- National Security Systems (NSS) operators have 180 days to implement multifactor authentication and encryption for data at rest and in transit, according to a memorandum from President Joe Biden Wednesday.
- In that same time frame, agencies have to identify encryption instances that are non-compliant with National Security Agency (NSA)-approved Quantum Resistant Algorithms or the list of commercial national security algorithms (CNSA).
- Agency heads can exempt their respective agency from implementing certain requirements if it has a "unique mission" that warrants the exception. Exceptions might include systems supporting military or intelligence activities, systems with obscured attributions to the U.S. government, or information systems used for vulnerability research or testing.
Industry criticized Biden's May cyber executive order, which emphasized the need for public-private partnerships, for lacking consequences or incentives for applying security standards. The recent requirements are the latest attempt by the Biden administration to bolster U.S. cyber standards.
NSS operators handle classified and declassified information, which requires specialized information sharing and intelligence protection guidelines, which the NSA and DHS are tasked with establishing within 60 days.
In July, the Biden administration directed the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST) and Office of Management and Budget to establish performance goals for critical infrastructure. Wednesday's order aims to have NSS operators use the same network cybersecurity measures required of federal civilian networks, as outlined in the May executive order.
The memorandum allows the NSA to issue binding operational directives to NSS operators, akin to CISA's authority for civilian government networks. The memo directs the NSA and DHS to share directives and "learn from each other" to determine if directives should be applied across agencies, a White House fact sheet said.
NSS operators are expected to report to the NSA or their Federal Cyber Center any threat or compromise detected on a network that facilitates a cross domain solution (CDS) "when one side of the CDS connects to NSS operated by or on behalf of the agency." The NSA, director of national intelligence, and CIA are expected to create reporting procedures within 90 days of the memorandum.
The directive provides an estimation on what the administration views as priority cybersecurity requirements. For example, the memo gives agencies 60 days to update "existing agency plans to prioritize resources for the adoption and use of cloud technology, including adoption of zero trust architecture as practicable."
NSS operators must also have a plan for zero trust implementation, adhering to NIST guidance and Committee on National Security Systems (CNSS) instructions. The NSA and CNSS have 90 days to create the policies agencies are expected to adhere to.