What’s next for the federal government and Zero Trust?
The federal government’s zero-trust vision
OMB’s draft zero trust memo calls on agencies to meet specific cybersecurity goals by the end of fiscal 2024. These go far beyond the relatively simple actions called for in the executive order, namely adopting multi-factor authentication and encrypting traffic in transit and at rest. The memo states that agencies are required to make progress in the following five areas:
- Identity: Agency staff must use an “enterprise-wide identity to access the applications they use in the course of their work,” and “phishing-resistant MFA authentication” aims to protect them from sophisticated online attacks.
- Devices: The government will have “a complete inventory of every device it operates and authorizes” for government use and will be able to “detect and respond to incidents on these devices.”
- Networks: Agencies will “encrypt all DNS queries and HTTP traffic within their environment, and begin segmenting networks around their applications,” and the government will create a “convenient path to encrypt e-mail in transit.”
- Applications: The agencies “will treat all applications as connected to the Internet, systematically subject their applications to rigorous testing and welcome external vulnerability reports.”
- Data: Agencies will be on “a clear and shared path to deploy protections that use deep data categorization” and will also take advantage of “cloud security services to monitor access to their sensitive data, and have implemented logging and company-wide information sharing.”
Reaching that end state within three years will be a challenge, and some agencies will progress faster than others, cybersecurity officials have recognized in recent weeks.
“We know it really is a trip. For some organizations that are just in the early stages of re-architecting their networks, we wanted to give them benchmarks to determine how they are progressing in maturity,” said Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, at the Amazon Web Services summit in Washington, DC last week, reports FedScoop.
In September, CISA released its zero trust maturity model for public comment and collected comments until October 1. Easterly said the agency seeks to foster a collaborative dialogue with the private sector and with agencies to help the government upgrade cybersecurity networks and technology to zero trust.
The OMB’s zero trust roadmap is designed to put agencies on the same page and create an intergovernmental push towards zero trust, according to federal CISO Chris DeRusha.
“We didn’t feel there was a clear agency road map to follow,” DeRusha told Federal News Network. “This has led us to take the approach that you see in the strategy that we have submitted for public comment, where we take a phased approach organized around this as a draft capacity maturity model [from the Cybersecurity Infrastructure Security Agency], setting targets for agencies over a three-year period to achieve a certain first level of maturity on all pillars of zero trust, and is designed to move agencies forward in the right direction.”
DeRusha adds that OMB “will support this with communities of practice, sharing best practices, strengthening technical support where possible, and just learning from this first phase for us on a multi-year journey that we consider to be that.”
How will a federal shift to zero trust be funded?
To achieve zero trust, agencies will need to upgrade their technologies in some cases. This will also require additional funding. Sheena Burrell, deputy CIO at the National Archives and Records Administration, told an AFCEA Bethesda webinar in September that agencies can’t just create funds to move to zero trust overnight, FedScoop reports.
The OMB draft memo calls on agencies to update their zero trust migration plans and submit an implementation plan for fiscal years 2022-2024 and a budget estimate for fiscal years 2023-2024.
“Agencies should redefine the priority of funding in FY22 to achieve priority objectives, or seek funding from alternative sources, such as agency working capital or the Technology Modernization Fund,” the memo said.
DeRusha acknowledges the funding challenge, but notes that OMB wants agencies to reallocate funds and take a closer look at the cybersecurity tools they invest in.
“We certainly work closely with our resource management colleagues within OMB to ensure they understand what we mean by zero trust strategic priorities and the types of investments we expect from agencies,” he told Federal News Network. “In the plan, we have requested the return of the 60-day implementation and resource plans to the agencies, in which we plan to be heavily involved to ensure these are the right investment choices. We’re moving fast and having some of those conversations now, as budget processes are definitely moving forward for 2023.”
Last week, the OMB and the General Services Administration announced TMF funding worth $311 million for seven different projects, one of which is classified. Three of the projects – at the GSA, the Department of Education and the Office of Personnel Management – involve funding a transition to zero trust architectures.