From the Expert: Critical Infrastructure Sector Guidance versus Sector Cybersecurity Implementation Guidance

November 19, 2025

In our From the Expert blog series, we feature leading voices from Capitol Tech's network of thought leaders contributing their fresh insights, groundbreaking ideas, and real-world experience. From innovative research to practical applications, their unique perspectives on today’s most exciting scientific and technological discoveries bring us to the frontiers of discovery and inspire us to imagine the future. 



Critical Infrastructure Sector Guidance versus Sector Cybersecurity Implementation Guidance 

by Dr. Ron Martin, CPP

According to the Cybersecurity and Infrastructure Security Agency (CISA), there are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof. A list of these sectors, along with their corresponding sector guides, can be accessed on the CISA website.

Presidential Policy Directive 21 (PPD-21): Critical Infrastructure Security and Resilience advances a national policy to strengthen and maintain secure, functioning, and resilient critical infrastructure. This directive supersedes Homeland Security Presidential Directive 7. 

The current CISA Critical Sector Guides were developed using the 2013 National Infrastructure Protection Plan (NIPP). The NIPP, as well as the sector plans, requires revision. Until then, we must use the concepts in the NIPP and its sector plans to develop plans for organizational security postures. You can review the 2013 NIPP and resources on the CISA website. These resources provide current information that critical infrastructure stakeholders can use to improve their overall security postures. The NIPP document is located on the NIST website.

CISA and the National Institute of Standards and Technology (NIST) collaborated to guide the implementation of the Cybersecurity Framework (CSF) 1.1 across many of the 16 sectors. CSF 1.1 was released in 2014. Therefore, the implementation guides were developed between 2015 and 2020 and can be accessed on the NIST website.

These organizations also leveraged non-federal entities to guide this implementation in some sectors. NIST provided a summary of the federal and non-federal resources.   

NIST recently released CSF 2.0. This is an important rewrite that will enhance any organization that implements its attributes. You can access CSF 2.0 on the NIST Project Page.

In my research on critical infrastructure, I have not found any integration of the combined guidance areas. Therefore, as part of this critical infrastructure capstone course, I challenged our graduate students to develop and present a project report on this integration. As graduates of Capitol's Master of Science program, they will contribute an important project report that supports the practice of critical infrastructure and cybersecurity protection.

Dr. Ron Martin

Professor of Practice, CPP, CPOI

Dr. Ron Martin is a Professor of Practice at Capitol Technology University, specializing in the functional areas of Critical Infrastructure, Industrial Control System Security, and Identity, Credential, and Access Management. Dr. Martin maintains professional relationships with a diverse mix of businesses. He serves on the board of directors for many profit and nonprofit organizations, such as the International Foundation for Protection Officers (IFPO), and the Institute of Electrical and Electronics Engineers (IEEE) P2887 - Zero Trust Security Working Group (ZTSWG) as Vice Chair. He is a voting member of the U.S. Technical Advisory Group to the International Standards Organization (ISO), which works to develop and articulate the U.S. position by ensuring public and private sector stakeholder involvement. He is also a member of the Cloud Security Alliance Zero-Trust/Software Defined Perimeter Expert’s Working Group and the Security Industry Association Standards Committee. Recently, he has been designated by the U.S. Department of State as a Fulbright Specialist.
