President Joe Biden has set new deadlines for defense and intelligence agencies to follow cybersecurity requirements included in an executive order last year, while further centralizing oversight of those agencies’ cybersecurity at the National Security Agency.
The memorandum builds on the requirements laid out in last year’s cybersecurity executive order. The EO largely focused on the cybersecurity authorities of civilian agencies, with the Department of Homeland Security, the Office of Management and Budget and the National Institute of Standards and Technology taking the lead in implementation.
But the executive order did specify that defense and intelligence agencies must adhere to cyber requirements “that are equivalent to or exceed the cybersecurity requirements” set out in the executive order.
The latest memorandum “raises the bar for the cybersecurity of our most sensitive systems,” according to a summary of the document.
The memo gives agencies 180 days to implement multi-factor authentication and encryption for classified systems.
The order also homes in on the security of cloud computing. It gives the heads of defense and intelligence agencies 90 days to come up with a framework for coordinating and collaborating on cybersecurity incident response for national security systems that use commercial cloud technologies.
It gives agencies with national security systems 60 days to “update existing agency plans to prioritize resources for the adoption and use of cloud technology, including adoption of Zero Trust Architecture as practicable.”
Defense and intelligence agencies will also have to pay close attention to the executive order’s software security initiatives. The memorandum directs the NSA to review the critical software security guidance published by OMB and issue similar guidance within 60 days.
The directive requires agencies to take inventory of their “cross-domain solutions,” which are “tools that transfer data between classified and unclassified systems.” NSA is responsible for establishing security standards and testing requirements for such systems.
Biden also gives the NSA the power to issue binding operational directives to agencies so they take specific actions to protect classified networks from known or suspected cyber threats. The authority is modeled on DHS’s power to issue BODs and emergency directives for federal civilian executive branch agencies.
It directs the NSA and DHS to coordinate and immediately share information with each other about their respective binding operational directives and emergency directives.
Defense and intelligence agencies are additionally required to report cyber incidents affecting classified systems to the NSA “through the appropriate Federal Cyber Center or other designated central department point of contact,” according to the memorandum.
“Among other priorities, this National Security Memorandum (NSM) requires federal agencies to report efforts to breach their systems by cyber criminals and state-sponsored hackers,” Warner said. “Now it’s time for Congress to act by passing our bipartisan legislation that would require critical infrastructure owners and operators to report such cyber intrusions within 72 hours.”
Terry Halvorsen, former DoD chief information officer and general manager at IBM Federal, said the memorandum will help drive upgrades to classified systems, noting the directive’s focus on newer technologies like quantum-proof encryption.
“I think many of the national systems were in good shape,” Halvorsen said. “I think this is making sure that they’re in great shape.”
The memorandum also bolsters the role of the NSA as the “National Manager” for classified systems. Rob Joyce is currently director and deputy national manager for national security systems at NSA’s Cybersecurity Directorate.
“This codifies it for people,” Halvorsen said. “If somebody was maybe reluctant to report NSA, or maybe their leadership was reluctant, this pretty much says, ‘No, you have to do it.’”