On Wednesday, January 19, 2022, President Joe Biden signed a national security memorandum (NSM) aimed at improving cybersecurity across the Department of Defense (DoD) and the intelligence community (IC). The memo builds on Biden’s cybersecurity executive order, issued in May 2021, by laying out a roadmap for how he intends to improve cybersecurity across the federal government. It comes on the heels of multiple warnings released by the Cybersecurity and Infrastructure Security Agency (CISA) about potential threats coming from Russia, demonstrating the immediate need for up-to-date cybersecurity requirements.
The Plan
The goal is to bring cybersecurity requirements for military agencies and the IC in line with those for civilian agencies. The memo sets specific guidelines for agencies to adopt, including zero-trust architecture implementation plans, cloud technologies, multifactor authentication, and encryption. It also gives the National Security Agency (NSA) the authority to issue operational directives on cyber issues.
The Requirements
Cloud Technology
Agencies should update existing agency plans to prioritize resources for the adoption and use of cloud technology.
Zero Trust Architecture
Agencies must develop a plan to implement Zero Trust Architecture. The plan may include NIST Special Publication 800-207 guidance and relevant CNSS instructions, directives, and policies regarding enterprise architectures, insider threats, and access management.
Cryptographic Protocols
Agencies must ensure widespread cryptographic interoperability among national security systems (NSS) using NSA-approved, public standards-based cryptographic protocols or NSA-approved mission-unique protocols.
Collaboration
All agencies will coordinate and collaborate on cybersecurity and incident response activities related to NSS commercial cloud technologies.
The Timeline
The head of each executive department or agency that owns or operates a national security system (NSS) is required to update agency plans concerning cloud technology within 60 days. Agencies must implement multifactor authentication and encryption for NSS data-at-rest and data-in-transit within 180 days. Departments and agencies are also required to notify the National Manager, the NSA, of known or suspected incidents or compromises of NSS. This directive is modeled on the Department of Homeland Security’s (DHS) Binding Operational Directive for civilian government networks.
Too often the assumption is that because military or IC agencies deal with national security data, they’re inherently more secure and covered by greater levels of protection. This NSM makes it explicit that the same elements of basic cyber hygiene are necessary for both non-NSS government networks and national security networks.
CDT has worked with several agencies to build systems and improve network security. With increased focus on cybersecurity and new timelines in place, agencies will need to improve and modernize their security models quickly. Reach out and let us know how we can help.
info@cyberdefensetechnologies.com