Critical infrastructure blueprint gets long-awaited update but maintains status quo on key sectors

A wastewater recycling plant in Fountain Valley, California. A recent update to critical infrastructure policy names CISA as the national coordinator for critical infrastructure protections. Mario Tama/Getty Images

The memorandum reaffirms the statutory authority of America’s top cyber agency, but doesn’t update the primary list of critical sectors that can be targeted in cyberattacks, notably leaving out space infrastructure.

A high-level blueprint that designates critical sectors of the U.S. economy in need of protection against cyber threats has received a long-sought update from the White House, though it notably does not revise the list of key infrastructure areas first identified over 10 years ago.

President Joe Biden on Tuesday signed a National Security Memorandum that rewrites Presidential Policy Directive 21, or PPD-21, an Obama-era catalog of 16 critical infrastructure sectors like water systems and government facilities that are considered vital for the economy and public safety. The directive assigned sector risk management agencies — or SRMAs — to oversee their defense.

The update reaffirms those 16 sectors and does not add any new categories to the fold, despite DHS’s Cybersecurity and Infrastructure Security Agency recommending in 2022 that space and bioeconomy be considered as two new critical infrastructure tracts.

The new memorandum instead taps CISA as the national coordinator for critical infrastructure protections, a move that the administration says helps align the agency’s statutory goals further, given that PPD-21 was written before CISA was created. It gives CISA more risk management oversight into eight of the sectors, including chemicals, information technology and dams.

It also directs intelligence agencies to collect and share information with critical infrastructure operators, who are often the first entities put in hackers’ crosshairs. The Office of the Director of National Intelligence will also need to provide the White House with a critical infrastructure intelligence assessment within six months of the signing. Additionally, the Homeland Security Secretary will be responsible for sending a report to the president every other year that summarizes U.S. efforts to mitigate cyber risks to the sectors.

The rewrite was over a year in the making and was motivated by the evolution of cyber tactics that shifted from counterterrorism toward strategic competition and nation-state hacking, said CISA Director Jen Easterly, speaking on a call with reporters to preview the signing.

The new NSM will require CISA to officially institute a list of important entities that are deemed so critical that a cyber compromise would result in a catastrophe impacting public health and safety, the economy or national security. The move would essentially replace a docket of these original “Section 9 entities,” which are named after Section 9 of the executive order that created PPD-21, according to a senior administration official who spoke on the call.

That current list, which is not made publicly available, contains around 500 entities, the senior official said, adding that it’s undergoing reapproval with the private sector.

Space was left out of the critical infrastructure ranks because “space is really a part of so many different sectors” and it “did not at this time make sense to break space out as a separate sector,” the senior administration official later said. The Federal Senior Leadership Council, which serves as the coordinating body for critical infrastructure responsibilities, leaned in on the decision, the official added.

Some experts have pushed to get space listed in the PPD-21 rewrite, arguing that space systems like GPS platforms and satellites have become key players in modern cyber warfare.

The administration said it plans to revisit at a later time whether it makes sense to add space onto the primary list or as a subsector. Space was previously assigned to a CISA working group in May 2021, involving a mix of government and industry players that advise on best practices for space infrastructure security.

Infrastructure-level cybersecurity has been top of mind for officials for several years but became a tangible threat in 2021 when Russia-linked ransomware hackers breached a major fuel system run by Colonial Pipeline, forcing the company to shutter the pipeline operations for several days. The event was a wake-up call for federal officials who stood up task forces and other groups to help prevent related incidents in the future. 

Chinese, Russian and Iranian cyber operatives have been documented burrowing into critical infrastructure in the U.S. and abroad, including water systems.

CISA recently unveiled a legal framework that will require infrastructure operators targeted by ransomware or other cyber incidents to report them to the agency in a timely manner.