Presidential action expands the oversight role for the NSA regarding national security systems
The White House this week released National Security Memorandum 8 (NSM-8), requiring key improvements to security architecture and visibility for the United States’ most sensitive computer systems and networks. Most notably, it greatly expands NSA’s role in security oversight for national security systems. Why this is important and what key changes to expect can be found below.
NSM-8 is significant because it establishes additional security oversight and responsibilities by NSA and directs agencies to adopt multi-factor authentication, cloud computing and zero trust architecture for national security systems (NSS), as well as those used by Department of Defense and Intelligence Community agencies. These include the most sensitive U.S. government systems.
As noted in the NSA’s press release on NSM-8, it expands security oversight and ensures national security systems implement policy in the widely publicized Executive Order 14028 issued in May 2021.
Among the highlights of NSM-8:
Additional information is available in the full text of NSM-8.
A National Security Memorandum (NSM) is a type of presidential action document signed by the President that promulgates his decision on national security issues. NSMs outline actions to be taken by executive agencies and are addressed to departments, agencies and other organizations within the federal executive branch for awareness, action and national-level coordination. The term “national security memorandum” is specific to the Biden administration; each presidential administration has a unique term for the same type of document. For example, under the Trump administration, equivalent memoranda were termed “National Security Presidential Memorandums.” The documents may be classified to protect national security or may be unclassified and available for public release.
What are national security systems? Per definition in the U.S. Code (and referenced in NIST guidance), a national security system refers to “any information system…used or operated by an agency or by a contractor of an agency [and] the function, operation, or use of which”:
These systems can be classified or unclassified, and each requires additional protection and security controls due to the missions and data they enable. Directives and oversight for national security systems differ from other systems in the federal government due to additional security requirements.
Specific cybersecurity policies, directives and other guidance for these systems are set by the Committee on National Security Systems. If interested in reading more about CNSS, including history and authorities, see the archive of information at the CNSS Authorities website.
NSM-8 is quite significant as it provides important steps to improve the security of our nation’s most sensitive information and missions. With greater visibility and coordination by NSA, we can expect additional accountability for security, more rapid and coordinated response to incidents and additional resources and guidance to agencies operating national security systems.