On January 20, President Biden signed a memorandum aimed at improving the cybersecurity of the National Security, Department of Defense, and Intelligence Community Systems (together, the “National Security Systems).
A National Security System (NSS) is an information system used or operated by an agency or on its behalf, the function, operation, or use of which involves: (i) intelligence activities; (ii) cryptologic activities related to national security; (iii) command and control of military forces; or (iv) equipment that is an integral part of a weapon or weapons system.[1] This designation also applies to information systems that are critical to the direct fulfillment of military or intelligence missions or ones that are to be kept classified in the interest of national defense or foreign policy.[2]
In essence, the memorandum directs agencies (departments that own or operate an NSS) to: (1) identify systems that are or are likely to constitute NSS; (2) implement protocols to protect that information against cyberthreats; and (3) develop a plan to respond to a suspected or actual cyberthreat.
Identifying Sensitive Information/Systems
A critical step in any organization’s cybersecurity program is to identify the organization’s most sensitive information — in this instance, information systems that are likely to constitute a NSS. The memorandum therefore authorizes the National Security Agency (NSA) to develop, within 30 days, a process to assist agencies with identifying and inventorying such systems.[3]
Protecting Sensitive Information
Another critical step in any cybersecurity program is to implement controls to protect the organization’s most-sensitive information. The memorandum requires agencies to update, within 60 days, their existing plans to prioritize resources for the adoption and use of cloud technology and Zero Trust Architecture and develop a plan to implement Zero Trust Architecture.[4]
Zero Trust Architecture helps protect sensitive information by limiting access to that information to only those that should have access. Rather than focus on securing a physical network, Zero Trust Architecture focuses on securing resources (data, identities, and services).
The memorandum also requires agencies to implement multifactor authentication, implement encryption of NSS data at-rest and in-transit, and identify instances when encryption does not satisfy NSA requirements.
Responding to Threats
Another essential component to a cybersecurity plan is to determine what constitutes a threat, to whom to report a threat, and how to respond to one. The memorandum addresses these items as well, requiring that the national manager, director of national intelligence, and the CIA director establish procedures for (i) identifying what constitutes a known or suspected compromise or unauthorized access[5] and (ii) agencies to follow when reporting actual or suspected threats.[6] Finally, if a cyberthreat is reported, the memorandum authorizes the NSA to act. The national manager can create binding operational directives that require agencies to take specific action in response to a cyberthreat.[7] And in response to a known or suspected substantial threat, the national manager has authority to issue an emergency directive to the head of the agency to take any lawful action regarding the operation of NSS to protect or mitigate the NSS from threat, vulnerability, or risk.[8]
Last June 2021, the Biden administration signed a separate national security memorandum (NSM) titled, “Improving Cybersecurity for Critical Infrastructure Control Systems.” This NSM required that the Cybersecurity and Infrastructure Security Agency (CISA) and the National Institute of Standards and Technology (NIST) work with other federal agencies to develop “cybersecurity performance goals for critical infrastructure.” It also established the president’s Industrial Control System Cybersecurity Initiative, which is a “voluntary, collaborative effort between the federal government and the critical infrastructure community to facilitate the deployment of technology and systems that provide threat visibility, indicators, detections, and warnings.” President Biden has also signed an executive order aimed at “improv[ing] the nation’s cybersecurity and protect[ing] federal government networks.”
These efforts by the Biden administration seem to be driven in large part by high-profile data incidents, including SolarWinds and the Colonial Pipeline ransomware attack. The press release accompanying last year’s executive order states that these incidents “are a sobering reminder that U.S. public and private sector entities increasingly face sophisticated malicious cyber activity from both nation-state actors and cyber criminals.” To prevent future attacks/minimize their impact, the executive order mandated that the secretary of commerce and the secretary of defense publish guidelines recommending minimum security standards for vendors. The order also required that the Department of Homeland Security standardize common cybersecurity contractual requirements for vendors.
***
This memorandum sets forth important steps to any cybersecurity program — identifying sensitive information, implementing protocols to protect that information, and devising a strategy to report and respond to data security incidents. How an organization implements these steps will vary. Organizations should tailor their cybersecurity programs based on the type of business they conduct, their industry, and the nature of their data processing activities. While the protective cybersecurity measures included in this memorandum (multifactor authentication, encryption, Zero Trust, etc.) are certainly effective, their implementation may be impractical and unnecessary for organizations that possess less sensitive information. It is also vital that organizations periodically assess the sufficiency of their cybersecurity programs and amend these programs over time to address the latest threats.
[1] 44 U.S.C., § 3552 (b)(6).
[2]Id.
[3] Memo. § 2(2).
[4] Memo. § 1(b)(ii)(b).
[5] Memo. § 2(b)(i).
[6] Memo. § 2(b)(iii).
[7] Memo. § 2(c)(ii).
[8] Memo. § 2(c)(i).
