
The Quantum Cybersecurity Preparedness Act Builds on National Security Memorandum 8

On January 19th, the President signed National Security Memorandum (NSM) 8, “Improving the Cybersecurity of National Security, Department of Defense and Intelligence Community Systems”.

NSM8 appeared to have been inspired by Project Warp Speed – specifically, the elimination of layers of reportage and bureaucracy when trying to innovate with unprecedented speed and scale.  With NSM8 and NSS, the goal was not so much the acceleration of innovation, but the ability to “defend forward” at speed and scale – with a tight OODA Loop between the White House and the NSA.

Legislation introduced in the House in early April builds on NSM 8 – which inspired us to return to NSM8 for further analysis, as we promised at the end of our analysis back in January. Our coda back in January: “This memorandum is a wildly interesting national security development. Stay tuned for more OODA Loop coverage as details are made available.” There were major Quantum Cybersecurity strategic directives in NSM 8 which were not a part of our initial analysis. The legislation in the House, entitled The Quantum Cybersecurity Preparedness Act, is – excuse the pun – a quantum leap forward for this strategic plan for what will be “the greatest cryptographic migration in history.” (1)

In this post, we will return to the section of NSM 8 concerned with Quantum Cybersecurity, including the 30, 60, 90, and 180-day deadlines from the date of the memorandum.

We will then take a look at the legislation to determine whether the House Committee on Oversight and Reform has become the central, public-facing organizational entity for this strategic initiative. The research question is: How many of the deadline-driven deliverables and directives informed the bill and/or found their way into the legislation? Is this legislation the mechanism for delivery of the directives? If not, is there a public repository available for unclassified documents which may be of interest to the private sector exploring opportunities to provide solutions?

We also included directives and deadlines related to zero trust architecture – as OODA Network members are proponents of the innovative architecture.  Also of interest (and encouraging):  commercial cloud technologies and commercial national security algorithms (CNSA) crop up in a few places, complete with specific directives.

National Security Memorandum 8:  Directives and Deadlines

Following are the 30, 60, 90, and 180-day deadlines from the date of the memorandum related to Quantum cybersecurity.

30 days (Deadline: February 19, 2022)

Updates or modifications regarding the approved list of commercial national security algorithms (CNSA):  Within 30 days of the date of this memorandum, the NSA shall review Committee on National Security Systems (CNSS)  Policy 15 and provide to CNSS any updates or modifications regarding the approved list of commercial national security algorithms (CNSA).

60 days (Deadline: March 19, 2022)

Zero Trust Architecture:  Within 60 days of the date of this memorandum, the head of each executive department or agency (agency) that owns or operates an NSS shall, consistent with its statutory authority:

  1. Update existing agency plans to prioritize resources for the adoption and use of cloud technology, including the adoption of Zero Trust Architecture as practicable;
  2. Develop a plan to implement Zero Trust Architecture, which shall incorporate, as appropriate:
    • NIST Special Publication 800-207 Guidance (Zero Trust Architecture);
    • CNSS instructions on Zero Trust Reference Architectures; and
    • Other relevant CNSS instructions, directives, and policies regarding enterprise architectures, insider threats, and access management; and
  3. provide a report to the CNSS and National Manager discussing the plans required pursuant to sections 1(b)(ii)(A) and (B) of this memorandum.

Information Assurance Cryptographic Equipment Modernization:  Within 60 days of the date of this memorandum, the NSA shall revise and make available to Chief Information Officers the CNSS Advisory Memorandum 01-07 (Information Assurance Cryptographic Equipment Modernization) and any associated enclosures and relevant references regarding modernization planning, use of unsupported encryption, approved mission unique protocols, quantum-resistant protocols, and planning for use of quantum-resistant cryptography where necessary.

90 days (Deadline:  April 19, 2022)

Develop and Publish Guidance (regarding minimum security standards and controls related to cloud migration and operations for NSS):  Within 90 days of the date of this memorandum, the Committee on National Security Systems (CNSS) shall develop and publish guidance, in addition to CNSS Instruction (CNSSI) 1253, regarding minimum security standards and controls related to cloud migration and operations for NSS, taking into account migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance.

Update All Cryptographic-related Policies, Directives, and Issuances:  Within 90 days of the date of this memorandum, CNSS shall identify and prioritize for update all cryptographic-related policies, directives, and issuances, and CNSS shall provide to the Secretary of Defense, the Director of National Intelligence, and the National Manager a timeline, not to exceed 6 months, for the re-issuance of these policies, as appropriate.

Develop a Framework to Coordinate and Collaborate on Cybersecurity and Incident Response Activities related to NSS Commercial Cloud Technologies:  Within 90 days of the date of this memorandum, the National Manager shall, in coordination with the Director of National Intelligence, the Director of the Central Intelligence Agency, the Director of the Federal Bureau of Investigation, and the heads of appropriate elements of the Department of Defense, develop a framework to coordinate and collaborate on cybersecurity and incident response activities related to NSS commercial cloud technologies that ensure effective information sharing among agencies, the National Manager, and Cloud Service Providers (CSP).

