How Biden’s National Security Memo Bolsters US Cybersecurity

To account for the growing potential threat of cyberattacks across government systems, the Biden administration is prioritizing its efforts to strengthen the U.S.’s cybersecurity capabilities. In the latest National Security Memorandum, the administration provided direction on cybersecurity requirements and operations for national systems, demonstrating the government’s effort to modernize and bolster its cybersecurity systems. Here is what’s new from the memo, how these updates will change current cybersecurity processes, and why these changes are beneficial. 

Zero-Trust has Arrived

Zero-trust architecture is a method of identifying and mitigating risk based on resources, assets and principles rather than the more traditional approach of network boundaries. No implicit trust is granted to a resource, regardless of where it is located or the task it is performing. This model, explicitly called out and mandated by this latest memo, will likely be the focal point of compliance and controls within the government for years to come.

While the zero-trust architecture does have a defined standard, it’s important to understand that it is an incredibly complex model and has never been fully implemented at any organization. Much like Spotify’s squad model, zero-trust should be understood as aspirational. My concern is that in the interest of being able to say an organization is compliant, zero-trust will be boiled down to a series of policies and controls and the old and broken problem of compliance-by-checklist will reemerge.

This is not to say that zero-trust is bad or is to be avoided. Due to the trend of shifting from on-premises to cloud as the default mode for new services, the network boundaries that old models relied on are no longer applicable. Now, there is not a single ingress or egress point in a network. Zero-trust is not only an improvement (albeit a difficult one to work toward), but is born directly out of a cloud-based, API-first approach to network security. We must begin shifting toward zero-trust, but compliance-by-checklist will only set us back. Security leadership should keep this in mind when complying with directives in this national security memo.
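The principle above, that a request earns no trust from where it originates, is easiest to see next to the perimeter model it replaces. The following is an added example, not code from the memo or from the author: a small per-request policy check that evaluates identity, authentication strength, device posture and the resource being accessed, with a perimeter-style check alongside it for contrast. The users, roles, resources and posture signals are constructed for the example.

```python
"""Per-request access decision in the zero-trust style (added example).

Every request is evaluated on who is asking, from what device, for which
resource; the source network contributes no trust on its own. A
perimeter-style decision is included only to show the difference.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool        # strong authentication completed for this session
    device_compliant: bool    # assumed posture signal: managed, patched, encrypted
    source_network: str       # constructed labels: "corp-lan", "vpn", "internet"
    resource: str


# Constructed resource policy: the assurance each resource demands.
RESOURCE_POLICY = {
    "payroll-db": {"roles": {"finance"}, "mfa": True, "compliant_device": True},
    "wiki": {"roles": {"finance", "engineering"}, "mfa": False, "compliant_device": False},
}

# Constructed identity store mapping users to roles.
USER_ROLES = {"alice": {"finance"}, "bob": {"engineering"}}


def perimeter_decision(req: Request) -> bool:
    """Old model: anything inside the network boundary is trusted."""
    return req.source_network == "corp-lan"


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero-trust model: every request is checked against the resource policy.

    Returns (allowed, reason). Unknown resources and unknown users are denied
    by default; the source network is deliberately never consulted.
    """
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource"
    if not (USER_ROLES.get(req.user, set()) & policy["roles"]):
        return False, "role not permitted"
    if policy["mfa"] and not req.mfa_verified:
        return False, "mfa required"
    if policy["compliant_device"] and not req.device_compliant:
        return False, "device posture insufficient"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed requests illustrating where the two models disagree.
    on_lan_no_mfa = Request("alice", False, True, "corp-lan", "payroll-db")
    remote_strong = Request("alice", True, True, "internet", "payroll-db")
    for req in (on_lan_no_mfa, remote_strong):
        print(req.user, req.source_network, req.resource,
              "perimeter:", perimeter_decision(req),
              "zero-trust:", zero_trust_decision(req))
```

The first constructed request is allowed by the perimeter check purely because it comes from the LAN, while the zero-trust check denies it for lacking MFA; the second is the reverse. That gap is the reason a checklist that only asks "is there a policy" misses the point: the policy has to be evaluated on every request.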

Supply Chain Security

The memo also calls out software supply chain security as a top concern, calling for improved security for critical software and helping to put some definitions around it. However, there is one phrase that stands out in particular: “The development of commercial software often lacks transparency, sufficient focus on the ability of the software to resist attack, and adequate controls to prevent tampering by malicious actors.”

This indicates either increased interest in open source software or a loss of faith in the traditional defense contractor-led software acquisition process. Either way, the bar is being raised for federal government suppliers regarding both the infrastructure they operate and the software they deliver. 

The order also included a requirement to provide a software bill of materials (SBOM). SBOMs, as a concept, have been around for more than a decade; however, they are only just beginning to gain traction and adoption. Requiring SBOMs for software delivered to the federal government will greatly accelerate their adoption and improve the tooling and ecosystem for generating, validating and using them as well.
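To show what "generating, validating and using" an SBOM looks like on the receiving side, here is an added example that is not part of the article and not any project's tooling: a minimal consumer for a CycloneDX-shaped JSON SBOM that checks the structural fields a recipient needs before relying on the document, builds a name-to-version index, and matches that index against an advisory list. The SBOM document and the advisory entries are constructed for the example and do not describe real vulnerabilities.

```python
"""Minimal SBOM consumer for a CycloneDX-style JSON document (added example).

Validates the fields a recipient depends on, indexes the components, and
matches them against a constructed advisory list. Not tied to any real tool.
"""
from __future__ import annotations

import json

# Constructed sample SBOM in CycloneDX JSON shape for a hypothetical service.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.4"},
        {"type": "library", "name": "example-http", "version": "1.2.0"},
        {"type": "library", "name": "commons-text"},   # version deliberately omitted
    ],
})

# Constructed advisory feed: package name -> set of affected versions.
# "example-http" is a made-up package; this is not a real advisory.
SAMPLE_ADVISORIES = {"example-http": {"1.2.0", "1.2.1"}}

REQUIRED_TOP_LEVEL = ("bomFormat", "specVersion", "components")
REQUIRED_COMPONENT = ("type", "name", "version")


def load_sbom(text: str) -> dict:
    """Parse the JSON text; raises ValueError on malformed input."""
    return json.loads(text)


def validate_sbom(doc: dict) -> list[str]:
    """Return validation problems; an empty list means the document is usable."""
    problems: list[str] = []
    for key in REQUIRED_TOP_LEVEL:
        if key not in doc:
            problems.append(f"missing top-level field: {key}")
    if doc.get("bomFormat") != "CycloneDX":
        problems.append(f"unexpected bomFormat: {doc.get('bomFormat')!r}")
    for idx, comp in enumerate(doc.get("components", [])):
        label = comp.get("name", "?")
        for field in REQUIRED_COMPONENT:
            if not comp.get(field):
                problems.append(f"component[{idx}] ({label}) missing {field}")
    return problems


def component_index(doc: dict) -> dict[str, str]:
    """Map component name -> version for entries that carry both fields."""
    return {c["name"]: c["version"] for c in doc.get("components", [])
            if c.get("name") and c.get("version")}


def match_advisories(index: dict[str, str], advisories: dict[str, set[str]]) -> list[str]:
    """Names of indexed components whose exact version appears in the advisory feed."""
    return sorted(name for name, ver in index.items()
                  if ver in advisories.get(name, set()))


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for problem in validate_sbom(sbom):
        print("WARN:", problem)
    index = component_index(sbom)
    print("components:", index)
    print("matches advisories:", match_advisories(index, SAMPLE_ADVISORIES))
```

A component without a version is reported rather than silently dropped from the advisory match; an SBOM that cannot answer "which version" for an entry cannot be used to answer "is it affected", which is the question the requirement exists to make answerable.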

Cyber Safety Review Board

The May 2021 executive order also establishes a new Cyber Safety Review Board (CSRB) composed of both government and private sector representatives to review and assess threats, vulnerabilities, mitigation activities and agency responses. While the purpose and scope of this board is new, the format resembles the National Transportation Safety Board, and it will likely be the body tasked with doing postmortems on major incidents like Log4j and the Colonial Pipeline attack.

This signals the administration’s commitment to partnering with the private sector in this rapidly evolving area and a major new direction in the government’s approach to security. Given the NSA’s recently expanded mandate and responsibility to unify a security strategy across the entire federal government and supply chain, we can expect to see many of the board’s recommendations become binding directives that all are expected to follow. 

Expanding the NSA’s Authority

While the NSA has long played a critical role in defending the nation’s digital infrastructure, it now has the authority to issue “Binding Operational Directives” to agencies operating National Security Systems (NSS), ordering them to remediate problems or mitigate identified or probable threats. With the Cybersecurity and Infrastructure Security Agency (CISA) primarily managing civilian agencies, we now have a last stop for government-wide policies and directives for cybersecurity.

Standardizing Cybersecurity

Historically, every agency has been responsible for its own interpretation and implementation of NIST publications and requirements for its own infrastructure. As the memo mentions, this leads to a patchwork of policies and controls and a lack of consistency in both application and security posture.

The goal here is to standardize language in contracts, incident response processes, policies and even incident reporting chains. This move will ease the burden on many CIOs and CISOs in federal agencies by allowing them to focus on solving problems unique to their organizations rather than policy. 

Overhauling Information Sharing and Incident Response

While reporting security incidents to federal authorities is a requirement for most government suppliers, the process is far from uniform. The memo requires suppliers to streamline and improve this process by establishing a clear reporting chain for notifying the government about potential threats and incidents that have already occurred. 

In section two of the memo, agency directors were given an explicit directive to update contract language to enable and require providers to collaborate and share more information, both among agencies and between public and private entities. Because the defense industrial base suppliers and their customers in the government are so tightly intertwined, we cannot as a country afford to maintain the current high level of compartmentalization. A breach or significant vulnerability in one area impacts many others.

Centralizing and standardizing this process also allows vendors in the defense industrial base to adhere to a single standard and spend more time perfecting their implementation rather than struggling to understand and comply with multiple frameworks simultaneously, some of which have conflicting controls.

A Roadmap for Security Maturity

Biden’s latest cybersecurity memo provides a roadmap for security maturity and builds on the already aggressive and comprehensive executive order from May of 2021, placing the security of our software and digital infrastructure among the top priorities for our national security. Through several of the directives laid out in the memo and executive order, Biden sent a clear message that the U.S. intends to modernize its approach to security and will partner with the private sector to achieve these goals. While we are still in the early phases of implementing the requirements, this is a promising move and looks to dramatically improve the state of cybersecurity in the U.S. government.     


Bren Briggs

Bren Briggs is the VP of DevSecOps at Hypergiant, where he oversees the infrastructure and security operations of the product development and all client engagements. A seasoned security and operations engineer, Briggs has experience in environments ranging from combat zones to data centers and everything in between.
