National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems


The White House has published a National Security Memorandum addressing the cybersecurity of industrial control systems for the country’s critical infrastructure, with the goal of encouraging private operators to adopt better practices voluntarily. In advance of the memo, President Biden described the nation’s cybersecurity posture as “woefully insufficient” and anticipated that “if we end up in a war – a real shooting war with a major power – it’s going to be as a consequence of a cyber breach of great consequence.”

The memorandum formally establishes the Industrial Control Systems Cybersecurity Initiative, a private-public project begun as a pilot by the Department of Energy with the electricity sector in April. The initiative has been positively received, and the natural gas and pipeline sector is its next focus.

Rather than mandatory measures, the memo directs CISA and NIST to establish “goals,” though it hints at the possibility of “additional legal authorities,” which would likely require legislation. Mandatory incident reporting is already on Congress’ agenda. The preliminary goals from Homeland Security are due September 22, with final cross-sector goals due within a year.