US President Joe Biden signed a memorandum on Tuesday concerning the cybersecurity of the Defense Department and the country's intelligence agencies, sketching out exactly how an executive order he signed in May 2021 will be implemented.
"This NSM requires that, at minimum, National Security Systems employ the same network cybersecurity measures as those required of federal civilian networks in Executive Order 14028. The NSM builds on the Biden Administration's work to protect our Nation from sophisticated malicious cyber activity, from both nation-state actors and cybercriminals," the White House said.
The memorandum goes into detail about how the executive order applies to national security systems and provides timelines for implementing things like multifactor authentication, encryption, cloud technologies, and endpoint detection services.
Within two months of the memorandum, the head of each executive department or agency that owns or operates a national security system (NSS) is required to update agency plans concerning cloud technology, and within 180 days, agencies need to implement multifactor authentication and encryption for NSS data-at-rest and data-in-transit.
It also forces agencies to "identify their national security systems and report cyber-incidents that occur on them to the National Security Agency."
The memorandum gives the National Security Agency broad powers to issue binding directives that force agencies to "take specific actions against known or suspected cybersecurity threats and vulnerabilities."
The White House noted that this directive was modeled after the Department of Homeland Security's Binding Operational Directive authority for civilian government networks. The NSA and DHS will work together on certain directives and share information about requirements and threats.
Additionally, the memorandum forces agencies to be aware of and secure cross-domain tools that allow agencies to transfer data between classified and unclassified systems.
"Adversaries can seek to leverage these tools to get access to our classified networks, and the NSM directs decisive action to mitigate this threat. The NSM requires agencies to inventory their cross-domain solutions and directs NSA to establish security standards and testing requirements to better protect these critical systems," the White House said.
The memorandum includes a range of other deadlines and orders for agencies working with sensitive information.
It comes on the heels of multiple warnings released by the Cybersecurity and Infrastructure Security Agency (CISA) about potential threats coming from Russia. CISA sent out a warning about potential Russian attacks on critical infrastructure and, this week, warned businesses working with Ukrainian organizations about potential cybersecurity issues.
The country is still recovering from the SolarWinds scandal, which saw Russian hackers invade multiple US agencies and spend months inside the country's most sensitive information systems.
Nine government agencies were hacked, including the Department of State, the Department of Homeland Security, the National Institutes of Health, the Pentagon, the Department of the Treasury, the Department of Commerce, and the Department of Energy.
Jim Richberg, former cyber chief at the Office of the Director of National Intelligence, told ZDNet that national security systems are frequently left out of Presidential directives on cybersecurity because they have a different focus and they're governed by a different set of legal authorities.
"Too often, the assumption is that because these deal with national security data, they're inherently more secure and covered by greater—or at least equal—levels of protection. Today's National Security Memo (NSS) makes it explicit that the same elements of basic cyber hygiene that EO 14028 prescribes for non-NSS government networks exist within national security ones, ensuring that there is interoperability of capability. This is useful, given the number of cyber priorities Federal agencies face," said Richberg, who is now field CISO of the public sector at Fortinet.
"You cannot overstate how difficult it is to protect yourself against a threat that you can't detect, that you didn't see coming, or that affects assets you didn't know you had. This directive strengthens the NSA's abilities, as the National Manager for NSS systems, to unify these important systems and the missions they support. It requires agencies to create and share inventories with the NSA and to report cyber incidents. It also allows the NSA to issue Binding Operational Directives (BODs) requiring agencies with NSS to take specified actions. This parallels the authority of DHS with respect to non-NSS civilian networks, ensuring Whole of Government action against a potential threat or vulnerability."
Richberg added that by shining a spotlight on national security systems, the memorandum clarifies that the levels of protection and focus on these critical systems must equal or exceed those of non-NSS Federal networks.
"Moreover, it promotes interoperability and collaboration in identifying and protecting against threats to the full spectrum of Federal networks," Richberg said.