Section 9002(b) Report

Our national infrastructure security is built on a partnership between government and private industry that combines the implementation of policy, regulatory, and voluntary actions to manage risk. Both public and private entities own and operate the Nation’s critical infrastructure, but the risk associated with the destruction or failure of that infrastructure is borne by a much larger population of Americans—and disproportionately by vulnerable or disadvantaged communities, and people of color. For this reason, the effort to secure the Nation’s critical infrastructure requires a whole-of-government approach and coordination and collaboration across multiple intergovernmental and industry stakeholders. The Cybersecurity and Infrastructure Security Agency (CISA) Act of 2018, as codified in 6 U.S.C. § 652(c)(4), requires the Director of CISA to “coordinate a national effort to secure and protect against critical infrastructure risks” consistent with a comprehensive national plan (currently the National Infrastructure Protection Plan 2013, hereafter referred to as the National Plan) required in (e)(1)(E) of the same subchapter.

This existing national infrastructure security framework provides a collaborative partnership model for consolidating information and expertise from government and industry. Working with critical infrastructure sectors, the Federal Government ensures the security and resilience of the Nation’s infrastructure through the use of tools and resources like bi-directional threat information sharing, real-world exercises, incident response training and guidance, federally-led risk assessments and analysis, and subject matter expertise. Active engagement with public- and private-sector partners inform this national framework and its associated tools and resources, which those partners rely on for the security of their systems and assets.

As detailed in this report, the current framework for securing the Nation’s critical infrastructure originated from presidential policy decisions in the 1990s and subsequent provisions in the 2000s that recognized both the expanding scale of terrorism and other threats, and the emerging cybersecurity challenge of increasingly networked and internet-enabled infrastructure systems. The Federal Government has an opportunity to evaluate and enhance the current approach to accommodate updates to national policy; leverage lessons learned from the operation of the national partnership through steady state activities, real-world events, and exercises; and consider new and evolving national security threats and cybersecurity risks.

On behalf of the Department of Homeland Security (DHS), CISA is providing this report as required under Sec. 9002 of the 2021 National Defense Authorization Act (NDAA) which codified Sector-Specific Agencies (SSAs), previously defined in Presidential Policy Directive 21 (PPD-21), as Sector Risk Management Agencies (SRMAs), and defined how DHS and SRMAs should work with each other to protect critical infrastructure.1 Within 180 days, the NDAA required the Secretary of Homeland Security, in consultation with the heads of SRMAs, to review the current framework for securing critical infrastructure, as outlined in the National Plan, developed pursuant to 6 U.S.C. § 652(e)(1)(E). As required by Section 9002(b) of the 2021 NDAA, the Secretary was also required to evaluate the current list of critical infrastructure sectors and current designations for SRMAs and provide recommendations for revisions to the President.

This report describes the resulting assessment and findings and outlines several recommendations for consideration. As required, this report recommends a process and structure for identifying and designating sectors and aligning those sectors to designated SRMAs. The findings highlight an opportunity to designate a Space Sector and Bioeconomy Sector, depending on a review process described in further detail below. CISA will collaborate with each SRMA to evaluate the list of sectors and SRMAs through a phased approach to validate and refine the activities of the current sector structure.

Some of the recommendations described below may change depending upon the implementation of new uniform statutory authorities, roles, and responsibilities for SRMAs contained in Section 9002(c), which now appear in the U.S. Code at 6 U.S.C. § 665d. Future periodic reviews can more completely assess SRMA and sector performance in line with these new authorities and roles.