A cybersecurity policy organization has criticized a decade-old presidential directive, Presidential Policy Directive 21 (PPD-21), for being outdated and inadequate in addressing the protection of critical infrastructure. The directive, which outlined the responsibilities of sector risk management agencies (SRMAs) for safeguarding sectors like power utilities and manufacturing plants, is being revamped by the Biden administration.
However, a report by CSC 2.0 argues that the current incremental approach is insufficient in the face of escalating physical and cyber threats. The report emphasizes the need for a modernized document and improved implementation, resourcing, collaboration, and emergency response to protect critical infrastructure.
The report highlights that the PPD-21 overhaul, combined with recent events like the Colonial Pipeline hack and the ongoing conflict in Ukraine, provides an opportunity to reshape the security relationship and address the challenges faced over the past decade.
Mary Brooks, co-author of the report, emphasizes the importance of fixing the directive not just for today but also for the future. The report also reveals that the existing SRMA framework lacks accessible information and guidance, leading to confusion during crisis situations.
To address these issues, the CSC 2.0 report provides recommendations for the revamp of the directive. These include clarifying the role of the Cybersecurity and Infrastructure Security Agency (CISA) as the “national risk management agency,” identifying both critical infrastructure sectors and their subsectors, and establishing a process for routine updates of the directive.
Implementation measures suggested by the report include adequate resourcing for agencies responsible for sector cybersecurity, the establishment of a cyber threat information collaboration environment involving CISA and other entities, and the refinement of existing emergency response law and policy.
Mark Montgomery, executive director of CSC 2.0, acknowledges the historical inconsistency in performance and cooperation among federal agencies and sectors. He emphasizes the urgency of addressing these issues to protect critical infrastructure and ensure the completion of essential core documents.
