White House issues new guidance on cybersecurity for federal agencies via National Security Memorandum 8
Building on the requirements published in the May 2021 Executive Order 14028, Improving the Nation’s Cybersecurity, National Security Memorandum 8 (NSM-8), signed January 19, 2022, reaffirms that cybersecurity is central to securing National Security Systems (NSS) and to protecting the nation’s critical infrastructure and the government’s mission-critical applications and systems.
The memorandum, titled Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems, applies to NSS, which are operated largely by the Department of Defense and the intelligence community. Intended to improve the government’s ability to identify, understand, and mitigate cyber-risk across all NSS, the memorandum explicitly directs agencies to adopt National Institute of Standards and Technology (NIST) guidance on cloud security and Zero Trust Architecture (NIST SP 800-207).
Beyond familiar controls like multifactor authentication, the guidance asks agencies to submit plans for adopting quantum-resistant (also called post-quantum) cryptography: public-key algorithms built on mathematical problems that are believed to be hard for both classical and quantum computers. The public-key algorithms in wide use today (RSA, Diffie-Hellman, and elliptic-curve schemes) can be broken by a sufficiently large quantum computer running Shor’s algorithm, and encrypted data captured today could be decrypted once such a machine exists. Quantum-resistant cryptography is designed to withstand such attacks.
The memo also requires agencies to submit a plan to implement the Zero Trust security model. Zero Trust has been included in previous executive orders, giving many organizations a head start in drafting plans and proving the efficacy of the model. But adoption of Zero Trust will be a challenge, given that the security model is a work in progress with unresolved implementation issues. Many organizations, for example, rely on legacy mainframes and applications to achieve core business needs, and technology issues arise when legacy systems are not fully compatible with Zero Trust Architecture.
The following are some of the most notable requirements outlined in the memorandum. Timeframes range from 30 to 180 days.
- Prioritize resources for the adoption of cloud technology.
- Develop a plan to implement Zero Trust Architecture.
- Implement multifactor authentication, and encryption for NSS data at rest and in transit.
- Identify NSS encryption that does not use NSA-approved quantum-resistant algorithms, and plan its migration to quantum-resistant encryption for data at rest and in transit.
- Use NSA-approved, public standards-based cryptographic protocols to help ensure cryptographic interoperability.
- Review NIST and NSA guidance on quantum-resistant cryptography and identify which technologies and systems must be migrated to algorithms that resist attacks by quantum computers.
- Report known or suspected compromises of NSS, or unauthorized access to them, to the National Security Agency in its role as National Manager for NSS, to help expedite threat detection and response.
The memorandum also offers guidance on obtaining exceptions for requirements or extensions to project deadlines due to “unique mission needs” or constraints. Agencies will need to provide a plan to satisfy requirements using alternate methods.
Think about this now
While the memorandum largely extends to NSS the kinds of requirements that Executive Order 14028 already set for federal civilian systems, it provides plenty of issues to think about. We believe, for instance, that the memorandum will catalyze changes in the security requirements written into federal government contracts.
What’s more, the memorandum definitively establishes cybersecurity as a key pillar of federal agencies, one that will likely trickle down from government agencies to federal contractors. Private-sector federal contractors should carefully review these requirements and assess their potential impacts. Organizations that are ahead of the technological curve may require no immediate action. But those that discover gaps should immediately address them. If you need help interpreting the memorandum, our team is here to assist and provide guidance.