Systemically Important Entities: From Guidelines to Directives NSM-22
NSM-22 represents a comprehensive update to the U.S. critical infrastructure security policy, emphasizing mandatory compliance, enhanced risk management, and increased collaboration. Critical infrastructure owners and operators must prepare for these changes to ensure the security and resilience of their operations.
Updated Policy Framework:
📌NSM-22 modernizes the policy framework to address technological advances, evolving threats, and geopolitical tensions.
📌It designates the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA) to lead a coordinated effort to manage risks across 16 critical infrastructure sectors.
Sector Risk Management Agencies (SRMAs):
📌The memorandum reaffirms the designation of 16 critical infrastructure sectors and corresponding SRMAs, which coordinate activities within each sector.
📌SRMAs are tasked with developing sector-specific risk management plans and coordinating with CISA.
Minimum Security and Resilience Requirements:
📌NSM-22 emphasizes the development of minimum security and resilience requirements for critical infrastructure entities, moving from voluntary standards to mandatory compliance.
📌Regulatory and oversight entities are tasked with establishing these requirements and accountability mechanisms.
Systemically Important Entities (SIEs):
📌CISA is instructed to identify and maintain a non-public list of SIEs, which will receive priority access to risk mitigation information and operational resources.
New Risk Management Cycle:
📌NSM-22 introduces a new risk management cycle requiring SRMAs to identify, assess, and prioritize risks within their sectors. This cycle will culminate in the creation of the 2025 National Infrastructure Risk Management Plan.
Implications for Critical Infrastructure Owners and Operators
Increased Regulation:
📌NSM-22 marks a significant shift towards regulation, with a progression from voluntary standards to mandatory compliance expected over the next 18 months.
📌Owners and operators should prepare for new cybersecurity directives and regulations, particularly in sectors like airports, pipelines, oil and gas, and rail.
Resource Allocation:
📌Compliance with new regulations and overlapping mandates can be costly and labor-intensive. Organizations will need to ensure investments are made and integrated into operations safely.
📌The memorandum does not mention additional resources for those on the front lines, which may necessitate future funding from Congress.
Cyber-Physical Defense:
📌Owners must harden their cyber-physical defenses to protect assets, maintain operational continuity, and fulfill their public mission. The consequences of failing to do so include physical, financial, and reputational damage.
Collaboration and Coordination:
📌Effective risk management will require collaboration between federal agencies, state and local governments, private sector entities, and other stakeholders.
📌Owners and operators should engage with Sector Coordinating Councils and relevant regulators to stay informed and compliant with new requirements.