
Policy Deep Dive: Critical Infrastructure
In this special policy series, the Caveat team is taking a deep dive into key topic areas that are likely to generate notable conversations and political actions throughout the next administration. This limited monthly series focuses on different policy topic areas to provide you with our analysis of how this issue is currently being addressed, how existing policies may change, and to provide thought-provoking insights.
For this month's conversation, we’re focusing on Critical Infrastructure Policy. Over the past twenty-five years, the federal government has continued to expand its role and responsibilities in securing critical infrastructure and increasing resilience. However, under a new administration, this role and these associated responsibilities are seeing significant changes.
To listen to the full conversation, head over to the Caveat Podcast for additional compelling insights.
Key insights.
- The Growth of Federal Roles. Since 2010, the federal government has continued to expand its responsibilities in securing critical infrastructure.
- Supply Chains and Semiconductors. Since COVID, the federal government’s role evolved as it pivoted to focus on securing supply chains and key sectors.
- Reducing Responsibility. With a new administration, the role of CISA and who bears the responsibility of securing infrastructure are rapidly changing.
Critical infrastructure management.
Previously, the United States (US) federal government steadily expanded its critical infrastructure management role; however, President Trump’s new policies are bringing notable changes.
Over the past decade, the US’s critical infrastructure policy has undergone a steady transformation. What started as a fragmented, reactive system has gradually shifted toward greater federal oversight, which was largely driven by the growing complexity and severity of both physical and cybersecurity threats to each essential sector.
This centralization did not happen overnight. Rather, it evolved incrementally across multiple administrations, each expanding the federal government’s role. These changes included reshaping agency responsibilities, increasing regulatory requirements, and fostering a collaborative private-public partnership. Now, under the second Trump administration, that trajectory is shifting.
While the new administration has stated its policy shift aims to create a more agile and resilient infrastructure system, these changes are beginning to erode key components of long-established federal policy. However, before evaluating the implications of this shift, it is essential to understand how the modern framework for critical infrastructure management emerged.
Thinking Ahead:
What could be the potential impacts of de-federalizing critical infrastructure management?
Centralizing a disjointed system.
With each administration, the federal government has continued to expand its role in helping manage critical infrastructure.
As the federal government has expanded its role in critical infrastructure, a recurring theme has centered around consolidating agency responsibilities and fostering public-private partnerships across critical infrastructure sectors. While each administration has tackled these challenges differently, each has continued to build off the success of the previous administration regardless of political affiliation.
Stepping back and viewing these policies broadly, a clear pattern forms where the US transformed its management system from a largely decentralized, laissez-faire system, to one where the federal government has now become a central authority for infrastructure security. The foundations laid by both the Obama administration and the first Trump administration were instrumental in creating this oversight system.
Regarding former President Obama, three core policies defined his critical infrastructure agenda. These policies were:
- The 2013 Presidential Policy Directive 21 (PPD-21)
- The creation of the NIST Cybersecurity Framework in 2014
- The 2015 Cybersecurity Information Sharing Act
To begin with PPD-21, this policy established the national strategy for critical infrastructure security and resilience. This directive modernized national security for critical infrastructure by formally designating sixteen critical infrastructure sectors and assigning federal agencies to oversee them. PPD-21 emphasized a more integrated approach to managing physical and cybersecurity risks, strengthened public-private collaborations, and reinforced the role of the National Infrastructure Protection Plan (NIPP). This directive served as the foundation for subsequent developments like the NIST Cybersecurity Framework and laid the groundwork for a more centralized and strategic federal authority.
Regarding the NIST Cybersecurity Framework, this tool has been invaluable. Widely adopted across critical infrastructure sectors and government agencies, this framework bridged the gap between business operations and cybersecurity, helping private enterprises understand, manage, and reduce cyber risks. The risk-based approach was instrumental in allowing critical infrastructure entities to tailor their defense approaches to their specific contexts, resources, and threat environments.
