White House issues new guidance on cybersecurity for federal agencies via National Security Memorandum 8
In addition to spelling out requirements published in the May 2021 Executive Order 14028, Improving the Nation’s Cybersecurity, recently signed National Security Memorandum 8 reaffirms the criticality of cybersecurity to securing National Security Systems (NSS) and protecting the nation’s critical infrastructure and the government’s mission-critical applications and systems.
The memorandum, titled Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems, focuses on the Department of Defense and the federal intelligence community. Intended to boost the government’s ability to identify, understand, and mitigate cyber-risks across all NSS, the memorandum explicitly calls on federal government agencies to adopt National Institute of Standards and Technology (NIST) guidelines for cloud computing and for Zero Trust Architecture (NIST SP 800-207).
Beyond familiar tools like multifactor authentication, the guidance asks agencies to submit plans for use of emerging technologies like quantum-resistant cryptography, encryption designed to keep data protected even against adversaries equipped with quantum computers. Widely used cryptographic methods in service today are susceptible to attacks from threat actors leveraging quantum computing; quantum-resistant cryptography is designed to withstand such attacks.
The memo also requires agencies to submit a plan to implement the Zero Trust security model. Zero Trust has been included in previous executive orders, giving many organizations a head start in drafting plans and proving the efficacy of the model. But adoption of Zero Trust will be a challenge, given that the security model is a work in progress with unresolved implementation issues. Many organizations, for example, rely on legacy mainframes and applications to achieve core business needs, and technology issues arise when legacy systems are not fully compatible with Zero Trust Architecture.
The following are some of the most notable requirements outlined in the memorandum. Timeframes range from 30 to 180 days.
- Prioritize resources for the adoption of cloud technology.
- Develop a plan to implement Zero Trust Architecture.
- Implement multifactor authentication for NSS data at rest and in transit.
- Implement quantum-resistant encryption for NSS data at rest and in transit.
- Use NSA-approved public standards-based cryptographic protocols to help ensure cryptographic interoperability.
- Review NIST guidance on quantum computing and identify technologies that are compatible with quantum computing.
- Report known or suspected data compromises of NSS, or unauthorized access to them, to help expedite threat detection and response.
The memorandum also offers guidance on obtaining exceptions for requirements or extensions to project deadlines due to “unique mission needs” or constraints. Agencies will need to provide a plan to satisfy requirements using alternate methods.
Think about this now
While the memorandum doesn’t establish new requirements, it provides plenty of issues to think about. We believe, for instance, that the memorandum will catalyze changes in security requirements in federal government contracts.
What’s more, the memorandum definitively establishes cybersecurity as a key pillar of federal agencies, one that will likely trickle down from government agencies to federal contractors. Private-sector federal contractors should carefully review these requirements and assess their potential impacts. Organizations that are ahead of the technological curve may require no immediate action. But those that discover gaps should immediately address them. If you need help interpreting the memorandum, our team is here to assist and provide guidance.
Bhavesh Vadhani, Principal and Global Practice Leader, Cybersecurity, Technology Risk, and Privacy
Daryouche Behboudi, Managing Director, Cybersecurity, Technology Risk, and Privacy
Ali Khraibani, Senior Manager, Cybersecurity, Technology Risk, and Privacy