The Department of Homeland Security (DHS) released guidance on Thursday aimed at helping Federal agencies, critical infrastructure owners and operators, and other government and private sector stakeholders with their critical infrastructure security and resilience efforts.

The strategic guidance sets forth specific risk areas – like those surrounding the Chinese government and AI technologies – that should be prioritized in a whole-of-society effort for the next two years to secure the critical infrastructure systems Americans rely on every day.

The memo from DHS Secretary Alejandro Mayorkas – signed on June 14 and publicly released June 20 – builds on President Biden’s April 2024 National Security Memorandum (NSM-22) on Critical Infrastructure Security and Resilience.

“From the banking system to the electric grid, from healthcare to our nation’s water systems and more, we depend on the reliable functioning of our critical infrastructure as a matter of national security, economic security, and public safety,” Secretary Mayorkas said in a statement. “The threats facing our critical infrastructure demand a whole of society response and the priorities set forth in this memo will guide that work. I look forward to continuing our work with partners at all levels of government and the private sector to better ensure the safety of all Americans.”

In NSM-22, the White House established a two-year risk management cycle that prioritizes the identification and mitigation of critical infrastructure risk at the asset, sector, and national levels.

“Addressing these risks will require a coordinated effort by DHS, Sector Risk Management Agencies (SRMAs), and other relevant Federal agencies; state, local, tribal, and territorial (SLTT) governments; infrastructure owners and operators; and other stakeholders across the critical infrastructure community both domestic and abroad,” Secretary Mayorkas’ memo says. “The forthcoming sector-specific risk management plans and the first biennial National Infrastructure Risk Management Plan represent an opportunity to communicate to all critical infrastructure stakeholders how the U.S. government will prioritize risk management efforts over the next two years.”

DHS’s strategic guidance calls on the critical infrastructure community to prioritize five risk management areas, starting with addressing the cyber threats posed by the People’s Republic of China (PRC).

“Attacks targeting infrastructure essential to protect, support, and sustain military forces and operations worldwide or that may cause potential disruptions to the delivery of key goods or services to the American people must be our top priority,” the memo states.

Mayorkas wrote that DHS will collaborate with government and private sector partners to develop plans and capabilities to manage consequences of complex incidents involving critical infrastructure, including a National Security Emergency Plan and updated National Cyber Incident Response Plan, and to strengthen intelligence and information sharing across the community.

The second priority area focuses on managing the risk and opportunity of AI.

According to the document, SRMAs and critical infrastructure owners and operators should integrate relevant risk assessments and DHS guidance into their sector-specific risk assessments and sector-specific risk management plans to address risks from AI and other emerging technologies.

The memo also states that “SRMAs should identify, and where possible pilot or deploy, AI and other technology-informed risk mitigation tools to increase the security and resilience of critical infrastructure against other threats.”

The memo outlines three additional priority areas:

  • Identifying and mitigating supply chain vulnerabilities;
  • Addressing the growing dependency of critical infrastructure on space systems and assets; and
  • Incorporating climate risks into sector resilience efforts.

The guidance also lists four priority risk mitigation efforts: building resilience; adopting security baseline requirements; incentivizing service providers to drive down risk; and identifying areas of concentrated risk.

The memo states that the director of the Cybersecurity and Infrastructure Security Agency (CISA), as the national coordinator of critical infrastructure security and resilience efforts, will drive sector-specific risk assessments and management plans for SRMAs and other important partners that address the outlined priority risk areas and adopt the identified risk mitigation activities, culminating in the National Infrastructure Risk Management Plan.

“Through close collaboration with our partners, CISA and the Department are working towards safer and more secure critical infrastructure to ensure the functioning of government, the delivery of essential services, and the protection of the American people,” said CISA Director Jen Easterly.

Cate Burgan is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.