Dear Boards of Directors, Chief Executive Officers, Chief Information Officers, and Chief Information Security Officers:
The purpose of this letter is to provide you with guidance for identifying essential critical infrastructure workers during the COVID-19 pandemic. The Department of the Treasury and the Department of Homeland Security have issued guidance consistent with President Trump’s Coronavirus Guidance for America (opens new window) issued on March 16, 2020, that states, “if you work in a critical infrastructure industry, as defined by the Department of Homeland Security, such as healthcare services and pharmaceutical and food supply, you have a special responsibility to maintain your normal work schedule.”
The Memorandum for Financial Services Sector (opens new window) dated March 22, 2020, from the Secretary of the Treasury provides guidance to state and local officials as they work to protect their communities while ensuring continuity of critical functions to public health and safety, as well as economic and national security. The Memorandum on Identification of Essential Critical Infrastructure Workers During COVID-19 Response (opens new window) dated March 19, 2020, from the DHS Director of the Cybersecurity and Critical Infrastructure Agency was issued to assist organizations and businesses with the identification of essential workers to ensure the security and resilience of the nation’s critical infrastructure. For the financial services and information technology sectors, CISA identified the following essential critical infrastructure workers:
- Workers who are needed to process and maintain systems for processing financial transactions and services (e.g., payment, clearing, and settlement; wholesale funding; insurance services; and capital markets activities)
- Workers who are needed to provide consumer access to banking and lending services, including ATMs, and to move currency and payments (e.g., armored cash carriers)
- Workers who support financial operations, such as those staffing data and security operations centers
- Workers who support command centers, including, but not limited to Network Operations Command Center, Broadcast Operations Control Center and Security Operations Command Center
- Data center operators, including system administrators, HVAC & electrical engineers, security personnel, IT managers, data transfer solutions engineers, software and hardware engineers, and database administrators
- Client service centers, field engineers, and other technicians supporting critical infrastructure, as well as manufacturers and supply chain vendors that provide hardware and software, and information technology equipment (to include microelectronics and semiconductors) for critical infrastructure
- Workers responding to cyber incidents involving critical infrastructure, including medical facilities, State, local, tribal and territorial governments and federal facilities, energy and utilities, and banks and financial institutions, and other critical infrastructure categories and personnel
- Workers supporting the provision of essential global, national and local infrastructure for computing services (incl. cloud computing services), business infrastructure, web-based services, and critical manufacturing
- Workers supporting communications systems and information technology used by law enforcement, public safety, medical, energy and other critical industries
- Support required for continuity of services, including janitorial/cleaning personnel
The NCUA has also posted a link for DHS Cybersecurity and Infrastructure Security Agency COVID-19 updates on our “Other COVID-19 Resources” page https://www.ncua.gov/coronavirus.
If you have any questions about these issues, please contact the NCUA’s Office of Examination & Insurance at firstname.lastname@example.org, your regional office, or your state supervisory authority.
Rodney E. Hood