National Security Memorandum on Critical Infrastructure Security and Resilience

Overview

On April 30, 2024, the White House National Security Council (NSC) published the National Security Memorandum (NSM) on Critical Infrastructure Security and Resilience. This memo builds on the important work that the Cybersecurity and Infrastructure Security Agency (CISA) and agencies across the federal government have been undertaking in partnership with America’s critical infrastructure communities for more than a decade. It also replaces Presidential Policy Directive 21 (PPD-21) on Critical Infrastructure Security and Resilience, which was issued more than a decade ago to establish national policy on critical infrastructure security and resilience.

Why Now?

Image of infrastructure-related icons over glowing, streaks of blue and white lights

The threat environment has significantly changed since PPD-21 was issued, shifting from counterterrorism to strategic competition, advances in technology like Artificial Intelligence, malicious cyber activity from nation-state actors, and the need for increased international coordination. This change in the threat landscape, along with increased federal investment in U.S. critical infrastructure, prompted the need to update PPD-21 and issue the new memo.

The NSM will help ensure U.S. critical infrastructure can provide the nation a strong and innovative economy, protect American families, and enhance our collective resilience to disasters before they happen, strengthening the nation for generations to come. This NSM specifically:

Empowers the Department of Homeland Security to lead a whole-of-government effort to secure U.S. critical infrastructure, with CISA acting as the National Coordinator for the Security and Resilience of U.S. Critical Infrastructure. The Secretary of Homeland Security will be required to submit to the President a biennial National Risk Management Plan that summarizes U.S. government efforts to mitigate risk to the nation’s critical infrastructure.
Reaffirms the designation of 16 critical infrastructure sectors and establishes a federal department or agency responsible for managing risk within each of these sectors.
Elevates the importance of minimum security and resilience requirements within and across critical infrastructure sectors, consistent with the National Cyber Strategy, which recognizes the limits of a voluntary approach to risk management in the current threat environment.

PPD-21 pre-dates the establishment of CISA. CISA actively engaged in updating the framework established by PPD-21 to detail how the U.S. government secures and protects critical infrastructure from cyber and physical threats. Three key areas in the NSM that impact CISA:

Photo of people working in an operations center

1. Establishes CISA as the National Coordinator for Critical Infrastructure Security and Resilience

The NSM directs the agency to leverage its statutory responsibility to lead the national effort to understand, manage, and reduce risk to cyber and physical infrastructure by working across the interagency and further supporting the implementation of SRMA roles and responsibilities first articulated in the FY21 National Defense Authorization Act (NDAA). As the National Coordinator, CISA will coordinate the national effort to secure and protect critical infrastructure by coordinating with SRMAs, relevant departments and agencies, the private sector, and state, local, tribal, and territorial partners to reduce risk at scale. In this role, CISA will:

Work with SRMAs to fulfill their roles and responsibilities to implement national priorities.
Assess progress against national priorities and national resilience – and support efforts that measure and enhance the strength of critical infrastructure sectors and partnerships.
Identify and assess sector and cross-sector risk considering dependencies and interdependencies.
Assess sector and SRMA designations to inform recommendations to the President.
Recommend measures to protect the critical infrastructure of the United States.
Identify security and resilience functions that are necessary for effective public-private engagement with all critical infrastructure sectors.
Identify Systemically Important Entities informed by inputs from the Sector Risk Management Agencies.

Implementing the duties of the National Coordinator will enable a “whole of government” approach providing the nation’s critical infrastructure owners and operators with more information, assessments and mitigation guidance faster with a comprehensive view of the security landscape.

Photo collage of glowing hexagons over New York City at night

2. Affirms CISA as the Sector Risk Management Agency (SRMA) for eight critical infrastructure sectors and one subsector

The agency will provide institutional knowledge and specialized expertise to chemical, commercial facilities, critical manufacturing, emergency services, IT, communications, dams, nuclear and the elections subsector. In this role, we support sector risk management, assess sector risks, and share information on physical and cyber threats.

Photo collage of glowing cyber network lines over the Capitol building

3. Directs CISA to continue to support the work of our partners across the U.S. government

CISA will continue to leverage its existing relationships, processes, and networks to sharing critical information and guidance and provide additional guidance and resources to aid SRMAs in the execution of their roles and responsibilities under the new NSM.

Efforts Already Underway

CISA has already been working toward the goals of the NSM. We have already re-established the Federal Senior Leadership Council, which has made impressive strides through the FSLC’s robust collaboration model toward meeting our shared goals. When the FSLC was re-chartered, the group not only took on new authorities, but a heavy lift to inform how we define, modernize, and protect our critical infrastructure sectors.

We have already completed the first assessment of sector designations. Through a transparent, iterative, and collaborative process, the FSLC evaluated the current 16 critical infrastructure sectors and considered potential new sectors; changing the scope of various other sectors; and removing or moving various subsectors within existing sectors. The FSLC achieved consensus among its 30 member Departments and Agencies on the recommendations for the first time since the sectors were established in PPD-21 in 2013. This updated sector structure was presented to the President in late 2023 and is reflected in the sectors listed in the NSM.

In addition, as a part of the National Coordinator role, CISA has already provided guidance to the SRMAs in creating Sector Risk Assessments and Sector Specific Risk Management Plans. This guidance is a resource for SRMAs to meet the requirements set forth in the NSM in a way that reflects strategic priorities and objectives while recognizing the unique operation environment each Sector faces.

Finally, as the National Coordinator, CISA has already begun the work to establish Systemically Important Entities (SIE). As described in the NSM, SIEs are critical infrastructure which is prioritized based on the potential for its disruption or malfunction to cause nationally significant and cascading negative impacts to national security (including national defense and continuity of government), national economic security, or national public health or safety. The SIE list will inform prioritization of Federal activities, including risk mitigation information and other operational resources to non-Federal entities. The list of SIEs developed pursuant to this NSM, and subsequent updates, will strengthen our understanding and prioritization of those functions that American’s rely on every day and satisfy the requirement for the Secretary of Homeland Security to develop the list described in Section 9 of Executive Order 13636.