CISA and the National Institute of Standards and Technology must issue “preliminary” cyber performance goals for critical infrastructure by Sept. 22, under the national security memorandum issued by President Biden that also formalizes a process for bolstering the security of industrial control systems in key sectors.
NSM-5, “Improving Cybersecurity for Critical Infrastructure Control Systems,” was signed today by the president and addresses “a need for baseline cybersecurity goals that are consistent across all critical infrastructure sectors, as well as a need for security controls for select critical infrastructure that is dependent on control systems,” according to the document.
“The administration is committed to leveraging every authority we have, though limited, and we’re also open to new approaches, both voluntary and mandatory,” a senior administration official told reporters. “Responsible critical infrastructure owners and operators should be following voluntary guidance as well as mandatory requirements in order to ensure that the critical services the American people rely on are protected from cyber threats.”
The Biden memo declares: “It is the policy of my Administration to safeguard the critical infrastructure of the Nation, with a particular focus on the cybersecurity and resilience of systems supporting National Critical Functions, defined as the functions of Government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on national security, economic security, public health or safety, or any combination thereof.”
The memo says the “primary objective” of the ICS initiative “is to defend the United States' critical infrastructure by encouraging and facilitating deployment of technologies and systems that provide threat visibility, indications, detection, and warnings, and that facilitate response capabilities for cybersecurity in essential control system and operational technology networks. The goal of the Initiative is to greatly expand deployment of these technologies across priority critical infrastructure.”
On performance goals, the memo says, “Cybersecurity needs vary among critical infrastructure sectors, as do cybersecurity practices. However, there is a need for baseline cybersecurity goals that are consistent across all critical infrastructure sectors, as well as a need for security controls for select critical infrastructure that is dependent on control systems.”
It says CISA and NIST “shall develop and issue cybersecurity performance goals for critical infrastructure to further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.”
According to the memo:
This effort shall begin with the Secretary of Homeland Security issuing preliminary goals for control systems across critical infrastructure sectors no later than September 22, 2021, followed by the issuance of final cross-sector control system goals within 1 year of the date of this memorandum. Additionally, following consultations with relevant agencies, the Secretary of Homeland Security shall issue sector-specific critical infrastructure cybersecurity performance goals within 1 year of the date of this memorandum. These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services. That effort may also include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our Nation.
NIST issued a short statement saying, “Among activities that will contribute to implementing the National Security Memorandum, NIST is revising its Guide to Industrial Control Systems (ICS) Security (SP 800-82).”
DHS, Commerce leaders embrace initiative
Homeland Security Secretary Alejandro Mayorkas and Commerce Secretary Gina Raimondo said in a joint statement: “Today President Biden signed a new National Security Memorandum (NSM) to implement long overdue efforts to meet the scale and severity of the cybersecurity threats our country continues to face. This NSM takes a key step toward improving the cybersecurity of critical infrastructure by directing the Departments of Homeland Security and Commerce to work together, alongside other agencies, in developing cybersecurity performance goals that set a clear, easy-to-understand security baseline.”
The two cabinet secretaries said: “The safety and security of the American people rely on the resilience of the companies that provide essential services such as power, water, and transportation. The establishment of cybersecurity performance goals marks important progress toward this goal. We look to responsible critical infrastructure owners and operators to follow voluntary guidance in order to ensure that the critical services the American people rely on are protected from cyber threats, and we are committed to working closely with our partners in the private sector to promote proactive cybersecurity practices that will protect our national and economic security.”
On Capitol Hill, Senate Intelligence Chairman Mark Warner (D-VA) said in a statement: “I applaud the Biden administration for taking additional steps to secure our critical infrastructure and bolster our cybersecurity standards after a wave of cyberattacks. As the administration noted, we know that in order to mitigate the aftermath of these cyberattacks, we need open communication and transparency from affected entities to better anticipate and respond to these national security threats. Unfortunately, for too long we’ve relied heavily on voluntary reporting of these cyber intrusions which has limited our ability to effectively respond. In order to better anticipate and respond to future cyber incidents, Congress must swiftly pass the Cyber Incident Notification Act of 2021, which will work in concert with the steps the administration has put forth today to safeguard our critical infrastructure.”
The NSM “is an important step forward,” commented Phil Reitinger, who led cyber efforts at the Department of Homeland Security during the Obama administration. “We’ve all known for a long time that the cybersecurity defenses imposed by critical infrastructure are not sufficient, and we must do more. This order extends the past and pioneering work done on the Cybersecurity Framework and directs CISA to set cybersecurity performance goals for critical infrastructure. This step was also included in the Executive Order that established the Cybersecurity Framework, E.O. 13636, but the new requirement suggests that CISA will issue a more detailed set of requirements that are essential.” – Charlie Mitchell (email@example.com)