What NSM-22 Means for Critical Infrastructure Owners and Operators

What NSM-22 Means for Critical Infrastructure Owners and Operators

On April 30, the White House published National Security Memorandum-22 (NSM-22), which empowers the Department of Homeland Security (DHS) to lead a “whole-of-government effort to secure U.S. infrastructure,” and charges the Cybersecurity and Infrastructure Agency (CISA) with a new role: acting as the National Coordinator for Security and Resilience. It also directs the U.S. Intelligence Community to more closely engage with government agencies as well as private owners and operators of critical infrastructure, who are recognized as “often our first line of defense against adversaries who target the nation’s most critical assets and system.”

Here are key takeaways for both public agencies and private companies.

National Critical Infrastructure Memorandum Overview

NSM-22 is an update of a key policy document that, given technological advances, evolving threats and rising geopolitical tensions, was long overdue for a refresh. It replaces Presidential Policy Directive 21: Critical Infrastructure Security and Resilience (PPD-21), which was signed by President Barack Obama in 2013.

Presidential memoranda and policy directives are both types of presidential executive orders (EOs) used to outline rule-making priorities for agencies within the executive branch without providing particulars. As such, the only deadlines in the Memorandum apply to the agencies themselves, which are given 13 specific actions. Like other EOs, NSM-22 can be overturned by future administrations who embrace other policies and priorities.

Caveats aside, the Memorandum is important because the world has changed a lot since 2013. Look no further than Volt Typhoon, the Chinese hacking grouping that has been establishing persistence in American water, energy and telecommunications networks for future attack.

NSM-22 Key Authorities and Actions

PPD-21 was important because it defined the 16 critical infrastructure sectors and created corresponding Sector Risk Management Agencies (SRMAs) to coordinate activities within each sector. It also outlined expectations for information sharing and collaboration to protect them.

The 16 Critical Infrastructure Sectors Designated by CISA
The 16 Critical Infrastructure Sectors Designated by CISA

The new Memorandum builds on the foundational policies laid out in PPD-21 but builds on them in a few key ways:  

  1. Although the Memorandum doesn’t call out operational technology (OT) or industrial control systems (ICS) in particular, it acknowledges that they have become much more connected to IT and the internet and are therefore much more subject to threats from nation-state and other threat actors. An IT attack on critical infrastructure must be treated as both a cyber and a physical attack.
  1. Squarely places responsibility on CISA — created in 2018, five years after PPD-21 — to coordinate and direct efforts to protect critical infrastructure and build resilience. This aligns with policies already put in place by CISA to secure OT and IoT with BOD 23-01.
  1. Sets the stage for rule-making by directing federal regulatory agencies to “draw on existing voluntary consensus standards” to “establish minimum requirements and effective accountability mechanisms for the security and resilience of critical infrastructure."   
  1. Instructs CISA to prioritize critical infrastructure whose disruption could have significant impact on national security, public health or safety. Specifically, the agency must identify and maintain a non-public list of systemically important entities (SIEs) to receive priority access to risk mitigation information and operational resources.
  1. More clearly delineates the role of the SRMAs to issue sector-specific risk management plans and coordinate activities within their sectors and with CISA.  

Takeaways for Critical Infrastructure Owners and Operators

Other than newly designated SIEs, critical infrastructure companies are not likely to be immediately impacted. However, NSM-22 is a significant shift towards regulation of owner-operators in these sectors. The progression from voluntary standards to mandatory compliance is common in federal rule-making. Within DHS, TSA has sole authority to exercise regulatory oversight by issuing cybersecurity directives, and it has used that authority to issue directives to airports, pipelines, oil and gas, and rail.  We can expect to see similar directives for other critical infrastructure sectors to emerge over the next 18 months. The Nozomi Networks platform provides asset inventory, vulnerability mapping and continuous security monitoring that aligns with the requirements in the TSA Security Directives.

Harden Cyber-Physical Defenses for Business, Not Regulatory Reasons 

There are several new rules and regulations in the pipeline for private and public/private operators of critical infrastructure, some of which will be tied to this Memorandum. NSM-22 comes on the heels of DHS’s proposed rules for mandatory cybersecurity incident reporting  for CI owners and operators and the department’s guidelines for securing critical infrastructure against AI-assisted attacks.  

Understanding the impact of new regulations, taking actions and complying with overlapping mandates can be costly and labor intensive. With the kickoff of enforcement and accountability in NSM-22, organizations will face tremendous pressure to ensure investments are made, executed on and integrated into operations safely, with as small impact as possible. Where defenders may fall short is almost always due to lack of resources, not because they need more accountability or guidance. Notably, NSM-22 doesn’t mention additional resources for those on the front lines. That funding may yet come from Congress, which holds the purse strings.  

In the end, critical infrastructure owners must harden their cyber-physical defenses to protect their assets, maintain operational continuity and fulfill their public mission. The consequences of not doing so aren’t regulatory; they’re physical, financial and reputational.

Here are two additional resources to help critical infrastructure owners: