President Biden recently signed a National Security Memorandum on cybersecurity. This memorandum was required by an earlier executive order, which we previously have discussed here.  The new memorandum (NSM) requires certain network cybersecurity measures for any government information system that is used for highly sensitive national security purposes. The requirements go into effect on a rolling basis over the next 6 months.

Systems covered include those used for intelligence activities, command and control of military forces, or weapons systems (dubbed, “National Security Systems” or “NSS”). Requirements will include use of multifactor authentication, encryption, cloud technologies, and endpoint detection services.  Notably, the NSM:

1. requires agencies to identify their National Security Systems and report cyber incidents to the National Security Agency (NSA) (the agency tasked with responsibilities over NSS);
2. authorizes the NSA to create Binding Operational Directives requiring agencies to take specific actions against known or suspected cybersecurity threats and vulnerabilities; and
3. requires agencies to secure cross domain solutions (i.e., tools that transfer data between classified and unclassified systems).

The NSM also outlines how the cybersecurity requirements will be implemented.

Putting it into Practice: At this point, the NSM is directed only at requirements for agencies (rather than contractors or vendors). But, as we’ve seen in the past, once agencies have new policies and processes in place, these requirements are likely to impact or flow-down to contractors that support National Security Systems.