White House Issues Memo on Critical Infrastructure Security

NATIONAL SECURITY MEMORANDUM/nSM-22

MEMORANDUM FOR THE VICE PRESIDENT

THE SECRETARY OF STATE

THE SECRETARY OF THE TREASURY

THE SECRETARY OF DEFENSE

THE ATTORNEY GENERAL

THE SECRETARY OF THE INTERIOR

THE SECRETARY OF AGRICULTURE

THE SECRETARY OF COMMERCE

THE SECRETARY OF HEALTH AND HUMAN SERVICES

THE SECRETARY OF HOUSING AND URBAN DEVELOPMENT

THE SECRETARY OF TRANSPORTATION

THE SECRETARY OF ENERGY

THE SECRETARY OF EDUCATION

THE SECRETARY OF HOMELAND SECURITY

THE ASSISTANT TO THE PRESIDENT AND CHIEF OF STAFF

THE ASSISTANT TO THE PRESIDENT FOR NATIONAL

SECURITY AFFAIRS

THE ASSISTANT TO THE PRESIDENT AND HOMELAND

SECURITY ADVISOR

THE ASSISTANT TO THE PRESIDENT AND DIRECTOR OF

THE NATIONAL ECONOMIC COUNCIL

THE ASSISTANT TO THE PRESIDENT AND DIRECTOR OF

THE OFFICE OF INTERGOVERNMENTAL AFFAIRS

THE ADMINISTRATOR OF THE ENVIRONMENTAL PROTECTION

AGENCY

THE DIRECTOR OF THE OFFICE OF MANAGEMENT AND

BUDGET

THE DIRECTOR OF NATIONAL INTELLIGENCE

THE DIRECTOR OF THE OFFICE OF SCIENCE AND

TECHNOLOGY POLICY

THE DIRECTOR OF THE CENTRAL INTELLIGENCE AGENCY

THE DIRECTOR OF THE FEDERAL BUREAU OF

INVESTIGATION

THE CHAIRMAN OF THE JOINT CHIEFS OF STAFF

THE ADMINISTRATOR OF GENERAL SERVICES

THE CHAIR OF THE NUCLEAR REGULATORY COMMISSION

THE CHAIR OF THE FEDERAL COMMUNICATIONS

COMMISSION

THE NATIONAL CYBER DIRECTOR

THE POSTMASTER GENERAL AND CHIEF EXECUTIVE

OFFICER OF THE UNITED STATES POSTAL SERVICE

SUBJECT: Critical Infrastructure Security and Resilience

Critical infrastructure comprises the physical and virtual assets and systems so vital to the Nation that their incapacity or destruction would have a debilitating impact on national security, national economic security, or national public health or safety. It is diverse and complex, and includes distributed networks, varied organizational structures, operating models, interdependent systems, and governance constructs.

The United States is in the midst of a generational investment in the Nation's infrastructure. This investment, and the emergence of new technologies, presents an opportunity to build for the future. In the 21st century, the United States will rely on new sources of energy, modes of transportation, and an increasingly interconnected and interdependent economy. This modernization effort will ensure critical infrastructure provides a strong and innovative economy, protects American families, and enhances our collective resilience to disasters before they happen — creating a resilient Nation for generations to come.

The United States also faces an era of strategic competition with nation-state actors who target American critical infrastructure and tolerate or enable malicious actions conducted by non-state actors. Adversaries target our critical infrastructure using licit and illicit means. In the event of crisis or conflict, the Nation's adversaries will also likely increase their efforts to compromise critical infrastructure to undermine the will of the American public and jeopardize the projection of United States military power. The growing impact of climate change, including changes to the frequency and intensity of natural hazards, as well as scarcities; supply chain shocks; and the potential for instability, conflict, or mass displacement places further strain on the assets and systems that Americans depend upon to live and do business.

This memorandum advances our national unity of effort to strengthen and maintain secure, functioning, and resilient critical infrastructure.

