Cybersecurity and Infrastructure Security Agency Identifies Critical Infrastructure Sectors
Author
Bret S. Wacker
On March 16, 2020, the President issued “Guidelines for America” which outlined multiple steps that individuals and organizations should take to slow the spread of the coronavirus. The recent “stay at home” orders issued in California, New York, New Jersey, Michigan, and Illinois, as well as other business shutdown orders in other states, have created confusion among companies and employees as to whether full or even partial operations will continue in the near term. Even more important, these shutdown orders raise questions about maintaining essential services and supply chains. For this reason, the President’s Guidelines specifically referenced the Department of Homeland Security’s (“DHS”) list of “Critical Infrastructure Industries.”
Thereafter, on March 19, 2020, DHS’s Cybersecurity and Infrastructure Security Agency (“CISA”) issued a memorandum identifying an initial list of “Essential Critical Infrastructure Workers.” This action is part of CISA’s responsibilities under the Homeland Security Act of 2020 which was enacted following the 9/11 terrorist attacks. One purpose of the Act is to identify those industries (and their employees) who are determined to be essential to maintaining critical infrastructure. The List is intended to assist State and local officials in making decisions regarding “continuity of operations and incident response, including the appropriate movement of critical infrastructure workers within and between jurisdictions.” The List is only advisory in nature as reflected by the memorandum’s recognition that “State, local, tribal, and territorial governments are ultimately in charge of implementing and executing response activities in communities under their jurisdiction, while the Federal Government is in a supporting role.” But as the President’s Guidance states: "If you work in a critical infrastructure industry, as defined by the Department of Homeland Security, you have a special responsibility to maintain your normal work schedule."
Specifically, with respect to the response to the COVID-19 pandemic, the CISA Memorandum identifies 14 critical infrastructure sectors:
- Healthcare/Public Health,
- Law Enforcement, Public Safety, First Responders,
- Food and Agriculture,
- Energy,
- Water and Wastewater,
- Transportation and Logistics,
- Public Works,
- Communications and Information Technology,
- Critical Manufacturing,
- Hazardous Materials,
- Financial Services,
- Chemical Defense,
- Industrial Base, and
- Other Community-Based Government Operations and Essential Functions.
The CISA memorandum outlines which workers in these sectors are considered essential to the continuity of operations, e.g., within the Critical Manufacturing Sector, the List identifies “workers necessary for the manufacturing of materials and products needed for medical supply chains” as being essential.
On March 20, 2020, Ellen Lord, the Under Secretary of Defense for Acquisition and Sustainment, issued a follow-on memorandum regarding the Defense Industrial Base (“DIB”) sector identified in the CISA memorandum. The DIB is defined as “the worldwide industrial complex that enables research and development as well as design, production, delivery, and maintenance of military weapons systems/software systems, subsystems, and components or parts, as well as purchased services to meet U.S. Military requirements.” Under Secretary Lord’s memorandum informs contractors and subcontractors that their work is considered Essential Critical Infrastructure if they have contracts or subcontracts supporting the development, production, testing, fielding, or sustainment of weapon systems/software systems (or the infrastructure to support these activities), or if they have contracts or subcontracts which support manning, training, equipping, deploying, or supporting military forces, their work is considered Essential Critical Infrastructure. Tasks such as providing office supplies, recreational support, or lawn care are not considered part of the Essential Critical Infrastructure Workforce. Companies with contracts meeting the Essential Critical Infrastructure Workforce definition are expected to maintain their normal work schedules, although those schedules should be consistent with CDC guidelines regarding social distancing and quarantining, including the use of telework where possible without endangering work performance.
Undoubtedly, there will be questions whether a particular company or contract falls within the CISA and DOD definitions. We are advising clients to undertake a case by case assessment of their contracts, particularly those clients who may be considered part of the DIB. Close coordination with contracting officers and higher tier contractors is essential. We are also advising that DIB clients familiarize themselves with the relevant FAR Changes, Disputes, and Excusable Delay clauses in their contracts and subcontracts. These clauses have notice provisions with time deadlines. Failure to provide timely notice could risk otherwise appropriate performance relief and possible compensation. We can provide specific advice regarding a client’s individual circumstance upon request.