WASHINGTON—President Biden on Wednesday expanded the National Security Agency’s role in protecting the U.S. government’s most sensitive computer networks, issuing a directive intended to bolster cybersecurity within the Defense Department and intelligence agencies.
The memorandum signed by Mr. Biden mandates baseline cybersecurity practices and standards, such as two-factor authentication and use of encryption, for so-called national security systems, which include the Defense Department and intelligence agencies and the federal contractors that support them.
It effectively aligns the cybersecurity standards imposed on national security agencies with those previously established for civilian agencies under an executive order Mr. Biden signed last May. Affected agencies will soon be expected to implement various cybersecurity protocols, including use of certain cloud technologies and software that can detect security problems on a network.
The new 17-page order authorizes the National Security Agency, the government’s leading digital surveillance organization, to issue what are known as binding operational directives, which require operators of national security systems to undertake efforts to guard against known or potential cybersecurity threats. The NSA has long had both offensive and defensive missions, but it has sought to expand its cybersecurity mission in the years following the leaks of classified surveillance information by former intelligence contractor Edward Snowden.
The Department of Homeland Security already has the power to issue binding operational directives that apply to civilian government networks, and most recently used the authority in December to order agencies to immediately mitigate the widespread Log4J cyber flaw. Binding operational directives could require agencies to install certain patches immediately, take some systems offline or uninstall software viewed as potentially dangerous, as the Trump administration did with Kaspersky Lab antivirus software in 2017.
Additionally, Wednesday’s memorandum requires agencies to identify their national security systems and report to the NSA cyber incidents that involve them. A fact sheet shared by the White House said this reporting would help the government identify and mitigate cyber risk across all national security systems.
The new rules also will require defense and intelligence agencies to better secure tools used to share data between classified and unclassified systems, in recognition that nation-state adversaries often seek to identify weaknesses in those tools to access highly sensitive national security information. Mr. Biden’s memorandum requires agencies to inventory so-called cross-domain solutions and places the NSA in charge of creating new security standards and testing requirements for such tools.
Mr. Biden and his national security team have repeatedly identified cybersecurity threats as a top national and economic security threat to the U.S.
Wednesday’s directive follows several organizational changes at the White House, State Department and elsewhere to elevate the issue and a push to place cybersecurity mandates on some private industries, including pipelines and trains, after several presidential administrations of both parties largely relied on voluntary industry standards.
Write to Dustin Volz at [email protected]
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8
