Full Report
The National Security Commission on Emerging Biotechnology (NSCEB) delivered its major report and action plan to Congress. One... The post NSCEB reports need for urgent legislative fix to classify biotechnology under critical infrastructure, urges DHS to act appeared first on Industrial Cyber.
Analysis Summary
# Regulation/Compliance: Designation of Biotechnology Infrastructure as Critical Infrastructure
## Overview
This summary outlines recommendations from the National Security Commission on Emerging Biotechnology (NSCEB) report, transmitted to Congress, which mandates the Department of Homeland Security (DHS) to formally recognize biotechnology infrastructure and sensitive biological data (including genomic and biometric data) as part of the nation's Critical Infrastructure (CI). This is deemed necessary due to increasing targeting by malicious actors and the current fragmented approach to protection across existing CI sectors.
## Key Details
- Issuing Authority: National Security Commission on Emerging Biotechnology (NSCEB), directed to Congress.
- Effective Date: Pending Congressional action and subsequent DHS Directive.
- Jurisdiction: United States Federal oversight, impacting organizations handling biotechnology infrastructure and sensitive biological data.
- Status: Recommended/Action Plan Phase.
## Requirements
### Mandatory Requirements (If enacted by Congress)
1. **Congressional Directive to DHS:** Congress must direct DHS to ensure biotechnology infrastructure and data are covered under existing Critical Infrastructure Sectors.
2. **DHS Work Plan Submission:** DHS must submit a work plan to Congress within **45 days** of the directive being passed into law.
3. **Inclusion of Stakeholders:** DHS must incorporate a preliminary list of biotechnology infrastructure stakeholders (e.g., BIO-ISAC) into its work plan.
4. **Amend CISA Act:** Congress should amend the Cybersecurity and Infrastructure Security Agency Act of 2018 to specifically categorize genetic data systems involving genomic sequences and sensitive biometric data as Critical Infrastructure.
5. **CISA Protocol Development:** CISA, in collaboration with biotechnology stakeholders and biosecurity agencies, must develop security protocols for genetic data, including joint exercises and data sharing.
6. **Federal Training:** Implement training for federal personnel on protecting genetic/biometric data, covering security, ethical considerations, and unique challenges.
7. **Strategy Integration:** Incorporate genetic and biometric data security into the national cybersecurity strategy for ongoing adaptation to new threats.
### Recommended Practices (As per NSCEB)
1. **Outreach Plan:** DHS must develop an outreach plan to inform stakeholders of their inclusion under applicable CI sectors and clarify which sectors apply.
2. **Representation:** Ensure biotechnology stakeholders are appropriately represented in relevant consortia and Sector Coordinating Councils (SCCs).
3. **NIPP Update Roadmap:** Develop a roadmap to update the National Infrastructure Protection Plan (NIPP) by **2026** with direct input from the biotechnology community.
4. **Synchronization:** Coordinate security concerns between entities handling genetic data and those that convert this data into physical genetic sequences (biosecurity alignment).
## Affected Organizations
- Industries: Biotechnology sector, Health, Agriculture, Chemicals, Critical Manufacturing, Defense Industrial Base, Energy, Food and Agriculture, Healthcare and Public Health (sectors through which biotechnology operations span).
- Organization Size: Applicable to all entities within the scope of the identified infrastructure and data handling.
- Geographic Scope: United States, overseen by Federal agencies (DHS, CISA).
## Compliance Timeline
- **T + 45 Days (Post-Legislation):** DHS must submit an initial execution work plan for coverage under existing sectors.
- **By 2026:** Roadmap completion for updating the National Infrastructure Protection Plan (NIPP) with biotechnology input.
- **< 1 Year (Post-Legislation):** Estimated completion timeline for the initial DHS execution utilizing the work plan.
- **No Later than 2 years (Post-NIPP Update):** DHS must conduct a follow-up evaluation and report findings to Congress regarding any uncovered critical biotechnology areas.
## Implementation Guidance
### Assessment Phase
- **Identify Overlap:** Determine which existing CI sectors (PPD-21 sectors) currently cover aspects of the organization's physical infrastructure or data processing.
- **Data Inventory:** Inventory all handling and storage of sensitive biological data, genomic sequences, and other biometric data to assess current protection levels against known vulnerabilities, referencing existing standards like NIST genomic frameworks.
### Implementation Phase
- **Engage with DHS/CISA:** Actively participate in stakeholder engagement, consortia, and SCCs as directed by DHS to ensure accurate sectoral mapping.
- **Protocol Adoption:** Develop and implement security protocols for genetic data in collaboration with biosecurity counterparts, ensuring alignment with any evolving CISA requirements.
- **Staff Augmentation/Training:** Increase CISA staffing (if the legislative mandate passes) or ensure internal staff receives specialized training on genetic/biometric data security and ethical considerations.
### Validation Phase
- **Follow-up Evaluation Review:** Prepare documentation for the mandated DHS follow-up evaluation to demonstrate how the organization’s infrastructure and data fit within the newly clarified CI landscape.
- **Joint Exercises:** Participate in planned joint exercises developed by CISA and stakeholders to test security and data sharing protocols.
## Technical Requirements
1. **Genetic Data System Security:** Explicit requirements for securing genetic data systems involving genomic sequences and sensitive biometric data (mandated amendment to CISA Act).
2. **Data Sharing Mechanisms:** Establishment of secure mechanisms for data sharing between CISA and biotechnology stakeholders.
3. **Biosecurity Synchronization:** Technical coordination to ensure security measures bridge the gap between digital genetic data and systems converting data into physical genetic sequences.
## Penalties & Enforcement
- Fines: Not explicitly detailed, but organizational non-compliance with new mandates under DHS/CISA authority would likely incur penalties associated with failure to adhere to Critical Infrastructure security directives.
- Other Consequences: Increased scrutiny from federal regulators; potential regulatory action if sensitive national security data (biological/genomic) is compromised due to non-adherence.
- Enforcement: Enforcement will primarily fall under the purview of DHS and CISA, utilizing existing CI oversight mechanisms once the recommendations are formalized into law.
## Related Standards
- **Presidential Policy Directive (PPD) 21 (2013):** Forms the basis for the 16 existing CI sectors that biotechnology must map onto.
- **NIST Framework for Genomic Cybersecurity:** Mentioned as a current, but insufficient ("piecemeal"), existing effort.
- **National Institute of Health (NIH) Genomic Data Sharing Policy:** Noted as an existing policy touching upon sensitive data.
## Resources
- Official Documentation: NSCEB Final Report: ‘Charting the Future of Biotechnology: An action plan for American security and prosperity’ (link assumed to be available via official government sources).
- Guidance Documents: DHS/CISA forthcoming sector inclusion guidance, stakeholder outreach materials.
- Tools: Participation in the Bioeconomy Information Sharing and Analysis Center (BIO-ISAC) activities.
## Practical Recommendations
1. **Advocacy/Lobbying:** Organizations should monitor Congressional action closely, as the effective implementation relies entirely on the passage of legislation directing DHS.
2. **Internal Data Mapping:** Immediately begin internal mapping of all genomic/biometric data processing flows to identify ownership and vulnerability, cross-referencing against existing sector participation (e.g., Health/Ag).
3. **Stakeholder Liaison:** Designate a liaison now to prepare for active participation in the BIO-ISAC and subsequent Sector Coordinating Councils to influence the NIPP revision and protocol development process.
4. **Budget for Training:** Anticipate and budget for specialized security training tailored to biological and sensitive data unique challenges, as required training for federal personnel may also drive private sector best practices.