Last Updated on March 15, 2022
The US government’s Office of Management and Budget (OMB) sent a 29-page memorandum to all federal agencies and departments on January 26, 2022, finalizing a “Federal zero trust architecture strategy.” All agencies must meet “specific cybersecurity standards and objectives” to align with zero trust principles by the end of the 2024 fiscal year.
The memorandum gives all federal agencies a coherent cybersecurity strategy, per the Biden administration’s May 2021 Executive Order 14028 on cybersecurity. Based on eliminating implicit trust within networks or services, the zero trust paradigm replaces the failed “hard perimeter” security model that cannot safeguard modern organizations from today’s cyber threats.
What are the key takeaways from the OMB’s new zero trust strategy? Here are 8 top-of-mind points for security leaders:
One: This heralds a major security transformation across both public and private sectors.
The OMB memorandum doesn’t just set out action items for government orgs—it explicitly “flows down” these mandates to the private sector supply chain as well. For example, in the Actions section under Identity, it states, “For agency staff, contractors, and partners, phishing-resistant MFA is required.”
This isn’t surprising, as EO 14028 had already made government contractors accountable for uplifting their security to match what the government is mandating internally. There is little benefit in hardening the federal security posture if controlled unclassified information (CUI) and other sensitive USG data is then shared or accessed via vulnerable third-party systems.
Two: This ball is already rolling.
The OMB’s zero trust strategy includes several shorter-term actions within its overall timeline. These include:
- Within 30 days (that is, by February 26, 2022), agencies must name a zero trust “strategy implementation lead” for their enterprise.
- Agencies must perform a gap analysis and submit a 2-year zero trust implementation plan, including a budget estimate, to OMB and the Cybersecurity and Infrastructure Security Agency (CISA) within 60 days.
- Within 60 days, agencies must submit to CISA and the General Services Administration (GSA) a list of any non-.gov hostnames they are using, as a starting point for “welcoming” external vulnerability assessments.
- Within 120 days, agencies must develop an initial set of categories for sensitive data, “with the goal of automatically monitoring and potentially restricting the sharing of these documents.”
- Within one year, agencies must eliminate password policies that require special characters and/or password rotation, in favor of “greater use of passwordless multi-factor authentication” or passwords as a factor in MFA.
As agencies move forward with their implementation plans and begin addressing budget realities, revisions are to be expected. Many orgs will benefit from independent, third-party strategic support to optimize their roadmaps.
Three: Identity/MFA and “no trusted networks” are strongly emphasized.
In alignment with CISA’s “five pillars” of zero trust, the OMB memo outlines five “complementary areas of effort” to achieve zero trust security: Identity, Devices, Networks, Applications and Workloads, and Data. But among these areas, Identity gets top billing.
For example, the memo’s executive summary states, “This strategy places significant emphasis on stronger enterprise identity and access controls, including multi-factor authentication. … This strategy sets a new baseline for access controls across the Government that prioritizes defense against sophisticated phishing, and directs agencies to consolidate identity systems so that protections and monitoring can be consistently applied.”
Another zero trust precept that gets primary emphasis is “no network is implicitly considered trusted.” Further, “In the near-term, every application should be treated as internet-accessible from a security perspective.” This calls specifically for encryption and authentication of all network traffic, including internal traffic.
Why underscore some controls when a holistic approach is needed to implement a zero trust strategy? Because MFA and in-transit encryption can deliver the greatest “security return” with the least time and resources against current attack vectors (e.g., ransomware, phishing, credential harvesting).
Four: Protecting the application layer is pivotal.
The OMB’s zero trust strategy focuses on centrally managed applications that rely on a unified/federated, agency-wide identity management solution. The idea is that “users should log into applications, rather than networks, and enterprise applications should eventually be able to be used over the public internet.”
As a precursor to those longer-term goals, “in the near-term, every application should be treated as internet-accessible from a security perspective.” This means agencies must double down on application security verification, including penetration testing that mimics Advanced Persistent Threat (APT) level attacks. This is another area where OBM regards “external partners and independent perspectives to evaluate the real-world security of agency applications” as potentially beneficial.
Five: The USG is moving to the cloud.
From the perspective of cloud service providers (CSPs), the new zero trust strategy is good news, as it strongly advocates leveraging cloud computing to deliver internal as well as public-facing services. As the memo’s overview states, it’s all about realizing the security benefits of cloud while mitigating associated risks with zero trust architecture.
Indeed, cloud-based services and an overall “cloud-oriented Federal architecture” will be essential to many of the memo’s specific mandates, e.g., an enterprise-wide, web-accessible identity solution.
Six: Email encryption is TBD.
Perhaps the biggest security question left unanswered by the OMB’s comprehensive memo is end-to-end email security. The memo states, “It remains challenging today to easily and reliably encrypt an email all the way between any sender and any recipient. Unlike HTTP and DNS, there is not today a clear path forward for guaranteeing that Federal emails are encrypted in transit, particularly for emails with external parties.”
The next step to a defined solution will be for CISA to evaluate current open standards for encrypting email in transit and then make recommendations. This includes collaborating with “cloud service providers and other participants in the email ecosystem” via the FedRAMP program.
Seven: “Tone at the top” is a given.
OMB hasn’t forgotten that strategies without executive buy-in and commitment aren’t going anywhere.
The memo tells agency senior leaders in no uncertain terms, “Agency chief financial officers, chief acquisition officers, senior agency officials for privacy, and others in agency leadership should work in partnership with their IT and security leadership to deploy and sustain Zero Trust capabilities. It is critical that agency leadership and the entire C-suite be aligned and committed to overhauling an agency’s security architecture and operations.”
Eight: Zero trust will increasingly become a requirement to work with the USG (or to work with a customer that works with the USG).
Zero trust is not a new idea, but now the idea has been clarified and put forth with unstoppable momentum. For organizations and vendors across the board, the days of “hard perimeter” or “castle and moat” security are coming to an end.
As agencies move to zero trust, they will require that all third parties in their supply chain do the same. Given that US government business accounted for more than 40% of our country’s GDP in 2020, zero trust (via flow down) is exceptionally likely to be in your future if you handle client information.
To ensure your organization takes the best possible “next steps” on its unique path to zero trust, contact Pivot Point Security to connect with a zero trust expert.