President Biden on April 30 signed a National Security Memorandum to secure and enhance the resilience of U.S. critical infrastructure.
The NSM will replace a decade-old presidential policy document on critical infrastructure protection and launch a comprehensive effort to protect U.S. infrastructure against all threats and hazards, current and future.
The NSM empowers the Department of Homeland Security to lead the whole-of-government effort to secure U.S. critical infrastructure, with the Cybersecurity and Infrastructure Security Agency acting as the National Coordinator for Security and Resilience.
The Secretary of Homeland Security will be required to submit to the President a biennial National Risk Management Plan that summarizes U.S. government efforts to manage risk to the Nation’s critical infrastructure.
The NSM also directs the U.S. Intelligence Community, consistent with the goals outlined in the 2023 National Intelligence Strategy, to collect, produce and share intelligence and information with federal departments and agencies, State and local partners, and the owners and operators of critical infrastructure.
“The NSM recognizes private sector owners and operators of critical infrastructure are often our first line of defense against adversaries who target the Nation’s most critical assets and systems,” the White House said.
The NSM also reaffirms the designation of 16 critical infrastructure sectors and a federal department or agency as the Sector Risk Management Agency for each sector. SRMAs have the day-to-day relationships and sector specific expertise to lead risk management and coordination within the designated sectors. The named SRMAs for each sector can be found below.
In addition, the NSM elevates the importance of minimum security and resilience requirements within and across critical infrastructure sectors, consistent with the National Cyber Strategy, which recognizes the limits of a voluntary approach to risk management in the current threat environment.
SRMAs will undertake sector-specific risk assessments and risk management plans every two years, in consultation with their respective sector coordinating councils, i.e., the Electricity Subsector Coordinating Council and Oil and Natural Gas Subsector Coordinating Council for the Department of Energy.
An initial energy sector risk assessment will be completed by DOE within 180 days, while an initial energy sector risk management plan, including a sector risk assessment, along with DOE SRMA priorities for 2024–2026 will be completed within 270 days.
A number of other federal agencies are affected by the NSM including the Department of Homeland Security, which will develop a cross-sector national risk management plan within 365 days.