NSF and CISA: Protecting the World’s Critical Infrastructure
At first glance, NSF, the global product testing, inspection and certification organization founded in 1944 and headquartered in Ann Arbor, Michigan, and the Cybersecurity and Infrastructure Security Agency, commonly known as CISA, based in Washington, D.C. and launched in 2018, would not appear to have a lot in common.
But take a closer look, and you see five key focus areas that overlap. The common ground is apparent in the critical sectors of water, food, manufacturing, healthcare and chemicals. This overlap may seem surprising, but it makes sense when you consider the histories and missions of the two organizations.
President and CEO Pedro Sancha describes the work of NSF like this: “We see how critical it is for societies to have independent, science-based testing, inspection and certification organizations such as NSF. With our world-class expertise in food safety, water quality, health sciences and sustainability, NSF is uniquely positioned to fulfill its mission of protecting and improving human health and the environment on a global scale.”
CISA’s work involves joining with other agencies, departments and private-sector partners to protect 16 critical infrastructure sectors within the U.S.: chemical facilities, commercial facilities, communications, manufacturing, dams, the defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, healthcare and public health, information technology, nuclear reactors, transportation systems, and water systems.
There’s no question that CISA covers a lot of ground. Chief Executive Jen Easterly acknowledged as much when she took over leadership of the organization in July 2021: “I look forward to building on the excellent work of my predecessors to continue evolving the strategy, workforce and culture of CISA to be the world’s premier cyber and infrastructure defense agency and to achieve our vision of a secure and resilient infrastructure for the American people.”
How does CISA define the critical infrastructure sectors it’s responsible for protecting? They are designated as sectors that are considered “so vital to the U.S. that their incapacitation or destruction would have a debilitating effect on security, the nation’s economy and national public health and safety.” That’s classic bureaucratic jargon for the most critical parts of the country’s security, economic, and health and safety infrastructure.
An element often overlooked in critical infrastructure work is the importance of strong partnerships across the private and public sectors, especially given that much of this infrastructure is owned by private companies yet often regulated by federal, state or municipal government agencies. City-owned water systems, meanwhile, rely on private-sector vendors for equipment, critical operations, and IT software. These partnerships are essential to secure operations.
Admittedly, this is all big-picture stuff, and it may seem far removed from day-to-day life. But consider what can happen when food testing of an essential agricultural product, like wheat, is impacted because war has broken out in Eastern Europe, and the bread your children love is no longer on your store’s shelf. Or imagine the conversation between your city’s water system administrator and her IT manager as they figure out how to respond to the ransomware demand they just received.
That’s when it gets much more real and closer to home. Barry Yuan, Security Technical Solutions Architect at tech firm Cisco, poses an important question that applies to critical infrastructure: “What have we learned from all these ransomware incidents? Many businesses and organizations didn't realize how critical their systems and data were. Because it’s like tap water, right? You take it for granted. Until it stops flowing.”