Federal agencies have a little over two years to fundamentally remodel cyber defenses

US government's 'zero trust' roadmap calls time on perimeter-based paradigm

Infosec professionals have reacted favorably to the US government’s planned pivot to a ‘zero trust’ cybersecurity model.

The US Office of Management and Budget (OMB) released a strategy for implementing a federal government-wide shift away from perimeter-based defenses towards a zero trust architecture on Wednesday (January 26).

The directive (PDF) sets federal agencies a 2024 fiscal year-end deadline to meet various strategic goals that align with the Cybersecurity and Infrastructure Security Agency’s (CISA) five pillars for zero trust maturity.

What is zero trust?

While disagreements abound over the precise definition, zero trust can be broadly characterized as not trusting users or devices by default, even if previously verified and sitting within the notional corporate perimeter.

The model therefore prescribes continual verification of users, files, endpoints, networks, operating system processes, and so on across all risk surfaces.

Bob Lord, CSO for the Democratic National Committee between 2017-2021, tweeted his endorsement of the White House strategy: “I encourage you to read it even if you don’t work with the US federal government”, he said, adding that “every org[anization] should compare their 2022 roadmap against this one and consider appropriate adjustments”.

Lord, who as Yahoo CSO inherited the fallout from two of the biggest-ever data breaches, flagged as noteworthy the directive’s prescription for “phishing-resistant authentication” such as security keys. The memo noted that multi-factor authentication (MFA) often failed to defend against phishing attacks, with users potentially “fooled into providing a one-time code”, for instance.

Also significant, continued Lord, are orders to abandon regular password rotations and password policies that require special characters, as well as instructions to migrate agency DNS resolution to Secure DNS, which encrypts DNS traffic instead of sending queries in the clear.

The directive also mandates that “agencies must welcome external vulnerability reports for their internet-accessible systems by September 2022 and structure reporting channels so that system owners have direct, real-time access to incoming vulnerability reports”.

Cataloging assets

Sevco Security co-founder Greg Fitzgerald endorsed instructions that agencies maintain a complete inventory of all devices authorized for federal use.

“Every network has lost or abandoned IT assets that sit undetected,” he said. “No one is cataloging the assets they don’t know about, and no one is patching the assets they don’t catalog. Until organizations can account for all assets – including the forgotten ones – a true zero trust approach will be impossible.”

Cloudflare field CTO John Engates, meanwhile, said the directive “signals that the federal government is taking cybersecurity threats seriously and is adopting a strategy that will better protect the nation’s cyber infrastructure”.

A first draft of the strategy was released in September 2021 in order to give data privacy and cybersecurity experts the chance to provide feedback.

“It was extremely important for us to work collaboratively with top experts across the government, industry, and academia and build consensus around the highest value starting points for a defensible zero trust architecture,” said Chris DeRusha, federal CISO and deputy national cyber director, in a White House press release. “This strategy will serve as the foundation for a paradigm shift in federal cybersecurity, and provide a model for others to follow.”

The memo follows another recent White House directive designed to raise infosec standards for national security-related systems, and a series of cybersecurity-related announcements emanating from the White House since President Biden took office in January 2021.
