President Biden on Wednesday issued a directive aimed at strengthening the cybersecurity of the nation’s information systems used for national security purposes, including giving the National Security Agency (NSA) authority to direct agencies to take specific measures against known or suspected cyber threats and vulnerabilities, and requiring agencies to report cyber incidents against these systems to the NSA.
Biden’s National Security Memorandum (NSM)-8 also directs that National Security Systems (NSS) at a minimum meet the cybersecurity requirements set forth in his May 2021 executive order on Improving the Nation’s Cybersecurity. The executive order was aimed at improving the cyber defenses of the federal sector and at leveraging influence and authorities to prompt the private sector to strengthen its defenses.
The NSM also sets deadlines for agencies with NSS, including having 60 days to update plans to prioritize resources for adopting cloud technology and zero trust architecture, and having a plan to implement zero trust architecture. It also requires agencies within 180 days to “implement multifactor authentication and encryption for NSS data-at-rest and data-in-transit.”
U.S. Code defines NSS as information systems, including telecommunications systems, used in intelligence activities, cryptologic activities for national security, command and control of military forces, as a key part of weapon systems, and critical to fulfilling military or intelligence missions.
The memo also directs agencies to take heed of Section 4 of the 2021 executive order to enhance software supply chain security for NSS and gives the NSA 60 days to issue similar guidance.
For incident reporting, the NSM directs agencies to report to the NSA through the “appropriate Federal Cyber Center.” The NSA has 90 days to establish reporting procedures.
The Binding Operational Directives (BODs) that can be issued by the NSA to rectify cyber vulnerabilities on NSS are modeled after BODs issued by the Department of Homeland Security to federal civilian agencies. The NSA has 30 days to establish governing procedures for the issuance of BODs.