISA to coordinate with System Risk Management Agencies (SRMAs), and other relevant agencies, to “plan and enable integrated actions for cyber defense campaigns at scale and to otherwise mitigate risks to critical infrastructure nationally.” In addition, CISA, in concert with SRMAs and other federal agencies, must be prepared to “provide technical and operational assistance, best practices based on existing standards and guidance to the greatest extent possible, and capacity development to State, local, Tribal, and territorial governments; other Federal entities; owners and operators; and international partners to enhance the security and resilience of critical infrastructure.”
NSM-22, when combined with the CIRCIA and CISA’s proposed cyber incident reporting obligations, signals an emphasis on enhancing cybersecurity for critical infrastructure sectors, but also portends more invasive and stricter regulatory oversight by federal departments and agencies.
Looking Ahead
Following issuance of NSM-22, there are expected to be 13 “implementation actions” by federal agencies, including requiring SRMAs to issue sector-specific risk management plans. Notably, SRMAs are directed to consult with sector coordinating councils regarding their risk management plans. This means there will likely be an opportunity for private industry to engage with federal agencies in the development of these action plans.
In addition, the public comment period for CISA’s proposed rule for cyber incident reporting requirements was extended to June 3, 2024. CISA’s final rule must be published within 18 months of the proposed rule, or no later than September 2025.
Take Proactive Compliance Measures
We recommend entities operating within an identified critical infrastructure sector – including information technology, financial services, healthcare, education, communications, etc. – start taking proactive measures now to strengthen their compliance posture when CISA’s incident reporting obligations under the CIRCIA, along with other regulatory requirements, go into effect in the fall of 2025. Critical infrastructure entities should consider taking advantage of the SRMA structure and public comment periods to provide constructive feedback and recommendations during the development of minimum security and resilience requirements.
Beth Burgin Waller is a Principal and Patrick J. Austin is Of Counsel at Woods Rogers Vandeventer Black PLC.
The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).