Principles and objectives driving the NSM

The NSM cites eight core principles that drive the NSM. First among these is a sense of shared responsibility by government entities and the owners of critical to come together in a “national unity of effort.” Related to this united effort is the principle that government regulatory and oversight entities “have a responsibility to prioritize establishing and implementing minimum requirements for risk management, including those requirements that address sector-specific and cross-sector risks.”

Among the other principles cited in the NSM is that critical infrastructure security and resilience require a risk-based approach that considers “all threats and hazards, likelihood, vulnerabilities, and consequences, including shocks and stressors.” 

Another value stressed in the NSM is the ever-important exchange of “timely and actionable” information between government organizations and the private sector to reduce risk. Easterly said during the press call that “CISA will continue to support the work of our partners across the US government by leveraging existing relationships, processes, and networks to share critical information and guidance and then provide additional guidance and resources to aid sector risk management agencies in the execution of the roles and responsibilities in the new NSM.”

CISA’s more defined role could bring the private sector to the table

The NSM more clearly defines and arguably expands CISA’s role with DHS. Among other things, CISA will coordinate with the SRMAs to fulfill “their roles and responsibilities and implement national priorities consistent with strategic guidance and the National Infrastructure Risk Management Plan (National Plan), as required by statute.”

CISA’s director also co-chairs, with a non-CISA SRMA official who serves a two-year term, the Federal Senior Leadership Council (FSLC), which under the NSM will “be the consensus-based body that coordinates and deconflicts the shared responsibilities and activities of Federal departments and agencies,” informed by engagement with the National Security Council.

The NSM also directs the development and maintenance of a non-public list of “systematically important entities” whose disruption or malfunction would cause significant and cascading negative impacts on national security. During the press call, Easterly said CISA had already begun working to establish this list, and a senior administration official said the list currently has less than 500 entities.