From the Director: Perspectives on NSM-22
Office of Cybersecurity, Energy Security, and Emergency Response
April 30, 2024

In light of the release of National Security Memorandum 22 on Critical Infrastructure Security and Resilience on April 30, I have been reflecting on the role of the U.S. Department of Energy (DOE) as the Sector Risk Management Agency, or SRMA, for the U.S. energy sector. I applaud NSM-22 as it represents a timely evolution of Presidential Policy Directive-21, which established the SRMA structure and function within the federal government in 2013.
Since 2013, the U.S. energy sector has undergone tremendous change. As the demand for electricity has continued to increase, new and diverse sources of generation have been added and new players have entered the market. At the same time, technological advancements have strengthened the reliability, efficiency, and safety of our energy systems.
Simultaneously, we've seen an increase in threats facing the sector from nation-states like the People’s Republic of China (PRC). In fact, in mid-April, FBI Director Christopher Wray stated unequivocally that “The PRC has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage, and that its plan is to land low blows against civilian infrastructure to try to induce panic and break America’s will to resist.” He has previously stated that “PRC hackers are targeting our critical infrastructure—our water treatment plants, our electrical grid, our oil and natural gas pipelines, our transportation systems.”
Between the alarming threats posed by foreign adversaries and the increased severity and frequency of hurricanes, wildfires, and drought, and even an increase in physical intrusions at energy infrastructure sites, the U.S. energy sector needs to manage risk more precisely and with greater coordination than ever before. And that risk management must be done in close collaboration with the industry, the State, local, territorial, and tribal (SLTT) community, academia, and international allies.
This NSM empowers SRMAs to lead risk management in their respective sectors while organizing the broader U.S. government and interagency to support SRMAs in this effort. In particular, I am pleased to see the NSM focusing on the following:
- Establishing a new two-year risk management cycle for critical infrastructure. This will drive risk assessment, management, and intelligence-related activities across DOE for the energy sector.
- Highlighting the need for operational collaboration, a priority for the Biden-Harris Administration. Having SRMAs work closely with the Intelligence Community will ensure the right information gets to the right people with expertise to effectively mitigate risk. DOE’s Energy Threat Analysis Center provides a model for this as it is designed to analyze threats and risks to the sector, take potential impacts into account, and produce actionable insights and mitigations in partnership with private sector owners and operators, DOE’s National Laboratories, and interagency partners.
- Prioritizing minimum requirements for risk management, with an emphasis on promoting the adoption of requirements that address sector, national, and cross-sector risks to critical infrastructure. DOE is already actively pursuing this objective having recently funded an effort with the National Association of Regulatory Utility Commissioners (NARUC) to publish Cybersecurity Baselines for Electric Distribution Systems and Distributed Energy Resources (DER). This landmark publication establishes risk-based cybersecurity guidelines to help utilities make smart investment decisions targeted at reducing cyber risk.
- Creating a consistent experience for the owners and operators of critical infrastructure, by fully leveraging expertise and technical resources from all relevant federal departments and agencies. The same commitment to consistency will benefit state, local, Tribal, and territorial (SLTT) stakeholders and others involved in ensuring the security and resilience of critical assets. In this realm, DOE is working with the Bureau of Land Management and the U.S. Forest Service to address the devastating impact of wildfires on people and communities across the country through better prioritization and the accelerated development of policies and technologies as well as the implementation of wildfire mitigation efforts on federal lands in partnership with the electricity sector.
The NSM acknowledges that protecting and securing America’s critical infrastructure is a multifaceted undertaking best managed by those familiar with sector-specific nuances and challenges. As each SRMA is responsible for day-to-day oversight and coordination of federal risk management and resilience activities it makes sense to divide and conquer, putting those with the most experience and greatest expertise in positions of leadership and authority in their respective sectors.
DOE has a track record of success as the SRMA for the energy sector precisely because we have a depth of knowledge specific to the generation, transmission, distribution, and consumption of electricity as well as upstream, midstream, and downstream segments in the oil and natural gas subsector. We also have an exceptional breadth of capabilities across the Department, including the cybersecurity, risk analysis, resilience, and emergency response capabilities that reside within CESER and subject matter expertise on energy in all of its forms—fossil, nuclear, and renewables—across the Department and at the DOE national laboratories that we are able to leverage.
A large majority of the critical energy infrastructure in the United States is owned and operated by private companies so it is crucial that lines of communication between the federal government and these companies remain open and that we approach risk management with a sense of shared responsibility. CESER facilitates both the Electricity Subsector Coordinating Council (ESCC) and the Oil and Natural Gas Subsector Coordinating Council (ONGSCC) in partnership with the Department of Homeland Security and other agencies. These groups bring executives from the energy sector together regularly to identify security and resilience challenges and advance policy, technology, and preparedness solutions. The ESCC, in particular, is led by 30 CEOs who work hand-in-hand with DOE to advance the security and resilience of the energy sector in partnership with the highest levels of government.
We work closely with the DOE National Laboratories who are powerhouses of expertise when it comes to energy systems, cybersecurity, modeling, and capabilities to advance the security of the nation’s energy systems through advanced research, development, and demonstration. The world-class subject matter experts at the laboratories are part of the extensive network of resources that make the DOE an incredibly effective SRMA for the energy sector and I am proud of the work we do together.
While DOE has a time-tested SRMA model, there is always room for improvement. In the coming months, we will work to develop an Energy Sector Risk Assessment in close coordination with the private sector and will undertake a series of additional implementation activities including the development of an energy SRMA operating plan and contributing to a cross-sector National Risk Assessment Plan.
I am grateful for the work that has been done to date by dozens of DOE staff and their counterparts across many other federal agencies, and in cooperation with industry and SLTT representatives, to develop NSM-22. I look forward to the work that lies ahead as we continue to refine our approach to sector risk management and interagency collaboration.