In an interview with Government Matters, Christopher Krebs, under secretary for the Department of Homeland Security’s (DHS) National Protection and Programs Directorate (NPPD), described how DHS’ National Risk Management Center (NRMC) is pinpointing the critical functions in American infrastructure and setting actionable tasks.
Krebs began by defining the mission of the NRMC, which was announced on July 31 during DHS’ National Cybersecurity Summit, and clarified that the center would not be involved in immediate incident response.
“The National Risk Management Center is about looking forward,” said Krebs. “It’s about looking at what are the most important issues facing our critical infrastructure community…and actually identifying, ‘what are the aspects of the critical infrastructure community that are the most critical?’”
Krebs noted that the NRMC is focusing on “what the functions are that industry provides to support our national security, our economic security, and our daily way of life.”
He pointed to the financial sector as an example of this approach. “We’re not necessarily thinking about a single bank, or ATMs. What we’re thinking about is what happens at the end of the day when payments have to be cleared. That is an example of what we’re calling a national critical function.”
Those critical functions are a key focus of the NRMC. Krebs said that the center will work with industry to define those functions and describe how they interact and how different critical infrastructure sectors rely on each other. “There is no individual agency right now in the Federal government, other than the Department of Homeland Security, that can bring all of those folks together,” he said.
Krebs noted that the NRMC team has set “a number of 90-day sprints that will manifest on November 1,” including identifying national critical functions, collaborating with industry, and looking at the information and communications technology (ICT) supply chain.
“We established an ICT supply chain risk management task force, bringing together tech companies and communications companies and looking at what information they need from government to secure their products and better inform procurement decisions on their side,” said Krebs.
He said that the task force is looking to identify indicators of trustworthiness in the ICT supply chain, and noted that the task force is sharing some classified and recently declassified information with industry. Krebs cited the binding order to remove Kaspersky Lab products from the Federal government as an example of the importance of understanding the IT supply chain.
“We want to make sure that government is making the right procurement decisions, and that industry can similarly make their own procurement and supply chain decisions,” Krebs said.