White House Issues NSM-22 on Critical Infrastructure Security — April 30, 2024

Executive briefing: On 30 April 2024 President Biden signed National Security Memorandum-22 (NSM-22), establishing a refreshed framework for safeguarding U.S. critical infrastructure. The memorandum supersedes Presidential Policy Directive 21, mandates updated sector risk management plans, and elevates federal coordination for cybersecurity incidents.

Memorandum highlights

• Sector Risk Management Agencies (SRMAs). NSM-22 codifies SRMA responsibilities, including development of sector-specific resilience plans and adoption of cross-sector Cybersecurity Performance Goals.
• Incident response unity. The memorandum creates a U.S. Government Coordination Council and requires integrated cyber incident response playbooks aligned with CIRCIA reporting.
• Regulatory harmonization. Federal agencies must identify overlapping cybersecurity regulations and streamline requirements through the Office of the National Cyber Director (ONCD).

Control alignment guidance

• CIRCIA readiness. Owners and operators should map internal notification workflows to forthcoming Cyber Incident Reporting for Critical Infrastructure Act rules referenced in NSM-22.
• Risk management updates. Refresh sector risk assessments to incorporate NSM-22’s resilience planning expectations, leveraging NIST CSF 2.0 and the National Risk Management Center’s methodologies.
• Public-private exercises. Participate in SRMA-led tabletop exercises to validate cross-sector coordination and information sharing commitments.

Operational recommendations

• Assign executive sponsors to monitor ONCD and SRMA implementation milestones and reflect requirements in enterprise governance charters.
• Update memoranda of understanding with Information Sharing and Analysis Centers (ISACs) to align with NSM-22’s information exchange directives.
• Integrate resilience metrics—such as recovery time objectives and supply chain visibility—into board reporting to evidence compliance with the memorandum.

Related briefings

Curated signals from the same pillar or overlapping topics.

Cybersecurity · Credibility 92/100 · July 13, 2023

ONCD Releases National Cybersecurity Strategy Implementation Plan — July 13, 2023

The ONCD’s July 2023 National Cybersecurity Strategy Implementation Plan assigns 69 initiatives, 18 high-impact deliverables, and agency accountability checkpoints that boards must track while sequencing technology…

Cybersecurity · Credibility 90/100 · May 9, 2024

TSA Expands Aviation Cybersecurity Directives — May 9, 2024

TSA ordered airport and aircraft operators to harden incident reporting, network segmentation, and access controls under new emergency amendments.

Cybersecurity · Credibility 93/100 · April 4, 2024

CISA Issues Proposed Rule for CIRCIA Reporting — April 4, 2024

CISA released a 447-page notice of proposed rulemaking that defines who must report substantial cyber incidents and ransomware payments under the Critical Infrastructure Reporting Act.

Cybersecurity · Credibility 90/100 · March 18, 2024

EPA Issues Enforcement Alert on Water System Cyber Deficiencies — March 18, 2024

The Environmental Protection Agency warned drinking water systems to fix cybersecurity lapses after nationwide inspections uncovered critical gaps.

Cybersecurity · Credibility 91/100 · October 30, 2023

Executive Order 14110 on Safe, Secure, and Trustworthy AI — October 30, 2023

Executive Order 14110 directs NIST, DHS, and sector risk agencies to build secure-by-design AI guidance, critical infrastructure risk frameworks, and red-teaming regimes—demanding governance to oversee compliance…

Continue in the Cybersecurity pillar

Return to the hub for curated research and deep-dive guides.

Visit pillar hub

Latest guides

• Cybersecurity Operations Playbook — Zeph Tech

  Use Zeph Tech research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.