Building on his administration’s historic cybersecurity executive order, President Joe Biden yesterday signed a new National Security memorandum (NSM) designed to further improve security across the Department of Defense, intelligence community, and national security systems. The memo lays out concrete requirements around the technology required to secure government data - and by when changes need to happen.
A lot has happened since the original Executive Order was announced last May. In August, the US Office of Management and Budget (OMB) released a memorandum with a deadline for agencies to identify and secure critical software. Just two months later, the Cybersecurity & Infrastructure Agency (CISA) released guidance around zero trust architecture, a key component to the Executive Order.
So, what’s different about this latest memorandum? For one, it’s a clear message from the administration that, for the first time, military and defense agencies will be held to the same cybersecurity mandates already issued by the Department of Homeland Security (DHS) for civilian agencies (EO 14028). It also provides the National Security Agency with the new authority to require agencies to take specific actions against suspected threats.
Collaboration is a key theme of the latest memo as well - it specifically directs the NSA and DHS to coordinate on cybersecurity incident response, collaborate on the development of new directives, and learn from each other about requirements and threats.
Accounting for nearly half (48%) of all cyberattacks over the past year, the federal government became the most targeted industry for cyber adversaries . The United States alone suffered 46% of those attacks, underscoring just how critical it is for federal agencies to work collaboratively on adopting security measures like those outlined in the memo.
Crucially, the memo sets out specific deadlines for agencies that operate national security systems. The new timeframes include 60 days to update plans for implementing zero trust architecture and 180 days to implement multifactor authentication (MFA) and encryption for all data stored and moved in such national security systems.
Combined with the focus on cloud computing, this brings renewed urgency to ongoing efforts to securely lock down access to government data and information systems wherever they reside. Considering the requirements for continuous monitoring and security testing set out in previous executive orders, agencies will also need to ensure that the stricter access controls mandated by the latest memo do not hamper their existing and planned efforts around incident and vulnerability detection.
The federal government’s ability to perform its critical functions depends on the security of its software. Learn more about how Invicti helps close security gaps in web applications to help organizations stay on top of federal mandates and guidelines.