A new National Security Memorandum, signed Wednesday by President Joe Biden, aims to better secure the information systems that store and process classified data, which exist across various federal agencies.
The National Security Memorandum - a type of directive used to promote presidential decisions on national security matters - builds on objectives put in place by Biden’s cybersecurity Executive Order last year by specifying how various security provisions in the EO apply to national security systems. A large portion of the memo tasks the National Security Agency (NSA) with overseeing various mandates related to data protection and threat mitigation for these types of systems across numerous agencies.
The memo also details various security requirements that must be implemented for national security systems. Within 180 days, for instance, agencies are required to implement multi-factor authentication and encryption for the systems, and within 90 days the Committee on National Security Systems must issue cloud migration guidance for the systems.
“The President’s May 2021 Executive Order required that the government ‘shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order,’” according to the memo. “Consistent with that mandate, this [memo] establishes timelines and guidance for how these cybersecurity requirements will be implemented, including multi-factor authentication, encryption, cloud technologies, and endpoint detection services.”
The NSA’s authorities outlined by the memo include assisting agencies in developing an inventory of their various national security systems, as well as launching emergency directives and binding operational directives that require agencies to take specific actions against security threats or flaws, if need be. The latter directive is modeled on the Department of Homeland Security’s (DHS) binding operational directive authority for civilian government networks, which has previously been leveraged by the agency in addressing various security concerns. Agencies must now also report any security incidents on national security systems to the NSA.
Mark Montgomery, executive director of the Cyberspace Solarium Commission, said the binding operational directive model has been effective at the DHS and that he is hopeful it will be useful for national security systems. While many of the mandates - such as the requirement of incident reporting - were likely happening in a vast majority of cases on national security systems, “putting it as a requirement is good practice,” he said.
As part of the security incident reporting mandate, agencies are directed to report any compromise or unauthorized access of a network hosting a cross-domain solution - tools that transfer data between classified and unclassified systems - when an agency-operated national security system is impacted. The memo also directs agencies to inventory these cross-domain solutions and mandates that the NSA establish security standards and testing requirements to better protect critical systems.
“The cross-domain issue has seriously hurt national security in the past with some egregious compromises, so oversight of this is always a good thing,” Montgomery said.
The memorandum also seeks to improve collaboration between various agencies when it comes to securing national security systems, requiring the NSA, director of National Intelligence, CIA, FBI and DOD to develop a framework within 90 days for coordinating on security and incident response activities “that ensures effective information sharing among agencies.” The goal here is to improve the government’s ability to identify, understand, and mitigate various security risks across all national security systems.
Crane Hassold, director of threat intelligence with Abnormal Security, said one of the biggest challenges that the federal government faces is the maintenance of a vast array of disparate computer systems owned by dozens of different agencies.
“Similar to the CISA directive issued in November that established vulnerability management priorities across the federal government, this new executive order is meant to standardize cybersecurity requirements for national security systems across all agencies instead of letting every agency fend for themselves,” he said.