A new White House memo expands cybersecurity requirements for national security systems beyond those of civilian government systems.
The memo, dated Jan. 19, “raises the bar for the cybersecurity of our most sensitive systems,” according to an accompanying fact sheet.
The memo lays out timelines for agencies to comply with security protocols and says agencies must report “cybersecurity incidents” to the National Security Agency, which is the “national manager” of the government’s classified computer systems. The NSA will write rules “requiring agencies to take specific actions against known or suspected cybersecurity threats and vulnerabilities.”
Building on the Biden administration’s “Executive Order on Improving America’s Cybersecurity” published in May 2021, the new memo addresses multi-factor authentication, encryption, and cloud technologies among other requirements. It says agencies must secure “cross-domain solutions,” which are “tools that transfer data between classified and unclassified systems.”
It also outlines when agency heads may make exceptions “for circumstances necessitated by unique mission needs.”
Sections of the “Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems” call for guidance or rules addressing:
- Cloud technologies: The Committee on National Security Systems will create guidance “regarding minimum security standards and controls related to cloud migration and operation.”
- Zero-trust architecture: Agencies will develop plans to adopt zero-trust architecture, in which parts of a system are walled off from each other and users must continuously authenticate themselves as they move around the system.
- Quantum-resistant algorithms: The NSA will share with agencies information on its plans for using quantum-resistant security algorithms “where necessary” to defend against potential cyberattacks by quantum computers.
- Framework for collaboration: The NSA will “develop a framework to coordinate and collaborate on cybersecurity and incident response activities.” The framework will loop in the heads of relevant DOD entities along with the director of national intelligence and the directors of the FBI and CIA.