Federal agencies must update cybersecurity controls to achieve zero-trust architecture


On January 26, 2022, the United States Office of Management and Budget (OMB) issued Memorandum M-22-09, “Moving the US Government Toward Zero Trust Cybersecurity Principles” (the ZTA Memorandum), which requires federal agencies to take a close look at their cybersecurity controls and to invest in and implement new measures to better protect government networks, systems and devices. The ZTA memorandum builds on President Biden’s Executive Order 14028, “Enhancing the Nation’s Cybersecurity,” which outlines the President’s overall goals for moving the federal government toward a Zero Trust Architecture (ZTA). The ZTA memorandum also follows President Biden’s “Memorandum on Enhancing Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems” issued on January 19, 2022, which establishes certain cybersecurity requirements for National Security Systems (NSS) and sets out the methods by which federal agencies could obtain exceptions to these requirements, as appropriate, given the unique needs of the mission. To comply with the increased cybersecurity requirements of the ZTA memorandum, federal agencies will need to invest in new and/or enhanced cybersecurity controls, policies, and procedures to transition to a ZTA. For government contractors involved in IT modernization efforts for the federal government, this initiative will likely result in unique and evolving agency requirements, which will ultimately present new partnership opportunities.

The ZTA memorandum directs federal agencies to each take concrete steps to achieve specific ZTA security goals by the end of fiscal year 2024, including:

  • Within 60 days, submit to the OMB and the Cybersecurity and Infrastructure Security Agency (CISA) an implementation plan outlining how the agency intends to incorporate the requirements for implementing a ZTA; and
  • Within 30 days, designate and identify a person for each agency to serve as the lead implementer of the zero trust strategy.

The “zero trust” cybersecurity model is based on the principle “never trust, always verify”. A network architecture based on zero trust requires that all users, whether inside or outside the network, be authenticated, authorized and validated at all times before being granted access to applications or data. Additionally, in this cybersecurity model, users and devices are only given permissions to access the network resources necessary for the task at hand, also known as the principle of least privilege. The government’s move to ZTA is a departure from previous policies, which accepted certain “networks of trust”.

To implement zero trust in accordance with the ZTA memorandum, federal agencies will be required to take the following actions, among others:

  • Use centralized identity management systems
  • Use strong multi-factor authentication (MFA) across their enterprise
  • Create reliable asset inventories through participation in CISA’s Continuous Diagnostics and Mitigation (CDM) program
  • Ensure that their endpoint detection and response (EDR) tools meet CISA technical requirements and are widely deployed
  • Resolve Domain Name System (DNS) queries using encrypted DNS
  • Enforce HTTPS for all web and application programming interface (API) traffic in their environment
  • Operate dedicated application security testing programs and use external companies for independent third-party assessments
  • Maintain a public vulnerability disclosure program for their Internet-facing systems
  • Implement initial automation of data categorization and security responses
  • Audit access to all encrypted data at rest in commercial cloud infrastructure
  • Implement comprehensive logging and information sharing features

Government contractors operating in this space should take note of these new requirements for federal agencies. ZTA requirements are already incorporated into some solicitations issued by defense and, in some cases, civilian agencies. Very recently, the Defense Information Systems Agency (DISA) made a multi-million dollar award to begin laying the groundwork for ZTA for the Department of Defense. The contract was awarded for a $6.8 million zero-trust prototype project, which the agency calls Thunderdome. The winner was tasked with building the first testbed implementation of a ZTA.

Undoubtedly, new partnership opportunities will emerge for innovative entrepreneurs to help the federal government meet the fiscal year 2024 deadline. Agencies’ compliance with these heightened cybersecurity requirements will require additional investments in new and/or enhanced cybersecurity controls, policies and procedures to transition to a ZTA. Within the next 60 days, or by the end of March 2022, each of the federal agencies will submit implementation plans to OMB and CISA. These implementation plans will necessarily provide details on how each agency plans to invest in the tools and resources necessary to develop a ZTA and to further modernize federal government cybersecurity controls to thwart current threats.

This is just one more step toward implementing President Biden’s strategy to develop a defensible and cohesive whole-of-government approach to federal cybersecurity defense. The Biden administration has made it clear that federal agencies cannot afford to wait for the next cyber breach and simply react and respond. Instead, agencies will need to take active steps to reduce risk by implementing frameworks such as ZTA, and entrepreneurs should take advantage of the opportunities that arise.
