It’s promotion time. The Cybersecurity and Infrastructure Security Agency (CISA), which keeps hackers from messing with key infrastructure, is getting an upgrade, a White House official recently announced.
National Security Council Director of Critical Infrastructure Cybersecurity Jonathan Murphy told attendees at CyberTalks in Washington, DC, on Nov. 16 that the anticipated rewrite of Presidential Policy Directive 21 (PPD-21) will emphasize CISA’s role in coordinating infrastructure security.
The executive branch first released PPD-21, a document on protecting critical infrastructure, in 2013—long before CISA existed. As the Washington Post explained, PPD-21 updated George W. Bush administration-era guidance on which federal agencies hold responsibility for protecting critical infrastructure in 16 separate sectors.
The fiscal 2021 defense policy bill had already transferred some sector risk management agency responsibilities to CISA, the Post reported. But the forthcoming rewrite will formalize CISA’s role as the central coordinator of all 16 sectors, and add cybersecurity as a major element of the strategy.
The rewrite will create a “positive vision for having an organizing structure, but also empower them to execute that responsibility,” Murphy told attendees.
“We’re looking across all of those 16 infrastructure sectors to identify where levers exist to enable the federal government to have positive, reliable outcomes, set down cybersecurity requirements for those critical infrastructure sectors,” Murphy added. “It’s very much an evolution of where we went to last.”
As CyberScoop noted, Joe Biden’s administration is also looking to streamline cybersecurity requirements between critical infrastructure sectors, although its recent National Cybersecurity Strategy (NCS) warns operators that the federal government views managing cyber risks as obligatory.
PPD-21 is important because the sector-specific plans in place under previous regulations “are all garbage,” Mark Montgomery, executive director of a congressionally mandated advisory panel called the Cyberspace Solarium Commission (CSC) and its successor, CSC 2.0, told attendees at the Hack the Capitol conference earlier this year. According to the Post, Montgomery compared the plans to a copy-and-paste job and expressed skepticism that any rewrite would be accomplished this year.
Haphazard cybersecurity across the nation’s infrastructure has been highlighted in alarming fashion over the past few years by high-profile incidents ranging from the Colonial Pipeline hack to more recent reports of mass infiltration of networks by Russia- and China-backed hackers. The administration’s NCS implementation plan, released this year, outlines more than 65 “high impact” initiatives, ranging from increased sharing of threat intelligence to encouraging mass adoption of secure-by-design principles in software and hardware.