Last week, the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) revised its “Memorandum on Identification of Essential Critical Infrastructure Workers During COVID-19 Response” to further stress that states and local governments would ultimately determine which sectors, functions, and workers would be considered critical and by adding three new sectors that the agency thinks could be considered essential.
First, CISA added the adjective “Advisory” to the title of the memorandum to further emphasize that the document is not meant as binding and that the agency is not directing state and local governments on how to categorize workers essential for critical infrastructure. CISA added this language as well:
This list is intended to help State, local, tribal and territorial officials as they work to protect their communities, while ensuring continuity of functions critical to public health and safety, as well as economic and national security. Decisions informed by this list should also take into consideration additional public health considerations based on the specific COVID-19-related concerns of particular jurisdictions.
CISA also included, in bold letters, the following:
This list is advisory in nature. It is not, nor should it be considered, a federal directive or standard. Additionally, this advisory list is not intended to be the exclusive list of critical infrastructure sectors, workers, and functions that should continue during the COVID-19 response across all jurisdictions. Individual jurisdictions should add or subtract essential workforce categories based on their own requirements and discretion.
In the first memorandum, In the attached cover letter to the memo, CISA Director Christopher Krebs explained
…this list is advisory in nature. It is not, nor should it be considered to be, a federal directive or standard in and of itself.
So, obviously the agency is hitting the point harder that the federal government is not in charge of determining which workers, sectors, and functions are to be considered critical. This would be of a piece with much of the Trump Administration’s response to COVID-19 in allowing states to determine, for example, whether to issue stay-at-home orders. And yet, there appears to be the risk that some sectors, functions, or workers may be categorized as essential in one jurisdiction, but not another, which carries risk that a sector CISA and the federal government would normally consider critical is not treated as such at the state level. And this could expose it to increased risk of a cyber-attack, among other dangers.
CISA continued in the cover letter of the new memorandum:
State, local, tribal, and territorial governments are responsible for implementing and executing response activities, including decisions about access and reentry, in their communities, while the Federal Government is in a supporting role. Officials should use their own judgment in issuing implementation directives and guidance. Similarly, while adhering to relevant public health guidance, critical infrastructure owners and operators are expected to use their own judgement on issues of the prioritization of business processes and workforce allocation to best ensure continuity of the essential goods and services they support. All decisions should appropriately balance public safety, the health and safety of the workforce, and the continued delivery of essential critical infrastructure services and functions. While this advisory list is meant to help public officials and employers identify essential work functions, it allows for the reality that some workers engaged in activity determined to be essential may be unable to perform those functions because of health-related concerns.
CISA expanded the types of workers and considerations for most of the sectors identified in the first memorandum, but added three new sectors: Commercial Facilities, Residential/Shelter Facilities And Services, and Hygiene Products And Services.