What’s New in the Federal Zero Trust Strategy?
Where the federal government goes, the private sector tends to follow. So it was good to see that, in response to last May’s Executive Order 14028, the Office of Management and Budget (OMB) released a memo on Wednesday outlining a new strategy for moving the federal government toward a zero trust cybersecurity posture.
(Check out Lindsey O’Donnell-Welch’s coverage of the news in Decipher.)
What’s the Vision?
The vision being set forth by OMB is ambitious — but vital. Imagine a shift away from logging into a “network” to having security seamlessly built into the network, and multi-factor authentication and authorization continuously performed at the application level on the fly — without users typing passwords.
This will require a shift away from “perimeter-based networks,” where validation is done at the point of entry and exit, toward intelligent, intuitive networks that are capable of assessing and addressing threats in real time.
What’s in the Strategy?
The memo requires agencies to adopt security strategies for five asset classes:
Employees — governed by a single enterprise identity and using phishing-resistant multi-factor authentication solutions
Devices — agencies maintain a complete inventory of devices, which are tracked and monitored, including through endpoint detection and response (EDR) tooling
Networks — all DNS, HTTP and email traffic encrypted, and federal assets isolated, including those running on cloud-based infrastructure
Applications — tested internally and externally
Data — categorized and tagged using cloud security services and enterprise logging capabilities
What’s Notable in the Memo?
The strategy places significant emphasis on what Duo Security, now part of Cisco Secure, calls “workforce zero trust” — the combination of users and devices, managed using multi-factor authentication and device health evaluations. This, in combination with network encryption, will lay a strong foundation against phishing and other common attack vectors.
The memo emphasizes the importance of including cloud-based platforms, applications and systems in the agency zero trust strategy. The move to a zero trust model allows for secure use of the cloud, and OMB is requiring the use of zero trust to facilitate the modernization of federal technologies.
Although not part of a typical zero trust strategy, the memo also requires agencies to subject federal systems to internal and external testing and scrutiny, to ensure the health and efficacy of federal controls. Combined with a coordinated vulnerability disclosure program, these requirements will leave federal assets better protected and allow agency vulnerability findings to be shared with the broader public as necessary.
The memo suggests that immutable (unchanging) workloads are more likely to occur when the principle of “least privilege” (of developers and other operational personnel) is in place. OMB is promoting “Modern software development lifecycle practices, including Continuous Integration/Continuous Deployment (CI/CD) and Infrastructure as Code (IaC)” in order to ensure immutability, particularly in cloud environments.
In addition to detailing the “what” of the strategy, OMB also details the “how.” The requirements suggest taking an iterative approach: “Agencies must identify at least one internal-facing FISMA Moderate application and make it fully operational and accessible over the public internet” and “without relying on a virtual private network (VPN) or other network tunnel.”
OMB notes that an agency will need to “put in place minimum viable monitoring infrastructure, denial of service protections, and an enforced access-control policy. While implementing those elements, the agency should integrate this internet-facing system into an enterprise identity management system… Agencies will likely find it beneficial to gain confidence in their controls and processes by performing this shift first on a FISMA Low system before attempting to meet the requirement of doing so for a FISMA Moderate system.”
Piloting a new architecture using a low-risk system is a prudent way to implement a new strategy, but it suggests the agency strategies may take some time to deploy.
OMB is to be applauded for encouraging collaborative efforts “to capture best practices, lessons learned, and additional agency guidance” across the agencies via the OMB and Cybersecurity and Infrastructure Security Agency (CISA) website, zerotrust.cyber.gov.
Agencies have 60 days to submit a plan to CISA and OMB, and 30 days to identify an agency lead for the effort.