"the Memo doesn't discuss whether critical infrastructure operators need to be compelled to act"
Actually, the briefing doesn't discuss very much at all. It's at best a kind of call to action. But we've had calls to action by the dozen over the last few decades, despite which the global cyber security position has got worse instead of improving. This seems to confirm that (as was pointed out in 2016 in response to Obama's call to action) a new approach may be necessary - continuing to do what hasn't helped much for 40 years is unlikely to solve the problem.