Cybersecurity rules are needed for critical infrastructure. This includes everything from water systems to air transportation. The rules are specific to each sector

The Biden Administration expects owners and operators of critical infrastructure sectors to take greater responsibility for strengthening US cybersecurity, even beyond their own platforms. The Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) requires critical infrastructure operators to report

 certain incidents to federal government agencies, while the Cyber Security and Infrastructure Security Agency (CISA) has released a set of Cyber Performance Goals that set a security baseline for critical infrastructure operators. The Environmental Protection Agency (EPA) and the Transportation Security Administration (TSA) have published mandates for improving the cybersecurity of public water and aviation systems, respectively. The EPA requires states to evaluate the cybersecurity of public water systems, while the TSA's cybersecurity amendment focuses on performance-based requirements, such as enhancing security and preventing unauthorized access to critical systems and data. Both measures promote the Biden Administration's commitment to defending critical infrastructure and drive security and resilience. These measures focus on identifying desired cybersecurity outcomes and competencies, which can be achieved using a range of frameworks, and they are distinct from compliance-based approaches.