New White House Policy Previews Increased Cybersecurity Oversight and Regulation: Wiley

On April 30, 2024 the White House updated the foundational U.S. government policy that defines critical infrastructure (CI) sectors and establishes a coordination structure within the federal government to support owners and operators of CI in those sectors. The Administration’s National Security Memorandum-22 on Critical Infrastructure Security and Resilience (NSM-22) replaces its predecessor document, Presidential Policy Directive 21 (PPD-21). The new policy keeps intact the general CI framework that was developed under PPD-21, including maintaining 16 CI sectors. However, NSM-22 represents a significant shift towards regulation of owners and operators of CI within these sectors, as it directs federal agencies to set “minimum requirements and effective accountability mechanisms for the security and resilience of critical infrastructure.”

Companies within one of the CI sectors – including Communications, Information Technology, Financial Services, Healthcare, and Transportation, among others – should be aware of this latest push for cybersecurity requirements and the federal regulatory activity that will likely flow from this new policy. This effort comes on the heels of DHS’s proposed rules for mandatory cybersecurity incident reporting obligations for CI owners and operators, among other efforts to set requirements for these companies regarding security and resilience more generally.

The New Policy Previews Additional Regulation and Will Define “Systemically Important Entities”

The updated Biden Administration CI security and resilience policy moves forward on two major issues that CI companies should be aware of.

Most Critical Infrastructure Companies Will Not See a Change in Their Day-to-Day Interactions with Their Sector Risk Management Agencies

Apart from the regulatory focus and implementation of the SIE concept, NSM-22 is more of an evolution than a revolution. NSM-22 does not make large-scale structural or organizational changes to the existing federal model for CI security and resilience collaboration. The policy retains the PPD-21-assigned roles and responsibilities for federal agencies as “sector risk management agencies” (SRMAs), and it does not create new or modify the existing 16 CI sectors. The Administration did not adopt suggestions, including from a 2021 CISA report, to establish new sectors for space and the bioeconomy.

NSM-22 does make some modest changes to how the federal government will manage CI protection efforts. The policy clarifies and assigns additional coordination responsibilities for CISA and directs closer engagement between U.S. intelligence agencies and CI companies. CI owners and operators will have opportunities to identify sector intelligence needs and priorities that can support their security and resilience efforts.

Critical Infrastructure Companies Should Be Prepared for Increased Activity from Federal Agencies on Cybersecurity

NSM-22 will launch increased activity in the federal government related to cybersecurity. Most significantly, CI owners and operators should be prepared for potential new cybersecurity requirements, including from sector-specific regulators and through federal procurement. The new policy does not give significant details about what security and resilience minimum requirements might look like, but does point to “existing voluntary consensus standards” as a starting point. A look at recent cybersecurity requirements may be instructive, as agencies such as the Federal Communications Commission (FCC) have begun to require select funding recipients to certify that they have cybersecurity and supply chain risk management plans based on voluntary National Institute of Standards and Technology (NIST) guidance.

Additionally, NSM-22 highlights the potential for adopting new requirements into federal procurement. The policy encourages federal agencies to use “grants, loans, and procurement processes, to require or encourage owners and operators to meet or exceed minimum security and resilience requirements,” while also specifically tasking the General Services Administration with ensuring that “Government-wide contracts for critical infrastructure assets and systems […] include appropriate audit rights for the security and resilience of critical infrastructure.”

The new policy will kick off 13 separate implementation actions for federal agencies, including requiring SRMAs to issue sector-specific risk management plans. Of note, SRMAs are directed to consult with their sector coordinating councils in this effort, so there will be opportunities for industry engagement.

As with earlier moves from this Administration to pursue cybersecurity regulation, CI companies may want to take advantage of the SRMA structure and public comment opportunities to provide their expertise and experience in developing minimum security and resilience requirements that are flexible, outcome-based, and realistic.

Wiley’s Privacy, Cyber & Data Governance team has helped companies of all sizes from various sectors proactively address risks and compliance with new cybersecurity laws and requirements. Please reach out to any of the authors with questions.

Our Site uses cookies to improve your experience. Cookies may collect your personal information, such as IP address or device identifier, which we may disclose to our analytics partners. You may opt out of the cookies that are not strictly necessary if you wish. By using this site, you agree to our updated Privacy Policy, Terms & Conditions, and Cookies Policy.

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.