The Federal Government’s Zero-Trust Vision
OMB’s draft memo on zero trust instructs agencies to achieve specific cybersecurity goals by the end of fiscal year 2024. They go far beyond the relatively simple actions called for in the executive order to adopt multifactor authentication and encrypt traffic in transit and at rest. The memo says agencies are required to make progress in the following five areas:
- Identity: Agency staff are to use an “enterprise-wide identity to access the applications they use in their work,” and “phishing-resistant MFA” is meant to protect them from sophisticated online attacks.
- Devices: The government will have “a complete inventory of every device it operates and authorizes” for government use and will be able to “detect and respond to incidents on those devices.”
- Networks: Agencies will “encrypt all DNS requests and HTTP traffic within their environment, and begin segmenting networks around their applications,” and the government will create a “workable path to encrypting email in transit.”
- Applications: Agencies will “treat all applications as internet-connected, routinely subject their applications to rigorous testing, and welcome external vulnerability reports.”
- Data: Agencies will be on “a clear, shared path to deploy protections that make use of thorough data categorization” and will also take advantage of “cloud security services to monitor access to their sensitive data, and have implemented enterprise-wide logging and information sharing.”
Getting to this end state from where agencies are now within three years will be a challenge, and some agencies will make faster progress than others, cybersecurity leaders have acknowledged in recent weeks.
“We know that it really is a journey. For some organizations that are just on the front end of re-architecting their networks, we wanted to give them benchmarks to get to in how they advance in maturity,” Jen Easterly, director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, said at the Amazon Web Services summit in Washington, D.C., last week, FedScoop reports.
In September, CISA released its Zero Trust Maturity Model for public comment and took comments through Oct. 1. Easterly said that the agency is looking to foster a collaborative dialogue with the private sector and with agencies to help the government upgrade networks and cybersecurity technology to make the move to zero trust.
OMB’s zero-trust roadmap is designed to get agencies on the same page and create a cross-government push to zero trust, according to Federal CISO Chris DeRusha.
“We didn’t feel like there was a clear agency roadmap for them to follow,” DeRusha tells Federal News Network. “That led us to take the approach that you see in the strategy that we’ve put out for public comment, where we’re taking a phased approach organized around this as draft capability maturity model [from the Cybersecurity Infrastructure Security Agency], defining set targets for agencies over a three-year period to achieve a certain first level of maturity across all the zero trust pillars, and is designed to get agencies all moving in the right direction.”
DeRusha adds that OMB “will support that with communities of practice, sharing best practices, surging technical support, where possible, and really just sort of learning from this first phase for us of a multi-year journey that we view this as.”
How Will a Federal Zero-Trust Shift Be Funded?
Getting to zero trust will require agencies to upgrade their technologies in some cases. It will also require additional funding. Sheena Burrell, deputy CIO at the National Archives and Records Administration, said in September during an AFCEA Bethesda webinar that agencies cannot simply create funding to move to zero trust overnight, FedScoop reports.
The draft OMB memo calls for agencies to update their zero-trust migration plans and submit an implementation plan for fiscal years 2022-2024 and a budget estimate for fiscal years 2023-2024.
“Agencies should re-prioritize funding in FY22 to achieve priority goals, or seek funding from alternative sources, such as agency working capital funds or the Technology Modernization Fund,” the memo states.
DeRusha acknowledges the funding challenge, but he notes that OMB wants agencies to shift funds around and look more closely at which cybersecurity tools they are investing in.
“We’re definitely working closely with our resource management colleagues within OMB to make sure they understand what we mean by the zero trust strategic priorities, and the types of investments we’re expecting to see from agencies,” he tells Federal News Network. “In the plan, we’ve asked for 60-day implementation and resource plans back from agencies, which we plan to be heavily involved in to ensure they are the right investment choices. We’re moving fast and having some of those conversations now because the budget process is definitely moving forward in earnest for 2023.”
Last week, OMB and the General Services Administration announced funding from the TMF worth $311 million for seven different projects, one of which is classified. Three of the projects — at the GSA, the Department of Education and the Office of Personnel Management — involve funding for a move to zero-trust architectures.