
Changes to Critical Infrastructure Requirements

Publication | 01.28.25

In 2025, owners and operators of critical infrastructure will have new security and information sharing obligations to consider under National Security Memorandum 22 (“NSM-22” or the “Memorandum”). NSM-22 replaces the Obama-era Presidential Policy Directive 21: Critical Infrastructure Security and Resilience (PPD-21).

The Memorandum builds upon many of the foundations of PPD-21, while modernizing requirements and responsibilities to address technological advancements and increase collaboration. It also continues to focus on the 16 critical infrastructure sectors[1] originally defined in the PPD-21, managed under designated Sector Risk Management Agencies (SRMAs), but it also creates new obligations for critical infrastructure entities aimed at strengthening resiliency and enhancing cooperation within and among sectors. While it is unclear whether the requirements will continue to be in effect under the second Trump Administration, organizations may still want to consider preparations for actions under the Memorandum.

A new office, the Office of the National Coordinator, will be established by the Cybersecurity and Information Security Agency (CISA), underscoring the importance of cybersecurity to the new age of critical infrastructure security. The Office of the National Coordinator will serve as a coordination point for all SRMAs and will be tasked with supporting the development of subject matter expertise, encouraging cooperation between critical infrastructure entities, consulting with the intelligence community, and assisting with the development and implementation of minimum security and resilience requirements.

Further, the Department of Homeland Security (DHS) will now be required to develop a National Information Risk Management Plan (National Plan) for critical infrastructure. The National Plan will be informed by sector-specific risk assessments conducted by the SRMAs and cross-sector risk assessments conducted by the Office of the National Coordinator. It will guide federal actions to mitigate sector-specific and cross-sector critical infrastructure risks. The plan will lay out the obligations and requirements for owners and operators of critical infrastructure, including long-term mitigation activities, minimum security and resilience requirements, and recommendations for pilot efforts.

The responsibilities of owners and operators of critical infrastructure will become more demanding under NSM-22. Noting that voluntary minimum security and resilience requirements have mitigated risk in the past, NSM-22 now requires adoption of mandatory minimum security and resilience requirements developed by the federal government. NSM-22 requires that DHS, SRMAs, and the National Coordinator use their authorities to develop and implement cross-sector and sector-specific guidance and requirements. Notably, NSM-22 requires that contracts now include appropriate audit rights regarding these requirements and cybersecurity standards. The National Coordinator is also tasked with identifying a list of Systemically Important Entities (SIE). The SIE List will include organizations that own, operate, or control critical infrastructure whose disruption could cause significant national security impacts. Regulators are instructed to consider the list when developing and applying risk management requirements.

The Memorandum also creates new requirements to enhance the collection and sharing of threat information. NSM-22 encourages information sharing between entities and creates requirements for the intelligence community. The Director of National Intelligence (DNI) is tasked with collecting information from intelligence reporting to identify threats to critical infrastructure. The DNI is also tasked with coordinating with DHS, SRMAs, federal and state entities, and the private sector to collect, analyze, and share information regarding threats to critical infrastructure.

Owners and operators should be prepared to coordinate with their SRMA as it begins to draft a sector-specific risk management plan. Critical infrastructure organizations should also ensure that their systems are currently able to identify threats and that proper procedures are in place for information sharing. NSM-22 requires several reports to be developed and delivered in 2025, so organizations should continue to monitor these developments to understand what new requirements may be coming for their sector.

[1] The 16 critical infrastructure sectors include: Chemical Sector, Commercial Facilities Sector, Communications Sector, Critical Manufacturing Sector, Dams Sector, Defense Industrial Base Sector, Emergency Services Sector, Energy Sector, Financial Services Sector, Food and Agriculture Sector, Government Services and Facilities Sector, Healthcare and Public Health Sector, Information Technology Sector, Nuclear Reactors, Materials, and Waste Sector, Transportation Systems Sector, and Water and Wastewater Sector.