This story has been updated to include feedback from a former DoD and intelligence official.
WASHINGTON — President Joe Biden on Wednesday signed a national security memorandum that establishes metrics for improving the cybersecurity of national security systems.
The order specifies how national security systems, the most sensitive information technology systems within the government, should comply with a May 2021 executive order designed to improve cybersecurity across the federal government.
While that executive order laid out a broad set of tasks for managers of national security systems, the new memorandum establishes specific timelines and guidance for implementation. This includes requiring multifactor authentication and encryption.
The memorandum also requires agencies to develop a plan to implement zero trust architectures, a move considered critical to protecting systems and information from both inside and outside threats.
Rob Carey, who previously served as chief information officer for the Navy and deputy CIO at the Pentagon, said the memorandum is a “necessary next step.”
“The action taken by the president raises the cybersecurity bar in the federal government to a consistent, higher level that aligns with that which is already required of the national security agencies and their systems,” said Carey, who now is president of Cloudera Government. “It will also utilize the preeminent cybersecurity expertise in the nation (the National Security Agency) and expand its role in defending the nation.”
The document also mandates improved visibility of cybersecurity incidents that occur and requires agencies to report cyber incidents to the National Security Agency.
Jim Richberg, former national intelligence manager for cyber in the Office of the Director of National Intelligence, said it marks an important step in giving the government a leg up on attacks.
“You cannot overstate how difficult it is to protect yourself against a threat that you can’t detect, that you didn’t see coming, or that affects assets you didn’t know you had,” said Richberg, who is now public sector field CISO and VP of information security at Fortinet. “This directive strengthens the NSA’s abilities ... to unify these important systems and the missions they support.”
Agencies must secure cross domain solutions, which are tools that allow the transfer of information and data between classified and unclassified systems. These solutions can be avenues or vectors of attack for adversaries that gain access and burrow deeper into sensitive systems.
Mark Pomerleau is a reporter for C4ISRNET, covering information warfare and cyberspace.