The White House recently released a memorandum aimed at strengthening the cyber defenses of “national security systems” – information systems operated by the federal government that are used for intelligence or military purposes. The Memorandum comes at a time when cyber threats against government actors are significant. For example, last December the Virginia legislature was the target of a ransomware attack that threatened to delay the start of its legislative session. Similarly, several Ukrainian government agencies have recently been the target of significant cyberattacks.
But the Memorandum may also contain clues for the private sector. Many requirements of the Memorandum reflect the same types of precautions applied by some state regulatory agencies. Although the memorandum is aimed only at federal agencies, it could be a harbinger of what is to come if federal oversight of cybersecurity preparedness in the private sector becomes a reality. But at the very least, the Memorandum reflects the kinds of precautions that are at the center of discussions about cyber-preparedness in the public and private sectors.
The memorandum itself builds on the cybersecurity executive order issued by President Biden last year. As we wrote at the time, this executive order was designed to strengthen the federal government’s cybersecurity defenses by improving inter-agency coordination and establishing certain cybersecurity infrastructure benchmarks. The memorandum sets out concrete steps for national security systems to meet or exceed these benchmarks. Some of the specific benchmarks it sets include the following:
Zero trust architecture. Within 60 days, federal agencies must update their plans to prioritize the adoption of Zero Trust Architecture. This is a network design pattern that limits the ability of internal users to access data, with the intent of preventing an unauthorized intrusion affecting an individual network user (for example, a phishing attack) from becoming a network-wide attack vector.
Multi-factor authentication. Within 180 days, agencies must implement multi-factor authentication to access national security systems.
Encryption. Within 180 days, agencies must implement encryption of data at rest and in transit, and that encryption must comply with “NSA-approved Quantum Resistant Algorithms” or “Commercial National Security Algorithms (CNSA).”
In addition to setting out these requirements, another strength of the memorandum is that it empowers the Director of the NSA, in his role as “national manager” of national security systems, to act as the central coordinator of implementation and compliance for all agencies operating national security systems. The powers and responsibilities conferred on the NSA include the following:
Identification of the national security system. The NSA has the authority to identify federal agency information systems that should be designated as national security systems and has the authority to push agencies operating those systems to designate them as such.
Incident reports. Other agencies must report incidents of compromise or unauthorized access to national security systems to the NSA.
Guidelines. As summarized in a fact sheet released by the White House alongside the memorandum, the NSA has the authority “to create binding operational guidelines requiring agencies to take specific action against known or suspected cybersecurity threats and vulnerabilities.”
In many respects, these provisions touch on the same themes found in some private sector regulations. For example, the New York Department of Financial Services (“DFS”) requires entities covered by its cybersecurity regulations to use multi-factor authentication with limited exceptions, and it recently issued a guidance letter highlighting its importance as an “essential element of cybersecurity hygiene.” The Memorandum’s mandate suggests that the federal government is moving in the same direction for its own critical digital assets.
Another common theme is the Memorandum’s requirement that agencies report cybersecurity incidents to a central authority. State regulatory authorities also require reporting of an incident to a central authority. DFS regulations and New York’s SHIELD Act, for example, each require reporting, the former to the DFS and the latter to the New York Attorney General (as well as others). As DFS explained, incident reporting can be important from a regulatory standpoint because it allows a central authority to “more quickly identify the techniques used by attackers”, “alert the industry” and to “respond quickly to new threats”. This mirrors the White House fact sheet talking points explaining that reporting to the NSA will help “enhance the government’s ability to identify, understand, and mitigate cyber risks across all national security systems.”
It’s unclear if or when the federal government itself will impose greater regulation on the private sector, but in light of developments such as the exponential growth in ransomware attacks over the past year, it could be underway at any time. SEC Chairman Gary Gensler recently suggested that his agency might consider re-proposing Regulation Systems Compliance and Integrity (“SCI”) to “further strengthen the cyber hygiene of significant financial institutions.” It remains to be seen whether further action will be taken at the federal level – numerous pieces of proposed federal cybercrime legislation have surfaced and are stalled in Congress – but the recent memorandum provides clues as to where federal executive guidelines could go.