New White House action improves security of nation’s most sensitive systems

Presidential action expands the oversight role for the NSA regarding national security systems

The White House this week released a National Security Memorandum 8 (NSM-8), requiring key improvements to security architecture and visibility for the United States’ most sensitive computer systems and networks. Most notably, it greatly expands NSA’s role in security oversight for national security systems. Why this is important and what key changes to expect can be found below.

What does NSM-8 do?

NSM-8 is significant because it establishes additional security oversight and responsibilities by NSA and directs agencies to adopt multi-factor authentication, cloud computing and zero trust architecture for national security systems (NSS), as well as those used by Department of Defense and Intelligence Community agencies. These include the most sensitive U.S. government systems.

As noted in the NSA’s press release on NSM-8, it expands security oversight and ensures national security systems implement policy in the widely publicized Executive Order 14028 issued in May 2021.

Among the highlights of NSM-8:

• Adoption of modern security approaches: NSM-8 implements policy from EO 14028, and includes timelines for national security systems to implement modern controls and architectures including: cloud compute and endpoint protection, multifactor authentication, NSA-approved encryption and zero trust architectures.
• Greater visibility and oversight into national security systems: As the designated National Manager, NSA can issue binding operational directives to other agencies to thwart cybersecurity threats and remediate vulnerabilities in NSS. Departments and agencies that operate NSS will have to identify all NSS under their purview, report status on vulnerability mitigations and assess impact to their systems.
• Notification of security incidents: As part of NSA’s expanded oversight role, agencies operating NSS must also report known or suspected incidents or compromises of NSS to NSA.  
• Standards for cross-domain systems: Agencies that use cross-domain systems to move data one-way from lower-trust systems to higher-trust systems are required to inventory their cross-domain solutions. In addition, NSM-8 directs NSA to establish security standards and testing requirements for cross-domain systems.

Additional information is available in the full text of NSM-8.  

What is an NSM?

A National Security Memorandum (NSM) is a type of presidential action document signed by the President that promulgates his decision on national security issues. NSMs outline actions to be taken by executive agencies and are addressed to departments, agencies and other organizations within the federal executive branch for awareness, action and national-level coordination. The term “national security memorandum” is specific to the Biden administration; each presidential administrations has a unique term for the same type of document. For example, under the Trump administration, equivalent memoranda were termed “National Security Presidential Memorandums.” The documents may be classified to protect national security or may be unclassified and available for public release.

What are national security systems? Per definition in the U.S. Code (and referenced in NIST guidance), a national security system refers to “any information system…used or operated by an agency or by a contractor of an agency [and] the function, operation, or use of which”:

• Involves intelligence activities;
• Involves cryptologic activities related to national security;
• Involves command and control of military forces;
• Involves equipment that is an integral part of a weapon or weapons system; or
• Is critical to the direct fulfillment of military or intelligence missions; or
• Is protected at all times by procedures established for information that have been specifically authorized under criteria established by an Executive order or an Act of Congress to be kept classified in the interest of national defense or foreign policy.

These systems can be classified or unclassified, and each requires additional protection and security controls due to the missions and data they enable. Directives and oversight for national security systems differ from other systems in the federal government due to additional security requirements.

Specific cybersecurity policies, directives and other guidance for these systems are set by the Committee on National Security Systems. If interested in reading more about CNSS, including history and authorities, see the archive of information at the CNSS Authorities website.

NSM-8 is quite significant as it provides important steps to improve the security of our nation’s most sensitive information and missions. With greater visibility and coordination by NSA, we can expect additional accountability for security, more rapid and coordinated response to incidents and additional resources and guidance to agencies operating national security systems.