White House memo directs the Defense Department and Intelligence Community to implement its May 2021 Executive Order on improving national cybersecurity.
On January 19, 2022, the Biden Administration released a national security memorandum on “Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems.” Up front, the memo explicitly directs national security systems (with some exceptions) to have the same or preferably better security mechanisms in place as all other federal information systems. The rationale is also clear – “. . . the Federal Government must improve its efforts to identify, deter, protect against, detect, and respond to malicious cyber campaigns and their actors through bold changes and significant investments in cybersecurity.” Perhaps most notably, the NSA is now set to play an even greater role regarding the security of NSS, acting in a similar capacity as CISA does for Federal civilian agencies.
Timelines for Implementation
Similar to the May Executive Order, NSM-8 sets forth a range of timelines, from 14 to 180 days, within which national security system owners must comply with specified security controls. For example, the Committee on National Security Systems (CNSS) has 90 days to issue guidance on minimum security standards for NSS cloud utilization. Zero Trust will also play a key role, as the memo directs NSS agencies to prioritize funding, adoption, and implementation of zero trust architectures across NSS cloud environments within 60 days.
Log Management Standardization
Tucked away towards the end of section 1, the Administration gives the National Manager (the Director of the NSA), coordinating with DoD and DNI, 14 days to provide recommendations to CNSS on implementing section 8(b) of the Executive Order. One may recall that section 8(b) requested recommendations on “requirements for logging events and retaining other relevant data within an agency’s systems and networks. Such recommendations shall include the types of logs to be maintained, the time periods to retain the logs and other relevant data, the time periods for agencies to enable recommended logging and security requirements, and how to protect logs.” In effect, the National Manager and CNSS are in the same position as CISA and OMB were with regard to section 8(b). That direction led to OMB’s release last August of M-21-31, “Improving the Federal Government’s Investigative and Remediation Capabilities Related to Cybersecurity Incidents.” Similar to the direction given to OMB, CNSS has 90 days to issue guidance based on the recommendations received from the National Manager.
NSM-8’s section 1(v) requires the National Manager, in coordination with the other national security organizations, to develop within 90 days a “framework to coordinate and collaborate” on cybersecurity incident response activities related to NSS commercial cloud technologies, in order to ensure effective information sharing. This provision is similar to DHS’s Joint Cyber Defense Collaborative noted in the Executive Order. Critically, NSM-8 also calls for a “unity of effort and collaboration” with the Department of Homeland Security.
National Manager Roles and Responsibilities and Incident Reporting
NSM-8 continues with direction to the National Manager to assist agency CIOs in identifying and inventorying NSS, in an attempt to establish a common, government-wide view of cybersecurity risk. Regarding incident reporting, agencies are to notify the National Manager of “any known or suspected compromise or other unauthorized access,” including potential compromises of cross domain solutions.
How Splunk Can Help
We’ve been building partnerships across the public sector and private industry to ensure all public sector organizations, including the Defense Department, are well positioned to address the areas covered by the Administration’s Executive Order. As discussed previously, Zero Trust and SOAR are at the center of the Department’s strategy. It’s also our belief that a cloud-centric strategy is imperative to successfully meet these new requirements. In September 2021, Splunk received DoD Impact Level (IL) 5 provisional authorization for Splunk Cloud, which further validates our commitment to the Defense Department.
Additionally, Splunk’s partnerships with leading Zero Trust solution providers such as DTEX and Zscaler, who also recently obtained DoD IL5 Provisional Authorization, as well as our logging modernization program, demonstrate our continued commitment to enabling the next generation of cybersecurity capabilities across the United States. For more details on Splunk’s Zero Trust approach, we encourage you to take a look at "The Essential Guide to Zero Trust."
Information sharing and security intelligence management are priorities for Splunk. Today, we support several information sharing communities with specific needs, including seamless workflows with existing tools, private enclaves, redaction, access controls, and automation.
Although this blog has focused on the explicit call-outs in NSM-8, organizations that fall under NSS should be cognizant of the entirety of the Executive Order. It can be assumed that organizations will have requirements like collecting PassiveDNS, but will NSS agencies also be asked to provide relevant logs to the NSA? Furthermore, OMB M-21-31 requires organizations to provide logs to the FBI (or other agencies) upon request to address incidents or cyber risks. It is a bit unclear how this will be handled under NSM-8, but offices should be prepared to meet all requirements set out in this memo.
This article was co-authored by Drew Church, Senior Security Strategist at Splunk, and Ryan Kovar, Distinguished Strategist at Splunk.