New White House Cybersecurity Memo Raises the Bar for National Security Systems

President Joe Biden recently issued a National Security Memorandum (NSM-8) specifying how the defense, national security and intelligence community are to bring their national security systems (NSS) into compliance with his May 2021 Executive Order #14028 on improving cybersecurity across the federal government.

The memo sets authorities, requirements and timelines for members of the broad national security and intelligence community for improving the cybersecurity of the most sensitive information technology systems within the government. The new directive effectively applies the same basic requirements the White House has placed upon Federal Civilian Executive Branch (FCEB) agencies, with appropriate adaptations for NSS to account for their governance under the Director of the National Security Agency (NSA) – who acts as the National Manager (NM) responsible for NSS – in consultation with the Secretary of Defense (SECDEF), the Director of National Intelligence (DNI) and others in the national security community.

Here are the key elements of the memo that will drive the cybersecurity efforts of agencies owning or operating NSS as well as their contract partners that provide operational services, cloud services, software products and other technology solutions.

Requirements to Share Cyber Threat Information

Information Sharing – Service providers will be required to share data on cyber incidents or potential incidents relevant to any agency with which they have contracted and collaborate with federal cybersecurity or investigative agencies in their incident investigations and responses. The Department of Homeland Security (DHS) will take the lead in identifying the nature of cyber incidents that require reporting; the types of information that require reporting; protections for privacy and civil liberties; and the time periods within which contractors must report.

Updated Contract Requirements – The Office of Management and Budget (OMB) – in consultation with other federal cybersecurity leaders, including the National Manager (i.e. NSA Director) – is reviewing and recommending updates to the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) contract requirements and language for contracting with IT and operational technology (OT)) service providers. The updated contract requirements are to ensure that service providers – including cloud service providers – collect and store cybersecurity data on all information systems over which they have control, including systems operated on behalf of agencies.

Standardizing Agency Cyber Requirement Contract Language

To streamline and improve compliance for vendors and agencies the Cybersecurity and Infrastructure Security Agency (CISA) is reviewing existing agency-specific cybersecurity requirements and recommending to the FAR Council standardized contract language for appropriate cybersecurity requirements. Once approved by the FAR Council, agencies will update their agency-specific cybersecurity requirements to remove any duplicative requirements. The latest memo encompasses NSS and the owner agencies under this process.

Modernizing Agency Cybersecurity

Cloud Computing – The memo directs the Committee on National Security Systems (CNSS) to develop guidance on minimum security standards and controls for cloud migration and operations for NSS, in line with National Institute of Standards and Technology (NIST) standards and guidance. Federal departments or agencies that own or operate a NSS must update their IT plans to prioritize resources for the adoption of cloud technology.

Zero Trust –  Departments and agencies that own or operate a NSS must develop a plan to implement Zero Trust Architecture based on NIST and CNSS guidance and instructions.

Multifactor Authentication and Encryption – Agencies must implement multifactor authentication and encryption for NSS data-at-rest and data-in-transit. Unless otherwise approved, agencies are directed to use NSA?approved, public standards-based cryptographic protocols to ensure cryptographic interoperability among NSS. The NSA will review and update the approved list of commercial national security algorithms (CNSA) and any related cryptographic equipment modernization requirements. The CNSS will update all cryptographic-related policies, directives, and issuances. Agencies must identify any use of encryption not in compliance with NSA-approved Quantum Resistant Algorithms or the CNSA list.

Cyber Collaboration and Incident Response – The National Manager is to develop a framework to coordinate and collaborate on cybersecurity and incident response activities related to NSS commercial cloud technologies that ensures effective information sharing among agencies, the NSA and commercial Cloud Service Providers (CSP). NSA and DHS will coordinate to ensure a unified federal effort across agencies and CSPs.

Enhancing Software Supply Chain Security

Critical Software Security – The National Manager must publish guidance outlining security measures for NSS critical software, including applying practices of least privilege, network segmentation, and proper configuration. The guidance must align with similar guidance issued by the Office of Management and Budget (OMB) and NIST. Agencies may request an extension to the time period for meeting the requirements issued in the NSS Critical Software Security guidance.

Cybersecurity Vulnerability and Incident Response Procedures

Vulnerability and Incident Response – In May, CISA was charged with working with other federal cybersecurity leaders, including the National Manager, to develop a standard set of operational procedures (playbooks) to be used in planning and conducting a cybersecurity vulnerability and incident response activity through all phases of an incident response. The federal Cybersecurity Incident and Vulnerability Response Playbooks, published last November, define key terms to provide a shared lexicon among agencies and OMB shall issue guidance on agency use of the playbook. Agencies with procedures that deviate from the playbook may use such procedures only after demonstrating to OMB and the Assistant to the President and National Security Advisor (APNSA) that these procedures meet or exceed the standards proposed in the playbook.