180 days (Deadline:  July 19, 2022)

Implementation of Multifactor Authentication and Encryption for NSS data-at-rest and data-in-transit:  Within 180 days of the date of this memorandum, agencies shall implement multifactor authentication and encryption for NSS data-at-rest and data-in-transit.  In those instances where the head of an agency determines the agency is unable to implement these measures, the head of the agency shall authorize an exception pursuant to the process provided in section 3 of this memorandum.  To ensure widespread cryptographic interoperability among NSS, all agencies shall use NSA‑approved, public standards-based cryptographic protocols.  If mission-unique requirements preclude the use of public standards-based cryptographic protocols, NSA-approved mission unique protocols may be used.  An agency shall not authorize new systems to operate that do not use approved encryption algorithms and implementations, absent an exception authorized by the head of an agency pursuant to section 3 of this memorandum.

Identify any Instances of Encryption not in Compliance with NSA-approved Quantum Resistant Algorithms or Commercial National Security Algorithms (CNSA):  Within 180 days of the date of this memorandum, agencies shall identify any instances of encryption not in compliance with NSA-approved Quantum Resistant Algorithms or CNSA, where appropriate in accordance with section 1(b)(iv)(A) and (B) of this memorandum, and shall report to the National Manager:

  • Systems where non-compliant encryption is being used, to include those operating under an existing waiver or exception;
  • A timeline to transition these systems to use compliant encryption, including quantum-resistant encryption; and
  • Any exception from transition to compliant encryption, pursuant to section 3 of this memorandum, shall additionally be reviewed by the National Manager and reported quarterly to the Secretary of Defense and the Director of National Intelligence for the systems within their respective jurisdictions.  The National Manager, in coordination with and only after engaging the system owner, may include other relevant agencies if a shared risk is jointly determined.

The Quantum Cybersecurity Preparedness Act

FEDSCOOP captured the top line very well:

“Proposed legislation that would give agencies a year to begin migration to post-quantum cryptography is a recognition transitioning from legacy to new algorithms will require significant planning and funding, say industry experts.  The Quantum Cybersecurity Preparedness Act would give the Office of Management and Budget a year from the day the National Institute of Standards and Technology issues post-quantum cryptography standards to prioritize the migration of agencies’ IT systems based on cybersecurity risk. Reps. Nancy Mace, R-S.C.; Ro Khanna, D-Calif.; and Gerry Connolly, D-Va., introduced the bill.” (1)

Alexandra Kelley, at NextGov, adds: “Largely in response to the “harvest now, decrypt later” strategy among some hacking organizations, the bill calls on the director of OMB to work with the Chief Information Officers Council to plan and assess current information technology networks and related risks within federal agencies, and advocate migration to post-quantum cryptography, pursuant to mandated NIST standards. Major private tech firms have supported the bill, including IBM, Google, QuSecure, and Maybell Quantum.” (2)

What Next?

Overall, these efforts are on the right track based solely on the metric of taking the threat very seriously with adequate strategic lead time.  In an OODAcast conversation, OODA CTO Bob Gourley captured the nature of the challenge ahead:  “What scares me is the fact that after two decades of working in security, we didn’t fix security for the old architectures. There are still challenges. So why should anybody think security will be fixed for the new world of quantum computing and space communications, space remote sensing, and the biotech revolution?  It’s not going to be fixed. There will always be issues of trust and risk and risk mitigation and optimizing in a world where the adversary can be observing all your actions. So that is what worries me. I’m still an optimist. This is going to be a great and wonderful tech-enabled future, but there will always be a need for professionals to assess risk and mitigate risk when it comes to cybersecurity.”

Do We Need a Joint Quantum Cybersecurity Collaborative?  Building on Bob’s perspective about the role of private professionals in assessing and mitigating risk, as far as we can tell, there is not a clear public/private collaborative organization charged with engaging the private sector and distributing time-sensitive findings from the NSM8. There is what seems like an archived website for an organization called the Committee on National Security Systems.  We will take a look as soon as we are granted access. Our point of reference is the CISA Joint Cyber Defense Collaborative (JCDC) – which was launched in 2021 and has made significant contributions to critical Joint Cybersecurity Advisories released in the last few weeks.  It seems logical that early, formal private sector collaboration would be productive in this space as well.

The DHS Roadmap – Post-Quantum Cryptography:   The National Institute of Standards and Technology is developing a post-quantum cryptography standard and partnered on a DHS roadmap as an interim document to prepare agencies for the transition.

Will OMB Reports Prove Adequate?  As previously mentioned, OMB would also be required to report annually on the state of the governmentwide transition. Is the OMB report format enough for this behemoth, important initiative? Which other organizations should manage the information generated from this project? And what innovative taxonomies exist for structuring and disseminating information throughout this cryptographic migration?



About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.