In January 2022, President Biden signed National Security Memorandum 8 (NSM-8), intended to modernize cyber security defenses for National Security, Department of Defense and Intelligence Community systems, bringing them in line with the requirements that Executive Order 14028 placed on civilian federal networks in 2021. The memo grants significant responsibility to the National Security Agency (NSA), acting as National Manager for National Security Systems, to oversee and issue directives to other federal agencies that operate what are referred to as National Security Systems (NSS).
A National Security System is defined in statute (44 U.S.C. § 3552(b)(6)) as any information system whose function, operation or use involves intelligence activities, involves cryptologic activities related to national security, involves command and control of military forces, involves equipment that is an integral part of a weapon or weapons system, or is critical to the direct fulfillment of military or intelligence missions (routine administrative and business applications are excluded). Federal agencies are required to identify and inventory their National Security Systems and report them to the National Manager.
1. National Security Agency
The Director of the NSA holds the role of National Manager for National Security Systems, which makes the agency responsible for the security of National Security Systems as defined above. Agencies operating National Security Systems are required to inventory and report their in-scope systems to the NSA in its National Manager role. The intention of centralizing this authority in a National Manager is to standardize the security requirements for National Security Systems, enabling the federal government to better identify and manage cyber risks to its most critical information assets. The National Manager may issue Binding Operational Directives (BODs), compulsory directions requiring agencies that operate a National Security System to take specific actions against known or reasonably suspected threats, vulnerabilities and risks, including how they respond to identified cyber incidents. Establishing an inventory will streamline that response, as the National Manager will have visibility into every National Security System and can act accordingly when incidents or vulnerabilities are reported.
2. Zero Trust Architecture
Among the requirements initially established for National Security Systems are: adopting Zero Trust Architecture, establishing and enforcing multifactor authentication, implementing encryption standards for data at rest and in transit, and enhancing and standardizing threat detection mechanisms. Further detailed guidance will be issued by the National Manager to clarify the actions that federal agencies operating a National Security System will be required to undertake.
3. Software Supply Chain Providers
The memorandum follows other mandates from President Biden in 2021, most notably Executive Order 14028 and its requirements for software supply chain security. Federal contractors will be asked to identify critical software in their supply chains, which will help federal agencies better inventory the risks associated with outsourced software and information systems. This includes what is known as fourth-party risk: the risk posed by a third-party supplier's own suppliers. Identifying critical downstream suppliers will enable federal agencies to inventory their supplier risk and adapt and react more nimbly to potential cyber incidents involving third and fourth parties.
This will likely create a trickle-down effect throughout the software and technology industries, as companies evaluate their business partners with more scrutiny as a result of the directive. Software vendors could become subject to federal cyber security requirements even if they are not themselves government contractors. Organizations with any potential exposure to government contracts, direct or indirect, should be alert to downstream effects on their business as the government and its vendors reevaluate their third-party risk and their cyber security risk in general.
As these directives are interpreted and enforced, organizations should be ready to adapt to new standards. Over the next few months, "cyber hygiene" will be a major focus for systems that handle sensitive national security information. Agencies will be subject to added login and data security procedures, mandatory multifactor authentication, encryption and Zero Trust Architecture, among other requirements. CKSS will monitor the policy revisions that emerge in the coming months.