The 2024 National Security Memorandum on Critical Infrastructure Security and Resilience

July 25, 2024

The White House issued a directive, “National Security Memorandum on Critical Infrastructure Security and Resilience” (NSM-22), on April 30, 2024. The memorandum set forth a revised framework for federal agency roles and responsibilities within the national critical infrastructure risk management enterprise. The Secretary of Homeland Security is designated as the responsible official for coordination and implementation of NSM-22, acting through the Director of the Cybersecurity and Infrastructure Security Agency (CISA) as the National Coordinator for the Security and Resilience of Critical Infrastructure. NSM-22 supersedes Presidential Policy Directive 21 (PPD-21), issued by President Barack Obama in 2013.

As the first comprehensive high-level policy guidance on critical infrastructure security and resilience (CISR) in more than a decade, NSM-22 presents an updated assessment of the broader strategic environment that is characterized by rapidly evolving, high complexity threats. NSM-22 envisions an accelerated risk management cycle for the CISR enterprise, requiring biennial updates of national infrastructure risk management plans from designated officials and agencies, as well as enhanced intelligence collection, analysis, and sharing. Additionally, it mandates a more assertive use of federal regulatory authorities and fiscal instruments, such as procurement and grant rules to encourage private-sector compliance with minimum resilience standards. As such, the directive shifts away from the policy approach first established during the Clinton Administration, which eschewed compulsory measures in favor of voluntary public-private partnerships to promote infrastructure resilience.

In some aspects, NSM-22 is restrained in scope. It retains PPD-21’s sector-specific organization of the federal CISR enterprise, which is based on public-private partnerships organized within designated sectors that encompass wide areas of the economy and government (e.g., transportation, communications, energy). NSM-22 likewise preserves existing sector-specific coordination bodies and the leadership role of Sector Risk Management Agencies (SRMAs) for each of the 16 currently designated sectors. NSM-22 does not add any new sectors. (A Department of Homeland Security [DHS] 2022 report to Congress raised the possibility of adding new Space and Bioeconomy sectors.) Further, NSM-22 reiterates or reinstates many of the core concepts established by PPD-21 and other directives, such as the definitions of critical infrastructure and risk. NSM-22 places renewed policy emphasis on identification, cataloguing, and prioritization of specific assets within designated sectors, echoing the critical infrastructure protection policies of the Bush Administration after the terrorist attacks on September 11, 2001.

Strategic Context and Policy Approach

The White House framed NSM-22 in the context of several key developments: the “generational investment” in critical infrastructure; the transition of the national energy and transportation sectors away from fossil fuels; (unspecified) technological transformations; and increasingly interdependent and interconnected critical infrastructure in the modern economy.

PPD-21, by contrast, generally was more inward looking in its orientation, focusing on maturation of the modern homeland security enterprise that was little more than a decade old in 2013. It pivoted from the counterterrorism focus of the previous decade to broader engagement with an “all-hazards environment” of more diffuse and diverse challenges, including natural hazards. PPD-21 highlighted issues of interagency organization and coordination, information sharing, and analysis throughout the federal government, prioritizing development of interagency relationships and agency capabilities.

NSM-22 retains elements of the PPD-21 all-hazards approach and concern with interagency relationships and functions. However, much of NSM-22’s content reflects emergence of threats not mentioned in PPD-21 (i.e., effects of climate change, supply chain disruptions, malign foreign investments in critical infrastructure entities, and more aggressive threats from nation-states with advanced cyber capabilities). NSM-22 generally refrains from reimaginings of core concepts, institutions, and risk management methods. Instead, it directs federal agencies to mobilize for critical infrastructure protection and make use of existing authorities—and, if needed—seek new ones, stating that “federal departments and agencies with regulatory authorities shall utilize regulation, drawing on existing voluntary consensus standards as appropriate, to establish minimum requirements and effective accountability mechanisms for the security and resilience of critical infrastructure.”

Key Definitions and Concepts

In NSM-22, various key definitions and concepts developed in PPD-21 and other prior policy directives are restated, modified, or omitted.

Critical Infrastructure and Criticality

NSM-22 restates the definition of critical infrastructure used in PPD-21 as certain “vital” infrastructure objects, whose “incapacity or destruction would have a debilitating impact on national security, national economic security,
national public health or safety, or any combination of those matters.” This definition of critical infrastructure was first introduced in statute under the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (USA PATRIOT Act; P.L. 107-56) and has since been incorporated by reference into many subsequent laws and executive branch policy directives.

