Critical Infrastructure Protection and Resilience North America Conference
Houston, TX
March 11-13, 2025
The Critical Infrastructure Protection and Resilience North America conference will again bring together leading stakeholders from industry, operators, agencies, and governments to collaborate on securing North America.
The conference will build on the theme of previous events, helping to create a better understanding of the issues and the threats and to facilitate the work of developing frameworks, good risk management, strategic planning, and implementation.
There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety.
The Biden Administration rolled out a new critical infrastructure memorandum, titled National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22), which is intended to set forth the role of the federal government, including responsibilities for specific federal agencies, in protecting U.S. critical infrastructure.
NSM-22 serves to supplant PPD-21, formally known as the Presidential Policy Directive – Critical Infrastructure Security and Resilience. PPD-21, a memorandum issued during the Obama Administration, designated 16 critical infrastructure sectors that will be subject to additional oversight through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA).
Pursuant to CIRCIA, entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours of the entity developing a reasonable belief that a cyber incident occurred. In addition, critical infrastructure entities must report ransom payments within 24 hours after a payment is made. CIRCIA delegated rulemaking authority to the Cybersecurity and Infrastructure Security Agency (CISA). We wrote about CISA’s proposed rule containing cyber incident reporting requirements in a recent article.
We must be prepared!
The Nation’s critical infrastructure provides the essential services that underpin American society. Proactive and coordinated efforts are necessary to strengthen and maintain secure, functioning, and resilient critical infrastructure – including assets, networks, and systems – that are vital to public confidence and the Nation’s safety, prosperity, and well-being.
Critical infrastructure must be secure and able to withstand and rapidly recover from all hazards. Achieving this will require integration with the national preparedness system across prevention, protection, mitigation, response, and recovery.
NSM-22 directs federal agencies to set “minimum requirements and effective accountability mechanisms for the security and resilience of critical infrastructure, including through aligned and effective regulatory frameworks.” NSM-22 goes on to direct federal agencies and departments to “utilize regulation, drawing on existing voluntary consensus standards as appropriate” to establish the minimum requirements and accountability mechanisms applicable to critical infrastructure entities. In addition, NSM-22 states that “accountability mechanisms should continuously evolve to keep pace with the Nation’s risk environment.”
NSM-22 highlights a potential “accountability mechanism” through the adoption of new requirements in the federal procurement process. For example, NSM-22 encourages federal agencies and departments to utilize “grants, loans, and procurement processes, to require or encourage owners and operators to meet or exceed minimum security and resilience requirements.” In addition, NSM-22 specifically directs the General Services Administration to ensure that government-wide contracts for critical infrastructure assets and systems contain “appropriate audit rights for the security and resilience of critical infrastructure.”
NSM-22 also directs U.S. intelligence agencies and critical infrastructure entities to strengthen collaboration and engagement. For example, NSM-22 recommends owners and operators of critical infrastructure entities be afforded the opportunity to identify sector intelligence needs and priorities that support specific security and resilience efforts.
One of the most notable modifications contained in NSM-22 is the elevation of CISA as the national coordinator for Critical Infrastructure cybersecurity efforts across the federal government and private sector. For example, NSM-22 directs CISA to specifically identify and categorize certain critical infrastructure entities as Systemically Important Entities (SIEs).
Why the need for such a discussion?
All Federal department and agency heads are responsible for the identification, prioritization, assessment, remediation, and security of their respective internal critical infrastructure that supports primary mission essential functions. Such infrastructure needs to be addressed in the plans and executed to the requirements of the National Continuity Policy.
The ever-changing nature of threats, whether natural, through climate change, or man-made, through terrorism in the form of physical or cyber attacks, creates a need to continually review and update policies, practices, and technologies to meet these demands.