Photo illustration by Eduardo Parra / Europa Press via Getty Images

NSA Can Now Order Other Agencies to Fix Their IT Systems

A White House memo grants the intelligence agency new powers under the May 2021 executive order on cybersecurity.

President Joe Biden signed a national security memorandum granting new authorities to the National Security Agency to order updates and fixes to national security systems through binding operational directives modeled after those employed by the Cybersecurity and Information Security Agency.

The new memorandum outlines how the May 2021 executive order on cybersecurity applies to classified systems and cross-domain systems that move data between classified and unclassified systems, and it sets out a schedule for updating policies and plans on zero trust, multifactor authentication and cloud security. The document also sets out requirements for encryption of classified systems, with a focus on transitioning to quantum-resistant encryption standards.

The memo calls for new guidance on minimum security standards for national security systems in the cloud to be developed and published within 90 days of its issuance. 

The NSA, which is referred to in the document as the "national manager," a reference to the spy agency's authority over national security systems established in a 1990 national security directive, is tasked with coordinating a cybersecurity and incident response framework for secret and top-secret cloud systems to facilitate information sharing among agencies, commercial cloud vendors and the NSA. The cloud security effort will involve CIA, FBI, the Defense Department and the Office of the Director of National Intelligence. 

Additionally, the memo calls for the Department of Homeland Security, the parent agency of CISA, to coordinate with NSA on cloud cybersecurity incidents that have impacts across national security systems and federal civilian executive branch systems. DHS and NSA are also charged with collaborating on the development of emergency directives and binding operational directives – which order agencies to make rapid updates to systems that are vulnerable to known exploits or are currently under attack. Within 60 days, DHS and NSA must come up with procedures that cover information sharing and protections for classified information and intelligence sources in the development and promulgation of such directives.

Within 60 days, agencies that operate national security systems must update plans to "prioritize resources" for using cloud computing and to implement zero trust architectures.

Within 180 days, agencies need to put in place multifactor authentication and encryption for data stored in and moving across national security systems.

There are some exceptions and carve outs that can applied in instances where an agency head deems that it is "not practicable or is contrary to national security" to apply the requirements of the memo to a system involving military, intelligence or law enforcement. Systems that are used expressly for vulnerability research and are not part of an agency's operational networks can be exempted as well. Another exemption is offered for systems "for which attribution to the United States Government is obscured and for which this attribution would be reasonably endangered due to implementation of these requirements."