CISA Highlights Space, Bioeconomy as Possible New Critical Infrastructure Sectors

dem10/Getty Images

Featured eBooks
Digital Transformation
Read Now

Federal IT Modernization Still a Major Challenge

Read Now

DHS’ next chapter as an enterprise services provider

Read Now

What's happening in health tech

Read Now
Mariam Baksh By Mariam Baksh,
Senior Correspondent

By Mariam Baksh

|

The agency also suggested existing sectors be consolidated and that there is a need for some agencies to exercise greater authority over private-sector entities.

Leading cybersecurity and sector risk management officials should consider establishing space and bioeconomy as two new sectors of critical infrastructure, the Cybersecurity and Infrastructure Security Agency wrote in a report to President Joe Biden and relevant congressional committees.  

“Findings highlight an opportunity to designate a space sector and bioeconomy sector, depending on a review process described,” CISA wrote, recommending criteria—such as the potential for disruption within various sectors of the U.S. economy to cause debilitating impacts on society—in making critical-infrastructure determinations.  

Referring to the portion of the economy that relies on biological resources such as plants and microorganisms, securing the bioeconomy would involve efforts to address issues like climate change and food production. 

Entities in sectors designated as critical infrastructure—and their assigned sector risk management agencies, or SRMAs—stand to receive more resources and bear greater regulatory responsibilities under a proposed evolution of federal cybersecurity policy. 

“Multiple sectors offer a fragmented or partial view of a larger scope associated with common functions, and therefore it may be advantageous to consider merging or consolidating those sectors,” CISA also highlighted, noting the emergency services sector as one example of this, because it “contains services largely provided or overseen by government entities.”

The report, obtained by Nextgov, was referenced in a Nov. 7 letter President Biden addressed to Congress, noting his intention of implementing its recommendations. The secretary of the Department of Homeland Security was required to deliver the report under the 2021 National Defense Authorization Act. The NDAA provision nudged DHS’ standing obligation under the Homeland Security Act and a 2013 presidential policy directive—PPD 21—to produce and update a national plan to secure key resources and protect critical infrastructure.

In September, 2021, DHS’ inspector general called CISA out for not having updated the plan in over eight years. Responding to the inspector general, CISA Director Jen Easterly said the plan would be ready by September 30, 2022. In a previous report, CISA estimated the plan would be ready by December 2020, the inspector general said.

The secretary of DHS has the power to designate new sectors of critical infrastructure, as former DHS Secretary Jeh Johnson did in 2017, naming elections as a subsector of the government services sector. But CISA, as articulated in the NDAA-required report, wants such responsibilities for coordinating the protection of critical infrastructure to be shared by the Office of the National Cyber Director—also overdue to produce a national strategy—the National Security Council and agencies that make up the Federal Senior Leadership Council.

“CISA, in collaboration with ONCD, NSC and SRMAs, and with input from other relevant departments and agencies, should … evaluate the scope of current critical infrastructure sectors to ensure they appropriately address systems, assets, national critical functions and capabilities; evaluate potential modifications to SRMA designations; and evaluate the potential establishment of new sectors or subsectors,” CISA wrote.

CISA has assigned sector-risk management responsibilities for more than half the current set of 16 critical infrastructure sectors, some of which—such as the communications and information technology sectors—it does not have regulatory authority over.

Some lawmakers, most notably Rep. Ritchie Torres, D-N.Y., have questioned CISA’s ability to shoulder so much of the responsibility for securing critical infrastructure absent additional authorities. 

Others in Congress have discussed a need to revise PPD 21 to better manage risks within information and communications technology. And Deputy National Security Adviser for Cyber and Emerging Tech Anne Neuberger and National Cyber Director Chris Inglis have both suggested a greater exercise of regulatory authority is imminent for such entities.  

CISA’s report to the president and committees addresses these issues, noting that consistent use of its criteria for designating agencies for the protection of critical infrastructure should rely, “on all the necessary capabilities and authorities across federal departments and agencies.” It should also ensure that the national plan “does not overly rely on a single department’s or agency’s authority for managing sector engagement.”

“The Homeland Security Act, PPD-21 and the national plan all recognize that regulatory authority and capability are central reasons that a federal agency would be designated as an SRMA within a given sector,” CISA added. “Likewise, SRMAs and DHS have responsibilities to identify appropriate countermeasures to infrastructure threats and vulnerabilities.” 

In September, CISA published a plan to guide the agency’s efforts over the next three years. That plan put a premium on measuring the effect of performance goals CISA has issued for critical infrastructure with ownership of industrial control systems that are vulnerable to disruptive attacks. But the agency did not say how it intends to execute its measurement goals and its report to the president said there are limitations in the current plan for evaluating critical infrastructure security across the SRMAs.

CISA’s report also highlighted its possession of various baseline capabilities and services, including those to “identify and reduce cybersecurity risks, such as vulnerability scanning, penetration testing and architecture reviews.

The report specifically recommended an evaluation of the need for additional authorities, in line with a Cyberspace Solarium Commission proposal on identifying “systemically important entities” of critical infrastructure for regulation.  

Such authorities might empower the DHS secretary, “in consultation with the heads of relevant SRMAs as appropriate … to designate high-priority infrastructure, target federal resources to designated infrastructure, and require certain actions from owners and operators of such [SIEs].” 

Given the opportunity to weigh in on how Congress might appropriately augment federal authorities during a hearing Tuesday, DHS Secretary Alejandro Mayorkas demurred. 

NEXT STORY: DOD Must Enhance Cyber Incident Reporting and Sharing, Watchdog Says

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.