The agency also suggested that existing sectors be consolidated and that some agencies need to exercise greater authority over private-sector entities.
Leading cybersecurity and sector risk management officials should consider establishing space and bioeconomy as two new sectors of critical infrastructure, the Cybersecurity and Infrastructure Security Agency wrote in a report to President Joe Biden and relevant congressional committees.
“Findings highlight an opportunity to designate a space sector and bioeconomy sector, depending on a review process described,” CISA wrote, recommending criteria—such as the potential for disruption within various sectors of the U.S. economy to cause debilitating impacts on society—in making critical-infrastructure determinations.
The bioeconomy refers to the portion of the economy that relies on biological resources such as plants and microorganisms; securing it would involve efforts to address issues like climate change and food production.
Entities in sectors designated as critical infrastructure—and their assigned sector risk management agencies, or SRMAs—stand to receive more resources and bear greater regulatory responsibilities under a proposed evolution of federal cybersecurity policy.
“Multiple sectors offer a fragmented or partial view of a larger scope associated with common functions, and therefore it may be advantageous to consider merging or consolidating those sectors,” CISA also highlighted, noting the emergency services sector as one example of this, because it “contains services largely provided or overseen by government entities.”
The report, obtained by Nextgov, was referenced in a Nov. 7 letter President Biden addressed to Congress, noting his intention of implementing its recommendations. The secretary of the Department of Homeland Security was required to deliver the report under the 2021 National Defense Authorization Act. The NDAA provision built on DHS’ standing obligation under the Homeland Security Act and a 2013 presidential policy directive, PPD 21, to produce and update a national plan to secure key resources and protect critical infrastructure.
In September 2021, DHS’ inspector general called CISA out for not having updated the plan in over eight years. Responding to the inspector general, CISA Director Jen Easterly said the plan would be ready by September 30, 2022. In a previous report, CISA had estimated the plan would be ready by December 2020, the inspector general said.
The secretary of DHS has the power to designate new sectors of critical infrastructure, as former DHS Secretary Jeh Johnson did in 2017, naming election infrastructure as a subsector of the government facilities sector. But CISA, as articulated in the NDAA-required report, wants such responsibilities for coordinating the protection of critical infrastructure to be shared by the Office of the National Cyber Director—also overdue to produce a national strategy—the National Security Council and the agencies that make up the Federal Senior Leadership Council.
“CISA, in collaboration with ONCD, NSC and SRMAs, and with input from other relevant departments and agencies, should … evaluate the scope of current critical infrastructure sectors to ensure they appropriately address systems, assets, national critical functions and capabilities; evaluate potential modifications to SRMA designations; and evaluate the potential establishment of new sectors or subsectors,” CISA wrote.
CISA has been assigned sector risk management responsibilities for half of the current set of 16 critical infrastructure sectors, some of which—such as the communications and information technology sectors—it has no regulatory authority over.
Some lawmakers, most notably Rep. Ritchie Torres, D-N.Y., have questioned CISA’s ability to shoulder so much of the responsibility for securing critical infrastructure absent additional authorities.
Others in Congress have discussed a need to revise PPD 21 to better manage risks within information and communications technology. And Deputy National Security Adviser for Cyber and Emerging Tech Anne Neuberger and National Cyber Director Chris Inglis have both suggested a greater exercise of regulatory authority is imminent for such entities.
CISA’s report to the president and committees addresses these issues, noting that consistent use of its criteria for designating agencies for the protection of critical infrastructure should rely “on all the necessary capabilities and authorities across federal departments and agencies.” It should also ensure that the national plan “does not overly rely on a single department’s or agency’s authority for managing sector engagement.”
“The Homeland Security Act, PPD-21 and the national plan all recognize that regulatory authority and capability are central reasons that a federal agency would be designated as an SRMA within a given sector,” CISA added. “Likewise, SRMAs and DHS have responsibilities to identify appropriate countermeasures to infrastructure threats and vulnerabilities.”
In September, CISA published a strategic plan to guide the agency’s efforts over the next three years. That plan put a premium on measuring the effect of the performance goals CISA has issued for critical infrastructure owners and operators of industrial control systems that are vulnerable to disruptive attacks. But the agency did not say how it intends to carry out that measurement, and its report to the president said the current national plan has limitations for evaluating critical infrastructure security across the SRMAs.
CISA’s report also highlighted its possession of various baseline capabilities and services, including those to “identify and reduce cybersecurity risks, such as vulnerability scanning, penetration testing and architecture reviews.”
The report specifically recommended an evaluation of the need for additional authorities, in line with a Cyberspace Solarium Commission proposal on identifying “systemically important entities” of critical infrastructure for regulation.
Such authorities might empower the DHS secretary, “in consultation with the heads of relevant SRMAs as appropriate … to designate high-priority infrastructure, target federal resources to designated infrastructure, and require certain actions from owners and operators of such [SIEs].”
Given the opportunity to weigh in on how Congress might appropriately augment federal authorities during a hearing Tuesday, DHS Secretary Alejandro Mayorkas demurred.