Feds Publish Zero Trust Plan
The U.S. Office of Management and Budget (OMB) published a strategy to move the government to a Zero Trust cybersecurity model.
A Jan. 26 memorandum with the subject “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles” requires federal agencies to meet specific cybersecurity standards and objectives by the end of 2024, reinforcing the government’s defenses against increasingly sophisticated and persistent threats.
The memo follows a May 2021 executive order from the Biden administration to tighten software security practices generally, including advocating the federal use of Zero-Trust architectures, with secure use of cloud-based services.
“The growing threat of sophisticated cyber attacks has underscored that the Federal Government can no longer depend on conventional perimeter-based defenses to protect critical systems and data,” the White House said in a Jan. 26 news release. “The Log4j vulnerability is the latest evidence that adversaries will continue to find new opportunities to get their foot in the door. The Zero Trust strategy will enable agencies to more rapidly detect, isolate, and respond to these types of threats. By detailing a series of specific security goals for agencies, the new strategy will serve as a comprehensive roadmap for shifting the Federal Government to a new cybersecurity paradigm that will help protect our nation. These goals are directly aligned with and support existing Zero Trust models.”
The Zero Trust model eschews the standard security approach of walling off networks and systems behind a secure perimeter. It’s one of the latest security darlings in an industry that has seen the advent of hybrid work models, the proliferation of endpoints and bring-your-own devices, disparate and interconnected systems spanning clouds and enterprise datacenters, and just general complexity all around. Instead of trying to secure perimeters, Zero Trust assumes that such fortress security approaches are destined to fail and that systems have already been penetrated, seeking to lessen the damage that can be caused.
Zero Trust has been described as part of the future of network security (along with SASE and automation) and has been backed by Microsoft to fight ransomware.
What’s more, Zero Trust is seen as replacing less-secure VPNs, though gaps still remain in enterprise implementations.
Along with espousing Zero Trust, the memo also requires all federal agencies to use phishing-resistant Multi-Factor Authentication (MFA), enforced at the application layer instead of the network layer.
Requiring that agencies designate and identify a Zero Trust strategy implementation lead for their organization within 30 days of the Jan. 26 memo publication date, the OMB said the strategy envisions a federal government where:
- Federal staff have enterprise-managed accounts, allowing them to access everything they need to do their job while remaining reliably protected from even targeted, sophisticated phishing attacks.
- The devices that federal staff use to do their jobs are consistently tracked and monitored, and the security posture of those devices is taken into account when granting access to internal resources.
- Agency systems are isolated from each other, and the network traffic flowing between and within them is reliably encrypted.
- Enterprise applications are tested internally and externally, and can be made available to staff securely over the internet.
- Federal security teams and data teams work together to develop data categories and security rules to automatically detect and ultimately block unauthorized access to sensitive information.
“In the face of increasingly sophisticated cyber threats, the Administration is taking decisive action to bolster the federal government’s cyber defenses,” said Acting OMB Director Shalanda Young. “This Zero Trust strategy is about ensuring the Federal Government leads by example, and it marks another key milestone in our efforts to repel attacks from those who would do the United States harm.”
David Ramel is an editor and writer for Converge360.