{"id":4584,"date":"2022-01-20T07:18:06","date_gmt":"2022-01-20T07:18:06","guid":{"rendered":"https:\/\/mailinvest.blog\/index.php\/2022\/01\/20\/biden-memorandum-sets-new-cybersecurity-requirements-for-national-security-systems\/"},"modified":"2022-01-20T07:18:06","modified_gmt":"2022-01-20T07:18:06","slug":"biden-memorandum-sets-new-cybersecurity-requirements-for-national-security-systems","status":"publish","type":"post","link":"https:\/\/mailinvest.blog\/index.php\/2022\/01\/20\/biden-memorandum-sets-new-cybersecurity-requirements-for-national-security-systems\/","title":{"rendered":"Biden memorandum sets new cybersecurity requirements for National Security Systems"},"content":{"rendered":"

<\/a>\n
<\/p>\n

\n

U.S. President Joe Biden today signed a national security memorandum<\/a> that sets new cybersecurity requirements for National Security Systems run by the Department of Defense and the country\u2019s intelligence agencies.<\/p>\n

The order states that NSS requirements must meet or exceed the standard laid out for civilian federal agencies as detailed in an executive order signed by the President in May<\/a>. That order, coming just after the attack on pipeline system operator Colonial Pipeline Co.<\/a>, included information sharing between the government and the private sector, mandating the use\u00a0of multifactor authentication by government departments, establishing a Cybersecurity Safety Review Board and creating a standardized response playbook for responding to cyberattacks.<\/p>\n

The new order authorizes the National Security Agency to issue binding operational directives to force agencies to \u201ctake specific actions against known or suspected cybersecurity threats and vulnerabilities.\u201d The Department of Homeland Security has identical powers relating to civilian agencies under the previous May order.<\/p>\n

A lot of the order goes into technicalities, but notable among the requirements is that every department or agency that operates an NSS must update its plans regarding cloud technology within two months. NSS agencies have also been given 180 days to implement MFA and encryption for NSS data-at-rest and data-in-transit.<\/p>\n

All NSS agencies are also required to report any cybersecurity incidents that involve them to the NSA. The White House said that this reporting would help the government identify and mitigate cybersecurity risk across NSS.<\/p>\n

\u201cAgencies being required to identify their national security systems and report cyber incidents that involve them to the NSA aligns with the advice that industry often tells customers,\u201d\u00a0Mark Manglicmot, vice president of security services at security operations company Arctic Wolf Networks Inc.<\/a>, told SiliconANGLE. \u201cTo defend something, you need to have an asset inventory to know what your most critical systems and data are. This directive mandates this best practice.\u201d<\/p>\n

Manglicmot notes that new security standards and testing requirements for security tools are key. \u201cHaving a well-known standard sets a baseline that can be enforced and improved upon,\u201d Manglicmot explained. \u201cTesting is part of a mature security program to test its effectiveness and technical controls. Without testing, it\u2019s unclear just how effective the implementation of these controls is \u2013 much less how to improve it as the threat landscape evolves.\u201d<\/p>\n

Tim Erlin, vice president of strategy at cybersecurity and compliance solutions firm Tripwire Inc.<\/a>, said the\u00a0memorandum touches on many aspects of the original executive order, including promoting zero-trust<\/a> architecture, implementing encryption and improving data sharing about incidents.<\/p>\n

\u201cIt may be difficult for the average person to parse what\u2019s happening here, but these kinds of artifacts, memorandums and executive orders, are key components in effectively operationalizing broadly applicable policy changes,\u201d Erlin said. \u201cFor example, the inclusion of zero trust in this memorandum and in the executive order will cause agencies to make specific decisions about what technologies to purchase and implement.\u201d<\/p>\n

James McQuiggan, security awareness advocate at security awareness training company KnowBe4 Inc.<\/a>, said that one thing missing from the order is\u00a0education around and the creation of a solid security culture among users. \u201cWhen users can spot social engineering attacks, have the necessary training to work in Network or Security Operations Centers and understand the importance of developing secure code, it can strengthen the resiliency of the organization or government systems and significantly reduce the risk of a cyberattack,\u201d McQuiggan added.<\/p>\n

Photo: POTUS\/Twitter<\/h5>\n
\n
\n

Show your support for our mission by joining our Cube Club and Cube Event Community of experts. Join the community that includes Amazon Web Services and Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger and many more luminaries and experts.<\/span><\/h3>\n<\/div><\/div>\n