In a comprehensive National Security Memorandum (NSM), President Joe Biden has outlined his administration's strategy for strengthening the security and resilience of United States critical infrastructure against threats like cyberattacks, natural disasters, and climate change.
The memorandum designates 16 critical infrastructure sectors—such as energy, transportation, and healthcare—and outlines roles and responsibilities for relevant federal agencies to identify and mitigate risks within each sector.
Key elements of the new strategy include:
The strategy represents a major step toward unifying critical infrastructure security efforts across the federal government and compiling minimum cybersecurity baselines and other protective standards that could be backstopped by regulation.
It aims to enhance cross-sector risk management as critical infrastructure grows more interdependent. The White House is also emphasizing more robust information sharing as a core component.
"The United States is facing complex cyber threats. As we continue to become even more reliant on technology, this threat will only increase," said Michael Gregg, CISO for the State of North Dakota. "Highlighting this risk and building plans to test resilience via tabletops and testing will help us be better prepared. Expanding threat intelligence sharing between these 16 critical infrastructure sectors is a good next step, as it will help build a more robust response capability."
Scott Margolis, CISO for Massachusetts Bay Transportation Authority, offered his perspective:
"The real benefit of the Executive Order is the emphasis on a harmonized and risk-based approach to safeguarding critical infrastructure. Truly a transformational approach for our Federal Partners and the Executive branch in continuing to support us in this rapidly evolving cyber landscape. This approach ensures a consistent and actionable strategy across various sectors and agencies, enabling us to effectively respond to an increasing volume of sophisticated threats. By aligning efforts and resources, prioritizing based on risk, and fostering strong public-private partnerships, we enhance our capacity to protect critical transit systems against emerging threats, ensuring safety and continuity in our services. This unified approach not only increases our resilience but also streamlines our response mechanisms, making them more effective and timely."
Oren Koren, Co-founder and CPO at Veriti, shared his thoughts:
"I believe that under the new Biden administration's strategy, we will see a focus on three major areas that will add significant value:
The memorandum identifies 16 critical infrastructure sectors and designates associated Sector Risk Management Agencies (SRMAs). In some cases, co-SRMAs are designated where multiple departments share the roles and responsibilities of the SRMA. The Secretary of Homeland Security shall periodically evaluate the need for and approve changes to critical infrastructure sectors, and shall make recommendations to the President in accordance with statute and in consultation with the Assistant to the President and Homeland Security Advisor. The sectors and SRMAs are as follows:
CISA added this commentary in its overview of the White House memorandum:
"CISA has already been working toward the goals of the NSM. We have already re-established the Federal Senior Leadership Council, which has made impressive strides through the FSLC's robust collaboration model toward meeting our shared goals. When the FSLC was re-chartered, the group not only took on new authorities, but a heavy lift to inform how we define, modernize, and protect our critical infrastructure sectors.
We have already completed the first assessment of sector designations. Through a transparent, iterative, and collaborative process, the FSLC evaluated the current 16 critical infrastructure sectors and considered potential new sectors; changing the scope of various other sectors; and removing or moving various subsectors within existing sectors. The FSLC achieved consensus among its 30 member Departments and Agencies on the recommendations for the first time since the sectors were established in PPD-21 in 2013. This updated sector structure was presented to the President in late 2023 and is reflected in the sectors listed in the NSM."
While implementation will take years, the new critical infrastructure directive overhauls U.S. policies not substantially updated in a decade and signals the Biden Administration's prioritization of this issue among pressing national security imperatives.
More from CISA on Systemically Important Entities (SIEs):
"Finally, as the National Coordinator, CISA has already begun the work to establish Systemically Important Entities (SIE). As described in the NSM, SIEs are critical infrastructure which is prioritized based on the potential for its disruption or malfunction to cause nationally significant and cascading negative impacts to national security (including national defense and continuity of government), national economic security, or national public health or safety. The SIE list will inform prioritization of Federal activities, including risk mitigation information and other operational resources to non-Federal entities. The list of SIEs developed pursuant to this NSM, and subsequent updates, will strengthen our understanding and prioritization of those functions that Americans rely on every day and satisfy the requirement for the Secretary of Homeland Security to develop the list described in Section 9 of Executive Order 13636."