DHS Critical Infrastructure Workforce Guidance during Coronavirus Response

Key Takeaways

• DHS’s Cybersecurity and Infrastructure Security Agency (CISA) has issued guidance (not directives) to Critical Infrastructure providers to help them identify functions and workforces that should continue normal operations while following CDC workforce and customer protection guidance.
• Many Critical Infrastructure sectors such as IT, Communications and the Defense Industrial Base (DIB) are intertwined at various levels, so operational and workforce decisions in one sector can have implications for another.
• CI sector firms should leverage their established sector-specific plans (SSP) to help them mitigate risk and adapt during disruptions to normal operations.

CISA’s Role in U.S. Coronavirus Response

From early on the Cybersecurity and Infrastructure Security Agency (CISA) has been active in interagency and industry coordination efforts as part of the Department of Homeland Security’s (DHS) coronavirus response, working with critical infrastructure partners to prepare for possible disruptions to critical infrastructure that may stem from widespread illness and to help meet national priorities.

Critical Infrastructure Industries Workforce Guidance

To help minimize disruptions and aid in staffing decisions CISA recently issued guidance on identifying Critical Infrastructure (CI) workforce during the COVID-19 response efforts. The guidance is intended to help CI sector companies assess how to ensure continuity of functions and support decision-making on which functions should continue normal operations, i.e. which staff functions should keep working, “appropriately modified to account for Centers for Disease Control (CDC) workforce and customer protection guidance.”

Among the 16 CI sectors identifies by DHS, several that are especially relevant to the traditional federal contracting community include:

• Communications Sector – Presidential Policy Directive (PPD) 21 identified the Communications Sector as critical because it provides an “enabling function” across all critical infrastructure sectors and is integral to the U.S. economy, public safety and government. The Communications Sector-Specific Plan was updated in 2015.
• Information Technology (IT) Sector – The interdependent and interconnected providers of IT hardware, software, systems and services is critical as areas of our lives and national security are increasingly dependent upon the capabilities IT provides, including the Internet. Information Technology Sector-Specific Plan was updated in 2016.
• Defense Industrial Base (DIB) Sector – The worldwide industrial complex that meets U.S. military requirements through research and development, production and maintenance of military weapons systems, platforms and components. The Defense Industrial Base Sector-Specific Plan was updated in 2010.

Each of the sector-specific plans (SSP) detail how the National Infrastructure Protection Plan (NIPP) risk management framework is implemented within each of the industry sectors, including how government and private sector CI participants collaborate to manage risks and achieve security and resilience outcomes. CISA details all 16 critical infrastructure sectors in their guidance.

In the memo CISA stressed that “this list is advisory in nature. It is not, nor should it be considered to be, a federal directive or standard in and of itself.” (emphasis added) This underscores CISA’s advisory and facilitating role in helping ensure CI protections, rather than a regulatory role.

Implications

Like many industries, company leaders within CI sectors and in government support industries are grappling with how to keep their firms moving forward amidst government policies encouraging, and in some case mandating, remote operations. Further, the fluid and rapidly changing environment has many looking for credible information to help them make decisions that impact their workforce and balance priorities.

Another consideration is the integrated nature of many of these markets. Most of these CI sectors – especially Communications, DIB and IT – are intertwined and interdependent and multiple levels, so decisions across one sector can significantly influence and impact decisions and operations in the others.

Individual firms that have not already done so should consult with their relevant Sector Coordinating Councils (SCCs) and collaborate with sector-specific agencies (SSAs) to address specific concerns that will help them navigate and adjust to ongoing changes within their sector.