
Cybersecurity · Credibility 93/100 · 2 min read

White House Issues NSM-22 on Critical Infrastructure Security — April 30, 2024

National Security Memorandum-22 replaces PPD-21 and modernizes U.S. critical infrastructure risk management, information sharing, and regulatory coordination.

Executive briefing: President Biden signed National Security Memorandum-22 (NSM-22), establishing a refreshed framework for safeguarding U.S. critical infrastructure. The memorandum supersedes Presidential Policy Directive 21, mandates updated sector risk management plans, and elevates federal coordination for cybersecurity incidents.

Memorandum highlights

  • Sector Risk Management Agencies (SRMAs). NSM-22 codifies SRMA responsibilities, including development of sector-specific resilience plans and adoption of cross-sector Cybersecurity Performance Goals.
  • Incident response unity. The memorandum creates a U.S. Government Coordination Council and requires integrated cyber incident response playbooks aligned with CIRCIA reporting.
  • Regulatory harmonization. Federal agencies must identify overlapping cybersecurity regulations and streamline requirements through the Office of the National Cyber Director (ONCD).

Control alignment guidance

  • CIRCIA readiness. Owners and operators should map internal notification workflows to forthcoming Cyber Incident Reporting for Critical Infrastructure Act rules referenced in NSM-22.
  • Risk management updates. Refresh sector risk assessments to incorporate NSM-22’s resilience planning expectations, leveraging NIST CSF 2.0 and the National Risk Management Center’s methodologies.
  • Public-private exercises. Participate in SRMA-led tabletop exercises to validate cross-sector coordination and information sharing commitments.

Operational recommendations

  • Assign executive sponsors to monitor ONCD and SRMA implementation milestones and reflect requirements in enterprise governance charters.
  • Update memoranda of understanding with Information Sharing and Analysis Centers (ISACs) to align with NSM-22’s information exchange directives.
  • Integrate resilience metrics—such as recovery time objectives and supply chain visibility—into board reporting to evidence compliance with the memorandum.