NSA outlines its information-sharing duties under Biden cyber EO

By Sara Friedman / May 21, 2021 at 9:45 AM

The National Security Agency is taking up its mandate to establish capabilities for robust information sharing between industry and government as part of the Biden executive order designed to bolster the security of federal networks and strengthen relationships with industry.

To accomplish its EO responsibilities, "NSA will spearhead efforts to outline procedures for cyber incident report sharing, recommend actions to improve the detection of cyber incidents affecting National Security Systems (NSS), and adopt NSS cybersecurity requirements to be included in a National Security Memorandum for cybersecurity requirements specific to NSS," the intelligence agency said in a Wednesday release.

"The Executive Order also identifies the Agency as a representative to the Cyber Safety Review Board -- an incident investigation team that will work together to review significant cyber incidents and provide recommendations to improve cybersecurity and incident response, similar to the review boards that investigate airline accidents," NSA said.

The EO published on Monday has several requirements for bolstering information sharing and creating new processes for incident response.

"This Executive Order places significant expectations on NSA based on our expertise in cybersecurity. We are called out specifically several times and have a notable role to play in this national level policy," NSA director of cybersecurity Rob Joyce said. "We're glad to see the renewed security focus across the community. We look forward to collaborating with our interagency partners, along with the private sector, to deliver on the requirements in the EO. In the end, it is all about the outcomes, better securing the Nation."

The intelligence agency also has a role in supporting other federal agencies with their duties that include "publishing guidance for vendor testing of software source code and establishing a standard playbook for planning and conducting vulnerability and cyber incident response for Federal civilian agency information systems," NSA said.

The agency "will assist in recommending changes to Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation (DFAR) contract provisions to improve information sharing."

When it comes to zero trust, NSA said it is working to guide adoption across the NSS and referenced its zero trust guidance issued in February.

"NSA has a huge quantity of expertise combined with technical depth in cybersecurity," Joyce said. "We also have unique expertise -- our classified insights into the adversaries and some of the code-making capabilities. What makes this an exciting moment in time is the national-level emphasis being put on this mission. NSA is working with the White House, the USG, the private sector, and other partners in new, transparent ways."