US OMB Releases Zero Trust Strategy for Federal AgenciesPlan Focuses on 'Phishing-Resistant MFA,' Encryption, Info-Sharing and More
The Office of Management and Budget on Wednesday released a federal strategy to move the U.S. government toward mature zero trust architectures. White House officials say the new strategy - with a focus on "phishing-resistant" multifactor authentication, asset inventories, traffic encryption and more - is a "key step forward in delivering on President Biden's May 2021 executive order on cybersecurity.
See Also: A Guide to Passwordless Anywhere
The memorandum eliminates rotating passwords with special characters in one year's time, and it stresses the importance of encryption around DNS requests and HTTP traffic. OMB also plans to pivot away from application authentication via virtual private networks and the use of unsecure dot-gov intranets, opting instead for stronger authentication at the app layer.
"This zero trust strategy is about ensuring the federal government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the U.S. harm," says acting OMB Director Shalanda Young in a statement.
Biden's cybersecurity executive order, the foundation of this OMB release, initiated a governmentwide effort to instill security best practices, realize the benefits of cloud infrastructure and migrate to zero trust - the "never trust, always verify" security concept that does away with trust by default, even for previously verified devices.
In the statement on Wednesday, Biden administration officials say, "The growing threat of sophisticated cyberattacks has underscored that the federal government can no longer depend on conventional perimeter-based defenses to protect critical systems and data. The Log4j vulnerability is the latest evidence that adversaries will continue to find new opportunities to get their foot in the door."
The strategy adheres to five key pillars previously outlined and defined by the Cybersecurity and Infrastructure Security Agency and gives agencies until the end of fiscal year 2024 to achieve specific zero trust goals. It calls for the following actions in the following areas:
- Identity: Agency staff will utilize phishing-resistant MFA to protect enterprise-managed personnel from "sophisticated online attacks."
- Devices: Federal agencies will inventory all devices they operate and authorize for government use.
- Networks: Agencies will encrypt all DNS requests and HTTP traffic within their environment and begin executing a plan to break down their perimeters into isolated environments.
- Applications and Workloads: Agencies will treat all applications as internet-connected and routinely subject to "rigorous empirical testing" and will "welcome external vulnerability reports."
- Data: Agencies will ensure they are on a "clear, shared path to deploy protections that make use of thorough data categorization." Also, agencies will leverage cloud security services to monitor sensitive data and implement enterprisewide logging and information sharing.
The strategy also requires the following:
- Update Plans: Within 60 days, agencies will be required to build upon plans first outlined by Executive Order 14028, incorporating all additional requirements, and submit them to OMB and CISA.
- FY22 to FY24: Specific plan updates include an implementation approach for 2022 to 2024, along with a budget estimate.
- Funding: OMB advises agencies to internally source funding or seek funding from sources such as the Technology Modernization Fund.
- Implementation Lead: Agencies will have 30 days to designate and identify a zero trust strategy implementation lead, who will be relied upon for "coordination and planning" efforts.
- Collaboration: OMB and CISA will work with agencies through the implementation phase to "capture best practices, lessons learned, and additional agency guidance on a jointly maintained website at zerotrust.cyber.gov.
Federal Leaders Discuss
Many of the nation's top cybersecurity leaders were quick to tout OMB's road map on Wednesday.
"It was extremely important for us to work collaboratively with top experts across the government, industry and academia and build consensus around the highest-value starting points for a defensible zero trust architecture," says Federal CISO Chris DeRusha. "This strategy will serve as the foundation for a paradigm shift in federal cybersecurity and provide a model for others to follow."
National Cyber Director Chris Inglis also commented on the plan, saying, "This strategy is a step in our efforts to build a defensible and coherent approach to our federal cyber defenses. We are not waiting to respond to the next cyber breach. Rather, this administration is continuing to reduce the risk to our nation by taking proactive steps towards a more resilient society."
"As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity," says CISA Director Jen Easterly. "Zero trust is a key element of this effort to modernize and strengthen our defenses. CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity."
Deputy National Security Adviser for Cyber Anne Neuberger says that the plan is an important milestone in achieving the modernization Biden outlined in 2021. "Agency leadership plays a key role in making this strategy real, ensuring that agency CISOs have the support they need from their agencies' financial and acquisition teams to execute this strategy," she says.
John Kindervag, who created the zero trust model while working as an industry analyst for Forrester, tells ISMG that OMB's zero trust strategy "is a significant milestone" in a "decade-long journey to bring zero trust to the cybersecurity mainstream." He calls the document a "powerful endorsement of zero trust's value to cybersecurity."
But Kindervag, who now serves as senior vice president of cybersecurity strategy at the firm ON2IT, adds that "each zero trust environment will be unique, so federal agencies should adapt their zero trust efforts to meet their individual needs in protecting sensitive data and assets."
Other experts praise the security-driven directives now frequently coming from the White House.
"The continuous and consistent messaging coming from the executive branch is most definitely driving progress across the federal landscape when it comes to zero trust," Richard Bird, board member of the Identity Defined Security Alliance, tells ISMG. "The vast majority of federal organizations have been diving into zero trust strategizing since the middle of 2020 and look to be on track to deliver against these dates."
Still, the identity and access management space, a key component of zero trust, has continued to lag behind the corporate world, says Bird, who is currently the chief product officer at the firm SecZetta.
He says: "The reality is that it has taken a series of executive orders to force federal agencies to move into the 21st century from a security standpoint. As President Biden said, 'Incremental improvements will not give us the security we need; instead, the federal government needs to make bold changes.' Our government should have been bold about security a long time ago."