The memo builds on Biden’s landmark cybersecurity executive order issued last May and spells out how network requirements for civilian federal agencies included in that order — such as applying zero-trust security principles — should also be instituted across national security systems.
The effect of the document is to bring cybersecurity requirements for military agencies and the IC in line with those for civilian agencies, and to give the National Security Agency authority to issue binding operational directives on cyber issues.
New binding operational directives from NSA will mirror those issued by the Department of Homeland Security for civilian agencies, including a directive last November that gave agencies 60 days to review and update vulnerability management procedures.
“The President’s May 2021 Executive Order required that the government ‘shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth in this order,'” the memo reads. “Consistent with that mandate, this NSM establishes timelines and guidance for how these cybersecurity requirements will be implemented, including multifactor authentication, encryption, cloud technologies, and endpoint detection services.”
The federal government defines national security systems as those that “the function, operation, or use of which involves intelligence activities; involves cryptologic activities related to national security; involves command and control of military forces; involves equipment that is an integral part of a weapon or weapons system; or is critical to the direct fulfillment of military or intelligence missions … or (ii) is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.”
The memo stipulates that agencies responsible for national security systems must work to improve the visibility of cybersecurity incidents that occur on their networks. The document also authorizes the National Security Agency to create binding operational directives that require agencies to take specific actions against known or suspected cybersecurity threats.
CIOs of DOD and IC agencies must also retain internal records relating to system exceptions sufficiently detailed to perform effective identification of cybersecurity issues, according to the memo.
Commenting on the memo, Senate Intelligence Committtee Chair Mark Warner, D-Ind., said: “I applaud President Biden for signing this order to improve our nation’s cybersecurity. Among other priorities, this National Security Memorandum (NSM) requires federal agencies to report efforts to breach their systems by cyber criminals and state-sponsored hackers.” He added: “Now it’s time for Congress to act by passing our bipartisan legislation that would require critical infrastructure owners and operators to report such cyber intrusions within 72 hours.”