United States President Joe Biden has signed a National Security Memorandum (NSM) requiring national security systems to implement network cybersecurity measures that are at least as good as those required of federal civilian networks.
The requirements for federal civilian networks were laid out in Biden’s Executive Order 14028 (EO 14028) issued May 12 2021. The new memo, signed Wednesday, specifies how the provisions of EO 14028 apply to national security systems.
The NSM establishes timelines and guidance for how cybersecurity requirements, including multi-factor authentication, encryption, cloud technologies and endpoint detection services, will be implemented.
It also requires agencies to identify their national security systems and report cyber incidents that occur on them to the National Security Agency (NSA).
Commenting on this particular requirement of the NSM, Mark Manglicmot, vice president of security services at Arctic Wolf, said: “To defend something, you need to have an asset inventory to know what your most critical systems and data are. This directive mandates this best practice.”
The NSM further authorizes the NSA to create Binding Operational Directives that require agencies to take specific actions against known or suspected cyber-threats and vulnerabilities. In addition, it requires the NSA and the Department of Homeland Security to share BODs and “learn from each other to determine if any of the requirements from one agency’s directive should be adopted by the other.”
Under the new memo, agencies are required to secure tools known as cross-domain solutions that transfer data between classified and unclassified systems.
In a statement released Wednesday, the White House said: Modernizing our cybersecurity defenses and protecting all federal networks is a priority for the Biden Administration, and this National Security Memorandum raises the bar for the cybersecurity of our most sensitive systems.”
James McQuiggan, security awareness advocate at KnowBe4, noted that the memo omitted any requirements around cybersecurity education or creating a security culture among users.
He said: “When users can spot social engineering attacks, have the necessary training to work in Network or Security Operations Centers and understand the importance of developing secure code, it can strengthen the resiliency of the organization or government systems and significantly reduce the risk of a cyber-attack.”