Policy Principles and Objectives

It is the policy of the United States to strengthen the security and resilience of its critical infrastructure, consistent with the following principles:

1. Shared Responsibility. Safeguarding critical infrastructure is a responsibility shared by Federal, State, local, Tribal, and territorial entities, and the public or private owners and operators of critical infrastructure (owners and operators). All stakeholders have unique roles to contribute to the national unity of effort. Public‑private collaboration is vital to this effort.
2. Risk-Based Approach. Advancing critical infrastructure security and resilience requires a risk-based approach. The prioritization of national efforts must be informed by the relationship between specific infrastructure and national security (including national defense), national economic security, national public health or safety, and the Federal Government's ability to perform essential functions and services. Risk assessments must consider all threats and hazards, likelihood, vulnerabilities, and consequences, including shocks and stressors — as well as the scope and scale of dependencies within and across critical infrastructure sectors, immediate and long-term consequences, and cascading effects. Owners and operators are uniquely positioned to manage risks to their individual operations and assets, including their interdependencies with other entities and sectors.
3. Minimum Requirements. Federal, State, local, Tribal, and territorial regulatory and oversight entities have a responsibility to prioritize establishing and implementing minimum requirements for risk management, including those requirements that address sector-specific and cross-sector risks. These requirements should also leverage existing guidance where applicable. Regulatory frameworks should be risk- and performance-based when feasible; informed by existing requirements, standards, and guidelines; aligned to reduce unnecessary duplication; complementary to voluntary public-private collaboration; and scalable and adaptable to an evolving risk environment. Requiring and enforcing minimum resilience and security requirements and recommendations that direct building resilience into critical infrastructure assets and systems upfront, and by-design, shall be a primary responsibility of the Federal Government.
4. Accountability. Robust accountability and enforcement mechanisms from Federal, State, local, Tribal, territorial, and private sector entities, as well as independent third parties, are an essential component of effective risk management for critical infrastructure. Accountability mechanisms should continuously evolve to keep pace with the Nation's risk environment.
5. Information Exchange. The appropriate sharing of timely, actionable information, which may include relevant classified and unclassified intelligence and law enforcement sensitive information, among Federal, State, local, Tribal, and territorial entities; owners and operators; and other relevant stakeholders, is essential for effective risk management. The Federal Government will support a robust information sharing environment and public-private cooperation that enables actions and outcomes that reduce risk.
6. Expertise and Technical Resources. The Federal Government will leverage expertise and technical resources from all relevant Federal departments and agencies to mature the capacity and capability of each federally led effort to manage sector‑specific risk under the umbrella of the national effort to secure United States critical infrastructure. A primary objective of this effort will be to create a consistent experience for owners and operators; State, local, Tribal, and territorial governments; and other essential stakeholders who collaborate with the Federal Government.
7. International Engagement. Recognizing the global interconnectedness and interdependencies of critical infrastructure, the Federal Government will work closely with international partners to strengthen the security and resilience of the international critical infrastructure on which the United States depends.
8. Policy Alignment. Efforts to safeguard critical infrastructure will be fully integrated and coordinated with complementary Federal policies and frameworks, including domestic incident management and national preparedness; national continuity, including Federal Mission Resilience; and counterterrorism, counterintelligence, cybersecurity, and other threat-, hazard-, or sector-specific policies and frameworks.

It is the objective of the United States under this national effort to:

1. Refine and clarify the roles and responsibilities of the Federal Government for critical infrastructure security, resilience, and risk management.
2. Identify and prioritize critical infrastructure security and resilience based on risk and implement a coordinated national approach to assess and manage sector-specific and cross-sector risk.
3. Establish minimum requirements and accountability mechanisms for the security and resilience of critical infrastructure, including through aligned and effective regulatory frameworks.
4. Leverage Federal Government agreements, including grants, loans, and procurement processes, to require or encourage owners and operators to meet or exceed minimum security and resilience requirements.
5. Enhance and improve the quality of intelligence collection and analysis pertaining to threats to critical infrastructure.
6. Improve the real-time sharing of timely, actionable intelligence and information at the lowest possible classification level among Federal, State, local, Tribal, territorial, private sector, and international partners to facilitate risk mitigation to critical infrastructure.
7. Promote timely and cost-effective investments in technologies and solutions that mitigate risk from evolving threats and hazards to critical infrastructure.
8. Strengthen the security and resilience of critical infrastructure by engaging international partners and allies to build situational awareness and capacity, facilitate operational collaboration, promote effective infrastructure risk management globally, and develop and promote international security and resilience recommendations.

