President Trump on Friday signed National Security Presidential Memorandum-12 (NSPM-12) to bolster the cybersecurity of National Security Systems (NSS).
NSS includes the most sensitive computer systems in the US, used for the processing of classified information and for military and intelligence mission support.
The new memorandum establishes a clear structure for NSS governance and NSS cybersecurity requirements accountability, to ensure that NSS owned or operated by civilian agencies receive the same level of protection as those of the government.
“It shall be the policy of the United States Government to foster a proactive, adaptive, and resilient cybersecurity ecosystem for all NSS to better safeguard the Nation against persistent cyber threats from sophisticated adversaries,” NSPM-12 reads.
The memo also reestablishes the Committee on National Security Systems (CNSS), modernizing it to set baseline cybersecurity requirements across all NSS.
Per NSPM-12, CNSS will oversee NSS cybersecurity across the government, issue emergency directives, provide authoritative minimum requirements, and promote coordination and information sharing to provide collaboration, standardization, and resource management.
“The CNSS will leverage the combined authorities and resources of the Federal Chief Information Officer, the Chief Information Officers of the DOW and IC, and the Director of the National Security Agency (NSA) to ensure that there are no gaps or weak links in NSS defenses,” the White House’s NSPM-12 fact sheet reads.
Per the memorandum, the director of the NSA will serve as the National Manager for NSS to bolster NSS security, and a Policy Coordination Committee (PCC) will work with the CNSS on an NSS cybersecurity posture assessment.
The National Manager will provide technical advice to the CNSS and recommendations on incident response, and may issue emergency directives to protect the NSS in response to “intelligence of adversary capability and intent to target NSS,” the memo reads.
Per NSPM-12, within the next three months, CNSS shall revise specific directives, issue a roadmap and policy priority areas, decide which existing policies must be maintained and incorporated into directives, and “review all existing CNSS policies, directives, and instructions to determine which should be rescinded or harmonized.”
Agencies are required to maintain an inventory of NSS they own or operate, update it annually, and make it available to the National Manager.
