Receive CohnReznick insights and event invitations on topics relevant to your business and role.
01/26/2022
White House issues new guidance on cybersecurity for federal agencies via National Security Memorandum 8
In addition to spelling out requirements published in the May 2021 Executive Order 14028, Improving the Nation’s Cybersecurity, recently signed National Security Memorandum 8 reaffirms the criticality of cybersecurity to securing National Security Systems (NSS) and protecting the nation’s critical infrastructure and the government’s mission-critical applications and systems.
The memorandum, titled Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems, focuses on the Department of Defense and the federal intelligence community. Intended to boost the government’s ability to identify, understand, and mitigate cyber-risks across all NSS, the memorandum explicitly calls on federal government agencies to adopt National Institute of Standards and Technology (NIST) guidelines for cloud computing and Zero Trust Architecture (SP-800-207).
Beyond familiar tools like multifactor authentication, the guidance asks agencies to submit plans for use of emerging technologies like quantum resistant cryptography, a new type of encryption that uses an advanced encryption protocol to protect data. Current widely used cryptographic methods are susceptible to attacks from threat actors leveraging quantum computing. Quantum-resistant cryptography is designed to withstand such exploits.
The memo also requires agencies to submit a plan to implement the Zero Trust security model. Zero Trust has been included in previous executive orders, giving many organizations a head start in drafting plans and proving the efficacy of the model. But adoption of Zero Trust will be a challenge, given that the security model is a work in progress with unresolved implementation issues. Many organizations, for example, rely on legacy mainframes and applications to achieve core business needs, and technology issues arise when legacy systems are not fully compatible with Zero Trust Architecture.
The following are some of the most notable requirements outlined in the memorandum. Timeframes range from 30 to 180 days.
- Prioritize resources for the adoption of cloud technology.
- Develop a plan to implement Zero Trust Architecture.
- Implement multifactor authentication for NSS data at rest and in transit.
- Implement quantum-resistant encryption for NSS data at rest and in transit.
- Use NSA-approved public standards-based cryptographic protocols to help ensure cryptographic interoperability.
- Review NIST guidance on quantum computing and identify technologies that are compatible with quantum computing.
- Report known or suspected data compromises of NSS, or unauthorized access to them, to help expedite threat detection and response.
The memorandum also offers guidance on obtaining exceptions for requirements or extensions to project deadlines due to “unique mission needs” or constraints. Agencies will need to provide a plan to satisfy requirements using alternate methods.
Think about this now
While the memorandum doesn’t establish new requirements, it provides plenty of issues to think about. We believe, for instance, that the memorandum will catalyze changes in security requirements in federal government contracts.
What’s more, the memorandum definitively establishes cybersecurity as a key pillar of federal agencies, one that will likely trickle down from government agencies to federal contractors. Private-sector federal contractors should carefully review these requirements and assess their potential impacts. Organizations that are ahead of the technological curve may require no immediate action. But those that discover gaps should immediately address them. If you need help interpreting the memorandum, our team is here to assist and provide guidance.
Contact
Bhavesh Vadhani, Principal and Global Practice Leader, Cybersecurity, Technology Risk, and Privacy
703.847.4418
Daryouche Behboudi, Managing Director, Cybersecurity, Technology Risk, and Privacy
703.744.850
Ali Khraibani, Senior Manager, Cybersecurity, Technology Risk, and Privacy
862.245.5166
Subject matter expertise
Bhavesh Vadhani
CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
Daryouche Behboudi
Advisory Managing Director
Close
Contact
Let’s start a conversation about your company’s strategic goals and vision for the future.
Please fill all required fields*
Please verify your information and check to see if all require fields have been filled in.
Related Insights
Insight
New SEC cybersecurity guidelines: Next steps for public companies
Insight
Federal agencies face complex cyber compliance – but relief is underway
Insight
Today’s boards need cyber expertise more than ever
Insight
Zero Trust 2.0: Strengthening security for a shifting threat landscape
Insight
AI as a gamechanger: Institute guardrails around data, ethics, and compliance
Related services
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.