Federal agencies must implement a zero trust architecture by fiscal year 2024
On January 26, the White House issued a federal zero trust architecture (ZTA) strategy, setting cybersecurity objectives and standards that will enhance the federal government’s cyber defenses.
The Office of Management and Budget (OMB) Memo (M-22-09) lays out requirements and deadlines for federal agencies to transition to a zero trust architecture. The document is another step toward enhancing the federal government’s cybersecurity posture as outlined in President Biden’s May 2021 Executive Order (EO) 14028, “Improving the Nation’s Cybersecurity.”
The memo gives agency leaders timelines to meet on the way to full ZTA implementation by FY24. Within 30 days, agencies must identify a ZTA strategy implementation lead. Agency leaders have 60 days to begin incorporating the requirements into their ZTA strategies and provide them to OMB and the Cybersecurity and Infrastructure Security Agency (CISA).
OMB states that agencies will need to internally resource funding in FY22 and FY23 to meet the requirements and identify funding needs for the FY24 budget request. This means agencies will need to reprogram funding and prioritize zero trust efforts within their current funding levels for the next two fiscal years.
The conventional approach to a perimeter-focused cybersecurity posture is no longer sufficient to defend against new and evolving threats, OMB says, and a “transition to a zero trust approach to security provides a defensible architecture for this new environment.”
A zero trust model assumes “that no actor, system, network, or service operating outside or within the security perimeter is trusted.” Verifying every connection and device is critical to meeting this requirement.
To achieve a zero trust security architecture, the memo identifies five top-level lines of effort.
"This strategy envisions a federal government where:
In particular, the strategy emphasizes the need for multi-factor authentication (MFA), encrypting domain name system (DNS) requests and HTTP traffic within agency environments, maintaining a comprehensive device inventory, and system isolation.
As the lead agency responsible for federal cybersecurity, CISA will support agencies with capabilities and guidance during their transitions. CISA, in conjunction with OMB, will also review agency implementation plans.
The strategic goals align with the five pillars of CISA’s zero trust maturity model:
"1. Identity: Agency staff use enterprise-managed identities to access the applications they use in their work. Phishing-resistant MFA protects those personnel from sophisticated online attacks.
2. Devices: The federal government has a complete inventory of every device it operates and authorizes for government use, and can prevent, detect, and respond to incidents on those devices.
3. Networks: Agencies encrypt all DNS requests and HTTP traffic within their environment, and begin executing a plan to break down their perimeters into isolated environments.
4. Applications and Workloads: Agencies treat all applications as internet-connected, routinely subject their applications to rigorous empirical testing, and welcome external vulnerability reports.
5. Data: Agencies are on a clear, shared path to deploy protections that make use of thorough data categorization. Agencies are taking advantage of cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing."
CISA’s many existing security programs will serve as key enablers to meet zero trust requirements. Agencies will also work with CISA to ensure their tools meet the proper specifications and coordinate deployment.
For example, the memo directs agencies to leverage CISA’s Protective DNS program and work with CISA to preload their “.gov” domains as only accessible over HTTPS. Large-scale CISA programs like Continuous Diagnostics and Mitigation (CDM) will be enhanced to “better support cloud-oriented Federal architecture” to manage digital asset inventory.
CISA, along with GSA, will also work to provide agencies with rapid procurement options as well as access to valuable historical data.
This strategy to implement a zero trust approach is a key part of the government’s overall efforts to bolster its cybersecurity posture. As OMB notes, “the Federal Government executes unique and deeply challenging missions” and cyberattacks against government networks can impact many facets of our daily lives.