A Plan to Protect Critical Infrastructure from 21st Century Threats

Purpose of the National Infrastructure Risk Management Plan

By Jen Easterly, Director, Cybersecurity and Infrastructure Security Agency

On April 30th, the White House released National Security Memorandum-22 (NSM-22) on Critical Infrastructure Security and Resilience, which updates national policy on how the U.S. government protects and secures critical infrastructure from cyber and all-hazard threats. NSM-22 recognizes the changed risk landscape over the past decade and leverages the enhanced authorities of federal departments and agencies to implement a new risk management cycle that prioritizes collaborating with partners to identify and mitigate sector, cross-sector, and nationally significant risk. The culmination of this cycle is the creation of the 2025 National Infrastructure Risk Management Plan (National Plan)—updating and replacing the 2013 National Infrastructure Protection Plan—which will guide federal efforts to secure and protect critical infrastructure over the coming years.

As the National Coordinator for critical infrastructure security and resilience, the Cybersecurity and Infrastructure Security Agency (CISA) will develop this National Plan to be forward-looking and employ all available federal tools, resources, and authorities to manage and reduce national-level risks, including those cascading across critical infrastructure sectors. CISA will look to its partners to help us and the other Sector Risk Management Agencies (SRMAs) over the course of the year as we develop this foundational document. 

The National Plan Must Account for the Evolution of Threats, Vulnerabilities, and Consequences 

Building off the priorities of NSM-22, the 2025 National Plan will articulate how the U.S. government will collaborate with partners to identify and manage national risk. This will be an evolution from the 2013 National Plan, which described risk management as “the cornerstone” to strengthening critical infrastructure security and resilience. Eleven years later, the spirit of this concept holds true; yet it must evolve due to pervasive vulnerabilities and an elevated threat landscape, which could lead to cascading regional and national consequences. Fortunately, over that same decade, Congress and successive administrations have established new agencies, authorities, and collaborative partnerships that empower a whole-of-society approach to national risk management. As the National Coordinator, CISA will be the primary driver for operationalizing this approach through the National Plan.

The National Plan Will Be Informed by a New Risk Management Cycle

NSM-22 details a new risk management cycle that requires SRMAs to identify, assess, and prioritize risk within their respective sectors and develop sector risk management plans to address those risks. With these risk assessments and risk management plans, CISA will identify and prioritize systemic, cross-sector, and nationally significant risk through a cross-sector risk assessment. This assessment will enable CISA to prioritize systemic risk reduction efforts—detailed in the National Plan—that the U.S. government will take in collaboration with relevant federal, state and local, private, and international partners. Most importantly, the National Plan will recognize that the U.S. government cannot make all critical infrastructure immune from all threats and hazards. Rather, it will detail U.S. government efforts to make critical infrastructure resilient against prioritized risks based on the 16 sectors’ risk assessments and CISA’s cross-sector risk assessments. All the while, CISA and other federal partners will work closely with SRMAs to manage their unique sector risks.

We Need You for Us to Be Successful

This will be a fundamentally new approach to U.S. government risk management. In this era of technological advancements and dynamic global volatility, the security and resilience of our critical infrastructure are of paramount importance. Essential systems, including energy grids, water systems, transportation networks, healthcare facilities, and communication systems, are vital for public safety, economic stability, and national security. The increasing interconnectivity of critical infrastructure systems, reliance upon global technologies and supply chains, and geopolitical tensions make these systems susceptible to a myriad of threats. Addressing these risks will require a coordinated national effort by federal agencies; State, Local, Tribal, and Territorial (SLTT) governments; infrastructure owners and operators; and other stakeholders across the critical infrastructure community.

As those responsible for the security and resilience of U.S. critical infrastructure, we must collectively address emergent risks and an uncertain future while remaining vigilant against longstanding threats like terrorism, natural disasters, and targeted violence. Indeed, trusted, sustained, and effective partnerships between the federal government and private-sector and SLTT partners are the foundation of our collective effort to protect the nation’s critical infrastructure.

Put simply, the 2025 National Plan will not succeed unless our partners collaborate with us to inform its development and its eventual implementation. We ask that you work with your respective SRMAs through the development of your sector risk assessments and sector risk management plans, as these will be core inputs into the National Plan. You can also contact us at for any of your ideas. These inputs will be invaluable as we develop a plan that allows the U.S. government to better prioritize our risk mitigation efforts and reduce risk for the critical infrastructure that underpins American society.

For more information on NSM-22 and CISA’s role as National Coordinator, visit CISA’s National Security Memorandum on Critical Infrastructure Security and Resilience page.