Federal departments and agencies shall implement this memorandum in a manner consistent with applicable law; Presidential directives; and Federal regulations, including those protecting privacy, civil rights, and civil liberties.

Roles and Responsibilities

The Federal Government relies on the specialized authorities, capabilities, and expertise of Federal departments and agencies to ensure an effective, whole-of-government effort to secure critical infrastructure. Under this effort, the Secretary of Homeland Security shall provide strategic guidance and coordinate Federal cross-sector risk management and resilience activities. Sector Risk Management Agencies (SRMAs) shall serve as day-to-day Federal interfaces for their designated critical infrastructure sector and conduct sector-specific risk management and resilience activities. Elements of the Intelligence Community (IC) and law enforcement, regulatory, and other Federal departments and agencies also play key roles in increasing the security and resilience of critical infrastructure, including responding to all threats and hazards that may affect critical infrastructure.

Close and continuous coordination among the Department of Homeland Security (DHS), SRMAs, and other relevant Federal departments and agencies, to include law enforcement and the IC, is essential to ensuring a national unity of effort and accomplishing the objectives of this memorandum. The Federal Government also seeks to encourage and enable strong collaboration with owners and operators; State, local, Tribal, and territorial governments; international partners; and other entities. While most of the Nation's critical infrastructure is owned and operated by non-Federal entities, which are primarily responsible for individual assets' security and resilience, both Government and the private sector have a mutual responsibility and incentive to reduce the risk to critical infrastructure.

Secretary of Homeland Security

The Secretary of Homeland Security shall coordinate the national effort to enhance the security and resilience of United States critical infrastructure and provide strategic guidance on this national effort, based on national priorities and sector-specific or cross-sector risk assessments and plans, including through the National Infrastructure Risk Management Plan (National Plan), as required by statute. The Secretary of Homeland Security shall maintain situational awareness about emerging trends, imminent threats, vulnerabilities, and the consequences of incidents that could jeopardize the security and resilience of critical infrastructure. The Secretary of Homeland Security shall make recommendations to the President, in coordination with SRMAs and other relevant departments and agencies, on the list of designated critical infrastructure sectors, subsectors, and SRMAs — prioritizing critical infrastructure for national security and resilience efforts.

The Secretary of Homeland Security, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA) as the National Coordinator for the Security and Resilience of Critical Infrastructure (National Coordinator), shall, in coordination with SRMAs and other Federal departments and agencies:

1. Coordinate with SRMAs to fulfill their roles and responsibilities to implement national priorities consistent with strategic guidance and the National Plan and continuously strengthen a unified approach to critical infrastructure security and resilience;
2. Assess progress against national priorities and national resilience and support efforts that measure and enhance the strength of critical infrastructure sectors and partnerships;
3. Identify and assess sector and cross-sector risk, analyze the dependencies among assets and systems that comprise critical infrastructure, and consider key interdependencies of potential sector and cross-sector consequences associated with physical and cyber threats and vulnerabilities to support critical infrastructure risk management and prioritization;
4. Assess sector and SRMA designations to inform recommendations to the President;
5. Recommend measures to protect the critical infrastructure of the United States; and
6. Identify security and resilience functions that are necessary for effective public-private engagement with all critical infrastructure sectors.

