White House Issues New National Security Memorandum on Critical Infrastructure

PDF

On April 30, 2024, the White House announced that President Biden signed a new critical infrastructure memorandum, titled National Security Memorandum on Critical Infrastructure Security and Resilience ("NSM-22"). This new memorandum will replace an Obama-era policy directive, Presidential Policy Directive -- Critical Infrastructure Security and Resilience ("PPD-21), which designated the 16 critical infrastructure sectors that are the focal point of the Cyber Incident Reporting for Critical Infrastructure Act of 2022 ("CIRCIA").

Notably, NSM-22 comes on the heels of the Cybersecurity & Infrastructure Security Agency's ("CISA") proposed rule implementing CIRCIA, which also was published in April, discussed here. Together, CIRCIA, NSM-22, and CISA's proposed rule signal the government's heightened focus on cybersecurity and protecting critical infrastructure sectors in the U.S., including, for example, by "[r]equiring and enforcing minimum resilience and security requirements and recommendations that direct building resilience into critical infrastructure assets and systems upfront[.]"

Like its predecessor PPD-21, the White House’s announcement shows that NSM-22 will help to ensure strong and resilient U.S. critical infrastructure by, among other things:

• Empowering the Department of Homeland Security to lead the whole-of-government effort to secure U.S. critical infrastructure, with CISA acting as the National Coordinator for Security and Resilience. 
• Directing the U.S. Intelligence Community, consistent with the goals outlined in the 2023 National Intelligence Strategy, to collect, produce and share intelligence and information with Federal departments and agencies, State and local partners, and the owners and operators of critical infrastructure.
• Reaffirming the designation of 16 critical infrastructure sectors and a federal department or agency as the Sector Risk Management Agency (SRMA) for each sector.
• Elevating the importance of minimum security and resilience requirements within and across critical infrastructure sectors, consistent with the National Cyber Strategy, which recognizes the limits of a voluntary approach to risk management in the current threat environment.

Ultimately, as the White House noted, our "Nation faces an era of strategic competition in which nation-state actors will continue to target American critical infrastructure – and tolerate or enable malicious activity conducted by non-state actors." Given the ever-increasing threat to our 16 critical infrastructure sectors and beyond, and the wide-spread and lasting damage that could ensue in the wake of an attack by nation-state actors or their proxies, a foundational theme that surfaces throughout the memo is resilience, which is the "cornerstone of homeland defense and security."