The PATRIOT Act definition presupposes an asset-centric approach to risk management based on the identification, prioritization, and protection of specific infrastructure assets deemed to meet the statutory threshold of criticality. A 2003 White House directive for critical infrastructure protection set forth “a national policy for Federal departments and agencies to identify and prioritize United States critical infrastructure and key resources,” based on the Patriot Act definition of critical infrastructure. Implementation of asset-level prioritization policies and legislative mandates encountered practical difficulties and criticism from oversight bodies over time. A decade later, PPD-21 contained few provisions for asset identification and prioritization activities, with no specific implementation requirements for this activity.

By contrast, NSM-22 instructs federal agencies to play a more direct and assertive role in public-private partnerships—both voluntary and regulatory—to identify, prioritize, and protect critical assets. The directive then incorporates this broad guidance into specific implementation instructions. NSM-22 provides a definition of criticality as “an attribute of an asset, system, or service that reflects its degree of importance or necessity to stated goals, missions or functions, or continuity of operations.” It does not provide standardized metrics or detailed guidance to federal agencies for identification of priority assets on a national level through quantitative risk assessments or other means.

Risk

NSM-22 defines risk as “the potential for an unwanted outcome, as determined by its likelihood and the consequences”—a definition that DHS has used for more than a decade, sometimes presenting it as a mathematical function, where risk equals the product of threat, vulnerability, and (predicted) consequence. Some experts believe this formula has limited usefulness for quantitative comparisons of risk that might inform asset prioritization. NSM-22 seems to present the formula as a qualitative assessment approach; it nonetheless instructs agencies to use it for prioritization of risk management efforts.

National Critical Functions

In 2019, CISA introduced an analytical framework based on a set of 55 National Critical Functions (NCFs) intended to supplant “entity level risk management” based on asset-specific estimates of threat, vulnerability, and consequence. The NCF framework groups diverse infrastructure functions into four areas: connect, distribute, manage, and supply. It seeks to provide “a richer understanding of how entities come together to produce critical functions” by using a “functional lens” to understand critical infrastructure interdependencies across multiple sectors. NSM-22 does not mention the NCF framework, and its requirements for cross-sector risk assessments appear to be largely based on aggregation of sector-specific asset identification and prioritization inputs.

Key Implementation Milestones

Selected NSM-22 requirements include the following actions:

The Secretary of Homeland Security (the Secretary) produces the National Infrastructure Risk Management Plan (within one year, recurring biennially) as the government’s “comprehensive plan to mitigate and manage cross-sector risk”; acting through CISA, creates the national coordinator office to act as “the single coordination point for SRMAs across the Federal Government”; and reviews the existing CISR framework for public-private partnerships and recommends necessary changes (within one year).

SRMAs designate a senior official (within 30 days) to coordinate SRMA functions and stakeholder engagements within their respective sectors; provide a detailed justification of selection criteria, agency support, and mission fulfilment plans (within 180 days); and produce a sector-specific risk management plan (within 270 days, recurring biennially).

SRMAs and the national coordinator review “available authorities, incentives, and other tools to encourage and require owners and operators to implement identified sector-specific or cross-sector minimum security and resilience requirements” and propose “any additional authorities or capabilities that could enable implementation” (within 270 days).

The national coordinator produces a list (no timeline) of Systematically Important Entities that could cause cascading infrastructure failures on a national scale based on SRMA identifications of prioritized infrastructure assets and certain other inputs.

The director of national intelligence (DNI) provides an intelligence estimate to the President on critical infrastructure threats (within 180 days); provides reports on intelligence collection (within one year, recurring annually) and information sharing with SRMAs and critical infrastructure entities (within 18 months, recurring annually); and provides guidance (within one year) on timely threat notification to designated federal agencies of specific and credible threats to U.S. critical infrastructure.

Issues for Congress

The next Administration may rescind, modify, or fully implement NSM-22 without congressional action. Congress may legislate changes to federal CISR policy. In the 118th Congress, some Members have introduced bills to create a Space infrastructure sector, to establish a national risk management process based on the NCF framework, and to require certain threat and vulnerability assessments.

Brian E. Humphreys, Analyst in Science and Technology Policy
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.

https://crsreports.congress.gov | IF12716 · VERSION 1 · NEW