White House Issues NSM-22 on Critical Infrastructure Security — April 30, 2024
National Security Memorandum-22 replaces PPD-21 and modernizes U.S. critical infrastructure risk management, information sharing, and regulatory coordination.
Verified for technical accuracy — Kodi C.
On April 30, 2024, the White House issued National Security Memorandum 22 (NSM-22) on critical infrastructure security and resilience, updating and replacing Presidential Policy Directive 21 (PPD-21) from 2013. The memorandum modernizes the federal approach to protecting critical infrastructure by emphasizing resilience, cross-sector risk management, and improved coordination between government and private sector owners and operators.
Key Changes from PPD-21
NSM-22 reflects the evolution of critical infrastructure threats and interdependencies over the past decade, incorporating lessons learned from cyberattacks, natural disasters, and the COVID-19 pandemic. The memorandum expands focus beyond protection to include resilience and recovery capabilities.
- Resilience emphasis. The memorandum elevates resilience as a core objective alongside protection, recognizing that sophisticated adversaries may penetrate defenses and that organizations must be able to operate through and recover from disruptions.
- Minimum security requirements. NSM-22 directs sector risk management agencies to work with industry to develop minimum cybersecurity requirements for critical infrastructure sectors, moving beyond voluntary frameworks where appropriate.
- Supply chain security. The memorandum addresses supply chain risks more comprehensively than its predecessor, requiring assessment of dependencies and vulnerabilities across critical infrastructure supply chains.
Sector Risk Management Agency Responsibilities
NSM-22 clarifies and expands the responsibilities of Sector Risk Management Agencies (SRMAs), which serve as federal leads for specific critical infrastructure sectors. These agencies must develop a deeper understanding of their sectors and more actively coordinate risk management efforts.
- Sector risk assessments. SRMAs must conduct full assessments of risks to their sectors, including cyber, physical, climate, and supply chain threats, and share findings with sector teams.
- Coordination mechanisms. The memorandum strengthens requirements for SRMAs to establish effective coordination mechanisms with sector owners and operators, including information sharing agreements and joint exercises.
- Performance measurement. SRMAs must develop metrics to assess sector security and resilience, enabling evidence-based prioritization of risk management investments.
Implications for Critical Infrastructure Owners and Operators
Private sector organizations operating critical infrastructure should prepare for closer engagement with their SRMAs and potentially new regulatory requirements. The memorandum's direction toward minimum security requirements signals possible mandatory cybersecurity standards for sectors currently operating under voluntary frameworks.
- Engagement preparation. Review current relationships with relevant SRMAs and prepare for deeper coordination on risk assessment, information sharing, and incident response.
- Security baseline assessment. Evaluate current security posture against existing sector frameworks to identify gaps that minimum requirements might address.
- Resilience planning. Develop or improve business continuity and resilience plans that address the memorandum's emphasis on maintaining operations during, and recovering from, significant disruptions.
Cross-Sector Dependencies and Cascade Risks
NSM-22 specifically addresses risks arising from interdependencies between critical infrastructure sectors, such as the dependence of communications networks on energy or the dependence of the financial system on multiple other sectors. Affected organizations should assess their own dependencies on other critical infrastructure and the potential for cascading failures to disrupt their operations.
Implementation Timeline and Future Developments
The memorandum directs various federal agencies to complete implementation tasks within specified timeframes, with some actions required within 90 days and others over longer periods. Critical infrastructure owners and operators should monitor agency implementation activities and participate in stakeholder engagement opportunities to influence practical implementation approaches.