Federal agencies face new zero-trust cybersecurity requirements

As part of the Biden administration’s wide-ranging cybersecurity executive order (EO) issued in May, the Office of Management and Budget (OMB) and the Cybersecurity and Infrastructure Security Agency (CISA) issued three documents on zero trust last week. Zero trust is a security concept that "eliminates implicit trust in any one element, node, or service and instead requires continuous verification of the operational picture via real-time information from multiple sources to determine access and other system responses," according to the EO.

From a cybersecurity practitioner’s perspective, zero trust is a security approach that, among other things, relies on stringent authentication and authorization processes to give users the access they need to digital assets, but in constrained ways that limit the damage when a breach or compromise occurs. The EO repeatedly references zero trust and directs CISA and OMB to develop initiatives to incorporate zero-trust security models throughout the federal government.

The documents released last week offer draft versions of these models. CISA and OMB call them "strategic and technical guidance documents meant to move the US government towards a zero-trust architecture."

Federal strategy seeks shared baseline of early zero-trust maturity

The first document is a draft Federal Zero Trust Strategy to move civilian agencies toward a shared early zero-trust maturity baseline. It relies on a zero-trust maturity model articulated by CISA in June that rests on five pillars:

  • Identity premised on agency-wide use of "phishing-resistant" multi-factor authentication
  • Devices tracked in an inventory of all devices operated and authorized for government use, to better detect and respond to any incidents
  • Networks segmented around applications, with encrypted DNS requests and HTTPS traffic
  • Applications subject to rigorous testing, with all applications automatically assumed to be internet-connected
  • Data on a clear shared path to deploy protections that make use of thorough data categorization

In addition, the model directs agencies to take advantage of cloud services and implement enterprise logging and information-sharing.
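The five pillars are easier to reason about as a single access decision that re-checks every signal on every request and gives no weight to where on the network the request comes from. The following is an added illustration written for this article, not code from CISA, OMB or the EO: a toy policy evaluator in which the set of "phishing-resistant" factors, the device inventory, the application-to-data mapping and the sample requests are all constructed assumptions.

```python
from dataclasses import asdict, dataclass
from typing import Dict, List, Set, Tuple

# Assumption for this example: which MFA methods count as phishing-resistant
# (hardware-bound WebAuthn/FIDO2 authenticators and PIV smart cards).
PHISHING_RESISTANT_MFA: Set[str] = {"fido2", "piv"}

# Constructed device inventory: every device authorized for use and whether it
# currently meets the agency's management/compliance baseline.
DEVICE_INVENTORY: Dict[str, Dict[str, bool]] = {
    "laptop-0001": {"managed": True},
    "laptop-0002": {"managed": False},  # enrolled but out of compliance
}

# Constructed segmentation: each application and the data categories it may serve.
APP_DATA_LABELS: Dict[str, Set[str]] = {
    "hr-portal": {"public", "internal", "pii"},
    "wiki": {"public", "internal"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_method: str      # "fido2", "piv", "totp", "sms", "none"
    device_id: str
    source_network: str  # "internal" or "internet"; recorded, never trusted
    transport: str       # "https" or "http"
    dns_encrypted: bool  # was the name resolution done over an encrypted channel
    application: str
    data_label: str      # category of the data being requested


def evaluate(req: AccessRequest) -> Tuple[bool, List[str]]:
    """Check all five pillars on every request.

    Returns (allowed, reasons). The reasons list is empty only when every
    check passed. Note that req.source_network is never consulted: being on
    the internal network grants no implicit trust.
    """
    reasons: List[str] = []

    # Identity: only phishing-resistant MFA is acceptable.
    if req.mfa_method not in PHISHING_RESISTANT_MFA:
        reasons.append(f"identity: MFA method '{req.mfa_method}' is not phishing-resistant")

    # Devices: the device must be inventoried and currently compliant.
    device = DEVICE_INVENTORY.get(req.device_id)
    if device is None:
        reasons.append(f"devices: '{req.device_id}' is not in the inventory")
    elif not device["managed"]:
        reasons.append(f"devices: '{req.device_id}' is not compliant")

    # Networks: encrypted transport and encrypted DNS regardless of location.
    if req.transport != "https":
        reasons.append("networks: transport is not HTTPS")
    if not req.dns_encrypted:
        reasons.append("networks: DNS request was not encrypted")

    # Applications: every app is treated as internet-facing, so only
    # registered, tested applications are reachable at all.
    allowed_labels = APP_DATA_LABELS.get(req.application)
    if allowed_labels is None:
        reasons.append(f"applications: '{req.application}' is not a registered application")
    # Data: the application's segment must be allowed to serve this category.
    elif req.data_label not in allowed_labels:
        reasons.append(f"data: '{req.application}' may not serve '{req.data_label}' data")

    return (not reasons, reasons)


def audit_record(req: AccessRequest, allowed: bool, reasons: List[str]) -> dict:
    """Build the structured event an enterprise logging pipeline would ingest."""
    record = asdict(req)
    record["decision"] = "allow" if allowed else "deny"
    record["reasons"] = list(reasons)
    return record


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        AccessRequest("alice", "fido2", "laptop-0001", "internet", "https", True, "hr-portal", "pii"),
        AccessRequest("bob", "sms", "laptop-0001", "internal", "https", True, "wiki", "internal"),
        AccessRequest("carol", "piv", "laptop-0002", "internal", "http", False, "wiki", "pii"),
    ]
    for req in samples:
        ok, why = evaluate(req)
        print(audit_record(req, ok, why))
```

The third sample shows the intended failure mode: a request from the "internal" network with a valid PIV card is still denied on three separate pillars (non-compliant device, plaintext transport and DNS, and a data category the wiki segment may not serve), and each denial reason is carried into the audit record rather than collapsed into a single yes/no.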

Comments on the zero-trust strategy are due September 21. Agencies have until November 6 to draw up plans for FY22-24 for implementing this architecture. Agencies are also required to designate a zero-trust architecture implementation lead by October 7.

One fly in the ointment is that, as of yet, no funding is available to achieve this "dramatic paradigm shift in philosophy of how to secure infrastructure, networks and data." OMB says agencies should "re-prioritize" their FY22 budget to achieve the goals or find funding somewhere else. Government offices must also develop an FY23-24 budget to achieve their zero-trust priorities in that year.

Zero-trust maturity model is a conceptual roadmap

The second document is CISA’s Zero Trust Maturity Model itself. It "pushes agencies to adopt zero-trust cybersecurity principles and adjust their network architectures accordingly." The Maturity Model is more of a conceptual roadmap to achieve an "optimal zero trust environment." Public comments on the Zero Trust Maturity Model are due October 1.