The latest memo gives the National Manager the responsibility of reviewing and validating NSS agencies’ incident response and remediation results upon an agency’s completion of its incident response.

Endpoint Detection and Response – The May EO directed the NSA Director (National Manager), the Secretary of Defense, the Director of National Intelligence, and the Committee on National Security Systems (CNSS) to establish policies and actions for improving the detection of cyber incidents affecting NSS, including how NSS agencies should deploy Endpoint Detection and Response (EDR) approaches. The May EO charged CISA and OMB with developing an Endpoint Detection and Response (EDR) initiative aimed at increasing the visibility into and early detection of cybersecurity vulnerabilities and threats to agency networks. FCEB agencies will be required to adopt the defined government-wide EDR approaches, including a capability for CISA to engage in cyber hunt, detection, and response activities. The latest memo directs the National Manager to determine whether NSS-related EDR capabilities should be operated by individual agencies or through a centralized EDR service provided by the NSA. 

Incident Reporting – This memo requires NSS owner/operator agencies to report to the National Manager any compromise or unauthorized access to an NSS upon agency detection or upon report by another entity, including contractors and IT service providers. The scope includes any compromise or unauthorized access of a network hosting a Cross Domain Solution (CDS) when one side of the CDS connects to an agency’s NSS. The National Manager is charged with establishing the respective reporting procedures, including required information criteria, emergency response procedures, and information protection and dissemination parameters.

Investigative and Remediation Capabilities

Event Logging – The memo directs the National Manager, SECDEF, DNI and CNSS to establish requirements for logging events and retaining other relevant data within an agency’s NSS and networks. The May EO directed DHS and OMB to set policies and requirements for FCEB agencies to establish network and system logging on their information systems (for both on-premises systems and connections hosted by third parties, such as CSPs), as well as log retention, management and protection. One requirement is to enable NSS agencies to share log information with the NSA or other federal agencies for cyber risks or incidents.

National Manager Authorities and Responsibilities 

Identification and Inventory of National Security Systems – The National Manager is to develop in the next 30 days a process for assisting federal agencies with identifying and inventorying systems that are, or should be, designated as NSS. Afterwards, agencies have 60 days to identify and inventory systems designated as NSS through the process. The designation process will include provisions for resolving determination discrepancies and for the re-designation of NSS systems as non-NSS.

Cyber Emergency Directives and Coordination

National Manager Directives – The memo sets authorities and parameters for the National Manager to issue Emergency Directives (ED) or Binding Operational Directive (BOD) to an agency for the purpose of protecting an NSS from a known or suspected information security threat, vulnerability, or risk or to mitigate a threat, vulnerability, risk, or incident. The memo further requires the NM to provide cross-agency notifications of issued directives as well as technical and operational assistance to the implementing agency. Also, the National Manager may request information from agencies on the overall cybersecurity posture of their NSS.

Coordination and Alignment –  The National Manager and the Secretary of Homeland Security are directed to establish procedures to immediately share with each other their respective EDs and BODs to ensure alignment between directives for NSS and FCEB information systems. The procedures will address information-sharing guidelines, including protections for classified information, protection of intelligence sources and methods, and protection of information originated by other agencies. The procedures will also include a process for evaluating whether to adopt any requirements or guidance contained in the other agency’s directive and communicating the determination and resulting actions to the Assistant to the President for National Security Affairs (APNSA) or their designee.

Cross Domain Solutions (CDS)

CDS Security Verifications – The memo directs the National Manager, in operating the National Cross Domain Strategy and Management Office (NCDSMO), to issue a directive requiring agencies operating a CDS connected to NSS to provide information regarding those deployments. Agencies will need to verify that they collect and archive machine-readable logs from CDS, supporting systems, and connected systems; validate that the latest authorized patches have been installed on CDS; report on the status of upgrading to the Raise-the-Bar (RTB) compliant version of their CDS; and update or develop plans of actions and milestones (POAMs) for all CDS installations to comply with NCDSMO CDS security requirements.

CDS Deployment Inventories – Relevant agencies are required to establish and maintain a deployment inventory for all CDS deployments within their jurisdiction. The National Manager will define what information is required to maintain the inventory.

Exceptions

The memorandum provides specific parameters for when and how exceptions to the above directives may be applied. The NSA Director/National Manager is to publish an exception provision process in the next 30 days. Agency Chief Information Officers (CIOs) will be required maintain a consolidated inventory of all exceptions authorized by their agency head.

_____

Get our assessment of the federal cybersecurity market in our report, Federal Information Security Market, 2021-2023.