Lastly, coupling the foundations of PPD-21 with the nationwide commonality established by the NIST framework, the 2015 Cybersecurity Information Sharing Act rounded out the Obama administration’s efforts. With this law, the federal government streamlined threat intelligence sharing and established liability protection for companies that participated in these programs. By providing liability protection, the federal government opened the doors to threat intelligence sharing efforts, the value of which cannot be overstated.
Scott Algeier, the executive director of Information Technology at ISAC, commented on the significance of this law, stating that “it provides a really strong legal framework for the sharing of threat intelligence, both within the industry and industry to government.”
Matthew Eggers, the vice president of cybersecurity policy in the US Chamber of Commerce’s cyber, intelligence, and security division, also commented on the importance of this law. Eggers noted how this law’s “protections are absolutely necessary to really achieve the kind of sharing and receiving of cyber threat information that benefits not only the business that’s doing the sharing and receiving, but industry partners and the government.”
With these foundational policies established, the first Trump administration only continued to build upon these successes with the establishment of the Cybersecurity and Infrastructure Security Agency (CISA) in 2018. By signing the Cybersecurity and Infrastructure Security Agency Act, President Trump centralized critical infrastructure management under one agency, whereas traditionally these responsibilities had been spread across the Department of Homeland Security. Moreover, by designating CISA as the primary and central authority, this law further cemented many of the private-public partnerships, improved threat intelligence sharing efforts, and created faster incident response times. Some notable programs launched under CISA include:
- Multi-State Information Sharing and Analysis Center: Serves as the central cybersecurity hub for government agencies and critical infrastructure providers, offering alerts, advisories, and coordination tools.
- Joint Cyber Defense Collaborative: Unifies cyber defense capabilities from government, industry, and international organizations to respond to threats collectively.
- Supply Chain Risk Management Program (SCRM): A public-private partnership program that identifies risks and develops mitigation solutions to improve supply chain resilience.
While these three programs represent just a fraction of CISA’s broader efforts, they have played a pivotal role in advancing critical infrastructure security.
Building on the foundations laid by both the Obama and first Trump administrations, former President Biden significantly expanded upon and operationalized this security framework.
Thinking Ahead:
What are some of the large impacts that emerged from this centralized approach?
Securing supply chains.
Under former President Biden, expanding critical infrastructure management became a core strategy in the wake of COVID-19.
In the wake of COVID-19, it became self-evident that the nation’s supply chains represented a glaring vulnerability within the broader critical infrastructure landscape. Surveys, conducted by Ernst & Young LLP in both 2020 and 2022, noted how senior supply chain executives pivoted their strategies after the pandemic to become more resilient, sustainable, and collaborative. However, the Biden administration chose not to leave this transformation solely to private enterprises. Instead, using the foundations laid by previous administrations, the federal government took an active role in shaping these strategic realignments.
With the new critical infrastructure security systems created under the previous administrations, former President Biden expanded and operationalized federal capabilities to address long-standing vulnerabilities, particularly in supply chain security and domestic semiconductor manufacturing. The former Biden administration pursued several landmark policies to advance these goals, including:
- Executive Order 14017 (America’s Supply Chains): Mandated a comprehensive review of critical supply chains and infrastructure sectors, resulting in recommendations for diversification, greater transparency, and domestic production.
- Cyber Incident Reporting for Critical Infrastructure Act 2022: Required CISA to establish new mandatory incident reporting regulations in critical infrastructure sectors, aiming to improve response efforts, intelligence sharing, and transparency.
- 2023 National Cyber Strategy: Marked a significant shift from voluntary guidelines to mandatory cybersecurity requirements, directing agencies to implement sector-specific cybersecurity regulations and standards.
Collectively, these policies marked a significant expansion in the federal government's role. Whereas prior administrations focused on voluntary participation and incentivization, these new policies centered around mandatory requirements and direct federal intervention.
Beyond setting new standards, these policies also aimed to expand CISA’s role. In former President Biden’s National Cyber Strategy, his administration reaffirmed CISA’s role as the national coordinator for critical infrastructure defense. Moreover, the strategy emphasized deepening public-private relationships and tasked CISA with developing sector-specific cybersecurity performance goals.
