Yesterday, the Biden Administration issued a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems (“Memorandum”). A short summary is below. However, the primary takeaway is that the government will be establishing preliminary cybersecurity performance goals for certain industries no later than September 2021. While we do not yet know what these “performance goals” will be, there is a potential risk that failure to meet these goals, once they are published, could be seen as negligence or a lack of reasonable security by a regulator. The Memorandum states these goals “should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services.” See Memorandum Section 4(b).
The Memorandum is directed to both public and private entities and envisions “collaboration.”
The first sentence of the Memorandum emphasizes that it reaches private entities: “Protection of our Nation’s critical infrastructure is a responsibility of the government at the Federal, State, local, Tribal, and territorial levels and of the owners and operators of that infrastructure.” Additionally, it establishes the Industrial Control Systems Cybersecurity Initiative as “a voluntary, collaborative effort between the Federal Government and the critical infrastructure community to significantly improve the cybersecurity of these critical systems.” See Memorandum Section 2.
The Memorandum potentially has a very broad scope.
The Memorandum’s policy statement says it applies to “National Critical Functions,” defined as “the functions of Government and the private sector so vital to the United States that their disruption, corruption, or dysfunction would have a debilitating effect on national security, economic security, public health or safety, or any combination thereof.” See Memorandum Section 1. However, other sections of the Memorandum appear to be focused on specific subsets of the private sector. For example, Memorandum Section 3 and its possibility of increased reporting requirements appear focused on “priority control system critical infrastructure,” while Memorandum Section 4 and its discussion of “baseline cybersecurity goals” refers more generally to “critical infrastructure.” It remains to be seen how the lines shaping these categories will be drawn, but there is clearly the possibility of broad applicability.
The Memorandum again hints at increased private sector reporting requirements.
Similar to the May 2021 Executive Order on Improving the Nation’s Cybersecurity, the Memorandum suggests there will be new cybersecurity reporting requirements. “The Federal Government will work with industry to share threat information for priority control system critical infrastructure throughout the country.” See Memorandum Section 3. No details are given, however, on what threat information sharing would be required or how this process might be shaped.
The Memorandum identifies a need for baseline cybersecurity goals.
It states: “[T]here is a need for baseline cybersecurity goals that are consistent across all critical infrastructure sectors, as well as a need for security controls for select critical infrastructure that is dependent on control systems.” See Memorandum Section 4. The government “shall develop and issue cybersecurity performance goals for critical infrastructure to further a common understanding of the baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.” See Memorandum Section 4(a). These “preliminary goals” will be published by September 22, 2021, and sector-specific critical infrastructure cybersecurity performance goals will be published by July 28, 2022. See Memorandum Section 4(b).