{ "id": "R45809", "type": "CRS Report", "typeId": "REPORTS", "number": "R45809", "active": true, "source": "EveryCRSReport.com", "versions": [ { "source": "EveryCRSReport.com", "id": 601785, "date": "2019-07-08", "retrieved": "2019-07-11T22:22:49.118500", "title": "Critical Infrastructure: Emerging Trends and Policy Considerations for Congress ", "summary": "Protection of the nation\u2019s critical infrastructure (CI) against asymmetric physical or cyber threats emerged in the late 1990s as a policy concern, which was then further amplified by the 9/11 terrorist attacks. Congress created the Department of Homeland Security (DHS) in the wake of the attacks, and directed the new Department to identify, prioritize, and protect systems and assets critical to national security, the economy, and public health or safety. Identification of CI assets was, and remains, a complex and resource-intensive task. \nMany governmental and non-governmental stakeholders increasingly advocate for a fundamentally different approach to critical infrastructure security, maintaining that criticality is not a fixed characteristic of given infrastructure assets. Rather, they argue, criticality should be understood in the context of ensuring system-wide resilience of American government, society, and economic life against the full range of natural and manmade hazards. \nCongress further elevated resilience as a priority when it passed the Cybersecurity and Infrastructure Security Agency (CISA) Act into law in late 2018. As the name indicates, CISA was created to lead the national cybersecurity and infrastructure security effort as an operational component of DHS. In April 2019, leadership of the new agency identified a set of 56 National Critical Functions (NCF) (\u201cAppendix A: National Critical Functions\u201d) which it plans to use as the basis of a resilience-based CI risk management approach. However, implementation will rely to a large degree on repurposed legacy programs. 
Thus, CI policy is currently at an inflection point that raises several potentially pressing issues for Congress: \nScope of federal CI policy: The CI security enterprise has expanded significantly from its early focus on protecting systems and assets \u201cessential to the minimum operations of the economy and government\u201d against deliberate attack. Congress may consider narrowing the scope of CI policy.\nThe legacy policy framework: National CI policy retains many legacy mandates and programs designed to support asset protection despite a long-term policy shift towards an all-hazards resilience framework. Congress may consider revising existing asset identification and reporting requirements statutorily linked to federal homeland security grant award processes. \nValidity of new risk management methods: Congress may assess the potential advantages and drawbacks of the resilience framework, and NCF as the basis for national-level infrastructure risk assessments and investment prioritization. In the past, Congress has called for external validation of DHS risk management methods and may wish to do so in the present case given its comparative novelty. \nRoles and responsibilities of federal agencies: The Homeland Security Act of 2002 created DHS and consolidated many of the federal government\u2019s CI security functions in a large-scale reorganization of government and its mission that is still ongoing. 
Congress may consider transfer of certain infrastructure security-related functions to or from DHS as appropriate.\nScope of regulation: Congress may consider legislating compulsory compliance with security standards in cases where voluntary private-sector measures are deemed insufficient to protect national security, the economy, and public health or safety.\nAppropriateness of existing public-private partnership structures: CISA plans to maintain the current sector-specific public-private partnership structures as the preferred vehicle for information sharing and policy coordination. Congress may consider whether adjustment or replacement of these structures is needed to better align partnership efforts with the emerging federal emphasis on system-level resilience.\nEffectiveness of public-private partnerships: CISA and its predecessor organizations have not been able to provide reliable data indicating the reach and effectiveness of public-partnership programs in incentivizing efficient private investments in national-level (as opposed to enterprise-level) resilience. 
Congress may consider whether new or revised reporting requirements are necessary.", "type": "CRS Report", "typeId": "REPORTS", "active": true, "formats": [ { "format": "HTML", "encoding": "utf-8", "url": "https://www.crs.gov/Reports/R45809", "sha1": "ad8e4033f98386978ce78207ad39b2dea0fcebb2", "filename": "files/20190708_R45809_ad8e4033f98386978ce78207ad39b2dea0fcebb2.html", "images": { "/products/Getimages/?directory=R/html/R45809_files&id=/0.png": "files/20190708_R45809_images_1de8e148bd27cd9497e54933109f59b607faa712.png" } }, { "format": "PDF", "encoding": null, "url": "https://www.crs.gov/Reports/pdf/R45809", "sha1": "54416d7b2f43d41696e8e971832aea5fe96a9919", "filename": "files/20190708_R45809_54416d7b2f43d41696e8e971832aea5fe96a9919.pdf", "images": {} } ], "topics": [ { "source": "IBCList", "id": 4794, "name": "Science for Security" }, { "source": "IBCList", "id": 4884, "name": "Critical Infrastructure" } ] } ], "topics": [ "Economic Policy", "Intelligence and National Security", "National Defense", "Science and Technology Policy" ] }