Skip to main content
close search
site logo
Dive Brief

Biden gives defense, intel agencies 180 days to apply MFA, encryption

Published Jan. 20, 2022
Samantha Schwartz's headshot
Samantha Schwartz Reporter
Win McNamee via Getty Images

Dive Brief:

  • National Security Systems (NSS) operators have 180 days to implement multifactor authentication and encryption for data at rest and in transit, according to a memorandum from President Joe Biden Wednesday. 
  • In that same time frame, agencies have to identify encryption instances that are non-compliant with National Security Agency (NSA)-approved Quantum Resistant Algorithms or the list of commercial national security algorithms (CNSA). 
  • Agency heads can exempt their respective agency from implementing certain requirements if it has a "unique mission" that warrants the exception. Exceptions might include systems supporting military or intelligence activities, systems with obscured attributions to the U.S. government, or information systems used for vulnerability research or testing.  

Dive Insight:

Industry criticized Biden's May cyber executive order, which emphasized the need for public-private partnerships, for lacking consequences or incentives for applying security standards. The recent requirements are the latest attempt by the Biden administration to bolster U.S. cyber standards. 

NSS operators handle classified and declassified information, which requires specialized information sharing and intelligence protection guidelines, which the NSA and DHS are tasked with establishing within 60 days. 

In July, the Biden administration directed the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST) and Office of Management and Budget to establish performance goals for critical infrastructure. Wednesday's order aims to have NSS operators use the same network cybersecurity measures required of federal civilian networks, as outlined in the May executive order. 

The memorandum allows the NSA to issue binding operational directives to NSS operators, akin to CISA's authority for civilian government networks. The memo directs the NSA and DHS to share directives and "learn from each other" to determine if directives should be applied across agencies, a White House fact sheet said

NSS operators are expected to report to the NSA or their Federal Cyber Center any threat or compromise detected on a network that facilitates a cross domain solution (CDS) "when one side of the CDS connects to NSS operated by or on behalf of the agency." The NSA, director of national intelligence, and CIA are expected to create reporting procedures within 90 days of the memorandum.

The directive provides an estimation on what the administration views as priority cybersecurity requirements. For example, the memo gives agencies 60 days to update "existing agency plans to prioritize resources for the adoption and use of cloud technology, including adoption of zero trust architecture as practicable." 

NSS operators must also have a plan for zero trust implementation, adhering to NIST guidance and Committee on National Security Systems (CNSS) instructions. The NSA and CNSS have 90 days to create the policies agencies are expected to adhere to. 

Recommended Reading

Editors' picks

Company Announcements

View all | Post a press release
DigiCert Unveils 2025 Security Predictions
From DigiCert
November 21, 2024
Nile Adds Industry’s First Campus Zero Trust Delivered As a Service
From Nile
November 21, 2024
Fathom5’s ARIA Technology Joins NSIN Propel Maritime Digital Defense Accelerator
From Fathom5
November 18, 2024
TrustNet Named 2024’s Best Compliance Advisory and Audit Firm at CDM’s Annual Top InfoSec Inno…
From TrustNet
November 06, 2024
Editors' picks
Latest in Strategy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell