On January 19th, the President signed National Security Memorandum (NSM) 8, “Improving the Cybersecurity of National Security, Department of Defense and Intelligence Community Systems”.
NSM8 appeared to have been inspired by Project Warp Speed – specifically, the elimination of layers of reportage and bureaucracy when trying to innovate with unprecedented speed and scale. With NSM8 and NSS, the goal was not so much the acceleration of innovation, but the ability to “defend forward” at speed and scale – with a tight OODA Loop between the White House and the NSA.
Legislation introduced in the House in early April builds on NSM 8 – which inspired us to return to NSM8 for further analysis, as we promised at the end of our analysis back in January. Our coda back in January: “This memorandum is a wildly interesting national security development. Stay tuned for more OODA Loop coverage as details are made available.” There were major Quantum Cybersecurity strategic directives in NSM 8 which were not part of our initial analysis. The legislation in the House, entitled The Quantum Cybersecurity Preparedness Act, is – excuse the pun – a quantum leap forward for this strategic plan for what will be “the greatest cryptographic migration in history.” (1)
In this post, we will return to the section of NSM 8 concerned with Quantum Cybersecurity, including the 30, 60, 90, and 180-day deadlines from the date of the memorandum.
We will then take a look at the legislation to determine if the House Committee on Oversight and Reform has become the central, public-facing organizational entity for this strategic initiative. The research question is: How many of the deadline-driven deliverables and directives informed the bill and/or found their way into the legislation? Is this legislation the mechanism for delivery of the directives? If not, is there a public repository available for unclassified documents which may be of interest to the private sector exploring opportunities to provide solutions?
We also included directives and deadlines related to zero trust architecture – as OODA Network members are proponents of the innovative architecture. Also of interest (and encouraging): commercial cloud technologies and commercial national security algorithms (CNSA) crop up in a few places, complete with specific directives.
Following are the 30, 60, 90, and 180-day deadlines from the date of the memorandum related to Quantum cybersecurity.
Updates or modifications regarding the approved list of commercial national security algorithms (CNSA): Within 30 days of the date of this memorandum, the NSA shall review Committee on National Security Systems (CNSS) Policy 15 and provide to CNSS any updates or modifications regarding the approved list of commercial national security algorithms (CNSA).
Zero Trust Architecture: Within 60 days of the date of this memorandum, the head of each executive department or agency (agency) that owns or operates an NSS shall, consistent with its statutory authority:
Information Assurance Cryptographic Equipment Modernization: Within 60 days of the date of this memorandum, the NSA shall revise and make available to Chief Information Officers the CNSS Advisory Memorandum 01-07 (Information Assurance Cryptographic Equipment Modernization) and any associated enclosures and relevant references regarding modernization planning, use of unsupported encryption, approved mission unique protocols, quantum-resistant protocols, and planning for use of quantum-resistant cryptography where necessary.
Develop and Publish Guidance (regarding minimum security standards and controls related to cloud migration and operations for NSS): Within 90 days of the date of this memorandum, the Committee on National Security Systems (CNSS) shall develop and publish guidance, in addition to CNSS Instruction (CNSSI) 1253, regarding minimum security standards and controls related to cloud migration and operations for NSS, taking into account migration steps that the National Institute of Standards and Technology (NIST) within the Department of Commerce has outlined in standards and guidance.
Update All Cryptographic-related Policies, Directives, and Issuances: Within 90 days of the date of this memorandum, CNSS shall identify and prioritize for update all cryptographic-related policies, directives, and issuances, and CNSS shall provide to the Secretary of Defense, the Director of National Intelligence, and the National Manager a timeline, not to exceed 6 months, for the re-issuance of these policies, as appropriate.
Implementation of Multifactor Authentication and Encryption for NSS data-at-rest and data-in-transit: Within 180 days of the date of this memorandum, agencies shall implement multifactor authentication and encryption for NSS data-at-rest and data-in-transit. In those instances where the head of an agency determines the agency is unable to implement these measures, the head of the agency shall authorize an exception pursuant to the process provided in section 3 of this memorandum. To ensure widespread cryptographic interoperability among NSS, all agencies shall use NSA‑approved, public standards-based cryptographic protocols. If mission-unique requirements preclude the use of public standards-based cryptographic protocols, NSA-approved mission unique protocols may be used. An agency shall not authorize new systems to operate that do not use approved encryption algorithms and implementations, absent an exception authorized by the head of an agency pursuant to section 3 of this memorandum.
Develop a Framework to Coordinate and Collaborate on Cybersecurity and Incident Response Activities related to NSS Commercial Cloud Technologies: Within 90 days of the date of this memorandum, the National Manager shall, in coordination with the Director of National Intelligence, the Director of the Central Intelligence Agency, the Director of the Federal Bureau of Investigation, and the heads of appropriate elements of the Department of Defense, develop a framework to coordinate and collaborate on cybersecurity and incident response activities related to NSS commercial cloud technologies that ensure effective information sharing among agencies, the National Manager, and Cloud Service Providers (CSP).
Identify any Instances of Encryption not in Compliance with NSA-approved Quantum Resistant Algorithms or Commercial National Security Algorithms (CNSA): Within 180 days of the date of this memorandum, agencies shall identify any instances of encryption not in compliance with NSA-approved Quantum Resistant Algorithms or CNSA, where appropriate in accordance with section 1(b)(iv)(A) and (B) of this memorandum, and shall report to the National Manager:
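The inventory directive above, together with the CNSA and data-at-rest/data-in-transit encryption requirements earlier in the list, reduces to one practical task for an agency: enumerate every cryptographic primitive in use and flag those outside the approved suite. The following is an added illustration, not code from NSM 8, OODA Loop, or any agency. It checks a constructed inventory (the system names and records are made up) against the minimum parameters of the public CNSA Suite 1.0 (AES-256, RSA and DH at 3072 bits, ECDH/ECDSA on P-384, SHA-384); the rule table is an assumption drawn from that published suite, not from the memorandum itself.

```python
"""Cryptographic inventory check against the CNSA Suite 1.0 minimums.

Added example: a defender-side audit that takes an inventory of the
algorithms each system uses and reports every instance that falls
outside the approved suite, as an agency would need to do before
reporting to the National Manager.
"""
from dataclasses import dataclass

# Minimum parameters of the CNSA Suite 1.0 (assumption: taken from the
# public NSA CNSA Suite / CNSSP 15 guidance, not from NSM 8).
CNSA_RULES = {
    "AES":   {"min_bits": 256},
    "RSA":   {"min_bits": 3072},
    "DH":    {"min_bits": 3072},
    "ECDH":  {"curves": {"P-384"}},
    "ECDSA": {"curves": {"P-384"}},
    "SHA2":  {"min_bits": 384},
}


@dataclass(frozen=True)
class Finding:
    system: str
    usage: str
    algorithm: str
    reason: str


def check_primitive(algorithm, bits=None, curve=None):
    """Return None if the primitive meets CNSA 1.0, else a reason string."""
    rule = CNSA_RULES.get(algorithm)
    if rule is None:
        # Anything outside the suite (SHA-1, 3DES, RC4, ...) is non-compliant.
        return f"{algorithm} is not in the CNSA Suite"
    if "min_bits" in rule and (bits is None or bits < rule["min_bits"]):
        return f"{algorithm}-{bits} is below the CNSA minimum of {rule['min_bits']} bits"
    if "curves" in rule and curve not in rule["curves"]:
        approved = ", ".join(sorted(rule["curves"]))
        return f"{algorithm} on {curve} is not approved (CNSA requires {approved})"
    return None


def audit(inventory):
    """Return one Finding per inventory entry that is not CNSA-compliant."""
    findings = []
    for entry in inventory:
        reason = check_primitive(entry["algorithm"], entry.get("bits"), entry.get("curve"))
        if reason:
            findings.append(Finding(entry["system"], entry["usage"], entry["algorithm"], reason))
    return findings


def summarize(findings):
    """Count non-compliant instances per system, for the roll-up report."""
    counts = {}
    for f in findings:
        counts[f.system] = counts.get(f.system, 0) + 1
    return counts


# Constructed sample inventory; every system name and record is made up.
SAMPLE_INVENTORY = [
    {"system": "vpn-gw-01",    "usage": "data-in-transit key exchange", "algorithm": "ECDH",  "curve": "P-256"},
    {"system": "vpn-gw-01",    "usage": "data-in-transit bulk cipher",  "algorithm": "AES",   "bits": 256},
    {"system": "file-srv-07",  "usage": "data-at-rest",                 "algorithm": "AES",   "bits": 128},
    {"system": "pki-ca-02",    "usage": "certificate signing",          "algorithm": "RSA",   "bits": 2048},
    {"system": "pki-ca-02",    "usage": "certificate hash",             "algorithm": "SHA2",  "bits": 384},
    {"system": "legacy-app-11","usage": "password hashing",             "algorithm": "SHA1",  "bits": 160},
    {"system": "hsm-03",       "usage": "code signing",                 "algorithm": "ECDSA", "curve": "P-384"},
]


if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.system:14} {f.usage:32} {f.reason}")
    print("non-compliant instances per system:", summarize(results))
```

Run against the constructed inventory, the script flags four instances (the P-256 key exchange, AES-128 at rest, the RSA-2048 signing key and the SHA-1 use) and leaves AES-256, SHA-384 and ECDSA P-384 alone. The rule table is deliberately data, not code, so that it can be updated as NSA revises the suite; NSA has since published CNSA 2.0, which adds quantum-resistant algorithms, and a real audit would track that revision rather than the 1.0 parameters assumed here.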
FedScoop captured the top line very well:
“Proposed legislation that would give agencies a year to begin migration to post-quantum cryptography is a recognition transitioning from legacy to new algorithms will require significant planning and funding, say industry experts. The Quantum Cybersecurity Preparedness Act would give the Office of Management and Budget a year from the day the National Institute of Standards and Technology issues post-quantum cryptography standards to prioritize the migration of agencies’ IT systems based on cybersecurity risk. Reps. Nancy Mace, R-S.C.; Ro Khanna, D-Calif.; and Gerry Connolly, D-Va., introduced the bill.” (1)
Alexandra Kelley: “Largely in response to the “harvest now, decrypt later” strategy among some hacking organizations, the bill calls on the director of OMB to work with the Chief Information Officers Council to plan and assess current information technology networks and related risks within federal agencies, and advocate migration to post-quantum cryptography, pursuant to mandated NIST standards. Major private tech firms have supported the bill, including IBM, Google, QuSecure, and Maybell Quantum.” (2)
Overall, these efforts are on the right track based solely on the metric of taking the threat very seriously with adequate strategic lead time. In an OODAcast conversation, OODA CTO Bob Gourley captured the nature of the challenge ahead: “What scares me is the fact that after two decades of working in security, we didn’t fix security for the old architectures. There are still challenges. So why should anybody think security will be fixed for the new world of quantum computing and space communications, space remote sensing, and the biotech revolution? It’s not going to be fixed. There will always be issues of trust and risk and risk mitigation and optimizing in a world where the adversary can be observing all your actions. So that is what worries me. I’m still an optimist. This is going to be a great and wonderful tech-enabled future, but there will always be a need for professionals to assess risk and mitigate risk when it comes to cybersecurity.”
Do We Need a Joint Quantum Cybersecurity Collaborative? Building on Bob’s perspective about the role of private professionals in assessing and mitigating risk, as far as we can tell, there is not a clear public/private collaborative organization charged with engaging the private sector and distributing time-sensitive findings from NSM8. There is what seems like an archived website for an organization called the Committee on National Security Systems. We will take a look as soon as we are granted access. Our point of reference is the CISA Joint Cyber Defense Collaborative (JCDC) – which was launched in 2021 and has made significant contributions to critical Joint Cybersecurity Advisories released in the last few weeks. It seems logical that early, formal private sector collaboration would be productive in this space as well.
The DHS Roadmap – Post-Quantum Cryptography: The National Institute of Standards and Technology is developing a post-quantum cryptography standard and partnered on a DHS roadmap as an interim document to prepare agencies for the transition.
Will OMB Reports Prove Adequate? As previously mentioned, OMB would also be required to report annually on the state of the governmentwide transition. Is the OMB report format enough for this behemoth, important initiative? What other organizations should manage the information generated from this project? And what innovative taxonomies exist for the structuring and dissemination of information throughout this cryptographic migration?