Last week’s Biden Memorandum, “Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems” (NSM-8), is the long-awaited cyber defense mandate for federal national security organizations. The memo mirrors the tasks laid out for the civilian government in May’s EO 14028, with a heavier focus on encryption, securing cross domain connections, and shoring up a unified incident response plan for DOD and the Intelligence Community. The schedule in the document is ambitious, aspirational at best, but it sends a clear message to DOD and the Intelligence Community to ramp up their cybersecurity efforts, to work from consistent standards, and to take a team-sport attitude to reporting and mitigating discovered intrusions.
The differences between this document and last year’s EO 14028 are few but important, given the sensitivity of the data that National Security Systems host. Most importantly, the role that DHS/CISA plays under last year’s EO is played here by the National Security Agency (NSA), the organization designated as the National Manager for National Security Systems (NSS) since 1981.
NSM-8 orders those who operate NSS networks to follow the same requirements laid out in EO 14028 Sections 2 (Removing Barriers to Sharing Threat Information), 3 (Modernizing Federal Government Cybersecurity), 4 (Enhancing Software Supply Chain Security), 6 (Standardizing the Federal Government’s Playbook for Responding to Cybersecurity Vulnerabilities and Incidents), 7 (Improving Detection of Cybersecurity Vulnerabilities and Incidents on Federal Government Networks), and 8 (Improving the Federal Government’s Investigative and Remediation Capabilities). The primary differences between the two are that NSA and the Committee on National Security Systems (CNSS), rather than CISA, are responsible for ensuring that the respective NSS owners within DOD and the Intelligence Community get the tasks done, and that some of the deadlines differ. The CNSS is chaired by DOD but includes CIA, DIA, NSA, DOJ, FBI, the National Security Council, and the US Military Services as voting members, with NGA, NRO and ONI as non-voting members. Note that Section 5 (Establishing a Cyber Safety Review Board) of EO 14028, which is not on that list, created the Cyber Safety Review Board (CSRB); that board is distinct from the Joint Cyber Defense Collaborative, which CISA stood up separately in 2021.
Some of the big focus areas for NSM-8 are encryption; recognizing and shoring up defense mechanisms for cross domain connections (the places where systems at different classification levels touch to share data electronically, and yes, they exist); accelerating the rate at which NSS networks adopt cloud technology; and a new requirement for NSS to enable multi-factor authentication. One of the most interesting requirements in the document is for NSS owners to identify any use of encryption that does NOT comply with NSA-approved quantum-resistant algorithms, an explicit acknowledgement by the US Government of the need to counter the emergence of quantum computing. NIST’s post-quantum standardization effort and NSA’s earlier guidance on transitioning to quantum-resistant algorithms predate the memo, but this is the first time that inventory has been tasked to NSS owners as a requirement.
While this is an exciting development and a great first step, there is still much to be done before quantum-resistant algorithms run across existing networks. The work is not physical, though: quantum-resistant (post-quantum) algorithms are ordinary software that runs on today’s hardware and links, so there is no need to bring fiber-optic networking to every workstation. That requirement belongs to quantum key distribution, a different technology that needs dedicated optical channels and that NSA does not support for protecting NSS. The real obstacles are the larger keys, ciphertexts and signatures the new algorithms produce, the protocol changes needed to carry them (TLS, IPsec, SSH, PKI certificates), and finding every place the old algorithms are used so they can be replaced.
Another welcome focus is the need to locate, confirm, and standardize how data moves between networks at different classification levels (unclassified to top secret, secret to top secret, etc.), through what are known as cross domain solutions, the “cross connects” mentioned above. The memo places that responsibility on the network owners, working to standards imposed by NSA. The memo also presses DOD and the IC to move more quickly to cloud-based technologies, a long-running effort that has been slowed by failed attempts by the IC and DOD to build their own clouds and by protracted bid protests from cloud providers challenging contract awards.
Lastly, the memo sets an aggressive timeline for NSS owners to require multi-factor authentication for users logging on to NSS networks. While this appears relatively straightforward, many of the multi-factor methods deployed on federal civilian networks and in the private sector today will not be readily applicable to NSS. Cell phones and other personal digital devices are usually prohibited from classified facilities, so push notifications, SMS codes and phone-based authenticator apps are largely off the table for NSS owners. In the past, both the Intelligence Community and DOD have relied on hardware tokens for their multi-factor needs, but that brings the risk of lost tokens and the burden of running a token infrastructure that can revoke a lost credential and still get the user back to work. Overall, this will likely be a significantly harder challenge for NSS owners and will likely force delays in implementation.
Overall, there is much to applaud in the new mandates, and they are likely to do good not only in cybersecurity but also in moving the NSS communities toward better digital performance. These changes, while not likely to move as fast as the Biden Administration is demanding, will push both DOD and the IC forward over time and make the country safer in the long run.
What is considered a National Security System?
The term “national security system” is defined in the United States Code at 44 U.S.C. § 3552(b)(6). NSM-8 also reaches the DOD and Intelligence Community systems described in 44 U.S.C. § 3553(e)(2) and (e)(3), summarized below.
Paragraph (e)(2) covers systems operated by DOD, a contractor of DOD, or another entity on behalf of DOD that process information whose unauthorized access, use, disclosure, disruption, modification, or destruction would have a debilitating impact on the mission of DOD.
Paragraph (e)(3) covers systems operated by an element of the Intelligence Community (IC), a contractor of the IC, or another entity on behalf of the IC that process information whose unauthorized access, use, disclosure, disruption, modification, or destruction would have a debilitating impact on the mission of an element of the IC.
Quantum Resistant Algorithms
Within the next 10 years, many technologists predict the emergence of quantum computers able to break the public-key cryptosystems in use today (RSA, Diffie-Hellman, and elliptic-curve cryptography), all of which rest on factoring or discrete-logarithm problems that Shor’s algorithm solves efficiently. Symmetric ciphers and hash functions are not broken in the same way; Grover’s algorithm only halves their effective strength, which is why AES-256 and SHA-384 remain acceptable. The good news is that replacements exist today: quantum-resistant (post-quantum) algorithms built on problems, such as structured lattices or hash functions, that no known quantum algorithm breaks, and which NIST has been standardizing since 2016. Migrating means swapping the key-exchange and signature primitives inside the protocols that protect data as it moves between networks (TLS, IPsec, SSH) and inside PKI certificates, often in a hybrid mode that combines a classical and a post-quantum key exchange so that security does not drop if the new algorithm turns out weaker than hoped. Because an adversary can record traffic now and decrypt it once a quantum computer arrives, the key-exchange side is the more urgent. While you can technically begin this switch today, there is still a host of complicated work, larger keys and messages, crypto-agile protocol versions, updated hardware security modules and smart cards, and a complete inventory of where the old algorithms are used, to ensure that the change does not break how existing networks work.
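The inventory step that the memo requires (find every use of encryption that is not quantum resistant), referred to in the first part of this article and again in this section, is the piece that can be scripted today. The following is an added example, not code from the article or from NSA: it classifies a constructed TLS endpoint inventory (hypothetical hosts in the assumed shape of a scanner export, with the negotiated key-exchange group and certificate key recorded) along two axes, which public-key components Shor’s algorithm would break, and which components fall below the CNSA 1.0 minimums (AES-256, SHA-384, ECDH/ECDSA on P-384, RSA and finite-field DH of at least 3072 bits). The rule that hybrid post-quantum groups carry the KEM name (“Kyber”, “ML-KEM”) in their name is an assumption of this example, and the host and group values are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed inventory (hypothetical hosts, not real): one record per TLS
# endpoint, in the shape a scanner export is assumed to have. "group" is the
# negotiated key-exchange group (ECDHE curve, finite-field DH group, or a
# hybrid post-quantum group); key_type/key_bits describe the certificate key.
INVENTORY = [
    dict(host="gw-1", suite="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", group="secp384r1", key_type="EC", key_bits=384),
    dict(host="web-2", suite="TLS_RSA_WITH_AES_128_CBC_SHA", group=None, key_type="RSA", key_bits=2048),
    dict(host="api-3", suite="TLS_AES_256_GCM_SHA384", group="x25519", key_type="RSA", key_bits=3072),
    dict(host="api-4", suite="TLS_AES_256_GCM_SHA384", group="X25519Kyber768Draft00", key_type="EC", key_bits=384),
    dict(host="vpn-5", suite="TLS_PSK_WITH_AES_256_GCM_SHA384", group=None, key_type=None, key_bits=0),
]

# TLS 1.2 suite names carry the key exchange: TLS_<KEX>[_<AUTH>]_WITH_<CIPHER>_<HASH>.
SUITE12 = re.compile(
    r"^TLS_(?P<kex>[A-Z]+)(?:_(?:RSA|ECDSA|DSS|PSK))?_WITH_(?P<cipher>.+?)_(?P<hash>SHA\d*|MD5)$")
# TLS 1.3 suite names carry only the AEAD and hash; the key exchange is the negotiated group.
SUITE13 = re.compile(r"^TLS_(?P<cipher>AES_\d+_GCM|AES_\d+_CCM(?:_8)?|CHACHA20_POLY1305)_(?P<hash>SHA\d+)$")

# Every classical public-key primitive (factoring / discrete log) falls to Shor's algorithm.
SHOR_BREAKABLE = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "EC", "DSA"}
# Assumption: hybrid or pure post-quantum group names contain the KEM name.
PQ_MARKERS = ("kyber", "mlkem")


@dataclass
class Finding:
    host: str
    shor_exposed: list = field(default_factory=list)  # components a quantum computer would break
    cnsa_issues: list = field(default_factory=list)   # components below CNSA 1.0 minimums


def symmetric_bits(cipher: str) -> int:
    """Key size of the bulk cipher named in a suite; 0 for anything unacceptable."""
    if cipher.startswith("AES_"):
        return int(cipher.split("_")[1])
    if cipher.startswith("CHACHA20"):
        return 256
    return 112 if "3DES" in cipher else 0


def kex_from_group(group: str) -> str:
    """Key-exchange family implied by a TLS 1.3 group name."""
    g = group.lower()
    if any(marker in g for marker in PQ_MARKERS):
        return "PQ-hybrid"
    return "DHE" if g.startswith("ffdhe") else "ECDHE"


def classify(rec: dict) -> Finding:
    f = Finding(rec["host"])
    m = SUITE12.match(rec["suite"])
    if m:
        kex, cipher, hsh = m.group("kex", "cipher", "hash")
    else:
        m = SUITE13.match(rec["suite"])
        if not m:
            f.cnsa_issues.append("unrecognised suite " + rec["suite"])
            return f
        cipher, hsh = m.group("cipher", "hash")
        kex = kex_from_group(rec["group"]) if rec["group"] else "unknown"

    # 1. Key exchange: only PSK and post-quantum groups survive Shor;
    #    CNSA 1.0 allows ECDH on P-384 or finite-field DH of at least 3072 bits.
    group = (rec["group"] or "").lower()
    if kex in SHOR_BREAKABLE:
        f.shor_exposed.append(f"key exchange {kex}")
    if kex in ("ECDHE", "ECDH") and group != "secp384r1":
        f.cnsa_issues.append(f"ECDH group {rec['group']} is not P-384")
    elif kex in ("DHE", "DH") and int(re.sub(r"\D", "", group) or 0) < 3072:
        f.cnsa_issues.append(f"DH group {rec['group']} below 3072 bits")

    # 2. Authentication: the certificate key is Shor-breakable too;
    #    CNSA 1.0 wants RSA of at least 3072 bits or ECDSA on P-384.
    kt, bits = rec["key_type"], rec["key_bits"]
    if kt in SHOR_BREAKABLE:
        f.shor_exposed.append(f"signature {kt}-{bits}")
        if (kt == "RSA" and bits < 3072) or (kt == "EC" and bits != 384):
            f.cnsa_issues.append(f"certificate key {kt}-{bits} below CNSA minimum")

    # 3. Bulk cipher and hash: Grover only halves these, so AES-256 and SHA-384 stay.
    if not cipher.startswith("AES_256"):
        f.cnsa_issues.append(f"cipher {cipher} ({symmetric_bits(cipher)}-bit) is not AES-256")
    if hsh not in ("SHA384", "SHA512"):
        f.cnsa_issues.append(f"hash {'SHA1' if hsh == 'SHA' else hsh} below SHA-384")
    return f


def audit(inventory=INVENTORY) -> dict:
    """Map host -> Finding for every record in the inventory."""
    return {f.host: f for f in map(classify, inventory)}


def migration_queue(inventory=INVENTORY) -> list:
    """Hosts needing work, CNSA violations first, then remaining Shor exposure."""
    ranked = sorted(audit(inventory).values(),
                    key=lambda f: (-len(f.cnsa_issues), -len(f.shor_exposed), f.host))
    return [f.host for f in ranked if f.cnsa_issues or f.shor_exposed]


if __name__ == "__main__":
    for host, finding in audit().items():
        print(f"{host:6} Shor-exposed: {finding.shor_exposed or '-'} | CNSA issues: {finding.cnsa_issues or '-'}")
```

Run as a script it prints one line per host; audit() returns the findings keyed by host and migration_queue() orders hosts for remediation. Two records are worth a look: the hybrid host api-4 no longer has a Shor-exposed key exchange but its ECDSA certificate still is, the usual state of a half-finished migration, and the PSK VPN endpoint vpn-5 has no public-key exposure at all, which is why pre-shared symmetric keys remain an option for fixed links.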