On April 30th, the White House released National Security Memorandum-22 on Critical Infrastructure Security and Resilience, which updates national policy on how the U.S. government protects and secures critical infrastructure from cyber and all-hazard threats.
NSM-22 recognizes the changed risk landscape over the past decade and leverages the enhanced authorities of federal departments and agencies to implement a new risk management cycle that prioritizes collaborating with partners to identify and mitigate sector, cross-sector, and nationally significant risk.
The culmination of this cycle is the creation of the 2025 National Infrastructure Risk Management Plan-updating and replacing the 2013 National Infrastructure Protection Plan-and will guide federal efforts to secure and protect critical infrastructure over the coming years.
As the National Coordinator for critical infrastructure security and resilience, the Cybersecurity and Infrastructure Security Agency will develop this National Plan to be forward-looking and employ all available federal tools, resources, and authorities to manage and reduce national-level risks, including those cascading across critical infrastructure sectors.
CISA will look to its partners to help us and the other Sector Risk Management Agencies over the course of the year as we develop this foundational document.
Building off the priorities of NSM-22, the 2025 National Plan will articulate how the U.S. government will collaborate with partners to identify and manage national risk.
Over that same decade, Congress and successive administrations have established new agencies, authorities, and collaborative partnerships that empower a whole-of-society approach to national risk management.
NSM-22 details a new risk management cycle that requires SRMAs to identify, assess, and prioritize risk within their respective sectors and develop sector risk management plans to address those risks.
With these risk assessments and risk management plans, CISA will identify and prioritize systemic, cross-sector, and nationally significant risk through a cross-sector risk assessment.
This assessment will enable CISA to prioritize systemic risk reduction efforts-detailed in the National Plan-that the U.S. government will take in collaboration with relevant federal, state and local, private, and international partners.
Most importantly, the National Plan will recognize that the U.S. government cannot make all critical infrastructure immune from all threats and hazards.
Rather, it will detail U.S. government efforts to make critical infrastructure resilient against prioritized risks based on the 16 sector's risk assessments and CISA's cross-sector risk assessments.
All the while, CISA and other federal partners will work closely with SRMAs to manage their unique sector risks.
This will be a fundamentally new approach to U.S. government risk management.
The increasing interconnectivity of critical infrastructure systems, reliance upon global technologies and supply chains, and geopolitical tensions make these systems susceptible to a myriad of threats.
Addressing these risks will require a coordinated national effort by federal agencies; State, Local, Tribal, and Territorial governments, infrastructure owners and operators, and other stakeholders across the critical infrastructure community.
As those responsible for the security and resilience of U.S. critical infrastructure, we must collectively address emergent risks and an uncertain future while remaining vigilant against longstanding threats like terrorism, natural disasters, and targeted violence.
Trusted, sustained, and effective partnerships between the federal government and private-sector and SLTT partners is the foundation of our collective effort to protect the nation's critical infrastructure.
We ask that you work with your respective SRMAs through the development of your sector risk assessments and sector risk management plans, as these will be core inputs into the National Plan.
These inputs will be invaluable as we develop a plan that allows the U.S. government to better prioritize our risk mitigation efforts and reduce risk for the critical infrastructure that underpin American society.
This Cyber News was published on www.cisa.gov. Publication date: Wed, 29 May 2024 21:13:07 +0000