OMB issues zero-trust strategy for federal agencies

All federal agencies must meet zero-trust goals that the U.S. Office of Management and Budget has set by 2024, building on earlier federal cybersecurity initiatives.

Conceptual image of a network labeled 'Zero Trust.'
Olivier Le Moal / Shutterstock

Through a memo issued by the Office of Management and Budget (OMB), the Biden administration issued a 30-page strategy to move the U.S. government toward a zero trust approach to cybersecurity. The strategy “represents a key step forward” in delivering on the president’s sweeping May executive order (EO) on cybersecurity, which contains a directive for federal government agencies to develop a plan to advance towards a zero trust architecture.

A hot buzz phrase in the cybersecurity world, zero trust is a model premised on the notion of “never trust, always verify.” The executive order defines zero trust as a security concept that "eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses." OMB says that a “key tenet of a zero trust architecture is that no network is implicitly considered trusted.”

The latest step in a series of zero trust actions

The administration has already taken several steps under the executive order to position the federal government to adopt zero trust.  President Biden’s executive order required agencies to develop their plans for implementing zero trust architectures.

Last September, the administration released three documents that more fully flesh out zero trust under the EO. First, the OMB released a draft for public comment on the steps government agencies can take to implement zero trust. The just-released OMB memo is a final version of this earlier draft that reflects comments received on the initial document.

The Cybersecurity and Infrastructure Security Agency (CISA) also released at the same time its Cloud Security Technical Reference Architecture to inform agencies of the advantages and inherent risks of adopting cloud-based services as agencies move closer to zero trust architecture. Concurrent with the reference architecture release, CISA released its Zero-Trust Maturity Model to help agencies implement zero-trust architectures.

OMB’s memo lays out a tight timeline. Within 30 days from the memo’s publications, or by February 26, agencies will have to designate and identify a zero-trust strategy implementation lead for their organization. Within 60 days of OMB’s memo, or by March 26, agencies must build on the EO-mandated plans by incorporating the additional requirements spelled out in the memo into those plans. Finally, agencies must achieve five zero-trust security goals by the end of 2024.

Five zero-trust goals

The goals agencies must achieve are aligned with the five pillars articulated in CISA’s zero-trust model. The goals and the specific actions needed to achieve those goals are as follows:

  1. Identity: The goal is that agency staff use enterprise-managed identities to access the applications they use in their work. To achieve this goal, agencies must employ centralized identity management systems for agency users that can be integrated into applications and common platforms. Moreover, agencies must use strong multifactor authentication (MFA) throughout the enterprise that is phishing-resistant for agency staff, contractors, and partners. Phishing-resistant options must also be available for public users. In addition, password policies must not require special characters or regular rotation. When authorizing users to access resources, agencies must consider at least one device-level signal alongside identity information about the authenticated user.
  2. Devices: The goal is to create a complete inventory of every device the government operates and authorizes for government use and prevent, detect and respond to incidents on those devices. To achieve the goal, agencies must create reliable asset inventories through CISA’s continuous diagnostics and mitigation (CDM) program. Agencies must also ensure their endpoint detection, and response (EDR) tools meet CISA’s technical requirements and are deployed widely.
  3. Networks: The goal is to have agencies encrypt all DNS requests and HTTP traffic within their environment and begin executing a plan to break down their perimeters into isolated environments. The actions agencies must take include resolving DNS queries using encrypted DNS wherever it is technically supported, enforcing HTTPS for all web and application program interface (API) traffic in their environment, and developing a zero-trust architecture plan that describes the agency’s approach to environmental isolation in consultation with CISA.
  4. Applications and workloads: The goal is to have agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports. The actions required to achieve this goal include, among other things, requiring agencies to operate dedicated application security testing programs, use high-quality firms specializing in application security for independent third-party evaluation, and maintain effective and welcoming public vulnerability disclosure programs for their internet-accessible systems.
  5. Data: The goal is to put agencies on a clear, shared path to deploying protections that make use of thorough data categorization, taking advantage of cloud security services and tools to discover, classify, and protect their sensitive data while implementing enterprise-wide logging and information sharing. The actions agencies must take to achieve the goals are implementing initial automation of data categorization and security responses, tagging and managing access to sensitive documents, auditing access to any data encrypted at rest in commercial cloud infrastructure, and working with CISA to implement comprehensive logging and information-sharing capabilities.

The private sector pioneered zero trust

Much of what the OMB has proposed are practices that the private sector has already developed and, to varying degrees deployed, over the past ten years. Kelsey Hightower, a technologist who works at Google Cloud, tells CSO that “zero trust is essentially impossible, right? But the idea that we practice removing implicit trust is the goal. The idea is that the White House is moving toward more industry-standard practices about being transparent and honest about the challenge.”

John Yeoh, global vice president of research at the Cloud Security Alliance, tells CSO, “The urgency of the memorandum comes in the aftermath of all these attacks and vulnerabilities that we’ve been seeing lately.” But, he say, “A lot of the [zero-trust actions in the memo] began even before the executive order.”

Aradhna Chetal, a senior executive in cloud security, co-chair CNCF TAG Security, and co-chair CSA Serverless Working Group, tells CSO that “We need to get to zero trust for all our agencies as well as enterprises. Zero trust is not a new concept. It has been talked about in the industry for over a decade. The concept of a stronger, exterior perimeter doesn’t protect us from the current threat landscape. We needed the mandate to enforce and accelerate some of what the industry has been doing.”

Will government agencies move quickly?

One question is whether slow-moving government bureaucracies can achieve the zero-trust goals in less than two years. “I think it’s difficult [to know] until you fully assess the current state of your agency or program,” Yeoh says. “We are going to see that over the next 30 and 60 days. That’s going to be eye-opening to a lot of organizations.”

“It is doable in the time frame assuming that federal agencies are able to acquire knowledgeable technical resources, engineering resources, and funding is made available for them for transitioning to the new technologies,” Chetal says.

“When you look at those kinds of timelines with milestones, those are basically industry best practices that we already know about,” Hightower says. “It's more about giving a large group of people clarity on things that just need to be done with no excuses.”

Copyright © 2022 IDG Communications, Inc.

22 cybersecurity myths organizations need to stop believing in 2022