President Biden recently issued a presidential memorandum that sets a new course for critical infrastructure protection in the United States. The National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22) comes at a time when, as the administration notes in the document, “the United States is in the midst of a generational investment in the Nation’s infrastructure.”
For enterprises, there are two main themes that impact everyday business operations: (1) increased regulation; and (2) stronger risk management practices for critical infrastructure entities, as well as at the sector, cross-sector, and national levels.
The administration's action signals that the era of best practices, self-attestations, and voluntary certifications is coming to its close. As the United States looks toward a future of minimum security requirements for critical infrastructure, NSM-22 is positioned to be the watershed moment that sets the regulatory gears in motion in the United States.
Critical infrastructure owners and operators should be assessing their companies’ risk management programs and looking for ways to reduce risks now, before regulation compels risk reduction measures in the future.
The most significant impact arising out of NSM-22, which replaces 2013’s Presidential Policy Directive 21 (PPD-21), is the shift to a regulatory approach for regulating critical infrastructure in the United States. As the document clearly states:
“Voluntary approaches to enhance critical infrastructure security and resilience have meaningfully mitigated risk over the past decade, but more must be done to ensure the Nation’s critical infrastructure is secure and resilient against all threats and hazards. The Federal Government must focus on increasing the adoption of requirements that address sector, national, and cross-sector risks to critical infrastructure.”
The Administration also endorses “robust accountability and enforcement mechanisms” at all levels, including “Federal, State, local, Tribal, territorial, and private sector entities, as well as independent third parties… [as] an essential component of effective risk management for critical infrastructure. It will be interesting to see how the intent for Federal regulatory harmonization aligns with the support for regulatory development and accountability across multiple levels of government, and between private sector parties.
It is clear that enterprises will have to pay close attention to emerging regulations, potentially conflicting regulations at the Federal, state, or international level, and contractual commitments as essential elements of critical infrastructure protection and enforcement. Managing these conflicting laws and obligations will be important because liability will likely continue to grow as the regulatory environment expands, given NSM-22’s intention that “accountability mechanisms should continuously evolve to keep pace with the Nation’s risk environment.”
Liability will certainly be an issue at the company level, and has the potential to impact directors and officers as well. Critical infrastructure owners and operators of all sizes should prepare to participate in comment cycles and share inputs to help shape coming regulations so that they are practical and as harmonized as possible.
The administration’s focus on risk management is an evolution of many years of continued effort to identify and mitigate significant risks to the nation. The National Infrastructure Risk Management Plan (NIRMP) concept laid out in NSM-22 is a thoughtful evolution of the original concept from 2013, and the original National Infrastructure Protection Plan. We can expect, based on current intent, that risk assessments at the national, sector-level, and cross-sector level will be conducted on a biennial basis.
The NIRMP defines risk quite broadly, referring to the “potential for an unwanted outcome, as determined by its likelihood and the consequences.” The new risk-based approach will focus on ensuring that sector risk management agencies (SMRAs) and sectors can define risks within the sector, as well as systemic and cross-sector risks that pose threats to national interests.
In addition, the new NIRMP will be required to set out “national and cross-sector minimum security and resilience requirements to mitigate cross-sector risks not covered under sector specific requirements…” and recognizes that: “Where existing authorities are not sufficient to implement these minimum requirements, the National Coordinator shall develop a proposal to request new authorities from Congress…” signaling the Administration’s intent to leverage regulation to compel action, rather than rely on the best practices of the previous era.
The new risk-based approach will focus on ensuring that sector risk management agencies (SMRAs) and sectors can define risks within the sector, as well as systemic and cross-sector risks that pose threats to national interests.
Now is a good time for critical infrastructure owners and operators to evaluate current enterprise approaches to risk management and develop risk mitigation plans, as new enforcement authorities will make compelled risk management efforts far more costly in the future.
All private sector critical infrastructure owners and operators are going to have to prepare for greater compliance and oversight in the years ahead. With adversaries such as China’s VoltTyphoon targeting critical infrastructure in the United States, the administration is signaling that voluntary risk management efforts and attestations aren’t going to cut it any longer. NSM-22 is a reset of the nation’s approach to critical infrastructure protection, and organizations are urged to participate in future regulatory comment periods and strengthen governance and risk management practices and mitigation plans before being compelled to do so. Regulation is coming. Be prepared.
Cristin is the managing partner of Advanced Cyber Law, a boutique law firm focused on cybersecurity, incident response, threat intelligence, and artificial intelligence. She and her team leverage Cristin’s 17 years as lead cybersecurity counsel at Microsoft, where she was head lawyer for the Microsoft Security Response Center, the Microsoft Threat Intelligence Center, the Government Security Program, cybersecurity law and compliance, and built Microsoft’s Digital Security Unit, fusing threat intelligence with geopolitical analysis, including Microsoft’s seminal Ukraine Report in April 2022. Cristin is also the founder and CEO of Advancing Cyber, a regulatory technology startup.
