Anticipating a refresh of Sector Risk Management Agency Roles and Responsibilities

Cynthia
Published in Hunter Strategy
Aug 11, 2023

In June, CSC 2.0 released “Revising Public-Private Collaboration to Protect U.S. Critical Infrastructure”, with 12 recommendations to consider during updates to the national critical infrastructure protection framework.

CSC 2.0 is a non-profit organization continuing the work of the Cyberspace Solarium Commission, established in Sec. 1652 of the FY 2019 National Defense Authorization Act (NDAA) to drive consensus toward a strategic approach to defending the United States in cyberspace against cyber attacks of significant consequence.

The policy and implementation recommendations are:

1. Clearly identify strategic changes

CSC 2.0 recommends adding two strategic imperatives to move current policy beyond security and encompass the concepts of resiliency and continuity of operations. While CSC 2.0 avoided making specific recommendations, it is apparent that the federal government has a role to play regarding continuity of operations in the face of major disruptions. Pillar three of the National Cybersecurity Strategy, “Shape Market Forces to Drive Security and Resilience”, presents ideas to support resilience such as a federal cyber insurance backstop, and Pillar one addresses continuity of operations requirements by recommending that the Federal government update Incident Response Plans and Processes to better address cyber events requiring Federal assistance.

2. Assign responsibilities and ensure accountability for routine updates of key strategic documents

This one makes me smile a bit, as I was recently at a professional event discussing the National Cybersecurity Strategy, and someone asked how this was any different from the Comprehensive National Cybersecurity Initiative (CNCI) launched in 2008. Certainly, the effectiveness of these policies and strategies depends on their sustained relevance to our current environment.

3. Clarify CISA’s roles and responsibilities as NRMA

This recommendation focuses on “increasing or clarifying CISA’s ability to compel minimum security standards and to convene or require collaboration or engagement where appropriate”. I personally feel a “minimum security standard” is an effort that should be championed by ONCD in coordination with all federal agencies. Both industry and the Federal Government are relying on a patchwork of regulations and guidelines today, and you can look to everyone from the federal government to private insurance companies to find a ‘top 10 recommended security measures’ list. CISA certainly has a role, but cybersecurity is a global issue, and those that could benefit from a minimum security standard extend beyond our homeland.

4. Resolve questions around the organization and designation of critical infrastructure sectors and assigned SRMAs

This recommendation calls for more rigor around sector designations and clarifying subsectors. I’d simply caution that there are already 16 named critical infrastructure sectors, 20 named NAICS sectors and 11 named Global Industry Classification Standard (GICS) sectors. Changing this high-level construct comes with an opportunity cost of reeducating stakeholders. None of the above classification systems claim that there are firm lines between sectors; businesses naturally focus on opportunities that provide value, and these activities can certainly span sectors. These ‘buckets’ should simply be used to convey similarities, not to separate sectors from one another.

5. Provide guidance on SRMA organization and operation

This recommendation makes a point near and dear to my heart in recommending that PPD-21’s successor should resolve whether it is better to house a regulator and SRMA in the same entity, whether they should be separate, or whether different configurations are appropriate for different sectors. Certainly, we can all reflect upon the times, not fully behind us, when cybersecurity professionals reported directly to the head of IT. Avoiding conflicts of interest, especially for SRMAs who need to foster partnership, is essential to building the appropriate trust relationship.

6. Facilitate accountability

Accountability is always a good thing. Regulations require enforcement to maintain efficacy. Regulators should not have conflicts of interest. All of these topics are woven into the preceding recommendations in more detail.

7. Strengthen CISA’s capabilities to execute its NRMA responsibilities

CISA’s 2023–2025 Strategic Plan, released almost a year ago, outlines several goals including continued focus on risk reduction to critical infrastructure.

8. Resource SRMAs for the responsibilities they have

This recommendation is all about ensuring Congress appropriates funds and revises statutes to ensure SRMAs are authorized to collaborate effectively. At the time of this writing Congress is enjoying its summer recess, but come September it is time for them to be hard at work and reveal whether there will be any material changes to advance whole-of-government needs to continue to resource cybersecurity.

9. Identify a more effective way to catalog, support, and protect priority infrastructure

Efforts are underway to identify systemically important entities (SIEs), and more work must be done by each sector risk management agency to understand the cyber risk to SIEs and work toward a reliable method to order and prioritize this information.

10. Develop functional information-sharing capacity across all sectors

Information sharing has long been a challenge, as different agencies operate under different authorities and motivations. As cyberspace remains a highly contested area, more work is required to analyze what information is available and work toward new agreements to expand sharing. Partnership and a commitment to removing silos will be required. Furthering standards and strengthening taxonomies for information sharing will help drive the development of interoperable technologies to further support this goal.

11. Organize public-private collaboration to mitigate systemic and cross-sector risk

Systematic improvements for these councils could include quarterly or annual cross-sector council meetings, aligned risk ratings for critical infrastructure and a common language for discussing risks across sectors. As the author notes, the space is still immature and work is needed.

12. Ensure effective emergency response

While I appreciate industry wanting a single point of contact during an emergency, this remains a challenge. Efficient coordination is always a goal, but the dichotomy of having divided responsibilities across agencies facilitates the competition required between agencies to position their various services and allows private industry choice in which services most appropriately support their needs during a crisis. There is a balance that must be maintained to neither overwhelm nor underwhelm.

Hopefully these recommendations are incorporated into the updates, which are much needed. If you are interested in another perspective, the Post covered this topic in May (https://www.washingtonpost.com/politics/2023/05/11/presidential-critical-infrastructure-protection-order-is-getting-badly-needed-update-officials-say/) and the Atlantic Council published perspectives in March (https://www.atlanticcouncil.org/content-series/tech-at-the-leading-edge/modernizing-critical-infrastructure-protection-policy-seven-perspectives-on-rewriting-ppd21/).
