Biden memorandum signals that the private sector must live up to cyber performance goals

Got a building your selling? Worried about Taxes? Free 1031 eBook


On July 28, 2021, President Biden signed a memorandum to modernize defenses in industrial control systems (ICS) that command and direct manufacturing, product handling, production, distribution and related data acquisition.

Why does it matter? The Biden administration committed to take concrete action soon after Americans saw how easy it was for hackers to threaten essential services like gas and food in May 2021. It immediately required pipeline owners and operators to implement urgently needed protections, spelled out in two directives from the Department of Homeland Security’s Transportation Security Administration.

With the July 28 memo, President Biden signals future action on other priority critical infrastructure sectors such as water, wastewater and chemicals.

This is a matter of trust. American people should be able to count on services to be safe and reliable. And they should be able to trust that critical infrastructure — in government and in the private sector — can stand up to 24/7 cybersecurity threats.

What’s in the memo?

Biden’s “National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems” engages the private sector to harden defenses in two ways:

What’s new?

It requires setting cyber performance goals — “baseline security practices that critical infrastructure owners and operators should follow to protect national and economic security, as well as public health and safety.” September 22, 2021 is the deadline for the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute for Standards and Technology (NIST) to draft preliminary goals. Final cross-sector and sector-specific goals are due in a year, after consultations with relevant agencies.

What’s not new?

It encourages expanded deployment of technologies and systems in the private sector via the voluntary, but formalized, ICS Cybersecurity Initiative. In scope are technologies and systems that (a) provide threat visibility, indications, detection and warnings and (b) facilitate response capabilities for cybersecurity in essential control system and operational technology networks.

Although the ICS initiative is a voluntary, collaborative effort between the federal government and the critical infrastructure community, the Biden administration takes a positive view. At the background press call about the memo, an official cited the ICS initiative pilot with the electricity subsector, stating that “already over 150 electricity utilities representing almost 90 million residential customers are either deploying or have agreed to deploy control system cybersecurity technologies.”

Get ahead of the coming regulatory compliance obligations

Engage with the government on the development of goals and standards

Continue to improve your cyber program

Engage with the government on the development of goals and standards

Organizations in critical infrastructures have an opportunity to shape voluntary standards and goals that will likely become requirements a year from now. Here are some key ways to get ahead:

  • Actively engage with the government. Develop a smart understanding of how the government is approaching this initiative. Share your industry and operational insights to help develop clear performance standards in order to build trust in services that Americans depend on every day.
  • Drive a risk-based approach and work with your respective government agencies towards standards and goals that can lead to the greatest improvement (despite resource constraints) and position the private sector to be agile in the face of ever-evolving threats.
  • Bring your voice and influence together with your industry associations. Use established mechanisms and programs (including consortia and public working groups) to collaborate with the government via CISA and NIST.
  • If you’re in a sector that has not had any regulatory security compliance obligations, prepare to fold these into your overall regulatory compliance program