New guidance will align standards with federal civilian networks
President Biden has delegated new powers to the National Security Agency (NSA) to strengthen the cybersecurity of U.S. federal government computer systems related to national security.
The memorandum, released by the White House yesterday (January 19), also lays out new obligations for federal agencies and a timeline for meeting them.
Under the executive order signed by Biden in May 2021, the measures will “at a minimum” ensure that national security, Department of Defense (DoD) and intelligence community systems comply with the stricter cybersecurity measures already in place for federal civilian networks.
Federal agencies have been instructed to identify their national security systems and report security incidents affecting them to the NSA, the U.S. Department of Justice’s intelligence agency.
Senator Mark Warner, Democrat of Virginia and Chairman of the Senate Select Committee on Intelligence, urged Congress to build on the measure by passing pending bipartisan legislation that would require critical infrastructure operators to report cyberattacks within 72 hours.
The legislation was drafted in the wake of the SolarWinds and Colonial Pipeline hacks.
The directive also includes guidance on the use of multi-factor authentication (MFA), encryption, zero trust architecture and endpoint detection services.
Binding operational directives
The memo authorizes the NSA to issue “binding operational directives” requiring operators of national security systems to “take specific actions in response to known or suspected cybersecurity threats and vulnerabilities,” according to a White House fact sheet.
These powers are modeled on those already exercised by the Department of Homeland Security (DHS) in relation to civilian government networks, with a recent DHS directive ordering agencies to mitigate the far-reaching Log4j vulnerability.
The memo also asks federal agencies to inventory and strengthen the security of “cross-domain solutions” that transfer data between classified and unclassified systems.
“I’ll bet a lot of money it’s not pure initiative,” tweeted Jake Williams, founder and president of cybersecurity firm Rendition Infosec. “Rarely do you see discussions about cross-domain solutions (e.g., unclassified to classified) and so clearly stated in the public EO as to what it says (just not sure what).
“Broadly speaking, I admit it’s probably just saying ‘we recognize this could be a problem and are trying to fix it now’. But if that’s the case, not sure if you need a public EO to do this. Wondering if this also has some signal value?”
The agency is also instructed to identify “encryption instances that do not comply with NSA-approved quantum-resistant algorithms or CNSA,” prompting Johns Hopkins professor and cryptographer Matthew Green to tweet: “It looks like the U.S. is taking post-quantum encryption seriously.”
‘Surge effort’
The directive capped a busy 12 months for the Biden administration on cybersecurity policy.
Among other measures, the White House announced new rules for reporting ransomware payments, a sweeping overhaul of federal government software procurement practices and plans to develop a blueprint to quickly patch known, exploited flaws in federal systems.
Last week, the White House hosted a virtual summit aimed at securing the software supply chain.
The fact sheet accompanying the memo also states: “The enormous effort to improve cybersecurity in the power and plumbing industries has resulted in more than 150 utilities serving 90 million Americans committing to deploy cybersecurity technology, and we are working with other key sectors to collaborate on similar action plans.”