Biden Memo Orders Cybersecurity ImprovementsNSA Will Strengthen Cybersecurity of Defense, Intel Systems
U.S. President Joe Biden signed a National Security Memorandum on Wednesday that aims to improve the cybersecurity of national security and intelligence community systems.
The memo requires that national security systems "employ the same network cybersecurity measures as those required of federal civilian networks," per Biden's May 2021 executive order. It also gives new powers to the National Security Agency to oversee cybersecurity improvements, and the agency will also now collect reports on incidents affecting national security systems.
The NSA will be empowered to issue its own emergency directives and require agencies under its jurisdiction to take specific actions to mitigate cyberthreats per specific timelines laid out for 2022.
In a fact sheet, the White House says the memorandum "builds on the Biden administration's work to protect our nation from sophisticated malicious cyber activity, from both nation-state actors and cybercriminals." Officials say the memorandum "raises the bar for cybersecurity for our most sensitive systems."
The directive specifies how the provisions of the 2021 executive order apply to "national security systems," which will be designated by NSA Director Gen. Paul Nakasone. It also establishes timelines and guidance for how these requirements will be implemented.
Sen. Mark Warner, D-Va., chairman of the Senate Select Committee on Intelligence, praised the memo but called for legislation to bring more transparency to cyber incidents that affect critical infrastructure.
"Among other priorities, this NSM requires federal agencies to report efforts to breach their systems by cybercriminals and state-sponsored hackers," Warner says in a news release. "Now it's time for Congress to act by passing our bipartisan legislation that would require critical infrastructure owners and operators to report such cyber intrusions within 72 hours."
Top cybersecurity experts say the memo is a productive step for federal networks.
"American cyberspace is besieged. I have never seen such a systemic onslaught," says Tom Kellermann, head of cybersecurity strategy at VMware and a member of the Cyber Investigations Advisory Board with the U.S. Secret Service. "This memo is strategic and will significantly improve the long-term security of our national security systems."
Taking to Twitter on Tuesday, the NSA's Director of Cybersecurity Rob Joyce said, "This national security memorandum has great tools that will aid NSA's efforts as part of the federal team to protect the most sensitive networks!"
Also on Twitter, National Cyber Director Chris Inglis wrote that the memo marks another step forward for "federal coherence" in cyber policy.
Similarly, Phil Reitinger, president and CEO of the Global Cyber Alliance and former director of the National Cyber Security Center at DHS, says, "Giving NSA greater responsibility and authority regarding use of cloud systems relevant to it makes considerable sense, as does increasing the focus on zero trust architectures."
White House officials say the memo will help improve "the visibility of cybersecurity incidents" by requiring agencies to identify their national security systems and report cyber incidents occurring on them to the NSA. The NSA is considered the "national manager" for the United States' classified systems.
The memo also requires agencies to act to protect or mitigate cyberthreats to these systems. Namely, it authorizes the NSA to create "binding operational directives" requiring agencies to take actions against known or suspected security threats and vulnerabilities.
Administration officials say the directive authority is modeled on the Department of Homeland Security's efforts, through CISA, to oversee civilian government networks. The memorandum also "directs NSA and DHS to share directives and to learn from each other to determine if any of the requirements from one agency's directive should be adopted by the other."
The memorandum also requires agencies to secure cross-domain solutions, or tools that transfer data between classified and unclassified systems. Administration officials add: "Adversaries can seek to leverage these tools to get access to our classified networks, and the NSM directs decisive action to mitigate this threat."
The White House adds that related agencies will be required to inventory their cross-domain solutions, and the NSA will establish security standards and testing requirements to better protect these systems.
Per the memorandum, the Department of Defense, the FBI, the CIA and the Office of the Director of National Intelligence will have responsibility to create a framework for conducting incident response activities on national security systems.
By March, agencies with systems handling sensitive or classified national security data must update their zero trust and cloud adoption plans.
By April, the Committee on National Security Systems will establish "minimum" security controls for national security IT systems in the cloud. And by July, agencies will be required to confirm their related systems are using multifactor authentication and encryption protocols for data-at-rest and in transit.
The directive also provides defense and intelligence agencies six months to document systems that may be noncompliant or that fail to use NSA-approved encryption algorithms. They'll also be tasked with setting timelines for replacement.
White House Efforts
The fact sheet issued Wednesday says that "cybersecurity is a national security and economic security imperative for the Biden administration," which continues to "prioritize and elevate cybersecurity like never before."
Officials point to a "surge effort" to improve cybersecurity across the electric and pipeline sectors, which has yielded commitments from some 150 utilities serving 90 million Americans to deploy specific cybersecurity controls. Biden, they add, also issued a memorandum establishing voluntary cybersecurity goals with expectations for providers of critical infrastructure.
"We continue to work closely with the private sector on the importance of prioritizing cybersecurity as a central part of their efforts to maintain business continuity," officials say.