White House Asks CISA, NIST to Set Performance Goals for Critical Infrastructure Operators

President Joe Biden finishes leaves after speaking during a visits to the Office of the Director of National Intelligence in McLean, Va., Tuesday, July 27, 2021.

President Joe Biden finishes leaves after speaking during a visits to the Office of the Director of National Intelligence in McLean, Va., Tuesday, July 27, 2021. Susan Walsh/AP

The initiative will not result in mandatory measures for the private sector, but the administration hopes to signal its commitment to cybersecurity and maybe get a little help from Congress on that front.

The White House will issue a national security memo Wednesday instructing the Cybersecurity and Infrastructure Security Agency and the National Institute of Standards and Technology to establish cybersecurity performance goals for private-sector owners and operators of critical infrastructure.

The goal is to set comprehensive expectations for cybersecurity across all sectors of critical infrastructure at a time when private companies might be more inclined to meet them, a senior administration official told reporters Tuesday.

The official said the administration expects the action will make a difference even though it’s not a requirement because of “the fact that it's being announced by the president in the context of the [Transportation Security Administration’s] recent mandate, in the context of us openly saying that we really are committed to addressing the limited and piecemeal regulation, in the context of the current environment where the threat is known and seen by critical infrastructure owners and private sectors.” 

“You look at a Colonial Pipeline, you look at JBS foods, you look at Kaseya, there is now a different threat,” said the official, listing victims of recent ransomware attacks with reverberating effects. “The threats that many people talked about have become real. So we believe these goals will be viewed differently.”

In contrast with typical industry reactions to the prospect of government mandates, Colonial Pipeline CEO Joseph Blunt told the Senate Homeland Security Committee having standards to follow would be welcome. Blunt was testifying during a June 8 hearing on a pending TSA directive, now in effect, requiring pipeline operators to implement certain cybersecurity best practices

The administration’s approach is exemplified by work the Department of Energy is doing to get companies in that sector to put specific technology in place to protect industrial control systems, the official said, noting the cooperation of 150 electric utilities in that effort and that “additional initiatives for other sectors will follow later this year.”

The official said the administration is committed to finding innovative ways of working with the private sector and wants its initial steps to be voluntary but also signalled plans to work with Congress to secure the authority that would allow it to issue broad cybersecurity mandates.

“Short of legislation, there isn't a comprehensive way to require deployment of security technologies and practices that address, really, the threat environment that we see,” the official said. “The absence of mandated cybersecurity requirements for critical infrastructure is what, in many ways, has brought us to the level of vulnerability we have today. We're committed to addressing it. We're starting with voluntary, as much as we can because we want to do this in full partnership, but we're also pursuing all options we have in order to make the rapid progress we need.”