Critical Infrastructure: Updating the 2013 NIPP and other Risk Mitigation Actions
Publication | 05.14.24
Protecting critical infrastructure is paramount in today’s digital age. Critical infrastructure includes physical and virtual systems essential for the functioning of our society, economy, and national security. Such a definition may include power grids, communication networks, and financial institutions, among other networks that heavily rely on interconnected computer systems. These systems are also considered critical infrastructure, as they are used to protect critical cybersecurity infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) has identified 16 critical infrastructure sectors whose assets are so “vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Cybersecurity is embedded in each of these. The National Infrastructure Protection Plan (NIPP) details how each sector must develop a sector-specific plan through coordinated efforts with public and private partners.
This plan, however, has not been updated since 2013. With the growth of the internet and integration of digital technology, critical infrastructure is more interconnected than ever before. Interconnectivity brings opportunities for efficiency and innovation, but also introduces new vulnerabilities. Since the release of the 2013 NIPP, the threat landscape has evolved significantly, with new and emerging risks posed by cyber threat actors. Thus, updating the 2013 NIPP is an important next step to enhancing the resilience and security of our nation’s critical infrastructure.
In November 2023, the Biden Administration announced its plans to review and revise Presidential Policy Directive 21, which established how federal agencies would steer protection of critical infrastructure and called for them to work together to create the 2013 NIPP. In the announcement, the White House acknowledged that an “updated policy would strengthen the public-private partnership and provide clear guidance to executive departments and agencies on designating certain critical infrastructure as systemically important.” An updated NIPP would also complement the National Cybersecurity Strategy, released in March 2023 as part of the Biden Administration’s efforts to protect critical infrastructure through comprehensive cybersecurity measures, public-private partnerships, and information-sharing practices.
In February 2023, the Government Accountability Office (GAO) released a report on Critical Infrastructure Protection, calling on CISA to update the 2013 NIPP and provide templates for revising sector-specific guidance documents. On Oct. 25, 2023, the U.S. House of Representatives, Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection held a hearing on federal cybersecurity governance, focusing on plans to raise the level of federal cybersecurity resilience across the government as a whole.
Protecting critical infrastructure is a complex and ongoing challenge requiring a collaborative, comprehensive, and proactive approach that enhances overall resilience. As we wait for an update to the NIPP, there are actions that CISA suggests government contractors take to help protect the nation’s security, such as setting specific goals and objectives, identifying infrastructure, implementing risk management activities, and measuring effectiveness. It is important to identify assets, systems, and networks that contribute to critical functionality and collect information pertinent to risk management, as well as to evaluate risk and consider potential direct and indirect consequences of an incident. Implementing a risk management approach, founded on prevention, protection, mitigation, response, and recovery activities, as well as technical solutions, is an important step that companies may take to help protect the nation’s critical infrastructure and therefore promote the resilience of our vital systems.