Federal agencies have until 2024 to implement various security measures - like multi-factor authentication (MFA) and encryption of network traffic - under a zero-trust architecture strategy finalized Wednesday by the White House.
The newly released memorandum is a product of President Joe Biden’s cybersecurity Executive Order 14028 from last year, which first ordered the government to develop various security mandates for agencies, including a zero-trust approach, in an effort to protect against cyberattacks. The finalized strategy comes on the heels of an initial draft released for public comment in September.
While traditional network security models have assumed endpoints and users within organization networks can be implicitly trusted, the zero-trust approach takes into account scenarios like threat actors that have stolen legitimate account credentials as well as insider threats. This type of model encourages continual monitoring and authentication of each endpoint under the premise that no actor, system, network or service within the “security perimeter” can be trusted. CISA Director Jen Easterly in a Wednesday statement said that zero trust is a “key element” of the effort to modernize and strengthen U.S. cyber defenses.
“As our adversaries continue to pursue innovative ways to breach our infrastructure, we must continue to fundamentally transform our approach to federal cybersecurity,” Easterly said. “CISA will continue to provide technical support and operational expertise to agencies as we strive to achieve a shared baseline of maturity.”
The finalized strategy mandates that federal staff have enterprise-managed accounts and that their devices are consistently tracked and monitored. The memo also requires that agency systems be isolated from one another, that all DNS requests and HTTP traffic be encrypted, and that enterprise applications be tested both internally and externally. The implementation of stronger identity and access controls - including multi-factor authentication - is also a priority of the strategy. Federal security teams and data teams will be required to work together to develop rules that will detect and block unauthorized access to sensitive information.
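The zero-trust premise described above (no actor, device or network segment is trusted by default, and every access attempt is verified) and the memo's concrete requirements (enterprise-managed accounts, monitored devices, phishing-resistant MFA, encrypted transport, explicit access rules) can be made concrete as a per-request policy decision. The following is an added illustration, not code from the memo or from any agency; the policy parameters (which MFA methods count as phishing-resistant, how fresh device telemetry must be, the resource grants) and the sample requests are constructed for the example.

```python
"""Per-request zero-trust access evaluation over a constructed inventory.

Every decision starts from deny; a request is allowed only when the identity,
the device and the transport each pass, and the user holds an explicit grant
for the resource.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed policy parameters (not taken from the memo): which MFA methods count
# as phishing-resistant and how fresh device telemetry must be.
PHISHING_RESISTANT_MFA = {"fido2", "piv"}
MAX_TELEMETRY_AGE_MIN = 15

# Constructed least-privilege grants: resource -> users explicitly allowed.
RESOURCE_GRANTS: Dict[str, Set[str]] = {
    "hr-records": {"alice"},
    "payroll-db": {"alice", "bob"},
}


@dataclass
class Identity:
    user: str
    enterprise_managed: bool          # issued by the agency identity provider
    mfa_method: Optional[str]         # e.g. "fido2", "piv", "sms", or None


@dataclass
class Device:
    device_id: str
    enrolled: bool                    # present in the agency device inventory
    compliant: bool                   # passes the inventory's health checks
    telemetry_age_min: int            # minutes since the device last reported


@dataclass
class AccessRequest:
    identity: Identity
    device: Device
    resource: str
    scheme: str                       # transport used for the request


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Return (allowed, reasons). An empty reasons list means every check passed."""
    reasons: List[str] = []
    ident, dev = req.identity, req.device

    if not ident.enterprise_managed:
        reasons.append("account is not enterprise-managed")
    if ident.mfa_method not in PHISHING_RESISTANT_MFA:
        reasons.append("MFA missing or not phishing-resistant")
    if not dev.enrolled:
        reasons.append("device is not in the inventory")
    elif not dev.compliant:
        reasons.append("device fails compliance checks")
    elif dev.telemetry_age_min > MAX_TELEMETRY_AGE_MIN:
        reasons.append("device telemetry is stale")
    if req.scheme != "https":
        reasons.append("transport is not encrypted")
    # Deny by default: an unknown resource or an unlisted user has no grant.
    if ident.user not in RESOURCE_GRANTS.get(req.resource, set()):
        reasons.append("no explicit grant for resource")

    return (not reasons, reasons)


def evaluate_all(requests: List[AccessRequest]) -> Dict[str, bool]:
    """Evaluate a batch and key each decision by user@device->resource."""
    return {
        f"{r.identity.user}@{r.device.device_id}->{r.resource}": evaluate(r)[0]
        for r in requests
    }


# Constructed sample requests: one fully compliant, three failing one check each.
SAMPLE_REQUESTS = [
    AccessRequest(Identity("alice", True, "piv"),
                  Device("lt-001", True, True, 3), "hr-records", "https"),
    AccessRequest(Identity("bob", True, "sms"),
                  Device("lt-002", True, True, 5), "payroll-db", "https"),
    AccessRequest(Identity("alice", True, "fido2"),
                  Device("lt-001", True, True, 3), "payroll-db", "http"),
    AccessRequest(Identity("carol", True, "fido2"),
                  Device("byod-9", False, False, 0), "hr-records", "https"),
]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        ok, why = evaluate(r)
        print("ALLOW" if ok else "DENY ", r.identity.user, r.resource, why)
```

The point of returning every failed reason rather than stopping at the first is operational: the denial log then tells a security team which control (identity, device, transport or authorization) actually blocked the request, which is the data needed to tune detection rules and to measure progress against the memo's objectives.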
“This strategy sets a new baseline for access controls across the Government that prioritizes defense against sophisticated phishing, and directs agencies to consolidate identity systems so that protections and monitoring can be consistently applied,” according to the memo.
The memo acknowledged that “transitioning to a zero trust architecture will not be a quick or easy task for an enterprise as complex and technologically diverse as the federal government,” as federal agencies will need to overcome various roadblocks such as dealing with legacy hardware and adapting to new practices.
Jonathan Reiber, senior director of cybersecurity strategy and policy at AttackIQ, said that the biggest challenge in transitioning to zero trust is “keeping teams moving towards progress.”
“It is a labor-intensive effort to collate metadata, map interactions between workloads and applications, and then set policy to prevent unauthorized access for a large organization’s data,” he said. “The adoption of zero trust will make a massive difference in federal cybersecurity, as long as the government keeps the pedal to the metal and keeps moving.”
Mark Montgomery, senior fellow at the Foundation for Defense of Democracies, said that while it is good to see a strong push on improving and tightening access controls, the “key to success” in implementing this strategy will be oversight by the Federal CISO, who sits within the White House's Office of Management and Budget.
“We will have to ensure the Federal CISO and the National Cyber Director are resourced to conduct the oversight needed to enforce this implementation plan,” he said.
The federal zero-trust strategy requires government agencies to meet its various security objectives by the end of fiscal year 2024. Agencies also must designate a zero-trust strategy implementation lead for their organizations within 30 days of the memorandum being published, and they must submit individual implementation plans that address the requirements to the Office of Management and Budget within 60 days. The memo noted that agencies will need to internally source funding for fiscal years 2022 and 2023 in order to carry out the zero-trust implementation requirements, or seek funding from alternative sources such as working capital funds or the Technology Modernization Fund, which finances federal technology modernization projects.
The memo is only the latest effort from the White House to bolster security policies across the federal government. Earlier in January, for instance, Biden signed a National Security Memorandum that aims to better secure the information systems that store and process classified data.
Overall, the memo’s requirements for government agencies to “verify anything and everything attempting to establish access” represent a paradigm shift in the government’s approach to cybersecurity, said Reiber.
“In the case of the SolarWinds intrusion, the intruder moved laterally throughout U.S. government networks because there were no internal walls to stop that movement,” he said. “The memo outlines the need for new policy and higher internal firewalls between workloads, applications, and servers to prevent unauthorized movement – all key components of zero trust – and that’s exactly what is required to make change.”