Cybersecurity panel requests comprehensive blueprint for safeguarding critical infrastructure
The Cyberspace Solarium Commission (CSC) report, published in March 2020, identifies the establishment of minimum security burdens for critical infrastructure entities as a crucial step towards bolstering the United States' cybersecurity posture. The report addresses federal support, threat information sharing, and risk management responsibilities, but focuses particularly on minimum cyber and personnel security standards, enhanced authority for the Cybersecurity and Infrastructure Security Agency (CISA), continuous monitoring and verification, and public-private collaboration.
The report recommends that critical infrastructure entities, particularly those receiving federal funding or whose disruption would pose a national security risk, adhere to minimum cyber and personnel security standards. To support threat mitigation and vulnerability disclosure, the CSC recommends granting CISA enhanced authority, including administrative subpoena power so that CISA can compel internet service providers to identify the owners of vulnerable internet-connected systems it has detected. Congress subsequently enacted that subpoena authority in Section 1716 of the FY2021 National Defense Authorization Act.
A framework for continuous monitoring and verification of cybersecurity compliance by critical infrastructure operators is also proposed. This would be achieved by leveraging collaboration between the government and insurance industry to incentivise adherence to these baseline cybersecurity standards, for instance, through insurance coverage tied to compliance.
The CSC also recommended a joint cyber planning body under CISA to coordinate public-private defensive planning and to gather data on risk across critical infrastructure sectors. Congress authorized a Joint Cyber Planning Office under CISA in the FY2021 National Defense Authorization Act, and CISA stood it up as the Joint Cyber Defense Collaborative (JCDC) in August 2021. The JCDC is a planning and operational collaboration body that brings together federal agencies and private-sector partners; it is not itself a compliance regulator, so verification of adherence to minimum standards remains with the sector-specific regulators and the mechanisms described above.
Congress and federal agencies have been working on the legal and operational frameworks needed to enact these minimum cybersecurity standards and reporting requirements. The Department of Homeland Security, through CISA, administered the Chemical Facility Anti-Terrorism Standards (CFATS) program, which regulated security at high-risk chemical facilities and serves as a model for applying sector-specific minimum standards. Note that CFATS' statutory authority lapsed in July 2023 when Congress did not reauthorize it, so the model is currently an illustration of the approach rather than an active enforcement regime.
Practical mechanisms like conditional licensing of foreign ICT products, deconfliction with existing review processes (e.g., CFIUS), and insurance-driven incentives for cybersecurity improvements are being developed and debated to operationalize the CSC’s recommendations.
In summary, the minimum security burdens the CSC proposes for critical infrastructure entities centre on baseline cybersecurity and personnel security standards, continuous monitoring, federal enforcement authority, and public-private collaboration. The U.S. government has advanced parts of this agenda through legislative, regulatory, and collaborative measures, including expanded CISA authority, sector-specific standards on the CFATS model, and the JCDC. Implementation remains uneven across sectors, and several recommendations, including uniform minimum standards across all critical infrastructure, are still in progress.
- The Cyberspace Solarium Commission's report underscores the importance of minimum cybersecurity and personnel security standards for critical infrastructure sectors, with a focus on federal funding recipients and entities whose disruption would pose a national security risk.
- To support enforcement of these standards, the report recommends granting the Cybersecurity and Infrastructure Security Agency (CISA) enhanced authority, such as administrative subpoena power, for threat mitigation and vulnerability disclosure.
- The report also proposes a structure for continuous monitoring and verification of cybersecurity compliance by critical infrastructure operators, using collaboration between the government and the insurance industry to incentivize adherence to these baseline cybersecurity standards.