White House orders federal agencies to raise cybersecurity bar for national security systems
New guidance will bring standards into line with federal civilian networks
President Biden has granted the National Security Agency (NSA) new powers to bolster the cybersecurity of US federal government computer systems related to national security.
A memorandum issued by the White House yesterday (January 19) also sets out new obligations for federal agencies and timelines for meeting them.
As prescribed by an executive order signed by Biden in May 2021, the measures will, “at minimum”, ensure that national security, Department of Defense (DoJ), and intelligence community systems adhere to the more stringent cybersecurity measures already in place for federal civilian networks.
DON’T FORGET TO READ US government launches ‘Hack the DHS’ bug bounty program
Federal agencies have been instructed to identify their national security systems and report security incidents affecting them to the NSA, the DoJ’s intelligence agency.
Mark Warner, Democrat senator for Virginia and chairman of the Senate Select Committee on Intelligence, urged Congress to build on this measure by passing pending bipartisan legislation requiring critical infrastructure operators to report cyber-attacks within 72 hours.
The legislation was drafted in the wake of the SolarWinds and Colonial Pipeline hacks.
The directive also includes guidance on the use of multi-factor authentication (MFA), encryption, zero-trust architecture, and endpoint detection services.
Binding operational directives
The memo authorizes the NSA to issue ‘binding operational directives’ that oblige operators of national security systems “to take specific actions against known or suspected cybersecurity threats and vulnerabilities”, reads a fact sheet.
These powers are modeled on those already wielded by the Department of Homeland Security (DHS) in relation to civilian government networks, with one recent DHS directive ordering agencies to mitigate the far-reaching Log4j vulnerability.
The memorandum also requires that federal agencies inventory and bolster the security of ‘cross-domain solutions’, which transfer data between classified and unclassified systems.
