U.S. President Joe Biden this week signed a memorandum on boosting the cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.
The new national security memorandum’s goal is to implement the cybersecurity requirements outlined in the executive order signed by Biden in May 2021 to improve cyber defenses.
Specifically, the memorandum establishes guidance and timelines for implementing the National Security Systems (NSS) cybersecurity requirements described in the executive order.
The memorandum requires agencies to report any NSS cyber incidents to the NSA, and it authorizes the NSA (which has the role of National Manager) to create binding operational directives (BODs) that require agencies to take measures to address known cyber threats and vulnerabilities.
Industry professionals have commented on the memorandum and its implications.
And the feedback begins…
Andrew Howard, CEO of Kudelski Security
“These baseline standards have existed under the government’s NIST 800-37 Risk Management Framework for a long time but were not always deployed unless the computer system had significant confidentiality, integrity, or availability concerns. More ubiquitous deployment of multi-factor authentication and hard disk encryption across government systems is a prudent step. The government’s footprint of systems is huge and a strong baseline is a good idea.”
Rick Holland, CISO, Vice President Strategy, Digital Shadows:
“The SolarWinds intrusion that ravaged government networks occurred in December of 2020. The Biden administration published Executive Order 14028 (Improving the Nation’s Cybersecurity) in May of 2021, yet we are just now seeing guidance for National Security Systems. Given the threat landscape and the urgency to build defensible and resilient government networks, I’m surprised that the directive has taken this long to come out.
Readers shouldn’t assume that just because a program is designated a National Security System (NSS), it will be far more secure than unclassified or private sector systems. “Military-grade” isn’t always synonymous with better or more secure. Protecting classified systems has many of the same challenges that we all face. The memorandum highlights asset discovery, logging, Zero Trust, incident response, which are universal and perennial opportunities for improvement.
The exception management process will make or break this memorandum. There are lofty goals around multi-factor authentication and encryption. If an agency cannot meet the timelines, they can request exceptions. How these exceptions are assessed and validated is critical; if the National Manager doesn’t challenge exceptions and hold agencies accountable, much of this memorandum will be a paper tiger.”
John Bambenek, Principal Threat Hunter, Netenrich:
“This seems like a straightforward directive to create solitary authority and control of these types of systems so one person can be accountable and responsible for protecting it. These systems contain the most sensitive information that there is and it’s important that there is “one throat to choke” when there are failures.”
Joseph Carson, chief security scientist and Advisory CISO, ThycoticCentrify:
“The reality is that cyberattacks are happening now and we must act fast to reduce the risks of a major catastrophe happening sooner, rather than later. Recent initiatives by the Biden administration are great, however, we must prioritize what we can do now and what we must do in the future. We must look to accelerate the need for skilled workers in cybersecurity and fast track them into the industry as the skills shortage is only getting larger. Cybersecurity is no longer just an industry issue. It is one that can impact all of society and that means cybersecurity training is needed for everyone to reduce the risks from cyberattacks. Cybersecurity is no longer just a career path. It is an essential skill in today’s digital society.”
Jim Richberg, Field CISO Public Sector, Fortinet:
“National Security Systems (NSS) are frequently left out of Presidential directives on cybersecurity; they have a different focus and they’re governed by a different set of legal authorities. Too often, the assumption is that because these deal with national security data, they’re inherently more secure and covered by greater—or at least equal—levels of protection. Today’s National Security Memo (NSS) makes it explicit that the same elements of basic cyber hygiene that EO 14028 prescribes for non-NSS government networks exist within national security ones, ensuring that there is interoperability of capability. This is useful, given the number of cyber priorities Federal agencies face.
You cannot overstate how difficult it is to protect yourself against a threat that you can’t detect, that you didn’t see coming, or that affects assets you didn’t know you had. This directive strengthens the NSA’s abilities, as the National Manager for NSS systems, to unify these important systems and the missions they support. It requires agencies to create and share inventories with the NSA and to report cyber incidents. It also allows the NSA to issue Binding Operational Directives (BODs) requiring agencies with NSS to take specified actions. This parallels the authority of DHS with respect to non-NSS civilian networks, ensuring Whole of Government action against a potential threat or vulnerability.
Bottom line: By shining a spotlight on NSS, it clarifies that the levels of protection and focus on these critical systems must be equal to or exceed non-NSS Federal networks. Moreover, it promotes interoperability and collaboration in identifying and protecting against threats to the full spectrum of Federal networks.”
Mike Wiacek, Founder and CEO, Stairwell:
“The guidance seems positioned to help NSA’s role in managing classified systems throughout U.S. government networks, to further drive adoption of zero-trust principals across agencies, and to help ensure that agencies have comprehensive plans in case of emergencies.
While zero-trust provides critical principles for ensuring the security of a network, an important caveat is that it won’t always prevent exploitation from vulnerabilities, such as Log4j. It will significantly reduce an attacker’s ability to move laterally and pivot to other systems – giving defenders more time to respond.”
Sen. Mark R. Warner, Chairman of the Senate Select Committee on Intelligence:
“I applaud President Biden for signing this order to improve our nation’s cybersecurity. Among other priorities, this National Security Memorandum (NSM) requires federal agencies to report efforts to breach their systems by cyber criminals and state-sponsored hackers. Now it’s time for Congress to act by passing our bipartisan legislation that would require critical infrastructure owners and operators to report such cyber intrusions within 72 hours.”
