United States President Joe Biden issued a 17-page National Security Memorandum (NSM) yesterday containing new cybersecurity requirements for national security systems (NSS). The memo’s purpose is to ensure that these more sensitive systems employ the same or more stringent cybersecurity measures spelled out for federal civilian systems in Biden’s comprehensive cybersecurity executive order issued in May 2021.
National security systems are information systems, including telecommunication systems, that involve intelligence or cryptologic activities related to national security, command and control of military forces, weapons systems, other activity critical to the direct fulfillment of military or intelligence missions, and classified information related to national defense or foreign policy. This latest effort to boost cybersecurity follows the order issued last May and an NSM for critical infrastructure owners, a directive to bolster pipeline cybersecurity, and several other actions by the administration to prioritize cybersecurity following a year of growing threats and attacks.
Memo address four areas of security
The NSM addresses four primary areas of security enhancements:
Cyber hygiene and protective measures: Consistent with the May executive order, the latest NSM establishes timelines and guidance for how these cybersecurity requirements will be implemented, including multifactor authentication, encryption, cloud technologies (including zero-trust architecture), and endpoint detection services. The memo lays out a series of deadlines to implement these requirements that range from 30 days from the date of the NSM to 120 days.
Cyber incident reporting: To promote greater visibility into cybersecurity incidents that occur on NSS systems, the NSM also requires agencies to identify their national security systems and report cyber incidents that occur on them to the National Security Agency (NSA), which by the prior policy is the “national manager” for the U.S. government’s classified systems. In coordination with the Director of National Intelligence and the Director of the Central Intelligence Agency, the NSA has 90 days from the date of the NSM to establish procedures for reporting known or suspected compromises of NSS or otherwise unauthorized access of NSS.
Binding operational directives: The memo further requires the NSA to create binding operational directives requiring agencies to take specific actions against known or suspected cybersecurity threats and vulnerabilities. NSA has 30 days from the date of the NSM to coordinate with the Secretary of Defense and the Director of National Intelligence and establish procedures governing the circumstances under which a directive may be issued.
Cross-domain solutions inventories: Finally, the NSM requires agencies to inventory their cross-domain solutions (CDS), which are tools that transfer data between classified and unclassified systems, and directs NSA to establish security standards and testing requirements to protect these critical systems better. In coordination with the CIO of the Intelligence Community in the office of the ODNI, NSA has 60 days to issue a directive to all agencies operating a CDS connected to NSS to make available information regarding those deployments to establish timelines for the collection and receipt of this information.
It’s noteworthy that the NSM also provides for exceptions from its requirements. Agency heads may relax the requirements “whenever the head of an agency determines that unique mission needs necessitate any NSS or category of NSS to be excepted.” This exception applies to specific categories of systems, including those that support military intelligence or sensitive law enforcement activities and systems or software procured for vulnerability research, testing, or evaluation purposes.
The memo garners an initial positive reaction
The initial reaction to the memo was positive. “We stand ready to fulfill our role, and our responsibility, in securing our nation against foreign malicious actors, and any efforts to exploit our national security systems,” General Paul M. Nakasone, commander, U.S. Cyber Command and director, NSA/Chief, Central Security Service, said.
“I applaud President Biden for signing this order to improve our nation’s cybersecurity,” Senator Mark Warner, (D-VA) chair of the Senate Select Committee on Intelligence and co-chair of the Senate Cybersecurity Caucus, said. “Among other priorities, this National Security Memorandum (NSM) requires federal agencies to report efforts to breach their systems by cyber criminals and state-sponsored hackers. Now it’s time for Congress to act by passing our bipartisan legislation that would require critical infrastructure owners and operators to report such cyber intrusions within 72 hours.”
“This new memo makes a lot of sense,” Bill Crowell, former deputy director of the NSA and advisory board member at LookingGlass Cyber Solutions, tells CSO. “The authority given to the NSA to issue binding operational directives for national security systems is important, and I believe that’s the right place for this authority.”
LookingGlass CEO Gilman Louie tells CSO, “The memo has good requirements on basic cyber hygiene. This is baseline what the DOD and IC should be doing for cyber defense.”
“These measures, particularly mandating the use of zero trust principles and endpoint detection and response (EDR) technologies, are sensible and timely,” Drew Bagley, vice president and counsel for privacy and cyber policy at CrowdStrike, tells CSO. “If adopted, these [requirements] should ensure that defense and national security systems are at least as well-defended as their civilian counterparts by leveraging emerging technologies already widely embraced within the industry.”
Chris Jacob, global vice president, threat intelligence engineering at ThreatQuotient, tells CSO that he applauds the administration’s efforts to shore up cybersecurity practices across the federal government. “While the specific agencies addressed have long been known for having decent cybersecurity policies, a binding directive ensures the ability to enforce a set of standards for all agencies.”
“President Biden’s national security memorandum is one of the biggest directives taken to date to secure our nation’s critical systems,” W. Curtis Preston, chief technical evangelist, Druva, said in a statement. “A requirement for federal agencies to more widely deploy cloud technologies will greatly assist in strengthening our nation’s defenses and can immediately help minimize the impact of ever-increasing cyber-attacks. These government-led initiatives are essential if we are going to drive change and ensure resilience for all.”