To provide expertise in support of national critical infrastructure security and resilience efforts, the Director of CISA, in coordination with SRMAs and, as appropriate, other relevant agencies, shall also:

1. Provide capabilities and resources, such as cybersecurity expertise, risk assessments, and other services, to support SRMAs and national critical infrastructure security and resilience efforts;
2. Develop plans and enable integrated actions for cyber defense campaigns at scale and to otherwise mitigate risks to critical infrastructure nationally;
3. Engage international partners to enhance the security and resilience of critical infrastructure globally; and
4. Provide technical and operational assistance, best practices based on existing standards and guidance to the greatest extent possible, and capacity development to State, local, Tribal, and territorial governments; other Federal entities; owners and operators; and international partners to enhance the security and resilience of critical infrastructure.

Other Department of Homeland Security Activities

As reflected in statute and Presidential policy, the Secretary of Homeland Security has responsibilities for coordinating Federal preparedness activities and response operations in the United States, including when critical infrastructure impacts are implicated. The Secretary of Homeland Security is the principal Federal official for domestic incident management and, consistent with existing Federal law and policy, including Homeland Security Presidential Directive 5 of February 28, 2003 (Management of Domestic Incidents), as amended, DHS may coordinate Federal Government resources used in the response to or recovery from terrorist attacks, major disasters, or other emergencies, or as otherwise requested or directed by the President. In addition, the Secretary of Homeland Security, acting through the Administrator of the Federal Emergency Management Agency (FEMA), works to reduce the loss of life and property by minimizing the impact of disasters and protecting the Nation from all hazards. DHS, acting through the Director of CISA, serves as the lead Federal agency for cyber asset response activities in accordance with Presidential Policy Directive 41 of July 26, 2016 (United States Cyber Incident Coordination) (PPD-41). Further, the Secretary of Homeland Security, acting through the Administrator of the Transportation Security Administration and the Commandant of the United States Coast Guard, has broad authority to assess security risks to the Marine Transportation System and other modes of transportation, develop security measures and regulations, and seek or ensure compliance with those measures and regulations.

Sector Risk Management Agencies

Each critical infrastructure sector has unique characteristics, operating models, and risk profiles that benefit from an identified SRMA with institutional knowledge, specialized expertise, and established relationships across the sector. SRMAs help drive the national effort to strengthen the security and resilience of critical infrastructure. Consistent with the statutorily defined roles and responsibilities of SRMAs, SRMAs shall carry out the following roles and responsibilities for their respective sectors, in coordination with DHS, including the National Coordinator, and, as appropriate, other relevant departments and agencies:

1. Serve as day-to-day Federal interfaces for the prioritization and coordination of sector-specific activities, including the provision of technical expertise and assistance, serving as the Federal Government coordinating council chair; and participating in cross-sector coordinating councils. Continually collaborate and communicate through regular and appropriate outreach and engagement mechanisms with their sector's owners and operators, promoting the use of risk mitigation, to include Government-furnished capabilities and services for State, local, Tribal, and territorial governments; owners and operators; and other non-Federal entities.
2. Lead outreach to owners and operators within their respective sectors on security and resilience issues, consistent with their available authorities.
3. Designate the Accountable Senior Officials — Assistant Secretary equivalent or above — to serve as the Coordinators of the SRMA Function, with the ability to delegate responsibilities to other senior leaders within their agencies. The designees will be responsible and accountable for the implementation and performance of all SRMA roles and responsibilities.
4. Lead sector risk management within their sector and support cross-sector risk management, including establishing and implementing programs or initiatives to assist owners and operators and State, local, Tribal, and territorial governments with identifying, understanding, planning for, and mitigating risks to the systems, assets, or services in their respective sector. This should include recommending sector‑specific measures to protect critical infrastructure.
5. Identify, assess, and prioritize sector-specific risk and support cross-sector and national risk assessment efforts.
6. Facilitate the identification of essential critical infrastructure-related workforce needs and priorities for security and resilience.
7. Incorporate identified national priorities, including Defense Critical Infrastructure (DCI), climate change, and emerging technology, into sector risk management responsibilities.
8. Identify sector-specific information and intelligence needs and priorities, in consultation with owners and operators, and facilitate the exchange of information and intelligence, as appropriate, regarding risks to sector-specific critical infrastructure.