United States: Biden Administration Plans For Sweeping Cybersecurity Regulation For Critical Infrastructure

Issue in Brief: Forthcoming cybersecurity requirements in critical sectors, such as the chemicals, manufacturing, energy, transportation, and water sectors, form a leading part of the Biden Administration's newly-released National Cybersecurity Strategy ("Strategy")—part of the Administration's general program of hardening the country's cyber defenses for its critical infrastructure.

Key Takeaways: According to the Administration, while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes. As a result, critical infrastructure sectors should prepare for increased performance-based regulation, including minimum cybersecurity requirements.

On the Horizon: The federal government will use existing authorities to set necessary cybersecurity requirements in critical sectors. Where federal departments and agencies have gaps in statutory authorities to implement minimum cybersecurity requirements or mitigate related market failures, the Administration will work with Congress to close them.

Biden Administration National Cybersecurity Strategy

Enhancing cybersecurity for critical infrastructure remains at the fore, and owners and operators of critical infrastructure across all sectors, verticals, and industries should expect more legal requirements imposed upon them in the near future.

As part of a multi-objective approach, the Administration seeks to achieve key strategic objectives, including:

• Expanding the use of minimum cybersecurity requirements in critical sectors to ensure national security and public safety, as well as "harmonizing and streamlining" regulations to reduce the burden of compliance;
• Scaling public-private collaboration at the speed and scale necessary to defend critical infrastructure and essential services, including enhanced coordination between the federal government and the Cybersecurity and Infrastructure Security Administration ("CISA"); and
• Integrating federal cybersecurity centers and updating federal incident response policy.

One reason for these comprehensive changes, the Administration explains, is that, while voluntary approaches to critical infrastructure cybersecurity have produced meaningful improvements, the lack of mandatory requirements has resulted in inadequate and inconsistent outcomes.

The Administration has established new cybersecurity requirements in certain critical sectors. In other sectors, new authorities will be required to set regulations that can drive better cybersecurity practices at scale. These regulations will define "minimum expected cybersecurity practices or outcomes," and will leverage existing cybersecurity frameworks, voluntary consensus standards, and the Cybersecurity and Infrastructure Security Agency ("CISA") and the National Institute of Standards and Technology ("NIST") guidance. "Our strategic environment requires modern and nimble regulatory frameworks for cybersecurity tailored for each sector's risk profile, harmonized to reduce duplication, complementary to public-private collaboration, and cognizant of the cost of implementation."

Throughout this process, the Administration is encouraging critical infrastructure regulators to drive the adoption of secure-by-design principles, prioritize the availability of essential services, and ensure that systems are designed to fail safely and recover quickly. Likewise, the Administration will identify gaps in authorities to drive better cybersecurity practices for essential third-party services, and work with industry, Congress, and regulators to close them. Where federal regulations are in conflict, duplicative, or overly burdensome, regulators must work together to minimize these harms. When necessary, the United States will pursue cross-border regulatory harmonization to prevent cybersecurity requirements from impeding digital trade flows.

These anticipated regulations will build upon requirements that the federal government has already established in key sectors, such as oil and natural gas pipelines, aviation, and rail, led by the Transportation Security Agency, and water systems, led by the Environmental Protection Agency.

The federal government will use existing authorities to set necessary cybersecurity requirements in critical sectors. Where federal departments and agencies have gaps in statutory authorities to implement minimum cybersecurity requirements or mitigate related market failures, the Administration will work with Congress to close them.

The National Cybersecurity Strategy is available here.

The White House Fact Sheet is available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.