Complementing these security initiatives, the former Biden administration also stressed the importance of shoring up supply chains. The 2022 CHIPS and Science Act allocated more than $50 billion to boost domestic semiconductor manufacturing and research capabilities. This legislation aimed to reduce reliance on foreign-made production, which created a key vulnerability across multiple critical sectors. With this funding, former President Biden partnered with major chipmaking firms, such as Intel and TSMC, to establish new fabrication facilities and improve supply chain infrastructure.
Through these combined policies, former President Biden further expanded and entrenched the federal government’s role in securing critical infrastructure. Instead of voluntary recommendations and partnerships, the federal government became an active driver of regulation, investment, and sector-specific security mandates. However, with a new administration come new policies, many of which are pivoting the US’s critical infrastructure focus.
Thinking Ahead:
How will this new focus area evolve over the next administration?
Redefining Infrastructure Management.
Under President Trump, the federal government’s role has already begun to change.
With the second Trump administration, the trajectory of US critical infrastructure policy has shifted. While the new administration is still in its early days, emerging patterns reflect a clear movement toward decentralization. The two most significant developments in this shift include a renewed emphasis on state and local preparedness and a deliberate reduction in the role and capacity of CISA.
In March, President Trump signed Executive Order 14239, known as Achieving Efficiency Through State and Local Preparedness. This order marks a fundamental shift in how infrastructure resilience is approached. Alongside reviewing numerous long-standing resilience policies, this new order aims to place the responsibility for response efforts on state and local officials. When announcing this order, the administration asserted that by empowering state, local, and individual preparers, citizens become “immediate beneficiaries of sound local decisions and investments designed to address risks.”
Central to this policy is the belief that the federally centralized model has become inefficient and misaligned with local needs. The administration advocates for a risk-informed approach that moves “beyond information sharing to action.”
In parallel with this ideological pivot, the Trump administration has also begun scaling back CISA’s operating capacity. Whereas former President Biden aimed to make CISA the de facto agency for critical infrastructure security, the Trump administration is pursuing the opposite. The proposed 17% budget cut for CISA in the FY2026 federal budget is one such indicator. Additionally, reports indicated plans to cut approximately 1,300 full-time staff positions and 40% of CISA’s contractors.
Taken together, these actions represent a significant reversal of course. The move away from federal coordination toward localized control reflects a broader philosophical shift, one that challenges the foundational assumptions of past bipartisan infrastructure security strategies.
A pivotal test of this new agenda will involve the future of the 2015 Cybersecurity Information Sharing Act. While widely regarded as a cornerstone of federal infrastructure security policy, the bill is up for renewal. Whether President Trump chooses to push for the bill’s renewal or revision, or to allow its lapse, will serve as a key indicator of how his administration intends to pursue this decentralization strategy, and what kind of role the federal government will play in the nation’s infrastructure future.
Thinking Ahead:
What are the potential impacts this pivot will have on national resiliency?
Diverting pathways.
For two decades, the US’s critical infrastructure policy has continued to expand and is now seeing a notable pivot.
US infrastructure policy has evolved over the years from a fragmented, reactive framework into a coordinated national effort rooted in federal oversight and public-private collaboration. Since the Obama administration, each successive administration has contributed to this evolution by modernizing cybersecurity policy, streamlining intelligence sharing, and expanding the federal government’s operational role through CISA.
Now, under President Trump’s second administration, the future of critical infrastructure policy remains uncertain. The emerging shift toward decentralization represents not only a break from recent precedent but a rethinking of the federal government’s role in safeguarding essential infrastructure.
This reversal raises critical questions: How far will this shift go? What will be the cost and consequences of these shifts? Will states and localities have the capacity to manage these responsibilities independently?
While these questions remain unanswered, what is evident is that the direction set by the Trump administration will redefine the resilience, security, and adaptability of US infrastructure for years.
Thinking Ahead:
What will be the most immediate impact of these policy changes?