The White House has released a new memo instructing federal agencies to officially move towards a zero trust approach to cybersecurity, to lower the risk of cyberattacks against the government’s digital infrastructure.
The document, published by the Office of Management and Budget (OMB, the policy arm of the White House administration), represents an important step in implementing President Biden’s Executive Order on strengthening the nation’s cyber security.
Federal agencies have until the end of fiscal year 2024 to meet the strategy targets, which are based on a zero-trust model created by the US Cybersecurity and Infrastructure Security Agency (CISA).
The document spells out dozens of security measures that federal agencies must implement in the next two years to secure their systems and networks, and to limit the risk of security incidents. They include widespread encryption, multi-factor authentication, and more rigorous network segmentation.
The increasing threat of sophisticated cyberattacks underscores the idea that the federal government cannot rely on conventional perimeter-based defenses to protect critical systems and data, the memo says.
The announcement also mentions the Log4j vulnerability as evidence that threat actors will continue to find new ways to get their foot in the door.
According to the new zero-trust paradigm, no actor, system, network, or service operating either within or outside the security perimeter can be trusted; thus, government agencies must validate anything and anyone that seeks access to systems and data.
To prevent unauthorised access to sensitive data, federal agencies will need to trace and verify each user, machine, application, and transaction. They will have two months to provide an implementation plan to the OMB and CISA.
“Security is the cornerstone of our efforts to build exceptional digital experiences for the American public,” said federal chief information officer Clare Martorana.
“Federal agency CIOs and IT leadership are leaning into this challenge, and the zero trust strategy provides a clear roadmap for deploying technology that is secure by design and responsive to the needs of our workforce so they can better deliver for the American public.”
The new directive is part of a broader effort to safeguard the country’s systems and networks, which began with an executive order last year.
President Biden signed a national security memorandum in July aimed at strengthening cybersecurity for the country’s critical infrastructure – like power and water suppliers, public health organisations and transport systems.
The memorandum directed the Departments of Homeland Security and Commerce to develop baseline cybersecurity performance goals for all critical infrastructure sectors. It also established an Industrial Control Systems Cybersecurity Initiative: a collaborative effort between the federal government and firms running industrial control systems, to provide the latest tools and technologies to defend against attacks.
The national security memorandum followed a spate of ransomware attacks on American entities that hampered services and logistics in the US.
In May last year, US fuel distributor Colonial Pipeline suffered a massive ransomware attack that crippled fuel delivery in southeastern US states.
Florida-based IT firm Kaseya also suffered an attack in July that was said to be the work of the Russia-based REvil group.
In August, Biden met with the heads of tech firms, including Apple, Google and Microsoft, at the White House to discuss how the public and private sectors can work together to improve the USA’s critical infrastructure and supply chain cyber security.
The President appealed to business leaders to “raise the bar on cybersecurity,” and take further steps to tackle the growing threat of cyber attacks to the US economy.