3rd Party Risk Management , Access Management , Critical Infrastructure Security
White House Pushing Federal Agencies Toward 'Zero Trust'CISA and OMB Creating Road Maps So Departments Can Adopt by 2024
The White House is preparing executive branch agencies to adopt "zero trust" network architectures by September 2024, with the U.S. Cybersecurity and Infrastructure Security Agency and the Office of Management and Budget overseeing the creation of technology road maps that departments must follow to achieve these goals.
See Also: LIVE Webinar | Stop, Drop (a Table) & Roll: An SQL Highlight Discussion
On Tuesday, OMB released several draft documents related to this strategy, including "Moving the U.S. Government Towards Zero Trust Cybersecurity Principles," which includes an outline of how executive branch agencies should move toward adopting zero trust by September 2024. The office is taking public comment on the documents between now and Sept. 21.
Also on Tuesday, CISA released what the agency calls a "Zero Trust Maturity Model," which is "one of many road maps for agencies to reference as they transition towards a zero trust architecture." The U.S. Department of Homeland Security, which oversees CISA, will accept public comments on the document now through Oct. 1.
The move toward zero trust architectures is one of the main components of President Joe Biden's executive order, which was signed in May and designed to address several of the security issues that came to light in the wake of the SolarWinds supply chain attack as well as several recent ransomware incidents involving critical infrastructure (see: Biden's Cybersecurity Executive Order: 4 Key Takeaways).
As part of that executive order, the White House is pushing federal departments to change their cybersecurity stance by adopting technologies such as multifactor authentication and endpoint detection and response as well as moving toward zero trust and away from traditional perimeter defenses.
"Zero trust architecture allows users full access but only to the bare minimum they need to perform their jobs. If a device is compromised, zero trust can ensure that the damage is contained," according to the executive order. "The zero trust architecture security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity."
The documents released Tuesday note that executive branch departments and agencies have 60 days after the release of the memo to submit to OMB zero trust implementation plans that cover the years 2022 through 2024 as well as budget estimates for 2023 and 2024. Each department also needs to designate an agency official to oversee and implement these plans within 30 days of the release of the memo.
As part of the documents released by OMB, agencies and departments are expected to adopt a zero trust architecture that incorporates five specific "pillars" to improve cybersecurity. These include:
- Identity: This will require the staff of all executive branch agencies to adopt identity best practices when accessing applications that they use for work. This can include technologies such as multifactor authentication to limit threats such as phishing emails.
- Devices: Federal agencies and departments need to develop a full inventory of devices that live within their networks to help detect and respond to threat.
- Networks: Departments now must encrypt Domain Name System requests and HTTP traffic and segment networks, to move toward zero trust. Agencies must also find a way to begin encrypting email data in transit.
- Applications: Agencies will need to test their apps for vulnerabilities and to ensure proper security. Departments should also seek out external reports about flaws and bugs in applications.
- Data: Agencies are taking advantage of cloud security services to monitor access to their sensitive data and have implemented enterprisewide logging and information sharing.
Besides the OMB documents, CISA released its maturity model document for agencies and departments to consider, although it was not specifically required through the Biden executive order.
The CISA document also refers to the five pillars outlined in the OMB memo and offers several tools and techniques for executive branch agencies to work toward zero trust architectures, including how best to adopt and apply the National Institute of Standards and Technology's Special Publication 800-207, which outlines zero trust models (see: NIST Issues Final Guidance on 'Zero Trust' Architecture).
"Zero trust presents a shift from a location-centric model to a more data-centric approach for fine-grained security controls between users, systems, data and assets that change over time; for these reasons, moving to a [zero trust architecture] is nontrivial," according to the CISA document. "This [maturity model] provides the visibility needed to support the development, implementation, enforcement and evolution of security policies."
While the memo outlines the steps these departments and agencies must take, the most difficult part of zero trust is where to begin such a project, John Kindervag, the former Forrester analyst who created the concept of zero trust, previously told Information Security Media Group when the executive order was released in May.
"The challenge is going to be in the section where it says the agency head needs to develop a plan. That's going to be a challenge for everybody because the first thing they need to do is determine what you need to protect - and that takes longer than 60 days," said Kindervag, who is now senior vice president of cybersecurity strategy at ON2IT Cybersecurity.
Zero Trust Initiatives
Even before the release of the documents on Tuesday, members of the Biden administration had pushed for the federal government to adopt zero trust models
Testifying before a U.S. Senate panel in March to discuss the SolarWinds supply chain attack, Christopher DeRusha, the federal CISO, and Brandon Wales, who was then acting director of CISA, both agreed that federal agencies need to move away from traditional perimeter defenses and adopt modern concepts of cybersecurity such as zero trust (see: The Case for 'Zero Trust' Approach After SolarWinds Attack).