On January 19th, 2022, President Biden signed a National Security Memorandum (NSM) to further improve the cybersecurity of the United States. This NSM signifies a renewed focus by the administration to protect National Security Systems (NSS) within the Department of Defense and the Intelligence Community.
The National Security Memorandum (NSM) sets the bar for Department of Defense and Intelligence Community National Security Systems (NSS), extending the requirements set forth within Executive Order 14028 of May 12, 2021 (Improving the Nation’s Cybersecurity) from solely civilian agencies to all Federal Information Systems.
This new directive stipulates that the DoD and Intelligence agencies “shall adopt National Security Systems requirements that are equivalent to or exceed the cybersecurity requirements set forth” in EO 14028.
Similar to the previous Executive Order, the NSM outlines specific actions that agencies must take to comply with new U.S. requirements as well as steps for reporting compliance and failures, including:
- Agencies shall be required to implement multifactor authentication and encryption for NSS data-at-rest and data-in-transit
- All agencies shall use NSA‑approved, public standards-based cryptographic protocols to ensure widespread cryptographic interoperability. An agency shall not authorize new systems to operate that do not use approved encryption algorithms and implementations.
- Agencies shall identify any instances of encryption not in compliance with NSA-approved Quantum Resistant Algorithms or CNSA, where appropriate in accordance with section 1(b)(iv)(A) and (B) of this memorandum, and shall report to the National Manager:
  - systems where non-compliant encryption is being used, to include those operating under an existing waiver or exception;
  - a timeline to transition these systems to use compliant encryption, to include quantum resistant encryption; and
  - any exception from transition to compliant encryption, pursuant to section 3 of this memorandum, which shall additionally be reviewed by the National Manager and reported quarterly to the Secretary of Defense and the Director of National Intelligence for the systems within their respective jurisdictions.
What It Means for Product Vendors
The U.S. Federal Government has doubled down on ensuring the products it deploys utilize proper security functions, specifically as it applies to encryption. Leveraging previously issued waivers and outdated encryption methods will no longer be acceptable.
To avoid potential loss of contracts as well as removal of previously deployed solutions where cryptography was not approved, a FIPS 140-3 validated solution could be the answer. Discuss your projects, products, and security plans with your engineering team and certification consultants to ensure compliance.
About Corsec Security, Inc.
For two decades Corsec has assisted companies through the IT security certification process for FIPS 140-2 / FIPS 140-3, Common Criteria (CC) and the DoD’s APL. We are a privately owned company focused on partnering with organizations worldwide to assist with the process of security certifications and validations. Our certification methodology helps open doors to new markets and increase revenue for clients with products ranging from mobile phones to satellites. Our broad knowledge safeguards against common pitfalls and thwarts delays, translating to a swift and seamless path to certification. Corsec has created the benchmark for providing business leaders with fast, flexible access to industry knowledge on security certifications and validations.