The White House recently issued a Memorandum designed to strengthen the cyber defenses of “National Security Systems” – information systems operated by the federal government that are used for intelligence or military purposes.  The Memorandum comes at a time when cyberthreats to government actors are substantial.  For example, back in December, the Virginia legislature was the target of a ransomware attack that threatened to delay the start of its legislative session.  Similarly, multiple agencies of the Ukrainian government have recently been the target of substantial cyberattacks. 

But the Memorandum may also contain clues for the private sector.  Many of the requirements in the Memorandum reflect the same types of precautions enforced by some state regulatory agencies.  While the Memorandum is solely directed at federal agencies, it may be harbinger of what’s to come should federal oversight of cyber readiness in the private sector become a reality.  But at the very least, the Memorandum reflects the types of precautions that are at the center of discussions regarding cyber-readiness in both the public and private sectors. 

The Memorandum itself builds on the cybersecurity Executive Order issued by President Biden last year.  As we wrote at the time, that Executive Order was designed to strengthen the federal government’s cybersecurity defenses by improving coordination among agencies and setting certain cybersecurity infrastructure benchmarks.  The Memorandum lays out concrete steps for National Security Systems to meet or exceed those benchmarks.  Some of the specific benchmarks it sets out include the following:

Zero Trust Architecture. Within 60 days, federal agencies must update their plans to prioritize the adoption of “Zero Trust Architecture.” This is a model of network design that limits the ability of internal users to access data with the goal of preventing individual network users subject to an unauthorized intrusion (e.g., a phishing attack) from becoming a network-wide attack vector.

Multi-factor Authentication.  Within 180 days, agencies must implement multi-factor authentication for accessing National Security Systems.

Encryption.  Within 180 days, agencies must implement encryption for data at rest and in transit, and that encryption must be consistent with “NSA-approved Quantum Resistant Algorithms” or “commercial national security algorithms (CNSA).”     

Aside from laying out these requirements, another highlight of the Memorandum is that it empowers the Director of the NSA, in its role as “National Manger” of National Security Systems, to act as a central coordinator of implementation and compliance for all agencies operating National Security Systems.  The authorities and responsibilities conferred on the NSA include the following:

National Security System Identification.  The NSA has authority to identify federal agency information systems that should be designated as National Security Systems and is empowered to push agencies operating those systems to designate them as such.

Incident Reporting.  Other agencies must report incidents of compromise or unauthorized access of National Security Systems to the NSA.

Directives.  As summarized in a fact sheet issued by the White House alongside the Memorandum, the NSA has the authority “to create Binding Operational Directives requiring agencies to take specific actions against known or suspected cybersecurity threats and vulnerabilities.” 

In many ways, these provisions touch on the same themes found in some private-sector regulation.  For example, New York’s Department of Financial Services (“DFS”) requires entities covered by its cybersecurity regulation to use multi-factor authentication with limited exceptions, and it recently issued a guidance letter underscoring its importance as “an essential part of cybersecurity hygiene.”  The Memorandum’s mandate suggests that the federal government is moving in a similar direction for its own critical digital assets.

The Memorandum’s requirement that agencies report cybersecurity incidents to a central authority represents another common theme.  State regulatory authorities also require reporting of a incidents to a central authority.  DFS’s regulation and New York’s SHIELD Act, for example, each require reporting, the former to DFS, and the latter to the New York Attorney General (as well as others).  As DFS has explained, reporting of incidents can be important from a regulatory perspective because it allows a central authority to “more rapidly identify techniques used by attackers,” “alert industry,” and “respond quickly to new threats.”  This mirrors talking points from the White House’s  fact sheet explaining that reporting to the NSA will help “improve the government’s ability to identify, understand, and mitigate cyber risk across all National Security Systems.”

It is unclear if or when the federal government will itself move to impose greater regulation on the private sector, but in light of developments like the exponential growth of ransomware attacks in the past year, it could be in the pipeline at some point.  SEC Chair Gary Gensler recently suggested that his agency may consider re-proposing Regulation Systems Compliance and Integrity (“SCI”) to “further shore up the cyber hygiene of important financial institutions.”  Whether any further action is taken at the federal level remains to be seen—many drafts of federal cyber legislation have surfaced and stalled in Congress—but the recent Memorandum provides hints as to where federal executive guidance may be headed.